Security Analysis of eIDAS – The Cross-Country Authentication Scheme in Europe


Nils Engelbertz, Nurullah Erinola, David Herring, Juraj Somorovsky, Vladislav Mladenov, and Jörg Schwenk, Ruhr University Bochum


In 2014, the European Commission released the eIDAS regulation to target the compatibility of cross-country electronic services within the European Union. eIDAS (electronic IDentification, Authentication, and Trust Ser- vices) defines implementation standards and technologies for electronic signatures, digital certificates, Single Sign-On (SSO), and trust services. It is based on well-established standards, such as SAML, to achieve high security and compatibility between EU countries. In this paper, we present the first security study of authentication schemes used in eID services. Our security analysis shows that 7 of the 15 European eID services were vulnerable to XML-based attacks which enabled efficient Denial-of-Service (DoS) and Server Side Request Forgery (SSRF) attacks. On 5 of the 15 eID services, we were even able to exfiltrate locally stored files and send these files to an arbitrary domain. To support the developers and security teams of eID services, we implemented a Burp Suite extension to execute fully-automated or semi-automated tests. Additionally, we summarize best practices related to eID-based authentication and SSO in general.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {220570,
author = {Nils Engelbertz and Nurullah Erinola and David Herring and Juraj Somorovsky and Vladislav Mladenov and J{\"o}rg Schwenk},
title = {Security Analysis of {eIDAS} {\textendash} The {Cross-Country} Authentication Scheme in Europe},
booktitle = {12th USENIX Workshop on Offensive Technologies (WOOT 18)},
year = {2018},
address = {Baltimore, MD},
url = {},
publisher = {USENIX Association},
month = aug