EP1854241A1 - Method for providing electronic certificates for use in electronic signatures - Google Patents
Method for providing electronic certificates for use in electronic signatures
- Publication number
- EP1854241A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- user
- central computer
- time password
- computer
- signature
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Definitions
- The invention relates to a method for providing electronic certificates for use in electronic signatures of a user.
- The object of the invention is to provide a method for providing electronic certificates for use in electronic signatures that a user can handle in a simple manner.
- The user card may be, for example, a credit card or comparable card of a credit institution.
- Such a user card can be activated by the user himself in order to then use the card for generating the electronic certificates for use in an electronic signature.
- It can also be a separate card that can additionally be used for other purposes, such as an identity card or health card.
- The card has a chip on which the required data and algorithms are stored.
- Such a chip or such a memory element can be provided in a corresponding device instead of in a card, for example in combination with a mobile telephone.
- A one-time password is first provided on a central computer.
- The one-time password can be generated by the central computer, for example by means of a random number generator.
- Each one-time password is uniquely assigned to a reference identifier, in particular a reference number.
- The reference identifier may be, for example, a sequential number.
- The one-time password and the associated reference identifier are communicated to the user of the card whose function as a signature card is to be unlocked.
- The one-time password and the reference identifier are preferably communicated in such a way that no party involved learns both items of data. This can be done, for example, by means of an envelope which contains the one-time password and on whose outside the reference identifier is provided; in a preferred embodiment of the method, the reference identifier must also be readable by third parties.
- Such an envelope or the like may be sent to the user by mail, for example.
- The registry is, for example, a financial institution, an authority or the like.
- The registry can verify the identity of the user. Since in a preferred embodiment an employee of the registry can read the reference identifier, while the associated one-time password provided inside the envelope is not known to the registry staff, the registry staff can assign the reference identifier to the user data.
- The one-time password is known at this time only to the central computer. In a first preferred embodiment, however, it is sufficient that the one-time password is provided on the central computer and uniquely assigned to a reference identifier, and that the user is notified of the one-time password and the associated reference identifier.
- To unlock the card or an equivalent means for generating a qualified electronic signature, the user establishes a data transfer connection (SSL connection) between a user computer and the central computer. Furthermore, a connection must be established between the user computer and a reading device, such as a card reader. If the required data are stored in the chip of a mobile telephone, the reading device is the mobile telephone itself, so that a connection between the mobile telephone and the user computer has to be established.
- The reference identifier and a public signature key, i.e. a cryptographic key, are transmitted to the central computer.
- The reference identifier is known to the user and can be entered by the user directly into the user computer or the reading device.
- The public signature key is stored on the card or in the chip, is read out with the aid of the reading device and is transmitted via the user computer to the central computer.
- Since the central computer knows which one-time password is assigned to the transmitted reference identifier, in the next step the central computer assigns the reference identifier and the public key to the one-time password stored in the central computer.
- In the following steps, the user proves knowledge of the one-time password.
- This proof is given to the central computer without third parties being able to gain knowledge of the one-time password.
- According to a first method, the proof can be carried out by transmitting the one-time password to the central computer in encrypted form.
- The encryption can take place, for example, within a previously established SSL connection.
- Alternatively, the user signs the one-time password with the private key. The user computer then sends the signature, but not the one-time password itself, not even in encrypted form, to the central computer.
- The central computer knows the one-time password and can thus check the validity of the signature with the aid of the previously received public key of the user. The check of the one-time password is thus implicit.
- After successful verification of the one-time password or of the signature by means of the public key, the central computer generates, possibly with the support of another computer, preferably several user-specific certificates.
- The user-specific certificates are transmitted to the user computer and can then be stored on the card or in the chip.
- After carrying out the method according to the invention, the user has the option of performing qualified electronic signatures with the electronic certificates, using the card or a corresponding device in which the chip is provided.
- The user computer and the central computer are spatially separated from one another.
- The communication between the two computers is controlled by an additional component, such as a certificate management system.
- Depending on user input and information stored in a database, this additional component enables the user to access the user's signature functions.
- This additional component also makes it possible to introduce further usage data, such as certificates, into the card; these are required for applying the signature as well as for the encryption and decryption functions of the card.
- A particular advantage of the method according to the invention is that the production process is significantly simplified. Another advantage is that, when the signature card is issued, the user does not yet have to decide whether or when the card is provided with a certificate. The user may make that decision at any time during the entire life of the card.
- Fig. 1 shows a schematic representation of the activation of a card.
- Fig. 2 shows a schematic representation of the download of certificates. The individual steps of the card initialization in Fig. 1 are designated A to G.
- In step A, the printed one-time password is inserted into an envelope 10 on which a reference number is printed. This takes place after the one-time password has been generated by the central computer or another computer, in particular with the aid of a random number generator, and subsequently assigned to a specific reference identifier or reference number. The assignment between the one-time password and the reference number can be requested from the central computer 12 or stored on it.
- The envelope 10 is transmitted to a registration authority 14, such as a financial institution or a public agency, for example by mail.
- The transfer of the envelope 10 is carried out by security mail.
- In the illustrated preferred embodiment of the invention, a user or customer 16 is identified at the registration office 14, for example with the aid of an identity card (step C).
- In step D, a registration office employee hands over the envelope 10 to the user 16, and in step E the card 18.
- The envelope 10 and the card 18 are handed over by two different persons, so that the four-eyes principle is maintained and misuse is avoided.
- The registration office staff record the reference number printed on the envelope 10 and add it to the recorded identification data, such as surname, first name, date of birth, place of birth, etc.
- The identification data are recorded electronically. It is particularly preferred that the registration office employee confirms the recorded data by means of an electronic signature.
- The registration record thus generated (step F), which comprises the identification data of the user 16, the reference number present on the envelope 10 and the electronic signature of the registration authority employee, is transmitted to the central computer 12. The central computer 12 then assigns the user, or the identification data of the user, to the one-time password by means of the reference number (step G). This is possible since the central computer knows the association between the reference number and the one-time password.
- The electronic signature of the registration authority employee is checked by the central computer.
- The user or customer 16 can use the card 18 handed over to him, for example, over a longer period of time as a conventional debit card. Only at a later time may the customer 16 decide to also use the card for the electronic signature. For this purpose, the steps illustrated in Fig. 2, designated 1 to 14, must be carried out.
- A user computer 22 is connected to a card reader 20 for data transmission.
- A page of the central computer is called up, i.e. a connection is established between the user computer 22 and the central computer 12.
- The reference number is transmitted to the central computer.
- The reference number is preferably entered by the user into the user computer 22.
- In step 3, the public key is transmitted to the central computer 12.
- The public key stored in the chip is read out with the help of the card reader 20 and transmitted to the user computer 22, from which it is then transferred to the central computer 12. Possibly, further data can be read from the chip, for example the card number or identification data of the user stored in the chip. Such additional data can be checked by the central computer 12 to increase security.
- Increased security can also be achieved by requiring the card itself to be released using a transport PIN (step 4).
- For this purpose, a number, for example a five-digit number, is stored as the transport PIN in the chip of the card.
- The transport PIN is known to the user.
- In order to use the card 18 at a later time for an electronic signature, a signature PIN must be entered by the user 16. This is, for example, a six-digit PIN that can be chosen by the user.
- The signature PIN (step 5) is transmitted to the reader 20 or input directly at the reader 20 and stored in the chip of the card 18.
- Alternatively, the transport PIN is not known to the user but is communicated to the user as part of the download from the central computer. This has the advantage that the user does not know the transport PIN until then, and therefore the private keys of the card cannot be used before that point.
- The transport PIN described above can also be calculated from customer data via a secure method. It is always ensured that the transport PIN cannot be read out.
- After entering the six-digit signature PIN of the exemplary embodiment, the user has the option of generating an electronic signature. At this point in time, however, no certificate can yet be generated to verify the signature.
- In step 6, the central computer 12 transmits the registration data as a registration data record to the user computer 22, where it is displayed to the user 16. The user thus has the opportunity to check the recorded data.
- In step 7, the user is prompted by the central computer 12 to enter the one-time password.
- After the one-time password has been entered in the user computer 22, it and other data are signed using the private key of the user. The signature thus created is transmitted to the central computer 12.
- The correctness of the one-time password is checked with the help of the public key of the user (step 10). This is possible because there is a unique mathematical relationship between the public key and the private key, because the one-time password has entered into the signature transmitted in step 9, and because the central computer 12 already has the one-time password. Since the central computer 12 knows the assignment between the reference number and the one-time password, the correctness of the one-time password can thus be checked. In the subsequent step 11, user, public key, one-time password and registration data can then be assigned to one another.
- Step 12 is the generation of one or more certificates by means of the central computer 12 and a processing center 24. The processing center 24 provides the technical services for generating and managing the certificates.
- The certificate includes in particular the following information:
- It is customary for the certificate to be additionally electronically signed by a trust center (step 13).
- The certificate or certificates are transmitted in step 14 to the user computer 22 and from there to the card reader 20, and stored in the chip.
- For signing, the user uses special software available as a standard product, such as Adobe Acrobat (version 6.0 or later) or e-mail programs.
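As an added illustration of steps 7 to 11 of Fig. 2 (this is example code, not code from the patent), the following Go program models the proof of the one-time password by signature: the user computer signs the one-time password together with the displayed registration data with the card's private key and sends only the signature, while the central computer, which holds the one-time password under the reference number, rebuilds the same message and verifies the signature with the public key received in step 3. Ed25519 as the signature scheme, the 16-byte password, the in-memory maps and all names are assumptions of this example; the sample registration record in the test is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// CentralComputer models the central computer (12): per reference number it holds the
// OTP (step A), the registration record (step G) and, after a successful proof, the public key (step 11).
type CentralComputer struct {
	otpByRef map[string][]byte
	regByRef map[string]string
	pubByRef map[string]ed25519.PublicKey
}

func NewCentralComputer() *CentralComputer {
	return &CentralComputer{map[string][]byte{}, map[string]string{}, map[string]ed25519.PublicKey{}}
}

// GenerateUserKey stands in for the key pair held in the card's chip (assumed Ed25519 here).
func GenerateUserKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if the OS RNG fails
	return pub, priv
}

// IssueOTP draws a random 16-byte one-time password for a fresh reference number (step A).
func (c *CentralComputer) IssueOTP(ref string) ([]byte, error) {
	if _, exists := c.otpByRef[ref]; exists {
		return nil, errors.New("reference number already issued")
	}
	otp := make([]byte, 16)
	if _, err := rand.Read(otp); err != nil {
		return nil, err
	}
	c.otpByRef[ref] = otp
	return otp, nil
}

// Register attaches the registration record to the reference number (steps F, G).
func (c *CentralComputer) Register(ref, regData string) error {
	if _, ok := c.otpByRef[ref]; !ok {
		return errors.New("unknown reference number")
	}
	c.regByRef[ref] = regData
	return nil
}

// proofMessage is what both sides sign/verify: the fixed-length OTP followed by the registration data.
func proofMessage(otp []byte, regData string) []byte { return append(append([]byte{}, otp...), regData...) }

// SignProof is the user side (steps 7-9): OTP and displayed registration data are signed
// with the card's private key; only the signature leaves the user computer, never the OTP.
func SignProof(priv ed25519.PrivateKey, otp []byte, regData string) []byte {
	return ed25519.Sign(priv, proofMessage(otp, regData))
}

// VerifyProof is the central computer side (steps 10, 11): it rebuilds the message from its own OTP copy
// and checks the signature with the public key from step 3. A wrong OTP gives (false, nil); a reference
// number already bound to a key is refused, so the password really is one-time.
func (c *CentralComputer) VerifyProof(ref string, pub ed25519.PublicKey, sig []byte) (bool, error) {
	otp, ok := c.otpByRef[ref]
	regData, reg := c.regByRef[ref]
	if !ok || !reg {
		return false, errors.New("reference number unknown or not registered")
	}
	if _, bound := c.pubByRef[ref]; bound {
		return false, errors.New("one-time password already consumed")
	}
	if !ed25519.Verify(pub, proofMessage(otp, regData), sig) {
		return false, nil
	}
	c.pubByRef[ref] = pub // user, public key, OTP and registration data are now linked
	return true, nil
}
```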
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE200510009867 DE102005009867A1 (de) | 2005-03-04 | 2005-03-04 | Method for providing electronic certificates for use in electronic signatures |
PCT/EP2006/060434 WO2007003446A1 (fr) | 2005-03-04 | 2006-03-03 | Method for providing electronic certificates for use in electronic signatures |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1854241A1 true EP1854241A1 (fr) | 2007-11-14 |
Family
ID=36848120
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP06792445A Withdrawn EP1854241A1 (fr) | 2005-03-04 | 2006-03-03 | Method for providing electronic certificates for use in electronic signatures |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP1854241A1 (fr) |
DE (1) | DE102005009867A1 (fr) |
WO (1) | WO2007003446A1 (fr) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE102005063541B4 (de) | 2005-12-08 | 2019-05-29 | Giesecke+Devrient Mobile Security Gmbh | Portable data carrier |
DE102010033231B4 (de) * | 2010-08-03 | 2013-08-22 | Siemens Aktiengesellschaft | Method and device for tamper-proof provision of a key certificate |
DE102010033232A1 (de) | 2010-08-03 | 2012-02-09 | Siemens Aktiengesellschaft | Method and device for providing a one-time password |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0682832A4 (fr) * | 1993-11-08 | 1996-03-13 | Hughes Aircraft Co | Secure distribution protocol for authentication and encryption elements |
US5420927B1 (en) * | 1994-02-01 | 1997-02-04 | Silvio Micali | Method for certifying public keys in a digital signature scheme |
ES2200598T3 (es) * | 1999-11-19 | 2004-03-01 | Swisscom Mobile Ag | Method and system for ordering and delivering digital certificates |
US6763459B1 (en) * | 2000-01-14 | 2004-07-13 | Hewlett-Packard Company, L.P. | Lightweight public key infrastructure employing disposable certificates |
US20020144109A1 (en) * | 2001-03-29 | 2002-10-03 | International Business Machines Corporation | Method and system for facilitating public key credentials acquisition |
EP1263164B1 (fr) * | 2001-05-23 | 2006-06-07 | Daniel Büttiker | Method and token for registering users of a public key infrastructure, and registration system |
US6834795B1 (en) * | 2001-06-29 | 2004-12-28 | Sun Microsystems, Inc. | Secure user authentication to computing resource via smart card |
2005
- 2005-03-04 DE DE200510009867 patent/DE102005009867A1/de not_active Ceased
2006
- 2006-03-03 EP EP06792445A patent/EP1854241A1/fr not_active Withdrawn
- 2006-03-03 WO PCT/EP2006/060434 patent/WO2007003446A1/fr not_active Application Discontinuation
Non-Patent Citations (1)
Title |
---|
See references of WO2007003446A1 * |
Also Published As
Publication number | Publication date |
---|---|
DE102005009867A1 (de) | 2006-09-07 |
WO2007003446A1 (fr) | 2007-01-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
DE102009027723A1 (de) | | Method for reading attributes from an ID token |
EP2289016B1 (fr) | | Use of a mobile telecommunication device as an electronic health card |
DE10124111A1 (de) | | System and method for distributed group management |
DE102009027681A1 (de) | | Method and reading of attributes from an ID token |
WO2003013167A1 (fr) | | Device for digitally signing an electronic document |
EP4224786A1 (fr) | | Method and device for generating electronic signatures |
EP3422274A1 (fr) | | Method for configuring or modifying a configuration of a payment terminal and/or assigning a payment terminal to an operator |
EP1964042A1 (fr) | | Method for preparing a chip card for electronic signature services |
WO2007003446A1 (fr) | | Method for providing electronic certificates for use in electronic signatures |
DE102020118716A1 (de) | | Method for securely performing a remote signature, and security system |
DE102005011166A1 (de) | | Computer system and method for signing, signature verification and/or archiving |
DE102008042406B4 (de) | | Method for the secure exchange of data |
DE102015208098B4 (de) | | Method for generating an electronic signature |
DE10020562C1 (de) | | Method for correcting an error occurring in a data processing unit |
EP3107029B1 (fr) | | Method and device for personalized electronic signing of a document, and computer program product |
EP3840321B1 (fr) | | Method and system for authenticating a mobile ID by means of hash values |
DE10112166A1 (de) | | Method for transaction verification |
EP2052345B1 (fr) | | Method for anonymous analysis of authentication identity codes of a user or an object |
DE102005061999A1 (de) | | Method for the secure electronic transmission of data from a first data processing device to a second data processing device |
EP1358734A1 (fr) | | Protocol, system and telecommunication devices for anonymous and authenticated electronic voting |
EP3933633A1 (fr) | | Anonymized provision of a service |
DE102020105668A1 (de) | | Method and system for electronic remote signature |
EP1378843A1 (fr) | | Data processing method and system for secure communication between the administration and the public |
DE102020134933A1 (de) | | Method for creating a qualified electronic signature |
EP4405840A1 (fr) | | Method for the digital exchange of information |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
| 17P | Request for examination filed | Effective date: 20070824 |
| AK | Designated contracting states | Kind code of ref document: A1; Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC NL PL PT RO SE SI SK TR |
| RIN1 | Information on inventor provided before grant (corrected) | Inventor name: WALTEREIT, ELMAR; Inventor name: WEIDERT, ANJA |
| 17Q | First examination report despatched | Effective date: 20080411 |
| DAX | Request for extension of the european patent (deleted) | |
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
| 18D | Application deemed to be withdrawn | Effective date: 20081022 |