Help

Basic knowledge

To ensure that you are actually connected to authega via a secure connection, your browser checks whether the automatically transmitted electronic certificate is valid. This is how you determine that your communication partner is really authega or that it is the corresponding authega certificate. The authega certificate is used to bind a cryptographic, public key to authega. The binding of the key to authega is in turn cryptographically secured with an electronic signature from a trustworthy third party, an internationally recognized trust center.

  • The certificate of the trusted trust center is already included in all browsers, so this property can be checked automatically. In addition, the following two certificate properties are automatically checked:
  • The domain name for which the authega certificate used for the secure internet connection was issued must match the actual domain name of the web server (e.g. www.authega.bayern.de).
  • The certificate must be valid. For security reasons, server certificates are only issued for a certain period of time and are regularly renewed by the operator of the authega website.

If at least one of the three checks above fails, a browser warning is displayed to the user. In this case, authega should not be used, but the hotline should be contacted.

The encrypted electronic connection to authega is made via the recognized internet protocol HTTPS (TLS 1.2). The basis is a 3072 bit authentication from authega via the authega certificate to your computer according to the asymmetrical, cryptographic RSA procedure. The data transmission is encrypted using a symmetrical, cryptographic procedure that corresponds to the current state of security technology (see BSI Technical guidelines). The necessary symmetrical key is generated as a random number on your computer during registration and is communicated to authega, encrypted using the RSA method. Only your computer and authega know the symmetric key with which the communication can be decrypted.

In terms of security, an asymmetrical cryptographic RSA procedure with certificates is used within the two authentication methods, certificate file and signature card for authentication.

  • Authega crypto algorithms with certificate file
  • Signature card crypto-algorithms

In Internet Explorer you can, for example, check the validity of the authega certificate via the "File / Properties / Certificates" menu. Compare the electronic fingerprint in the further explanations on the authega certificate. You can also contact the Hotline contact, who can give you the electronic fingerprint of the authega certificate for comparison.

Registration

From a security perspective, you will receive two separate asymmetrical key pairs for your personal access, each with a personal certificate issued by the authega trust center (authega with certificate file), or the existing asymmetrical key pairs on your signature card will be used for authentication. One of your key pairs is used for your personal electronic authentication at authega.

For your personal access you need a software certificate or a signature card:

  • Software certificate
    The asymmetrical key pairs are generated on your computer and saved in a file to be protected by an individual password in accordance with the security standard PKCS # 12 in a special security environment (PSE) of the computer. Each pair consists of a private and a public key. The respective private key of the asymmetrical key pairs is cryptographically protected and can only be decrypted using the password you have assigned. The authega trust center issues a certificate for the associated public keys.
  • Signature card for authentication
    If you have an authega-supported signature card for authentication, you can use it. The asymmetrical key pairs contained on your signature card for authentication are usually protected by an individual password and stored and usable in a special security environment. The respective private key of the asymmetrical key pairs is cryptographically protected and can only be used by yourself via the password. The certificates for the associated public keys on the signature card for authentication are transferred from your computer to the authega trust center so that their validity can be confirmed for authega. In the positive case, your certificates will be integrated into authega.
    The currently supported signature cards for authentication are on the website of the Bayern-PKI visible.

The private keys of the asymmetrical key pairs can only be decrypted for use by entering an individual password of your choice. This security is also generally referred to as security based on "knowledge (password) and possession (means of authentication)". You are responsible for the secure handling of your authentication medium and the associated password!
Please note that simply suspecting that the certificate file has been copied without authorization, simply changing the password of the certificate file is not sufficient. In this case, as a precaution, you should delete your user account or carry out a certificate renewal. When the certificate is renewed, your software certificate is generated again.

authega with certificate file

The certificate file is a file in a special format in which the generated keys are securely stored. The data is cryptographically protected and can only be decrypted using a password. A certificate file can be stored on different storage media (e.g. hard disk, USB stick) and copied as often as required.

Your computer's operating system treats the certificate file as a normal file. It can therefore be stored on different storage media (e.g. hard disk, USB stick). It contains cryptographic keys and certificates. The certificate file creates a link to an authega user account. Since the certificate file can be copied as often as any other file, a backup copy can be created easily. Since copying can also take place unnoticed, e.g. B. when stored on a network drive or by malicious software - so-called malware, the certificate file entails risks that the user should take into account. It is technically possible to use the same authega user account from several workplaces. However, this possibility poses security risks. Securing a user account is based on a combination of knowledge (password for the certificate file) and possession of the certificate file. If the certificate file is passed on, the owner of the user account gives up this security property on his own responsibility. If authega access is misused by copying the certificate file, the original owner can be identified and held responsible.
authega user accounts are designed to be personal. The parallel (in the sense of simultaneous) use of a user account by severalWhen passing the file on, please note that

  • the number of copies cannot be limited,
  • all copies of the certificate file are equivalent,
  • it is not possible to trace the copy of a certificate file with which a transaction was carried out,
  • if a user account is blocked / extended, all copies of the certificate file are affected,
  • and it is not possible to lock a single misused copy.

