cliffdeclerck / eid-applet

Automatically exported from code.google.com/p/eid-applet

New mode? Auth + Ident? #12

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

For now, you have Authentication and Identification, but for
identification there is no real validation of data. What about a third
mode Auth+Identification in which an MD5 on the data is added to the
challenge? It would improve reliability on the data and we would be
able to avoid "man in the middle" attacks.

What is the expected output? What do you see instead?

In my usage, I need the auth and the identification, meaning I need to make
two requests for having the whole data and I'm not even sure the data in
identification is safe. 

An extra mode with a signature on the data would improve my process and
would guarantee the integrity of the data, or at least make it less
sensitive to man in the middle attacks.

Original issue reported on code.google.com by sbuyss...@gmail.com on 11 Sep 2009 at 2:25

GoogleCodeExporter commented 9 years ago
If you check out:
http://code.google.com/p/eid-applet/source/browse/trunk/eid-applet-service/src/main/java/be/fedict/eid/applet/service/impl/handler/IdentityDataMessageHandler.java#190

you'll notice that the eID Applet Service already has such a feature. If you first
perform an eID authentication, then a following eID identification will have the
national registration number of the authentication checked against the one inside the
identity file. Digesting the identity file inside the authentication signature is not
necessary as you can link the two via the national registration number.

Anyway, for the version 1.1 of the eID Applet we have planned some rework in this
area. In the future it will be possible to combine both the authentication and
signature creation operations with eID identification. For authentication this is
useful when constructing a 'dynamic' identity provider. For signature creation this
is important to be able to digest identity data and certificates as part of the
signature.

Original comment by frank.co...@gmail.com on 12 Sep 2009 at 7:15
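Added example, not part of the original thread and not the eID Applet Service's own code: a server-side sketch of the link described in the comment above, where the national registration number from a completed authentication is checked against the one in the identity file received afterwards. Assumptions: a simplified tag/length/value identity file with one-byte lengths, tag numbers 6 and 7, the hypothetical `EidSession` class, and a policy that refuses identification without prior authentication; all sample values are constructed.

```python
NATIONAL_NUMBER_TAG = 6  # assumed tag of the national registration number
NAME_TAG = 7             # assumed tag of the surname


def parse_tlv(data: bytes) -> dict:
    """Parse tag/length/value records (simplified: one-byte lengths)."""
    fields, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        if tag in fields:
            # A repeated tag lets two parsers disagree on which value counts.
            raise ValueError("duplicate TLV tag %d" % tag)
        fields[tag] = value
        i += 2 + length
    return fields


class EidSession:
    """Hypothetical per-user server session state."""

    def __init__(self):
        self.authenticated_nrn = None

    def on_authentication(self, nrn: str) -> None:
        # Call only after the signature over the server challenge and the
        # certificate chain have been verified (not shown here).
        self.authenticated_nrn = nrn.encode("ascii")

    def on_identification(self, identity_file: bytes) -> dict:
        if self.authenticated_nrn is None:
            raise PermissionError("no authentication in this session")
        fields = parse_tlv(identity_file)
        if fields.get(NATIONAL_NUMBER_TAG) != self.authenticated_nrn:
            raise PermissionError("identity file does not match authenticated user")
        return fields


def tlv(tag: int, value: bytes) -> bytes:
    """Build one record for the constructed samples below."""
    return bytes([tag, len(value)]) + value


# Constructed sample data, not real card contents.
ALICE_FILE = tlv(NATIONAL_NUMBER_TAG, b"85010112345") + tlv(NAME_TAG, b"Alice")
MALLORY_FILE = tlv(NATIONAL_NUMBER_TAG, b"90020254321") + tlv(NAME_TAG, b"Mallory")
```

This check ties only the national registration number to the authenticated session; it does not by itself cover the other fields in the identity file.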

GoogleCodeExporter commented 9 years ago
For signature creation it is already possible to also retrieve the non-repudiation
certificate chain during the pre-sign phase.

Original comment by frank.co...@gmail.com on 28 Oct 2009 at 7:07

GoogleCodeExporter commented 9 years ago
Hello,

I am using PHP.

Does it mean that if I need to authenticate someone, create the NRCID and also have
identification data, I have to first run the applet in authentication mode, then in
identification mode?
Then, I'll have to compare the authenticated national ID against the one coming with
the identification data. Am I right?

Original comment by php.h...@wanadoo.fr on 8 Dec 2009 at 12:12

GoogleCodeExporter commented 9 years ago

Original comment by frank.co...@gmail.com on 4 Jan 2010 at 4:09