Security Flaw in Estonian National ID Card

We have no idea how bad this really is:

On 30 August, an international team of researchers informed the Estonian Information System Authority (RIA) of a vulnerability potentially affecting the digital use of Estonian ID cards. The possible vulnerability affects a total of almost 750,000 ID-cards issued starting from October 2014, including cards issued to e-residents. The ID-cards issued before 16 October 2014 use a different chip and are not affected. Mobile-IDs are also not impacted.

My guess is that it's worse than the politicians are saying:

According to Peterkop, the current data shows this risk to be theoretical and there is no evidence of anyone's digital identity being misused. "All ID-card operations are still valid and we will take appropriate actions to secure the functioning of our national digital-ID infrastructure. For example, we have restricted the access to Estonian ID-card public key database to prevent illegal use."

And because this system is so important in local politics, the effects are significant:

In the light of current events, some Estonian politicians called to postpone the upcoming local elections, due to take place on 16 October. In Estonia, approximately 35% of the voters use digital identity to vote online.

But the Estonian prime minister, Jüri Ratas, said at a press conference on 5 September that "this incident will not affect the course of the Estonian e-state." Ratas also recommended to use Mobile-IDs where possible. The prime minister said that the State Electoral Office will decide whether it will allow the usage of ID cards at the upcoming local elections.

The Estonian Police and Border Guard estimates it will take approximately two months to fix the issue with faulty cards. The authority will involve as many Estonian experts as possible in the process.

This is exactly the sort of thing I worry about as ID systems become more prevalent and more centralized. Anyone want to place bets on whether a foreign country is going to try to hack the next Estonian election?

Another article.

EDITED TO ADD (9/18): More details.

Posted on September 5, 2017 at 3:23 PM • 65 Comments

Comments

RatioSeptember 5, 2017 3:58 PM

Anyone want to place bets on whether a foreign country is going to try to hack the next Estonian election?

A foreign country, never. But "patriots", now that's guaranteed.

David MossSeptember 5, 2017 4:35 PM

Anyone want to place bets on whether a foreign country is going to try to hack the next Estonian election?
It seems like only yesterday that this question turned up but on inspection it turns out to have been 12 May 2014 when the University of Michigan and others could see nothing to stop the Russians, for example, from deciding the result of an election rather than the voters.

ChrisSeptember 5, 2017 4:39 PM

Hi Bruce, have you heard about Civic? They are building an decentralised identity platform on the Ethereum blockchain for "multi-factor authentication without a username, password, third party authenticator, or physical hardware token." You keep control over your data and private keys. https://www.civic.com I would like to hear your thoughts about this.

Markus OttelaSeptember 5, 2017 6:23 PM

This is interesting. I just recently reported an issue in the Finnish National ID Card certificate system to CSO of Population Register Center of Finland. I wonder if these two are related. (note: I'm not under an NDA).

ab praeceptisSeptember 5, 2017 6:57 PM

Markus Ottela

I see it from the other side: I would be surprised, if other countries were *not* affected, too. From what I've seen quite many countries, no matter how much they usually brew their own, when it comes to things like digital id they tend to either go a common and agreed upon route or they pretty much copy from each other. Typically there is a first one then another one, usually one of the larger countries, after a while copies at which a kind of "that's the standard way" attitude is created and the rest just follows.

imo the real and somewhat funny question is more "which ones will 'confess' and which ones will try to cover it up"?

Chairman MaoSeptember 5, 2017 8:24 PM

@Chris

Sounds like you are creating another Estonia.

Without a hardware token? What do you call a mobile phone?

ID Theft Monitoring
Fraud Support
Monitoring Alerts
Identity Fraud Coverage
ID Theft Insurance


I won't buy it. I don't even carry a mobile phone, anymore.


U.S. is no betterSeptember 6, 2017 12:17 AM

Visit the IRS, and you have a private cubicle to speak with an authorized agent about your tax business. They have full names and employee badge numbers and are responsible for what they say to you.

Visit the SSA, and you must compete with hordes of people there, no privacy, and identity thieves listening, looking, and taking notes in the waiting room, the same room in which you must talk out loud about your sensitive personal and financial information. SSA agents do not identify themselves or show you their ID or badge number, even though identity thieves have greatly infiltrated the employ of the SSA.

The difference? Rich people have to visit the IRS a lot, and they do not depend on Social Security for retirement like the poor must.

The government seems to care about identity theft only when it affects very wealthy people. "Nothing of value was stolen. What is your net worth?" Never mind your stolen identity is used to commit various crimes in your name, and the SSA is complicit in this.

B. D. JohnsonSeptember 6, 2017 1:25 AM

@Chris: That page is awfully scant on details and the details that are there say it outright relies on a central server to validate requests. There's no details on how the data is stored or validated, no indication that there's any kind of independent code review, and nothing at all that indicates it's any better than creating a dummy Facebook account to use for signing up for stuff.

RachelSeptember 6, 2017 1:43 AM

@Chris
are you involved with Civic?
This is Etherum we are talking about here. Both the code and those in charge are a total joke. What was that line about fools, and money, and parting them? Nothing to see here
PS I get the relevance to this thread but may be move to Squid

Clive RobinsonSeptember 6, 2017 2:14 AM

@ Bruce,

Anyone want to place bets on whether a foreign country is going to try to hack the next Estonian election?

Basic logic says,

    If it can be hacked it will be

But that does not mean it will be hacked by "a foreign country" more likely by a group within the country. As Stalin observed,

    It is enough thst thr people know there was an election. The people who cast the vote decide nothing. The people who count decide everything.

