AusweisApp

from Wikipedia, the free encyclopedia

Basic data

Maintainer: BSI
Developer: OpenLimit SignCubes AG
Current version: 1.8 (referred to as "2.0") (June 1, 2016)
Operating system: Windows, Linux up to version 1.13 (Debian, Ubuntu, openSUSE), Mac
Programming language: Java
Category: eID client
License: Proprietary (Freeware)
German speaking: Yes
Website: www.ausweisapp.bund.de

The AusweisApp (Bürgerclient until July 2010) is free application software for the PC that enables electronic authentication over the Internet with the new German ID card and the electronic residence permit. The AusweisApp is available for the Microsoft Windows, Linux and Mac OS operating systems. The software was developed by OpenLimit SignCubes AG on behalf of Siemens IT Solutions and Services GmbH and financed by the Federal Ministry of the Interior (BMI).

The AusweisApp is not open source software and therefore cannot be reviewed by independent security experts. This is particularly important against the background of security gaps or increasing state surveillance (for example the so-called "Federal Trojan").

On November 1, 2014, the AusweisApp was replaced by the AusweisApp2.

Introduction

The software creates an encrypted connection between the new identity card or the electronic residence permit on one side and the eID server on the other. The AusweisApp is used to carry out the certificate and authenticity checks securely and to offer the citizen a user interface for using the new identity card or the electronic residence permit. With the help of the program, which ID card holders have to install on their PC beforehand, citizens can identify themselves on the Internet and electronically sign documents. Before the new ID card was introduced on November 1, 2010, around 200 companies and authorities checked the software as part of a user test.

The program was initially made available for free download by the Federal Office for Information Security (BSI) from November 8-10, 2010, but was then withdrawn due to two security vulnerabilities. On January 3, 2011, a new, corrected version of the program was available.

Development

In early November 2009, the Federal Ministry of the Interior commissioned the general contractor Siemens IT Solutions and Services as well as the Bundesdruckerei and OpenLimit SignCubes AG to create the application software for the new ID card. The three companies won the tender against a consortium made up of IBM and bremen online services. The order volume was around four million euros.

Certification

OpenLimit has registered the AusweisApp for certification in accordance with the EAL4+ Common Criteria guidelines. In addition, an application was made to the BSI for confirmation of the program in accordance with the Signature Act. According to heise online, the certification has not yet been completed.

Renaming of Bürgerclient to AusweisApp

Originally the AusweisApp was called Bürgerclient. The name was changed to AusweisApp in July 2010 based on a proposal from the design specialists from the Hasso Plattner Institute in Potsdam. They had used the term in a report commissioned by the BMI on the acceptance and use of the ID. According to the Federal Ministry of the Interior, the term Bürgerclient has turned out to be too bulky and difficult to understand for citizens. The meaning of the term "client" is not clear to many, and the umlaut "ü" in "Bürger" makes it difficult to use it in Internet domains. In addition, the supposedly male term "Bürger" (citizen) should not be used without the female form "Bürgerin".

Procedure

In the technical definition, the AusweisApp is a middleware in accordance with the eCard API Framework TR-03112 of the Federal Office for Information Security (BSI), which establishes communication with the card reader, chip card and the server component eID server. In the future, users will be able to identify themselves to portals and platforms, online banking and electronic trading. The "authenticity" of the Internet provider is determined beforehand. At the request of the service provider, after checking his identity, he will receive an authorization certificate from a government agency, the Federal Administration Office. If a citizen registers in an online portal, this certificate is automatically sent to him before the user releases his data. The authorization certificate is therefore a "certificate" for the card holder. It confirms the authenticity of the provider and is intended to protect against unwanted manipulation (e.g. phishing). The validity of the certificate is limited to two days. This short period of validity is intended to avoid having to keep lists of blocked certificates or to carry out product recalls.

In the next step, the citizen proves his identity to the service provider. The AusweisApp reads the data of the user from his ID via the card reader and secures the communication with an eID server. The eID server is to use a public key infrastructure to ensure that only authorized persons can read the ID data and that citizens can use the desired online service. After reading out the data, the citizen decides whether to transmit the data required for this process to the online portal and which optional data to send in addition. With a personally determined (six-digit) PIN, he releases the data to the online service provider. The authenticity of the PIN is confirmed to the chip by the Password Authenticated Connection Establishment (PACE) security protocol. The encrypted transmission of the selected data concludes the registration process.

With the AusweisApp it is possible to move around the Internet using pseudonyms. If only age verification is necessary for a certain internet service (for example for online games or film portals), no personal data need to be released by the user. Even the age is not transmitted, only information as to whether the ID card holder is over or under the required minimum age. The pseudonym is generated from a character string. This is made up of the ID of the ID card and an ID supplied by the online service provider. It is sent to the service provider in place of the name, provided that the real name is not relevant for the functions, e.g. of a web-based platform. The pseudonym guarantees the provider that a real person is hiding behind it, as he has already stored his identity with the ID application. It is structured by the character sequence in such a way that it is mathematically not possible to calculate back to the real person. Each portal automatically generates a new pseudonym for a user. The merging of user profiles from several websites (tracking), for example to determine the purchasing behavior of the user, should thus be prevented. According to the proponents of the AusweisApp, pseudonymised surfing with the help of the AusweisApp and the new identity card or electronic residence permit should offer a higher level of data protection.
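The per-provider pseudonym, the yes/no age answer and the holder's release of data described above can be sketched as follows. This is an added example, not AusweisApp code and not part of the original article; HMAC-SHA-256 is an assumed stand-in for the card's actual pseudonym derivation, which the article does not specify, and the card values, provider IDs and function names are constructed.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample card; every value here is made up for illustration.
CARD = {
    "secret": b"constructed-card-secret-0001",  # stays on the chip
    "data": {"family_name": "MUSTERMANN", "date_of_birth": date(1995, 8, 12)},
}

def sector_pseudonym(card_secret: bytes, provider_id: bytes) -> str:
    """One-way keyed function of the card's ID and the provider's ID.
    HMAC-SHA-256 is an assumed stand-in, not the card's real algorithm."""
    return hmac.new(card_secret, provider_id, hashlib.sha256).hexdigest()

def is_at_least(birth: date, minimum_age: int, today: date) -> bool:
    """Yes/no age answer; the birth date itself is never returned."""
    had_birthday = (today.month, today.day) >= (birth.month, birth.day)
    return today.year - birth.year - (0 if had_birthday else 1) >= minimum_age

def eid_response(card, provider_id, requested, released, minimum_age, today):
    """What the provider receives: a pseudonym, an optional age flag, and
    only those fields that were both requested and released by the holder."""
    response = {"pseudonym": sector_pseudonym(card["secret"], provider_id)}
    if minimum_age is not None:
        birth = card["data"]["date_of_birth"]
        response["age_ok"] = is_at_least(birth, minimum_age, today)
    for field in sorted(set(requested) & set(released) & set(card["data"])):
        response[field] = card["data"][field]
    return response

if __name__ == "__main__":
    today = date(2014, 1, 1)
    film = eid_response(CARD, b"provider:film-portal", [], [], 18, today)
    forum = eid_response(CARD, b"provider:forum", ["family_name"], [], None, today)
    print(film)   # pseudonym and age flag only
    print(forum)  # pseudonym only: family_name was requested but not released
    print("same pseudonym at both providers:", film["pseudonym"] == forum["pseudonym"])
```

Because the provider ID is part of the input, two providers comparing their stored pseudonyms find no common value for the same card, while each provider sees a stable value on every visit.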

With the AusweisApp and the citizen client, the previous types of use of the identity card and the electronic residence permit are to be expanded beyond those of the visual identity card to a comprehensive digital identity management on the Internet.

Technical framework

With version 1.1 published on May 13, 2011 and the new version 1.2 published on June 14, 2011, the Windows XP, Vista and Windows 7 operating systems are supported. AusweisApp has been supporting Linux for the Debian and Ubuntu distributions since June 16, 2011. The Linux distribution openSUSE has been supported by AusweisApp since August 16, 2011. With version 1.4, which was published on September 16, 2011, the AusweisApp also supports the electronic residence permit, which has been issued since the beginning of September 2011. From version 1.10, Windows 8 is also supported.

On February 27, 2012, the version for Mac OS X 10.6 and 10.7 was made available. Support for 10.8 was originally announced for October 2012, later postponed to November, and was not available as of December 3, 2012. On the Mac, AusweisApp only supports Firefox as a browser, not Safari.

Suitable Internet browsers for using the online identification function are Internet Explorer version 6 or higher (32-bit), Mozilla Firefox version 17 (no longer supported by Mozilla since December 13) and the Iceweasel browser version 3 or higher (under Debian Linux). In its FAQ, the BSI points out that only version 24 of Mozilla Firefox is currently supported. Alternatively, the Federal Office for Information Security (BSI) recommends the ESR version of Firefox for secure use for companies, authorities, universities and users who can do without the rapid introduction of innovations. This should also be supported by the AusweisApp in the long term. The BSI does not currently address the use of Firefox in other versions. According to Section 27 (3) of the Personalausweisgesetz (PAuswG), this actually means that these versions may not be used even if the AusweisApp would work: "The ID card holder should take technical and organizational measures to ensure that the electronic proof of identity in accordance with Section 18 PAuswG is only used in an environment that is considered safe according to the current state of the art. In particular, he should use those technical systems and components that are rated by the Federal Office for Information Security as safe for this purpose." A security assessment by the BSI for Firefox from version 11 has not been published. Permanent use of the new ID card is currently not guaranteed with current Firefox versions.

A number of card readers were tested for their functionality in connection with the new ID card and the AusweisApp. This list of card readers supported by AusweisApp can be viewed on the official AusweisApp portal.

Furthermore, screen readers such as JAWS and NVDA are supported in order to achieve greater accessibility.

Vulnerabilities

On November 9, 2010 it emerged that, due to two errors in the auto-update function of version 1.0.1 of AusweisApp, malware could theoretically be loaded onto the user's computer by an attacker. The Federal Office for Information Security then announced a new version of the AusweisApp. Downloading was deactivated until the beginning of January 2011, when the new version of the program became available. Version 1.7 for Windows was released on January 18, 2011.
