AT519025B1 - Procedure for exchanging data fields of certified documents - Google Patents

Abstract

The invention relates to a method for exchanging data fields of certified documents between a client (U) and a service (S) via an authentication server (A), wherein the client (U) has a document (Doc) containing a number of encrypted data fields (c1, ..., cn) and a signature (σ), - wherein the document (Dok) is transmitted from the client (U) to the authentication server (A), - wherein the client (U) the authentication server ( A) communicates a modification rule (m) indicating which of the data fields (c1, ..., cn) of the document (doc) may not be transmitted from the authentication server (A) to the service (S), - the authentication server (A) a modified document (Dok ') is created, in which the given data fields (c1, ..., cn) or the signature (σ) are modified, - that a certificate (z) is added to the modified document (doc'), that the modified document (doc ') including the certificate s (z) is transmitted from the authentication server (A) to the service (S), - that the service (S) checks the modified document (Dok ') on the basis of the certificate (z) as to whether the data fields (c1', .. ., cn ') of the modified document (Dok') were created on the basis of a document (Doc) with a valid signature (σ) and the modification mentioned in step e) corresponds to the modification instruction (m), i) that the service (S) has key material that allows the service (S) to decrypt the data fields (c1 ', ..., cn').

Description

Description [0001] The invention relates to a method for selective exchange of individual data fields of certified documents between a client and a service via an authentication server while maintaining the authenticity of the data in a cloud environment.

The project leading to this application was supported by the European Union's Horizon 2020 Research and Innovation Framework Program under Grant Agreement number 653454 ('CREDENTIAL').

Different approaches are known from the prior art, with which it is possible to prove individual access permissions for different services on the Internet at different points.

From the prior art, it is particularly known to store individual passwords or access information that a user needs to access a service on a local disk. If the same user is to contact the service from a client computer, the documents thus stored on the data carrier or the information contained in the data fields of the documents, such as e.g. Activation codes are transmitted from the data carrier via the respective client computer to the service. In this case, however, there is the problem that all data on each currently used client computer are available in plain text, which in turn has the disadvantage that when using an insecure client computer, there is a risk that the documents are unauthorized Can be read out to third parties.

In addition, it is known to store information that allows access to individual services on an on-line authentication server, the individual data fields of the documents that are normally exchanged between client and service, are stored in plain text on the authentication server. With this procedure, it is possible to use the documents from different clients, whereby the client concerned does not need to know anything about the documents since these are transmitted by the authentication server to the relevant service. However, this has the considerable disadvantage that the authentication server receives all the data fields of the user's documents in plain text.

The methods mentioned in the prior art have the particular problem that a client computer or the authentication server has sensitive data in plain text and therefore can receive a variety of personal information about the user.

The object of the invention is to provide a method for the selective exchange of data fields of certified documents between a client and a service via an authentication server, wherein the authentication server no significant gain in information about the exchanged between the client and the service data fields receives.

The invention solves this problem in a method of the type mentioned above with the features of claim 1.

With this method, it is advantageously possible to store all access information that a user needs for various services located on the Internet in order to store on an authentication server, which in turn receives no knowledge about the relevant access information. In addition, no information about the exchanged data fields is transmitted to the specifically used client.

An advantageous approach to avoid that clear text data known to the authentication server, provides that - the client and the service have private and public keys, - that based on a private and / or public key of the service and, based on the private key of the client, a reencryption key is created and made available to the authentication server, - wherein the Reencryption key encrypts data fields of the document that have been encrypted with the public key of the client in such a way that they are encrypted with the client private keys of the service are decrypted, - that prior to the creation of the certificate in step f), the individual data fields of the modified document agreed in the agreement between the client and the service are re-encrypted using the reencryption key, - that in the certificate additional information is included , d ie specify that the encryption was performed correctly with the Reencryption key created based on the keys specified by the client and service, and that in step j) the private key of the service is used for decryption.

In order to avoid traceability or linkability of the client based on the transmitted encrypted data fields, it can be provided that - before re-encrypting a Rerandomisierung the document is made in which the agreed in the agreement encrypted data fields are modified in the However, the information contained in encrypted data fields remain unchanged, and that the certificate additionally contains information indicating that the re-randomization was carried out correctly.

