
US-12621166-B2 - Creation of a cryptographically secure electronic identity


Abstract

The method includes performing a remote security inspection of the security infrastructure of a mobile device by a personalization server over a network; receiving a result of the inspection; upon a positive result of the inspection, sending a key generation request of a provisioning component of the ID application program to a security element of the mobile device; in response to the key generation request, generating two asymmetric key pairs assigned to the ID application program by the security element; sending a certificate request by the provisioning component to the personalization server with the public cryptographic keys of the two asymmetric key pairs to the personalization server; receiving a certificate of the ID application program generated by the personalization server with the first public cryptographic key and a root certificate of a root instance of a PKI; and storing the certificate and the root certificate on the mobile device.

Inventors

  • Frank Dietrich
  • Matthias Schwan

Assignees

  • BUNDESDRUCKEREI GMBH

Dates

Publication Date
20260505
Application Date
20220401
Priority Date
20210421

Claims (19)

  1. Method for creating a cryptographically secured electronic identity of a user on a mobile device which comprises a security element, wherein an identification (ID) application program for providing the electronic identity is installed on the mobile device, wherein the ID application program on the mobile device is personalized using an ID token, wherein the ID application program comprises a control component for controlling the creation of the electronic identity, wherein the ID application program further comprises a provisioning component for executing a provisioning of the ID application program in the course of the creation of the cryptographically secured electronic identity, wherein the ID application program further comprises a personalization component for personalizing the ID application program, wherein the provisioning of the ID application program comprises: in response to a security inspection request from the provisioning component, performing a remote security inspection of the security infrastructure of the mobile device using the control component by a personalization server over a network; receiving a result of the remote security inspection of the personalization server, which the control component forwards to the provisioning component; upon a positive result of the remote security inspection, sending a key generation request from the provisioning component to the control component, which the control component forwards to the security element; in response to the key generation request, generating by the security element a first asymmetric key pair associated with the ID application program and a second asymmetric key pair associated with the ID application program, the first asymmetric key pair comprising a first private cryptographic key and a first public cryptographic key, the second asymmetric key pair comprising a second private cryptographic key and a second public cryptographic key, wherein the security element sends the first and second public cryptographic keys to the control component, which forwards the two public cryptographic keys to the provisioning component; upon receipt of the two public cryptographic keys, generating a certificate request by the provisioning component for generating a certificate of the ID application program comprising the first public cryptographic key, wherein the certificate request comprises the first public cryptographic key; sending the certificate request by the provisioning component over the network to the personalization server, the certificate request comprising the first public cryptographic key, wherein the provisioning component sends the second public cryptographic key to the personalization server in addition to the certificate request; in response to the certificate request, receiving the certificate generated by the personalization server with the first public cryptographic key and a root certificate of a root instance of a PKI; storing the certificate of the ID application program and the root certificate on the mobile device; and wherein the personalizing comprises: establishing a first encrypted communication channel between the mobile device and the personalization server over the network, wherein the personalization component is used to establish the first encrypted communication channel; establishing a first encrypted sub-channel between the ID token and the personalization server within the first encrypted communication channel via the mobile device, wherein the personalization component is used to establish the first encrypted sub-channel; reading one or more of the attributes from the ID token by the personalization server via the first encrypted sub-channel within the first encrypted communication channel; establishing a second encrypted sub-channel between the control component and the personalization server within the first encrypted communication channel, wherein the personalization component is used to establish the second encrypted sub-channel; receiving the read attributes by the control component from the personalization server via the second encrypted sub-channel within the first encrypted communication channel, storing the received attributes by the control component on the mobile device, wherein the ID application program is configured to use the attributes to prove an identity of the user to another computer system.
  2. Method according to claim 1, wherein the personalization component forwards the root certificate to the control component for storage.
  3. Method according to claim 1, the mobile device further comprising one or more authentication sensors for detecting one or more authentication factors of the user, wherein the user is registered on the mobile device and one or more reference values of the registered user are stored in the security element for verifying at least one detected authentication factor of the registered user; wherein the security element is configured such that a prerequisite for the generation of the first asymmetric key pair is a successful authentication of the user to the security element, wherein the user declares consent to the generation of the first asymmetric key pair with the authentication; wherein the security element is further configured so that a prerequisite for use of the first private cryptographic key by the security element is in each case a further successful authentication of the user to the security element, wherein the user declares in each case with the further authentications consent to the corresponding use of the first private cryptographic key.
  4. Method according to claim 1, wherein the security element is a device-specific security element.
  5. Method according to claim 1, wherein the first encrypted communication channel is encrypted with a first channel-specific ephemeral symmetric cryptographic session key, wherein the first encrypted sub-channel is encrypted with a second channel-specific ephemeral symmetric cryptographic session key, wherein the second encrypted sub-channel is encrypted with a third channel-specific ephemeral symmetric cryptographic session key.
  6. Method according to claim 1, wherein the personalizing further comprises: generating, by the security element, a third asymmetric key pair associated with the ID application program, the third asymmetric key pair comprising a third private cryptographic key and a third public cryptographic key, wherein the third asymmetric key pair is for authenticating the ID application program in the course of using the attributes.
  7. Method according to claim 1, wherein the personalizing further comprises: receiving, by the control component, one or more root signature verification keys from the personalization server via the second encrypted sub-channel within the first encrypted communication channel; storing the received root signature verification keys by the control component on the mobile device, wherein the ID application program is configured to use the root signature verification keys for verifying certificate signatures of one or more root instances having certificates each used in the course of a readout of the attributes for authenticating a readout computer system to the ID application program.
  8. Method according to claim 1, wherein the personalizing further comprises: receiving a signature of the attributes from the personalization server by the control component via the second encrypted sub-channel within the first encrypted communication channel, wherein the signature serves as proof of authenticity of the attributes; storing the received signature of the attributes by the control component on the mobile device.
  9. Method according to claim 5, wherein establishing the first encrypted communication channel comprises negotiating the first channel-specific ephemeral symmetric cryptographic session key, wherein negotiating the first channel-specific ephemeral symmetric cryptographic session key comprises: generating a first random value by the mobile device; generating the first channel-specific ephemeral symmetric cryptographic session key using the first random value by the mobile device; receiving a first certificate of the personalization server with a fourth public cryptographic key of a fourth asymmetric cryptographic key pair of the personalization server by the mobile device from the personalization server; encrypting the first random value using the received first public cryptographic key of the personalization server by the mobile device; sending the encrypted first random value to the personalization server by the mobile device for generating the first channel-specific ephemeral symmetric cryptographic session key by the personalization server.
  10. Method according to claim 1, wherein establishing the first encrypted sub-channel comprises authenticating the user to the ID token via the mobile device, wherein authenticating the user to the ID token comprises: receiving, by the personalization component, a further authentication factor of the user detected by one or more authentication sensors; generating a symmetric cryptographic key using the received further authentication factor; receiving an encrypted second random value by the personalization component from the ID token, wherein the encrypted second random value is encrypted using the symmetric cryptographic key generated by the ID token using a further reference value of the registered user stored in the ID token for verifying the further authentication factor; decrypting the received encrypted second random value using the generated symmetric cryptographic key; generating a first ephemeral asymmetric cryptographic key pair of the ID application program by the security element comprising a first ephemeral private cryptographic key and a first ephemeral public cryptographic key of the ID application program; sending the first ephemeral public cryptographic key of the ID application program to the ID token; receiving an ephemeral public cryptographic key of the ID token; generating a first secret shared with the ID token by the security element using the decrypted second random value, the first ephemeral private cryptographic key of the ID application program and the ephemeral public cryptographic key of the ID token; receiving the shared first secret by the control component; generating a first shared authentication key for mutually authenticating the ID application program and the ID token by the control component using the shared first secret; generating a first authentication token using the first authentication key and the first ephemeral public cryptographic key of the ID token by the control component; sending the first authentication token generated by the control component to the ID token by the personalization component; receiving a second authentication token from the ID token by the personalization component, which forwards the second authentication token to the control component, verifying the received second authentication token by the control component using the first authentication key and the first ephemeral public cryptographic key of the ID application program.
  11. Method according to claim 1, wherein establishing the first encrypted sub-channel comprises authenticating the personalization server by the ID token via the mobile device, wherein authenticating the personalization server by the ID token comprises: receiving a second certificate of the personalization server, comprising a second public cryptographic key of a second asymmetric cryptographic key pair of the personalization server, via the first encrypted communication channel, verifying a signature of the received second certificate of the personalization server; generating a third random value by the ID token; sending the third random value as a challenge to the personalization server via the first encrypted communication channel; receiving a first signature of the challenge as a response from the personalization server via the first encrypted communication channel, wherein the challenge is signed using a second private cryptographic key of the personalization server; verifying the received first signature using the second public cryptographic key of the personalization server and the sent third random value.
  12. Method according to claim 1, wherein establishing the first encrypted sub-channel comprises authenticating the ID token (200) to the personalization server via the mobile device, wherein authenticating the ID token to the personalization server comprises: sending the public cryptographic key of the ID token from the ID token to the personalization server via the first encrypted communication channel; receiving a second ephemeral public cryptographic key of the personalization server by the ID token from the personalization server via the first encrypted communication channel; generating a second secret shared with the personalization server by the ID token using the private cryptographic key of the ID token and the second ephemeral public cryptographic key of the personalization server; generating a fourth random value by the ID token; generating a second shared authentication key for authenticating data sent over the first encrypted sub-channel by the ID token, wherein the second shared authentication key is generated using the shared second secret and the fourth random value; generating a third authentication token by the ID token using the second authentication key and the second ephemeral public cryptographic key of the personalization server to authenticate the ID token to the personalization server; sending the fourth random value together with the third authentication token for authenticating the ID token by the ID token to the personalization server via the first encrypted communication channel.
  13. Method according to claim 1, wherein establishing the second encrypted sub-channel further comprises authenticating the personalization server by the control component, wherein authenticating the personalization server by the control component comprises: sending a challenge from the control component to the personalization server via the first encrypted communication channel; receiving a response from the personalization server by the control component, wherein the response is a signature of the challenge created using a third private cryptographic key of a third asymmetric key pair of the personalization server; receiving a third ephemeral public cryptographic key of the personalization server by the control component; verifying the received response using a third public cryptographic key of the third asymmetric key pair of the personalization server and the sent challenge; storing the third ephemeral public cryptographic key of the personalization server by the control component on the mobile device.
  14. Method according to claim 1, wherein establishing the second encrypted sub-channel further comprises authenticating the control component to the personalization server, wherein authenticating the ID application program by the control component to the personalization server comprises: sending, from the control component to the security element, a request to generate a third secret shared with the personalization server, the request comprising a third ephemeral public cryptographic key of the personalization server; in response to the request, receiving by the control component the shared third secret generated by the security element, wherein the generation of the shared third secret by the security element is performed using the second private cryptographic key of the ID application program and the third ephemeral public cryptographic key of the personalization server; generating a sixth random value by the control component; generating a third shared authentication key for authenticating data sent over the second encrypted sub-channel by the control component, wherein the third shared authentication key is generated using the shared third secret and the sixth random value; generating a fourth authentication token by the control component using the third authentication key and the third ephemeral public cryptographic key of the personalization server to authenticate the ID application program to the personalization server; sending the sixth random value together with the fourth authentication token for authenticating the ID application program by the control component to the personalization server via the first encrypted communication channel.
  15. Method according to claim 1, wherein the method further comprises using the cryptographically secured electronic identity, wherein one or more of the contributed attributes are provided to an ID provider server, wherein the using comprises: establishing a second encrypted communication channel between the mobile device and the ID provider server over the network; receiving a read request from an ID provider server to read one or more of the attributes of the electronic identity; authenticating the ID provider server by the ID application program using the control component; authenticating the ID application program to the ID provider server by the security element using the control component; reading out the attributes to be read from the mobile device by the ID provider server via the network using the control component.
  16. Method according to claim 15, wherein authenticating the ID provider server using the control component comprises: sending a challenge from the control component to the ID provider server via the second encrypted communication channel; receiving a response from the ID provider server by the control component, wherein the response is a signature of the challenge created using the private cryptographic key of an asymmetric key pair of the ID provider server; receiving a fourth ephemeral public cryptographic key of an ephemeral key pair of the ID provider server by the control component; verifying the received response using a public cryptographic key of the asymmetric key pair of the ID provider server and the sent challenge; storing the fourth ephemeral public cryptographic key of the ID provider server by the control component on the mobile device.
  17. Method according to claim 15, wherein authenticating the ID application program to the ID provider server by the security element using the control component comprises: sending a request to generate a fourth secret shared with the ID provider server from the control component to the security element, the request comprising a fourth ephemeral public cryptographic key of the ID provider server; in response to the request, receiving by the control component the shared fourth secret generated by the security element, wherein the generation of the shared fourth secret by the security element is performed using the first private cryptographic key of the ID application program and the fourth ephemeral public cryptographic key of the ID provider server; generating a tenth random value by the control component; generating a fourth shared authentication key for authenticating data to the ID provider server by the control component, wherein the fourth shared authentication key is generated using the shared fourth secret and the tenth random value; generating a fifth authentication token by the control component using the fourth authentication key and the fourth ephemeral public cryptographic key of the ID provider server to authenticate the ID application program to the ID provider server; sending the tenth random value together with the fifth authentication token for authenticating the ID application program by the control component to the ID provider server via the second encrypted communication channel.
  18. Mobile device, the mobile device comprising a processor and a memory, the memory storing an identification (ID) application program for providing an electronic identity, wherein the processor is configured to execute a method for creating a cryptographically secured electronic identity of a user on a mobile device, wherein the ID application program on the mobile device is personalized using an ID token, wherein the ID application program comprises a control component for controlling the creation of the electronic identity, the ID application program further comprising a provisioning component for executing provisioning of the ID application program in the course of creating the cryptographically secured electronic identity, wherein the ID application program further comprises a personalization component for personalizing the ID application program, wherein the mobile device further comprises a security element, wherein the mobile device further comprises a communication interface for communicating via a network with a personalization server; wherein provisioning the ID application program comprises: in response to a security inspection request from the provisioning component; performing a remote security inspection of the security infrastructure of the mobile device using the control component by a personalization server over a network; receiving a result of the remote security inspection of the personalization server, which the control component forwards to the provisioning component; in response to a positive result of the remote security inspection, sending a key generation request from the provisioning component to the control component, which the control component forwards to the security element; in response to the key generation request, generating by the security element a first asymmetric key pair associated with the ID application program and a second asymmetric key pair associated with the ID application program, the first asymmetric key pair comprising a first private cryptographic key and a first public cryptographic key wherein the second asymmetric key pair comprises a second private cryptographic key and a second public cryptographic key, wherein the security element sends the first and second public cryptographic keys to the control component, which forwards the two public cryptographic keys to the provisioning component; upon receipt of the two public cryptographic keys, generating a certificate request by the provisioning component for generating a certificate of the ID application program comprising the first public cryptographic key, wherein the certificate request comprises the first public cryptographic key; sending the certificate request by the provisioning component over the network to the personalization server, the certificate request comprising the first public cryptographic key, wherein the provisioning component sends the second public cryptographic key to the personalization server in addition to the certificate request; in response to the certificate request, receiving the certificate generated by the personalization server with the first public cryptographic key and a root certificate of a root instance of a PKI, storing the certificate of the ID application program and the root certificate on the mobile device; and wherein the personalizing comprises: establishing a first encrypted communication channel between the mobile device and the personalization server over the network, wherein the personalization component is used to establish the first encrypted communication channel; establishing a first encrypted sub-channel between the ID token and the personalization server within the first encrypted communication channel via the mobile device, wherein the personalization component is used to establish the first encrypted sub-channel; reading one or more of the attributes from the ID token by the personalization server via the first encrypted sub-channel within the first encrypted communication channel; establishing a second encrypted sub-channel between the control component and the personalization server within the first encrypted communication channel, wherein the personalization component is used to establish the second encrypted sub-channel; receiving the read attributes by the control component from the personalization server via the second encrypted sub-channel within the first encrypted communication channel; storing the received attributes by the control component on the mobile device, wherein the ID application program is configured to use the attributes to prove an identity of the user to another computer system.
  19. System, the system comprising a mobile device according to claim 18 and a personalization server, wherein the personalization server is configured to perform a remote security inspection of the security infrastructure of the mobile device via the network, to receive the certificate request with the first public cryptographic key generated by the security element of the mobile device, for receiving the second public cryptographic key generated by the security element of the mobile device, for creating a certificate with the first public cryptographic key, for providing a root certificate of a root instance of a PKI, and for reading attributes from an ID token via the mobile device and for personalizing the ID application program of the mobile device.
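
The device-side authentication in claims 14 and 17, together with the server-side check it implies, as an added example that is not part of the patent text. The claims name no primitives, so X25519 as the key agreement, HMAC-SHA256 as both key derivation and token MAC, and every class and function name here are assumptions.

```python
import hashlib
import hmac
import os

# Assumed primitives (the claims name none): X25519 and HMAC-SHA256.
P = 2**255 - 19
A24 = 121665
BASE = (9).to_bytes(32, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Illustrative only: not constant-time."""
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] = (kb[31] & 127) | 64
    k_int = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k_int >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


class SecurityElement:
    """Holds the private key; only the public key and agreement results leave it."""

    def __init__(self):
        self._second_private = os.urandom(32)
        self.second_public = x25519(self._second_private, BASE)

    def shared_secret(self, peer_public: bytes) -> bytes:
        secret = x25519(self._second_private, peer_public)
        if secret == bytes(32):  # a low-order peer key would force a known secret
            raise ValueError("rejected low-order public key")
        return secret


def derive_auth_key(shared: bytes, random_value: bytes) -> bytes:
    # Assumed KDF: HMAC keyed with the random value over the shared secret.
    return hmac.new(random_value, shared, hashlib.sha256).digest()


def make_token(auth_key: bytes, server_eph_public: bytes) -> bytes:
    # The token is a MAC over the server's ephemeral public key (claim 14).
    return hmac.new(auth_key, server_eph_public, hashlib.sha256).digest()


def control_component_authenticate(se: SecurityElement, server_eph_public: bytes):
    """Device side: returns (random value, authentication token) to send."""
    shared = se.shared_secret(server_eph_public)
    random_value = os.urandom(16)
    auth_key = derive_auth_key(shared, random_value)
    return random_value, make_token(auth_key, server_eph_public)


class PersonalizationServer:
    """One session: fresh ephemeral key pair plus the key sent at provisioning."""

    def __init__(self, enrolled_second_public: bytes):
        self._eph_private = os.urandom(32)
        self.eph_public = x25519(self._eph_private, BASE)
        self._enrolled = enrolled_second_public

    def verify(self, random_value: bytes, token: bytes) -> bool:
        # Assumed counterpart: the claim spells out only the device side.
        shared = x25519(self._eph_private, self._enrolled)
        expected = make_token(derive_auth_key(shared, random_value), self.eph_public)
        return hmac.compare_digest(token, expected)


def run_exchange() -> dict:
    """Constructed scenario: genuine device, unenrolled device, replayed token."""
    device = SecurityElement()
    session = PersonalizationServer(device.second_public)
    rv, token = control_component_authenticate(device, session.eph_public)
    other_rv, other_token = control_component_authenticate(
        SecurityElement(), session.eph_public)
    later_session = PersonalizationServer(device.second_public)
    return {
        "genuine": session.verify(rv, token),
        "impostor": session.verify(other_rv, other_token),
        "replay": later_session.verify(rv, token),
    }


if __name__ == "__main__":
    print(run_exchange())
```

The replayed token fails because both the shared secret and the MAC input depend on the server's per-session ephemeral key, which is why the second public key has to reach the personalization server during provisioning.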

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a national phase under 35 U.S.C. § 371 of PCT International Application No. PCT/EP2022/058739 which has an International filing date of Apr. 1, 2022, which claims priority to German Application No. 10 2021 110 143.3, filed Apr. 21, 2021, the entire contents of each of which are hereby incorporated by reference.

DESCRIPTION

The invention relates to a method for creating a cryptographically secured electronic identity of a user on a mobile device, as well as to a mobile device and a system for executing the method.

Mobile end devices, such as smartphones, are ubiquitous. They are used in many areas of life and situations to perform a wide variety of tasks in the digital domain or with the aid of digital tools. Consequently, corresponding mobile devices must also be able to meet high security requirements.

The security of mobile devices, such as smartphones, has therefore become a relevant requirement for the manufacturers of the devices, for the manufacturers of the programs installed on the devices and for providers of services that can be used with the devices. In order to ensure the cryptographic security of such mobile devices, the manufacturers provide these devices with means, such as security elements, for the provision of cryptographic procedures and key material. However, these means are exclusively at the disposal of the device manufacturers.

Manufacturers and providers of applications for such mobile devices are therefore faced with the challenge of how they can independently ensure the cryptographic security of the application programs they provide. This challenge arises in particular if a corresponding application program is to manage an electronic identity of a user of the mobile device as an ID application program.

It is therefore an object of the present invention to create an improved method for creating a cryptographically secured electronic identity on a mobile device.

The task underlying the invention is solved in each case with the features of the independent patent claims. Some embodiments of the invention are given in the dependent claims.

Embodiments comprise a method for creating a cryptographically secured electronic identity of a user on a mobile device comprising a security element. An ID application program for providing the electronic identity is installed on the mobile device. The ID application program comprises a control component for controlling the creation of the electronic identity. The ID application program further comprises a provisioning component for executing provisioning of the ID application program in the course of the creation of the cryptographically secured electronic identity.

Provisioning the ID application program comprises:

  • in response to a security inspection request from the provisioning component, performing a remote security inspection of the security infrastructure of the mobile device using the control component by a personalization server over a network,
  • receiving a result of the remote security inspection of the personalization server, which the control component forwards to the provisioning component,
  • upon a positive result of the remote security inspection, sending a key generation request from the provisioning component to the control component, which the control component forwards to the security element,
  • in response to the key generation request, generating by the security element a first asymmetric key pair associated with the ID application program and a second asymmetric key pair associated with the ID application program, wherein the first asymmetric key pair comprises a first private cryptographic key and a first public cryptographic key, wherein the second asymmetric key pair comprises a second private cryptographic key and a second public cryptographic key, wherein the security element sends the first and second public cryptographic keys to the control component, which forwards the two public cryptographic keys to the provisioning component,
  • upon receipt of the two public cryptographic keys, generating a certificate request by the provisioning component for generating a certificate of the ID application program comprising the first public cryptographic key, wherein the certificate request comprises the first public cryptographic key,
  • sending the certificate request by the provisioning component over the network to the personalization server, the certificate request comprising the first public cryptographic key, wherein the provisioning component sends the second public cryptographic key to the personalization server in addition to the certificate request,
  • in response to the certificate request, receiving the certificate generated by the personalization server with the first public cryptographic key and a root certificate of a root instance of a PKI by the personalization component,
  • storing the certificate of the ID application program and the root certificate on the mobile device.

Some