Monthly Archives: November 2008

R10 : eID Firefox Extension

[Work done from 3rd November to 16th November 2008]

After started to work on the new architecture of the eID system, I started to worked on the browser extension and with the Desktop application. I created the Firefox extension to get the policy from the Re lain party and display it to the client in a formatted manner to get the confirmation from the client.

Then I have to pass the policy to the desktop allocation (that is not fully functioning ), to sign the policy by the client.

When I was developing the Firefox extension, I faced many problem with that. First I needed to start it from the scratch, and I needed to study about the XUL and JavaScript Java bridge XPCOM. They were very new for me.

And now I’m working with the desktop application. And we are also updating out blog at blog.project-eid.org.

Shayanth

Filed under Reports

R10: Working on Java Card Applets

[Work done from 3rd November to 16th November 2008]

For the last two week period I was busy with completing my modules for the demonstration. I was doing the development in the Java card environment, I had to develop an applet which will be deployed in a Java card as a CAP file. The methods defined in these applets can be accessed in two methods, message passing model and Remote method invocation method. I’m developing a terminal application which is a normal java program which will reside in the local machine and can communicate with the Java smart card. This is very essential as this is the main component which can help to demonstrate the functionality of Java card applet. Otherwise the applet can be converted to a CAP file and deployed to a Java card, but there is no way to check the functionalities.

We had a meeting with our project supervisor Dr.Chandana Gamage and discussed the progress of the project. During the meeting we finalized the deliverables of the project. We are still updating our blog at project website blog.project-eid.org with the latest updates and progresses of the project. The project website is also being updated periodically.

In addition to the meeting with the supervisor, we had several group discussions and exchanged ideas. Each one of us are responsible for clearly separated modules of the project, and also we have to interact within those modules. For this purpose each one of us should be aware of other’s work. For this purpose we are having online conferencing whenever needed.

Filed under Reports

R10: Deploying eID Web Service

[Work done from 3rd November to 16th November 2008]

After moving to the new architecture of the eID system, I continue my works with the Web Service again. First of all, I start to design the class which will be useful for the Develop the web service.

The service which should provide to the cardholder by the eID web service is first verifying Reliant Parties and cardholder. Then replying with an authenticating or an identification token, according to the Reliant Parties Policy request, send to the web service and the access level of the Reliant Party.

In here first eID web browser plug-in will take the policy of the Reliant Party and the Signature for that Policy from the Reliant Party. Then that Plug-In will clarify that policy with the cardholder and using the eID card it will sign the policy and invoke the eID web service using Authentication operation in web service.

Inside the web service that will take the policy and first of all it will verify that is policy is not tampered one using the signature send by the Reliant Party and the cardholder. If the policy is verified then web service will create a token and encrypt it with RP’s public key reply back with tat encrypted token.

Here policy request of the Reliant Party is consist of Reliant Parties eIDcode and the Claims that are need for the authentication process. And Also Token send by the Web Service will be consisting of the information according to the policy sent.

I used AXIS2 and WSO2 WSAS IDE for deploy the web service. Also, I used RSA Encryption and Decryption mechanism for the secured communication. For the signing purposes I used SHA1withRSA Signature and verification mechanism.

Using those technologies I deployed web service which has Core functionalities. Then I did a demonstration to group member about the web service. Still need some secure mechanisms for web service and I’m expecting to add those functionalities with in next week.

Filed under Reports

R10: Offline Application and Deadlines

[Work done from 3rd November to 16th November 2008]

We started working more on the project as we had set some of our own deadlines after our switch to the new architecture.

I’ve been working on the Read Only USB based eID, which will another form of eID apart from the Smart Card based eID. I research about how to make a USB memory stick read only and found no possitive results on that, but I’m continuing to find other workarounds to tackle this issue.

I’m also working on the Offline Identification Application of the eID frame work. This is a standalone application that will run is a special devide. This application will also include a PoI database verification, and I’m working on that too. This involves key verification of the eID file, and I’m currently implementing this to support only USB memort based eIDs, but we might extend it to Smart Card based eID also.

