Open eID Fraunhofer Wiki
Implementation of the protocols PACE, Terminal and Chip Authentication
Brought to you by:
open-eid
Menu
▾
▴
Implementation
Implementation
Fraunhofer FOKUS developed a Java implementation of the protocols described above. Also an Android app has been developed for the use with NFC capable Android smartphones. These implementations are open source. The implementation is pure Java and uses a small set of libraries, as there are:
- Bouncycastle: cryptographie
- SimpleXML: XML serialization
The implementation is structured with regard to the different protocols. Each Protocol is encapsulated in its own package.
EAC
Extended Access Control (EAC) comprises the three protocols PACE, Terminal Authentication and Chip Authentication. Therefore the EAC module contains the implementations and data structures for these protocols.
EID State Manager
This module provides implementations for maintaining and managing the eID protocol states and related data. Most important there is the “EacStateManager” which provides easy state maintenance of the whole eID process and can be used to iterate through the different steps.
The following example goes through each step of all three protocols. In the “PRE_PACE” state the CHAT is retrieved and a new CHAT which was defined by the user is set. It also checks if each step has performed successfully.
After certain steps in the whole eID process it is necessary to perform additional steps or to request user interaction. For example when the PIN and CHAT are required. That is why we created state processors that check each state and therefore can react on certain states.
EacStateProcessor is the basic processor that tries to get the PIN and user CHAT before starting pace. Later we added two processors that are employed with respect to whether the older PAOS binding (browser plugin) or the newer online authentication method is used.
Both Terminal and Chip Authentication make use of some object identifiers (OID) which are maintained in the corresponding classes ending on “OID”. Furthermore both protocols store information about the protocol version, OID and used key in their “*Info” classes.
ISO 7816-4
ISO 7816 standardizes chip cards. It is divided into four parts, whereas the fourth part specifies the commands that can be exchanged with a chip card.
Consequently this package contains implementations of all necessary commands for the eID client implementation as well as a secure messaging implementation.
Additionally, this module contains the “cryptography” package which comprises mainly classes for key creation and derivation. The “Symmetric” interface is a general abstraction for keys and algorithms that allow to encrypt and decrypt using one key. The “KeyDerivation” class allows to derive keys from a password by providing the type of the key that should be derived. Because a key is always derived from some key material and keys with different encryption algorithms use different ways of deriving the key from this material the “Key” class was introduced to abstract from the underlying specialized keys.
To extend the application with further cryptographic algorithms for key derivation, the algorithm has to be realized first implementing the “Symmetric” interface and a key class should be created afterwards that uses this algorithm implementing the abstract “Key” class.
eCard API
The eCard API specifies an interface to different kinds of smart cards including the German eID cards. For the eID client this specification is relevant for the communication with the eID server. The corresponding module contains generated classes for XML serialization and de-serialization in order to easily create SOAP messages for this communication.
UbiPOL Integration
eID Android Client
For the Android eID App can be called by starting an Intent with the mime-type “application/vnd.ecard-client” and the action “ATTACH_DATA”. The eID-App will then go through the process performing all protocol steps. After the data was read by the eID-Server the eID App will close and the calling app will come to the front again.
