Title Method for generating a soft token, computer program product and service computer system
Abstract A method is provided for generating a soft token by which attributes of a user may be authenticated. A request to generate the soft token is transmitted from an electronic device of the user to a service provider computer via a first secure connection. After receiving the request, the service computer generates a one-time password, records the password as a session identifier, and transmits the password to the electronic device. The password is output by the electronic device via a user interface. The user enters the password into a user computer system, from where it is transmitted, via a second secure connection, to the service computer system. If the recorded password agrees with the received password, one or more attributes are read from an ID token of the user and a corresponding soft token is generated and transmitted to the electronic device or user computer system.
Publication number US9374367(B2) Publication date 2016.06.21
Application number US201214241909 Filing date 2012.08.22
Applicant BUNDESDRUCKEREI GMBH Inventors Dietrich Frank;Kraus Micha
Classification H04L29/06;G06F21/34;G06F21/41 Main classification H04L29/06
Agency Leveque Intellectual Property Law, P.C. Agent Leveque Intellectual Property Law, P.C.
Main claim 1. A method for generating a soft token, comprising: making a secure element available, wherein a secret key of a first asymmetric cryptographic key pair is stored in a protected memory area of the secure element; establishing a first cryptographically secure connection between an electronic device and a service computer system; transmitting a request for the generation of a soft token from the electronic device to the service computer system via the first connection; generating, by the service computer system, a one-time password after having received the request; recording, by the service computer system, the one-time password as an identifier of the first connection; transmitting the one-time password from the service computer system to the electronic device via the first connection; outputting the one-time password via a user interface of the electronic device; establishing a second cryptographically secure connection between a user computer system and the service computer system; entering the one-time password into the user computer system; transmitting the entered one-time password from the user computer system to the service computer system via the second connection; and checking, by the service computer system, whether the recorded one-time password agrees with the one-time password received via the second connection, and only if this is the case reading at least one attribute stored in an ID token, generating the soft token by signing the at least one attribute and the public key of the first cryptographic key pair, transmitting the soft token to the electronic device via the first connection and/or transmitting the soft token to the user computer system via the second connection.
Address Berlin DE
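The service-side check of claim 1, written here as an added Go example that is not part of the patent or of any Bundesdruckerei code: the service computer system issues a one-time password over the first connection and records it as that connection's identifier, releases the attribute read and the signing only when the same password arrives over the second connection, and signs attribute || device public key with Ed25519. It assumes the device sends the public key of its secure-element key pair with the request, and substitutes a constructed attribute for the real read from the ID token.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// SoftToken carries the service's signature over attribute || device public key.
type SoftToken struct {
	Attribute, Signature []byte
	DevicePub            ed25519.PublicKey
}
// ServiceSystem models the service computer system of the claim.
type ServiceSystem struct {
	signPriv ed25519.PrivateKey
	SignPub  ed25519.PublicKey
	pending  map[string]ed25519.PublicKey // OTP -> first connection it identifies (device key received over it, assumed)
	idToken  []byte                       // constructed stand-in for the attribute read from the user's ID token
}
func NewServiceSystem() *ServiceSystem {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &ServiceSystem{signPriv: priv, SignPub: pub,
		pending: map[string]ed25519.PublicKey{}, idToken: []byte("given_name=Alice")}
}
// First connection: the request arrives, a fresh password is generated and recorded.
func (s *ServiceSystem) RequestSoftToken(devicePub ed25519.PublicKey) string {
	b := make([]byte, 8)
	rand.Read(b)
	otp := hex.EncodeToString(b)
	s.pending[otp] = devicePub
	return otp
}
// Second connection: the password typed into the user computer system must
// match a recorded one before any attribute is read or signed.
func (s *ServiceSystem) SubmitOTP(otp string) (*SoftToken, error) {
	devicePub, ok := s.pending[otp]
	if !ok {
		return nil, errors.New("one-time password matches no recorded first connection")
	}
	delete(s.pending, otp) // single use: a replayed password must not release a second token
	sig := ed25519.Sign(s.signPriv, tokenMsg(s.idToken, devicePub))
	return &SoftToken{s.idToken, sig, devicePub}, nil
}
// tokenMsg is the signed byte string; the key is fixed-length, so the split is unambiguous.
func tokenMsg(attr []byte, pub ed25519.PublicKey) []byte { return append(append([]byte{}, attr...), pub...) }
func VerifySoftToken(t *SoftToken, servicePub ed25519.PublicKey) bool {
	return ed25519.Verify(servicePub, tokenMsg(t.Attribute, t.DevicePub), t.Signature)
}
```

A relying party checks the token against the service's public key only; the device proves possession of the secret key in the secure element separately, which this example does not model.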