Securing Transactions with the eIDAS Protocols

  • Frank Morgner
  • Paul Bastian
  • Marc Fischlin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9895)


The proposed European system for electronic identities, authentication, and trust services (eIDAS) enables remote authentication of an identity card (and selected data of the card) to an eID service. The core system has already been running on the German identity card since 2010. We analyze an extension proposed by Bundesdruckerei that enables the protocol to authenticate further transaction data such as phone numbers or PGP keys. In particular we prove cryptographically that the extension provides strong authenticity guarantees. We also discuss privacy aspects of the solution, preventing the card and the service provider of the eIDAS system to learn the actual transaction data.


Replay Attack Transaction Data Identity Card Random String Card Reader 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



We thank the anonymous reviewers of WISTP 2016 for valuable comments.


  1. 1.
    Bundesamt für Sicherheit in der Informationstechnik (BSI, Federal Office for Information Security): Advanced Security Mechanism for Machine Readable Travel Documents - Extended Access Control (EAC), Password Authenticated Connection Establishment (PACE), and Restricted Identification (RI), BSI-TR-03110, Version 2.0 (2008)Google Scholar
  2. 2.
    Bundesamt für Sicherheit in der Informationstechnik (BSI, Federal Office for Information Security): Technical Guideline TR-03110-2: Advanced Security Mechanisms for Machine Readable Travel Documents and eIDAS Token, Part 2, Protocols for electronic IDentification, Authentication and trust Services (eIDAS). BSI-TR-03110, Version 2.2 (2015)Google Scholar
  3. 3.
    Morgner, F.: Transaktionsabsicherung mit der Online-Ausweisfunktion. Kryptographische Bindung von Transaktionsdaten an den Personalausweis. Presentation, CeBit 2014, March 2014Google Scholar
  4. 4.
    Bellare, M., Kohno, T., Namprempre, C.: Breaking and provably repairing the SSH authenticated encryption scheme: a case study of the encode-then-encrypt-and-MAC paradigm. ACM Trans. Inf. Syst. Secur. 7(2), 206–241 (2004)CrossRefMATHGoogle Scholar
  5. 5.
    Bender, J., Dagdelen, Ö., Fischlin, M., Kügler, D.: The PACE\(|\)AA protocol for machine readable travel documents, and its security. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 344–358. Springer, Heidelberg (2012)Google Scholar
  6. 6.
    Bender, J., Dagdelen, Ö., Fischlin, M., Kügler, D.: Domain-specific pseudonymous signatures for the german identity card. In: Gollmann, D., Freiling, F.C. (eds.) ISC 2012. LNCS, vol. 7483, pp. 104–119. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  7. 7.
    Bender, J., Fischlin, M., Kügler, D.: Security analysis of the PACE key-agreement protocol. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds.) ISC 2009. LNCS, vol. 5735, pp. 33–48. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  8. 8.
    Bender, J., Fischlin, M., Kügler, D.: The PACE\(|\)CA protocol for machine readable travel documents. In: Bloem, R., Lipp, P. (eds.) INTRUST 2013. LNCS, vol. 8292, pp. 17–35. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  9. 9.
    Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  10. 10.
    Coron, J.-S., Gouget, A., Icart, T., Paillier, P.: Supplemental access control (PACE v2): security analysis of PACE integrated mapping. In: Naccache, D. (ed.) Cryphtography and Security: From Theory to Applications. LNCS, vol. 6805, pp. 207–232. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  11. 11.
    Dagdelen, Ö., Fischlin, M.: Security analysis of the extended access control protocol for machine readable travel documents. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds.) ISC 2010. LNCS, vol. 6531, pp. 54–68. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  12. 12.
    Hanzlik, L., Kutylowski, M.: Restricted identification secure in the extended Canetti-Krawczyk model. J. UCS 21(3), 419–439 (2015)Google Scholar
  13. 13.
    Hanzlik, L., Krzywiecki, Ł., Kutyłowski, M.: Simplified PACE\(|\)AA protocol. In: Deng, R.H., Feng, T. (eds.) ISPEC 2013. LNCS, vol. 7863, pp. 218–232. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  14. 14.
    Jatz, J., Lindell, Y.: Introduction to Modern Cryptography. Chapman & Hall/CRC Cryptography and Network Security Series, 2nd edn (2015)Google Scholar
  15. 15.
    Kutyłowski, M., Krzywiecki, Ł., Kubiak, P., Koza, M.: Restricted identification scheme and diffie-hellman linking problem. In: Chen, L., Yung, M., Zhu, L. (eds.) INTRUST 2011. LNCS, vol. 7222, pp. 221–238. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  16. 16.
    Maurer, U., Tackmann, B.: On the soundness of authenticate-then-encrypt: formalizing the malleability of symmetric encryption. In: Al-Shaer, E., Keromytis, A.D., Shmatikov, V. (eds.) ACM CCS 2010, pp. 505–515. ACM Press, October 2010Google Scholar
  17. 17.
    Namprempre, C.: Secure channels based on authenticated encryption schemes: a simple characterization. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 515–532. Springer, Heidelberg (2002)CrossRefGoogle Scholar

Copyright information

© IFIP International Federation for Information Processing 2016

Authors and Affiliations

  1. 1.Bundesdruckerei GmbHBerlinGermany
  2. 2.Technische Universität DarmstadtDarmstadtGermany

Personalised recommendations