An alternative approach to avoid the disclosure of plain text data to the authentication server provides that - the client has a private and a public key, - that the client creates a derived private key from the private key, - that the in the agreement, data fields of the document are encrypted to be decryptable with the derived private key, - that the derived private key is transmitted to the service, - that in step e) at least the signature of the document is modified, and - the derived private key is used to decrypt the data fields of the modified document.

In order to avoid traceability or linkability of the client based on the transmitted encrypted data fields, it can be provided that - in the course of the modification, a rerandomization is carried out in which the encrypted data fields agreed in the agreement are modified, which in the encrypted However, the information contained in data fields remains unchanged, and that the certificate additionally contains information indicating that the re-randomization has been carried out correctly.

To create a document can be provided in particular: - that the client has a private and a public key, - that the document is created by a number of plain text data fields are encrypted with the public key of the client, - that a certification authority creates a signature that depends on the encrypted data fields and on its own private key; and that in step h) the public key of the certification authority is used to verify the validity of the certificate.

In order to allow the certification body checks individual data fields before the award of the signature, it can be provided that the certification body checks before creating the signature for a number of encrypted data fields of the document, whether they are encrypted by default or between result in clear text data fields agreed upon by the client and the certification authority.

The access to the service in question provides, in particular, that the client makes an access request to the service after step d), that the service prompts the authentication server for the transmission of the modified document and the modified document corresponding to the steps in which Step h) checks, and - that the service checks the required authorization of the client based on the decrypted data fields, the certificate and the modified document and, if appropriate, grants the access to the client according to the access request.

Furthermore, the invention solves this problem in a system of the type mentioned above with the features of claim 9.

Several embodiments of the invention will now be described in detail: Fig. 1 shows schematically the procedure in a first embodiment of the invention. In this embodiment, a client U, a service S and an authentication server A are connected to one another via a computer network, in particular via the Internet, whereby a separate logical connection can be established between each of the aforementioned computers U, S, A.

Typically, the procedure according to the invention is used to make an access request from the client U to the service S, wherein the user does not necessarily have all the information required for authentication at the service S available to him on the client U currently being used by him. This information is stored in the form of a document on the authentication server A. If a client U wants to receive access to the service S, the service S in turn requests the authentication server A to transmit the data required for the authentication and then checks the required authorization of the client U based on the data transmitted by the authentication server A. If the data transmitted by the authentication server A to the service S for authentication allow access or authorize the client U to access the service, the service S allows the client U access according to the access request.

For authentication, a document Dok is created, which has a number of encrypted data fields Ci, ..., cn, wherein the encrypted data fields Ci, ..., cn after decryption the service the release of the client U requested data allow. The encryption of the relevant data fields Ci,..., Cn of the document Dok can be carried out either by the relevant client U or by a certification authority CA. Subsequently, a signature σ is created by the certification authority CA or by the client U and added to the document Dok. With this signature σ, it can be subsequently checked whether the certification authority CA has actually certified or signed the encrypted data fields c 1..., Cn of the document doc and whether this signature σ is obtained from the encrypted data fields Ci, Document doc results. Before the signature is created, the certification authority CA checks whether the signature is actually obtained by encryption from the specified plaintext data fields ai,..., Agreed between the client U and the certification authority.

If, for example, the certification authority CA in the form of an authority that is authorized to issue an identity card, a digital document Dok with the data fields "first name", "last name", "date of birth" are created, then can in a particularly simple Embodiment of the invention, the document in question Dok are created directly by the certification authority CA. In this case, the certification authority CA encrypts the individual plaintext data fields ai,..., Of the document doc with its own predefined key and, based on the encrypted data fields Ci,..., Cn, creates a signature s. When creating this signature, a private key skCA of the certification authority CA is advantageously used, with a public key pkCA generally being disclosed for external verification of the validity of the signature by the certification authority CA.

In addition, there is also the possibility that the encryption of the individual data fields Ci, ..., cn of the document Dok is made by the user or by the client U itself, the CA CA is given the opportunity to check whether the encrypted data fields Ci, cn of the document Dok by encryption from the agreed between the client U and the CA CA plaintext data fields ..., on. For example, the client U can encrypt its personal data "first name", "last name", "date of birth" by a certification authority CA authorized to issue identification cards in a manner prescribed by it and can prove to the certification authority CA that the encrypted ones are authenticating Data fields Ci, ..., cn of the document Dok by encoding the to be confirmed by the certification authority CA plain text data fields ai, ..., an. The CA verifies this and provides the document Dok with a corresponding signature σ.

