ID:SMART Workshop 2024

Date: 21.-22.02.2024
Time: 09:30-14:45
Venue: Fraunhofer SIT
Rheinstr. 75
Darmstadt, Germany
This event is recognised as continuing education for the purposes of T.I.S.P. recertification.

Programme

Day 1 (Wed, Feb 21st, 2024)
09:30 Registration and Coffee
10:00 Opening and Welcome - Dr. Gisela Meister
10:15
Dr. Kai Wollenweber
Siemens AG, CEN/CENELEC JTC 13 BD 6, 8, 9
Impulse Speech: Standardization challenges of harmonized standards and productizable regulation

Globally, regulatory activities surrounding cybersecurity have been increasing for years. At the European level, this is reflected, for example, in the organizational requirements for essential and important entities specified in the NIS (2) directive as well as the introduction of a voluntary certification framework within the EU Cybersecurity Act (CSA).

Besides these activities, the cybersecurity of products is increasingly coming into focus. Based on the product-focused European New Legislative Framework (NLF), existing regulations have already been or will be amended to address the topic of cybersecurity. New horizontal regulations, such as the EU Cyber Resilience Act (CRA), will come into force very soon. Within the NLF, the timely availability of so-called harmonized standards is crucial to support product manufacturers in making products available on the EU market in compliance with the applicable regulations.

The impulse speech will focus on the current and upcoming challenges on the way to the availability of cybersecurity related harmonized standards.

Block 1 - Regulatory Aspects I - Moderator: Peter Rost
11:00
Franziska Granc
Nimbus GmbH
eIDAS 2024 Vision and Reality: European Digital Identity Wallet

As early as 2014, the EU regulation "on electronic identification and trust services for electronic transactions in the internal market" created binding specifications for trust services throughout Europe. Under the standardisation mandate M/460, CEN and ETSI created the European norms which guarantee the technical interoperability and a standardised security level of qualified trust services throughout Europe.

In November 2023, the European Commission, Council and Parliament agreed on a final text to amend the eIDAS Regulation. The eIDAS revision obliges member states to provide natural and legal persons with a European Digital Identity Wallet (EDIW) 30 months after it comes into force. This means that Germany must also provide citizens and companies with an EDIW by 2026.

The wallet is intended to be an electronic means of identification that enables the user to securely store, manage and validate identity data and electronic attestations of attributes, among other things. The attributes that can be mapped via the wallet now also explicitly include powers of attorney and mandates to represent or act on behalf of natural or legal persons.

The presentation explains the concept of the EDIW and assesses the risks and opportunities of a successful (!) implementation.

11:30
Dr. Detlef Houdeau
Infineon Technologies GmbH
eID and DID regulation in the 6 most populated countries of the World

The presentation reflects the existing regulations regarding electronic ID (eID) and digital ID systems (DID) in the six largest economic regions by population. These regions are ECOWAS (424m citizens) in Africa, China (1.4b), EU (450m), India (1.4b), Indonesia (270m) and the USA (330m). Together, these six regions today account for more than 60% of the world's population.

12:00
Cristian Michael Tracci
Senior Manager, Cybersecurity Policies, European Cyber Security Organisation (ECSO), Brussels
The EU’s Cyber Resilience Act: Intentions vs. Politics

The Cyber Resilience Act was born out of a need to address today's unbearable state of vulnerabilities impacting software and hardware products. It attempts to improve product security by defining baselines for manufacturers. A quite large set of products will have to comply with it, though with varying degrees of conformity requirements. This presentation discusses the origin of the Act and some of the contentious points which emerged during the negotiations held between the EU institutions.

12:30 Lunch Break (60 min)
Block 2 – Regulatory Aspects II – Moderator: Dr. Andreas Wolf
13:30
Dr. Robert Klinski
PATENTSHIP Patentanwaltsgesellschaft mbH
Challenges of securing intellectual property rights in the eID domain

The ongoing digital transformation, significantly amplified by AI, has ushered in a new era of disruption, fueling the development of new eID applications such as AI-supported biometric identification. However, this digital transformation also impacts patent practices at patent offices such as the European Patent Office (EPO). While AI generally is patentable, there are numerous hurdles, including those related to the origin of AI training data, that must be overcome to obtain valuable and sustainable AI patents. This presentation will provide practical guidance on systematically developing and patenting AI-related inventions in the eID domain.

