Didier Stevens

Monday 31 December 2007

How Can I Trust the BeID Runtime?

Filed under: Encryption — Didier Stevens @ 10:57

As a Belgian citizen, the federal government issued me an electronic ID (eID). It’s essentially a smart card with personal data, my picture (jpeg) and a couple of X.509 certificates for authentication and digital signing.

One of its applications is authentication on web sites. And this is already possible now, provided I’ve a smart card reader and I install the necessary software provided by the federal government.

Now take a look at the properties of the Windows setup file for the eID client software:

beid-properties.png

Now I expect to see something here, but it’s missing. Do you miss it too? Here’s a hint:

beid-properties-authenticode.png

That’s right, the installation program is not digitally signed (AuthentiCode). Neither are any of the executables installed by the installation program.

I’m surprised that the government invests in a PKI to issue IDs to all its citizens, yet it doesn’t deem it necessary to invest in a delivery mechanism that certifies the origin and integrity of the client software.

3 Comments »

  1. You’re correct, the government should sign the installation package. You should request this to Fedict (servicedesk at fedict.be).

    Just a correction: the CSP (the part doing the crypto stuff in Windows) is signed; it must be to be accepted by Windows. So, all authentication-related parts are performed by a signed software.

    Comment by Marc Stern — Wednesday 16 January 2008 @ 10:40

  2. I did a bit of research (I will post it soon) but here is the conclusion: the type of signature that is used to sign a CSP (beidcsp.dll in this case) by Microsoft is not the same as code signing (AuthentiCode). Technically, it is implemented differently and its goal is also different.

    Comment by Didier Stevens — Wednesday 16 January 2008 @ 20:17

  3. [...] Quickpost — Didier Stevens @ 9:43 This post is the result of additional research started by this comment. A Cryptographic Service Provider (CSP) must be digitally signed by Microsoft before it can be [...]

    Pingback by Quickpost: The Digital Signature of a Cryptographic Service Provider « Didier Stevens — Wednesday 23 January 2008 @ 9:44


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 227 other followers

%d bloggers like this: