Microsec implements eIDAS compliant trusted mobile ID with nCipher Security HSMs

Headquartered in Budapest, Hungary, Microsec is the largest Hungarian certificate authority and a Trust Service Provider (TSP) for electronic signatures and eIDAS-certified solutions. Founded in 1984, Microsec delivers a wide array of next-generation public key infrastructure (PKI) solutions and services that include e-Passport, e-ID card security technology, transaction authorization, and mobile PKI.

A highly popular solution is Microsec PassBy[ME] Mobile ID, a PKI-based mobile ID system providing future-proof user authentication, transaction signing and mobile electronic signatures – creating a seamless end-to-end digital process for users. The solution is designed to equip smartphone users with a secure mobile identity which can be used for online banking access, ATM cash withdrawals, e-government services such as e-health or tax services, or by cloud service providers for secure remote access. The patented PassBy[ME] Mobile ID leverages eIDAS-compliant certificates to deliver future-proof strong customer authentication; legal traceability and non-repudiation; and trusted messaging with signed receipts of messages as proof of delivery.

Electronic Identification and Trust Services (eIDAS) is a European regulation designed to create consistency and standards across the European Union (EU) for electronic identities and trust services supporting authentication and signatures. eIDAS ensures that electronic transactions are secure, no matter where they take place.

BUSINESS CHALLENGE

A fundamental design goal of Microsec PassBy[ME] Mobile ID was to establish the very same guarantees that exist in the physical world – such as in a bank branch office – replicated in an online model to facilitate legally-binding transaction authorization and signatures from any type of mobile device.

Dr. Sándor Szőke, Microsec’s deputy director of eIDAS Trust Services, explained the major use cases for PassBy[ME] Mobile ID, “For the financial sector our solution facilitates online banking and ecommerce, ATM transactions and point of sale usage. For government entities, it can deliver services for e-health, tax, and a range of amenities for citizens. Government departments can also use the solution to securely access information and sensitive data. It also provides remote access services for cloud environments.”

TECHNICAL CHALLENGE

The primary technology-related requirement for PassBy[ME] Mobile ID was the use of PKI with corresponding keys and eIDAS-compliant certificates. “With the critical nature of the transactions we support, we need to implement state-of-the-art technology with the highest security solution components available to protect the private signing keys used in the system. These requirements can only be fulfilled by leveraging certified hardware security modules,” Dr. Szőke described.

SOLUTION

Microsec has over a decade of experience utilizing hardware security modules (HSMs) from nCipher, finding that the devices deliver a hardened environment for secure cryptographic processing, key protection, and key management, while enabling optimal operational efficiency.

Dr. Szőke reported, “We selected nCipher nShield Solo HSMs to be integrated into Microsec PassBy[ME] Mobile ID to provide comprehensive protection of the PKI private keys. The integration enables customers and service providers to meet EU cross-border standards; generate and manage sensitive cryptographic keys in a certified, tamper-resistant hardware environment; and deliver a source of trust for all derived digital services.”

Specifically, nCipher nShield Solo is used to secure keys within a carefully designed cryptographic boundary that leverages a robust access control mechanism, ensuring that keys are only utilized for their authorized purpose. The nCipher HSM certifies key availability by using sophisticated management, storage, and redundancy features to guarantee they are always accessible when needed. Key information such as service logs and receipts of messages – as proof of delivery – is stored within the nCipher HSM.

nCipher nShield HSMs are certified to Common Criteria Evaluation Assurance Level (EAL) 4+ and, by way of this certification, are recognized as Secure Signature Creation Devices (SSCDs), which earns them eIDAS compliance (Article 51, Transitional Measures). They are also certified to FIPS 140-2 Level 3, the most widely adopted security benchmark for cryptographic solutions in government and commercial enterprises. In addition, nShield HSMs support interfacing options with applications using industry-standard APIs such as PKCS#11, OpenSSL, JCE, CAPI and CNG.

RESULTS

“While the current concept specifically targets the European marketplace we believe it is applicable outside of the European Union because of its inherent security features and compliance with global standards,” noted Dr. Szőke.

BEST OF THE BEST

“Cryptographic private keys handled outside the protected boundary of a certified HSM are significantly more vulnerable to attacks, consequently our selection of nCipher nShield Solo gives us peace of mind that we have a best-in-class hardware solution embedded within PassBy[ME] Mobile ID,” summarized Dr. Szőke.

EMBEDDING A BEST-IN-CLASS HSM

Business need

  • Facilitate legally-binding online transaction authorization and signatures
  • Replicate physical guarantee process inside a protected digital environment

Technology need

  • Protect private signing keys used within PassBy[ME] Mobile ID solution
  • Identify method to deliver hardened cryptographic processing
  • Ensure compliance with rigorous industry and governmental standards

Solution

  • nCipher nShield Solo HSM for the management of sensitive cryptographic keys in a certified, tamper-resistant hardware environment

Result

  • Delivering a source of trust across a broad range of mobile digital services
  • Able to bring secure eIDAS-compliant mobile ID solution to market
  • Compliance with FIPS and Common Criteria standards
  • Full compatibility with industry-standard APIs

ABOUT NCIPHER SECURITY

nCipher Security, an Entrust Datacard company, is a leader in the general-purpose hardware security module (HSM) market, empowering world-leading organizations by delivering trust, integrity and control to their business critical information and applications.

Today’s fast-moving digital environment enhances customer satisfaction, gives competitive advantage and improves operational efficiency – it also multiplies the security risks. Our cryptographic solutions secure emerging technologies such as cloud, IoT, blockchain, and digital payments and help meet new compliance mandates. We do this using our same proven technology that global organizations depend on today to protect against threats to their sensitive data, network communications and enterprise infrastructure.

We deliver trust for your business critical applications, ensure the integrity of your data and put you in complete control – today, tomorrow, always. www.ncipher.com
