Category Archives: Electronic Identity

Document counterfeiting case “Maarika” comes to court

Harju County Court on Thursday accepted plea bargains reached between the Office of the Prosecutor General and those charged in connection with a criminal organization found to be illegally issuing official documents and will make a decision regarding their confirmation in early February.

This is what happened in 2015:

Estonian police has detained 12 people, including four Police and Border Guard (PPA) employees, in what is believed to be the biggest scam the country has seen for years. The suspects allegedly issued official documents that need state approval, such as language test certificates, living permits, papers needed to receive Estonian citizenship, and medical certificates. The scam involved forgery, entering false information and accomplices who used fake identity.

PPA employees were abusing state databases and ignoring suspicious applications:

Four Police and Border Guard employees, who are now bribery suspects, are believed to have been involved in the process of issuing the forged documents, but were not organizers of the scam. They released confidential information, knowingly accepted application forms with false information and issued official documents in return for bribes. Two are specialists and two are customer servants.

This is how the scam got discovered:

Nobody would have ever noticed, if not for the personnel changes at PPA last year. As a result of this, a new person ended up working with follow-up check of citizenship applications, to whom lots of cases seemed an anomaly. People with positive responses to applications looked like they had nothing to do with Estonia whatsoever. As the cases were dozens, the official told internal audit.

The scam was organized by 65-year-old woman calling herself Maarika. Most “clients” who received counterfeit documents were pardoned as exchange from criminal charges. We can see here that if the base identity is not sufficiently protected, no eID system, however well designed, can help.

Links:
http://news.err.ee/v/news/politics/society/77509022-4164-4fb2-81ec-5dab57316f13/enormous-document-factory-scam-exposed
http://news.postimees.ee/3379293/passport-mafia-led-by-babushka
http://news.err.ee/v/news/927817f2-8c7c-435b-a9d9-bde9dc48d934/court-accepts-plea-bargains-in-large-scale-document-counterfeiting-case
http://news.postimees.ee/3996169/members-of-the-passport-mafia-stand-trial

Ahto Truu presentation “Next-gen Key Infrastructure with Smart-ID”

XII. Tartu Software Development Guild Meeting, Friday, January 13, 2016, 18.00 – 20.00, Turu 2 (Tasku), 5th Floor, SaleMove Office

Presenter: Ahto Truu (Software Architect at Guardtime)
Title: Next-gen Key Infrastructure with Smart-ID
Abstract: With more and more people using smartphones and tablets as their computing devices of choice, and with the upcoming migration away from physical SIM cards, a question arises: what will replace the ID-cards and mobile-ID SIM cards as the carriers of the private keys for Estonian national digital signature infrastructure? In this talk we will look at the Smart-ID solution recently jointly proposed by Sertifitseerimiskeskus and Cybernetica. There will be quite a bit of math in the talk, but we will start with a crash course of the basics of the current systems for those who either missed it in school or have since forgotten the details.

About Ahto
During his three decades in ICT, Ahto has worked in hardware installations and user support, as a software developer and architect, and as a systems analyst. Currently he is busy helping Guardtime’s customers preserve the integrity of their important data. Outside his day job he coaches Estonia’s team to the high school students’ programming competitions. He has also been writing programming columns for the popular science magazines A&A and Horisont.

Seems that Ahto plans to describe the underlying details of key generation in the Smart-ID solution.

Links:
https://www.facebook.com/events/225528061227851/

SK introduced new eID solution Smart-ID

SK introduced its new electronic identity solution Smart-ID, which works on all the most popular smart devices, is not dependent on a SIM card and is usable all around the world.

Using Smart-ID is easy: the user downloads the Smart-ID app from the Google Play or App Store. To use Smart-ID, the user can be identified via ID-card or Mobile-ID. Just like with the ID-card and Mobile-ID, PIN1 and PIN2 codes are required to use Smart-ID. The user creates both in the app. In developing Smart-ID, a lot of emphasis has been placed on ease of use.

Basically, the Mobile-ID functionality has been implemented in mobile app. The private key sharing between the server and mobile device is pretty neat way how to achieve the same security level as in Mobile-ID, where private key is stored in SIM card.

