Cryptographic Service Provider (CSP) Training

CSP is a novel way to develop, certify, and manage applications, and this training will explain the different facets of this new model. This training provides a comprehensive understanding of the GlobalPlatform Cryptographic Service Provider (CSP) model and its role as an extension to the GlobalPlatform Card Specification. Participants will gain both conceptual and practical knowledge of how the CSP delivers high-level cryptographic building blocks, simplifies application development, and enables platform-independent application certification while maintaining strong security comparable to Common Criteria EAL4+ AVA_VAN.5.

The program equips participants with the skills to design, implement, configure, integrate, and certify CSP-based solutions. It concludes with an in-depth review of the CSP certification process and advanced developer topics, including solution architecture, custom workflows, dynamic policy control, secure applet development, advanced APDU handling, large-scale testing, remote resource management and deployment, and operational management of CSP platforms.

Key Learnings for Course Attendees

After completing this 2-day course, participants will:

• Gain a comprehensive understanding of the full CSP model, including the GPCS Amendment N – CSP Specification, CSP Protocol, CSP Protection Profile, CSP API, CSP Guidance for Applet Developers, CSP Evaluation Methodology, and related CSP configurations such as the CSP eID Configuration.
• Gain a clear understanding of the GlobalPlatform Cryptographic Service Provider (CSP) specification and its architectural intent including CSP Protocols and the CSP API.
• Learn how CSP provides high-level, standardized cryptographic abstractions that simplify application development while improving security consistency.
• Become familiar with CSP’s role in enabling platform-independent and certifiable applications aligned with high-assurance security levels.
• Understand CSP’s relevance for identity and wallet use cases, including secure credential storage, authentication, and regulated deployments such as digital identity wallets.
• Learn best practices for policy-driven key management, including key lifecycle control, usage restrictions, and secure access enforcement.
• Learn how to deploy and integrate CSP.
• Learn the CSP certification process and how it achieves a high level of assurance.

Who Should Attend?

This course is intended for:

• SE Application developers requiring crypto services.
• Card manufacturers and platform developers responsible for implementing a CSP
• New and experienced professionals working with secure elements and smart card technologies across industries.
• Wallet providers, wallet implementers, and solution integrators
• Government and Member State representativesinvolved in European Digital Identity (EUDI) Wallet and digital identity deployments.
• Automotive industry stakeholders, OEMs, Tier-1 suppliers, and solution integrators developing secure in-vehicle platforms, digital key solutions, and safety- and security-critical automotive applications.

Course Outline:

Day One:

• Module 1 – Introduction & Context
  • Purpose of the CSP specification
  • Audience and intended use
  • Key terminology and abbreviations
  • High-level architecture of the CSP
  • CSP Admin
  • CSP Client
• Module 2 – Use Cases & Requirements
  • Typical CSP deployment scenarios
  • Functional and non-functional requirements
  • Modularity and exclusions
  • CSP Configurations - Sample Configurations
• Module 3 - Core Features Overview
  • Resource management lifecycle
  • Access control and authentication
  • Key & certificate management fundamentals
  • Password management principles
  • Secure messaging protocols (PACE, SCP03, etc.)
  • Attestations, counters, timers, auditing
• Module 4 – CSP Architecture & Lifecycle
  • Component architecture
  • Roles and responsibilities
  • Installation and activation process
  • Lifecycle management
• Module 5 – Core Modules in Detail
  • System module
  • Resource module
  • Access & Policy module
• Module 6 – Optional Modules & Advanced Functions
  • Cipher and Transform services
  • Secure Channel & Confidential Data Transfer services
  • Signature & Attestation services
  • Key, Certificate, Password, Counter, and Timer services
  • Audit, Field, Offloading, Random Data services
• Module 7 – CSP Protocols & API
  • CSP admin commands
  • CSP client commands
  • CSP Java Card API Service interfaces (from Javadoc)
  • CSP Java Card API byte buffers, and listener mechanism
• Module 8 – Practical Implementations
  • Installing and configuring CSP
  • Creating keys and setting policies
  • Establishing a secure channel
  • Implementing secure messaging
  • Performing attestation and auditing
• Module 9 – CSP Certification Process
  • How to achieve level of certifications
• Module 10 – CSP for Developers
  • Guidelines for developers
  • Documentation Process

Day Two:

• Advanced CSP Solution Architecture
  • Designing custom admin workflows
• CSP Admin Platform – Developer Extensions
  • CSP Access Control and dynamic policy
  • Event triggers
• Advanced Applet Development
  • Secure coding for applets: transaction management, atomicity, rollback handling
  • Advanced APDU handling (chained APDUs, extended length, secure messaging)
  • Multi-applet communication and shared interface design
  • Debugging and testing at scale (unit tests + CSP integration tests)
• Remote Resource Deployment
  • Deploy a complex resource package with multiple applets/keys
• CSP Resource Management & Operations
• Wrap-Up