Category Archives: Electronic Identity

Concerns about European Commission’s plans to backdoor Estonian ID card

The European Commission presented a new plan for internal security, driven by the concern that powerful encryption is helpful to crime and terrorism. The initiative will not leave Estonia untouched, since the ID card currently provides the ability to encrypt communications.

Prime Minister Taavi Rõivas announced that Estonia should not give in to pressure by allowing a backdoor to be created in the ID card. Taavi Rõivas confirmed to Eesti Päevaleht and Delfi that cybersecurity and data confidentiality are fundamentally important.

He added that law enforcement authorities will have to find other ways to control crime: “Estonia is of the view that the fight against crime will have to find other means and not at the expense of ID card security”.

While the ID card software package includes a utility that can be used to encrypt files, the average Estonian does not use the ID card to encrypt communications, but merely uses it as an authentication tool. Unless this changes significantly, the encryption ability provided by the ID card will not be of significant interest to law enforcement authorities.

Even today, if a law enforcement authority wanted to decrypt files encrypted with an ID card, it could use an official feature built into the ID card that lets the ID card manufacturer reset the PIN code and gain authorization for private key operations (i.e., decryption).

Anto Veldre: It is not very likely that some criminal would like to go to the migration authority, give biometrics to the government and start to encrypt. Isn’t there any easier way to do it? The Western world does not like that terrorists can send encrypted emails.
Interviewer: Is the Estonian ID card in danger against the background of Europol requirements/thoughts?
Anto Veldre: I don’t think so. Estonian representatives in the EU can handle this problem on a political level (show the danger and people’s trust in the current system). The police have their own techniques and they can handle their work.

Links:
http://epl.delfi.ee/news/eesti/politseile-oigus-id-kaardi-koodi-murda-euroopas-tahetakse-krupteerimisele-ametlikke-tagauksi?id=71438223
http://epl.delfi.ee/news/eesti/roivas-id-kaarti-kompromiteerida-ei-tohi-kuritegevusega-voitlemiseks-tuleb-leida-teised-viisid?id=71443761
http://etv.err.ee/v/meelelahutus/terevisioon/saated/4d030bd7-c496-476c-9f21-551007d89c06 (39:32 – 46:43)
http://uus.minut.ee/tagauksed-kruptos-ja-id-kaart/

SignWise Chrome plugin leaks ID card certificate to arbitrary web sites

If you have installed the SignWise plugin (available for Windows and OS X, up to at least version 1.10) on your computer, be aware of the privacy implications. The SignWise Chrome extension forwards the end-user certificate of the inserted eID smart card to any website, without any user interaction and in plain text!

A malicious web site has to embed only a few lines of JavaScript code to collect certificate information from its visitors:

var s = new SignWiseChromePlugin();
s.getAuthenticationCertificate(function(v, e) {…

A similar flaw was observed in 2010 in the official EstEID browser plugin. We will see how long it takes SignWise to fix this one.
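
An added example (not SignWise's code, and not from the original post) of the check that was missing: a bridge between web pages and the card should release the certificate only to an HTTPS origin the user has explicitly approved. The class, the function names and the placeholder certificate are hypothetical.

```javascript
// Added example: hypothetical model of a browser-to-smart-card bridge.
// No name here comes from SignWise; the certificate is a constructed placeholder.
const CARD_CERT =
  "-----BEGIN CERTIFICATE-----(constructed placeholder)-----END CERTIFICATE-----";

// Behaviour described in the post: every page that asks gets the certificate.
function leakyGetCertificate(_origin) {
  return { ok: true, cert: CARD_CERT };
}

// Hardened bridge: release is bound to the requesting origin and to an
// explicit user decision made for that origin.
class CertificateBridge {
  constructor(promptUser) {
    this.promptUser = promptUser; // (origin) => boolean, models a native consent dialog
    this.decisions = new Map();   // origin -> boolean, remembered for this session
  }

  getCertificate(origin) {
    let url;
    try {
      url = new URL(origin);
    } catch {
      return { ok: false, reason: "bad-origin" };
    }
    // A certificate that identifies its holder is never sent to a plain-HTTP page.
    if (url.protocol !== "https:") {
      return { ok: false, reason: "insecure-origin" };
    }
    const key = url.origin; // normalised: lower-case host, default port dropped
    if (!this.decisions.has(key)) {
      // Ask once per origin; anything other than an explicit "true" is a refusal.
      this.decisions.set(key, this.promptUser(key) === true);
    }
    return this.decisions.get(key)
      ? { ok: true, cert: CARD_CERT }
      : { ok: false, reason: "user-declined" };
  }
}
```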

Update from the SignWise Team:

SignWise is happy that our software and services are used by the experts who value the high level security. We are sorry that our provided software had such a problem as described in your post. As of today (12.03.2015) we are happy to inform that your described problem is solved and user information is not shared anymore as described in your post. Our products: SignWise Services (https://www.signwise.org) and SignWise Portal (https://portal.signwise.org) have been built following highest standards of security and strict confidentiality in mind and following the business and security requirements and demands to e-sign high-value electronic documents both in-country and cross borders.

Links:
http://martinpaljak.net/sign/swhack.html
http://id.anttix.org/leak/leak.html

Attacks against Gemalto do not endanger the security of Mobile-ID

Gemalto, which is the largest manufacturer of SIM cards in the world, launched an internal investigation after The Intercept six days ago revealed that the NSA and its British counterpart GCHQ hacked the company and cyberstalked its employees. In the secret documents, provided by NSA whistleblower Edward Snowden, the intelligence agencies described a successful effort to obtain secret encryption keys used to protect hundreds of millions of mobile devices across the globe.

Some mobile operators in Estonia use Mobile-ID SIM cards supplied by Gemalto. Here is the Estonian Certification Centre's response:

Attacks against Dutch SIM card manufacturer Gemalto, which became public yesterday, do not endanger Mobile-IDs. AS SK (Certification Centre) confirmed that the attacks against the world’s largest SIM card manufacturer Gemalto do not threaten the security of Estonian Mobile-ID.

“We analyzed the information available to us about the attack and verified that the Mobile-ID security is not affected, Mobile-ID is still secure, and users do not need to make adjustments to their normal behavior in any way,” said the head of the Certification Center Kalev Pihl.

Gemalto has released a public report in which the company tries to downplay the significance of the NSA and GCHQ hack. But that is understandable:

The company was eager to address the claims that its systems and encryption keys had been massively compromised. At one point in stock trading after publication of the report, Gemalto suffered a half billion dollar hit to its market capitalization. The stock only partially recovered in the following days.

Fortunately, exploiting the stolen symmetric keys requires the attacker to be in close proximity to the victim’s mobile phone and to perform an active MITM attack at the moment when the victim performs a Mobile-ID transaction.

Update about Estonian mobile network operators’ use of Gemalto SIM cards:

Estonian National Electoral Commission’s e-voting commission’s deputy chairwoman Epp Maaten said that among Estonian mobile operators, only EMT uses SIM cards issued by Gemalto, but only as pre-paid call cards and Gemalto is not the only vendor of the cards.

Links:
https://theintercept.com/2015/02/25/gemalto-doesnt-know-doesnt-know/
https://sk.ee/uudised/runnakud-gemalto-vastu-ei-ohusta-mobiil-id-turvalisust/
http://democracychronicles.com/estonian-internet-voting-safety/

Estonian ID card users detected Lenovo’s malware months ago

Lenovo’s been caught going a bit too far in its quest for bloatware money, and the results have put its users at risk. The company has been preloading Superfish, a “visual search” tool that includes adware that fakes the encryption certificates for every HTTPS-protected site you visit, on its PCs since at least the middle of 2014. Essentially, the software conducts a man-in-the-middle attack to fill the websites you visit with ads, and leaves you vulnerable to hackers in its wake.

While the rest of the world is just starting to talk about Lenovo’s malware, it turns out that Estonians detected it already at the beginning of 2015. This is due to the TLS client certificate authentication used by the Estonian ID card, which has protection against this kind of MITM attack.

Congratulations to Estonian ID card!
Unfortunately, Mobile-ID users are not protected against these MITM attacks.
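
Why TLS client certificate authentication exposes this kind of interception, as an added example that is not part of the original post: the card signs the handshake transcript, which includes the server certificate the client saw, so a signature made on the intercepted leg does not verify on the server's leg. The transcript layout, names and keys below are simplified, constructed stand-ins for the real TLS messages.

```javascript
// Added example: simplified model of the TLS client-certificate signature.
// Keys and "certificates" are constructed stand-ins, not real eID material.
const nodeCrypto = require("crypto");

const card = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
const interceptor = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });

// Real TLS hashes every handshake message; three fields are enough to show the binding.
function transcript(clientRandom, serverRandom, serverCert) {
  return Buffer.from(JSON.stringify(["handshake", clientRandom, serverRandom, serverCert]));
}

// The private key never leaves the card; it only signs the transcript the client saw.
function cardSign(seenByClient) {
  return nodeCrypto.sign("sha256", seenByClient, card.privateKey);
}

// The server verifies the signature over ITS view of the handshake,
// using the public key from the client's certificate.
function serverAccepts(seenByServer, signature) {
  return nodeCrypto.verify("sha256", seenByServer, card.publicKey, signature);
}

function directConnection() {
  const t = transcript("c1", "s1", "CERT:real-site");
  return serverAccepts(t, cardSign(t));
}

// Interception proxy relays the card's signature to the real server.
function interceptedRelay() {
  const clientLeg = transcript("c1", "m1", "CERT:forged-by-proxy");
  const serverLeg = transcript("m2", "s1", "CERT:real-site");
  return serverAccepts(serverLeg, cardSign(clientLeg));
}

// Interception proxy signs the server-side transcript with its own key instead.
function interceptedResign() {
  const serverLeg = transcript("m2", "s1", "CERT:real-site");
  const sig = nodeCrypto.sign("sha256", serverLeg, interceptor.privateKey);
  return serverAccepts(serverLeg, sig);
}
```

Both intercepted cases fail at the server, so the login breaks instead of silently succeeding through the proxy.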

Links:
http://id.ee/index.php?id=37045
http://www.pcworld.com/article/2886278/how-to-remove-the-dangerous-superfish-adware-presintalled-on-lenovo-pcs.html

Workshop about smart card programming in Tartu hackerspace

On 20 January 2015 at 16:00 at Tartu Hackerspace there will be a workshop (in Estonian) about JavaCard development, with a focus on EstEID and open eID software.

Introduction of smart card programming, a practical example.

  • Programmable smart cards (JavaCard) – what, why, how and from where
  • JavaCard development lifecycle overview
  • Related technologies, standards (from ISO 7816-3 to PKCS#11)
  • Open-source development tools in the development process: javacard.pro
  • Hands on! Estonian ID-card “clone” in your computer!

EUR 30 participation fee (for the white plastic). Required skills: finding your way around the Linux command line, average-level Java programming, and the ability to distinguish hashing from encryption.

Registration: martin@martinpaljak.net

Links:
http://javacard.pro/#news
https://hackest.org/syndmused:2015-01-20-platskaart-vol2

Estonian Banking Association publishes new technical specification for Banklink

Press release, 09.10.2014: Banks will raise the security of the banklink service

Estonian Banking Association managing director Katrin Talihärm said the most important changes concern comfort and security. “Merchants now have a much easier way to set up e-services. In the past banks used a variety of solutions. Now you can use the banklink service to accept payments from customers with similar technical solutions,” explained Talihärm. According to her, the banklink service has been made even more secure, since the widely implemented digital signatures make it possible to determine whether the customer authenticated with an ID card, Mobile-ID, PIN calculator or code card. The new service also allows merchants to use IBAN-format account numbers.

During the transition period, which lasts until the end of 2015, banks will support both the old and the new banklink protocol format.

The renewed specification is supposed to fix protocol level security flaws discovered previously.

Links:
http://pangaliit.ee/et/uudised-list/356-pressiteade-pangad-tostavad-pangalingi-teenuse-turvalisust
http://math.ut.ee/~arnis/bankauth/