adam ross, ben drisch cryptovision gmbh · adam ross, ben drisch cryptovision gmbh. ... •...
TRANSCRIPT
1cv cryptovision GmbH | T: +49 (0) 209.167-24 50 | F: +49 (0) 209.167-24 61 | info(at)cryptovision.com
cryptovision’s Government Solutions
Adam Ross, Ben Drischcryptovision GmbH
2cryptovision‘s Government Solutions
cryptovision
cryptovisionGelsenkirchen
SubsidiaryNew York City
OfficeSilicon Valley
OfficeMexico City
Office Vienna
3cryptovision‘s Government Solutions
Trend 1:Multi-application
eID Projects
4cryptovision‘s Government Solutions
Trend 1: Multi-application eID projects
Multi-application eID cards are already there
Electronic ID Card Signature Card
Health Insurance Card Company card
Loyalty card
Payment CardAccess Card
5cryptovision‘s Government Solutions
Prepaid SIM Registration
Many countries implementedprepaid SIM registration by law
Key Objectives:• Assist security agencies• Reduce fraud• Support resolving crime• Collect data on phone usage• Offer value add services
6cryptovision‘s Government Solutions
Prepaid SIM Registration
Current processes are slow, unsecure and costly:• Often involves paper-based forms to be filled by applicants• Identification based on traditional IDs (photocopy created)• Biometric fingerprint has to be taken and stored, again• Multiple 100 million pages of paper to be archived• Secure process relies on telecom employees
7cryptovision‘s Government Solutions
Prepaid SIM Registration
Use eID card to• Securely identify the person• Store the prepaid SIM serial number on the eID card for
offline verification of registered SIM cards
8cryptovision‘s Government Solutions
Prepaid SIM Registration
eID ePKI MoC Driving License Transport
Health
Payment
Voting
Appl
icat
ions
Use
r dat
a
Pension Insurance CustomTax
Keys CertificatesPersonal data Fingerprints Additional data
ICAO
SIM
9cryptovision‘s Government Solutions
Trend 1: Multi-application eID projects
ePasslet Suite A Java Card Applet Suite for eID document applications Provides all relevant applications from one solution Supports multi-application configurations
Shared file system, inter-applet communication
Post-issuance activation and applet loading possible Without losing the CC certification
10cryptovision‘s Government Solutions
Trend 1: Multi-application eID projects
ePasslet Suite v3.0 DESFire support for Ticketing/Transport Convergence with M/Chip, VSDC, CPA available eIDAS token functionality Improved flexibility of key and certificate provisioning
Available on NXP JCOP 3 and Veridos SCE 7 (IFX)* 2nd source option for both chip and operating system Certification at EAL 5+ to be concluded end of Q3/2017
* Functional scope may vary
11cryptovision‘s Government Solutions
Trend 2:Smart Cardsand Mobility
12cryptovision‘s Government Solutions
Part 1: Using mobile devices for eIDdocument access
Both OTS mobile hardware as well as custom build devices are used for enrolment and read-out
Trend 2: Smart Cards and Mobility
13cryptovision‘s Government Solutions
Mobile Identity Verification
Key Objectives:• Allow identity verification for police forces
and emergency personnel• Support (temporary) offline scenarios• Non-stationary use
Many countries are looking for mobilesolutions to verify citizens’ identity
14cryptovision‘s Government Solutions
Use eID card to• Read out eID document data• Identify card holder using face and/or fingerprint matching• Support Match-on-Card (for offline usage and privacy)
Mobile Identity Verification
15cryptovision‘s Government Solutions
Mobile Identity Verification
• Fingerprint/PIN management• Read/Write data• Read out ICAO application
Terminal application based on SCalibur SDK
16cryptovision‘s Government Solutions
Trend 2: Smart Cards and Mobility
SCalibur v2.0.0 - cryptovision’s eID middleware SDK Provides all common eID document protocols/mechanisms Easily portable due to Java Also available for mobile devices running Android Client-only and client-server settings supported
All eIDprotocols Biometrics
EACv2 / TR3110
Variousprofiles
Standard compliant
17cryptovision‘s Government Solutions
Trend 2: Smart Cards and Mobility
Some notes on OTS general purpose mobile devices Often problematic antenna design NFC not fully usable
No extended length APDUs (getting better) Not fully compliant to ISO 14443 Sometimes restricted access (iOS – getting better?)
