ZION eID - PowerPoint PPT Presentation

About This Presentation
Title:

ZION eID

Description:

Some quotes from Luc Beirens, head of the Federal Computer Crime Unit. Belgian companies are getting hacked and attacked, sometimes without their knowledge ... (PowerPoint PPT presentation)

Provided by: erwinge

Transcript and Presenter's Notes



1
ZION eID
  • eID applications for businesses

2
About ZION SECURITY
  • Belgian start-up in application security
  • Our services:
    • Execute security tests
    • Train developers
    • Secure applications
    • Electronic Identity Card (eID) integration
    • Design secure architectures: J2EE, .NET, PHP, Web Services, ...
  • References: De Post, Excelligent, CSI4SAP, Aprico Consultants, Mediargus, ...

3
Introduction
  • Some quotes from Luc Beirens, head of the Federal Computer Crime Unit:
    • Belgian companies are getting hacked and attacked, sometimes without their knowledge
    • E-spionage is real, cases exist in Belgium
    • Cybercrime has just started in Belgium
  • Source: ISACA Round Table Meeting @ KPMG

4
We need the eID, and ASAP
  • eID implements strong (two-factor) authentication:
    • Something you have: the card, with its public/private key pairs on the chip
    • Something you know: the PIN code
  • No more need for different usernames and passwords for different applications: 1 card, 1 PIN code for all eID-enabled applications
  • Secure e-mail and legally valid digital signatures

5
But...
  • You still need to think about authorization in your application: the eID tells you who the user is, not what they may do
  • You need to handle identity management to map eID users to your application users
  • You need secure session management to protect authenticated users after the card has been checked
  • You need to make sure that your integration of the eID framework has no vulnerabilities
  • HTTPS is required during the entire session, not only at login
  • Patch your web server
  • Secure your applications

6
Remaining threats
  • Threat 1: authentication certificate is not used for SSL (client) authentication
  • Threat 2: authentication certificate is not used at all?
  • Threat 3: bad implementation of identity management
  • Threat 4: no adequate authorization
  • Threat 5: bad session management
  • Threat 6: connection to an evil server using phishing or spoofing attacks
  • Threat 7: no server-side verification of the authentication certificate
  • Threat 8: bad implementation of the authentication proxy

7
Is this a secure eID site?
8
Is this a secure eID site?
9
ZION eID
  • Secure integration of eID in any existing application
  • State-of-the-art security with existing solutions
  • Audit of applications for security vulnerabilities like SQL injection, cross-site scripting, ...
  • Secure data capture
  • Secure digital signature
  • ZION eID quality label

10
Zion eID architecture
  • Platform-independent Java applet
    • Data capture
    • Windows
    • Unix (Linux, Solaris, ...)
    • OS X
  • Legally binding digital signature creation
  • Uses the industry-standard Sun Java implementation

11
Zion eID architecture
  • Pure Microsoft .NET implementation
    • Data capture
    • Network authentication
    • Legally binding digital signature creation
    • Backend integration
    • Microsoft Office 2003 embedded signatures
    • PDF embedded signatures

12
Zion eID architecture
  • Kiosk applications
  • Information terminals
  • Thin clients
  • Industrial hardware

13
Best practices
  • Don't store the Rijksregisternummer (the national register number printed on the card and present in the certificates)
  • eID is not the silver bullet; it only helps with strong authentication
  • Build strong authorization controls
  • Security-test your applications
  • Don't rely on network defenses like firewalls: defense in depth!
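The following is an added example, written for this transcript and not code from ZION or the deck, that ties together two points the slides make: slide 5's demand for identity management that maps eID users to application users plus secure session handling, and slide 13's rule of never storing the Rijksregisternummer. It assumes the web server has already required TLS client authentication and verified the certificate against the Belgian citizen CA chain (Threats 1 and 7 are handled there, not here), and that it hands the application the subject DN attributes of that certificate. The Belgian eID conventions used, that the subject serialNumber holds the RRN and that the authentication certificate's CN ends in "(Authentication)" while the signature certificate's ends in "(Signature)", are stated here as assumptions; the HMAC key, session lifetime and sample RRNs are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional

# Server-side secret for pseudonymising the RRN. Assumption: loaded from a key
# store or environment, never stored next to the user table it protects.
PSEUDONYM_KEY = b"replace-with-a-random-32-byte-secret-from-your-key-store"
SESSION_TTL_SECONDS = 15 * 60
AUTH_SUFFIX = " (Authentication)"   # assumed Belgian eID CN convention

USERS = {}     # pseudonym -> {"display_name": ..., "roles": [...]}
SESSIONS = {}  # session token -> {"pseudonym": ..., "expires": ...}


def _digits(rrn: str) -> str:
    """Strip the dots and dash of the printed form '85.07.30-033.28'."""
    return "".join(ch for ch in rrn if ch.isdigit())


def rrn_is_valid(rrn: str) -> bool:
    """Checksum of the 11-digit Rijksregisternummer (YYMMDD SSS CC).

    CC = 97 - (YYMMDDSSS mod 97). For people born in 2000 or later the nine
    digits are prefixed with a 2 before the modulo is taken, so both are tried.
    """
    d = _digits(rrn)
    if len(d) != 11:
        return False
    first_nine, check = d[:9], int(d[9:])
    before_2000 = 97 - int(first_nine) % 97
    from_2000 = 97 - int("2" + first_nine) % 97
    return check in (before_2000, from_2000)


def pseudonym_for(rrn: str) -> str:
    """Keyed hash of the RRN: this, not the number itself, is what gets stored."""
    return hmac.new(PSEUDONYM_KEY, _digits(rrn).encode(), hashlib.sha256).hexdigest()


def login_with_eid(subject: dict, now: Optional[float] = None) -> Optional[str]:
    """Map a TLS-client-authenticated eID subject to an application user.

    `subject` holds the DN attributes of the client certificate that the TLS
    layer already verified (assumption: passed in by the web server). Returns a
    session token, or None when the certificate is not an authentication
    certificate (Threat 2) or the serialNumber is not a plausible RRN.
    """
    now = time.time() if now is None else now
    cn = subject.get("CN", "")
    rrn = subject.get("serialNumber", "")
    # Only the authentication certificate may log a user in; the signature
    # certificate must never be accepted as proof of presence.
    if not cn.endswith(AUTH_SUFFIX) or not rrn_is_valid(rrn):
        return None
    pseudonym = pseudonym_for(rrn)
    # First login creates the application user with default roles; roles are an
    # application decision (slide 5: authorization is still your job).
    USERS.setdefault(pseudonym, {"display_name": cn[: -len(AUTH_SUFFIX)], "roles": ["citizen"]})
    # Fresh unguessable token per login; the RRN never reaches the session store.
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"pseudonym": pseudonym, "expires": now + SESSION_TTL_SECONDS}
    return token


def session_user(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Resolve a session token; unknown or expired tokens yield None."""
    now = time.time() if now is None else now
    session = SESSIONS.get(token)
    if session is None:
        return None
    if session["expires"] <= now:
        del SESSIONS[token]
        return None
    return USERS[session["pseudonym"]]


def logout(token: str) -> None:
    SESSIONS.pop(token, None)


def session_cookie_header(token: str) -> str:
    """Set-Cookie value for the session: HTTPS only, not readable from script,
    not sent cross-site. Matches the slide's 'HTTPS during the entire session'."""
    cookie = SimpleCookie()
    cookie["eid_session"] = token
    cookie["eid_session"]["secure"] = True
    cookie["eid_session"]["httponly"] = True
    cookie["eid_session"]["samesite"] = "Strict"
    cookie["eid_session"]["path"] = "/"
    return cookie["eid_session"].OutputString()


if __name__ == "__main__":
    # Constructed subject, as a web server would pass it after client-cert auth.
    subject = {"C": "BE", "CN": "Jan Peeters (Authentication)", "serialNumber": "85073003328"}
    tok = login_with_eid(subject)
    print(session_user(tok), session_cookie_header(tok))
```

The RRN is validated only to reject garbage before it is hashed; the keyed hash is what identifies the user in the database, so a database dump does not leak national register numbers, and the same card always maps to the same user as long as the key is kept. Rotating the key means re-mapping users, which is why it belongs in a key store rather than in code as shown here.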