The eID on Linux in 2015
Wouter Verhelst, LOADays 2015
@wouter_verhelst
Posted on 16-Jul-2015


About me

● Debian Developer since 2001
● Used to maintain eID software in Debian (2004-2010)
● Contractor at Fedict for eID software (since 2014)

Anecdote

● “It doesn't work. Help!”

:-)

● “It doesn't work. They didn't test! Bastards!”

:-T

● “It doesn't work. I'll have to use something else.”

:-(

Linux-support

● Support means:
– Precompiled packages
– For a limited number of distributions and versions
– Support on equal terms as Windows or OSX
– Single person (me)...
– Source code available (LGPLv3)

Supported distributions

● List approx. based on most popular distributions (distrowatch.com)
– Might add more distributions on popular request
● Currently:
– Ubuntu/Mint
– Debian
– openSUSE
– Fedora
– CentOS/RHEL

Supported distribution versions

● “Rules”:
– Most recent 'regular' release
– Two most recent 'LTS' releases (if applicable)
– Never more than three releases (two if no LTS)
– Never when no longer supported by distribution
● Example:
– Ubuntu: 12.04 LTS, 14.04 LTS, 14.10
● Soon: +15.04, -14.10
– Debian: 7 (soon: +8)
– RHEL/CentOS: 6, 7
– Fedora: 20, 21
● Older packages will remain (not updated)
– Currently only Fedora 19
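The support rules above, applied mechanically, as an added example that is not part of the talk or of the eid-mw project. Release and end-of-support dates are constructed sample data (approximate), and `Release`, `supported` and the lists are names chosen here.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Release:
    name: str
    released: date   # first day the release is available
    eol: date        # first day it is no longer supported upstream
    lts: bool


# Constructed sample data (dates approximate, an assumption for illustration)
UBUNTU = [
    Release("12.04", date(2012, 4, 26), date(2017, 4, 28), True),
    Release("12.10", date(2012, 10, 18), date(2014, 5, 16), False),
    Release("13.10", date(2013, 10, 17), date(2014, 7, 17), False),
    Release("14.04", date(2014, 4, 17), date(2019, 4, 25), True),
    Release("14.10", date(2014, 10, 23), date(2015, 7, 23), False),
    Release("15.04", date(2015, 4, 23), date(2016, 2, 4), False),
]
FEDORA = [
    Release("19", date(2013, 7, 2), date(2015, 1, 6), False),
    Release("20", date(2013, 12, 17), date(2015, 6, 23), False),
    Release("21", date(2014, 12, 9), date(2015, 12, 1), False),
]


def supported(releases, today):
    """Apply the talk's rules: newest regular release plus the two newest
    LTS releases, at most three in total; the two newest releases when the
    distribution has no LTS; never a release the distribution has dropped."""
    live = sorted((r for r in releases if r.released <= today < r.eol),
                  key=lambda r: r.released, reverse=True)
    if not any(r.lts for r in releases):
        picked = live[:2]                       # no LTS concept: two newest
    else:
        regular = [r for r in live if not r.lts]
        lts = [r for r in live if r.lts]
        picked = regular[:1] + lts[:2]          # newest regular + two LTS
    return sorted(r.name for r in picked[:3])   # never more than three
```

Run against the sample data, the function reproduces the Ubuntu list from the slide and the change announced for 15.04 (15.04 replaces 14.10 once it is released), and gives Fedora 20 and 21 while 19 is past its distribution EOL.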

Components


The card

● JavaCard
– On-card applet written by Gemalto
● Contains:
– Identity data (name, address, photo, …)
● Signed by RRN cert
– 2 RSA private keys (1024 bit, 2048 bit for newer 10y cards)
● 1 for signature, 1 for authentication
● Cannot be extracted
– 5 certificates (root, RRN, CA, signature, authentication)

PCSC

● PC SmartCard API
● Low-level API: “SCardTransmit”, “SCardControl”, etc.
● Originally developed for Windows, now a cross-platform API thanks to pcsc-lite
● Daemon to talk to hardware

CCID

● “Chip Card Interface Device”
● Standard USB protocol for smartcard readers; compare USB HID protocol.
● Most card readers today implement this protocol
● libccid: userspace implementation, used by pcscd to talk to card readers.
● ACR38U: nonstandard protocol; oldest Fedict card readers used it → libacr38u

PKCS#11

● Public Key Cryptography Standard
● Standardized C API
● Originally RSA, now OASIS

Read data: C_Initialize() → C_GetSlotList() → C_OpenSession() → C_FindObjectsInit() → C_FindObjects() → C_GetAttributeValue() → C_FindObjectsFinal() → C_CloseSession() → C_Finalize()

Sign data: C_Initialize() → C_GetSlotList() → C_OpenSession() → C_FindObjectsInit() → C_FindObjects() → C_SignInit() → C_Sign() → C_FindObjectsFinal() → C_CloseSession() → C_Finalize()

PKCS#11 module

● libbeidpkcs11.so
● In standard library path (distribution-dependent)
● PKCS#11 supported by a wide variety of software:
– Chrome
– Firefox
– Adobe Reader
– OpenSSH
– …
● Multiarch-enabled (since July 2014)

Firefox plugin

● Automates installation of:
– PKCS#11
– Belgian root certificates
● Not strictly needed; possible to do manually
– Does make things easier to use
● Also configures: Thunderbird, LibreOffice
– Because they use the Firefox configuration...

Chrome/chromium

● No proper/“official” smartcard support under Linux
● Uses libnss, Firefox's SSL library
– With a simple command-line incantation, adding a PKCS#11 module is possible
● https://github.com/Fedict/eid-mw/wiki/ChromeLinux
● Rough around the edges, but works

Evolution

● Similar to chrome/chromium
– -dbdir argument: ~/.local/evolution

Adobe Reader

● Needed for signing PDF files w/ Adobe LiveCycle
– InterVAT
● Adobe Reader for Linux EOL
– Can still be found (e.g., in Ubuntu Partner repositories)

– Not security supported!

– 32-bit only!

● Document → Security settings → PKCS#11 modules

OpenSSH

● ssh -I /usr/.../libbeidpkcs11.so   # capital i, not L
● ssh-add -s /usr/.../libbeidpkcs11.so
– ssh-add -e /usr/.../libbeidpkcs11.so
● Do not forget when removing card!
– ssh-add -l

Shell scripts (!)

● Requires OpenSC
● pkcs11-tool with libbeidpkcs11
– One call per label
– Many confirmation dialogs...
● eidenv
– Doesn't use libbeidpkcs11
● No confirmation dialogs
● No Fedict support...

HTTP server

● Server-side application!
– Doesn't need card → doesn't need middleware
● Two major options:
– Mutual SSL
– eid-applet

Mutual SSL

● eID certificate was used at some point
● No guarantee that identity information is correct
● Enough for basic needs
● Client needs middleware installed
● Certificates on repository.eid.belgium.be
● Downsides:
– Difficult to debug for client in case of problems
– Antivirus MITM-proxies
– Vulnerable:
● XSS
● TLS session recovery
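Server-side handling of a mutual-SSL client certificate, as an added example that is not code from the talk or from Fedict. It assumes the subject layout of the constructed sample below (the “(Authentication)” CN suffix and the serialNumber field are assumptions), that the inputs come from `ssl.SSLSocket.getpeercert()` and `session_reused`, and placeholder paths for the CA bundle and CRL fetched from repository.eid.belgium.be.

```python
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns for an
# eID authentication certificate (layout and CN suffix are assumptions).
SAMPLE_PEER_CERT = {
    "subject": (
        (("countryName", "BE"),),
        (("commonName", "Jan Peeters (Authentication)"),),
        (("surname", "Peeters"),),
        (("givenName", "Jan"),),
        (("serialNumber", "00000000000"),),
    ),
}


def subject_field(cert, key):
    """Return the first value of a subject attribute, or None."""
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == key:
                return v
    return None


def identity_from_client_cert(cert, session_reused=False):
    """Return the identity a mutual-TLS handshake can vouch for, or None
    when the presented certificate must not be accepted as a login."""
    if not cert:
        return None  # no client certificate presented (or not verified)
    cn = subject_field(cert, "commonName") or ""
    # Only the authentication certificate is meant for logins; the signature
    # certificate exists for non-repudiation and must not open a session.
    if not cn.endswith("(Authentication)"):
        return None
    return {
        "given_name": subject_field(cert, "givenName"),
        "surname": subject_field(cert, "surname"),
        "serial": subject_field(cert, "serialNumber"),
        # A resumed session reuses an earlier handshake: the card need not be
        # in the reader any more, so require a fresh handshake for logins.
        "fresh": not session_reused,
    }


def make_server_context(ca_bundle_path, crl_path):
    """Client certificate required, chained to the Belgian roots; the ssl
    module does no OCSP, so a CRL is loaded for leaf revocation checks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    ctx.load_verify_locations(cafile=ca_bundle_path)
    ctx.load_verify_locations(cafile=crl_path)
    return ctx
```

Note that the result only states which card was present at the handshake; the identity data file on the card is not available this way, which is the “no guarantee” caveat above.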

eid-applet

● Complex server-side (tomcat, servlet, database, …)
➔ May be overkill for small sites
● Guarantees that identity information is correct
● Applet accesses smartcard directly, bypassing middleware
➔ Middleware not needed for client