Avalon Biometrics Solutions

Argus PKI - Enterprise Class Public Key Infrastructure (PKI)
ARGUS is a fully functional enterprise-class PKI Certification Authority (CA) built on J2EE technology. The J2EE platform makes it a highly flexible, robust, high-performance, platform-independent, component-based, fully clusterable and scalable CA that can be used standalone or fully integrated into any J2EE application.


Since all Avalon Biometrics solutions have a robust J2EE backend, ARGUS perfectly complements our enterprise Service-Oriented Architecture. ARGUS comes with a flexible and powerful web-based admin GUI and fulfils the various requirements a large enterprise can have, concerning not only security but also connectivity, administrative delegation and event logging.

Besides regular PKI functionality for signing and securing all communications within the system, ARGUS also provides the entire Public Key Infrastructure functionality for eDocument personalization as well as for Document Verifiers and Inspection Systems.

Using ARGUS you can set up a complete infrastructure for CVCAs with:

• Country CVCA
• Domestic DVs (Document Verifier)
• Foreign DVs (Document Verifier)
• Inspection Systems (IS) certificates

ARGUS is a Certification Authority (CA) and a complete PKI management system. It can operate either as a standalone CA or completely embedded and integrated within the business application and process.

Key Features

ARGUS supports RSA and ECC keys in CV certificates with all commonly used algorithms.

Support for ePassports

ARGUS has full support for PKI needed for ePassports. You can easily set up CSCA, CVCA and DVCAs. ARGUS has full support for the latest EAC ePassport PKIs and is used already in production in Europe.

Handle CVCAs and DVs

Using ARGUS you can set up the infrastructure CAs for EAC. This includes the root CVCA as well as your domestic DVs. You can sign other member states' DVs and get your DVs signed by other member states. Naturally, you can also create CVCA link certificates.

Issue IS certificates

You can issue IS certificates to your inspection systems and easily integrate them with the PKI. Using the web service you can manage the whole life cycle of IS certificates.

Using HSMs

Current security policies require that an HSM is used to protect the CAs' signature keys. Depending on the algorithms you choose, ARGUS supports different options.

Support for various HSMs via PKCS#11

• Utimaco
• SafeNet
• nCipher
• AEP KeyPer

Audit compliance

• Certified against ETSI QC standards
• Certified against WebTrust standards


Policies & Conformance - EAC ePassport

• Conforms with the EU EAC specification.
• Supports the EU common certificate policy.
• Issues express passports together with ARGUS SignService.
• Supports dual authentication, e.g. when creating DVs.
• Web service API, modelled after the EU policy.

Features related to ePassport:

The features are modelled to support the EAC specification and the EU common certificate policy for the EAC control infrastructure.

• Supports CVC certificates according to the EAC specification
• Setting up CVCAs
• Setting up Document Verifiers (DVs)
• Issuing certificates for Inspection Systems (ISs)
• Supports RSA algorithms specified in the EAC specification
• Supports ECC algorithms specified in the EAC specification
• Automatic handling of sequence numbers identifying the public keys of CVCAs and DVs
• Automatic handling of EAC roles (CVCA, DV-D, DV-F, IS) when issuing certificates with different certificate profiles and different country codes
• DVs signed by own CVCA, or by creating requests to be signed by foreign CVCAs
• Sign requests from your DVs with your CVCA to send to other member states
• Sign foreign DVs with your own CVCA
• Automatic renewal of domestic DVs in ARGUS, generating new keys when DVs are renewed
• Inspection systems (IS) for domestic and foreign passports
• Different CVCAs may use different algorithms, so a DV must use the algorithm of the CVCA that signs it; the ARGUS PKI supports this
• Add ISs as users and issue IS certificates
• Create CVCA link certificates to change CVCA or roll over keys
• Web service API for integration and automatic processing of IS, and foreign DV, certificate requests
• Command line client to test, display, and verify CVC certificates and requests
• Import and export functionality of CVCAs and DVs when using soft keystores for easy testing and integration with passport manufacturers

Fully Integrated

• Integrated as the standard PKI for securing communications in Avalon's solutions
• Integrated into production systems for the personalization of electronic documents
• Integrated into VeriDoc and SBMS for full Inspection System support

Flexible integration APIs

Using industry-standard, multi-platform web services, ARGUS offers a web service API for issuing IS and foreign DV certificates in an efficient and easy-to-integrate process. Other integration options are available as well, including the possibility of creating your own API.

Flexible Design

Multiple instances of ARGUS can run simultaneously, sharing a database that holds the current CAs. This lets each instance of the software access any CA.

Additional Features

• Obtain central trusted time stamps for electronically signed documents
• Perform central signing of documents
• Sign electronic passport data (MRTD)
• Issue hard tokens (smart cards) and manage the complete life cycle of cards and certificates

WebService Interface

The main way of communicating with the ARGUS SignService is through a web service interface, but the Timestamp Signer is also available over HTTP, and the PDF signer has a simple HTML page that allows users to upload documents to be signed.

One ARGUS SignService can have multiple signers for different purposes, providing maximum flexibility.

ePassport Personalization Scenario - ARGUS PKI

1.) CSCA issues the DScert to the DS
2.) Personal data is sent to the DS for signing
3.) Signed personal data is returned to the Production System
4.) PA and AA are provided to the Production System
5.) CVCA generates the CVCAcert for EAC
6.) Production System personalizes the ePassport LDS with:

• Signed personal data (optionally encrypted)
• PA (mandatory - digital signature)
• AA (optional - challenge-response based on public key cryptography and a digital signature)
• CVCAcert for EAC

BAC as well as the other security mechanisms must, of course, be supported by the chip OS.

Border Control Inspection Scenario - ARGUS PKI


The PKI can be seamlessly integrated to support Border Control Authorities in efficiently managing their Inspection Systems and making full use of the new ePassports and their inherent security mechanisms.

The Inspection System must always have a DV whose certificate is signed by the CVCA of the ePassport's issuing country in order to be able to inspect that country's ePassports.

1. The DV has a DVcert signed by its own country's CVCA (national)
2. The DV has a DVcert signed by another country's CVCA in order to be able to inspect that country's ePassports (international)



Attachment: arguspki.pdf (900 kB, added 10.6.2010)

If you would like further information on our solutions, please contact us and we will get back to you soon.