Help
Basic knowledge
To ensure that you are actually connected to Mein ELSTER via a secure connection, your browser checks whether the automatically transmitted electronic SSL certificate is valid. This is how you can verify that your communication partner really is ELSTER. The SSL certificate from ELSTER is used to bind a cryptographic public key to the ELSTER website. The binding of the key to ELSTER is in turn cryptographically secured with an electronic signature from a trustworthy third party, an internationally recognized Trustcenter.
The certificate of the trusted Trustcenter is already included in all browsers, so that this property can be checked automatically. The following two certificate properties are also checked automatically:
The domain name for which the SSL certificate used for the secure Internet connection was issued must match the actual domain name of the web server (for example www.elster.de).
The SSL certificate must be valid. Server certificates are only issued for a certain period of time for security reasons and are regularly renewed by the operator of the ELSTER websites.
If at least one of the three checks mentioned above fails, the user is shown a browser warning. In this case, you should not use Mein ELSTER but contact the Hotline.
The encrypted electronic connection to the ELSTER websites is established via the recognized Internet protocol HTTPS (TLS 1.2). The basis is a 2048-bit authentication of the ELSTER websites to your computer via the SSL certificate according to the asymmetric cryptographic RSA method. Data transmission is encrypted using a symmetric cryptographic procedure that corresponds to the current state of security technology. The required symmetric key is generated on your computer as a random number during registration and communicated to the ELSTER websites in encrypted form using RSA. Only your computer and the ELSTER website know the symmetric key with which the communication can be decrypted.
Within the three authentication methods certificate file, security stick and signature card, an asymmetric cryptographic RSA procedure with certificates is used for security purposes.
The fingerprints of the SSL certificate currently used by elster.de are:
- SHA256: 77:9B:2F:C6:87:E9:CF:74:BD:56:4F:17:B4:31:89:1C:3F:B8:A4:CE:C9:87:82:2F:C6:C1:C0:A2:6F:CE:81:12
- SHA1: 18:BD:14:40:4D:42:54:DA:CD:15:88:74:92:8C:0A:43:3E:B5:A0:E4
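The three browser checks described above (trust chain, domain name, validity period) plus a comparison against the published SHA256 fingerprint, as an added Python example that is not part of the ELSTER help page. It assumes the standard library only; the only page-specific value is the SHA256 fingerprint copied from the list above, and the functions other than check_elster_connection() run offline.

```python
import hashlib
import socket
import ssl
import time

# Fingerprint copied from the help page; the page says "currently used", so it is a
# point-in-time value and will change when ELSTER renews its server certificate.
PINNED_SHA256 = ("77:9B:2F:C6:87:E9:CF:74:BD:56:4F:17:B4:31:89:1C:"
                 "3F:B8:A4:CE:C9:87:82:2F:C6:C1:C0:A2:6F:CE:81:12")


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of a DER-encoded certificate,
    the format browsers and the help page display."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der: bytes, pinned: str, algo: str = "sha256") -> bool:
    """Compare ignoring case, colons and spaces, so a hand-typed value still matches."""
    def norm(s: str) -> str:
        return s.replace(":", "").replace(" ", "").upper()
    return norm(fingerprint(der, algo)) == norm(pinned)


def within_validity(not_before: str, not_after: str, now=None) -> bool:
    """Validity-period check; dates are in the format ssl.getpeercert() returns,
    e.g. 'Jan  5 09:34:43 2018 GMT'."""
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(not_before) <= now <= ssl.cert_time_to_seconds(not_after)


def check_elster_connection(host: str = "www.elster.de", port: int = 443) -> dict:
    """Handshake with the default context: chain validation against the local trust
    store and hostname matching happen inside wrap_socket() and raise
    ssl.SSLCertVerificationError on failure, mirroring the browser warning.
    Requires network access."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # the page names TLS 1.2 as the basis
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            info = tls.getpeercert()                 # parsed fields (dates, subject)
            der = tls.getpeercert(binary_form=True)  # raw DER for the fingerprint
            protocol = tls.version()
    return {
        "protocol": protocol,
        "valid_now": within_validity(info["notBefore"], info["notAfter"]),
        "sha256": fingerprint(der),
        "pinned_match": fingerprint_matches(der, PINNED_SHA256),
    }
```

A pinned_match of False after a certificate renewal is expected; the fingerprint then has to be re-read from the help page before it is trusted again.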
Registration
You will receive two separate asymmetric key pairs for your personal access, each with a personal certificate issued by the ELSTER Trustcenter (applies to certificate file and security stick), or the existing asymmetric key pairs of your signature card will be used. One of the key pairs will be used for your personal electronic authentication in all Mein ELSTER security processes and the other for the individual encryption of data that is only intended for you. Your personal certificates are used by Mein ELSTER, among other things, to prove that the public keys contained in the asymmetric key pairs uniquely belong to you.
Certificate file
The asymmetric key pairs are generated on your computer and stored in a file protected by an individual password in accordance with the PKCS#12 security standard, in a special personal security environment (PSE) of the computer. Each pair consists of a private and a public key. The respective private key of the asymmetric key pairs is cryptographically protected and can only be activated using the password you have assigned. The ELSTER Trustcenter issues certificates for the corresponding public keys.
Security stick
The asymmetric key pairs are generated on your computer inside the connected security stick, protected on the crypto chip it contains by an individual password, and stored and used in a special security environment (PSE). The respective private key of the asymmetric key pairs is cryptographically protected and can only be activated for use via the password you have assigned. The ELSTER Trustcenter issues certificates for the respective public keys. The registration, key generation and certification processes are analogous to those for the certificate file.
Signature card
If you have a supported signature card, you can use it. This is possible, for example, with qualified or advanced signature cards from various banks and companies whose Trustcenters are integrated into ELSTER. The asymmetric key pairs contained on your signature card are usually protected by an individual PIN and stored and usable in a special security environment. The respective private key of the asymmetric key pairs is cryptographically protected and can only be activated for use by yourself via the PIN. The certificates of the associated public keys on the signature card are transferred from your computer to the ELSTER Trustcenter so that their validity can be confirmed. If the check is positive, your certificates will be integrated into ELSTER. The technological design as well as the registration and issuing processes for signature cards are designed by the respective providers in compliance with the specifications and requirements of the StDÜV and the Signature Act and are compliant with the ELSTER Policy.
The private keys of the asymmetric key pairs can only be activated for use by entering an individual password of your choice. This security is also generally referred to as security based on "knowledge (password) and possession (means of authentication)". You are responsible for the secure handling of your means of authentication and the corresponding password!
Please note that simply changing the password of the certificate file is not sufficient, especially if you suspect unauthorized copying of the certificate file. As a precaution, you should delete your user account in this case.
If you have not received an e-mail from Mein ELSTER within a certain period of time after sending the registration data, you must start the registration process again. The most common cause of this can be a typing error, such as inadvertently entering an incorrect or invalid e-mail address. The recommended waiting time before you can assume an error in the delivery of the e-mail depends on many parameters, such as the current load on the portal, the load on your Internet provider and the quality of your connection to your provider. The e-mail is usually delivered within minutes to a few hours. If you have to wait several days, we recommend contacting the Hotline.
Indirect proof of identity is provided by sending the activation code by standard post and sending the activation ID by e-mail. Proof of your identity or the identity of the organization you represent is provided in that only the authentic person can receive both pieces of information and thus activate the user account in Mein ELSTER.
The activation code is an essential security mechanism when activating a user account. Initiated by Mein ELSTER, it is generated and printed in a separately secured system of the tax authorities. It is then sent to you in a closed letter from the tax authorities.
The Trustcenter of ELSTER is a dedicated key and certificate manager to be operated together with Mein ELSTER. It is used to create and manage certificates that enable individual authentication and encryption for users of Mein ELSTER. The Trustcenter is operated on the basis of its own operating, organizational and security concept in accordance with globally recognized guidelines.
In future, you will only be able to use the personalized services via the login if you authenticate yourself using the certificate contained in your certificate file / security stick / signature card. When using personalized services, the electronic data records transmitted to Mein ELSTER contain personal authentication data. On the one hand, this ensures via your certificate that you are the author of the data sent to Mein ELSTER and, on the other hand, it rules out that your data has been changed during transmission.
Your certificate file / security stick / signature card holds two asymmetric key pairs, each with a corresponding certificate: one for authentication and one for encryption. The responses generated by Mein ELSTER (e.g. query results and transmission confirmations) are encrypted with your public key and made available to you in your inbox in Mein ELSTER. Only you can decrypt them, using the private key held in your means of authentication.
Certificate file
The certificate file is a file in a special format in which a personal security environment is stored. The data is cryptographically protected and can only be activated for use with a password. A certificate file can be stored on different storage media (e.g. hard disk, USB stick) and can be copied as often as required.
Further information can be found in the Help.
The certificate file contains cryptographic keys and certificates. The certificate file creates the link to a user account in Mein ELSTER. As the certificate file can be copied as often as required, like any other file, a backup copy can be easily created.
As copying can also take place unnoticed, e.g. when stored on a network drive or by malicious software, the certificate file entails risks that the user should be aware of.
It is technically possible to gain access to one and the same user account from several workstations. However, this option harbors security risks and is prone to errors. Securing a user account is based on a combination of knowledge (password for the certificate file) and possession of the certificate file. If the certificate file is passed on, the owner of the user account relinquishes this security feature on their own responsibility. If the ELSTER infrastructure is misused by a copy of the certificate file, the original owner can be identified and held responsible.
Mein ELSTER user accounts are designed to be personal. The parallel (in the sense of simultaneous) use of a user account by several users with certificate files is technically possible. However, the flow control of Mein ELSTER does not explicitly support multi-user operation of a user account. The results of other users' actions are only visible with a time delay or only after a new login. This can lead to confusion and errors. Parallel use is therefore not recommended.
When passing on the file, please note that
- the number of copies cannot be restricted,
- all copies of the certificate file are equivalent,
- it is not possible to trace which copy of a certificate file was used to carry out a transaction,
- all copies of the certificate file are affected when a user account is revoked,
- and it is not possible to block a single misused copy.
There is another possible source of error when updating the certificate file. For security reasons, the validity of the certificate file is limited (currently to 3 years). The user is informed by e-mail, with a certain safety margin before the end of the validity period, that a certificate renewal can be carried out. The next time you log in to Mein ELSTER, the renewal will start automatically and you will receive a new certificate file once the process is complete. From this update onwards, only this new certificate file will be valid. All other copies lose their validity and logging in with these copies is no longer possible. The old copies must therefore be replaced with the new version as a follow-up action to the certificate renewal.
In order to maintain security aspects, we therefore recommend the use of a security stick in the case of multiple use of a user account, e.g. for married couples or within an organizational unit of a company. In this case, use can be controlled by organizational means; it is not possible to copy a security stick certificate.
You should store the response to the security prompt required to delete your user account securely and separately from your means of authentication. Because the certificate file is stored on your hard disk during registration, you must also ensure that your computer is adequately secured. If you use your computer for surfing the Internet or it is shared by other people, the file could be read or copied unnoticed. In the event of such an attack, your certificate would only be protected by your personal password. You can find out how you can protect your computer from the dangers of the Internet on the website of the Federal Office for Information Security: https://www.bsi-fuer-buerger.de.
Security stick
You can obtain the security stick from the Online-Shop.
The security stick is a USB security device that contains a card reader and a chip. The format is similar to a USB memory stick. The functions of the integrated chip are identical to those of a chip card in terms of hardware and software. This makes the security stick a miniature computer. The security stick stores the user's PSE. Sensitive cryptographic operations with the user's secret key are carried out within the security stick. In addition, the secret keys cannot be read out of the security stick. This means that the security stick also meets high security requirements with regard to the storage of individual PSEs. Further information can be found in the Help.
Signature card
A list of the signature cards supported by ELSTER for authentication can be found on the "System requirements" page.
Signature cards are an electronic replacement for your handwritten signature and are issued by banks, for example. A document signed with a signature card is considered legally binding. The tax authorities require a minimum level of security when using signature cards, which is set out in the ELSTER Policy.
Note: Signature cards with pseudonyms are expressly not supported!