Johannes Schmölz
Technische Universität Darmstadt
Publication
Featured research published by Johannes Schmölz.
digital identity management | 2013
Detlef Hühnlein; Jörg Schwenk; Tobias Wich; Vladislav Mladenov; Florian Feldmann; Andreas Mayer; Johannes Schmölz; Bud P. Bruegger; Moritz Horsch
Several European countries currently introduce highly sophisticated eID functionality in their national identity cards. This functionality typically has no direct relation to web security standards, but will be integrated with web technologies to enable browser-based access to critical resources. The research challenge to combine eID protocols and web standards like TLS in a secure way proves extremely challenging: The security of many of the proposed systems boils down to HTTP session cookies and TLS server certificates. Therefore, the overall security is not improved and does not justify the additional costs. In this paper, we investigate this security challenge for the German national identity card and its eID functionality. We show that the solution currently standardized by the German government does not offer any additional security, by giving an in-depth analysis of the complete software system. We discuss several possible paths to an enhanced solution based on TLS channel bindings. Finally, we describe a system setup based on the SAML Holder-of-Key Web Browser Profile, which also mitigates interoperability problems.
Information Technology | 2014
Detlef Hühnlein; Tobias Wich; Johannes Schmölz; Hans-Martin Haase
The typical identity management (IdM) techniques used in web-based applications are about to change from application-specific means for identification, authentication and authorization towards the support of standardized, secure and privacy friendly mechanisms for Single Sign-On (SSO). In this paper we outline the different phases of this evolution, which started with the introduction of standardized interfaces for authentication and authorization and allowed to shift these sensitive tasks from the application towards the web application server. In a second phase the interfaces were extended to support authentication and authorization in distributed systems and feature SSO-techniques. The third phase adds identification and aims at providing more security for distributed authentication infrastructures and finally there is a trend towards providing more privacy friendly mechanisms for identity management in the future.
Archive | 2012
Detlef Hühnlein; Johannes Schmölz; Tobias Wich; Moritz Horsch
With the introduction of the new identity card, the electronic proof of identity pursuant to § 18 PAuswG in particular was made possible, with which card holders can electronically prove their identity to public and non-public bodies. In an analogous way, other smart cards, such as the electronic health card or bank and signature cards, can also be used for secure authentication and smart-card-based proof of identity. So that state-of-the-art measures for ensuring data protection and data security can be provided in each case, this contribution systematically examines the typical threats, risks and security aspects of smart-card-based proof of identity.
Innovations in Systems and Software Engineering | 2011
Jan Eichholz; Detlef Hühnlein; Gisela Meister; Johannes Schmölz
The nationally funded project [BioP@ss] researches the possibilities of an IP-based smart card interface based on the international smart card application interface standards [CEN 15480] and [ISO/IEC 24727]. Instead of the classical APDU-based communication, a TCP/IP-based web service communication with the smart card is established. This solution offers the benefit that this interface relies on well-established standardized Internet protocols and hence reduces the necessity of an intermediate middleware implementation which translates web service calls into APDUs. Additionally, we define a [SAML(v2.0)] profile, which allows the implementation of an Identity Provider directly on a smart card.
Datenschutz Und Datensicherheit - Dud | 2013
Moritz Horsch; Detlef Hühnlein; Anja Lehmann; Johannes Schmölz; Tobias Wich
Various mechanisms are available for strong authentication and electronic proof of identity. From a data protection perspective, they range from authentication with X.509 certificates, through the Extended Access Control protocol supported by the new identity card, to privacy-friendly credentials. This article explains how these different technologies can be used with the Open eCard App.
Sicherheit | 2012
Detlef Hühnlein; Dirk Petrautzki; Johannes Schmölz; Tobias Wich; Moritz Horsch; Thomas Wieland; Jan Eichholz; Alexander Wiesmaier; Johannes Braun; Florian Feldmann; Simon Potzernheim; Jörg Schwenk; Christian Kahlo; Andreas Kühne; Heiko Veit
Open Identity Summit | 2013
Raik Kuhlisch; Dirk Petrautzki; Johannes Schmölz; Ben Kraufmann; Florian Thiemer; Tobias Wich; Detlef Hühnlein; Thomas Wieland
Archive | 2013
Moritz Horsch; Detlef Hühnlein; Christian Breitenstrom; Thomas Wieland; Alexander Wiesmaier; Benedikt Biallowons; Dirk Petrautzki; Simon Potzernheim; Johannes Schmölz; Alexander Wesner; Tobias Wich
Open Identity Summit | 2013
Tobias Wich; Moritz Horsch; Dirk Petrautzki; Johannes Schmölz; Detlef Hühnlein; Thomas Wieland; Simon Potzernheim
Archive | 2013
Lead Participant Tud; Moritz Horsch; Johannes Schmölz