Abstract
Recent attacks on the German identity card show that a compromised client computer allows for PIN compromise and man-in-the-middle attacks on eID cards. We present a selection of new solutions to that problem which do not require changes in the card specification. All presented solutions protect against PIN compromise attacks, some of them additionally against man-in-the-middle attacks.
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Braun, J., Horsch, M., Wiesmaier, A. (2012). iPIN and mTAN for Secure eID Applications. In: Ryan, M.D., Smyth, B., Wang, G. (eds) Information Security Practice and Experience. ISPEC 2012. Lecture Notes in Computer Science, vol 7232. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29101-2_18
DOI: https://doi.org/10.1007/978-3-642-29101-2_18
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-29100-5
Online ISBN: 978-3-642-29101-2
eBook Packages: Computer Science (R0)