FR3076252A1 - IDENTIFICATION DOCUMENT CUSTOMIZING DEVICE FOR PRINTER AND PRINTER INCLUDING THE SAME - Google Patents

Abstract

An object of the invention is an identity document personalization device (104) comprising: a data transmission-reception interface (340) configured to receive personalization data relating to an identity document; a data structuring module (331) configured to structure the received personalization data; a digital signature generation module (332) configured to digitally sign the structured personalization data; and an encoding module (333) configured to encode the structured personalization data signed in at least one of text, graphic code, magnetic code and electronic code; the device (104) further comprising a removable hardware security key (370) configured to store sensitive configuration data of the personalization device (104); the device (104) being integrated in a printer or connected to a printer.

Description

IDENTITY DOCUMENT PERSONALIZATION DEVICE FOR

PRINTER AND PRINTER COMPRISING THE SAME

The present invention relates to the field of identity / identification (ID) document printers, and relates in particular to an identity document personalization device for a printer and to a printer comprising it.

Identification documents are documents that contain personal identification information of the person holding the document.

Identity documents such as cards (e.g. identity cards), such as passbooks (e.g. machine-readable travel documents, passports), or such as source documents (e.g. extracts from documents birth certificates, university degrees) are among the many types of printable identification documents available today.

Electronic identity documents (for example, microchip electronic identity cards and electronic passports) are documents which also contain machine-readable data encoded in a microchip incorporated in the card or in the passport book.

The production of identity documents typically involves two distinct stages: “graphic” personalization and “electronic” personalization.

“Graphic” personalization consists of printing the information of the document holder on the document (such as the name of the document holder, his date of birth, his nationality, the photo of his face or any other identifying information) as well as information of the document itself (such as the unique number of the document, its date of issue, its period of validity, the issuing authority of the document).

The "electronic" personalization is also in storage in electronic form in the micro chip (process also known as the name encoding) Datas graphically printed on the document. In Besides, the microchip can contain one or

several biometric identifying information of the individual carrying the document (for example, the photo of the face, his / her fingerprint (s), the characteristics of the retina or iris, the electronic structure of 1 'DNA of the cardholder).

Protection mechanisms and cryptographic protocols are implemented in the microchip in order to protect the data stored electronically, to prevent unauthorized access, as well as to ensure the integrity and authenticity of the data for later verification.

The “digital signature” is used to ensure the integrity and authenticity of the document data. A digital signature can be printed in the form of a text and / or a code (for example, barcode, QR code, 2D code) and / or in the form of a code electronically encoded in the microchip in the case of electronic identity documents and / or in the form of a magnetic code, for example a magnetic code as defined by standard ISO 7811.

The digital signature is a number, this number can be stored on different supports (for example, electronic, magnetic, paper) in different formats (for example, numbers, combinations of letters).

A digital signature is produced using cryptographic keys.

Cryptographic keys are sensitive information that is generally protected by a secure key management system (or HSM for "

Hardware Security Module ”in English terminology).

The protection of cryptographic keys by specialized equipment, resistant to attempts at physical modification, ensures the protection of sensitive cryptographic data against unauthorized use.

Digital certificates are used in combination with the digital signature during the digital signature verification process.

We can mainly distinguish two types of identity document printers:

the high-speed industrial machine suitable for the production of identity documents in large volumes; and the office printer (such as a passport printer) suitable for production in small and medium volumes.

The industrial high-speed printer is usually referred to as “centralized” transmission equipment since the production of identity documents is centralized in a single location. High speed equipment is usually quite bulky equipment. The IDENTIFIER6000® model from the company Mülhbauer is an example of high-speed industrial personalization equipment.

Office printers are much less bulky equipment and can fit on an office table. Office printers are usually referred to as "instant" issuing equipment since the production of identity documents can be decentralized (for example, several office printer production sites may also be suitable for instant printing.

The for a centralized than decentralized broadcast. The Diletta company is an example model of office passport printers. The Primacy® model of

1'entreprise

Evolis is an example of a desktop card printer.

We can mainly distinguish two types of microchip of identity document microchips memory and microchips with microprocessor, microchips with memory being also known under the name of label or card RFID.

files, integrate

Microchips with memory while microchips with a microprocessor have no microchip system memory and a file system.

The microchip microprocessor usually integrates an operating system, the operating system either being said to be proprietary or said to be open when it implements a public specification such as a virtual machine of “Javacard” type conforming to the standards of

GlobalPlatform®.

The MTCOS® file system operating system from Masktech is an example of a proprietary operating system in the area of identity documents. The JCOP® file system operating system from NXP / Qualcomm is an example of an open operating system in the area of identity documents.

We can distinguish three types of physical interface for microchips: microchips with external contacts according to ISO / IEC7816, contactless microchips according to ISO / IEC14443 and dual interface microchips combining the two interfaces previously mentioned.

The identification document can be a microchip identity card with external contacts flush in ID1 format or a passport or booklet in ID3 format according to the standard of the International Civil Aviation Organization (ICAO often designated by its English acronym ICAO) comprising such a microcontroller provided with contactless communication means, arranged in the thickness of one of its sheets or of the cover.

There are several frequencies of communication with the microchip, for example the low frequencies 125kHz, the medium frequencies 13.56MHz or even the high frequencies between 300MHz and 3GHz. Microchips for identity document applications operate at frequencies of 13.56 MHz for distances of the order of a few centimeters.

The file system of the microprocessor microchip operating system must be initialized (for example, initialization of the number of folders and files, the size of each file, instantiation of the application (s)). File system initialization is a process also known as "electronic pre-personalization". This is a step that takes place before the electronic personalization of the identification document. Following the initialization of the microchip file system, it is only possible to personalize the microchip with the knowledge of cryptographic keys referred to as "transport keys".

Electronic passports and national electronic identity cards comply, for interoperability reasons, with the directives defined by the International Civil Aviation Organization (ICAO).

Software for graphic and electronic personalization is required in order to produce an electronic identity document conforming to ICAO standards with the printers mentioned above.

Electronic identity documents combine physical and electronic protection techniques to provide a significantly higher level of security than non-electronic documents. As a result, electronic documents are much more difficult to forge than non-electronic documents (such as non-electronic passports known as machine-readable travel documents).

More and more countries and organizations today issue electronic identity documents. However, many developing countries and organizations still remain excluded from the benefits of electronic identity documents and still issue non-electronic identity documents.

The infrastructure required to issue electronic identity documents requires additional and costly components, including: a public key infrastructure (PKI), an electronic key management system, and an electronic microchip personalization system.

A non-electronic identity document issuing infrastructure is very similar to an electronic identity document issuing infrastructure except that it does not include the three components mentioned above.

Some manufacturers of office passport printers provide personalization software with their equipment, for example CardPlus® for the company Diletta. However, a first restriction is that these software programs only allow graphic personalization and in particular do not allow electronic personalization in accordance with parts 9 to 11 of ICAO standard ICAO9303. Indeed, an existing printer from the Diletta company for example integrates only a transparent smart card reader which cannot by itself create a data structure, generate a signature of the data structure and establish a secure communication channel with the microchip in order to program the file system of the latter.

Some manufacturers of industrial passport printers such as Mühlbauer may provide software capable of performing electrical personalization in accordance with ICAO standard ICAO9303. However, a second restriction is that the latter requires specific development. Indeed, the software must be configured to the configuration of the machine which is specific and different depending on the project.

