Pseudonymous Signature on eIDAS Token – Implementation Based Privacy Threats

  • Mirosław Kutyłowski
  • Lucjan Hanzlik
  • Kamil Kluczniak
Conference paper

DOI: 10.1007/978-3-319-40367-0_31

Part of the Lecture Notes in Computer Science book series (LNCS, volume 9723)
Cite this paper as:
Kutyłowski M., Hanzlik L., Kluczniak K. (2016) Pseudonymous Signature on eIDAS Token – Implementation Based Privacy Threats. In: Liu J., Steinfeld R. (eds) Information Security and Privacy. ACISP 2016. Lecture Notes in Computer Science, vol 9723. Springer, Cham

Abstract

We investigate the eIDAS Token specification for Pseudonymous Signature, published recently by the German Federal Office for Information Security (BSI). We analyze how far the current specification prevents privacy violations by the Issuer through malicious or simply careless implementation. We find that, despite the declared design goal of protecting the privacy of citizens, it is quite easy to convert the system into a “Big Brother” system and enable third parties to spy on citizens.

We show that there is a simple and elegant way to prevent all attacks of the kind described. Moreover, we show that this is possible with relatively small amendments to the scheme.

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Mirosław Kutyłowski (1)
  • Lucjan Hanzlik (1)
  • Kamil Kluczniak (1)

  1. Faculty of Fundamental Problems of Technology, Politechnika Wrocławska, Wrocław, Poland