Signing GMail Messages with the Estonian eID PKI Card (Part 1)

General Technology 2016-04-01

After reading several articles about the Estonian eID, such as this one:

I’m now an Estonian e-resident, but I still don’t know what to do with it

it becomes clear that there need to be a few more use cases around the eID ecosystem. Cyrus Farivar (the author of the above article) already mentions how he used the system to sign an email, but there are some shortcomings, some of which he points out himself in his article:

  • The first problem is that in order for these types of systems to become popular, we need to make them extremely easy to use. Cyrus has used PGP before, which admittedly is one of the more complicated crypto systems to use, so he had an advantage over Joe Doe. I want to build a prototype system which is very easy to use (think: highlight some text, click “sign”, and out comes the signed signature, with a similar process to verify the signature).
  • As Cyrus pointed out:

    Worse, there appears to be no equivalent of a PGP keyserver. I couldn’t find an obvious way to locate someone’s public key

There is a way, but it’s not obvious at all, as we’ll see later in this article (it could be that there’s an easier way that I haven’t come across yet; I admit I haven’t dug around too hard or even contacted their support).

In the following video I’ll showcase a Proof-of-Concept Chrome plugin that allows you to sign an email (or any text really) by simply highlighting the text and clicking a single button. In part two I’ll show how to verify this signature. This proof of concept is by no means ready for a number of reasons:

  • The plugin only works on Linux at the moment. To save a bunch of work I used a very naive script that leverages pkcs15-crypt. Ideally this should be implemented as a self-contained solution.
  • The pkcs15-crypt script contains the private PIN in plaintext. A definite security no-no. A fixable problem for those who have the time.
  • There is an official Estonian JavaScript crypto library that leverages the card. I didn’t use it just because I wanted to build everything from scratch to learn. It’s obviously safer and easier to use their library (http://open-eid.github.io/#web-components).
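
One way to close the plaintext-PIN gap from the second point, as an added example (not the code from the author's repository): a wrapper that prompts for the PIN and hands it to pkcs15-crypt on stdin via `--pin -`, so it is neither stored in the script nor visible in the process list. It assumes a Python wrapper; the function names and the `key_id` value are hypothetical and depend on the card's PKCS#15 layout.

```python
import base64
import getpass
import hashlib
import os
import subprocess
import tempfile


def build_sign_argv(key_id, digest_path, sig_path):
    # "--pin -" tells pkcs15-crypt to read the PIN from stdin, so the PIN
    # never appears in the script source or in the process list (ps).
    return ["pkcs15-crypt", "--sign", "--pkcs1", "--sha-256",
            "--key", key_id, "--pin", "-",
            "--input", digest_path, "--output", sig_path]


def sign_text(text, key_id, ask_pin=getpass.getpass, run=subprocess.run):
    """Sign text with the card key key_id; returns a base64 signature.

    ask_pin and run are injectable so the flow can be exercised without a
    card. key_id is an assumption: it depends on the card's PKCS#15 layout.
    """
    # pkcs15-crypt signs a precomputed digest, so hash the text first.
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    with tempfile.TemporaryDirectory() as workdir:  # private dir, removed on exit
        digest_path = os.path.join(workdir, "digest.bin")
        sig_path = os.path.join(workdir, "signature.bin")
        with open(digest_path, "wb") as fh:
            fh.write(digest)
        pin = ask_pin("Card PIN: ")  # prompted without echo, never written to disk
        run(build_sign_argv(key_id, digest_path, sig_path),
            input=(pin + "\n").encode("ascii"),
            stdout=subprocess.DEVNULL, stderr=subprocess.PIPE, check=True)
        with open(sig_path, "rb") as fh:
            return base64.b64encode(fh.read()).decode("ascii")


if __name__ == "__main__":
    # "01" is a placeholder key id, not a value taken from the article.
    print(sign_text(input("Text to sign: "), key_id="01"))
```

When the script is started by the browser instead of a terminal there is no TTY for `getpass`, so `ask_pin` has to be replaced by a prompt that works without one.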

In this video I’ll just demo how to sign an email, while in the second part I’ll extend the Chrome plugin to verify a signature.

Before presenting the plugin, let’s address Cyrus’ issue that there isn’t a public key server. There is one, in the form of an LDAP server. There is also an OCSP server, which, however, is a paid subscription service. To use the LDAP server, you’ll need an LDAP browser. I used Apache Directory Studio, with the following settings for the LDAP connection:

When you connect, you see a bunch of folders (“organizational units” in LDAP parlance). If you navigate to c=EE, o=ESTEID (DIGI-ID E-RESIDENT), ou=digital signature you’ll see a list of e-residents, with their public certificate, as shown below.

There’s your public key server. I’ll be leveraging this in the second part of the series when we come to verify a signature. Note in the above figure how every person has a “serial number” which is also printed on the front of the e-ID card. Using this service and the serial number we should in theory be able to verify any Estonian e-Resident’s signature. So stay tuned for part 2.

In the meantime, enjoy the video showing the plugin in action below. PS, all the code I used so far can be found in my GitHub repo, here:

https://github.com/dvas0004/estonianEID_Lab

https://www.youtube.com/watch?v=BUwPZeyKuNU

Content by: Dvas0004's Blog (source link).