However we appear to be sliding towards another Cold War this time with "information" being the WMD of choice. Will it have the scare power to give a MAD stand off or will it require a kinetic device?

If we look at the US they have through their foreign policy interfered directly or indirectly with foreign elections, in South America and the Middle East. And in cases where the vote has not gone the way the US have wanted they declare the vote null and void.

We also know that the various IV agencies involved with US foreign policy can make statments to the US politicians and citizens with impunity. We also know that they do things and give them different names or meanings to aid that process. Further we have good reason to believe that when it comes to what we now call cyber-espionage/spying the US as part of the Five-Eyes swap intel with other countries on their respective citizens. Thus when they say "we do not do XXX" it is highly probable that they do but "politically arms length it".

Thus the probability is that if the Estonian election does get hacked it will be with the assistance of an ALAMO (Arms Length Alternative Media Outlet) to try to "adjust expectations". Need I say which person appears to have set up such a system and which country they have set it up in?

AndersSeptember 6, 2017 2:40 AM

So far the aforementioned scientist have demonstrated this flaw by breaking up one card, so there's no need for ernomous computing power as officials and politicians are telling us. It is possible to calculate private key from the public key.

The real question here is how we can be sure that the next card is secure? Smart cards that companies are selling are black boxes with proprietary software, as we can see no third party auditing/verification certicifate can help. So the whole idea of having a secure "ID card" and building "secure" digital society around it is just a f_u_c_k_e_d up wet dream of the politicians.

Clive RobinsonSeptember 6, 2017 3:26 AM

@ Anders,

It is possible to calculate private key from the public key.

I think something similar to this might have happened befor with a Far East National ID card.

I vaguely remrmber that it was the Malaysian multi card and I think one of the researchers at the UK Cambridge Computer lab was involved with the discovery.

The problem if I remember correctly was the way the card generated the key pair. In that it was predictable.

matteoSeptember 6, 2017 4:10 AM

elections should not be centralized or optimized (for example voting on internet).
yes, it's easier, you don't need to exit from house, easy to count voters... but also easy to hack.

JSeptember 6, 2017 4:18 AM

Problem seems to be what is inside the chips. Be it Gemalto, Yubikey, some phone SIM card running java etc.
We have had this problem for many years, for example the Debian implementation problem shows the ambiguity.
This is not a sw only problem, hw matters as for example for rowhammer etc. I would not be much surprised if the keys generated eg in Yubikeys are weak.

Will a company give out all the code on the chip or is that the most valuable business asset?

I seem to remember that in Estonia all the signed hashes are kept centrally, if it's not there then it's not signed. The past is safe.

ab praeceptisSeptember 6, 2017 4:35 AM

Clive Robinson

"If it can be hacked it will be"

Frankly, I think you are way too mild. We *know* from diverse cases in the us of a but also from european countries that elections *are* "hacked" (crooked and cooked). If you think that some % more voices than legitimate voters in this or that us-american city is a big thing, have a look at Linz in Austria. They managed to have about 500% votes compared to their legitimate voters.

From what I see, what we are discussing here ("election hacking") is just a small not even new add-on and/or some few cases where wide spread, systematic, and common "election" rigging has become *visible*.

AndersSeptember 6, 2017 5:08 AM

Elections are only small fraction of the whole problem.
In Estonia ID card is mandatory and it's digital signature is legally binding.
So you can sign on someone's behalf some legally binding documents via that flaw, you don't necessarily have to break ALL the cards, only handful that you really need. This brings down the needed computation power significally.

Also via ID card you can log into the bank accounts, different e-services etc. The whole Estonian digital way of life is built around that ID card and now it's broken. Rude awakening for the Estonia. And no-one can quarantee that the next card won't have the similar problem.

S_h_i_t hit the vent, that's for sure.

Andres AllaSeptember 6, 2017 5:28 AM

@ ab praeceptis, Markus Ottela

Definetly affects other countries as well. In press conference they said that there are over billion similar chips in use around the world. So Estonian 750k is drop in the bucket.

Probably something to do with key generation on chips.

lbcSeptember 6, 2017 5:57 AM

in my country (UK), people go to the polling station and vote without even showing an ID...

yes, my country is a total joke.

Clive RobinsonSeptember 6, 2017 7:34 AM

@ ab praeceptis,

Frankly, I think you are way too mild.

When you get to my size people demand you be "genial" otherwise they tend to make the point with pitchforks ;-)

More seriously though as I've said in the past "Representational Democracy is not democracy", people get brainwashed into thinking this when young be it by "civics classes" or "religious studies" where morals are deliberately confounded with politicians or deities for the purpose of gulling people. Or more politely propaganda for gain.

Winston Churchill made a comment about democracy is the worst form of government except for all the others that have been tried. And it's clear the US Founding Fathers really did not want it either, believing instead on a "benevolent oligarchy of land owners" held in check by the constitution etc.

But what they saw was not democracy but representational democracy where individuals give away their responsabilities to others and thus give up their rights and freedoms.

The argument has always been that there are to many people to make real democracy work. Thus they take away the right to vote on substantive issues and in return you get the joke of voting for a monkey in a suit, where the monkey has been bred, trained and selected by those with money and power.

The fact that few see a problem with this supprises me more than the majority can imagine.