Mobile OSs lack generic interface for card integration
18cryptovision‘s Government Solutions
Trend 2: Smart Cards and Mobility
Mobile devices equipped with SCalibur
Image source: Credence ID
19cryptovision‘s Government Solutions
Part 2: Moving eID applications tomobile platforms
More and more organizations look for mobile smart card alternatives
smart card/eID document
mobile smart card alternative
Trend 2: Smart Cards and Mobility
20cryptovision‘s Government Solutions
Trend 2: Smart Cards and Mobility
Storing signed data and verifying it is easy only needs public key no requirements for secure execution environment
Prevent cloning or storing private keys is hard Requires at least some form of trusted execution environment Ideally supported by dedicated security hardware
21cryptovision‘s Government Solutions
Trend 2: Smart Cards and Mobility
We don’t see a unified mobile solution with security hardware anytime soon
There is the need for a leveled security approach with different security levels for different use case scenarios
contact card
contactless
smart token
mobile
microSD
SIM
built-in
TPM
SGX
chip implant
mobile key store
software smart card emulation
Remote CSP
Credentials Of Various Forms Effectively
Functioning Equivalently
(COVFEFE)
22cryptovision‘s Government Solutions
Trend 2: Smart Cards and Mobility
From the cryptovision labs
Smartcard Reader Device Reader Driver (PCSC)
SmartcardMiddleware
Applications
TPMSmartcard Simulation
ServiceVirtual Reader Driver (PCSC)
Smartcard Middleware Applications
Intel SGX Token Enclave Service
Virtual Reader Driver (PCSC)
Smartcard Middleware Applications
Remote Server (HSM)
Remote Connection
ServiceVirtual Reader Driver (PCSC)
Smartcard Middleware Applications
Mobile Phone (iOS,
Android)
Mobile Connection
ServiceVirtual Reader Driver (PCSC)
Smartcard Middleware Applications
PFX File PFX File Service
Virtual Reader Driver (PCSC)
Smartcard Middleware Applications
Security Level
Credential Orchestration System
23cryptovision‘s Government Solutions
Trend 2: Smart Cards and Mobility
From the cryptovision labs
Virtu
al T
oken
Mod
ule
Virtual Token
Virtual Token
Virtual TokenTPM
SGX
Remote
Virtual Token…
sc/interface
MinidriverPKCS#11
Hardware Token
Smartcard Logon
SSL/TLS
VPN
…
Virtual TokenMobile Phone CMS
Usage of existing smart card based applications
No modification of existing use cases
Virtual token module used to configure different tokens
24cryptovision‘s Government Solutions
Trend 3:eIDAS
25cryptovision‘s Government Solutions
What is eIDAS?
EU regulation on electronic identification and trust services for electronic transactions Goals: amend the regulations on electronic
signatures extend electronic identification improve interoperability of these services
within the EU
Trend 3: eIDAS
26cryptovision‘s Government Solutions
The eIDAS token specification
Is a joint effort between ANSSI and BSI Provides interesting new features for eID
documents: Authorization Extensions Enhanced Role Authentication Pseudonymous Signatures
Trend 3: eIDAS
27cryptovision‘s Government Solutions
Authorization Extensions
Allows for defining access to on-card data based on certificate extensions
Even for future use cases not known at the time of issuance
Trend 3: eIDAS
Example: Adding health data to an eID card
Emergency Data
R
Insurance Plan
R/W
28cryptovision‘s Government Solutions
Enhanced Role Authentication
Enables download of (short term) credentials in a secure online session
Also supports new uses case and increases interoperability
Trend 3: eIDAS
Example: downloading a missing credentialService
Trust
29cryptovision‘s Government Solutions
cryptovision: card implementation on Java Card
HJP: eIDAS for PersoSIM (Open Source eID card simulator)
Governikus: eID Server, eID Client
Trend 3: eIDAS
POSeIDAS
30cryptovision‘s Government Solutions
Trend 4:Additional Biometric
Modalities
31cv cryptovision GmbH | T: +49 (0) 209.167-24 50 | F: +49 (0) 209.167-24 61 | info(at)cryptovision.com
Thank you for your attention!
Adam Ross, Ben Drischcryptovision GmbH