Preventing identity theft with electronic identity cards and the trusted platform module

A. Klenk, Holger Kinkelin, Christoph Eunicke, G. Carle
European Workshop on System Security, published 2009-03-31
DOI: 10.1145/1519144.1519151 (https://doi.org/10.1145/1519144.1519151)
Citations: 16

Abstract

Together with the rapidly growing number of services in the Internet, authentication becomes an issue of increasing importance. A very common situation is that for each service, users must remember the associated name and password they are registered under. This method is prone to identity theft and its usability leaves much to be desired. The Trusted Platform Module (TPM) is a microcontroller with cryptographic functions that is integrated into many computers. It is capable of protecting against software attacks. TPM can generate and store non-migratable keying material for authentication and is an effective safeguard against the acquisition and use of an identity by an adversary. Even though TPM prohibits identity theft, Internet services still have few options to verify the true identity of a user. Electronic identity cards (eID) assert the identity of their owner. Their large-scale deployment can be expected in the near future. The use of eIDs is impaired, though. They must be present for each authentication, and all devices must be equipped with a compatible card reader. We mitigate the problems of both approaches by using eIDs for establishing trust in user-specific TPM authentication credentials. The eID and a compatible reader must be present only at one time for establishing the initial trust. We integrated our identity-theft-resistant authentication method with the OpenID identity system to allow a large number of services to profit from verified and trustworthy identity assertions.