iPIN and mTAN for Secure eID Applications

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC, volume 7232)

Abstract

Recent attacks on the German identity card show that a compromised client computer allows for PIN compromise and man-in-the-middle attacks on eID cards. We present a selection of new solutions to that problem which do not require changes in the card specification. All presented solutions protect against PIN compromise attacks, some of them additionally against man-in-the-middle attacks.

Keywords

  • eID
  • iPIN
  • onetime PIN
  • nPA
  • mTAN
  • man-in-the-middle
  • PIN compromise
  • identity theft
  • smartcard

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Braun, J., Horsch, M., Wiesmaier, A. (2012). iPIN and mTAN for Secure eID Applications. In: Ryan, M.D., Smyth, B., Wang, G. (eds) Information Security Practice and Experience. ISPEC 2012. Lecture Notes in Computer Science, vol 7232. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29101-2_18

  • DOI: https://doi.org/10.1007/978-3-642-29101-2_18

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-29100-5

  • Online ISBN: 978-3-642-29101-2

  • eBook Packages: Computer Science, Computer Science (R0)