Douglas Adams had a joke about a planet with a very ancient democracy ruled by lizzards. When asked why the people voted for the lizzards the reply was "Because if they didn't vote for a lizard, the wrong lizard might get in".[1]

Especially with a two party system like the US of A has people only have the illusion of choice, simply because finding a couple of billion dollars to fight a political campaign means in most cases the candidates are bought and payed for. Other countries such as the UK put a cap on campaign spending but there are a lot of waus it can be fiddled (as some of the current encumbrants have demonstrated).

There is another old joke about "I would not join any club that would have me". The point being is power attracts those who realy should not be alowed anywhere near it. Thus by and large politicians are at best sociopaths who care not a jot for others except as a means to an end.

All of which kind of points out why the voting process of representational democracy is a "con job" as my earlier quote from Stalin points out.

[1] https://www.goodreads.com/quotes/162557-it-comes-from-a-very-ancient-democracy-you-see-you

DaveSeptember 6, 2017 9:59 AM

For all the people pointing out that "now the bad guys can do X", since the reports contain zero information on the vulnerability or what its effect is, we can't really say anything. For all we know it could be that the plastic in the card is toxic to pets and you shouldn't let your dog chew on it.

ThomasSeptember 6, 2017 3:23 PM

@lbc

> in my country (UK), people go to the polling station and vote without even showing an ID...

> yes, my country is a total joke.

I prefer a system vulnerable to retail voter-fraud requiring a physical presence to one vulnerable to wholesale voter-fraud over the Internet.

B. D. JohnsonSeptember 6, 2017 10:33 PM

@matteo: It's also possible to do it safely and securely. It just involves people pulling their heads out of their asses when it comes to technology.

ab praeceptisSeptember 7, 2017 9:15 AM

TM

Granted, I picked a shocking and extreme case. But still, such "misunderstandings" shouldn't be even remotely possible.

"There was no evidence of malice or actual fraud however." - Sorry, no. While it's true that, as humans are involved, errors happen there are clear tendencies; the "mishaps" are *not* random. In the us of a, for instance, the tendency was clearly favouring clinton, in austria the tendency was clearly favouring the green candidate and there is something else, both have in common: those elections were not under the guideline "pick one from many" but rather "xyz *must* be avoided!", xyz being the austrian "extreme right" candidate and acroos the ocean it was trump.

There are also plenty of (usually ignored by the msm) cases where anti system parties/candidates were defrauded and/or where local administrations, usually tightly interwoven with one or the other party, acted criminally.

Probably the most visible evidence is wrt us-american electronic/digital voting machines. Although there were many cases and plenty evidence, btw. also of conflicts of interest and of financial links ... next to nothing was ever done. This, let's be clear, is only possible, because the "system", or as we might call it today, the washington swamp, did and does *not want* fair and unbiased elections.

AndersSeptember 7, 2017 2:48 PM

And Estonian National Electoral Committee already decided that the threat is too theoretical, possible only in lab envirinment and so the e-elections is a GO!

For Estonia the image is everything. Who cares if handful of ID are faked, more important is that the rest of the world still considers Estonia as a leading IT country!

TMSeptember 8, 2017 2:41 AM

ab praeceptis. "the "mishaps" are *not* random. In the us of a, for instance, the tendency was clearly favouring clinton, in austria the tendency was clearly favouring the green candidate"

I'll call this out as a blatant lie. There is no evidence for your claim whatsoever. In the Linz case you brought up, the outcome in Linz was exactly the same as in Vienna and other cities, 60% for the Green candidate, while rural areas came out with similar majorities for the candidate of the Right. The overall outcome was very close. Close elections happen. Fortunately, in the repeat election, Austrians gave a clear majority to the Green and nobody doubts his legitimacy any more.

You make a strange claim about the elections being under a "guideline". I can only guess what you are hinting at: some sinister conspiracy tipping the scales against right wing candidates. You are pretty close to fascist-style conspiracy mongering and it shows that you have no clue whatsoever what you are talking about. In Austria, the Right has received the wholehearted support of the country's most influential media conglomerate, the Kronenzeitung, who has been supporting the Right for decades. Likewise, In the UK, Rupert Murdoch's media empire has been supporting the Right in elections for decades, and helped tip the scales for Brexit. In the US, ditto for Fox News, which has supported Trump without reserve (whereas CNN and MSNBC hired Trump surrogates).

Your style of propaganda is pretty transparent: When your preferred rightwing extremist loses the election, it's because of fraud. You are just a sore loser.

TMSeptember 8, 2017 2:47 AM

Re election manipulation:

https://www.nytimes.com/2017/09/07/us/politics/russia-facebook-twitter-election.html

"Sometimes an international offensive begins with a few shots that draw little notice. So it was last year when Melvin Redick of Harrisburg, Pa., a friendly-looking American with a backward baseball cap and a young daughter, posted on Facebook a link to a brand-new website.

“These guys show hidden truth about Hillary Clinton, George Soros and other leaders of the US,” he wrote on June 8, 2016. “Visit #DCLeaks website. It’s really interesting!”

Mr. Redick turned out to be a remarkably elusive character. No Melvin Redick appears in Pennsylvania records, and his photos seem to be borrowed from an unsuspecting Brazilian. But this fictional concoction has earned a small spot in history: The Redick posts that morning were among the first public signs of an unprecedented foreign intervention in American democracy."

ab praeceptisSeptember 8, 2017 6:34 AM

TM

Funny. So the austrian court ordered to repeat the election just for the fun of it?

There *is* evidence and quite some of it. That's why the court ordered as it did.

As for "propaganda" and "sinister conspiracy":

For start, I have no interests in austria or in the us of a. I live in neither. So I can not be a "sour loser" nor can I have a "favourite candidate".

