Insecurity of Anonymous Login with German Personal Identity Cards

                     Lucjan Hanzlik, Kamil Kluczniak,  Miroslaw Kutylowski 
		    Faculty of Fundamental Problems of Technology
                       Wroclaw University of Technology

  One of the major inventions of the new personal identity cards in Germany 
is supporting  anonymous authentication. The intention is to provide 
a cryptographically strong method replacing insecure login-password mechanism
that would work automatically for an unlimited number of services 
and no PKI infrastructure.

The protocol Restricted Identification  (RI) enables to authenticate in 
an unlimited number of domains  with passwords created with strong asymmetric
cryptography. Moreover, the RI scheme guarantees \textit{unlinkability} of user's 
authentication in different domains. 

The Achilles Heel of the RI scheme is Chip Authentication procedure that comes 
before RI. The terminal must make sure that it is talking with a genuine 
identification card and authentication via so-called group key is used. 
The group key is shared by many ID cards in order to create a sufficiently large 
anonymity set. 

While weaknesses of the group key approach have already been pointed to 
(possibility to forge cards authenticating with RI after breaking into just one card), 
we point at a more  serious threat.  We present an attack, where the party holding 
the group key and eavesdropping the communication between a card and a terminal 
can learn  the pseudonym and later authenticate as this user in this domain. 
In this way the party issuing the cards may get an unlimited access to citizens' accounts.
We show how to solve the problem by slight changes in the protocol. 

KEYWORDS: 
German ID card, neuer Personalausweis, Restricted Identification, Chip Authentication, 
authentication, anonymity, unlinkability, domain specific identifier, group key, attack

PRESENTED AT: SocialSec'2015, Hangzhou