DE102008042262A1 - Method for storing data for managing digital identity of user, involves writing data from provider computer system to token via connection to store data in token, and providing connections with connection-oriented protocol - Google Patents

Abstract

The method involves establishing a connection (101) between an identification (ID) token (106) e.g. passport and driving license, and an identification-provider computer system (136) via a user computer system (100) e.g. Laptop. Data is written from the provider computer system to another ID token (107) via another connection (103) to store the data in the latter token, where a prerequisite for the write process is performed when the former connection still exists. The connections are provided with end-to-end encryption and a connection-oriented protocol e.g. transmission control protocol. Independent claims are also included for the following: (1) a computer program product for storing data (2) a computer system with a data transmitting unit.

Description

The The invention relates to a method for storing data Computer program product, an ID token, in particular a value or Security document, as well as a computer system.

Various methods for managing the so-called digital identity of a user are known from the prior art:
Microsoft Windows CardSpace is a client-based digital identity system designed to allow Internet users to communicate their digital identity to online services. The disadvantage here is, inter alia, that the user can manipulate his digital identity.

at On the other hand, OPENID is a server-based system. One so-called identity server stores a database with the digital identities the registered user. The disadvantage of this is, inter alia, a poor privacy, because the digital identities the user is centrally stored and the user behavior recorded can.

Out US 2007/0294431 A1 Another method for managing digital identities is known, which also requires user registration.

In the unpublished patent application at the time of application DE 2008 000 067.1-31 The same applicant discloses a method for reading at least one attribute stored in an ID token, both an authentication of the user and of a computer system to the ID token is required in order to allow read access to an attribute stored in the ID token so that it can be forwarded to a computer system for providing a service.

Out US 2003/0023858 A1 is a method for generating a record known to serve as an electronic passport. The record is downloaded by a user and stored on a mobile phone, for example.

Of the The invention is based on the object, a to provide an improved method of storing data as well a corresponding computer program product, an ID token and a Computer system.

The The objects underlying the invention are each with the Characteristics of the independent claims solved. Embodiments of the invention are in the dependent Claims specified.

To Embodiments of the invention will be a method for Storage of data created. A first connection will be between a first ID token and a first computer system via built a second computer system. At the first computer system it can be a server computer system, which in the following also called ID provider computer system, and which with the second computer system via a network such as Example the internet, connected. In the second computer system it can be a personal computer (PC) of a user, which is also referred to below as a user computer system. From the first computer system is over the first connection at least a first attribute is read from the first ID token.

Further is a second connection between a second ID token and the first computer system via the second computer system built to at least a second attribute from the second ID token read. For this purpose, the second computer system of the first Computer system received a command, after which to the first and second ID token each connection should be established, So a so-called multi-session should take place. This will avoided the second computer system breaking the first connection, after the first attributes are read from the first ID token have been.

The first and second attributes are from the first computer system sent to a third computer system. In the third computer system it can be a server computer system that works with the first and / or the second computer system via the network connected is. The third computer system may be a Server computer system of a service provider acting in the Also referred to as a service computer system. Preferably become the first and second attributes of the first computer system digitally signed before forwarding to the third computer system, so that the third computer system the trustworthiness check the first and second attributes.

Preferably, the first attributes are forwarded from the first computer system to the third computer system immediately after read out of the first ID token so that the first attribute need not be stored permanently by the first computer system. By contrast, it suffices to store the first attribute in the first computer system only as long as it is necessary to forward the first attribute to the third computer system after it has been read from the first ID token. Likewise, it is preferable to proceed with respect to the second attribute, which is also forwarded by the first computer system immediately after reading from the second ID token to the third computer system. A temporary copy of the first and second attributes which may be required for the purposes of forwarding the attributes from the first computer system to the third computer system is deleted from the first computer system immediately after transmission. This has the advantage that the first computer system can be stateless, and that data requiring protection, which may include the first and second attributes, are not collected by the first computer system.

The third computer system uses the one from the first computer system received first and second attributes for the determination of data. This can be done so that the third computer system from the first and second attributes calculate or access the data a database using the first and second attributes of the data queried from a database. The first computer system receives then the data from the third computer system, for example via the network. The transfer of data from the third Computer system to the first computer system is preferably via a secure connection.

The The first computer system then writes data to the second ID token the second connection to store the data in the second ID token. Condition for this is that even the first connection to the first ID token still exists, during the total time of writing. This will ensure that not in the meantime the user has his authorization to write of the first ID token by the first computer system thereby has revoked that he got his first ID token from a reader of the first computer system has removed, making the first connection would cancel. By doing that writing the data over the second connection is made, it is further ensured that the In the meantime, the second connection has not been interrupted is that the second ID token manipulated by one, for example, d. H. replaces fake or corrupted ID tokens has been.

This is due to the fact that the first and second connections respectively built using a connection-oriented protocol and be maintained. Such a connection-oriented protocol registered if one of the two participants removes the connection becomes. This can be done during the entire period between the structure of the first connection and the structure of the second connection checks the necessary condition until the data is written be that both the first and the second connection up to complete the write process. For the case that after all the first or the second connection before completion of the write operation, the data is not in the second one ID tokens stored.

embodiments The invention is particularly advantageous because it allows the invention, the to securely describe second ID tokens with individual document data the first ID token serving as the "trust anchor". The owner of the first ID token is thereby enabled to its second ID token with document-specific data for the first time be described or such individual document data to update, online, without the owner of the first ID tokens for example, an authority personally must visit.

For example is the first ID token to the authorized user, i. H. the owner of the ID token. For example, it is in the first ID token with an electronic identity card. The second On the other hand, ID tokens can be assigned to a thing, for example a motor vehicle. For example, it is the second ID token to an electronic vehicle letter or electronic The registration document. The invention makes it possible, the electronic Update your vehicle registration or vehicle registration online if, for example, the owner of the motor vehicle and / or the official Change the license plate of the motor vehicle.

Under According to the invention, a "document" is paper-based and / or plastic-based documents, such as Identity documents, in particular special passports, identity cards, Visas and driving licenses, vehicle registration documents, vehicle registration documents, Company IDs, health cards or other ID documents as well also chip cards, means of payment, in particular bank cards and credit cards, Bill of lading or other credentials in which a data store is integrated to store at least one attribute.

To An embodiment of the invention is the connection-oriented protocol of the first and / or second Connections to a packet-switched transport protocol for setup an end-to-end connection in full duplex, such as the Transmission Control Protocol (TCP).

Embodiments of the invention are thus particularly advantageous since the at least one attribute is read from a particularly trustworthy document, for example an official document. Of particular advantage is further that a central storage of the attributes is not required. The invention thus enables a particularly high degree of trustworthiness with regard to the communication of the attributes associated with a digital identity, combined with optimum data protection and extremely convenient handling.

To An embodiment of the invention has the first computer system at least one certificate, which is used to authenticate the first Computer system opposite the first and / or second ID token is used. The certificate includes an indication of those Attributes for which the first computer system is read-only Has. The relevant ID token checks against this certificate, whether the first computer system has the required read permission for has read access to the first or second attribute before a such read access is performed by the first computer system can be.

To An embodiment of the invention transmits the first computer system the at least one of the ID tokens read first and second Attribute directly to the third computer system. At the third Computer system can be, for example, a server of an authority, such as B. a motor vehicle registration office act.

To In one embodiment of the invention, the transmission takes place the attributes read from the ID token from the first computer system first to the second computer system of the user. For example the second computer system has a standard internet browser, with which the user can open a website of the third computer system. The user can make a request for a website Service, such as B. updating his electronic vehicle registration certificate, enter.

