WO2007003446A1 - Procede de delivrance de certificats electroniques a utiliser pour des signatures electroniques - Google Patents

Procede de delivrance de certificats electroniques a utiliser pour des signatures electroniques Download PDF

Info

Publication number
WO2007003446A1
WO2007003446A1 PCT/EP2006/060434 EP2006060434W WO2007003446A1 WO 2007003446 A1 WO2007003446 A1 WO 2007003446A1 EP 2006060434 W EP2006060434 W EP 2006060434W WO 2007003446 A1 WO2007003446 A1 WO 2007003446A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
central computer
time password
computer
signature
Prior art date
Application number
PCT/EP2006/060434
Other languages
German (de)
English (en)
Inventor
Anja Rose
Elmar Waltereit
Original Assignee
Deutscher Sparkassen Verlag Gmbh
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Deutscher Sparkassen Verlag Gmbh filed Critical Deutscher Sparkassen Verlag Gmbh
Priority to EP06792445A priority Critical patent/EP1854241A1/fr
Publication of WO2007003446A1 publication Critical patent/WO2007003446A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Definitions

  • the invention relates to a method for providing electronic certificates for use for electronic signatures of a user.
  • the object of the invention is to provide a method for providing electronic certificates for use for electronic signatures, which can be handled by a user in a simple manner.
  • a user card such as a credit card or a credit card of a credit institution
  • a user card can be activated or activated by the user himself to then use the card for generating the electronic certificates for use for an electronic Signature to use.
  • it can also be a separate card, which can also be used for other purposes, such as an identity card or health card.
  • a card has a chip on which the required data and algorithms are stored.
  • Such a chip or such a memory element can be provided instead of in a card in a corresponding device, such as in combination with a Mob ⁇ ltelefon.
  • a one-time password is first provided on a central computer.
  • the one-time password can be generated by the central computer, for example via a random number generator.
  • Each one-time password is uniquely assigned to a reference identifier, in particular a reference number.
  • the reference identifier may be, for example, a sequential number.
  • the user of the card, which has the function to be unlocked as a signature card, the one-time password and the associated reference identifier is communicated.
  • the notification of the one-time password as well as the reference identifier preferably takes place in such a way that both parties are not aware of both data. This can be done, for example, by an envelope in which the one-time password is contained and on which the reference identifier, which in a preferred embodiment of the method must also be readable by third parties, is provided on the outside of the envelope.
  • Such an envelope or the like may be sent to the user by mail, for example.
  • a registry which is, for example, a financial institution, an authority or the like.
  • the registry can verify the identity of the user. Since in a preferred embodiment by an employee of the registry, the reference identifier can be read, the reference identifier associated, for example, provided within the envelope one-time password the registrar staff is not known, the registrar staff can assign the Make reference identifier to the user data.
  • this is known at this time only the central computer. In a first preferred embodiment, however, it is sufficient that the one-time password is provided on the central computer and uniquely assigned to a reference identifier and the user is notified of the one-time password and the associated reference identifier.
  • the user To unlock the card or equivalent means for generating a qualified electronic signature, the user establishes a data transfer connection between a user's computer and the central computer (SSL connection). Furthermore, it is necessary to establish a connection between the user's computer and a reading device, such as a card reader. If the required data are stored in a chip of a mobile phone, the reading device is the mobile phone itself, so that a connection between the mobile phone and the user computer has to be established.
  • the reference identifier and a public signature key i. a cryptographic key, transmitted to the central computer.
  • the reference identifier is known to the user and can be entered by the user directly into the user computer or the reading device.
  • the public signature key is stored on the card or in the chip and is read out with the aid of the reading device and transmitted via the user computer to the central computer.
  • the central computer Since the central computer knows which one-time password is assigned to the transmitted reference identifier, in the next step the central computer assigns the reference identifier and the public key to the one-time password stored in the central computer.
  • the user can follow the steps below to know the one-time password.
  • This proof is given to the central computer without third parties being able to gain knowledge of it.
  • the proof can be carried out according to a first method in that the one-time password is transmitted encrypted to the central computer.
  • the encryption can z. B. in the context of a previously established SSL connection.
  • the user signs the one-time password with the private key. From the user computer then the signature, but not the one-time password itself, not even in encrypted form, sent to the central computer.
  • the central computer knows the one-time password and the central computer can thus check the validity of the signature with the aid of the previously received public key of the user. The check of the one-time password is thus implicit.
  • the central computer After successful verification of the one-time password or the signature by the central computer by means of the public key, the central computer generates possibly with the support of another computer, preferably several user-specific certificates.
  • the user-specific certificates are transmitted to the user computer and can then be stored on the card or in the chip.
  • the user After carrying out the method according to the invention, the user now has the option of using the card or a corresponding device in which the chip is provided to perform qualified electronic signatures using the electronic certificates.
  • the user computer and the central computer are spatially separated from one another.
  • the communication between the two computers is controlled by an additional component, such as a certificate management system.
  • This additional component depending on user input and information stored in a database, enables the user to access the user's signature functions.
  • this additional component makes it possible to introduce further usage data, such as certificates, into the card, which are required for the application of the signature as well as the encryption and decryption functions of the card.
