The New German ID Card

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "The New German ID Card"

Transcription

1 The New German ID Card Marian Margraf Federal Ministry of the Interior Abstract Besides their use in identity verification at police and border controls, national ID cards are frequently used for commercial applications, too. One objective of the introduction of the new national ID card on 1 November 2010 is to extend the conventional use of ID documents to the digital world. In order to meet this objective, the new ID card offers two electronic functionalities for e-business and e-government service providers: an electronic authentication and a digital signature. In the following paper we describe the electronic authentication mechanism used by the ID card, explain the differences between authentication and signature and discuss the security and privacy properties of the two applications used for e-government and e-business. 2. Introduction On 1 November 2010 Germany will start issuing new identity cards. One of the main differences compared to the previous version is the integration of an ISO compliant chip which contains a government application, e.g. for border control purposes, and two applications for e-government and e-business (authentication and signature). IT security and privacy considerations played a crucial role during the design phase of the electronical functionalities. Reliable protection for personal information required a coordinated approach to legal provisions, organisational measures and technical implementation. The legislative framework for the (current) national ID card (Personalausweisgesetz) already contains various provisions about the use of the national ID card, including restrictions. Thus, only in exceptional cases it is permitted to make a paper copy of the ID document; the serial number of the ID card must not be used for data mining purposes; and the machine-readable zone (MRZ) and the data in it must only be used for government purposes. These provisions were transferred into the legal framework for the new, electronic national ID card. However, because of the new electronic functionalities, additional security mechanisms have to be specified and implemented. Therefore, the following requirements were taken into account during the design phase of the chip functionalities: 1. all data transmissions must be encrypted; 1. all transmissions of data have to be approved by the cardholder; 1. an illicit use of the ID card by a third party must be impossible; 1. the cardholder must know to whom their personal data will be transmitted;

2 2 The New German ID Card 1. only personal data that are necessary and approved by the cardholder may be transmitted; 1. the usage of the card cannot be monitored by government institutions or other parties; 1. the ID card must enable pseudonymous authentication; 1. lost ID cards must be revocable; 1. unique identifiers must not be used, neither for the citizen nor for the ID card. The last three requirements, in particular, require a careful design of the revocation management for lost ID cards which is described in [1]. For an overview of the security mechanisms of the German ID card, please refer to [2]. In [6] you will find an overview of the privacy features and data protection mechanisms of European eid cards. 1. Commercial applications Besides their use in identity verification at police and border controls, national ID cards are frequently used for commercial applications. In all these scenarios, the cardholder identifies him-or-herself, using the ID card (and the biometric information on it), to the business partner or government officer, thereby proving a claimed identity. In normal situations, the cardholder knows the person to whom he or she proves identity because this takes place either on the premises of the commercial partner or the government, or both persons involved show each other their ID cards. This is usually the basis of the trust between the two persons and/or whether they are acting on behalf of the institution(s) they represent. In a technical sense, a mutual authentication takes place. However, both parties receive just a snap shot of the authentication, and they cannot prove the other person s identity to a third party. A signature, which can, if necessary, be presented to a court or in administrative proceedings, constitutes such a proof. The objective of the introduction of the new national ID card on 1 November 2010 is to extend the conventional use of ID documents to the digital world. In order to meet this objective, the new ID card offers two electronic functionalities for e-business and e- government service providers: 1. electronic authentication: which enables mutual authentication of two parties via the Internet in such a way that each party knows the person with whom it is communicating; 1. qualified digital signature (Qualifizierte Elektronische Signatur (QES)): which is a digital equivalent to a legally binding, hand-written signature according to the German Digital Signature Act (Signaturgesetz). The cardholder has full control over the use of both functionalities: the ability of the card to perform an electronic authentication will be enabled or disabled when the citizen receives the card (and can be changed later), and a digital signature requires the prior loading of a (qualified) certificate onto the card.

3 The New German ID Card 3 1. Electronic authentication According to the definitions in the Guidelines for Information Security Audits (Grundschutzkatalog) of the Federal Office for Information Security (Bundesamt fuer Sicherheit in der Informationstechnik (BSI)) the term electronic authentication refers to a procedure or an operation for the verification of an identity. The current procedure for service providers is normally to check the security features of an ID card that is produced and compare the photo to the customer; an equivalent online procedure requires other mechanisms. Smart-card based cryptographic protocols can replace the verification of security features, i.e., the verification of the trustworthiness of the ID card. A secret PIN, only known to the cardholder, acts as a substitute for the verification of biometric features (comparing the photo). By proving his knowledge of the PIN, the claimant proves to be the legitimate owner of the ID card. Another objective, in addition to the authentication of the cardholder to the service, is the authentication of the service to the cardholder. The means for doing this are card-verifiable certificates (CV certificates) which can be verified by the chip on the ID card. Besides the expiry date and the name of the institution that owns the certificate, they contain fine-grained information about which data categories the service provider is allowed to access. A new government institution, the Issuing Office for Certicates (Vergabestelle für Berechtigungszertifikate (VfB)) which is part of the Federal Office of Administration (Bundesverwaltungsamt (BVA)), issues these certificates to service providers. A service provider applying for a certificate has to submit evidence as to why access to personal data on their customers electronic ID cards is necessary for the service; the Issuing Office verifies, in a formal procedure, that this evidence meets the requirements. One of the main aspects of this procedure is the selection of the data fields (of the eid card) to which the access will be granted. The principle of minimal disclosure applies; for example, service providers who only need to verify whether a customer is above a certain age, will only obtain access rights to a binary inquiry function for exactly this purpose (age verification). Other services, for example online shops, might get granted access to additional personal information such as name or address. Service providers will receive their certificates from one of the trust centers that act as Certification Authorities (eid CA). A trust center that wants to provide certificates for the German electronic ID card must fulfill the requirements for issuing qualified digital signature certificates according to the German Digital Signature Act and be registered at the Federal Network Agency (Bundesnetzagentur (BNetzA)) A special option offered by the German eid card is a card-specific and service-specific identifier which enables pseudonymous authentication. If requested, the chip generates a cryptographic token from the sector ID, which is part of the certificate, and a secret key stored in the chip. Thus, this token is unique for each combination of card and service provider but different for different service providers (even using the same card) or different cards. This token or pseudonym, therefore, enables a service provider to recognize an eid card without the possibility of cross-referencing with another service provider's authentication data.

