EP2471214A1 - Method for issuing an electronic authorization for a user with an electronic identity document and method for monitoring this authorization - Google Patents

Method for issuing an electronic authorization for a user with an electronic identity document and method for monitoring this authorization

Publication number: EP2471214A1
Authority: EP (European Patent Office)
Prior art keywords: document, server, eld, authorization, key
Legal status: Withdrawn
Application number: EP10742821A
Other languages: English (en), French (fr)
Inventor: Bruno Rouchouze
Current Assignee: Thales DIS France SA
Original Assignee: Gemalto SA
Application filed by Gemalto SA
Priority to EP10742821A
Publication of EP2471214A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263: as H04L9/32, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/321: as H04L9/32, involving a third party or a trusted authority
    • H04L9/3247: as H04L9/32, involving digital signatures
    • H04L9/3271: as H04L9/32, using challenge-response

Definitions

  • The invention relates to an electronic authorization method.
  • The invention relates in particular to the establishment of authorizations relying on an electronic document.
  • Certain places are subject to access permissions. These places are, for example, confidential areas such as computer archiving areas, or areas considered to pose a risk of intrusion: airport areas, political/military zones.
  • The second approach depends on the issuing authorities agreeing to reply in due time to a request for validation of one of their issued documents.
  • Multiple documents for one and the same individual can lead to risky situations.
  • The boarding authorization issued on the basis of the French passport becomes obsolete. Not every checkpoint is necessarily sufficiently trained to verify the authenticity of an identity document. Identity fraud can therefore be a reality and cause significant damage.
  • The present invention proposes to close this potential security flaw electronically while providing greater ease of use to the bearer. To this end, the invention proposes a method for creating and validating a digital authorization request, as well as a method for checking this authorization.
  • The method according to the invention makes it possible, through a combination of successive signatures, to guarantee at any moment the identity of the bearer, the document and the validating body.
  • The invention describes, first:
  • A method for establishing an electronic authorization linked to an electronic identity document, called eID, comprising at least one private/public key pair called UtilPriv and UtilPub, as well as an asymmetric cryptographic algorithm ASYM,
  • the document being able to communicate with a second electronic device, called the server, comprising at least one private/public key pair called ServPriv and ServPub, and an asymmetric cryptographic algorithm ASYM.
  • This method comprises at least the steps of:
  • The server may store it in non-volatile memory.
  • The signed eAuthorization can be stored in non-volatile memory accessible by the eID document, for example in non-volatile memory contained in the eID document.
  • The signed eAuthorization can be stored in a non-volatile memory accessible by the server, for example in a non-volatile memory contained in the server.
  • The digital "object" called eAuthorization may contain all or part of the information contained in the eQuery, as well as at least information on the acceptance of this request.
  • The bearer of the eID document may have authenticated to the eID document, for example through a personal code.
  • The invention describes a method for taking into account an electronic authorization, eAuthorization, linked to an electronic identity document called eID, comprising at least one private/public key pair called UtilPriv and UtilPub, as well as an asymmetric cryptographic algorithm ASYM, the document being able to communicate with a second electronic device, called the terminal, comprising at least access to the public keys UtilPub, of the eID document, and ServPub, of the ServPub/ServPriv pair of a third electronic device called the server, as well as an asymmetric cryptographic algorithm ASYM, the eAuthorization being signed with said key ServPriv and comprising at least one request, signed with the key UtilPriv, as well as at least information on the acceptance of this request.
  • The method comprises at least the steps of:
  • Figure 1 shows the establishment of an authorization according to the invention.
  • Figure 2 shows the verification of an authorization according to the invention.
  • An individual 1 requests access to an aircraft.
  • User 1 presents a passport 2, equipped with an electronic chip, containing at least one PKI certificate 3.
  • The recording terminal prepares, based on the data present on the user's ticket, a request for authorization to board 4.
  • This request includes, among other things, the flight number, the reserved seat, the schedules, and the take-off and landing locations.
  • This request for boarding authorization is sent to the chip of passport 2, which signs it. The signature is produced using a cryptographic algorithm and a key.
  • The boarding terminal serves as a relay between the electronic document and the other actors of the system.
  • Where the identity document is embodied by a communicating electronic device (mobile phone, communicating electronic calendar ...), or embedded in such a device, its presence is unnecessary.
  • The algorithm used is an asymmetric algorithm, for example RSA (for Rivest, Shamir and Adleman).
  • Asymmetric cryptography, or public-key cryptography, is based on the existence of one-way functions.
  • Public-key cryptography is an asymmetric method using a pair of keys.
  • These keys, generally called "public key" and "private key", are constructed in such a way that what is encrypted with one of these keys can only be decrypted with the other.
  • The principle is to distribute the public key while keeping the private key secret.
  • Anyone with a copy of the public key can encrypt information that only the owner of the private key can decrypt.
  • The passport 2 contains, in its electronic chip, at least one asymmetric cryptographic algorithm, as well as the public and private keys of the user 1.
  • The signature 6 is made using this algorithm and the private key 3 of the user.
  • This request for boarding authorization is sent to a trusted third party.
  • This trusted third party is also called the server, because of its position in the system.
  • The terms "trusted third party" and "server" both refer to the same entity.
  • This trusted third party can advantageously be an entity of the air force and borders, or customs.
  • The mission of this trusted third party is to validate or not validate the boarding authorization, and to stamp this authorization.
  • This trusted third party must also have its own means of electronic signature, as well as means to verify electronic signatures, for example those of users.
  • In the implementation mode based on an asymmetric cryptographic scheme, this trusted third party must have its own set of private/public keys, and also the public keys of the users.
  • The invention can rely on a secret-key cryptographic scheme (also called a symmetric cryptographic scheme).
  • Symmetric cryptography, or secret-key cryptography, is based on shared knowledge of a secret between two actors.
  • The algorithms used, such as DES, 3DES, AES, ..., are based on the fact that it is almost impossible, knowing the ciphertext of a message, to recover the plaintext without knowing the key used for encryption.
  • This scheme requires that the trusted third party and the electronic passport of the user share a secret. It is strongly recommended that this secret be limited to one user and not be the same for several users.
  • The electronic chip of the passport 2 of the user comes into direct contact with the trusted third party 7 and authenticates to it. This authentication is intended to prove the validity of the document presented, as well as the legitimacy of its owner.
  • Electronic certificates can be used to authenticate the document presented; the use of an external element, for example a secret code, can legitimize the bearer.
  • This authentication can be done with any of the authentication algorithms known to those skilled in the art.
  • A signed authorization request 5 is obtained. This request must be sent to the trusted third party 7 for validation.
  • If this trusted third party has the means to check the validity of the signature 6, it does so.
  • This operation verifies not only the identity of the signer (or at least of passport 2), but also that the request 5 has not been changed since it was signed. Indeed, if all or part of the document 5 has been modified, the electronic signature 6 is no longer valid.
  • The trusted third party 7 studies the content of the authorization request 5 and makes a decision.
  • The trusted third party accepts the boarding request. Its agreement is recorded on the authorization request, which thereby becomes a valid authorization 9. This authorization is signed in turn by the trusted third party and returned to the electronic component of the passport 2, which records it.
  • The trusted third party keeps a copy of the valid authorization in a non-volatile memory 9.
  • This authorization was established according to a user 1, an electronic identity document 2, a content 4 and a trusted third party 7.
  • Figure 2 illustrates the verification of authorization 22 by an agent 24.
  • This agent can be a natural person such as a security agent, or an automated module, for example a computer program or an electronic module (control terminal). In all cases, this agent must be in possession of an electronic device (called the terminal) capable of reading the electronic components of passport 21.
  • This check can be done when boarding the plane or on landing.
  • The following focuses on the example of a check on landing.
  • To disembark from his aircraft, the user 20 must present his valid authorization. To do so, he presents (26) to the agent 24 his identity document 21, which is provided with an electronic component and holds, stored in a non-volatile memory, a valid authorization 22 established in accordance with the invention.
  • The agent 24 extracts the authorization 22, as well as the means 27 to verify the signature of the user affixed to the authorization 22.
  • Authentication is requested from the user, in order to prove the legitimacy of the holder, as well as the validity of his identity document 21.
  • The agent 24 can now check the validity of the signature present on the authorization. If this verification succeeds, the agent is certain that the authorization has not been modified, and that it was established with the document 21 presented and by the holder 20.
  • The agent 24 must now verify the signature affixed to the authorization by the trusted third party who issued this authorization.
  • There are several possibilities: either he has a means 28 to verify this signature himself, or he is in contact with a trusted third party 29 that has such means 30 of verification.
  • This trusted third party is not necessarily the same as the one, illustrated in Figure 1, that issued this authorization.
  • These trusted third parties are independent of each other but have agreements that provide mutual trust.
  • All the exchanges between the various electronic actors can be secured by applying mechanisms well known to those skilled in the art, in particular the establishment of secure channels.
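
The issuing flow of Figure 1 and the terminal check of Figure 2, as an added example that is not code from the patent. ASYM is instantiated here with Ed25519 (the text names RSA only as an example); the type and function names, the JSON encoding of the signed payload and the sample request are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

var ErrUserSig = errors.New("eQuery: signature does not verify under UtilPub")
var ErrServSig = errors.New("eAuthorization: signature does not verify under ServPub")
var ErrRefused = errors.New("eAuthorization: the server refused the request")

// EQuery is the authorization request with the eID chip's signature (UtilPriv).
type EQuery struct{ Body, UserSig []byte }

// EAuthorization is the signed request plus the decision, signed with ServPriv.
type EAuthorization struct {
	Query    EQuery
	Accepted bool
	ServSig  []byte
}

// payload is what the server signs: request, user signature and decision
// together, so that none of them can be altered or swapped afterwards.
func payload(q EQuery, accepted bool) []byte {
	b, _ := json.Marshal(struct { // cannot fail for these field types
		Body, UserSig []byte
		Accepted      bool
	}{q.Body, q.UserSig, accepted})
	return b
}

// Issue is the server side (Figure 1): verify the user's signature, then
// sign the request together with the decision.
func Issue(servPriv ed25519.PrivateKey, utilPub ed25519.PublicKey, q EQuery, accept bool) (EAuthorization, error) {
	if !ed25519.Verify(utilPub, q.Body, q.UserSig) {
		return EAuthorization{}, ErrUserSig
	}
	return EAuthorization{q, accept, ed25519.Sign(servPriv, payload(q, accept))}, nil
}

// Check is the terminal side (Figure 2): user signature, server signature, decision.
func Check(utilPub, servPub ed25519.PublicKey, a EAuthorization) error {
	switch {
	case !ed25519.Verify(utilPub, a.Query.Body, a.Query.UserSig):
		return ErrUserSig
	case !ed25519.Verify(servPub, payload(a.Query, a.Accepted), a.ServSig):
		return ErrServSig
	case !a.Accepted:
		return ErrRefused
	}
	return nil
}

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Demo checks a genuine authorization, one altered after signing, and a refusal edited into an acceptance.
func Demo() (genuine, tampered, flipped error) {
	utilPub, utilPriv := newKey()
	servPub, servPriv := newKey()
	body := []byte(`{"flight":"XX000","seat":"12A"}`) // constructed sample request
	q := EQuery{body, ed25519.Sign(utilPriv, body)}   // signing happens inside the eID chip
	auth, _ := Issue(servPriv, utilPub, q, true)      // q is validly signed
	genuine = Check(utilPub, servPub, auth)
	auth.Query.Body = []byte(`{"flight":"XX000","seat":"1A"}`) // seat changed after signing
	tampered = Check(utilPub, servPub, auth)
	refusal, _ := Issue(servPriv, utilPub, q, false)
	refusal.Accepted = true // decision changed after the server signed it
	flipped = Check(utilPub, servPub, refusal)
	return
}

func main() { fmt.Println(Demo()) }
```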

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
Application Number | Priority Date | Filing Date | Title | Status | Publication
EP10742821A | 2009-08-24 | 2010-08-11 | Method for issuing an electronic authorization for a user with an electronic identity document and method for monitoring this authorization | Withdrawn | EP2471214A1 (de)

Priority Applications (1)

Application Number | Publication | Priority Date | Filing Date | Title
EP10742821A | EP2471214A1 (de) | 2009-08-24 | 2010-08-11 | Method for issuing an electronic authorization for a user with an electronic identity document and method for monitoring this authorization

Applications Claiming Priority (3)

Application Number | Publication | Priority Date | Filing Date | Title
EP09305782A | EP2290876A1 (de) | 2009-08-24 | 2009-08-24 | Method for establishing an electronic authorization for a user having an electronic identification document and for checking said authorization
PCT/EP2010/061706 | WO2011023555A1 (fr) | 2009-08-24 | 2010-08-11 | Method for establishing an electronic authorization for a user bearing an electronic identity document and method for checking said authorization
EP10742821A | EP2471214A1 (de) | 2009-08-24 | 2010-08-11 | Method for issuing an electronic authorization for a user with an electronic identity document and method for monitoring this authorization

Publications (1)

Publication Number | Publication Date
EP2471214A1 (de) | 2012-07-04

Family

ID=42025062

Family Applications (2)

Application Number | Status | Publication | Title | Priority Date | Filing Date
EP09305782A | Withdrawn | EP2290876A1 (de) | Method for establishing an electronic authorization for a user having an electronic identification document and for checking said authorization | 2009-08-24 | 2009-08-24
EP10742821A | Withdrawn | EP2471214A1 (de) | Method for issuing an electronic authorization for a user with an electronic identity document and method for monitoring this authorization | 2009-08-24 | 2010-08-11

Family Applications Before (1)

Application Number | Status | Publication | Title | Priority Date | Filing Date
EP09305782A | Withdrawn | EP2290876A1 (de) | Method for establishing an electronic authorization for a user having an electronic identification document and for checking said authorization | 2009-08-24 | 2009-08-24

Country Status (3)

Country | Link
US (1) | US20120198238A1 (de)
EP (2) | EP2290876A1 (de)
WO (1) | WO2011023555A1 (de)

Also Published As

Publication number Publication date
US20120198238A1 (en) 2012-08-02
EP2290876A1 (de) 2011-03-02
WO2011023555A1 (fr) 2011-03-03

Legal Events

Code | Title | Description
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012
17P | Request for examination filed | Effective date: 20120326
AK | Designated contracting states | Kind code of ref document: A1; Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO SE SI SK SM TR
DAX | Request for extension of the european patent (deleted) |
STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN
18D | Application deemed to be withdrawn | Effective date: 20180301