On the other hand, the software must also be adapted to the microchip integrated into the identity document. Finally, this software only works with printers from the manufacturer, also a software publisher, and is very often dependent on an operating system. For example, the library

Windows (dll) to generate write commands in the microchip only works under WindowsXP® and not under WindowslO®. In addition, a software development kit (SDK) provided by the manufacturer of the microchip operating system such as the company Masktech or even the company NXP is very often necessary to generate the appropriate library.

Manufacturers of smart card printers also provide personalization software with their equipment, for example

Cardpresso® for the third only cards integrate company

Evolis. However, a restriction is that personalization

RFID. Indeed, as soon as the module to program

Classic® but this software allows electric labels or that certain printer modules says "electronic encoding" such

Identical to SCM3712®, the latter are capable of micro memory chip structures of the MIFARE ™ type, neither capable of personalizing complex microchip files, nor capable of establishing secure communication sessions with the microchip, nor capable of digitally sign the data.

Consequently, software used for electronic personalization the ICAO 9303 manufacturers publishers of solution solutions fourth complying with the directives of is not supplied with the printers but rather printers separately software such as 1 the company Gemalto by by them with her

Gemalto Issuance Solutions®. However, the restriction is that these solutions are turnkey owners, one of the complexes since they link graphic and electrical personalization, and therefore require specific development by type of printer. There is no example of reusing software that is an existing graphic with these solutions.

solutions being proprietary and not possible by customization

In addition, requiring these specific development, they are expensive.

In summary, the infrastructure for issuing non-electronic identity documents is not compatible with the infrastructure for issuing electronic identity documents. Therefore, issuing electronic identity documents s in most cases means completely replacing the document issuing infrastructure with a more complex and costly one. Replacing infrastructure represents a significant investment for small emerging and developing countries, which forces them to continue to issue non-electronic identity documents.

On the other hand, high-speed industrial machines and office printers use different software. Therefore, a software solution for centralized transmission with a high speed industrial printer cannot be used for instant transmission with a desktop printer and vice versa.

The present invention aims to solve the drawbacks of the prior art, by proposing a device for personalizing an identity document integrated into a printer or connected to a printer.

The customization device according to

The invention can be used as a universal printer accessory, allowing any identity document printer to generate digitally signed data which can be electronically programmed into an identity document chip and / or can be printed in the form of text and / or graphic code and / or magnetic code on the identity document.

The present invention therefore relates to a device for personalizing an identity document, characterized in that it comprises: a data transmission-reception interface configured to receive personalization data relating to an identity; a data document structuring module configured to structure the personalization data received; a digital signature generation module configured to digitally sign the structured personalization data using at least one cryptographic key; and an encoding module configured to encode the signed structured personalization data, on the identity document, in at least one form among a text, a graphic code, a magnetic code and an electronic code; the identity document personalization device further comprising a removable hardware security key configured to store sensitive configuration data of the personalization device; the identity document personalization device being integrated in a printer or connected to a printer.

Advantageously, the personalization data are not permanently stored in the identity document personalization device, but erased after each use. Thus, the identity document personalization device according to the present invention can be used as a universal printer accessory, allowing any identity document printer to generate digitally signed data which can be electronically programmed in an identity document chip and / or which can be printed as text and / or graphic code and / or magnetic code on the identity document. The advantage of storing the signature in two forms (electronic and graphic code for example) makes it possible to ensure that the signature is verifiable, even if the chip is damaged and illegible.

Most of the emerging or developing countries issuing non-electronic identity documents have often already invested in an IT infrastructure, for example hardware servers, databases, graphic personalization software, and in one or more printers for graphic customization only.

The identity document personalization device according to the invention makes it possible to transform a “conventional” printer into an “intelligent” printer capable of organizing and digitally signing electronic data and thus of personalizing an electronic identification document (for example and encoding them in a complex file structure of a microchip) and / or generating an electronic signature in the form of text and / or printable code and / or magnetic code.

The customization device can implement protocols and / or standardized hardware and software interfaces, such as PKCS # 11, ICAO9303, CCID, PC / SC, WebSocket, SSL, ISO7816, JSON and / or XML, which facilitate integration with a large number of graphic personalization software, a large number of HSMs and a large number of printers. Therefore, it is possible to transform any infrastructure capable of issuing non-electronic identity documents into an infrastructure capable of issuing electronic identity documents by generating and encoding digitally signed data.

The personalization device can either be integrated into the printer or be portable and connected to the printer.

The personalization device processes the personalization data received using the data structuring module, digitally signs the structured personalization data using the signature generation module, then writes the said structured personalization data signed in the microphone. identity document chip and / or transmits signed structured personalization data in the form of text and / or printable code and / or magnetic code using the encoding module.

The removable hardware security key, also known as a “dongle” in English terminology, storing sensitive configuration data of the personalization device, makes it possible to secure the personalization device, the latter not being able to function when it is not is not linked to said security key. The security key is preferably in removable mini USB format.

It should be noted that a purely software implementation of the security key might also be possible, although less recommended.

According to a particular characteristic of the invention, when the signed structured personalization data are coded in the form of text, graphic code or magnetic code, the encoding module is configured to send the signed structured personalization data coded to the printer through the data transmit-receive interface. The coded signed structured personalization data can be sent to the printer via a workstation to which the coding module and the printer are connected.

Thus, the printer can print the structured personalization data signed coded, of type text, graphic code and / or magnetic code, on the identity document once it has received these.

The printer can be directly connected to the data transmission / reception interface of the personalization device or linked to this via a workstation linked to both the printer and the personalization device data transmission-reception interface.

According to a particular characteristic of the invention, when the signed structured personalization data are coded in the form of an electronic code, the personalization device further comprises at least one smart card reader capable of communicating with the electronic chip of a document of identity of electronic chip type, said at least one chip card reader being integrated in the printer or connected to the printer, the encoding module being configured to send the structured personalization data signed coded to the at least one smart card reader which is configured to code the electronic chip of the identity document as a function of the structured personalization data signed coded received.

Thus, the encoding module is responsible for coding and sending the APDU (Application Protocol Data Unit) personalization commands to the smart card reader, which then sends them to the microchip of the electronic identity document. . It can be connected to one or more smart card readers, whether embedded in the printer or not. The encoding module is thus able to establish a secure communication session with the smart card. The secure connection is established according to a mutual authentication protocol defined by the ICAO, BSI or GlobalPlatform standards (in the case of a javacard). The device according to the invention thus differs from existing products which can encode RFID tags and tags, but cannot establish a complex secure communication session with a smart card.

It should be noted that the steps of electronic personalization and graphic personalization of the identity document can be carried out either separately or simultaneously.

According to a particular characteristic of the invention, the at least one smart card reader is of the contactless type.

So, just place the electronic identity document on the contactless smart card reader and then a personalization command (containing personalization information to write in the identity document chip, such as a photo or fingerprints the encoding module.

It is to highlight that

At least one smart card reader could also be contact or both contact and contactless, without departing from the scope of the present invention.

According to a first variant of

1'invention, the personalization device further comprises a hardware security module, HSM, removable in which is stored at least one cryptographic key used by the digital signature generation module.

The digital signature generation module is responsible for digitally signing the personalization data structured by the data structuring module (such as the EF.SOD file in the case of documents conforming to the ICAO9303 standard) which must be stored in the micro chip integrated into the electronic identity document. The cryptographic keys used to sign the personalization data are protected in hardware or software by the

HSM which implements a standard interface such as

The PKCS # 11 cryptographic interface.

