Nigeria: One of the largest PKIs ever built is powered by cryptovision
With over 180 million citizens, Nigeria is Africa’s most populous country. As part of an ambitious Presidential initiative, adult Nigerians and resident legal aliens currently receive advanced multipurpose electronic identity cards. These cards will be used for identification, border control, digital signatures, payment and many more applications. Due to the size of the Nigerian population, the Nigerian eID card project is one of the largest of its kind in history. In addition to the card deployment, several other projects have been started by the Nigerian Identity Management Commission (NIMC) to build up a new citizen database at the latest state of technology.
cryptovision plays an essential role in the Nigerian eID card project. We are responsible for the deployment of the PKI, which will be used to electronically validate the card itself as well as to enable online digital signatures. One of the largest PKIs in the world, the full deployment will include at least eight Certification Authorities, which will eventually issue certificates for more than 100 million card holders. The cryptovision product used for managing the PKI is CAmelot, which was chosen by NIMC because of its suitability even for very large PKIs and because of its flexibility (including the support of card-verifiable certificates).
In addition, most of the card applications of the Nigerian eID document are realised with the cryptovision product ePasslet Suite. Currently, five card applications are implemented: identity check, authentication and signature, travel document, fingerprint check, and payment. Five more applications are planned for the near future.
Finally, our middleware products represent important building blocks in the Nigerian eID system. The distributed middleware SCalibur is used for card activation and for communication between system components based on standardised eID protocols (e.g., BAC and EAC). cryptovision’s conventional smart card middleware sc/interface connects the Nigerian eID card with the respective application.
Read more about the Nigeria eID project: https://silicontrust.wordpress.com/2014/09/16/silicon-trust-members-to-facilitate-nigerias-eid-scheme/
BSI: The first eIDAS Token implementation is powered by cryptovision
eIDAS is the legal framework for digital signatures in the European Union. The abbreviation stands for “Regulation on electronic identities and trust services”. In 2016, eIDAS superseded national laws, like the German digital signature act. eIDAS is expected to make the handling of digital signatures easier and to make this technology more attractive. As with other laws, eIDAS only establishes a general framework, while the technical details are left to EU and national regulations, implementing acts, and technical standards.
The German IT security agency BSI and its French counterpart ANSSI were among the first who worked out technical details for eIDAS. Jointly, they developed an eIDAS-compliant smart token specification, which is based on the technology already used for the German identity card (TR-03110). This specification is referred to as “eIDAS Token specification”.
Given these developments, the BSI commissioned a project named POSeIDAS to cryptovision, HJP Consulting, and Governikus. This project aimed to provide three results:
- an eIDAS Token implementation realized as a smart card,
- a software simulating the functions of an eIDAS Token,
- and a prototype of an eIDAS server.
cryptovision’s part in the project was to deliver the POSeIDAS smart card solution, which represents the first implementation of the eIDAS functions on an actual card chip. This implementation is based on the cryptovision product ePasslet Suite, a modular Java Card based framework for multi-functional identity documents. ePasslet Suite, which is already used in over 20 eID projects worldwide, provides a set of Java Card applets for passports, eID cards, electronic driving licenses, signature cards and other applications. As part of the POSeIDAS project, cryptovision extended ePasslet Suite by a number of eIDAS Token specific functions, especially Pseudonymous Signatures, Chip Authentication (CA) 3, and Enhanced Role Authentication (ERA). As ePasslet now supports the whole range of eIDAS token functionality, it is the first solution for eIDAS token compliant identity documents on the market.
HJP-Consulting had the role of the project’s main contractor and provided an eIDAS Token implementation based on their open source eID card simulator PersoSim. Governikus delivered an open source version of an eID server and a corresponding eID client for the POSeIDAS project.
Read more about POSeIDAS in our press release.
E.ON: cryptovision solution takes care of 70,000 smart tokens
When a large company introduces smart cards as a replacement of passwords, even the smallest things are important. Every tiny mistake may have far-reaching consequences if it is repeated on tens of thousands of user platforms. Therefore, a smart token solution needs to offer much more than just security.
