Saturday, October 8, 2011

Smart Card Workshop 2011: Smart cards are open for all purposes

The new identity card (nPA) and the new electronic health card (eGK) were the focus of this year's Smart Card Workshop of the CAST in Darmstadt. New developments in the security of smart cards were also discussed, but the focus was clearly on the use and benefits of the cards to citizens.

The nPA is gaining ground steadily but slowly, the electronic residence permit has existed since 1 September in spite of open questions, and the health card is to be issued this year to 10 percent of all those with statutory insurance. Next year the mandatory quota for the health insurers is to rise to 70 percent, and in the summer of 2012 the qualified digital signature is to launch with a one-year delay. Smart cards are thus arriving in the wallets of citizens who question the usefulness of these systems or are afraid of them: fears that the transparent citizen or the transparent patient could become reality are to be dispelled through better education.

One way to improved acceptance of the systems leads through transparency. Anyone who has bought a standard or convenience card reader for use with the new ID card usually has a device in the house that can read the contact-type health card. Since the insurance data lies unencrypted in an unprotected area in the so-called offline stage, anyone can read the content of his eGK with programs like the EGK manager of smart card or other tools and check, for example, which insured status he has. With the technical specification of the insurance card, he can also read that chronic diseases are stored about him with a letter.

Another way was presented by Detlef Hühnlein of the company ecsec, which deals with the card info files of the European standard, those XML descriptions of the capabilities of these smart cards. These descriptions are sometimes very extensive and, according to Hühnlein, can hardly be handled with an XML editor: 4000 lines describe the new ID card, and the description of the electronic health card even comes to 11,000 lines. Accordingly, the company wants to provide a tree service for free this year, with which the recognition tree for the card info files can be created easily. In this context Hühnlein pointed to Section 6c of the Federal Data Protection Act, which enshrines the right of cardholders to access the data stored on a card. ecsec is working with the BMWi-funded project SkIdentity, which is intended to allow logging in to secure cloud services using the new ID card and the health card.

The first tangible benefit that insured persons are to get from the health card is the storage of the emergency data set on the card. In addition to medical information, it primarily stores information about where living wills, organ donor declarations and precautionary powers of attorney are kept; in the absence of a qualified electronic signature, such declarations may not be stored directly on the card. Accordingly, the 12-Kbyte emergency data set plays a role in the emergency room and in intensive care, but hardly in prehospital care at the scene by the ambulance service. Georgios Raptis of the Federal Chamber of Physicians (BÄK), which specifies the emergency data set, presented considerations on emergency data management. Because the emergency data set exists only on the card, there must be mechanisms for reconstructing the data if a health card is lost or unreadable. In addition to the voluntary on-line backup that will realize the BÄK itself to the introduction of certified providers to retain data are used to test contingency data. Since the emergency data is stored encrypted on the health card, but the health card's key is no longer available once the card is lost, the backup is to be protected according to the principle of hybrid encryption. In this case the insured person receives a separate activation key for his emergency data, which he can open by means of a PIN letter and transfer to a new health card. Raptis could not say which companies want to launch an online service for emergency data sets.

There is progress with the new identity card. As Hanno Koop of the Federal Office for Information Security (BSI) explained, the "German industry forum on eID infrastructure" was established in the summer under the direction of the BSI; it meets every three months and aims to speed up the possible uses of the ID card. While the current AusweisApp version 1.4 brought support for the electronic residence permit and integration into Firefox 6 in September, version 1.5 will bring Mac OS X support for the first time from December 2011. Release 1.6 is planned for 2012; besides better Firefox plugins, it will above all bring handling of card info files, through which other cards can be recognized and managed by the AusweisApp. Finally, the qualified electronic signature (QES) is intended to accelerate the handling of the nPA. According to Carsten Schwarz (Bundesdruckerei), it should be available in summer 2012.

As Martin Stein of the German Savings Bank Association pointed out, the QES or an advanced signature could, in the fourth generation of online banking, replace the currently used procedures SMS-TAN, TAN, and HBCI chip. For this, however, users would have to use readers certified according to the Secoder standard of the German banking industry. Otherwise, the new ID card is attractive only for direct banks, which can use it to open accounts on the Internet without a media break. Stein was not particularly happy about the use of smartphones and banking apps, since many users ignore the warnings and receive TAN text messages on the same device on which they are connected online with the bank. However, no dramatic development is yet recognizable in the damage. In two thirds of all cases, customers' money is recovered or refunded.

New developments in the field of smart card security were also discussed during the workshop. Berndt Gammel of Infineon Technologies introduced the Cipurse standard, which is promoted by the OSPT Alliance, a consortium of companies that looks after the "Open Standard for Public Transport". Cipurse is intended in particular for securing public transport with NFC smartphones and integrated chips. Gisela Meister of Giesecke and Devrient explained the advantages and disadvantages of the new protocols and m-PCA ERA as part of the signature standard EN 14890. m-ERA is a French development with which a service provider (e.g. a shop) can query an identity provider for specific criteria about a user (such as "over 18") without having to retrieve the entire identity of the user.
