Innovations for an eid Architecture in Germany www.bsi.bund.de
The BSI Contents Contents 1. The new identity card secure, standardized proof of identity in the digital world 4 2. User-oriented requirements for the identification function of the new identity card 6 3. Application software for users AusweisApp 8 4. Security mechanisms for the identification function of the new ID card 9 The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik - BSI) is Germany s central IT security service provider: a neutral, independent authority for issues relating to IT security in the information society. The BSI provides information on risks and threats relating to the use of information and communication technology, develops security guidelines, advises manufacturers, distributors and users. The BSI primarily advises public administrations on the national, state and local levels, but also seeks to exchange information with businesses and private users. 4.1 Password Authenticated Connection Establishment (PACE) 10 4.2 Extended Access Control (EAC), readers and EAC box 11 4.3 Passive Authentication (PA) 14 4.4 Public Key Infrastructures (PKI) for electronic identity documents 15 4.4.1 Country Signing Certificate Authority (CSCA) 15 4.4.2 Country Verifying Certificate Authority () 16 5. The eid server interface for web applications 19 6. Revocation management in the new German identity card 20 7. References 23 Imprint 24 2 3
Identification function Identification function 1. The new identity card secure, standardized proof of identity in the digital world Starting November 1 st, 2010, the new identity card will be introduced in Germany as an electronic, multi-functional card in credit-card format, valid as a travel document and as proof of identity both personally and in the electronic world. This identity card implements an innovative concept based on a contactless interface that is already in use for electronic passports world-wide. The new identity card not only represents a modern sovereign document that will significantly improve the identification of persons e.g. when crossing borders. The ID card will also be equipped with additional electronic functions, in par ticular electronic ID (eid) and the optional Qualified Electronic signature (QES), which offer users significant advantages. These functionalities enable individuals to positively identify themselves online and issue legally binding electronic declarations of will. They are thus a key instrument for enabling legally valid contacts to be con cluded over the Internet, and are intended to promote streamlined egovernment and ebusiness services. The introduction of the identification function of the new identity card entailed preparing, developing and deploying a sophisticated IT infrastructure and embedding it in a complex overall system with more than 60 million participating individuals. This required firstly that the associated organizational, legal and technical prerequisites be created. The German ID Card Act [PAuswG 2010] sets out the general legal framework for identity documentation and electronic proof of identity; the corresponding regulation [PAuswV 2010] defines in particular the requirements for security and data protection of the eid infrastructure. These are augmented by close to 20 Technical Guidelines and protection profiles promulgated by the Federal Office for Information Security (BSI), which are published in binding form in the German Federal Gazette. Some of these requirements are explained as examples in this brochure. The infrastructure of the new identity card is intended to realize a trustworthy and efficient identity management. The combination of a sovereign identity document with eid functionality for ebusiness and egovernment will also provide users with a secure identity in the electronic world and afford them better protection against many types of cybercrime, such as phishing and identity theft. Particular priority was placed on data protection, data security and preserving information self-determination. All disclosures and transmissions are reliably protected using internationally recognized and established encryption processes. As part of the eid function, user data are exchanged only between the provider of the service and the holder of the identity document. Biometrically relevant data, i.e. photo, where applicable fingerprints, eye color, height and personal signature, are never transmitted to service providers or via the Internet. Only sovereign authorities possess the authorization and the technical means to query such sensitive information. 4 5
Data protection Data protection 2. User-oriented requirements for the identification function of the new identity card As a protective function for the personal data stored on the ID card chip, legal requirements stipulate that all institutions that want to access some or all of this data must possess an appropriate authorization. Before such an authorization is issued, government authorities review which data the service provider (e.g. an online retailer, or also public offices) absolutely requires for his pur poses, and whether he is trustworthy. The authorization is always issued for only a limited period and can be re voked. technically, the authorization is implemented using authorization certificates whose status is queried at terminal authorization. determine whether the pseudonyms registered there belong to one and the same person. In the event that the new identity card is lost, the eidfunctionality can be revoked using a personal password (revocation management, see chapter 6). If the personal identification number is entered incorrectly three times, its reactivation requires a