Saying "Bonjour Robert!" may seem a simple thing to do, but it is not really trivial in terms of programming.
Let's go over the different steps it will take before we can say "Bonjour Robert!":
1) Someone says hello to me and presents his ID papers (e.g. he inserts his card in the reader)
2) I ask this person "Are these your papers?" (the program asks to prove that the person is the owner of the card)
3) The person "proves" that these are indeed his papers (he gives the PIN code)
4) I check if his papers are valid (are the certificates from the card valid, revoked, suspended?)
5) I read his name from the papers (the program accesses the information found in the ID card)
6) I say "Bonjour Robert!"
Here we work in an environment composed of 3 distinct parts:
- The program (in Java)
- The card + reader
- The middleware (software that enables communication between the program and the card)
The card is provided by Robert, the middleware is installed on the computer and is standard, so the part we can work on is the Java program.
The first and probably hardest part will be to authenticate the card (steps 2-3-4), so I'll start there. But how does authentication work? Inside the card's chip there is a so-called "Private Key" and also a "Public Key".
Private Key / Public Key
When the card sends information, it is encrypted with the card's Private Key. This key is known only to the card, and no one else can read it or access it.
That information can only be decrypted with the Public Key, which can be known by anyone.
In the other direction, the program can send information to the card and encrypt that information using the public key. Only the private key can be used to decrypt that message.
What this means is that if the program receives information from the card and that information can be decrypted with the card's public key, then the program is certain that the information really comes from the card and not from a third party trying to hack the conversation. This way, a hacker can't fool the program into believing that he is the owner of the card, nor can that hacker read any information that the program sends to the card (he can't decode it because he doesn't have the private key).
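The check described above, written out as an added Java example (not code from this blog or from the eID middleware). In the Java API, "encrypting with the private key" takes the form of a digital signature over a random challenge. The `SimulatedCard` class, the software-generated RSA key and the `SHA256withRSA` algorithm are assumptions standing in for the real card, whose key is reached through the middleware. Only the first of the three checks succeeds.

```java
import java.security.*;

public class ChallengeResponseDemo {
    // Hypothetical stand-in for the card: the private key never leaves this object.
    static final class SimulatedCard {
        private final PrivateKey privateKey;
        final PublicKey publicKey;

        SimulatedCard() throws Exception {
            KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
            gen.initialize(2048);
            KeyPair pair = gen.generateKeyPair();
            privateKey = pair.getPrivate();
            publicKey = pair.getPublic();
        }

        // The card answers a challenge by signing it with its private key.
        byte[] respond(byte[] challenge) throws Exception {
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initSign(privateKey);
            s.update(challenge);
            return s.sign();
        }
    }

    // Program side: accept the answer only if it verifies under the expected public key.
    static boolean verify(PublicKey key, byte[] challenge, byte[] response) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(challenge);
        return s.verify(response);
    }

    public static void main(String[] args) throws Exception {
        SimulatedCard robert = new SimulatedCard();
        SimulatedCard impostor = new SimulatedCard();   // holds a different private key
        SecureRandom rng = new SecureRandom();
        byte[] challenge = new byte[32];
        rng.nextBytes(challenge);                       // fresh random challenge per attempt
        byte[] answer = robert.respond(challenge);
        System.out.println("genuine card:    " + verify(robert.publicKey, challenge, answer));
        System.out.println("other key:       " + verify(robert.publicKey, challenge, impostor.respond(challenge)));
        rng.nextBytes(challenge);                       // a new attempt gets a new challenge
        System.out.println("replayed answer: " + verify(robert.publicKey, challenge, answer));
    }
}
```

The fresh challenge on every attempt is what stops someone who recorded an earlier answer from reusing it.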
So this is how the program and the card establish communication. However, this still doesn't prove that the ID card is not a fake. That is ensured by the use of Certificates (but I'll talk about this tomorrow).
Thursday, 10 July 2008