Public Key Infrastructure: Of bouncy castles and passports

Verifying identities is easier with certification authorities, in other words with a Public Key Infrastructure. The technology is used far more often in everyday life than one might think at first. At the same time, it requires a great deal of know-how.


Sounds odd, but it's true: the "Legion of the Bouncy Castle" provides the API library on which the solutions of the PKI provider Primekey are based.


How do the electronic passport, smart devices, e-mails and a bouncy castle fit into a common context? The unifying element is Public Key Infrastructure (PKI) technology: a security infrastructure that provides the services needed for secure data exchange.

A PKI is used to check certificates and who a public key belongs to. Such a key may have been sent by e-mail or downloaded from a website, for example. A digital certificate binds the public key to an identity and is signed by a certification authority the recipient already trusts; this is what makes it possible to tell a genuine key from a forged one.

This results in a wide range of application scenarios. Both the passport and the electronic identity card connect a natural person to a digital identity. When applying for a passport, the office checks the applicant's identity, and with the submission of the fingerprint the physical identity is additionally recorded electronically. At border control, the passport is placed on a reader that reads the electronic certificates. "You can imagine quite well what kind of infrastructure is needed for that. After all, I have to be able to establish the identity at every border control point in the world," says Andreas Philipp, Business Development Manager at Primekey. The Swedish company is one of the best-known providers of certificate-based security systems.

Components of a Public Key Infrastructure

A PKI consists of the following components:

  • a certification authority (CA) that issues the digital certificates
  • the certificate itself, which contains a public key and binds it to an identity
  • a registration authority (RA) that verifies the correctness of the data in the certificate request and approves it
  • a directory for storing and managing certificates and keys

When companies collaborate in an electronically secured way, for example from home offices, the infrastructure is of course much smaller. Smart devices are often equipped with digital certificates as well. When the user wants to query the device's data, the device contacts the manufacturer's central platform, where it has to identify itself with its certificate. The platform then checks whether this particular device is allowed to access the relevant information.

How does the electronic passport work?

The ePassport was introduced in Germany in November 2005. A contactless radio frequency chip is integrated into the data page of the passport booklet. It holds the holder's personal data and biometric facial image and, since 2007, two fingerprints as well.

According to the BSI, the data is not stored centrally. The fingerprints are kept only briefly during production of the passport; as soon as the holder collects the passport at the registration office, the prints are deleted. Various security mechanisms protect the chip against unauthorized reading, which also makes counterfeit and forged passports quick to detect.

Smart devices and IoT devices, however, are a challenge for a PKI, because the certificates are issued not to natural persons but to machines that have to identify themselves to a service. "The identity is assigned as early as during production of the device. It is manufactured, software is loaded onto it, and then it goes online. Only then does it get its certificate. And at that moment I don't know the environment the device is in," explains Philipp. That is why companies need secure communication networks to their factories. For Primekey, however, this is new territory. "In engineering, we need to learn a lot from the IT industry."
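The flow described above, from the components list to the device that has to identify itself to the manufacturer's platform, is small enough to show end to end. The following is an added example written for this page, not code from the article, from Primekey or from Bouncy Castle; it uses only Go's standard library. A root CA issues a certificate for a device identified by its serial number, the platform verifies that certificate against its trusted root, and a certificate for the same device and key minted by an unrelated CA is rejected as an unknown authority. The CA name "Example Manufacturer Root CA", the serial "SN-000123" and all function names are assumptions for illustration; the registration authority's check that the serial really belongs to the device is assumed to have happened before issuance.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCA generates a key pair and a self-signed root certificate: the certification
// authority whose signature every device certificate must chain back to.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueDeviceCert is the CA's part of enrolment: it signs the device's public key into
// an end-entity certificate whose subject is the device serial number. The registration
// authority's check that serialNo belongs to the holder of devPub is assumed done.
func issueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serialNo string, devPub *ecdsa.PublicKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)), // random and strictly positive
		Subject:      pkix.Name{CommonName: serialNo},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, devPub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyDevice is what the manufacturer's platform runs when a device connects: the
// presented certificate must chain to the trusted root, be inside its validity period and
// be marked for client authentication. Only the CA's signature is trusted, so a
// certificate signed by anyone else is detected as a forgery regardless of its contents.
func verifyDevice(presented, trustedRoot *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// demo runs the whole flow and reports whether the genuine device is accepted and
// whether a certificate for the same device issued by an unrelated CA is rejected.
func demo() (genuineAccepted, rogueRejected bool, err error) {
	ca, caKey, err := newCA("Example Manufacturer Root CA") // assumed name
	if err != nil {
		return false, false, err
	}
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // generated on the device
	if err != nil {
		return false, false, err
	}
	devCert, err := issueDeviceCert(ca, caKey, "SN-000123", &devKey.PublicKey) // assumed serial
	if err != nil {
		return false, false, err
	}
	genuineAccepted = verifyDevice(devCert, ca) == nil

	// Forgery attempt: an unrelated CA issues a certificate with the same subject and key.
	rogueCA, rogueKey, err := newCA("Rogue CA")
	if err != nil {
		return false, false, err
	}
	rogueCert, err := issueDeviceCert(rogueCA, rogueKey, "SN-000123", &devKey.PublicKey)
	if err != nil {
		return false, false, err
	}
	var unknown x509.UnknownAuthorityError
	rogueRejected = errors.As(verifyDevice(rogueCert, ca), &unknown)
	return genuineAccepted, rogueRejected, nil
}

func main() {
	genuine, rogue, err := demo()
	fmt.Println("genuine device accepted:", genuine, "| rogue certificate rejected:", rogue, "| error:", err)
}
```

The point the example makes is that the platform never compares the certificate's contents to a list; it only needs the root CA's public key, and everything else follows from the chain of signatures. In a real deployment the root would be kept offline behind an issuing CA, and revocation (a CRL or OCSP responder) would be checked in addition to the chain.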

E-mail signatures that guarantee the integrity of the data and the identity of the sender need certificates that a PKI provides. "Microsoft, for example, recognized this early on and ships its standard server software with licenses that include a PKI. The certificates are integrated in such a way that users notice nothing of them." Especially with more home office and remote work, access management has become more important than ever. The relevance of infrastructures for electronic identity cards declined in the past year, says Philipp. Small-scale infrastructures that let companies build VPN networks and enable secure e-mail communication, on the other hand, were in frequent demand.

Bouncy Castle

So the passport, IoT devices and e-mail are connected after all: behind each of these developments there is a PKI. But what does this have to do with a bouncy castle? The cryptographic libraries Primekey uses for its PKI solutions are based on an open-source project from Australia. It is called Bouncy Castle and is maintained by the "Legion of the Bouncy Castle". The project's programming interfaces are platform-independent and can therefore be connected to external solutions. Commercially, the Bouncy Castle API collection is operated by the Australian company Crypto Workshop.

At the beginning of February 2020, Primekey took over Crypto Workshop. The company thereby rounds out its own solutions and covers the entire software stack needed for PKI-related as well as for general cryptographic applications.