  • a particular advantage of the method according to the invention is that the production process is significantly simplified. Another advantage is that the user does not yet have to decide with the output of the signature card whether or when the card is provided with a certificate. The decision may be made by the user at any time during the entire life of the card.
  • Fig. 1 a schematic representation of an activation of a card
  • FIG. 2 a schematic representation of a download of certificates * The individual steps of the card initialization in FIG. 1 are designated A - G.
  • step A the printed one-time password is inserted into an envelope 10 on which a reference number is printed. This takes place after the one-time password has been generated by the central computer or another computer, in particular with the aid of a random number generator, and subsequently assigned to a specific reference identifier or reference number. The assignment between the one-time password and the reference number can be requested by the central computer 12 or stored on it.
  • the envelope 10 is transmitted to a registration authority 14, such as a financial institution or a public agency, for example by mail.
  • a registration authority 14 such as a financial institution or a public agency
  • the transfer of the envelope 10 is carried out by security mail.
  • a user or customer 16 in the registration office 14, for example with the aid of an identity card, identified in the illustrated preferred embodiment of the invention (step C).
  • a registration office employee hands over the envelope 10 and a card 18 (step E) to the user 16 in step D.
  • the transfer of the envelope 10 and the card 18 is carried out by two different persons, so that the four-eyes principle is maintained and misuse is avoided.
  • the registrar collect the reference number printed on the envelope 10 and add it to the recorded identification data such as the name, first name, date of birth, place of birth, etc.
  • the identification data are recorded electronically. It is particularly preferred that the registration office employee confirms the recorded data by means of an electronic signature.
  • the registration record (step F) thus generated which comprises the identification data of the user 16, the reference number present on the envelope 10 and the electronic signature of the registration authority employee, is transmitted to the central computer 12. From the ZentraS computer 12 then takes place an assignment of the user or the identification data of the user by means of the reference number to the one-time password (step G). This is possible since the central computer is aware of the association between the reference number and the one-time password.
  • the electronic signature of the registration authority employee is checked by the central computer.
  • the user or customer 16 can use the card 18 given to him, for example, over a longer period of time than a conventional debit card. Only at a later time can the customer 16 decide to also use the card for the electronic signature. For this purpose, it is necessary to carry out the steps illustrated in FIG. 2, which are designated by 1.-14.
  • a user computer 22 for data transmission is connected to a card reader 20.
  • a page of the central computer is called or a connection is established between the user computer 22 and the central computer 12.
  • the reference number is transmitted to the central computer.
  • the reference number is preferably entered by the user in the user computer 22.
  • step 3 the public key is transmitted to the central computer 12.
  • the stored in the chip, public key is read out with the help of the card reader 20 and transmitted to the user computer 22 to then from this to the central computer 12th to be transferred. Possibly. Further data can be read from the chip. This is, for example, the card number or identification data of the user stored in the chip. Such additional data can be checked by the central computer 12 to increase security.
  • Increased security can also be achieved by having to release the card itself using a transport PI N (step 4).
  • a transport PI N For this purpose, an example, five-digit number is stored as transport PI N in the chip of the card.
  • the transport PIN is known to the user.
  • a signature P ⁇ N In order to use the card 18 at a later time for an electronic signature, a signature P ⁇ N must be entered by the user 16. For example, this is a six-digit PIN that can be dialed by the user.
  • the signature PIN (step 5) is transmitted to the reader 20 or input directly to the reader 20 and stored in the chip of the card 18.
  • the transport PIN is not known to the user, but is communicated to the user as part of the download from the central computer. This has the advantage that the user does not know the transport PIN until then, and therefore the private keys of the card can not be used.
  • the transport PIN described above can also be calculated from customer data via a secure method. It is always ensured that the transport PIN can not be read out.
  • the user After entering the six-digit signature PIIM in the exemplary embodiment, the user has the option of generating an electronic signature. At this point in time, no certificate can be generated to verify the signature.
  • step 6 the central computer 12 transmits the registration data as a registration data record to the user computer 22 and displays it to the user 16. The user thus has the opportunity to check the entered data.
  • step 7 the user is prompted in step 7 by the central computer 12 to enter the one-time password.
  • the central computer 12 After entering the E ⁇ nmal password in the user computer 22 this and other data is signed using the private key of the user. The signature thus created is transmitted to the central computer 12.
  • the correctness of the one-time password is checked with the help of the public key of the user (step 10). This is possible because there is a unique mathematical relationship between the public key and the private key and since the one-time password has entered the signature transmitted in step 9 and since the central computer 12 already has the one-time password. In the subsequent step 11, an assignment of user, public key, one-time password and registration data can then take place. Since the central computer 12, the assignment between the reference number and the one-time password is known, thus the correctness of the one-time password can be checked.
  • step 12 the generation of one or more certificates by means of the central computer 12 and by means of a processing center 24. From the processing center 24 technical services for generating and managing the certificates are taken.
  • the certificate specifically includes the following information:
  • the certificate is customary for the certificate to be additionally electronically signed by a trust center (step 13).
  • the certificate or the certificates is transmitted in step 34 to the user computer 22 and from there to the card reader 20 and stored in the chip.
  • the user uses special software that is available as a standard product, such as Adobe Acrobat (version 6.0 or later) or e-mail projectns.
  • Adobe Acrobat version 6.0 or later
  • e-mail e-mail

