For our authentication needs we introduced "BioID Server Certificates". These certificates enable BioID clients to trust BioID servers. If a valid BioID server certificate is installed on a client computer, the client trusts that server and can communicate with it using the public key stored in the certificate.

A BioID Server Certificate can be requested from the BioID CA. The BioID CA is a standalone Root Certification Authority, located at HumanScan in Erlangen. The CA certificate is installed together with your BioID installation so that BioID can verify any server certificate against it.

The main items of information within a server certificate are:

The object identifiers (OIDs) used in the certificates are allocated under the registered BioID enterprise number 1.3.6.1.4.1.7661.

How are certificates used?

The BioID client needs a server certificate as soon as it wants to connect to a remote server. Once the certificate has been verified against the installed BioID CA certificate, the connection is opened using the protocol string given in the certificate extension. Data objects sent to the remote server are encrypted with the public key exchange key stored in the certificate, so only the holder of the matching private key exchange key, that is, the intended server, can decrypt them.

The server always stores data in the database encrypted with its public key exchange key. This makes the stored data private to this BioID server: a copy of the database is of no use without the server's private key exchange key. If more than one server has to share a database, all of these servers have to use the same key pair, which means the private key exchange key must be provisioned on every one of them.

Distributed BioID applications that use their own client-server connection can still use the BioID client by passing a certificate explicitly to the client's record method. The resulting patterns are then encrypted with the public key exchange key stored in the given certificate. These patterns can now be sent over the application's own connection to the BioID server that holds the matching private key, which is the only one able to decrypt them.
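The exchange described in the two paragraphs above, as an added example that is not part of the original BioID documentation and not BioID's own code: a Go program (standard library only) models the standalone root CA, a server certificate that carries an RSA key exchange key and a protocol-string extension, the client-side check of that certificate against the installed CA certificate, and the encryption of a data object to the server, whether done by the client on connect or by an application that hands the certificate to the record method itself. The sub-arc 1.3.6.1.4.1.7661.99.1, the host names, the protocol string and the choice of RSA-OAEP are assumptions made for this example; only the enterprise arc 1.3.6.1.4.1.7661 comes from the page.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Assumed OID for the protocol-string extension: the enterprise arc
// 1.3.6.1.4.1.7661 is from the page, the sub-arc .99.1 is invented here.
var oidProtocolString = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 7661, 99, 1}

// issue generates a key pair and certifies it with parentKey (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA models the standalone root CA whose certificate ships with the client installation.
func NewCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example BioID Root CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// IssueServerCert issues a server certificate carrying the server's public key
// exchange key and the protocol string as a private (non-critical) extension.
func IssueServerCert(ca *x509.Certificate, caKey *rsa.PrivateKey, name, protocol string) (*x509.Certificate, *rsa.PrivateKey, error) {
	protoDER, err := asn1.Marshal(protocol)
	if err != nil {
		return nil, nil, err
	}
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: name},
		KeyUsage:        x509.KeyUsageKeyEncipherment,
		ExtraExtensions: []pkix.Extension{{Id: oidProtocolString, Value: protoDER}},
	}, ca, caKey)
}

// VerifyServerCert is the client-side check: the certificate must chain to the
// installed CA certificate; only then is the protocol string read from it.
func VerifyServerCert(ca, server *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := server.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", fmt.Errorf("server certificate not trusted: %w", err)
	}
	for _, ext := range server.Extensions {
		if ext.Id.Equal(oidProtocolString) {
			var proto string
			_, err := asn1.Unmarshal(ext.Value, &proto)
			return proto, err
		}
	}
	return "", fmt.Errorf("server certificate carries no protocol string")
}

// Seal encrypts a data object to the server with the public key exchange key
// from its certificate. RSA-OAEP limits one object to a few hundred bytes;
// larger objects would need a symmetric key wrapped this way (not shown).
func Seal(server *x509.Certificate, data []byte) ([]byte, error) {
	pub, ok := server.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("server certificate does not carry an RSA key")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, data, nil)
}

// Open is the server side: only the matching private key exchange key decrypts.
func Open(priv *rsa.PrivateKey, sealed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sealed, nil)
}

func main() {
	ca, caKey, _ := NewCA()
	server, serverKey, _ := IssueServerCert(ca, caKey, "bioid-server.example", "tcp://bioid-server.example:4711")
	proto, err := VerifyServerCert(ca, server)
	sealed, _ := Seal(server, []byte("constructed sample pattern")) // constructed stand-in for a pattern
	pt, _ := Open(serverKey, sealed)
	fmt.Printf("protocol=%q verify_err=%v decrypted=%q\n", proto, err, pt)
}
```

Two properties of the scheme are worth checking with this code: a certificate issued by any CA other than the installed one fails VerifyServerCert before its protocol string is ever read, and a data object sealed to one server cannot be opened with a second server's key, which is exactly why servers that share a database must share the key pair. With a 2048-bit key and SHA-256, RSA-OAEP accepts at most 190 bytes of plaintext per object; production data would be encrypted under a symmetric key that is wrapped with the server's public key instead.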