The support by the personalization device of the PKCS # 11 standard allows easy integration with a large number of HSMs such as smart cards, PCI cards or network equipment.

In the case of a so-called offline digital transmission (“offline” in English terminology), the HSM can typically be implemented by an HSM based on a smart card having a reduced size, such as a format key removable mini USB, compliant with PKCS # 11 standard.

In the case of a so-called digital signature online transmission (“online” in English terminology), the HSM can be implemented by a PCI card (“Peripheral Component Interconnect”, in English terminology), a network HSM or an HSM based on smart card conforming to PKCS # 11 standard.

Since the personalization device implements a standard cryptographic interface (e.g. PKCS # 11), a large number of HSMs such as smart card-based HSMs, PCI interface HSMs or network card-based HSMs can interface with the personalization device. The invention follows established industry best practices including the use of HSM to protect private cryptographic keys. It should be noted that a purely software implementation of HSM is, although less recommended, also possible.

According to a second variant of the invention, the at least one cryptographic key used by the digital signature generation module is stored on a remote server in communication with

The data transmission / reception interface.

According to a particular characteristic of

The invention the sensitive configuration data stored in the hardware security key are one of at least one transport key, at least part of the source code of the various modules of the personalization device, an incremental / decremental counter, and, if necessary, a PIN code intended to activate the HSM.

Thus, the sensitive information listed above is protected by the security key.

A transport key is a key allowing to write in the microchip of an electronic identity document. Without knowledge of this key, it is impossible to write data to the microchip.

It should be noted that the sensitive data may also include a counter value limiting the number of uses of the personalization device.

According to a particular characteristic of the invention, the personalization device further comprises a secure storage module connected to the hardware security key.

Thus, the secure storage module can securely store sensitive data protected by the hardware security key.

According to a particular characteristic of the invention, the personalization device further comprises a coordination module configured to manage the transfer of the data received via the transmission-reception interface to the various modules of the personalization device.

Thus, the coordination module is responsible for coordinating the various modules and for transferring the data from the data transmission / reception interface to the appropriate modules and vice versa.

According to a particular characteristic of the invention, the data structuring module is configured to structure the personalization data received in accordance with the ICAO9303 standard from the organization of international civil aviation.

Thus, data structuring consists in preparing personalization data in the form of a logical data structure (“Logical Data Structure”, in English terminology) of the ICAO9303 standard of the ICAO.

The logical data structure (SDL) corresponds to the electronic data file structure to comply with the specifications of ICAO9303 in the case of electronic passports and / or national identity cards. The SDL can be stored in the microchip of the electronic passport and / or the national identity card and / or encoded in the form of a visible digital seal (VDS, "Visible Digital Seal" in English terminology) according to ICAO9303 and BSI TR-03137 standards.

The data structuring module is responsible for organizing personalization data according to the ICAO9303 standard for logical data structure and / or according to ISO / IEC 18013-2: 2008. Other standards, existing or future, could also be implemented by the data structuring module, without departing from the scope of the invention.

According to a particular characteristic of the invention, the data transmission-reception interface is able to communicate, wirelessly or wired, with a work station by means of a standardized communication protocol in real time. , of type WebSocket.

Thus, the personalization device can be connected to the workstation via a wired network cable (for example, Ethernet) or wirelessly (for example, WIFI). Communication between the workstation and the personalization device is established by standard communication protocol such as

WebSocket / SSL.

The personalization device obtains personalization data linked to a holder of the identity document in a standard format as encoded in Base64 and structured in XML, JSON by a standard WebSocket / SSL communication means.

Support for the WebSocket real-time standardized communication protocol allows simplified software integration with graphic personalization software.

The WebSocket type interface allows you to separate the business application (i.e. the ICAO9303 software stack which creates the file structure conforming to the ICAO9303 standard, signs the data digitally and writes the data to the document chip) of the graphical interface.

Since the customization device implements a standard WebSocket network communication interface, it can easily be integrated and connected with virtually any software written in any programming language. A simple script written in any programming language (for example, C, Python, Java, VB) running on the workstation can make the personalization device compatible with almost all databases (for example, MS Access, MySQL, Oracle) and with almost all graphic personalization software (for example, CardPresso®).

According to a particular characteristic of the invention, the smart card reader is connected to the encoding module via at least one of a USB CCID interface and a PC / SC interface.

Thus, given that the personalization device implements a standardized CCID or PC / SC interface, it is possible to connect it to a large number of smart card readers, making it compatible with all the identity document printers currently available. on the market. If the printer does not include a smart card reader, the personalization device can be used with a stand-alone smart card reader.

According to a particular characteristic of the invention, the various modules of the personalization device are implemented in a mini-computer. It should be noted that the device according to the invention can also be a programmed device. The instructions of the program (s) implementing the invention can, for example, be implemented in a programmable or specific integrated circuit (in English Application Specifies Integrated Circuit, ASIC).

Thus, the mini-computer (SBC, “Single Board

Computer ", in English terminology) is an economical and efficient solution for implementing the software modules of the personalization device.

The

SBC is capable of executing the code necessary to prepare the logical data structure of the standard

ICAO9303. Likewise, the SBC is capable of executing the code to encode a microcontroller card and to encode the file system of the electronic identity document chip.

The SBC preferably integrates

Ethernet, Wifi, PSTN,

USB and a processor used to run a high-level operating system, such as

Linux®, and hardware-independent code, such as Java.

According to a particular characteristic of the invention, the personalization device further comprises at least one input / output port for a link with at least one peripheral, such as a relay, a sensor, a camera or a scanner in order to '' acquire a unique value from the document - personalization data is never permanently stored in the device but erased after each use.

According to a particular characteristic of the invention, a non-clonable physical value of the document is stored in the data structure and serves as a component for at least one of the digital signatures.

According to a particular characteristic of the invention, a removable physical or software cryptographic circuit, protects the electronic data used to unlock said digital signature generation module and / or protects the transport key (s) making it possible to establish the encrypted communication session. with the microchip.

Each network interface can be a wired or wireless network interface allowing access to a remote database to request and / or obtain data.

The communication protocols implemented can be real-time standard communication protocols.

Communications can be encrypted by a cryptographic algorithm.

At least one of secure communications session keys can be established from a mutual authentication protocol.

Each module can be run on a 32-bit or 64-bit architecture microcontroller

RISC or CISC or ASIC running a high level operating system providing support for several multi-threaded processes in English terminology - such as for example Linux® or Windows®.

The cryptographic circuits can be removable physical circuits and / or implemented by the device itself and / or remote over the network.

The encoding module can analyze and execute an electronic pre-personalization script consisting of a series of APDU packets stored by the data storage module in order to initialize the structure of the microchip file system.

The data storage module can protect at least one PIN code used to activate the digital signature generation module, one or more transport keys used to write-protect the microchip of the document to be personalized, part or all of the code source of the modules constituting the device, an incremental or decremental counter limiting the number of uses of the device.

The encoding module can detect by reading the response to the reset and / or by the response to the command for selecting the elementary files of the microchip at least one of the following information:

- the manufacturer of the microchip;

- the version of the microchip operating system in order to optimize the size of the APDU write commands sent to the microchip and / or the files of the microchip to be written.

The digital signature generation module and / or the data structuring module and / or the encoding module can be executed on the same processing unit to optimize the personalization of the microchip.

Personalization of the microchip can also be optimized by buffering the electrical pre-personalization script in said encoding module.

The modules can securely erase the data received and generated by overwriting it with constant values.