4 4 The New German ID Card 1. Qualified Digital Signature As already mention above, for the electronic authentication both parties receive just a snap shot of the authentication, and they cannot prove the other person s identity to a third party. A signature, which can, if necessary, be presented to a court or in administrative proceedings, constitutes such a proof. Moreover, in an authentication procedure we are going to show who we are, a signature shows our will, for example if we sign a contract. Therefore, authentication and signature are different mechanisms and there are use cases for both mechanisms. In Germany, qualified digital signatures are regulated by the German Digital Signature Act. By this act, qualified digital signatures are equivalent to hand-written signatures, up to the regularities of some special laws. The chip of the new ID card is designed to be a signature card in the sense of the German Digital Signature Act, i.e. citizen can use this card to load a qualified digital certificate and to sign electronic documents in the usual way. 1. Realization of the electronic authentication Main idea of the electronic authentication of the ID card is to establish a trusted and secure channel between the chip and the service provider. This will be done by using an authenticated Diffie-Hellman key agreement protocol. With this, we achieve to goals: 1. Both communication parties know with whom they interact (authentication). 1. The communication parties can establish a secure channel (key agreement). In order to guarantee authenticity of the communication parties, the public keys must be assigned to the respective party. This will be done, as described in the following subsections, by digital signatures and, to achieve the bond of card and cardholder, by using the secret PIN. For a description of the cryptographic protocols in detail please refer to [4]. 1. E n t e r t h e P I N ( P a s s w o r d A u t h e n t i c a t i o n Communication Protocol (PACE)) As already mentioned above a communication with the chip of the ID card can only be performed if the cardholder enter his PIN to the chip. This guarantees a so-called two-factorauthentication based on ownership (the ID card) and knowledge (the PIN). Remember that the chip is contactless, hence the PIN cannot be send over the air without additional protection. The PACE protocol that is used for PIN sharing in this context is a password authenticated Diffie-Hellman key agreement protocol that provides secure communication and explicit password-based authentication of the chip and the card reader. A proof of the security features as well as a detailed description of PACE can be found in [77].

5 The New German ID Card 5 1. Mutual Authentication (Extented Access Control (EAC)) 1. Public Key Infrastructure In order to guarantee the authenticity of ID cards and service providers, two public key infrastructures (PKI) are used. Terminal Authentication (see Subsection 3.2.2) requires the service provider to prove to the chip that it is entitled to access data on the chip. A service provider holds at least one certificate encoding its public key and access rights, and the corresponding private key. The PKI required for issuing and validating certificates for service providers consists of the following entities: 1. Country Verifying Certification Authority (CVCA) hosted by the BSI 1. eid Certification Authorities hosted by the Trust Centers 1. Service Providers Chip Authentication (see subsection 3.2.3) requires the chip of the ID card to prove to the service provider that it is an official chip belonging to a German ID card. The chip holds a static Diffie-Helmann key pair where the public key is signed by the card-manufactor. The PKI required for issuing and validating certificates and public keys for chips of German ID cards consists of the following entities: 1. Country Signing Certification Authorithy (CSCA) hosted by the BSI 1. Document Signer (DS) hosted by the card-manufactor 1. ID cards These PKIs form the basis of Extended Access Control. 1. Authentication of the Service Provider (Terminal Authentication) When a citizen wants to use the electronic authentication mechanism of his ID card he usually goes to the web-site of a service provider. The service provider sends its certificate to the citizen. This certificate then will be displayed on the screen to show the content of the certificate (data such name of the institution that owns the certificate, expiry data of the certificate and which data categories the institutions is allowed to read from the chip), the citizen confirms by entering his PIN. After this, following steps are performed by the service provider and the ID card chip: 1. The service provider sends a certificate chain to the chip. The chain starts with a certificate verifiable with the root public key stored on the chip and ends with the service provider's certificate. 1. The chip verifies the certificates. 1. The chip verifies that the service provider also holds the associated secret key to the public key (by a challenge response protocol). 1. The service provider generates an ephemeral Diffie-Hellman key pair, signs the Diffie- Hellman public key with its secret key and sends both data to the chip.

6 6 The New German ID Card 1. The chip verifies the signature using the public key which is stored in the certificate of the service provider. If all certificates and keys could be successfully verified, the chip has an authenticated Diffie- Hellman public key from the service provider. 1. Authentication of the Document (Chip Authentication) The chip of the ID card has a static Diffie-Hellman key pair. The secret key is stored on a secure storage of the chip, so can neither be read nor cloned. The public key is signed by the card manufacturer (in Germany the Bundesdruckerei) during the production process. Now the following steps are performed by the ID card chip and the service provider: 1. The chip sends its public key, the signature of the public key and the certificate of the manufacturer to the service provider. 1. The service provider checks the manufacturer's certificate using the root certificate and the signature of the chip's public key using the manufacturer's certificate. If the public key of the chip could be successfully verified, the service provider has an authenticated Diffie-Hellman public key from a chip of an official ID card. As we have seen in Section 1 one design principle was the non-use of unique identifiers for the ID card. On account of this, the Diffie-Hellman key pairs are not unique for a chip. Chips that will be produced within a period of three month will get the same key pair to use for chip authentication. As chip authentication does not authenticate the card holder but only shows, that the chip belongs to an official ID card, in fact, this is non-usual, but has no security effect. 1. Authentication of the Cardholder At this step chip and service provider have exchanged authenticated Diffie-Hellman public keys to each other. Now they can generate a common secret and derive symmetric keys to establish an encrypted and authenticated channel (using AES as the symmetric cipher and AES-MAC as the message authentication code). Now the data which can be read by the service provider will be transmitted from the chip to the service provider. As the channel is authenticated, the cardholder is authenticated too. Moreover, since the channel is encrypted, only the service provider that has sent its certificate to the chip can read these data. 1. Revocation Management 1. Revocation of Documents In order to impede the illegitimate use of lost or stolen ID cards, the cardholder has to be able to revoke them. A very common mechanism for chip cards, e.g., qualified digital signature cards, is the creation of a global revocation list that includes the (unique) public keys or the serial numbers of all revoked cards and/or certificates. The disadvantage of this mechanism is that a unique public key or serial number constitutes a card-specific identifier which acts as a direct link to the cardholder's identity. Such a mechanism therefore contradicts the design principle of minimal disclosure. For example, if one service provider has only access rights for age