The third computer system then specifies those attributes for example, the user and / or his first and / or second ID tokens, which it for the provision of the service or the acceptance of the order is needed. The corresponding Attribute specification that includes the specification of these attributes, is then transferred from the third computer system to the first computer system Posted. This can be done with or without interposition of the second Computer system done. In the latter case, the user can desired first computer system over the specify third computer system, for example by input the URL of the first computer system in a web page of the third Computer system from the second computer system.

To An embodiment of the invention includes the service request the user to the third computer system the indication of an identifier, wherein the identifier identifies the first computer system. For example, the identifier is a link, for example, a URL of the first computer system.

To In one embodiment of the invention, the attribute specification becomes not directly from the third computer system to the first computer system but first from the third computer system to the second computer system.

To an embodiment of the invention are from the first or second ID tokens read attributes from the first Computer system signed and then transferred to the second computer system. The user of the second computer system can thus read the attributes, but without being able to change them. Only after Release by the user becomes the attributes of the second computer system forwarded to the third computer system.

To According to one embodiment of the invention, the user can first and / or second attributes before their forwarding by add further data.

To An embodiment of the invention has the first computer system several certificates with different reading rights. Due to the Receiving the attribute specification selects the first computer system one or more of these certificates to the appropriate ones Read out attributes from the ID tokens.

In In another aspect, the invention relates to a computer program product, in particular a digital storage medium, with executable Program instructions for carrying out an inventive Process.

In In another aspect, the invention relates to an ID token with a protected memory area for storing at least an attribute and storage of data, means for authentication a first computer system relative to the ID token, means to establish a connection to the first computer system after a connection-oriented protocol, over which the first computer system the at least one attribute can read, with a necessary Prerequisite for reading the at least one attribute the ID token through the first computer system successful authentication the first computer system is opposite to the ID token and where the data about the connection in the memory area can be written.

By way of example, the ID token is an electronic vehicle document that is only for a motor vehicle but not for a user is permanently assigned. An authentication of the user against the ID token can then be omitted.

additionally to the authentication of the first computer system the ID token, as such, for example, as so-called Extended Access Control for machine-readable travel documents (machine-readable The documents - MRTD) and international Aviation Authority ICAO is specified, it can indeed after Embodiment may be required that also the user authenticated against the ID token. For example through a successful authentication of the user unlocked the ID token so that the further steps, namely the authentication of the first computer system against the ID token and / or the establishment of a protected Connection to read the attributes, can expire.

To In one embodiment of the invention, the ID token has means for end-to-end encryption. this makes possible it, the connection between the ID token and the first computer system via to build a third computer system of the user, as the user no changes due to end-to-end encryption the data transmitted over the connection.

In In another aspect, the invention relates to a first computer system with computer system having means for establishing a first connection between a first ID token and a first computer system via a second computer system for reading at least a first attribute from the first ID token, means for establishing a second connection between a second ID token and the first computer system via the second computer system for reading at least one second attribute from the second ID token, means for transmitting the first and second Attributes from the first computer system to a third computer system, Means for receiving the data from the third computer system the first computer system, means for writing the data from the first Computer system into the second ID token over the second connection, to store the data in the second ID token, assuming requirement for writing the data is that too the first connection still exists, with the first and second compounds each with connections with end-to-end encryption and is a connection-oriented protocol.

To Embodiments of the invention have the first computer system Means for receiving an attribute specification via a Network, wherein the attribute specification at least one attribute specifies means of authentication to one ID token, means for reading at least one attribute from the ID token via a secure connection, wherein the reading of the at least one Attributes requires that a user associated with the ID token authenticated against the ID token.

To In one embodiment of the invention, the first computer system Include means for generating a request to the user. After this For example, the first computer system the attribute specification from the third computer system, it then sends a request to the second computer system of the user, so the user is prompted to face the first one and / or second ID tokens. After the authentication the user against the first and / or second ID token has been successfully completed, receives the first computer system from the second computer system an acknowledgment. Then the first computer system authenticates itself the relevant ID token and it becomes the secure first or second Connection between the ID token and the first computer system with built an end-to-end encryption.

To An embodiment of the invention has the first computer system multiple certificates, each having different read rights and / or write permissions specify. After receiving the attribute specification selects the first computer system with at least one of these certificates sufficient reading rights to read the specified attributes. Furthermore, the first computer system selects that certificate, which required to write the data in the second ID token Rights specified to its related authority prove to the second ID token.

embodiments of the first computer system according to the invention especially advantageous as it combines with the need authentication of the user against the ID token Confidence anchor for the unadulterated digital identity form the user. It is of particular advantage that this no prior registration of the user against the first computer system requires as well as no central storage the attributes of users constituting the digital identities.

To An embodiment of the invention is the first computer system is an officially certified Trust Center, in particular a signature law compliant Trust Center.

in the Further, embodiments of the invention will be referred to explained in more detail on the drawings. Show it:

1 a block diagram of an embodiment of computer systems according to the invention and ID tokens,

2 a flow chart of an embodiment of a method according to the invention,

3 a block diagram of another embodiment of computer systems according to the invention and ID tokens,

4 a flowchart of another embodiment of a method according to the invention,

5 a UML diagram of a further embodiment of a method according to the invention,

6 a block diagram of another embodiment of inventive computer systems and ID tokens.

elements the following embodiments, which correspond to each other, are marked with the same reference numerals.

The 1 shows a block diagram of an embodiment of a data processing system according to the invention. The data processing system has a user computer system 100 , In the user computer system 100 it may be a personal computer, a portable computer, such as a laptop or palmtop computer, a personal digital assistant (PDA), a mobile telecommunications device, in particular a smartphone, or the like.

The user computer system 100 is used to communicate with the ID token A. 106 and the ID token B 107 , The communication between the ID tokens A and B on the one hand and the user computer system 100 on the other hand, contact-based or contactless, in particular by an RFID method, take place. The ID token A can be an electronic identity card, ie an identity card which contains an RFID chip in which attributes of the user are stored.

Of the ID token B can in principle be structured as the ID token A, where the ID token B is not the user, but a thing like for example, a motor vehicle, is assigned. For example, it acts the ID token B is an electronic motor vehicle letter or an electronic vehicle license, in which attributes of the motor vehicle are stored.

To the user computer system 100 is a suitable reader (in the 1 not shown) or into the user computer system 100 integrated, so the user computer system 100 can communicate with ID tokens A and B. The reader is designed so that at the same time a first connection A 101 between the ID token A and the user computer system 100 and a second compound B 103 between the ID token B and the user computer system 100 can exist.

In the ID token B at least one attribute is stored, which the Assignment of the ID token B to the thing, for example to the motor vehicle, manufactures. This attribute may be a so-called Unique identifier of the thing acting, such as the chassis number of the motor vehicle or the like.

The user computer system 100 is over a network 116 such as the Internet, with a service computer system 150 connected. At the service computer system 150 it may be a server computer system of an authority, such as a vehicle registration office.

Further, the user computer system 100 over the network 116 with the ID provider computer system 136 connected. The ID provider computer system 136 is used to read the attributes from the ID tokens A and B to pass these attributes to the service computer system 150 for receiving data from the service computer system 150 and for write access based on this data to the ID token B to update the ID token B. The data may be z. For example, to be updated attribute values.

If For example, due to a move of the user the official License plate of the motor vehicle changes, so can the ID token B updated with the new license plate as follows without the user visiting an authority got to.

Between the ID token A and the ID provider computer system 136 becomes a first connection A 101 built up. At the connection 101 This is a connection with end-to-end encryption, so the ones over the connection 101 exchanged data neither from the user computer system 100 still from other participants of the network 116 can be decrypted. The connection 101 is built and maintained using a connection-oriented protocol.

The procedure for the ID token B is the same: between the ID token B and the ID provider computer system 136 becomes a second one Compound B 103 established, also via the user computer system 100 and the network 116 with end-to-end encryption and also with the connection-oriented protocol.

