The invention relates to methods for pseudonymously agreeing on a key between a stationary and/or a portable data carrier, preferably in the form of a security document, and a terminal. Further, the invention concerns a correspondingly configured portable data carrier as well as a correspondingly configured terminal.
Portable data carriers are often employed as security documents, for example in the form of a national identity card, a passport, a signature card or the like. Modern security documents now as a rule have a memory as well as a processor and are arranged for executing security applications. Examples of use for such security applications are authentication vis-à-vis a terminal, the establishment of a secure data communication channel, the electronic signing of data, the verification of signatures and the like. In this manner, such data carriers can be used for interacting with arbitrary service providers, for example in order to authenticate themselves for electronic transactions, e.g. over the Internet, and to carry these out in a secure manner. Further, the security documents can be used for storing data, such as personal and/or security-relevant data as well as other useful data, and can support access control systems, for example.
Frequently, portable data carriers configured as a security document have a suitable communication interface, for example an RF or NFC communication interface, in order to communicate contactlessly with a terminal.
One such portable data carrier configured as a security document is the new German identity card (nPA), or electronic national identity card, in which, among other things, the “Chip Authentication” (CA) protocol is used. This protocol serves to set up a secure connection between a portable data carrier and a terminal and to recognize a “cloned” data carrier. The CA protocol provides that an individual key pair, consisting of a private key and a public key, is stored in every portable data carrier. For data protection reasons, e.g. to make tracking of a portable data carrier impossible, the key of the portable data carrier is as a rule a group key, i.e. a key which is common to a group of portable data carriers.
In the CA protocol, the data carrier sends its public key to the terminal together with a random number. For each reading process, the terminal in turn generates a separate key pair consisting of a public and a private (secret) key, and sends its public key to the portable data carrier. The data carrier and the terminal can then each compute the same secret key from their own private key, the public key of the communication partner and the random number. In the further communication between the portable data carrier and the terminal, this derived secret key is used for the strong encryption of the data transferred between the data carrier and the terminal.
With the help of the derived secret key, the terminal can now check whether the portable data carrier possesses the “right” private key. A “cloned” portable data carrier cannot possess the original private key. If it simply used another private key, the common secret would be wrong. If a new key pair had been generated for a “cloned” data carrier, this would be noticed during passive authentication, because the public key is protected against unnoticed changes by a digital signature.
A further option offered by a portable data carrier in the form of an nPA is known to the skilled person under the term “Restricted Identification” (RI). The RI protocol between a portable data carrier and a terminal serves to generate pseudonyms which are specific to the chip of the portable data carrier and to the terminal sector (e.g. all terminals of a service provider). This makes it possible for an (authenticated) terminal to recognize the chip of a portable data carrier on the basis of a previously obtained pseudonym without reading out personal data. Moreover, the RI protocol is designed so that pseudonyms of different sectors cannot be linked to one another.
For further details on the CA protocol and on the RI protocol, reference is made to the technical guideline “BSI TR-03110 Technical Guideline Advanced Security Mechanisms for Machine Readable Travel Documents” of the German Federal Office for Information Security (see https://www.bsi.bund.de/EN/Publications/TechnicalGuidelines/TR03110/BSITR03110.html).
In the technical guideline mentioned above, it is described how the RI protocol can be employed for revoking lost or stolen portable data carriers. However, the known embodiment of the RI protocol does not allow an individual portable data carrier to be revoked if its CA protocol key has been compromised. In this case the secure CA channel can no longer guarantee the correct computation of the pseudonym on the basis of an RI key of the portable data carrier. If an attacker has control over the secure CA channel, he can readily choose an arbitrary pseudonym; he is not forced to compute it by means of a known secret key. Thus the attacker can pretend to be a certain real portable data carrier by employing its pseudonym. Consequently, if the CA protocol key of a portable data carrier has been compromised, all portable data carriers belonging to the group of the compromised data carrier, i.e. all those that employ the same group key for the CA protocol, must be revoked, which is evidently hardly user-friendly.
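As an added illustration (not part of the original text or of TR-03110 itself), the following Python sketch models the two protocols described above: Chip Authentication with a group key, a per-reading terminal key pair and a nonce, including the check that a cloned chip lacking the original private key ends up with a session key different from the terminal's, and Restricted Identification sector pseudonyms that are stable within one sector but unlinkable across sectors. It assumes a toy finite-field Diffie-Hellman group and a SHA-256 key derivation in the style of the guideline; real documents use standardised domain parameters and the guideline's exact derivation.

```python
import hashlib
import secrets

# Toy finite-field DH group (assumption, chosen so the example runs offline with
# the standard library): p = 2^127 - 1, g = 2. Far too small for real use; the
# actual documents use standardised DH/ECDH domain parameters.
P = (1 << 127) - 1
G = 2

def keypair():
    """Generate a (private, public) DH key pair."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def kdf(shared: int, nonce: bytes, counter: int) -> bytes:
    """Session-key derivation in the style of TR-03110: H(K || r || c)."""
    k = shared.to_bytes(16, "big")
    return hashlib.sha256(k + nonce + counter.to_bytes(4, "big")).digest()

def chip_authentication(chip_sk: int, chip_pk: int):
    """Run CA: the chip sends its (signed) public key plus a nonce, the terminal
    answers with a fresh public key; both derive a session key. Returns the
    chip's and the terminal's session keys so a caller can compare them."""
    r_picc = secrets.token_bytes(8)       # nonce sent by the chip
    term_sk, term_pk = keypair()          # terminal's per-reading key pair
    k_chip = pow(term_pk, chip_sk, P)     # chip: own private key with terminal public key
    k_term = pow(chip_pk, term_sk, P)     # terminal: own private key with chip public key
    return kdf(k_chip, r_picc, 1), kdf(k_term, r_picc, 1)

def genuine_vs_clone():
    """A genuine chip and the terminal agree; a clone that cannot extract the
    group's private key has to use a substitute one, and since the signed public
    key cannot be altered unnoticed, its session key no longer matches."""
    group_sk, group_pk = keypair()
    genuine = chip_authentication(group_sk, group_pk)
    clone_sk, _ = keypair()
    clone = chip_authentication(clone_sk, group_pk)
    return genuine[0] == genuine[1], clone[0] == clone[1]

def sector_pseudonym(chip_ri_sk: int, sector_pk: int) -> str:
    """RI: pseudonym = H(KA(SK_ID, PK_Sector)). Stable for one sector, but a
    second sector with its own key obtains an unrelated value."""
    shared = pow(sector_pk, chip_ri_sk, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()
```

Both checks rest on the chip's private keys being unextractable; a terminal that only receives pseudonym bytes over a channel it cannot trust has nothing to verify them against.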