
Citizen Card & mobile phone signature


The mobile phone signature and the card with activated Citizen Card function (e.g. e-card) can be used on the Internet as a legally valid electronic signature. This is the equivalent of a handwritten signature. The mobile phone and activated e-card therefore become a virtual ID with which you can legally digitally sign documents or invoices.
The key concepts of the mobile phone signature and Citizen Card are the security layer interface and the identity link. These priority topics explain the underlying concepts and give developers useful information for integrating the mobile phone signature or Citizen Card into their own applications.

Security-Layer

The mobile phone signature and the Citizen Card are based on a technology- and platform-neutral concept whose functions are accessible via an abstract and standardised interface. This interface is called the security layer. Via a specified communication protocol, it encapsulates fundamental security functions such as the creation of qualified signatures, the encryption of data or the reading of data stores from the Citizen Card (e.g. the identity link).

Interface

The security layer interface uses an XML protocol (see specification at www.bürgerkarte.at), with which all functions can be encapsulated at an abstract level.

The following is a simple example of the creation of a qualified signature:

  <?xml version="1.0" encoding="UTF-8"?>
  <sl:CreateXMLSignatureRequest
    xmlns:sl="http://www.buergerkarte.at/namespaces/securitylayer/1.2#">
    <sl:KeyboxIdentifier>SecureSignatureKeypair</sl:KeyboxIdentifier>
    <sl:DataObjectInfo Structure="enveloping">
      <sl:DataObject>
        <sl:XMLContent>Ich bin ein einfacher Text.</sl:XMLContent>
      </sl:DataObject>
      <sl:TransformsInfo>
        <sl:FinalDataMetaInfo>
          <sl:MimeType>text/plain</sl:MimeType>
        </sl:FinalDataMetaInfo>
      </sl:TransformsInfo>
    </sl:DataObjectInfo>
  </sl:CreateXMLSignatureRequest>

In this example, plain text of the text/plain type is given a qualified signature in "enveloping" form, created with the keybox "SecureSignatureKeypair".

Citizen card environments (CCE), i.e. software that takes over the communication with the Citizen Card token (chip card such as the e-card or mobile phone signature), must implement the security layer specification. Communication via the security layer protocol is usually handled via the HTTP(S) binding. In this case, the request is transmitted as HTTP(S) form parameters. The process is usually as follows: The application makes an HTML form available to the citizen via a website. The citizen sends this form to the HTTP(S) address of the CCE. The form must contain the XMLRequest parameter and can contain the optional ones:

  • XMLRequest: The security layer XML request. The CCE accepts the request and processes it.
  • DataURL (optional): If this parameter is used, then the CCE sends the result of the processing of the XML request to this URL. Otherwise, the result is returned to the browser.
  • RedirectURL (optional): If this parameter is set, then the result is not shown in the browser, but rather the citizen is forwarded to the address set in this parameter.

The following is an example of an HTTP form request to a CCE, which transfers the signature request from the above example to the mobile phone signature environment. In the process, the signature is to be sent to a specific DataURL.

  <?xml version="1.0" encoding="UTF-8"?>
  <form method="post" action="https://www.a-trust.at/mobile/https-security-layer-request/default.aspx" accept-charset="utf-8" enctype="multipart/form-data">
    <input type="text" name="DataURL" value="https://app.gv.at:443/ProcessBKURequest"/>
    <input type="text" name="XMLRequest" value="&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
  &lt;sl:CreateXMLSignatureRequest xmlns:sl=&quot;http://www.buergerkarte.at/namespaces/securitylayer/1.2#&quot;&gt;
  &lt;sl:KeyboxIdentifier&gt;SecureSignatureKeypair&lt;/sl:KeyboxIdentifier&gt;
  &lt;sl:DataObjectInfo Structure=&quot;enveloping&quot;&gt;
  &lt;sl:DataObject&gt;
  &lt;sl:XMLContent&gt;Ich bin ein einfacher Text.&lt;/sl:XMLContent&gt;
  &lt;/sl:DataObject&gt;
  &lt;sl:TransformsInfo&gt;
  &lt;sl:FinalDataMetaInfo&gt;
  &lt;sl:MimeType&gt;text/plain&lt;/sl:MimeType&gt;
  &lt;/sl:FinalDataMetaInfo&gt;
  &lt;/sl:TransformsInfo&gt;
  &lt;/sl:DataObjectInfo&gt;
  &lt;/sl:CreateXMLSignatureRequest&gt;"/>
  </form>
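The XMLRequest value has to be HTML-escaped exactly once, and any text placed in sl:XMLContent has to be XML-escaped so that it cannot change the structure of what is signed. The following Python sketch is an added example, not code from the original page or from the CCE vendors: it builds the request and the form, then decodes the form again to check what the CCE would receive. The function names and the use of hidden inputs are assumptions of this example.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

SL_NS = "http://www.buergerkarte.at/namespaces/securitylayer/1.2#"
ET.register_namespace("sl", SL_NS)

def build_signature_request(text: str) -> str:
    """Build the CreateXMLSignatureRequest shown above around arbitrary text."""
    q = lambda tag: f"{{{SL_NS}}}{tag}"
    root = ET.Element(q("CreateXMLSignatureRequest"))
    ET.SubElement(root, q("KeyboxIdentifier")).text = "SecureSignatureKeypair"
    info = ET.SubElement(root, q("DataObjectInfo"), {"Structure": "enveloping"})
    data = ET.SubElement(info, q("DataObject"))
    # ElementTree escapes <, > and & in .text, so the text cannot add elements.
    ET.SubElement(data, q("XMLContent")).text = text
    meta = ET.SubElement(ET.SubElement(info, q("TransformsInfo")), q("FinalDataMetaInfo"))
    ET.SubElement(meta, q("MimeType")).text = "text/plain"
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")

def build_form(cce_url: str, xml_request: str, data_url: str) -> str:
    """Render the HTTP-binding form; each value is HTML-escaped exactly once."""
    esc = lambda v: html.escape(v, quote=True)
    return (
        f'<form method="post" action="{esc(cce_url)}" '
        'accept-charset="utf-8" enctype="multipart/form-data">\n'
        f'  <input type="hidden" name="DataURL" value="{esc(data_url)}"/>\n'
        f'  <input type="hidden" name="XMLRequest" value="{esc(xml_request)}"/>\n'
        '  <input type="submit" value="Sign"/>\n</form>'
    )

class _Inputs(HTMLParser):
    """Collect input name/value pairs with entities decoded, as a browser would."""
    def __init__(self):
        super().__init__()
        self.values = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and "name" in a:
            self.values[a["name"]] = a.get("value")

def submitted_values(form_html: str) -> dict:
    """Return the parameters the form would post to the CCE."""
    parser = _Inputs()
    parser.feed(form_html)
    parser.close()
    return parser.values
```

A form whose XMLRequest value contains `&amp;lt;` has been escaped twice; the CCE would then receive `&lt;?xml ...` instead of an XML document.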

Implementations

Due to the different Citizen Card forms (chip card, mobile phone signature), there are also different CCEs, which have to be addressed via the respective URLs.

Mobile phone signature


The mobile phone signature runs as a central service with the certification service provider A-Trust. Both the signature-creation data (private key) and the software are managed and run on the server side. The benefit of this CCE is that only a Web browser and a mobile phone are required to use it. The user does not have to install any other local components such as drivers or software.


Security-Layer URL:

https://www.a-trust.at/mobile/https-security-layer-request/default.aspx



Online CCE

The online CCE is a Citizen Card environment for chip-card-based Citizen Cards. If the user has already installed Java (at least version 6) on the computer, then it is not necessary to install any other software components or card drivers. The online CCE consists of two components:

  • Server component: This component is run on the server side in the context of a J2EE servlet container and takes over all complex or CPU-intensive tasks, for example the XML processing (parsing, transformations, and so on). Furthermore, the server component implements the complete process logic of the security layer interface, i.e. also the communication with the DataURL.
  • Client component: To be able to communicate with the chip card, a minimalistic Java applet runs in the user's browser. This applet communicates on the one hand via the Java smart card API (via PC/SC interface) with the chip card. On the other hand, it communicates with the server component of the online CCE. Even though the majority of the security layer communication takes place in the server part, necessary card communication (signature creation, reading data structures such as identity link, and so on) can be carried out via the client component.


Security layer URL (dependent on the installation/deployment):
Example:

https://apps.egiz.gv.at/bkuonline/https-security-layer-request

Local Citizen Card environments


Local Citizen Card environments run on the user's computer and communicate with the chip card. There are currently the following implementations in the market:


 

 

 

Mobile phone signature

The mobile phone signature is a variant of the implementation of a secure signature creation unit and Citizen Card environment. In contrast to card-based Citizen Cards, in which the secure signature creation unit is implemented as a chip on the card, the mobile phone signature uses a hardware security module (HSM) that is run centrally in a secure domain on a server as the secure signature creation unit. The signature creation data (i.e. the private key) is securely managed by the certification service provider A-Trust and can only be used with the involvement of the user. The foundation for the mobile phone signature is certification by the Austrian confirmation authority (A-SIT) in accordance with Section 19 of the Electronic Signature Act. As with the card-based variant, the signature is triggered via two-factor authentication by means of knowledge and ownership.

General information on the use and application of the mobile phone signature can be found at www.handy-signatur.at or www.buergerkarte.at.

The following describes both the registration and the signature process from a technical perspective.

Registration process

Starting situation


The user, who would like to register for the mobile phone signature, requires two things:

  • a secret password
  • a mobile phone with an Austrian number (contract or pre-paid mobile phone)


The server side architecture of the mobile phone signature consists of four essential components:
  1. Web front-end for communication between the user/application and the mobile phone signature
  2. SMS gateway for sending one-off codes to the mobile phone of the user
  3. Hardware Security Module (HSM), which
    1. is used for the creation of signature creation data
    2. decrypts encrypted signature creation data, and
    3. creates qualified signatures with the help of the signature creation data of the user
  4. Key database that contains the signature creation data of the user in an encrypted form, whereby the key that is used consists of at least the secret password of the user and the secret HSM key.

Registration step 1 - disclosure of the mobile phone number and password

In the first step, the mobile phone number and the password of the user are disclosed. This is transmitted via the Web front-end by the user to the mobile phone signature environment. Afterwards, a one-time code is created that is sent to the given mobile phone number via the SMS gateway.

Registration step 2 - verification of ownership of mobile phone

In the second step, the ownership of the mobile phone with the given number is verified. Here, the user transmits the one-time code received as a text message via the Web front-end to the mobile phone signature environment, which verifies the code and hence the ownership of the mobile phone.

Afterwards, the HSM generates the signature creation data (i.e. private key) of the user, encrypts it with the secret key of the HSM and a key derived from the password of the user, and saves the encrypted result in the database.

Signature process

Signature step 1 - signature request and disclosure of the password

The application sends a signature request via the security layer interface including the data to be signed via the user's browser to the Web front-end of the mobile phone signature.
Afterwards, the user must enter the mobile phone number and password via the Web front-end. This is the first part of the authentication process (=knowledge).

Signature step 2 - generation of one-time code

The mobile phone signature environment calculates a hash value from the data to be signed, generates a random one-time code with a secure algorithm and sends the one-time code or alternatively hash value via the SMS gateway to the mobile phone of the user.

Signature step 3 - verification of ownership of mobile phone number

Afterwards, the user enters the received one-time code via the Web front-end. The mobile phone signature environment checks the validity of the code and restores the signature creation data of the user from the database. This happens with the help of the secret key from the HSM as well as the key derived from the user's password. Afterwards, the data transmitted by the application is signed with the private key of the user.

Key points from a security-related perspective:
  • The one-time code verifies the ownership of the mobile phone
  • The signature creation data can only be used inside the HSM and only after the signatory has entered the signature password.

Signature step 4 - return of the signed data

After completion of the signature, the signed data is transferred back to the application via the security layer interface.
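Signature steps 2 and 3 can be modelled as a pending session whose one-time code is tied to the hash of the data to be signed. The following Python sketch is an added example, not A-Trust's implementation; SHA-256, the six-digit code, the validity window, the retry limit and the SMS wording are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

TAN_TTL_SECONDS = 300   # assumption: validity window, not stated on the page
MAX_ATTEMPTS = 3        # assumption: retry limit, not stated on the page

class SignatureSession:
    """One pending signature: the one-time code is tied to one document hash."""

    def __init__(self, data_to_sign: bytes, now=time.time):
        self._now = now
        self.data_hash = hashlib.sha256(data_to_sign).hexdigest()
        # secrets draws from the OS CSPRNG; six digits is an assumed length.
        self._tan = f"{secrets.randbelow(10**6):06d}"
        self._expires = now() + TAN_TTL_SECONDS
        self._attempts = 0
        self._used = False

    def sms_text(self) -> str:
        """Text for the SMS gateway: the code plus a short hash to compare."""
        return f"TAN {self._tan} for document {self.data_hash[:10]}"

    def authorize(self, entered_tan: str, data_to_sign: bytes) -> bool:
        """True exactly once, for the right code and the data that was hashed."""
        if self._used or self._now() > self._expires:
            return False
        self._attempts += 1
        if self._attempts > MAX_ATTEMPTS:
            return False
        same_data = hmac.compare_digest(
            hashlib.sha256(data_to_sign).hexdigest(), self.data_hash)
        # Constant-time comparison avoids leaking how many digits matched.
        same_tan = hmac.compare_digest(entered_tan.encode(), self._tan.encode())
        if same_data and same_tan:
            self._used = True   # one code authorizes a single signature
            return True
        return False
```

Only after `authorize` returns True would the environment restore the user's key inside the HSM and sign the data.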

 

 

Developers

This area provides fundamental information for developers in connection with the Austrian Citizen Card and mobile phone signature.

Tutorial on Citizen Card

www.buergerkarte.at provides a tutorial for using the security layer application interface for developers of applications. This tutorial is designed for developers of applications in the area of eGovernment and E-Commerce. It provides a practical overview of how the functions of the Citizen Card can be integrated into such applications.

Mobile phone signature test environment

A-Trust provides a test system for the mobile phone signature at test1.a-trust.at. You can activate a mobile phone signature for yourself there for testing; alternatively, it is recommended to use the "John Doe" test mobile phone signature. For this test person, no text message will be sent, because the TAN value is specified by default.

Test portal

The integration of common eGovernment infrastructure elements can be tried out by way of example in our test portal.


 

The Citizen Card is a technology- and platform-neutral concept that facilitates the use of different technologies as a virtual ID (electronic identity).

The Citizen Card is currently available in two forms:

  • as a mobile phone signature. A mobile phone that is ready to receive is necessary for this. The mobile phone signature works with all mobile phones and is free.
  • as a card with an activated Citizen Card function (e.g. e-card) plus a card reader.

The technology and platform neutrality is achieved through the use of an abstract and standardised interface, the so-called security layer, for communication with the Citizen Card or mobile phone signature. Besides the creation of qualified or advanced signatures, the Citizen Card or mobile phone signature serves as a virtual ID with which you can provide high-quality identification for yourself for eGovernment or other online applications. This is possible because a data structure with personal data, the so-called identity link, is stored on the Citizen Card or mobile phone signature. It contains the basic identity data of the citizen, such as name, birthday and source PIN (unique national identifier).

This priority topic deals with the technological concepts of the security layer, identity link and mobile phone signature. Furthermore, useful information is provided for the integration of the Citizen Card or mobile phone signature.

General information on the use of the Citizen Card or mobile phone signature can be found at www.bürgerkarte.at.

Choose below the area that interests you or for which you would like to obtain additional information.

I would like...

...to find out more information on the security layer protocol and communication with the Citizen Card

...to find out more about the security-related concepts of the mobile phone signature

...to find out more about the identity link on the Citizen Card

...to find out more about the integration of the mobile phone signature or Citizen Card in my application