The ID provider computer system 136 Read about the connection 101 at least one first attribute A from the ID token A or more of such attributes A, by which the user is uniquely identified. For example, this may be the name, date of birth and place of residence of the user.

The attributes A are from the ID provider computer system 136 digitally signed and attached to the service computer system 150 forwarded. This is preferably done so that the ID provider computer system 136 No copy of attributes A remains after attributes A with the signature to the service computer system 150 have been sent.

Also, regarding the second attribute B stored in the ID token B, the procedure is as follows: The attribute B, such as the chassis number, is provided by the ID provider computer system 136 about the connection 103 read from the ID token B, signed and sent to the service computer system 150 Posted. The attribute B also appears in the ID provider computer system 136 after sending to the service computer system 150 preferably no copy stored.

The service computer system 150 determines with the help of the attributes A and the attribute B the updated registration number of the motor vehicle, which is identified by the attribute B. For example, the service computer system determines 150 this new license plate by a database query in a database in which such flags are stored. For the database query the attributes A and / or the attribute B can be used.

The service computer system 150 sends data containing the new license plate to the ID provider computer system 136 , Preferably, the service computer system signs 150 the data, so the ID provider computer system 136 Check this signature to ensure the authenticity of this data.

The data with the new license plate sends the ID provider computer system 136 then about the connection 103 to the ID token B, so that the new license plate is stored there. Additionally, the ID provider computer system 136 also write the updated address of the user in the ID token B in this way. This may require the ID provider computer system 136 again over the connection 101 accesses the ID token A to read out the attributes with the changed address.

For a write access of the ID provider computer system 136 about the connection 103 On the ID token B, it is a necessary condition that the connection Ver 101 to the ID token A still exists. This ensures that the "trust anchor" is still present if the data, for example the new license plate, is in the ID token B via the connection 103 to be written.

The 2 shows a corresponding flow chart.

In the step 10 the connection A is established between the ID provider and the ID token A, with a connection-oriented protocol and with end-to-end encryption. In the step 12 For example, the attributes A are read out of the ID token A from the ID provider via the connection A. The attributes A are then retrieved from the ID provider in the step 14 forwarded to the service (see ID provider computer system 136 and service computer system 150 in the embodiment of the 1 ).

Analog will be in the steps 16 . 18 and 20 with reference to the ID token B and the attributes B stored in the ID token B, which are also received by the service.

In the step 22 The service uses the attributes A and B to determine the data to be used for updating the ID token B. This data may include, for example, the registration number of the motor vehicle to which the ID token B is assigned.

In the step 24 This data is sent from the service to the ID provider. If the ID token B is also to be updated with the attributes A, then these attributes A become in the step 26 read again by the ID provider over the connection A. In the step 28 The ID provider generates write data from the attributes A and the data received from the service, ie a data record which contains the data to be written into the ID token B.

In the step 30 the ID provider checks if the connection A still exists. If so, the write data in the step 32 from the ID provider via the connection B in the ID token B written and stored there, so that the ID token B is updated. In the opposite case, the break ID provider in the step 34 the process, since a secure writing of the write data in the ID token B due to the termination of the connection A is not possible.

The 3 shows a user computer system 100 a user 102 , The user computer system 100 has an interface 104 for communication with the ID token 106A that has a corresponding interface 108 having.

The user computer system 100 has at least one processor 110 for executing program instructions 112 as well as a network interface 114 for communication via a network 116 , The network can be a computer network, such as the Internet.

The ID token 106 has an electronic memory 118 with protected storage areas 120 . 122 and 124 , The protected memory area 120 is used to store a reference value used for authentication of the user 102 opposite the ID token 106 is needed. This reference value is, for example, an identifier, in particular a so-called Personal Identification Number (PIN), or reference data for a biometric feature of the user 102 which is used to authenticate the user against the ID token 106 can be used.

The protected area 122 is used to store a private key and the protected storage area 124 is used to store attributes, such as the user 102 such as the name, place of residence, date of birth, gender, and / or attributes concerning the ID token itself, such as the institution that created or issued the ID token, the validity period of the ID token, an identifier of the ID token, such as a passport number or a credit card number.

The electronic memory 118 may further include a memory area 126 to store a certificate. The certificate includes a public key similar to the one in the protected space 122 stored private key is assigned. The certificate may have been created according to a public key infrastructure (PKI) standard, for example according to the X.509 standard.

The certificate does not necessarily have to be in the electronic memory 118 of the ID token 106 be saved. Alternatively or additionally, the certificate can also be stored in a public directory server.

The ID token 106 has a processor 128 , The processor 128 is used to execute program instructions 130 . 132 and 134 , The program instructions 130 are used for user authentication, ie for authentication of the user 102 opposite the ID token.

In one embodiment with PIN, the user enters 102 his PIN for his authentication in the ID token 106 a, for example via the user computer system 100 , By executing the program instructions 130 will then go to the protected storage area 120 is accessed to compare the entered PIN with the reference value of the PIN stored there. In the event that the entered PIN matches the reference value of the PIN, the user is valid 102 as authenticated.

Alternatively, a biometric feature of the user 102 detected. For example, the ID token has 106 this is a fingerprint sensor or a fingerprint sensor is to the user computer system 100 connected. The by the user 102 captured biometric data is generated by executing the program instructions 130 in this embodiment, with those in the protected memory area 120 stored biometric reference data compared. With sufficient agreement of the user 102 collected biometric data with the biometric reference data is the user 102 as authenticated.

The program instructions 134 are used to execute the ID token 106 relevant steps of a cryptographic protocol for authentication of an ID provider computer system 136 opposite the ID token 106 , The cryptographic protocol may be a challenge-response protocol based on a symmetric key or an asymmetric key pair.

For example, the cryptographic protocol implements an Extended Access Control method as specified for machine-readable travel documents (MRTD) by the International Aviation Authority (ICAO). Successful execution of the cryptographic protocol authenticates the ID provider computer system 136 relative to the ID token and thereby has its read permission to read in the protected memory area 124 stored attributes. The authentication can also be mutually exclusive, ie also the ID token 106 must then face the ID provider computer system 136 authenticate according to the same or another cryptographic protocol.

The program instructions 132 serve for End-to-end encryption of between the ID token 106 and the ID provider computer system 136 transmitted data, but at least that of the ID provider computer system 136 from the protected storage area 124 read attributes. For the end-to-end encryption, a symmetric key can be used, for example, when executing the cryptographic protocol between the ID token 106 and the ID provider computer system 136 is agreed.

The program instructions 131 are used to carry out the connection-oriented protocol on the part of the ID token 106 , For example, the connection-oriented protocol may be TCP. A "connection-oriented protocol" is understood to mean any protocol for establishing a virtual channel between two endpoints, in this case between one of the ID tokens and the ID provider computer system 136 , On this channel can be transmitted in both directions. For example, this is a proprietary or a standardized protocol, such. B. uses TCP; TCP is in the layer 4 based on the OSI reference model and can be based on the Internet Protocol.

Alternatively to the one in the 3 illustrated embodiment, the user computer system 100 with its interface 104 not directly with the interface 108 communicate but via a to the interface 104 connected reader for the ID token 106 , About this reader, such as a so-called class 2 smart card terminal, the PIN can also be entered.

the interface 104 and possibly the reader are designed so that at the same time the connections 101 and 103 (see. 1 ) can be maintained. For example, two slots are provided for the ID tokens A and B in the reader, or simultaneous communication with the ID tokens A and B is possible via an RF channel.

