Credential to link government, private businesses
Germany began issuing the new contactless national ID to citizens in November. The program is one of the first contactless-only electronic ID programs. It also employs a unique privacy scheme to protect cardholders.
National ID cards aren’t new in the European Union and many countries use smart card technology to power the credentials. But the contactless German ID is a bit of a departure from what other countries have done and thus necessitated a slightly different take on existing contactless smart cards.
The country expects to issue 60 million cards over the next 10 years to replace existing paper documents, says Rudy Stroh, executive vice president of the ID business and country manager for Germany at NXP Semiconductors. NXP is providing the chip–its 128-kilobyte SmartMX secure contactless microcontroller–for the German e-ID.
“The contactless technology used in the e-ID enables strong privacy protection,” Stroh says.
The first difference between the German ID card and other contactless smart cards is that it can only be read from four centimeters, whereas most other cards can be read from eight to 10 centimeters, Stroh says.
The chip is also PIN protected and will not release any personal information until the correct six-digit code has been entered. Communication between the card and the reader is encrypted and the card generates a unique number to begin each session with a reader, Stroh explains.
Typically, when a card and reader are in close proximity, they share a number as a means to cryptographically authenticate one another in a process called mutual authentication. By ensuring that the number shared for mutual authentication is unique for each session, there is no chance to track a card and thus an individual via this shared number.
Securing both physical and virtual worlds
“With the contactless application,” says Stroh, “there will be opportunities to use the card for a lot of services.”
The German program uses the electronic passport standards developed by the International Civil Aviation Organization and can be used in place of a passport for travel between European Union countries. “It’s based on the ICAO EAS passport,” Stroh says. “There’s a common terminology being used and commonality between the documents for travel in Europe.”
When traveling to other countries, fingerprint templates stored on the card are verified to ensure the identity of the cardholder. Use as a travel document is optional, so citizens can choose whether or not to enroll and store fingerprint templates.
The credential can be used for access to government and commercial Web sites as well, explains Stroh, to digitally sign documents, auto-fill forms, verify age and log in to bank accounts and other services. Stroh estimates that 150 companies–including financial institutions, retailers, and airlines–are working on applications to take advantage of the card technology.
In addition to verifying a cardholder’s identity online, it can protect cardholders from online threats as well. Using mutual authentication techniques between the card and the service provider, cardholders can better trust the authenticity of the service provider.
This is designed to make it faster, more economical and more secure to open and log into accounts while guarding against identity theft. It also can protect young people, for example, by preventing underage cardholders from buying cigarettes from vending machines or accessing other age-defined products and services.
From the ground up, the German e-ID was created with privacy protection in mind. This is evident in the handling of age verification as well. Rather than disclose the age of the cardholder to the service provider, only a pass or fail indicator is provided based on the date of acceptability. Card expiration is managed in the same way, disclosing only whether the card is valid or invalid, rather than providing the actual date of expiry.