I also did some modifications in out CSE SVN repository to use externals, and also did some modification in the Project eID website.

We are also continiously updating our website at www.project-eid.org, and out blog at blog.project-eid.org.

Filed under Reports

Pre 3rd Formal Evaluation Demo

We are having the 3rd Formal Evaluation of our project on the 27th Thursday, and we were asked to do a pre demo to our project supervisor Dr. Chandana Gamage. This is just an update of that demo session, and feedback we received.

At today’s demostration we were able to show the following components of out project:

  • Browser plug-in (Very Basic version)
  • Authentication Web Service
  • Java Card eID (with basic functionalities)
  • Off-line Identification Application (without PoI database functionalities)

Some feed back we received:

  • Relying Party Policy
    • Include Privacy Definitions
    • Privacy Levels
    • Standard Privacy Policy
  • UI Engineering
    • Colour levels in Browser Plugin while getting user acceptance
    • User Friendly Interfaces
    • Elegant design for offline application
    • More graphical, but neat appearance in the offline application
  • Policy encryption
    • Not really needed, but can make it no visible
    • Using Rampat would solve this
  • Replay Attacks
    • At user end time stamp should be added to relying party policy and signed
    • Checking for defined time frame at WS

Out project supervisor was stisfied with out progress so far, and wanted to do some more before the evaluvation on 27th. He also mention that finishing the project by the end of December is good, and we are also working towards that goal.

Filed under News

Browser Plug-in Workflow

We are in the process of developing the eID Browser Plug-in. This will be divided into two parts, one plug-in and the second underlying application, which will do the real work.

We just discussed about the basic workflow of messages/actions in the browser plugin. I’ll just summerise what we have decided on.

Starts with the browser plug-in in the user’s browser.

  • Browser page detected – using some tags or some other method
  • Get the signed policy file from the Relying Party
  • Get user acceptance to the policy
  • Pass it down to the application

Now the underlying application will take control.

  • Application access the eID card (Smart Card/USB)
  • Do signing and encryption as needed
  • Policy need to be signed by the user to ensure acceptance
  • Send to Web Service

Now the ball in the court of WS. It does whatever it need to do and it will reply to the application. Application gets control again.

  • Analyse the received reply
  • Send back the reply to the browser plug-in

Control back to the plug-in. Send the reply back to the Relying Party website, and the user continues to do this stuff at the site.

This might be a long list but this need to happen within about a 15-30 seconds, and I think Shayanthan and Ramanan will make sure this works. Will keep updated one more soon.

Filed under Articles, News

SVN Externals for CSE Repo using TortoiseSVN

I have just finished adding the svn:externals property to our SVN repository at university, to enable pulling the commits from our Project eID repository.

We were recently given a Subversion repository for project purposes at our university which is at http://repos.cse.mrt.ac.lk/05/cnwisg2/. But as we are already having setup our Project eID repository at http://svn.project-eid.org/eid/ I thought of using svn:externals at the CSE repository, thanks to Senaka for proposing the idea.

I used TortoiseSVN to do this, though this can be done with any SVN client (including the geekey command line client). Thanks to this and this, now things are working fine.

Just for the information I used the following properties with svn:externals

trunk      http://svn.project-eid.org/eid/trunk/
branches   http://svn.project-eid.org/eid/branches/

Filed under Articles, News

R9: A new direction

[Work done from 20th October to 2nd November 2008]

During this period we had couple of meetings with our project supervisor Dr. Chandana Gamage, which lead us to a redesign of our architecture. We found that there were some flaws in our earliear architecture, in which the eID WS was sitting on the middle, which could easily lead to problems in terms of load as well as attack prone.

So we discussed on this as decided to make the end-user to be at the end and include one more application to our deliverables list that would be a browser plugin. This plugin will now at as the center point which will handle the message flow from relying party, web service and the eID card.