However, we cannot expect Smart-ID to replace Mobile-ID anytime soon, since the solution have not been certified yet as a qualified electronic signature creation device.

Links:
https://sk.ee/en/News/sk-introduced-the-new-e-identity-solution-smart-id/
https://sk.ee/upload/files/8_SK%20uus%20eID%20lahendus_Urmo%20Keskel_AK2016.pdf

Privacy concerns over fingerprint collecting from e-residents

Biometric data of all individuals who have applied for or own Estonian identity cards, irrespective of whether they are national identity documents or digital identity documents meant exclusively for e-identification, are stored in digital database, archived and retained for 50 years (in case of e-residency, this is done to avoid conferring duplicate identities to one person).

From the perspective of e-residents, this is immaterial — the digital identity documents issued do not serve as travel documents, as has been established above. Nevertheless, due to the fact that under the Estonian Identity Documents Act the term “digital identity card” denotes both the e-IDs of nationals as well as e-residents’ e-ID cards, the requirement of biometric identifiers also applies to both.

Drawing on the aforementioned, the authors of the given chapter claim that the failure to differentiate between the two types of documents leads to unnecessary collection of biometric data that is in contradiction with the Data Protection Directive Article 6 principles of purpose and proportionality.

Biometrics as security technology cannot be “thrown in” for good measure, as Estonia seems to have done, without proper analysis of risks for the protection of fundamental rights and freedoms, not considering whether the purpose to be achieved could not be achieved by less intrusive means.

The practice is indeed questionable, since in case EU citizen applies for Estonian residency, the objective of “avoiding conferring duplicate identities to one person” is achieved by less intrusive means without fingerprints being collected.

Links:
http://link.springer.com/chapter/10.1007%2F978-3-319-26896-5_4

60 percent of Swedbank’s customers use password card for online banking

Swedbank_password_card

Nearly 60 percent of Swedbank’s private customers use password cards for online banking. This is in 2016, when already for several years there are much more comfortable and safer identification tools available, which do not involve the EUR 200 transaction limit.

By studying the reasons, it appears that people are not willing to change their habits. Password cards are familiar to them, they are used to them for a long time, they know exactly where the password card is located and know how to use it. They do not need to use it to learn something new.

One of the barrier also highlights the lack of trust in relation to the new authentication. People do not trust the things that they actually do not get to keep. They are not willing to go along with the changes quickly. Many assert that the EUR 200 payment limit does not hinder them.

Links:
http://kasulik.delfi.ee/news/uudised/e-riigi-hammastavad-numbrid-eesti-pangakliendid-kasutavad-ammu-iganenud-lahendust?id=73795383

ID card or Mobile-ID required to post comments on ERR

err_comment_auth

In the Estonian and Russian language versions of Estonian public broadcasting portal Err.ee comments will be allowed only after identification with ID card or Mobile-ID.

Err.ee reported that for a wider audience commentators still remain anonymous and can use nicknames. However, their identification data – name and personal identity number – if necessary, will be available only to the chief editor, but not other media staff or readers. As explained ERR, user identification will allow if necessary to contact the commentators, for example, to find out further information.

Changes do not affect the English version of ERR.ee, because its users are mainly foreigners.

Links:
http://uudised.err.ee/v/eesti/d631cdc9-8393-4fc1-8fd7-96f5260c7d41/

Hundred thousand ID card certificates issued with invalid public key encoding

ESTEID_RSA_negative_modulus

From the Chrome bug report:

Estonian IDs issued between September 2014 to September 2015 are broken and use negative moduli.

Not content with signing negative RSA moduli, still other Estonian IDs have too many leading zeros.

In Estonia there are 100 000+ such ID-cards and without any change with chrome 46 those card owners could not use chrome any more for every day usage.

ASN.1 DER encoding specifies that positive integer [having msb of MSB set] has to be encoded with 0-byte prefix. However, the certificates in question omit 0-byte prefix for RSA public key modulus and therefore standards complying Chrome DER decoder interprets public key value as an [invalid] negative integer.