14:00
Carlos Serratos
NXP
Legal and Technical Implications of CRA implementations

The Cyber Resilience Act is a unique legal framework, as it addresses the challenges of a digital-based economy, where everything is connected and, as such, at risk. The Act introduces concepts that, while not new, appear for the first time in a legal text at a global level. As with any other innovation, there are challenges, ambiguities and additional work required. Given the implications that the Act brings to all economic actors in Europe selling products with digital elements, it is important to understand the legal and technical implications. What is a "product"? What are the conformance mechanisms? How to claim conformance? Is it enough to claim the product is secure? Those are just a few of the questions that this presentation will address, with a touch of pragmatism, regarding the implications that the Act, a legal text, has for technology and products.

14:30
Dr. Gisela Meister
Eurosmart
Cyber Resilience Act in the European regulatory context

In September 2022, the EU Commission introduced a proposal for the Cyber Resilience Act (CRA), aiming to establish cybersecurity rules that ensure the security of hardware and software products. The proposed regulation is based on Essential Requirements outlined in the CRA and aligned with the New Legislative Framework. The Final Compromise, reached between the Council and Parliament, was published in December 2024, laying the groundwork for the upcoming Standardisation Request.

Within the broader context of cybersecurity, it is crucial to consider other relevant EU directives and regulations. The recently published Implementing Regulation of the Cyber Security Act, which focuses on adopting a European Common Criteria-based cybersecurity certification scheme, will play a significant role. On the other hand, the Radio Equipment Directive (RED) and its Delegated Act (DA) on Baseline Security Requirements (Commission Delegated Regulation (EU) 2022/30 of 29 October 2021) are also key components.

All three European Standardisation Bodies (SDOs) – ETSI, CEN, and CLC – have initiated pre-Standardisation activities for implementing the CRA. This is in line with the tight timeline leading up to the publication of accompanying Harmonised Standards (hENs) and their subsequent application for the European Industry.

The presentation will delve deeper into the preparatory work carried out by the newly established CEN/CLC Joint Working Group (CEN/CLC JTC 13 WG 9). This group intends to develop both horizontal (generic) Standards and coordinate the creation of vertical (product-class specific) harmonized Standards (hENs) based on the CRA Essential Requirements.

Moreover, the exploration of reuse options for developing horizontal hENs for the RED DA, based on the draft hENs prEN 18031 (1-3) in preparation for the Formal Vote, demonstrates a strategic and efficient approach. However, it also acknowledges the need to address emerging challenges in the process.

15:00 Coffee Break (30min)
Block 3 – Cryptographic Service Providers and Beyond – Moderator: Detlef Kraus
15:30
Dr. Mike Bergmann
Bundesamt für die Sicherheit in der Informationstechnik (BSI)
Regulatory Aspects of Cryptographic Service Provider (CSP) Standardization

The cryptographic service provider (CSP) offers advanced cryptographic capabilities, surpassing classical cryptographic libraries. The CSP simplifies the process with single high-level methods, encompassing all cryptographic mini-steps. For security-relevant tasks, the CSP handles all necessary steps in a single operation, ensuring robust security for application development.

Achieving interoperability requires interfaces adopted by all CSP vendors and robust international standards. We provide an overview of our activities in standardization forums and outline future tasks planned.

16:00
Dr. Karsten Klohs
achelos GmbH
CRYSPI - A Leap Towards an Interoperable, Certifiable Crypto Service Provider (CSP)

A wide variety of use cases like governmental IDs, electronic record keeping systems, mobile network connectivity, automotive, and healthcare face the same challenge: how to securely store and operate cryptographic keys representing digital identities, and provide assurance by a security certification?

The BSI project CRYSPI aims at defining an interoperable application programming interface for a Cryptographic Service Provider (CSP) that:

  • centralizes all essential security features for digital identity solutions,
  • can be validated to support several of the above-mentioned use cases,
  • and supports further standardization.

An interoperable, open, and reusable CSP standard helps to reduce evaluation and development costs and supports highly secure digital identities in heterogeneous ecosystems like mobile phones, electronic record keeping systems, or embedded devices.

16:30
Christian Stengel
Deutsche Telekom Security
Standardization of Security on Smartphones from the Perspective of a Trusted Service Management System

For secure mobile services to function smoothly on different smartphones, standardization of both the eIDs and the corresponding security functions and secure components is required. In addition, non-discriminatory access to the security components must be possible.

The purpose of the speech and the corresponding paper is to motivate the topic of standardization from the perspective of a TSMS and to show which standardization steps are necessary for a successful system. In addition, the speech and the paper give an overview of further framework conditions for standardization, such as the Digital Markets Act and the revision of the eIDAS regulation.