The ID token B 107 In the embodiment considered here, in principle the same or similar structure as the ID token A. 106 , For a description of the individual components of the ID token B 107 Therefore, reference is made to the above description of the components of the ID token A. 106 directed. Unlike the ID token A can write access to the protected memory area 124 ' via connection B to update the attribute values stored there with the write data. Excluded from this is the attribute value with the unique identifier, ie for example the chassis number, which is immutable.

The program instructions 130 ' can be omitted if for the ID token 107 no user authentication is provided.

The ID provider computer system 136 has a network interface 138 for communication over the network 116 , The ID provider computer system 136 also has a memory 140 in which a private key 142 of the ID provider computer system 136 as well as the corresponding certificate 144 is stored. Also, this certificate may be, for example, a certificate according to a PKI standard, such as X.509.

The ID provider computer system 136 also has at least one processor 145 for executing program instructions 146 and 148 , By executing the program instructions 146 become the the ID provider computer system 136 relevant steps of the cryptographic protocol. Overall, therefore, the cryptographic protocol by execution of the program instructions 134 through the processor 128 of the ID token 106 or the ID token 107 as well as by executing the program instructions 146 through the processor 145 of the ID provider computer system 136 implemented.

The program instructions 148 are used to implement end-to-end encryption on the ID provider computer system side 136 For example, based on the symmetric key used when executing the cryptographic protocol between the ID token 106 respectively. 107 and the ID provider computer system 136 has been agreed. In principle, any method known per se for agreeing the symmetric key for end-to-end encryption, such as a Diffie-Hellman key exchange, may be used.

The program instructions 147 are used to implement the connection-oriented protocol, in such a way that simultaneously the two connections 101 and 103 can be maintained.

The program instructions 151 are used to implement a control program for the process control.

The ID provider computer system 136 is preferably located in a specially protected environment, in particular in a so-called trust center, so that the ID provider computer system 136 in combination with the need of authentication of the user 102 opposite the ID token 106 the confidence anchor for the authenticity of the ID token 106 forms read attributes.

The service computer system 150 can be designed to receive a service request for initialization, in particular for updating the ID token B.

The service computer system 150 has a network interface for this purpose 152 to connect to the network 116 , Furthermore, the service computer system has 150 at least one processor 154 for executing program instructions 156 , By executing the program instructions 156 For example, dynamic HTML pages are generated over which the user 102 can enter his service request.

Depending on the type of service request, the service computer system must be 150 one or more attributes of the ID token 106 and the ID token 107 from the ID provider computer system 136 received in order to execute the service request.

• 1. Authentifizierung des Nutzers 102 gegenüber dem ID-Token 106. Der Nutzer 102 authentifiziert sich gegenüber dem ID-Token 106. Bei einer Implementierung mit PIN gibt der Nutzer 102 hierzu seine PIN beispielsweise über das Nutzer-Computersystem 100 oder einen daran angeschlossenen Chipkarten-Terminal ein. Durch Ausführung der Programminstruktionen 130 prüft dann der ID-Token 106 die Korrektheit der eingegebenen PIN. Wenn die eingegebene PIN mit dem in dem geschützten Speicherbereich 120 gespeicherten Referenzwert der PIN übereinstimmt, so gilt der Nutzer 102 als authentifiziert. Analog kann vorgegangen werden, wenn ein biometrisches Merkmal des Nutzers 102 zu dessen Authentifizierung verwendet wird, wie oben beschrieben.
• 2. Authentifizierung des ID-Provider-Computersystems 136 gegenüber dem ID-Token 106. Hierzu wird die Verbindung 101 zwischen dem ID-Token 106 und dem ID-Provider-Computersystem 136 über das Nutzer-Computersystem 100 und das Netzwerk 116 hergestellt. Beispielsweise überträgt das ID-Provider-Computersystem 136 sein Zertifikat 144 über diese Verbindung 101 an den ID-Token 106. Durch die Programminstruktionen 134 wird dann eine so genannte Challenge generiert, d. h. beispielsweise eine Zufallszahl. Diese Zufallszahl wird mit dem in dem Zertifikat 144 beinhalteten öffentlichen Schlüssel des ID-Provider-Computersystems 136 verschlüsselt. Das resultierende Chiffrat wird von dem ID-Token 106 über die Verbindung an das ID-Provider-Computersystem 136 gesendet. Das ID-Provider-Computersystem 136 entschlüsselt das Chiffrat mit Hilfe seines privaten Schlüssels 142 und erhält so die Zufallszahl. Die Zufallszahl sendet das ID-Provider-Computersystem 136 über die Verbindung an den ID-Token 106 zurück. Durch Ausführung der Programminstruktionen 134 wird dort geprüft, ob die von dem ID-Provider-Computersystem 136 empfangene Zufallszahl mit der ursprünglich generierten Zufallszahl, d. h. der Challenge, übereinstimmt. Ist dies der Fall, so gilt das ID-Provider-Computersystem 136 als gegenüber dem ID-Token 106 authentifiziert. Die Zufallszahl kann als symmetrischer Schlüssel für die Ende-zu-Ende Verschlüsselung verwendet werden.
• 3. Nachdem sich der Nutzer 102 erfolgreich gegenüber dem ID-Token 106 authentifiziert hat, und nachdem sich das ID-Provider-Computersystem 136 erfolgreich gegenüber dem ID-Token 106 authentifiziert hat, erhält das ID-Provider-Computersystem 136 eine Leseberechtigung zum Auslesen, eines, mehrerer oder aller der in dem geschützten Speicherbereich 124 gespeicherten Attribute A. Aufgrund eines entsprechenden Lesekommandos, welches das ID-Provider-Computersystem 136 über die Verbindung an den ID-Token 106 sendet, werden die angeforderten Attribute A aus dem geschützten Speicherbereich 124 ausgelesen und durch Ausführung der Programminstruktionen 132 verschlüsselt. Die verschlüsselten Attribute A werden über die Verbindung an das ID-Provider-Computersystem 136 übertragen und dort durch Ausführung der Programminstruktionen 148 entschlüsselt. Dadurch erhält das ID-Provider-Computersystem 136 Kenntnis der aus dem ID-Token 106 ausgelesenen Attribute. Diese Attribute A werden von dem ID-Provider-Computersystem mit Hilfe seines Zertifikats 144 signiert und über das Nutzer-Computersystem 100 oder direkt an das Dienst-Computersystem 150 übertragen. Dadurch wird das Dienst-Computersystem 150 über die aus dem ID-Token 106 ausgelesenen Attribute A in Kenntnis gesetzt. Durch die Notwendigkeit der Authentifizierung des Nutzers 102 gegenüber dem ID-Token 106 und der Authentifizierung des ID-Provider-Computersystems 136 gegenüber dem ID-Token 106 ist der notwendige Vertrauensanker geschaffen, sodass das Dienst-Computersystem 150 sicher sein kann, dass die ihm von dem ID-Provider-Computersystem 136 mitgeteilten Attribute des Nutzers 102 zutreffend und nicht verfälscht sind.
• 4. Zur Übertragung zumindest eines Attributs B an das Dienst-Computersystem 150 wird analog dazu vorgegangen, d. h. die o. g. Schritte 1 bis 3 werden mit Bezug auf den ID-Token 107 ausgeführt, wozu die Verbindung 103 aufgebaut wird. Im Ergebnis hat das Dienst-Computersystem 150 dann die Attribute A und B auf sichere und vertrauenswürdige Art empfangen. Die Authentifizierung des Nutzers gegenüber dem ID-Token B kann im Unterschied zu der ersten Durchführung der Schritte 1 bis 3 entfallen.
• 5. Mit Hilfe der Attribute A und B ermittelt das Dienst-Computersystem dann die Daten, die in den ID-Token B zum Beispiel zur Aktualisierung oder Initialisierung von einem der in dem geschützten Bereich 124' gespeicherten Attributwerte dienen sollen. Wenn der ID-Token B zum Beispiel einem Kraftfahrzeug 172 zugeordnet ist und es sich bei dem Dienst-Computersystem 150 um eine Online-Kfz-Meldebehörde handelt, kann das Dienst-Computersystem das aktuelle amtliche Kennzeichen des Kraftfahrzeugs 172 ermitteln, indem es mit Hilfe der Attribute A und/oder B auf eine Datenbank 174 zugreift, welche mit dem Dienst-Computersystem 150 verbunden ist. Dies kann so erfolgen, dass durch Ausführung der Programminstruktionen 156 mit Hilfe der Attribute A und/oder B eine Datenbankabfrage der Datenbank 174 durchgeführt wird, um das dort gespeicherte aktuelle Kfz-Kennzeichen abzurufen. Das Dienst-Computersystem signiert dann die Daten, welche das aktuelle amtliche Kennzeichen beinhalten, mit seinem privaten Schlüssel und sendet die signierten Daten über das Netzwerk 116 an das ID-Provider-Computersystem 136. Das ID-Provider-Computersystem 136 prüft dann die Validität der Signatur. Wenn die Signatur valide ist, prüft das Steuerungsprogramm 151, ob beide Verbindungen 101 und 103 noch bestehen. Falls dies der Fall ist, schreibt das Steuerungsprogramm 151 dann die von dem Dienst-Computersystem 150 empfan genen Daten über die Verbindung 103 in den ID-Token B, beispielsweise um den Attributwert des amtlichen Kennzeichens, der in dem geschützten Speicherbereich 124' des ID-Tokens B gespeichert ist, zu aktualisieren.

