Sicherheitsaspekte des neuen deutschen Personalausweises

Similar documents
eidas as blueprint for future eid projects cryptovision mindshare 2015 HJP Consulting Holger Funke

The German eid-card. Jens Bender. Federal Office for Information Security Bundesamt für Sicherheit in der Informationstechnik

Preventing fraud in epassports and eids

Electronic Identity Cards for User Authentication Promise and Practice

FAQs Electronic residence permit

VoIP Security. Seminar: Cryptography and Security Michael Muncan

Smart Card Solutions: Bringing Value to Citizens

Test plan for eid and esign compliant terminal software with EACv2

FAQs - New German ID Card. General

Keywords: German electronic ID card, e-government and e-business applications, identity management

A secure, economic infrastructure for signing of web based documents and financial affairs Overview of a server based, customer-friendly approach.

Using etoken for SSL Web Authentication. SSL V3.0 Overview

SecureStore I.CA. User manual. Version 2.16 and higher

Guide for Securing With WISeKey CertifyID Personal Digital Certificate (Personal eid)

Understanding Digital Certificates and Wireless Transport Layer Security (WTLS)

Identity Management. Critical Systems Laboratory

Implementation of biometrics, issues to be solved

Secure Card based Voice over Internet Protocol Authentication

The Concept of Trust in Network Security

Glossary of Key Terms

Technical Guideline TR Electronic Identities and Trust Services in E-Government

Security Digital Certificate Manager

Server based signature service. Overview

D . A reliable and secure online communication platform. Armin Wappenschmidt (secunet) More information:

Guide to Obtaining Your Free WISeKey CertifyID Personal Digital Certificate (Personal eid) WISeKey 2010 / Alinghi 2010 Smartcards

White Paper PalmSecure truedentity

IDaaS: Managed Credentials for Local & State Emergency Responders

HIGHSEC eid App Administration User Manual

A KIND OF IMPLEMENT ABOUT MOBILE SIGNATURE SERVICE BASED ON MOBILE TELEPHONE TERMINAL

All you need to know about the electronic residence permit (eat)

An Open Source eid Simulator Open Identity Summit 9th -11th September 2013

Technical Guideline eid-server. Part 2: Security Framework

Position Paper European Citizen Card: One Pillar of Interoperable eid Success

Online E-Signing. Send and Sign Documents on the Internet Anywhere

Mobile Driver s License Solution

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006

Secure Cloud Identity Wallet

esign Online Digital Signature Service

Network Security Protocols

Web Payment Security. A discussion of methods providing secure communication on the Internet. Zhao Huang Shahid Kahn

Common Criteria Protection Profile. Electronic Identity Card (ID_Card PP) BSI-CC-PP Approved by the Federal Ministry of Interior. Version 1.

User Manual. For. Digitally Signing of your application

Facts about the new identity card

Security Digital Certificate Manager

MyKey is the digital signature software governed by Malaysia s Digital Signature Act 1997 & is accepted by the courts of law in Malaysia.

Audio: This overview module contains an introduction, five lessons, and a conclusion.

Enhanced Privacy ID (EPID) Ernie Brickell and Jiangtao Li Intel Corporation

Digital identity: Toward more convenient, more secure online authentication

SECURITY IMPLICATIONS OF NFC IN AUTHENTICATION AND IDENTITY MANAGEMENT

esign FAQ 1. What is the online esign Electronic Signature Service? 2. Where the esign Online Electronic Signature Service can be used?

TLS-RSA-PSK. Channel Binding using Transport Layer Security with Pre Shared Keys

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

Biometrics for Public Sector Applications

Guide to building a secure and trusted BYOID environment

E-Democracy and e-voting

5 FAM 140 ACCEPTABILITY AND USE OF ELECTRONIC SIGNATURES

Remote e-signing via the Web

World Summit on Information Society (WSIS) Forum May 2013

Moving to the third generation of electronic passports

ISO/IEC for secure mobile web applications

The ID card with eid function at a glance

Guide to Obtaining Your Free WISeKey CertifyID Personal Digital Certificate on Aladdin etoken (Personal eid)

Web Application Entity Session Management using the eid Card Frank Cornelis 03/03/2010. Fedict All rights reserved

Secure your Privacy. jrsys, Inc. All rights reserved.

Technical Guideline BSI TR Requirements for Smart Card Readers Supporting eid and esign Based on Extended Access Control

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

The Convergence of IT Security and Physical Access Control

User Guide. Digital Signature

Common Criteria Protection Profile

COMMON CERTIFICATE POLICY FOR THE EXTENDED ACCESS CONTROL INFRASTRUCTURE FOR PASSPORTS AND TRAVEL DOCUMENTS ISSUED BY EU MEMBER STATES

why PKI and digital signatures suck

HOW IT WORKS E-SIGNLIVE 1 INTRODUCTION 2 OVERVIEW

Electronic Citizen Identities and Strong Authentication

More effective protection for your access control system with end-to-end security

Description of the Technical Component:

EXPLORING SMARTCARDS: AN INDEPENDENT LOOK TO TECHNOLOGIES AND MARKET

Directorate Of Health Service s ONLINE NURSING HOME & CLINICAL ESTABLISHMENT LICENSING SYSTEM

Using Contactless Smart Cards for Secure Applications

eauthentication in Estonia and beyond Tarvi Martens SK

IT-Security All safe and sound?

Banking. Extending Value to Customers. KONA Banking product matrix. is leading the next generation of payment solutions.

What security and assurance standards does Trustis use for TMDCS certificate services?

