7th Jun 2011
The eID Function of the New ID Card: How It Works
The basic principle of the new ID card is that no data can be read from the RF chip without knowledge of the PIN. Only during an inspection do officials enter the six-digit CAN (Card Access Number) printed on the card in order to read out the stored biometric data. Reading the card unnoticed from a short distance while it sits in its holder's pocket is therefore impossible. For quick checks at the border, the back of the card also carries a machine-readable PIN in the Machine Readable Zone (MRZ), which the reader captures automatically. Which PIN is valid, the chip recognises from the authorization certificate the reader presents; basically, it communicates only with certified equipment.
When the user invokes the eID function via a button on the site, the operator's web server responds with a special MIME type. This causes the browser to start a plug-in that launches the software for the new ID card, called AusweisApp. The AusweisApp receives the address of the responsible eID server and establishes the connection between that server and the chip on the card.
Access control is provided by the PACE protocol (Password Authenticated Connection Establishment). From a short password, such as the six-digit PIN, which must never be sent in clear text, it derives a long session key that secures the connection between the chip and the standard reader or, with a basic reader that does not implement PACE itself, the computer. The shared secret is established with the Diffie-Hellman algorithm, which lets the two parties derive a common secret key from data exchanged over an unprotected channel.
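As an added illustration of the mechanism described above (example code written for this page, not the card's or the AusweisApp's implementation), the following Python runs a toy PACE-style exchange between a chip and a terminal. Assumptions not taken from the article: NIST P-256 stands in for the Brainpool curve the real card uses, a SHA-256 keystream replaces AES for encrypting the nonce, HMAC-SHA256 replaces AES-CMAC for the authentication tokens, and the PINs are constructed test values. What it shows is the structure the paragraph describes: the PIN enters only a key derivation, a nonce encrypted under that key together with a first Diffie-Hellman exchange maps the generator, a second Diffie-Hellman exchange on the mapped generator yields the long session key, and a wrong PIN is caught by the authentication tokens without the PIN ever appearing on the wire.

```python
"""Toy PACE-style password-authenticated key agreement.

Added example for this page, not code from the card or the AusweisApp.
Assumptions: NIST P-256 stands in for the card's Brainpool curve, a
SHA-256 keystream for AES nonce encryption, HMAC-SHA256 for AES-CMAC.
"""
import hashlib
import hmac
import secrets

# NIST P-256 parameters (stand-in; the real card uses Brainpool curves)
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
INF = None  # point at infinity


def ec_add(p1, p2):
    """Affine point addition on P-256 (handles doubling and the identity)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def encode(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def kdf(secret, counter):
    """Hash-based key derivation with a 32-bit counter, as in TR-03110."""
    return hashlib.sha256(secret + counter.to_bytes(4, "big")).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def rand_scalar():
    return secrets.randbelow(N - 1) + 1


def pace(chip_pin, terminal_pin):
    """Run the exchange; each side has its own view of the PIN.

    Returns (authenticated, chip_keys, terminal_keys, transcript); the
    transcript is every message an eavesdropper on the RF link would see.
    """
    transcript = []
    # The PIN enters only here, as the password key K_pi; it is never sent.
    k_pi_chip, k_pi_term = kdf(chip_pin.encode(), 3), kdf(terminal_pin.encode(), 3)

    # Step 1: the chip sends a random nonce s encrypted under K_pi.
    s, salt = rand_scalar(), secrets.token_bytes(16)
    z = xor(s.to_bytes(32, "big"), hashlib.sha256(k_pi_chip + salt).digest())
    transcript += [salt, z]
    # The terminal recovers s only if its PIN matches; otherwise it gets garbage.
    s_term = int.from_bytes(xor(z, hashlib.sha256(k_pi_term + salt).digest()), "big") % N

    # Step 2: a first Diffie-Hellman exchange on G gives H, which an
    # eavesdropper cannot compute from X1 and Y1 alone.
    x1, y1 = rand_scalar(), rand_scalar()
    X1, Y1 = ec_mul(x1, G), ec_mul(y1, G)
    transcript += [encode(X1), encode(Y1)]
    H_chip, H_term = ec_mul(x1, Y1), ec_mul(y1, X1)

    # Step 3: generic mapping, each side computes G' = s*G + H with its own s.
    G_chip = ec_add(ec_mul(s, G), H_chip)
    G_term = ec_add(ec_mul(s_term, G), H_term)

    # Step 4: a second Diffie-Hellman exchange on G' yields the shared point K.
    x2, y2 = rand_scalar(), rand_scalar()
    X2, Y2 = ec_mul(x2, G_chip), ec_mul(y2, G_term)
    transcript += [encode(X2), encode(Y2)]
    K_chip, K_term = ec_mul(x2, Y2), ec_mul(y2, X2)

    # Step 5: long session keys (K_enc, K_mac) from K's x-coordinate.
    def session_keys(K):
        shared = K[0].to_bytes(32, "big")
        return kdf(shared, 1), kdf(shared, 2)
    chip_keys, term_keys = session_keys(K_chip), session_keys(K_term)

    # Step 6: mutual authentication tokens over the peer's ephemeral key;
    # they verify only if both sides reached the same K, i.e. the same PIN.
    def token(k_mac, peer_pt):
        return hmac.new(k_mac, encode(peer_pt), "sha256").digest()
    t_chip, t_term = token(chip_keys[1], Y2), token(term_keys[1], X2)
    transcript += [t_chip, t_term]
    chip_accepts = hmac.compare_digest(t_term, token(chip_keys[1], X2))
    term_accepts = hmac.compare_digest(t_chip, token(term_keys[1], Y2))
    return chip_accepts and term_accepts, chip_keys, term_keys, transcript


def transcript_contains(transcript, needle):
    """True if the raw bytes `needle` appear in any message on the wire."""
    return any(needle in msg for msg in transcript)


if __name__ == "__main__":
    ok, ck, tk, tr = pace("123456", "123456")  # constructed PIN values
    print("correct PIN -> authenticated:", ok, "| keys match:", ck == tk)
    bad, ck, tk, _ = pace("123456", "123457")
    print("wrong PIN   -> authenticated:", bad, "| keys match:", ck == tk)
    print("PIN bytes on the wire:", transcript_contains(tr, b"123456"))
```

The first Diffie-Hellman exchange is what stops an eavesdropper from testing PIN guesses offline against the captured transcript: to check a guess one has to recompute G' = s*G + H, and H = x1*y1*G is available to neither party's observer. With a basic reader the "terminal" side of this exchange runs on the computer, which is why the article treats that configuration separately.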
Next, the reader must prove its access rights with a certificate. In online authentication this reader-side device is the eID server, which is operated either by the website operator itself or by a service provider. It holds all the authorization certificates and a service-specific block list for identifying blocked cards.
The issuing authority for authorization certificates reviews, in an application process, whether the website operator really needs the data it wants to read from its customers' ID cards, following the principle of data minimisation. To use the eID function at all, the operator must demonstrate a business purpose or show that it needs the data to meet legal requirements.
The card holds eleven data fields. For each one the operator wants to read, it must give an explicit justification. To check, for example, whether a visitor is of age, the operator may not access the date of birth itself but must use age verification: it sends a reference date (today, minus 18 years) to the card and receives only the answer whether the stored date of birth lies before or after it. A similar function exists for the place of residence, so that services that depend on where the holder lives can be offered without reading the address.
Once the authority has granted the permit, the operator receives from a CA an authorization certificate in which these rights are recorded. It is valid for only a few days and must be renewed continually. The operator also receives from the CA a constantly updated list of ID cards that have been revoked.
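As an added example (written for this page, not the card's or the eID server's code), the following Python model shows the access rule the preceding three paragraphs describe: every data field needs its own right in the authorization certificate, the certificate's short validity window is enforced, the age and place checks are yes/no functions that reveal nothing else, and the eID server gates on its block list. The field names, the certificate layout, the card identifier and the block-list lookup are assumptions; a real deployment verifies a signed certificate chain rather than trusting a Python object. It also handles the one edge case in "today minus 18 years": a reference date computed from 29 February.

```python
"""Toy model of how the card enforces an authorization certificate.

Added example for this page, not the card's or the eID server's code.
Assumptions: field names, certificate layout, card identifier and the
block-list check are illustrative; real deployments verify a signed
certificate chain, this model trusts a Python object.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AuthorizationCertificate:
    holder: str            # service operator the rights were granted to
    rights: frozenset      # field names plus function rights (assumed names)
    valid_from: date
    valid_until: date      # in practice only a few days after valid_from


def adult_reference_date(today, years=18):
    """The reference date the operator sends: 'today, minus 18 years'.

    Edge case: 29 February minus N years may not exist; use 28 February.
    """
    try:
        return today.replace(year=today.year - years)
    except ValueError:
        return today.replace(year=today.year - years, day=28)


class Card:
    """Holds the personal data and releases it only as the certificate allows."""

    def __init__(self, data):
        self._data = data

    def _check(self, cert, today, right):
        if not cert.valid_from <= today <= cert.valid_until:
            raise PermissionError("authorization certificate not valid today")
        if right not in cert.rights:
            raise PermissionError(f"{cert.holder} is not authorized for {right}")

    def read(self, cert, today, fields):
        """Release exactly the requested fields; each needs its own right."""
        for f in fields:
            self._check(cert, today, f)
        return {f: self._data[f] for f in fields}

    def verify_age(self, cert, today, reference_date):
        """Answer only whether the holder was born on or before the reference
        date; the date of birth itself never leaves the card."""
        self._check(cert, today, "age_verification")
        return self._data["date_of_birth"] <= reference_date

    def verify_place(self, cert, today, community_id):
        """Same idea for the place of residence: yes/no, no address released."""
        self._check(cert, today, "place_verification")
        return self._data["community_id"] == community_id


def eid_server_admits(card_id, block_list):
    """Service-side gate: the eID server refuses cards on its block list."""
    return card_id not in block_list


if __name__ == "__main__":
    # Constructed sample data; the operator was granted one field and one function.
    today = date(2011, 6, 7)
    cert = AuthorizationCertificate(
        "shop.example", frozenset({"family_name", "age_verification"}),
        valid_from=date(2011, 6, 6), valid_until=date(2011, 6, 8))
    card = Card({"family_name": "Mustermann", "date_of_birth": date(1993, 6, 7),
                 "community_id": "example-community"})
    print(card.read(cert, today, ["family_name"]))
    print("of age:", card.verify_age(cert, today, adult_reference_date(today)))
    try:
        card.read(cert, today, ["date_of_birth"])
    except PermissionError as e:
        print("refused:", e)
```

Note how the model separates "may read the date of birth" from "may run age verification": an operator that only needs the latter never gets the former, which is exactly the distinction the certificate authority enforces when it reviews the application.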