The importance of these criteria is demonstrated by a project cryptovision has carried out for German energy supplier, E.ON. The Essen-based energy giant wanted to replace passwords, which were used virtually everywhere throughout the enterprise, with more secure authentication mechanisms. To do so, E.ON equipped 70,000 IT users with smart tokens.
The smart tokens E.ON chose were considered secure, but security was by far not the only requirement. In particular, user-friendliness was considered extremely important. It was clear that if only one percent of 70,000 smart card users had trouble with their cards, chaos and a decline of user acceptance would be inevitable. Such a scenario could easily result in 700 employees being unable to do their job, while the help desk is flooded with 700 support calls. In addition, E.ON considered verification speed an important point. If a card-based login process takes only five seconds longer than necessary, this results in 70,000 employees wasting 10 seconds a day (provided that each employee logs in twice a day). This sums up to 700,000 seconds (or 24 working days) a day. All in all, over 5,000 working days per year are wasted.
Being aware of these problems, many customers prefer a high quality smart card solution, even if it costs more than a mediocre alternative. In addition, software customizations that ease the use of a smart card solution often make sense, as they usually pay off within a short time.
After a few years, E.ON analyzed the impacts of their smart token system. It became clear that the token middleware (i.e., the software that connects the tokens with the program using it) had a number of flaws that caused unnecessary helpdesk traffic. In addition, it was discovered that a cheaper token solution of better quality (including shorter verification time) was available on the market. E.ON therefore decided to abandon the existing smart card solution and to migrate to a new one.
E.ON chose cryptovision’s sc/interface as the new token middleware. sc/interface not only proved to be cheaper and more reliable than the solution used before but also supported all card applications in use at E.ON – among others, Sophos LAN Crypt, Citrix ICA Client, and Check Point Secure Remote Client.
sc/interface has been on the market for more than a decade and has long since developed a very good reputation as a robust and user-friendly solution. It supports over 80 token types and profiles on all major platforms. All tokens that come to use at E.ON are delivered by cryptovision (via T-Systems).
For the old token solution, E.ON had already developed a number of specific components that simplified token use in the E.ON environment (this quickly paid off due to the huge quantity of users). In order to make sc/interface support these additional programs, cryptovision had to adapt it in some parts.
As E.ON follows a “bring your own device” policy, the tokens used need to be available on different platforms – especially Windows, Linux and MacOS. This was easy to implement, as sc/interface is available on all these platforms. cryptovision even provided a solution that automatically installs a certified MiniDriver in the user’s Windows environment.
In addition, a self-service enrollment process was established: A person eligible for an E.ON token receives a blank token first and then enrolls online. It is required that a colleague confirms the identity of this person with his token.
The managed Certification Authority (CA) that E.ON used also had to be replaced, as the old one ceased operation. It turned out that D-Trust, the CA of Bundesdruckerei, was a perfect substitute. For various E.ON specific processes further adjustments were required.
After the new solution has now been running smoothly for years, there is no doubt that the migration has paid off. In spite of the lower price, user-friendliness has been improved and verification time was shortened. In addition, there are no complaints about security. However, this had been assumed by customer E.ON anyway.
Read more about cryptovision’s E.ON project in the issue 1/2017 of the magazine Dig:ID.
Uniklinik Würzburg: Patient data protected with cryptovision technology
As one of the largest hospitals in the state of Bavaria, Universitätsklinikum Würzburg has more than 4,000 employees and an even larger number of IT users. Like every hospital, Universitätsklinikum Würzburg has to fulfill high IT security standards in order to protect patient data.
In order to meet the high security needs, Universitätsklinikum Würzburg chose to introduce strong encryption and authentication mechanisms based on digital certificates for a wide range of medical IT applications. Wherever possible, smart cards are used to store private keys; only in exceptional cases software keys are used. To manage these digital certificates Universitätsklinikum Würzburg had to deploy a Public Key Infrastructure (PKI).
The PKI of Universitätsklinikum Würzburg is operated with a Certification Authority (CA) powered by cryptovision’s PKI solution PKIntegrated. This advanced product proved to be an optimal fit, as it integrates seamlessly into the Micro Focus identity management solution used by the hospital.
