German ID card - verification of user's personal information

Electronic ID card and the AusweisApp

On 1 November 2010, the electronic ID card (nPA) was introduced in Germany with an integrated RFID chip, which can provide the same personal information as the printed card itself, but electronically. The owner of the card can request the activation of this feature at the local administration and receives a PIN; the card is then used in a similar fashion to a credit card.

In order to read the chip's data, specific card readers are required, which come in different styles (with or without a PIN input field; some can also be used for electronic signatures). Additionally, it is required to install the 'AusweisApp', which shows the accessed data and requires the user's confirmation. When using a card reader without a PIN input field, the AusweisApp can also be used to input the PIN with the computer's keyboard.

The electronic ID card enables its owner to verify their identity on the Internet. However, some functionality is restricted to government institutions only, which determines which items of personal data can be accessed.


In order to use the electronic ID card, a website has to use a so-called eID-Service, which provides the corresponding functionality. These services handle the entire communication with the AusweisApp and the nPA, check the validity of the relevant licences and finally provide the website with the data.

This data is signed electronically and can be checked with a public verification key, which is published by a government institution. Besides the actual personal information, it also contains the time of access and its time of validity.
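The following Go program is an added illustration of the check a website should perform on the signed data described above; it is not code from the AusweisApp, any eID-Service, or the original page. It assumes a simplified model: the attribute set is a constructed JSON document, the signature scheme is Ed25519, and a locally generated key pair stands in for the government-published verification key. The real eID-Service message format and signature algorithm are not shown on the page and are not modelled here. The point it demonstrates is the order of checks: verify the signature first, and only then parse the payload and enforce the access time and validity period, so that neither a tampered response nor a genuine response replayed after its validity window is accepted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Attributes is a constructed, simplified stand-in for the personal data an
// eID-Service returns to a web site. Only the fields the page mentions
// (personal data, time of access, time of validity) are modelled.
type Attributes struct {
	GivenName  string    `json:"given_name"`
	FamilyName string    `json:"family_name"`
	AccessTime time.Time `json:"access_time"` // when the card was read
	ValidUntil time.Time `json:"valid_until"` // the web site must not rely on the data after this
}

// SignedResponse carries the serialised attributes plus a signature over them.
type SignedResponse struct {
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("signature does not verify against the published key")
	ErrNotYetValid  = errors.New("access time lies in the future")
	ErrExpired      = errors.New("validity period of the response has passed")
)

// MaxClockSkew is how far ahead of the verifier's clock the access time may lie
// before the response is rejected (an assumed tolerance, not a standard value).
const MaxClockSkew = 2 * time.Minute

// Sign models the eID-Service side: serialise the attributes and sign them.
func Sign(priv ed25519.PrivateKey, a Attributes) (SignedResponse, error) {
	payload, err := json.Marshal(a)
	if err != nil {
		return SignedResponse{}, err
	}
	return SignedResponse{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify models the web-site side: check the signature with the published
// verification key first, then parse the payload and enforce the time window.
// The attributes are returned only if every check passes.
func Verify(pub ed25519.PublicKey, r SignedResponse, now time.Time) (Attributes, error) {
	if !ed25519.Verify(pub, r.Payload, r.Signature) {
		return Attributes{}, ErrBadSignature
	}
	var a Attributes
	if err := json.Unmarshal(r.Payload, &a); err != nil {
		return Attributes{}, err
	}
	if a.AccessTime.After(now.Add(MaxClockSkew)) {
		return Attributes{}, ErrNotYetValid
	}
	if now.After(a.ValidUntil) {
		return Attributes{}, ErrExpired
	}
	return a, nil
}

func main() {
	// Constructed demo: one freshly generated key pair stands in for the
	// service's signing key and the government-published verification key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Date(2024, 5, 1, 12, 0, 0, 0, time.UTC)
	attrs := Attributes{
		GivenName: "Erika", FamilyName: "Mustermann",
		AccessTime: now.Add(-10 * time.Second),
		ValidUntil: now.Add(5 * time.Minute),
	}
	resp, _ := Sign(priv, attrs)

	if a, err := Verify(pub, resp, now); err == nil {
		fmt.Println("accepted:", a.GivenName, a.FamilyName)
	}
	// Any change to the payload (here a different name) breaks the signature.
	tampered := resp
	tampered.Payload = []byte(`{"given_name":"Max","family_name":"Mustermann"}`)
	_, err = Verify(pub, tampered, now)
	fmt.Println("tampered payload:", err)
	// A genuine response presented again after its validity period is rejected too.
	_, err = Verify(pub, resp, now.Add(time.Hour))
	fmt.Println("presented later:", err)
}
```

Verifying before parsing matters: the JSON decoder is only ever fed bytes whose origin has been established, and the timestamps used for the window check come from the signed payload rather than from anything the client could supply separately.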


There are different opinions on the security of the nPA and the electronic ID (eID) services:

  • On one hand, the underlying protocols for encryption and mutual authentication are state-of-the-art and provably secure in the cryptographic sense.

  • On the other hand, the Chaos Computer Club (CCC) showed at the nPA's introduction that specific malware can be used to attack the AusweisApp and the entire process, especially if a card reader without a PIN input field is used. However, this scenario is very specific, and even after a successful attack the possible actions are limited.

  • Because the CCC's attack is based on malware, the usual security measures such as virus scanners and firewalls can provide a certain level of protection. However, it should be noted that these measures cannot provide absolute security.