Estonian Electronic Identity Card: Security Flaws in Key Management (opens in new tab)

(usenix.org)

222 pointsdcbadacd5y ago80 comments

80 comments

Anyone wondering if this is a new issue; it's not, it's a more detailed writing of some previous issues, one of which being the Gemalto affair[0].

The new cards issued in 2018 are not known to have any vulnerabilities.

[0]: https://www.linkedin.com/pulse/timeline-estonian-id-card-vul...

kreetx5y ago

Didn't read the paper but it appears to be fresh, so maybe the newsworthy part is that they are still not fixed?

Avamander5y ago

The paper is half for giving a technical overview of the issues and part new analysis based on datamining old certificates. The issues have been mostly fixed, compliance violations however are still badly monitored.

1 more reply

PrimeDirective5y ago

> The flaws of the ID-card is a very politically charged topic to discuss in Estonia, having any doubts about the ID-card or e-voting will make you a persona non grata.

I somewhat disagree, the discussion tends to get bent by some populist agent provocateurs and some of the initial reactions from the private sector media. (In Estonia, the government media is the most centered out of all news outlets, go figure). What these statements usually are is that "ID card has a flaw X, therefore we should immidiately ban it, close the R&D and burn it with fire", forgetting that crypto and computing in general, changes over time. My view is that, of course each flaw has to be resolved and sometimes this is political, but this just means the work has to continue.

C1sc0cat5y ago

Thinking that compulsory id cards "Papers Bitte" are not a good thing is not an uncommon view.

ZWoz5y ago

ID card is mandatory by law, but there aren't sanctions (in my knowledge). You need some kind document though, in US that is usually drivers license. I don't see big difference here.

1 more reply

bragh5y ago

It's not about it being compulsory, but the system being unverifiable end-to-end and any criticism of that being laughed at.

If you put it into business terms, would you trust an employee or vendor who told you that everything was alright, did not allow you to perform checks and audits and mocked both your and external partners concerns [0] about it? I don't think so. If the government is indeed for the people and not vice versa, then this is not acceptable.

[0] https://www.youtube.com/watch?v=LkH2r-sNjQs Tom Scott's video about e-voting. Funniest rebuttal I saw on Estonian social media was that we are secure, since he is talking about e-voting, but we have i-voting. So I guess once we will call it c-voting, it will be even better...?

2 more replies

p_l5y ago

It's an american view, mostly due to having only experience with ID documents through WW2 movies or cold War propaganda, mixed with religious voices against it ("mark of the beast", wish I was joking).

Elsewhere, "Papers, please" tends to be sign of excessive "stop-and-frisk" or movement restrictions, and the idea of having basic ID card seems to not have much of an opposition. Especially since it's much simpler than sometimes circular requirements of "web of trust" confirmations like in UK (though I heard it got better)

8organicbits5y ago

Correct, wikipedia even documents this:

https://en.m.wikipedia.org/wiki/Your_papers,_please

zo15y ago

Wow - that's like 3 negative "modifier" words. I don't actually know what you're saying with that sentence and I've been reading it for about 3 minutes now.

AhtiK5y ago

"The jTOP SLE78-powered ID cards were issued until the end of 2018. ID cards manufactured currently are powered by the chip platform supplied by IDEMIA (not covered in this work)."

If my memory serves me right, there was an easy way to check if your ID card was affected and it got replaced for free. The flaws described in paper are not known to exist in cards issued since the end of 2018, beginning of 2019.

jlgaddis5y ago

Yeah, an "offline tester" [0] was made available by the researchers who discovered ROCA [1] and a company with "close links" to the researchers created a "ROCA Vulnerability Test Suite" [2]. The Estonian government also had one on their web site [3] but it is, apparently, no longer available.

ROCA didn't just affect Estonian ID cards, though. It also affected also TPMs (from Infineon), certain Yubikeys [4], and even some PGP keys!

---

[0]: https://github.com/crocs-muni/roca

[1]: https://roca.crocs.fi.muni.cz/

[2]: https://keychest.net/roca/

[3]: http://www.id.ee/?lang=en&id=38239

[4]: https://www.yubico.com/support/security-advisories/ysa-2017-...

chrismeller5y ago

Yes, the Police and Border Guard has an online tool to check. They also supposedly contacted all the people with bad chips (my card was not vulnerable, so I can’t verify that).

