eu regulation - id cards - nxp community
TRANSCRIPT
Company Public – NXP, the NXP logo, and NXP secure connections for a smarter world are trademarks of NXP
B.V. All other product or service names are the property of their respective owners. © 2019 NXP B.V.
Julien Vintrou
EU REGULATION - ID Cards
November 2019 | EUF-CIT-T3866
Marketing Manager Government
COMPANY PUBLIC 1
Agenda
• EU Regulation
• Chip Content
• NXP JCOP® 4
• Wrap-Up
EU Regulation
ID Cards
Regulation - Status
➢Title: REGULATION OF THE EUROPEAN PARLIAMENT AND OF
THE COUNCIL on strengthening the security of identity cards of
Union citizens and of residence documents issued to Union citizens
and their family members exercising their right of free movement
➢Publication at Official Journal of the European Union: 12.07.2019
➢Entry Into Force: 02.08.2019
➢Regulation Applicable: 02.08.2021 (new issued ID shall comply)
Regulation – CONCERNED DOCUMENTS
➢Identity cards delivered by Member States to their own nationals
➢Registration certificates issued to Union citizens residing for more than
three months in a host Member State
➢Residence cards issued to family members of Union citizens who are not
nationals of a Member State
Regulation – Period Of Validity
➢Identity cards shall have a period of validity of ten years.
➢Identity cards issued to minors may have a period of validity of five years.
➢Where it is temporarily impossible to take fingerprints or a facial image, identity cards shall have a maximum period of validity of 3 months.
➢In the event a Member State decides to take fingerprints, children under the age of 12 years may be exempt from the requirement to give fingerprints. Children under the age of 6 years shall be exempt from the requirement to give fingerprints.
Regulation – Phase out
➢Phase out of existing ID with MRZ = 10y max (earlier with expiry)
➔ 03.08.2031
➢Phase out of existing ID without MRZ = 5y (Greece)
➔ 03.08.2026
➢No mandate to comply when no ID exists (UK / Denmark)
Regulation – Main Impact on CHIP
Item | Impact | Comment
ICAO eMRTD application | ICAO document 9303 with Logical Data Structure and Security Mechanisms | Ensure global interoperability when these documents are verified using visual inspection and machine readable means
Contactless Interface | Allowed communication interfaces: Contactless, Dual and Hybrid | Pure contact interface not allowed
SAC | |
Storage of Facial image | 30KB JPEG2000 | See https://readid.com/blog/face-images-in-ePassports
Storage of Fingerprint images | 30KB in WSQ format (12kB x 2 fingers) |
EAC | |
Data Separation | Subject to interpretation ➔ Duplication of data in National apps (eGov and eBiz) and ICAO eMRTD app | All national data should be physically or logically separated from biometric data referred to in this Regulation
"The compulsory inclusion of *biometric data … will be implemented with specific safeguards in line with those in place for passports..."
*Biometric data = fingerprints, facial images, hand written signature
Chip Content
ICAO E-MRTD WITH FINGERPRINT STORAGE
4 Security Mechanisms
• BAC/PACE: Express user consent & privacy, very relevant in CL (contactless) mode
• PA: Against counterfeiting & manipulation
• AA: Against copying & cloning
• EAC: Protects sensitive data (fingerprint & iris)
Fingerprint: mandatory with EU Regulation
▪ Challenge: Non-trivial IT required for EAC inspection ➔ EAC is mandatory for ePP since 2009. As of today, only Germany and Netherlands are ready for cross-border EAC inspection
▪ Benefit: Interoperability / Reuse ePP infrastructure
Logical Data Structure
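The slide lists PA (Passive Authentication) as the mechanism against counterfeiting and manipulation, and the earlier impact table gives the size and format limits for the face and fingerprint data groups. The following is an added example, not NXP code and not part of the deck: an inspection-system-side check that compares the data-group hashes listed in a simplified EF.SOD-style hash table against the data groups read from the chip (the hash-comparison half of PA), plus the 30KB JPEG2000 face and 12kB-per-finger WSQ limits from the table. The constructed sample data groups, the `constructed_sample` helper, and the `sod_signature_valid` flag (standing in for the Document Signer signature verification a real inspection system performs before trusting the table) are assumptions of this example.

```python
"""Simplified Passive Authentication hash check plus EU-regulation size checks.

Added example, not NXP code. A real EF.SOD wraps the hash table in a CMS
SignedData signed by the Document Signer; that signature step is modelled
here by a caller-supplied boolean so the control flow stays visible
without a PKI.
"""
import hashlib

# Limits taken from the slide "Regulation - Main Impact on CHIP".
FACE_MAX_BYTES = 30 * 1024      # DG2: 30KB JPEG2000
FINGER_MAX_BYTES = 12 * 1024    # DG3: 12kB per finger
FINGERS_REQUIRED = 2            # DG3: two fingers
JPEG2000_SOC = b"\xff\x4f"      # start-of-codestream marker of a J2K stream
WSQ_SOI = b"\xff\xa0"           # start-of-image marker of a WSQ stream


def build_security_object(data_groups, algorithm="sha256"):
    """Mimic the hash table inside EF.SOD: {DG number: hex digest}."""
    return {
        "algorithm": algorithm,
        "hashes": {dg: hashlib.new(algorithm, body).hexdigest()
                   for dg, body in data_groups.items()},
    }


def passive_authentication(sod, data_groups, sod_signature_valid):
    """PA hash comparison. Returns (ok, findings).

    sod_signature_valid stands in for the Document Signer signature check
    that must succeed before the hash table can be trusted at all.
    """
    if not sod_signature_valid:
        return False, ["SOD signature invalid: hash table cannot be trusted"]
    findings = []
    alg = sod["algorithm"]
    for dg, expected in sod["hashes"].items():
        if dg not in data_groups:
            findings.append(f"DG{dg} listed in SOD but not read from chip")
            continue
        if hashlib.new(alg, data_groups[dg]).hexdigest() != expected:
            findings.append(f"DG{dg} hash mismatch: content manipulated")
    for dg in data_groups:
        if dg not in sod["hashes"]:
            findings.append(f"DG{dg} on chip but not covered by SOD")
    return not findings, findings


def check_eu_profile(face_image, finger_images):
    """Size and format checks for the biometric data groups the regulation mandates."""
    findings = []
    if not face_image.startswith(JPEG2000_SOC):
        findings.append("DG2 face image is not a JPEG2000 codestream")
    if len(face_image) > FACE_MAX_BYTES:
        findings.append(f"DG2 face image {len(face_image)} B exceeds {FACE_MAX_BYTES} B")
    if len(finger_images) != FINGERS_REQUIRED:
        findings.append(f"DG3 holds {len(finger_images)} fingers, expected {FINGERS_REQUIRED}")
    for i, img in enumerate(finger_images, 1):
        if not img.startswith(WSQ_SOI):
            findings.append(f"DG3 finger {i} is not a WSQ stream")
        if len(img) > FINGER_MAX_BYTES:
            findings.append(f"DG3 finger {i} {len(img)} B exceeds {FINGER_MAX_BYTES} B")
    return findings


def constructed_sample():
    """Constructed stand-in data groups (not real LDS encodings)."""
    face = JPEG2000_SOC + bytes(20 * 1024)                 # 20 KB dummy face
    fingers = [WSQ_SOI + bytes(10 * 1024) for _ in range(2)]  # 10 KB per finger
    data_groups = {
        1: b"IDUTO0000000001<<<<<<<<<<<<<<<<<",   # MRZ-like DG1 content
        2: face,
        3: b"".join(fingers),
    }
    return data_groups, face, fingers


if __name__ == "__main__":
    dgs, face, fingers = constructed_sample()
    sod = build_security_object(dgs)
    print(passive_authentication(sod, dgs, True))      # genuine document
    dgs[1] = dgs[1].replace(b"UTO", b"XXX")            # manipulated DG1
    print(passive_authentication(sod, dgs, True))
    print(check_eu_profile(face, fingers))
```

Any hash mismatch or any data group missing from the table is reported rather than silently tolerated, which is the property the slide's "against counterfeiting & manipulation" summary relies on; the signature step that binds the table to the issuing state is what makes the comparison meaningful and must not be skipped.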
ID CARD PROFILE AT A GLANCE (RECOMMENDATION)
[Figure: card profile diagram; labels: New EU Reg., QSCD eIDAS Reg., New EU Reg.]
Implicit Requirements
➢SAC and EAC are mandatory with new regulation; QSCD was
mandatory with eIDAS regulation* ➔ Increased security
➢Memory consuming attributes are mandatory ➔ Increased
personalization and read-out performance in order to sustain the
inspection flow
➢Mandate on ICAO eMRTD application with fingerprint but no
mandate on national application(s) ➔ large application portfolio
required (IAS app, eIDAS Token Spec., etc.)
*In case Signature Service is offered from
card and eID scheme notified at LOA "High"
NXP JCOP 4
NXP Is Recognized As Preferred Technology Provider Offering Highest Security
• PROVEN TRACK RECORD: 250+ NXP CC certification awards listed
• HIGHEST LEVEL OF CC CERTIFICATION: 26 awards for EAL 6+ hardware plus OS
• Ready for FIPS 140-2 level 3 certification
• CERTIFIED FOR COMPOSITION: NXP provides security guidance to allow applet developers to certify own applets on top of the NXP OS
• APPLICATION COMPREHENSIVE: Enhanced security level for payment (EMVCo, CUP) and eGov applications (CC)
• SETTING NEW STANDARDS: 1st EAL 6+ Java Card OS in 2019; 1st EAL 6+ IC in 2012; 1st EAL 5+ IC in 2001
• CONVERGENCE OF IP: Secure element, mobile, IoT and automotive
JCOP: The globally proven and card independent Java Card OS
• > 2.5 billion pcs of certified JCOP OS shipped to around 50 countries
• More than 80 customers including most of the biggest card makers
• Superior security for HW (EAL6+), OS and applications with EMVCo and CC EAL6+ (JCOP 4) certification
• #1 Convergence platform for Payment, Identity and Mobility with EMVCo and CC for same OS
• Excellent performance in all application areas (e.g. < 200ms M/Chip Advance on JCOP 4)
JCOP 4 – Setting new standards
CONFORM TO ALL STANDARDS
• CC EAL6+ Open Platform
• EMVCo Open Platform
• JavaCard 3.0.5
• GP 2.3 Basic Financial Config
• SCP03 support
• FIPS 140-2
UNMATCHED PERFORMANCE
• M/Chip transaction < 200ms
• SAC ePP readout < 2s
• Pre-personalization < 1s
• M/Chip personalization < 3s
• SAC ePP personalization < 4s
• Improved reading distance and interoperability thanks to EMD noise reduction
A NEW DIMENSION OF FLEXIBILITY
• Broad secure identification applet portfolio
• Up to 450 KB user memory
• Convergence with MIFARE DESFire EV2 and up to 4 payment applets available in parallel at delivery
JCOP SECID ROADMAP
[Timeline on slide: 2019, 2020, 2021; status labels: Available, Samples, Production, Design]
JCOP 3 SecID
− P60D145 90nm ROM/EEPROM Platform
− JC CC EAL5+
− 128 KB available for data (applets in ROM)
− EMVco Certified
− MIFARE Plus/DESFire EV1
− SecID applets
− CPA
JCOP 4 SECID
− P71D321 40nm Flash Platform
− JC CC EAL6+
− 180 KB available for applet and data
− EMVco Certified
− MIFARE Plus/DESFire EV2
− Full Applets portfolio (SecID applets, Payments applets)
JCOP4 P71D600
− 40nm Flash Platform
− JC CC EAL6+
− >450 KB Flash available for applet and data
− MIFARE Plus/DESFire EV2
− Full Applets portfolio (SecID applets, Payments applets)
JCOP 4 P71 – SECID DUAL INTERFACE & CONTACT
SecID Solutions | Mono | Multi | Convergence | Convergence (Q2 2021) | Convergence (Q2 2021)
Available Memory | 110k | 150k | 180k | 300k | 450k
Target Applications | Mono-App | Multi-App | Convergence | Convergence | Convergence
EU Regulation
Interface | Contact / DIF | Contact / DIF | DIF | DIF | DIF
Type | J2R110 / J3R110 | J2R150 / J3R150 | J3R180 | J3R300 | J3R450
Applet Options
Secure ID Applet Suites | optional | optional | optional | optional | optional
EMV Applets | - | - | optional | optional | optional
OS Addons
RSA Key Gen | optional | optional | optional | included | included
MoC ID3 / NT | optional | optional | optional | optional | optional
FIPS Module | optional | optional | optional | optional | optional
MIFARE Plus EV1 | - | - | optional | optional | optional
MIFARE DESFire EV2 | - | - | optional | optional | optional
Applets, MIFARE Emulations and Addons as well as payload memory of the selected Applications (incl. MIFARE) need to fit into the selected overall available memory.
MIFARE Emulations and Addons may be requested to be loaded before delivery in the NXP factory to extend base functionality of products and can be deleted at pre-perso of the product.
MIFARE Plus EV1 includes MIFARE Classic and backwards compatibility to MIFARE Plus.
MIFARE DESFire EV2 is backwards compatible to DESFire EV1.
JCOP 4 offering the Broadest applet portfolio
[Figure: applet portfolio diagram, from Simple App. to National Applications; labels: "National Applications: a dozen of standards can apply", "+FIDO (Authentication only)"]
Wrap-up
Summary
➢EU Regulation has entered into force already
➢JCOP 4 is the right candidate to provide security, performance and
features necessary to support the regulation
➢JCOP 4 is available now! JCOP 4 roadmap fits regulation timeline
➢Demo available in the LAB
Q&A
Thank you for your attention!
Julien Vintrou
Marketing Manager Government
+49 1516 285 7979
NXP and the NXP logo are trademarks of NXP B.V. All other product or service names are the property of their respective owners. © 2019 NXP B.V.