7 The New German ID Card 7 verification (see above) whereas another one also has access to other personal information, such as the name, even full access to both service provider's databases must not allow a link to their client's authentication data. This notably applies in the case when pseudonyms are used. A solution to this problem is the use of service-provider-specific revocation lists, i.e., each card provides a service-provider-specific and card-specific revocation token to the service provider who verifies it against their individual service-provider-specific revocation list. The technical and organizational implementations of this concept are described in [1]. 1. Revocation of Service Providers Of course, the concession to read data from the ID card must be revocable, too. As it is not possible to store revocation lists on the chip, here another mechanism with a similar security level must be found. CV certificates have a very short validity (depending on the data that can be read from the chip 2 up to 30 days). Therefore, a recall of such a certificate can be realized by the non-issuing of a new one for this service provider. References [BKMN10] [BKMN08] [BeFK09] [Marg09] [BMI 09] [BSI 10] [BSI 10] [ENIS09] Bender, Jens; Kügler, Dennis; Margraf, Marian; Naumann, Ingo: Das Sperrmanagement im neuen deutschen Personalausweis - Sperrmanagement ohne globale chipindividuelle Merkmale, Datensicherheit und Datenschutz (DuD), 2010, p Bender, Jens, Kügler, Dennis, Margraf, Marian, Naumann, Ingo: Sicherheitsmechanismen für kontaktlose Chips im deutschen elektronischen Personalausweis. Datenschutz und Datensicherheit (DuD), 2008, p Bender, Jens, Fischlin, Marc, Kügler Kügler: Security Analysis of the PACE Key-Agreement Protocol. Information Security Conference (ISC) 2009, Lecture Notes in Computer Science, Volume 5735, Springer-Verlag, 2009, p Margraf, Marian: Der elektronische Identitätsnachweis des zukünftigen Personalausweises. in: 19. SIT-SmartCard Workshop (Fraunhofer-Institut für Sichere Informationstechnologie), Darmstadt 3./ , p Federal Ministry of Interior: Gesetz über Personalausweise und den elektronischen Identitätsnachweis, Federal Office for Information Security (BSI): Technical Guideline TR-03110, Advanced Security Mechanisms for Machine Readable Travel Documents Extended Access Control (EAC) and Password Authentication Connection Establishment (PACE), and Restricted Authentication, Version 2.03, Federal Office for Information Security (BSI): Technical Guideline TR-03127, Technical Architecture of the New German ID Card, ENISA Position Paper, Privacy Features of European eid Card Specifications, Januar 2009,

Innovations for an eid Architecture in Germany

Innovations for an eid Architecture in Germany Innovations for an eid Architecture in Germany www.bsi.bund.de The BSI Contents Contents 1. The new identity card secure, standardized proof of identity in the digital world 4 2. User-oriented requirements

More information

Sicherheitsaspekte des neuen deutschen Personalausweises

Sicherheitsaspekte des neuen deutschen Personalausweises Sicherheitsaspekte des neuen deutschen Personalausweises Dennis Kügler Bundesamt für Sicherheit in der Informationstechnik egov Fokus 2/2013: Identity- und Access Management im E-Government Rethinking

More information

Preventing fraud in epassports and eids

Preventing fraud in epassports and eids Preventing fraud in epassports and eids Security protocols for today and tomorrow by Markus Mösenbacher, NXP Machine-readable passports have been a reality since the 1980s, but it wasn't until after 2001,

More information

Integration of the New German ID- Card (npa) in Enterprise Environments

Integration of the New German ID- Card (npa) in Enterprise Environments Integration of the New German ID- Card (npa) in Enterprise Environments Technics Prospects Costs - Threats Troopers 2011 By Friedwart Kuhn & Michael Thumann Agenda Introduction The New German ID-Card (npa)

More information

eidas as blueprint for future eid projects cryptovision mindshare 2015 HJP Consulting Holger Funke

eidas as blueprint for future eid projects cryptovision mindshare 2015 HJP Consulting Holger Funke eidas as blueprint for future eid projects cryptovision mindshare 2015 HJP Consulting Holger Funke Agenda eidas Regulation TR-03110 V2.20 German ID card POSeIDAS Summary cryptovision mindshare 2015: eidas

More information

FAQs - New German ID Card. General

FAQs - New German ID Card. General FAQs - New German ID Card General 1) How to change from the old ID card to the new one? The new Law on Identification Cards came into effect on 1 November 2010. Since then, citizens can apply for the new

More information

FAQs Electronic residence permit

FAQs Electronic residence permit FAQs Electronic residence permit General 1) When was the electronic residence permit introduced? Since 1 September 2011, foreigners in Germany have been issued with the new electronic residence permit

More information

Identification Card Digital Identity Security and Services Siniša Macan, DG of Agency

Identification Card Digital Identity Security and Services Siniša Macan, DG of Agency Agency for Identification Documents, Registers and Data Exchange of Bosnia and Herzegovina Identification Card Digital Identity Security and Services Siniša Macan, DG of Agency sinisa.macan@iddeea.gov.ba

More information

Security analysis of OpenID, followed by a reference implementation of an npa-based OpenID provider

Security analysis of OpenID, followed by a reference implementation of an npa-based OpenID provider Security analysis of OpenID, followed by a reference implementation of an npa-based OpenID provider Sebastian Feld Norbert Pohlmann Institute for Internet-Security Gelsenkirchen University of Applied Sciences

