Activation Users of Polymorphic structures are: AD, MU, EB and MR.
Usages of Polymorphic structures
Format for Polymorphic Identity or Pseudonym
A Polymorphic Identity or Pseudonym is a combination of points on an elliptic curve. In order for the Identity or Pseudonym to be properly usable in the scheme, some additional information is needed. This information is necessary for practical management and secure implementation of Identity or Pseudonym in the Scheme and consists of elements like versioning (for key management) and recipient. The syntax for expressing an Identity or Pseudonym with this information is listed below.
Values of the notations below SHALL be represented as (the base64 encoding of) the DER-encoded structure in ASN.1 notation.
Polymorphic Identity or Pseudonym
A Polymorphic Identity or Pseudonym consists of 3 points on an elliptic curve. Polymorphic Identities and Pseudonyms are provided via the interface Interface spec BSNk: activate. They are used via the interface Interface spec BSNk: transform. The notation for a complete Polymorphic Identity or Pseudonym is as follows:
PolymorphicIdentity ::= SEQUENCE {
    notationIdentifier       OBJECT IDENTIFIER (id-BSNk-polymorphic-identity),
    schemeVersion            INTEGER,
    schemeKeySetVersion      INTEGER,
    creator                  IA5String,
    recipient                IA5String,
    recipientKeySetVersion   INTEGER,
    points                   SEQUENCE (SIZE (3)) OF ECPoint
}

PolymorphicPseudonym ::= SEQUENCE {
    notationIdentifier       OBJECT IDENTIFIER (id-BSNk-polymorphic-pseudonym),
    schemeVersion            INTEGER,
    schemeKeySetVersion      INTEGER,
    creator                  IA5String,
    recipient                IA5String,
    recipientKeySetVersion   INTEGER,
    type                     INTEGER,
    points                   SEQUENCE (SIZE (3)) OF ECPoint
}
Herein the schemeVersion indicates the version of the cryptographic scheme and this syntax and SHALL start at 1. The schemeKeySetVersion is a version that SHALL start at 1 and represents the effective set of long-term scheme master keys (PP-M, PD-M, etc.). The schemeVersion defines the elliptic curve used in the scheme as well. The creator SHALL contain the entityID (OIN) of the creator, and the recipient SHALL contain the entityID (OIN) of the recipient. The recipientKeySetVersion holds the version number for the set of the recipient's keys for Polymorphic Identities and Pseudonyms (PA-Di). Note: In schemeVersion 1 the recipientKeySetVersion for MUs, ADs, MRs and the EB is a sequence starting at 1. The type defines the identity type the Pseudonym is derived from, e.g. from a BSN or an eIDAS Uniqueness Identifier. This field is not necessary in identity-based forms, as there the identity type will become clear as part of decryption of the final structure, i.e. the Encrypted Identity. The values currently defined are the ASCII value of 'B' (0x42) for BSN based and 'E' (0x45) when based on an eIDAS uniqueness identifier. ECPoint is identical to ECPoint as defined in BSI TR 03111 and ANSI X9.62 (2005). Here two encodings are specified, uncompressed and compressed. Both encodings are allowed, with a preference for uncompressed encoding.
A Polymorphic Identity or Polymorphic Pseudonym can be signed for integrity protection:
SignedPolymorphicIdentity ::= SEQUENCE {
    notationIdentifier   OBJECT IDENTIFIER (id-BSNk-polymorphic-identity-signed),
    signedPI             SEQUENCE {
        polymorphicIdentity   PolymorphicIdentity,
        auditElement          OCTET STRING,
        signingKeyVersion     INTEGER
    },
    signatureValue       ECDSA-Signature
}

SignedPolymorphicPseudonym ::= SEQUENCE {
    notationIdentifier   OBJECT IDENTIFIER (id-BSNk-polymorphic-pseudonym-signed),
    signedPP             SEQUENCE {
        polymorphicPseudonym  PolymorphicPseudonym,
        auditElement          OCTET STRING,
        signingKeyVersion     INTEGER
    },
    signatureValue       ECDSA-Signature
}
An auditElement holds an audit value consisting of an identifier for the creator, a timestamp and a sequence number from that creator. This auditElement is 16 bytes in big-endian (32-bit origin, 32-bit timestamp and 64-bit sequence number). The origin identifies the party providing the Polymorphic/Encrypted Identity or Pseudonym and the unique device used. The timestamp and sequence number can be used in case of a compromise or dispute, so that mitigating measures or a resolution can be accomplished. Note: the timestamp is 32-bit in seconds since 1 January 1970 UTC. The auditElement is encrypted under a key only retrievable by the supervisor of the scheme, which is provided to the supervisor by the key management role.
The signatureValue can be used to assert the authenticity of the (polymorphic/encrypted) Identity or Pseudonym. The signature is applied to the byte sequence of the complete DER-encoded signed sequence (e.g. signedPP in a SignedPolymorphicPseudonym). The public key for verification can be retrieved from the Metadata using the creator from the structure covered under the signature and the signingKeyVersion.
-- ECPoint is described in ANSI X9.62 (2005), annex E.6.
-- In particular, encoding from point to octet string and
-- from octet string to a point is defined in annex A.5.7
-- and A.5.8 of ANSI X9.62.
ECPoint ::= OCTET STRING

ECDSA-Signature ::= SEQUENCE {
    signatureType    OBJECT IDENTIFIER (ecdsa-with-SHA384),
    signatureValue   EC-Sig-Value
}

-- EC-Sig-Value is identical to BSI TR 03111 ECDSA-Sig-Value,
-- which is identical to ECDSA-Sig-Value defined in RFC5480 as well.
EC-Sig-Value ::= SEQUENCE {
    r   INTEGER,
    s   INTEGER
}

ecdsa-with-SHA384 OBJECT IDENTIFIER ::= {
    iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 3 }

id-BSNk-scheme-nl OBJECT IDENTIFIER ::= {
    joint-iso-itu-t(2) country(16) nl(528) nederlandse-organisatie(1)
    nederlandse-overheid(1003) logius-beheer-usve(10) }

id-BSNk-identifiers                   OBJECT IDENTIFIER ::= { id-BSNk-scheme-nl 1 }
id-BSNk-polymorphics                  OBJECT IDENTIFIER ::= { id-BSNk-identifiers 1 }
id-BSNk-polymorphic-identity          OBJECT IDENTIFIER ::= { id-BSNk-polymorphics 1 }
id-BSNk-polymorphic-pseudonym         OBJECT IDENTIFIER ::= { id-BSNk-polymorphics 2 }
id-BSNk-polymorphic-identity-signed   OBJECT IDENTIFIER ::= { id-BSNk-polymorphics 3 }
id-BSNk-polymorphic-pseudonym-signed  OBJECT IDENTIFIER ::= { id-BSNk-polymorphics 4 }
PIP – PPCA optimized
For privacy-enhanced implementation, Polymorphic Identities and Pseudonyms can be implemented on a smartcard. This is called a PP-card application, or PPCA. A Polymorphic Identity and a Polymorphic Pseudonym can be combined to 5 points on an elliptic curve rather than six, for optimization in a smartcard implementation. The PPCA-optimized PIP version of Polymorphic Identities or Pseudonyms is provided in Interface spec BSNk: activate.
The combined notation for a Polymorphic Identity and Pseudonym is as follows:
PIP ::= SEQUENCE {
    notationIdentifier       OBJECT IDENTIFIER (id-BSNk-polymorphic-pip),
    schemeVersion            INTEGER,
    schemeKeySetVersion      INTEGER,
    creator                  IA5String,
    recipient                IA5String,
    recipientKeySetVersion   INTEGER,
    type                     INTEGER,
    points                   SEQUENCE (SIZE (5)) OF ECPoint
}
The first, second and fourth ECPoint of the points in a PIP correspond to those of a PI. Similarly, the first, third and fifth correspond to those of a PP. In this fashion one can extract a PI and PP from a PIP.
There also exists a signed version of a PIP:
SignedPIP ::= SEQUENCE {
    notationIdentifier   OBJECT IDENTIFIER (id-BSNk-polymorphic-pip-signed),
    signedPIP            SEQUENCE {
        pip                   PIP,
        auditElement          OCTET STRING,
        signingKeyVersion     INTEGER
    },
    signatureValue       ECDSA-Signature
}
This follows the same concepts as described for a Polymorphic Identity or Polymorphic Pseudonym.
id-BSNk-polymorphic-pip         OBJECT IDENTIFIER ::= { id-BSNk-polymorphics 5 }
id-BSNk-polymorphic-pip-signed  OBJECT IDENTIFIER ::= { id-BSNk-polymorphics 6 }

-- the following OID is reserved for usage in the specifications of the
-- protocol for PP on smartcard (polymorphic card application)
id-PCA OBJECT IDENTIFIER ::= { id-BSNk-scheme-nl 9 }
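A recipient-side structural check for the unsigned PolymorphicIdentity, PolymorphicPseudonym and PIP notations, including the PI/PP split of the five PIP points described above. This is an added example, not code from the BSNk specification: the names parse_polymorphic, tlv and SAMPLE and the values OIN-A and OIN-B are assumptions, and the sample bytes are constructed. It does not verify signatures or check that points lie on the curve selected by schemeVersion.

```python
import base64
# DER content octets of id-BSNk-polymorphics (2.16.528.1.1003.10.1.1), per the OIDs above
PREFIX = bytes.fromhex("60841001876b0a0101")
# final OID arc -> (notation, number of points, carries a `type` field)
NOTATIONS = {1: ("PI", 3, False), 2: ("PP", 3, True), 5: ("PIP", 5, True)}
# Constructed sample PIP; its 3-byte "points" are placeholders, not real curve points.
SAMPLE = base64.b64encode(bytes.fromhex(
    "3041060a60841001876b0a01010502010102010116054f494e2d4116054f494e2d42"
    "020101020142301904030200010403020002040303000304030200040403030005")).decode()

def tlv(buf, pos, tag):
    """Read one TLV with the expected tag; return (value, next position)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag {tag:#04x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated structure")
    return buf[pos:pos + length], pos + length

def parse_polymorphic(b64):
    raw = base64.b64decode(b64, validate=True)
    body, end = tlv(raw, 0, 0x30)
    oid, p = tlv(body, 0, 0x06)
    if oid[:-1] != PREFIX or oid[-1] not in NOTATIONS:
        raise ValueError("unexpected notationIdentifier")
    name, count, has_type = NOTATIONS[oid[-1]]
    pts, q = [], 0
    out = {"notation": name, "points": pts}
    for key in ("schemeVersion", "schemeKeySetVersion", "creator", "recipient",
                "recipientKeySetVersion") + (("type",) if has_type else ()):
        tag = 0x16 if key in ("creator", "recipient") else 0x02  # IA5String / INTEGER
        val, p = tlv(body, p, tag)
        out[key] = val.decode("ascii") if tag == 0x16 else int.from_bytes(val, "big", signed=True)
    if has_type and out["type"] not in (0x42, 0x45):  # 'B' = BSN, 'E' = eIDAS identifier
        raise ValueError("unknown identity type")
    seq, p = tlv(body, p, 0x30)
    while q < len(seq):
        pt, q = tlv(seq, q, 0x04)
        if pt[:1] not in (b"\x02", b"\x03", b"\x04"):  # compressed or uncompressed marker
            raise ValueError("bad ECPoint encoding")
        pts.append(pt)
    if end != len(raw) or p != len(body) or len(pts) != count:
        raise ValueError("trailing data or wrong number of points")
    if name == "PIP":  # PI uses points 1, 2, 4; PP uses points 1, 3, 5
        out["pi"], out["pp"] = [pts[i] for i in (0, 1, 3)], [pts[i] for i in (0, 2, 4)]
    return out
```

The reader accepts long-form lengths but does not enforce every DER canonical-encoding rule; for signed variants, verify the signature over the received bytes before trusting any parsed field.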
Verifiable PIP
When a PIP is personalized onto a smartcard, the issuer typically wants to perform some quality assurance prior to issuing the card. This is not straightforward due to the use of privacy enhancing technology. To allow quality assurance in combination with a PIP, a Verifiable PIP is described.
This Verifiable PIP is a PIP accompanied by a Proof of Conformity. Using this proof, a means issuer can verify a PIP is personalized correctly without the need to reveal the original stem (BSN) in the verifiable representation.
VerifiablePIP ::= SEQUENCE {
    notationIdentifier   OBJECT IDENTIFIER (id-BSNk-polymorphic-pip-verifiable),
    signedPIP            SignedPIP,
    proofOfConformity    SEQUENCE {
        p1    ECPoint,
        t     ECPoint,
        zp1   SEQUENCE {
            r1   INTEGER,
            s1   INTEGER
        },
        zp2   SEQUENCE {
            r2   INTEGER,
            s2   INTEGER
        }
    }
}
The signedPIP is the signed PIP structure as defined above and allows for verification of authenticity. The proofOfConformity can be used to verify the PIP is personalized correctly.
id-BSNk-polymorphic-pip-verifiable OBJECT IDENTIFIER ::= { id-BSNk-polymorphics 11 }