Title
Options for integrating eID and SAML
Abstract
Several European countries are currently introducing highly sophisticated eID functionality in their national identity cards. This functionality typically has no direct relation to web security standards, but will be integrated with web technologies to enable browser-based access to critical resources. Combining eID protocols and web standards such as TLS in a secure way proves extremely challenging: the security of many of the proposed systems boils down to HTTP session cookies and TLS server certificates. Therefore, the overall security is not improved and does not justify the additional costs. In this paper, we investigate this security challenge for the German national identity card and its eID functionality. We show, by giving an in-depth analysis of the complete software system, that the solution currently standardized by the German government does not offer any additional security. We discuss several possible paths to an enhanced solution based on TLS channel bindings. Finally, we describe a system setup based on the SAML Holder-of-Key Web Browser Profile, which also mitigates interoperability problems.
Year: 2013
DOI: 10.1145/2517881.2517892
Venue: Digital Identity Management
Keywords: sophisticated eid functionality, web security standard, eid functionality, web standard, tls channel binding, overall security, eid protocol, security challenge, tls server certificate, additional security, authentication
Field: Single sign-on, Internet security, World Wide Web, Internet privacy, Authentication, Computer security, Interoperability, Computer science, Web standards, Communication channel, Software system, Government
DocType: Conference
Citations: 1
PageRank: 0.40
References: 18
Authors: 9

Name                Order   Citations   PageRank
Detlef Hühnlein     1       130         41.35
Jörg Schwenk        2       899         88.54
Tobias Wich         3       7           6.59
Vladislav Mladenov  4       27          9.22
Florian Feldmann    5       7           2.90
Andreas Mayer       6       23          1.89
Johannes Schmölz    7       2           3.13
Bud P. Bruegger     8       12          4.18
Moritz Horsch       9       7           5.65