More information

eid Services as Part of the new German ID Card Ecosystem 27/10/2011

eid Services as Part of the new German ID Card Ecosystem 27/10/2011 eid Services as Part of the new German ID Card Ecosystem The new German ID Card Features ID CARD New Electronic Features 1. Biometrics Digital photo and (if desired), two electronic fingerprints Only legitimate

More information

Keywords: German electronic ID card, e-government and e-business applications, identity management

Keywords: German electronic ID card, e-government and e-business applications, identity management From Student Smartcard Applications to the German Electronic Identity Card Lucie Langer, Axel Schmidt, Alex Wiesmaier Technische Universität Darmstadt, Department of Computer Science, Darmstadt, Germany

More information

The German eid-card. Jens Bender. Federal Office for Information Security Bundesamt für Sicherheit in der Informationstechnik

The German eid-card. Jens Bender. Federal Office for Information Security Bundesamt für Sicherheit in der Informationstechnik The German eid-card Federal Office for Information Security Bundesamt für Sicherheit in der Informationstechnik eid Workshop KU Leuven / The German Electronic ID-Card (Elektronischer Personalausweis) Motivation

More information

Electronic machine-readable travel documents (emrtds) The importance of digital certificates

Electronic machine-readable travel documents (emrtds) The importance of digital certificates Electronic machine-readable travel documents (emrtds) The importance of digital certificates Superior security Electronic machine-readable travel documents (emrtds) are well-known for their good security.

More information

Biometrics for Public Sector Applications

Biometrics for Public Sector Applications Technical Guideline TR-03121-2 Biometrics for Public Sector Applications Part 2: Software Architecture and Application Profiles Version 2.3 Bundesamt für Sicherheit in der Informationstechnik Postfach

More information

Secure Card based Voice over Internet Protocol Authentication

Secure Card based Voice over Internet Protocol Authentication Secure Card based Voice over Internet Protocol Authentication By GOWSALYA.S HARINI.R CSE-B II YEAR (IFET COLLEGE OF ENGG.) Approach to Identity Card-based Voiceover-IP Authentication Abstract Voice-over-IP

More information

Facts about the new identity card

Facts about the new identity card Facts about the new identity card Contents The new identity card At a glance... 4 In detail... 6 Photographs... 8 New ID card, new possibilities...10 Special functions... 11 The online function...12 Reader

More information

Electronic Identity Cards for User Authentication Promise and Practice

Electronic Identity Cards for User Authentication Promise and Practice Electronic Identity Cards for User Authentication Promise and Practice Andreas Poller Ulrich Waldmann Sven Vowé Sven Türpe Fraunhofer Institute for Secure Information Technology (SIT) Rheinstraße 75, 64295

More information

Implementation of biometrics, issues to be solved

Implementation of biometrics, issues to be solved ICAO 9th Symposium and Exhibition on MRTDs, Biometrics and Border Security, 22-24 October 2013 Implementation of biometrics, issues to be solved Eugenijus Liubenka, Chairman of the Frontiers / False Documents

More information

An innovative system gains acceptance

An innovative system gains acceptance The new German ID card An innovative system gains acceptance Author: Dipl. Ing. Thomas Löer Senior Vice President Marketing & Support Bundesdruckerei GmbH Oranienstrasse 91D-10969 Berlin German citizens

More information

Technical Guideline TR-03107-1 Electronic Identities and Trust Services in E-Government

Technical Guideline TR-03107-1 Electronic Identities and Trust Services in E-Government Technical Guideline TR-03107-1 Electronic Identities and Trust Services in E-Government Part 1: Assurance levels and mechanisms Version 1.0 This translation is informative only. The normative version is

More information

Technical Guideline eid-server. Part 2: Security Framework

Technical Guideline eid-server. Part 2: Security Framework Technical Guideline eid-server Part 2: Security Framework BSI TR-03130-2 Version 2.0.1 January 15, 2014 Federal Office for Information Security Post Box 20 03 63 D-53133 Bonn Phone: +49 22899 9582-0 E-Mail:

More information

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University October 2015 1 List of Figures Contents 1 Introduction 1 2 History 2 3 Public Key Infrastructure (PKI) 3 3.1 Certificate

More information

COMMON CERTIFICATE POLICY FOR THE EXTENDED ACCESS CONTROL INFRASTRUCTURE FOR PASSPORTS AND TRAVEL DOCUMENTS ISSUED BY EU MEMBER STATES

COMMON CERTIFICATE POLICY FOR THE EXTENDED ACCESS CONTROL INFRASTRUCTURE FOR PASSPORTS AND TRAVEL DOCUMENTS ISSUED BY EU MEMBER STATES COMMON CERTIFICATE POLICY FOR THE EXTENDED ACCESS CONTROL INFRASTRUCTURE FOR PASSPORTS AND TRAVEL DOCUMENTS ISSUED BY EU MEMBER STATES BSI TR-03139 Version 2.1 27 May 2013 Foreword The present document

More information

A secure, economic infrastructure for signing of web based documents and financial affairs Overview of a server based, customer-friendly approach.

A secure, economic infrastructure for signing of web based documents and financial affairs Overview of a server based, customer-friendly approach. 1 of 8 15.03.2004 14:09 Issue January 2002 A secure, economic infrastructure for signing of web based documents and financial affairs Overview of a server based, customer-friendly approach. Lothar Fritsch,

More information

White Paper PalmSecure truedentity

White Paper PalmSecure truedentity White Paper PalmSecure truedentity Fujitsu PalmSecure truedentity is used for mutual service and user authentication. The user's identity always remains in the possession of the user. A truedentity server

More information

Secure & privacy-preserving eid systems with Attribute-based credentials

Secure & privacy-preserving eid systems with Attribute-based credentials University of Twente Faculty of Electrical Engineering, Mathematics and Computer Science (EEMCS) Master Thesis Secure & privacy-preserving eid systems with Attribute-based credentials Brinda Badarinath

More information

The ID card with eid function at a glance

The ID card with eid function at a glance The ID card with eid function at a glance New possibilities, more security Since 1 November 2010, Germany has been issuing the new ID card in smart card format and with a chip. With this chip, the ID card

More information

3D SECURE. System Overview. We have seen merchants reduce fraud by up to 95% when integrating to 3D Secure...

