cv cryptovision GmbH | T: +49 (0) 209.167-24 50 | F: +49 (0) 209.167-24 61 | info(at)cryptovision.com
Enterprise IT
Certificates, Cards and Middleware
Joachim Kessel – Product Manager, Markus Tesche – Program Manager
The plot… (the xkcd "Security" comic)
A CRYPTO NERD'S IMAGINATION:
HIS LAPTOP'S ENCRYPTED. LET'S BUILD A MILLION-DOLLAR CLUSTER TO CRACK IT.
NO GOOD! IT'S 4096-BIT RSA
BLAST! OUR EVIL PLAN IS FOILED!
WHAT WOULD ACTUALLY HAPPEN:
HIS LAPTOP'S ENCRYPTED. DRUG HIM AND HIT HIM WITH THIS $5 WRENCH UNTIL HE TELLS US THE PASSWORD.
GOT IT.
Utopian Corporation (UC)
• Computer hardware and software supplier
• Fortune 400 company of Utopia
• Revenue: 50 billion dollars
• Worldwide customer base
Requirements
Security requirements of the Utopian Corporation:
• Secure building access
• Secure company assets
• Secure authentication and communication
• Login with strong authentication
• Secure remote login
• Document authenticity and privacy
• Trusted workflow
Derived requirements
• Employee self service
• Creation of a custom card profile
• Applications (applets) on card
• Fingerprints for authentication
Secure company assets
• Hard drive encryption
  • e.g. Cryptware Secure Disk
• Password-less login
Secure communication
• E-mail encryption
• E-mail signing
• SSL mutual authentication
Login with strong authentication
• Smart card login to workstation
• Smart card login to Terminal Services
• SSL client- or mutual authentication
• OTP-Token functionality
• FIDO Universal Second Factor (U2F)
• SSO (e.g. Evidian Enterprise SSO)
Document authenticity / encryption
• Document signing
• Document encryption
Trusted workflow
• Sign workflow step(s)
  • For instance, approval of the budget for an order
• Sign a document by multiple people
  • For instance, the SharePoint "Collect signatures" workflow
Secure building access
• Access authorized areas using the smart card
  • e.g. MIFARE DESFire
• Event correlation
Employee self service
• Locked smart card
  • Unlock via challenge-response (e.g. Self Service Portal)
Applications (applets) on card
• PKI applet for storing certificates and keys
• eID applet for storing employee data
Fingerprints for authentication
• Enroll fingerprints
• Verify fingerprints via Match-on-Card
• Use fingerprints as PIN replacement
Workshop to define a card profile
• Cards must fulfill all requirements
• Define applets (card applications) to use
• Define fingerprints to use
• Define card permissions / CHAT bits (r/w)
• Define eID structure
• Define number of certificates and keys on card
Card profile creation
• Choose a smart card to use
• Define objects (PIN(s), PUK(s), SO-PIN)
• Define structure (PKCS#15 preferred)
• Define applications
  • Basic application: ePKI applet
  • Advanced applications: ePasslet Suite
Sampler usage
• Create new company card profile
  • PKCS#15 or proprietary profile to store data
• Install applets
• Create APDU trace for pre-personalization
Certificates by CAmelot
Cards and infrastructure systems need digital certificates. Certificates can be provided by CAmelot.
Certificates needed for:
• Authentication
• Signatures
• Encryption
Certificates needed for authentication against:
• Card
• Card content signing
CAmelot – Product Mission
CAmelot provides fully modular certificate lifecycle management:
• Registration
• Request
• Provisioning
• Publication
• Document Signing
• Key Generation
• Certificate Generation
• EoL (end of life)
ePasslet Sampler
• Tool for generating reference cards
• Used for
  • Card profile validation
  • Test card generation
sc/interface Environment
Layer diagram (top to bottom): host application → crypto interface → sc/interface (middleware) → card interface → smart card reader.
