Citizen Card

from Wikipedia, the free encyclopedia

In Austria, the citizen card (Bürgerkarte) is a technology for electronic signatures. It combines an official electronic ID (a smart card, usually the e-card, colloquially called the "citizen card", or a mobile phone via the mobile phone signature) with a digital certificate. It is used primarily in e-government (electronic administrative procedures), but also in business transactions as an equivalent to a handwritten signature, to which it is legally equivalent as a qualified electronic signature.

The first and so far only Austrian confirmation body (Bestätigungsstelle) is A-SIT, a cooperation between the Ministry of Finance, the National Bank, Graz University of Technology and the Federal Computing Centre. The company A-Trust, a cooperation of Austrian chambers and banks, maintains the citizen card technically and issues the digital certificates.

Concept and legal validity

The citizen card solves two central security questions of dealing with public authorities electronically:

  1. The authority can identify the citizen clearly and securely by means of the citizen card. This is necessary, for example, before access to the data of a procedure can be granted, and this secure identification can replace appearing at the authority in person.
  2. The citizen can submit a declaration of intent to the authority electronically, and the authority can verify its authenticity beyond doubt. This makes it possible to offer electronically those procedures that would conventionally require a written submission.

The term "Austrian citizen card" does not denote one particular card that is the same for all citizens, as the passport is. Rather, the citizen card is a model for electronic administrative procedures that defines the requirements for handling such procedures securely.

"Citizen card": a logical unit that, regardless of its technical implementation, has a qualified electronic signature ( § 2 Z 3a of the Signature Act - SigG, Federal Law Gazette I No. 190/1999) with a personal link (§ 4 para. 2) and the associated security data and functions as well as, if necessary, with authorization data. "

This general definition of a model leaves citizens the choice of which citizen card(s) they ultimately use. The citizen card can therefore be compared with an identity document in general: "identity document" is a concept with different instances, such as passport, driving licence, student ID or membership card. Official procedures, however, usually come with security requirements that only official identification documents such as passports, ID cards or driving licences fulfil. The citizen card concept raises an electronic interface to the status of an official identification document. This can be an activated smart card (the citizen card in the narrower sense), but also the mobile phone signature as a PIN/TAN procedure.

In addition to a fully valid "ID on the Internet", the citizen card also provides a signature function. The citizen card solution complies with Directive 1999/93/EC (Signature Directive), which Austria was the first country to implement, and therefore constitutes a qualified electronic signature as defined by the Directive. It is thus equivalent to a handwritten signature, and its legal effect corresponds to the written form within the meaning of § 886 ABGB. It serves as proof of the unambiguous identity of the person submitting a request and of the authenticity of the electronic submission (Section 4 (1) E-GovG).

The law also provides that citizens can not only prove their own authority to act but can also be registered as representatives of others (Section 5 (1) E-GovG).

History

The citizen card was introduced in 2003 with the e-government initiative of the Austrian federal government. For a long time it saw little use: as of 2012 there were only around 200,000 citizen cards of various forms, around a third of which belonged to corporate customers (ID cards, access cards and the like); the rest were private customers (activated e-cards, ATM cards and the like) and mobile phone signatures. That is only about 2.5% of the population.

At the beginning of 2014, around 300,000 mobile phone signatures were registered in addition to 150,000 smart cards, making the mobile variant by far the more widespread. According to a study from mid-2014, 18% of the online population had a card-reader-based citizen card and 21% a mobile phone signature.

In 2015, the corresponding cards of Belgium, Estonia, Finland, Iceland, Italy, Liechtenstein, Lithuania, Portugal, Sweden, Slovenia and Spain were also found to meet the strict Austrian requirements, so that the electronic IDs of these countries are valid in Austria as well (E-Government Equivalence Ordinance). From September 29, 2018, all electronic identification means issued in other Member States that meet certain quality criteria must be recognized in Austria under the eIDAS Regulation. The E-Government Equivalence Ordinance is therefore expected to be repealed by then.

Since January 1, 2018, referendums can also be signed with the mobile phone signature or the citizen card. This applies both to submitting a declaration of support and to signing the referendum itself.

Technical framework and use

From a technical point of view, chip cards (smart cards) are currently the means of choice for meeting the security requirements, together with a card reader and a corresponding citizen card environment (Bürgerkartenumgebung, such as MOCCA). The e-card can be activated as a citizen card. The signature model is not limited to cards, however: the mobile phone (mobile phone signature) and other everyday devices, such as USB tokens, have also been implemented as citizen cards.

The legally required identity link (Personenbindung) for the electronic signature (Section 4 (2) E-GovG) is established using the stem number (Stammzahl) of a natural or legal person (Section 6 E-GovG). For residents, the stem number is derived from their number in the Central Register of Residents (ZMR number); for legal persons, from the commercial register number, the register of associations number (ZVR number) or similar. The derivation uses strong symmetric encryption under a key held only by the register authority, so the original register number cannot be computed from the stem number. The stem number is thus the Austria-wide unique identifier of a person for signing purposes. Together with the person's name, date of birth and the public key of the asymmetric key pair, it is placed in a data structure that is signed by the stem number register authority (StZRegBeh, which is the Data Protection Authority, DSB) and written to the citizen card (exception: mobile phone signature). Authentication is performed via the certification service provider (so far only A-Trust in Austria).

For use by an authority, the citizen card environment then derives from the stem number the sector-specific personal identifier (bereichsspezifisches Personenkennzeichen, bPK) for the authority's sector. Because this derivation cannot be reversed and yields an unrelated identifier for every sector, records held by different sectors cannot be linked through it. This provides the required data protection: collected data can only be used for the task for which it was collected (Section 8 ff E-GovG, unique identification in data applications).
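The derivation described in the two paragraphs above, as an added example that is not part of the original article nor the official register authority software: a Python model of the sector-specific identifier. Assumptions: the bPK is modelled as Base64(SHA-1(stem number + "+" + sector code)), following the published construction but not the official implementation; the stem numbers, the two citizens and the sector codes BF and SA are constructed sample data. The point the code makes is the one the paragraph relies on: two authorities that both hold data on the same person cannot join their records on the identifier, while offices within one sector can.

```python
import base64
import hashlib

# Sector codes used in this illustration (constructed examples standing in
# for two different administrative sectors).
SECTOR_A = "BF"
SECTOR_B = "SA"

# Constructed stem numbers (Stammzahlen). The real value is produced by the
# register authority from the ZMR number under a secret key; to the
# authorities it is an opaque string they are not allowed to store, which is
# all this example relies on.
STEM_NUMBERS = {
    "Anna Muster": "stammzahl-constructed-0001",
    "Max Muster": "stammzahl-constructed-0002",
}


def derive_bpk(stem_number: str, sector: str) -> str:
    """Sector-specific identifier: Base64(SHA-1(stem_number + "+" + sector)).

    Assumption: this follows the published bPK construction but is not the
    official implementation. Two properties carry the privacy argument:
    the hash cannot be inverted to recover the stem number, and the sector
    code in the input gives every sector an unrelated identifier. Neither
    property depends on SHA-1 collision resistance; what must stay secret
    is the stem number itself.
    """
    material = f"{stem_number}+{sector}".encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def sector_database(sector: str, records: dict) -> dict:
    """Records as an authority of `sector` holds them: keyed by its own
    sector's bPK, never by the stem number. `records` maps citizen name
    to the data the authority stores about that citizen."""
    return {derive_bpk(STEM_NUMBERS[name], sector): data
            for name, data in records.items()}


def join_on_identifier(db_a: dict, db_b: dict) -> set:
    """What an attempt to link two authorities' data on the identifier
    column yields: the identifiers present in both databases."""
    return set(db_a) & set(db_b)


def demo() -> dict:
    """Both authorities hold data on the same two citizens."""
    education = sector_database(SECTOR_A, {"Anna Muster": "enrolled",
                                           "Max Muster": "graduated"})
    social = sector_database(SECTOR_B, {"Anna Muster": "insured",
                                        "Max Muster": "insured"})
    social_other_office = sector_database(SECTOR_B, {"Anna Muster": "claim pending"})
    return {
        # Same people, different sectors: no identifier matches.
        "cross_sector_matches": join_on_identifier(education, social),
        # Same sector: a second office in that sector can match its records,
        # which is the intended task-oriented use.
        "same_sector_matches": join_on_identifier(social, social_other_office),
    }


if __name__ == "__main__":
    for name, stem in STEM_NUMBERS.items():
        print(name, SECTOR_A, derive_bpk(stem, SECTOR_A))
        print(name, SECTOR_B, derive_bpk(stem, SECTOR_B))
    print(demo())
```

The unlinkability holds only as long as the stem number stays out of the authorities' hands; anyone who learns it can compute the bPK for every sector, which is why the law confines the stem number to the identity link and the register.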

The first versions were available from 2003 (the membership card of the Austrian Computer Society OCG, or A-Trust's own citizen card). From 2005, the new generation of the Maestro card (i.e. the ATM card), the e-card of the Main Association of Austrian Social Security Institutions, and the mobile phone, via the A1 signature of mobilkom Austria, could be activated as citizen cards. mobilkom's A1 signature was discontinued on October 16, 2007. From the end of 2009, the mobile phone became a citizen card again with A-Trust's mobile phone signature.

Today further functions are possible, such as signing PDF files (Adobe's document format), which have become the general standard for electronic documents.

In the future, further applications are to be added, for example concluding legal transactions in e-commerce generally, where the electronic signature as an official ID is intended to give the parties greater legal certainty.

Features, activation and purchase of a citizen card

The citizen card comes in the following variants:

  • Activation of the e-card as a citizen card is free of charge and takes place either
    • at activation points, e.g. service points of the health insurance funds, on proof of identity,
    • via FinanzOnline, for whose access proof of identity had already been provided, or
    • on request, with delivery by registered RSa letter.
  • In addition, ID cards (such as those issued by the Ministry of Finance or the Federal Chancellery) and professional ID cards can be activated, as can school and student ID cards.
  • Activation of ATM cards hardly plays a role in Austria today.
  • Other cards can be activated or ordered directly from A-Trust for a fee (usually marketed as dedicated signature cards). A-Trust also offers solutions specifically for corporate customers (activation of company access chip cards and other mobile data carriers).
  • For activation of the mobile phone (or rather the mobile phone number), see mobile phone signature.

Criticism and theoretical technical weaknesses

The E-Government Act requires a qualified signature for the citizen card, which leads to a number of problems:

  • The digital signature and identity link process is so complex that only a very small group of experts can judge whether the many components involved in a signature are really secure, not least because users have no trusted computing platform. Unlike with a handwritten signature, the burden of proving that a signature was forged lies with the signatory, and there is hardly any case law on the subject. If the digital signature became more widespread and thereby attractive to attackers, the promised high level of security would be undermined.
  • The technical implementation of the citizen card requires a proprietary interface (the Security Layer) that applications must support explicitly. Industry standards such as PKCS #11 and CSP, by contrast, are widely supported by web browsers, e-mail clients and PDF applications.

As only became known in 2009, an investigation by the Secure Systems Lab (SecLab) of the Vienna University of Technology had already revealed three weaknesses in 2006 in the software implementation of the trustDesk basic (PC version) citizen card environment. Exploited in combination with a Trojan, the weaknesses let the user sign other documents or content than what was displayed or intended:

  • attack against an HTML page or application, e.g. in banking applications
  • attack against FinanzOnline
  • attack against mail encryption (Thunderbird plugin)

The known weaknesses have probably been fixed for some time, but the criticism remains that A-SIT had previously certified the software as secure and that, according to the Vienna University of Technology investigation, substitution of the content during signing by a Trojan can never be ruled out, not even with other citizen card software.
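The class of weakness described above, as an added example that is neither from the SecLab report nor from any citizen card environment: a minimal Python model of a signing environment. The card is a stub that, like the real card, only signs a digest it is handed (a keyed MAC stands in for the qualified signature; assumption), and the document source and the display are hooks a local Trojan could control. Three constructed cases are run: `naive_sign` reads the document twice and shows what a swap between the reads does; `wysiwys_sign` signs exactly the bytes it displayed, which closes that window; the third case shows why the article's statement holds that substitution by a Trojan cannot be ruled out, because once the Trojan controls the renderer, even single-read signing produces a valid signature over content the user never saw.

```python
import hashlib
import hmac
import secrets

# Constructed sample texts: what the signer intends, and the Trojan's swap.
HONEST = b"I agree to the contract over EUR 100."
SWAPPED = b"I agree to the contract over EUR 100000."


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class CardStub:
    """Stand-in for the smart card. Like the real card it only ever signs a
    digest it is handed and never sees the document. A keyed MAC replaces
    the qualified signature (assumption for this example); the key stays
    inside the object, so a Trojan on the PC can make the card sign but
    cannot sign by itself."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def sign_digest(self, digest: bytes) -> bytes:
        return hmac.new(self._key, digest, "sha256").digest()

    def verify(self, data: bytes, signature: bytes) -> bool:
        return hmac.compare_digest(self.sign_digest(sha256(data)), signature)


class Source:
    """Document source whose reads a Trojan controls: returns the given
    contents in order and repeats the last one."""

    def __init__(self, *contents: bytes) -> None:
        self._contents, self._reads = contents, 0

    def read(self) -> bytes:
        content = self._contents[min(self._reads, len(self._contents) - 1)]
        self._reads += 1
        return content


def naive_sign(card, source, display):
    """Reads the document once to show it and again to hash it. The gap
    between the two reads is all a local Trojan needs."""
    display(source.read())
    to_sign = source.read()
    return to_sign, card.sign_digest(sha256(to_sign))


def wysiwys_sign(card, source, display):
    """Reads once and hashes exactly the bytes handed to the display."""
    shown = source.read()
    display(shown)
    return shown, card.sign_digest(sha256(shown))


def honest_display(data: bytes) -> bytes:
    return data  # renders what it is given


def lying_display(_data: bytes) -> bytes:
    return HONEST  # Trojan-controlled renderer: always shows the honest text


def run_case(signer, source, display) -> dict:
    card = CardStub()
    seen = []
    signed, sig = signer(card, source, lambda data: seen.append(display(data)))
    return {
        "user_saw": seen[0],
        "signed": signed,
        "signature_valid": card.verify(signed, sig),  # verifier is satisfied either way
        "signed_what_user_saw": seen[0] == signed,
    }


if __name__ == "__main__":
    print("naive, swap between reads: ", run_case(naive_sign, Source(HONEST, SWAPPED), honest_display))
    print("single read:               ", run_case(wysiwys_sign, Source(HONEST, SWAPPED), honest_display))
    print("single read, lying display:", run_case(wysiwys_sign, Source(SWAPPED), lying_display))
```

In all three cases the relying party's verification succeeds, which is the practical point: a valid signature proves which bytes the card signed, not what the signatory saw, so the dispute over a forged signature mentioned above turns on the state of the signatory's PC.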

The card reader is another possible target.

A 2012 study showed that although 70% of the population in Austria uses e-government, placing Austria among the top players worldwide, reservations about the citizen card as electronic proof of identity are comparatively high. About a fifth of the population has concerns, particularly about data security. The bigger obstacle, however, is probably the comparatively cumbersome access.

The personal pension account of the social security system can be accessed with the citizen card. It was criticized that private financial advisors could also activate the citizen card during a consultation if they had obtained the relatively easily available authorizations, and would thus gain easier access to their clients' future state pension data.

References

  1. What the citizen card can do, buergerkarte.at, accessed December 3, 2014;
     chipkarte.at - SVC, Sozialversicherungs-Chipkarten Betriebs- und Errichtungsgesellschaft mbH, website for the social security card (e-card), accessed March 31, 2011.
  2. What the mobile phone signature can do, buergerkarte.at, accessed December 3, 2014;
     A-Trust Handy-Signatur, a-trust.at, archived from the original on April 25, 2013, retrieved June 14, 2011; A-Trust website for the mobile phone signature, accessed March 31, 2011.
  3. Authorities on the Net - The Austrian E-Government ABC, version January 2008, Austrian Federal Chancellery, accessed March 31, 2011.
  4. Ordinance BGBl. II No. 31/2000.
  5. Directive 1999/93/EC of the European Parliament and of the Council of December 13, 1999 on a Community framework for electronic signatures (consolidated version online, eur-lex.europa.eu).
  6. Peter Kustor, Federal Chancellery: eID in Austria (Memento of July 14, 2014 in the Internet Archive), presentation, January 28, 2014, slide 33 "E-communication involves risks: solution in Austria: citizen card / mobile phone signature" and slide 35 "Functions of the citizen card (Section 4 (1) E-GovG)" (PDF, bka.gv.at, accessed December 12, 2014).
  7. Cf. Schüssel: Substantial e-government initiative beyond dispute, APA OTS0116, May 13, 2003.
  8. Handy-Signatur im Test: Mühsam zum Ziel (Mobile phone signature tested: a laborious road), futurezone.at, November 3, 2012, accessed December 7, 2014.
  9. A1 wants to push the mobile phone signature, derStandard online, January 27, 2014, accessed December 7, 2014.
  10. egovernment-computing.de, March 27, 2014; cited in BRZ press service: Press review March 2014 (Memento of December 15, 2014 in the Internet Archive), p. 54 (PDF, brz.gv.at).
  11. eGovernment MONITOR 2014, study by the D21 and ipima initiatives, carried out by TNS Infratest;
     E-Government MONITOR 2014 presented, press release APA OTS0108, September 29, 2014;
     download of the study via egovernment-monitor.de (PDF (Memento of December 11, 2014 in the Internet Archive), from initiatived21.de; accessed December 9, 2014);
     extracts of the results:
     Austria continues to lead in e-government (Memento of December 11, 2014 in the Internet Archive), gemeindebund.at, October 7, 2014. The term "online population" refers to the respondents selected from the online panel, which generally represents an Internet-savvy segment of the population; see eGovernment MONITOR 2014, section "Study profile: selection", p. 5.
  12. Legal framework for e-government in Austria: E-Government Equivalence Ordinance, digitales.oesterreich.gv.at.
  13. Information (official text) on the equivalence of foreign identification means in Austria.
  14. HELP.gv.at: Referendum, retrieved February 12, 2018.
  15. MOCCA is Java-based free open-source software for PC, Mac and Linux, recommended by the Federal Chancellery; in addition, the company A-Trust offers its own solutions. Compare "Tools and downloads for your citizen card: citizen card environments", buergerkarte.at; "MOCCA local", wiki.a-trust.at; both accessed December 3, 2014.
  16. Cf. the web link for expert information, buergerkarte.at, section "The heart of the citizen card: the identity link"; also "Stem number and sector-specific personal identifier", digitales.oesterreich.gv.at; "Sector-specific personal identifiers (bPK)", stammzahlenregister.gv.at.
  17. Peter Kustor, Federal Chancellery: eID in Austria (Memento of July 14, 2014 in the Internet Archive), presentation, January 28, 2014, slide 37 "Identity link" and slide 38 "Stem number generation (§ 6 para. 2 E-GovG)" (PDF, bka.gv.at, accessed December 12, 2014).
  18. Kustor: eID in Austria, 2014, slide 41 "Citizen card function".
  19. Kustor: eID in Austria, 2014, slides 39/40 "bPK: generation".
  20. The fact that "one authority does not know what the other is doing", often criticized in public, is in fact a considerable data protection achievement for the citizen and is expressly intended by the legislature: an authority is generally not entitled to pass documents on to other authorities unless there is a legitimate interest in the information. The citizen therefore often has to submit the same document several times to different authorities. Only where there is a clear legal basis (administrative assistance, consent) may an authority itself obtain documents from the registers of other authorities without the citizen having to submit them again (Section 17 (2) E-GovG; the explanatory notes give birth certificates as an example). Authorities are required to determine ex officio data that are available in public registers, provided the person concerned has not already supplied the required data, e.g. in the form of public documents, and not to pass this task on to the citizen or the company. Government Bill 981 of the annexes to the stenographic minutes of the National Council (Budget Accompanying Act 2011), XXIV legislative period, p. 45.
  21. Expert information: What happens when the citizen card is activated?, buergerkarte.at (accessed December 3, 2014).
  22. PDF signature with the citizen card, buergerkarte.at, accessed December 3, 2014.
  23. See buergerkarte.at, digitales.oesterreich.gv.at, help.gv.at (Memento of December 7, 2014 in the Internet Archive); and Kustor: eID in Austria, 2014, slide 50 ff "Citizen card concept: characteristics" (description of the individual, more common forms).
  24. For example, a major bank such as Raiffeisenbank refers to the A-Trust signature cards: Signature card, banking.raiffeisen.at, accessed December 12, 2014.
  25. heise.de: Security holes in the Austrian citizen card.
  26. Florian Nentwich, Engin Kirda, Christopher Kruegel; Secure Systems Lab, Vienna University of Technology: Practical Security Aspects of Digital Signature Systems. Technical report, June 2006 (PDF (Memento of June 12, 2010 in the Internet Archive), iseclab.org).
  27. In 2012 a vulnerability was found in the MOCCA software: Weak point discovered in citizen card, Martin Stepanek, futurezone.at, May 25, 2012, accessed December 7, 2014.
  28. According to another study: E-government: Austria at the top, futurezone.at, August 3, 2012, accessed December 7, 2014.
  29. Austrians do not trust the citizen card: study shows scepticism towards e-government and digital identity, futurezone.at, August 3, 2012, accessed December 7, 2014.
  30. Social security pension account.
  31. Financial service providers advertise with pension accounts, Ö1, February 28, 2013, accessed March 1, 2013.