17:00 Hotel check-in Break (60min)
18:00
Helmut Scherzer
Dinner Speech - Introduction: Dr. Gisela Meister
18:00 Dinner
Day 2 (Thu, Feb 22nd, 2024)
09:00 Welcome to the second day of the ID:SMART Workshop 2024
Block 4 – Travel Identities – Moderator: Uwe Schnabel
09:00
Dr. Matthias Schwan
Bundesdruckerei GmbH
Cross-border identification with mobile documents

The presentation introduces the work of international standardization in the field of digital identities managed by an application of a mobile device. The projects ISO/IEC 23220 and ISO/IEC 18013 as well as developments by OpenID Foundation aim at specifying data formats, protocols and services for verification of digital identities and credentials such as mobile driver's licenses or digital ID documents either by a remote party or by an on-site verifier. The concept of mdoc and related transmission protocols, such as OID4VP, are introduced.

The work of ISO and OpenID Foundation is also reflected in the ongoing work of the specification of the EUDI-Wallet, which is briefly discussed. Finally, the presentation gives an outlook on how the introduced data formats and protocols are applied in the specification of the German EUDI-Wallet and the German eID scheme.

09:30
Dr. Olaf Henniger
Fraunhofer IGD
Test tools for the new face image data interchange format in ePassports

The ISO/IEC 39794 series of standards specifies new, extensible biometric data interchange formats based on ASN.1 (Abstract Syntax Notation One), yielding binary tag-length-value encodings. According to ICAO's timeline, from 2026 onwards, newly issued electronic passports (ePassports) may use the new data formats, and ePassport readers must be able to handle them. From 2030, all newly issued ePassports must use the extensible formats. Before roll-out, conformance and interoperability of the new types of ePassports and ePassport readers must be systematically tested. This talk discusses tools and data for such tests regarding the new face image data interchange format.

10:00
Frank Morgner
Bundesdruckerei GmbH
Towards Quantum-Resistant Travel Documents

The Extended Access Control (EAC) protocol for authenticated key agreement is mainly used to secure connections between machine-readable travel documents (MRTDs) and inspection terminals, but it can also be adopted as a universal solution for attribute-based access control with smart cards. In this work we present PQ-EAC, a quantum-resistant version of the EAC protocol. We show how to achieve post-quantum confidentiality and authentication without sacrificing usability on smart cards. To show the real-world practicality of PQ-EAC, we have implemented a version using signatures on an ARM SC300 security controller, which is typically deployed in MRTDs. We also implemented PQ-EAC on a VISOCORE terminal for border control. Furthermore, we give an overview of which mechanisms can be applied to achieve cryptographic agility beyond the protocol-wise flexibility shown with PQ-EAC. We discuss mechanisms for a PQ-resistant PKI as well as security via software updates and data integrity to initiate the transition to post-quantum security with mechanisms and implementations that are available today.

Block 5 – Trusted Security Modules – Moderator: Dr. Friedrich Tönsing
10:30
Robert Pötschick
Deutsche Telekom Security
Tobias Franke
Deutsche Telekom Security
Trusted Service Management System: Challenges and Use-Cases

The use of mobile devices increasingly demands that these devices support security-critical functions. However, the elevated security requirements cannot be adequately met by conventional software-based security mechanisms. Therefore, hardware-based security solutions become necessary. Hardware secure elements are now being employed and are already integrated into many mobile devices. However, accessing these secure elements is a significant challenge for a service provider. This contribution shows how a Trusted Service Management System can solve these challenges and which use cases it can serve.

11:00
Jochen Saßmannshausen
Deutsche Telekom Security
Secure and Automatized Management of Device Identities: Challenges and possible Solutions

Highly interconnected systems such as the (industrial) Internet of Things comprise many devices and entities such as sensors and data aggregating nodes. Trusted and secure communication channels between participants are essential for the overall security of the system. Enrollment protocols such as the presented EST and BRSKI allow the implementation of automated onboarding processes that do not require the involvement of human actors. This paper focuses on the additional infrastructure required to realize seamless enrollment processes and considers the involvement of secure elements for the protection of critical information such as secret keys and certificates.

11:30
Andreas Plies
AUTHADA GmbH
Patrick Hille
AUTHADA GmbH
Secure storage and implementation of W3C Verifiable Credentials in embedded Secure Elements - The prerequisite for a secure and decentralised EU Digital Identity Wallet in accordance to eIDAS 2.0

The next evolutionary stage of digital identities is taking shape. The EU Council and EU Parliament agreed on a final text to amend the eIDAS Regulation. The focus is on establishing digital trust across borders, which is crucial for a secure and reliable use of digital services in Europe. The EU Digital Identity Wallet will become a secure platform for the management of digital identities.

