Post on 27-Mar-2015
transcript
The eID-ClientCore: Status and Outlook
Dr. Wolf Müller
Wolf.Mueller@informatik.hu-berlin.de
https://sar.informatik.hu-berlin.de
http://BeID-lab.de
Wolf.Mueller@informatik.hu-berlin.de 2
eIDCC: Focus
Open Identity Summit 2013
(Diagram labels: Library, Command-Line Interface, GUI; Embedded & Mobile Devices, PC, Laptop; Evaluation Prototype, Demo, Education, Research; nPA PIN-Management, eID, eSIGN)
eIDCC: Requirements
C based Implementation
• Interoperability
• Binary Distribution
• Compiling for different hardware platforms
Crypto
• PACE / EAC, RSA-PSK, Secure Messaging
• ASN.1 Parsing (Certificates …)
• Inspection of Protocol / Freshness / Binding of Channels
eCard-API
• Basic Implementation
• nPA-only, (optional) Card Detection
OpenSource
• Licensing
• Looking for Compatible Building Blocks
eIDCC: Seed
• September 2012: BDr and HUB release initial version as OpenSource
• https://github.com/BeID-lab/eIDClientCore
eIDCC: License
• OpenSource, but use limited to eID@(nPA|eAT)
"Under these terms of use, Humboldt-Universität grants the user, free of charge, a non-exclusive right of use, unrestricted in territory and time, to use the eIDClientCore in accordance with the following provisions, restricted to eIDClientCore software for client-side applications that enable electronic proof of identity by means of a German sovereign document …"
https://raw.github.com/BeID-Lab/eIDClientCore/master/COPYING
eIDCC (Seed): Libs & Dependencies
Lang:           C, C++
Crypto:         gnutls, cryptopp, gcrypt
Parse:          asn1c, expat
SC:             pcsc-lite
No Libs or Own: PAOS, TR-03112, TR-03110, html
eIDCC: Further Steps
• Reduce dependencies!
– Integration of OpenPACE
– one Crypto-Lib (OpenSSL) for:
• PACE, CA, TA
• SSL/TLS, RSA-PSK
• Verification of (CV)-Certificates, …
• Modularization in order to
– Separate test cases for different layers
eIDCC: Future
Lang:           C, C++
Crypto:         openssl
Parse:          asn1c, expat, libcurl
SC:             generic
No Libs or Own: PAOS, TR-03112, Open-PACE
eIDCC: Challenges
• Used with real Infrastructure
– Interoperability:
• Different (implemented) eID-Services
• Different nPA-generations
• "Cat-B"-Reader in the field
• eIDCC (or similar) becomes available = possible automated access to eID-Services
• Re-assembling/-connecting of components (of eID-infrastructure) by an attacker becomes feasible
– "Selbstauskunft"-in the middle
– Relaying eSIGN
"Selbstauskunft"-in the middle*
Does X need a "Berechtigungszertifikat" to verify a user's name?
• Strategy like "Sofortüberweisung"
(Diagram labels: Prove ID: First name, Name via Selbstauskunft; X (= Remote Reader) sits between the eID-Client and eID-Service Y; links labelled https & SSL/TLS (PSK), own Secure Messaging, SSL/TLS)
*{gehring,wolfm}@informatik.hu-berlin.de
Relaying eSIGN: Cat-B / Cat-K*
(Diagram labels: eID victim with Cat-B reader; attacker with Cat-K reader; eSIGN relayed between them; "?!")
2-factor ("something you have", which the attacker can access, + "something you know") reduces to 1-factor
*{gehring,wolfm}@informatik.hu-berlin.de
video of the demo available
Credits
Students or PhDs:
• Michael Gehring
• Dominik Oepen
• Frank Morgner
Pictures:
– https://openclipart.org/{radar, 1284641890, buildng, rubik_3D_colored, service}
– https://commons.wikimedia.org/wiki/File:Personalausweis_Text_logo.svg