1

cv cryptovision GmbH | T: +49 (0) 209.167-24 50 | F: +49 (0) 209.167-24 61 | info(at)cryptovision.com

Overview of cryptovision's eID Product Offering

Presentation & Demo

Benjamin Drisch, Adam Ross

2

General Requirements

Government of Utopia


Utopia Electronic Identity Card Project

Requirements:

• capable of multiple applications

• functionally comprehensive

• customizable

• post-issuance updates shall be possible

3

Customer "wish list"

Government of Utopia

• Signature application (for eGov and enterprise use)

• Travel document (Schengen-type)

• eID with local content and access for various authorities and private enterprises

• Fingerprint for holder identification (identification services also for private enterprises)

• Post-issuance update capabilities

4

Demo Kit

cryptovision eID Demo Kit

• 3 personalized sample cards

• Fingerprint reader

• USB flash drive with pre-configured VMware image

• Contactless card reader

5

ePasslet Suite

6

Card Solution Offering

ePasslet Suite

• Ready-to-use Java Card applets for various eID applications

• Many applets can be used on one card

• Easily customizable and extendable

7

Use multiple applications from the same chip

Combine PKI and many other common eID applications onto a single card

Supports all the latest security standards and mechanisms, including BAC, EAC and SAC/PACE, and enables the right security features for the desired application.

[Figure: card architecture diagram: NXP JCOP Java Card Operating System; cryptovision ePasslet Suite Core Library; applets eID, ePKI, MoC, ICAO, Driving License, Transport, Insurance; EEPROM holding keys, certificates, personal data, fingerprints and custom data]

8

Mix and match functionality as needed

Includes 3rd-party biometric MoC and support for custom applications

The same card application suite can be reused to cover a number of different document types, including eID and ePassport, or extended to support customer-defined cards

[Figure: same card architecture diagram as on slide 7: NXP JCOP Java Card Operating System; cryptovision ePasslet Suite Core Library; applets eID, ePKI, MoC, ICAO, Driving License, Transport, Insurance; EEPROM holding keys, certificates, personal data, fingerprints and custom data]

9

Customer "wish list" revisited

Government of Utopia

• Signature application (for eGov and enterprise use)

• Travel document (Schengen-type)

• eID with local content and access for various authorities and private enterprises

• Fingerprint for holder identification (identification services also for private enterprises)

• Post-issuance update capabilities

10

Card profile definition

Card Profile Specification:

• Applications

• Data, Credentials

• Access rights

11

12

Introducing ePasslet Sampler

ePasslet Sampler

• Tool for generating reference cards

• Meant to be used for

  • card profile validation

  • test card generation

13

ePasslet Sampler

14

Use Cases

Government of Utopia

• signature application (for eGov and enterprise use)

• travel document (Schengen-type)

• eID with local content and access for various authorities and private enterprises

• fingerprint for card holder identification (identification service also for private enterprises)

• post-issuance capabilities

All these use cases can be configured on card with ePasslet Sampler

15

16

Smart Card Middleware Environment

[Figure: application <-> smart card middleware <-> smart card reader]

17

Smart Card Middleware Approaches

Client-based Smart Card Middleware: the middleware runs on the client

Distributed Smart Card Middleware: part of the middleware runs on a trusted server

18

19

SCalibur Environment

[Figure: distributed middleware with reader, card, online service and trusted server]

20

SCalibur Architecture

SCalibur is a layered cake:

• Topping: high-level interface for rapid development

• Filling: low-level interface with more control

• Foundation: core functions

Take the needed piece of cake and your card.

[Figure: SCalibur components: TrustedDevice, SDK, Online Service, Trusted Server, Applications, Development]

21

Use Cases

Government of Utopia

• signature application (for eGov and enterprise use)

• travel document (Schengen-type)

• eID with local content and access for various authorities and private enterprises

• fingerprint for card holder identification (identification service also for private enterprises)

• post-issuance capabilities

All these use cases are supported by SCalibur

22

23

sc/interface Environment

[Figure: host running application and middleware; crypto interface between application and middleware, card interface between middleware and smart card reader]

24

sc/interface

sc/interface Architecture

• Applications: Browser, E-Mail, SSO-Client, Signature

• Operating Systems: TokenD, PKCS#11, CSP, Minidriver

• Tools: Admin Tool, User Tool, Register Tool

• Secure Token Interface

• Security Token

25

Use Cases

Government of Utopia

• signature application (for eGov and enterprise use)

• travel document (Schengen-type)

• eID with local content and access for various authorities and private enterprises

• fingerprint for card holder identification (identification service also for private enterprises)

• post-issuance capabilities

All these use cases are supported by sc/interface

26

27

eID projects require certificates

Cards and infrastructure systems need digital certificates

Certificates can be provided by CAmelot

• Certificates needed for authentication, signatures, encryption

• Certificates needed for authentication against the card, card content signing, encryption

28

X.509 and Card Verifiable Certificates

                       X.509 Certificate              Card Verifiable Certificate
certificate holder     person or component            inspection system or terminal
certificate verifier   PC, server                     smart card chip
syntax                 flexible                       simple
typical size           2,000 byte                     200 byte

X.509 Certificate fields: Version, Serial Number, Signature, Issuer, Validity, Subject, Subject Public Key Info, Authority Key Identifier, Subject Key Identifier, Key Usage, Private Key Usage Period, Policy Mappings, Subject Alternative Name, Issuer Alternative Name

Card Verifiable Certificate fields: Certification Authority, Certificate Holder, Certificate Holder Authorization, Validity Period, Key, Profile Identifier

29

CAmelot

Using CV certificates for access control

» EAC allows access for Inspection Systems (IS) to be defined and restricted granularly

» The access rights are defined in the CVCA, DV and IS certificates

Certificate Holder Authorization Template (CHAT), EACv1: one bit each for DG3 (0/1) and DG4 (0/1)

Effective Authorization: AND over the whole certificate chain

        CVCA   0 0 0 0 1 1 1 1
        DV     0 0 1 1 0 0 1 1
        IS     0 1 0 1 0 1 0 1

[Figure: Card Verifiable Certificate fields: Certification Authority, Certificate Holder, Holder Authorization, Validity Period, Key, Profile Identifier]
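The following is an added worked example (not cryptovision's or CAmelot's code) of the two points the CV certificate slides make: a certificate carries the fields listed on slide 28, and under EAC the effective access rights of an inspection system are the AND over the whole CVCA -> DV -> IS chain. The dataclass layout, the two-bit CHAT encoding for DG3 and DG4, and the "Government of Utopia" sample chain are constructed for the example; real CV certificates are TLV-encoded and signed, and signature verification is deliberately left out here.

```python
"""Effective EAC authorization as the AND over a CVCA -> DV -> IS chain.

Added example, not vendor code.  Field names follow the slide's CVC field list;
the CHAT bit layout and all identifiers below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from itertools import product

# Constructed CHAT bit assignment: the slide only lists DG3 and DG4 as 0/1 flags.
DG3 = 0b10  # read access to fingerprints (DG3)
DG4 = 0b01  # read access to iris (DG4)


@dataclass(frozen=True)
class CVCertificate:
    """The fields named on the slide; the key is an opaque blob in this example."""
    certification_authority: str  # CAR: reference to the issuing authority
    certificate_holder: str       # CHR: reference to the holder of this certificate
    holder_authorization: int     # CHAT bits (DG3 | DG4 here)
    valid_from: date
    valid_until: date
    key: bytes
    profile_identifier: int = 0


def effective_authorization(chain, today):
    """Return the effective CHAT bits: AND over every certificate in the chain.

    Also checks that the root is self-issued (CAR == CHR), that each certificate
    names its predecessor as issuer, and that all certificates are within their
    validity period on `today`.  Signature verification is out of scope here.
    """
    if not chain:
        raise ValueError("empty chain")
    root = chain[0]
    if root.certification_authority != root.certificate_holder:
        raise ValueError("root certificate must be self-issued (CAR == CHR)")
    effective = root.holder_authorization
    for issuer, cert in zip(chain, chain[1:]):
        if cert.certification_authority != issuer.certificate_holder:
            raise ValueError(f"{cert.certificate_holder}: CAR does not match issuer CHR")
        effective &= cert.holder_authorization  # rights can only shrink down the chain
    for cert in chain:
        if not (cert.valid_from <= today <= cert.valid_until):
            raise ValueError(f"{cert.certificate_holder}: outside validity period")
    return effective


def chain_is_valid(chain, today):
    """True if the chain links up and every certificate is currently valid."""
    try:
        effective_authorization(chain, today)
        return True
    except ValueError:
        return False


def rights(chat):
    """Decode CHAT bits into the two data-group flags used on the slide."""
    return {"DG3": bool(chat & DG3), "DG4": bool(chat & DG4)}


def authorization_table():
    """Reproduce the slide's truth table for one access bit.

    Columns are all (CVCA, DV, IS) combinations in the slide's order; the added
    "Effective" row is 1 only where every level of the chain grants access.
    """
    cols = list(product((0, 1), repeat=3))
    return {
        "CVCA": [c[0] for c in cols],
        "DV": [c[1] for c in cols],
        "IS": [c[2] for c in cols],
        "Effective": [c[0] & c[1] & c[2] for c in cols],
    }


# Constructed sample chain for the fictitious Government of Utopia.
TODAY = date(2024, 6, 1)
AFTER_IS_EXPIRY = date(2024, 7, 1)
CVCA = CVCertificate("UTCVCA00001", "UTCVCA00001", DG3 | DG4,
                     date(2024, 1, 1), date(2027, 1, 1), b"cvca-key")
DV = CVCertificate("UTCVCA00001", "UTDV0000001", DG3 | DG4,
                   date(2024, 5, 1), date(2024, 8, 1), b"dv-key")
IS_FINGERPRINT = CVCertificate("UTDV0000001", "UTIS0000001", DG3,
                               date(2024, 5, 20), date(2024, 6, 20), b"is-key")
# A DV that was only granted iris access cannot pass fingerprint rights on,
# even if the IS certificate it issued claims both data groups.
DV_IRIS_ONLY = CVCertificate("UTCVCA00001", "UTDV0000002", DG4,
                             date(2024, 5, 1), date(2024, 8, 1), b"dv2-key")
IS_BOTH = CVCertificate("UTDV0000002", "UTIS0000002", DG3 | DG4,
                        date(2024, 5, 20), date(2024, 6, 20), b"is2-key")

if __name__ == "__main__":
    print(rights(effective_authorization([CVCA, DV, IS_FINGERPRINT], TODAY)))
    print(rights(effective_authorization([CVCA, DV_IRIS_ONLY, IS_BOTH], TODAY)))
    print(authorization_table()["Effective"])
```

The second sample chain is the case the AND rule exists for: an IS certificate claiming more than its DV was granted still ends up with only the DV's rights, and a break in the chain (wrong CAR) or an expired certificate yields no rights at all rather than a partial result.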

30

CAmelot - Product Mission

CAmelot provides fully modular certificate lifecycle management

[Figure: lifecycle stages: Registration, Request, Provisioning, Publication, Document Signing, Key Generation, Certificate Generation, EoL]

31

Use Cases

Government of Utopia

• signature application (for eGov and enterprise use)

• travel document (Schengen-type)

• eID with local content and access for various authorities and private enterprises

• fingerprint for card holder identification (identification service also for private enterprises)

• post-issuance capabilities

These use cases require digital certificates

32

33

Solution Partners

34

35

Outlook

Future Project Steps

• Post-issuance updates (process involves all parts of the system)

• Convergence (banking/payment, things we learned from Enterprise projects)

• Derived IDs based on a trusted initial document-based identity?

36

Summary

• Customizable: With ePasslet Suite, agencies will be enabled to customize existing applications and add local content

• Multi-application: ePasslet Suite cards can host various applications in parallel, including payment

• Standard-compliant: All our solutions comply with international standards and provide proven security and interoperability

• Cross-platform: sc/interface supports over 50 PKI cards and all major clients

• Versatile: SCalibur provides all common eID mechanisms and can easily be integrated

• Java / Java Card: Open platform provides transparency and prevents vendor lock-in situations

37

End

Thank You!

Contact cv cryptovision

cv cryptovision GmbH
Munscheidstr. 14
45886 Gelsenkirchen
Germany

Tel: +49 (0) 2 09 / 1 67 - 24 50
Fax: +49 (0) 2 09 / 1 67 - 24 61
E-Mail: info(at)cryptovision.com