Integrating the Belgian e-ID into Android

Gauthier Van Damme Karel Wouters Danny De CockDries Schellekens

Katholieke Universiteit LeuvenESAT/SCD/IBBT-COSIC

Droidcon, 2011

ESAT/SCD-COSIC (KUL) Integrating the Belgian e-ID in Android Droidcon, 2011 1 / 14

Outline

1 The Belgian e-ID cardThe Belgian e-ID cardThe open source Belgian e-ID card

2 Building a secure application on AndroidSecure Elements in Mobile PhonesWorking with Secure Elements in Android

3 Belgian e-ID for AndroidBelgian e-ID for AndroidOpportunities & pittfalls for mobile e-ID

ESAT/SCD-COSIC (KUL) Integrating the Belgian e-ID in Android Droidcon, 2011 2 / 14

Outline

1 The Belgian e-ID cardThe Belgian e-ID cardThe open source Belgian e-ID card

2 Building a secure application on AndroidSecure Elements in Mobile PhonesWorking with Secure Elements in Android

3 Belgian e-ID for AndroidBelgian e-ID for AndroidOpportunities & pittfalls for mobile e-ID

ESAT/SCD-COSIC (KUL) Integrating the Belgian e-ID in Android Droidcon, 2011 3 / 14

The Belgian e-ID card

March 31st, 2003: �rst Belgian e-ID cards issued

Today: almost 10 million cards active

Printed information provide for normal citizen identi�cation

Java Card application for secure data & key storage:I PKI based on X.509 v3 certi�catesI Two key pairs per citizen are de�ned inside this PKI

F Authentication key pair for client authenticationF Non-Repudiation key pair for �le signature

I Key usage is PIN protected

ESAT/SCD-COSIC (KUL) Integrating the Belgian e-ID in Android Droidcon, 2011 4 / 14

The e-ID Quick Key Toolset

Belgian e-ID application is closed source and rigid ⇒Open Source version developed for innovation & security purposes

Can be written on any Java Card

Enables creation of e-ID clones

Cryptographic keys of course di�erent

See: http://code.google.com/p/eid-quick-key-toolset/

ESAT/SCD-COSIC (KUL) Integrating the Belgian e-ID in Android Droidcon, 2011 5 / 14

Outline

1 The Belgian e-ID cardThe Belgian e-ID cardThe open source Belgian e-ID card

2 Building a secure application on AndroidSecure Elements in Mobile PhonesWorking with Secure Elements in Android

3 Belgian e-ID for AndroidBelgian e-ID for AndroidOpportunities & pittfalls for mobile e-ID

ESAT/SCD-COSIC (KUL) Integrating the Belgian e-ID in Android Droidcon, 2011 6 / 14

Secure Elements in Mobile Phones

Mid-1990s: idea of Secure Element (SE) accessible by mobile phoneapplications→ Securely store data and keys

Mostly Java Cards as compatible platform

Applications managed by one entity

3 Secure Element versions found today:I In SIM, controlled by MNOI Embedded in phone, controlled by OEMI On microSD card, controlled by card distributor

ESAT/SCD-COSIC (KUL) Integrating the Belgian e-ID in Android Droidcon, 2011 7 / 14

Java Card 2.2.x as Secure Element

Compliant to the ISO 7816 standard:I Communication done through APDUsI Prede�ned �le types & structureI De�nes an extensible set of card commands

Primitive subset of the Java environment:I Data types: boolean, short, string, arraysI Packages, classes, interfaces, and exceptionsI Dedicated libraries for cryptographic operationsI No garbage collectionI No multithreading

Class �les converted to `cap' �les, loaded on Java Card→ According to Global Platform speci�cations for card management→ Each applet unique AID on card

ESAT/SCD-COSIC (KUL) Integrating the Belgian e-ID in Android Droidcon, 2011 8 / 14

Working with Java Cards in Android

1. Develop your Java Card applet & load it into the SEI Load it into your SE using program of your choice (e.g. GPShell)I It will respond to APDUs coming from your mobile phoneI e.g. Verify PIN, Sign Data, Encrypt Data, etc.

2. Have a smart card driver installed on the phone

3. Develop your android applicationI Need library to access driverI Have a SmartCardClient to initialise a smart card connection

I Initialise your SmartCardClient

ESAT/SCD-COSIC (KUL) Integrating the Belgian e-ID in Android Droidcon, 2011 9 / 14

Working with Java Cards in Android (2)

I Connect to your application on the smart cardI Start communicating with your application

I Don't forget to clean up smart card connection

ESAT/SCD-COSIC (KUL) Integrating the Belgian e-ID in Android Droidcon, 2011 10 / 14

Outline

1 The Belgian e-ID cardThe Belgian e-ID cardThe open source Belgian e-ID card

2 Building a secure application on AndroidSecure Elements in Mobile PhonesWorking with Secure Elements in Android

3 Belgian e-ID for AndroidBelgian e-ID for AndroidOpportunities & pittfalls for mobile e-ID

ESAT/SCD-COSIC (KUL) Integrating the Belgian e-ID in Android Droidcon, 2011 11 / 14

Belgian e-ID for Android

Used Giesecke & Devrient secure microSD card as Java Card

Used open source Smart Card driver & library

Source code & further info found at:http://code.google.com/p/seek-for-android/

Contains:I Full e-ID clone on microSD cardI Read functionalitiesI Data & �le signingI Data loading and veri�ctation

ESAT/SCD-COSIC (KUL) Integrating the Belgian e-ID in Android Droidcon, 2011 12 / 14

Opportunities & pittfalls for mobile e-ID

Authenticated cryptographic primitives & ID could enable:

+ Signing documents & mails easily & everywhere

+ Secure authentication to web and other servers

+ Visual citizen identi�cation: visual/NFC/...

+ Direct picture or video watermarking

+ Setting up encrypted communication channels (e.g. in VoIP)

Unfortunately:

- No visual security measures can be implemented

- In case of malware on phone: security & card blocking risk→ `Always-on' connection!

ESAT/SCD-COSIC (KUL) Integrating the Belgian e-ID in Android Droidcon, 2011 13 / 14

Future Work

Current & Future work:

Extend e-ID for anonymous petition signing on mobile phone

Use e-ID in mobile banking application

Questions?

Acknowledgment:

Giesecke & Devrient for their support

Belgian Government (FEDICT) for the close collaboration

ESAT/SCD-COSIC (KUL) Integrating the Belgian e-ID in Android Droidcon, 2011 14 / 14