As simple as and as secure as postal mail.

Transcription

1 Stay up-to-date Page 1 The advantages of D for individuals, businesses and Page 2 government agencies Unencrypted, unprotected, unverified what does that mean? Page 3 Encrypted, protected, verified what does that mean? Page 3 D in detail: More protection for your data Page 4 More security when logging in Page 5 Verification and options for sending Page 6 End-to-end encryption and electronic signature Page 7 Government and private industry set the framework together; Page 7 private industry operates D Support for government agencies and businesses introducing D Page 8 Information on approval of D providers Page 9 Stay up-to-date This brochure offers an update on the status of the D project. You can find more information about D , including the D newsletter and answers to 70 frequently asked questions, provided by the Federal Ministry of the Interior at (in German only). Individuals, businesses and public agencies that would like to use D services can find more information about D and about protecting their data and IT systems at (in German). Businesses and public agencies that would like to offer D services can find specialized information such as technical guidelines and the list of certified D inspection agencies and auditors at (in German). Approved D providers offer information about their D products on their own websites. You can find a list of accredited D providers at (in German). 1

2 The advantages of D for individuals, businesses and government agencies D allows you to send documents electronically that would otherwise require a regular mailing. This offers many advantages for individuals, businesses and government agencies: Unlike ordinary , D is encrypted. The identity of D senders and recipients can be verified, as can the delivery of a D message. That is important for both senders and recipients. Verification also helps fight Internet crime, since senders of spam or phishing messages can no longer remain anonymous. Individuals can take care of transactions with businesses and government agencies easily and conveniently wherever and whenever they like. Businesses and government agencies can process many transactions electronically from start to finish even legal transactions requiring a documented date of receipt. In this way, D helps increase efficiency in the public and private sectors. It also saves money on paper and postage. In short: D can save you time and money. D is based on widely used technologies, so it can take advantage of existing interfaces without requiring a lot of additional effort. You don't need any special skills to use D it is as easy as . You can use Web applications very similar to widely used services without having to install any new hardware or software on your computer. You can also connect the infrastructure of your business or organization to D via a gateway, so you can continue using your existing client. All D providers must meet the same high standards for IT security and data protection, so you can be sure that every D provider offers the same, verified level of security. You can also be sure that your D messages will reach their intended recipients. It makes no difference whether recipients have an account with a different D provider: The systems of all D providers are connected. 2

3 Unencrypted, unprotected, unverified what does that mean? In Germany, more than 95% of all s are not encrypted. This means: Little effort is needed to intercept s, read them like postcards and alter their content. Senders and recipients can never be entirely sure who they are communicating with. Senders never know for certain whether their messages reached the intended recipients and have no proof that they did. The volume of spam messages unsolicited, mass s from senders who are difficult or impossible to identify has greatly expanded in recent years. Criminals are increasingly using phishing techniques to gain information needed to access accounts, typically for the purpose of identity theft. Encrypted, protected, verified what does that mean? D messages have important security features that conventional s lack: D s cannot be intercepted and altered by third parties because they are always encrypted for transport via the Internet. Senders and recipients of D s can always be identified because users have to verify their identity before they can open a D account. Users can request a proof of mailing and delivery for their D messages ("electronic registered mail"). D prevents spam because senders are clearly identified. D fights phishing and identity theft because users can register by using a dually secure procedure. With these security features, D helps users protect their personal data effectively. 3

4 D in detail: More protection for your data D is an important tool to help you better protect your data and make them more secure, thanks to the following: Mandatory transport encryption: Unlike ordinary , all data you send are always encrypted as they travel via the Internet. Optional security components: D supports the use of additional security components such as end-to-end encryption and signatures. Strict requirements for D providers' technical and organizational security measures: The minimum standards for secure electronic communication are regulated by the D Act, which entered into force on 3 May The Act also ensures orderly procedures for checking the compliance of all D providers with these standards. Certified data protection: D providers must have a data protection certificate issued by the Federal Commissioner for Data Protection and Freedom of Information (BfDI) documenting that they have taken comprehensive measures to protect personal data. With D , everyone can enjoy a high level of security and data protection for their electronic communications. 4

