|![[Search]](/images/search.gif?1209136071)
|![[A-Z Index]](/images/az.gif?1209136071)
|![[Contact]](/images/contact.gif?1209136071)
||![[University of Birmingham]](/images/identifier2.gif?1243330508){kind=small} |
![[Talks@bham]](/images/talkslogosmall.gif?1243330508) |
University of Birmingham > Talks@bham > Computer Security Seminars > Polymorphic Encryption and Pseudonymization in the Dutch eID scheme
Polymorphic Encryption and Pseudonymization in the Dutch eID schemeAdd to your list(s) Download to your calendar using vCal
If you have a question about this talk, please contact Dr Garfield Benjamin. The envisioned Dutch eID scheme is federative. If a citizen want to logon to an e-government service he is redirected to an authentication provider (AP) which can be private party like a bank or a telco. At the AP actual authentication takes place. The citizen is then redirected back to the e-government service with the authentication result. As an involved external consultant, I identified a paradox in 2014. Government services require the Dutch social security number called ‘BSN’ as part of authentication. However, Dutch privacy regulation precludes private parties from processing the BSN . This led to the following question: is it possible to store the BSN in some encrypted form at an authentication provider such that it can be later transformed into a form decipherable by, and only by, the intended governmental organisation? In the setup indicated above, authentication providers know both the identities of citizens and the service providers that they want to login to. There are many cases where just registering that a user accessed a specific service can constitute a breach of privacy. As an illustration, suppose one is regularly logging into an online consultation for alcoholics through a bank acting as authentication provider. How comfortable would one then be to apply for a mortgage or a car insurance application at that bank? This lead to the another question: is it possible that an authentication provider authenticates a user for an organisation without knowing the identity of the user? This is paradoxical as the authentication provider is required to identify the user and to personally provide him with means of authentication. Both questions led to the development of Polymorphic Encryption and Pseudonymisation (PEP). In the talk I will explain PEP principles and indicate how the second issue can be solved via a personal PEP -enabled smart card. Actually in this context the authentication provider will not even be able to recognize the user let alone identify him. PEP implementation currently takes place on Dutch identity card & driver license. Roll-out is expected Q3 2018 . This talk is part of the Computer Security Seminars series. This talk is included in these lists:
Note that ex-directory lists are not shown. |
Other listsCentre for Systems Biology Coffee Mornings Optimisation and Numerical Analysis Seminars Mathematics ColloquiumOther talksTBC Control variates for computing transport coefficients Ultrafast Spectroscopy and Microscopy as probes of Energy Materials Horizontal Mean Curvature Flow and stochastic optimal controls The tragic destiny of Mileva Marić Einstein Quantum Sensing in Space |
Eric Verheul (Radboud)
Thursday 13 July 2017, 11:00-12:00