And "guideline" was meant as in "pretty much all the major media - incl. state TV - pushing "Do not vote for XYZ! XYZ must not win! We now must be united to fend off XYZ!". Very similar game in france against Le Pen, in germany against AfD, to name but two more examples.
Arbitrarily marking XYZ as "far right" or even "extreme right" with plenty of "nazi" allusions is just part of the game. Yesteryear XYZ would have been branded "extreme communist".

That does not mean that the right doesn't cheat. It just so happened that it was the "left" (not really. The correct term would be "the incumbent system players" which in europe typically doesn't mean 1 party but multiple parties) which had way more means to do so and in some cases even the publicly hinted readiness.

TMSeptember 8, 2017 9:24 AM

ab praec: I've already explained why the Austrian court ruled that way. If you don't believe me, read the judgment. There was no evidence of wrong-doing, period.

Your claim that "pretty much all the major media" in Austria supported the Green candidate is false. The most influential newspaper supported the Right. I won't repeat myself a third time. If you have no clue about Austria, please go ahead and inform yourself before spreading nonsense. If you are a lying liar, expect to be called out.

Re election cheating: in the US, a handful of illegal voters have been identified and surprise surprise, they voted for Trump (ex. http://www.huffingtonpost.com/entry/north-carolina-voter-fraud_us_5901f0f6e4b081a5c0fb4a1c; there even was a noncitizen immigrant Trump fan voting illegally).

In the Swiss state of Wallis, a right-winger of the FPÖ/FN/AfD mold claimed voter fraud after he lost an election. It turned out there had been fraud, but from his own side. (https://www.srf.ch/news/regional/bern-freiburg-wallis/verhafteter-mann-ist-ein-mitglied-der-svp) In this case, citizens reported the fraud when they discovered that somebody had already voted in their names. That btw is what you'd expect to happen in cases of voter impersonation - it will almost always be discovered.

Please kindly spare us further rants about issues you are ignorant about.

ab praeceptisSeptember 8, 2017 10:11 AM

TM

Yes, please do elaborate about the austrian court case. Certainly that high court did *not* find the complete absence of fraud but, just for the fun of it, ordered the elections to be repeated anyway.

According to official statements a) there *were* cases of improperly handling the elections and b) after the normal elections the green candidate had lost and then surprisingly won based on the mailed votes - which according to official statements of the austrian authorities were handled incorrectly. It is also worthwhile to do some math and to see that even in the second round the green candidate could only win if an absurd and unrealistic part of the voters voted for him.

And, what a surprising coincidence, voting by mail "problems" now again rear their ugly head, this time in the upcoming german elections.
Have a look at "votebudy" who say plainly and openly that they were created expressly for the purpose of handing legal votes to people who are not entitled to vote. They even go so far as to clearly state that what they are doing being illegal they operate out of another country.
The criminal mechanism is laid down publicly: A legal voter fills in the necessary papers and signs them and then hands the ballot to the *illegal, not entitled* person.

It just so happens that the "evil right" party AfD would be the main victim. I would, however, bring that issue to attention just the same if the left party were the main victim, as my point isn't left or right but correct and trustworthy elections.

(also to the attention of @Moderator)

Please, note that the rules here ask for civilized discussion. You calling me repeatedly a liar is *not* civilized nor "in good faith".

If you are not capable to have a civilized discussion you should stay away from it.

ModeratorSeptember 8, 2017 10:32 AM

@TM, please refrain from name-calling and personally insulting those with whom you disagree.

JamesMSeptember 8, 2017 1:06 PM

Can someone think of another time where a security problem was bad enough that they have had to shut down a public key server?

Clive RobinsonSeptember 8, 2017 1:55 PM

@ JamesM,

Can someone think of another time where a security problem was bad enough that they have had to shut down a public key server?
Only when the server it's self had been attacked in some way.

I know that the key generator on another National ID / multi card had had issues (I think it was Malaysia, as I mentioned above, but can not find a link to an article). But I do not remember them taking a PK server or anyother related infrastructure server.

Dirk PraetSeptember 8, 2017 2:16 PM

@ Moderator

@TM, please refrain from name-calling and personally insulting those with whom you disagree.

However deplorable the outburst of @TM, I can easily see how people at some point lose their temper over the irritating and often equally insulting tone of a commenter who even in his very moniker can't hide his authoritarian disposition.

There have recently been some off-line communications between several long-time commenters in good standing, all of whom deeply regret the way this forum is going down the drain. The signal to noise ratio is horrible and it has become nearly impossible - especially for newcomers - to weed through the huge amounts of felgerkarb posted by idiots, (paid) trolls and sockpuppets, several of whom previously banned commenters back with a vengeance. One person (or entity) with a very recognizable style is even mass-posting under no less than four different aliases.

Suffice it to say that one commenter is no longer feeling comfortable posting here, another one for all practical purposes has moved to other fora and two more just hang around for old times sake.

The open nature of this blog is more and more becoming its undoing. And which is why we would once again urge you and our host to adopt a different form of moderation like for example on Hacker News or lobste.rs . This is not Slashdot or 4Chan. It's Schneier on Technology.

RazzikSeptember 9, 2017 6:54 AM

It is possible to calculate private key from the public key.

If this is true then this may not be risk to election, depends on how much compute time to crack single key. Finding private keys of 750,000 may be infeasible to do in time for this vote.

Clive RobinsonSeptember 9, 2017 8:37 AM

@ Razzik,

It is true, due to the defects in the way the card generates the primes.

