White Paper Implementing mobile electronic identity

Similar documents
Can eid card make life easier and more secure? Michal Ševčík Industry Solution Consultant Hewlett-Packard, Slovakia ITAPA, November 9 th, 2010

Legal Regulations and Vulnerability Analysis

Electronic signature framework

1. Publishable Summary

Overview of PBI-blockchain cooperation technology

cryptovision s Government Solutions Adam Ross, Ben Drisch cryptovision GmbH

The German IT Security Certification Scheme. Joachim Weber

SAT for eid [EIRA extension]

Authentication Technology for a Smart eid Infrastructure.

NFC embedded microsd smart Card - Mobile ticketing opportunities in Transit

eidas Regulation eid and assurance levels Outcome of eias study

Electronic and digital signatures in Adobe Sign for government.

SUCCESS STORY INFORMATION SECURITY

Trusted National Identity Schemes. Coralie MESNARD

eidas Regulation (EU) 910/2014 eidas implementation State of Play

Non Person Identities After all, who cares about me? Gilles Lisimaque & Dave Auman Identification technology Partners, Inc.

GDPR: A QUICK OVERVIEW

Security Policies and Procedures Principles and Practices

White Paper. Blockchain alternatives: The case for CRAQ

Mobile Security / Mobile Payments

Comparison of Electronic Signature between Europe and Japan: Possibiltiy of Mutual Recognition

Sparta Systems TrackWise Digital Solution

white paper SMS Authentication: 10 Things to Know Before You Buy

Meeting FFIEC Meeting Regulations for Online and Mobile Banking

The Role of the Data Protection Officer

Sparta Systems Stratas Solution

Cross border eservices STORK 2.0

Effective Strategies for Managing Cybersecurity Risks

Mobile Devices as Identity Carriers. Pre Conference Workshop October 14 th 2013

White Paper. View cyber and mission-critical data in one dashboard

VdTÜV Statement on the Communication from the EU Commission A Digital Single Market Strategy for Europe

International Legal Regulation of Cybersecurity U.S.-German Standards Panel 2018

GSM Association (GSMA) Mobile Ticketing Initiative

Deliverable D3.5 Harmonised e-authentication architecture in collaboration with STORK platform (M40) ATTPS. Achieving The Trust Paradigm Shift

New cybersecurity landscape in the EU Sławek Górniak 9. CA-Day, Berlin, 28th November 2017

Scalable Security solutions to enable Cyber Security and to manage Digital Identities

hidglobal.com HID ActivOne USER FRIENDLY STRONG AUTHENTICATION

PSD2 Compliance - Q&A

FIDO AS REGTECH ADDRESSING GOVERNMENT REQUIREMENTS. Jeremy Grant. Managing Director, Technology Business Strategy Venable LLP

UAE National Space Policy Agenda Item 11; LSC April By: Space Policy and Regulations Directory

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

Privacy Policy. Overview:

simply secure IncaMail Information security Version: V01.10 Date: 16. March 2018 Post CH Ltd 1 / 12

Pro s and con s Why pins # s, passwords, smart cards and tokens fail

Sparta Systems TrackWise Solution

How the European Commission is supporting innovation in mobile health technologies Nordic Mobile Healthcare Technology Congress 2015

Spanish Information Technology Security Evaluation and Certification Scheme

Identity & security CLOUDCARD+ When security meets convenience

European Union Agency for Network and Information Security

FIDO Alliance: Standards-based Solutions for Simpler, Strong Authentication

CC withinthe Context of the EU Privacy Seal - EuroPriSe

egov & PKI By: Alaa Eldin Mahmoud Aly YOUR LOGO

ENISA & Cybersecurity. Dr. Udo Helmbrecht Executive Director, European Network & Information Security Agency (ENISA) 25 October 2010

D12.4. Project Logo, LIGHTest Website and Infrastructure for LIGHTest WIKI. Document Identification. Draft. Don Thibeau (OIX), Charles Sederholm (GS)

ISO/IEC INTERNATIONAL STANDARD

TeamViewer Security Statement

Identity Management: Setting Context

PSD2 webinar session - Q&A

Cybersecurity. Quality. security LED-Modul. basis. Comments by the electrical industry on the EU Cybersecurity Act. manufacturer s declaration

GDPR Workflow White Paper

The NIS Directive and Cybersecurity in

GDPR Update and ENISA guidelines

ETSI TR V1.1.1 ( )

Identity Ecosystem Design challenges. Wim Coulier eidas Expert Belgian Mobile ID

Lao PDR Practice for Information Security

Dissecting NIST Digital Identity Guidelines

Security analysis of OpenID, followed by a reference implementation of an npabased OpenID provider

Singapore s National Digital Identity (NDI):

Creating Trust in a Highly Mobile World

LAW OF THE REPUBLIC OF KAZAKSTAN «ON CERTIFICATION»

EU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?

