Identity and Access IDPrime MD 8840 and IDCore 8030 MicroSD cards

Presentation transcript:

Identity and Access IDPrime MD 8840 and IDCore 8030 MicroSD cards Didier Bonnet February 2015

MicroSD slots deployment
As of today, MicroSD cards are compatible with most Android and Windows platforms, but not with iOS ones.

Gemalto MicroSD cards range
Secure MicroSD cards embedding the same secure chip as the Gemalto IDPrime MD smart cards
IDPrime MD 8840 – 8GB or 16GB: PKI enabled
IDCore 8030 – 8GB or 16GB: Pure Java platform
[Diagram labels: Microcontroller; IDPrime MD Secure Chip; 8 GB or 16 GB Flash Memory]

IDCore 8030 features
Secure MicroSD equipped with 8 or 16 GB Flash memory
Compliant with the SD Association specifications and the ASSD protocol
Java platform compliant with Java Card v2.2.2 and Global Platform v2.1.1
Secure chip EAL5+ certified, memory size of 80 KB (standard) or 160 KB (option)
Support of all the most recent cryptographic algorithms including RSA 2048 and Elliptic Curves
High security level certifications on request: FIPS 140-2 Level 3 or Common Criteria EAL5+
Gemalto Java applets as an option: OTP-OATH, MPCOS
Drivers for Android, Windows 7 / 8.x, Linux and BlackBerry OS

IDPrime MD 8840 features
Secure MicroSD equipped with 8 or 16 GB Flash memory
Compliant with the SD Association specifications and the ASSD protocol
PKI applet: Same features as the Gemalto IDPrime MD smart cards
Support of all the most recent cryptographic algorithms including RSA 2048 and Elliptic Curves
Certification Common Criteria EAL5+ / PP SSCD for Qualified Signature or FIPS 140-2 Level 3. FIPS 140-2 Level 3 certification on request.
OTP-OATH applet as standard, MPCOS applet as an option
Easy connection to a Windows PC through a PC/SC driver
Supported by the IDGo 800 middleware on Android and Windows 7 / 8.x
Linux on request

Marking specifications
Standard marking 2
Marking customization: On request

Packaging specifications
Standard packaging: Stuck in a white ISO format plastic card. 50 units per box.
Option: Graphical customization of the plastic card
Option: JEDEC 4 x 16 units trays

Common features with the IDPrime MD cards range

IDGo 800 middleware and SDK
[Diagram labels: 3rd party client applications; Test tools; SDK: OTP API, PKI Crypto Layer API; Middleware: PC-SC like API; USB OTG (*) driver; NFC driver; Other reader drivers; IDPrime cards; TEE (*); Other Secure Elements]
(*) OTG: On-The-Go = USB Master. TEE: Trusted Execution Environment.
Key messages:
1- Compared to the existing middlewares for PCs (PKCS#11 or Base CSP + minidriver), this one also includes drivers for the communication channels with various Secure Elements (PC-SC like). This is because the drivers cannot be installed separately on a mobile OS.
2- The main PKI interface is JCE = Java Encryption Extension, because this is the standard interface for Android applications, which are mainly written in Java. On iOS and other mobile OSes, the interface will be different (a standard is being created by an OASIS work group). A lower-level PKI interface is also available for operations that are specific to the Gemalto cards (card parameters, file management, etc.).
3- The SEs addressed by version 1.0 are IDPrime .NET and MD cards in USB and NFC mode. PIV cards can also be addressed on request (in the demo but not in v1.0).
4- The added value of Gemalto is that this middleware will evolve over the years and will embed new drivers for future SEs as soon as they are available (MicroSD, TEE, eSE, contact readers, PINpads, etc.). We will provide these evolutions as part of a Support & Maintenance (S&M) contract.
5- The SDK will be free of charge for our partners that develop applications compliant with our IDGo 800 middleware. However, the middleware itself will be sold on a license fee basis with an associated S&M contract. Our partners will therefore be required to sign a License agreement contract with Gemalto that will specify the sales conditions of the Licenses.
6- We expect to have a MicroSD card available and compliant with the IDPrime MD card by the end of this year, but we rely on a co-development with another Gemalto BU (ST BU). It will be supported by IDGo 800 as soon as available.
7- TEE is not expected before 18 months because it implies the development of a TSM (Trusted Service Manager) that will download our PKI / OTP applets into the ARM CPU TrustZone. Gemalto is presently the market leader in the TSM markets, mainly Payment and Transport. Gemalto is also a founder of Trustonic (with ARM and G&D), which promotes TEE worldwide. (TEE is already deployed in some Samsung smartphones.)
8- IDGo 800 version 1.0 should be launched this summer on Android. A prototype version is already available for demo and beta-test purposes. Version 2.0 on Android is expected end 2013 and will support MicroSD cards, PINpads, and the Precise Bio Tactivo reader on Android (if available). An IDGo 800 MW version should also be launched on iOS, and will support the PB Tactivo reader and another connected contact reader (to be defined).

