
cv cryptovision GmbH | T: +49 (0) 209.167-24 50 | F: +49 (0) 209.167-24 61 | info(at)cryptovision.com

Enterprise IT

Certificates, Cards and Middleware

Joachim Kessel – Product Manager, Markus Tesche – Program Manager

The plot…

A CRYPTO NERD'S IMAGINATION:

HIS LAPTOP'S ENCRYPTED. LET'S BUILD A MILLION-DOLLAR CLUSTER TO CRACK IT.

NO GOOD! IT'S 4096-BIT RSA

BLAST! OUR EVIL PLAN IS FOILED!

WHAT WOULD ACTUALLY HAPPEN:

HIS LAPTOP'S ENCRYPTED. DRUG HIM AND HIT HIM WITH THIS $5 WRENCH UNTIL HE TELLS US THE PASSWORD.

GOT IT.


Utopian Corporation (UC)

• Computer hardware and software supplier

• Fortune 400 company of Utopia

• Revenue: 50 billion Dollar

• Worldwide customer base



Requirements

Security requirements of the Utopian Corporation

• Secure building access

• Secure company assets

• Secure authentication and communication

• Login with strong authentication

• Secure remote login

• Document authenticity and privacy

• Trusted workflow


Derived requirements

• Employee self service

• Creation of a custom card profile

• Applications (applets) on card

• Fingerprints for authentication


Secure company assets

• Hard drive encryption

  • e.g. Cryptware Secure Disk

• Password-less login


Secure communication

• E-mail encryption

• E-mail signing

• SSL mutual authentication


Login with strong authentication

• Smart card login to workstation

• Smart card login to Terminal Services

• SSL client- or mutual authentication

• OTP-Token functionality

• FIDO Universal Second Factor (U2F)

• SSO (e.g. Evidian Enterprise SSO)


Secure remote login

• VPN access (e.g. OpenVPN)

• Terminal server


Document authenticity / encryption

• Document signing

• Document encryption


Trusted workflow

• Sign workflow step(s)

  • For instance approval of budget for an order

• Sign document by multiple people

  • For instance SharePoint Collect Signatures workflow


Secure building access

• Access valid areas using the smart card

  • E.g. Mifare DESFire

• Event correlation

Derived requirements


Employee self service

• Locked smart card

• Unlock via Challenge – Response (e.g. Self Service Portal)
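The challenge-response unblock above, as an added Python model (not cryptovision's code; the page does not state the actual protocol, so the HMAC-based scheme, the per-card key diversification by serial and all class and function names are assumptions). It shows both sides of the exchange and why the card must consume each challenge so that a captured response cannot be replayed.

```python
import hashlib, hmac, secrets

# Constructed, simplified model of a self-service PIN unblock. Assumed scheme:
# each card holds an individual unblock key diversified from a portal master key
# by card serial; the card unblocks only when the portal answers a fresh random
# challenge with the correct MAC. Names and key handling are illustrative.

def diversify_key(master_key: bytes, serial: bytes) -> bytes:
    # per-card unblock key (assumed derivation)
    return hmac.new(master_key, b"unblock|" + serial, hashlib.sha256).digest()

class SmartCard:
    def __init__(self, serial: bytes, unblock_key: bytes):
        self._unblock_key = unblock_key
        self.pin_blocked = True          # e.g. after too many wrong PIN entries
        self._challenge = None           # outstanding challenge, single use

    def get_challenge(self) -> bytes:
        # fresh 16-byte nonce; any earlier challenge is invalidated
        self._challenge = secrets.token_bytes(16)
        return self._challenge

    def unblock_pin(self, response: bytes, new_pin: str) -> bool:
        if self._challenge is None:
            return False
        expected = hmac.new(self._unblock_key, self._challenge, hashlib.sha256).digest()
        self._challenge = None           # consumed: a replayed response must fail
        if not hmac.compare_digest(expected, response):
            return False
        self.pin_blocked = False
        self._pin = new_pin              # new PIN is set as part of the unblock
        return True

class SelfServicePortal:
    # holds the master key; assumes the employee already authenticated to it
    def __init__(self, master_key: bytes):
        self._master_key = master_key

    def respond(self, serial: bytes, challenge: bytes) -> bytes:
        return hmac.new(diversify_key(self._master_key, serial), challenge, hashlib.sha256).digest()

def run_unblock(card_master: bytes, serial: bytes, portal_master: bytes):
    # whole exchange, then the same response replayed against a new challenge
    card = SmartCard(serial, diversify_key(card_master, serial))
    portal = SelfServicePortal(portal_master)
    response = portal.respond(serial, card.get_challenge())
    first = card.unblock_pin(response, "4711")
    card.get_challenge()
    replay = card.unblock_pin(response, "4711")
    return first, replay, card.pin_blocked
```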


Applications (applets) on card

• PKI applet for storing certificates and keys

• eID applet for storing employee data


Fingerprints for authentication

• Enroll fingerprints

• Verify fingerprints via Match-on-Card

• Use fingerprints as PIN replacement


Workshop to define a card profile

• Cards must fulfill all requirements

• Define applets (card applications) to use

• Define fingerprints to use

• Define card permissions / CHAT bits (r/w)

• Define eID structure

• Define number of certificates and keys on card


Card profile creation

• Choose a smart card to use

• Define objects (PIN(s), PUK(s), SO-PIN)

• Define structure (PKCS#15 preferred)

• Define applications

  • Basic application: ePKI applet

  • Advanced applications: ePasslet Suite


Sampler usage

• Create new company card profile

  • PKCS#15 or proprietary profile to store data

• Install applets

• Create APDU trace for pre-personalization

CAmelot


Certificates by CAmelot

Cards and infrastructure systems need digital certificates. Certificates can be provided by CAmelot.

Certificates needed for:

• Authentication

• Signatures

• Encryption

Certificates needed for authentication against:

• Card

• Card content signing

Product Mission

CAmelot provides fully modular certificate lifecycle management:

• Registration

• Request

• Provisioning

• Publication

• Document Signing

• Key Generation

• Certificate Generation

• EoL

Sampler


ePasslet Sampler

• Tool for generating reference cards

• Used for

  • Card profile validation

  • Test card generation


sc/interface


sc/interface Environment

Host application → crypto interface → sc/interface (middleware) → card interface → smart card reader


Usage of sc/interface as smart card middleware

• PKCS#15 card access using PIN and SO-PIN

• Smart card login - local and remote (VDI)

• Challenge – Response self service

• Fingerprint access / storage

• Authentication

• Signing and encryption


Usage of sc/interface as smart card middleware

• VPN support (e.g. OpenVPN)

• HDD encryption (e.g. Cryptware Secure Disk)

• Investment protection

  • Support for 3rd party card profiles

  • 60+ cards supported

  • 60+ readers supported

• Available for all platforms (Windows, Linux, OS X)

SCalibur


SCalibur Environment

SCalibur: distributed middleware between Reader, Card, Online Service and Trusted Server


Usage of SCalibur as eID middleware SDK

• Enrollment of fingerprints and eID data

• Use SDK to connect multiple applications

  » E.g. Self-Service-Portal

  » Name change

  » Address change

  » Department change

s/mail


Usage of s/mail for end-to-end eMail encryption

• End-to-end encryption

• E-mail signing

• VS-NfD approval in collaboration with BSI

• Outlook and Notes plugin

• Curves other than NIST's may be used (e.g. Brainpool)

• Message recovery


Product Roadmaps


Outlook – Roadmap Camelot 3.0

● Camelot 3.0 (end of July 2015)

● Support for additional HSMs: Bull, Thales, Safenet

● Support for additional Databases: MySQL, MS SQL, H2

● Improved monitoring functionality via Web Interface and Nagios

● Improved remote management functionality

● RSA PSS support


Outlook – Roadmap sc/interface 6.4

● sc/interface 6.4 (end of July 2015)

● ePasslet 2.1 support

● Minidriver ECC, ECDH

» Smart Card login using ECC

» Encryption and signing using ECC

● Enhanced certificate handling using plugin-interface

● Basic Credential provider

● Class 2 / 3 reader support for Outlook

● TCOS Signature Card v1 and v2 integration

● PCSC Cache


Outlook – Roadmap sc/interface 6.5

● sc/interface 6.5 (end of 2015)

● Read-only Minidriver with Biometric support

● Biometric Credential Provider

» Bio-logon in Windows

● CAN protection of cards

● Filesystem Cache for Linux

● Documentation refactoring

● STARCOS 3.5 support

● Windows 10 support


Outlook – Roadmap sc/interface 6.6

● sc/interface 6.6 (~mid of 2016)

● CardOS 5.0 & 5.3 support

● Sm@rt Café Expert 7 support

● OS X 10.11


Outlook – Roadmap SCalibur 1.1 & 1.2

● SCalibur 1.1 (release at Mindshare)

● Integration of MRZ scanner functionality

● Basic ICAO support

● OS X 10.10 support

● SCalibur 1.2 (Q3 2015)

● Generic ICAO profile support

● Integration of ICAO Test suite by HJP


Outlook – Roadmap SCalibur 2.0

● SCalibur 2.0 (Q3 2015)

● ePKI without PKCS#15

● TR03129 – Camelot connectivity

» E.g. request or renew CA keys

● ICAO with and without SAC

● Web Terminal

» Distributed application with web frontend

● Generic Advanced eID Card (GAeIDCard)

» Support for EACv2 & RI & Age Verification

● Neurotechnology Biometric Fingerprint SDK support


Outlook – Roadmap ePasslet v3.x

● ePasslet v3.x

● Encrypted key import

● Modularization (for smaller ROM chips and Flash platforms)

● Enhanced flexibility of authentication protocols

● ePasslet v3.x ff.

● Adding full eIDAS functionality according to updated TR03110


Outlook – Roadmap s/mail 4.0.0

● s/mail 4.0.0, released on 2015-06-18

● Full approval for VS-NfD

● PKCS#1 v2.2 RSA padding scheme support as demanded by BSI

● Token-based Random Number Generation (RNG)


End

Thank You!

Contact cv cryptovision

cv cryptovision GmbH, Munscheidstr. 14, 45886 Gelsenkirchen, Germany

Tel: +49 (0) 209 / 167 - 24 50, Fax: +49 (0) 209 / 167 - 24 61, E-Mail: info(at)cryptovision.com