The Micro Focus identity management suite, featuring products like eDirectory, Identity Manager and iManager, used to be a product family of US software giant Novell, before Novell was acquired in 2010. cryptovision has been a partner of Novell and Micro Focus for 15 years. The PKI solution PKIntegrated is tailor-made for the Micro Focus (formerly: Novell) identity management range. As a long-term Novell and Micro Focus customer, Universitätsklinikum Würzburg realised that no other PKI product on the market fit as well in their identity management environment as PKIntegrated. PKIntegrated has now been in operation for over five years.
In addition to PKIntegrated, Universitätsklinikum Würzburg uses cryptovision’s sc/interface. This smart card middleware connects the users’ PCs with the cards. As an additional tool, a card management system provided by Nexus Technologies is in use.
Universitätsklinikum Würzburg is one of many customers cryptovision has in the health sector. Most of them are large hospitals with complex IT infrastructures that need secure protection without interfering with the staff in performing their life-critical work.
German Armed Forces (Bundeswehr): military-grade email encryption provided by cryptovision
The German Armed Forces (Bundeswehr) is the largest IBM Notes user in Germany and also uses Microsoft Outlook. It goes without saying that email encryption is essential for such a military organization. However, the native encryption functions of Notes and Outlook neither have an appropriate security evaluation required for high demands nor do they provide all the functionality required for large user groups. The Bundeswehr therefore had to look for a more sophisticated email encryption solution.
While there are many email protection solutions on the market, cryptovision’s s/mail proved to be the only one that fit the Bundeswehr’s requirements. In contrast to some other email encryption products, s/mail is client-based and therefore provides end-to-end security. In addition, s/mail is available for both Notes and Outlook, which was a major requirement of the Bundeswehr. It also has a number of practical features that are especially interesting for large user groups.
Most of all, s/mail provides the highest security level of all email crypto solutions available. It even has VS-NfD, NATO Restricted and EU Restricted approvals. There is no other email crypto product with these certifications on the market.
In a process of several years Bundeswehr evaluated s/mail. As a consequence, cryptovision implemented several additional features and improvements, which made s/mail an even more powerful solution. In 2007, Bundeswehr purchased an s/mail enterprise license.
Read more about s/mail at the Bundeswehr on Heise Online (German).
Other cryptovision reference customers
Allied Irish Banks (AIB) is one of the largest financial institutions in Ireland. AIB, which is mostly owned by the Irish state, offers a full range of personal and corporate banking services, including international banking and treasury operations. Like every company in the financial sector, AIB has high security requirements. In 2013, AIB deployed a corporate Public Key Infrastructure (PKI) in order to protect several IT applications with digital certificates. As a long-term Micro Focus (formerly: Novell) customer, AIB chose cryptovision’s PKIntegrated as the certificate lifecycle management solution. PKIntegrated is tailor-made for the Micro Focus identity management solutions (including eDirectory and Identity Manager) and was therefore a perfect fit for AIB’s requirements. In addition, AIB uses cryptovision’s pki/roamer for user auto-enrollment. Finally, AIB encrypts emails with cryptovision’s high-end email security solution s/mail.
Allianz is one of the world’s leading financial services providers headquartered in Munich, Germany. For years, Allianz has been operating a Public Key Infrastructure (PKI) for authentication, Single Sign-on and data encryption. As Allianz puts great stress on security, the IT department chose to use smart cards for private key storage instead of a purely software-based solution. For connecting the smart cards used with the applications, Allianz selected cryptovision’s smart card middleware sc/interface. The main reasons for this choice were the product’s excellent integration support for the targeted applications and a seamless migration from a previously used solution. Meanwhile nearly 70,000 Allianz employees use sc/interface.
Bayerisches Landesamt für Digitalisierung, Breitband und Vermessung
The Bayerisches Landesamt für Digitalisierung, Breitband und Vermessung (LDBV) is an authority operated by the German federal state of Bavaria. The LDBV is responsible for digitalisation, promotion of broadband infrastructure, and measurement in this state, supervising 51 other authorities in this segment. The IT-DLZ, LDBV’s IT service provider, is responsible for all Bavarian law courts. In addition, the IT-DLZ is the IT distributor for all Bavarian authorities providing . In order to provide its customers powerful smart card middleware, the LDBV has concluded a framework contract with cryptovision concerning the product sc/interface. As Bavarian authorities more and more replace passwords with smart cards, there is a considerable demand for this solution. Meanwhile LDBV has provided sc/interface to over 50 customers – e.g., universities, parliaments, administration authorities, and law courts.
e.solutions is a joint venture started by Audi and automotive IT specialist Elektrobit. With almost 600 employees e.solutions is specialised in automotive infotainment. Their main goal is to develop innovative consumer electronics solutions for cars, including features like voice control and ergonomic user interfaces.