Particularly advantageously, the document can be created if the client U, as indicated in this embodiment, sku, pku has a private and a public key. The document Dok is created by the client U or the certification authority CA encrypts a number of plain text data fields with the client U public key. The certification authority CA generates a signature σ that depends on the encrypted data fields and on their own private signature keys sku.

The individual plaintext data fields ai, ..., are each encrypted independently of one another, with the possibility exists that individual of the resulting encrypted data fields Ci, ..., cn according to different encryption methods and / or with different keys encrypted and contained in the document Dok. The signature σ issued by the certification authority CA is based on the encrypted data fields Ci, ..., cn of the document Dok and allows an external check as to whether on the one hand the signature σ actually originates from the certification authority CA and on the other hand that the encryption of the individual Data fields Ci, ..., cn of the document Dok has expired correctly.

In a preferred embodiment of the invention, there is also the possibility that the certification authority CA agrees with the service S or cooperates with it. This can be advantageous, for example, if a particular service provides one-time codes with which certain services can be called up once, in particular, this relates to the case of the one-time retrieval of a movie via a portal.

For this purpose, the client U can create at his discretion a document Dok containing an encrypted data field Ci, which was created randomly and whose data field size is so large that can be excluded that a data field c ^ of the same content random created twice or more times. Typically, a data field size of 16 to 32 bytes can be selected for this. The client U transmits to the certification authority CA, which is under the control of the service S, a document Dok with an encrypted data field Ci, the content of which has been defined by it. The certification authority CA confirms, for example after payment, the correctness or validity of the document Dok or of the encrypted data field Ci created therein by the client U with regard to the usability for a single viewing of a film in the relevant service S.

As shown in FIG. 1, the client U has one or more documents Doc after being created by the certification authority CA. The or each document Dok has a number of encrypted data fields Ci,..., Cn and a signature , which is dependent on the encrypted data fields Ci, ..., cn. With the knowledge of the relevant certification authority CA, the signature σ can be checked to see whether the encrypted data fields Ci,..., Cn actually originate from the certification authority CA or originate from it.

In order to keep the document or documents Dok available for a plurality of different services S, they are transmitted by the client U on the authentication server A. The authentication server A allows a configuration to the effect that this individual services S allows the query of different data fields Ci, ..., cn of a document stored in his doc. In this case, a modification rule m is specified which prescribes to the authentication server A which of the encrypted data fields Ci,..., Cn of the document doc can not be transmitted from the authentication server A to the service S. The client U and the service S reach an agreement in which it is determined which data fields Ci, ..., cn readable for the service are to be contained in a document doc 'to be transmitted to the service. Thus, for example, the client U the authentication server A deposit a document Doc, in which as data fields c1; ..., cn both his name (first name and surname) and his date of birth are stored. Furthermore, the client U agrees with the service S that the service S is only required to prove that the user has reached a certain age, so that the service S only communicates the encrypted data field c3, which contains the date of birth, contained in the document Dok. The modification regulation m, which the client U transmits to the authentication server A, specifies that the data field d3 of the document doc concerning the date of birth may be transmitted from the authentication server A to the service S while the data fields Ci, c2 of the document doc relating to the first name and last name of the document Authentication server A may not be transmitted to the service S.

In the first embodiment of the invention shown below, the client U and the service S have private and public keys sku, sks or pku, pks and the public key of the certification authority pkCA · based on a private and / or public key of the service as well as on the basis of the private key of the client U, a reencryption key rku ^ s is created and passed to the authentication server A. With this reencryption key rku ^ s, data fields Ci, ..., cn of the document Dok, which are encrypted with the public key pku of the client U, can be re-encrypted in such a way that they can be decrypted with the private key sks of the service S. Such a procedure can be carried out, for example, in connection with an EIGamal-type encryption, see in particular M. Blaze, G. Bleumer, and M. Strauss. "Divertible Protocols and atomic proxy cryptography." In K. Nyberg (ed.), EUROC-RYPT 1998, LNCS vol 1403, pp. 127-144, Springer Verlag, 1998.

In the context of the creation of the modified document Dok ', in which the individual data fields of the document Dok are re-encrypted, one obtains modified data fields c ^, ..., cn', which are assigned to the modified document doc '. Those data fields c ^ c2, which may not be transmitted to the service S due to the modification rule m, are deleted or overwritten with random numbers.

