Attribute-based Access Control Architectures with the eIDAS - PowerPoint PPT Presentation

Attribute-based Access Control Architectures with the eIDAS Protocols 21. SSR 2016 Frank Morgner (Bundesdruckerei) Paul Bastian (Bundesdruckerei) Marc Fischlin (TU Darmstadt) 13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1

German electronic identity card since November 2010 Cryptographic protocols of German identity card:  also used for machine readable travel documents (ICAO Doc 9303)  candidate for European eIDAS protocol electronic identification, authentication, and trust services for electronic transactions Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 2

Basic Setting of German eID card ID card eID server Extended Access Control (EAC) Terminal Authentication (TA) Chip Authentication (CA) key k key k {Secure Messaging} Secure extension to attribute-based access control in different scenarios? Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 3

Architectures Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 4

Integrated Architecture ID card Reader Management secure channel TA CA {„Read Att“} secure msging { Attributes } secure msging Attributes Decision Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 5

Distributed Architecture ID card Reader Controller Management secure secure channel channel TA CA {„Read Att“} secure msging { Attributes } secure msging Attributes Decision Decision Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 6

eID-Service Architecture ID card Reader Controller eID server Management secure secure secure channel channel channel TA CA {„Read Att“} secure msging { Attributes } secure msging Attributes Attributes Decision Decision Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 7

Authentication-Service Architecture ID card Reader Controller Auth server Management secure secure secure S channel channel channel Sig Request TA Signature CA {„Read Att“} secure msging { Attributes } secure msging Attributes Decision Decision Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 8

Security Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 9

Goals for Integrated Architecture ID card Reader Management secure channel TA CA Impersonation Resistance {„Read Att“} secure msging { Attributes } secure msging Attributes Decision Attribute Privacy Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 10

Dolev-Yao adversary (for both properties) adversary can: − eavesdrop − inject/modify messages − determine schedule − corrupt parties − determines data T requires some notion of sessions and session identifiers Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 11

EAC Protocol ID card session identifier SID=(nonce C ,Compr(epk)) certified key pair sk C , pk C certified key pair sk S , pk S pk S , certificate S pick ephemeral esk, epk Compr(epk) pick nonce C nonce C s←Sig (sk S , nonce C ||Compr(epk)) s terminal authentication chip authentication pk C , certificate C epk pick nonce* C K = KDF(DH(sk C ,epk) nonce* C ) tag=MAC(K,epk) tag, nonce* C K = KDF(DH(epk,pk C ) nonce* C ) verify tag partner through certificate Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 12

Defining security: impersonation resistance (a) If party accepts in session SID for partner and attributes A, then partner also accepts SID and A in some session (b) at most two SIDs collide, one at a card, one at a reader formalized in common game- Example: „passive security“ based style pretends to be card accepts with SID and A (a) → can only happen if card has also accepted with SID and A → adversary has only relayed data Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 13

Defining security: impersonation resistance (a) If party accepts in session SID for partner and attributes A, then partner also accepts SID and A in some session (b) at most two SIDs collide, one at a card, one at a reader Example: replay attacks accepts with SID and A (b) → SID*≠SID accepts with SID pretends to be card (a) → can only happen if card has also accepted with SID* and A → adversary has only relayed data Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 14

Proving security: impersonation resistance Theorem: EAC with secure messaging protocol provides impersonation resistance (assuming random oracles and security of GapDH, MAC, Enc, Sig, Cert). Proof idea: EAC is secure key key exchange protocol [Dagdelen, Fischlin, 2010] + ISO/IEC 10116, ISO/IEC 9797-1 channel protocol is secure [Rogaway, 2011] ⇒ [Brzuska, 2014] integrity of attribute transmissions Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 15

Defining security: attribute privacy Adversary cannot distinguish betweendifferent attributes A0 and A1 used in executions between honest parties formalized again in game-based style Follows again from security of channel: EAC is secure key key exchange protocol [Dagdelen, Fischlin, 2010] + ISO/IEC 10116, ISO/IEC 9797-1 channel protocol is secure [Rogaway, 2011] ⇒ [Brzuska, 2014] confidentiality of attribute transmissions Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 16

Restoring Sessions Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 17

Restoring sessions ID card Reader Management secure channel TA CA {„Read Att“} { Attributes } store key and store key and sequence counter sequence counter „Restore Session“ {„Read Att“} only symmetric- key crypto { Attributes } Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 18

Restoring sessions ID card Reader Management secure channel TA CA {„Read Att“} impersonation resistance + attribute privacy { Attributes } still guaranteed store key and store key and sequence counter sequence counter „Restore Session“ easy to integrate via {„Read Att“} EAC‘s persistent session contexts { Attributes } Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 19

Conclusion Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 20

Conclusion EAC protocol easy to adapt for ID card Reader Controller eID server Management secure secure secure attribute-based access control channel channel channel provides strong impersonation resistance and attribute privacy „Restore Session“ {„Read Att“} easy to restore sessions { Attributes } Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 21

Thank you! Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 22