
Polymorphic Encryption and Pseudonymization in the Dutch eID scheme


If you have a question about this talk, please contact Dr Garfield Benjamin.

The envisioned Dutch eID scheme is federative. If a citizen wants to log on to an e-government service, he is redirected to an authentication provider (AP), which can be a private party such as a bank or a telco. The actual authentication takes place at the AP. The citizen is then redirected back to the e-government service with the authentication result. As an involved external consultant, I identified a paradox in 2014. Government services require the Dutch social security number, called 'BSN', as part of authentication. However, Dutch privacy regulation precludes private parties from processing the BSN. This led to the following question: is it possible to store the BSN in some encrypted form at an authentication provider such that it can later be transformed into a form decipherable by, and only by, the intended governmental organisation?

In the setup indicated above, authentication providers know both the identities of citizens and the service providers that they want to log in to. There are many cases where just registering that a user accessed a specific service can constitute a breach of privacy. As an illustration, suppose one regularly logs in to an online consultation for alcoholics through a bank acting as authentication provider. How comfortable would one then be applying for a mortgage or car insurance at that bank? This led to another question: is it possible for an authentication provider to authenticate a user for an organisation without knowing the identity of the user? This is paradoxical, as the authentication provider is required to identify the user and to personally provide him with means of authentication.

Both questions led to the development of Polymorphic Encryption and Pseudonymisation (PEP). In the talk I will explain PEP principles and indicate how the second issue can be solved via a personal PEP-enabled smart card. Actually, in this context the authentication provider will not even be able to recognize the user, let alone identify him. PEP implementation currently takes place on the Dutch identity card and driver's license. Roll-out is expected Q3 2018.

This talk is part of the Computer Security Seminars series.
