The Identos Encryption as a Service (EaaS) platform allows an application to strongly credential a user with a cryptographic identity. Credentials are created using a PKI with the express purpose of binding a user account to a cryptographic key, providing a strong credential to the user. This credential enables:
• Data Security – secure data encryption key delivery
• Access Control – only authorized users can be delivered a key
• Message Integrity – signatures can be verified against the registered user certificate
• User Revocation – administrators can disable a user or a specific device to prevent key delivery and clear existing keys from the device
Additionally, the SDK provides several device/application integrity checks to prevent unintended disclosures of data, keys, and passphrases.
EaaS runs on most operating systems/platforms:
• iOS
• Android
• Mac OS X
• Windows 10
• Linux
• Cordova
• Xamarin
EaaS runs with language support for the following:
• C
• Objective-C/Swift
• Java
• .NET C#
• Python
Prepare the SDK for use. This function needs to be called every time to:
• Get application policies from the IDENTOS server
• Verify the device/application environment
Device status:
• Unregistered
• Registered
• Disabled
If the device is Pending Confirmation, this function provides the token the application server needs to send to the IDENTOS server to bind this device to an account.
Allows a user to use either passphrase or Touch ID to unlock their cryptographic identity and start a session.
This is the typical flow performed by the app to register a device to a user's account in the application server.
This function will utilize the IDENTOS SDK and server to encrypt specified data.
Input:
• Data
• Optional key identifier – using the optional key identifier allows related data to be secured under the same data encryption key
Output:
• Encrypted data
• Key identifier
Data encrypted by the IDENTOS SDK can be decrypted for use. The encrypted data is packaged with the required key identifier. The key is automatically fetched after the user's access is verified.
Input:
• Encrypted data
Output:
• Decrypted data
• Key identifier
This function will add a user to the access control list for a key identifier.
Input:
• Key ID
• List of user IDs
Output:
• Success/Failure
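The encrypt, decrypt and access control list functions described above, modelled end to end as an added example (not Identos SDK code): the key identifier is packaged with the ciphertext, the key is delivered only to a user on that key's ACL, and tampering is detected before decryption. The KeyServer class, the HMAC-SHA256 counter-mode keystream (a stand-in for the SDK's real cipher) and the package layout are assumptions of this example.

```python
import hashlib
import hmac
import secrets


class KeyServer:
    """Constructed stand-in for the IDENTOS server: keys plus per-key ACLs."""

    def __init__(self):
        self.keys = {}  # key identifier -> data encryption key
        self.acl = {}   # key identifier -> set of user IDs allowed delivery

    def create_key(self, owner):
        key_id = secrets.token_hex(8)  # 16 hex chars, fixed width in the package
        self.keys[key_id] = secrets.token_bytes(32)
        self.acl[key_id] = {owner}
        return key_id

    def add_users(self, key_id, user_ids):
        """Add users to the ACL for a key identifier; returns Success/Failure."""
        if key_id not in self.acl:
            return False
        self.acl[key_id].update(user_ids)
        return True

    def deliver_key(self, key_id, user):
        # Access control: the key is only delivered to a user on its ACL.
        if user not in self.acl.get(key_id, set()):
            raise PermissionError(f"{user} is not authorized for key {key_id}")
        return self.keys[key_id]


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode; assumed stand-in for the SDK's real cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def encrypt(server, user, data, key_id=None):
    """Returns (package, key_id); package = key_id || nonce || ciphertext || tag."""
    key_id = key_id or server.create_key(user)  # reuse key_id for related data
    key = server.deliver_key(key_id, user)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, key_id.encode() + nonce + ct, hashlib.sha256).digest()
    return key_id.encode() + nonce + ct + tag, key_id


def decrypt(server, user, package):
    """Parse the key identifier, fetch the key (ACL checked), verify, decrypt."""
    key_id, nonce = package[:16].decode(), package[16:32]
    ct, tag = package[32:-32], package[-32:]
    key = server.deliver_key(key_id, user)
    expected = hmac.new(key, key_id.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed; package was modified")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))), key_id
```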
The Sign/Verify function ensures that a signature can be verified against the registered user certificate.
Sign any data with a key registered to a user.
Input:
• Data
Output:
• Signature
The signature is packaged with the signer certificate ID. This certificate is fetched from the IDENTOS server to enable the verification of the signature.
Input:
• Data
• Signature
Output:
• Boolean
• Signer's identity
A derived elliptic curve key pair can be implemented in addition to the EaaS identity for use with custom identity protocols (e.g. FIDO). This service leverages a hardware secure element (SE) if available. More info can be found here:
Allows the registered SDK to provide Federated SSO to other services, acting as a login credential into other applications. It allows for a high level of assurance based on 1. possession of the device, 2. biometric authentication (iOS), and 3. knowledge of the passphrase. More info can be found here:
The EaaS SDK has the following lifecycle:
START -> INITIALIZED -> AUTHENTICATED -> DISABLED
• Application start
• Waiting for initialization
There are 5 possible outcomes:
• Error - the device didn't pass the verification checks
• Unregistered - the user must register before they can use EaaS
• Pending Confirmation - the device has not yet been associated with a user
• Disabled - the device has been remotely disabled by an admin
• Okay - the user can authenticate
Only an AUTHENTICATED user is able to use the cryptographic functionality.
EaaS - Identos Encryption as a Service
PKI - Public Key Infrastructure