As a security-aware company, e.solutions uses smart cards for protecting operating system login and other authentication tasks, among other things in a virtual infrastructure. The smart card middleware used is cryptovision’s sc/interface. sc/interface has been on the market for over a decade. It supports over 80 cards/card types on all relevant platforms via all relevant crypto interfaces, which makes it one of the most powerful smart card middleware solutions on the worldwide market.
PSA is the second-largest European automaker. Based in Paris, France, PSA is known for its brands Peugeot, Citroën, DS, as well as recently Opel and Vauxhall. Like many other enterprises in the industrial sector, PSA is more and more replacing password-based authentication for IT systems with more secure solutions, especially smart cards. For this reason, smart card middleware plays an important role in the company’s IT security strategy. PSA has chosen to use cryptovision’s smart card middleware sc/interface, which is known for its flexibility making it suitable for all major applications, platforms, interfaces, and card types.
The German insurance company SIGNAL Iduna has high security requirements. For this reason, SIGNAL Iduna is implementing cryptovision’s smart card middleware, sc/interface, for protecting their thin clients and other applications. sc/interface is one of the most advanced solutions for using smart cards in a virtual desktop infrastructure, with support for hardware from several thin client vendors. Instead of equipping their employees with PCs, SIGNAL Iduna has chosen to work with IGEL thin clients. Thin clients are much leaner and cheaper than PCs, but they also make interesting targets for hackers. Therefore, protection of thin client to server communication is highly important. In particular, authentication should rely on a secure second factor, like smart cards. IGEL thin clients support smart cards via the Linux version of cryptovision’s sc/interface. SIGNAL Iduna chose to use this solution in order to fulfill their high security requirements. Thus, sc/interface has become a major building block in SIGNAL Iduna’s security strategy.
ThyssenKrupp Presta is a part of ThyssenKrupp, a German multinational group of companies with over 150,000 employees. ThyssenKrupp Presta is an automotive supplier located in Liechtenstein. Like many other enterprises in the industrial sector, ThyssenKrupp Presta is currently replacing password-based authentication for IT systems with smart card solutions. For this reason, smart card middleware plays an important role in the company’s IT security strategy. ThyssenKrupp Presta has chosen cryptovision’s smart card middleware sc/interface, which supports all major applications, platforms, interfaces, and card types used in this heterogeneous enterprise.
Vector Informatik has been a leading developer of automobile electronics for over 25 years. At 21 locations worldwide, over 1,800 employees support manufacturers and suppliers of the automotive industry with tools, software components and services for developing embedded systems. Vector Informatik uses cryptovision’s library/es. Based on crypto mechanisms provided by this library a secure bootloader for automobile control systems was realised, which is now used in millions of cars by several major car producers.
The VKB Group is the largest public insurance company in Germany and one of the top ten primary insurers. IT affairs are handled by the internal IT service provider, VKBit. Due to the high security requirements in the insurance industry, VKBit decided to use digital certificates for securing LAN and WLAN access. cryptovision’s integrated PKI product PKIntegrated proved to be the ideal solution for issuing digital certificates within VKBit’s IAM environment. Further PKI applications, such as for mobile platforms, are planned for the near future.
Westfleisch is a leading meat marketer in Germany and Europe. It goes without saying that processing food requires high security standards. Westfleisch has been a cryptovision customer for over ten years. In the first joint project, cryptovision created a smart card based authentication solution for a Westfleisch web portal. Westfleisch decided to introduce smart cards for authentication. The smart card solution was delivered by cryptovision. Meanwhile, cryptovision has conducted other projects at Westfleisch. For instance, cryptovision’s smart card middleware sc/interface is used for employee authentication – an important task considering the high security requirements in the food business. The digital certificates used are provided by cryptovision’s PKI solution PKIntegrated.