PIN un blocking key (PUK). If desired, the card s eid functionality can be disabled by the issuing authority. A QES function can also be activated on the new identity card. Using this signature, it is possible to fulfill requirements for the written form under contract law by electronic means. The electronic certificates required for this process can be purchased from commercial providers. Before the new ID card releases data to a service provider with an authorization certificate, the service provider must display his certificate, and thus also the data he is allowed to read. The holder of the identity card always has the option of restricting the read authorization to less data. The ID card holder must then enter a six-digit personal identi fication number (PIN). If the electronic verification of the authorization certificate is positive, the data are released. All data are transmitted in encrypted form. The read authorization can be restricted so that for example, only age-related information can be queried. There is also a pseudonym function that enables users to log onto and be recognized by a service provider such as an Internet forum without revealing any personal data to the service provider. This function is card- and service-specific: in other words, service providers who compare their databases cannot 6 7
Interfaces Security 3. Application software for users AusweisApp In order to use their new identity card on line, users require a software that serves as the interface between the ID, the card reader and the service provider s eid server. This software, called AusweisApp ( Ausweis is the German word for ID document ), will be available free of charge on a web portal of the German Federal Ministry of the Interior (https://www.ausweisapp.bund.de) for the operating systems Windows, Linux and Mac OS. In addition to utilizing the identification function of the new ID cards, AusweisApp also enables qualified electronic signature with multiple signature cards, both conventional contact type cards and contactless devices like the new ID card. Functions of the German health card are also supported. 4. Security mechanisms for the identification function of the new ID card The security mechanisms and resulting IT infrastructures for the new ID card ensure protection of personal data, proof of the authenticity of the identity document and proof against forgery. Special attention has been given to solutions for securing the contactless interface between the ID card and the terminal which, among other things, must meet the requirements for qualified electronic signatures. The following protocols and other measures for achieving the aforementioned security objectives were developed under the active leadership and participation of the BSI. AusweisApp is an implementation of the Technical Guideline ecard-api Framework [TR-03112], which defines easy-touse, uniform interfaces for communication between card readers, cards and applications (web-based and local). Abbreviation PACE Full name Password Authen ticated Connection Establishment Purpose Access control, protects the RF chip from being read at a distance. EAC Extended Access Control Extended access control, comprising two subprotocols. CA: Chip Authentication Establishment of a secure link and detection of cloned RF chips. TA: Authentication Authentication of terminal device for reading sensitive data from RF chip. PA Passive Authentication Validation of authenticity and integrity of the data on the RF chip. RI Restricted Identification Generation of chip- and providerspecific pseudonyms. 8 9
Security Security PKI Public Key Infrastructure CSCA: Country Signing Certificate Authority : Country Verifying Certificate Authority Hierarchy of digital certificates. Hierarchy of digital certificates for signing data in electronic identity documents. Hierarchy of digital certificates for read authorization of electronic identity documents. 4.1 Password Authenticated Connection Establishment (PACE) Password Authenticated Connection Establishment (PACE) ensures that the contactless RF chip in the new identity card cannot be read without explicit access, and that data are exchanged with the terminal device in encrypted form [Bender 2008]. The password that can be used for PACE depends on the authorization certificate of the reader (terminal) device used. Usually, this is the six-digit personal identification number (PIN), which is known only to the holder of the identity card. For reader devices with authorization certificates for sovereign use, e.g. border control, either a Machine readable Zone (MRZ) printed on the back of the new identity card or the six-digit card access number (CAN) printed on the front is sufficient. 4.2 Extended Access Control (EAC), readers and EAC box Extended Access Control (EAC) comprises an array of protocols that are always executed in a specific order, depending on which electronic identity document is to be read [TR-03110]. The EAC protocols include Chip Authentication (CA) and terminal Authentication (TA). The two protocols are executed together with Password Authenticated Connection Establishment (PACE) and Passive Authentication (PA). The purpose of Chip Authentication is to confirm that the chip is a real chip (and not a forgery or a clone) and to establish a secure connection between the chip and the reader, or between the chip and the service provider in the case of online authentication. Chip Authentication is based on Diffie-Hellman key exchange, in which the reader or terminal device uses an ephemeral key pair and the chip a static pair. The chip s public key is signed during the process of generating it (Passive Authentication see section 