Before re-encrypting, a re-randomization of the document can be made, in which the encrypted data fields agreed upon in the agreement between the client U and the service are modified, the information contained in the encrypted data fields or the plain texts contained in the encrypted data fields unchanged stay.

The modified document Dok 'is further added a certificate z, with the service S is traceable that the data fields Ci', ..., cn 'of the modified document Dok' based on a document Dok valid signature σ have been created and the modification made to the document Dok comprehensively corresponds to the steps of re-encrypting the data fields Ci, ..., cn and deleting or overwriting the data fields Ci, c2 not to be transmitted. The certificate z additionally contains information indicating that the re-encryption was performed correctly with the reencryption key rku ^ s created on the basis of the client U and service S keys.

If a re-randomization is performed before the re-encryption, the certificate z in addition to the correctness of the transcoding still added information with which it can be understood that the Rerandomisierung was performed correctly.

Even if it allows the certificate z to check the correctness of the steps taken, the service S acquires as the recipient of the certificate z no knowledge of the individual underlying the certificate z clear text data fields or used in the encryption key or reencryption -Key. Based on the certificate z, it is possible to demonstrate for the service S without knowledge of the relevant non-public key that all modifications were made during the preparation and modification of the document.

Fonts were respected. That such evidence is possible is from O. Goldreich, S. Micali, A. Widgerson. "How to Prove All NP Statements in Zero-Knowledge, and a Methodology of Cryptographic Protocol Design." In A. Odlyzko (ed.), CRYPTO 1986, LNCS vol 263, pp. 171-185, Springer Verlag, 1986 known theoretically Practical concrete protocols are a standard part of modern cryptographic protocols and are very often based on C.P. Schnorr's "Efficient Signature Generation by Smart Cards". In the Journal of Cryptology, vol. 4 (3), pp. 161-174, Springer Verlag, 1991. A detailed guide to the realization of such protocols can be found, for example, in S. Krenn: "Bringing zero-knowledge proofs of knowledge to practice." Logos Verlag, 2012, ISBN 978-3-8325- 3217-8, and in U. Maurer. "Unifying Zero-Knowledge Proofs of Knowledge", in B. Preneel (ed.), AFRICACRYPT 2009, LNCS vol 5580, pp. 272-286, Springer Verlag, 2009. In particular, it is possible with such methods to check the correctness of the execution of several successive steps, without it being necessary for the checking service S to have knowledge about all the intermediate steps that have been taken. These individual steps are, for example: the validity of the procedure for creating the signature of the document, the re-encryption by the authentication server, the overwriting of the encrypted data fields which are not to be forwarded, the re-randomization of the encrypted data fields to be transmitted, the service wants S, for example, at the request of the client U, check whether certain data fields correspond to predetermined criteria c3, it asks the authentication server A a request for transmission of the modified document Dok '. The authentication server A then transmits the modified document Dok 'including the certificate z to the service S. The service S checks the modified document doc' on the basis of the certificate z as to whether the data fields Ci ', ..., cn' of the modified document doc 'were created on the basis of a document Dok valid signature σ and the aforementioned modification of the modification rule m corresponds, ie whether the re-encryption and, if necessary, re-randomization has been carried out correctly.

In verifying the validity of the certificate, the public key pku of the certification authority CA is used to check the validity of the certificate z.

In the following, a semi-abstract description of the signature and the authentication process is given. For the sake of concretization, the underlying proxy re-encryption method is based on the method described by Blaze et al. (see above), but left the signature method used by the certification authority CA arbitrary.

In this case, the following protocol describes the signature process:

[0040] In this case, the user U has as input values any system parameters sp, the plaintext

Data fields a, the range of valid values for the data fields AS, the indices of the certification authority CA disclosed values D, the public key of the CA pkCA, as well as the own public and private key pku, sku- The CA has the specified input values, whereby pkCA, skCA, different from user U's own private and public keys designate. The plain text data fields a, are encrypted in line 3-4 to c ,, and transferred in line 5 to the CA. In line 6, the user proves by means of a zero-knowledge proof that any disclosed data fields correspond to the agreed values, in concrete terms the values to be proved would be occupied by e, (η), £ D. In line 7, the CA signs the encrypted data fields by means of the signing algorithm Sign of the selected signature method, and returns the signature in line 8 to the user, who outputs the corresponding values and transmits them to the authentication server A.