3D SECURE. System Overview. We have seen merchants reduce fraud by up to 95% when integrating to 3D Secure... 3D SECURE We have seen merchants reduce fraud by up to 95% when integrating to 3D Secure... System Overview This document is intended for merchant and developers that want to gain a high level overview

More information

Advanced Security Mechanisms for Machine Readable Travel Documents

Advanced Security Mechanisms for Machine Readable Travel Documents Technical Guideline TR-03110-3 Advanced Security Mechanisms for Machine Readable Travel Documents Part 3 Common Specifications Version 2.10 20. March 2012 History Version Date Comment 1.00 2006-02-08 Initial

More information

Moving to the third generation of electronic passports

Moving to the third generation of electronic passports Moving to the third generation of electronic passports A new dimension in electronic passport security with Supplemental Access Control (SAC) > WHITE PAPER 2 Gemalto in brief Gemalto is the world leader

More information

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, 2002. Page 1

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, 2002. Page 1 PKI Tutorial Jim Kleinsteiber February 6, 2002 Page 1 Outline Public Key Cryptography Refresher Course Public / Private Key Pair Public-Key Is it really yours? Digital Certificate Certificate Authority

More information

State of Arkansas Policy Statement on the Use of Electronic Signatures by State Agencies June 2008

State of Arkansas Policy Statement on the Use of Electronic Signatures by State Agencies June 2008 State of Arkansas Policy Statement on the Use of Electronic Signatures by State Agencies June 2008 Background In the last ten years Arkansas has enacted several laws to facilitate electronic transactions

More information

A Survey on Untransferable Anonymous Credentials

A Survey on Untransferable Anonymous Credentials A Survey on Untransferable Anonymous Credentials extended abstract Sebastian Pape Databases and Interactive Systems Research Group, University of Kassel Abstract. There are at least two principal approaches

More information

eid Service

eid Service eid Service Pocket guide 2011 www.bundesdruckerei.de Contents 05 Section 1 Identity management in the 21 st century 11 Section 2 the new german id card facts and features 17 Section 3 the technology in

More information

The Legal Classification of Identity-Based Signatures

The Legal Classification of Identity-Based Signatures The Legal Classification of Identity-Based Signatures Christoph Sorge University of Paderborn 33098 Paderborn, Germany christoph.sorge@uni-paderborn.de Abstract Identity-based cryptography has attracted

More information

All you need to know about the electronic residence permit (eat)

All you need to know about the electronic residence permit (eat) All you need to know about the electronic residence permit (eat) www.bamf.de/eaufenthaltstitel Contents Contents 1 The electronic residence permit 5 2 Photo and fingerprints 7 3 Additional provisions

More information

5 FAM 140 ACCEPTABILITY AND USE OF ELECTRONIC SIGNATURES

5 FAM 140 ACCEPTABILITY AND USE OF ELECTRONIC SIGNATURES 5 FAM 140 ACCEPTABILITY AND USE OF ELECTRONIC SIGNATURES 5 FAM 141 PURPOSE (CT-IM-112; 07-30-2010) (Office of Origin: IRM/OPS/ITI/SI/IIB) The purpose of this FAM chapter is to enable the Department to

More information

Certification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure

Certification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure Certification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure 1.0 INTRODUCTION 1.1 Overview The Federal Reserve Banks operate a public key infrastructure (PKI) that manages

More information

Server based signature service. Overview

Server based signature service. Overview 1(11) Server based signature service Overview Based on federated identity Swedish e-identification infrastructure 2(11) Table of contents 1 INTRODUCTION... 3 2 FUNCTIONAL... 4 3 SIGN SUPPORT SERVICE...

More information

Identities Exposed. Privacy Risks with Using Client Certificates for Authentication. David Johansson Senior Consultant Cigital Ltd.

Identities Exposed. Privacy Risks with Using Client Certificates for Authentication. David Johansson Senior Consultant Cigital Ltd. Identities Exposed Privacy Risks with Using Client Certificates for Authentication David Johansson Senior Consultant Cigital Ltd. Objectives Objectives for this Tech Talk: Know the risks to user privacy

More information

Guide for Securing E-mail With WISeKey CertifyID Personal Digital Certificate (Personal eid)

Guide for Securing E-mail With WISeKey CertifyID Personal Digital Certificate (Personal eid) The World Internet Security Company Solutions for Security Guide for Securing E-mail With WISeKey CertifyID Personal Digital Certificate (Personal eid) Wherever Security relies on Identity, WISeKey has

More information

VoIP Security. Seminar: Cryptography and Security. 07.06.2006 Michael Muncan

VoIP Security. Seminar: Cryptography and Security. 07.06.2006 Michael Muncan VoIP Security Seminar: Cryptography and Security Michael Muncan Overview Introduction Secure SIP/RTP Zfone Skype Conclusion 1 Introduction (1) Internet changed to a mass media in the middle of the 1990s

More information

Description of the Technical Component:

Description of the Technical Component: Confirmation concerning Products for Qualified Electronic Signatures according to 15 Sec. 7 S. 1, 17 Sec. 4 German Electronic Signature Act 1 and 11 Sec. 2 and 15 German Electronic Signature Ordinance

More information

Test plan for eid and esign compliant terminal software with EACv2

Test plan for eid and esign compliant terminal software with EACv2 Technical Guideline BSI TR-03105 Part 5.3 Test plan for eid and esign compliant terminal software with EACv2 Version: 2.0 Date: 2015-05-22 Bundesamt für Sicherheit in der Informationstechnik Postfach 20

More information

Security by Politics - Why it will never work. Lukas Grunwald DN-Systems GmbH Germany DefCon 15 Las Vegas USA

