eID and ePASSPORT
PWPW supplies not only physical products – in the form of a card document or a booklet, for example, identity cards, biometric passports, driving licences, etc., but also provides IT systems in which these documents function. Our IT experts design author's IT solutions such as eID/ePassport, specialist software (the so-called applet) together with an operating system and dedicated microchip for biometric documents and cryptographic cards (PWPW SmartApp®), solutions for digital tachographs, elements of Track&Trace systems, Public Key Infrastructure (PKI), and provide a safe wide area network (PWPW WAN).
eID and ePASSPORT
PWPW is a provider of complex systems for document life cycle management – from production of a physical document (eID forms and ePassport), through enrolment of personal and biometric data, its transfer and personalisation, up to sending the finished documents to citizens. This offer includes various additional services (post-issuance services).
Data is enrolled with the use of software developed by PWPW experts. Data transmission is secured in compliance with system architecture designed for a specific client. The microchip personalisation and applet recording (PWPW SmartApp®) as well as central biometric services (AFIS) and services securing access to the microchip are integrated within one document personalisation system. We use a public key infrastructure (PKI) which may also be offered as a stand-alone product for the existing solutions.
PWPW offers complex IT solutions supporting the production of eID/ePassport documents. The offered infrastructure encompasses personal and biometric data enrolment system, data transmission (WAN) and the central system (Data Centre and Personalisation Centre). The model of infrastructure of the system for personalisation of eIDs and ePassports has been presented in the drawing.
Enrolment of personal and biometric data – ES area
Local offices/locations (ES) accept applications for the issuance of documents, enrol biometric data and issue finished documents as well as provide post-issuance services, i.e., services connected with lost or stolen documents
.
Wide area network - WAN
The wide area network (described in detail in the "PWPW WAN" section) is a safe platform for transfer of orders for highly secured products (eIDs/ePassports). It connects all ES locations in Poland with the Data Centre and personalisation centres.
Central System
Management subsystem is a central register of all applications that also provides information on their current status. The system supports production and distribution subsystems for finished documents. It is composed of:
Production subsystem is a module responsible for the entire personalisation process:
Biometric matching subsystem (AFIS) is a central register of biometric data and additional services. It is used for:
Security subsystem is a set of mechanisms ensuring high level of security of the entire IT system that supports the servicing of biometric documents. These include:
PWPW has its own Public Key Infrastructure (PKI) required for the provision of electronic certification services, including, among others, the issuance of qualified certificates and time stamping. PWPW offers transactional systems based on its own technological products and integrates them with solutions already held by the client. PKI products are offered as a service or are implemented at the client's premises.
PWPW has extensive experience in designing, implementation and maintenance of production systems for identity cards, biometric passports, driving licences and other documents. PWPW has implemented among others:
PWPW has developed its own applets, i.e., PWPW SmartApp®. These products are used in cards and electronic documents such as biometric passports, electronic identity cards, IDs and cryptographic cards. PWPW SmartApp® solutions are composed of specialist software (the so-called applet) developed by PWPW software engineers, an operating system and a special microchip dedicated to applications that require high security level. The applied technology offers the highest level of security of the stored data and broad possibilities of use of PWPW SmartApp® in electronic services and transactions. It also offers broader opportunities for users and control/inspection authorities.
Biometric data enrolled in ES system, transmitted via WAN and personalised together with other data as part of the Central System is serviced with the use of PWPW's own AFIS system.
IT systems supporting eDocuments require safe management of keys and certificates to maximise the level of safety and minimise the risk of unauthorised use of the keys (including Inspection System – IS keys). PWPW has developed its own Central Inspection System (CIS) for central provision of IS key services for the needs of local offices (ES).
PWPW WAN
As part of the supplied ICT systems and solutions PWPW may provide its clients with safe WAN (wide access network) services. WAN is based on MPLS protocol and is made available via Ethernet in a designated location. The equipment used for providing network services is produced, among others, by Cisco, HP and Juniper.