Etheryte5y ago

The aftermath of the issue has been previously discussed here (2018): https://news.ycombinator.com/item?id=18104861

bragh5y ago

Brave guy to publish this, hopefully it won't end up similar to the Dreyfus affair — depends on which the media will roll due to it being "pickled cucumber season" (everybody is on vacation, nothing much happening during summer in Estonia). The flaws of the ID-card is a very politically charged topic to discuss in Estonia, having any doubts about the ID-card or e-voting will make you a persona non grata.

Etheryte5y ago

Regarding your last point, I have a hard time seeing what you mean. The system is audited both internally and externally fairly regularly, the latest report being released just December last year [0]. There is also frequent news coverage, both supporting and criticizing the system [1][2]. One of the current government parties [3] is an active critic of the system. So it seems like a fair stretch to say that discussing or criticizing the system isn't common or somehow not welcome.

None of this is to say that the system doesn't have flaws, as every other IT system, it does. It is however publicly discussed as you would expect in a democracy.

[0] https://www.mkm.ee/sites/default/files/e-valimiste_tooruhma_...

[1] https://www.err.ee/keyword/15389

[2] https://www.postimees.ee/term/15008/id-kaart

[3] https://www.valitsus.ee/et/peaminister-ministrid/valitsuse-k...

bragh5y ago

> The system is audited both internally and externally fairly regularly, the latest report being released just December last year

Can you please clarify the 'fairly regularly' part? One of the members of that commission said that this is the first time that this kind of audit has been undertaken: https://digi.geenius.ee/rubriik/uudis/e-valimiste-tooruhma-l... To be fair, there are lots of other reviews having taken place, but none of them are regular with the exception of the OECD ones happening during elections: https://et.wikipedia.org/wiki/Elektrooniline_h%C3%A4%C3%A4le...

> There is also frequent news coverage, both supporting and criticizing the system

ERR is government-funded and seems to me quite neutral, not sure how it is relevant here. But it still seems to me that mainstream media is supportive and you have to go to "alternative" news sources to find any true criticism.

> One of the current government parties [3] is an active critic of the system.

Actually 2, if you count both KE and EKRE. And this is one of the major criticisms against those parties and has been so for years.

A good example of the prevailing attitude can be seen in this thread from 2017 about the security hole back then from Hinnavaatlus, probably biggest IT-related forum in Estonia: https://foorum.hinnavaatlus.ee/viewtopic.php?t=715076&postda... The general tonality in the beginning was that this is a tinfoil problem and somehow brought up by KE and EKRE before elections until the reality of the situation sunk in.

1 more reply

raxxorrax5y ago

Being spammed with reviews after mentioning that there might be a disagreement about electronic id data collection drives the original point a bit.

1 more reply

Svip5y ago

> "pickled cucumber season"

Funny, it's called "cucumber time" (agurketid) in Danish. I wonder if it's a related term in Nordic countries + Estonia.

gspr5y ago

We also call it "agurktid"/"agurknyheter" in Norwegian, and I know the Germans use "Sauregurkenzeit".

I've never heard any similar expression in English, nor in any Romance languages. The Brits use "silly season" for the same concept in journalism/news.

1 more reply

sputr5y ago

Yeah, we also use 'time of pickled cucumbers' in Slovenia. So not just a nordic thing ;)

praseodym5y ago

It’s also called “komkommertijd” (“cucumber time”) in Dutch. Not pickled, because we call pickles “augurken”.

krzyk5y ago

and "sezon ogórkowy" (cucumber time) also in Poland :)

kaliszad5y ago

Okurková sezóna in Czech

pisipisipisi5y ago

He is a well-known researcher in Estonia, with his scope of work both known as well as appreciated (at least by the non-politicians). Of course some have the "too big to fail", thus "you don't talk about Vo..." attitude, but those want to turn technical argumentation into political "agreement" and it is hard to debate a 0 to become 1. You can't argue with computers, "lets agree this 0 is as good as 1, even better and greater!"

atlasunshrugged5y ago

Having worked for the Estonian government for a bit, I'm not sure that it'll exactly make you a persona non grata but definitely you'll get a ton of pushback if you make any claims about e-ID and e-voting as people have very strong feelings about it.

pier255y ago

I'm from the EU and considering incorporating my next company in Estonia.