The device can test the presence of at least one of said modules which can be removable before each use of said device.

The modules can be executed not remotely on the network.

The modules can be implemented in at least one programming language such as for example the C language,

C ++ or

Java.

At least one of said modules can be executed on a programmable prediffused matrix (FPGA).

The device can be connected to several card readers.

The secure data storage module can include a counter limiting the number of uses of said device.

The present invention also relates to a printer comprising a device for personalizing an identity document as described above.

To better illustrate the object of the present invention, there will be described below, by way of illustration and not limitation, preferred embodiments, with reference to the accompanying drawings.

In these drawings:

FIGS. 1A to 1E respectively illustrate five different variants of the system architecture of the identity document production environment comprising a device for personalizing an identity document according to the present invention;

- Figures 2A to 2C respectively illustrate three different variants of the housing of the identity document personalization device according to the present invention;

- Figure 3A shows a functional view of the identity document personalization device according to the invention which illustrates the interaction between its different modules;

FIG. 3B represents a sequential diagram illustrating an example of possible interactions between the different modules of the device for personalizing an identity document according to the present invention;

- Figure 4 shows a data flow diagram illustrating an example of data processing by the identity document personalization device according to the invention;

- Figures 5A and 5B show block diagrams of the identity document personalization device according to the invention;

- Figure 6 shows a flowchart illustrating an example of processing of main orders by the personalization device of identity document according to the invention; and - Figure 7 shows a high-level block diagram of the device for personalizing an identity document according to the invention.

If one refers to FIGS. 1A to 1E, it can be seen that there are represented there five different variants of system architecture of environment for production of identity document comprising an identity document personalization device 104 according to the present invention

FIG. 1A illustrates a first variant of implementation of the invention in an environment for producing identity documents.

This first variant is the simplest variant in which the transmission (instantaneous or not) of identity document is carried out with the generation of digital signature called offline. In this very easy-to-use case, the data of the identity document holder are stored, for example, in a local database 103.

A workstation 101, running graphical personalization software and capable of containing the local database 103, is connected to an office printer 111 for secure identity documents (such as passports, booklets, diplomatic passes , provisional travel documents, national identity cards or any other government identification document, driver's licenses, registration cards, security badges, foreign residence identity cards, voting cards , health cards, student cards, sailor identification booklets, military booklets, etc.) via a serial or network connection 112.

On the other hand, the workstation 101 is connected to the identity document personalization device 104 via a network connection 106 (for example, wired Ethernet link or wireless link

The personalization device 104 is also connected to a smart card reader 105 via a serial connection 107 (for example,

USB, UART, SPI or I2C).

The smart card reader 105 may or may not be integrated into the printer 111.

The personalization device 104 can be connected to a hardware security module (HSM) 109 and / or to a hardware protection key 114.

An identity document incorporating a microchip 108 is inserted into the office printer 111 or placed on the chip card reader 105 during electronic personalization.

The workstation 101 executes the graphic personalization software which communicates directly with the printer 111 for the graphic personalization of the document 108. The personalization software also executes software or a script which transfers the appropriate electronic data to the personalization device 104 in a standardized format such as XML, JSON or Base64.

The personalization device 104 takes care entirely of the electronic personalization of the document

108 consisting of: the preparation of the logical data structure (SDL) to be written in the file structure of the microchip of the document 108, the digital signature of the data and the encoding of the data in the microchip of the document 108. In the case where a printable text and / or code must be printed on the document 108, the personalization device 104 produces and returns to the workstation 101 the structured and signed personalization data in the form of printable text and / or code .

The workstation 101 is thus connected on the one hand to the personalization device 104 for the electronic personalization of the document 108 and on the other hand to the printer 111 for the graphic personalization of the document 108. The sensitive cryptographic data (for example, the sensitive key (s) used to digitally sign the electronic data which are then encoded in the microchip of the electronic document 108 and / or encoded in the form of text and / or printable code and / or magnetic code) are stored and protected by the local HSM 109 which can be a HSM based on a smart card or any HSM which implements or not the standard interface of the PKCS # 11 type.

The HSM 109 provides a secure means of generating and storing private signature keys in a secure manner, for example by storing the key in an encrypted form, unlike a storage software solution in which the private key is available in clear text. memory, making it vulnerable to various attacks. The private key used to digitally sign certificates may sometimes never even be extractable from the HSM 109. Thus, the protection of the private key by the HSM 109 provides increased protection against the unauthorized creation of fraudulent certificates. Thanks to the use of HSM 109, all sensitive keys are protected by an unalterable module.

In this first variant, the public key infrastructure (PKI) is considered offline and distributed.

Figure IB illustrates a second variant of an identity document production environment known as "online".

In this second variant, the workstation 101 is also connected to a server with HSM 113 remote on the network protecting the sensitive cryptographic keys, via a communication network 115 (for example, Intranet or Internet). The document transmission is decentralized in the sense that the workstation 101 can be located in a different location from the server with HSM 113 which is remote on the network and therefore online.

The public key infrastructure (PKI) is said to be “centralized” and, each time an electronic document 108 is produced, the digital signature is calculated in a centralized manner. The centralized HSM 113, remote on the network, can be implemented for example by a PCI card, a network card or based on a smart card.

The exchange of data between the central system and the place of document issuance can be secured for example by a protocol such as "Secure Socket Layer" (SSL).

It should be noted that, for the two variants of Figures IA and IB, it is possible to envisage that the workstation 101 also serves as an enrollment station (enrollment software with a camera, a data acquisition module paper signature, fingerprint sensor, etc.). In this case, the secure identity document 108 can be issued in just a few minutes.

Figure IC illustrates a third variant of a so-called “centralized” identity document production environment.

In this third variant, a high speed industrial machine type printer 117 is used instead of an office printer 111.

In this third variant, the workstation 101 is connected to the personalization device 104, itself connected to a smart card reader 105 integrated in the printer of the high-speed industrial machine type 117. The personalization device 104 can also be connected to various sensors and peripherals (not shown in Figure IC) such as relays, presence detectors, light emitting diodes, buttons, motors, cameras and / or scanners integrated in the large industrial machine speed 117.

The personalization device 104 is connected, by an input / output port to the sensors of

Industrial printer

117 either indirectly, as illustrated in Figure IC, by

The intermediary of an industrial programmable controller

116 (“Programmable Logic Controller”, PLC, according to English terminology).

Figure 1D illustrates a fourth variant of an environment for producing different types of identity documents such as passports and identity cards.

The environment illustrated in Figure 1D is a variant of that illustrated in Figure IA.

The personalization device 104 is also connected to a second smart card reader 105 which is integrated into a smart card printer 119.

In this fourth variant, the personalization device 104 is used to personalize simultaneously and in parallel two different types of identity documents such as passports and electronic identity cards.

Figure 1E illustrates a fifth variant of an environment for producing source documents such as civil status certificates and / or diplomas, known as "online signature".

Two workstations 101 and 102 are connected to the personalization device 104 via a communication network 115 consisting for example of a router 123 and a WIFI access point 124. The workstation 101 is connected to the network 115 by wired link while the workstation 102 is connected to the network 115 wirelessly.

The personalization device 104 is connected to the access terminal 124 wirelessly. A removable protection key 114 is connected to the personalization device 104. The personalization device 104 is either integrated directly without a housing in a conventional printer 121, or is protected by a housing and is affixed to the conventional printer 121 as illustrated in the Figure 1E. The conventional printer 121 is connected to the access terminal 124 wirelessly.

