Digital transactions which require customer authentication have soared exponentially in past few years. It is expected it will keep on rising as digital services become an increasing part of our lives. In past decade there has been significant development to make authentication services convenient to use. This development has produced eIDAS (910/2014), which laid standards for software/hardware vendors to follow. While maintaining the same or enhanced security target as previous eID technologies (e.g PKI Sim Card, eID card, etc).
According to eIDAS, signature creation devices should implement user’s sole control over their private/signing keys. These devices are called as Qualified or Secure Signature Creation Devices i.e QSCD or SSCD based on their conformance to standards. For example, the following devices can be defined or QSCD or SSCD: SIM/eSIM in phones, eID cards, SecureElement (SE) in smartphones, USB dongles, HSM & SAM in connectivity with smartphone app.
eIDAS 2.0 is expanding the scope which also mandates all EU member states. eIDAS 2.0 makes a EUDI Wallet available to every citizen who wants one by September 2023.
EUDI Wallet:
The EUDI Wallets on smartphones will enable users to:
- perform strong authentication,
- sign by means of qualified electronic signature (QES) or seal
- choose which aspects of their identity, data, and certificates they share with third parties
- keep track of your data attributes shared with third parties
- allow end users to upload payment cards to the app and perform digital payments
EUDI wallet app will be required to focus on functionality that would streamline transactions requiring both identity documents and payments. Moreover, a secure implementation requires smartphone app to connect with SSCD/QSCD.
Image below lists the 3-tiers of signature framework which is provided by SSCD/QSCD.
LSCD: Local Signature-Creation Device. A (secure) signature-creation device that is owned by and in the proximity of an end user.
RSCD: Remote Signature-Creation Device. A (secure) signature-creation device that is owned by, but not in the proximity of, an end user. Nonetheless, the usage of the device is (by some other means) under the control of the end user.
There are three practical ways to implement the signature creation devices on smartphone which can be leveraged for EUDI wallet app:
- Local QSCD/SSCD:
- SIM/eSIM
- SE of the smartphone
- Remote QSCD/SSCD
- HSM & SAM signing
In this list, we have omitted FIDO & Dongles. Even in the FIDO Alliance they consider using remote signature services when SSCD/QSCD is needed.
Currently, Android does not provide Secure Element support, which would be internationally standardized and available on majority of smartphones. Additionally, smartphone SE is controlled mainly by USA /Chinese vendors. European digital identity should not be dependent on these vendors only.
SSCD / QSCD Implementation
These limitations leaves Local and Remote implementation as viable options to implement EUDI Wallet app on Smartphone with QSCD/SSCD. Simplified technical implementations on smartphone as a QSCD/SSCD for EUDI Wallet app could be:
- Remote SSCD/QSCD:
- European vendors provide a backend and HSM. User signing keys are generated at HSM, encrypted and exported to the SAM. SAM splits the encrypted key into two parts, one stored locally and second on the users smartphone app. App architects should develop APPs which utilize these keys. Keys are registered under new type of identifier that enables verifiable DID.
- Local SSCD/QSCD:
- European vendors provide applet to MNOs, who install the applet in Supplementary Security Domain SSD of UICC card. SSD keys are delivered securely to EUDI Wallet App architects. App uses predefined TAR and AID to communicate with the applet. Keys are registered under new type of identifier that enables verifiable, decentralized digital identity (DID). App can use DID or either directly use the Applet.
To implement Remote SSCD/QSCD approach, EUDI wallet app either develops a secure identity app which can communicate with HSM via SAM or use some existing software development kit.
To implement Local SSCD / QSCD approach, EUDI wallet app can also leverage on existing national Mobile ID scheme of many European countries (Mobiilivarmene, Swiss Mobile ID, etc.). Meaning every person using a mobile network have an applet enabled in their phone, which can be leveraged to provide SSCD/QSCD requirement of the EUDI Wallet app.
Using these implementations would provide simple revocation, cross-border authentication and document signing features from the beginning once enabled. End-users may have the same DID certificate and the member state enrolls its own Verifiable Credentials.
Methics is positioned to support the key stakeholders responsible for making the EUDIW a reality. As a global leader of open standard Mobile ID services, our products are delivering tech for strong authentication. Feel free to get in touch with us if you want to discuss the presented model and how SSCD/QSCD can be provided from EUDI wallet to European residents.
Publish Date: 12 May 2022
Written and Edited by: Ammar Bukhari & Jarmo Miettinen
—–
References:
1. http://docs.oasis-open.org/dss-x/localsig/v1.0/localsig-v1.0.html
3. Decentralized Identifiers (DIDs) v1.0, Core architecture, data model, and representations, W3C Proposed Recommendation
4. https://www.methics.fi/methics-product-portfolio/kiuru-sam/
5. https://www.methics.fi/solutions/unified-signing-solution/