To claim the service from the computer system 150 For example, the service provided is as follows:

• 1. Authentication of the user 102 opposite the ID token 106 , The user 102 authenticates to the ID token 106 , In a PIN implementation, the user enters 102 this, for example, his PIN on the user computer system 100 or a smart card terminal connected to it. By executing the program instructions 130 then checks the ID token 106 the correctness of the entered PIN. If the entered PIN is in the protected memory area 120 stored reference value of the PIN, the user is valid 102 as authenticated. Analog can be proceeded if a biometric feature of the user 102 used for its authentication, as described above.
• 2. Authentication of the ID provider computer system 136 opposite the ID token 106 , This is the connection 101 between the ID token 106 and the ID provider computer system 136 via the user computer system 100 and the network 116 produced. For example, the ID provider computer system transmits 136 his certificate 144 about this connection 101 at the ID token 106 , Through the program instructions 134 Then a so-called challenge is generated, ie, for example, a random number. This random number will be in the certificate 144 included public key of the ID provider computer system 136 encrypted. The resulting cipher is taken from the ID token 106 over the connection to the ID provider computer system 136 Posted. The ID provider computer system 136 decrypts the ciphertext using its private key 142 and gets the random number. The random number sends the ID provider computer system 136 over the connection to the ID token 106 back. By executing the program instructions 134 there is checked if the from the ID provider computer system 136 received random number with the originally generated random number, ie the Challenge matches. If this is the case, the ID provider computer system applies 136 as opposed to the ID token 106 authenticated. The random number can be used as a symmetric key for end-to-end encryption.
• 3. After the user 102 successful against the ID token 106 has authenticated, and after the ID provider computer system 136 successful against the ID token 106 has authenticated the ID provider computer system 136 a read permission to read one, more, or all of them in the protected memory area 124 Attributes stored A. Due to a corresponding read command, the ID provider computer system 136 over the connection to the ID token 106 sends, the requested attributes A from the protected memory area 124 read out and by executing the program instructions 132 encrypted. The encrypted attributes A are sent over the connection to the ID provider computer system 136 transferred and there by execution of the program instructions 148 decrypted. This preserves the ID provider computer system 136 Knowing from the ID token 106 read attributes. These attributes A are used by the ID provider computer system using its certificate 144 signed and via the user computer system 100 or directly to the service computer system 150 transfer. This will cause the service computer system 150 over from the ID token 106 read out attributes A read. Due to the need of authentication of the user 102 opposite the ID token 106 and the authentication of the ID provider computer system 136 opposite the ID token 106 is the necessary anchor of confidence created so that the service computer system 150 You can be sure that it's from the ID provider computer system 136 shared attributes of the user 102 are correct and not distorted.
• 4. For transmitting at least one attribute B to the service computer system 150 the procedure is analogous, ie the above-mentioned steps 1 to 3 be related to the ID token 107 executed, including the connection 103 is built. As a result, the service computer system has 150 then the attributes A and B on safe and ver received a trustworthy type. The authentication of the user against the ID token B can be different from the first execution of the steps 1 to 3 omitted.
• 5. Using attributes A and B, the service computer system then retrieves the data in the ID token B, for example, to update or initialize one of the protected area 124 ' stored attribute values are to serve. For example, if the ID token B is a motor vehicle 172 It is associated with the service computer system 150 is an online vehicle registration office, the service computer system, the current registration number of the motor vehicle 172 determine by using the attributes A and / or B on a database 174 accessing the service computer system 150 connected is. This can be done by executing the program instructions 156 using the attributes A and / or B, a database query of the database 174 is performed to retrieve the stored there current license plate. The service computer system then signs the data containing the current license plate with its private key and sends the signed data over the network 116 to the ID provider computer system 136 , The ID provider computer system 136 then checks the validity of the signature. If the signature is valid, the control program checks 151 , whether both connections 101 and 103 still exist. If this is the case, the control program writes 151 then the service computer system 150 received data via the connection 103 in the ID token B, for example, the attribute value of the license plate in the protected memory area 124 ' of the ID token B is to be updated.

Depending on the embodiment, the order of authentication may be different. For example, it may be provided that initially the user 102 opposite the ID token 106 must authenticate and subsequently the ID provider computer system 136 , But in principle it is also possible that initially the ID provider computer system 136 opposite the ID token 106 must authenticate and only subsequently the user 102 , The same applies to the ID token 107 ,

In the first case, the ID token 106 respectively. 107 For example, it is designed so that it only by entering a correct PIN or a correct biometric feature by the user 102 is unlocked. Only this activation allows the start of the program instructions 132 and 134 and thus the authentication of the ID provider computer system 136 ,

In the second case is a start of the program instructions 132 and 134 also already possible if the user 102 not yet opposite the ID token 106 has authenticated. In this case, for example, the program instructions 134 designed so that the ID provider computer system 136 only then a read access to the protected memory area 124 for reading out one or more of the attributes, after the program instructions 130 the successful authentication of the user as well 102 has been signaled. The same applies to the ID token 107 ,

Of particular advantage is the utilization of ID tokens 106 and 107 for example, eGovernment applications, namely media-free and legally secure due to the need for authentication of the user 102 and the ID provider computer system 136 opposite the ID token 106 formed trust anchor. Of particular advantage is further that a central storage of the attributes of different users 102 is not required, so that the existing in the prior art privacy problems are hereby resolved. As far as the convenience of the application of the method is concerned, it is of particular advantage that a prior registration of the user 102 to use the ID provider computer system 136 is not required.

The 4 shows an embodiment of a method according to the invention. In the step 200 a service request is sent from the user computer system to the service computer system. For example, the user starts an Internet browser of the user computer system and enters a URL for calling a web page of the service computer system. The user then enters his service request into the accessed web page, for example to update his ID token B.

For this update, it is necessary to establish a connection A or B between the ID token A and the ID provider as well as between the ID token B and the ID provider, via which the ID provider attributes from the ID tokens A and B can read. In the embodiment considered here, the structure of the compounds A and B is carried out sequentially, wherein, for example, first the compound A is built up. This is done in the step 201 the currently used ID token is set equal to the ID token A.

