- Created by Karolin Hemmingsson (Unlicensed), last modified on Jan 22, 2021
You are viewing an old version of this page. View the current version.
Compare with Current View Page History
« Previous Version 2 Next »
Nexus' statement of commitment
Nexus is dedicated to the implementation of an active, analytics-driven approach to cybersecurity. Security testing and improvement are ongoing activities that are incorporated into our vulnerability and threat management process.
Nexus performs continuous testing on all mobile solution components to ensure the highest possible level of security. We regularly engage external security auditors to validate our security posture. The regular assessments of application and system vulnerability threats cover the following:
- network vulnerability threat assessments,
- penetration testing and code review with leading, independent third parties, and
- security control framework review and testing.
Our commitment to ensure security was recently noted by an external auditor who declared it is evident that Nexus has made a significant effort to reduce the overall risk that is facing certificate-based security. Contact Nexus for more information.
As trust relates to transparency, all major call flows and APIs are available on our documentation website.
We strongly encourage customers to take all possible precautions to prevent unauthorized access using the current best practices in information security. In case any vulnerabilities are discovered in Nexus' products, they should be reported to Nexus without delay.
Please note that Nexus permits third-party vulnerability and penetration tests with Nexus' approval. Vulnerability and penetration tests shall not be attempted without Nexus' guidance, particularly not in a production environment, as uncontrolled tests may impact system availability, performance and security negatively.
Finally, the overall security in the system has dependencies on the overall PKI solution including the use of Hardware Security Modules (HSMs) and CA software. Lifecycle management processes should mitigate the risks when a device is in vulnerable state, for example lost or misused. Revocation of authentication and signing certificates and the distribution of certificate revocation lists (CRLs) to relying parties should be implemented for this case.
Nexus' CA software Certificate Manager is certified in compliance with Common Criteria for Information Technology Security Evaluation (CC) EAL4+ and covers lifecycle management and revocation processes.
Contents
Introduction to Nexus Smart ID Mobile App
The mobile device is key to adopting accessibility and mobility in the world of evolving digital services. It offers an appealing option to provide convenient and secure access to applications and services for users in the workforce domain as well as citizens in the government domain. The solution provides an intuitive and friction-less experience to the end user, while keeping security measures on the highest level to keep private information protected from cyber attacks and hackers both today and tomorrow.
Nexus' Smart ID Mobile App provides a vast set of use cases such as client authentication, digital signing and email encryption on the mobile device, as well as typical Windows 10 smart card use cases, such as Windows logon, when the mobile device is used together with a Windows machine connected over Bluetooth Low Energy (BLE). All use cases have one thing in common; they are all based on strong uncompromising PKI security.
The Smart ID Mobile App is supported on both iOS and Android and available in Apple App Store and Google Play. Nexus also offers the possibility to license the Smart ID Mobile SDK, which the App is built on, so that it can be embedded into third-party mobile apps for customers who want to further customize the Mobile App.
Smart ID Mobile App - a part of Nexus Smart ID
Since the Smart ID Mobile App is an integral part of Nexus Smart ID, it can out-of-the-box leverage the features and processes developed and excelled for many years granting a smooth and secure experience for both users and administrators.
Here are some features that could be combined with the Smart ID Mobile App:
- Digital access and single sign-on
- Lifecycle management of users and digital identities
- User self-service
- Mobile device management (MDM) integration
Integration with web applications, authentication and digital signing services can be achieved using industry standard protocols, published APIs, and SDKs.
The Smart ID Mobile App includes the following standard components:
- Smart ID Mobile App – stand-alone app for iOS and Android
- Smart ID Mobile SDK – security and communication core to be integrated in third-party mobile apps, for iOS and Android
- Smart ID Messaging (Hermod) - Spring-Boot Java server shipped as Docker container.
The Smart ID Mobile App works in combination with Smart ID Messaging, which represents the server side of the security infrastructure as well as the connection point to other server-side systems and services.
Security Features
Overview of layered security model
Nexus Smart ID Mobile App implements a layered security model using various technologies and security measures where the combination of these provide a resilient design, with no single point of exposure and failure. The target is to protect the user credential and private key from exposure at all times and keep the app safe from cyber attacks and hackers.
Security blocks
The layered security model of the Smart ID Mobile App is constituted by a set of security blocks:
Private key security and secure storage
Private Key Security | Security Features |
---|---|
|
Mobile App & SDK hardening
App & SDK Hardening | Security Features |
---|---|
|
Mobile App security
Mobile App Security | Security Features |
---|---|
|
Online authentication
Online Authentication | Security Features |
---|---|
|
PIN policy
PIN Policy | Security Features |
---|---|
|
Security standards
Security Standards | Security Features |
---|---|
|
Secure provisioning
Secure Provisioning | Security Features |
---|---|
|
Distributed security model
To further strengthen the protection of the PKI private key over the security feaures that are laid out in the previous sections, Smart ID Mobile SDK in conjunction with Smart ID Messaging implements a dual architecture to prevent extraction on the private key stored in the device.
Three security elements are required to bypass private key protection:
- The PIN set by the User, optionally further protected by biometrics
- A cryptographic secret generated and stored protected in the App
- A cryptographic secret generated and stored protected in Smart ID Messaging
Neither the mobile device nor the server holds all three elements, so stealing a PIN and hacked phone will not enable retrieving a private key.
The server controls the number of access attempts, to protect the private keys from exposure to for instance a brute force attack.
The mobile device and server work together using an advanced cryptographical protocol known as SPHINX, which is similar to Diffie-Hellman key establishment. See http://webee.technion.ac.il/~hugo/sphinx.pdf.
- No labels