The personalization device 104 is also connected to a server with an HSM 113 remote on the network 115 protecting the sensitive cryptographic keys for the generation of the digital signature (s).

In this use case, the data of the document to be certified is sent to the personalization device 104 through the communication network 115. The personalization device 104 organizes the electronic data according to the VDS standard of the ICAO, signs the data electronically using the HSM 113 remote on the network 115 and returns the code

VDS at the workstation

101 and / or 102 for graphic printing on the document by the printer 121.

If we refer to the Figures

2A to 2C, it can be seen that there are represented there three different variants of housing

200 of the identity document personalization device 104 according to the present invention.

The box

200 can include one or more USB ports 202, one or more slots 204 several Ethernet ports 201, one or for external memory 204a (such as a memory card for a power supply 203, one or more light indicators 207 (such as light-emitting diodes) ) to indicate the operating status of the device 104 (for example, green color for "Ready", red color for "Error" and orange color for "

Processing in progress connector for input / output ports (not shown in Figures 2A to 2C).

The smart card reader (s) 105 can be connected to the USB ports 202.

Workstation 101, 102 can be connected to the port

Ethernet 201.

One or more cryptographic circuits can be connected to the USB ports

202, such as the hardware security key 114 in the form of a mini USB key and the HSM 109 based on a smart card in the form of a mini key

USB.

The housing 200 may also include rubbers

208, 210 to protect the housing

200 from falls, mechanisms such as conduits 206 in order to ventilate the housing 200, a security lock

205 for a safety cable, and a button

214 to turn on the personalization device 104. The box

200 can be made of metal and / or shielded and / or plastic.

The customization device

104 is thus a mobile and universal on-board system which can be integrated into or connected to any type of printer such as industrial printers or office printers.

If we refer to Figure 3A, we can see that there is shown a functional view of the personalization device 104 which illustrates the interaction between the various hardware and software components thereof.

The personalization device 104 comprises five main modules: a coordination module 330, a data structuring module 331, a signature generation module 332, an encoding module 333 and a secure storage module 339.

The personalization device 104 also comprises five main interfaces: a data transmission / reception interface (designated INT_ACQ) 340, an HSM interface (designated INT_HSM) 342, a smart card reader interface (designated INT_RD) 343 , an input / output interface (designated INT_IO) 344 connected to an input / output adapter 334, and a security key interface (designated INT_DONGLE) 349.

The coordination module 330 is responsible for coordinating the various modules 331, 332, 333, 334, 339 and for sending the data received and / or acquired from the workstation 101 by the interface INT_ACQ 340 to the appropriate modules 331, 332, 333, 334, 339. The coordination module 330 includes an internal interface (designated INT_COR_CLT) 350 respectively connected to an internal interface (designated INT_STR_SVR) 351 of the data structuring module 331, to an internal interface (designated INT_SIG_SVR) 352 of the signature generation module 33), to an internal interface (designated INT_ENC_SVR) 353 of the encoding module 333, to the input / output adapter 334 and to an internal interface (designated INT_TO_SVR) of the secure storage module 339 The server interfaces (INT_SVR) and the client interface (INT_CLT) make it possible to be able to execute the modules in the form of micro-services, possibly deported to the network.

The data structuring module 331 is responsible for creating, from the personalization data received, a logical data structure (SDL) according to the ICAO9303 standard of the data to be stored in the microchip of an electronic identity document and / or to encode in the form of text and / or printable code.

The signature generation module 332 is responsible for digitally signing the logical data structure (SDL) created by the data structuring module 331 according to the ICAO9303 standard.

The cryptographic key used for the digital signature is protected by the HSM 335 cryptographic key protection module connected to the signature generation module 332 by the INT_HSM 342 interface. The personalization device 104 can implement a standard cryptographic interface, such as PKCS # 11, to facilitate the integration of different types of hardware and / or software HSM modules.

In the case of an instant issuance of identity documents, the HSM 335 can be implemented by a smart card-based HSM in compact format, such as a USB key in mini USB format, for greater mobility of the device 104.

In the case of centralized identity document issuance, the HSM 335 can be implemented by any type of hardware, such as a LAN or smart card HSM, or by software.

The 333 encoding module is responsible for: establishing secure communication by mutual authentication protocol, for example by establishing a secure session using the transport key (s) following mutual authentication according to the ICAO903 standard and

BSI TR 03-137, with microchip of identity document and send orders

APDU according to ISO / IEC standard

7816 microchip personalization of the electronic identity document, the encoding module

333 being connected by the INT interface

RD

43 to the smart card reader 105 with contact / contactless and / or dual autonomous interface or incorporated in a printer and / or encoding the data structure containing at least one signature in the form of VDS code.

The personalization device 104 can be connected via the interface

INT

344 to various peripherals a sensor 337, a camera and / or a scanner 336.

The secure storage module 339 is responsible for storing the sensitive configuration information of the personalization device 104 in an encrypted manner in order to ensure confidentiality, said sensitive information possibly being the transport key or keys, the sensitive source code of the software, or the code

PIN to unlock the HSM 335.

The cryptographic key used for data encryption by the secure storage module

339 can be protected with a hardware protection key

370 connected to the secure storage module

339 via the INT_DONGLE interface 349. The hardware protection key

370 can also store in its secure memory all or part of the sensitive configuration information of the personalization device 104.

If one refers to FIG. 3B, one can see that there is represented there a sequential diagram which illustrates an example of possible interactions between the various modules of the personalization device 104.

The coordination module 330 is the module to which all the other modules of the personalization device 104 are connected.

The sequential diagram of Figure 3B illustrates a possible example of electronic personalization with a high speed industrial printer 117, for which a presence sensor 337 detects the arrival of a document. The personalization device 104 then retrieves the unique identifier (UID) of the document, such as the unique number of the document or the unique number of the microchip of the document, via a sensor (such as a camera 336 or a smart card reader 105) and transfers this information to the workstation 101. The workstation 101 then returns to the personalization device 104 the data of the document holder to be personalized electronically in the microchip and / or for the encoding of text and / or printable code.

The personalization device 104 then performs the complete electronic personalization of the document consisting of the creation of the logical data structure to be written in the file structure of the microchip, the digital signature of the data and the writing of the data in the microchip and / or returns it to the workstation 101 of the signed data structure in the form of text and / or printable code.

The sequential diagram in Figure 3B illustrates a case of using electronic personalization as an example composed of twenty elementary steps which are as follows:

The sensor 337 detects 303 the presence of a document and informs the coordination module 330 thereof;

the coordination module

330 sends information back to workstation 101;

Since the WebSocket protocol is bidirectional, the coordination module, although it implements the server part of the protocol, can initiate communication with the client (the

If the protocol had not been bidirectional, communication would have been possible only on the initiative of the client;

workstation 101 requests

05 to the coordination module

330 to retrieve the document identifier;

the coordination module 330 transfers 306 the request to the module managing the camera

336; the coordination module

330 could also retrieve the unique identifier of the document by means of a device other than the camera 336, for example by means of a smart card reader 105;

the camera

336 of the document and returns it to the coordination module 330 the module of the work station 101; it should be noted that, although the workstation 101 could also directly trigger the request to recover the document's UID;

the post working 101 transfers 309 to module of coordination 330 the complete data for the customization, such than 1'identifiant of the key for the signature digital, characteristics of document, the data of document and or the

encoding characteristics;

- the coordination module 330 sends 310 the data, transformed or not, to the data structuring module 331;

- the data structuring module 331 structures 311 the data and returns them to the coordination module 33 0;

