Estonian ID card uses 2048 byte keys, which means generating a private key from a public key takes 140.8 CPU years, which is quite fast/trivial/cheap using a distributed approach (botnet, your already existing HW that you use for mining, etc.)... considering the implications.
Who claimed there is cracking software in the black market? I don't find it hard to believe, of course.
The Estonian government is legally bound to apply such countermeasures as soon as there is reasonable doubt about the security of the system. It's pretty important that such things are encoded in law and are not up to whim.
> As of October 31, all users of faulty ID cards can update their security certificates remotely and at Estonian police and border guard service points.
I have been trying every day to do so but constantly getting “server is overloaded” errors.
Spain does the same. With your ID card chip, you can:
- sign your emails digitally
- log in to secure websites with your ID card (bank, DMV, taxes, …). Sometimes you can only do it with the ID card
- they opened many of their tools, so you can design your website to allow login with Spain's ID cards (that was a fun project)
Were these cards affected? Were there any official notices from authorities?
Even if not affected, it would be nice to hear an official comment.
I was discussing this with someone from Belgium and we agreed that silence from the Belgian government meant only one thing: nobody used the service. (Specifically: Belgian cards are the older Gemalto generation, thus not affected, like the older Estonian IDs.)
We have a similar system in Austria and I got curious when ROCA was announced. Turns out the cards here generate ECDSA keys and are thus not affected. Naturally, there was no announcement of any kind, so this took quite a bit of sleuthing to figure out.
Am Estonian. The remote upgrade system is still working, but only enabled for high-priority users right now because of the high load - medical professionals, social workers, people who used the card more than 100 times over the past 3 months. It will be re-enabled for all users at the start of next week, maybe earlier if the high-priority users have all been serviced.
Slovakia invalidated them 3 days ago and is moving to 3072-bit keys.
However, our minister of the interior "Robert Kalinak" announced that they should hack his if it's a real threat. The only thing which he didn't mention is that his public key isn't publicly available...
In the U.S. we also put all our eggs in one basket, but instead of that basket being a digital certificate/smartcard, it's a nine-digit number that we use as both userid and password.
Except all eggs aren't in one basket - ID card cert usage will be blocked but you can still use Mobile-ID to sign documents, log into govt websites and do everything else that you can do with your ID card.
More like 3 baskets. Estonians can also use a Mobile ID, where private keys, authentication and signature functions are stored on a special SIM card. More recently, an app based Smart ID was also introduced.
If you're on one of those services, the certificate revocation doesn't really affect you.
There is only one basket that is made to look like there are three baskets.
To get a Mobile-ID you need to have an ID-card with valid certificates. If the certs are revoked you can't activate your Mobile-ID. Also you have to pay a monthly fee for the Mobile-ID service.
Smart-ID requires that you have an ID-Card or Mobile-ID and more importantly it's practically useless as you can't use it for any government services.
So what's your actual threat model here? The Government decides to ban people from accessing Government services? Err... Or that some person might not be able to activate their Mobile ID for a short period of time while they sort out their ID cards?
The threat model is exactly people getting locked out of government services.
If this seems silly or not important to you then you aren't aware just how widespread the usage of digital government services is in Estonia.
As one example, most government procurements over a certain amount of money happen as e-procurements with strict time limits that can't be changed, and bids need to be digitally signed. If you can't access digital government services you can neither access the e-procurement site nor digitally sign your bid.
Right, but point is, you can quite easily have Mobile-ID and your ID card, and if something happens to your ID card you can still use Mobile-ID. I think.
If there's no redundancy measure for the ID card system failing - for example, automatically extending deadlines - that's a problem, and an easily solvable one at that, since it's mostly policy. It's not something against the ID card system.
Yes, but you need to already have Mobile-ID for that. To get a Mobile-ID you need an ID-Card with valid certs.
So if a person doesn't already have Mobile-ID and their ID-Card certs are blocked they can't get a Mobile-ID and thus they can't access any digital government services.
It's not like this is purely theoretical - a large number of Estonian ID-Cards will have their certs blocked and not everyone has Mobile-ID.
Just like you need a valid e-mail to sign up somewhere. Except that here you won't need it afterwards (even if your ID is compromised, it can be blocked and the other systems provide secure identity.)
All of this is backed by the "single basket" of people actually showing up in the population registry office...
PS: I see, you have just joined HN to write these unsubstantiated comments.
Clarification: Smart ID does not (yet) have the same functionality as Mobile-ID or ID Card (you can log into some supported services with it but that's about it).
AFAIK they're working on it to get it to the same level so you could give official signatures and log into govt services etc using that as well.
Although people are unhappy and annoyed, I think it is the right decision to close the ID cards. This can be recovered from. If they were compromised, the trust would be gone.
So it's not quite as simple as Google or Facebook OAuth. But the government does support the idea that, if you want, you can add this as a login option to your forum for dogs or an e-store for sweaters.
The main value is still in the fact that the authentication gives you the ability to create legally binding contracts that get signed online.
To be precise: the system offers both identification and authentication (by using two different certificates, with two different pin codes.)
Even if you don't sign up and whitelist your service you can sign documents or verify other people's document signatures (both online or with a desktop client). There are usage quotas, though.
"Information System Authority (RIA) Director General Taimar Peterkop likewise confirmed that the threat assessment had changed after the research published by the Czech researchers on Monday revealed that the security flaw affecting Estonian ID cards is easier to exploit than previously believed."
Is what you are referring to "the research published by the Czech researchers"?
One interesting thing. As Gemalto was the first frontier, the stock market reacted quickly to them (-25%). However, the Infineon stock went in the other direction (+27%) since the vulnerability was discovered. OK, they are also 9 times larger and digital security is not their main market.
https://www.schneier.com/blog/archives/2017/09/security_flaw...