Microsec Implements eIDAS Compliant Trusted Mobile ID With Thales HSMs

Headquartered in Budapest, Hungary, Microsec is the largest Hungarian certificate authority and a Trust Service Provider (TSP) for electronic signatures and eIDAS-certified solutions. Founded in 1984, Microsec delivers a wide array of next-generation public key infrastructure (PKI) solutions and services that include e-Passport, e-ID card security technology, transaction authorization, and mobile PKI.


A highly popular solution is Microsec PassBy[ME] Mobile ID, a PKI-based mobile ID system providing future-proof user authentication, transaction signing and mobile electronic signatures, creating a seamless end-to-end digital process for users. The solution is designed to equip smartphone users with a secure mobile identity that can be used for online banking access, ATM cash withdrawals, e-government services such as e-health or tax services, or by cloud service providers for secure remote access. The patented PassBy[ME] Mobile ID leverages eIDAS-compliant certificates to deliver future-proof strong customer authentication; legal traceability and non-repudiation; and trusted messaging with signed receipts of messages as proof of delivery.

eIDAS (electronic IDentification, Authentication and trust Services) is Regulation (EU) No 910/2014, which establishes a single EU-wide legal framework for electronic identification and for trust services such as electronic signatures, seals and time stamps, so that they are recognized across member states. Its goal is that electronic transactions are legally valid and secure regardless of where in the EU they take place.

Business Challenge

A fundamental design goal of Microsec PassBy[ME] Mobile ID was to establish the very same guarantees that exist in the physical world – such as in a bank branch office – replicated in an online model to facilitate legally-binding transaction authorization and signatures from any type of mobile device.

Dr. Sándor Szőke, Microsec’s deputy director of eIDAS Trust Services, explained the major use cases for PassBy[ME] Mobile ID: “For the financial sector our solution facilitates online banking and e-commerce, ATM transactions and point of sale usage. For government entities, it can deliver services for e-health, tax, and a range of amenities for citizens. Government departments can also use the solution to securely access information and sensitive data. It also provides remote access services for cloud environments.”

Technical Challenge

The primary technology-related requirement for PassBy[ME] Mobile ID was the use of PKI with corresponding keys and eIDAS-compliant certificates. “With the critical nature of the transactions we support, we need to implement state-of-the-art technology with the highest security solution components available to protect the private signing keys used in the system. These requirements can only be fulfilled by leveraging certified hardware security modules,” Dr. Szőke described.

Solution

Microsec has over a decade of experience utilizing hardware security modules (HSMs) from Thales, finding that the devices deliver a hardened environment for secure cryptographic processing, key protection, and key management, while enabling optimal operational efficiency.

Dr. Szőke reported, “We selected Thales nShield Solo HSMs to be integrated into Microsec PassBy[ME] Mobile ID to provide comprehensive protection of the PKI private keys. The integration enables customers and service providers to meet EU cross-border standards; generate and manage sensitive cryptographic keys in a certified, tamper-resistant hardware environment; and deliver a source of trust for all derived digital services.”

Specifically, Thales nShield Solo keeps keys within a carefully designed cryptographic boundary with a robust access control mechanism, ensuring that each key is used only for its authorized purpose. Sophisticated key management, storage and redundancy features ensure that keys remain available whenever they are needed. Service logs and signed receipts of messages, which serve as proof of delivery, are also stored within the Thales HSM.

Thales nShield HSMs are certified to Common Criteria Evaluation Assurance Level (EAL) 4+. On the strength of that certification they were recognized as Secure Signature Creation Devices (SSCDs) under Directive 1999/93/EC, and eIDAS Article 51 (Transitional Measures) treats such SSCDs as qualified electronic signature creation devices under the Regulation. They are also certified to FIPS 140-2 Level 3, the most widely adopted security benchmark for cryptographic modules in government and commercial enterprises. In addition, nShield HSMs expose keys to applications through industry-standard APIs such as PKCS#11, OpenSSL, JCE, CAPI and CNG, so applications request cryptographic operations through these interfaces while the key material itself stays inside the module.
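The two properties the case study relies on, a signing key that is used only for its authorized purpose and never leaves the module, and a signed receipt that ties proof of delivery to the exact transaction that was authorized, can be shown in a few dozen lines of Go. The example below is added here and is not Microsec or Thales code. It assumes an in-memory P-256 key standing in for the HSM-resident key; application code only ever sees Go's crypto.Signer interface (Public and Sign), which is the same shape a PKCS#11-backed key would present, so swapping the stand-in for a real module does not change the calling code. The transaction string and key labels are constructed sample data.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// hsmSigner stands in for a signing key that lives inside an HSM. Callers
// get only the crypto.Signer interface; the private key never leaves this
// struct, just as a module-held key never leaves the HSM.
// ASSUMPTION (added example): the key is an in-memory P-256 key. A real
// deployment would back crypto.Signer with a PKCS#11 session instead.
type hsmSigner struct {
	priv  *ecdsa.PrivateKey
	label string
}

func newHSMSigner(label string) (*hsmSigner, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &hsmSigner{priv: priv, label: label}, nil
}

func (s *hsmSigner) Public() crypto.PublicKey { return &s.priv.PublicKey }

// Sign enforces the key's authorized purpose: it signs only 32-byte SHA-256
// digests with ECDSA and refuses anything else, mirroring the per-key usage
// restrictions (sign-only, fixed mechanism) an HSM applies.
func (s *hsmSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if opts == nil || opts.HashFunc() != crypto.SHA256 || len(digest) != sha256.Size {
		return nil, fmt.Errorf("key %q: request outside authorized purpose", s.label)
	}
	return ecdsa.SignASN1(r, s.priv, digest)
}

// signMessage hashes msg and asks the HSM-resident key for a signature.
func signMessage(signer crypto.Signer, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return signer.Sign(rand.Reader, digest[:], crypto.SHA256)
}

// verifyMessage checks an ECDSA/SHA-256 signature against a public key.
func verifyMessage(pub crypto.PublicKey, msg, sig []byte) bool {
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(ecPub, digest[:], sig)
}

// receiptBody is what the recipient signs as proof of delivery: the original
// transaction bytes plus the sender's signature over them, so the receipt is
// bound to exactly that authorized transaction and to nothing else.
func receiptBody(tx, txSig []byte) []byte {
	body := append([]byte("receipt:"), tx...)
	return append(body, txSig...)
}

// issueReceipt is the recipient's half of trusted messaging: it signs the
// receipt body with its own HSM-held key.
func issueReceipt(recipient crypto.Signer, tx, txSig []byte) ([]byte, error) {
	return signMessage(recipient, receiptBody(tx, txSig))
}

func main() {
	user, _ := newHSMSigner("user-signing-key")
	bank, _ := newHSMSigner("bank-receipt-key")

	// Constructed sample transaction; the real message format is service-defined.
	tx := []byte("transfer;from=ACCT-0001;to=ACCT-0002;amount=125.00;ccy=EUR;nonce=8f31")
	txSig, err := signMessage(user, tx)
	if err != nil {
		panic(err)
	}
	fmt.Println("transaction verifies:", verifyMessage(user.Public(), tx, txSig))

	tampered := []byte("transfer;from=ACCT-0001;to=ACCT-0002;amount=9125.00;ccy=EUR;nonce=8f31")
	fmt.Println("tampered copy verifies:", verifyMessage(user.Public(), tampered, txSig))

	receipt, _ := issueReceipt(bank, tx, txSig)
	fmt.Println("receipt verifies:", verifyMessage(bank.Public(), receiptBody(tx, txSig), receipt))

	_, err = user.Sign(rand.Reader, []byte("not a SHA-256 digest"), crypto.SHA512)
	fmt.Println("off-purpose request refused:", err != nil)
}
```

The point of routing everything through crypto.Signer is that the application never handles the private scalar: it hands a digest to the key holder and gets a signature back, and the key holder (here the stand-in, in production the HSM) is the only place where usage policy is enforced. The receipt binds to the sender's signature rather than to the plaintext alone, so a recipient cannot later claim delivery of a different, unsigned version of the message.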

Results

“While the current concept specifically targets the European marketplace we believe it is applicable outside of the European Union because of its inherent security features and compliance with global standards,” noted Dr. Szőke.

Best Of The Best

“Cryptographic private keys handled outside the protected boundary of a certified HSM are significantly more vulnerable to attacks, consequently our selection of Thales nShield Solo gives us peace of mind that we have a best-in-class hardware solution embedded within PassBy[ME] Mobile ID,” summarized Dr. Szőke.

EMBEDDING A BEST-IN-CLASS HSM

Business need

  • Facilitate legally-binding online transaction authorization and signatures
  • Replicate physical guarantee process inside a protected digital environment

Technology need

  • Protect private signing keys used within PassBy[ME] Mobile ID solution
  • Identify method to deliver hardened cryptographic processing
  • Ensure compliance with rigorous industry and governmental standards

Solution

  • Thales nShield Solo HSM for the management of sensitive cryptographic keys in a certified, tamper-resistant hardware environment

Result

  • Delivering a source of trust across broad range of mobile digital services
  • Able to bring secure eIDAS-compliant mobile ID solution to market
  • Compliance with FIPS and Common Criteria standards
  • Full compatibility with industry-standard APIs

About Thales eSecurity

Thales eSecurity is the leader in advanced data security solutions and services that deliver trust wherever information is created, shared or stored. We ensure that the data belonging to companies and government entities is both secure and trusted in any environment – on-premises, in the cloud, in data centers or big data environments – without sacrificing business agility. Security doesn’t just reduce risk, it’s an enabler of the digital initiatives that now permeate our daily lives – digital money, e-identities, healthcare, connected cars and with the internet of things (IoT) even household devices. Thales provides everything an organization needs to protect and manage its data, identities and intellectual property and meet regulatory compliance – through encryption, advanced key management, tokenization, privileged user control and high assurance solutions. Security professionals around the globe rely on Thales to confidently accelerate their organization’s digital transformation. Thales eSecurity is part of Thales Group.