- the coordination module 330 sends 312 the data, transformed or not, to the signature generation module 332;

the coordination module 330 is also able to retrieve information such as the PIN code in order to unlock the HSM 335 from the protection key

370 the signature generation module 332 prepares

313 a digital certificate and request to the cryptographic module, such as the

HSM 335, to digitally sign the latter;

- the HSM 335 cryptographic module, which protects sensitive cryptographic keys, calculates 314 the digital signature and returns the result to the signature generation module 332;

The signature generation module 332 returns 315 the signed data to the coordination module 330; the coordination module 330 could also send the signed data back to the workstation 101 at this stage, this could be of interest if the workstation 101 wishes to prepare the signed data in advance for reasons of performance improvement, the coordination module 330 could then, in this event, receive from the workstation 101 data already prepared and signed to be transferred directly to the encoding module 333;

The coordination module 330 sends 316 the data, transformed or not, to the encoding module 333; the coordination module 330 could also retrieve information, such as the transport key or keys, from the protection key 370;

The encoding module 333 sends 317 the data to the smart card reader 105 and / or encodes the data in the form of text and / or printable code;

- the chip card reader 105 writes 318 the data in the file system of the microchip of the document 108;

The microchip of document 108 returns 319 the status of the encoding of the microchip to the chip card reader 105;

The smart card reader 105 returns 320 the encoding status of the microchip to the encoding module 333;

The encoding module 333 returns 321 the status of the encoding of the microchip to the coordination module 330 and / or returns the printable code to the coordination module 330 in the case of generation of a text and / or a printable code; and the coordination module 330 returns 322 the status of the encoding to the workstation 101 in the case of the encoding of the microchip and / or returns the text and / or the printable code to the workstation 101; the coordination module 330 being able, via

input / output adapter, activate anything what peripheral, Phone than a relay or an indicator bright in the case an error would to himself produce. If 1 himself refers to Figure 4, we can see

that there is shown a data flow diagram representing an example of data flow and its processing by the personalization device 104.

The data received from the workstation 101 (designated input data) are first structured by the data structuring module 331, then digitally signed by the signature generation module 332 and finally encoded in the microchip and / or in the form of text and / or printable code (designated as output data 409) by the encoding module 333. Each of the data structuring module 331, the signature generation module 332 and the encoding module 333 includes an audit trail 406, 408, 410.

The input data are transferred in a standardized form by a standard communication protocol, such as WebSocket, by the workstation 101 to the personalization device 104. They contain the information of the document holder (such as the name of the holder of the document). document, date of birth, nationality, photo of his face and / or any other identifying information) as well as information from the document itself (such as its unique number, date of issue, duration of validity, the issuing authority) and may contain one or more of the individual carrying the document his or her fingerprint (s), retina or iris), designated biometric data (for example, portrait, characteristics of the under the name of data "

403 which are sent to the data structuring module

331. Furthermore, the input data may also contain information on the cryptographic mechanisms and protocols implemented by the microchip to protect the data stored electronically in the microchip and to prevent unauthorized access to it, as well as to verify integrity and authenticity (such as information about active authentication (AA), extended access control mechanism (EAC), additional access control mechanism (SAC), certificate of verification of the issuing country (CVCA), in the case of a document conforming to the standards of ICAO9303) designated by the name of “specific data for structuring of data” 402 which are sent to the data structuring module 331.

The output data from the data structuring module 331 is the unsigned structured data 405, such as an unsigned structure SDL in the case of a document conforming to ICAO9303 and / or 1'13018013. This unsigned structured data 405 is used as input data for the signature generation module.

332. On the other hand, the signature generation module 332 also takes as input data, the information on the parameters of the digital signature (such as the identifier of the cryptographic key and the algorithm of the digital signature, the PIN code to unlock the HSM 335). This data is designated by the name of “specific signature module data” 401. The output data 407 of the signature generation module 332 are structured and signed and are ready to be encoded in a microchip and / or in the form of text and / or printable code.

Structured and signed data 407 is used as input data for the encoding module

333. The encoding module 333 also takes as input information on the microchip (such as the transport key (s), the manufacturer of the microchip, the version of the operating system, the scripts, the slot number of the smart card reader), designated under the name of “specific data of encoding module” 404, in order to electronically program the microchip and / or to calculate a text and / or a printable code.

The personalization device 104 is designed so that each module 331, 332, 333 does not keep information on its previous state or the information previously processed, meaning that each module 331, 332, 333 receives for input data: the data to be processed as well as the data configuring the behavior of the module itself. Each module 331, 332, 333 therefore does not keep its previous state. This property makes it possible to use the same personalization device 104 to produce different types of documents (for example both national identity cards and electronic passports).

If we refer to Figure 5A, we can see that there is shown a block diagram of an identity document personalization device 500 according to the invention.

A workstation 101 is connected to the personalization device 500 via a network connection 503 and a network input / output (I / O) adapter 502, such as a wired network connection of Ethernet type or a WiFi type wireless network connection. The communication protocol between the workstation 101 and the personalization device 500 is carried out via a network communication stack 509 which can be implemented in a coordination module 510. The network communication stack 509 implements a protocol standard communications, such as real-time, bidirectional, full duplex, with little system overhead, secure, and standard referred to as WebSocket secure with TLS / SSL or any other standardized protocol such as a message broker .

The customization device

500 is characterized by the fact that the electronic personalization business logic is completely separate from the graphic user interface graphic personalization software running on the workstation 101. The use of a standard transmission protocol between the workstation work 101 and the personalization device 500 makes it possible to separate the business logic from the GUI. In addition, the use of a standardized protocol makes it possible to easily interface graphical personalization of any software with the personalization device.

500. Indeed, standard protocols are implemented in a multitude of programming languages and in particular the best known such as C languages,

Java, C ++,

Javascript and

Python.

Consequently, since the graphic personalization software is developed in a programming language, it is possible either to integrate the standardized protocol directly into the graphic personalization software by specific development or via a script (such as

Javascript coordination module 510 implements a 511 data parser stack (such as XML, JSON, or Base64 markup languages), allowing the exchange of text-based data, not dependent on hardware and / or operating systems .

A secure storage module 514 is implemented by a cryptographic circuit also designated under the name of protection key 520, said protection key 520 being connected to the secure storage module 514 by means of a serial / network adapter 505. The secure storage module 514 contains sensitive data, such as the software source code, and / or configuration configuration data, such as the PIN code to unlock an HSM 519 and / or configuration data such as specific data digital signature, specific data preparation data and / or encoding data and / or specific encoding scripts for a microchip. The personalization device 500 is characterized by the fact that it may not be functional without the physical or logical presence of the protection key 520 protecting the secure storage module 514.

The personalization device 500 also includes a data structuring module 517 configured to structure the personalization data coming from the coordination module 510.

The personalization device 500 further comprises a signature generation module 512 which is connected to a digital signature cryptographic circuit also designated by the name of hardware security module (HSM)

519, said

HSM 519 being connected to the signature generation module

512 via serial / network adapter

504

The HSM digital signature cryptographic circuit

519 is implemented by unalterable hardware (such as a

HSM has a direct connection but it could be to the personalization device 500, also to be deported to other appropriate locations in the document generation environment. For example, the digital signature cryptographic circuit HSM 519 could be accessible through the network, such as by a virtual private network (VPN) for example. The HSM 519 digital signature cryptographic circuit could also be implemented by software.

