PRODUCT NAME AND VERSION
EzIdentity™ mSign™ (Android v22.214.171.124 & iOS v126.96.36.199) and EzIdentity™ Authentication Platform v188.8.131.52
Software product used for digital signing of data, files, or transactions that includes the client and server components of EzIdentity™.
PRODUCT SPONSOR / DEVELOPER
PRODUCT SPONSOR / DEVELOPER CONTACT DETAILS
2B-23A-3, Block 2B,
Plaza Sentral, Jalan Stesen Sentral 5,
50470 Kuala Lumpur,
EzIdentity™ mSign™ (Android v184.108.40.206 & iOS v220.127.116.11) and EzIdentity™ Authentication Platform v18.104.22.168 (hereafter referred to as mSign and EzIdentity Platform) from EZMCOM Inc. are the Target of Evaluation (TOE) for this Evaluation Assurance Level (EAL) 2 evaluation.
The TOE consists of two components as follows:
- Client side: EzIdentity™ mSign. mSign is a smartphone-based application that provides users with the ability to apply digital signatures to documents and data that the users receive. The application allows for the generation of a digital signature, which can then be used to approve and sign transactions (such as internet banking, funds transfers, etc.). In addition, the application supports the generation of a One Time Password (OTP) for software initialisation and of a challenge response code used to unblock a blocked user.
- Server side: EzIdentity™ Authentication Platform. EzIdentity platform supports an organisation's deployment of the mSign application by providing a back-end platform to manage and control deployment and configuration. The platform assists in the transfer of transaction data to be signed between third parties and mSign users, provides user and role management as well as security and management functions, and allows organisations to manage and configure all aspects of both the EzIdentity platform and the mSign application deployment.
The scope of evaluation covers major security functions described as follows:
- Security Audit - EzIdentity platform generates audit records for security events. The Administrator, Super Operator and Operator who have roles with access to the audit report module are allowed to view the audit trail.
- Data Protection - User data such as device ID, user PIN and signature data that is stored within the mSign application is encrypted with Triple-DES encryption to prevent data modification and unauthorised access.
- Identification and Authentication - The TOE, both mSign and EzIdentity platform, enforces a user identification and authentication mechanism before any user action or information flow is permitted. An mSign user is required to enter the user PIN before being permitted to perform any actions. On the EzIdentity platform, users such as Administrators, Super Operators, and Operators must be authenticated using the correct combination of username and password before being permitted to perform any administrative functions.
- Security Management - EzIdentity platform provides a wide range of security management functions for Administrators, including TOE configuration, managing the mSign client application, managing users, assigning the information flow policy, and audit management, among other routine maintenance activities.
- TOE Access - The TOE provides session termination based on a time limit set on user inactivity. The TOE also enforces user blocking if the user has entered the wrong user PIN for a certain number of invalid authentication attempts. In order to unblock the session, the user is required to request a Challenge Response Code, which will be sent to his or her registered mobile phone or email as defined during the user registration process.
- Cryptographic Operation - Both mSign and EzIdentity platform provide users with functionality to digitally sign files, data and sensitive transactions (such as internet banking transfers) to provide integrity and non-repudiation. They also provide One Time Password (OTP) generation, secure transit of data between TOE components and secure storage of user data on the device.