Anyone else in a similar situation has any recommendations or ideas about this?

edko5y ago

In general, I had a good experiences. There are a few annoying things, however: my Estonian bank (VUB) discriminates against non-Estonian customers (even if they are EU citizens/residents) by applying a foreigners fee. Also, the local business register seems to be above data protection laws and sells your information. I receive lots of spam just by being in the register. Also, if you think that because your company is private your financial statements will also be private, that won't be the case. They will still sell the information to anyone for a few euros.

pier255y ago

> Also, the local business register seems to be above data protection laws and sells your information.

Jesus that sounds terrible...

AhtiK5y ago

Make sure to understand the tax laws when it comes to the company tax residency in scenarios where you're physically not operating in Estonia nor employing people there, nor having majority of your clients there.

See my older comment [1] for some related topcis to research.

[1] https://news.ycombinator.com/item?id=21321451

atlasunshrugged5y ago

Yes, I'd definitely echo that, a huge amount of tax implications are based on individual residency/permanent establishment so if you're living in say, Germany, for 1/2 of the year + 1 day, you should be expecting to pay at least your personal income taxes there, and likely the business taxes if you're a sole prop without local employees and local business. Of course, if you're a true 'digital nomad' who doesn't establish residency anywhere it gets much trickier. But in general, my advice it to pay for 1-2 hours with an accountant up front before you go through setting up a new entity somewhere

1 more reply

pier255y ago

Thanks, I will definitely check this out.

Stierlitz5y ago

> n this paper, we describe several security flaws found in the ID card manufacturing process ..

Like accidentally on purpose,secure up to a point, but weak enough to allow the spooks to generate their own IDs. I mean if the cards were unhackable how would a spy do his job :]

chrismeller5y ago

As an American residing in Estonia, I’m not sure what the benefit of a state compromising the card crypto would be. There are four broad categories of uses for the ID cards:

1) Obviously, a government-issued photo ID

2) For an increasing number of shops, as your “frequent shopper” card, which admittedly is slightly related to...

3) Authentication, including: logging into your bank, government websites (the state portal, the tax authority, the the “digital story” - all your medical records, the online booking website for booking some combination of surgeons/specialists that operate under the public healthcare system), the (one) online pharmacy that exists, etc.

4) Signing things. I’ve signed my lease with it (though “paperless” Estonia still wanted me to sign a paper version as well) and more routinely you have to “digitally sign” any bank transfers... which are the standard way to pay bills in Estonia, so you do it a lot. Finally, voting online.

I don’t see how broadly compromising the crypto would really benefit anyone for any of those things, it would have to be a more specific individual attack, like draining your bank accounts.

Edit: formatting, added voting

pisipisipisi5y ago

Getting asked as an expert "can this id card thing be trusted?" my answer has been "for communicating with the government you inherently don't trust, the method or security of an authentication device does not really matter" (filing your taxes or logging to services being the scope). Some claiming encryption privacy issues ... Well, for any meaningful opsec you should not be using the id card for encrypting messages about overthrowing the same government issuing the encryption devices in the first place, if government reading your messages is a threat in your model.

1 more reply

LatNax5y ago

A single leak can be bad, multiple leaks piled into a single actor can be life changing.

roywiggins5y ago

The spooks are the same government issuing the ID. They can just call up the department issuing the IDs and ask for a batch of new identities. No technical flaws necessary.

xyzzy1235y ago

I know your comment was tongue in cheek but this has come up in the digital Id space before. All these things get bootstrapped off government sources and spooks have no problems because governments control those databases. You don’t need technical hacks if you control the systems of record.

dane-pgp5y ago

So what's to stop the ruling party from issuing its loyal spooks thousands of ID cards in key districts, which they then use to cast fraudulent votes in the election?

noodlesUK5y ago

So, an argument that I hear regularly is that having a mandatory centralised and cryptographic ID system really expedites certain ID-related tasks. Can anyone in Estonia comment on this? Within the US and U.K., there’s no mandatory ID, which I think is probably a good thing for civil liberties (no papers please, for instance), but also fosters certain industries such as credit reference agencies and has all sorts of weird side effects from bootstrapping things like SSNs and NI numbers into secrets. Are there companies like Jumio and Acuant in Estonia, or has the government rendered them pointless?

