NetKey/ IDKey, the key to identity

Attributing an action to a specific person or a specific system (an identity) usually involves two steps. The instigator of the action first claims a specific identity (identification). In a second step, a check is made to ascertain whether that claim is genuine, that is, whether the action can actually be attributed to this identity (authentication). Whether the authenticated identity is also permitted to execute the action is a separate, third decision (authorization).



The above functions rely on specific digital identity attributes. Different systems may demand different identity attributes, and these attributes represent the various roles or capacities in which the owner acts. As a rule, an individual is a citizen with a surname, first name and date of birth. In another role they may be an employee of a company or its authorized signatory; in their leisure time they may chair an association or hold some other voluntary office. Depending on the role, there are additional attributes that may be used on their own or in combination with the name. Such attributes are also referred to as claims.

An X.509 certificate, for example, is a suitable way of bundling such identity attributes. The attributes are sealed, together with the public part of the holder's cryptographic key pair, under the signature of a certification authority; anyone who holds the public part of that authority's certification key can check the certificate's signature. The public part of the user key thereby becomes a further digital identity attribute of the certificate holder. Technically there are various ways of aggregating digital identity attributes; an authenticated server, for example, can also present a collection of identity attributes. To keep this overview simple, only one variant of X.509 certificates is considered in this document.

When a person or a technical component has to be identified, they present a certificate. Until now, however, the checking party has only been able to ascertain whether or not that certificate is valid. A valid certificate proves only that the person or component exists: a certification authority has checked the existence of the person or component, and hence the identification attributes, and has generated the certificate in a valid manner. It does not by itself prove that whoever presents the certificate is its holder.



NetKey/ IDKey, the smartcard with premium keys, enables the cardholder to prove their identity. The card proves that the cardholder is permitted to use the presented identity attributes that reflect the respective role. This proof is obtained by technically linking the identity attributes to a secret, namely the private key matching the public key in the certificate, and by demonstrating possession of that secret. NetKey/ IDKey offers various applications that can be used depending on the particular application area.
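The two checks described above, certificate validity on the one hand and proof of possession of the private key on the other, as an added example in Go using only the standard library. This is illustrative code written for this page, not code from TeleSec, TCOS or NetKey/ IDKey, and the page does not describe the card's actual algorithms or protocol; the example therefore assumes ECDSA on P-256 with a simple challenge-response, and the CA name ("Example Trust Center CA") and the holder's claims ("Erika Mustermann", "Example GmbH", "Procurement") are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert signs tmpl with the signer's key and parses the result; when
// parent == tmpl the result is a self-signed (CA) certificate.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// certValid answers only the first question: did the trusted CA vouch for
// the attributes and the public key sealed in cert?
func certValid(cert, ca *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// signChallenge is the card side: the private key signs a fresh challenge.
func signChallenge(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// holderProven answers the second question: does the presenter possess the
// private key matching the public key in the certificate?
func holderProven(cert *x509.Certificate, challenge, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// Run performs the whole flow and returns (certificate valid, genuine holder
// proven, impostor holding only a copy of the certificate proven).
func Run() (bool, bool, bool, error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	holderKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	impostorKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()

	// The CA name is constructed for this example; it is not a real trust center.
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Trust Center CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca, err := makeCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return false, false, false, err
	}

	// Constructed claims for an employee role: name plus organisation and unit.
	holderTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject: pkix.Name{CommonName: "Erika Mustermann", Organization: []string{"Example GmbH"},
			OrganizationalUnit: []string{"Procurement"}},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, err := makeCert(holderTmpl, ca, &holderKey.PublicKey, caKey)
	if err != nil {
		return false, false, false, err
	}

	// Verifier side: a random challenge, signed by whoever presents the certificate.
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, false, false, err
	}
	goodSig, _ := signChallenge(holderKey, challenge)
	badSig, _ := signChallenge(impostorKey, challenge) // has the certificate, not the key
	return certValid(cert, ca), holderProven(cert, challenge, goodSig), holderProven(cert, challenge, badSig), nil
}

func main() {
	valid, holder, impostor, err := Run()
	fmt.Printf("certificate valid: %v, holder proven: %v, impostor proven: %v, err: %v\n", valid, holder, impostor, err)
}
```

The point the example makes is that `certValid` returns true for anyone who has a copy of the certificate, which is public data; only `holderProven`, driven by a challenge the verifier chose freshly, separates the holder of the private key from an impostor. A smartcard is the place to keep that private key so that the challenge is signed without the key ever being handed to the host.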


Confidentiality and encrypted data storage

As already described, NetKey/ IDKey builds on state-of-the-art cryptographic know-how. Encryption is required whenever information must be protected against unauthorized reading or processing. In the classic (symmetric) approach, a key is exchanged between the author or sender of a message (A) and the processor or recipient (B). A can then encrypt the information so that only B can read or process it again.

If data is to be exchanged within a larger group so that each participant can communicate with every other one without a third party being able to read along, the key management this requires soon becomes very laborious: with n participants, n(n-1)/2 pairwise keys have to be agreed and kept secret. Public key cryptography makes this key management far simpler. Each participant requires exactly one key pair consisting of a public key and a secret (private) key.

Public keys can be distributed through public directories. Anyone who looks up a participant's public key in the directory can send that participant information confidentially: the information simply has to be encrypted with that public key, and only the owner of the corresponding secret key can recover the plaintext. This presupposes that the directory entry is authentic, that is, that the public key really belongs to the named participant; a certificate of the kind described above provides exactly that binding.

For encrypted data storage, the author can store their own data encrypted under their own public key. The data is then protected against unauthorized access, since only the author's secret key can decrypt it.


Quality of NetKey/ IDKey components

The TeleSec NetKey/ IDKey TCOS smartcard has two crucial components whose quality constitutes NetKey/ IDKey's unique selling point: the quality of the operating system and the quality of the internal keys.


Quality of the operating system

TeleSec NetKey/ IDKey is based on the TeleSec Chipcard Operating System (TCOS), which has been developed and maintained for many years under the constant supervision of independent security evaluators.

TCOS provides the basis, for instance, for Deutsche Telekom AG's qualified signature cards, for the chip in German passports and for the latest German identity card.

These are just three examples of how TCOS has achieved the requisite levels of quality and trust.


Quality of internal keys

The keys for NetKey/ IDKey are generated in T-Systems' trust center. TeleSec NetKey 3.0 provides the technical basis for NetKey. A separate application (SigG) of NetKey is evaluated and confirmed as a Secure Signature Creation Device (SSCD) in accordance with the German Digital Signature Act (Signaturgesetz, SigG). The key material for this application also originates from an evaluated and confirmed key generator, and the confirmation ensures that key material from this generator can only be written to appropriate TCOS modules. This SSCD can therefore be used, in combination with an appropriate certification service provider, for qualified electronic signatures.

A further application of NetKey/ IDKey contains several asymmetric keys that are likewise generated in the trust center by a technologically equivalent key generator. These keys meet the requirements placed on so-called advanced certificates. IDKey does not include the SigG application.