In essence you take a few cards where you know both the public
and private keys and simply get the primes. You then see if there is correlation between the primes.

If there is you can use this as a "predictive tool" to guess at other primes and by a relatively simple process check if the guesses are in the public keys you can find in effect by just collecting them via an online or commercial transaction etc.

Any you find you will then use to refine your predictive tool.

It's the sort of "industrial process" activity SigInt agencies would routinely do.

Similar has been done in the academic community with "embedded systems" such as routers that generate public key certs at startup/installation.

TMSeptember 11, 2017 3:00 AM

ab praec is making false factual claims about the Austrian election, claiming fraud without any evidence. He has also claimed fraud on behalf of Hillary Clinton, again without any evidence. These false claims are part of a well-known right-wing propaganda campaign to systematically undermine confidence in liberal democracy.

I have provided evidence contradicting ap prac's claims (and I could provide plenty more, e.g. https://arxiv.org/abs/1609.00506, but that is beside the point since ab praec is immune to facts). He has chosen to repeat demonstrably false claims, always without providing evidence. So Moderator if spreading falsehoods is acceptable in this forum but calling them out is not, then count me out. It's your forum that is being degraded (note that ab praec's tirade was off-topic from the beginning). It's your decision.

Teemu TukiainenSeptember 11, 2017 8:59 AM

@Markus Ottela,

Where it comes to Finnish National ID Cards and to the issue you reported, I can confirm that these are _not_ related to each other. As stated in Population Register Centre's press release, Finnish National ID Cards do not suffer from the vulnerability which was found from the Estonian ID cards.

RatioSeptember 12, 2017 6:36 AM

@Dirk Praet,

The signal to noise ratio is horrible and it has become nearly impossible - especially for newcomers - to weed through the huge amounts of felgerkarb posted by idiots, (paid) trolls and sockpuppets, several of whom previously banned commenters back with a vengeance.

So I just met Mr. Pragma. Sounds like anybody you know?

(I can't be the first to notice this!)

And then there's this bystander whose comment accidentally led me to Mr. Pragma: quick to defend him and eager to applaud his foul mouth. Coincidence?

I think I'll take a break from this …

WaelSeptember 12, 2017 7:56 AM

@Ratio, @Dirk Praet,

I can't be the first to notice this!

You're not. Either they broke out of the same asylum or they are one and the same. The funny thing is it miss-spelled the translation. Cockroaches, my friend, either get squashed or they crawl back to the commode they slinked out from ;)

And once in a while, the owners of the house notice them and quickly flush them down a squat toilet. Until whichever event happens first, do ignore them.

ab praeceptisSeptember 12, 2017 8:26 AM

Ratio, Wael

OK, let's look at that hypothesis.

That was 2014. Now is 2017. One might translate that to "He got jailed for 2 years". In fact, one might also note that, according to your own reporting, he seems to have *accepted* the "sentence" and didn't try to play games with multiple nicks. Seems quite OK to me; we all know people who play with diverse nicks, use vpns to hide themselves behind diverse IPs etc etc. He did not do that. He accepted his ban and stayed away.

Speaking of "vpn". It would be an interesting question whether, if your hypothesis is correct and he did come back, he used his plain and simple dsl IP or whether he used a vpn to play hide and seek games.
In case you mean myself I can provide that information: I use a plain and simple dsl IP and I'm sure that our host can see that.

And finally and most importantly: The decisive question is whether anyone here stays within the rules. Being a human I probably sometimes fail, but I try hard and I think I succeed pretty well.

Finally I'd like to note that I peacefully, friendly, and in good faith stretched out my hand to everyone who seemed to be unhappy about me. Unfortunately the members of a rather noisy and acting behind the scenes group didn't take my hand.
Also kindly note that not only did I largely leave you alone but I did, in fact, publically agree with you in cases were I thought you are right.

I'm interested in the matters we discuss here and in understanding and getting closer to security, not in people, let alone in personal fights. My hand was and still is stretched out to anyone and the frame to which I intend to stick is that provided by our host.

Btw, re "trolls": I have never, not at any point in time used multiple names.

ModeratorSeptember 12, 2017 8:48 AM

@TM, thank you for your longtime participation here and thoughtful contributions. I am not in a position to judge the accuracy of assertions made about European elections. References to the Austrian election originally seemed relevant in a discussion of election security, so I did not delete them. The evidence you provided will help readers make up their own minds. With yesterday's post, I sought to offer a mild and equitable reminder of forum rules. I have also deleted further posts on the subject, in order to put an end to a contentious, unproductive conversation, including removing one whose author appeared to be spoofing your handle, and that linked to a site well known for broadcasting inaccurate, conspiracist interpretations of current events. So, I hope you won't count yourself out of future discussions, and welcome you to continue calling out falsehoods where you see them.

Dirk PraetSeptember 12, 2017 9:34 AM

@ Ratio

I can't be the first to notice this!

I feel you. Unfortunately, I cannot break colloque singulier protocol and - at least for now - will refrain from any further comments on the issue.

ModeratorSeptember 12, 2017 10:05 AM

@Dirk, @Wael, @Ratio: Bruce and I share your concern about the health of this blog's comments section. Thank you for calling attention to banned visitors who might have returned under a new name, but with a similar voice. Identifying commenters who are "paid" is somewhat beyond our investigative capabilities. Unfortunately, when rooting out sockpuppets and recidivists, we often run into the attribution problem. Analyzing IPs can help, but has its limits; many people use Tor, so their IP may be different from one session to the next. Your institutional memory is helpful here, as are your comments calling attention to problematic visitors. The comments section here generates more verbiage than can be reasonably tracked in real time by one person (me) working very part-time, or by Bruce, who reads and responds to comments when he can.

