Tag Archives: Kalev Pihl

SK Annual Conference 2017

E-identity event SK Annual Conference 2017 will take place on November 2, 2017, Baltic Station old waiting area (Toompuiestee 37, Tallinn).

09:00-09:30 Registration and morning coffee
09:30-10:30 Overview of SK 2017, Kalev Pihl, SK
10:30-11:00 Smart-ID: fast start and future plans, Kaido Irval and Georg Nikolajevski, SK
11:00-11:15 Cofee Break
11:15-11:45 The future of authentication in SEB. When will the code cards disappear? Ragnar Toomla, SEB
11:45-12:15 DeepScan, Lauri Ilison, Nortal
12:15-13:00 Lunch
13:00-14:00 Keynote: The Future of Technology Through the Mind of a Hacker, Pablos Holman
14:00-14:45 Panel discussion, Pablos Holman and Taavi Kotka
14:45-15:00 Cofee Break
15:00-15:30 RSA (implementations) attack history and lessons, Arne Ansper, Cybernetica
15:30-16:00 eID year in retrospect, Anto Veldre, RIA
16:10-16:40 Round of question and answers
16:40-17:00 Summary of the day by digital world enthusiasts
17:00-18:00 Evening snack

Registration till October 20.


ETV “Suud Puhtaks” debate on internet voting security

Is the cyber security in Estonia ensured? Why the government wants to change the period of i-voting and what signal with that we send to the world? Talk show host Urmas Vaino helps to set things straight.

Indrek Saar, Minister of Culture, Social Democratic Party
Jaanus Karilaid, Member of Parliament, Center Party
Priidu Pärna, Member of Tallinn City Council, Pro Patria and Res Publica Union
Anto Veldre, RIA analytic
Kristjan Vassil, UT senior researcher
Märt Põder, organizer of journalism hackathon
Arti Zirk, TUT IT faculty student
Tarvi Martens, Electoral Committee, Head of Internet Voting
Kristen Michal, Member of Parliament, Reform Party
Mihkel Slovak, UT senior researcher
Henrik Roonemaa, Geenius.ee editor
Erki Savisaar, Member of Parliament, Center Party
Andres Kutt, RIA, IT architect
Sven Heiberg, Cybernetica AS, Project Manager of Internet Voting System
Jaak Madison, Member of Parliament, Conservative People’s Party
Jaanus Ojangu, Chairman of Free Party
Agu Kivimägi, Stallion cyber security consultant
Jaan Priisalu, TUT researcher
Silver Meikar, Adviser to Minister of Culture
Kalev Pihl, SK ID Solutions, Board Member
Oskar Gross, Head of Cyber Crime Unit of Central Criminal Police
Klaid Mägi, RIA, Head of the department for handling incidents (CERT-EE)
Heiki Kübbar, Founder of ICEfire OÜ
Birgy Lorenz, Board Member of Network of Estonian Teachers of Informatics and Computer Science
Andres Kahar, KAPO Bureau Manager
Sven Sakkov, Director of NATO Cooperative Cyber Defence Centre
Heiki Pikker, TUT Cyber Security MSc student


SK Annual Conference 2016


E-identity event SK Annual Conference 2016 will take place on November 3, 2016, Kultuuri Katel (Põhja pst 27a, Tallinn).

09:00-09:30    Registration and morning coffee
09:30-09:40    Presentation of the exhibitors
09:40-10:30    Overview of SK 2016, Kalev Pihl, SK
10:30-11:00    Updates to SK services portfolio, Liisa Lukin, SK
11:00-11:15    Cofee Break
11:15-12:15    Keynote Peter Zinn: We’re All Gonna Д13
12:15-13:00    Lunch
13:00-13:30    From e-Estonia to e-Europe, Katrin Laas-Mikko, SK
13:30-14:00    Future plans of ID-software, Margus Arm, Riigi Infosüsteemi Amet
14:00-14:30    Overview of near markets: Baltikum and Nordic countries, Lauri Immonen, Telia
14:30-15:00    Cofee Break
15:00-15:20    From physical to virtual: SIM and eSIM convergence, Jürgen Niinre, Telia
15:20-15:50    New SK eID solution, Urmo Keskel, SK
15:50-16:10    Renewed DigiDoc portal, Gintas Balčiūnas, Estina
16:10-16:40    Round of question and answers
16:40-17:00    Summary of the day by digital world enthusiasts
17:00-17:30    Evening snack