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

L'invention concerne un procédé de délivrance de certificats électroniques à utiliser pour des signatures électroniques d'un utilisateur (16). Ce procédé consiste à: Prendre, dans un ordinateur central (12), un mot de passe unique qui est associé de manière univoque à un identificateur de référence ; Communiquer à l'utilisateur (16) le mot de passe unique et l'identificateur de référence associé; Etablir une liaison de transmission de données entre un ordinateur-utilisateur (22) et un dispositif de lecture (20) ; Etablissement d'une liaison de transmission de données entre l'ordinateur-utilisateur (22) et l'ordinateur central (12) ; retransmettre à l'ordinateur central (12) l'identificateur de référence et une clé signature publique; affecter, dans l'ordinateur central (12), l'identificateur de référence et une clé signature publique au mot de passe unique enregistré; vérifier le mot de passe par transfert du mot de passe unique codé ou d'une signature du mot de passe unique de l'ordinateur utilisateur (22) à l'ordinateur central (12) ; vérifier le mot de passe unique par l'ordinateur central, notamment à l'aide de la clé publique; produire un certificat spécifique à l'utilisateur et retransmettre le certificat à l'ordinateur utilisateur (22).
PCT/EP2006/060434 2005-03-04 2006-03-03 Procede de delivrance de certificats electroniques a utiliser pour des signatures electroniques WO2007003446A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP06792445A EP1854241A1 (fr) 2005-03-04 2006-03-03 Procede de delivrance de certificats electroniques a utiliser pour des signatures electroniques

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE200510009867 DE102005009867A1 (de) 2005-03-04 2005-03-04 Verfahren zum Bereitstellen von elektronischen Zertifikaten zur Verwendung für elektronische Signaturen
DE102005009867.3 2005-03-04

Publications (1)

Publication Number Publication Date
WO2007003446A1 true WO2007003446A1 (fr) 2007-01-11

Family

ID=36848120

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2006/060434 WO2007003446A1 (fr) 2005-03-04 2006-03-03 Procede de delivrance de certificats electroniques a utiliser pour des signatures electroniques

Country Status (3)

Country Link
EP (1) EP1854241A1 (fr)
DE (1) DE102005009867A1 (fr)
WO (1) WO2007003446A1 (fr)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102005063541B4 (de) 2005-12-08 2019-05-29 Giesecke+Devrient Mobile Security Gmbh Tragbarer Datenträger
DE102010033232A1 (de) 2010-08-03 2012-02-09 Siemens Aktiengesellschaft Verfahren und Vorrichtung zum Bereitstellen eines Einmalpasswortes
DE102010033231B4 (de) * 2010-08-03 2013-08-22 Siemens Aktiengesellschaft Verfahren und Vorrichtung zur manipulationssicheren Bereitstellung eines Schlüssel-Zertifikates

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5420927A (en) * 1994-02-01 1995-05-30 Micali; Silvio Method for certifying public keys in a digital signature scheme
US5825300A (en) * 1993-11-08 1998-10-20 Hughes Aircraft Company Method of protected distribution of keying and certificate material
WO2001039143A1 (fr) * 1999-11-19 2001-05-31 Swisscom Mobile Ag Procede et systeme de demande et de mise a disposition de certificats numeriques
US20020144109A1 (en) * 2001-03-29 2002-10-03 International Business Machines Corporation Method and system for facilitating public key credentials acquisition
EP1263164A1 (fr) * 2001-05-23 2002-12-04 Daniel Büttiker Procédé et jeton pour enregistrer des utilisateurs d'une infrastructure à clé publique et système d'enregistrement

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6763459B1 (en) * 2000-01-14 2004-07-13 Hewlett-Packard Company, L.P. Lightweight public key infrastructure employing disposable certificates
US6834795B1 (en) * 2001-06-29 2004-12-28 Sun Microsystems, Inc. Secure user authentication to computing resource via smart card

