
WO2010034507A1 - Method for supporting secure authentication of a user using a smartcard - Google Patents


Info

Publication number
WO2010034507A1
Authority
WO
WIPO (PCT)
Prior art keywords
pseudonym
user
smartcard
signature
group
Application number
PCT/EP2009/006945
Other languages
French (fr)
Inventor
Joao Girao
Christoph Sorge
Dirk Westhoff
Original Assignee
Nec Europe Ltd.
Application filed by Nec Europe Ltd.
Publication of WO2010034507A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0492 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload by using a location-limited connection, e.g. near-field communication or limited proximity of entities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • H04L63/12 Applying verification of the received information
    • H04L63/126 Applying verification of the received information the source of the received data
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3255 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using group based signatures, e.g. ring or threshold signatures
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/42 Anonymization, e.g. involving pseudonyms
    • H04L2209/80 Wireless
    • H04L2209/805 Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor

Definitions

  • the present invention relates to a method for supporting secure authentication of a user using a smartcard, in particular an electronic identity (eID) card, said smartcard storing a secret identifier and being issued by a trusted issuer, said secret identifier being uniquely assigned to said user, wherein a pseudonym is generated on said smartcard, said pseudonym being based on said secret identifier.
  • Smartcards are pocket-sized cards with embedded integrated circuits. They can store data, receive input data, process data and generate an output generally based on the input data.
  • Many smartcards provide a storage area which can only be read using the embedded integrated circuit, generally a processor. Thus, this memory area can store private information which can only be read if, for instance, a correct passphrase is provided. For some data, output might be prevented completely. Such data can only be read and used when processing data on the smartcard, e.g. when generating a signature or encrypted data.
  • Smartcard functionality is currently added to identity cards, thus forming electronic identity (eID) cards.
  • eID cards have been introduced or will be introduced shortly.
  • citizens can authenticate to electronic services (like music download services) or prove that they have a certain attribute (for instance that they live in a certain city or are more than 18 years old).
  • One benefit is that the service provider can recognize a user when he/she accesses its services.
  • these different service providers could merge their databases and build a profile of the users. This violates the privacy of the users.
  • the Austrian eID solution (“Bürgerkarte”) addresses this problem by generating pseudonyms on the card.
  • the pseudonyms are created using a hash function, receiving as input both a secret key stored on the card and a unique identifier of the service provider. In this way, a service provider can recognize a user, as the user always accesses its services using the same pseudonym. As the pseudonyms are different for different service providers, linking of pseudonyms is not possible and building a profile of the users is prevented.
  • the aforementioned object is accomplished by a method comprising the features of claim 1.
  • such a method is characterized by the steps of generating a signature for said pseudonym, said signature being generated on said smartcard and being based on a group signature scheme, transmitting said pseudonym and said signature to a service provider, and verifying said pseudonym by checking said signature using one or several group public keys, wherein at said verification step the identity of said user cannot be revealed.
  • each signature provided by smartcards is unambiguously linked to a user, as this is regarded as improving the authentication.
  • the information to which the authenticating signature refers is generated by a trusted smartcard.
  • the service provider receives a pseudonym from the smartcard which was generated based on the secret identifier stored on the smartcard. This secret identifier cannot be changed after programming into the smartcard by the trusted issuer of the smartcard.
  • the service provider receives this pseudonym and can be sure that this pseudonym was generated by a trusted smartcard, authentication does not have to provide a link to a particular user. In fact it is sufficient to authenticate the smartcard as being trusted in order to authenticate the pseudonym.
  • the signature for the pseudonym is generated based on a group signature scheme.
  • Group signature schemes allow generating of signatures by the members of the group and verification of the signature using the group public key. At verifying the signature, it can be ensured that the signature was generated by one of the members of the group, but the identity of the user cannot be revealed.
  • a signature for the pseudonym is generated on the smartcard based on the group signature scheme.
  • the pseudonym and the signature are transmitted to the service provider.
  • the service provider verifies the pseudonym by checking the signature using one or several group public keys, depending on the group signature scheme used. By doing so, the service provider can ensure that the pseudonym was generated and sent by a trusted smartcard. If the pseudonym were not generated on the smartcard, the verification of the pseudonym and its signature would fail.
  • the method according to the invention provides a secure authentication.
  • group signature scheme refers to any signature scheme in which a valid group signature can be generated by one of its members and one or several public group keys are sufficient to ensure the membership of the member.
  • group signature scheme was published by Chaum & van Heyst in 1991.
  • Other group signature schemes were published for instance by Camenisch & Michels in November 1998.
  • ring signature schemes can be used in combination with the method according to the invention.
  • group signature schemes include the possibility for one specific entity, the group manager, to identify the signer.
  • a signature is generated based on the transmitted message, the private key of the signing user and each public key of the other members of the group; there is no need for prearranged groups, as the group can be formed ad hoc using the public keys of its members.
  • the public keys of each member of the group, the message and the signature are checked. If the ring signature is properly computed, the test is passed. However, it is not possible for anyone to reveal the identity of the user who generated the signature. It should be understood that this signature scheme is also within the scope of the appended claims.
  • the pseudonym can be each piece of information which is generated by the smartcard based on the secret identifier (which may be identical to a cryptographic private key) of the user.
  • the pseudonym as described in connection with the Austrian eID card and this kind of eID is one of the preferred embodiments of the invention; it is obvious to those skilled in the art that other pieces of information can be used as well. It is just important that the piece of information is based on a secret identifier, or key, of the user.
  • the pseudonym can be generated by combining a random number generated on the smartcard with the secret identifier.
  • the pseudonym may be stored in a table which links the single service providers to the respective pseudonyms. This table is preferably stored in a memory space of the smartcard.
  • the pseudonym and its signature can be trusted in cases the signature is recognized as being correct.
  • Another possibility includes generation of the pseudonym further based on a public identifier of the service provider.
  • This public identifier can be generated once and be stored on a remote webserver. If a pseudonym should be generated, the public identifier can be retrieved from this webserver and be passed to the smartcard for generation of the pseudonym. The pseudonym is then generated on the smartcard using the secret identifier of the user and the public identifier of the service provider.
  • the signature for the pseudonym is generated on the smartcard based on a card private key.
  • This card private key is integrated in a group signature scheme, i.e. each signature being generated based on the card private key using the group signature scheme can be verified using one or several group public keys. With most group signature schemes one group public key is sufficient. When using ring signature schemes, several public keys from the group are necessary.
  • the card private key can be stored similarly as the generic secret identifier in a smartcard memory space which cannot be accessed directly through the I/O pin(s) of the smartcard. Each access to this memory space is controlled by the integrated circuit of the smartcard.
  • the individual keys necessary for the group signature scheme are generated when issuing the smartcards, using a setup function provided by the group signature scheme.
  • at the setup of the group signature scheme, one or several card private keys are generated as well as the group public key(s).
  • group signature schemes are known in the art which allow for the creation of very large groups. Even in the context of using the smartcards as eID cards, it is possible for all users of the eID card solution to be members of just one group. Alternatively, the set of users can be split up into smaller groups, provided they are large enough to ensure the users' anonymity. Users living in a certain area or a certain city can form a group.
  • the used group signature function may provide a join-function which allows generating and integrating new card private keys in already setup groups.
  • the issuer of smartcards can always add new cards to a group which provides a flexible usage of the system.
  • the group signature scheme works nevertheless.
  • the group signature scheme may provide an open-function which allows revealing the user's identity.
  • the access to the open function can be restricted to certain entities.
  • a revocation-function might be provided at the group signature scheme.
  • the revocation function allows revoking a card private key by the issuer. After revocation of the card private key, the verification of a signature based on the card private key fails. The smartcard is no longer able to generate valid signatures for this group.
  • a membership manager and a revocation manager can be established (instead of a single group manager). Both receive specific keys which are needed to perform administrative tasks within the group.
  • a membership manager is capable of adding new members or of revealing the identity of a member in case of abuse of the signature.
  • the revocation manager is capable of revoking a card private key of a user.
  • the membership manager and the revocation manager can be one entity and can use the same private key.
  • Each user may be member of several groups. For this reason, the smartcard might provide several card private keys for the membership of several groups. The different keys might also refer to different group signature schemes.
  • before transmitting the pseudonym to the service provider, the smartcard and the service provider might establish a secure communication channel.
  • This secure communication channel then may be used for communication between the service provider and the smartcard.
  • the secure communication channel can be used for transmitting the pseudonym to the service provider.
  • the smartcard can supply the service provider with a set of user attributes through this secure communication channel. Examples for such user attributes include the citizenship of the user, the city or the address of the user, or even the size of the user.
  • the user attributes are preferably stored in a memory area of the smartcard.
  • the secure communication channel may be based on Secure Socket Layer (SSL) or on Transport Layer Security (TLS).
  • Fig. 1 is a block diagram showing generation and unauthenticated transmission of a pseudonym according to the method of the art
  • Fig. 2 is a block diagram showing generation and authenticated transmission of a pseudonym according to the method of the art.
  • Fig. 3 is a block diagram which refers to a preferred embodiment of a method according to the invention.
  • Fig. 1 is a block diagram which shows a method as used (in principle) for the Austrian eID card.
  • a secret identifier for the user is stored on the eID card of the user.
  • the eID card is a special smartcard issued by a trusted issuer (generally a bank institute) for a particular citizen (the user) who can authenticate using this eID card.
  • a public identifier for the service provider is combined with the secret identifier of the user. This leads to an unambiguous pseudonym P which allows recognizing the user but which is different for each service provider connected in this way.
  • the pseudonym P generated in this manner is transmitted to the service provider using unauthenticated transmission.
  • the pseudonym P is recognized and used for the services of the service provider, e.g. identifying a user at a music download portal.
  • Fig. 2 shows a block diagram referring to authenticated transmission of the pseudonym to a user as suggested in the art.
  • the pseudonym P is again generated using the secret identifier of the user and the public identifier for the service provider. This is performed on the eID card, as is the generation of a signature for the pseudonym P.
  • a card private key is used which is unique for the particular eID card.
  • the card private key is linked uniquely to a card public key which is used at checking of the signature.
  • the pseudonym P and its signature are transmitted to a service provider which uses the signature for authentication of the user. Therefore, the card public key is combined with a signature of the pseudonym.
  • the pseudonym P may be recognized and used for providing services of that service provider.
  • the service provider does not store the card public key and does not use the information for tracking the user's habits.
  • a technical possibility is given which breaks the unlinkability of the pseudonyms P for different service providers.
  • Fig. 3 shows a method according to the invention which solves this problem.
  • This method allows verifying that a transmitted signature is generated by a valid eID card. By doing so, authentication of the signature is possible, but a link to the user generating the signature is prevented.
  • the pseudonym P is again generated using the secret identifier of the user and the public identifier of the service provider.
  • a signature is generated using a card private key.
  • this card private key is a key of a group signature scheme which is linked to a group public key. This group public key is shared by many cards and thus by many users.
  • the group signature scheme allows authentication of the signature without allowing a link to a specific user.
  • the pseudonym P and its signature are transmitted to the service provider preferably (but not necessarily) using a secure communication channel based on SSL or TLS.
  • the group signature is checked using the group public key to which the user generating the signature belongs. After passing the group signature check, the membership of the user to the specific group is verified.
  • as the group signature is generated by a smartcard which is issued by a trusted issuer, the smartcard itself generating the signature can be trusted.
  • the pseudonym P generated on the smartcard using the secret identifier of the user can be trusted as well.
  • by using the group signature for signing and the secret identifier of the user for generating the piece of information to be authenticated, both the user and the piece of information are authenticated.
  • as a group signature scheme generally does not reveal the identity of the user who generated the group signature, linkability of an eID card at several service providers is prevented technically. Thus, security and privacy of a user can be guaranteed using technical means.
  • a user has received an eID card from the local issuing authority.
  • the user now accesses the library's website and orders a set of books to read at home.
  • the library requires a proof that the user is a local.
  • the user fills in the form and his eID card gives out the proof that the user is a local, based on a pseudonym generated for the library.
  • when the user returns the book, he/she will associate the return with that same pseudonym, thanks to his/her eID card.
  • the transactions with pseudonyms will be secured by the fact that the card will prove that it is a correctly issued card without revealing the user's identity.
  • the card will use a group signature to sign over the newly generated pseudonym.
  • the card can prove that the user is a local resident by signing other information with that same group signature.
  • the library can contact the issuing authority (e.g. the local government) to break the anonymity provided by the group digital signature (using the open function) and reveal the user behind that pseudonym, if a group signature scheme with such an open function has been applied.


Abstract

A method for supporting secure authentication of a user using a smartcard, in particular an electronic identity (eID) card, said smartcard storing a secret identifier and being issued by a trusted issuer, said secret identifier being uniquely assigned to said user, wherein a pseudonym is generated on said smartcard, said pseudonym being based on said secret identifier, is characterized by the steps of generating a signature for said pseudonym, said signature being generated on said smartcard and being based on a group signature scheme, transmitting said pseudonym and said signature to a service provider, and verifying said pseudonym by checking said signature using one or several group public keys, wherein at said verification step the identity of said user cannot be revealed.

Description

METHOD FOR SUPPORTING SECURE AUTHENTICATION OF A USER USING A SMARTCARD
The present invention relates to a method for supporting secure authentication of a user using a smartcard, in particular an electronic identity (eID) card, said smartcard storing a secret identifier and being issued by a trusted issuer, said secret identifier being uniquely assigned to said user, wherein a pseudonym is generated on said smartcard, said pseudonym being based on said secret identifier.
In recent years several smartcard-based authentication systems have evolved. Smartcards are pocket-sized cards with embedded integrated circuits. They can store data, receive input data, process data and generate an output generally based on the input data. Many smartcards provide a storage area which can only be read using the embedded integrated circuit, generally a processor. Thus, this memory area can store private information which can only be read if, for instance, a correct passphrase is provided. For some data, output might be prevented completely. Such data can only be read and used when processing data on the smartcard, e.g. when generating a signature or encrypted data.
Smartcard functionality is currently added to identity cards, thus forming electronic identity (eID) cards. In several countries these eID cards have been introduced or will be introduced shortly. With these cards, citizens can authenticate to electronic services (like music download services) or prove that they have a certain attribute (for instance that they live in a certain city or are more than 18 years old). One benefit is that the service provider can recognize a user when he/she accesses its services. However, when the same unique identifier provided by the smartcard is used with several service providers, these different service providers could merge their databases and build a profile of the users. This violates the privacy of the users.
The Austrian eID solution ("Bürgerkarte") addresses this problem by generating pseudonyms on the card. The pseudonyms are created using a hash function, receiving as input both a secret key stored on the card and a unique identifier of the service provider. In this way, a service provider can recognize a user, as the user always accesses its services using the same pseudonym. As the pseudonyms are different for different service providers, linking of pseudonyms is not possible and building a profile of the users is prevented.
However, even this approach is problematic if authentication of the pseudonym should be provided. In case of user authentication, a signature is generated based on a card secret identifier stored in the smartcard. In many systems of the art, this key is only used for establishing a communication channel to the service provider, and after authentication the received signature is deleted. However, as the signature can be related unambiguously to a specific user, this approach offers information that can be abused by service providers. Service providers can store the public key and use it as a unique identifier, breaking the unlinkability provided by the pseudonym. As such, the privacy protection provided by the pseudonym generation is rendered inert when authentication schemes are used.
It is therefore an object of the present invention to improve and further develop a method of the initially described type which provides authentication of a user without transmitting information which is unambiguously linked to this user.
In accordance with the invention, the aforementioned object is accomplished by a method comprising the features of claim 1. According to this claim, such a method is characterized by the steps of generating a signature for said pseudonym, said signature being generated on said smartcard and being based on a group signature scheme, transmitting said pseudonym and said signature to a service provider, and verifying said pseudonym by checking said signature using one or several group public keys, wherein at said verification step the identity of said user cannot be revealed.
According to the invention and in contrast to the methods of the art it has first been recognized that for authentication of a user using a smartcard unique association of a signature to a user is not necessary. According to methods of the art, each signature provided at smartcards is unambiguously linked to a user, as this is regarded to improve the authentication. However, in this context and according to the invention it is sufficient to know that the information to which the authenticating signature refers is generated by a trusted smartcard. At the method concerning the invention, the service provider receives a pseudonym from the smartcard which was generated based on the secret identifier stored on the smartcard. This secret identifier cannot be changed after programming into the smartcard by the trusted issuer of the smartcard. If the service provider receives this pseudonym and can be sure that this pseudonym was generated by a trusted smartcard, authentication does not have to provide a link to a particular user. In fact it is sufficient to authenticate the smartcard as being trusted in order to authenticate the pseudonym.
According to the invention the signature for the pseudonym is generated based on a group signature scheme. Group signature schemes allow generating of signatures by the members of the group and verification of the signature using the group public key. At verifying the signature, it can be ensured that the signature was generated by one of the members of the group, but the identity of the user cannot be revealed. At using the group signature scheme, in a first step a signature for the pseudonym is generated on the smartcard based on the group signature scheme. The pseudonym and the signature are transmitted to the service provider. The service provider verifies the pseudonym by checking the signature using one or several group public keys, depending on the used group signature scheme. By doing so, the service provider can ensure that the pseudonym was generated and sent by a trusted smartcard. If the pseudonym would not be generated on the smartcard, the verification of the pseudonym and a signature would fail. Thus, the method concerning to the invention provides a secure authentication.
The term "group signature scheme" refers to each signature scheme, where a valid group signature can be generated by one of its members and one or several public group keys are sufficient to ensure the membership of the member. One possibility of such a group signature scheme was published by Chaum & van Heyst in 1991. Other group signature schemes were published for instance by Camenisch & Michels in November 1998. Also ring signature schemes can be used in combination with the method according to the invention. Typically, group signature schemes include the possibility for one specific entity, the group manager, to identify the signer. At ring signatures schemes, a signature is generated based on the transmitted message, the private key of the signing user and each public key of the other members of the group; there is no need for prearranged groups, as the group can be formed ad hoc using the public keys of its members. At verification of these signatures, the public keys of each member of the group, the message and the signature are checked. If the ring signature is properly computed, the test is passed. However, it is not possible for anyone to reveal the identity of the user who generated the signature. It should be understood that this signature scheme is also within the scope of the appended claims.
Further, it should be understood that the pseudonym can be any piece of information which is generated by the smartcard based on the secret identifier (which may be identical to a cryptographic private key) of the user. Although the pseudonym as described in connection with the Austrian eID card, and this kind of eID, is one of the preferred embodiments of the invention, it is obvious to those skilled in the art that other pieces of information can be used as well. It is only important that the piece of information is based on a secret identifier, or key, of the user.
One possibility for generating the pseudonym is to combine a random number generated on the smartcard with the secret identifier. As the pseudonym has to be the same at each connection of the smartcard to a specific service provider, the pseudonym may be stored in a table which links each service provider to its respective pseudonym. This table is preferably stored in a memory space of the smartcard. As the pseudonym is generated on the smartcard using the secret identifier of the user, the pseudonym and its signature can be trusted whenever the signature is recognized as being correct.
Another possibility is to generate the pseudonym further based on a public identifier of the service provider. This public identifier can be generated once and stored on a remote webserver. When a pseudonym is to be generated, the public identifier can be retrieved from this webserver and passed to the smartcard for generation of the pseudonym. The pseudonym is then generated on the smartcard using the secret identifier of the user and the public identifier of the service provider.
Preferably, the signature for the pseudonym is generated on the smartcard based on a card private key. This card private key is integrated in a group signature scheme, i.e. each signature generated with the card private key using the group signature scheme can be verified using one or several group public keys. With most group signature schemes one group public key is sufficient. When using ring signature schemes, several public keys from the group are necessary. The card private key can be stored in the same way as the secret identifier, in a smartcard memory space which cannot be accessed directly through the I/O pin(s) of the smartcard. Each access to this memory space is controlled by the integrated circuit of the smartcard.
Preferably, the individual keys necessary for the group signature scheme are generated when issuing the smartcards, using a setup-function provided by the group signature scheme. At the setup of the group signature, one or several card private keys are generated as well as the group public key(s). There are group signature schemes known in the art which allow for the creation of very large groups. Even when using the smartcards as eID cards, it is possible for all users of the eID card solution to be members of just one group. Alternatively, the set of users can be split up into smaller groups, provided they are large enough to ensure the users' anonymity. For example, users living in a certain area or a certain city can form a group.
In order to keep the method according to the invention flexible, the group signature scheme used may provide a join-function which allows new card private keys to be generated and integrated into groups that have already been set up. Thus, the issuer of smartcards can always add new cards to a group, which makes usage of the system flexible. The group signature scheme continues to work after such additions.
In case of an abuse of the system, the group signature scheme may provide an open-function which allows the user's identity to be revealed. Access to the open-function can be restricted to certain entities. In order to remove smartcards from a group, a revocation-function may be provided by the group signature scheme. The revocation-function allows the issuer to revoke a card private key. After revocation of the card private key, the verification of a signature based on that card private key fails. The smartcard is no longer able to generate valid signatures for this group.
At the setup of the group and depending on the used group signature scheme, a membership manager and a revocation manager can be established (instead of a single group manager). Both receive specific keys which are needed to perform administrative tasks within the group. A membership manager is capable of adding new members or of revealing the identity of a member in case of abuse of the signature. The revocation manager is capable of revoking a card private key of a user. The membership manager and the revocation manager can be one entity and can use the same private key.
Each user may be member of several groups. For this reason, the smartcard might provide several card private keys for the membership of several groups. The different keys might also refer to different group signature schemes.
Before transmitting the pseudonym to the service provider, the smartcard and the service provider may establish a secure communication channel. This secure communication channel may then be used for communication between the service provider and the smartcard. In particular, the secure communication channel can be used for transmitting the pseudonym to the service provider. Besides that, the smartcard can supply the service provider with a set of user attributes through this secure communication channel. Examples of such user attributes include the citizenship of the user, the city or the address of the user, or even the size of the user. The user attributes are preferably stored in a memory area of the smartcard. The secure communication channel may be based on Secure Socket Layer (SSL) or on Transport Layer Security (TLS).
There are several ways of designing and further developing the teaching of the present invention in an advantageous way. To this end, reference is made to the patent claims subordinate to patent claim 1 on the one hand, and to the following explanation of a preferred embodiment of the invention by way of example, illustrated by the figures, on the other hand. In connection with the explanation of the preferred embodiment of the invention with the aid of the figures, generally preferred embodiments and further developments of the teaching will be explained. In the drawings,
Fig. 1 is a block diagram showing generation and unauthenticated transmission of a pseudonym according to the method of the art,
Fig. 2 is a block diagram showing generation and authenticated transmission of a pseudonym according to the method of the art, and
Fig. 3 is a block diagram which refers to a preferred embodiment of a method according to the invention.
Fig. 1 is a block diagram which shows the method as used (in principle) with the Austrian eID card. A secret identifier for the user is stored on the eID card of the user. The eID card is a special smartcard issued by a trusted issuer (generally a banking institution) to a particular citizen (the user), who can authenticate using this eID card. When generating a pseudonym for use at a service provider, a public identifier of the service provider is combined with the secret identifier of the user. This leads to an unambiguous pseudonym P which allows the user to be recognized but which is different for each service provider connected in this way. The pseudonym P generated in this manner is transmitted to the service provider using unauthenticated transmission. At the service provider, the pseudonym P is recognized and used for the services of the service provider, e.g. identifying a user at a music download portal.
Fig. 2 shows a block diagram referring to authenticated transmission of the pseudonym to a user as suggested in the art. The pseudonym P is again generated using the secret identifier of the user and the public identifier of the service provider. This is performed on the eID card, as is the generation of a signature for the pseudonym P. When generating the signature, a card private key is used which is unique to the particular eID card. The card private key is uniquely linked to a card public key which is used when checking the signature. The pseudonym P and its signature are transmitted to a service provider which uses the signature for authentication of the user. To this end, the card public key is used to check the signature of the pseudonym. If the signature is proven to be correct, the pseudonym P may be recognized and used for providing the services of that service provider. Generally, it is expected that the service provider does not store the card public key and does not use this information for tracking the user's habits. However, the technical possibility remains, and it breaks the unlinkability of the pseudonyms P across different service providers.
Fig. 3 shows a method according to the invention which solves this problem. This method allows verifying that a transmitted signature was generated by a valid eID card. In this way the signature can be authenticated, but a link to the user who generated it is prevented. The pseudonym P is again generated using the secret identifier of the user and the public identifier of the service provider. For the pseudonym P a signature is generated using a card private key. However, in contrast to the method of the art, this card private key is a key of a group signature scheme and is linked to a group public key. This group public key is shared by many cards and thus by many users. The group signature scheme allows authentication of the signature without allowing a link to a specific user.
The pseudonym P and its signature are transmitted to the service provider, preferably (but not necessarily) using a secure communication channel based on SSL or TLS. At the service provider, the group signature is checked using the group public key of the group to which the signing user belongs. Passing the group signature check verifies that the user is a member of that specific group. As the group signature is generated by a smartcard which was issued by a trusted issuer, the smartcard generating the signature can itself be trusted. Thus, the pseudonym P generated on the smartcard using the secret identifier of the user can be trusted as well. By combining the group signature for signing with the secret identifier of the user for generating the piece of information to be authenticated, both the user and the piece of information are authenticated. As a group signature scheme generally does not reveal the identity of the user who generated the group signature, linkability of an eID card across several service providers is prevented by technical means. Thus, security and privacy of a user can be guaranteed using technical means.
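As an added example (not code from the patent or from NEC), the Fig. 3 flow above and the pseudonym derivation of the description modelled in Python: a card derives a per-service-provider pseudonym from its secret identifier and the provider's public identifier, signs it so that the provider can check that some issued card produced it without learning which one, and the provider verifies it. Assumptions: the pseudonym is an HMAC of the provider identifier under the secret identifier (the description only says the two are "combined"); the group signature is stood in for by an AOS-style Schnorr ring signature, which the description names as within scope; and the group parameters are a tiny toy group (P = 1019) chosen for readability, with no security value.

```python
import hashlib
import hmac
import secrets

# Toy Schnorr group (an assumption for illustration only): G generates the
# order-Q subgroup of Z_P^* with P = 2Q + 1. Far too small to be secure.
P, Q, G = 1019, 509, 4


def make_pseudonym(secret_identifier: bytes, sp_identifier: bytes) -> str:
    """Pseudonym derived on the card (HMAC is an assumed way to 'combine' the
    secret identifier with the provider identifier; same SP -> same pseudonym)."""
    return hmac.new(secret_identifier, sp_identifier, hashlib.sha256).hexdigest()


def keygen() -> tuple[int, int]:
    """Card private key x and card public key y = G^x mod P (issuer setup)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _challenge(message: bytes, ring: list[int], commitment: int) -> int:
    """Fiat-Shamir challenge over message, whole ring and one commitment."""
    h = hashlib.sha256(message)
    for y in ring:
        h.update(y.to_bytes(2, "big"))
    h.update(commitment.to_bytes(2, "big"))
    return int.from_bytes(h.digest(), "big")   # full 256-bit value, used as exponent


def ring_sign(message: bytes, ring: list[int], s: int, x: int) -> tuple[int, list[int]]:
    """AOS-style ring signature by ring member s, who holds private key x."""
    n = len(ring)
    alpha = secrets.randbelow(Q - 1) + 1
    c, r = [0] * n, [0] * n
    i = (s + 1) % n
    c[i] = _challenge(message, ring, pow(G, alpha, P))
    while i != s:                                  # simulate every other member
        r[i] = secrets.randbelow(Q)
        commitment = pow(G, r[i], P) * pow(ring[i], c[i], P) % P
        c[(i + 1) % n] = _challenge(message, ring, commitment)
        i = (i + 1) % n
    r[s] = (alpha - c[s] * x) % Q                  # close the ring with the real key
    return c[0], r


def ring_verify(message: bytes, ring: list[int], signature: tuple[int, list[int]]) -> bool:
    """Service-provider check: needs only the public keys, never learns the signer."""
    c0, r = signature
    if len(r) != len(ring):
        return False
    c = c0
    for y, r_i in zip(ring, r):
        c = _challenge(message, ring, pow(G, r_i, P) * pow(y, c, P) % P)
    return c == c0


def demo_flow() -> dict:
    """Fig. 3 end to end with constructed data: five issued cards, card 2 derives
    a pseudonym for a library and ring-signs it, the library verifies it."""
    cards = [keygen() for _ in range(5)]
    ring = [y for _, y in cards]                   # the published group public keys
    user_secret = secrets.token_bytes(32)          # constructed secret identifier
    p_library = make_pseudonym(user_secret, b"sp:city-library")
    p_music = make_pseudonym(user_secret, b"sp:music-portal")
    sig = ring_sign(p_library.encode(), ring, 2, cards[2][0])
    # A key the issuer never placed in the ring (differs from card 2's key by
    # construction); its signature fails except with probability 1/Q.
    x_outsider = cards[2][0] % (Q - 1) + 1
    bad_sig = ring_sign(p_library.encode(), ring, 2, x_outsider)
    return {
        "pseudonym_library": p_library,
        "pseudonym_music": p_music,
        "accepted": ring_verify(p_library.encode(), ring, sig),
        "replayed_at_other_sp": ring_verify(p_music.encode(), ring, sig),
        "outsider_rejected": not ring_verify(p_library.encode(), ring, bad_sig),
    }
```

With a real group the verifier learns only "some card in this group signed this pseudonym"; the open-function of a true group signature scheme, which a ring signature lacks, is what the description reserves for the issuer in the abuse case.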
In the following, an example usage scenario is described to further improve understanding of the invention. A user has received an eID card from the local issuing authority. The user now accesses the library's website and orders a set of books to read at home. The library requires proof that the user is a local. The user fills in the form and his eID card gives out the proof that the user is a local, based on a pseudonym generated for the library. When the user returns the book, he will associate the return with that same pseudonym, thanks to his/her eID card. The transactions with pseudonyms are secured by the fact that the card proves that it is a correctly issued card without revealing the user's identity. The card uses a group signature to sign over the newly generated pseudonym. In a similar way, the card can prove that the user is a local resident by signing other information with that same group signature. Should the user try to steal the book, the library can contact the issuing authority (e.g. the local government) to break the anonymity provided by the group digital signature (using the open-function) and reveal the user behind that pseudonym, if a group signature scheme with such an open-function has been applied.
Many modifications and other embodiments of the invention set forth herein will come to mind to one skilled in the art to which the invention pertains, having the benefit of the teachings presented in the foregoing description and the associated drawings. Therefore, it is to be understood that the invention is not to be limited to the specific embodiments disclosed and that modifications and other embodiments are intended to be included within the scope of the appended claims. Although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.

Claims
1. Method for supporting secure authentication of a user using a smartcard, in particular an electronic identity (eID) card, said smartcard storing a secret identifier and being issued by a trusted issuer, said secret identifier being uniquely assigned to said user, wherein a pseudonym is generated on said smartcard, said pseudonym being based on said secret identifier, characterized by the steps of generating a signature for said pseudonym, said signature being generated on said smartcard and being based on a group signature scheme, transmitting said pseudonym and said signature to a service provider, and verifying said pseudonym by checking said signature using one or several group public keys, wherein at said verification step the identity of said user cannot be revealed.
2. Method according to claim 1, wherein said pseudonym is generated further based on a public identifier of said service provider.
3. Method according to claim 1 or 2, wherein said signature is generated based on a card private key, said card private key being integrated in said group signature scheme.
4. Method according to claim 3, wherein said group public key and said card private key are generated using a setup-function of said group signature scheme.
5. Method according to claim 3 or 4, wherein said card private key is generated and integrated in said group signature scheme by said issuer using a join-function of said group signature scheme.
6. Method according to any of claims 3 to 5, wherein said group signature scheme provides an open-function, said open function revealing the identity of said user.
7. Method according to any of claims 3 to 6, wherein said group signature scheme provides a revocation-function, said revocation-function allowing revocation of a card private key by said issuer, wherein after revocation of said card private key said step of verification fails.
8. Method according to any of claims 1 to 7, further comprising the step of setting up a secure communication channel between said smartcard and said service provider, said secure communication channel being used for communication between said service provider and said smartcard.
9. Method according to claim 8, wherein said secure communication channel is used for transmitting said pseudonym to said service provider.
10. Method according to claim 8 or claim 9, wherein said secure communication channel is used for transmitting user attributes of said user of said smartcard.
11. Method according to any of claims 8 to 10, wherein said secure communication channel is based on SSL (Secure Socket Layer) or TLS (Transport Layer Security).
PCT/EP2009/006945 2008-09-25 2009-09-25 Method for supporting secure authentication of a user using a smartcard WO2010034507A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP08016811 2008-09-25
EP08016811.5 2008-09-25

Publications (1)

Publication Number Publication Date
WO2010034507A1 true WO2010034507A1 (en) 2010-04-01

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050081038A1 (en) * 2001-12-27 2005-04-14 David Arditti Modiano Cryptographic system for group signature

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Camenisch, J. et al.: "Efficient group signature schemes for large groups", Advances in Cryptology - CRYPTO '97 (Proceedings of the Annual International Cryptology Conference), Santa Barbara, 17-21 August 1997, Springer, Berlin, vol. Conf. 17, pages 410-424, XP000767547, ISBN 978-3-540-63384-6 *
Canard, S. et al.: "Implementing group signature schemes with smart cards", Smart Card Research and Advanced Applications (IFIP Working Conference on Smart Card Research and Advanced Applications), 21 November 2002, pages 1-10, XP002370010 *
Chaum, D.: "Group signatures", Advances in Cryptology - EUROCRYPT (International Conference on the Theory and Application of Cryptographic Techniques), Springer, 1 April 1991, pages 257-265, XP000900793 *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09736378

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09736378

Country of ref document: EP

Kind code of ref document: A1