Estonian Information System Authority (RIA) is organising an international conference on 9th of May in 2018 in Tallinn (Tallinn Creative Hub – Kultuurikatel) to discuss the impact and consequences of the security risk found in the Infineon chips in autumn 2017 by the researchers at Masaryk University in the Czech Republic.
The aim of this conference is to bring together parties affected by the security risk to discuss our lessons, experiences and responsibility, because the security flaw affected many companies and countries in Europe as well as elsewhere in the world. If possible, we aim to agree on a joint plan of follow-up activities or a memorandum to provide input to different authorities who establish regulative rules. Researchers from Masaryk University have announced their participation in the conference – they will make an opening presentation about their research.
The conference is aimed at policymakers as well as specialists in the eID field, opinion leaders, representatives of authorities and companies that are dependent on the functioning of Estonian ID-cards and e-services, developers of e-government and IT systems, and other parties related to the issue from both Estonia and Europe.
09.30-10.00 Delegate registration opens. Welcome coffee
10.00-11.30 Welcome and Opening of the Conference / Session 1
• Welcome by moderator Andres Kütt
• Welcome speech by the Prime Minister Jüri Ratas
• The goal of the research (ROCA vulnerability) – Petr Svenda, the University of Masaryk
• The influence and the distinctness on Estonian ID-card and its use – Taimar Peterkop, the head of Information System Authority
• The examples of actions of different countries – Ulrich Latzenhofer, Austrian Regulatory Authority for Broadcasting and Telecommunications
11.30-12.00 Coffee break
12.00-13.30 Session 2
• Lessons we learned (Estonia) – Rain Ottis, Associate Professor at Tallinn University of Technology
• The contract of ID-card – who's responsible for what? – Kaija Kirch, Police and Border Guard Board, ID expert
• Discussion: How did we manage and what to do better next time? Expert panel led by Rain Ottis. Attending: Kaija Kirch, Margus Arm, Ilmar Raag
14.30-16.30 Session 3
• eIDAS perspective of the ROCA vulnerability – Security Expert and Information Security Officer, Marnix Dekker, ENISA
• Lessons we learned (global view) – Liisa Past, Chief research officer, Information System Authority
• Lessons we learned (Commission view) – Andrea Servida, European Commission
• Discussion: What can we do better in the future? Expert panel led by Liisa Past. Attending: Marnix Dekker, Andrea Servida, Ulrich Latzenhofer, Petr Svenda
• Conference conclusion by moderator Andres Kütt
16.30-17.30 Goodbye coffee and networking
Abstract: This thesis identifies the card technologies used in loyalty programs across Estonia. These technologies include magnetic-stripe cards, contactless cards (in the form of MIFARE Classic, MIFARE Ultralight, MIFARE DESFire EV1 and low frequency RFID cards) and a smart card known as the Estonian electronic identification card (ID card). Each card type implements its own security features to prevent cloning and/or unauthorized access to the content stored on the card. The contents of each card were read and the method in which it was used in the system analysed. In the cases where possible a clone of the card was created and tested against the real system to verify that it passed the authentication procedures.
This is an MSc thesis from the TUT Cyber Security curriculum. The thesis was defended in June 2017.
The thesis analyzed cloneability aspects of the loyalty cards used in Estonia. While the magnetic-stripe cards are known to be trivially cloneable, the study also analyzed a bunch of contactless cards: MyFitness, Elron, Tallinn Bus Card, ISIC, SEB ISIC, Tartu Bus Card, Rimi Card. Only the Rimi and Elron cards were found to withstand known cloning attacks.
Abstract: The electronic chip of the Estonian ID card is widely used in Estonia to identify the cardholder to a machine. For example, the electronic ID card can be used to collect rewards in customer loyalty programs, authenticate to public printers and self-checkout machines in libraries, and even unlock doors and gain access to restricted areas.
This paper studies the security aspects of using the Estonian ID card for this purpose. The paper shows that the way the ID card is currently being used provides little to no assurance to the terminal about the identity of the cardholder. To demonstrate this, an ID card emulator is built, which emulates the electronic chip of the Estonian ID card as much as possible and is able to successfully impersonate the real ID card to the terminals deployed in practice. The exact mechanisms used by the terminals to authenticate the ID card are studied and possible security improvements for the Estonian ID card are discussed.
The TL;DR of the paper is that when the ID card is used to authenticate to a machine (unless PIN1/PIN2 is involved), the ID card does not provide an additional authentication factor. This is not a surprise to anyone who is familiar with the technology, but some still believe that the ID card provides some security over the magnetic-stripe card.
The paper describes a proof-of-concept implementation of a non-cryptographic “ID card emulator” and demonstrates transplantation of the fake chip to a real ID card.
The presentation was given at the cybersecurity conference “Cyberchess 2017” held on October 5, 2017 in Riga. The presentation touched upon recent events such as i-voting and the flaw found in the ID card chip.
The last question from the audience was worth a dime:
Is PPA considering any legal action against the vendor, because, as I understand, you have been informed by the researchers, but the vendor has not informed you.
And the second one: in the new procurement, what are the lessons learned? Are you planning to change or include some clauses on liability?
The question was not answered in full, but the answer would be interesting indeed.
Most internet bank users using ID-card or Mobile-ID are used to first enter PIN1 and then confirm by PIN2 again when making a payment. Danske Bank, however, has solved the matter differently, and will only ask for PIN1 for both login and for payment confirmation.
Annika Maiste, head of Danske Bank’s e-banking, said that indeed the same PIN code should be used for both login and payment confirmation, and according to the bank, this does not have any effect on security. “In our risk assessment, we have analyzed various attacks and concluded that the use of the digital signing function in Internet Banking may not provide significant additional protection to the user in the case of modern malware,” Maiste said.
She added that the above principle is used for both Mobile-ID and ID-card, and that the company can confirm that, although compared to other banks, Danske Internet Bank does not ask PIN2 from users, it is safe for the users.
Katrin Talihärm, Managing Director of the Banking Association, said that what kind of security code to ask is the responsibility of each service provider and they have not made recommendations to their members about it. She added that both ID-card and Mobile-ID are categorized by their definition as strong authentication tools, when used in an electronic environment in addition to PIN.
If only modern malware is considered in the threat model, then indeed PIN2 does not provide any additional protection. However, there are other attacks where, while the compromise of one key is feasible, the compromise of both keys is not.
On September 5, 2017, Estonian Information System Authority (RIA) informed about a security risk in ID cards:
On 30 August, an international team of researchers informed the Information System Authority (RIA) of a security risk affecting ID-cards issued in Estonia since October 2014 (including cards issued to e-residents), i.e. about 750,000 cards altogether. ID-cards issued before 16 October 2014 have a different chip and are not affected by this risk.
Now we have more details:
The flaw resides in the Infineon-developed RSA Library version v1.02.013, specifically within an algorithm it implements for RSA primes generation. [..] To boost performance, the Infineon library constructs the keys’ underlying prime numbers in a way that makes the keys prone to a process known as factorization. When generated properly, an RSA key with 2048 bits should require several quadrillion years—or hundreds of thousands of times the age of the universe—to be factorized with a general-purpose computer. Factorizing a 2048-bit RSA key generated with the faulty Infineon library, by contrast, takes [..] no more than 17 days and $40,300 using a 1,000-instance machine on Amazon Web Service. On average, it would require half the cost and time to factorize the affected keys. All that’s required is passing the public key through an extension of what’s known as Coppersmith’s Attack.
The researchers examined keys used in electronic identity cards issued by four countries and quickly found two—Estonia and Slovakia—were issuing documents with fingerprinted keys, both of which were 2048 bits in length, making them practically factorizable.[..] While it has closed its public key database, Estonian government officials have also announced plans to rotate all keys to a format that’s not vulnerable, starting in November.
Details from Infineon:
Due to application-specific requirements, it is common practice to employ acceleration algorithms in order to generate key pairs, especially if time resources are sparse. Infineon also utilizes such an acceleration algorithm in time-restricted cases, called “Fast Prime”. [..] The foundations of “Fast Prime” date back to the year 2000. Its use started around ten years later after thorough reviews. [..] this software function was certified by the BSI (Federal Office for Information Security) in Germany. No mathematical weaknesses were known, nor have been discovered during the certification processes. Recently, a research team from the Masaryk University, Czech Republic, developed advanced mathematical methods to analyze and exploit weaknesses in acceleration algorithms for prime number selection.
In a way these findings are a blessing for the practical security of Estonian eID. Up to now, at least publicly, the chip of the Estonian ID card was presumed infallible, and if someone approached these issues in the risk analysis, it was considered a heresy.
There are several lessons to be learned on different levels of management. The current practice of simply hoping that the vendor of the unauditable chip will get it right may not be a sustainable approach for a state which relies so heavily on the secrecy of the private keys held therein.
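The "fingerprinted keys" in the report quoted above can be recognised from the public modulus alone, which is how a relying party can check its own certificates. The following is an added example, not code from the original post or from the researchers; it relies on the published structure of the affected primes, and the function names and sample values are constructed for illustration.

```python
# Added example: detect the ROCA fingerprint from the public modulus only.
# Published structure of affected primes: p = k*M + (65537**a mod M), where M
# is a product of the first n primes. N = p*q therefore satisfies
# N mod r in <65537> (the subgroup generated by 65537) for every prime r | M.
GENERATOR = 65537

def first_primes(count):
    """Return the first `count` primes by trial division."""
    primes, candidate = [], 2
    while len(primes) < count:
        if all(candidate % p for p in primes):
            primes.append(candidate)
        candidate += 1
    return primes

# The shortest M (512-bit keys) is the product of the first 39 primes; the
# longer M used for 2048-bit keys contains all of them as well.
SMALL_PRIMES = first_primes(39)

def subgroup(generator, prime):
    """Residues reachable as generator**i mod prime."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * generator) % prime
    return seen

ALLOWED = {r: subgroup(GENERATOR, r) for r in SMALL_PRIMES}

def has_roca_fingerprint(modulus):
    """True if every small-prime residue of the modulus fits the pattern."""
    return all(modulus % r in ALLOWED[r] for r in SMALL_PRIMES)

def constructed_samples():
    """Constructed values, not real keys; the factors need not be prime."""
    m = 1
    for r in SMALL_PRIMES:
        m *= r
    p_like = 12345 * m + pow(GENERATOR, 1001, m)
    q_like = 67891 * m + pow(GENERATOR, 2002, m)
    unstructured = (2**127 - 1) * (2**89 - 1)  # two Mersenne primes
    return p_like * q_like, unstructured
```

The modulus of a certificate can be printed with `openssl x509 -noout -modulus -in cert.pem` (file name is a placeholder) and passed in as `int(hex_string, 16)`. A match means the key should be treated as affected and replaced; false positives on properly generated keys are very rare.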
The Identity Documents Act was amended declaring the provider of certification services a vital service provider:
(31) The provider of certification service that enables digital identification and digital signing with the certificate which is entered in the documents issued on the basis of this Act is the provider of vital service specified in clause 36 (1) 8) of the Emergency Act.
[RT I, 03.03.2017, 1 – entry into force 01.07.2017]
In practice, at least currently the new status does not introduce significant new requirements, since for SK as a qualified trust service provider the operational requirements set by law were quite high anyway.
The Police and Border Guard (PPA) have a new online portal where citizens can apply for ID cards based on previously issued identification. Beyond their existing ID cards, people could also log in using their Mobile ID or Internet bank, which is good news for Apple users, as the state’s systems typically don’t work to the full extent for anyone coming in using Apple devices. That people could use their bank to log in meant that also those could apply for a new ID whose existing one had already lost its validity, Abram added.
The solution is likely to be very welcome, as PPA has limited the number of offices where people can apply for documents to just a handful of service centers, and queues have been a constant problem. There are plans to extend the portal’s services to include passport applications as well as other processes that are currently limited to PPA’s service centers, and to include all residents of Estonia that have a personal identification code (isikukood).
The law was changed to remove the requirement for the application to be digitally signed:
§ 5. Electronic filing of application
(1) Upon submission of an application electronically, the documents specified in the Regulation shall be attached to the application electronically.
(2) An electronically filed application shall be signed digitally or submitted uniquely via an electronic channel that allows verification of identity.
(3) If an application is submitted via an electronic channel specified in paragraph 2, the applicant shall, upon issuing his identity document, confirm with the signature that the data and documents submitted by him in the application are correct.
The Police and Border Guard Board (PPA) and French company Oberthur Technologies signed an agreement on Thursday for the production of Estonia’s ID cards, permanent resident cards, digital IDs and diplomatic IDs after the current manufacturer agreement expires at the end of 2018.
Oberthur Technologies will be responsible for the manufacture of the card and chip as well as linking the document to personal data. It will also be responsible for the functioning of the card. The French company will manufacture and personalize the cards in Estonia.
The value of the five-year contract is approximately €40 million. Under the new agreement, the expenses of the PPA for the manufacture of the ID card will remain at the present level.
A tender committee, which in addition to PPA experts included experts from the Estonian Information System Authority, the Ministry of the Interior and the ministry’s IT and Development Centre, chose the offer by Oberthur from among three different offers.
This was already the second tender. In the first tender Safran Morpho was chosen as the winner. The results of the first tender were appealed by two other participants – Oberthur Technologies and Gemalto/Trüb AG. The result of the appeal was that the current contract with Trub AG was prolonged for one more year.
In a public procurement tender of the Estonian Police and Border Guard Board three renowned European ID producers submitted their offers. The tender committee chose the offer of Safran Morpho as the winner, the Police and Border Guard Board said.
The German company Trub AG, which last year was acquired by Gemalto, has been manufacturing ID cards for Estonia since 2001.
It is notable that this is the first tender in the last 15 years where PPA decided to make participation in the tender available to a wider range of companies. Previous contract extensions with Trub AG were justified by “potential security risk avoidance reasons”.
Update: Gemalto and Safran Morpho appealed in court the results of the tender.
The Ministry of Foreign Affairs on Friday acquainted heads of the representations of foreign countries and international organizations with a new diplomatic ID which will provide employees with a digital identity giving them access to Estonian e-services, spokespeople for the ministry said.
“It’s unique in the EU and hopefully will encourage other countries to make more rapid progress in e-Europe development,” said the minister.
Digital diplomatic IDs will enable both the physical and electronic identification of an individual as well as provide access to Estonian e-services. Users will receive an Estonian personal identification number that will make it easier for employees of foreign diplomatic representations to handle official business in Estonia.
This is a new type of identity document. It will probably contain the same data as the ID card, but will look a bit different and will be issued to a specific group of people.