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5825300A (en) * 1993-11-08 1998-10-20 Hughes Aircraft Company Method of protected distribution of keying and certificate material
US5420927A (en) * 1994-02-01 1995-05-30 Micali; Silvio Method for certifying public keys in a digital signature scheme
US5420927B1 (en) * 1994-02-01 1997-02-04 Silvio Micali Method for certifying public keys in a digital signature scheme
WO2001039143A1 (fr) * 1999-11-19 2001-05-31 Swisscom Mobile Ag Procede et systeme de demande et de mise a disposition de certificats numeriques
US20020144109A1 (en) * 2001-03-29 2002-10-03 International Business Machines Corporation Method and system for facilitating public key credentials acquisition
EP1263164A1 (fr) * 2001-05-23 2002-12-04 Daniel Büttiker Procédé et jeton pour enregistrer des utilisateurs d'une infrastructure à clé publique et système d'enregistrement

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
KALISKI RSA LABORATORIES B: "Privacy Enhancement for Internet Electronic Mail: Part IV: Key Certification and Related Services", IETF STANDARD, INTERNET ENGINEERING TASK FORCE, IETF, CH, February 1993 (1993-02-01), XP015007211, ISSN: 0000-0003 *
MENEZES A J ET AL: "Handbook of Applied Cryptography , ROLES OF THIRD PARTIES", HANDBOOK OF APPLIED CRYPTOGRAPHY, CRC PRESS SERIES ON DISCRETE MATHEMATICES AND ITS APPLICATIONS, BOCA RATON, FL, CRC PRESS, US, 1997, pages 547 - 549,556, XP002280619, ISBN: 0-8493-8523-7 *

Also Published As

Publication number Publication date
DE102005009867A1 (de) 2006-09-07
EP1854241A1 (fr) 2007-11-14

Similar Documents

Publication Publication Date Title
DE102009027723A1 (de) Verfahren zum Lesen von Attributen aus einem ID-Token
EP2289016B1 (fr) Utilisation d'un appareil de télécommunication mobile comme carte de santé électronique
DE10124111A1 (de) System und Verfahren für verteilte Gruppenverwaltung
DE102009027681A1 (de) Verfahren und Lesen von Attributen aus einem ID-Token
WO2003013167A1 (fr) Dispositif de signature numerique d'un document electronique
EP4224786A1 (fr) Procédé et dispositif de génération de signatures électroniques
EP3422274A1 (fr) Procédé de configuration ou de modification d'une configuration d'un terminal de paiement et/ou d'attribution d'un terminal de paiement à un exploitant
EP1964042A1 (fr) Procede de preparation d'une carte a puce pour des services de signature electronique
EP1854241A1 (fr) Procede de delivrance de certificats electroniques a utiliser pour des signatures electroniques
DE102020118716A1 (de) Verfahren zur sicheren Durchführung einer Fernsignatur sowie Sicherheitssystem
DE102005011166A1 (de) Computersystem und Verfahren zur Signierung, Signaturverifizierung und/oder Archivierung
EP2080144A1 (fr) Procédé pour la libération d'une carte à puce
DE102008042406B4 (de) Verfahren zum sicheren Austausch von Daten
DE10020562C1 (de) Verfahren zum Beheben eines in einer Datenverarbeitungseinheit auftretenden Fehlers
DE10242673B4 (de) Verfahren zur Identifikation eines Benutzers
EP3107029B1 (fr) Procede et dispositif de signature electronique personnalisee d'un document et produit-programme d'ordinateur
EP3840321B1 (fr) Procédé et système d'authentification d'un id mobile au moyen des valeurs de hachage
DE10112166A1 (de) Verfahren zum Transaktionsnachweis
EP2052345B1 (fr) Procédé d'analyse anonyme de codes d'identité d'authentification d'un utilisateur ou d'un objet
WO2022002502A1 (fr) Fourniture d'un service de manière anonyme
DE102005061999A1 (de) Verfahren zum sicheren, elektronischen Übertragen von Daten von einer ersten Datenverarbeitungseinrichtung an eine zweite Datenverarbeitungseinrichtung
EP1358734A1 (fr) Protocole, systeme et dispositifs de telecommunication pour effectuer un vote electronique de maniere anonyme et authentique
DE102020105668A1 (de) Verfahren und System zur elektronischen Fernsignatur
EP1378843A1 (fr) Méthode et système de traitement de données pour la communication sécurisée entre l' administration et le public
DE102020134933A1 (de) Verfahren zum Erstellen einer qualifizierten elektronischen Signatur

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 2006792445

Country of ref document: EP

NENP Non-entry into the national phase

Ref country code: DE

NENP Non-entry into the national phase

Ref country code: RU

WWW Wipo information: withdrawn in national office

Country of ref document: RU

WWP Wipo information: published in national office

Ref document number: 2006792445

Country of ref document: EP