Security by Politics - Why it will never work. Lukas Grunwald DN-Systems GmbH Germany DefCon 15 Las Vegas USA Security by Politics - Why it will never work Lukas Grunwald DN-Systems GmbH Germany DefCon 15 Las Vegas USA Agenda Motivation Some basics Brief overview epassport (MRTD) Why cloning? How to attack the

More information

Strong Authentication based on the German ID Card

Strong Authentication based on the German ID Card Strong Authentication based Protocols and Use Cases 10th ICCC / 2009-09-22 / Present Registration / Identification filling in an (electronic) form (print out with hand-written signature) copy of id card

More information

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0 Entrust Managed Services PKI Getting started with digital certificates and Entrust Managed Services PKI Document issue: 1.0 Date of issue: May 2009 Copyright 2009 Entrust. All rights reserved. Entrust

More information

Extended SSL Certificates

Extended SSL Certificates Introduction Widespread usage of internet has led to the growth of awareness amongst users, who now associate green address bar with security. Though people are able to recognize the green bar, there is

More information

PUBLIC KEY INFRASTRUCTURE

PUBLIC KEY INFRASTRUCTURE PUBLIC KEY INFRASTRUCTURE http://www.tutorialspoint.com/cryptography/public_key_infrastructure.htm Copyright tutorialspoint.com The most distinct feature of Public Key Infrastructure PKC is that it uses

More information

Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI) Public Key Infrastructure (PKI) In this video you will learn the quite a bit about Public Key Infrastructure and how it is used to authenticate clients and servers. The purpose of Public Key Infrastructure

More information

Qualified Electronic Signatures Act (SFS 2000:832)

Qualified Electronic Signatures Act (SFS 2000:832) Qualified Electronic Signatures Act (SFS 2000:832) The following is hereby enacted 1 Introductory provision 1 The purpose of this Act is to facilitate the use of electronic signatures, through provisions

More information

21 CFR PART 11 ELECTRONIC RECORDS, ELECTRONIC SIGNATURES 21.11.2013. 21 CFR Part 11 Compliance PLA 2.1

21 CFR PART 11 ELECTRONIC RECORDS, ELECTRONIC SIGNATURES 21.11.2013. 21 CFR Part 11 Compliance PLA 2.1 21 CFR PART 11 ELECTRONIC RECORDS, ELECTRONIC SIGNATURES Compliance of PLA 2.1 21.11.2013 21 CFR Part 11 Compliance PLA 2.1 SEC. 11.2 IMPLEMENTATION. (a) For records required to be maintained but not submitted

More information

Asymmetric cryptosystems fundamental problem: authentication of public keys

Asymmetric cryptosystems fundamental problem: authentication of public keys Network security Part 2: protocols and systems (a) Authentication of public keys Università degli Studi di Brescia Dipartimento di Ingegneria dell Informazione 2014/2015 Asymmetric cryptosystems fundamental

More information

What Does it Mean to be PIVish in PACS ICAM PIV in E-PACS Guidance v2.0.2 the short form. December 3, 2012

What Does it Mean to be PIVish in PACS ICAM PIV in E-PACS Guidance v2.0.2 the short form. December 3, 2012 Federal CIO Council Information Security and Identity Management Committee IDManagement.gov What Does it Mean to be PIVish in PACS ICAM PIV in E-PACS Guidance v2.0.2 the short form December 3, 2012 HSPD-12

More information

National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy. Version 1.1. February 2, 2016

National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy. Version 1.1. February 2, 2016 National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy Version 1.1 February 2, 2016 Copyright 2016, Georgia Tech Research Institute Table of Contents TABLE OF CONTENTS I 1 INTRODUCTION

More information

Secure Communication Using Electronic Identity Cards for Voice over IP Communication, Home Energy Management, and emobility

Secure Communication Using Electronic Identity Cards for Voice over IP Communication, Home Energy Management, and emobility 152 Secure Communication Using Electronic Identity Cards for Voice over IP Communication, Home Energy Management, and emobility Rainer Falk, Steffen Fries, Hans Joachim Hof Corporate Technology Siemens

More information

Privacy in E-Learning

Privacy in E-Learning Privacy in E-Learning Hauptseminar E-Learning Sommersemester 2008 Florian Schulz LFE Medieninformatik 7/22/08 LMU Munich Media Informatics Hauptseminar SS 2008 Florian Schulz Slide 1 / 18 overview network

More information

BSI TR-03108-1: Secure E-Mail Transport. Requirements for E-Mail Service Providers (EMSP) regarding a secure Transport of E-Mails

BSI TR-03108-1: Secure E-Mail Transport. Requirements for E-Mail Service Providers (EMSP) regarding a secure Transport of E-Mails BSI TR-03108-1: Secure E-Mail Transport Requirements for E-Mail Service Providers (EMSP) regarding a secure Transport of E-Mails Version: 1.0 Date: 05/12/2016 Document history Version Date Editor Description

More information

EPASSPORT WITH BASIC ACCESS CONTROL AND ACTIVE AUTHENTICATION

EPASSPORT WITH BASIC ACCESS CONTROL AND ACTIVE AUTHENTICATION COMMON CRITERIA PROTECTION PROFILE EPASSPORT WITH BASIC ACCESS CONTROL AND ACTIVE AUTHENTICATION Draft Version 1.0 TURKISH STANDARDS INSTITUTION TABLE OF CONTENTS Common Criteria Protection Profile...

