cv cryptovision GmbH | T: +49 (0) 209.167-24 50 | F: +49 (0) 209.167-24 61 | info(at)cryptovision.com
Overview of cryptovision's eID Product Offering
Presentation & Demo
Benjamin Drisch, Adam Ross
General Requirements
Government of Utopia
Utopia Electronic Identity Card Project
Requirements:
• capable of hosting multiple applications
• functionally comprehensive
• customizable
• post-issuance updates shall be possible
Customer „wish list“
Government of Utopia
Signature application (for eGov and enterprise use)
Travel document (Schengen-type)
eID with local content and access for various authorities and private enterprises
Fingerprint for holder identification (identification services also for private enterprises)
Post-issuance update capabilities
Demo Kit
cryptovision eID Demo Kit
3 personalized sample cards
Fingerprint reader
USB flash drive with pre-configured VMWare image
Contactless card reader
Card Solution Offering
ePasslet Suite
- Ready-to-use Java Card applets for various eID applications -
- Many applets can be used on one card -
- Easily customizable and extendable -
Use multiple applications from the same chip
Combine PKI and many other common eID applications onto a single card
Support for all the latest security standards and mechanisms, including BAC, EAC and SAC/PACE, enabling the right security features for the desired application.
(Diagram: card stack. The applications eID, ePKI, MoC, ICAO, Driving License, Transport and Insurance run on the cryptovision ePasslet Suite Core Library, which sits on the NXP JCOP Java Card Operating System in the area labelled ROM; keys, certificates, personal data, fingerprints and custom data are stored in the area labelled EEPROM.)
Mix and Match functionality as needed
Includes 3rd party biometric MoC and support for custom applications
The same card application suite can be reused to cover a number of different document types including eID, ePassport, or extended to support customer defined cards
(Diagram: the same card stack as on the previous slide: eID, ePKI, MoC, ICAO, Driving License, Transport and Insurance applications on the cryptovision ePasslet Suite Core Library and the NXP JCOP Java Card Operating System in ROM; keys, certificates, personal data, fingerprints and custom data in EEPROM.)
Customer „wish list“ revisited
Government of Utopia
Signature application (for eGov and enterprise use)
Travel document (Schengen-type)
eID with local content and access for various authorities and private enterprises
Fingerprint for holder identification (identification services also for private enterprises)
Post-issuance update capabilities
Card profile definition
Card Profile Specification
• Applications
• Data, Credentials
• Access rights
Introducing ePasslet Sampler
ePasslet Sampler
• Tool for generating reference cards
• Meant to be used for
• card profile validation
• test card generation
Use Cases
Government of Utopia
signature application (for eGov and enterprise use)
travel document (Schengen-type)
eID with local content and access for various authorities and private enterprises
fingerprint for card holder identification (identification service also for private enterprises)
post-issuance capabilities
All these use cases can be configured on card with ePasslet Sampler
Smart Card Middleware Environment
(Diagram: application, smart card middleware, smart card, reader.)
Smart Card Middleware Approaches
Client-based Smart Card Middleware: the middleware runs on the client
Distributed Smart Card Middleware: part of the middleware runs on a trusted server
SCalibur Environment
Distributed Middleware
(Diagram: Reader, Card, Online Service, Trusted Server.)
SCalibur Architecture
SCalibur is a layered cake:
• Topping: high-level interface for rapid development
• Filling: low-level interface with more control
• Foundation: core functions
Take the needed piece of cake and your card
(Diagram labels: SDK, Trusted Device, Online Service, Trusted Server, Applications, Development.)
Use Cases
Government of Utopia
signature application (for eGov and enterprise use)
travel document (Schengen-type)
eID with local content and access for various authorities and private enterprises
fingerprint for card holder identification (identification service also for private enterprises)
post-issuance capabilities
All these use cases are supported by SCalibur
sc/interface Environment
(Diagram: on the host, the application talks to the middleware through the crypto interface; the middleware talks to the smart card in the reader through the card interface.)
sc/interface Architecture
• Applications: Browser, E-Mail, SSO-Client, Signature
• Operating Systems: TokenD, PKCS#11, CSP, Minidriver
• Tools: Admin Tool, User Tool, Register Tool
• Secure Token Interface
• Security Token
Use Cases
Government of Utopia
signature application (for eGov and enterprise use)
travel document (Schengen-type)
eID with local content and access for various authorities and private enterprises
fingerprint for card holder identification (identification service also for private enterprises)
post-issuance capabilities
All these use cases are supported by sc/interface
eID projects require certificates
Cards and infrastructure systems need digital certificates
Certificates can be provided by CAmelot
Certificates needed for authentication, signatures, encryption
Certificates needed for authentication against the card, card content signing, encryption
X.509 and Card Verifiable Certificates
X.509 Certificate
• certificate holder: person or component
• certificate verifier: PC, server
• syntax: flexible
• typical size: 2,000 byte
• fields: Version, Serial Number, Signature, Issuer, Validity, Subject, Subject Public Key Info, Authority Key Identifier, Subject Key Identifier, Key Usage, Private Key Usage Period, Policy Mappings, Subject Alternative Name, Issuer Alternative Name
Card Verifiable Certificate
• certificate holder: inspection system or terminal
• certificate verifier: smart card chip
• syntax: simple
• typical size: 200 byte
• fields: Certification Authority, Certificate Holder, Certificate Holder Authorization, Validity Period, Key, Profile Identifier
CAmelot
Using CV certificates for access control
» EAC allows access for Inspection Systems (IS) to be defined and restricted granularly
» The access rights are defined in the CVCA, DV and IS certificates
» Effective authorization: AND over the whole certificate chain
EACv1 Certificate Holder Authorization Template (CHAT): one bit each for DG3 (fingerprints) and DG4 (iris), value 0 or 1.
For a single data group, the effective right is the AND of the three certificates' bits:
CVCA      0 0 0 0 1 1 1 1
DV        0 0 1 1 0 0 1 1
IS        0 1 0 1 0 1 0 1
Effective 0 0 0 0 0 0 0 1
(Diagram: Card Verifiable Certificate fields: Certification Authority, Certificate Holder, Holder Authorization, Validity Period, Key, Profile Identifier.)
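The two slides above describe the CV certificate as a compact TLV structure and the EAC rule that an inspection system's effective rights are the AND of the CHAT bits over the CVCA, DV and IS certificates. The following is an added example (not cryptovision code) that encodes minimal CV certificate bodies, parses the CHAT back out, checks the role order and issuer links of the chain, and computes the effective authorization. Tags and the CHAT bit layout follow BSI TR-03110 Part 3 as the author recalls them; the holder names, dates and the omission of the public key and signature fields are constructed simplifications, so real certificates must of course also be signature-verified before any of this is trusted.

```python
"""Card Verifiable (CV) certificate bodies: TLV encoding, CHAT extraction
and effective-authorization computation for an EACv1 chain (CVCA -> DV -> IS).

Added example, not cryptovision code. Tags and the CHAT bit layout follow
BSI TR-03110 Part 3 (Annex C). Holder names and dates are constructed, and
the public key (7F49) and signature (5F37) are omitted for brevity.
"""
from typing import Dict, List, Tuple

TAG_BODY, TAG_PROFILE_ID, TAG_CAR, TAG_CHR = 0x7F4E, 0x5F29, 0x42, 0x5F20
TAG_CHAT, TAG_EFFECTIVE, TAG_EXPIRATION = 0x7F4C, 0x5F25, 0x5F24
TAG_OID, TAG_DISCRETIONARY = 0x06, 0x53

# id-IS = 0.4.0.127.0.7.3.1.2.1 (DER-encoded OID contents)
OID_ID_IS = bytes.fromhex("04007f000703010201")

# CHAT discretionary byte: bits 7-6 role, bit 1 read DG4 (iris), bit 0 read DG3
ROLE_CVCA, ROLE_DV_DOMESTIC, ROLE_DV_FOREIGN, ROLE_IS = 0b11, 0b10, 0b01, 0b00
READ_DG3, READ_DG4 = 0x01, 0x02


def encode_length(n: int) -> bytes:
    """BER length: short form below 0x80, otherwise 0x8N followed by N bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    tag_bytes = tag.to_bytes(2 if tag > 0xFF else 1, "big")
    return tag_bytes + encode_length(len(value)) + value


def parse_tlv(data: bytes) -> List[Tuple[int, bytes]]:
    """Parse one level of BER-TLV into (tag, value) pairs; reject truncation."""
    out, i = [], 0
    while i < len(data):
        tag = data[i]
        i += 1
        if tag & 0x1F == 0x1F:              # two-byte tag, e.g. 0x7F4E
            tag = (tag << 8) | data[i]
            i += 1
        length = data[i]
        i += 1
        if length & 0x80:                   # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        out.append((tag, data[i:i + length]))
        i += length
    if i != len(data):
        raise ValueError("truncated TLV")
    return out


def make_cv_body(car: str, chr_: str, role: int, access: int) -> bytes:
    """Build a minimal CV certificate body (constructed dates: 2010-01-01 .. 2013-01-01)."""
    chat = tlv(TAG_OID, OID_ID_IS) + tlv(TAG_DISCRETIONARY, bytes([(role << 6) | access]))
    return tlv(TAG_BODY,
               tlv(TAG_PROFILE_ID, b"\x00")
               + tlv(TAG_CAR, car.encode("ascii"))
               + tlv(TAG_CHR, chr_.encode("ascii"))
               + tlv(TAG_CHAT, chat)
               + tlv(TAG_EFFECTIVE, bytes.fromhex("010000010001"))    # unpacked BCD YYMMDD
               + tlv(TAG_EXPIRATION, bytes.fromhex("010300010001")))


def read_chat(body: bytes) -> Dict[str, object]:
    """Extract issuer (CAR), holder (CHR), role and access bits from a body."""
    (tag, fields), = parse_tlv(body)
    if tag != TAG_BODY:
        raise ValueError("not a CV certificate body")
    d = dict(parse_tlv(fields))
    chat = dict(parse_tlv(d[TAG_CHAT]))
    if chat[TAG_OID] != OID_ID_IS:
        raise ValueError("CHAT is not an Inspection System template")
    byte = chat[TAG_DISCRETIONARY][0]
    return {"car": d[TAG_CAR].decode(), "chr": d[TAG_CHR].decode(),
            "role": byte >> 6, "access": byte & (READ_DG3 | READ_DG4)}


def effective_authorization(chain: List[bytes]) -> int:
    """Effective access = AND over CVCA -> DV -> IS, after role and link checks."""
    if len(chain) != 3:
        raise ValueError("expected CVCA, DV and IS certificates")
    chats = [read_chat(b) for b in chain]
    allowed_roles = ({ROLE_CVCA}, {ROLE_DV_DOMESTIC, ROLE_DV_FOREIGN}, {ROLE_IS})
    for c, roles in zip(chats, allowed_roles):
        if c["role"] not in roles:
            raise ValueError(f"unexpected role for {c['chr']}")
    for issuer, subject in zip(chats, chats[1:]):
        if subject["car"] != issuer["chr"]:
            raise ValueError(f"{subject['chr']} was not issued by {issuer['chr']}")
    auth = READ_DG3 | READ_DG4
    for c in chats:
        auth &= c["access"]                 # the AND from the slide's truth table
    return auth
```

The chain check matters as much as the AND: a terminal can present an IS certificate claiming DG3 and DG4, but it only gets what every certificate above it also grants, and a body whose role or issuer reference does not fit its position in the chain is rejected outright.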
CAmelot - Product Mission
CAmelot provides fully modular certificate lifecycle management
Lifecycle stages (diagram): Registration, Request, Provisioning, Publication, Document Signing, Key Generation, Certificate Generation, EoL
Use Cases
Government of Utopia
signature application (for eGov and enterprise use)
travel document (Schengen-type)
eID with local content and access for various authorities and private enterprises
fingerprint for card holder identification (identification service also for private enterprises)
post-issuance capabilities
These use cases require digital certificates
Outlook
Future Project Steps
• Post-issuance updates (process involves all parts of the system)
• Convergence (banking/payment, things we learned from Enterprise projects)
• Derived IDs based on a trusted initial document-based identity?
Summary
• Customizable: With ePasslet Suite, agencies are enabled to customize existing applications and add local content
• Multi-application: ePasslet Suite cards can host various applications in parallel, including payment
• Standard-compliant: All our solutions comply with international standards and provide proven security and interoperability
• Cross-platform: sc/interface supports over 50 PKI cards and all major clients
• Versatile: SCalibur provides all common eID mechanisms and can easily be integrated
• Java / Java Card: The open platform provides transparency and prevents vendor lock-in
End
Thank You!
Contact cv cryptovision
cv cryptovision GmbH
Munscheidstr. 14
45886 Gelsenkirchen
Germany
Tel: +49 (0) 209 / 167 - 24 50
Fax: +49 (0) 209 / 167 - 24 61
E-Mail: info(at)cryptovision.com