Germany to Roll Out ID cards with Embedded RFID; They Will Also Be Used for Establishing Identity Online
Via: International Business Times:
The production of the RFID chips, an integral element of the new generation of German identity cards, has started after the government gave a 10 year contract to the chipmaker NXP in the Netherlands. Citizens will receive the mandatory new ID cards from the first of November.
The new ID card will contain all personal data on the security chip that can be accessed over a wireless connection.
The new card allows German authorities to identify people with speed and accuracy, the government said. These authorities include the police, customs and tax authorities and of course the local registration and passport granting authorities.
German companies like Infineon and the Dutch NXP, which operates a large-scale development and manufacturing base in Hamburg, Germany, are global leaders in making RFID security chips. The new electronic ID card, which will gradually replace the old mandatory German ID cards, is one of the largest-scale roll-outs of RFID cards with extended official and identification functionality.
The card will also have extended functionality, including the ability to enable citizens to identify themselves on the internet by using the ID card with a reading device at home. After registering an online account bound to the ID card, citizens are able, for example, to do secure online shopping, download music and, most importantly, interact with government authorities online.
August 2010 @ http://cryptogon.com/?p=17169
__________
22 September 2010
CCC reveals security problems with German electronic IDs
The Chaos Computer Club (CCC) has repeated its criticism of Germany's new electronic IDs (eIDs). They claim that the system used with the basic scanner, 1 million of which are to be handed out for free, is inherently unsafe.
The electronic identity cards with their integrated RFID chips are being introduced in Germany to allow the authorities to quickly and reliably identify citizens. Card holders can, by using the basic reader, also use the card to identify themselves online and lock accounts on government web sites to the eID on the identity card. The mandatory electronic identity cards are being issued from the start of November.
But, back in August, CCC members demonstrated on German TV news show "Plusminus" how attackers can use malicious software on a PC to sniff the input of the eID's PIN. The basic scanner does not have a keyboard that would allow the PIN to be entered manually and prevent sniffing.
Tonight, another German news show, "Bericht aus Brüssel" (German language link), will be broadcasting a similar demonstration by the CCC starting at 8:55 PM GMT. The show will demonstrate that software freely available to everyone on the Internet can be used to remotely control the electronic ID using the stolen PIN. The CCC said in a press release (German language link) that once an attacker has the PIN, they can use the eID for anything, as long as the identity card is inserted in a scanner. Attackers could hide in the background and act as the holder of the ID without even having to access the transmitted data. It's even possible, say the CCC, for attackers to change the ID's "secret" PIN.
Tricks like virtual keyboards operated via a mouse apparently do not provide additional security, and even scanners with their own PIN keyboards only offer limited protection. Man-in-the-browser attacks can be conducted to modify the content of transactions without the knowledge of users. Users can only see what transactions they are conducting if the scanner displays the most important transaction data, such as the recipient account and the amount for online banking, before the PIN is input.
The CCC also criticises the new electronic identity card's optional signature function, which provides a legally binding signature for digital documents. Attackers have reportedly already managed to use Switzerland's SuisseID card to put a legally binding signature on a foreign identity. The CCC says the German ID card has similar vulnerabilities.
In particular, the CCC complains that there are no guidelines for how documents to be signed must be set up. They argue that it is generally a bad idea to put digital signatures into complex document formats because users cannot be certain that the document will always be displayed the same way in different applications.
For example, the "SwissSigner" program can sign a PDF file containing active JavaScript even though the application cannot correctly display the document and the document has a different appearance in the widely used Acrobat Reader. Nonetheless, under certain conditions, it has been shown that the qualified signature can remain intact.
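A pre-signing policy check in the spirit of the CCC's objection, added here as an example and not code from the article, the CCC, the BSI or any signing product: before a document is passed to a qualified-signature routine, refuse any PDF that carries active or dynamic content (JavaScript, open/additional actions, launch, rich media, XFA forms), since such content is exactly what can make the signed bytes render differently from viewer to viewer. The two sample PDFs, the deny-list and the function names are constructed for this illustration.

```python
import re

# Constructed deny-list: PDF names that introduce behaviour a signer cannot
# guarantee to render identically in every viewer.
ACTIVE_NAMES = {"/JavaScript", "/JS", "/OpenAction", "/AA",
                "/Launch", "/RichMedia", "/XFA"}

_NAME_RE = re.compile(rb"/[^\s/<>\[\]()]+")  # a PDF name token


def _decode_name(raw: bytes) -> str:
    # PDF names may hide characters as #xx hex escapes (e.g. /Java#53cript),
    # which viewers still honour, so normalise before comparing.
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def active_content_findings(pdf: bytes) -> list[str]:
    """Return deny-listed names present in the PDF. Object streams keep their
    objects Flate-compressed, so this scanner cannot see inside them; their
    presence is reported as a finding so the document is not cleared blindly."""
    names = {_decode_name(tok) for tok in _NAME_RE.findall(pdf)}
    findings = sorted(names & ACTIVE_NAMES)
    if "/ObjStm" in names:
        findings.append("/ObjStm (compressed objects not inspected)")
    return findings


def safe_to_sign(pdf: bytes) -> bool:
    """Policy gate: sign only documents with no findings at all."""
    return not active_content_findings(pdf)


# Constructed sample: a static one-page PDF with no actions.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: same skeleton, but the catalog fires a JavaScript action
# on open, with the action type name hex-escaped to evade naive matching.
ACTIVE_PDF = CLEAN_PDF.replace(
    b"/Pages 2 0 R >>", b"/Pages 2 0 R /OpenAction 4 0 R >>").replace(
    b"trailer", b"4 0 obj << /S /Java#53cript /JS (app.alert('hi')) >> endobj\ntrailer")
```

A production gate would use a full PDF parser that inflates object streams and walks the object graph; the byte-level scan above is deliberately conservative and errs toward refusing to sign.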
An expert from the BSI, Jens Bender, noted the criticism of the CCC and acknowledged that users would be making "a big mistake" if the identity card was left in a reader for longer than necessary. But apart from services such as age verification, it would be impossible for online criminals to carry out fraudulent financial transactions on the Internet because a separate signature feature would need to be activated. This signature, he says, is protected by a second PIN which can only be entered into a reader with an integrated keypad.
Under no circumstances, Bender says, would an attacker gain access to the personal data of the eID card holder as this would be transmitted in an encrypted form. He did concede that it was possible to change the PIN number but regarded that as an improbable scenario as the owner would immediately realise that something was wrong. The BSI stresses that even with the known weaknesses of the basic readers, the authentication procedure is significantly safer than the combination of user name and password that is in use now.
Sept. 2010 @ http://www.h-online.com/security/news/item/CCC-reveals-security-problems-with-German-electronic-IDs-1094577.html