Options for Integrating eID and SAML
Hühnlein, Detlef, Jörg Schwenk, Wich, Tobias, Vladislav Mladenov, Florian Feldmann, Andreas Mayer, Schmölz, Johannes, Bruegger, Bud P., Horsch, Moritz
CCS 2013 Post-Conference Workshop, Digital Identity Management (DIM)
Several European countries currently introduce highly sophisticated eID functionality in their national identity cards. This functionality typically has no direct relation to web security standards, but will be integrated with web technologies to enable browser-based access to critical resources. The research challenge to combine eID protocols and web standards like TLS in a secure way proves extremely challenging: The security of many of the proposed systems boils down to HTTP session cookies and TLS server certi cates. Therefore, the overall security is not improved and does not justify the additional costs. In this paper, we investigate this security challenge for the German national identity card and its eID functionality. We show that the solution currently standardized by the German government does not o er any additional security, by giving an in-depth analysis of the complete software system. We discuss several possible paths to an enhanced solution based on TLS channel bindings. Finally, we describe a system setup based on the SAML Holder-of-Key Web Browser Pro le, which also mitigates interoperability problems.