EP2471214A1 - Method for issuing an electronic authorization for a user with an electronic identity document and method for monitoring this authorization - Google Patents
- Publication number
- EP2471214A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- document
- server
- eID
- authorization
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
Definitions
- The invention relates to an electronic authorization method.
- The invention relates in particular to the establishment of authorizations that rely on an electronic document.
- Places are subject to access permissions. These places are, for example, confidential areas such as computer archiving areas, or areas considered to pose a risk of intrusion: airport areas, political/military zones.
- The second approach depends on the issuing authorities agreeing to reply in due time to a request for validation of one of their issued documents.
- The plurality of documents for one and the same individual can lead to risky situations.
- The boarding authorization issued on the basis of the French passport becomes obsolete. Not every checkpoint is necessarily sufficiently trained to verify the authenticity of an identity document. Identity fraud can therefore be a reality and cause significant damage.
- The present invention proposes to close this potential security flaw electronically while providing greater ease of use to the bearer. To this end, the invention proposes a method for creating and validating a digital authorization request, as well as a method of checking this authorization.
- The method according to the invention makes it possible, through a combination of successive signatures, to guarantee, at any moment, the identity of the bearer, the document and the validating body.
- The invention describes, as a first step:
- A method for establishing an electronic authorization linked to an electronic identity document, called eID, comprising at least one private/public key pair called UtilPriv and UtilPub, as well as an asymmetric cryptographic algorithm ASYM.
- The document is able to communicate with a second electronic device, called the server, comprising at least one private/public key pair called ServPriv and ServPub, and an asymmetric cryptographic algorithm ASYM.
- This method comprises at least the steps of:
- The server may store it in non-volatile memory.
- The signed eAuthorization can be stored in non-volatile memory accessible by the eID document, for example in non-volatile memory contained in the eID document.
- The signed eAuthorization can be stored in non-volatile memory accessible by the server, for example in non-volatile memory contained in the server.
- The digital "object" called eAuthorization may contain all or part of the information contained in the eQuery, as well as at least information on the acceptance of this request.
- The bearer of the eID document may have authenticated to the eID document, for example by means of a personal code.
- The invention describes a method of taking into account an electronic authorization, eAuthorization, linked to an electronic identity document called eID, comprising at least one private/public key pair called UtilPriv and UtilPub, as well as an asymmetric cryptographic algorithm ASYM, the document being able to communicate with a second electronic device called the terminal, which comprises at least access to the public key UtilPub of the eID document and to the public key ServPub of the ServPub/ServPriv pair of a third electronic device called the server, as well as an asymmetric cryptographic algorithm ASYM, the eAuthorization being signed with said key ServPriv and comprising at least one request, signed with the key UtilPriv, as well as at least information on the acceptance of this request.
- The method comprises at least the steps of:
- Figure 1 shows the establishment of an authorization according to the invention.
- FIG. 2 represents the verification of an authorization according to the invention.
- An individual 1 requests access to an aircraft.
- User 1 presents a passport 2, equipped with an electronic chip, containing at least one PKI certificate 3.
- The recording terminal prepares, based on the data present on the user's ticket, a request for authorization to board 4.
- This request includes, among other things, the flight number, the reserved seat, the schedules, and the take-off and landing locations.
- This request for boarding authorization is sent to the chip of passport 2, which signs it. This signature is made using a cryptographic algorithm and a key.
- The boarding terminal serves as a relay between the electronic document and the other actors of the system.
- If the identity document takes the form of a communicating electronic device (mobile phone, communicating electronic calendar ...), or is embedded in such a device, its presence is unnecessary.
- The algorithm used is an asymmetric algorithm, for example RSA (for Rivest, Shamir and Adleman).
- Asymmetric cryptography, or public-key cryptography, is based on the existence of one-way functions.
- Public-key cryptography is an asymmetric method using a pair of keys.
- These keys, generally called "public key" and "private key", are constructed in such a way that what is encrypted with one of these keys can only be decrypted with the other.
- The principle is to distribute the public key while keeping the private key secret.
- Anyone with a copy of the public key can encrypt information that only the owner of the private key can decrypt.
- The passport 2 contains, in its electronic chip, at least one asymmetric cryptographic algorithm, as well as the public and private keys of the user 1.
- The signature 6 is made using this algorithm and the private key 3 of the user.
- This request for boarding authorization is sent to a trusted third party.
- This trusted third party is also called the server because of its position in the system.
- The terms "trusted third party" and "server" both refer to the same entity.
- This trusted third party can advantageously be an entity of the air force and borders, or customs.
- This trusted third party has the task of validating or refusing the boarding authorization, and of stamping this authorization.
- This trusted third party must also have its own means of electronic signature, as well as means to verify electronic signatures, for example those of users.
- In the implementation mode based on an asymmetric cryptographic scheme, this trusted third party must have its own set of private/public keys, and also the public keys of the users.
- The invention can rely on a secret-key cryptographic scheme (also called a symmetric cryptographic scheme).
- Symmetric cryptography, or secret-key cryptography, is based on shared knowledge of a secret between two actors.
- The algorithms used, such as DES, 3DES, AES, ..., are based on the fact that it is almost impossible, knowing the ciphertext of a message, to find the clear message without knowing the key used for encryption.
- This scheme requires that the trusted third party and the user's electronic passport share a secret. It is strongly recommended that this secret be limited to one user and not be the same for several users.
- The electronic chip of the user's passport 2 comes into direct contact with the trusted third party 7 and authenticates to it. This authentication is intended to prove the validity of the document presented, as well as the legitimacy of its owner.
- Electronic certificates can be used to authenticate the document presented; the possible use of an external element, for example a secret code, can establish the legitimacy of the bearer.
- This authentication can be done with any of the authentication algorithms known to those skilled in the art.
- A signed authorization request 5 is obtained. This request must be sent to the trusted third party 7 for validation.
- If this trusted third party has the means to check the validity of the signature 6, it does so.
- This operation not only verifies the identity of the signer (or at least of passport 2), but also verifies that the request 5 has not been changed since it was signed. Indeed, if all or part of the document 5 has been modified, the electronic signature 6 becomes invalid.
- The trusted third party 7 studies the content of the authorization request 5 and makes a decision.
- The trusted third party accepts the boarding request. Its agreement is recorded on the request for authorization, which thereby becomes a valid authorization 9. This authorization is signed in turn by the trusted third party and returned to the electronic component of the passport 2, which records it.
- The trusted third party keeps a copy of the valid authorization in a non-volatile memory 9.
- This authorization was established according to a user 1, an electronic identity document 2, a content 4 and a trusted third party 7.
- Figure 2 illustrates the verification of authorization 22 by an agent 24.
- This agent can be a natural person, such as a security agent, or an automated module, for example a computer program or an electronic module (control terminal). In all cases, this agent must be in possession of an electronic device (called the terminal) capable of reading the electronic components of passport 21.
- The term "terminal" denotes an electronic device capable of reading the electronic components of passport 21.
- This check can be done when boarding the plane or on landing.
- The following will focus on the example of a check on landing.
- The user 20 must, in order to disembark from his aircraft, present his valid authorization. To do so, he presents (26) to the agent 24 his identity document 21, which is provided with an electronic component and holds, in non-volatile memory, a valid authorization 22 established in accordance with the invention.
- The agent 24 extracts the authorization 22, as well as the means 27 to verify the signature of the user affixed to the authorization 22.
- Authentication is requested from the user, in order to prove the legitimacy of the holder, as well as the validity of his identity document 21.
- The agent 24 can now check the validity of the signature present on the authorization. If this verification succeeds, the agent is now certain that the authorization was not modified, and that it was established with the help of the document 21 presented, and by the holder 20.
- The agent 24 must now verify the signature affixed to the authorization by the trusted third party who issued this authorization.
- There are several possibilities: either he has a means 28 to verify this signature himself, or he is in contact with a trusted third party 29 that has such means 30 of verification.
- This trusted third party is not necessarily identical to the one, illustrated in Figure 1, that issued this authorization.
- These trusted third parties are independent of each other but have agreements that provide mutual trust.
- All the exchanges between the various electronic actors can be secured by applying mechanisms well known to those skilled in the art, in particular the establishment of secure channels.
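The issuance and verification flow described above, as an added example that is not part of the patent text: the eID signs the request with UtilPriv, the server countersigns with ServPriv, and the terminal checks both signatures using only UtilPub and ServPub. RSA-2048 with SHA-256 from Node's crypto module stands in for ASYM; the JSON field names, the constructed flight data and the nonce challenge used for holder authentication are assumptions.

```javascript
// Added illustration (not from the patent): eQuery / eAuthorization double signature.
// RSA-2048 + SHA-256 stands in for "ASYM"; field names and layout are assumptions.
const crypto = require('node:crypto');

const newKeyPair = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const sign = (text, priv) => crypto.sign('sha256', Buffer.from(text), priv).toString('base64');
const verify = (text, sigB64, pub) =>
  crypto.verify('sha256', Buffer.from(text), pub, Buffer.from(sigB64, 'base64'));

// eID chip: signs the request prepared by the terminal with UtilPriv.
// The exact signed string travels with the signature, so nobody re-serializes it later.
function signQuery(request, utilPriv) {
  const payload = JSON.stringify(request);
  return { payload, userSig: sign(payload, utilPriv) };
}

// Bytes covered by the server signature: request, user signature and decision.
// None of the three parts can contain a raw newline, so the join is unambiguous.
const authBytes = (a) => [a.payload, a.userSig, a.decision].join('\n');

// Server (trusted third party): checks the user signature, decides, countersigns with ServPriv.
function issueAuthorization(query, utilPub, servPriv, accept) {
  if (!verify(query.payload, query.userSig, utilPub)) return null; // altered or foreign request
  if (!accept(JSON.parse(query.payload))) return null;             // request refused
  const auth = { payload: query.payload, userSig: query.userSig, decision: 'accepted' };
  return { ...auth, servSig: sign(authBytes(auth), servPriv) };
}

// Terminal: holds only UtilPub (of the presented document) and ServPub.
// signChallenge is the presented document's answer to a fresh nonce (holder authentication).
function checkAuthorization(auth, utilPub, servPub, signChallenge) {
  const nonce = crypto.randomBytes(16).toString('hex');
  if (!verify(nonce, signChallenge(nonce), utilPub)) return 'document-not-authenticated';
  if (!verify(auth.payload, auth.userSig, utilPub)) return 'user-signature-invalid';
  if (!verify(authBytes(auth), auth.servSig, servPub)) return 'server-signature-invalid';
  if (auth.decision !== 'accepted') return 'not-accepted';
  return 'ok';
}

function demo() {
  const util = newKeyPair(), serv = newKeyPair(), other = newKeyPair();
  // Constructed sample request: flight number, seat, schedule, locations.
  const request = { flight: 'XX0000', seat: '12A', departure: '2010-08-11T09:00Z', from: 'AAA', to: 'BBB' };
  const query = signQuery(request, util.privateKey);
  const auth = issueAuthorization(query, util.publicKey, serv.privateKey, (r) => r.flight === 'XX0000');
  const chip = (key) => (nonce) => sign(nonce, key); // models the document answering a challenge

  const tampered = { ...auth, payload: auth.payload.replace('12A', '1A') };
  const selfIssued = { ...auth, servSig: sign(authBytes(auth), other.privateKey) };
  return {
    valid: checkAuthorization(auth, util.publicKey, serv.publicKey, chip(util.privateKey)),
    // Seat changed after signing: the user signature no longer matches.
    tampered: checkAuthorization(tampered, util.publicKey, serv.publicKey, chip(util.privateKey)),
    // Countersigned by a key that is not ServPriv.
    selfIssued: checkAuthorization(selfIssued, util.publicKey, serv.publicKey, chip(util.privateKey)),
    // Authorization copied onto a different identity document.
    otherDocument: checkAuthorization(auth, other.publicKey, serv.publicKey, chip(other.privateKey)),
    refused: issueAuthorization(query, util.publicKey, serv.privateKey, () => false),
  };
}

console.log(demo());
```
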
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP10742821A EP2471214A1 (de) | 2009-08-24 | 2010-08-11 | Method for issuing an electronic authorization for a user with an electronic identity document and method for monitoring this authorization |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP09305782A EP2290876A1 (de) | 2009-08-24 | 2009-08-24 | Method for establishing an electronic authorization for a user with an electronic identification document and for checking said authorization |
PCT/EP2010/061706 WO2011023555A1 (fr) | 2009-08-24 | 2010-08-11 | Method for establishing an electronic authorization for a user bearing an electronic identity document and method for checking said authorization |
EP10742821A EP2471214A1 (de) | 2009-08-24 | 2010-08-11 | Method for issuing an electronic authorization for a user with an electronic identity document and method for monitoring this authorization |
Publications (1)
Publication Number | Publication Date |
---|---|
EP2471214A1 (de) | 2012-07-04 |
Family
ID=42025062
Family Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP09305782A Withdrawn EP2290876A1 (de) | 2009-08-24 | 2009-08-24 | Method for establishing an electronic authorization for a user with an electronic identification document and for checking said authorization |
EP10742821A Withdrawn EP2471214A1 (de) | 2009-08-24 | 2010-08-11 | Method for issuing an electronic authorization for a user with an electronic identity document and method for monitoring this authorization |
Country Status (3)
Country | Link |
---|---|
US (1) | US20120198238A1 (de) |
EP (2) | EP2290876A1 (de) |
WO (1) | WO2011023555A1 (de) |
2009
- 2009-08-24: EP application EP09305782A, patent EP2290876A1 (de), not active, Withdrawn
2010
- 2010-08-11: WO application PCT/EP2010/061706, patent WO2011023555A1 (fr), active, Application Filing
- 2010-08-11: EP application EP10742821A, patent EP2471214A1 (de), not active, Withdrawn
- 2010-08-11: US application US13/392,046, patent US20120198238A1 (en), not active, Abandoned
Also Published As
Publication number | Publication date |
---|---|
US20120198238A1 (en) | 2012-08-02 |
EP2290876A1 (de) | 2011-03-02 |
WO2011023555A1 (fr) | 2011-03-03 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PUAI | Public reference made under article 153(3) EPC to a published international application that has entered the European phase | Free format text: ORIGINAL CODE: 0009012 |
 | 17P | Request for examination filed | Effective date: 20120326 |
 | AK | Designated contracting states | Kind code of ref document: A1. Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO SE SI SK SM TR |
 | DAX | Request for extension of the European patent (deleted) | |
 | STAA | Information on the status of an EP patent application or granted EP patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
 | 18D | Application deemed to be withdrawn | Effective date: 20180301 |