Microcrypt Technologies Ltd.

PKI Card Perso-CRM

The «PKI Card Perso-CRM» complex is designed to automate customer service in a system that issues personalized smart cards (or other protected key carriers) and/or public key certificates. The complex supports the use of personalized smart cards (or tokens) as active carriers of private keys for a Public Key Infrastructure (PKI).

Functionally, the complex consists of 4 modules (3 optional):

  • The module of accounting and status management of clients of the system (kernel);
  • The module of logical personalization of active key carriers (optional);
  • The module of graphical personalization of plastic cards (optional);
  • The module of integration with Certification Authority (CA) technology (optional).

The system provides structured and protected storage of customers' personal information. Various types of customers are supported: natural persons, legal entities, individual entrepreneurs and officials. It provides a flexible search engine over various attributes and allows you to quickly manage the status of a client's certificates and key carriers.

The system supports the full life cycle of personalized smart cards: from issuance, including logical and graphical personalization, up to their cancellation. In addition to smart cards, the system also supports other active and passive key carriers, but graphical personalization is possible only for plastic cards. Logical personalization is possible only for active key carriers (smart cards and USB tokens). Logical and graphical personalization of smart cards is carried out in a single production process.

The complex is integrated with certified CA technology ("IIT CSK-1") and supports the use of smart cards as a digital signature (DS) tool. The complex can therefore be used as a Customer Relationship Management (CRM) system to automate service for CA customers.

Technological structure of the «PKI Card Perso-CRM» complex:

  • Server of the System − software for accounting and status management of clients ("card holders"). It includes an application server and a database (MS SQL).
  • Automated workplaces (AWPs) − a set of software for the different types of system operators: «Operator of Registration», «Photographer and Signature Scanner», «Cards Personalization and Printing», «Contracts Printing», «Administrator».
  • Kit of Hardware Security Modules (HSM/SAM) organized into a hierarchical system, «SAM Hierarchy». The kit provides secure use of the master keys that are used in card production and support. The kit includes software for managing the SAM-modules. The composition of the kit may vary depending on the purpose of the card. This kit is not required to support key carriers used exclusively for simple digital signature.
  • Integration Module (via the AWP "Registration Authority" of the CA) for connecting to the Certification Authority technology ("IIT CSK-1"). This module is required only to support the CA technology. Other CA technologies can be connected in a similar way.

The functional purpose of the system operators' AWP:

AWP «Operator of Registration»

This AWP is intended to automate all activities for the registration and management of clients, and the preparation of data for contract printing and the production of key carriers. The AWP supports the following functions:

  1. Clients Management:
    • Enter the registration personal data of a natural person;
    • Enter details of the individual entrepreneur;
    • Enter details of the legal entity;
    • Registration of officials of legal person clients;
    • Registration of electronic seals;
    • Enter supporting information: details of banks, templates of contracts, etc.
  2. Task Management:
    • Management of the requests for contracts printing;
    • Management of the requests for smart cards printing and personalization.

AWP «Photographer and Signature Scanner»

This AWP is intended to automate the operator's activities when preparing data for graphical personalization of smart cards. The AWP supports the following functions:

  1. Preparation of a natural person's photo:
    • Photographing the client and saving the photo to the database;
    • Loading a client photo prepared in advance from a file and saving it to the database;
  2. Preparation of the signature image of a natural person:
    • Scanning the client's handwritten signature;
    • Loading a client signature image prepared in advance from a file and saving it to the database.

AWP «Cards Personalization and Printing»

This AWP is intended to control multi-threaded graphical printing and logical personalization of smart cards in semi-automatic mode. It supports multiple DataCard SP75Plus printers on a single workstation. The AWP supports the following functions:

  • Viewing and managing card print jobs;
  • Managing the multi-threaded card printing process;
  • Graphical personalization of cards with customer data stored in the database;
  • Logical personalization of smart card chips according to the purpose of the card;
  • Viewing and managing executed tasks and printed cards.

AWP «Contracts Printing»

This AWP is intended to control the printing of contracts with customers in semi-automatic mode. The AWP supports the following functions:

  • Viewing and managing contract print jobs;
  • Managing the contract printing process;
  • Viewing and managing executed tasks.

AWP «Administrator»

This AWP is intended to manage user roles with regard to their access to the applications of the System and to set their permissions. The AWP supports the following functions:

  • Creating new users of the system;
  • Determining the list of applications of the complex to which the user will be admitted (by selecting the appropriate user role);
  • Managing roles;
  • Preparing reports from the database.


The minimum set of security modules (SAM) needed to support secure authentication of a personalized key carrier and the establishment of a secure communication channel with it:

  1. Root SAM-module for secure entry, generation and storage of the secret keys used to service the key carriers. It is the single "root" of the whole key hierarchy.
  2. Reserve (Master) SAM-module for secure storage and distribution of the secret keys used to service the key carriers. It is used to create backup copies of the keys generated in or uploaded into the root SAM-module, as well as to initialize the Service SAM-modules.
  3. Service SAM-module for logical personalization of the key carriers ("Personify SAM"). It calculates unique keys and sets them in the chip of the key carrier.
  4. Service SAM-module for "mutual" authentication of the key carrier and a "server", as well as for establishing a secure communication channel between them ("Mutual Authentication SAM").
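
An added illustration of the "Personify SAM" and "Mutual Authentication SAM" roles listed above (not Microcrypt's code): a per-card key is derived from a master key at personalization and re-derived by the server side to run a two-way challenge-response. The page does not name the algorithms, so HMAC-SHA256 stands in for both the derivation and the proofs, and the names diversify, Card and authenticate are hypothetical.

```python
import hashlib
import hmac
import secrets

def _mac(key: bytes, label: bytes, *parts: bytes) -> bytes:
    # Nonces are fixed-length (16 bytes), so plain concatenation is unambiguous.
    return hmac.new(key, label + b"|" + b"".join(parts), hashlib.sha256).digest()

def diversify(master_key: bytes, serial: bytes) -> bytes:
    """Personify SAM step (assumed): derive the key written to one chip."""
    return _mac(master_key, b"card-key", serial)

class Card:
    """Constructed model of a personalized chip; it holds only its own key."""
    def __init__(self, serial: bytes, card_key: bytes):
        self.serial, self._key = serial, card_key
        self._nonces = b""

    def answer(self, server_nonce: bytes):
        card_nonce = secrets.token_bytes(16)
        self._nonces = server_nonce + card_nonce
        return card_nonce, _mac(self._key, b"card", self._nonces)

    def accept(self, server_proof: bytes) -> bool:
        expected = _mac(self._key, b"server", self._nonces)
        return hmac.compare_digest(expected, server_proof)

def authenticate(master_key: bytes, card: Card):
    """Mutual Authentication SAM step (assumed): session key, or None."""
    card_key = diversify(master_key, card.serial)  # re-derived per card
    server_nonce = secrets.token_bytes(16)
    card_nonce, card_proof = card.answer(server_nonce)
    nonces = server_nonce + card_nonce
    if not hmac.compare_digest(card_proof, _mac(card_key, b"card", nonces)):
        return None  # chip does not hold the key for the serial it claims
    if not card.accept(_mac(card_key, b"server", nonces)):
        return None  # chip rejected the server's proof
    return _mac(card_key, b"session", nonces)

MASTER = bytes(range(32))  # constructed sample master key
genuine = Card(b"CARD-0001", diversify(MASTER, b"CARD-0001"))
# Constructed failure case: a chip presenting a serial its key was not derived for.
copied = Card(b"CARD-0002", diversify(MASTER, b"CARD-0001"))
```

Because every chip key depends on the serial, extracting the key from one card does not let it pass as another, and only a module holding the master key can produce the server-side proof.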

Depending on the application scope of the protected key carriers, the set of SAM-modules can vary. For example, to support a health insurance card «Social Card», the above set of SAM-modules should be extended by the following two modules:

  1. Service SAM-module for synchronization (saving) of the medical data on the card ("HealthCare Write SAM"). It generates encrypted and signed (by MAC) commands for medical information updates. Medical information can be updated only if the card holder has been verified by his/her PIN.
  2. Service SAM-module of the "ambulance" for reading the emergency medical information of the card holder without his/her participation, i.e. without entering the card holder's PIN ("HealthCare Read SAM").