abc4trust architecture and the benefits for eid schemes
TRANSCRIPT
![Page 1: ABC4Trust Architecture and the Benefits for eID Schemes](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55b9fcdebb61eb96638b47f7/html5/thumbnails/1.jpg)
A research project funded by the European Commission’s 7th Framework Programme.
ABC4Trust Architecture and the
Benefits for eID Schemes
Cyber Security & Privacy EU Forum
Brussels, 18-19 April 2013
Ioannis Krontiris, Goethe University Frankfurt
![Page 2: ABC4Trust Architecture and the Benefits for eID Schemes](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55b9fcdebb61eb96638b47f7/html5/thumbnails/2.jpg)
08.01.2015
Overview
• Example of German eID
• Privacy problems
• Privacy-ABCs to the rescue
• The ABC4Trust architecture
• Integration to the German eID system
• Privacy-ABCs on Smart Cards
![Page 3: ABC4Trust Architecture and the Benefits for eID Schemes](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55b9fcdebb61eb96638b47f7/html5/thumbnails/3.jpg)
08.01.2015
eIDs in Europe
• A number of eIDs and qualified electronic signatures (QES)
already exist
e-Government services
Healthcare services
Financial services
Online shopping
![Page 4: ABC4Trust Architecture and the Benefits for eID Schemes](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55b9fcdebb61eb96638b47f7/html5/thumbnails/4.jpg)
08.01.2015
The German e-ID system
![Page 5: ABC4Trust Architecture and the Benefits for eID Schemes](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55b9fcdebb61eb96638b47f7/html5/thumbnails/5.jpg)
08.01.2015
Security and Privacy Problems
• eID server knows all user transactions
The eID server traces and links all communications and transactions of
each user
• eID server knows all customers of the service provider
The eID server learns all customers trying to access a specific service
• User impersonation
Insiders can copy or alter user’s credentials and impersonate them to
services.
• Availability
Denial of service attacks against the eID server impacts all applications
using the service.
![Page 6: ABC4Trust Architecture and the Benefits for eID Schemes](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55b9fcdebb61eb96638b47f7/html5/thumbnails/6.jpg)
08.01.2015
Moving Ahead
“As such, privacy-enhanced PKI technologies have
significant potential to enhance existing eID card privacy
functions. Although these technologies have been available
for a long time, there has not been much adoption in
mainstream applications and eID card implementations”
• the available technologies based on Privacy-ABCs use different terminology for their features and even different cryptographic mechanisms to realize them
• the performance of Privacy-ABCs on smart cards (like eIDs) was poor and did not allow practical deployment
• Privacy-ABCs are very complex and hard to understand for non-specialists
![Page 7: ABC4Trust Architecture and the Benefits for eID Schemes](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55b9fcdebb61eb96638b47f7/html5/thumbnails/7.jpg)
08.01.2015
High-level view (user)
7
• technology-agnostic
credential & policy handling
• unified and technology-
independent APIs
![Page 8: ABC4Trust Architecture and the Benefits for eID Schemes](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55b9fcdebb61eb96638b47f7/html5/thumbnails/8.jpg)
08.01.2015
High-level view (presentation)
8
language framework covering
the full life-cycle of
credentials and support all
concepts
![Page 9: ABC4Trust Architecture and the Benefits for eID Schemes](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55b9fcdebb61eb96638b47f7/html5/thumbnails/9.jpg)
08.01.2015
ABC4Trust Interactions and Entities
9
Unlinkability (presentation)
Selective Disclosure
Unlinkability (multi-use)
![Page 10: ABC4Trust Architecture and the Benefits for eID Schemes](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55b9fcdebb61eb96638b47f7/html5/thumbnails/10.jpg)
08.01.2015
• Privacy-ABCs are by default untraceable
IdSPs are not able to track and trace at which sites the user is presenting the
information
• Privacy-ABCs can be obtained in advance and stored
No real-time burden of the IdSP – better scalability
• User-binding
No credential pooling possible – Presentation requires proof of knowledge of a
secret key (stored on a secure device like SC)
• Unlimited number of pseudonyms supported
In addition to which, scope-exclusive pseudonyms can be imposed – user can
only register one pseudonym per scope (URL).
Advantages
10
![Page 11: ABC4Trust Architecture and the Benefits for eID Schemes](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55b9fcdebb61eb96638b47f7/html5/thumbnails/11.jpg)
08.01.2015
German eID Integration
11
R. Bjones, “eParticipation Scenario Reference Guide”, Microsoft, Tech. Rep., October 2010
![Page 12: ABC4Trust Architecture and the Benefits for eID Schemes](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55b9fcdebb61eb96638b47f7/html5/thumbnails/12.jpg)
08.01.2015
ABCs on Smart Cards
• ABCs are practical on smart cards
• We selected a contactless smart card chip with cryptoprocessor
• We found that, using precomputations (coupons):
U-Prove can be made efficient
• Issuance < 260 ms
• Presentation 434 ms for 10 attributes
Idemix can be made efficient
• Issuance 231 ms
• (less clear for presentation)
• Specification and development of the ABC4Trust card are now
underway
12
![Page 13: ABC4Trust Architecture and the Benefits for eID Schemes](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55b9fcdebb61eb96638b47f7/html5/thumbnails/13.jpg)
08.01.2015
Smart Card Architecture
13
32-bit chip made available by Invia