IDPrime cards positioning statement
Gemalto helps organizations protect and manage their logical, physical, and cloud-based data assets. Our strong multi-factor authentication solutions support a range of form factors and authentication methods providing the highest level of protection.
IDPrime Minidriver enabled PKI Cards

IDPrime cards range: a common set of features
Products: IDPrime .NET 510, IDPrime .NET 5500, IDPrime MD 3810, IDPrime MD 830, IDPrime MD 3840, IDPrime MD 840
Key product features: Base CSP; PKCS#11; RSA; On board PIN Policy; Multi PIN support; Biometry support; Dual interface (contact / contactless & NFC support); FIPS 140-2 Level 3 certif. (platform + PKI applet); FIPS 140-2 Level 2 certif. (platform + PKI, OTP & MPCOS app); CC EAL5+ / Javacard & CC EAL5+ / PP SSCD (Java+applet); Elliptic Curves; OTP OATH option; MPCOS applet option
[Comparison table: the per-product check marks did not survive in the transcript; remaining cell text: "Released !", "Platform only"]

Value Proposition: IDPrime MD as Corporate Badge
WE TARGET: Enterprises, Universities & Governments who need to secure the access to their data, network & cloud-based assets from both PCs and mobile devices.
THE SOLUTION: The IDPrime MD offers all the services of a smart card based Corporate Badge plus the full compatibility with the NFC interface of smartphones and tablets.
BENEFITS: IDPrime MD allows card holders to securely and easily access all their applications whatever their location.
DIFFERENTIATOR: The IDPrime MD, associated with the IDGo 800 middleware suite, is the only Corporate Badge operating on any OS, Plug & Play under Windows, and via NFC with mobile devices.

IDPrime MD key benefits 1/2
Plug & Play PKI smart cards
  Native support on Windows up to 8.1
  IDGo 800 middleware suite: Minidriver, PKCS#11, Credential Provider, tools
Ready for Mobile Security
  Dual interface capability (ISO 14443 and NFC compliant)
Security level even beyond Digital Signature regulations
  FIPS 140-2 Level 3
  CC EAL5+ / PP SSCD
Various form factors and authentication methods
  Contact / dual / hybrid smartcard or token
  Both PKI and OTP authentication are available

IDPrime MD key benefits 2/2
Enhanced cryptographic support
  PKI services with both RSA and Elliptic curves
  E-purse option with MPCOS applet
Flexible security policy
  Extended on-board PIN Policy
  Optional Microsoft Secure Key Injection service
Wide eco-system integration

Digital Signature regulations
IDPrime MD security level is even beyond requirements for Digital Signature regulations
FIPS 140-2 Level 3 certified OS and PKI applet
  IDPrime MD 830
  FIPS 140-2 Level 2 is required by US regulations
CC EAL5+ / PP SSCD certified OS and PKI applet
  IDPrime MD 840 and IDPrime MD 3840
  CC EAL4+ / PP SSCD required by European Digital Signature law
All the IDPrime MD card chips are certified CC EAL5+ or EAL6+
All IDPrime MD cards embed the most advanced security countermeasures

Enhanced cryptography
IDPrime MD is ready for the future, since it supports all the cryptographic algorithms for immediate and future deployments
IDPrime MD supports both RSA and Elliptic Curves
  RSA up to 2048, RSA OAEP & PSS
  Elliptic Curves up to P-521
  SHA-1, SHA-256, SHA-384, SHA-512
  AES up to 256, 3DES
ECC (Elliptic Curves) computation is faster than RSA
  Apart from signature verification, which is not performed by the card anyway
  Improved performance is becoming important with large key lengths

Various authentication methods
PKI authentication
  PIN based
  Multi PIN option
OTP authentication
  OATH standard
  Event based
  Batch, Self or Live provisioning
  With or without PIN entry (same PIN as PKI)
  Proposed as an option

Optelio Contactless MicroSD card

Optelio Contactless Micro SD
A contactless MicroSD card with an integrated antenna, turning any handset into a contactless MIFARE Classic, MIFARE + and DESFire EV1 card
Dual Secure Element running contactless applets
Active contactless front end and specific RF antenna architecture to boost RF performance: a unique Gemalto design.
A technological breakthrough: the result of Gemalto’s unique RF and hardware integration expertise.

Value Proposition for Enterprises
For Physical Access Control and private epurse use cases
Makes any mobile phone equipped with a MicroSD slot ready to use

Qualified Android handsets – Oct 2014

Thank you!