@ab praeceptis, those to whom you allude as a "noisy and acting behind the scenes group" are longtime, constructive contributors to discussions here. They are free to communicate with each other privately, and to note their observations publicly. I deleted two of your posts yesterday: one addressed to TM that was the verbal equivalent of pounding on the table to reiterate a point already made in a contentious discussion that deserved to end; the second one included wholesale disparagement of "most western countries" that would certainly have led to another conflagration.

ab praeceptisSeptember 12, 2017 10:06 AM

Dirk Praet

"Het colloque singulier is de zwijgplicht die van kracht is nadat men door de Koning der Belgen in audiëntie is ontvangen. Dit geldt niet alleen voor politici en ministers van Staat, maar voor iedere burger die ontvangen wordt in audiëntie door de vorst of vorstin."

[The colloque singular is the duty of confidentiality in force after one was received in audience by the King of the Belgium. This applies not only to politicians and ministers of state, but to every citizen received in audience by the king or queen.]

Someone here is an object of interest to the king and you know that after an audience at the king? Impressive!

From what I know one of the kings highest priorities is peace in the country and constructive collaboration. Witchhunts and conspiracies don't serve that, stretched out hands do - as does taking them and acting in good faith.

Let us please the king by acting constructively and in good faith.

ab praeceptisSeptember 12, 2017 10:32 AM

Moderator

Of course, they are (free to ...). But conspiring against another user and typically hunting and attacking another user personally rather than topically doesn't exactly help to have a peaceful and constructive dialogue.

I don't care for myself. I'm acting in good faith, I try hard to stick to the rules and to be always polite. I don't use other names, I don't troll (at least not intentionally or knowingly), I (intentionally) don't use a vpn or tor but a normal end user DSL IP (easy to check), I don't run sock puppet conversation series, and I usually stick to matters of security.

"I deleted two of your posts yesterday: one addressed to TM that was the verbal equivalent of pounding on the table to reiterate a point already made in a contentious discussion"

which is exactly what TM did, too, yet you saw no problem there. That comes down to you tolerating that someone repeatedly calls me a liar and to not tolerating when I point to verifiable and objective facts.
Well, you are the moderator and so "right" and "wrong" here are whatever you decide they are and I respect that. But to be utterly unfair and to then add to that admonishing me publicly is a bit too much, pardon me.

It was btw not me who brought that matter up again. For me the case was closed. It was TM who started it up again, yet I'm painted and treated as the evil guy when I respond politely to a personal attack while others who contribute, pardon me being frank, quite little in terms of beef wrt security, get a private audience at the king.

I don't know what triggered you, what made you think that I'm writing under diverse names or that I'm a paid troll or whatever but I certainly feel a strong bias against me, no matter how hard I try to play by the rules and to actually contribute to the topic of security.

ModeratorSeptember 12, 2017 11:27 AM

@ab praeceptis, others may suspect that you are writing under diverse names, and using a variety of IPs, but I am not persuaded. Neither do I assume that you are paid to post, or that you have been previously banned, then returned under a new name. Trolls (paid or no), and people who post under multiple names to deceptively amplify their own message or bypass a ban, are problems that we must frequently address -- including this weekend, when I had to ban another poster whose IP turned out to be the same as that of a previous argumentative visitor. Although @Dirk, @Wael and @Ratio were responding to your exchange with and my comment addressed to @TM, my reply was not all about you, it was a general statement. Re your interchange yesterday with TM: It deserved to end. Your contributions remain intact. You both made your points, and it was clear that no good would come of further discussion. If TM had continued to argue his positions, I would have deleted that, too.

ab praeceptisSeptember 12, 2017 11:44 AM

Moderator

Thank you for that clarifying statement. It means something to me.

You see, I am actually working in the field. I'm very really and very seriously concerned about the state of security and I'm concretely working to contribute my small share to enhance the sad state of security.

And that's also my reason to be here. I sincerely hope to "wake up" some colleagues and to generally contribute to a better and more wide spread understanding of the many, many serious problems we have.

This *necessarily* touches politics, too. After all, some of the very major players are state players or parties close to the states.

Maybe the reason for some suspicion (e.g. "payed troll") arises from the fact that I often defend Russia. Let me assure you that I'm not payed, ordered, or otherwise stimulated by any government. I do that simply based on my sense for justice and because there are so many attacks against Russia, many of which are obviously not tenable, let alone proven but are repeated over and over. I would do the same if it happened to be france, the us of a, or China who got unfairly attacked again and again.

Again, thank you for your statement. Whoever wins by infighting here, it will not be us. So, once more and clearly: I have no animosity (beyond an angry moment) against anyone here and my hand remains open for a friendly shake with anyone here. If we want to enhance the security situation the more of work towards the common goal, the better!

Dirk PraetSeptember 12, 2017 11:50 AM

@ ab praeceptis

Someone here is an object of interest to the king ...

There are much bigger problems on this forum than just one commenter not everybody is seeing eye to eye with. Like @Moderator said, not everything is about you.

AndersSeptember 12, 2017 11:53 AM

It's funny how they started the "damage control".

So the whole thing is that we have now powerful computers enough to break the cryptoalgorithm on the card? Strange that only Estonian ID card is using that "specific" cryptoalgorithm that is now beakable and rest of the world is not only using it, it doesn't even know about it?

