eID Online Authentication Network Threat Model, Attacks and Implications - Prof. Dr. Norbert Pohlmann
Since November 2010, the new electronic German ID card provides a facility to perform an online remote authentication of the ID card holder. This method is called eID online authentication and is defined in the Technical Guideline TR-03110 of the Federal Office for Information Security. As part of the eID online authentication, personal data can be transmitted from the electronic ID card to its counterpart, the eID server. All data transmitted between the electronic ID card and the eID server is supposed to be subject to secure messaging.
We develop a threat model and address the feasibility of network-level man-in-the-middle attacks against the eID online authentication functionality of the new German electronic ID card. Furthermore, we perform a number of man-in-the-middle attacks against the most widely used eCard-API client implementation for the eID service, called AusweisApp. As personal data is increasingly valuable nowadays, we take the role of an attacker trying to intercept personal data that is transmitted as part of the eID online authentication.
Further information on the topic "Identification":
Lecture: "Identification and Authentication"
Information about the textbook: "Cyber-Sicherheit"