Citizen Electronic Identities using TPM 2.0
Thomas Nyman, Jan-Erik Ekberg, N. Asokan

TL;DR
This paper proposes a new eID architecture that leverages TPM 2.0's advanced authorization model to enhance security and usability over traditional smart card solutions, and it provides a detailed, accessible description of TPM 2.0.
Contribution
It introduces a novel eID architecture based on TPM 2.0's rich authorization model and offers the first accessible explanation of this model.
Findings
Enhanced security and usability compared to traditional solutions
First accessible description of TPM 2.0 authorization model
Proposed architecture leverages trusted hardware for secure eID storage
Abstract
Electronic Identification (eID) is becoming commonplace in several European countries. eID is typically used to authenticate to government e-services, but is also used for other services, such as public transit, e-banking, and physical security access control. Typical eID tokens take the form of physical smart cards, but successes in merging eID into phone operator SIM cards show that eID tokens integrated into a personal device can offer better usability compared to standalone tokens. At the same time, trusted hardware that enables secure storage and isolated processing of sensitive data has become commonplace both on PC platforms and on mobile devices. Some time ago, the Trusted Computing Group (TCG) released version 2.0 of the Trusted Platform Module (TPM) specification. We propose an eID architecture based on the new, rich authorization model introduced in the TCG's TPM…
Taxonomy
Topics: Access Control and Trust · Cryptography and Data Security · Cloud Data Security Solutions
