Presentation & Demo
Benjamin Drisch, Adam Ross
cv cryptovision GmbH
T: +49 (0) 209.167-24 50
F: +49 (0) 209.167-24 61
info(at)cryptovision.com

General Requirements
Government of Utopia: Utopia Electronic Identity Card Project
Requirements:
- capable of multiple applications
- functional
- comprehensive
- customizable
- post-issuance updates shall be possible

Customer wish list (Government of Utopia)
- Signature application (for eGov and enterprise use)
- Travel document (Schengen-type)
- Post-issuance update capabilities
- Fingerprint for holder identification (identification services also for private enterprises)
- eID with local content and access for various authorities and private enterprises

Demo Kit (cryptovision eID Demo Kit)
- Contactless card reader
- 3 personalized sample cards
- USB flash drive with pre-configured VMware image
- Fingerprint reader
epasslet Suite

Card Solution Offering: epasslet Suite
- Ready-to-use Java Card applets for various eID applications
- Many applets can be used on one card
- Easily customizable and extendable
Use multiple applications from the same chip
Combine PKI and many other common eID applications onto a single card.
Card layers (ROM / EEPROM):
- NXP JCOP Java Card Operating System
- cryptovision epasslet Suite Core Library
- Applets: eID, ePKI, MoC, Insurance, Driving License, ICAO, Transport
- Data: Personal data, Fingerprints, Keys, Certificates, Custom data
Supports all the latest security standards and mechanisms, including BAC, EAC and SAC/PACE, and enables the right security features for the desired application.

Mix and match functionality as needed
- Includes 3rd party biometric MoC and support for custom applications
- Same card layers (ROM / EEPROM): NXP JCOP Java Card Operating System, cryptovision epasslet Suite Core Library, applets (eID, ePKI, MoC, Insurance, Driving License, ICAO, Transport) and data (Personal data, Fingerprints, Keys, Certificates, Custom data)
- The same card application suite can be reused to cover a number of different document types, including eID and ePassport, or extended to support customer-defined cards.
Customer wish list revisited (Government of Utopia)
- Signature application (for eGov and enterprise use)
- Travel document (Schengen-type)
- Post-issuance update capabilities
- Fingerprint for holder identification (identification services also for private enterprises)
- eID with local content and access for various authorities and private enterprises

Card profile definition
Card Profile Specification:
- Applications
- Data, Credentials
- Access rights
Introducing epasslet Sampler
- Tool for generating reference cards
- Meant to be used for card profile validation and test card generation

epasslet Sampler

Use Cases (Government of Utopia)
- signature application (for eGov and enterprise use)
- travel document (Schengen-type)
- post-issuance capabilities
- fingerprint for card holder identification (identification service also for private enterprises)
- eID with local content and access for various authorities and private enterprises
All these use cases can be configured on card with epasslet Sampler.
Smart Card Middleware Environment
application - smart card middleware - reader - smart card

Smart Card Middleware Approaches
- Client-based Smart Card Middleware: the middleware runs on the client
- Distributed Smart Card Middleware: part of the middleware runs on a trusted server
SCalibur Environment (Distributed Middleware)
Trusted Server - Reader - Card - Online Service

SCalibur Architecture
SCalibur is a layered cake: take the piece of cake you need together with your card.
- Topping: high-level interface for rapid development
- Filling: low-level interface with more control
- Foundation: core functions
Components: Trusted Device, Trusted Server, Online Service, Applications, SDK / Development

Use Cases (Government of Utopia)
- signature application (for eGov and enterprise use)
- travel document (Schengen-type)
- post-issuance capabilities
- fingerprint for card holder identification (identification service also for private enterprises)
- eID with local content and access for various authorities and private enterprises
All these use cases are supported by SCalibur.
sc/interface Environment
Host: application - middleware (crypto interface, card interface) - reader - smart card

sc/interface Architecture
- Applications: Signature, Browser, E-Mail, SSO-Client, Admin Tool, User Tool, Register Tool
- Secure Token Interface (sc/interface): TokenD, PKCS#11, CSP, Mini Driver
- Operating Systems
- Security Token

Use Cases (Government of Utopia)
- signature application (for eGov and enterprise use)
- travel document (Schengen-type)
- post-issuance capabilities
- fingerprint for card holder identification (identification service also for private enterprises)
- eID with local content and access for various authorities and private enterprises
All these use cases are supported by sc/interface.
eID projects require certificates
- Cards and infrastructure systems need digital certificates
- Certificates needed for authentication, signatures, encryption
- Certificates needed for authentication against the card, card content signing, encryption
- Certificates can be provided by CAmelot

X.509 and Card Verifiable Certificates

X.509 Certificate
- syntax: flexible
- typical size: 2,000 byte
- certificate holder: person or component
- certificate verifier: PC, server
- fields: Version, Serial Number, Signature, Issuer, Validity, Subject, Subject Public Key Info, Authority Key Identifier, Subject Key Identifier, Key Usage, Private Key Usage Period, Policy Mappings, Subject Alternative Name, Issuer Alternative Name

Card Verifiable Certificate
- syntax: simple
- typical size: 200 byte
- certificate holder: inspection system or terminal
- certificate verifier: smart card chip
- fields: Profile Identifier, Certification Authority, Certificate Holder, Certificate Holder Authorization, Validity Period, Key
Using CV certificates for access control
- EAC allows access for Inspection Systems (IS) to be defined and restricted at a granular level.
- The access rights are defined in the CVCA, DV and IS certificates, in the Certificate Holder Authorization Template (CHAT).
- Card Verifiable Certificate fields: Profile Identifier, Certification Authority, Certificate Holder, Holder Authorization, Validity Period, Key
- Effective authorization: AND over the whole certificate chain (CAmelot, EACv1), giving 0/1 for each of DG3 and DG4:

    CVCA   0 0 0 0 1 1 1 1
    DV     0 0 1 1 0 0 1 1
    IS     0 1 0 1 0 1 0 1
    AND    0 0 0 0 0 0 0 1
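A worked example of the AND rule above, added here and not part of the slides or of cryptovision's products: it derives the effective DG3/DG4 read rights from the one-byte EAC v1 CHAT of each certificate in a CVCA -> DV -> IS chain. The bit layout is assumed to follow BSI TR-03110 v1, and the CHAT values are constructed.

```python
# Added example (not cryptovision / epasslet code): effective EAC v1 access
# rights are the bitwise AND of the CHAT access bits over the whole chain.
# Assumed one-byte EAC v1 Inspection System CHAT layout (BSI TR-03110 v1):
#   bits 7-6: role (11 = CVCA, 10 = domestic DV, 01 = foreign DV, 00 = IS)
#   bit 1   : read access to DG3 (fingerprints)
#   bit 0   : read access to DG4 (iris)
ROLE_MASK = 0xC0
ACCESS_MASK = 0x03
DG3_READ = 0x02
DG4_READ = 0x01
ROLES = {0xC0: "CVCA", 0x80: "DV", 0x40: "DV", 0x00: "IS"}


def role_of(chat: int) -> str:
    """Return the certificate role encoded in the CHAT's two top bits."""
    return ROLES[chat & ROLE_MASK]


def effective_authorization(chain: list) -> dict:
    """chain: CHAT bytes ordered CVCA, DV(s), IS.

    Returns the DG3/DG4 read rights the chip will actually grant to the
    inspection system: a right survives only if every certificate in the
    chain carries it (AND over the whole chain).
    """
    if len(chain) < 3 or role_of(chain[0]) != "CVCA" or role_of(chain[-1]) != "IS":
        raise ValueError("chain must run CVCA -> DV -> IS")
    if any(role_of(c) != "DV" for c in chain[1:-1]):
        raise ValueError("intermediate certificates must be DVs")
    access = ACCESS_MASK
    for chat in chain:
        # Role bits differ at every level, so only the access bits are ANDed.
        access &= chat & ACCESS_MASK
    return {"DG3": bool(access & DG3_READ), "DG4": bool(access & DG4_READ)}


def truth_table() -> list:
    """Reproduce the slide's table for one data-group bit: (CVCA, DV, IS, result)."""
    rows = []
    for bits in range(8):
        cvca, dv, is_ = (bits >> 2) & 1, (bits >> 1) & 1, bits & 1
        rows.append((cvca, dv, is_, cvca & dv & is_))
    return rows


if __name__ == "__main__":
    # Constructed chain: CVCA grants both, domestic DV grants DG3 only,
    # IS certificate requests both -> only DG3 is effectively granted.
    print(effective_authorization([0xC3, 0x82, 0x03]))  # {'DG3': True, 'DG4': False}
```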
CAmelot - Product Mission
CAmelot provides fully modular certificate lifecycle management:
- Registration
- Key Generation
- Request
- Certificate Generation
- EoL
- Provisioning
- Document Signing
- Publication

Use Cases (Government of Utopia)
- signature application (for eGov and enterprise use)
- travel document (Schengen-type)
- post-issuance capabilities
- fingerprint for card holder identification (identification service also for private enterprises)
- eID with local content and access for various authorities and private enterprises
These use cases require digital certificates.
Solution Partners
Outlook: Future Project Steps
- Post-issuance updates (the process involves all parts of the system)
- Convergence (banking/payment; things we learned from enterprise projects)
- Derived IDs based on a trusted initial document-based identity?

Summary
- Customizable: with epasslet Suite, agencies are enabled to customize existing applications and add local content
- Multi-application: epasslet Suite cards can host various applications in parallel, including payment
- Standard-compliant: all our solutions comply with international standards and provide proven security and interoperability
- Cross-platform: sc/interface supports over 50 PKI cards and all major clients
- Versatile: SCalibur provides all common eID mechanisms and can easily be integrated
- Java / Java Card: an open platform provides transparency and prevents vendor lock-in situations

End / Contact
cv cryptovision GmbH
Munscheidstr. 14
45886 Gelsenkirchen
Germany
Tel: +49 (0) 2 09 / 1 67-24 50
Fax: +49 (0) 2 09 / 1 67-24 61
E-Mail: info(at)cryptovision.com
Thank You!