More information

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Purpose This paper is intended to describe the benefits of smart card implementation and it combination with Public

More information

Best Practices for the Use of RF-Enabled Technology in Identity Management. January 2007. Developed by: Smart Card Alliance Identity Council

Best Practices for the Use of RF-Enabled Technology in Identity Management. January 2007. Developed by: Smart Card Alliance Identity Council Best Practices for the Use of RF-Enabled Technology in Identity Management January 2007 Developed by: Smart Card Alliance Identity Council Best Practices for the Use of RF-Enabled Technology in Identity

More information

ISO/IEC 24727 for secure mobile web applications

ISO/IEC 24727 for secure mobile web applications ISO/IEC 24727 for secure mobile web applications Jan Eichholz 1 Detlef Houdeau 2 Detlef Hühnlein 3 Manuel Bach 4 1 Giesecke & Devrient GmbH, jan.eichholz@gi-de.com 2 Infineon Technologies AG, detlef.houdeau@infineon.com

More information

The introduction of online authentication as part of the new electronic national identity card in Germany

The introduction of online authentication as part of the new electronic national identity card in Germany IDIS (2010) 3:87 110 DOI 10.1007/s12394-010-0051-1 The introduction of online authentication as part of the new electronic national identity card in Germany Torsten Noack & Herbert Kubicek Received: 14

More information

Frequently Asked Questions About the Standard for Personal Identity Verification (PIV) of Federal Employees and Contractors

Frequently Asked Questions About the Standard for Personal Identity Verification (PIV) of Federal Employees and Contractors Frequently Asked Questions About the Standard for Personal Identity Verification (PIV) of Federal Employees and Contractors Background On Aug. 27, 2004, the President issued a Homeland Security Presidential

More information

Discover Germany s Electronic Passport

Discover Germany s Electronic Passport Discover Germany s Electronic Passport Starting 1 Nov. 2007 E-Passport 2nd Generation www.epass.de 1 Introducing Germany s e-passport If you want to know why there are electronic passports and how to recognize

More information

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Contents Authentication and Identity Assurance The Identity Assurance continuum Plain Password Authentication

More information

Public Key Cryptography in Practice. c Eli Biham - May 3, 2005 372 Public Key Cryptography in Practice (13)

Public Key Cryptography in Practice. c Eli Biham - May 3, 2005 372 Public Key Cryptography in Practice (13) Public Key Cryptography in Practice c Eli Biham - May 3, 2005 372 Public Key Cryptography in Practice (13) How Cryptography is Used in Applications The main drawback of public key cryptography is the inherent

More information

esign FAQ 1. What is the online esign Electronic Signature Service? 2. Where the esign Online Electronic Signature Service can be used?

esign FAQ 1. What is the online esign Electronic Signature Service? 2. Where the esign Online Electronic Signature Service can be used? esign FAQ 1. What is the online esign Electronic Signature Service? esign Electronic Signature Service is an innovative initiative for allowing easy, efficient, and secure signing of electronic documents

More information

Electronic Signatures for Legal Persons. Michael Sonntag 1

Electronic Signatures for Legal Persons. Michael Sonntag 1 Electronic Signatures for Legal Persons Michael Sonntag 1 Electronic signatures are an important part of E-Commerce. Contracts can be concluded mostly in any form, but to proof their existence and content

More information

Operational and Technical security of Electronic Passports

Operational and Technical security of Electronic Passports European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union Operational and Technical security of Electronic Passports Warsaw, Legal

More information

Information & Communication Security (SS 15)

Information & Communication Security (SS 15) Information & Communication Security (SS 15) Electronic Signatures Dr. Jetzabel Serna-Olvera @sernaolverajm Chair of Mobile Business & Multilateral Security Goethe University Frankfurt www.m-chair.de Agenda

More information

An Open ecard Plug-in for accessing the German national Personal Health Record

An Open ecard Plug-in for accessing the German national Personal Health Record An Open ecard Plug-in for accessing the German national Personal Health Record Raik Kuhlisch 1 Dirk Petrautzki 2 Johannes Schmölz 3 Ben Kraufmann 1 Florian Thiemer 1 Tobias Wich 3 Detlef Hühnlein 3 Thomas

More information

Module 7 Security CS655! 7-1!

Module 7 Security CS655! 7-1! Module 7 Security CS655! 7-1! Issues Separation of! Security policies! Precise definition of which entities in the system can take what actions! Security mechanism! Means of enforcing that policy! Distributed

More information

Security Digital Certificate Manager

Security Digital Certificate Manager IBM i Security Digital Certificate Manager 7.1 IBM i Security Digital Certificate Manager 7.1 Note Before using this information and the product it supports, be sure to read the information in Notices,

More information

HKUST CA. Certification Practice Statement

HKUST CA. Certification Practice Statement HKUST CA Certification Practice Statement IN SUPPORT OF HKUST CA CERTIFICATION SERVICES Version : 2.1 Date : 12 November 2003 Prepared by : Information Technology Services Center Hong Kong University of

More information

Common Criteria Protection Profile for Inspection Systems (IS) BSI-CC-PP-0064. Version 1.01 (15 th April 2010)

Common Criteria Protection Profile for Inspection Systems (IS) BSI-CC-PP-0064. Version 1.01 (15 th April 2010) Common Criteria Protection Profile for BSI-CC-PP-0064 Version 1.01 (15 th April 2010) Federal Office for Information Security Postfach 20 03 63 53133 Bonn Phone: +49 228 99 9582-0 e-mail: zertifizierung@bsi.bund.de

More information

Security Digital Certificate Manager

Security Digital Certificate Manager System i Security Digital Certificate Manager Version 5 Release 4 System i Security Digital Certificate Manager Version 5 Release 4 Note Before using this information and the product it supports, be sure

More information

Authentication Types. Password-based Authentication. Off-Line Password Guessing

Authentication Types. Password-based Authentication. Off-Line Password Guessing Authentication Types Chapter 2: Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter 3: Security on Network and Transport Layer Chapter 4:

More information

Security of Identity Management. Professor Brian Collins

Security of Identity Management. Professor Brian Collins Security of Identity Management Professor Brian Collins Headline issues Purpose of ID management and ID security Practical process and technology issues Enrolment processes Identity verification Limitations

More information

End User Encryption Key Protection Policy

End User Encryption Key Protection Policy End User Encryption Key Protection Policy Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization.

