Modelo de negocios como sistema generador de valor

ture in nPA

Restricted Identification (using pseudonyms) is a special option that is provided by the German eID where an eID cardholder can identify to an online service under a pseudonym. BSI proposed Restricted Identification (RI) protocol for the purpose of an eID cardholder’s authentication over the Internet where the cardholder does not get directly recognized by her original name and data. The RI protocol is sup- posed to be executed after a secure trusted channel has been established through

secure messaging between the eID card and the service provider. Although the chip on the card is authenticated to the service provider during the chip authen- tication phase, the card’s certified public key is shared among a large group of eID cards, thus the card is not uniquely identified. But the pseudonyms has to be unique for that service; so RI protocol generates the pseudonyms by combining the card owner’s identity and the service provider’s public domain value such that each pseudonym is unique to an eID card and a service. In the case of nPA, a user can acquire a single pseudonym for any sector like eHealthcare and the user can access services within this sector by identifying herself under that pseudonym. These pseudonyms are issued once and their lifetime ends when the card gets re- voked due to expiry or the card gets lost. The pseudonyms have to satisfy the following requirements [18] when they are used for an online authentication:

• The pseudonyms must allow the service provider to recognize an eID card without requiring the cardholder’s personal data. The cardholder should be able to maintain a state and history for a specific service. Hence, a terminal within a domain (e.g. which is associated to a service provider), is able to profile cards (i.e users). This property is called domain-specific linkability. Moreover, we require that the pseudonym under which a chip card authenticates to a terminal is unique in order to prevent Sybil attacks13 and identity transfer.

• However, the pseudonyms should only be linkable within a domain. Two service providers (associated to different domains) should be unable to link interactions of the same user. We call this property cross-domain anonymity. • For privacy reasons, full disclosure of the user’s identity is unacceptable. A cardholder should not reveal more information than necessary for the specific service. For instance, an age verification should only reveal the age or even merely that the owner is above 18 years old. As such, the authentication process should be privacy-friendly.

BSI addressed all of the aforementioned requirements when they designed the Re- stricted Identification (RI) protocol for the German electronic identity card. The Restricted Identification Protocol is a static Diffie-Hellman key agreement protocol that generates a sector-specific identifier of the eID card chip. The pseudonyms are derived using only the unique secret key of a card and the certified domain-specific public key of a service provider.

In the Restricted Identification protocol the service provider terminal ’T’ and the chip of the eID card ’C’ perform the following steps:

13_{In Sybil attacks, a malicious party can illicitly acquire many pseudonyms. In our scenario, a} malicious card could identify to the same service provider terminal using multiple pseudonyms.

1. T sends its certified public domain key PKSector and certain domain param- eters dparam (distinct from the domain specific parameters used for PACE and EAC which were provided by the chip) to C.

2. C is able to verify the validity of the public domain key PKSectorusing public key of the CA, PKCAthat was a part of Terminal certificate exchanged during EAC.

3. The chip C computes the domain-specific pseudonym DSnym as:

DSnym = Hash(DH((PKSector, dparam), SKID)) where Hash of Diffie-

Hellman value is calculated by combining the chip’s secret key SKID with the service provider terminal’s (PKSector, dparam). Then, C sendsDSnym over to

T.

4. T checks whether the received domain-specific pseudonym DSnym is listed in

the blacklist. If yes, T rejects and C is not identified. Otherwise, DSnym is

authenticated.

During the chip authentication phase, if the chip of the eID card sends its infor- mation to the service providers through its public key, then the service providers from different domains could link exactly this key and, consequently, link the pseudonyms, as well. This implies that cross-domain anonymity of RI is lost when applied after the chip authentication protocol. For this reason, the BSI proposed to share the public key between a group of cards. That is, several chip cards share the same public key, and, thus, the chip cards identity is hidden in this group of chip cards. Certainly, the size of these groups needs to be large enough to provide enough obfuscation and make the probability of linking the correct chip cards neg- ligibly small.

Issues with nPA pseudonyms are listed below:

• The nPA proposes one pseudonym for a sector, meaning many services in that service sector identify the user under the same pseudonym and these services can still map the user across services in the same domain and link the transactions made by that user. This compromises the privacy to an extent and it may not be acceptable when the information can be consid- ered sensitive and private for instance, health sector. But this issue can be addressed by suitably deciding on the granularity of the services.

• As the pseudonyms are generated using the secret key SKID of the card,

if the eID card is lost then the pseudonym has to be revoked and a new pseudonym corresponding to a new secret key (of the new card) must be reissued. This results in the user losing all the previous transaction history

w.r.t the service provider. No identical pseudonyms can be reissued in such cases.

• It is not possible to use the same pseudonym on different authentication devices for instance, nPA authentication via a pseudonym on mobile phone or tablet as the pseudonyms are closely bound to the smartcard due to the fact that its secret key is being used for the pseudonym generation. This curbs the flexibility of using pseudonyms.