Federal Office for Information Security (BSI)

BSI TR-03110 eIDAS Token Specification

As part of the Digital Agenda for Europe 2020, the European Parliament and the Council of the European Union have passed in July 2014 the Regulation (EU) No 910/2014 on "electronic identification and trust services for electronic transactions in the internal market" (eIDAS regulation) that repeals the Directive 1999/93/EC (Signature Directive). The eIDAS regulation constitues a great basis for building trust in the online environment in Europe.

This regulation covers different aspects of electronic transactions:

  • electronic identification
  • trust services, and
  • electronic documents

The eIDAS token specification is a contribution from the German and French IT security agencies BSI and ANSSI, supported by European industry partners, to the Interoperability Framework for electronic identification. It allows the development of token-based and customized solutions for electronic identification, authentication and signatures that are directly interoperable, without the need of translation via proxies.

The specification provides a modular and homogeneous Secure element API to protect the

  • Authenticity,
  • Integrity,
  • Originality,
  • Confidentiality and
  • Privacy

of the data stored on tokens for electronic identification, authentication and signatures (eIDAS token). Examples are the German ID card or the German Residence Permit.

The eIDAS token specification is covering all existing eService use cases, and opening the door to new applications. The technology is based on a direct mutual authentication between eIDAS token and service provider and facilitates real end-to-end encryption. The approach is to build on the technology of machine readable travel documents and the corresponding infrastructures that are already in use in the European member states and includes enhancements and extended services.

Structure of TR-03110

This picture illustrates the TR structure. Structure of TR-03110

Features of TR-03110:

  • Privacy by design features:

    • Real User Consent
    • 2-Factor authentication (PIN + Secure element)
    • Strong authentication procedures

      • PACE
      • Extended Access Control

        • Terminal Authentication (Version 2)
        • Passive Authentication
        • Chip Authentication (Version 2 & 3)
    • Data minimization procedures

      • Restricted Identification
      • Pseudonymous Signatures
      • Enhanced Role Authentication
      • Age Verification
  • Interoperable electronic logical data structure (LDS) covering all data fields in use in deployed European eID infrastructures that can be easily extended by new attributes
  • Modular approach:

    • Allowing token configuration according to the issuers needs
    • Allowing future extensibility
  • Achieving highest levels of assurance (LoA “high”)

BSI TR-03110-2 Advanced Security Mechanisms for Machine Readable Travel Documents – Part 2 - Version 2.21 (PDF, 754KB, File is accessible)

BSI TR-03110-3 Advanced Security Mechanisms for Machine Readable Travel Documents – Part 3 – Version 2.21 (PDF, 2MB, File is accessible)

BSI TR-03110-4 Advanced Security Mechanisms for Machine Readable Travel Documents – Part 4 – Version 2.21 (PDF, 1MB, File is accessible)