Certified Authentication with Secure Elements

Ensuring Data Security and Certified Authentication with Secure Elements

HLS® utilizes highly secure elements, featuring EAL6+ certification, FIPS 140-2 and 140-3 compliance, AES & DES symmetric encryption, RSA & ECC/ECDSA asymmetric cryptography, extensive physical and software protections, and a TRNG-based key generation system.

Today we all hear more and more about the term “Digitalization”

Digitalization can be defined in many ways, but simply put, it is actually the process of transforming information transmitted physically (classically by printing on paper) into an electronic format.

Digitalization brings with it a number of advantages, such as:

· reduction of operational costs,

· facilitating access to information,

· the possibility of offering services adapted to the personal needs of users.

An important topic in Romania is the digitalization of public services, which implies, among other things:

· automation of the request submission process,

· identification and authorization of applicants,

· completing and digitally signing documents,

· online payment of taxes,

· delivery of electronic documents to the user,

· data exchange between institutions,

· secure hosting of electronic services.

Of course, in addition to the advantages mentioned above, digitization also brings with it great challenges, of which, probably the most important is data security.

This is why, in the following we will briefly discuss how data security and certified user authentication can be ensured in modern digital platforms.

A Secure Element is a microprocessor specially built for storing sensitive data, being able to run applications with an extremely high level of security.

Due to its very small size, extremely low power consumption and extremely high processing speed, the secure element can be embedded in any mobile device.

It basically acts as a safe, protecting what is stored in its non-volatile memory (applications and data) from threats such as:

· typical malware attacks (software attacks aimed at the device’s operating system),

· DoS (denial of service – blocking the device by sending a large number of write/read requests in a very short time),

· Side Channel Attack (observing the behavior of the device in different operating modes – for example when resetting – and exploiting vulnerabilities),

· hardware attacks (exploiting the vulnerability of the system, for example by cooling or overheating the device).

The secure element is central to achieving digitization because it manages all kinds of applications that are vital to our modern lives, applications such as:

· Digital authentication

Instead of name and password, access to an online service can be protected by a strong authentication mechanism based on the data stored and processed in the secure element. For example, to connect to a VPN or email, a secure element can be used in the background to ensure that only authenticated users can access the resources mentioned earlier.

· Digital signature

Applications can use a secure element to digitally sign a document or any data using a locally stored key pair. These keys help the secure element to decrypt the data for reading. Again, this is used to prove that the user has the right to access the resources. For example, our email program could connect to a secure element to digitally “sign” the emails we send, or a government web application could access it when using its digital services.

· Mobile payments

In this case, the secure element securely stores the card data and manages the reading of the encrypted data. During a banking transaction, it acts as an NFC contactless card (we all use this technology when we go to the store and pay by touching the card, phone or watch to the POS). The secure element can be embedded in the phone, SIM cards, access cards, etc.

At Headlightsolutions, we use only high-level secure elements (EAL6+ security certification, FIPS 140-2 and 140-3 certified platform with OS and Applet security level 3 and physical security level 4), providing symmetric encryption algorithms (among others, AES & DES) and asymmetric (RSA & ECC/ECDSA – cryptography using elliptic curves), with large encryption key sizes.

Secure elements are protected by multiple layers of both software and physical protection, including metal shielding, end-to-end encryption, memory encryption, tamper detection etc.

The secure elements used also offer significant storage capacity for security keys or sensitive files, ranging from 50 kB to 200 kB.

Also, the generation of security keys is based on a TRNG (true random number generator) hardware module that ensures the uniqueness of the generated keys.