4.3). The use of the signed key verifies the authenticity of the chip; at the same time, a strongly-encrypted and authenticated end-to-end channel is established between the chip and in the case of online authentication the service provider. The advantage of PACE is that the length of the password has no effect on the security level of the encryption. In other words, even when the CAN or PIN are used, which are short compared to the MRZ, the data on the RF chip of the electronic identity card are strongly protected during transmission. All data on the new identity card are treated as confidential and must be protected against being read by unauthorized persons. The Authentication (TA) protocol was developed for this purpose. Sensitive data can only be read when this protocol has been successfully executed on the reader. The RF chip in the identity document is designed so that it enables reading of specific data only when the reader 10 11
Security Security device (terminal) can demonstrate an explicit read authorization for these specific data (e.g. only date of birth). The Country Verifying Certificate Authority certificate ( certificate) is stored on the RF chip to verify this authorization. This certificate forms the root of the Country Verifier Public Key Infrastructure (CV-PKI), a hierarchy of authorization certificates for reading sensitive data from identity documents. In Authentication, the reader (terminal) transmits its read authorization to the RF chip in the form of a terminal certificate. It also transmits the certificate and all certificates in the hierarchy between these two certificates. This enables the RF chip to verify the authenticity and integrity of the terminal s certificate. A positive result requires that each of the subsequent certificates in the hierarchy is signed with the private key of its predecessor, starting with the certificate. The RF chip knows that this certificate is trustworthy because it was stored on the RF chip when it was manufactured. Once the authenticity and integrity of the terminal certificate transmitted by the reader has been established, the RF chip must verify that this certificate was really issued for this device. To this end, the RF chip transmits a random number to the reader, which signs it with a private key belonging to the terminal certificate. The reader device then transmits the signed random number back to the RF chip. Using the terminal device s public key, which is contained in the terminal certificate, the RF chip can verify the signature of the random number and determine whether the possesses has the private key that matches the certificate. EAC box Key component for ID card amendment Registration office PC Authorization PKI <SOAP> Flow control Crypto protocols Stored certificates and keys EAC box core Specification: BSI Technical Guideline TR-03131 EAC-Box Architecture and Interfaces Protection profile: CC Protection Profile for Inspection Systems Each reader that wants to access the data of the electronic identity card requires corresponding authorization certificates, each with their own private and public keys, which must be renewed regularly via a PKI. The EAC box provides these functions in an encapsulated form in an evaluated and certified environment and communicates with external components and services via standardized interfaces [TR-03131]. Once the electronic identity card has been introduced, the EAC box will be used as a reader device for changing address data on the eid at municipal registration offices. Further uses in addition to this scenario are conceivable (e.g. border control). Secure channel Card reader Display PIN pad 12 13
Security Infrastructures 4.3 Passive Authentication (PA) The purpose of Passive Authentication (PA) is to validate the authenticity and integrity of the data on the RF chip of the identity document. In the course of manufacturing the electronic identity document, the data stored on the RF chip are digitally signed. This process uses something called a document signing certificate, which in turn is signed with the Country Signing Certificate Authority certificate (CSCA certificate) of the issuing nation and is available only to the officially authorized ID manufacturer. This certificate forms the bedrock of the Country Signing Certificate Authority Public Key Infrastructure (CSCA-PKI), a hierarchy of certificates that verify the integrity of data on identity documents. When an identity document is read, Passive Authentication verifies the signature of the data stored on the RF chip and traces it back to the CSCA certificate. This enables it to determine whether the data in the identity document were written on the RF chip by the officially authorized ID manufacturer and that their integrity is not compromised. 4.4 Public Key Infrastructures (PKI) for electronic identity documents The new identity card requires two Public Key Infrastructures (PKI): one PKI for verifying the authenticity of electronic identity documents (Passive Authentication), the Country Signing Certificate Authority (CSCA); and one PKI to protect the fingerprints on electronic identity documents ( Authentication), the Country Verifying Certificate Authority (). Technical Guideline TR-03128 describes the basic functionalities and requirements of these infrastructures. 4.4.1 Country Signing Certificate Authority (CSCA) The Country Signing Certificate Authority (CSCA) is operated by the BSI. This authority generates the German root certificates (CSCA certificates) on a regular basis, which in turn serve as the source for the private keys of the document signing certificates of the passport or ID card manufacturer. The passport or ID card manufacturer uses the private keys of the document signing certificates to sign files on the electronic identity document that represent the document s data. The document signing certificate is also electronically stored on the identity document. Using the root certificate, it is possible to verify whether an electronic identity document was really created on behalf of the issuing nation, and whether the data have been changed in any way since production. This is realized using Passive Authentication. To enable the authenticity and integrity of German electronic identity documents to be verified at border control points in other countries, and passports of other countries to be tested 14 15
