Paper 2023/1232

Privacy-Preserving Outsourced Certificate Validation

Tarek Galal, Hasso-Plattner Institute, University of Potsdam
Anja Lehmann, Hasso-Plattner Institute, University of Potsdam
Abstract

Digital Covid certificates are the first widely deployed end-user cryptographic certificates. For service providers, such as airlines or event ticket vendors, that needed to check that their (global) customers satisfy certain health policies, the verification of such Covid certificates was challenging though - not because of the cryptography involved, but due to the multitude of issuers, different certificate types and the evolving nature of country-specific policies that had to be supported. As Covid certificates contain sensitive health information, their (online) presentation to non-health related entities also poses clear privacy risk. To address both challenges, the EU proposed a specification for outsourcing the verification process to a validator service, that executes the process and informs service providers of the result. The WHO announced to adopt this approach for general vaccination credentials beyond Covid-19. While being beneficial to improve security and privacy for service providers, their solution requires strong trust assumption for the (central) validation service that learns all health-related details of the users. In our work, we propose and formally model a privacy-preserving variant of such an outsourced validation service. Therein the validator learns the attributes it is supposed to verify, but not the users identity. Still, the validator's assertion is blindly bound to the user's identity to ensure the desired user-binding. We analyze the EU specification in our model and show that it only meets a subset of those goals. Our analysis further shows that the EU protocol is unnecessarily complex and can be significantly simplified while maintaining the same (weak) level of security. Finally, we propose a new construction for privacy-preserving certificate validation that provably satisfies all desired goals.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. Privacy Enhancing Technologies Symposium 2023
DOI
10.56553/popets-2023-0113
Keywords
digital certificatesauthenticationprivacy
Contact author(s)
mail @ tgalal com
anja lehmann @ hpi de
History
2023-08-15: approved
2023-08-14: received
See all versions
Short URL
https://ia.cr/2023/1232
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/1232,
      author = {Tarek Galal and Anja Lehmann},
      title = {Privacy-Preserving Outsourced Certificate Validation},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/1232},
      year = {2023},
      doi = {10.56553/popets-2023-0113},
      url = {https://eprint.iacr.org/2023/1232}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.