Options for integrating eID and SAML

Several European countries currently introduce highly sophisticated eID functionality in their national identity cards. This functionality typically has no direct relation to web security standards, but will be integrated with web technologies to enable browser-based access to critical resources. The research challenge to combine eID protocols and web standards like TLS in a secure way proves extremely challenging: The security of many of the proposed systems boils down to HTTP session cookies and TLS server certificates. Therefore, the overall security is not improved and does not justify the additional costs. In this paper, we investigate this security challenge for the German national identity card and its eID functionality. We show that the solution currently standardized by the German government does not offer any additional security, by giving an in-depth analysis of the complete software system. We discuss several possible paths to an enhanced solution based on T LS channel bindings. Finally, we describe a system setup based on the SAML Holder-of-Key Web Browser Profile, which also mitigates interoperability problems.