More information

ECCA 2014 Conference Santander 26.05.2014

ECCA 2014 Conference Santander 26.05.2014 ECCA 2014 Conference Santander 26.05.2014 Introducing -Technology For Strong Authentication Section 3- IT-Systems, Softwareintegration Department 6 Information And Communication Services Dezernat6 - Informations-

More information

Savitribai Phule Pune University

Savitribai Phule Pune University Savitribai Phule Pune University Centre for Information and Network Security Course: Introduction to Cyber Security / Information Security Module : Pre-requisites in Information and Network Security Chapter

More information

PostSignum CA Certification Policy applicable to qualified personal certificates

PostSignum CA Certification Policy applicable to qualified personal certificates PostSignum CA Certification Policy applicable to qualified personal certificates Version 3.0 7565 Page 1/60 TABLE OF CONTENTS 1 Introduction... 5 1.1 Review... 5 1.2 Name and clear specification of a document...

More information

Ericsson Group Certificate Value Statement - 2013

Ericsson Group Certificate Value Statement - 2013 COMPANY INFO 1 (23) Ericsson Group Certificate Value Statement - 2013 COMPANY INFO 2 (23) Contents 1 Ericsson Certificate Value Statement... 3 2 Introduction... 3 2.1 Overview... 3 3 Contact information...

More information

Necessary processing of personal data: the need-toknow principle and processing data from the new German identity card

Necessary processing of personal data: the need-toknow principle and processing data from the new German identity card Necessary processing of personal data: the need-toknow principle and processing data from the new German identity card Harald Zwingelberg 1 1 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein,

More information

What security and assurance standards does Trustis use for TMDCS certificate services?

What security and assurance standards does Trustis use for TMDCS certificate services? Frequently Asked Questions What is a Digital Certificate? What is a Root Certificate? How do Digital Certificates Work? Who needs a Digital Certificate? How do I get a Digital Certificate Can I use my

More information

The Convergence of IT Security and Physical Access Control

The Convergence of IT Security and Physical Access Control The Convergence of IT Security and Physical Access Control Using a Single Credential to Secure Access to IT and Physical Resources Executive Summary Organizations are increasingly adopting a model in which

More information

New security features for ID documents trends and expectations

New security features for ID documents trends and expectations New security features for ID documents trends and expectations Author: Dipl. Ing. Thomas Löer Senior Vice President Marketing & Support Bundesdruckerei GmbH Oranienstrasse 91D-10969 Berlin Secure identities

More information

Qualified mobile electronic signatures: Possible, but worth a try?

Qualified mobile electronic signatures: Possible, but worth a try? Qualified mobile electronic signatures: Possible, but worth a try? Lothar Fritsch 1, Johannes Ranke 2, Heiko Rossnagel 1 Interest level of audience: 3 - for application developers (interested in IT security)

More information

ORDINANCE ON THE ELECTRONIC SIGNATURE CERTIFICATES IN THE. Chapter One GENERAL PROVISIONS

ORDINANCE ON THE ELECTRONIC SIGNATURE CERTIFICATES IN THE. Chapter One GENERAL PROVISIONS ADMINISTRATIONS Effective as of 13 June 2008 Adopted by Decree of the Council of Ministers No 97 of 16 May 2008 Promulgated SG, No. 48 of 23 May 2008 Chapter One GENERAL PROVISIONS Article 1. This Ordinance

More information

white paper E-passport overview Dan Butnaru - Trusted Identity Product Line Manager

white paper E-passport overview Dan Butnaru - Trusted Identity Product Line Manager white paper E-passport overview Dan Butnaru - Trusted Identity Product Line Manager www.opentrust.com contents 1 Objective 4 2 Introduction 4 3 The Challenge 5 3.1 Secure Travel Document s Objectives...

More information

Den Gode Webservice - Security Analysis

Den Gode Webservice - Security Analysis Den Gode Webservice - Security Analysis Cryptomathic A/S September, 2006 Executive Summary This report analyses the security mechanisms provided in Den Gode Web Service (DGWS). DGWS provides a framework

More information

PKD Board ICAO PKD unclassified B-Tec/37. Procedures for the ICAO Public Key Directory

PKD Board ICAO PKD unclassified B-Tec/37. Procedures for the ICAO Public Key Directory Procedures for the ICAO Public Key Directory last modification final 1/13 SECTION 1 INTRODUCTION 1.1 As part of the MRTD initiative by ICAO, the Participants will upload to and download from the PKD, their

More information

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries Chapter 2: Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter 3: Security on Network and Transport Layer Chapter 4: Security on the Application

More information

esign Online Digital Signature Service

esign Online Digital Signature Service esign Online Digital Signature Service Government of India Ministry of Communications and Information Technology Department of Electronics and Information Technology Controller of Certifying Authorities

More information

Neutralus Certification Practices Statement

Neutralus Certification Practices Statement Neutralus Certification Practices Statement Version 2.8 April, 2013 INDEX INDEX...1 1.0 INTRODUCTION...3 1.1 Overview...3 1.2 Policy Identification...3 1.3 Community & Applicability...3 1.4 Contact Details...3

More information

Arkansas Department of Information Systems Arkansas Department of Finance and Administration

Arkansas Department of Information Systems Arkansas Department of Finance and Administration Arkansas Department of Information Systems Arkansas Department of Finance and Administration Title: Electronic Signature Standard Document Number: SS 70 011 Effective Date: Act 722 of 2007 requires state

More information

Glossary of Key Terms

Glossary of Key Terms and s Branch Glossary of Key Terms The terms and definitions listed in this glossary are used throughout the s Package to define key terms in the context of. Access Control Access The processes by which

More information

L@Wtrust Class 3 Registration Authority Charter

L@Wtrust Class 3 Registration Authority Charter Class 3 Registration Authority Charter Version 1.0 applicable from 09 November 2010 Building A, Cambridge Park, 5 Bauhinia Street, Highveld Park, South Africa, 0046 Phone +27 (0)12 676 9240 Fax +27 (0)12

More information

Protection Profile for UK Dual-Interface Authentication Card

Protection Profile for UK Dual-Interface Authentication Card Protection Profile for UK Dual-Interface Authentication Card Version 1-0 10 th July 2009 Reference: UNKT-DO-0002 Introduction This document defines a Protection Profile to express security, evaluation

More information