Google developer hints that SK’s recently passed annual audit falsely attests that SK operations confirm to the standards:

It would seem each of these certificates fails to conform to the ETSI TS 102 042 policies (for which sk.ee was audited), which would invalidate them for use as QCP-SSD/QCP/NCP, nor would they conform to the sk.ee CPS in force at this time. If so, wouldn’t all of these certificates need to be revoked, per sk.ee’s CPS?

First SK asked for a “temporary” workaround, later committing to recall the ID cards in question in the next 6 months:

Is there possible to make temporary (for 5 years) workaround for such cards in chrome 46 and beyond?

AFAIK, no more certificates with incorrect encoding are being generated and the renewal of the issued ones is being planned. It shall require time, less than 5 years but obviously not a month or two, due to the sheer number of the cards out there.
6 months seems like a realistic target.

Translation of Postimees article:

Due to a software failure by Estonian ID card software vendor AS Sertifitseerimiskeskus about 250 000 ID cards have an error that may in the future cause its usage problem. ID cards with software faulty certificates were issued for one year since September 2014 and if error is not fixed in the following six month, then people will not be able to authenticate themselves anymore in the future versions of the world’s second most popular web browser Google Chrome.

“This is certainly non-compliance with standards on our side. We let error through in our software development. Reason, why this error went through and was permanent is that no browser had discovered it until now and our ID card so far works with them excellent” head of SK Kalev Pihl explains to Postimees. The thing come to light when Google made a big software update which controls subtlety, what no other software have done so far. “It came out that some certificates on Estonian ID cards do not conform to requirements,” says Kalev Pihl, who says that the error came out during the beta-testing of the new browser software.

Pihl confirms that SK agreed with Google for a half year long transition period. Result is that Chrome will not add the new software at the moment and people can use this browser for authentication with no problem. “That half a year of development time should be really enough in order to provide to a person a solution where he/she can renew ID card certificates behind the computer with one button press,” adds Pihl. “Usually during our testing we discover bugs introduced by browser developers, this time they discovered error on our side,” summarized Pihl.

RIA plans a remote update feature for Estonian ID cards / e-residency cards:

The functionality, prompting card owners to update the certificates online, has once been part of the Estonian ID card software suite and will now be re-implemented. The procedure of initiating the remote update procedure on the certificates is to be implemented in a way that is both easy to use and secure. Veinthal said the security and risk of the new functionality were to be analysed before implementation. “The eID framework has to be aware that interoperation glitches are becoming more frequent in the world of technology, increasing the necessity to create fast and convenient solutions,” commented Veinthal.

Links:
https://code.google.com/p/chromium/issues/detail?id=532048
https://code.google.com/p/chromium/issues/detail?id=534766
http://tehnika.postimees.ee/3342861/eestis-on-kaibel-sadu-tuhandeid-tarkvaraveaga-id-kaarte
http://news.err.ee/v/scitech/d95562b3-2d28-4d1c-bfce-487a6420caa5/250000-estonian-id-cards-could-be-faulty
https://blog.ria.ee/probleem-nr-532048/
http://news.postimees.ee/3348383/all-e-residents-got-faulty-cards
https://www.ria.ee/ria-plans-a-remote-update-for-estonian-id-cards/
http://news.err.ee/v/scitech/e6f4c240-b0f4-4543-a9fe-fa83a2101f10/id-card-bug-could-damage-estonias-it-image

Four thousand ID card certificates issued with duplicate email addresses

idcard

Upon manufacturing the ID card, residence card, Mobile-ID and Digi-ID certificate, email address in the form of name.surname@eesti.ee will be generated. In the case of namesakes, the software compares the email address to the previously used addresses and next people with the same name will get an email address in the following form: name.surname.1@eesti.ee, name.surname.2@eesti.ee etc., depending on how many people there are with the same name.

Due to the software error, duplicate email addresses were created for namesakes, these addresses were also inserted to the certificates of identity documents. We have fixed the error and we can assure that such a situation will not reoccur in the future,” explained Kalev Pihl, the Member of the Board of the Certification Centre. Altogether 40 000 ID and residence cards were issued in June and July, 4120 of them were with duplicate email addresses.

