Paper 2021/910

SECDSA: Mobile signing and authentication under classical ``sole control''

Eric Verheul
Abstract

The 2014 European eIDAS regulation regulates strong electronic authentication and legally binding electronic signatures. Both require user "sole control". Historically smartcards are used based on direct interaction between user and relying party. Here sole control is provided by giving users both physical possession and control of the cryptographic key used for signing/authentication through a PIN. Such **classical** sole control is required in the 1999 electronic signature directive by some interpretations. The eIDAS regulation repeals the directive and explicitly relaxes its sole control requirements in a trade-off between security and usability. This allows user interaction to be outsourced to intermediary parties (authentication providers, signing services). This also allows mobile applications as user friendly alternatives for smartcards. However, current mobile platforms are only equipped with limited cryptographic hardware not supporting secure knowledge factors (PINs) controlling keys. The eIDAS relaxation raises concerns on sole control; intermediary parties should not be able to act as man-in-the-middle and impersonate users. In this paper we present a simple cryptographic design for signing and authentication on standard mobile platforms providing classical sole control. We argue that our design can meet the highest eIDAS requirements, effectively introducing a new signature category in a 2016 decision of the European Commission. We also sketch a SECDSA based implementation of the European Digital Identity Wallet recently proposed by the European Commission as part of the eIDAS regulation update.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Preprint.
Keywords
legally binding signinglimited cryptographic hardwaremobile platformssole controlnon-repudiationstrong authentication
Contact author(s)
eric verheul @ keycontrols nl
History
2024-03-16: last of 5 revisions
2021-07-05: received
See all versions
Short URL
https://ia.cr/2021/910
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2021/910,
      author = {Eric Verheul},
      title = {SECDSA: Mobile signing and authentication under classical ``sole control''},
      howpublished = {Cryptology ePrint Archive, Paper 2021/910},
      year = {2021},
      note = {\url{https://eprint.iacr.org/2021/910}},
      url = {https://eprint.iacr.org/2021/910}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.