Abstract
We investigate eIDAS Token specification for Pseudonymous Signature published recently by German security authority BSI, German Federal Office for Information Security. We analyze how far the current specification prevents privacy violations by the Issuer by malicious or simply careless implementation. We find that, despite the declared design goal of protecting privacy of the citizens, it is quite easy to convert the system into a “Big Brother” system and enable spying the citizens by third parties.
We show that there is a simple and elegant way for preventing all attacks of the kind described. Moreover, we show that it is possible with relatively small amendments to the scheme.
This research has been supported by the Polish National Science Centre, project HARMONIA, DEC-2013/08/M/ST6/00928.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Bao, F., Deng, R.H., Zhu, H.: Variations of Diffie-Hellman problem. In: Qing, S., Gollmann, D., Zhou, J. (eds.) ICICS 2003. LNCS, vol. 2836, pp. 301–312. Springer, Heidelberg (2003)
Bender, J., Dagdelen, Ö., Fischlin, M., Kügler, D.: Domain-specific pseudonymous signatures for the German identity card. IACR Cryptology ePrint Archive 2012, 558 (2012)
Bender, J., Dagdelen, Ö., Fischlin, M., Kügler, D.: Domain-specific pseudonymous signatures for the German identity card. In: Gollmann, D., Freiling, F.C. (eds.) ISC 2012. LNCS, vol. 7483, pp. 104–119. Springer, Heidelberg (2012)
Bringer, J., Chabanne, H., Lescuyer, R., Patey, A.: Efficient and strongly secure dynamic domain-specific pseudonymous signatures for ID documents. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 252–269. Springer, Heidelberg (2014)
BSI: Advanced Security Mechanisms for Machine Readable Travel Documents and eIDAS Token 2.20. Technical Guideline TR-03110-2 (2015)
European Parliament the Council: Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014)
Hanzlik, L., Kutyłowski, M.: Insecurity of anonymous login with German personal identity cards. In: Security and Privacy in Social Networks and Big Data (SocialSec), pp. 39–43. IEEE Computer Society (2015)
Kluczniak, K.: Anonymous authentication using electronic identity documents. Ph.D. Dissertation, submitted (2016)
Kluczniak, K.: Domain-specific pseudonymous signatures revisited. IACR Cryptology ePrint Archive 2016, 70 (2016)
NIST: Annex C: Approved random number generators for FIPS PUB 140–2, security requirements for cryptographic modules, January 2016. http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexc.pdf
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Kutyłowski, M., Hanzlik, L., Kluczniak, K. (2016). Pseudonymous Signature on eIDAS Token – Implementation Based Privacy Threats. In: Liu, J., Steinfeld, R. (eds) Information Security and Privacy. ACISP 2016. Lecture Notes in Computer Science(), vol 9723. Springer, Cham. https://doi.org/10.1007/978-3-319-40367-0_31
Download citation
DOI: https://doi.org/10.1007/978-3-319-40367-0_31
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-40366-3
Online ISBN: 978-3-319-40367-0
eBook Packages: Computer ScienceComputer Science (R0)