Email address name.surname@eesti.ee is an alias to personalidentificationcode@eesti.ee, which is unique. For sending information, state authorities use the email address personalidentificationcode@eesti.ee.

After the software error was detected, the State Portal suspended the email forwarding right of all of these persons, who had received a duplicate email address with their certificates. These persons can start using their eesti.ee email address only after the renewal of the certificates.

Links:
https://www.politsei.ee/en/uudised/uudis.dot?id=471347

SEB Estonia Internet bank ID card authentication bypass

SEB_Estonia_authentication_bypass

The flaw in SEB Estonia Internet bank allows to login just by knowing the victim’s username. The consequences of the flaw go beyond the read-only access to victim’s transaction history. The victim can be impersonated in any website that supports authentication through SEB (eesti.ee, mnt.ee, tele2.ee, etc.). The flaw can be abused to buy goods from online merchants (as shown in the video) since SEB does not require signature authorization for “banklink” transactions.

Timeline:
2015.05.11. 13:00 – reported to CERT-EE
2015.05.14. 12:00 – fixed by SEB Estonia

The time that was required for SEB to fix such a critical flaw surprises a bit.

SEB’s response:

SEB spokesman commented that “referred security issue existed in so-called laboratory conditions meaning that it needed several conditions to coincide and a specific knowledge”.

“Security issue got fixed and we also checked that the flaw was not maliciously exploited” said SEB’s spokesman and added that the problem got fixed faster than in an hour, after all the needed information was received.

Anto_Veldre_RIA_SEB_turvaauk

Anto Veldre (RIA): It is better that ethical people with academic degree are looking for security holes than cyber criminals doing it. People should understand that new technology is complicated, systems at home and servers need to have updates everyday there is no such a thing like secure system (security) but there are people and control methods, if there is a problem it will be handled and afterwards logs are checked if something really happened.

Silver_Vohu_SEB_turvaauk

Silver Vohu (SEB): It took less than an hour to make a fix. But reproducing the situation took most of the days and asking additional questions from CERT-EE was needed. In normal situation it was impossible to reproduce the problem.

Links:
https://www.youtube.com/watch?v=rRB8jZnS5nY
http://forte.delfi.ee/news/tarkvara/tosine-turvaauk-seb-internetipanka-sai-sisse-ainuuksi-kasutajanimega?id=72291205
http://tehnika.postimees.ee/3306453/seb-internetipangas-oli-tosine-turvaauk-sisenemiseks-piisas-vaid-kasutajanimest
http://seitsmesed.ee/eesti/uudis/2015/08/26/tosine-turvaauk-seb-internetipanka-sai-sisse-vaid-kasutajanimega/
http://www.tv3play.ee/sisu/seitsmesed-uudised-2015/648229

Cybersecurity related bachelor’s and master’s theses in University of Tartu 2014/2015

university_of_tartu_logo

An Empirical Comparison of Approaches for Security Requirements Elicitation
Abstract: Security Quality Requirements Engineering (SQUARE) and Security Requirements Elicitation from Business Processes (SREBP). This thesis compares the two methods based on an empirical case study of the Estonian Football Association. The elicited security requirements are categorized and the completeness of their coverage is compared.
Student: Karl Kolk
Curriculum: Cyber Security (MSc)
Supervisor: Raimundas Matulevicius
Reviewer: Fredrik Payman Milani
Defense: 26.02.2015

The Analysis and Design of a Privacy-Preserving Survey System
Abstract: This master’s thesis describes the design and business processes of the prototype of a secure survey system using secure multi-party computation. The design of the system is also described in this paper and is illustrated with a deployment model.
Student: Meril Vaht
Curriculum: Cyber Security (MSc)
Supervisor: Dan Bogdanov
Reviewer: Raimundas Matulevicius
Defense: 04.06.2015, 09:00, Liivi 2-405

Pattern Based Security Requirement Derivation with Security Risk-aware Secure Tropos
Abstract: In this master thesis we investigate the integration of a pattern based security requirement elicitation process in the goal-oriented IS development. By performing this integration we aim at providing a process that enables the elicitation of security requirements from Security Risk-aware Secure Tropos (RAST) models. The contribution of this thesis are five Security Risk-aware Patterns expressed using RAST.
Student: Atilio Rrenja
Curriculum: Software Engineering (MSc)
Supervisor: Raimundas Matulevicius
Reviewer: Peep Küngas
Defense: 04.06.2015, 09:00, Liivi 2-405.

