Didier Stevens

Monday 31 December 2007

How Can I Trust the BeID Runtime?

Filed under: Encryption — Didier Stevens @ 10:57

As a Belgian citizen, the federal government issued me an electronic ID (eID). It’s essentially a smart card with personal data, my picture (jpeg) and a couple of X.509 certificates for authentication and digital signing.

One of its applications is authentication on web sites. And this is already possible now, provided I’ve a smart card reader and I install the necessary software provided by the federal government.

Now take a look at the properties of the Windows setup file for the eID client software:


Now I expect to see something here, but it’s missing. Do you miss it too? Here’s a hint:


That’s right, the installation program is not digitally signed (AuthentiCode). Neither are any of the executables installed by the installation program.

I’m surprised that the government invests in a PKI to issue IDs to all its citizens, yet it doesn’t deem it necessary to invest in a delivery mechanism that certifies the origin and integrity of the client software.

Blog at WordPress.com.