SK Annual Conference 2015


E-identity event SK Annual Conference 2015 will take place on November 5, 2015, Vabal Laval Telliskivi Loomelinnakus (Telliskivi 60a, C1-hoone)

09:00-09:30 Registration and morning coffee
09:30-09:45 Overview of SK 2015, Kalev Pihl, SK
09:45-10:45 Identification physically and digitally, Joseph Leibenguth, Gemalto
10:45-11:15 Coffee Break
11:15-11:55 eIDAS and international interoperability, Katrin Laas-Mikko, SK
11:55-12:25 New Mobile-ID and alternatives, Urmo Keskel, SK
12:25-12:45 NutiKaitse 2017: development of security, Andri Möll, Monday Calendar
12:45-13:30 Lunch
13:30-14:00 Life of cryptography, Anto Veldre, RIA
14:00-14:30 Underlying technologies of cryptocurrency, Asse Sauga, Eesti Krüptoraha Liit
14:30-15:40 Tech trends 2030 & company of the future, Richard van Hooijdonk
15:40-16:00 Coffee Break
16:00-16:35 Questions and answers
16:35-16:55 Summary of the day
16:55-17:30 Evening snack


Hundred thousand ID card certificates issued with invalid public key encoding


From the Chrome bug report:

Estonian IDs issued between September 2014 to September 2015 are broken and use negative moduli.

Not content with signing negative RSA moduli, still other Estonian IDs have too many leading zeros.

In Estonia there are 100 000+ such ID-cards and without any change with chrome 46 those card owners could not use chrome any more for every day usage.

ASN.1 DER encoding specifies that positive integer [having msb of MSB set] has to be encoded with 0-byte prefix. However, the certificates in question omit 0-byte prefix for RSA public key modulus and therefore standards complying Chrome DER decoder interprets public key value as an [invalid] negative integer.

Google developer hints that SK’s recently passed annual audit falsely attests that SK operations confirm to the standards:

It would seem each of these certificates fails to conform to the ETSI TS 102 042 policies (for which sk.ee was audited), which would invalidate them for use as QCP-SSD/QCP/NCP, nor would they conform to the sk.ee CPS in force at this time. If so, wouldn’t all of these certificates need to be revoked, per sk.ee’s CPS?

First SK asked for a “temporary” workaround, later committing to recall the ID cards in question in the next 6 months:

Is there possible to make temporary (for 5 years) workaround for such cards in chrome 46 and beyond?

AFAIK, no more certificates with incorrect encoding are being generated and the renewal of the issued ones is being planned. It shall require time, less than 5 years but obviously not a month or two, due to the sheer number of the cards out there.
6 months seems like a realistic target.

Translation of Postimees article:

Due to a software failure by Estonian ID card software vendor AS Sertifitseerimiskeskus about 250 000 ID cards have an error that may in the future cause its usage problem. ID cards with software faulty certificates were issued for one year since September 2014 and if error is not fixed in the following six month, then people will not be able to authenticate themselves anymore in the future versions of the world’s second most popular web browser Google Chrome.

“This is certainly non-compliance with standards on our side. We let error through in our software development. Reason, why this error went through and was permanent is that no browser had discovered it until now and our ID card so far works with them excellent” head of SK Kalev Pihl explains to Postimees. The thing come to light when Google made a big software update which controls subtlety, what no other software have done so far. “It came out that some certificates on Estonian ID cards do not conform to requirements,” says Kalev Pihl, who says that the error came out during the beta-testing of the new browser software.

Pihl confirms that SK agreed with Google for a half year long transition period. Result is that Chrome will not add the new software at the moment and people can use this browser for authentication with no problem. “That half a year of development time should be really enough in order to provide to a person a solution where he/she can renew ID card certificates behind the computer with one button press,” adds Pihl. “Usually during our testing we discover bugs introduced by browser developers, this time they discovered error on our side,” summarized Pihl.

RIA plans a remote update feature for Estonian ID cards / e-residency cards:

The functionality, prompting card owners to update the certificates online, has once been part of the Estonian ID card software suite and will now be re-implemented. The procedure of initiating the remote update procedure on the certificates is to be implemented in a way that is both easy to use and secure. Veinthal said the security and risk of the new functionality were to be analysed before implementation. “The eID framework has to be aware that interoperation glitches are becoming more frequent in the world of technology, increasing the necessity to create fast and convenient solutions,” commented Veinthal.


