Didier Stevens

Monday 31 December 2007

How Can I Trust the BeID Runtime?

Filed under: Encryption — Didier Stevens @ 10:57

As a Belgian citizen, the federal government issued me an electronic ID (eID). It’s essentially a smart card with personal data, my picture (jpeg) and a couple of X.509 certificates for authentication and digital signing.

One of its applications is authentication on web sites. And this is already possible now, provided I’ve a smart card reader and I install the necessary software provided by the federal government.

Now take a look at the properties of the Windows setup file for the eID client software:


Now I expect to see something here, but it’s missing. Do you miss it too? Here’s a hint:


That’s right, the installation program is not digitally signed (AuthentiCode). Neither are any of the executables installed by the installation program.

I’m surprised that the government invests in a PKI to issue IDs to all its citizens, yet it doesn’t deem it necessary to invest in a delivery mechanism that certifies the origin and integrity of the client software.


  1. You’re correct, the government should sign the installation package. You should request this to Fedict (servicedesk at fedict.be).

    Just a correction: the CSP (the part doing the crypto stuff in Windows) is signed; it must be to be accepted by Windows. So, all authentication-related parts are performed by a signed software.

    Comment by Marc Stern — Wednesday 16 January 2008 @ 10:40

  2. I did a bit of research (I will post it soon) but here is the conclusion: the type of signature that is used to sign a CSP (beidcsp.dll in this case) by Microsoft is not the same as code signing (AuthentiCode). Technically, it is implemented differently and its goal is also different.

    Comment by Didier Stevens — Wednesday 16 January 2008 @ 20:17

  3. […] Quickpost — Didier Stevens @ 9:43 This post is the result of additional research started by this comment. A Cryptographic Service Provider (CSP) must be digitally signed by Microsoft before it can be […]

    Pingback by Quickpost: The Digital Signature of a Cryptographic Service Provider « Didier Stevens — Wednesday 23 January 2008 @ 9:44

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.