personalausweisportal.de
29.11.2012

INTERFACES

3. Application software for users – AusweisApp

In order to use their new identity card online, users require software that serves as the interface between the ID, the card reader and the service provider’s eID server. This software, called “AusweisApp” (“Ausweis” is the German word for “ID document”), will be available free of charge on a web portal of the German Federal Ministry of the Interior (https://www.ausweisapp.bund.de) for the operating systems Windows, Linux and Mac OS.

In addition to utilizing the identification function of the new ID cards, AusweisApp also enables qualified electronic signature with multiple signature cards, both conventional contact type cards and contactless devices like the new ID card. Functions of the German health card are also supported.

AusweisApp is an implementation of the Technical Guideline eCard-API Framework [TR-03112], which defines easy-to-use, uniform interfaces for communication between card readers, cards and applications (web-based and local).

4. Security mechanisms for the identification function of the new ID card

The security mechanisms and resulting IT infrastructures for the new ID card ensure protection of personal data, proof of the authenticity of the identity document and proof against forgery.

Special attention has been given to solutions for securing the contactless interface between the ID card and the terminal – which, among other things, must meet the requirements for qualified electronic signatures.

The following protocols and other measures for achieving the aforementioned security objectives were developed under the active leadership and participation of the BSI.

SECURITY

| Abbreviation | Full name | Purpose |
|---|---|---|
| PACE | Password Authenticated Connection Establishment | Access control, protects the RF chip from being read at a distance. |
| EAC | Extended Access Control | Extended access control, comprising two subprotocols. |
| CA (part of EAC) | Chip Authentication | Establishment of a secure link and detection of “cloned” RF chips. |
| TA (part of EAC) | Terminal Authentication | Authentication of terminal device for reading sensitive data from RF chip. |
| PA | Passive Authentication | Validation of authenticity and integrity of the data on the RF chip. |
| RI | Restricted Identification | Generation of chip- and provider-specific pseudonyms. |