Avamander5y ago

> I hear regularly is that having a mandatory centralised and cryptographic ID system really expedites certain ID-related tasks.

Paper signatures and fax are both considered obsolete, the latter is basically never used. Cheques? Never seen them. Logging into any high-value service is done using the eID. If you use local services there's rarely any need for any site specific passwords, password managers, U2F, FIDO(2), GPG or similar identity technology. There's no need to send a pic of yourself to verify your identity anywhere, zero shit like that.

You know how PayPal, Stripe or similar payment processors felt/feel really cool and fast? Yeah, we barely felt that because banklinks have fulfilled that use case for the majority for a really long time now.

There aren't any other examples on the top of my head right now, but they're really not the only things. By now, there's basically an entire generation in Estonia that literally have zero idea how things were before, and are thus often shocked by what and how much is required from them in other countries.

> Are there companies like Jumio and Acuant in Estonia, or has the government rendered them pointless?

They're basically nonexistent.

JoeAltmaier5y ago

Seems interesting, but security flaws were in a countable (small) number of cases. Is this a general issue?

pisipisipisi5y ago

This shows the issues in process and attitude. Even in the case of ROCA, you do not really break the crypto part itself, you wiggle around the implementation and procedure issues to bypass it.

cordite5y ago

Are these things PIV or something else?

fabianlindfors5y ago

Are there any Estonians here on HN who would be willing to chat a bit about digital identities in your country? I'm working on bringing e-ID to more people (https://getpass.app/) and looking to get a better understanding of current solutions.

Feel free to reach out, my email is fabian (at) flapplabs.se

j / k navigate · click thread line to collapse

80 comments

dijit5y ago

Anyone wondering if this is a new issue; it's not, it's a more detailed writing of some previous issues, one of which being the Gemalto affair[0].

The new cards issued in 2018 are not known to have any vulnerabilities.

[0]: https://www.linkedin.com/pulse/timeline-estonian-id-card-vul...

kreetx5y ago

Didn't read the paper but it appears to be fresh, so maybe the newsworthy part is that they are still not fixed?

Avamander5y ago

1 more reply

PrimeDirective5y ago

> The flaws of the ID-card is a very politically charged topic to discuss in Estonia, having any doubts about the ID-card or e-voting will make you a persona non grata.

C1sc0cat5y ago

Thinking that compulsory id cards "Papers Bitte" are not a good thing is not an uncommon view.

ZWoz5y ago

ID card is mandatory by law, but there aren't sanctions (in my knowledge). You need some kind document though, in US that is usually drivers license. I don't see big difference here.

1 more reply

bragh5y ago

It's not about it being compulsory, but the system being unverifiable end-to-end and any criticism of that being laughed at.

2 more replies

p_l5y ago

8organicbits5y ago

Correct, wikipedia even documents this:

https://en.m.wikipedia.org/wiki/Your_papers,_please

zo15y ago

Wow - that's like 3 negative "modifier" words. I don't actually know what you're saying with that sentence and I've been reading it for about 3 minutes now.

AhtiK5y ago

"The jTOP SLE78-powered ID cards were issued until the end of 2018. ID cards manufactured currently are powered by the chip platform supplied by IDEMIA (not covered in this work)."

jlgaddis5y ago

ROCA didn't just affect Estonian ID cards, though. It also affected also TPMs (from Infineon), certain Yubikeys [4], and even some PGP keys!

---

[0]: https://github.com/crocs-muni/roca

[1]: https://roca.crocs.fi.muni.cz/

[2]: https://keychest.net/roca/

[3]: http://www.id.ee/?lang=en&id=38239

[4]: https://www.yubico.com/support/security-advisories/ysa-2017-...

chrismeller5y ago

Yes, the Police and Border Guard has an online tool to check. They also supposedly contacted all the people with bad chips (my card was not vulnerable, so I can’t verify that).

Etheryte5y ago

The aftermath of the issue has been previously discussed here (2018): https://news.ycombinator.com/item?id=18104861

bragh5y ago

Etheryte5y ago

None of this is to say that the system doesn't have flaws, as every other IT system, it does. It is however publicly discussed as you would expect in a democracy.

