Paper 2021/910
SECDSA: Mobile signing and authentication under classical ``sole control''
Abstract
The 2014 European eIDAS regulation regulates strong electronic authentication and legally binding electronic signatures. Both require user "sole control". Historically smartcards are used based on direct interaction between user and relying party. Here sole control is provided by giving users both physical possession and control of the cryptographic key used for signing/authentication through a PIN. Such **classical** sole control is required in the 1999 electronic signature directive by some interpretations. The eIDAS regulation repeals the directive and explicitly relaxes its sole control requirements in a trade-off between security and usability. This allows user interaction to be outsourced to intermediary parties (authentication providers, signing services). This also allows mobile applications as user friendly alternatives for smartcards. However, current mobile platforms are only equipped with limited cryptographic hardware not supporting secure knowledge factors (PINs) controlling keys. The eIDAS relaxation raises concerns on sole control; intermediary parties should not be able to act as man-in-the-middle and impersonate users. In this paper we present a simple cryptographic design for signing and authentication on standard mobile platforms providing classical sole control. We argue that our design can meet the highest eIDAS requirements, effectively introducing a new signature category in a 2016 decision of the European Commission. We also sketch a SECDSA based implementation of the European Digital Identity Wallet recently proposed by the European Commission as part of the eIDAS regulation update.
Metadata
- Available format(s)
- Category
- Applications
- Publication info
- Preprint.
- Keywords
- legally binding signinglimited cryptographic hardwaremobile platformssole controlnon-repudiationstrong authentication
- Contact author(s)
- eric verheul @ keycontrols nl
- History
- 2024-07-01: last of 7 revisions
- 2021-07-05: received
- See all versions
- Short URL
- https://ia.cr/2021/910
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2021/910, author = {Eric Verheul}, title = {{SECDSA}: Mobile signing and authentication under classical ``sole control''}, howpublished = {Cryptology {ePrint} Archive, Paper 2021/910}, year = {2021}, url = {https://eprint.iacr.org/2021/910} }