If everything is valid, the client can connect and chat with other clients. Every message send to the server is signed by the client and validated, making sure each message arriving at the server originated from that user. The server then extracts the username from the certificate and uses this to broadcast the message to the other clients. Ultimately, this means users only have to insert their eID card, enter their PIN and are safely chatting away with others.
The steps used to authenticate a client are as follows:
- The client asks for a logon.
- The server sends a random challenge back to the client and remembers this value.
- The client signs this challenge and sends the signed challenge back to the server along with its certificate.
- The server first validates if the serial number of the certificate is in the database of allowed serials, otherwise the client gets denied.
- After this it validates if the certificate is still valid. If it is expired or revoked, it denies the client.
- The server takes the public key from the certificate and verifies the signature of the client.
- If the signature is valid, the client is really who he claims to be, and is allowed to logon. The client certificate is stored to be used for future communication verification and to extract the client’s name to include in the broadcasted communication.