[0] https://www.mkm.ee/sites/default/files/e-valimiste_tooruhma_...

[1] https://www.err.ee/keyword/15389

[2] https://www.postimees.ee/term/15008/id-kaart

[3] https://www.valitsus.ee/et/peaminister-ministrid/valitsuse-k...

bragh5y ago

> The system is audited both internally and externally fairly regularly, the latest report being released just December last year

> There is also frequent news coverage, both supporting and criticizing the system

> One of the current government parties [3] is an active critic of the system.

Actually 2, if you count both KE and EKRE. And this is one of the major criticisms against those parties and has been so for years.

1 more reply

raxxorrax5y ago

Being spammed with reviews after mentioning that there might be a disagreement about electronic id data collection drives the original point a bit.

1 more reply

Svip5y ago

> "pickled cucumber season"

Funny, it's called "cucumber time" (agurketid) in Danish. I wonder if it's a related term in Nordic countries + Estonia.

gspr5y ago

We also call it "agurktid"/"agurknyheter" in Norwegian, and I know the Germans use "Sauregurkenzeit".

I've never heard any similar expression in English, nor in any Romance languages. The Brits use "silly season" for the same concept in journalism/news.

1 more reply

sputr5y ago

Yeah, we also use 'time of pickled cucumbers' in Slovenia. So not just a nordic thing ;)

praseodym5y ago

It’s also called “komkommertijd” (“cucumber time”) in Dutch. Not pickled, because we call pickles “augurken”.

krzyk5y ago

and "sezon ogórkowy" (cucumber time) also in Poland :)

kaliszad5y ago

Okurková sezóna in Czech

pisipisipisi5y ago

atlasunshrugged5y ago

pier255y ago

I'm from the EU and considering incorporating my next company in Estonia.

Anyone else in a similar situation has any recommendations or ideas about this?

edko5y ago

pier255y ago

> Also, the local business register seems to be above data protection laws and sells your information.

Jesus that sounds terrible...

AhtiK5y ago

See my older comment [1] for some related topcis to research.

[1] https://news.ycombinator.com/item?id=21321451

atlasunshrugged5y ago

1 more reply

pier255y ago

Thanks, I will definitely check this out.

Stierlitz5y ago

> n this paper, we describe several security flaws found in the ID card manufacturing process ..

Like accidentally on purpose,secure up to a point, but weak enough to allow the spooks to generate their own IDs. I mean if the cards were unhackable how would a spy do his job :]

chrismeller5y ago

As an American residing in Estonia, I’m not sure what the benefit of a state compromising the card crypto would be. There are four broad categories of uses for the ID cards:

1) Obviously, a government-issued photo ID

2) For an increasing number of shops, as your “frequent shopper” card, which admittedly is slightly related to...

I don’t see how broadly compromising the crypto would really benefit anyone for any of those things, it would have to be a more specific individual attack, like draining your bank accounts.

Edit: formatting, added voting

pisipisipisi5y ago

1 more reply

LatNax5y ago

A single leak can be bad, multiple leaks piled into a single actor can be life changing.

roywiggins5y ago

The spooks are the same government issuing the ID. They can just call up the department issuing the IDs and ask for a batch of new identities. No technical flaws necessary.

xyzzy1235y ago

dane-pgp5y ago

So what's to stop the ruling party from issuing its loyal spooks thousands of ID cards in key districts, which they then use to cast fraudulent votes in the election?

noodlesUK5y ago

Avamander5y ago

> I hear regularly is that having a mandatory centralised and cryptographic ID system really expedites certain ID-related tasks.

> Are there companies like Jumio and Acuant in Estonia, or has the government rendered them pointless?

They're basically nonexistent.

JoeAltmaier5y ago

Seems interesting, but security flaws were in a countable (small) number of cases. Is this a general issue?

pisipisipisi5y ago

This shows the issues in process and attitude. Even in the case of ROCA, you do not really break the crypto part itself, you wiggle around the implementation and procedure issues to bypass it.

cordite5y ago

Are these things PIV or something else?

fabianlindfors5y ago

Feel free to reach out, my email is fabian (at) flapplabs.se

j / k navigate · click thread line to collapse