Cryptography Reference
In-Depth Information
eID card
holder
eID card
(reader)
Web
browser
r
Web
server
PIN
h(r)
sig
(
h
(
r
))
Cert
sig
(
h
(
r
))
Cert
Figure 12.12.
eID card holder authentication
may include a PIN pad. This provides an interface between the eID card and the
card holder's computer. A typical card holder authentication process is illustrated
in Figure 12.12. In this example, a visited web server is requesting authentication
of the card holder:
1. The web server randomly generates a challenge
r
. This is sent to the card
holder's browser, which displays a request to login.
2. The card holder enters their PIN into the eID card reader which, if correct,
authorises the eID card to proceed with the authentication.
3. The card holder's browser computes a hash
h
(
r
) of the challenge
r
, using a
suitable hash function (see Section 6.2) and sends this to the eID card via the
card reader.
4. The eID card digitally signs
h
(
r
) using the authentication signature key and sends
this to theweb server via the card holder's browser, alongwith the card holder's
authentication verification key certificate.
5. The web server verifies the received certificate and, if this is successful, verifies
the signature and checks that it corresponds to the challenge
r
. If everything is
in order, the card holder is successfully authenticated.
This process is a straightforward application of challenge-response to provide
entity authentication (see Section 8.5). Note that the overall security of the
authentication process relies on the security of the card holder's PIN. An attacker
with access to both the eID card and the PIN can falsely authenticate to the
web server.
DIGITAL SIGNATURE CREATION
The digital signature creation process is as described in Section 7.3.4, except
that the card holder enters their PIN before the digital signature is created.
The digital signature is generated using the non-repudiation signature key.