There is a possible source of error when updating the certificate file. For security reasons, the validity of the certificate file is limited (currently 3 years). With a certain time interval after the end of the validity period, the user will be informed by email about the expiry of their certificate. The extended software certificate is a new file for your computer. The "old" certificate file and its copies will therefore become invalid and can no longer be used to register with authega.

You should keep the answer to the security question and the lock code required to delete your user account safe and separate from your means of authentication. Since registration with a certificate file is saved on your hard drive, you must also ensure that your computer is adequately secured. If someone else is using your computer, the file could be read or copied unnoticed. In such an attack, your certificate would only be secured with your personal password. You can find support for securing your computer on the website of the Bundesamtes für Sicherheit in der Informationstechnik receive.

If you have not received an email from authega within a certain time after sending the registration data, you have to start the registration process again. The most common cause of this can be a typo, such as the unintentional entry of an incorrect or invalid email address. The recommended waiting time before you can assume an error in the delivery of the e-mail depends on many parameters, such as the current load at authega or the selected portal, the load on your Internet provider and the quality of your connection Your provider. The email is usually delivered within minutes to a few hours. For waiting times over several days, we recommend the Hotline to contact.

There is an indirect proof of identity by sending the activation code by letter and sending the activation ID by email. Your identity is verified by only the authentic person receiving both information and thus being able to activate the authega user account.

The activation code is an essential security mechanism when activating a user account with authega. Initiated by authega, it will be sent to you in a closed letter.

The authega trust center is a dedicated key and certificate manager. It is used to create and manage certificates that enable individual authentication for users at authega. The trust center is operated on the basis of its own operating, organizational and security concept based on globally recognized guidelines.

You can only use the personalized services at authega in the future by logging in if you authenticate yourself in your software certificate. Your software certificate contains the necessary private key, which authega can use to verify your electronic identity. When using portals that are connected to authega, personal authentication data is transmitted electronically.

Your software certificate has two asymmetrical key pairs and a corresponding certificate. The data is encrypted.

The security of your authentication is based on the recognized RSA procedure. The key length of your certificate corresponds to a key length of 3072 bits. The data transmission is encrypted using a symmetrical cryptographic procedure that corresponds to the current state of security technology. The necessary symmetric key is generated as a random number and communicated to authega in encrypted form.

Only you can access your personalized services. The security here is based on your knowledge (password) and your possession (certificate file). Without knowledge of the password and possession of the individual certificate file, access to your personalized services is not possible. You are responsible for the safe storage of the two crypto products! Unauthorized persons may not have access to these funds. Only then will the security of your connection to authega be guaranteed.

Signature cards for authentication

If the user has a signature card for authentication supported by authega, he can also use it.
Signature cards for authentication represent the electronic replacement of your handwritten signature and are used by Bayern-PKI spent. A document signed with a signature card for authentication is considered legally binding.

If you have not received an email from authega within a certain time after sending the registration data, you have to start the registration process again. The most common cause of this can be a typo, such as the unintentional entry of an incorrect or invalid email address. The recommended waiting time before you can assume an error in the delivery of the e-mail depends on many parameters, such as the current load at authega or the selected portal, the load on your Internet provider and the quality of your connection Your provider. The email is usually delivered within minutes to a few hours. For waiting times over several days, we recommend the Hotline to contact.

There is an indirect proof of identity by sending the activation code by standard mail and sending the activation ID by email. Your identity is verified by only the authentic person receiving both information and thus being able to activate the authega user account.

The activation code is an essential security mechanism when activating a user account with authega. Initiated by authega, it will be sent to you in a closed letter.

The authega trust center is a dedicated key and certificate manager. It is used to create and manage certificates that enable individual authentication for users at authega. The trust center is operated on the basis of its own operating, organizational and security concept based on globally recognized guidelines.

The trust center of Bayern-PKI is through that IT-DLZ operated.

In future, you can only use authega's personalized services via login if you authenticate yourself with your signature card for authentication. Your signature card for authentication contains the necessary private key and the associated certificate, which authega can use to verify your electronic identity. When using portals that are connected to authega, personal authentication data is transmitted electronically.

Your signature card for authentication has two asymmetrical key pairs and a corresponding certificate. One key pair each for authentication and encryption.

The security of your authentication is fundamentally based on the recognized RSA procedure. The data transmission is encrypted using a symmetrical cryptographic procedure that corresponds to the current state of security technology. The necessary symmetric key is generated as a random number and authega, encrypted.

Only you can access your personalized services. The security here is based on your knowledge (password) and your possession (signature card). Without knowledge of the password and possession of the signature card, access to your personalized services is not possible. You are responsible for the safe storage of the two crypto products! Unauthorized persons may not have access to these funds. Only then is the security of your connection to authega guaranteed.