Title :
Insecurity of Anonymous Login with German Personal Identity Cards
Author :
Lucjan Hanzlik;Kamil Kluczniak;Miroslaw Kutylowski
Author_Institution :
Fac. of Fundamental Problems of Technol., Wroclaw Univ. of Technol., Wroclaw, Poland
Abstract :
One of the major inventions of the new personal identity cards in Germany is support for anonymous authentication. The Restricted Identification protocol enables authentication in an unlimited number of domains with passwords created with strong asymmetric cryptography, without using the insecure login-password mechanism. Moreover, the RI scheme guarantees unlinkability of a user's authentication in different domains. The Achilles heel of the RI scheme is the Chip Authentication procedure. The terminal must make sure that it is talking with a genuine identification card, and authentication via a so-called group key is used. The group key is shared by many IDs in order to create a sufficiently large anonymity set. We present an attack in which the party holding the group key and eavesdropping on the communication between a card and a terminal can learn the pseudonym and later authenticate as this user in this domain. In this way the party issuing the cards may get unlimited access to citizens' accounts. We show how to solve the problem by slight changes in the protocol.
Keywords :
"Authentication","Protocols","Public key","Social network services","Electronic mail"
Conference_Title :
Security and Privacy in Social Networks and Big Data (SocialSec), 2015 International Symposium on
DOI :
10.1109/SocialSec2015.12