Also we decided to add one more deliverable to our project in the form of an alternative eID card to smart card based one, using a read-only memory stick. Though this would miss some security advantges, this could give some advantage interms of cost of the device.

I was mainly working on the above two modules of the project during this period. There were no many ways to make a normal USB drive readonly at software level, but it could be done at hardware level. Also there is the option of using virtual partition of the USB drives but this might lead to a Windows-only kind of a situation with my current observations. So I’m exploring into options for possible alternatives to build as read-only memory based eID card.

I have also setup the project repository at http://svn.project-eid.org to which we will be committing our codes in future.

We also finalized our list of final project deliverables with our supervisor as follows.

  • eID card
    • Smart card based
    • Read-only memory based
  • Online Authentication Web Service
  • Browser plugin for online authentication
  • Offline Authentication Application
  • Card issuing/creating application
  • 2 (or 3) Research Papers

I think we are on track now, and with some speed up development we can do think better in days to come.

Filed under Reports

R9: Moving to new Architecture

Due to problem we had with web service developments, we meet Dr. Chandana Gamage within the week started after the vacation. Then we discussed about the current situation of the project and the problems we had regarding the eID system architecture and web service development. Finally in that meeting we figure out several problems with the architecture.

  • High probability of malicious attacks to eID system
  • Most of the processing are happening in the server side (high work load on server)
  • Difficulty of developing a web service with that architecture

Because of that, I proposed new idea about the system architecture. Which is more user controllable and more secured. After the meeting with Dr. Chandana Gamage, we had another group meeting and discussed about problems we had and solutions provided by the new architecture. Also, abilities we have to be continued with the existing architecture.

Then again we had meeting with Dr. Chandana Gamage, regarding the latest condition of the project architecture. Finally we decided, that is better to move in to new architecture which is having more capabilities of implementing eID system.
Also in that meeting Dr. Chandana Gamage advice us to come across a mechanism, which is using read-only USB memory stick for eID card rather than USB smart card.

After that, I start to develop the eID web service according to the new architecture. Also I had read lots of articles about the AXIS2 and AXIOM data modal. Also after some discussions we decided to use “RSA” for encryption, decryption and signing.

Filed under Reports

R9: Java Card applet

[Work done from 20th October to 2nd November 2008]

For the last two week period I was working with Java card technology, which was not so familiar already. So I had to refer to many web resources to learn the basic concepts and programming techniques. The website belong to Sun microsystems on Javacard Technology was really helpful in finding the necessary information. I supposed to use the Javacard development kit (v 2.2.2) together with Apache ant for creating ant builds. Many information available on the web is mainly useful in credit card sort of programming problems, and I had to extract the useful information out of that and use in our eID domain.

Through continuous reading I found that we need to use applets in Javacard to implement additional functionalities. So I started writing the applet to be used in the eID smart card. Many of the functionalities are implemented and some additional functions have to be implemented after the completion of other components of the overall system, because those functions have to be called by those particular components and presently I don’t have enough information and specifications to implement them. Mainly because there is a desktop application which accesses the card also interacts with eID authentication Webservice. I need the policy and the message exchange formats to complete that part. But that is not such hard work compare to other components of the system.

Presently this implementation is only in Java Development Kit’s JCRE (Java Card Runtime Environment) and as soon as we get the actual Java Card we will implement this to that. We are making arrangements to buy a Java Card with card reader or USB Java Card. We are going to have two deliverables as the eID container. One will be smart card based and another one will be our own read only USB stick. The second option was suggested by our superviser and we are trying to build our own stick(We are not going to create electronic circuits, but going to make them read-only).

We had two meetings with our project superviser Dr.Chandana Gamage, in which we discussed several issues in the application development. Some of the architecture components had to be changed. So, We redesigned the architecture, discussed that with the superviser and confirmed that. We were adviced to have regular meetings with him to update the project progress.

Filed under Reports