Infrastructures Infrastructures at the German border for their authenticity and integrity, the various nations must exchange their root certificates in a secure manner. This is achieved either via diplomatic pouches or via the ICAO Public Key Directory (ICAO-PKD). Public Key Infrastructure in international context Country A Country B 4.4.2 Country Verifying Certificate Authority () The BSI also operates the Country Verifying Certificate Authority (). This authority generates the German root certificates on a regular basis; the private keys of these certificates are used to sign the document verifier certificate of the document verifier instances (DV instances). DV DV DV DV The DV instances are responsible for issuing the certificates authorizing the reading of electronic identity documents, and also define the individual read rights, i.e. what information can be read from the identity documents. This authorization is verified by the RF chip of the electronic identity document on reading during Authentication. Public Key Infrastructure for citizen applications of the new identity card DV(s) Inspection authorities BSI VfB BerCa(s) Service providers eid DV eid Identity card authority esign DV QES Verified signature terminal Authorization certificates are issued solely to control authorities (e.g. Federal Police) and registry offices (to enable citizens to check the correctness of data). These certificates are also required to read fingerprints. The diagram Public Key Infrastructure for citizen applications of the new identity card illustrates the spectrum of variants of national authorization certificates for the new identity card. In addition to applications for sovereign purposes, and for electronic identification, the also supports the qualified electronic signature. The new identity card also requires that authorization certificates be issued for the control authorities of other nations that are empowered to access the sovereign functions of the new identity card. This authorization is issued separately for each nation. - Country Verifying Certificate Authority DV - Document Verifier VfB - Issuing Unit for certificates BerCA - Certification Authority for eid service providers QES - Qualified Electronic Signature 16 17
Security features eid Server To sum up, the array of cryptographic protocols described above offer protection against a range of attacks: PACE has the advantage that the length of the password has no effect on the security level of encryption. This means that even when the CAN or PIN are used, which are short compared to the MRZ, the data on the RF chip of the electronic identity card are strongly protected during transmission. PACE protects cards against being accessed in passing and creates an encrypted, integrity-secure channel between the card and the reader. PACE also enables entry/verification of a PIN, thus tying authentication to the person and providing protection against unauthorized use of the new identity card. Authentication ensures that the reader/ service provider can perform only authorized access operations. The read rights for the various data fields are granted separately. 5. The eid server interface for web applications To simplify the use of the electronic identification function in web applications, an eid server is required. The eid server provides a simple interface for web applications, encapsulating the complexity of the electronic identification function. The guideline TR-03130 specifies the interface used by web applications and the corresponding data formats for exchanging information. The eid server as a hardware and software component establishes communication with AusweisApp and handles the communication for requesting terminal authorization certificates (DVCA certificates), revocation lists and CSCA certificates. The eid server is realized as a logically independent server, so that it can be used by multiple web applications (principals); it can also e.g. be operated remotely by a third party. To preserve the confidentiality and integrity of the processed data, the data must be encrypted and signed for transfer between Chip Authentication creates a secure end-to-end channel between the chip and the service provider. Together with Passive Authentication, Chip Authentication also verifies the authenticity of the chip. The integrity and authenticity of the read data are implicitly ensured through authentication of the chip. eid server The steps of the electronic identification process Citizen Browser ➂ AusweisApp ➀ ➁ ➃ CA - Certification Authority PKD - Public Key Directory Service provider Webserver eid server CA, PKD, revocation lists ➀ Citizen selects authentication using electronic ID on service provider s website. ➁ The webserver of the service provider transmits the parameters necessary for establishing the connection. ➂ The browser starts the local AusweisApp application. ➃ AusweisApp establishes a secure channel to the eid server of the service provider and authentication commences. 18 19
