cryptovision s Government Solutions Adam Ross, Ben Drisch cryptovision GmbH cv cryptovision GmbH T: +49 (0) 209.167-24 50 F: +49 (0) 209.167-24 61 info(at)cryptovision.com 1
cryptovision cryptovision Gelsenkirchen Office Vienna Office Silicon Valley Office Mexico City Subsidiary New York City 2
Trend 1: Multi-application eid Projects 3
Trend 1: Multi-application eid projects Multi-application eid cards are already there Electronic ID Card Signature Card Health Insurance Card Company card Payment Card Access Card Loyalty card 4
Prepaid SIM Registration Many countries implemented prepaid SIM registration by law Key Objectives: Assist security agencies Reduce fraud Support resolving crime Collect data on phone usage Offer value add services 5
Prepaid SIM Registration Current processes are slow, unsecure and costly: Often involves paper-based forms to be filled by applicants Identification based on traditional IDs (photocopy created) Biometric fingerprint has to be taken and stored, again Multiple 100 million pages of paper to be archived Secure process relies on telecom employees 6
Prepaid SIM Registration Use eid card to Securely identify the person Store the prepaid SIM serial number on the eid card for offline verification of registered SIM cards 7
Prepaid SIM Registration Applications User data Personal data Fingerprints Keys Certificates Additional data eid epki MoC Payment Driving License ICAO Transport Health Voting Pension Insurance Tax SIM Custom 8
Trend 1: Multi-application eid projects epasslet Suite A Java Card Applet Suite for eid document applications Provides all relevant applications from one solution Supports multi-application configurations Shared file system, inter-applet communication Post-issuance activation and applet loading possible Without losing the CC certification 9
Trend 1: Multi-application eid projects epasslet Suite v3.0 DESFire support for Ticketing/Transport Convergence with M/Chip, VSDC, CPA available eidas token functionality Improved flexibility of key and certificate provisioning Available on NXP JCOP 3 and Veridos SCE 7 (IFX)* 2 nd source option for both chip and operating system Certification at EAL 5+ to be concluded end of Q3/2017 * Functional scope may vary 10
Trend 2: Smart Cards and Mobility 11
Trend 2: Smart Cards and Mobility Part 1: Using mobile devices for eid document access Both OTS mobile hardware as well as custom build devices are used for enrolment and read-out 12
Mobile Identity Verification Many countries are looking for mobile solutions to verify citizens identity Key Objectives: Allow identity verification for police forces and emergency personnel Support (temporary) offline scenarios Non-stationary use 13
Mobile Identity Verification Use eid card to Read out eid document data Identify card holder using face and/or fingerprint matching Support Match-on-Card (for offline usage and privacy) 14
Mobile Identity Verification Terminal application based on SCalibur SDK Fingerprint/PIN management Read/Write data Read out ICAO application 15
Trend 2: Smart Cards and Mobility SCalibur v2.0.0 - cryptovision s eid middleware SDK Provides all common eid document protocols/mechanisms Easily portable due to Java Also available for mobile devices running Android Client-only and client-server settings supported All eid protocols Standard compliant Various profiles Biometrics EACv2 / TR3110 16
Trend 2: Smart Cards and Mobility Some notes on OTS general purpose mobile devices Often problematic antenna design NFC not fully usable No extended length APDUs (getting better) Not fully compliant to ISO 14443 Sometimes restricted access (ios getting better?) Mobile OSs lack generic interface for card integration 17
Trend 2: Smart Cards and Mobility Mobile devices equipped with SCalibur Image source: Credence ID 18
Trend 2: Smart Cards and Mobility Part 2: Moving eid applications to mobile platforms smart card/ eid document mobile smart card alternative More and more organizations look for mobile smart card alternatives 19
Trend 2: Smart Cards and Mobility Storing signed data and verifying it is easy only needs public key no requirements for secure execution environment Prevent cloning or storing private keys is hard Requires at least some form of trusted execution environment Ideally supported by dedicated security hardware 20
Trend 2: Smart Cards and Mobility We don t see a unified mobile solution with security hardware anytime soon There is the need for a leveled security approach with different security levels for different use case scenarios contact card contactless mobile built-in chip implant smart token TPM SGX software smart card emulation Remote CSP SIM Credentials Of Various Forms Effectively Functioning Equivalently (COVFEFE) microsd mobile key store 21
Trend 2: Smart Cards and Mobility Credential Orchestration System From the cryptovision labs Smartcard Reader Device Reader Driver (PCSC) Smartcard Middleware Applications TPM Smartcard Simulation Service Virtual Reader Driver (PCSC) Smartcard Middleware Applications Intel SGX Remote Server (HSM) Token Enclave Service Remote Connection Service Virtual Reader Driver (PCSC) Virtual Reader Driver (PCSC) Smartcard Middleware Smartcard Middleware Applications Applications Security Level Mobile Phone (ios, Android) Mobile Connection Service Virtual Reader Driver (PCSC) Smartcard Middleware Applications PFX File PFX File Service Virtual Reader Driver (PCSC) Smartcard Middleware Applications 22
Trend 2: Smart Cards and Mobility From the cryptovision labs Usage of existing smart card based applications No modification of existing use cases Virtual token module used to configure different tokens Virtual Token Module TPM SGX Remote Mobile Phone Hardware Token Virtual Token Virtual Token Virtual Token Virtual Token Virtual Token sc/interface Minidriver PKCS#11 Smartcard Logon E-Mail SSL/TLS VPN CMS 23
Trend 3: eidas 24
Trend 3: eidas What is eidas? EU regulation on electronic identification and trust services for electronic transactions Goals: amend the regulations on electronic signatures extend electronic identification improve interoperability of these services within the EU 25
Trend 3: eidas The eidas token specification Is a joint effort between ANSSI and BSI Provides interesting new features for eid documents: Authorization Extensions Enhanced Role Authentication Pseudonymous Signatures 26
Trend 3: eidas Authorization Extensions Allows for defining access to on-card data based on certificate extensions Even for future use cases not known at the time of issuance Example: Adding health data to an eid card Emergency Data R Insurance Plan R/W 27
Trend 3: eidas Enhanced Role Authentication Enables download of (short term) credentials in a secure online session Also supports new uses case and increases interoperability Example: downloading a missing credential Service Trust 28
Trend 3: eidas POSeIDAS cryptovision: card implementation on Java Card HJP: eidas for PersoSIM (Open Source eid card simulator) Governikus: eid Server, eid Client 29
Trend 4: Additional Biometric Modalities 30
Thank you for your attention! Adam Ross, Ben Drisch cryptovision GmbH cv cryptovision GmbH T: +49 (0) 209.167-24 50 F: +49 (0) 209.167-24 61 info(at)cryptovision.com 31