The provided network is not shared with other clients and has no internet access points. PWPW manages it centrally, makes backups and provides repair services in case of failures - according to response times agreed under SLA.
PWPW WAN is a wide area network covering the territory of Poland. PWPW WAN model has been presented in the drawing.
PWPW WAN is a base network for the following systems:
PWPW maintains and manages the network in co-operation with its partners providing telecommunications and integration services. PWPW WAN is a safe network separated with the use of MPLS technology (dedicated IP VPN MPLS channels).
PWPW WAN services allow for connecting remote and central locations of the client. It also makes it possible to maintain parameters guaranteed under the agreed SLA (QoS and guaranteed response time), ensures day-to-day maintenance of wide area network as well as monitoring and support services (helpdesk).
The terrestrial part of PWPW WAN is based on MPLS protocol. A dedicated channel in the operator's network (IP VPN MPLS) has been established for CEPIK and PSI systems, which guarantees integrity of transmitted data. In order to maintain confidentiality, the transmission is encrypted with the use of IPSEC VPN tunnels or DMVPN dynamic tunnel technology. To increase the network access security level, replacement solutions have been prepared for PWPW WAN based on VSAT (satellite technology) and GSM/LTE technology (packet data sent via mobile network). The replacement technologies are activated in case of a prolonging repair of the terrestrial part of PWPW WAN. In central locations, redundant links are used in particular systems, employing different routes or different technologies.
PWPW WAN is managed to CE routers being the network edge (Ethernet interface). Its bandwidth ranges, depending on the client's needs, from 512 Kbits up to 10 Mbits for remote locations and from 6 Mbits up to 80 Mbits for central locations.
For the needs of service work, PWPW has developed network monitoring procedures for PWPW WAN with the use of several systems, procedures for entering the premises of remote locations to repair or provide proper service stock for terminals (routers).
The monitoring system for PWPW WAN is based on collection of network statistics (with the use of IP SLA technology) from network devices (link/interface traffic, accessibility map) and verification of accessibility of routers in five-minute intervals. PWPW clients have access to the helpdesk which is responsible for accepting service requests, providing up-to-date information and supervising the monitoring system.
PKI
PWPW has its own Public Key Infrastructure (PKI) required for the provision of electronic certification services, including, among others, the issuance of qualified certificates and time stamping. PWPW offers transactional systems based on its own technological products and integrates them with solutions already held by the client. PKI products are offered as a service or are implemented at the client's premises
PWPW_PKI is a complex project at an advanced level based on Java technology and using EJBCA architecture. The solution is designed for applications in systems with a large number of users and offers a high level of adjustment to the needs of target PKI system.
PWPW_PKI may be used as a separate module or as an authorisation module in complex transactional systems. The implementation of PWPW_PKI module is easy and fast via available interfaces.
PWPW_PKI offers its end users certification services increasing trust and confidence in the system. Its key function is to issue and publish certificates based on accepted certification requests as well as invalidating, renewing and publication of certificates together with CRL (LDAP service). OCSP (online certificate status protocol) service is yet an additional element that may be implemented.
PKI offered by PWPW is composed of the following elements:
PWPW_PKI is developed based on open-source software.
In order to guarantee high level of trust and reliance of services provided by PWPW in the area of PKI, a number of requirements must be met. The key requirements include:
PWPW provides certification services to firms, public sector institutions and individual users. In the register of qualified entities providing certification services (NCCERT) PWPW has been entered under number 3 as a firm authorised to issue qualified certificates, and under number 5 for qualified time stamping services.
The activities of PWPW in the area of issuance and servicing of qualified certificates and time stamping service have been regulated in the Act of 18 September 2001 on Electronic Signature (Journal of Laws No. 130, Item 1450, as amended) and secondary regulations. In accordance with the Act on Electronic Signature, qualified certificates enable their users to set legally binding signatures tantamount to handwritten signatures.
In addition to qualified certificates, PWPW offers commercial certificates that may be used on various other occasions.