In order to perform an authentication of the user, the authentication server A and the service S carry out the following steps:

The authentication server A receives the specified input value, similar to the case of the above protocol. Furthermore, it receives a reencryption key rku ^ s, which allows to rewrite key texts from the user's public key to those of the service, whereby the public and private keys of the service are designated by pks and sks. The service receives the corresponding specified input values.

In steps 1-2, the authentication server A rerandomisiert the key texts of the user. In 3-4, the data fields not revealed to Service S are replaced by random values. The actual encryption is done in step 5 and the results are transferred to S. In step 7, A now proves by means of zero-knowledge proof that the rendererization and the re-encryption were performed correctly, the undefended data fields were correctly blackened, that only correct key material was used, and that a signature was added to the original encrypted data fields of CA. is known, which consists of the signature Verification Ver Ver of the selected signature method (the values to be proved would be concretely occupied as follows: (σ, (f,), e D, (v ,, w,), s ο, rku ^ s In the case that this certificate is correct, the service S decrypts the corresponding key texts in step 8 using its own secret key sks by means of the decryption algorithm Dec of Blaze et al. encryption method, and receives the plaintext data fields.

A concrete instantiation of the signature method with the method of Abe et al. (M. Abe and J. Groth and K. Haralambiev and M. Ohkubo. "Optimal Structure-Preserving Signatures in Asymmetry Bilinear Groups." In P. Rogaway (ed.), CRYPTO 2011, LNCS vol 6841, pp. 649-666 , Springer Verlag, 2011.) provides the following concrete signature protocol:

The public key of the certification authority pkCA in this specific case consists of G, H, Wu ..., \ N2n + 2, the algebraic setting being described in the original publication. The private key of the certification authority (CA) skCA consists of r, v, w1, ..., w2n + 2. Steps 7-11 now describe the precise signature process.

When performing an authentication, the following protocol is performed:

Steps 6-13 as well as parts of the values sent in step 14 are used for precalculation for the zero-knowledge proof step carried out in step 15 for the creation of the certificate z, whose concrete implementation can be realized directly by means of the referenced literature. The values to be proved would be substantiated as follows:

After it has been ensured that the relevant modified document doc 'has reached the service S on the basis of a correct treatment or modification in accordance with the modification rule m, the service can decrypt the individual data fields d3 made available to it. For this purpose, the service S has corresponding key material which enables it to decrypt the data fields d3 of the modified document doc 'specified in the agreement. Due to the previously performed re-encryption, it is sufficient in the present embodiment of the invention, if the service has its own private key sks, with which it is possible for him to decrypt the data contained in the modified document doc 'data fields d3. The service decrypts the relevant data fields d3 of the modified document doc 'and thus creates decrypted data fields a3 * which are kept available for further processing. In particular, in the present embodiment, it is merely checked whether the date of birth contained in the document in question is more than 18 years before the current time, i. whether the user in question is older than 18 years of age and is therefore entitled to receive the Service S service concerned.

In the following, a second preferred embodiment of the invention is shown in more detail (Fig. 2), which does not recode the data fields Ci, ..., cn of the document Dok, but uses derived private key sku 'of the client U. The creation of the document Dok between the certification authority CA and the client U takes place as in the first embodiment of the invention. The client U has a private key sku and a public key pky. The client U creates a derived private key sku 'from the private key sku, whereby the data fields Ci,..., Cn of the document Dok agreed upon in the agreement are encrypted in such a way that they are not only encrypted with the private key sku but also with the private key derived private key sku 'are decipherable. All other data fields of the document Dok, however, can not be decrypted with the derived private key sku '. The derived private key sku 'is transmitted to the service S. At the request of the service, the authentication server A prepares a modified document Dok 'based on the document Dok, in which at least the signature σ is modified with respect to the document doc. The modification of the signature o of the document Dok can be carried out, for example, by means of rerandomization. Likewise, the remaining data fields c 1..., C n of the document can be reandomized in the course of the modification, whereby at least the encrypted data fields c 1..., Cn agreed in the convention are modified, but the information contained in the encrypted data fields remains unchanged , In addition, the z certificate is appended with information indicating that the rerandomization was performed correctly.