Introduction to Device Trust Architecture

New Paradigms of Digital Identity:

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

NIS Standardisation ENISA view

European Commission s proposal for a Regulation on Electronic identification and trust services for electronic transactions in the EU internal market

Package of initiatives on Cybersecurity

Securing Digital Applications

FOR QTSPs BASED ON STANDARDS

Discussion on MS contribution to the WP2018

White Paper. The Impact of Payment Services Directive II (PSD2) on Authentication & Security

BML MobilePay FAQ. Page 1

eidas Interoperability Architecture Version November 2015

etouches, Inc. Privacy Policy

Cyber Security and Cyber Fraud

Adobe Sign and 21 CFR Part 11

SWAMID Person-Proofed Multi-Factor Profile

D5.5. Open Source Client Library and Server Tools for Delegations. Document Identification. Final UBISECURE, OIX

Cybersecurity in the EU Steve Purser Head of Operational Departments, ENISA Regional Cybersecurity Forum Sofia, Bulgaria 29 th November 2016 European

Electronic registered delivery services (ERDS) in light of the eidas regulation. Warsaw Common Sign Conference 2015

Technical Guideline TR eid-server. Part 2: Security Framework for eid-server operations

The Role of ENISA in the Implementation of the NIS Directive Anna Sarri Officer in NIS CIP Workshop Vienna 19 th September 2017

Cybersecurity & Digital Privacy in the Energy sector

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

PKI Credentialing Handbook

TRACKVIA SECURITY OVERVIEW

Identity and Authentication PKI Portfolio

IoT and Privacy by Design

Software Version 3.3 Version 1.0 October Xerox Print Portal. Information Assurance Disclosure

Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679

Transcription:

Implementing mobile electronic identity A DXC Enterprise approach based on hardware token microsd card

Table of contents Secure Element form factors in mobile devices 2 Other alternatives for implementing MeID 3 MicroSD card a natural enabler 5 Technical composition of mobile devices Mobile electronic identity, or MeID, is a complementary concept combining the advantages of electronic ID (eid) and mobile devices. It represents the integration of existing eid functionality into a mobile device for example, a smartphone or tablet. And it uses standardized components such as secure element and near-field communication. Secure Element form factors in mobile devices According to the European Union Agency for Network and Information Security (ENISA), mobile devices need a secure element () to achieve a high level of end-toend security. is a tamper-resistant platform capable of keeping data confidential and supporting cryptographic functions. It is an obvious choice for realizing identification and authentication solutions for mobile devices. Currently, the technological composition of mobile devices can work with the form factors shown in Figure 1. 1 2 3 UICC ( card) Embedded MicroSD card Figure 1. Secure element form factors Here are descriptions of each form factor: as universal integrated circuit card (UICC) Some European Union (EU) member countries, such as Estonia and Finland, have introduced MeID using this concept. Disadvantages of this approach include a complicated implementation and higher costs because distributing special cards requires collaboration between issuing authorities and various mobile network operators. Additionally, 2

Key principles for MeID realization include: Identical functionality as implemented in national identification scheme A high level of security and reliability for MeID that is equal to eid Already existing infrastructure and logistical processes used for MeID lifecycle management Availability on a broad spectrum of mobile platforms such as Android, ios, and Windows some mobile devices lack a slot, such as tablets and ultrabooks, yet are still highly portable and often connected via Wi-Fi. Moreover, GSMA released a remote-provisioning specification, which introduces embedded (e) implanted directly into the mobile device. This specification may result in a gradual but complete substitution of removable cards in the next few years. The technological director of T-Mobile Slovakia said that the first models of mobile devices with e should appear on the market in 2016 and massive penetration is expected in 2017 and 2018. Taking into account previous findings, we are convinced that the removable card model is considered obsolete. embedded in the mobile device Embedded probably will replace removable cards in the near future. MicroSD card as This is an open concept supported by renowned mobile device manufacturers. Based on DXC Technology (DXC) analysis, a microsd slot is present in 85 percent of smartphones and 80.8 percent of tablets available on the Slovak market as of 25 April 2016. Except for Apple, all major producers now include a slot for microsd cards into their product designs; they consider it a relevant and stable part of their development plans. DXC proposes pursuing the third option microsd card for implementing MeID. In this case, the owner of the microsd card decides which applications can be activated or added. From the product point of view, we highly recommend innovative microsd card designed by the SMK-Logomotion Corporation. Refer to the appendix of this document for more details. Compliance with BSI and ANSSI eidas token specification (TR 03110) and adherence to EU Regulation 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eidas) are cornerstones of the presented option. Saved key pairs can be used in these scenarios: Electronic identification and authentication of users accessing electronic service provider services The user signs the authentication and identification token by a remotely available private key to which there is a corresponding certificate. Creation of a qualified electronic signature The user signs an electronic document by a remotely available private key to which there is a corresponding qualified certificate. Other alternatives for implementing MeID Software token The software token solution keeps private key and certificates in the operation system while the storage space is usually a file or storage provided by the system itself. Such storage is typically protected by encryption. To work with the saved keys, the user must enter the password as part of system login or when accessing a file with the keys. The advantage of the solution is its low price, as you don t need to purchase security hardware for storing key pairs and associated certificates. An additional benefit is easy integration into the application, avoiding any installation and integration by using drivers supplied by the device manufacturer. But from a security perspective, software storage typically has a low or intermediary security level. Software storage can be remotely stolen, such as through malware, and then the key value retrieved by applying a brute-force attack. 3

