The Derived Credential (DC) module provides lifecycle management of elliptic curve key-pairs. This enables several business use-cases:

• User authentication with a key-pair (e.g. FIDO)
• Replacing a legacy credential (username/password) with cryptographic authentication
• Extending a physical credential (e.g. a smart card) into the digital space
• Providing digital signatures for forms/contracts

The DC module automatically uses the strongest mechanism available on the device to store the private key. The module is packaged with the IDENTOS EaaS SDK; if a local Secure Enclave (SE) is not present, this module must be used in conjunction with the IDENTOS EaaS Encryption Key management module (see README_EaaS for more about EaaS).


On devices with Secure Enclave (SE) hardware running iOS 10.0+, the DC key-pair is protected and authenticated by the SE. The SE is an onboard HSM, which provides very strong assurance that the generated key-pair cannot be tampered with or extracted.

For older devices and iOS versions, the DC key-pair is protected by authenticating the user via IDENTOS EaaS (see README_EaaS).


Requires IDENTOS User

Determines whether the DC module requires the user to authenticate using IDENTOS EaaS when no compatible SE is available.
• True - EaaS authentication is required before the DC module can be used
• False - DC module interfaces can be used immediately

Generate Key-pair

Generate a new EC key-pair and return a handle that references the key.

Input:
• Keytype (FIDO compliant, EC, Secure Enclave)

Output:
• KeyHandle

Export Public Key

Export the PEM encoding of the public key represented by the supplied handle.

Input:
• KeyHandle

Output:
• PEM formatted public key


Sign

Create a DER encoded signature over the data.

Input:
• KeyHandle
• Data

Output:
• Signature


Destroy Key

Destroy a key. This function is NOT reversible.

Input:
• KeyHandle

Output:
• Whether the key was successfully destroyed
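The four operations above form one key lifecycle: generate a key-pair behind an opaque handle, hand the public key out as PEM, produce DER signatures, and destroy the key. The Go program below is an added, software-only illustration of that lifecycle and is not the IDENTOS SDK or its API; the names KeyStore, KeyHandle, GenerateKeyPair, ExportPublicKeyPEM, Sign, Destroy and VerifyDER are assumptions chosen to mirror the interfaces listed, the private key is held in process memory rather than in a Secure Enclave, and the signed data is a constructed sample. It also shows the relying-party side, which needs only the PEM public key to verify a DER signature, and that a destroyed handle can no longer sign.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"sync"
)

// KeyHandle is an opaque reference to a key held by the store. Callers only
// ever see the handle, never the private key, which is the point of the design.
type KeyHandle string

// KeyStore is a constructed, in-memory stand-in for the DC module's key
// lifecycle (hypothetical type, not part of the SDK).
type KeyStore struct {
	mu   sync.Mutex
	keys map[KeyHandle]*ecdsa.PrivateKey
}

func NewKeyStore() *KeyStore {
	return &KeyStore{keys: map[KeyHandle]*ecdsa.PrivateKey{}}
}

// GenerateKeyPair creates a P-256 key-pair and returns a random handle for it.
func (s *KeyStore) GenerateKeyPair() (KeyHandle, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	var raw [16]byte
	if _, err := rand.Read(raw[:]); err != nil {
		return "", err
	}
	h := KeyHandle(hex.EncodeToString(raw[:]))
	s.mu.Lock()
	defer s.mu.Unlock()
	s.keys[h] = priv
	return h, nil
}

func (s *KeyStore) lookup(h KeyHandle) (*ecdsa.PrivateKey, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	priv, ok := s.keys[h]
	if !ok {
		return nil, errors.New("unknown or destroyed key handle")
	}
	return priv, nil
}

// ExportPublicKeyPEM returns the SubjectPublicKeyInfo DER of the public key, PEM wrapped.
func (s *KeyStore) ExportPublicKeyPEM(h KeyHandle) ([]byte, error) {
	priv, err := s.lookup(h)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// Sign hashes data with SHA-256 and returns an ASN.1 DER encoded ECDSA signature.
func (s *KeyStore) Sign(h KeyHandle, data []byte) ([]byte, error) {
	priv, err := s.lookup(h)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Destroy removes the key behind the handle. It is not reversible; it returns
// false if the handle is unknown or was already destroyed.
func (s *KeyStore) Destroy(h KeyHandle) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.keys[h]; !ok {
		return false
	}
	delete(s.keys, h)
	return true
}

// VerifyDER is the relying-party side: it needs only the exported PEM public key.
func VerifyDER(pubPEM, data, sig []byte) (bool, error) {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return false, errors.New("input is not a PEM public key")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return false, err
	}
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return false, errors.New("public key is not an EC key")
	}
	digest := sha256.Sum256(data)
	return ecdsa.VerifyASN1(ecPub, digest[:], sig), nil
}

func main() {
	store := NewKeyStore()
	handle, _ := store.GenerateKeyPair()
	pubPEM, _ := store.ExportPublicKeyPEM(handle)
	form := []byte("constructed sample: contract #42 accepted") // constructed input
	sig, _ := store.Sign(handle, form)
	ok, _ := VerifyDER(pubPEM, form, sig)
	fmt.Printf("signature valid: %v, DER length %d bytes\n", ok, len(sig))
	fmt.Printf("destroyed: %v\n", store.Destroy(handle))
	_, err := store.Sign(handle, form)
	fmt.Printf("sign after destroy: %v\n", err)
}
```

The handle-based store is what lets the module keep the private key out of the caller's hands: application code only ever passes a handle and data, and only the public half leaves the store, as PEM. On hardware with a Secure Enclave the same split is enforced by the hardware instead of by a Go struct.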


EaaS - IDENTOS Encryption as a Service
EC - Elliptic Curve (keys)
FIDO - https://fidoalliance.org
DER - binary format encoding rules for cryptographic objects
DC - Derived Credential, a cryptographic key bound to a user
HSM - Hardware Security Module
SE - Secure Enclave
SDK - Software Development Kit
PEM - Base64 encoded DER representing a cryptographic object (key, certificate)
PKCS - Public Key Cryptography Standards