The examination of the modified document Dok 'by the service S based on the certificate z takes place as well as in the first embodiment of the invention, in particular the correctness of the Rerandomisierung can be checked by means of the certificate. As with the first embodiment of the invention, this can be done concretely without knowledge of the data underlying the Rerandomisierung.

Unlike the first embodiment of the invention, the service S has a derived private key sku 'of the private key sku of the client U. The transmission of the derived private key sku' can either directly between the client U and the service S or the client U transfers the derived private key sku 'to the authentication server A, which transmits the derived private key sku' to the service S on request. In both cases, the service S has sufficient key material, namely the derived private key sku ', which enables it to decrypt the data fields Ci', ..., cn 'of the modified document Dok' specified in the agreement. LIST OF REFERENCE NUMBERS:

Claims (2)

claims A method of exchanging data fields of certified documents between a client (U) and a service (S) via an authentication server (A), a) wherein the client (U) has a document (Doc) containing a number of encrypted ones Data field (c1; cn) and a signature (σ), which depends on the encrypted data fields (Ci, ..., cn), b) where the document (Dok) from the client (U) to the authentication server (A) c) wherein the client (U) tells the authentication server (A) of a modification rule (m) indicating which of the data fields (Ci, ..., cn) of the document (Dok) from the authentication server (A) to the service (S) may not be transmitted, d) wherein the client (U) and the service (S), in accordance with the modification rule (m), make an agreement specifying which data fields (c1; .., cn) in a to be transmitted from the server to the service (S) modifizier e) that the authentication server (A) based on the document (Dok) creates a modified document (Dok '), in which the specified in the modification rule (m) data fields (c1 ; ..., cn) and / or the signature (o) are modified relative to the document (Doc) in such a way that the information contained in the relevant data field (ci \ ..., cn ') of the modified document (Dok') Service (S) is not reconstructable, f) that the modified document (Dok ') a certificate (z) is added, with the service (S) is traceable that the data fields (cA ..., cn') of modified document (Dok ') on the basis of a document (Doc) with a valid signature (S) and the modification mentioned in step e) corresponds to the modification rule (m), g) that the modified document (Dok') including the certificate ( z) is transmitted from the authentication server (A) to the service (S), h) that the service (S) checks the modified document (Dok ') on the basis of the certificate (z) as to whether the data fields (ei', ... 'cn') of the modified document (doc ') based on a document (doc) with a valid signature (o) i) that the service (S) has key material, in particular that key material is transmitted to the service (S), which enables the service (S) to be created, and the modification (s) mentioned in step e) decrypt the data fields (ei ', ..., cn') of the modified document (Dok ') specified in the agreement, j) that the service (S) contains the data fields (ei', ..., cn ') of the modified K) that the service (S) keeps the data fields (a ^, ..., an *) thus decrypted for further processing. 2. The method according to claim 1, characterized in that - the client (U) and the service (S) have private and public keys (sky, sks, pku, pks), - that based on a private and / or public key (sks, pks) of the service (S) and on the basis of the private key (sku) of the client (Ü) a Reenc-ryption key (rky ^ s) created and the authentication server (A) is provided, - where with the Reencryption key (rky ^ s) data fields (c ^ ..., cn) of the document (doc), which were encrypted with the public key (pku) of the client (U), are re-encrypted so that they are encrypted with the private Key (sks) of the service (S) are decryptable, - that prior to the creation of the certificate (z) in step f) the individual agreed in the agreement between the client (U) and the service (S) data fields (ci \ cn ' ) of the modified document (doc ') by means of the reencryption key (rky ^ s) In addition, the certificate (z) contains additional information indicating that the re-encryption was carried out correctly using the reencryption key (rky ^ s) created on the basis of the keys specified by the client (U) and service (S) , and - that in step j) the private key (sks) of the service (S) is used for decryption. A method according to claim 2, characterized in that before re-encrypting a re-randomization of the document (Doc) is carried out, in which the agreed upon in the agreement encrypted data fields (c1; ..., cn) are modified in the encrypted data fields ( c1; ..., cn) remain unchanged, and - that the certificate (z) additionally contains information indicating that the re-randomization was performed correctly. A method according to claim 1, characterized in that - the client (U) has a private and a public key (sky, pky), - that the client (U) from the private key (sky) a derived private key (sky ' ), - that the data fields (Ci, ..., cn) of the document (Doc) agreed in the agreement are encrypted