Cryptomathic Blog

Itemizing the potential risks of the European Digital Identity (EUDl) Wallet scheme is a complex task that involves assessing the attack surface of the digital wallet app across various platforms, as well as the backend infrastructure, processes, and organizations involved. To provide support, the ENISA and OWASP mobile app guidelines offer useful resources for a secure development lifecycle of digital wallets, as outlined in this article.

We also introduce how Cryptomathic's Mobile App Security Core helps address the majority of the ENISA and OWASP security recommendations.

Mobile apps and mobile software components are rarely stand-alone as they frequently perform their most important operations on various backend systems. Both parties in this communication need assurance that they are talking to an authentic partner at the other end. The server needs assurance that the software it talks to on the mobile device is authentic and not tampered with. The software on the mobile device needs assurance that it talks to the authentic server (not a man-in-the-middle) and that data can reliably be sent to the server.

The European Commission promotes the European Digital Identity wallet (EUDI wallet) as part of its effort to digitize the economy and help foster trust services. In practice, this means that from the end of 2023 each EU Member State will gradually offer a mobile-based wallet to their citizens, residents and businesses to identify and authenticate online. Here we look at the scope of the EUDI and some of the security challenges for the app.

On April 19, 2022, information about a severe vulnerability in recent versions of Java shook up the security community.

Today's businesses rely heavily on cryptography to authenticate people and processes, secure communications, and safeguard critical data.

For trustworthy remote identity verification, a proof of the authenticity of the identity card and of the integrity of its contents is needed, along with reliable binding between the ID card and the identifying individual. Verification of biometric markers in a remote video identification procedure has long been undermined by deep fake technology. The recent hack of the Video-Ident procedure presents a more scalable attack and has further destroyed trust in online identity verification. A solution to this problem lies in the utilization of the NFC chip that is built into a growing number of national identity cards.

Just a month ago, NIST announced its selection of three digital signature algorithms and one key establishment mechanism (KEM) for future use in quantum-resistant cryptography applications. Also, four algorithms for post-quantum key establishment were selected as candidates for the 4^th round of evaluation, for potential standardization at a later time.

In this article, we proposeWhat-You-See-Is-What-You-Timestamp (WYSIWYT) as an attractive alternative to Qualified Electronic Signatures, for certain signing needs where non-repudiable user acceptance and integrity protection are required for a given contract or transaction, i.e. when documents need to be formally accepted, but where no fulfilment form is prescribed by national law.

An over five-year-long process has come to a preliminary end: On July 5, 2022, NIST issued the long-awaited announcement of the winners of Round 3 of the NIST Post-Quantum Crypto (PQC) Standardization Process, that is, which quantum-resistant cryptographic algorithms NIST has selected for standardization.