Thales EUCC certification - Civil identity
Welcome to the Thales EUCC-certified products page for Civil Identity solutions. The following list details the Thales products that have achieved EUCC certification, including product description, certificate and certification names, and general security guidance.
MultiApp cards
The MultiApp ID smart cards are fully compliant with two major industry standards: Oracle Java Card Classic Edition and GlobalPlatform (GP) Card Specification. They are therefore Java-GP cards, capable of managing applets in a controlled and secure manner in this multi-applet environment.
MultiApp products certified under the European Cybersecurity Certification (EUCC) scheme:
| Product Family Name | Certificate Name | Certification reference |
| MultiApp 4.2 Premium |
General security guidance applicable to Thales MultiApp certified products:
- All administrators who interact with the product must be trusted actors who are trained and aware of the sensitivity of the assets they manage. In particular, administrators must enforce security policies to ensure the confidentiality and integrity of all cryptographic keys under their responsibility.
- Administrators in charge of content management must enforce the product issuer’s policy related to the loading, installation, update and deletion of applications.
- The communication between the product and authorized equipment (e.g. servers, terminals) must remain secure. It is the responsibility of the related actors to use the Secure Channel Protocols which are implemented in the product for that purpose.
- Some use cases or applications enforce end-user authentication by means of a Personal Identification Number (PIN). PIN values shall be robust, i.e. not easy to guess (values such as “0000” or “1234” must be avoided). The end-user must also keep PIN values secret, i.e. not disclose them to anybody, neither intentionally (sharing) nor involuntarily (careless typing).
- Thales customers are invited to contact their Thales representative to get further secure usage recommendations and guidelines.
IAS Classic and Q-IAS Applications
IAS and Q-IAS products provide digital signature and PKI functionalities. IAS Classic or Q-IAS is an applet that can be used for public key infrastructure (PKI) applications such as identity cards and corporate security (closed user groups). IAS and Q-IAS are fully compliant with digital signature law.
IAS Classic products certified under the European Cybersecurity Certification (EUCC) Scheme:
| Product Family Name | Certificate Name | Certification reference |
| MultiApp V4.2 |
General security guidance applicable to Thales IAS Classic and Q-IAS certified products:
- All administrators who interact with the application must be trusted actors who are trained and aware of the sensitivity of the assets they manage. In particular, administrators must enforce security policies to ensure the confidentiality and integrity of all cryptographic keys under their responsibility.
- The communication between the application and authorized equipment (e.g. servers, terminals) must remain secure. It is the responsibility of the related actors to use the Secure Channel Protocols which are implemented in the product for that purpose.
- Some use cases or applications enforce end-user authentication by means of a Personal Identification Number (PIN). PIN values shall be robust, i.e. not easy to guess (values such as “0000” or “1234” must be avoided). The end-user must also keep PIN values secret, i.e. not disclose them to anybody, neither intentionally (sharing) nor involuntarily (careless typing).
- Thales customers are invited to contact their Thales representative to get further secure usage recommendations and guidelines.
Tachograph cards
A digital tachograph records speed, distance, driving periods, breaks, and events such as speeding, driving without the card, and fraud attempts. This data is mainly used to make sure drivers follow the rules on driving and resting times, so that companies can comply with these rules and enforcers can perform effective roadside checks.
This application is governed by European regulation: Regulation (EU) 2016/799 and Amendment (EU) 2018/502.
Tachograph card products certified under the European Cybersecurity Certification (EUCC) Scheme:
| Certificate Name | Certification reference |
| Smart Tachograph G2 on MultiApp V4.0.1 - Versions 2.0.1 G et 2.0.1 H | EUCC-ANSSI-2025-3-2 |
General security guidance applicable to Thales Tachograph certified products:
- Tachograph card validity is set according to the (EU) regulation (2016/799 and amendments). Validity is 5 years for Driver and Company cards, 2 years for Control cards and 1 year for Workshop cards.
- The card issuer must personalize the tachograph cards in a secure environment. Special attention must be paid to secret and private keys, whose confidentiality and integrity must be maintained whenever they are handled. Proper management of the corresponding public keys and certificates, including their possible revocation, must be put in place.
- The cardholder shall take appropriate measures to protect the card against theft. If the card is lost or stolen, the owner shall notify the Card Issuing Authority, which will invalidate the corresponding certificate.
- For workshop cards, the PIN must be handled in a secure way: it shall not be disclosed to anyone and must not be written down anywhere.
- Thales customers are invited to contact their Thales representative to get further secure usage recommendations and guidelines.
Electronic Identity Documents
An Electronic Identity Document is a digital solution for proof of identity of citizens.
Passports, driving licences, residence permits and identity cards rely on the same common core of specifications, originally dedicated to electronic passport documents and specified by the International Civil Aviation Organization (ICAO). The specifications are “ICAO – Doc 9303 - Machine Readable Travel Documents”.
In the European Union (EU), Electronic Identity Documents are governed by:
- Council Regulation (EC) No 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States
- Regulation (EC) No 444/2009 of the European Parliament and of the Council of 28 May 2009 amending Council Regulation (EC) No 2252/2004 on standards for security features and biometrics in passports and travel documents issued by Member States
- Regulation (EU) 2019/1157 on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members
- Commission Regulation (EU) No 383/2012 of 4 May 2012 laying down technical requirements with regard to driving licences which include a storage medium and Directive 2006/126/EC of the European Parliament and of the Council of 20 December 2006 on driving licences.
Thales Electronic Identity Documents products certified under the European Cybersecurity Certification (EUCC) Scheme:
| Certificate Name | Certification reference |
General security guidance applicable to Thales Identity Document certified products:
- The Issuing State or Organization must ensure that the Personalization Agents acting on behalf of the Issuing State or Organization perform the following:
  - Establish the correct identity of the holder and create biometric data for the electronic document.
  - Enroll the biometric reference data of the electronic document holder (that is, the portrait photo, the encoded finger images and/or the encoded iris images).
  - Personalize the electronic document for the holder together with the defined physical and logical security measures to protect the confidentiality and integrity of the data.
- The Issuing State or Organization must perform the following to ensure the authentication of the Electronic Identity Document:
  - Generate a cryptographically secure Country Signing Key Pair.
  - Ensure the secrecy of the Country Signing Private Key and sign Document Signer Certificates in a secure operational environment.
  - Distribute the Certificate of the Country Signing Public Key to receiving States and organizations, maintaining its authenticity and integrity.
- Recommendations for the Electronic Identity Document Holder:
  - The document must always be carried in a wallet, purse or similar device.
  - The document must always remain protected against mechanical, thermal and chemical influences and impacts, since these effects lower the durability of the document, including its body material. Exposure to extreme mechanical forces (bending, torsion, stamping, etc.) and exposure to extremes of light, fluids or aggressive gases, sweat, chemicals such as softeners, skin fat, saliva and extreme humidity must be avoided under all circumstances. All of this, among other things, has an accelerated aging effect on the document.
- Thales customers are invited to contact their Thales representative to get further secure usage recommendations and guidelines.