Entity that uses the Wallet. Natural person to whom the PID belongs.
PID Provider
PP
Entity that verifies the identity of the User, issues the PID to the User's Wallet and publishes information to let Relying Parties verify the validity of the PID.
eID Server
ES
Entity that verifies the eID Card of the User and provides the contained data groups to the PID Provider.
Wallet Provider
WP
Entity that provides the Wallet Solution.
Relying Party
RP
Entity that relies on the PID.
Platform Attestation Provider
PAP
Entity that provides platform attestations about the integrity of the User Device and the installed Wallet App.
Mobile Device Vulnerability Management Service
MDVM
Entity that provides the Wallet Provider with a vulnerability management service covering vulnerabilities in mobile devices and their cryptographic key stores.
Wallet Solution
The Wallet Provider's product, which encompasses the Wallet App, the Wallet Backend and the Remote WSCD.
Wallet Unit
A unique configuration of a Wallet Solution that includes Wallet Instances, Wallet Secure Cryptographic Applications and Wallet Secure Cryptographic Devices provided by the Wallet Provider to an individual User.
User Device
The mobile device of the User, which serves as the host for the Wallet Instance.
Wallet Instance
WI
The Wallet App installed on the User's Device.
Hardware-backed Key Store
HKS
A sub-component of the user device that manages locally stored, hardware-backed cryptographic keys (e.g. TEE, Android StrongBox, iOS Secure Enclave).
Wallet Provider Backend
WB
The Backend of the Wallet Provider.
Remote Wallet Secure Cryptographic Device
RWSCD
A service offering the functionality of a Wallet Secure Cryptographic Application (WSCA) and a Wallet Secure Cryptographic Device (WSCD) to a Wallet Unit, accessed remotely by the Wallet Instance. This encompasses the wallet's cryptographic operations and the protection of the critical assets used in those operations.
Client in the Wallet Instance that authenticates operations towards the Remote WSCD with two factors: a possession factor (a key held in the Hardware-backed Key Store) and a knowledge factor derived from the User's RWSCD-PIN.
Remote WSCA API
API authenticating the User and providing Remote WSCD operations to the Wallet Instance.
Remote WSCA Database
Database for storing Wallet Instance accounts in the Remote WSCD.
HSM Client
Client for accessing the HSM Cluster to perform key-related operations.
Wrapped Key Database
Database for storing wrapped keys outside of the HSM, produced with the standard PKCS#11 key-wrapping functions (C_WrapKey / C_UnwrapKey). Because the wrapping key never leaves the HSM cluster, a wrapped key can only be unwrapped and used from within the HSM.
HSM Cluster
Cluster of multiple Hardware Security Modules (HSMs) that share a synchronised master key, so that any member can unwrap and use keys from the Wrapped Key Database and no wrapped key is tied to a single physical HSM.
Wallet Secure Cryptographic Application
WSCA
Logical abstraction that manages critical assets by providing cryptographic operations through the Wallet Secure Cryptographic Device, as defined by CIR (EU) 2024/2979.
Wallet Secure Cryptographic Device
WSCD
Logical abstraction for a tamper-resistant device that protects critical assets by providing cryptographic operations to the Wallet Secure Cryptographic Application, as defined by CIR (EU) 2024/2979. In this architecture the WSCD is implemented as a Hardware Security Module (HSM); keys created within the WSCD never leave it in plaintext and are exported only in wrapped (encrypted) form for storage in the Wrapped Key Database.
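The wrapped-key model that the Wrapped Key Database, HSM Cluster and WSCD entries above describe, as an added illustration in Go (not code from the original page or from the project): two cluster members provisioned with the same master key can both use a key that was generated and wrapped on one of them, while an HSM with a different master key, and a blob whose handle in the database has been altered, are both rejected. Assumptions: AES-256-GCM under the cluster master key stands in for the PKCS#11 wrap mechanism, the handle is bound as associated data, and the handle names and the challenge message are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// WrappedKey is the record the Wrapped Key Database stores: a handle, the
// GCM nonce and the private key encrypted under the cluster master key.
type WrappedKey struct {
	Handle string
	Nonce  []byte
	Blob   []byte
}

// HSM models one cluster member; all members of a cluster share the master key.
type HSM struct {
	Name string
	aead cipher.AEAD
}

func NewHSM(name string, masterKey []byte) *HSM {
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		panic(err) // a 16/24/32-byte master key is a provisioning invariant
	}
	aead, _ := cipher.NewGCM(block) // only fails for a non-128-bit block cipher
	return &HSM{Name: name, aead: aead}
}

// GenerateWrappedKey creates a P-256 key inside the HSM and hands it out only
// in wrapped form. AES-GCM stands in here for the PKCS#11 wrap mechanism.
func (h *HSM) GenerateWrappedKey(handle string) (WrappedKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return WrappedKey{}, err
	}
	der, _ := x509.MarshalECPrivateKey(priv) // cannot fail for a freshly generated key
	nonce := make([]byte, h.aead.NonceSize())
	rand.Read(nonce)
	// The handle is bound as associated data, so a blob copied to another handle is rejected.
	blob := h.aead.Seal(nil, nonce, der, []byte(handle))
	return WrappedKey{Handle: handle, Nonce: nonce, Blob: blob}, nil
}

// Sign unwraps the key (the only moment it exists in plaintext), signs and
// discards it; only the signature and the public key leave the HSM.
func (h *HSM) Sign(wk WrappedKey, msg []byte) ([]byte, *ecdsa.PublicKey, error) {
	der, err := h.aead.Open(nil, wk.Nonce, wk.Blob, []byte(wk.Handle))
	if err != nil {
		return nil, nil, fmt.Errorf("%s: unwrap failed (foreign master key or tampered blob)", h.Name)
	}
	priv, _ := x509.ParseECPrivateKey(der) // authenticated plaintext, parses by construction
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return sig, &priv.PublicKey, err
}

// Scenario: hsm-a and hsm-b form one cluster (same master key); hsm-c is foreign.
// A blob made on hsm-a must work on hsm-b, fail on hsm-c, and fail once relabelled.
func Scenario() (peerOK, foreignRejected, relabelRejected bool, err error) {
	master, other := make([]byte, 32), make([]byte, 32)
	rand.Read(master)
	rand.Read(other)
	a := NewHSM("hsm-a", master)
	b := NewHSM("hsm-b", master)
	c := NewHSM("hsm-c", other)
	wk, err := a.GenerateWrappedKey("wallet-unit-42/pid-key") // constructed handle
	if err != nil {
		return
	}
	db := map[string]WrappedKey{wk.Handle: wk} // the Wrapped Key Database
	msg := []byte("relying-party-challenge")   // constructed message
	sig, pub, err := b.Sign(db[wk.Handle], msg)
	if err != nil {
		return
	}
	d := sha256.Sum256(msg)
	peerOK = ecdsa.VerifyASN1(pub, d[:], sig)
	_, _, errC := c.Sign(db[wk.Handle], msg)
	foreignRejected = errC != nil
	relabelled := db[wk.Handle]
	relabelled.Handle = "wallet-unit-99/pid-key"
	_, _, errR := a.Sign(relabelled, msg)
	relabelRejected = errR != nil
	return
}

func main() {
	fmt.Println(Scenario())
}
```

Run it with `go run`; the plaintext private key exists only inside `Sign`, which is the property the WSCD entry states. A real deployment wraps with the HSM's own PKCS#11 mechanism and never exposes the unwrap step to callers of the Remote WSCA API.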
Mobile Device Vulnerability Management Service (MDVM) decomposition
Name
Description
MDVM Service
Backend service that verifies platform attestations, determines the device class of the User Device and checks it for known vulnerabilities using the Device Class Vulnerability Database and the Leaked Platform Attestation Key Database. Based on the resulting device, app or vulnerability findings, the MDVM service restricts the capabilities and actions of the affected Wallet Instance.
RASP SDK
Runtime Application Self-Protection (RASP) as an SDK integrated into the Wallet App to detect and prevent security threats during the application's execution. It lets the app monitor its own behaviour and environment, identify attacks such as tampering or code injection, and respond automatically to protect itself.
Device Class Vulnerability Database
Vulnerability database that provides device class vulnerability information to the MDVM service.
Leaked Platform Attestation Key Database
Vulnerability database that provides the MDVM service with platform attestation keys known to have leaked, so that attestations signed by such keys are no longer trusted.
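How the MDVM service could combine the components in this table, as an added example in Go that is not code from the page or from the project: it verifies a simplified platform attestation, rejects attestations whose signing key appears in the Leaked Platform Attestation Key Database, checks the app build, and maps findings from the Device Class Vulnerability Database to a restriction of the Wallet Instance. Assumptions: the attestation format, the device-class and vulnerability identifiers, the app digest, the nonce and the "full / restricted / blocked" outcomes are all constructed for the example; a real platform attestation is an X.509 chain from the PAP, and its chain validation precedes the leaked-key check shown here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// Attestation is a simplified platform attestation: device-class and app
// claims bound to a nonce and signed by a platform attestation key.
type Attestation struct {
	DeviceClass string
	AppDigest   string
	Nonce       []byte
	Key         *ecdsa.PublicKey
	Signature   []byte
}

type Vulnerability struct{ ID string; Critical bool }
type Decision struct{ Outcome, Reason string } // Outcome: "full", "restricted" or "blocked"

// MDVMService holds the two databases named in the MDVM decomposition.
type MDVMService struct {
	TrustedAppDigest string
	LeakedKeys       map[string]bool            // Leaked Platform Attestation Key Database
	DeviceVulns      map[string][]Vulnerability // Device Class Vulnerability Database
}

func fingerprint(pub *ecdsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// digest covers all claims; string fields are NUL-separated (assumed NUL-free).
func digest(a Attestation) []byte {
	d := sha256.Sum256(append([]byte(a.DeviceClass+"\x00"+a.AppDigest+"\x00"), a.Nonce...))
	return d[:]
}

func (m *MDVMService) Evaluate(a Attestation, expectedNonce []byte) Decision {
	switch { // freshness and signature first: no claim is trusted before this
	case !bytes.Equal(a.Nonce, expectedNonce):
		return Decision{"blocked", "nonce mismatch (replayed attestation)"}
	case a.Key == nil || !ecdsa.VerifyASN1(a.Key, digest(a), a.Signature):
		return Decision{"blocked", "attestation signature invalid"}
	case m.LeakedKeys[fingerprint(a.Key)]: // a leaked key can sign arbitrary claims
		return Decision{"blocked", "attestation key is in the leaked key database"}
	case a.AppDigest != m.TrustedAppDigest: // the Wallet Provider knows its own builds
		return Decision{"blocked", "unknown Wallet App build"}
	}
	vulns := m.DeviceVulns[a.DeviceClass] // critical findings block, others restrict
	for _, v := range vulns {
		if v.Critical {
			return Decision{"blocked", "critical vulnerability " + v.ID + " for device class"}
		}
	}
	if len(vulns) > 0 {
		return Decision{"restricted", "non-critical findings for device class"}
	}
	return Decision{"full", "no findings"}
}

// sign builds an attestation over the given claims with an attestation key.
func sign(priv *ecdsa.PrivateKey, class, app string, nonce []byte) Attestation {
	a := Attestation{DeviceClass: class, AppDigest: app, Nonce: nonce, Key: &priv.PublicKey}
	a.Signature, _ = ecdsa.SignASN1(rand.Reader, priv, digest(a))
	return a
}

// Scenario runs constructed attestations through the service; returns outcome per case.
func Scenario() map[string]string {
	goodKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leakedKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	svc := &MDVMService{
		TrustedAppDigest: "sha256:wallet-app-build-1742", // constructed build digest
		LeakedKeys:       map[string]bool{fingerprint(&leakedKey.PublicKey): true},
		DeviceVulns: map[string][]Vulnerability{ // constructed device classes and findings
			"vendorX/modelA/patch-2023-06": {{ID: "DC-0001", Critical: true}},
			"vendorY/modelB/patch-2024-01": {{ID: "DC-0002", Critical: false}},
		},
	}
	app, nonce := svc.TrustedAppDigest, []byte("server-nonce-0001")
	tampered := sign(goodKey, "vendorZ/modelC/patch-2024-09", app, nonce)
	tampered.DeviceClass = "vendorX/modelA/patch-2023-06" // claim edited after signing
	return map[string]string{
		"clean":              svc.Evaluate(sign(goodKey, "vendorZ/modelC/patch-2024-09", app, nonce), nonce).Outcome,
		"leaked-key":         svc.Evaluate(sign(leakedKey, "vendorZ/modelC/patch-2024-09", app, nonce), nonce).Outcome,
		"critical-device":    svc.Evaluate(sign(goodKey, "vendorX/modelA/patch-2023-06", app, nonce), nonce).Outcome,
		"noncritical-device": svc.Evaluate(sign(goodKey, "vendorY/modelB/patch-2024-01", app, nonce), nonce).Outcome,
		"tampered":           svc.Evaluate(tampered, nonce).Outcome,
	}
}

func main() {
	fmt.Println(Scenario())
}
```

The order of the checks is the point: a signature that does not verify, or that verifies under a leaked key, makes every other claim in the attestation worthless, so the device-class lookup only runs for attestations that have already passed those gates.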