5 D in detail: More security when logging in There are two ways to log into your D account: For the regular level of security, you can log in with your username and password, just as for an ordinary account. This is usually referred to as "authentication through something you know". For log-ins with extra security, you will need your username, password and a token, such as Germany's new digital national identity card, a signature card or other approved procedure based on a USB stick or mobile telephone (such as mtan, in which an SMS containing a randomly generated combination of numbers is sent to your mobile telephone for you to use to log in to your D account). Log-in requiring a token is known as two-factor authentication using "something you know and something you have". D providers must offer at least two log-in procedures with extra security, including the procedure with the new national identity card. You can decide which token to use for secure log-ins to your D account. The extra level of security is by law the default setting for accessing D accounts. Most D sending options will require log-ins with extra security. Upon request, your D provider can let you access your account by using only your username and password. In this case, you will only be able to use the basic D functions. 5

6 D in detail: Verification and options for sending If no additional sending options have been selected, standard D messages are always encrypted. Both the message (text and attachments) and header data (sender's/recipient's address, time sent, etc.) are encrypted and protected against eavesdropping and alteration by third parties. Both the sender and recipient are clearly identified. Even a standard D message has a highly binding nature and can be used in a variety of situations. In addition to the standard D , users may choose one or more of the following options: Sending confirmation: The D provider issues the sender confirmation with a qualified electronic signature that the message has been sent. Sending confirmation with a high authentication level: The sender's D provider issues both sender and recipient confirmation with a qualified electronic signature that the sender was logged in with a high level of authentication when he or she sent the D message. Delivery confirmation: When the D message has been delivered to the recipient's mailbox, the recipient's D provider gives both the sender and the recipient a delivery confirmation with a qualified electronic signature.. In all three cases, the signature of the D provider includes the entire message content (text and attachments) and header data (sender's and recipient's address, time sent, etc.). This gives you a reliable documentation of your electronically transmitted message. For messages requiring especially confidential treatment, you can select an additional security option: Personal: The sender determines that the recipient can read the message only if he or she is logged in with a high level of authentication. You can combine the various sending options and confirmations in different ways depending on the purpose or content of your D message. 6

7 D in detail: End-to-end encryption and electronic signature If you want to use additional security components, you can sign your message with a qualified electronic signature or send it with end-to-end encryption. D providers are required to offer a directory service where the public keys or encryption certificates needed for encryption can be stored. This makes it much easier to use end-to-end encryption. Government and industry set the framework together; industry operates D The government only creates the framework in close consultation with private industry for secure D communication on the Internet; companies are responsible for implementing D by creating specific products that comply with this framework. The Federal Government and private industry worked together to define the basic requirements for security, functionality and interoperability in the form of technical guidelines. An accreditation procedure regulated by law is used to check whether De- Mail providers meet these guidelines. D services are provided by competing companies, which can offer additional services based on the standard framework in order to distinguish themselves from their competitors. In this way, D serves as the foundation for secure electronic communication while ensuring nationwide coverage and encouraging competition. You can recognize approved D providers by this seal, awarded by the Federal Office for Information Security: 7

8 Support for government agencies and businesses introducing D In 2011, the D Competence Centre helped numerous federal, state and local government agencies as well as companies connect to D and integrate it into their existing processes. The D Competence Centre was set up by the Federal Ministry of the Interior with funds from the IT investment programme. As part of its advisory efforts, the D Competence Centre has created concepts including organizational, economic and technical priorities as well as a catalogue of standard D use scenarios. It also created sample procedures and best practices for identifying and selecting use scenarios. Further results include economic analyses, adaptations of processes and specialized applications, procedures for technical integration and for necessary adjustments to standard software applications when introducing D . Companies and government agencies that want to start using D can use both the outlines and the results derived from advisory projects on their own. The Competence Centre's conclusions on D in German public administration are published at 8

9 Information on the approval of D providers No matter which D provider you choose, you can be certain that D ensures a uniform, verified level of security. This is guaranteed by the D Act: All D providers are checked for compliance with uniform criteria using a transparent procedure. This is important for creating trust in the security and quality of D services. D providers must document compliance in the following areas: Security, functionality and interoperability checked by the Federal Office for Information Security (BSI). The current criteria for approval are published at Data protection checked by the Federal Commissioner for Data Protection and Freedom of Information (BfDI). The current criteria for approval are published at If you would like to become a D provider, please contact d @bsi.bund.de. Contact Federal Ministry of the Interior IT Staff Unit, Division IT 4 Alt-Moabit 101 D Berlin, Germany Tel.: +49 (0) d @bmi.bund.de 9