iPIN and mTAN for Secure eID Applications

  • Johannes Braun
  • Moritz Horsch
  • Alexander Wiesmaier
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7232)


Recent attacks on the German identity card show that a compromised client computer allows for PIN compromise and man-in-the-middle attacks on eID cards. We present a selection of new solutions to that problem which do not require changes in the card specification. All presented solutions protect against PIN compromise attacks, some of them additionally against man-in-the-middle attacks.


eID iPIN onetime PIN nPA mTAN man-in-the-middle PIN compromise identity theft smartcard 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Federal Office for Information Security. Architektur elektronischer Personalausweis und elektronischer Aufenthaltstitel. Technical Guideline BSI-TR-03127, Version 1.14 (2011),
  2. 2.
    International Civil Aviation Organization (ICAO). Machine Readable Travel Documents - Part 1: Machine Readable Passport, Specifications for electronically enabled passports with biometric identification capabilities. ICAO Doc 9303 (2006)Google Scholar
  3. 3.
    International Civil Aviation Organization (ICAO). Machine Readable Travel Documents - Part 3: Machine Readable Official Travel Documents, Specifications for electronically enabled official travel documents with biometric identification capabilities. ICAO Doc 9303 (2008)Google Scholar
  4. 4.
    International Civil Aviation Organization (ICAO). Supplemental Access Control for Machine Readable Travel Documents. ISO/IEC JTC1 SC17 WG3/TF5 for ICAO, Version 0.8, Draft of 12.10.2009 (2009)Google Scholar
  5. 5.
    ISO/IEC. ISO/IEC 14443-1: Identification cards - Contactless integrated circuit(s) cards - Proximity cards - Part 1-4. International Standard (2001)Google Scholar
  6. 6.
    Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik). Advanced Security Mechanism for Machine Readable Travel Documents - Extended Access Control (EAC), Password Authenticated Connection Establishment (PACE), and Restricted Identification (RI). Technical Directive (BSI-TR-03110), Version 2.05 (2010),
  7. 7.
    Bender, J., Fischlin, M., Kügler, D.: Security Analysis of the PACE Key-Agreement Protocol. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds.) ISC 2009. LNCS, vol. 5735, pp. 33–48. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  8. 8.
    Ullmann, M., Kügler, D., Neumann, H., Stappert, S., Vögeler, M.: Password Authenticated Key Agreement for Contactless Smart Cards. Communications of the ACM (2008)Google Scholar
  9. 9.
    Dagdelen, Ö., Fischlin, M.: Security Analysis of the Extended Access Control Protocol for Machine Readable Travel Documents. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds.) ISC 2010. LNCS, vol. 6531, pp. 54–68. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  10. 10.
    Chaos Computer Club. Practical demonstration of serious security issues concerning swissid and the german electronic identity card, November 01 (2010),
  11. 11.
    Boyd, C., Mathuria, A.: Protocols for Authentication and Key Establishment. Springer, Heidelberg (2003)Google Scholar
  12. 12.
    Shamir, A.: How to share a secret. Communications of the ACM 22, 612–613 (1979)MathSciNetzbMATHCrossRefGoogle Scholar
  13. 13.
    Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation. In: Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, STOC 1988, pp. 1–10. ACM, New York (1988)CrossRefGoogle Scholar
  14. 14.
    Damgård, I., Keller, M.: Secure Multiparty AES. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 367–374. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  15. 15.
    Cramer, R., Damgård, I., Maurer, U.M.: General Secure Multi-party Computation from any Linear Secret-Sharing Scheme. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 316–334. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  16. 16.
    Cramer, R., Damgård, I.B., Nielsen, J.B.: Multiparty Computation from Threshold Homomorphic Encryption. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 280–299. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  17. 17.
    Paillier, P.: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999)Google Scholar
  18. 18.
    VIFF. VIFF, the Virtual Ideal Functionality Framework, January 19 (2012),
  19. 19.
    Bouncy Castle. Bouncy Castle Crypto APIs, January 19 (2012),
  20. 20.
    Horsch, M.: Mobile Authentisierung mit dem neuen Personalausweis (MONA). Master thesis, Technische Universität Darmstadt (July 2011)Google Scholar
  21. 21.
    Buchmann, J., Wiesmaier, A., Hühnlein, D., Braun, J., Horsch, M., Kiefer, F., Strenzke, F.: Towards a mobile eCard Client. Tagungsband zum 13. KryptoTag, p. 4 (December 2010)Google Scholar
  22. 22.
    Wiesmaier, A., Horsch, M., Braun, J., Kiefer, F., Hühnlein, D., Strenzke, F., Buchmann, J.: An efficient mobile PACE implementation. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2011, pp. 176–185. ACM, New York (2011)Google Scholar
  23. 23.
    Braun, J., Horsch, M., Wiesmaier, A., Hühnlein, D.: Mobile Authentisierung und Signatur. In: Schartner, P., Taeger, J. (eds.) D-A-CH Security 2011: Bestandsaufnahme, Konzepte, Anwendungen, Perspektiven, pp. 32–43. Syssec Verlag (September 2011)Google Scholar
  24. 24.
    Hühnlein, D., Petrautzki, D., Schmölz, J., Wich, T., Horsch, M., Wieland, T., Eichholz, J., Wiesmaier, A., Braun, J., Feldmann, F., Potzernheim, S., Schwenk, J., Kahlo, C., Kühne, A., Veit, H.: On the design and implementation of the Open eCard App. In: GI SICHERHEIT 2012 Sicherheit - Schutz und Zuverlässigkeit (2012)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Johannes Braun
    • 1
  • Moritz Horsch
    • 1
  • Alexander Wiesmaier
    • 2
  1. 1.Technische Universität DarmstadtDarmstadtGermany
  2. 2.AGT Group (R&D) GmbHDarmstadtGermany

Personalised recommendations