In the step 202 specifies the service computer system 150 then one or more attributes that it needs to check the user's authorization for the service request. In particular, the service computer system may specify such attributes as the digital ones Identity of the user 102 determine. This specification of the attributes by the service computer system 150 may be fixed or depending on the service request in the individual case by the service computer system 150 determined by given rules.

In the step 204 becomes the attribute specification, ie the one in the step 202 specification of the one or more of the attributes transmitted from the service computer system to the ID provider computer system, either directly or through the user computer system.

To allow the ID provider computer system to retrieve attributes from its ID token, the user authenticates in the step 206 opposite the ID token.

In the step 208 a connection is established between the ID token and the ID provider computer system. This is preferably a secure connection, for example according to a so-called secure messaging method.

In the step 210 At least one authentication of the ID provider computer system to the ID token takes place via that in the step 208 established connection. In addition, authentication of the ID token against the ID provider computer system may be provided.

After both the user and the ID provider computer system have been successfully authenticated against the ID token, the ID provider computer system obtains the access to read the attributes from the ID token. In the step 212 The ID provider computer system sends one or more read commands to read out the attributes required by the attribute specification from the ID token. The attributes are then transmitted via end-to-end encryption over the secure connection to the ID provider computer system and decrypted there.

The read attribute values are in the step 214 signed by the ID provider computer system. In the step 216 The ID provider computer system sends the signed attribute values over the network. The signed attribute values reach the service computer system either directly or through the user computer system. In the latter case, the user may have the opportunity to take note of the signed attribute values and / or to supplement them with further data. It can be provided that the signed attribute values, if appropriate with the supplemented data, are forwarded by the user computer system to the service computer system only after release by the user. This provides the greatest possible level of transparency for the user with regard to the attributes sent by the ID provider computer system to the service computer system.

After that, in the step 218 the currently processed ID token is set equal to the ID token B, and the flow goes to the step 202 back. Alternatively, also to the step 206 if the service computer system in the step 202 also specified the attributes B to be read out of the ID token B, and if that specification in the step 204 already transferred to the ID provider and cached there. Preferably, however, such an intermediate storage is dispensed with in order to be able to train the ID provider without status.

The step 206 can be omitted with regard to the ID token B.

After the repeated execution of the steps 202 to 216 with respect to the ID token B, the service computer system has thus received the attributes A and B.

In the step 220 then determines the service computer system based on the attributes A and / or B, the data for updating or initialization of the ID token B. This can be done so that the service computer system generates this data, queries from a database or the database for access by the ID provider computer system for reading this data over the network.

In the step 220 The service computer system sends a release signal for writing the data to the ID token B to the ID provider. The ID provider then reads the information from the computer system in the step 220 determined data in the step 224 for example, by the ID provider computer system accessing the service computer system over the network. Then, the ID provider computer system writes the data in the step 226 in the ID token B over the connection B, under the condition that the connection A still exists.

The 5 shows a further embodiment of a method according to the invention. By a user input of a user 102 into a user computer system 100 specifies the user 102 a service of a service computer system which he or she wants to use. This is done, for example, by calling an Internet page of the service computer system and a selection of one of the services offered there. The service request of the user 102 is from the user computer system 100 to the service computer system 150 transfer.

For example, the service computer system includes 150 a web service 176 , in particular according to a Web Services Architecture specified by W3C. The web service 176 serves as the interface of the service computer system 150 towards the user computer system 100 and / or the ID provider computer system 136 ,

The service computer system 150 responds to the service request with attribute specification of attributes A, ie, for example, a list of attribute names. Upon receipt of the attribute specification, the user computer system requests 100 the user 102 for example, by a prompt, for authentication against the ID token 106 on.

The user 102 then authenticates to the ID token 106 , for example by entering his PIN. After successful authentication, the attribute specification is obtained from the user computer system 100 to an ID provider computer system 136 forwarded. For this purpose, the connection A is established. The ID provider computer system 136 then authenticates to the ID token 106 and directs a read request to read the attributes according to the attribute specification to the ID token 106 ,

Assuming the previous successful authentication of the user 102 and the ID provider computer system 136 the ID token answers 106 to the read request with the desired attributes A. The ID Provider computer system 136 signs the attributes A and sends the signed attributes to the user computer system 100 , After approval by the user 102 the signed attributes are then sent to the service computer system 150 transfer.

The in the 5 marked partial sequence 178 with the steps to transfer attributes A to the web service 176 is then executed again, with respect to the ID token B, to also the attributes B according to the attribute specification to the web service 176 transferred to. In this case, the steps for the authentication of the user compared to the ID token B can be omitted.

The partial sequence provided for this purpose 178 ' For example, it can be performed as follows:
The service computer system 150 responds to the receipt of the attributes A with an attribute specification of the attributes B, ie, for example, a list of attribute names. The attribute specification is provided by the user computer system 100 to an ID provider computer system 136 forwarded. For this purpose, the connection B is established. The ID provider computer system 136 then authenticates to the ID token 107 and directs a read request to read the attributes according to the attribute specification to the ID token 107 ,

Assuming the previous successful authentication of the user 102 and the ID provider computer system 136 the ID token answers 107 to the read request with the desired attributes B. The ID provider computer system 136 signs the attributes B and sends the signed attributes to the user computer system 100 , After approval by the user 102 the signed attributes are then sent to the service computer system 150 transfer.

The web service 176 then routes attributes A and B to a component 180 of the service computer system 150 which serves as an attribute provider, ie for determining the updated or initial attribute values for writing into the ID token B.

This can be done so that the component 180 using the attributes A and / or B, a database query of the database 174 performs. The in the database 174 Database entries identified by the database query that contain the data to be written to the ID token B may be retrieved from the component 180 be marked with a so-called flag. Then it is from the database 174 or from the component 180 to the webservice 176 reported that the data is provided. This signal is from the webservice 176 to the ID provider computer system 136 forwarded. The ID provider computer system 136 then reads the data via the web service 176 from the database 174 and then write the data in the ID token B, provided that both connections A and B still exist until the completion of the write operation.

To secure the component 180 provided data against unauthorized access can be proceeded so that of the component 180 A key is generated along with the "data ready" signal to the ID provider computer system 136 is sent. The subsequent reading of the data by the ID provider computer system 136 is only possible if the ID provider computer system 136 has this key. For example, the ID provider computer system must be 136 authenticate to the web service with this key first in order to access the data.

Alternatively or additionally, the provision of the data by the component 180 only for a limited period of time. To do this starts the component 180 after the data has been provided or after the signal "data ready" to the ID provider computer system 136 has been sent, a timer. Reading the data through the ID provider computer system 136 is only possible if this happens before the timer expires.

In the embodiment of the 6 is the user computer system 100 trained as a client computer. At the ID token A 106 this is an electronic identity card "ePA". In the ID token B 107 it is an electronic motor vehicle document, such as an electronic vehicle registration document or an electronic vehicle registration document "eKFZ". The web service 176 is here designed as an admission service, ie the web service provides various services for the online registration or registration of motor vehicles. The web service 176 and the attributes provider 180 may be connected to a connection for reading and / or writing data.