The HSM 519 digital signature cryptographic circuit provides a secure location for producing and storing the sensitive digital signature cryptographic key or keys stored in an encrypted or unencrypted manner. The cryptographic key used to sign data may also not be extractable from the HSM 519.

The signature generation module 512 and the HSM 519 implement a cryptographic programming interface (API, “Application Programming Interface”), respectively 513 and 521, such as PKCS # 11.

The personalization device 500 is characterized by the fact that it cannot produce a digital signature without the physical or logical presence of the protection key 520.

The personalization device 500 further comprises an encoding module 518 which implements a script analyzer module 516. The script analyzer module 516 can implement the possibility of executing pre-personalization scripts used for the initialization of the microchip file structure of a 525 identity document before personalization of the latter. The script analyzer module 516 can therefore optimize the industrial process of personalizing the microchip by eliminating the step of pre-personalizing the microchip.

A smart card reader 527 is connected to the encoding module 518 via a serial adapter 526, the smart card reader 527 making it possible to program the microchip of the identity document 525.

A camera 524 can be connected to the personalization device 500 via a serial / network adapter 528.

The personalization device 500 also comprises a central processing unit (CPU) 508 which can implement a CISC architecture (complex instruction set calculation, “Complex Instruction Set

Computing ", in English terminology) or RISC (computer with reduced instruction set," Reduced

Instruction Set Computer ”(in English terminology).

A single-card computer (sometimes abbreviated as SBC, from the English “Single-Board Computer”) such as the UP Board® is an example of a processing unit with CISC architecture.

A single-card computer such as the Raspberry Pi 3® is an example of a processing unit with RISC architecture.

The personalization device 500 further comprises a real time clock 507 with a battery, the real time clock 507 being implemented in particular for time stamping the different logs of the different modules.

The personalization device 500 also includes an input-output adapter 506, peripheral input / output devices 523, such as relays, light-emitting diodes, buttons or a presence detector 515, which can be connected either directly to the input-output adapter 506 either via a programmable controller (PLC) (not shown in Figure 5A).

Communication

522 between the different modules (coordination module

510, signature generation module 512, data structuring module 517, by a simple application programming interface (API) or by a network communication stack. The advantage of the latter is that it makes it possible to communicate different modules programmed in different programming languages (for example, the signature generation module 512 can be programmed in the C language while the rest of the modules can be programmed in JAVA language) and / or that it makes it possible to execute certain remote modules on the network (for example, the signature generation module 512 could be executed on a server remote from the network). Each module then becomes a "micro-service" which can be executed remotely on the network.

The personalization device 500 is electrically powered by a power source 501.

If we refer to Figure 5B, we can see that there is shown an additional block diagram of the personalization device 500 supplementing that of the

Figure 5A.

Personalization device 500 implements an operating system (OS)

530 high level, such as

UNIX, Windows, Mac OS or GNU / Linux.

The various modules of the personalization device 500 can be implemented as native applications 528 (for example, programmed in C language) comprising the data structuring module 517a, the signature generation module 512a with its cryptographic stack 513a, the coordination module 510a with its network communication stack 509a and its data parser stack 511a, the encoding module 518a with its script analyzer module 516a and a cryptographic module 536. The various modules of the personalization device 500 can also be implemented as portable applications (applets) 539, running on a virtual machine

531 such as a Java virtual machine, comprising the data structuring module 517b, the signature generation module 512b with its cryptographic stack 513b, the coordination module 510b with its network communication stack

509b and its data parser stack 511b and the encoding module 518b with its script analyzer module 516b. The advantage of this latter approach is that the modules can then run on any hardware platform provided that the virtual machine 531 is implemented on this platform.

The HSM cryptographic circuit 519 used for the generation of the digital signature and the security key cryptographic circuit 520 used for the protection of the secure storage module 514 are each implemented by a secure microprocessor 532, 534 and an operating system 533, 535 (for example, a native and / or virtual machine-based operating system such as JavaCard). The HSM cryptographic circuit 519 and the security key cryptographic circuit 520 each comprise a serial / network adapter 540, 541 configured to be connected to the corresponding serial / network adapter 504, 505 of the personalization device 500.

Referring to Figure 6, it can be seen that there is shown a flowchart illustrating an exemplary method of operation of the identity document personalization device 500 according to the invention.

The operating method starts at step 601.

The personalization device 500 performs a self-diagnosis in step 602 when it is powered up or when it is used for the first time. If the diagnoses are positive, the personalization device 500 is then ready to receive instructions from the work station 101 and / or events detected by one or more sensors, such as a button or a presence detector, on the 'step 603.

604 receipt of request instruction

Step 605 returns to the diagnostic state.

At the personalization device 500 for diagnoses at the workstation 101 upon receipt 604 of a signature request instruction, the personalization device 500 performs a structuring of the data in step 606 and digitally signs them at

1'étape

607, the personalization device

500 able to use the cryptographic circuit

HSM 519 for calculating the digital signature.

If workstation 101 only requests the signature of personalization devices

500 returns only the signed data without encoding it in step 609.

If the workstation 101 also requests data encoding, the personalization device 500 encodes the data in the microchip of the document and / or in the form of a text and / or a printable code at

Step 610.

The personalization device 500 increments (or decrements) an internal counter for each new processing in step 611, then transmits the state of the encoding of the microchip and / or the encoding of the text and / or the code printable at workstation 101 in step 612.

The personalization device 500 can recover the transport key or keys from the secure storage module 514 by the security key 520 in order to be able to establish a secure session with the microchip.

The internal counter can be protected by the security key

0 and can be used for example to restrict the number of uses of the device 500. The personalization device 500 can check the value of the internal counter before authorizing the processing of

1'encodage.

Upon receipt of a unique identifier request instruction, the personalization device 500 retrieves the unique identifier of the document in step 613, for example via the camera 524 or the smart card reader 527 , and transmits it to the workstation 101 in step 614.

Upon receipt of an encoding instruction only, the personalization device 500 directly encodes the data in the microchip and / or in the form of text and / or code printable in step 610.

Upon receipt of an event detected by a sensor such as the presence detector, the personalization device 500 can transmit information to the work station 101.

The personalization device 500 can also process the initialization of the file structure of the microchip, a process also known as “pre-personalization”.

It should be noted that the bubbles "1" and "2" in the flowchart in Figure 6 indicate respectively the connections between the different branches of the flowchart.

If we refer to Figure 7, we can see that there is shown a high-level block diagram of an identity document personalization device 700 according to the invention.

The personalization device 700 is an on-board device combining both hardware and software.

The main modules of the personalization device 700 include a power unit 701, a network adapter 702, one or more serial adapters

703, one or more input / output adapters 704, a real time clock 705, a central processing unit

706 with memory 711, a network communication module 707, a module of a data parser module 709, a signature generation module 710, a sensor module

712, a script analyzer module 713, a data structuring module 714, an encoding module 715 and one or more cryptographic modules 716.

The present invention thus makes it possible to transform a “conventional” printer into an “intelligent” printer and, consequently, makes it possible to transform an infrastructure for issuing non-electronic identity documents into an infrastructure capable of issuing electronic identity documents. while reusing databases, graphic personalization software and printers, thus avoiding entirely replacing existing equipment.