A qualified time stamping is yet another service offered by PWPW. Time stamping triggers legal consequences of a certified date within the meaning of the Polish Civil Code and may be used as evidence in court proceedings.
PWPW SmartApp®
PWPW SmartApp® products are used in cards and electronic documents such as biometric passports, electronic identity cards, IDs and cryptographic cards. PWPW SmartApp® solutions are composed of specialist software (the so-called applet) developed by PWPW software engineers, an operating system and a special microchip dedicated to applications that require high security level.
The applied technology offers the highest level of security of the stored data and broad possibilities of use of PWPW SmartApp® in electronic services and transactions. It also offers broad opportunities for the users and control/inspection authorities.
PWPW SmartApp-ID
PWPW SmartApp-ID products are intended for biometric passports and electronic residence cards for foreigners. They may also be used in other types of identity documents.
The key task of PWPW SmartApp-ID is to store data (personal data, document data, biometric data) and provide authorised persons with safe access to such data. Security mechanisms implemented in this product protect integrity and authenticity of the stored data, prevent their counterfeiting and unauthorised reading, and enable faster immigration control and better border protection.
PWPW SmartApp-ID 3.1 (IFX) encompasses the state-of-the-art Supplemental Access Control (SAC) mechanism which, in accordance with the requirements of the European Commission, must be used in all passports and residence cards issued from the beginning of 2015 and is recommended by the International Civil Aviation Organisation (ICAO) to be used in electronic passports all over the world. In 2014, PWPW SmartApp-ID 3.1 (IFX) with SAC mechanism was awarded a prestigious Common Criteria Certificate.
From the beginning of 2015, PWPW SmartApp-ID 3.1 (IFX) has been used in Polish passports and Polish residence cards for foreigners. SmartApp-ID products are also used in documents of the Republic of Lithuania and Armenia.
PWPW SmartApp-CRYPTO
PWPW SmartApp-CRYPTO products are intended for cryptographic use such as electronic signature, data encrypting and data authentication/validation in IT systems. These products may be used in cryptographic cards, IDs and corporate cards. In addition to the above listed functionalities the newest PWPW SmartApp-CRYPTO 3.0 product enables safe storing of user data in a special system of files and is compatible with Mifare technology dedicated to municipal and access cards. PWPW SmartApp-CRYPTO does not require any additional middleware – it is serviced directly by Microsoft Windows systems. The product complies with the Microsoft Generic Identity Device Specification.
Digital tachograph
Digital tachographs have been mandatory in the European Union since 1 May 2006.
The provisions regulating this aspect were published in the Official Journal of the European Union dated 11 April 2006 and include Regulation (EC) No. 561/2006 of the European Parliament and of the Council of 15 March 2006 on the harmonisation of certain social legislation relating to road transport and amending Council Regulations (EEC) No 3821/85 and (EC) No 2135/98 and repealing Council Regulation (EEC) No 3820/85.
Each EU Member State is obliged to issue electronic cards for digital tachographs. In Poland, this aspect has been regulated in the Act of 29 July 2005 on the System of Digital Tachographs.
PWPW is authorised to issue cards for digital tachographs in Poland under agreement entered into with the Ministry of Infrastructure on 4 October 2012.
Four types of electronic cards are issued as part of the complex Digital Tachograph System (STC):
The key functions of the system include:
STC (Digital Tachograph System) is composed of three integrated subsystems:
Diagram: modules of the Digital Tachograph System
PWPWTrace®
PWPWTrace® - it is a multifunctional platform which enables product tracking at any stage of the supply chain: from the manufacturer up to the final retail outlet. It not only secures the product through its marking with an unique code but also guarantees integrity of the supply chain. PWPWTrace® is the sole type of IT security system that enables effective verification of product authenticity and its tracking as well as allows for effective combating trade in counterfeited goods. This solution meets the needs of potential clients (domestic and foreign) from tobacco, pharmaceutical, food processing and cosmetic sectors and firms which concentrate on protection of their respective brands. The system meets the requirements of, among others, EU Directive in the area of the tracking of tobacco products.
|