Appendix SMK-Logomotion Corporation (SLC) was established on May 7, 2015 as a joint venture of Slovak company Logomotion and Japanese company SMK Corporation. The SLC head office is located in Tokyo, with a branch office in Bratislava, Slovakia. It specializes in developing innovative NFC (Near Field Communication) products and aims to maximize the potential of patented technology to support secure NFC payments and Internet of Things applications. The microsd architecture distinguishes itself by specific elements and patented technologies (see Figure 2): Two separate and independent secure elements High-performance miniature near-field communication antenna that communicates even through the microsd slot s metallic casing ISO7816 contacts on the card surface In addition to the properties mentioned, this microsd card is certified as a Mobile MasterCard PayPass product and also provides conventional data storage. ISO 7816 contacts Flash memory 16 GB eid Contactless payments NFC antenna Figure 2. MicroSD architecture This security level is considerably lower than the one offered by certified hardware tokens, which use state-of-the-art techniques for key protection. These include resistance to simple/differential power analysis, active shield, bus scrambling, and memory encryption. Therefore, in terms of assurance-level classification corresponding with eidas regulation, the security level of the eid scheme, based on software storage, is rated low or substantial at the most. Comparatively, the hardware token assurance level is assessed as high. Server Signing Another conceivable solution for eid and user authentication is the Server Signing solution, where key pairs and associated certificates are stored in a hardware security module (HSM) of a trusted service provider. Server Signing Secure Signature Creation Service (SSCS) originates from CEN/TS 419241:2014 Security Requirements for Trustworthy Systems Supporting Server Signing. Access to keys stored in an HSM is granted exclusively to its user an owner of the key pair and certificate. This access right is based on authentication by means of identificator, password, and additional authentication. This involves using a one-time password obtained via short message service on a registered phone number. The availability of electronic identification and authentication that extends to mobile platforms is seen as advantageous in this case. That s because for the application, it is not necessary to install and integrate any peripheral security device you only need an application for a specific mobile platform. On the other side, this solution s weakness lies in the security of the authentication process at the moment a user remotely accesses stored keys. Most of all, considering all well-known attacks, OTP (one time password) cannot be graded today as the high assurance level defined in eidas. In line with statements made by the German Bureau of Information Safety (BSI, or Bundesamtes für Sicherheit in der Informationstechnik), OTP mechanisms should not be used in solutions where a high assurance level is required. This is because of the recent discovery of new types of malicious software focused on capturing OTP and delivering it to an intruder. Despite the fact that online banking is the primary target, it shows that such an attack on the Server Signing concept also could be effective. BSI advises that a plausible alternative for securing Server Signing is employing hardware tokens such as a USB token or MeID microsd card instead of the OTP. Moreover, applying an electronic signature for identification and authentication conflicts with eidas legislation, as the European Commission pronounced that: Since 1st of July 2016, when the trust services provisions under the eidas regulation entered into application, an esignature can only be used by a natural person to sign, that is, mainly to express consent on the data the esignature is put. This represents a significant difference from the esignature Directive where the esignature, which could also be used by legal persons, was defined as a means for authentication. 4

MicroSD card a natural enabler Innovative solutions based on the microsd card introduce a capacity to securely retain multiple documents on a single carrier in digitized form and generate development impulse for establishing mobile government in the Slovak republic. Currently, various countries including the U.S., UK, and Australia are considering digitizing driving licenses. And it appears that doing the same with other types of official documents or government-issued licenses will be next. Other countries probably will follow this trend. So adding a mobile electronic driving license as the next application to our microsd card solution seems to be reasonable, with a high potential for success. The goal is to integrate various documents in adherence to legislative conditions. In the end, a citizen would possess a mobile device containing a microsd card capable of accumulating all relevant documents in digitized form. It would be significantly beneficial for citizens to have key electronic documents readily available in their mobile device and the ability to display them to authorities on request. Additionally, authorities could conduct a real-time inspection of electronic documents by means of a mobile device in proximity mode. For citizens, MeID provides the required convenience, flexibility, and mobility on all major platforms Android, ios, and Windows. For governments, this technology boosts use of e-government services. And for businesses, it delivers higher security at a lower cost. Should the Slovakian government start to pioneer MeID solutions, it will realize an additional benefit: This technology is proving to be a natural enabler for public-private sector cooperation and collaboration, benefiting banking, e-commerce, e-health, transportation, tourism, and many other areas of operation. About DXC DXC Technology (NY: DXC) is the world s leading independent, end-to-end IT services company, helping clients harness the power of innovation to thrive on change. Created by the merger of CSC and the Enterprise Services business of Hewlett Packard Enterprise, DXC Technology serves nearly 6,000 private and public sector clients across 70 countries. The company s technology independence, global talent and extensive partner network combine to deliver powerful next-generation IT services and solutions. DXC Technology is recognized among the best corporate citizens globally. For more information, visit www.dxc.technology. www.dxc.technology 2017 DXC Technology Company. All rights reserved. DXC_4AA6-8167ENW. October 2016

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback