[Tokend-Dev] Altered Security Tokend for Belpic/Beid

Maccampus maccampus at gmail.com
Tue Aug 25 08:38:01 PDT 2015


I got a reply from Ludovic Rousseau (is this your real name?) telling me the Belpic Tokend is under the Apple Public Source
License Version 2.0 [1] & as long as the Belgian Government Agency respects the licence, that is fine.

However, the Belgian Government doesn’t update the Tokend & the Mac OS Forge does. However, the 3rd generation of BEid cards needs the version of the Belgian Government because the Apple Tokend doesn’t contain the right encryption/decryption for that generation of ID cards.

This is where the troubles start.

To be certain the troubles start with the Tokend & the 3rd generation ID card, I did the following tests.

There are 2 other methods to use the ID card without the Tokend:

- There’s a Java application (which still needs Apple’s Java 6, but if you get the Application.jar out of the application.app bundle it does run on newer Java, so I run it on Java 8). This Java app can read my 3rd generation ID card & can test the pincode (password).
- Method 2 is using the Firefox browser with an add-on written by the Belgian Government. This also works fine: I can log in & go to my personal dossiers at several government or government-linked agencies (tax, social security, pension, birth,…). Needless to say, it also works for 2nd generation ID cards.

- Then there is the Apple way; by this I mean software that uses the Apple way of using smartcards. (The tokend makes the keychain from the card available in Keychain & the applications use Keychain to use the keys; applications like Safari, Google Chrome.) For this test I use Safari & also Google Chrome to double check.
	- First problem: the keychain should be added to Keychain as soon as you connect the smartcard reader & insert an ID card. This hardly works. (So almost all the time the keychain is not added; it seems like the tokend doesn’t see the smartcard reader, while if I open the Java application the ID information gets instantly read.) This is with any version of ID card. You can keep trying & eventually get lucky, but if you connect the reader before boot it works.

With that first problem out of the way, I see my 3rd gen ID card in the Keychain. I open Safari, go to a protected Government website & try to log in. This brings me to the BEid login site & asks me to select the certificate & then asks for my pincode, which I give; it then again asks me for the right certificate. I am stuck in an infinite loop.

I now do the same with a 2nd gen ID card: after providing the pincode I go to the protected website with the personal information of a family member who still has a 2nd gen ID card.

As we see, it works if we avoid the tokend. If we use the tokend, it works with gen 2 but not gen 3 ID cards; besides that, the reader needs to be connected before boot. We also know the tokend written by the Belgian Government is version 2.0-2.0.1, which is certainly not written for Mac OS X 10.10. The MacOSForge tokend is version 3.0 & supports Mac OS X 10.10, but doesn’t have the compatibility with Belgian BEid cards version 3.

The solutions are (imho).
- The Belgian Government fixes their Tokend & during this fix updates it to version 3.0. Also they keep it up to date from now on.
- The Belgian Government gives the MacOSForge the needed code to make their Tokend BeID card version 3 compatible & lets them keep the tokend up to date. If a future generation 4 happens again, they work with the MacOSForge & let them have the new code. Also they supply the latest DMG of smartcardservices with every update of their software or provide a link to the MacOSForge to let the end user get the latest SmartCardServices themselves.



> On 24 Aug 2015, at 20:12, tokend-dev-request at lists.macosforge.org wrote:
> 
> Date: Mon, 24 Aug 2015 20:07:47 +0200
> From: Maccampus <maccampus at gmail.com>
> To: tokend-dev at lists.macosforge.org
> Subject: [Tokend-Dev] Altered Security Tokend for Belpic/Beid
> Message-ID: <D2362340-45CA-4B87-865A-F6848C08DEDA at gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> 
> Hello,
> 
> The Belgian Government Agency (Belpic) who is in charge of making software for the Belgian Electronic Identity Card (BEID) has altered the BelPic Tokend from this project.
> They never have uploaded their changes to this project though.
> 
> They seem to have taken the Apple Card Services 2.0bx or lower which contains Belpic.tokend 2.2.1 & 2.2. Maybe they took the source files & altered them or they took the Installable files & have hacked them, to add a higher encryption for Version 3 of the Beid Cards.
> 
> They have not informed you of their changes & their changes are not added to the later versions of your versions of the Belpic.tokend. Rather they renamed the Belpic.tokend to Beid.tokend & even with their latest software they make us Belgian Apple-using citizens install an old version of the Belpic.tokend, instead of altering the later versions as one would at least have expected.
> 
> I want to inform you about these changes in the hope that you can add them to the latest versions of the Belpic.tokend & inform them about their inappropriate behavior. Maybe also discuss the future name of the tokend to be Belpic or Beid.
> 
> I have added their versions of the older Tokend which they are currently using, maybe you can extract the changes from those, if not you will need to ask them for the source.
> 
> They are found here <http://eid.belgium.be/nl/> & have an online contact sheet for technical questions <http://eid.belgium.be/nl/contact/contactform.jsp>. They also use a 3rd party to develop for them, which is Zetes & can be found here, <http://nl.zetes.be/>, or here <http://www.belgeid.be/>. Maybe you might find them to be the ones that (once) altered & delivered your software for the Belpic Agency.
> 
> I hope you can make them, in cooperation with you, deliver the latest version of YOUR Belpic/Beid.tokend containing THEIR changes with their software, preferably by adding your complete software installer to their package or a link to your website rather than only the BELPIC/BEID.tokend. They can inform users to only install the Belpic/Beid Tokend.
> 
> Thanks for making them set things right.
> 
> 
> 
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: Altered-Belpic.tokend.zip
> Type: application/zip
> Size: 550766 bytes
> Desc: not available
> URL: <https://lists.macosforge.org/pipermail/tokend-dev/attachments/20150824/e2cf43d2/attachment.zip>