Four thousand ID card certificates issued with duplicate email addresses


Upon manufacturing the ID card, residence card, Mobile-ID and Digi-ID certificate, email address in the form of name.surname@eesti.ee will be generated. In the case of namesakes, the software compares the email address to the previously used addresses and next people with the same name will get an email address in the following form: name.surname.1@eesti.ee, name.surname.2@eesti.ee etc., depending on how many people there are with the same name.

Due to the software error, duplicate email addresses were created for namesakes, these addresses were also inserted to the certificates of identity documents. We have fixed the error and we can assure that such a situation will not reoccur in the future,” explained Kalev Pihl, the Member of the Board of the Certification Centre. Altogether 40 000 ID and residence cards were issued in June and July, 4120 of them were with duplicate email addresses.

Email address name.surname@eesti.ee is an alias to personalidentificationcode@eesti.ee, which is unique. For sending information, state authorities use the email address personalidentificationcode@eesti.ee.

After the software error was detected, the State Portal suspended the email forwarding right of all of these persons, who had received a duplicate email address with their certificates. These persons can start using their eesti.ee email address only after the renewal of the certificates.


Attacks against Gemalto do not endanger the security of Mobile-ID


Gemalto, which is the largest manufacturer of SIM cards in the world, launched an internal investigation after The Intercept six days ago revealed that the NSA and its British counterpart GCHQ hacked the company and cyberstalked its employees. In the secret documents, provided by NSA whistleblower Edward Snowden, the intelligence agencies described a successful effort to obtain secret encryption keys used to protect hundreds of millions of mobile devices across the globe.

Some mobile operators in Estonia use Mobile-ID SIM cards supplied by Gemalto. Here is Estonian Certification Centre response:

Attacks against Dutch SIM card manufacturer Gemalto which became public yesterday does not endanger Mobile-IDs. AS SK (Certification Centre) confirmed that the attacks against the world’s largest SIM card manufacturer Gemalto does not threaten the security of Estonian Mobile-ID.

“We analyzed the information available to us about the attack and verified that the Mobile-ID security is not affected, Mobile-ID is still secure, and users do not need to make adjustments to their normal behavior in any way,” said the head of the Certification Center Kalev Pihl.

Gemalto has released a public report where the company tries to downplay the significance of NSA and GCHQ hack. But that is understandable:

The company was eager to address the claims that its systems and encryption keys had been massively compromised. At one point in stock trading after publication of the report, Gemalto suffered a half billion dollar hit to its market capitalization. The stock only partially recovered in the following days.

Fortunately, the exploitation of the stolen symmetric keys requires the attacker to be in close proximity of the victim’s mobile phone and requires to perform active MITM attack at the moment when the victim performs Mobile-ID transaction.

Update about Estonian mobile network operators’ use of Gemalto SIM cards:

Estonian National Electoral Commission’s e-voting commission’s deputy chairwoman Epp Maaten said that among Estonian mobile operators, only EMT uses SIM cards issued by Gemalto, but only as pre-paid call cards and Gemalto is not the only vendor of the cards.


SK Annual Conference 2014


SK Annual Conference 2014 took place in November 6, 2014.

9:00-9:45 Registration and coffee
9:45-9:55 Drone presentation, Jaan Kronberg
10:00-10:05 Opening remarks by SK CEO Kalev Pihl
10:05-10:30 SK overview of the 2014 and NutiKaitse 2017, Kalev Pihl​​, SK
10:30-10:45 e-Residence, Kaspar Korjus, Estonian Development Fund
10:45-11:20 What will happen in January 1, 2015? (BDOC and Mobile-ID), Liisa Lukin, SK
11:20-11:45 Coffee break
11:45-12:20 eIDAS, Mait Heidelberg, MKM
12:20-12:45 International DigiDoc client, Jaan Murumets, SK
12:45-13:30 Lunch
13:30-14:30 Online Arms Race, Mikko Hyppönen, F-Secure
14:30-15:00 Coffee break
15:00-15:30 New Generation of eID Smartcard, Andreas Lehmann, Trüb Baltic AS
15:30-16:00 eID future trends, Tarvi Martens, SK
16:00-16:20 Questions and Answers
16:20-16:30 Closing remarks and prize lottery
16:30-17:00 Scandinavian experience, Alev Ström
17:00-17:30 Evening snack