Pseudonymous Signature on eIDAS Token – Implementation Based Privacy Threats
- Cite this paper as:
- Kutyłowski M., Hanzlik L., Kluczniak K. (2016) Pseudonymous Signature on eIDAS Token – Implementation Based Privacy Threats. In: Liu J., Steinfeld R. (eds) Information Security and Privacy. ACISP 2016. Lecture Notes in Computer Science, vol 9723. Springer, Cham
We investigate eIDAS Token specification for Pseudonymous Signature published recently by German security authority BSI, German Federal Office for Information Security. We analyze how far the current specification prevents privacy violations by the Issuer by malicious or simply careless implementation. We find that, despite the declared design goal of protecting privacy of the citizens, it is quite easy to convert the system into a “Big Brother” system and enable spying the citizens by third parties.
We show that there is a simple and elegant way for preventing all attacks of the kind described. Moreover, we show that it is possible with relatively small amendments to the scheme.