Best Practices for the Use of RF-Enabled Technology in Identity Management. January Developed by: Smart Card Alliance Identity Council

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, Page 1

An Open ecard Plug-in for accessing the German national Personal Health Record

Strong Security in Multiple Server Environments

Discover Germany s Electronic Passport

e-authentication guidelines for esign- Online Electronic Signature Service

Authentication. Computer Security. Authentication of People. High Quality Key. process of reliably verifying identity verification techniques

Security by Politics - Why it will never work. Lukas Grunwald DN-Systems GmbH Germany DefCon 15 Las Vegas USA

Encryption-based 2FA for Server-side Qualified Signature Creation

A Guide to EMV. Version 1.0 May Copyright 2011 EMVCo, LLC. All rights reserved.

HOW SECURE ARE CURRENT MOBILE OPERATING SYSTEMS?

Information Security

Contactless Smart Cards vs. EPC Gen 2 RFID Tags: Frequently Asked Questions. July, Developed by: Smart Card Alliance Identity Council

Embedding digital signature technology to other systems - Estonian practice. Urmo Keskel SK, DigiDoc Product Manager

The Mobile Phone Signature in edemocracy and egovernment Applications.

D.I.M. allows different authentication procedures, from simple confirmation to electronic ID.

Registering the Digital Signature Certificate for Bank Officials

6. Is it mandatory to have the digital certificate issued from NICCA? Is it mandatory for the sender and receiver to have a NIC id?...

Transcription:

Sicherheitsaspekte des neuen deutschen Personalausweises Dennis Kügler Bundesamt für Sicherheit in der Informationstechnik egov Fokus 2/2013: Identity- und Access Management im E-Government

Rethinking the ID Card Motivation Stronger link of document and holder via biometry analogous to electronic passport Cryptography as new security feature New technologies require secure electronic identity e.g. for ebusiness egovernment Therefore: Integration of a chip ID-1 size Purely contactless Lots of cryptographic protocols

Design Criteria Infrastructure Citizens are reluctant to spend money......on readers, on certificates, for service providers,... No Users No Services Privacy by Design User must remain control of his personal data Complete Roll-Out takes time... 10 years to replace all cards in circulation Updates in the field are difficult Be ahead of time or you'll end up with an outdated system

eid vs. esign German ID-Card separates eid and esign Applications Electronic Identification For online authentication Available by default (opt out) Qualified Electronic Signatures For signing legally binding contracts Electronic Identity EMustermann64 Mustermann, Erika, 12.08.1964? = Electronic Signature Optional, must be bought separately Why shouldn't eid and esign be mixed up?

Authentication Mechanisms Identity Verification is volatile Verifier allows someone to do something Successful verification cannot be proven. Transactions are legally binding Signer authorizes someone to do something Declaration of intent Signature can be verified by any 3 rd party! Authentication Level Traditional Authentication Electronic Authentication 1-factor 2-factor Identity Verification Showing ID Card Password eid Transaction Written Signature PIN/TAN Electronic Signature

Electronic Identity Mutual Authentication Citizen: Can the service provider prove its identity? Service provider proves identity using its access certificate Service Provider: Is the citizen able to prove his/her identity? Both, the citizen and the service provider, have reliable proof of the identity of the other party Citizen uses eid to prove identity Privacy/Data Protection friendly design Full user control Reading data only after entering the PIN

Example: Online Authentication Service Provider Identity Requested Access Rights PACE Terminal Authentication Display Service Provider Identity (Restrict and ) approve access rights by entering PIN Chip Authentication End-to-End Secure Messaging User Approved Access Rights EAC 2

Costs Card Reader Categories Basic reader (eid only) Suitable for mobile usage No specific formfactor Standard reader PIN-Pad for entering PIN for applications with higher security requirements Display, optional Comfort reader (eid + QES) PIN-Pad and display required Suitable for qualified signature, approved according to German Electronic Signature Law ID-Card enforces use of comfort reader for qualified electronic signature

Is the Basic Reader a Security Flaw? No PIN-Pad + no Display Intercept PIN entered on the PC keyboard......pin alone is not sufficient Manipulation of information on the Service Provider......only authorized Service Provider can access personal data...maximum access rights are determined by certificates End-to-End Encryption Personal data cannot be eavesdropped Cost It's better to have many users with high security than a few users with highest security Password ****** Security

Pseudonyms and Privacy Pseudonymous Identifier Identifier allows to uniquely recognize each Card Setup a user account Login later as the same user Card generates different identifiers for different Service Providers 6D58...4E0F6 Linking identities across Service Providers is impossible Additional Privacy Features Minimizing disclosed data Age Verification Document Validity Community ID A481...3314

From eid to esign Set esign PIN Holder eid Secure Channel Access Certificate Erika Mustermann, 12.08.1964... Generate Key Pair Public Key... Qualified Certificate Certificate Service Provider Authenticate with Access Certificate: Read First Name, Last Name, DoB,... Install Qualified Certificate Generate & Publish Qualified Certificate

eid-client Open Specification: ecard API Communication Protocol ID-Card Service Provider Based on ISO 24727 (Draft) Testspecification available eid-clients currently available AusweisApp: the official eid-client provided by the government PersoApp: An Open Source Project funded by the government Open ecard: Another Open Source Project AuthentApp: An Open Source Java Applet Commercial Clients,...

Summary Focus on eid! Low costs High security Basic Reader sufficient for eid NFC-Phones are Basic Readers Ad-hoc QES possible, but more expensive reader required How to get citizens on board? Be patient! Make use of existing Infrastructure Privacy protection is important for citizens egovernment Services as an enabler Don't forget the eid-client software

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information