ELSTER and QES


ELSTER and QES

Tormen
Hi,

I am wondering if you ever heard about or could point me in the right
direction regarding a setup that would work with (pass the test done by)
the java applet from this website here:
    https://www.elsteronline.de/eportal/eop/auth/ElsterfitR.tax
?

Even though the German ELSTER support does officially state that the
usage of signature cards (smart-cards) under Linux is not possible,
curiously though, for me it loads (after it installed an outdated
version (< v1.3) of iaikPkcs11Wrapper (http://jce.iaik.tugraz.at), but
only to present me an /empty/ select box asking to choose my signature
card type.
Maybe just because I don't have the right driver(s) installed? Or am I
missing the right card?
I was wondering if anyone with the right setup (already working
signature cards for some purpose) could have a short look at this page
and see if his/her signature card would get recognized by the applet.

I am not yet in the possession of any signature capable smart-card
myself, but I do possess a ReinerSCT CyberJack e-com v3, which should be
capable of dealing with signature cards from what I read so far. Can
anyone confirm that?
What signature card would be a good choice regarding good LINUX support
(in general)?

Also on a more general level:
Does anyone know of any LINUX compatible setup that would allow
signature card (so using an external card-reader with its own pin-pad)
based delivery of German tax declaration (ELSTER)?

I just can't believe that this should not be possible. There seems to be
plenty of bits and pieces. I am slowly trying to put them together.

From what I know:
        * there are a bunch of officially supported signature cards, so I guess
one must use one of these cards ? [1]
        * then of course you need a card-reader which is able to access this
card for you
        * and here it becomes fuzzy for me, I read about the CSP (cryptographic
service provider) - a middleware between the card-reader (driver) and
the application ... like cups for printers under linux ... this is what
I deem openSC to be !? And is openSC language specific (e.g. java?) or
are there bindings for many programming languages?

How does the iaikPkcs11Wrapper fit into that picture ?
Would it be sitting between openSC and the Java-app(let in the browser)
... so basically iaikPkcs11Wrapper is the java specific SC framework?
Does PKCS11 stand for personal key card standard 11 or 1.1 ?
And a personal key card is ... a smartcard ?

Related to this "stack" of layers: I read that openSC seems to be usable
from the browser.
How would this then (technically) work? Through a plugin in Mozilla
firefox or does this need to be compiled into firefox itself?

More specifically: Does this browser integration then get rid of the
need for a [java] middleware layer entirely ?
I read that ELSTER now wants to work without JAVA and partly already
does and was wondering how such a solution supporting signature-cards
(with the focus on LINUX) could look like.

Further related to "browser supporting smartcards": I read that Google
plans to support the U2F (yet-to-be-finished-by-FIDO??) standard in
their Chrome browser.

For this I read in a non-technical source that Google modified their
browser code in order to support the U2F ... what did they
change/integrate? and how does this relate to the layers of software
necessary to talk to the U2F device, which in any case from what I
understood will be a smartcard (?):

Yubico NEO - praised to be the "First authentication device to comply
with Universal 2nd Factor (U2F) requirements" [2]

The NEO implements a CCID compliant USB token, including secure element
and JavaCard. Current version limited to an OpenPGP applet.
Interestingly their former Yubikey functionality is then implemented as
another java(?) applet sitting on this JavaCard/JCOP framework [3]
Or as Yubico states it:
"""
The NEO is built around a secure element, featuring Javacard 3.0 and
JCOP 2.4.2 R1, which complies to the Global Platform specification
version 2.1. With this, Javacard applets designed for traditional
smartcards can be loaded into the NEO and accessed using tools and
middleware that works with Javacard and CCID, such as PC/SC
"""

Even though I still have a lot of (obvious ;) half-knowledge about the
specific topic of signature-cards (QES) and smartcards in general,
please feel free to answer in technical terms ... I will then try
to puzzle together the rest :)

I saw that on this list there are some @gmx addresses, which might
indicate German roots. On that note, I wanted to

*** know if one of you does happen to know more about the German nPA
(new electronic PersonalAusweis) ?

The sign-me certificate on the nPA uses the X.509
standard and uses ECC, not RSA (wonder why?).
I am not quite sure yet, what to think about this, but wouldn't it maybe
be nice to use this nPA with your 6 digit pin to be able to do a
qualified electronic signature (QES)?
What about possible Linux support there? Could this maybe be the
solution for submitting ELSTER with signature card?

*** share that it makes me really angry that :
    (a) They don't publish ElsterFormular / ElsterOnline as openSource.
They could still maintain it, but benefit from
forks/spin-offs/contributions. Especially as this is a non-commercial
and non-secret software: In the end this software does what we taxpayers
did in the past, it transmits filled and signed forms. And moreover it
is targeted at a large public with all German taxpayers (as a community)
financing this software!

    (b) Europe (Germany) on one hand files lawsuits against Microsoft
for having a monopoly on the OS market and on the other hand ELSTER more
or less only targets the Windows OS:
        * ELSTER plus (Signature Card) is only available for Windows
        * There is only a Windows version of ELSTER Formular, even though it
seemingly is based on QT
They should have an obligation to offer support for free OS alternatives!

    (c) For businesses it is mandatory since January 2012 [4] and now I
read that they want to make it mandatory to hand in the tax declaration
electronically in 2014 and do not offer a secure possibility [5] to do
so under a free operating system (LINUX) without buying third party
software (and I am fine with paying for the necessary hardware once!)

But is it possible at all under Linux (and if yes HOW and if not WHY
NOT) ... I only found some indications so far and am still (as I am not
a SC specialist) trying to puzzle this together...


Cheers,

Tormen


[1] https://www.elsteronline.de/eportal/UnterstuetzteSignaturkarten.tax

[2] https://www.yubico.com/products/yubikey-hardware/yubikey-neo/

[3] Chapter 7.6 in
https://www.yubico.com/wp-content/uploads/2013/07/YubiKey-Manual-v3_1.pdf

[4] https://www.elster.de/untern_recht.php

[5]
I don't like the ELSTER Spezial Sicherheits-stick, because the PIN
to access the private key on the stick will have to be entered on the
computer! (a) and (b) why buying / having another crypto hardware if I
already have a cardreader for my HBCI online banking.
Plus I must wonder why the ELSTER-Special solution got classified as
"very secure" even though such a setup for HBCI online banking would
only get classified as medium secure, but not very secure, because it
only is very secure if the PIN is entered on the cardreader itself :/
->
So "secure possibility" for me must refer to a smartcard-reader with pinpad.


_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Re: ELSTER and QES

Andreas Schwier (ML)
Hi Tormen,

see below.

On 10/31/2013 07:03 PM, Tormen wrote:

> Hi,
>
> I am wondering if you ever heard about or could point me in the right
> direction regarding a setup that would work with (pass the test done by)
> the java applet from this website here:
>     https://www.elsteronline.de/eportal/eop/auth/ElsterfitR.tax
> ?
>
> Even though the German ELSTER support does officially state that the
> usage of signature cards (smart-cards) under Linux is not possible,
> curiously though, for me it loads (after it installed an outdated
> version (< v1.3) of iaikPkcs11Wrapper (http://jce.iaik.tugraz.at), but
> only to present me an /empty/ select box asking to choose my signature
> card type.
> Maybe just because I don't have the right driver(s) installed? Or am I
> missing the right card?
> I was wondering if anyone with the right setup (already working
> signature cards for some purpose) could have a short look at this page
> and see if his/her signature card would get recognized by the applet.
You will need a PKCS#11 middleware that matches your signature card.
OpenSC supports some older cards available in the German market.

>
> I am not yet in the possession of any signature capable smart-card
> myself, but I do possess a ReinerSCT CyberJack e-com v3, which should be
> capable of dealing with signature cards from what I read so far. Can
> anyone confirm that?
Yes, ReinerSCT works well with signature cards.

> What signature card would be a good choice regarding good LINUX support
> (in general)?
As we've just added support for the current D-Trust card [1], I would
recommend it.

>
> Also on a more general level:
> Does anyone know of any LINUX compatible setup that would allow
> signature card (so using an external card-reader with its own pin-pad)
> based delivery of German tax declaration (ELSTER)?
>
> I just can't believe that this should not be possible. There seems to be
> plenty of bits and pieces. I am slowly trying to put them together.
>
> From what I know:
> * there are a bunch of officially supported signature cards, so I guess
> one must use one of these cards ? [1]
> * then of course you need a card-reader which is able to access this
> card for you
> * and here it becomes fuzzy for me, I read about the CSP (cryptographic
> service provider) - a middleware between the card-reader (driver) and
> the application ... like cups for printers under linux ... this is what
> I deem openSC to be !? And is openSC language specific (e.g. java?) or
> are there bindings for many programming languages?
On Linux the stack is

card reader -> PC/SC Daemon -> PKCS#11 Middleware ->
OpenSC-Java/SunPKCS#11/IAIKWrapper -> Java application

A CSP is required for Microsoft applications like Outlook or IE.

>
> How does the iaikPkcs11Wrapper fit into that picture ?
It's one of the three alternatives SunPKCS#11 / OpenSC-Java or IAIKWrapper
> Would it be sitting between openSC and the Java-app(let in the browser)
> ... so basically iaikPkcs11Wrapper is the java specific SC framework?
No, it's the wrapper that makes PKCS#11 available to the applet.

> Does PKCS11 stand for personal key card standard 11 or 1.1 ?
No, PKCS = Public Key Cryptography Standards - Wikipedia is your friend.

> And a personal key card is ... a smartcard ?
Yep.

>
> Related to this "stack" of layers: I read that openSC seems to be usable
> from the browser.
Firefox, Thunderbird, Acrobat Reader and OpenOffice all have a PKCS#11
interface that allows the application to perform cryptographic
operations with keys stored in the smart card.
> How would this then (technically) work? Through a plugin in Mozilla
> firefox or does this need to be compiled into firefox itself?
You go to Edit/Preferences/Advanced/Certificates/Security Devices and
add the PKCS#11 module (dll/so) to the list. This makes all certificates
and keys on the card available to the browser.
>
> More specifically: Does this browser integration then get rid of the
> need for a [java] middleware layer entirely ?
No, this only allows the browser to access the card. It does not allow a
web application any access. So doing an electronic signature still
requires some application that prepares the data to be signed and then
calls the sign operation via the PKCS#11 interface.

> I read that ELSTER now wants to work without JAVA and partly already
> does and was wondering how such a solution supporting signature-cards
> (with the focus on LINUX) could look like.
>
> Further related to "browser supporting smartcards": I read that Google
> plans to support the U2F (yet-to-be-finished-by-FIDO??) standard in
> their Chrome browser.
U2F tries to establish a secure key store at the client in which a
server can generate keys and use that key for authentication in
subsequent sessions.
>
> For this I read in a non-technical source that Google modified their
> browser code in order to support the U2F ... what did they
> change/integrate? and how does this relate to the layers of software
> necessary to talk to the U2F device, which in any case from what I
> understood will be a smartcard (?):
Nobody knows - there are no public specifications yet.

>
> Yubico NEO - praised to be the "First authentication device to comply
> with Universal 2nd Factor (U2F) requirements" [2]
They are working with Google on U2F - other than that it's probably
snake oil.

>
> The NEO implements a CCID compliant USB token, including secure element
> and JavaCard. Current version limited to an OpenPGP applet.
> Interestingly their former Yubikey functionality is then implemented as
> another java(?) applet sitting on this JavaCard/JCOP framework [3]
> Or as Yubico states it:
> """
> The NEO is built around a secure element, featuring Javacard 3.0 and
> JCOP 2.4.2 R1, which complies to the Global Platform specification
> version 2.1. With this, Javacard applets designed for traditional
> smartcards can be loaded into the NEO and accessed using tools and
> middleware that works with Javacard and CCID, such as PC/SC
> """
Like our SmartCard-HSM, which is well supported in OpenSC.

>
> Even though I still have a lot of (obvious ;) half-knowledge about the
> specific topic of signature-cards (QES) and smartcards in general,
> please feel free to answer in technical terms ... I will then try
> to puzzle together the rest :)
>
> I saw that on this list there are some @gmx addresses, which might
> indicate German roots. On that note, I wanted to
>
> *** know if one of you does happen to know more about the German nPA
> (new electronic PersonalAusweis) ?
Yes, we even have an open source simulation of the German nPA at [2].

>
> The sign-me certificate on the nPA uses the X.509
> standard and uses ECC, not RSA (wonder why?).
Because BSI loves ECC on Brainpool curves. And looking at the current
NSA issue they are probably right.

> I am not quite sure yet, what to think about this, but wouldn't it maybe
> be nice to use this nPA with your 6 digit pin to be able to do a
> qualified electronic signature (QES)?
That's the idea of sign-me.

> What about possible Linux support there? Could this maybe be the
> solution for submitting ELSTER with signature card?
Not unless ELSTER starts supporting the nPA. As the nPA is a contactless
card using the EAC 2.0 protocol it is not compatible with PKCS#11. You
need a different middleware, the so called AusweisApp.

>
> *** share that it makes me really angry that :
>     (a) They don't publish ElsterFormular / ElsterOnline as openSource.
> They could still maintain it, but benefit from
> forks/spin-offs/contributions. Especially as this is a non-commercial
> and non-secret software: In the end this software does what we taxpayers
> did in the past, it transmits filled and signed forms. And moreover it
> is targeted at a large public with all German taxpayers (as a community)
> financing this software!
Go and set-up a community that develops an open source Elster solution ;-)

>
>     (b) Europe (Germany) on one hand files lawsuits against Microsoft
> for having a monopoly on the OS market and on the other hand ELSTER more
> or less only targets the Windows OS:
> * ELSTER plus (Signature Card) is only available for Windows
> * There is only a Windows version of ELSTER Formular, even though it
> seemingly is based on QT
> They should have an obligation to offer support for free OS alternatives!
Why? That's not how the market works: Ever heard of public procurement?
Government is going to spend big money, issues a request for tender
and the industry makes an offer. Best price vendor is selected. Try to
do that with an open source community.

>
>     (c) For businesses it is mandatory since January 2012 [4] and now I
> read that they want to make it mandatory to hand in the tax declaration
> electronically in 2014 and do not offer a secure possibility [5] to do
> so under a free operating system (LINUX) without buying third party
> software (and I am fine with paying for the necessary hardware once!)
>
> But is it possible at all under Linux (and if yes HOW and if not WHY
> NOT) ... I only found some indications so far and am still (as I am not
> a SC specialist) trying to puzzle this together...
It should be possible at the end. We use the combination Cryptography /
Java / PKCS#11 / Smartcards quite extensively.

>
>
> Cheers,
>
> Tormen
>
>
> [1] https://www.elsteronline.de/eportal/UnterstuetzteSignaturkarten.tax
>
> [2] https://www.yubico.com/products/yubikey-hardware/yubikey-neo/
>
> [3] Chapter 7.6 in
> https://www.yubico.com/wp-content/uploads/2013/07/YubiKey-Manual-v3_1.pdf
>
> [4] https://www.elster.de/untern_recht.php
>
> [5]
> I don't like the ELSTER Spezial Sicherheits-stick, because the PIN
> to access the private key on the stick will have to be entered on the
> computer! (a) and (b) why buying / having another crypto hardware if I
> already have a cardreader for my HBCI online banking.
> Plus I must wonder why the ELSTER-Special solution got classified as
> "very secure" even though such a setup for HBCI online banking would
> only get classified as medium secure, but not very secure, because it
> only is very secure if the PIN is entered on the cardreader itself :/
> ->
> So "secure possibility" for me must refer to a smartcard-reader with pinpad.
>
>

[1] https://github.com/CardContact/sc-hsm-embedded/tree/starcos
[2] http://www.openscdp.org/scripts/eID/index.html
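As an added example (not code from this thread, from OpenSC or from ELSTER), here is what the top of the stack Andreas describes looks like from the Java side: the application configures the SunPKCS11 provider with OpenSC's PKCS#11 module, logs in, prepares the data to be signed, calls the sign operation through the PKCS#11 interface so the private key never leaves the card, and then verifies the result against the certificate read from the same token. The module path, the slot index, the SHA256withRSA algorithm and the sample payload are assumptions; with a pin-pad reader the PIN is entered on the reader instead of on the computer.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;

/** Signs data with a smart-card key reached through OpenSC's PKCS#11 module (JDK 9+). */
public final class Pkcs11CardSigner {

    // Assumption: Debian/Ubuntu location of the OpenSC PKCS#11 library; adjust for your distro.
    private static final String OPENSC_MODULE = "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so";

    /** Builds a SunPKCS11 provider for the OpenSC module using an inline ("--") configuration. */
    static Provider openScProvider() {
        String config = "--name = OpenSC\n"
                + "library = " + OPENSC_MODULE + "\n"
                + "slotListIndex = 0\n";           // assumption: first slot holding a token
        Provider p = Security.getProvider("SunPKCS11").configure(config);
        Security.addProvider(p);
        return p;
    }

    /** Returns the first alias on the token that carries a private key. */
    static String firstPrivateKeyAlias(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                return alias;
            }
        }
        throw new IllegalStateException("no private key object found on the token");
    }

    /** Hashes and signs on the card; the key handle is a PKCS#11 object, not key material. */
    static byte[] sign(Provider p, KeyStore ks, String alias, byte[] data) throws Exception {
        PrivateKey key = (PrivateKey) ks.getKey(alias, null); // login already done in load()
        Signature sig = Signature.getInstance("SHA256withRSA", p);
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }

    public static void main(String[] args) throws Exception {
        Provider p = openScProvider();
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        // With "--pinpad" the PIN is null: SunPKCS11 then relies on the token's
        // CKF_PROTECTED_AUTHENTICATION_PATH and the reader asks for the PIN on its own keypad.
        boolean pinPad = args.length > 0 && args[0].equals("--pinpad");
        char[] pin = pinPad ? null : System.console().readPassword("Card PIN: ");
        try {
            ks.load(null, pin);                    // performs C_Login on the token
        } finally {
            if (pin != null) Arrays.fill(pin, '\0'); // do not keep the PIN in memory
        }
        String alias = firstPrivateKeyAlias(ks);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        // Constructed sample payload; a real client would sign the prepared form data.
        byte[] data = "constructed sample: serialized tax form".getBytes(StandardCharsets.UTF_8);
        byte[] signature = sign(p, ks, alias, data);
        // Verification needs only the public key, so it runs in software without the card.
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(cert.getPublicKey());
        verifier.update(data);
        System.out.println("alias=" + alias + " subject=" + cert.getSubjectX500Principal()
                + " signatureValid=" + verifier.verify(signature));
    }
}
```

If the card does not offer CKM_SHA256_RSA_PKCS, SunPKCS11 hashes in software and sends the DigestInfo to the card for a raw RSA PKCS#1 operation, so the call above still works with most signature cards OpenSC supports.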




Re: ELSTER and QES

Frank Morgner
Hi!

> > I am not quite sure yet, what to think about this, but wouldn't it maybe
> > be nice to use this nPA with your 6 digit pin to be able to do a
> > qualified electronic signature (QES)?
> That's the idea of sign-me.
>
> > What about possible Linux support there? Could this maybe be the
> > solution for submitting ELSTER with signature card?
> Not unless ELSTER starts supporting the nPA. As the nPA is a contactless
> card using the EAC 2.0 protocol it is not compatible with PKCS#11. You
> need a different middleware, the so called AusweisApp.
I think a wrapper should be possible with OpenSC and nPA Smart Card
Library [3]. Both play nicely together, but OpenSC needs to know about
nPA's signature key. OpenSC only needs a PKCS#15 emulator for nPA,
that's all.  Unfortunately, I don't have so much time...

> > *** share that it makes me really angry that :
> >     (a) They don't publish ElsterFormular / ElsterOnline as openSource.
> > They could still maintain it, but benefit from
> > forks/spin-offs/contributions. Especially as this is a non-commercial
> > and non-secret software: In the end this software does what we taxpayers
> > did in the past, it transmits filled and signed forms. And moreover it
> > is targeted at a large public with all German taxpayers (as a community)
> > financing this software!
> Go and set-up a community that develops an open source Elster solution ;-)
>
> >
> >     (b) Europe (Germany) on one hand files lawsuits against Microsoft
> > for having a monopoly on the OS market and on the other hand ELSTER more
> > or less only targets the Windows OS:
> > * ELSTER plus (Signature Card) is only available for Windows
> > * There is only a Windows version of ELSTER Formular, even though it
> > seemingly is based on QT
> > They should have an obligation to offer support for free OS alternatives!
> Why? That's not how the market works: Ever heard of public procurement?
> Government is going to spend big money, issues a request for tender
> and the industry makes an offer. Best price vendor is selected. Try to
> do that with an open source community.
Why? You answered it yourself, the market doesn't solve this problem.
Democracy claims to respect minorities and to empower citizens to
participation. This is something big money should be spent on.
Unfortunately, I am not in charge to decide what to do with my taxes.


[3] http://vsmartcard.sourceforge.net/npa/README.html

--
Frank Morgner

Virtual Smart Card Architecture http://vsmartcard.sourceforge.net
OpenPACE                        http://openpace.sourceforge.net
IFD Handler for libnfc Devices  http://sourceforge.net/projects/ifdnfc