Usage of sc/interface as smart card middleware
• PKCS#15 card access using PIN and SO-PIN
• Smart card login - local and remote (VDI)
• Challenge-response self service
• Fingerprint access / storage
• Authentication
• Signing and encryption
Usage of sc/interface as smart card middleware (continued)
• VPN support (e.g. OpenVPN)
• HDD encryption (e.g. Cryptware Secure Disk)
• Investment protection
• Support for 3rd party card profiles
• 60+ cards supported
• 60+ readers supported
• Available for all platforms (Windows, Linux, OS X)
Usage of SCalibur as eID middleware SDK
• Enrollment of fingerprints and eID data
• Use the SDK to connect multiple applications
  » e.g. Self-Service-Portal
  » Name change
  » Address change
  » Department change
Usage of s/mail for end-to-end eMail encryption
• End-to-End encryption
• E-mail signing
• VS-NfD approval in collaboration with BSI
• Outlook and Notes plugin
• Curves other than the NIST curves may be used (e.g. Brainpool)
• Message recovery
Outlook – Roadmap CAmelot 3.0
● CAmelot 3.0 (end of July 2015)
  ● Support for additional HSMs: Bull, Thales, SafeNet
  ● Support for additional databases: MySQL, MS SQL, H2
  ● Improved monitoring functionality via web interface and Nagios
  ● Improved remote management functionality
  ● RSA-PSS support
Outlook – Roadmap sc/interface 6.4
● sc/interface 6.4 (end of July 2015)
  ● ePasslet 2.1 support
  ● Minidriver ECC, ECDH
    » Smart card login using ECC
    » Encryption and signing using ECC
  ● Enhanced certificate handling using plugin interface
  ● Basic credential provider
  ● Class 2 / 3 reader support for Outlook
  ● TCOS Signature Card v1 and v2 integration
  ● PC/SC cache
Outlook – Roadmap sc/interface 6.5
● sc/interface 6.5 (end of 2015)
  ● Read-only Minidriver with biometric support
  ● Biometric credential provider
    » Bio-logon in Windows
  ● CAN protection of cards
  ● Filesystem cache for Linux
  ● Documentation refactoring
  ● STARCOS 3.5 support
  ● Windows 10 support
Outlook – Roadmap sc/interface 6.6
● sc/interface 6.6 (~mid 2016)
  ● CardOS 5.0 & 5.3 support
  ● Sm@rt Café Expert 7 support
  ● OS X 10.11 support
Outlook – Roadmap SCalibur 1.1 & 1.2
● SCalibur 1.1 (release at Mindshare)
  ● Integration of MRZ scanner functionality
  ● Basic ICAO support
  ● OS X 10.10 support
● SCalibur 1.2 (Q3 2015)
  ● Generic ICAO profile support
  ● Integration of the ICAO test suite by HJP
Outlook – Roadmap SCalibur 2.0
● SCalibur 2.0 (Q3 2015)
  ● ePKI without PKCS#15
  ● TR-03129 – CAmelot connectivity
    » e.g. request or renew CA keys
  ● ICAO with and without SAC
  ● Web terminal
    » Distributed application with web frontend
  ● Generic Advanced eID Card (GAeIDCard)
    » Support for EACv2 & RI & age verification
  ● Neurotechnology biometric fingerprint SDK support
Outlook – Roadmap ePasslet v3.x
● ePasslet v3.x
  ● Encrypted key import
  ● Modularization (for smaller ROM chips and Flash platforms)
  ● Enhanced flexibility of authentication protocols
● ePasslet v3.x ff.
  ● Adding full eIDAS functionality according to the updated TR-03110
Outlook – Roadmap s/mail 4.0.0
● s/mail 4.0.0, released on 2015-06-18
  ● Full approval for VS-NfD
  ● PKCS#1 v2.2 RSA padding scheme support as required by BSI
  ● Token-based random number generation (RNG)
End
Thank You!
Contact cv cryptovision
cv cryptovision GmbH, Munscheidstr. 14, 45886 Gelsenkirchen, Germany
Tel: +49 (0) 2 09 / 1 67 - 24 50
Fax: +49 (0) 2 09 / 1 67 - 24 61
E-Mail: info(at)cryptovision.com