Purpose

The Derived Credential (DC) module provides lifecycle management of elliptic curve key-pairs. This enables several business use-cases:

• User authentication with a key-pair (i.e. FIDO)
• Replacing a legacy credential (username/password) with cryptographic authentication
• Extend a physical credential (i.e. smart card) to a digital space
• Provide digital signatures for forms/contracts

The DC module automatically uses the strongest possible mechanism to store the private key. The module is packaged with the IDENTOS EaaS SDK; if a local Secure Element (SE) is not present this module must be used in conjunction with the IDENTOS EaaS Encryption Key management module. Read more about EaaS here

ENVIRONMENT

On devices with Secure Enclave (SE) hardware and operating on iOS 10.0+ the DC key-pair is protected and authenticated by the SE. The SE is an onboard HSM, which provides very strong assurance that the generated key-pair cannot be tampered with or extracted.

For older devices and iOS platforms, the DC key-pair is protected by the authentication of the user via IDENTOS EaaS (See README_EaaS)

FUNCTIONS

Requires IDENTOS User

Determines if the DC module requires the user to authenticate using IDENTOS EaaS in the event there is not a compatible SE available
Output:
• True - EaaS authentication is required to use the DC Module
• False - DC Module interfaces can be used immediately

Generate Key-pair

Generate a new EC key-pair, provides a handle to reference the key

Input:
• Keytype (FIDO compliant, EC, Secure Enclave)

Output:
• KeyHandle

Export Public Key

Export PEM of public key represented by the supplied handle
Input:
• KeyHandle

Output:
• PEM formatted public key

Sign

Create DER signature over the data
Input:
• KeyHandle
• Data

Output:
• Signature

Revoke

Destroy a key, this function is NOT reversible
Input:
• KeyHandle

Output:
• If the key was successfully destroyed

GLOSSARY

EaaS - IDENTOS Encryption as a Service
EC - Elliptic Curve Keys
FIDO - https://fidoalliance.org
DER – binary format encoding rules for cryptographic objects
DC - Derived Credential, a cryptographic key bound to a user
HSM - Hardware Security Module
SE - Secure Enclave
SDK - Software Development Kit
PEM - Base64 encoded DER representing a cryptographic object (key, certificate)
PKCS - Public Key Cryptography Standards