What will be next? How much dust will they stir up to protect their image?

https://www.forbes.com/sites/kalevleetaru/2017/09/11/estonias-id-card-and-the-march-of-cryptography/

WaelSeptember 12, 2017 12:12 PM

@ab praeceptis,

This is the last post I address to you. I'll try to make it as short and succint as possible to bring things to a closure.

I'm interested in the matters we discuss here and in understanding and getting closer to security, not in people, let alone in personal fights. My hand was and still is stretched out to anyone and the frame to which I intend to stick is that provided by our host.

You haven't been playing "by the rules". I can give you all the links that you called me and others names. Remember this one, that the moderator deleted? I vividly remember what you said to @Ratio.

From day one, you came with a baggage and felt that everyone is ganging up aginst you - which wasn't the case. Yet, you still called me names later (means nothing to me, really.) Therefore I ignored you after this reply

Then you really pushed with this one and other posts in the same thread! I'm not going to spend the time and collect all of the insults and name-calling you used in the past.

I ignored you not becuase I am not capable of replying in kind, but becuase I don't like that sort of disucssion. No one on this blog cares who's right and who's wrong. They look at the discussion and make up thier own minds, if they happen to follow a certain thread. And I am using my real name as opposed to your alias which is not conected to a real world identity. It's not very courageous to attack someone with a real name while you hide behind an alias, right? You want to show some real courage, then use your real identity - I really couldn't be bothered to care who you really are. That, or behave.

Lastly, you shouldn't reasonably expect to repeatidly insult someone personally, then go back and chat with them, then wonder why they won't give you the time of day. Right?

Still, don't take it personally. There are those that like discussing things with you and appreciate your contributions. I'm just not one of them. So one or two people out of many should be acceptable. I think I owe you this so I clarify why I will continue to ignore you (and to spare readers from further rants.)

Whether you're a sockpuppet or not is not the issue -- I had two or three sockpuppets of my own, but they were really "known", and they are gone now. It's the attitude you adopt in discussions. As usual, feel free to have the last word. Just think twice before you give me your "standard reply". Either way, I won't respond.

Best wishes.

ab praeceptisSeptember 12, 2017 12:35 PM

@Dirk Praet

I don't think that I wrote that that person of interest is me. But anyway: I'm pleased to see that you and me are largely in agreement on this.


@Wael

a) I never played with sock puppets or diverse names. One reason being that I strongly dislike such games.
b) not everyone is at liberty to write using his real name (e.g. due to sensitivities in an organization). But I can assure you that at least, I never act under more than 1 nick during a time period. Concrete: since ab praeceptis wrote his first post here I have never, no exceptions whatsoever, used another name.
c) I largely agree with you simply ignoring me. I can offer to largely do the same except in occasional technical matters.
d) Maybe we simply have a rather different understanding of "insult", "polite", etc. I can assure you, however, that I have no interest (nor do I find it in my personality) to insult, belittle, or personally attack you - or anyone else for that matter.
d 2) I freely confess that I tend to be rather direct which probably some take as affront or even insult. I have no problem, however, to apologize if someone simply tells me what he perceived as an aggression in a way that I am able to understand and can find credible.

To follow words by deeds: I hereby - and honestly - apologize to users who feel that I have attacked them. Attacking anyone here was and is not my intention. Just like you I rather tend to simply ignore.

AndersSeptember 12, 2017 12:54 PM

ab praeceptis and Dirk Praet,

Exchange your contacts with each other in and go and argue in private.
I'm tired with your arguing here, this is about Estonian ID card
vulnerability not the place constantly arguing who is sock puppeting who.

Is it clear?

TMSeptember 13, 2017 3:00 AM

ab praec and everybody else: Just a suggestion. If you wish to contribute to a respectful and constructive atmosphere, make it clear that you are arguing in good faith. Repeating the same claim several times after counter-evidence has been offered does not make that impression. At least show that you have considered the arguments of the other side. If you are only superficially familiar with a topic, don't make sweeping claims about it. And even if you are familiar with a topic, don't make sweeping claims if you can't prove them and always distinguish between speculation and fact.

Respectfully
TM

ab praeceptisSeptember 13, 2017 11:35 AM

@all interested

First a compilation of the reasonably credible facts spread all over the place and diverse publications, some of them official (e.g. ee police):

- cards with old chips (pre oct. 2014) are safe
- since oct. 2014 a new (credibly said to be faster) chip had been used. It is those new cards we are talking about.
- the problem is described as "the keys can be breached"
- the problem is described as one of the "identity theft" class
- the situation is described as not (yet?) disastrous and as only potentially dangerous
- it is stated that an attack would need a very resourceful Eve to succeed
- the worst disaster scenario I found mentioned is "the Russians meddling with upcoming elections"
- the above can highly likely be understood as "only a major state player would have the resources needed to make use of the vulnerability"
- there are no more detailed informations of a more technical nature available to the public
- the problem was discovered by, so it seems, Czech university security researchers using a "new algorithm" and seemingly supported by gemalto (the chip? card? manufacturer).
- Some infineon chip is mentioned which may or may not be the "new chip" used since oct 2014
- the PK algorithm seems to be rsa (of unknown size?)

