adam ross, ben drisch cryptovision gmbh · adam ross, ben drisch cryptovision gmbh. ... •...

1cv cryptovision GmbH | T: +49 (0) 209.167-24 50 | F: +49 (0) 209.167-24 61 | info(at)cryptovision.com

cryptovision’s Government Solutions

Adam Ross, Ben Drischcryptovision GmbH

2cryptovision‘s Government Solutions

cryptovision

cryptovisionGelsenkirchen

SubsidiaryNew York City

OfficeSilicon Valley

OfficeMexico City

Office Vienna


Trend 1:Multi-application

eID Projects


Trend 1: Multi-application eID projects

Multi-application eID cards are already there

Electronic ID Card Signature Card

Health Insurance Card Company card

Loyalty card

Payment CardAccess Card


Prepaid SIM Registration

Many countries implementedprepaid SIM registration by law

Key Objectives:• Assist security agencies• Reduce fraud• Support resolving crime• Collect data on phone usage• Offer value add services



Current processes are slow, unsecure and costly:• Often involves paper-based forms to be filled by applicants• Identification based on traditional IDs (photocopy created)• Biometric fingerprint has to be taken and stored, again• Multiple 100 million pages of paper to be archived• Secure process relies on telecom employees



Use eID card to• Securely identify the person• Store the prepaid SIM serial number on the eID card for

offline verification of registered SIM cards



eID ePKI MoC Driving License Transport

Health

Payment

Voting

Appl

icat

ions

Use

r dat

a

Pension Insurance CustomTax

Keys CertificatesPersonal data Fingerprints Additional data

ICAO

SIM



ePasslet Suite A Java Card Applet Suite for eID document applications Provides all relevant applications from one solution Supports multi-application configurations

Shared file system, inter-applet communication

Post-issuance activation and applet loading possible Without losing the CC certification



ePasslet Suite v3.0 DESFire support for Ticketing/Transport Convergence with M/Chip, VSDC, CPA available eIDAS token functionality Improved flexibility of key and certificate provisioning

Available on NXP JCOP 3 and Veridos SCE 7 (IFX)* 2nd source option for both chip and operating system Certification at EAL 5+ to be concluded end of Q3/2017

* Functional scope may vary


Trend 2:Smart Cardsand Mobility


Part 1: Using mobile devices for eIDdocument access

Both OTS mobile hardware as well as custom build devices are used for enrolment and read-out

Trend 2: Smart Cards and Mobility


Mobile Identity Verification

Key Objectives:• Allow identity verification for police forces

and emergency personnel• Support (temporary) offline scenarios• Non-stationary use

Many countries are looking for mobilesolutions to verify citizens’ identity


Use eID card to• Read out eID document data• Identify card holder using face and/or fingerprint matching• Support Match-on-Card (for offline usage and privacy)




• Fingerprint/PIN management• Read/Write data• Read out ICAO application

Terminal application based on SCalibur SDK



SCalibur v2.0.0 - cryptovision’s eID middleware SDK Provides all common eID document protocols/mechanisms Easily portable due to Java Also available for mobile devices running Android Client-only and client-server settings supported

All eIDprotocols Biometrics

EACv2 / TR3110

Variousprofiles

Standard compliant



Some notes on OTS general purpose mobile devices Often problematic antenna design NFC not fully usable

No extended length APDUs (getting better) Not fully compliant to ISO 14443 Sometimes restricted access (iOS – getting better?)

Mobile OSs lack generic interface for card integration



Mobile devices equipped with SCalibur

Image source: Credence ID


Part 2: Moving eID applications tomobile platforms

More and more organizations look for mobile smart card alternatives

smart card/eID document

mobile smart card alternative




Storing signed data and verifying it is easy only needs public key no requirements for secure execution environment

Prevent cloning or storing private keys is hard Requires at least some form of trusted execution environment Ideally supported by dedicated security hardware



We don’t see a unified mobile solution with security hardware anytime soon

There is the need for a leveled security approach with different security levels for different use case scenarios

contact card

contactless

smart token

mobile

microSD

SIM

built-in

TPM

SGX

chip implant

mobile key store

software smart card emulation

Remote CSP

Credentials Of Various Forms Effectively

Functioning Equivalently

(COVFEFE)



From the cryptovision labs

Smartcard Reader Device Reader Driver (PCSC)

SmartcardMiddleware

Applications

TPMSmartcard Simulation

ServiceVirtual Reader Driver (PCSC)

Smartcard Middleware Applications

Intel SGX Token Enclave Service

Virtual Reader Driver (PCSC)


Remote Server (HSM)

Remote Connection



Mobile Phone (iOS,

Android)

Mobile Connection



PFX File PFX File Service

Virtual Reader Driver (PCSC)


Security Level

Credential Orchestration System



From the cryptovision labs

Virtu

al T

oken

Mod

ule

Virtual Token

Virtual Token

Virtual TokenTPM

SGX

Remote

Virtual Token…

sc/interface

MinidriverPKCS#11

Hardware Token

Smartcard Logon

E-Mail

SSL/TLS

VPN

…

Virtual TokenMobile Phone CMS

Usage of existing smart card based applications

No modification of existing use cases

Virtual token module used to configure different tokens


Trend 3:eIDAS


What is eIDAS?

EU regulation on electronic identification and trust services for electronic transactions Goals: amend the regulations on electronic

signatures extend electronic identification improve interoperability of these services

within the EU

Trend 3: eIDAS


The eIDAS token specification

Is a joint effort between ANSSI and BSI Provides interesting new features for eID

documents: Authorization Extensions Enhanced Role Authentication Pseudonymous Signatures

Trend 3: eIDAS


Authorization Extensions

Allows for defining access to on-card data based on certificate extensions

Even for future use cases not known at the time of issuance

Trend 3: eIDAS

Example: Adding health data to an eID card

Emergency Data

R

Insurance Plan

R/W


Enhanced Role Authentication

Enables download of (short term) credentials in a secure online session

Also supports new uses case and increases interoperability

Trend 3: eIDAS

Example: downloading a missing credentialService

Trust


cryptovision: card implementation on Java Card

HJP: eIDAS for PersoSIM (Open Source eID card simulator)

Governikus: eID Server, eID Client

Trend 3: eIDAS

POSeIDAS


Trend 4:Additional Biometric

Modalities

31cv cryptovision GmbH | T: +49 (0) 209.167-24 50 | F: +49 (0) 209.167-24 61 | info(at)cryptovision.com

Thank you for your attention!

Adam Ross, Ben Drischcryptovision GmbH

adam ross, ben drisch cryptovision gmbh · adam ross, ben drisch cryptovision gmbh. ... •...

Documents