• 1. Der Nutzer 102 ruft von seinem Nutzer-Computersystem 100 mit Hilfe einer Dienstanforderung einen von dem Webservice 176 zur Verfügung gestellten Dienst auf.
• 2. Der Webservice 176 antwortet auf diese Dienstanforderung mit einer Authentifizierungsanfrage, d. h. der Webservice 106 spezifiziert diejenigen Attribute A mit Hilfe einer Attributspezifizierung A, welche er bezüglich des Nutzers 102 benötigt. Diese Authentifizierungsanfrage wird von dem Webservice 176 an das Nutzer-Computersystem 100 gesendet. Außerdem sendet der Webservice 176 an das Nutzer-Computersystem 100 eine Information, wonach eine Multidokument-Session folgt, d. h. eine Session, bei der parallel zwei Verbindungen zu den ID-Token 106 und 107 bestehen sollen.
• 3. Von dem Nutzer-Computersystem 100 wird eine Anfrage zur Benutzer-ID-Betätigung an den ID-Provider 136 gesendet. Diese Anfrage beinhaltet die Attributspezifizierung A, d. h. eine Spezifizierung der Attribute A, die aus dem ID-Token 106 ausgelesen werden sollen. Ferner wird von dem Nutzer-Computersystem 100 an das ID-Provider-Computersystem 136 die Information gesendet, wonach die mit dem ID-Token 106 aufzubauende Verbindung A nach Abfrage der Attribute A aus dem ID-Token 106 aufrechterhalten werden soll.
• 4. Zwischen dem ID-Provider-Computersystem 136 und dem ID-Token 106 wird dann die Verbindung A aufgebaut und das ID-Provider-Computersystem 136 liest die Attribute A aus dem ID-Token A aus. Nach dem Auslesen der Attribute A bleibt die Verbindung A, d. h. die Session, bestehen.
• 5. Das ID-Provider-Computersystem 136 sendet die Attribute A an das Nutzer-Computersystem 100 als Antwort auf die Anfrage Schritts 3.
• 6. Das Nutzer-Computersystem 100 sendet die Attribute A an den Webservice 176 als Antwort auf die Authentifizierungsanfrage des Schritts 2.
• 7. Der Webservice 176 sendet eine Authentifizierungsanfrage bezüglich von Attributen B an das Nutzer-Computersystem 100, d. h. bezüglich solcher Attribute B, die in dem ID-Token 107 gespeichert sind. Die Authentifizierungsanfrage beinhaltet also eine Attributspezifizierung der Attribute B. Ferner wird eine Information übertragen, dass die Multidokument-Session erweitert werden soll, d. h. dass eine weitere Verbindung B aufgebaut werden soll.
• 8. Das Nutzer-Computersystem 100 sendet eine Anfrage für eine Kraftfahrzeug-ID-Bestätigung an das ID-Provider-Computersystem 136, d. h. eine Anfrage zur Lieferung der Attribute B, so wie sie in der mit der Authentifizierungsanfrage des Schritts 7 empfangenen Attributspezifizierung B spezifiziert sind. Ferner wird eine Information gesendet, wonach die hierzu aufzubauende Verbindung B mit dem ID-Token 107 nach Auslesen der Attribute B bestehen bleiben soll.
• 9. Das ID-Provider-Computersystem 136 baut die Verbindung B mit dem ID-Token 107 auf und liest hierüber die Attribute B aus. Nach dem Auslesen der Attribute B bleibt die Verbindung B bestehen. Beispielsweise wird ein sogenanntes Session Binding der Verbindung A und B durchgeführt.
• 10. Als Antwort auf die Anfrage des Schritts 8 sendet das ID-Provider-Computersystem 136 an das Nutzer-Computersystem 100 die Attribute B.
• 11. Als Antwort auf die Authentifizierungsanfrage des Schritts 7 sendet das Nutzer-Computersystem 100 die Attribute B an den Webservice 176.
• 12a. Der Webservice 176 sendet ein Freigabesignal zum Schreiben von Daten, wie zum Beispiel des neuen amtlichen Kennzeichens, auf den ID-Token 107 an das Nutzer-Computersystem 100.
• 12b. Der Webservice 176 sendet ein Freigabesignal zum Lesen der auf den ID-Token 107 zu schreibenden Daten von dem Attribute-Provider 180.
• 13. Das Nutzer-Computersystem 100 sendet an das ID-Provider-Computersystem 136 aufgrund des in dem Schritt 12a empfangenen Freigabesignals eine Anforderung zum Beschreiben des ID-Tokens 107.
• 14. Das ID-Provider-Computersystem 136 liest noch einmal die Attribute A aus dem ID-Token 106 über die Verbindung A, da diese in dem ID-Provider-Computersystem 136 nach dem ersten Lesevorgang nicht zwischengespeichert worden sind.
• 15. Das ID-Provider-Computersystem 136 liest von dem Attribute-Provider 180 die Daten zum Beschreiben des ID-Tokens 107, was möglich ist, da der Attribute-Provider 180 in dem Schritt 12b das Freigabesignal zum Lesen empfangen hatte.
• 16. Das ID-Provider-Computersystem 136 generiert aus den Attributen A und den vom den Attribute-Provider 180 gelesenen Daten einen Datensatz zum Schreiben auf den ID-Token 107 und schreibt diesen Datensatz dann über die Verbindung B in den ID-Token 107.
• 17. Das ID-Provider-Computersystem 136 sendet eine Bestätigung an das Nutzer-Computersystem 100, und zwar als Bestätigung für die in dem Schritt 13 empfangene Anforderung.
• 18. Das Nutzer-Computersystem 100 sendet an den Webservice 176 eine Bestätigung bezüglich des Freigabesignals des Schritts 12a.
• 19. Der Webservice 176 sendet an das Nutzer-Computersystem 100 eine Bestätigung bezüglich der Dienstanforderung des Schritts 1, um zu bestätigen, dass der ID-Token 107 erfolgreich aktualisiert worden ist.

To update the ID token 107 , for example with a new registration number, proceed as follows:

• 1. The user 102 calls from his user computer system 100 using a service request, one from the web service 176 provided service.
• 2. The web service 176 responds to this service request with an authentication request, ie the web service 106 specifies those attributes A with the help of an attribute specification A, which it relates to the user 102 needed. This authentication request is made by the web service 176 to the user computer system 100 Posted. In addition, the web service sends 176 to the user computer system 100 an information that follows a multi-document session, ie a session, in parallel two connections to the ID tokens 106 and 107 should exist.
• 3. From the user computer system 100 becomes a request for user ID operation to the ID provider 136 Posted. This request contains the attribute specification A, ie a specification of the attributes A, which is the ID token 106 should be read. Further, by the user computer system 100 to the ID provider computer system 136 the information is sent, after which the one with the id token 106 Established connection A after requesting the attributes A from the ID token 106 should be maintained.
• 4. Between the ID provider computer system 136 and the ID token 106 then the connection A is established and the ID provider computer system 136 reads the attributes A from the ID token A. After reading out the attributes A, the connection A, ie the session, remains.
• 5. The ID provider computer system 136 sends the attributes A to the user computer system 100 in response to the request step 3 ,
• 6. The user computer system 100 sends attributes A to the web service 176 in response to the step's authentication request 2 ,
• 7. The web service 176 sends an authentication request regarding attributes B to the user computer system 100 ie, for those attributes B that are in the ID token 107 are stored. The authentication request thus includes an attribute specification of the attributes B. Furthermore, information is transmitted that the multidocument session is to be extended, ie that a further connection B is to be established.
• 8. The user computer system 100 sends a request for a motor vehicle ID confirmation to the ID provider computer system 136 ie, a request for the delivery of the attributes B, as in the step with the authentication request 7 received attribute specification B are specified. Furthermore, information is sent, after which the connection B to be established for this purpose with the ID token 107 after reading out the attributes B should remain.
• 9. The ID provider computer system 136 builds connection B with the ID token 107 and reads out the attributes B over this. After reading out the attributes B, the connection B remains. For example, a so-called session binding of the connection A and B is performed.
• 10. In response to the request of the step 8th sends the ID provider computer system 136 to the user computer system 100 the attributes B.
• 11. In response to the step's authentication request 7 sends the user computer system 100 the attributes B to the webservice 176 ,
• 12a. The web service 176 sends a release signal to write data, such as the new license plate, to the ID token 107 to the user computer system 100 ,
• 12b. The web service 176 sends an enable signal to read the ID token 107 data to be written from the attribute provider 180 ,
• 13. The user computer system 100 sends to the ID provider computer system 136 because of in the step 12a received enable signal a request to describe the ID token 107 ,
• 14. The ID Provider Computer System 136 again reads the attributes A from the ID token 106 over the connection A, since these in the ID Provider computer system 136 have not been cached after the first read.
• 15. The ID provider computer system 136 read from the attribute provider 180 the data describing the ID token 107 which is possible because of the attribute provider 180 in the step 12b had received the enable signal for reading.
• 16. The ID Provider Computer System 136 generated from the attributes A and the attributes provider 180 read data a record for writing to the ID token 107 and then writes this record over the connection B in the ID token 107 ,
• 17. The ID Provider Computer System 136 sends a confirmation to the user computer system 100 , as a confirmation for in the step 13 received request.
• 18. The user computer system 100 sends to the webservice 176 an acknowledgment regarding the enable signal of the step 12a ,
• 19. The web service 176 sends to the user computer system 100 a confirmation regarding the service request of the step 1 to confirm that the ID token 107 has been successfully updated.