Revocation management Revocation management the eid server and application server when transmitted via a public network. 6. Revocation management in the new German identity card To prevent abuse of stolen or lost identity cards, the card holder must be able to block or cancel them via revocation management [Bender 2010]. Currently, chip cards, e.g. cards for the qualified electronic signature, are cancelled by means of a chip-specific public key that can be compared with a revocation list in other words, a global, chip-specific feature. However, a chipspecific feature is always person-related, as it uniquely identifies the chip and consequently the card holder. Such a mechanism would thus undermine the data protection-friendly design of the eid function, in which only those data from the chip are transmitted that are necessary for the service. For example, an online service that only requires proof of age for age-restricted services must not be able to use a unique revocation attribute to cross-reference these data with a service that receives name, address and similar data from the identify document (this is particularly important for the pseudonym). One solution to this conflict is to use service-specific revocation lists, i.e. every identity card transmits a service- and card-specific revocation attribute to the service provider during the electronic identification process, which the provider then checks against his individual, i.e. service-specific revocation list. For each service that uses the eid function of the new identity card, a service-specific revocation list is generated from a global revocation list. A service- and card-specific attribute sent to the service provider from the chip of the identity card during the eid function can then be compared with a specific revocation list in order to identify cancelled IDs. The use of service- and card-specific revocation attributes ensures that service providers cannot exploit these to recognize identity documents across services. This applies analogously for the revocation service: this central authority is unable to derive the service- and card-specific revocation attributes from the revocation key without the assistance of the service providers and the authorization CAs it is not possible to trace identity cards via the revocation mechanism. The use of revocation passwords and checksums also promotes data protection. Revocation management Overview Police Loss reported Revocation initiated Loss reported Lost and stolen list Revocation initiated Citizen ID card authority Revocation initiated with revocation password Revocation password in PIN letter ID manufacturer Revocation password for entry in register of IDs Revocation initiated with revocation checksum General revocation list Service provicer-specific revocation list eid revocation service Berechtigungs-CA Berechtigungs-CA Authorization CA Dienstanbieter Dienstanbieter Service provider Hotline 20 21
Revocation management References A revocation key is required for generating service-specific revocation lists. To ensure that the process complies with the security requirements described above, this key has a length of 256 bits something the identity card holder will certainly be unable to memorize. Cancellation of lost identity cards must be possible at any time: seven days a week, 24 hours a day, and especially while travelling as well. One solution would be to store the personal data of the card holder required for identification in the revocation service, together with the revocation key, which would in practice be equivalent to a nation-wide registry of persons. The methods used in the identity card take a different approach: only the hash value (revocation checksum) corresponding to the last and first names, date of birth and cancellation password are stored with the revocation key. This implementation permits effective cancellation of identity cards without requiring a central registry holding personal data. 7. References [PAuswG 2010] German ID Card Act (Gesetz über Personalausweise und den elektronischen Identitätsnachweis Personalausweisgesetz PAuswG), 17 August 2010, German Federal Law Gazette (Bundesanzeiger) I, p. 1346 [PAuswV 2010] German ID Card Regulation (Verordnung über Personalausweise und den elektronischen Identitätsnachweis PAuswV), 2010, German Federal Law Gazette (Bundesanzeiger) I [Bender 2008] Jens Bender, Dennis Kügler, Marian Margraf, Ingo Naumann, Sicherheitsmechanismen für kontaktlose Chips im deutschen elektronischen Personalausweis, DuD Datenschutz und Datensicherheit 3 2008, p. 173-177 [Bender 2010] Jens Bender, Dennis Kügler, Marian Margraf, Ingo Naumann, Das Sperrmanagement im neuen deutschen Personalausweis, DuD Datenschutz und Datensicherheit 5 2010, p. 295-298 [TR-03110] BSI Technical Guideline, Advanced Security Mechanisms for Machine Readable Travel Documents (BSI TR-03110) [TR-03112] BSI Technical Guideline, ecard-api-framework (BSI TR-03112) [TR-03128] BSI Technical Guideline, EAC-PKI n für den elektronischen Personalausweis, Rahmenkonzept für den Aufbau und den Betrieb von Document Verifiern (BSI TR-03128) [TR-03130] BSI Technical Guideline, eid-server (BSI TR-03130) [TR-03131] BSI Technical Guideline, EAC-Box Architecture and Interfaces (BSI TR-03131) 22 23
Published by Federal Office for Information Security (BSI) Godesberger Allee 185-189 53175 Bonn, Germany Version September 2010 Editorial TeleTrusT Deutschland e.v., Berlin, Germany Design / Production Kesberg Consulting, Bonn, Germany Printing Buersche Druckerei Neufang KG, Gelsenkirchen, Germany Photos German Federal Ministry of the Interior (cover pictures), German Federal Office for Information Security (graphics)