Comparing Security Risk-oriented Modelling Languages to Manage Social Engineering Risks
Abstract: The paper applies structured approach in identification of one security risk management standard that can be applied with different modelling languages. For a more in-depth analysis in this paper considered several modelling languages as BPMN, Secure Tropos and Misuse case.
Student: Sarbar Tursunova
Curriculum: Cyber Security (MSc)
Supervisor: Raimundas Matulevicius
Defense: 04.06.2015, 09:00, Liivi 2-405.
Reviewer: Olga Altuhhova

Analysis and Mitigation of Recent Attacks on Mobile Communication Backend
Abstract: This thesis presents a broad and thorough overview and analysis of the known attacks against mobile network signaling protocols and the possible mitigation strategies. The attacks are presented in a uniform way, in relation to the mobile network protocol standards and signaling scenarios. Moreover, this thesis also presents a new attack that enables a malicious party with access to the signaling network to remove lost or stolen phones from the blacklist that is intended to prevent their use.
Student: Siddharth Prakash Rao
Curriculum: NordSecMob (MSc)
Supervisor: Tuomas Aura
Supervisor: Dominique Unruh
Supervisor: Silke Holtmanns
Supervisor: Ian Oliver
Reviewer: Arnis Paršovs
Defense: 09.06.2015, 09:00, Liivi 2-405.

Entropy Based Robust Watermarking Algorithm
Abstract: In this work, multiple robust watermarking algorithms are introduced. They embed watermark image into singular values of host image’s blocks with low entropy values. The quantitative and qualitative experimental results are indicating that the proposed algorithms are imperceptible and robust against many signal processing attacks.
Student: Lauri Laur
Curriculum: Software Engineering (MSc)
Supervisor: Gholamreza Anbarjafari
Supervisor: Mary Agoyi
Reviewer: Kaveh Khoshkhah
Defense: 09.06.2015, 09:00, Liivi 2-405.

NFC Security Solution for Web Applications
Abstract: This thesis compares existing and possible security solutions for web applications, analyses NFC compatibility for security solutions and proposes a new NFC authentication and signing solution using Google Cloud Messaging service and NFC Java Card. This new proposed solution enables authentication and signing via NFC enabled mobile phone and NFC Java Card without any additional readers or efforts to be made.
Student: Jonas Kiiver
Curriculum: Software Engineering (MSc)
Supervisor: Eero Vainikko
Reviewer: Meelis Roos
Defense: 09.06.2015, 09:00, Liivi 2-404.

Applying Estonian Internet Voting Individual Verification System to Other Electoral Systems
The current paper gives an overview of the Estonian internet voting individual verification system and introduces different ballot styles. It proposes and describes modifications to the Estonian system, so it could be used for individual verification with the introduced ballot styles and multiple elections.
Student: Joonas Lõmps
Curriculum: Informatics (BSc)
Supervisor: Sven Heiberg
Reviewer: Arnis Paršovs
Defense: 12.06.2015, 09:00, Liivi 2-404

Secure Bitcoin Wallet
This report outlines various methods and solutions targeting security concerns and aims to understand their effectiveness. It also describes Secure Bitcoin Wallet, standard Bitcoin transactions client, enhanced with various security features and services.
Student: Sevil Guler
Curriculum: NordSecMob (MSc)
Supervisor: Sead Muftic, Vitaly Skachek
Reviewer: Arnis Paršovs
Defense: 27.08.2015

Links:
http://comserv.cs.ut.ee/forms/ati_report/index.php?language=en
http://www.cs.ut.ee/en/msc/theses/deadlines