Security Analysis of eIDAS – The Cross-Country Authentication Scheme in Europe

Nils Engelbertz, Nurullah Erinola, David Herring, Vladislav Mladenov, Juraj Somorovsky, Jörg Schwenk

12th USE­NIX Work­shop on Of­fen­si­ve Tech­no­lo­gies (WOOT '18)


In 2014, the European Commission released the eIDAS regulation targeting the compatibility of cross-country electronic services within the European Union. eIDAS (electronic IDentification, Authentication and trust Services) prescribes implementation standards and technologies for electronic signatures, digital certificates, Single Sign-On (SSO), and trust services. It is based on well-established standards like SAML to achieve high security and compatibility between EU countries. In this paper, we present the first security study of authentication schemes used in eID services. Our security analysis shows that 7 of 15 European eID services were vulnerable to XML-based attacks enabling efficient Denial-of-Service (DoS) and Server Side Request Forgery (SSRF) attacks. On 5 of the 15 eID services, we were even able to exfiltrate locally stored files and send these files to an arbitrary domain. To support the developers and security teams of eID services, we implemented a Burp Suite extension working in a fully-automated or semi-automated mode. Additionally, we summarize best practices related to eID-based authentication and SSO in general.