Of particular advantage here is that the ID provider computer system 136 act as an intermediary between the different data sources, which are subject to different jurisdictions. Furthermore, it is of particular advantage that the ID provider computer system 136 is the trust point for binding the different sessions.

100

User computer system

101

connection A

102

user

103

connection B

104

interface

106

ID token

107

ID token

108

interface

110

processor

112

program instructions

114

Network interface

116

network

118

electronic Storage

120

protected storage area

122

protected storage area

124

protected storage area

126

storage area

128

processor

130

program instructions

131

program instructions

132

program instructions

134

program instructions

136

ID provider computer system

138

Network interface

140

Storage

142

private key

144

certificate

145

processor

146

program instructions

147

program instructions

148

program instructions

149

program instructions

150

Service computer system

151

program instructions

152

Network interface

154

processor

156

program instructions

158

Configuration record

160

Configuration record

161

Configuration record

162

user input

166

attribute specification

168

Requirement

170

answer

172

motor vehicle

174

Database

176

web

178

subsequence

180

component

QUOTES INCLUDE IN THE DESCRIPTION

This list The documents listed by the applicant have been automated generated and is solely for better information recorded by the reader. The list is not part of the German Patent or utility model application. The DPMA takes over no liability for any errors or omissions.

Cited patent literature

• US 2007/0294431 A1 [0004]
• - DE 2008000067 [0005]
• US 2003/0023858 A1 [0006]

Claims (21)

Method for storing data with the following steps: - establishment of a first connection ( 101 ) between a first ID token ( 106 ) and a first computer system ( 136 ) via a second computer system ( 100 ) for reading at least a first attribute from the first ID token, - establishing a second connection ( 103 ) between a second ID token ( 107 ) and the first computer system via the second computer system for reading at least one second attribute from the second ID token, - sending the first and second attributes from the first computer system to a third computer system ( 150 Receiving the data from the third computer system by the first computer system; writing the data from the first computer system to the second ID token over the second connection to store the data in the second ID token, provided that the Writing the data is that the first connection still exists, with the first and second connections each being end-to-end encryption connections and a connection-oriented protocol. The method of claim 1, wherein the first and / or the second ID token to a document, in particular a value or security document. The method of claim 1 or 2, wherein it is at the connection-oriented protocol is TCP. Method according to claim 1, 2 or 3, wherein in order to establish each of the first and second connections, the following steps are respectively performed: authentication of a user ( 102 Authentication of the first computer system with respect to the respective ID token, wherein after successful authentication of the user and the first computer system relative to the respective ID token read access of the first computer system to the at least first or second in the attributed ID token stored attribute for transmission after its signature to the third computer system. Method according to claim 4, wherein the authentication of the first computer system with respect to the relevant ID token by means of a certificate ( 144 ) of the first computer system, wherein the certificate includes an indication of the attributes stored in the respective ID token for which the first computer system is authorized for read access. The method of claim 5, wherein the subject ID token the read permission of the first computer system for the read access to at least the first or the second attribute checked with the help of the certificate. Method according to claim 5 or 6, wherein the certificate a specification of the write permissions of the first computer system for writing the data into the second ID token, wherein the second ID token the write permission of the first computer system for write access to write the data with help of the certificate. Method according to one of the preceding claims, with the following further steps: Signing the at least first or second read from the respective ID tokens Attribute by the first computer system, - Transmission of the signed computer system from the first computer system the third computer system. Method according to one of the preceding claims, with the following further steps: - Send a service request from the second computer system to the third computer system, - Specification one or more attributes by the third computer system, - Send an attribute specification from the third computer system to the first computer system, wherein the read access of the first computer system the first and second ID tokens are the ones specified in the attribute specification specified one or more attributes. The method of claim 9, wherein the service request an identifier for identifying the first computer system involves building the first computer system the first and second connections and the writing of the data select. Method according to one of the preceding claims, wherein the at least first and second of the first computer system attribute read from the respective ID token to the second computer system is sent from where it is after approval by the user to the third Computer system is forwarded. The method of claim 11, wherein the user receives the at least first or second attribute before forwarding to the third computer system can supplement by more data. Method according to one of the preceding claims, the first computer system being re-written before writing the data accesses the first ID token via the first connection, to reread the first attribute, and the first computer system from the first attribute and that received from the third computer system Data generates the write data, which is then from the first computer system written to the second ID token. Method according to one of the preceding claims, wherein the first ID token is associated with a user and wherein the second ID tokens of a thing, in particular a motor vehicle assigned where the second attribute uniquely identifies the thing. Computer program product with from a computer system executable instructions for carrying out a Method according to one of the preceding claims. ID tokens with - a protected memory area ( 124 ' ) for storing at least one attribute and for storing data, means ( 134 ) for authenticating a first computer system ( 136 ) against the ID token, - means ( 131 ' ) to establish a connection ( 103 ) to the first computer system according to a connection-oriented protocol, via which the first computer system can read out the at least one attribute, wherein a necessary prerequisite for the reading out of the at least one attribute from the ID token by the first computer system is the successful authentication of the first computer system ID token is and where the data can be written over the connection in the memory area. The ID token of claim 16, wherein the connection-oriented protocol about TCP. An ID token according to claim 16 or 17, wherein it is to a document, in particular a value or security document, is. Computer system with - means ( 138 . 147 ) to establish a first connection ( 101 ) between a first ID token ( 106 ) via a user computer system ( 100 ) for reading at least a first attribute from the first ID token, - means ( 138 . 147 ) to establish a second connection ( 103 ) between a second ID token ( 107 ) via the second computer system for reading at least one second attribute from the second ID token, - means ( 138 . 147 ) for sending the first and second attributes from the first computer system to a third computer system ( 150 ), - means ( 138 ) for receiving the data from the third computer system, - means ( 138 . 147 . 151 ) for writing the data from the first computer system into the second ID token over the second connection to store the data in the second ID token, the prerequisite for writing the data is that the first connection still exists, wherein each of the first and second connections is end-to-end encryption and a connection-oriented protocol. Computer system according to claim 19, comprising - means ( 138 ) for receiving an attribute specification over a network ( 116 ), wherein the attribute specification specifies at least a first and / or second attribute, - means ( 142 . 144 . 146 ) for authenticating against the first and second ID tokens, wherein reading the first and second attributes respectively requires that a user has authenticated against at least the first ID token and the computer system against the first and second ID tokens. A computer system according to claim 19 or 20, wherein the Means for building the first and second connections so formed are that the first and second connections are maintained at the same time can be.