Claims (7)

1 - Device for personalization of identity document (104, 500, 700), characterized in that it comprises: - a data transmission / reception interface (340) configured to receive personalization data relating to an identity document; a data structuring module configured to structure the personalization data received; - a digital signature generation module (332, 512, 710) configured to digitally sign the structured personalization data using at least one cryptographic key; and - an encoding module (333, 518, 715) configured to encode the signed structured personalization data, on the identity document, in at least one form among a text, a graphic code, a magnetic code and an electronic code ; the document personalization device further comprising a hardware security key (114, removable configured to store sensitive configuration data of the personalization device (104, 500, 700); the document personalization device identity (104, 500, 700 ) being integrated in a printer (111, 117, 119, 121) or joined to one printer (111, 117, 119, 121). 2 - Device (104, 500 700) according to the revendicati on 1, characterized speak fact than, when the signed structured personalization data is encoded in the form of text, graphic code or magnetic code, the encoding module (333, 518, 715) is configured to send the structured signed personalization data encoded to the printer (111, 117, 119, 121) via the data transmission / reception interface (340). 3 - Device (104, 500, 700) according to claim 1 or 2, characterized in that, when the signed structured personalization data are coded in the form of electronic code, the personalization device (104, 500, 700) comprises furthermore at least one smart card reader (105, 527) capable of communicating with the electronic chip of an identity document of the electronic chip type (108, 525), said at least one smart card reader ( 105, 527) being integrated into the printer (111, 117, 119, 121) or connected to the printer (111, 117, 119, 121), the encoding module (333, 518, 715) being configured to sending the encoded signed structured personalization data to the at least one smart card reader (105, 527) which is configured to encode the electronic chip of the identity document (108, 525) according to the signed structured personalization data coded received. 4 - Device (104, 500, 700) according to claim 3, characterized in that the at least one smart card reader (105, 527) is of the contactless type. 5 - Device (104, 500, 700) according to one of claims 1 to 4, characterized in that it further comprises a hardware security module, HSM, (109, 335, 519) removable in which is stored at least one cryptographic key used by the digital signature generation module (332, 518, 710). 6 - Device (104, 500, 700; i according 1 'a of the claims 1 to 4, characterized through the fact than 1 'to minus one key cryptographic used speak module generation of digital signature (332 , 518, 710) East stored on a remote server (113) in communication with 1'interface of < data transmission / reception (340) 7 - Device (104, 500, 700; i according 1 'a of the claims 1 to 6, characterized through the fact : than the sensitive configuration data stored in the hardware security key (114, 370, 520) is one of at least one transport key, at least part of the source code of the various modules of the personalization (104, 500, 700), a counter Incremental / décrémentai, and, the case if necessary, a coded PINE intended to activate the HSM (109, 335, 519). 8 - Device (104, 500, 700) according to 1 'a of the claims 1 at 7, characterized through the fact that he further includes a secure storage module (339, 514) connected to the key Securit é material (114, 520). 9 - Device (104, 500, 700) according to 1 'a of the claims 1 at 8, characterized through the fact that he further includes a coordination module (330, 510 708) configured to manage the transfer of data received via the transmit-receive interface (340) to the various modules of the personalization device (104, 500, 700). 10 - Device (104, 500, 700) according to one of claims 1 to 9, characterized in that the data structuring module (331, 517, 714) is configured to structure the personalization data received in accordance with the standard ICAO9303 from the organization of international civil aviation. 11 - Device (104, 500, 700) according to one of claims 1 to 10, characterized in that the data transmission-reception interface (340) is able to communicate, in wireless or wired connection, with a work station (101, 102) via a standardized bidirectional real-time communication protocol. 12 - Device (104, 500 700) according to 1 ' a of the claims 3 to him, character érisé through the fact than the card reader smart (105, 527) East connected to module encoding (333, 518, 715) via at least one of a USB CCID interface and a PC / SC interface. 13 - Device (104, 500, 700) according to one of claims 1 to 12, characterized in that the different modules of the personalization device (104, 500, 700) are implemented in a mini-computer. 14 - Device (104, 500, 700) according to one of claims 1 to 13, characterized in that it further comprises at least one input / output port (334, 506) for a connection with at least a peripheral, such as a relay (338), a sensor (337), a camera or a scanner (336). 15 - Printer (111, 117, 119, 121) comprising a device for personalizing an identity document (104, 500, 700) according to one of claims 1 to 14. 1/14 Figure IA m o 2/14 Figure IB 3/14 m ο Figure IC 4/14 104 Figure ID 119 5/14 124 Figure ΙΕ ο 6/14 Figure 2B 7/14 'Str-i Figure 3A MODULE MODULE Figure 3B 10/14 Figure 4 11/14 LU Q READ H Q o in READ READ Z) <cz H Q Z) H not O 5 o Z) cz h Q READ READ Ξ not C £ 1 H in <r (X CL CU o <) X READ READ H ζ ,,, a ffl / n what read Γ7 z> z in z! £ z o m g ^Q READ to. E D ATl · z —1 hour P £ ë E OF NI CAT; water MC 00 - ¹ Z) tu Cl CC o O CJ READ READ Q O READ H O < oc in o in o O in CL <LH φ i_ D due m o LH 12/14 CHIP CARD READER cz Z) READ Z) H READ < Ξ LU üO CL READ READ < (Z) have Q < 500 -t-- Q (Z) _Q O LU O _i Z n CC CJ <Q LU S. Cl ^Q H LU <i Z —I H P g δ r> ûi ° h O - ¹ LU Cl 2 CC O o m cm o m m LH LH LH CÛ LH Φ i_ D due 13/14 m τ — I t — I LD LD 14/14 LU Q READ H Q O in READ Z) tr u-i ch Q Z? ΓΊ 5 O Q Z cz h READ Q cz READ Z _______1 Z) < Q H O QD 5 in READ READ Q q in READ CH LU Z Q Z H LU 2 in ΓΊ ch O 5 S ^u H LU O ^Q 5 LU <igi ° g OO H O LU Q READ £ O Z < Z) H READ Q Z in LU O cz 5 O (_) READ READ QD READ O CH in CH CL O X LU H Figure 7 FRENCH REPUBLIC irai - I NATIONAL INSTITUTE PROPERTY INDUSTRIAL PRELIMINARY SEARCH REPORT based on the latest claims filed before the start of the search National registration number FA 851115 FR 1763331 DOCUMENTS CONSIDERED AS RELEVANT Relevant claim (s) Classification attributed to the invention by ΙΊΝΡΙ Category Citation of the document with indication, if necessary, of the relevant parts WO 2010/007479 A2 (GILLES LEROUX IND [FR] LEROUX GILLES [FR]; MONGIN HERVE [FR]) January 21, 2010 (2010-01-21) * page 8 - page 12; figure 1 * 1-15 B42D25 / 40 TECHNICAL AREAS SOUGHT (IPC) B42D G06K B41J EPO FORM 1503 12.99 (P04C14) Research completion date August 14, 2018 CATEGORY OF DOCUMENTS CITED X: particularly relevant on its own Y: particularly relevant in combination with another document in the same category A: technological background O: unwritten disclosure P: intermediate document Examiner Achermann, Didier T: theory or principle underlying the invention E: patent document with a date prior to the filing date and which was only published on that filing date or on a later date. D: cited in the request L: cited for other reasons &: member of the same family, corresponding document ANNEX TO THE PRELIMINARY RESEARCH REPORT RELATING TO THE FRENCH PATENT APPLICATION NO. FR 1763331 FA 851115 This appendix indicates the members of the patent family relating to the patent documents cited in the preliminary search report referred to above. The said members are contained in the computer file of the European Patent Office on the date dul4-08-2018 The information provided is given for information only and does not engage the responsibility of the European Patent Office or the French Administration