Help
Basic knowledge
To ensure that you are actually connected to My BOP over a secure connection, your browser checks whether the electronic certificate that is transmitted automatically is valid. This lets you be sure that your communication partner really is My BOP, i.e. that you are dealing with the associated ELSTER SSL certificate. The ELSTER SSL certificate binds a public cryptographic key to My BOP. That binding is itself cryptographically secured by an electronic signature from a trusted third party, an internationally recognised Trust Centre.
The certificate of that trusted Trust Centre is already included in all browsers, so this property can be verified automatically. In addition, the following two certificate properties are checked automatically:
- The domain name for which the ELSTER SSL certificate has been issued must match the actual domain name of the web server (for example www.elsteronline.de).
- The certificate must be valid. For security reasons, server certificates are only issued for a limited period and are renewed regularly by the operator of My BOP.
If at least one of these three checks fails, the browser displays a warning. In that case My BOP should not be used; contact the hotline instead.
The encrypted electronic connection to My BOP uses the recognised Internet protocol HTTPS (TLS 1.2). Its basis is the authentication of My BOP towards your computer by means of the SSL certificate, using the asymmetric cryptographic RSA method with a 2048-bit key. The communication itself is encrypted with a symmetric cryptographic method that corresponds to the current state of security technology. The symmetric key needed for this is generated on your computer as a random number during registration, encrypted with the RSA method and communicated to My BOP. Only your computer and My BOP know the symmetric key with which the communication can be decrypted.
All three authentication methods (certificate file, security stick and signature card) likewise use an asymmetric cryptographic method together with a certificate: the internationally recognised RSA method with a minimum key length of 2048 bits.
In Internet Explorer, for example, you can check the validity of the ELSTER SSL certificate via the menu "File / Properties / Certificates". Compare the electronic fingerprint shown there with the one given in the further explanations on the ELSTER SSL certificate. You can also contact the ELSTER hotline on 0800 52 35 055 (for callers from abroad: +49 180 5 23 50 55), which can give you the electronic fingerprint of the ELSTER SSL certificate for comparison.
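The three certificate checks described above, run against a throwaway PKI, as an added example that is not part of the original help page or of ELSTER's software. It uses only Go's standard library (Go 1.18 or newer); the Trust Centre, the host name portal.example.test and every certificate are constructed for the demonstration. checkServerCert does the browser's job in one function: the certificate must chain to a root in the trust store, its name must match the host that was dialled, and it must be within its validity period. fingerprint produces the SHA-256 fingerprint in the form a browser displays, which is the value you would compare with the one obtained from the hotline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// demoPKI is a constructed stand-in for the real PKI: a root the browser trusts,
// the portal's server certificate, and a look-alike certificate for the same
// host name from an issuer the browser does not trust.
type demoPKI struct {
	Roots     *x509.CertPool
	Server    *x509.Certificate
	LookAlike *x509.Certificate
}

// issue signs tmpl for pub with signer's key; parent == nil means self-signed.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

func buildDemoPKI(host string) *demoPKI {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Trust Centre (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	rootKey := must(rsa.GenerateKey(rand.Reader, 2048)) // 2048-bit RSA, as the page specifies
	root := issue(caTmpl, nil, &rootKey.PublicKey, rootKey)

	serverTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	serverKey := must(rsa.GenerateKey(rand.Reader, 2048))
	server := issue(serverTmpl, root, &serverKey.PublicKey, rootKey)

	// Same host name and key, but signed by a CA the browser has never heard of.
	rogueKey := must(rsa.GenerateKey(rand.Reader, 2048))
	rogueTmpl := *caTmpl
	rogueTmpl.Subject = pkix.Name{CommonName: "Unknown CA (constructed)"}
	rogue := issue(&rogueTmpl, nil, &rogueKey.PublicKey, rogueKey)
	lookAlike := issue(serverTmpl, rogue, &serverKey.PublicKey, rogueKey)

	roots := x509.NewCertPool()
	roots.AddCert(root)
	return &demoPKI{Roots: roots, Server: server, LookAlike: lookAlike}
}

// checkServerCert performs the three checks described above: the chain ends at
// a trusted root, the name matches the host dialled, and the certificate is
// within its validity period at time now. A nil result means all three passed.
func checkServerCert(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots: roots, DNSName: host, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// fingerprint gives the SHA-256 fingerprint of the DER certificate in the
// colon-separated form browsers display, for comparison with a value obtained
// out of band (for example from the hotline).
func fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	parts := make([]string, len(sum))
	for i, b := range sum {
		parts[i] = fmt.Sprintf("%02X", b)
	}
	return strings.Join(parts, ":")
}

func main() {
	const host = "portal.example.test" // constructed host name
	pki, now := buildDemoPKI(host), time.Now()
	fmt.Println("fingerprint:     ", fingerprint(pki.Server))
	fmt.Println("genuine:         ", checkServerCert(pki.Server, pki.Roots, host, now))
	fmt.Println("untrusted issuer:", checkServerCert(pki.LookAlike, pki.Roots, host, now))
	fmt.Println("wrong host:      ", checkServerCert(pki.Server, pki.Roots, "other.example.test", now))
	fmt.Println("expired:         ", checkServerCert(pki.Server, pki.Roots, host, pki.Server.NotAfter.Add(time.Hour)))
}
```

Run it with go run; the genuine case returns nil and each of the three failure modes returns a distinct error, which is what a browser turns into its warning. Comparing the fingerprint with an out-of-band value covers the one case the automatic checks cannot: a certificate for the right name that chains to a trusted root but is not the one the operator actually deployed.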
Registration
For your personal access you receive, from a security point of view, two separate asymmetric key pairs, each with a personal certificate issued by the Trust Centre of My BOP (this applies to login with a certificate file and login with a security stick); with a signature card, the asymmetric key pairs already present on the card are used instead. One of your key pairs serves as your personal electronic authentication in all BOP security processes; the other is used to encrypt, individually for you, data that is intended only for you. Among other things, your personal certificates allow My BOP to prove that the public keys of these key pairs belong unambiguously to you.
Depending on the BOP registration type selected, you will need one of the following three means for your personal access:
Login option certificate file
The asymmetric key pairs are generated on your computer as a file in the PKCS#12 format, protected by an individual PIN, and stored in a special security environment (PSE) on the computer. Each pair consists of a private and a public key. The private keys of the asymmetric key pairs are cryptographically protected and can only be activated with the PIN you assign. The Trust Centre of My BOP issues a certificate for each of the associated public keys.
Login option security stick
The asymmetric key pairs are generated on your computer inside the connected security stick and are saved on its crypto chip, protected by an individual PIN, in a special security environment (PSE) where they can be used. The private keys of the asymmetric key pairs are cryptographically protected and can only be activated for use with the PIN you assign. The Trust Centre of My BOP issues the certificate for each of the public keys. Registration, key generation and certification proceed in the same way as for the certificate file.
Login option signature card
If you have a signature card supported by BOP, you can use it. This is possible, for example, with qualified or advanced signature cards of various banks and companies whose Trust Centre is integrated into My BOP. The asymmetric key pairs contained on your signature card are usually protected by an individual PIN and stored, ready for use, in a special security environment. The private keys of the asymmetric key pairs are cryptographically protected and can only be activated by you with the PIN. The certificates for the associated public keys on the signature card are transmitted from your computer to the Trust Centre of My BOP so that their validity can be confirmed for My BOP. If confirmation is positive, your certificate is integrated into My BOP.
The currently supported signature cards are listed under "PB 6 - Sicherheit". The technical implementation as well as the registration and distribution processes for these cards are organised by the respective provider in accordance with the StDÜV or the Signature Act and conform to the ELSTER Policy.
The private keys of the asymmetric key pairs can only be activated for use by entering an individual PIN of your choice. This kind of protection is commonly referred to as security based on knowledge (the PIN) and possession (the means of authentication). You are responsible for the safe handling of your means of authentication and the associated PIN!
Login option certificate file
If you have not received an email from My BOP within a certain period after submitting your personal data, you will have to start the registration process again. The most common cause is a typo, such as inadvertently entering an incorrect or invalid email address. How long to wait before assuming an email delivery error depends on many parameters, such as the current load on the Portal, the load on your ISP and the quality of your connection to your provider. Usually the email is delivered within minutes to a few hours. For waiting times of several days, we recommend contacting the hotline.
From the point of view of your computer's operating system, the certificate file is an ordinary file. It can therefore be stored on different storage media (e.g. hard disk, floppy disk, memory stick). It contains cryptographic keys and certificates and is linked to a user account in My BOP. Since the certificate file can be copied as often as any other file, a backup copy is easy to create.
Since copying can also happen unnoticed, for example when the file is stored on a network drive or by malicious software (malware), the certificate file carries risks that the user should be aware of.
It is technically possible to access the same user account from several workstations. However, this entails security risks and is error-prone. The protection of a user account rests on the combination of knowledge (the PIN for the certificate file) and possession (the certificate file). Whoever passes on the certificate file gives up this security feature on their own responsibility. If the ELSTER infrastructure is misused with a copy of the certificate file, the original owner can be identified and held responsible.
User accounts are personalised. Parallel (that is, simultaneous) use of one user account by several users with the certificate file is technically possible, but the My BOP process control system does not explicitly support multi-user operation of a user account: the results of other users' actions become visible only after a delay or only after a new login. This can lead to confusion and errors, so parallel use is discouraged.
Please note when passing on the file that
- the number of copies cannot be restricted,
- all copies of the certificate file are equally valid,
- it is not possible to trace which copy of a certificate file was used for a transaction,
- when a user account is blocked, all copies of the certificate file are affected,
- and it is not possible to block a single misused copy.
Another possible source of error is the renewal of the certificate file. For security reasons, the validity of the certificate file is limited (currently to 3 years). Within a certain period before the end of the validity period, the user is informed by email that a new certificate has been created and made available. At the next login to My BOP it is updated automatically. From the point of view of your computer's operating system the certificate file is thereby changed, and from this update on only this copy of the certificate file is valid. All other copies lose their validity, and a login to My BOP with them is no longer possible. After the certificate renewal, the old copies must therefore be replaced by the new version.
To preserve these security properties, we therefore recommend a security stick where a user account is used by several people, e.g. by married couples or within an organisational unit of a company. Its use can be controlled by organisational means, and a security stick certificate cannot be copied. In addition, the security stick offers greater security within My BOP.
Keep the answer to the security question, which is required to delete your user account, in a safe place and separate from your means of authentication. With login by certificate file, the certificate file is stored on your hard disk, so you must pay additional attention to protecting your computer sufficiently. If you use your computer for surfing the Internet or share it with other people, the file could be read or copied unnoticed. In such an attack your certificate would be protected only by your personal password (PIN). How to protect your computer from the dangers of the Internet is explained on the pages of the Federal Office for Information Security (BSI): https://www.bsi-fuer-buerger.de
An indirect proof of identity takes place by sending the Activation code by normal post and the Activation ID by email. Your identity is proven by the fact that only the genuine person can receive both pieces of information and thus activate the personal user account at My BOP.
The personal Activation code is an essential security mechanism when activating a personal user account at My BOP. Initiated by My BOP, it is generated and printed in a separately secured system of the fiscal authorities, which then send it to you in a sealed letter.
The Trust Centre of My BOP is a dedicated key and certificate manager operated together with My BOP. It is used to create and manage the certificates that allow individual electronic authentication and encryption for users of My BOP. The Trust Centre is operated on the basis of its own operating, organisational and security concept, which follows globally recognised guidelines.
For security reasons, two certificates are issued per user: one for electronic authentication, which is also used for authenticating data beyond the login check, and one for encrypting confidential data or feedback sent from My BOP to the user.
Registering on many Internet portals such as Amazon or eBay is done by specifying a user name and the associated password. That authentication is sufficient for the protection requirements of the data stored there. The authentication used by My BOP offers greater security: you log in to My BOP by specifying the path to your certificate file and your PIN. Your certificate file contains not only the private keys but also the associated certificates, through which My BOP checks your electronic identity. Instead of just stating your name when signing in, you show the Portal your ID. Once you have completed the registration process and logged in, every electronic data record you transfer to My BOP carries authentication data for personal attribution. On the one hand, the corresponding certificate identifies you to My BOP as the author; on the other hand, it can be ruled out that your data was altered in transit. The signature is made with the same private key from your certificate file that is used for authentication.
Your certificate file contains two asymmetric key pairs (private and public key), each with an associated certificate: one for authentication and one for encryption. The feedback generated when you use the personalised services of My BOP (for example query results and delivery confirmations) is encrypted with the public key belonging to your encryption certificate (which is known to My BOP) and placed in your personal mailbox in My BOP. Only you can decrypt it, with the private key contained in your certificate file.
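The hybrid scheme the page describes twice, for the encrypted connection under Basic knowledge and for the mailbox in the paragraph above, as one added example that is not part of the original page or of ELSTER's implementation: a freshly drawn random symmetric key encrypts the data, and only that key is encrypted with the recipient's RSA public key. The code uses Go's standard library only, with AES-256-GCM and RSA-OAEP as concrete modern choices; it illustrates the principle, not the exact TLS 1.2 record or ELSTER mailbox formats. The label, the key pair and the message are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// sealed is what travels over the wire or sits in the mailbox: the random
// symmetric key wrapped with the recipient's RSA public key, the AES-GCM nonce
// and the ciphertext. Only the holder of the matching private key can unwrap it.
type sealed struct {
	WrappedKey, Nonce, Ciphertext []byte
}

// seal is the sender's side (your computer for the connection, My BOP for the
// mailbox): draw a fresh 256-bit AES key, encrypt the data with AES-256-GCM,
// then wrap the key with RSA-OAEP under pub. The label is bound into both the
// OAEP wrap and the GCM authentication tag, so a wrapped key prepared for one
// purpose cannot be presented as another.
func seal(pub *rsa.PublicKey, plaintext, label []byte) (*sealed, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, label)
	if err != nil {
		return nil, err
	}
	return &sealed{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, label)}, nil
}

// open is the recipient's side: unwrap the symmetric key with the private key,
// then decrypt. Any modification of the ciphertext, nonce or label makes GCM
// reject the message rather than return altered data.
func open(priv *rsa.PrivateKey, msg *sealed, label []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, msg.WrappedKey, label)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, msg.Nonce, msg.Ciphertext, label)
}

func main() {
	// Constructed recipient key pair; in the portal this is the user's
	// encryption key pair, whose certificate My BOP holds.
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // 2048-bit RSA, as the page specifies
	if err != nil {
		panic(err)
	}
	label := []byte("mailbox:constructed-user-id")
	msg, err := seal(&priv.PublicKey, []byte("Delivery confirmation (constructed)"), label)
	if err != nil {
		panic(err)
	}
	pt, err := open(priv, msg, label)
	fmt.Printf("decrypted: %q, err=%v\n", pt, err)
	msg.Ciphertext[0] ^= 0x01 // a single flipped bit is detected
	_, err = open(priv, msg, label)
	fmt.Println("tampered:", err)
}
```

The symmetric key never leaves the holder of the private key, and the authentication tag means an altered message is refused instead of being decrypted into garbage. One caveat worth knowing: when a session key is transported this way in TLS 1.2 (the RSA key exchange), a later compromise of the server's private key exposes every recorded session, which is why (EC)DHE cipher suites with forward secrecy are preferred for transport; the mailbox is a different setting, where encrypting to the user's long-lived public key is exactly what is wanted.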
The security of your authentication is based on the approved RSA method with a key length of 2048 bits. Following the recommendations of the BSI and the Federal Network Agency, ELSTER recommends the use of 2048-bit key lengths and the hash algorithm SHA256 to ensure a long-term security level. The data transfer is encrypted with a symmetric cryptographic method that corresponds to the current state of security technology. The symmetric key needed for this is generated as a random number, encrypted with the RSA method and communicated to the ElsterOnline Portal. Only your computer and the portal know the symmetric key currently used to decrypt your data.
The authentication is based on the internationally recognised RSA method with a key length of 2048 bits. Following the recommendations of the BSI and the Federal Network Agency, ELSTER recommends the use of 2048-bit key lengths and the hash algorithm SHA256 to ensure a long-term security level. After you enter your PIN, your computer generates an electronic authentication signature with the private key contained in your certificate file.
Your computer sends this electronic authentication signature, together with the certificate of the associated public key contained in the certificate file, to My BOP for authentication. Your certificate is known to My BOP because the Trust Centre of My BOP issued it and keeps it in its own directory. By comparing the certificates, My BOP can verify that the public key really belongs to you, and if all of My BOP's checks are positive you are forwarded to your personalised services.
Only you can access your personalised services. The strong security here rests on your knowledge (the PIN) and your possession (the certificate file). The certificate file contains only personal, individual security-related content. Without knowledge of the PIN and possession of the certificate file, access to your personalised services is not possible. You are responsible for the safekeeping of both cryptographic means. Unauthorised persons must not gain access to them; only then can the security of your communication with My BOP be maintained.
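The login exchange described in the preceding paragraphs (and repeated below for the security stick and the signature card), as an added example that is not part of the original page or of ELSTER's software. It uses Go's standard library only (Go 1.18 or newer): a constructed Trust Centre issues a user's two certificates, one marked for signing (authentication) and one for encryption, and keeps them in its own directory; the client signs the portal's challenge with the authentication key, and the portal checks the certificate against its directory copy, the key usage, the validity period and the signature before admitting the user. The user name, the Trust Centre and the challenge are constructed, and RSA PKCS#1 v1.5 over SHA-256 is assumed as the signature scheme, since the page does not name one.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// directory models the Trust Centre's own store of the certificates it issued,
// keyed by SHA-256 fingerprint. Everything here is constructed for the demo.
type directory struct {
	tc    *x509.Certificate
	tcKey *rsa.PrivateKey
	byFP  map[[32]byte]*x509.Certificate
}

// issue signs tmpl with the Trust Centre key and gives it the page's 3-year validity.
func (d *directory) issue(tmpl *x509.Certificate, pub *rsa.PublicKey) *x509.Certificate {
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(3*365*24*time.Hour)
	parent := d.tc
	if parent == nil { // bootstrapping: the Trust Centre's own certificate is self-signed
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, d.tcKey))))
}

func newDirectory() *directory {
	d := &directory{tcKey: must(rsa.GenerateKey(rand.Reader, 2048)), byFP: map[[32]byte]*x509.Certificate{}}
	d.tc = d.issue(&x509.Certificate{Subject: pkix.Name{CommonName: "Demo Trust Centre (constructed)"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, &d.tcKey.PublicKey)
	return d
}

// enrol issues a user's two certificates and records them: one whose key may only
// sign (authentication), one whose key may only receive wrapped keys (encryption).
func (d *directory) enrol(user string, authPub, encPub *rsa.PublicKey) (auth, enc *x509.Certificate) {
	auth = d.issue(&x509.Certificate{Subject: pkix.Name{CommonName: user}, KeyUsage: x509.KeyUsageDigitalSignature}, authPub)
	enc = d.issue(&x509.Certificate{Subject: pkix.Name{CommonName: user}, KeyUsage: x509.KeyUsageKeyEncipherment}, encPub)
	d.byFP[sha256.Sum256(auth.Raw)], d.byFP[sha256.Sum256(enc.Raw)] = auth, enc
	return auth, enc
}

// signChallenge is the client side once the PIN has unlocked the private key: an
// RSA PKCS#1 v1.5 signature over SHA-256 of the server's challenge. The computer
// sends this signature together with its certificate.
func signChallenge(priv *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// verifyLogin is the portal side. The submitted certificate serves only as a lookup
// key; the Trust Centre's own copy is what gets checked, so a certificate it never
// issued, an encryption certificate presented for login, an expired certificate or
// a signature that does not verify are all rejected. It returns the user's name.
func (d *directory) verifyLogin(certDER, challenge, sig []byte, now time.Time) (string, error) {
	cert, ok := d.byFP[sha256.Sum256(certDER)]
	if !ok {
		return "", errors.New("certificate not in the Trust Centre directory")
	}
	if err := cert.CheckSignatureFrom(d.tc); err != nil {
		return "", err
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return "", errors.New("not an authentication certificate")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return "", errors.New("certificate not valid at this time")
	}
	h := sha256.Sum256(challenge)
	if err := rsa.VerifyPKCS1v15(cert.PublicKey.(*rsa.PublicKey), crypto.SHA256, h[:], sig); err != nil {
		return "", fmt.Errorf("authentication signature invalid: %w", err)
	}
	return cert.Subject.CommonName, nil
}

func main() {
	d := newDirectory()
	authKey, encKey := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	auth, enc := d.enrol("Demo User (constructed)", &authKey.PublicKey, &encKey.PublicKey)
	challenge := make([]byte, 32)
	must(rand.Read(challenge)) // fresh per login, so a captured signature cannot be replayed
	fmt.Println(d.verifyLogin(auth.Raw, challenge, must(signChallenge(authKey, challenge)), time.Now()))
	fmt.Println(d.verifyLogin(enc.Raw, challenge, must(signChallenge(encKey, challenge)), time.Now()))
}
```

Because the portal looks up its own copy of the certificate rather than trusting the bytes the client sent, a certificate the Trust Centre never issued is rejected even if it carries the right name. Keeping the encryption key pair out of the login path (the key-usage check) means a key that only ever decrypts mailbox content can never be used to prove identity, which is the separation the page's two certificates provide.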
Login option security stick
If you have not received an email from My BOP within a certain period after submitting your personal data, you will have to start the registration process again. The most common cause is a typo, such as inadvertently entering an incorrect or invalid email address. How long to wait before assuming an email delivery error depends on many parameters, such as the current load on the Portal, the load on your ISP and the quality of your connection to your provider. Usually the email is delivered within minutes to a few hours. For waiting times of several days, we recommend contacting the hotline.
An indirect proof of identity takes place by sending the Activation code by regular post and the Activation ID by email. Your identity is proven by the fact that only the genuine person can receive both pieces of information and thus activate the relevant access to My BOP.
The personal Activation code is an essential security mechanism when activating access to My BOP. Initiated by My BOP, it is generated and printed in a separately secured system of the fiscal authorities, which then send it to you in a sealed letter.
The Trust Centre of My BOP is a dedicated key and certificate manager operated together with My BOP. It is used to create and manage the certificates that allow individual authentication and encryption for users of My BOP. The Trust Centre is operated on the basis of its own operating, organisational and security concept, which follows globally recognised guidelines.
For security reasons, two electronic certificates (with two asymmetric key pairs) are issued for each security stick: one for authentication, which is also used for authenticating data beyond the login check, and one for encrypting confidential data or feedback sent from My BOP to the user.
In future you will be able to use the personalised services of My BOP via the login only if you authenticate yourself with your security stick. Your security stick contains the necessary private keys and the associated certificates, through which My BOP checks your electronic identity. When you use the Portal's personalised services, the electronic data records transmitted to My BOP contain personal authentication data. On the one hand, by means of your certificate My BOP can verify that you are the author; on the other hand, it can be ruled out that your data was altered in transit. The private key used from your security stick is the same one used for authentication.
Your security stick contains exactly two asymmetric key pairs, each with its corresponding certificate: one for authentication and one for encryption. The feedback generated when you use the personalised services of My BOP (for example query results and delivery confirmations) will in future be encrypted with your public key (from the encryption certificate, which is known to My BOP) and provided for you in your personal My BOP mailbox. Only you can decrypt it, with your security stick.
The security of your authentication is fundamentally based on the recognised RSA method with a key length of 2048 bits for the "G&D StarSign USB Token for ELSTER" (on sale since October 2008). In line with the recommendations of the BSI and the Federal Network Agency, ELSTER recommends the use of a security stick with 2048-bit key lengths and the hash algorithm SHA256 to ensure a long-term security level. The data transfer is encrypted with a symmetric cryptographic method that corresponds to the current state of security technology. The symmetric key needed for this is generated by your security stick as a random number, encrypted with the RSA method and communicated to My BOP. Only your security stick and My BOP know the symmetric key with which the corresponding data can then be decrypted.
The security of your authentication is fundamentally based on the recognised RSA method with a key length of 2048 bits for the "G&D StarSign USB Token for ELSTER" (on sale since October 2008). Following the recommendations of the BSI and the Federal Network Agency, ELSTER recommends the use of 2048-bit key lengths and the hash algorithm SHA256 to ensure a long-term security level. After you enter your PIN, an electronic authentication signature is generated with the private key contained in the stick. Your computer sends this electronic authentication signature, together with the certificate of the associated public key, to My BOP for authentication. Your certificate is known to My BOP because the Trust Centre of My BOP issued it and keeps it in its own directory. By comparing the certificates, My BOP can verify that the public key really belongs to you. If all of My BOP's checks are successful, you are forwarded to your personalised services.
Only you can access your personalised services. The strong security here rests on your knowledge (the PIN) and your possession (the security stick). The security stick contains only personal, individual security-related content. Without knowledge of the PIN and possession of the security stick, access to your personalised services is not possible. You are responsible for the safekeeping of both cryptographic means. Unauthorised persons must not gain access to them; only then can your secure connection to My BOP be maintained.
Login option signature card
If you have a signature card for authentication that is supported by ELSTER, you can also use it with My BOP. For a list of ELSTER-supported signature cards for authentication, see the Requirements page in the section "Operating System and Type of Registration - Type of Login".
Signature cards for authentication are the electronic replacement for your handwritten signature and are issued, for example, by banks. A document signed with a signature card for authentication is considered legally binding. The fiscal authorities require a minimum level of security when signature cards are used for authentication; this is laid down in the ELSTER Policy.
Note: Signature cards for authentication with pseudonyms are explicitly not supported!
If you have not received an email from My BOP within a certain period after submitting your personal data, you will have to start the registration process again. The most common cause is a typo, such as inadvertently entering an incorrect or invalid email address. How long to wait before assuming an email delivery error depends on many parameters, such as the current load on the Portal, the load on your ISP and the quality of your connection to your provider. Usually the email is delivered within minutes to a few hours. For waiting times of several days, we recommend contacting the hotline.
An indirect proof of identity takes place by sending the Activation code by regular post and the Activation ID by email. Your identity is proven by the fact that only the genuine person can receive both pieces of information and thus activate the relevant access to My BOP.
The personal Activation code is an essential security mechanism when activating access to My BOP. Initiated by My BOP, it is generated and printed in a separately secured system of the fiscal authorities, which then send it to you in a sealed letter.
The Trust Centre of My BOP is a dedicated key and certificate manager operated together with My BOP. It is used to create and manage the certificates that allow individual authentication and encryption for users of My BOP. The Trust Centre is operated on the basis of its own operating, organisational and security concept, which follows globally recognised guidelines. The Trust Centre of My BOP incorporates the directory services of various external Trust Centres accepted by My BOP, so that the certificate-based encryption and authentication functions of your signature card can be used for My BOP. If your signature card is supported by My BOP, your relevant certificates are contained in such an integrated directory service of your card issuer. This allows My BOP to check the validity of the certificates on your signature card quickly.
In future you will be able to use the personalised services of My BOP via the login only if you authenticate yourself with your signature card. Your signature card contains the necessary private keys and the associated certificates, through which My BOP checks your electronic identity. Once you have completed the registration process and logged in, the electronic records to be transmitted always carry your personal electronic signature. On the one hand, My BOP can thereby verify by means of the associated certificate that you are the author; on the other hand, the integrity of the data records can be checked. The private key used on your signature card is the same one used for authentication.
In future, the feedback generated when you use the personalised services of My BOP (for example query results and input confirmations) will be encrypted with the public key from your signature card (contained in the certificate known to My BOP) and provided for you personally in My BOP. Only you can decrypt and use it on your computer, with the associated private key contained in the signature card.
The security of your authentication is fundamentally based on the recognised RSA method with a key length of 2048 bits, depending on the signature card used for authentication. In line with the recommendations of the BSI and the Federal Network Agency, ELSTER recommends the use of a signature card for authentication with 2048-bit key lengths and the hash algorithm SHA256 to ensure a long-term security level. The encryption uses a symmetric cryptographic method that corresponds to the current state of security technology. The symmetric key needed for this is generated by your signature card as a random number, encrypted with the RSA method and communicated to My BOP. Only your signature card and My BOP know the symmetric key with which the corresponding data can then be decrypted.
The security of your authentication is fundamentally based on the recognised RSA method with a key length of 2048 bits, depending on the signature card used for authentication. In line with the recommendations of the BSI and the Federal Network Agency, ELSTER recommends the use of a signature card for authentication with 2048-bit key lengths and the hash algorithm SHA256 to ensure a long-term security level. After you enter your PIN, the card generates your personal electronic authentication signature with the private key it contains. Your computer sends this electronic authentication signature, together with the certificate of the associated public key from your signature card, to My BOP for authentication. As your certificate was stored in a separate directory of My BOP as part of your registration, My BOP can ensure by comparing certificates that the public key really belongs to you. If all of My BOP's checks are successful, you are forwarded to your personalised services.
Only you can access your personalised services. The strong security here rests on your knowledge (the PIN) and your possession (the signature card). Your signature card contains only personal, individual security-related content. Without knowledge of the PIN and possession of the signature card, access to your personalised services is not possible. You are responsible for the safekeeping of both cryptographic means. Unauthorised persons must not gain access to them; only then can your secure connection to My BOP be maintained.