Security Analysis of eIDAS - The Cross-Country Authentication Scheme in Europe.

In 2014, the European Commission released the eIDAS regulation to target the compatibility of cross-country electronic services within the European Union. eIDAS (electronic IDentification, Authentication, and Trust Services) defines implementation standards and technologies for electronic signatures, digital certificates, Single Sign-On (SSO), and trust services. It is based on well-established standards, such as SAML, to achieve high security and compatibility between EU countries. In this paper, we present the first security study of authentication schemes used in eID services. Our security analysis shows that 7 of the 15 European eID services were vulnerable to XML-based attacks which enabled efficient Denial-of-Service (DoS) and Server Side Request Forgery (SSRF) attacks. On 5 of the 15 eID services, we were even able to exfiltrate locally stored files and send these files to an arbitrary domain. To support the developers and security teams of eID services, we implemented a Burp Suite extension to execute fully-automated or semi-automated tests. Additionally, we summarize best practices related to eID-based authentication and SSO in general.