Germany Overview - RUB-NDS/FutureTrust GitHub Wiki

According to Section 2 of (BSI TR-03124-1, 2015)[1], the online authentication of the eID-Client at the eID-Server is performed via Extended Access Control Version 2.

According to Section 2.1 of (BSI TR-03124-1, 2015)[1], the infrastructure consists of the following parts:

  • browser
  • Web site/eService
  • eID-Client: client which interfaces with the eID card
  • eID-Server: server component of the eID infrastructure

The online authentication at the eService can be performed in two different ways: SOAP and SAML (see SOAP profile and SAML profile).

SOAP profile

In the first variant, the eID-Server communicates directly with the eService via SOAP as described in Section 3 of (BSI TR-03130-1, 2016)[2]. This variant consists of three message flows:

  • SOAP Initiation
  • SOAP Interaction
  • SOAP Completion

In the first message flow (SOAP initiation) the eService generates a unique URL, which the eID-Client visits. See Figure 1.

Figure 1: General message flow during initiation (SOAP) (BSI TR-03130-1, 2016)[2]

In the second message flow (SOAP interaction) the following steps are performed (see Figure 2):

1-2) The eService requests an authentication.

3) The eService transmits to the eID-Client the parameters it needs to connect to the eID-Server.

4) The eID-Client establishes a secure connection to the eID-Server and performs necessary steps for the authentication.

5) The eID-Client signals that step 4 is done and initiates a reconnection.

6-7) The eService fetches the result of the authentication.

Figure 2: General message flow during SOAP interaction (BSI TR-03130-1, 2016)[2]

In the last message flow (SOAP completion) the following steps are performed (see Figure 3):

1) The eService responds to the reconnection of the eID-Client with a new URL.

2-3) The eID-Client forwards the URL to the browser, the browser visits the URL.

Figure 3: General message flow during completion (SOAP) (BSI TR-03130-1, 2016)[2]

SAML Profile

In the second variant, the eID-Server communicates with the eService indirectly via SAML as described in Section 4 of (BSI TR-03130-1, 2016)[2]. This profile also consists of three message flows:

  • SAML Initiation
  • SAML Interaction
  • SAML Completion

In the first message flow (Initiation) the following steps are performed (see Figure 4):

1-3) These steps are identical to the steps in the SOAP profile.

4-5) The eID-Client is redirected to the SAML Processor with an AuthnRequest.

Figure 4: General message flow during SAML Initiation (BSI TR-03130-1, 2016)[2]

The second message flow (Interaction) is identical to the message flow presented in the SOAP profile, except that the eID-Client communicates with the SAML Processor instead of the eService. See Figure 5.

Figure 5: General message flow during SAML Interaction (BSI TR-03130-1, 2016)[2]

The last message flow (Completion) proceeds in these steps (See Figure 6):

1-2) SAML Processor redirects the eID-Client with an AuthnResponse to the eService.

3) The eService responds with a new URL.

4-5) The eID-Client forwards the URL to the browser; the browser visits the URL.

Figure 6: General message flow during SAML Completion (BSI TR-03130-1, 2016)[2]

Implementations

There are several implementations of German eID services.

eID Connect[3]

The goal of eID Connect is to use OpenID with the German eID card. The information on the German eID card is used to authenticate the user at an OpenID identity provider instead of requiring a username and password.

There is no information available on the status of the project.

Open eID[4]

Open eID is a Java implementation of the PACE, Terminal Authentication and Chip Authentication protocols for the German eID. It provides an eID-Client in the form of browser extensions for Firefox, Firefox Mobile and Chrome, and an Android app. It claims to conform to (BSI TR-03110, 2015)[5] and (BSI TR-03112, 2015)[6]. A closed-source eID-Server is being developed. There is no information available on the status of the project.

References

1. BSI TR-03124-1. (2015, February 24). Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI). eID-Client – Part 1: Specifications. Technical Guideline 03124-1, Version 1.2. https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03124/TR-03124-1.pdf?__blob=publicationFile&v=1
2. BSI TR-03130-1. (2016, November 16). Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI). eID-Server Part 1: Functional Specification. Technical Guideline 03130-1, Version 2.0.2. https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03130/TR-03130_TR-eID-Server_Part1.pdf?__blob=publicationFile
3. eID Connect. (2012). Research Center for Information Technology (FZI). eID Connect: Home. http://www.eid-connect.de/index.php?name=17&L=2
4. Fraunhofer Open eID. (2016). Fraunhofer. Open eID Fraunhofer download | SourceForge.net. https://sourceforge.net/projects/open-eid/
5. BSI TR-03110. (2015). Federal Office for Information Security (BSI). https://www.bsi.bund.de/DE/Publikationen/TechnischeRichtlinien/tr03110/index_htm.html
6. BSI TR-03112. (2015). Federal Office for Information Security (BSI). https://www.bsi.bund.de/DE/Publikationen/TechnischeRichtlinien/tr03112/index_htm.html