in such a way that they can be decrypted with the derived private key (sky '), - that the derived private key ( skU ') is transmitted to the service (S), - that in step e) at least the signature (σ) of the document (Doc) is modified, and - that the derived private key (sky') for decrypting the data fields (cA. .., cn ') of the modified document (Dok') is used. A method according to claim 4, characterized in that - in the course of the modification, a rerandomization is carried out in which the agreed upon in the agreement encrypted data fields (c1; ..., cn) are modified in the encrypted data fields (Ci, .. ., cn) remain unchanged, and - that in the certificate (z) additional information is included, indicating that the Rerandomisierung was performed correctly. Method according to one of the preceding claims, characterized in that - the client (U) has a private and a public key (sky, pky), - that the document (Doc) is created by a number of plain text data fields (a1 ; ..., an) be encrypted with the public key (pky) of the client (U), - that a certification authority (CA) creates a signature (σ) that is encrypted by the encrypted data fields (Ci, ..., cn) and is dependent on its own private key (skCA), and - that in step h) the public key (pkCA) of the certification authority (CA) is used to check the validity of the certificate (z). A method according to claim 6, characterized in that before the creation of the signature (σ) for a number of encrypted data fields (Ci, ..., cn) of the document (Doc), the certification authority (CA) checks whether this is due to encryption given or agreed between the client (U) and certification authority (CA) plain text data fields (ai, ..., an). Method according to one of the preceding claims, characterized in that - the client (U) to the service (S) after step d) an access request, - that the service (S) the authentication server (A) for transmitting the modified document (Doc ') and the modified document (doc') according to the steps in the step h) checks, and - that the service (S) the required authorization of the client (U) on the basis of the decrypted data fields (aA ..., an *), the certificate (z) and the modified document (doc ') and, if appropriate, grant access to the client (U) in accordance with the access request. System for exchanging data fields (c ^ ..., cn) and certified documents comprising a client (U), a server running a service (S) and an authentication server (A), a) the client (U ) has a document (Doc) comprising a number of encrypted data fields (c1; ..., cn) and a signature (σ) which depends on the encrypted data fields (c1; ..., cn), b ) wherein the client (U) is adapted to transmit the document (Doc) to the authentication server (A) and the authentication server (A) is adapted to receive and store the document (Dok) from the client (U), c ) wherein the client (U) is adapted to communicate to the authentication server (A) a modification rule (m) indicating which of the data fields (Ci, ..., cn) of the document (Doc) from the authentication server (A) to the Service (S) may not be transmitted and the authentication server (A) is adapted to Modification rule (m) to be stored, d) wherein an agreement of the modification (m) agreement between the client (U) and service (S) is specified, indicating which of the service (S) readable data fields (Ci, ..., cn ) should be contained in a modified document (Dok ') to be transmitted by the server to the service (S), characterized in that e) the authentication server (A) is designed to implement a modified document (Doc '), in which the data fields (ci, ..., cn) and / or the signature (σ) given in the modification instruction (m) are modified relative to the document (Doc) such that the data fields (c /, ..., cn ') of the modified document (Dok') for the service (S) can not be reconstructed, f) the authentication server (A) is designed to provide the modified document (Dok ') with a certificate ( z) with which for service (S) it is understandable that the data fields (c /, ..., cn ') of the modified document (doc') were created on the basis of the document (doc) with a valid signature (σ) and the modification of the modification rule made by the authentication server (A) (m), g) that the authentication server (A) is adapted to transmit the modified document (Dok ') including the certificate (z), in particular on request, to the service (S), h) that the service ( S) is adapted to check the modified document (Dok ') on the basis of the certificate (z) as to whether the data fields (c /, ..., cn') of the modified document (doc ') are based on a document (doc ) have been created with a valid signature (σ) and the modification made by the authentication server (A) corresponds to the modification rule (m), i) the service (S) has key material, in particular that it is designed to store key material from the authentication server (A), the key material allowing the service (S) to decrypt the data fields (ci ', ..., cn') of the modified document (doc ') specified in the agreement, j) the service ( S) is adapted to decrypt the data fields (c ^, cn ') of the modified document (doc'). A system according to claim 9, characterized in that - the client (U) and the service (S) have private and public keys (sku, sks, pky, pks), - that the user (U) is trained based on a private and / or public key (sks, pks) of the service (S) and on the basis of the private key (sku) of the client (U) a Reencryption key (rku ^ s) to create and the Au-thentisierungsserver (A ) - that the authentication server (A) is adapted, with the Reencryption key (rky ^ s) data fields (c ^ ..., cn) of the document (doc) with the public key (pku ) of the client (U) have been encrypted so that they can be decrypted with the private key (sks) of the service (S), - that the authentication server (A) is adapted to add information to the certificate (z) indicating that the re-encryption is based on that of the client (U) and service (S) specified key reencryption key (rku ^ s) was performed correctly, and - that the service (S) is adapted to the data fields (Ci ', ..., cn') of the modified Document (Dok1) with his private key (sks). System according to claim 10, characterized in that - the authentication server (A) is adapted to perform a re-randomization of the document (Doc) before the re-encryption in which the encrypted data fields (Ci, ..., cn) agreed upon in the agreement are modified However, the information contained in the encrypted data fields (c ^ ..., cn) remain unchanged, and - that the authentication server (A) is adapted to the certificate (z) in addition to add information indicating that the Rerandomisierung correct was carried out. System according to claim 9, characterized in that - the authentication server (A) is designed to create a modified document (Dok1) based on the document (Doc), in which the data fields (Ci,. .., cn) and / or the signature (σ) with respect to the document (doc) are modified such that the information contained in the relevant data field (c /, ..., cn ') of the modified document (doc') for the Service (S) is not reconstructable, - that the client (U) is adapted to create from the private key (sku) a derived private key (sku '), - that the client (U) is adapted to the in the agreement agreed to encrypt data fields (ci, ..., cn) of the document (doc) such that they are decipherable with the derived private key (sku '), - that the client (U) is adapted to the derived private Key (sku '), especially indirect by a transmission encrypted under a public key (pks) of the server (S) to the authentication server (A), which makes this encryption of the private key (sku ') available to the service (S) for retrieval, to the service (S) - that the authentication server (A) is adapted to modify at least the signature (σ) of the document (Doc) in the context of the creation of the modified document (Dok '), and - that the service (S) is designed for this purpose to use the derived private key (sku ') to decrypt the data fields (ci', ..., cn ') of the modified document (doc'). System according to claim 12, characterized in that - the authentication server (A) is adapted to perform a re-randomization of the document (Doc) before the re-encryption in which the encrypted data fields (Ci, ..., cn) agreed upon in the agreement are modified However, the information contained in the encrypted data fields (Ci, ..., cn) remain unchanged, and - that the authentication server (A) is adapted to the certificate (z) in addition to add information indicating that the Rerandomisierung correct was carried out. System according to one of claims 9 to 13, characterized in that - the client (U) has a public and a private key (pks, sks), - that the client (U) is adapted to a number of plain text data fields (ai, ..., an) with its public key (pky) to encrypt and thus to create a document (doc) and to transfer the document (doc) to a certification authority (CA), - that a certification authority (CA) provided is that is adapted to create a signature (σ) that depends on the encrypted data fields (Ci, ..., cn) and on a private key (skCA) associated with the certification authority (CA), and that Service (S) is adapted to query the public key (pkCA) of the certification authority (CA) to check whether the modified document (doc '), with the correct application of the modification rule (m), based on a valid signature (o) of theCertification Authority (CA). A system according to any one of claims 9 to 14, characterized in that the certification authority (CA) is adapted, prior to the creation of the signature (σ), for a number of the encrypted data fields (c ^ ..., cn) of the document (doc) check whether these result from encryption from predetermined or agreed between the client (U) and the certification authority (CA) plain text data fields (a ^ ..., an). System according to one of claims 9 to 15, characterized in that - the client (U) is adapted to provide the service (S) an access request after transmission of the document to the authentication server (A), - that the service (S ) is adapted to request the authentication server (A) to transmit the modified document (Dok ') and to check the modified document (Dok') on the basis of the modification rule (m), and - that the service is designed to provide the required authorization of the Check clients (U) based on the decrypted data fields (a /, ..., an *) of the certificate (z) and the modified document (doc ') and, in the case of a positive check, access the client (U) according to the access request grant. Data carrier on which a program for carrying out a method in the client (U), service (S) or authentication server (A) according to one of claims 1 to 8 is stored.