Defense in Depth: Layered Security in the EUDI Wallet Architecture

Last updated: 2/9/2026
Reading time: 4 min

Defense in Depth

security

Full Name: Defense in Depth Security Strategy

Definition

Defense in depth is a cybersecurity strategy borrowed from military doctrine that employs multiple layers of security controls placed throughout an information technology system. Rather than relying on a single security mechanism (a "hard shell, soft center" approach), defense in depth assumes that any individual control can fail and therefore deploys redundant, overlapping protections. In the EUDI Wallet ecosystem, defense in depth is the architectural philosophy that protects Europe's digital identity infrastructure by ensuring that compromising one security layer does not grant an attacker access to the entire system.

The Security Layers in EUDI Wallet Architecture

The EUDI Wallet implements defense in depth through multiple independent security layers, each addressing different threat vectors:

  • Hardware security layer: Cryptographic private keys are stored in the device's Trusted Execution Environment (TEE) or Secure Element (SE). Even if the operating system is compromised through malware, the keys remain protected in tamper-resistant hardware that prevents extraction. Server-side HSMs provide equivalent protection for backend infrastructure.
  • Cryptographic layer: All credentials are digitally signed by issuers, credential presentations are bound to the presenting device through proof-of-possession mechanisms, and communication channels use authenticated encryption. These cryptographic guarantees hold even if network security is bypassed.
  • Authentication layer: Users must authenticate (PIN, biometrics, or both) before the wallet releases any credentials. This ensures that physical access to the device is insufficient -- the attacker must also bypass user authentication, which is enforced by the secure hardware.
  • Application layer: The wallet application itself implements input validation, secure memory handling, code obfuscation, runtime integrity checks, and secure coding practices. App store distribution ensures code signing verification, and wallet attestation confirms the app has not been tampered with.
  • Network layer: TLS 1.3 with certificate pinning protects data in transit. Content Security Policy (CSP) headers mitigate script-injection attacks on web interfaces. CORS policies restrict cross-origin access. DDoS protection ensures availability under attack.
  • Operational layer: Continuous monitoring detects anomalous patterns. Incident response procedures enable rapid containment. Regular penetration testing and security audits identify weaknesses before attackers do. Revocation mechanisms allow rapid response to compromised credentials or certificates.

Practical Defense in Depth Scenarios

To understand how defense in depth protects EUDI Wallet users in practice, consider these attack scenarios and how multiple layers respond:

Stolen device scenario: An attacker steals a user's phone. Layer 1 (device lock screen) provides initial protection. Layer 2 (wallet PIN/biometric) prevents opening the wallet app. Layer 3 (secure element) prevents extracting keys even with forensic tools. Layer 4 (remote wipe) allows the user to revoke the wallet instance remotely. Even if the attacker bypasses the lock screen, they still face three additional independent barriers.

Phishing scenario: An attacker creates a fake verifier website requesting credentials. Layer 1 (relying party registration) -- the fake verifier is not in the trusted registry. Layer 2 (wallet UI) -- displays the verifier identity for user inspection. Layer 3 (origin verification) -- the wallet checks the verifier's registered domain against the request origin. Layer 4 (consent logging) -- even if the user is tricked, the transaction is logged, enabling detection and revocation.
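The phishing scenario above, as an added example that is not part of the original page or of any EUDI Wallet implementation: a wallet-side check that evaluates each layer independently, so a request from an unregistered verifier fails at registration, and a request that borrows a registered identifier but arrives from a different origin still fails at origin verification. The registry contents, identifiers and domains are constructed sample data.

```python
# Added example (not from the page or any EUDI Wallet implementation).
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Constructed sample trusted relying-party registry: RP id -> registered domain.
TRUSTED_RELYING_PARTIES = {
    "rp-bank-001": "login.examplebank.eu",
    "rp-rental-042": "checkin.examplerental.eu",
}

@dataclass
class PresentationRequest:
    rp_id: str          # identifier the verifier claims to have
    origin: str         # origin the request actually arrived from
    requested: list     # attributes requested, e.g. ["age_over_18"]

@dataclass
class Decision:
    allowed: bool
    failed_layer: Optional[str]
    display: dict = field(default_factory=dict)   # what the wallet UI shows the user
    log: list = field(default_factory=list)       # consent / rejection log entries

def evaluate_request(req: PresentationRequest) -> Decision:
    d = Decision(allowed=False, failed_layer=None)
    # Layer: relying party registration -- unknown verifiers are refused outright.
    registered_domain = TRUSTED_RELYING_PARTIES.get(req.rp_id)
    if registered_domain is None:
        d.failed_layer = "registration"
        d.log.append(f"rejected unknown rp_id={req.rp_id!r} origin={req.origin!r}")
        return d
    # Layer: origin verification -- the claimed identity must match where the
    # request came from, over HTTPS; a registered id cannot be borrowed by another host.
    parsed = urlparse(req.origin)
    host = parsed.hostname or ""
    if parsed.scheme != "https" or host != registered_domain:
        d.failed_layer = "origin"
        d.log.append(f"rejected rp_id={req.rp_id!r}: origin host {host!r} != {registered_domain!r}")
        return d
    # Layer: wallet UI -- only a verified identity is surfaced for user inspection.
    d.display = {"verifier": req.rp_id, "domain": registered_domain, "requested": list(req.requested)}
    # Layer: consent logging -- record what would be released, so a tricked user
    # still leaves a trail that enables detection and revocation.
    d.log.append(f"presented {req.requested} to {req.rp_id} at {registered_domain}")
    d.allowed = True
    return d
```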

Compromised issuer scenario: An issuer's signing key is compromised. Layer 1 (certificate revocation) -- the issuer certificate is revoked via CRL/OCSP. Layer 2 (Trusted List update) -- the issuer is removed from the EU Trusted List. Layer 3 (credential validity checks) -- verifiers reject credentials signed by the revoked certificate. Layer 4 (re-issuance) -- affected users receive new credentials from a replacement issuer. The compromise is contained and remediated without systemic impact.
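The compromised-issuer scenario above, as an added example that is not part of the original page or of any EUDI component: a verifier-side acceptance check where revocation, Trusted List membership, signature and validity period are each checked independently, plus the containment steps (revoke, remove from the Trusted List, re-issue under a replacement issuer). All identifiers and keys are constructed, and an HMAC over the payload stands in for the issuer's asymmetric signature so the example runs without a crypto library.

```python
# Added example (not from the page or any EUDI component).
import hashlib, hmac, json
from datetime import date

# Constructed sample state. HMAC stands in for the issuer's digital signature;
# a real verifier checks an asymmetric signature against the issuer certificate.
ISSUER_KEYS = {"cert-issuer-A": b"issuer-A-secret", "cert-issuer-B": b"issuer-B-secret"}
TRUSTED_LIST = {"cert-issuer-A", "cert-issuer-B"}   # stands in for the EU Trusted List
REVOKED_CERTS = set()                                 # stands in for CRL/OCSP state

def sign(cert_id: str, payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(ISSUER_KEYS[cert_id], body, hashlib.sha256).hexdigest()

def issue(cert_id: str, subject: str, expires: str) -> dict:
    payload = {"iss": cert_id, "sub": subject, "exp": expires}
    return {"payload": payload, "sig": sign(cert_id, payload)}

def verify(cred: dict, today: str) -> str:
    """Return 'accepted' or the name of the first layer that rejected the credential."""
    cert_id = cred["payload"]["iss"]
    # Layer: certificate revocation -- a revoked certificate is refused regardless of listing.
    if cert_id in REVOKED_CERTS:
        return "rejected:revocation"
    # Layer: Trusted List -- an unlisted issuer's signature is never even checked.
    if cert_id not in TRUSTED_LIST:
        return "rejected:trusted_list"
    # Layer: signature -- payload must be unmodified and signed by that certificate's key.
    if not hmac.compare_digest(sign(cert_id, cred["payload"]), cred["sig"]):
        return "rejected:signature"
    # Layer: validity period -- expired credentials are refused even if everything else holds.
    if date.fromisoformat(cred["payload"]["exp"]) < date.fromisoformat(today):
        return "rejected:expired"
    return "accepted"

# Containment steps; each one alone is enough to make verify() reject the old credential.
def revoke_certificate(cert_id: str) -> None:
    REVOKED_CERTS.add(cert_id)

def remove_from_trusted_list(cert_id: str) -> None:
    TRUSTED_LIST.discard(cert_id)

def reissue(cred: dict, replacement_cert: str) -> dict:
    """Re-issue the same subject and expiry under a replacement issuer."""
    return issue(replacement_cert, cred["payload"]["sub"], cred["payload"]["exp"])
```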

Defense in Depth as a Regulatory Requirement

The eIDAS 2.0 regulation and its implementing acts require EUDI Wallet providers to implement defense in depth. The certification framework (based on Common Criteria and SOG-IS) evaluates wallet security not as a single control but as a complete security architecture where multiple mechanisms work together. Certification assessors specifically test whether bypassing one security layer leads to full compromise or whether additional layers maintain protection.

ENISA (the EU Agency for Cybersecurity) provides guidance on implementing defense in depth for critical infrastructure, a category that EUDI Wallet services fall under. This guidance covers network segmentation, access control layering, monitoring depth, and supply chain security -- all elements that wallet providers must demonstrate in their security architecture documentation. The goal is not just technical security but demonstrable, auditable, layered protection that regulators and citizens can trust.


Sources

Information verified against official sources (2/16/2026)