This session provides insights into an implementation that enables Wallet Providers to store Person Identification Data (PID) on Secure Elements and enables users to onboard to an EUDI-Wallet at the Point-of-Sale.

12:00 Snack Break (45min)
Block 6 – Deep Dive Security – Moderator: Uwe Schnabel
12:45
Dr. Sedric Nkotto
SRC Security Research & Consulting GmbH
Side Channel Attacks on Crystals-Dilithium

Since the advent in 1995 of Shor's famous polynomial-time algorithm for prime factorization and discrete logarithms on quantum computers, and given the rapid progress in the development of quantum computers, the importance of migrating the technologies currently handling sensitive information to quantum-safe cryptography no longer needs to be demonstrated.

Even before being fully operational, quantum computers are already a threat to some currently sensitive information because of the "store now, decrypt later" attack. That is the reason why NIST (the US National Institute of Standards and Technology) launched a competition for quantum-safe cryptographic algorithms in 2016. Several algorithms were proposed, and in 2022 four candidates were selected for standardization, namely CRYSTALS-Kyber, CRYSTALS-Dilithium, Falcon and SPHINCS+. Before being widely deployed, these algorithms must also undergo further investigations such as side channel analysis. The aim is to provide guidelines for secure implementations of the cryptographic algorithms.

We focus here on the CRYSTALS-Dilithium signature algorithm, which could for instance be an alternative to the RSA or ECDSA signature algorithms in smart card-based authorization for electronic payment systems (SDA/DDA/CDA).

We present a side channel (template) attack on an open-source (unprotected) implementation of CRYSTALS-Dilithium. The attack is based on leakage of the Montgomery modular multiplication of the challenge c with the secret key s1 in the course of the signature computation. We were able to leverage that leakage and completely recover the secret key s1.

13:15
Daniel Augustin
Secure Systems Engineering GmbH
Trust over IP Stack (DNS-Identity)

The Trust over IP (ToIP) initiative is a collaborative effort aimed at redefining and enhancing digital trust and interoperability on the internet. It seeks to establish a new, decentralized trust layer for the internet using open standards and protocols. It gives rise to new and interesting solutions. This includes a concept from the Canadian Internet Registration Authority (CIRA), which uses a DNS protected by DNSSEC as a building block for self-sovereign identities on the Internet. The presentation gives an overview of ToIP and the possible role of DNS in such an ecosystem.

Block 7 – Healthcare ID use-cases – Moderator: Christian Wiebus
13:45
Tim Ohlendorf
gematik GmbH
From Smartcard to Smartphone App - Identity Management in the German Healthcare System

The German Telematics Infrastructure (TI) serves as the digital backbone of the country’s universal, multi-player healthcare system, enabling all its stakeholders to securely exchange digital health data through applications such as the electronic patient record or e-prescription system. Due to the high sensitivity of medical data, storage, processing and access require a high level of security and privacy.

This presentation provides an insight into the Identity and Access Management (IAM) of the TI, focusing on the tech stack, the protocols used and the regulatory requirements.

14:15
Harald Fladischer
neXenio GmbH
Daniel Moritz
neXenio GmbH
Integration of Gematik-IDP in Keycloak: Enhanced Security in the German Healthcare System

Identity Access Management (IAM) plays a pivotal role in many systems, and the open-source product Keycloak provides a robust foundation for it. This presentation explores the incorporation of the central Gematik-IDP (Identity Provider) into Keycloak and the significance of linking various Identity Providers for comprehensive security standards.

Particularly within the German healthcare system, applications often require authentication via the Gematik Authenticator within the Telematics Infrastructure (TI). By extending Keycloak with a specialized Identity Provider written in Kotlin, users can seamlessly interact with the Gematik-IDP.

The presentation elucidates the authentication process using the extended OpenID Connect protocol, enabling the utilization of Practice & Institution Smart Cards (SMC-B) or electronic Health Professional Cards (eHBA). Additionally, it discusses the successful collaboration with gematik and the development of the plugin as an open-source project actively utilized since its release on GitHub.

14:45 Conclusions and 2025 ID:SMART Workshop announcement
15:00 Snacks

Information and Contact

If you have any further questions, please contact:

Chairs

Members of the ID:Smart Programme Committee

Administration

Simone Zimmermann
CAST e.V.
Tel.: +49 6151 869-230

Travel planning

CAST e.V.
Rheinstraße 75
64295 Darmstadt

Upcoming CAST events

Artificial Intelligence and Cybersecurity 16.05.2024
23rd International Conference of the Biometrics Special Interest Group (BIOSIG 2024) 25.-27.09.2024
Forensics / Internet Crime 28.11.2024
ID:SMART Workshop 2025 19.-20.02.2025