CaSPAR Remote Qualified. electronic signatures with Smartphones. Dr. Sven Kloppenburg, AUTHADA
|
|
- Phoebe Pope
- 5 years ago
- Views:
Transcription
1 CaSPAR Remote Qualified Dr. Sven Kloppenburg, AUTHADA electronic signatures with Smartphones This project (HA project no. 499/16-11) is funded in the framework of Hessen ModellProjekte, financed with funds of LOEWE Landes-Offensive zur Entwicklung Wissenschaftlich-ökonomischer Exzellenz, Förderlinie 3: KMU-Verbundvorhaben (State Offensive for the Development of Scientific and Economic Excellence).
2 eidas compliant, remote, mobile QES User Digital Business App Transfer A 1.548,00 NFC Transfer B Create Signature Transfer C Balance 345,67 125, ,67 Qualified Trusted Service Provider
3 Project Goals Gather requirements Business Regulatory Design a system architecture Comply with all relevant regulations Reuse stable components Security by design Privacy by design Build a prototype
4 Usecases Banking & FinTech Consumer Credit Leasing Digital Leasing QES to close EU wide Insurance Life Insurance Property finance Telecommunication Post-paid
5 Compliance with national and EU-laws (and technical guidelines) evolving during the project eidas-directive, Vertrauensdienstegesetz + -Verordnung several ISO and ETSI Standards Personalausweisgesetz und verordnung several BSI TRs Identifizierungsdiensteanbieter BDSG (german data protection law) and GDPR Compliance
6 Project Goals Gather requirements Business Regulatory Design a system architecture Comply with all relevant regulations Reuse stable components Security by design Privacy by design Build a prototype
7 Workflow Bank Bank & User prepare contract QTSP User Checks Contract Authada App User identifies w/eid Bank receives contract User downloads Contract User triggers signature
8 System Architecture Overview
9 Project Consortium Authada Mobile App with eid Identification Webapp for Remote Signing (SSA) MTG Backend for Remote Signing (QSCD) Certficate Handling (CARA) HDA Academic support Security Architecture
10 Project Goals Gather requirements Business Regulatory Design a system architecture Comply with all relevant regulations Reuse stable components Security by design Privacy by design Build a prototype
11 System Architecture Overview
12 System Architecture Overview
13 smarthsm Joint Venture by MTG and Reiner SCT Developed for use with Smart Meters The REINER SCT smarthsm is connected via USB to the Application Server Contains a security module conforming to BSI TR , Appendix B: Smart Meter Mini-HSM Functional and Interoperbility Requirements for the security module. since October 2017 Common Criteria EAL 4+ certified
14 System Architecture Overview
15 System Architecture Overview
16 Means of identification are defined by member states Thus, no single european eid Notification of national eid schemes Interoperability achieved using middleware, proxies and connectors eidas Creates Interoperability
17 Notification of eid means Optional Notification for national eid Systems Notified eid have a level of assurance low, e.g. login / password Substantial, e.g. software certificates High, e.g. the german epa If a notifying country accepts eid for usecases in the public sector, it must accept any eidas-notified eid with matching LOA Germany was first to start notification process, notification published Sep 2017
18 Countries providing notified eids implement Proxies or Middleware based schemes Providing notified eids German version: "eidas- Middleware-Service for eidas-token (TR )
19 Consuming notified eids Countries consuming notified eids provide an eidas Connector to the eidas network German version: Integration in eid-servers Implementation is eid-server-specific CaSPAR Project: eidas Connector integrated into remote QES Service.
20 Using eidas based eid as means of identification Identification is easy and fast Minimum amount of data stored for the minimum time No Account created Short lived, one time certificates Personal Data limited to the required fields Works with any notified eid level substantial or high providing required data fields
21 Project Goals Gather requirements Business Regulatory Design a system architecture Comply with all relevant regulations Reuse stable components Security by design Privacy by design Build a prototype ( )