IRMA versus Frau Mustermann: the advantages of using attribute based credentials over attestation based approaches.
In our IRMA project we develop a platform to support attribute based credentials (ABC) on a smart card. We believe the IRMA scheme is more secure and more flexible than the attestation based approach (as used by the German eID system, that use the placeholder name Mustermann on their sample cards). Below I will explain why.
Many countries that have an electronic identity (eID) system attach the eID chip to a classical identity card. From a historical perspective this is a natural approach (eIDs have evolved from the electronic or biometric passports). However, as a consequence, people can only own at most a single eID, and a significant group of citizens are excluded from owning an eID at all. This severely affects the coverage and inclusiveness of eID applications, and even prevents the implementation of certain types of eID applications.
Ideally, a relying party that needs to verify certain attributes of a user would do so all by himself. However, in the new German eID system there are currently 7 so called eID service providers that handle this task on behalf of many relying parties. The Germans did this to allow service providers to quickly adopt the new eID system, because they can simply contract an eID service provider instead of implementing the functionality themselves. However, this creates a hotspot. For all users the eID service provider sees all attributes verified for all relying parties it services. The eID service provider is therefore in principle able to link a user to all the relying parties it visits, together with the relevant attributes. This appears to be a serious privacy risk. Or isn’t it?
In the IRMA (I Reveal My Attributes) project we are working to make attribute based credentials practical. IRMA provides very efficient implementations of such credentials on (contactless) smart cards. This allows us to use the smart card as a secure and portable container for these credentials. One of the things we have been looking at is possible use cases. Last week I discussed how the IRMA card can be used to stop the resale of event tickets. In this blog post I will discuss an almost trivial application: proving age bounds.
I recently learnt that the new German identity card (or nPA for neuer Personalausweis has security, privacy and usability problems. This was brought to my attention during a number of discussions with experts, as well as a recent publication by a group of researcher from Frauenhofer SIT. The findings have been verified against the official documentation. The issues concern the eID application on the card that is to be used for authentication on the Internet (and not the electronic passport functionality that is also present on the same card).