Skip to content

Implementation of mDoc security mechanisms according to ISO/IEC 18013-5 standard

License

Notifications You must be signed in to change notification settings

eu-digital-identity-wallet/eudi-lib-ios-iso18013-security

EUDI Wallet ISO/IEC 18013-5 Security library for iOS

Important! Before you proceed, please read the EUDI Wallet Reference Implementation project description


eudi-lib-ios-iso18013-security

Swift Lines of Code Duplicated Lines (%) Reliability Rating Vulnerabilities

Implementation of mDoc security according to ISO/IEC 18013-5 standard (0.9.0)

Session encryption

Session encryption uses standard ephemeral key ECDH to establish session keys for authenticated symmetric encryption. The SessionEncryption struct implements session encryption (for the mDoc currently) It is initialized from

  1. the session establishment data received from the mdoc reader.
  2. the device engagement data generated from the mdoc.
  3. the handover data.
var sessionEncr = SessionEncryption(se: sessionEstablishmentObject, de: deviceEngagementObject, handOver: handOverObject)
let data = try sessionEncr.decrypt(sessionEstablishmentObject.data)!

mdoc authentication

The security objective of mdoc authentication is to prevent cloning of the mdoc and to mitigate man in the middle attacks. Currently the mdoc side is implemented (generation of device-auth) Initialized from the session trascript object, the device private key and the reader ephemeral public key

let mdocAuth = MdocAuthentication(transcript: sessionEncr.transcript, authKeys: authKeys)
let deviceAuth = try mdocAuth.getDeviceAuthForTransfer(docType: "org.iso.18013.5.1.mDL", deviceNameSpacesRawData: [0xA0], bUseDeviceSign: bUseDeviceSign)!
let ourDeviceAuthCBORbytes = deviceAuth.encode(options: CBOROptions())

mdoc reader authentication

The data that the mdoc reader authenticates is the ReaderAuthentication structure Currently the mdoc side is implemented (verification of reader-auth CBOR data)

let mdocAuth = MdocReaderAuthentication(transcript: sessionEncr.transcript)
guard let readerAuthRawCBOR = docR.readerAuthRawCBOR else { continue }
let b = try mdocAuth.validateReaderAuth(readerAuthCBOR: readerAuthRawCBOR, readerAuthCertificate: docR.readerCertificate!, itemsRequestRawData: docR.itemsRequestRawData!)

Dependencies (to other libs)

Reference

Detailed documentation is provided here

Disclaimer

The released software is a initial development release version:

  • The initial development release is an early endeavor reflecting the efforts of a short timeboxed period, and by no means can be considered as the final product.
  • The initial development release may be changed substantially over time, might introduce new features but also may change or remove existing ones, potentially breaking compatibility with your existing code.
  • The initial development release is limited in functional scope.
  • The initial development release may contain errors or design flaws and other problems that could cause system or other failures and data loss.
  • The initial development release has reduced security, privacy, availability, and reliability standards relative to future releases. This could make the software slower, less reliable, or more vulnerable to attacks than mature software.
  • The initial development release is not yet comprehensively documented.
  • Users of the software must perform sufficient engineering and additional testing in order to properly evaluate their application and determine whether any of the open-sourced components is suitable for use in that application.
  • We strongly recommend to not put this version of the software into production use.
  • Only the latest version of the software will be supported

License details

Copyright (c) 2023 European Commission

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

About

Implementation of mDoc security mechanisms according to ISO/IEC 18013-5 standard

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Packages

No packages published

Languages