Thoughts:

- the security reduction of rsa is that (sufficiently large number) factorization is supposed to be NP hard or quite close to NP hard.
- We can reasonably presume that this case isn't factorization related. If it were the ee id card problem would hardly be a drop in disaster ocean. Moreover it is extremely unlikely that a certain chip would be a necessary ingredient.
=> One can almost certainly *not* somehow derive the private key from the public key (as is suggested in some articles)

- there are in principle two ways to generate the keys, namely "burners" (centrally generated key pairs are "burned" into the cards) and self generators (which, based on some trigger/seed/... generate a key pair)
- there are strong reasons to presume that in this case it's self generators.
- one very strong clue is the problem being related to the "new chip".
- there is concrete fear that a very resourceful Eve can get at a considerably high number of private keys
=> it seems highly likely that the problem is somehow Xprng related.

In particular the last point provides interesting pointers. Consider: Besides ominous magic ways there is only one way to get at a large number of private keys, namely by just relatively few keys successfully discovered having access to all or at least a very large number of them within a practically reasonable amount of compute time.
The fear mentioned by (half political, half practical) sources of "Russia meddling in the upcoming elections" clearly hints at a systemic vulnerability (as opposed to crack one, then the next one, then ... aso).
In other words: it seems very highly likely that the problem comes down to a very significantly reduced candidate space due to some algorithmic (or implementation?) weakness.

My current *preliminary* resumé or "educated guess":

The available information (as well as crypto mechanisms) strongly suggest that the private keys aren't "cracked" but rather found by creating a large number of key pairs and such having both private and public key (the public ones then being compared to the cards).

With rsa 1k the number of primes of adequate size is in the range of about 2^100 iirc (or was it 2^140? I sometimes calculated it and wrote it on this blog). Whatever the exact number and assuming that the ee id cards almost certainly use at least rsa 1.5k (and probably rather 2k or higher) it is currently computationally not feasible to try a "dumb run" against that vast candidate space.
We should hence assume that some weakness in the random generation of the "new chip" *very considerably* trims that number down so as to become computationally feasible for "Russian election meddling", which to be any relevant would need Eve to get at least at some hundred thousand private keys.

And indeed there are studies that show that ssl libraries have "preferences" or bias wrt (probable) primes/rsa up to the point that just relatively few samples are sufficient to know which library was (very highly likely) used to generate a rsa key pair.

Unfortunately, there is not enough information of a technical nature available to get much closer to the likely problem. The likely candidates, however, appear to be either poor seeding or poor random generation in the "new chip" (my guess is poor rng as otherwise there would be other problems known, e.g. collisions).

Such, for a very resourceful Eve, in particular state players (-> e.g. border control) it would be within the practically feasible space to collect both a sample pool of sufficient size and some card samples to hw analyze to first get at the prng sequence and to then create a well computable - and storable - set of all rsa key pairs with which it would be trivial to have the private keys of a significant part of the ee population.
Note: Keep in mind that those chips have rather limited resources (which highly likely translates i.a. to relatively short periods - and - the fact that only a quite small part of those , say, 2^64 random numbers are probable primes).

Side note: While I generally strongly object to the common "evil Russia!" meme, in this case it seems theoretically reasonable for estonia to assume Russia being a likely Eve and moreover that in itself provides clues considering that, as is plenty mentioned, other countries use the same "new chip", seem, however, to be far less concerned. That makes sense when considering that a by far larger part of the estonian population crosses russian borders - which provides russian authorities physical access to their documents - than, say spanians or canadians. [Warning: This might be false as it is based on the possibly wrong assumption that estonians can and do pass the russian border using their id card].

KSeptember 14, 2017 5:10 AM

@ab praeceptis

Thanks for the analysis. Was an interesting read.

AFAIK, the keys (one pair for auth, another for digital signing) are 2048 bit rsa and are indeed generated on the card (to those wondering, priv keys never exactly 'travel' anywhere from the card in that case). At least that's the idea.

The current plan seems to be to come up with a solution that would allow people to update (fix) their cards from home. The idea as such has been used before (sha1->sha2, replacing some faulty certs etc). So far it seems that the informed parties are confident about being able to pull this off, as for the issue at hand. Obviously, the trick lies in how to make 750 k people update their cards but it is likely that the faulty cards will just be disabled at some point.

In fact, even doing so may not have the desired effect (as for updating). There are many who use 'mobile-id' (English intro) instead. All one needs is a phone and a special SIM (with certs) (+ a monthly fee of about 1€). And yes, it is more secure than it sounds at first.

KSeptember 14, 2017 5:16 AM

I forgot to mention that the update is obviously a great deal more difficult this time. Not just something they can enable. New code being developed. The press releases hint at bypassing the defect in the chip. Who knows what it really means though...

ab praeceptisSeptember 14, 2017 9:26 AM

K

I forgot to mention that the update is obviously a great deal more difficult this time. Not just something they can enable. New code being developed. The press releases hint at bypassing the defect in the chip. Who knows what it really means though...

Oh, I understand them; they are in a rather ugly position. From what I see what the update is is obvious (if I'm about right with my hypothesis): the Xrng. But that will be plagued by mainly 2 problems:

a) There aren't that many algorithms with the needed properties. Plus, in those devices (highly application specialized, massively produced) resources are very scarce. Even a few functions and some state space can be hard to fit in. And note that that would not be a replacement (replacing some prng code with some other code) but rather squeezing some new code in (which until now was largely done in hw, hence all the talk about the "new chip").
Add to that the necessity to properly verify the new version (incl. sw/hw interaction, em, and other furry beasts which can get quite tricky).
And again, for a new Xrng there aren't exactly many algorithms available that can cope with the tight constraints and have all the needed properties. Keep in mind that on those cards there is often less ram than we have in our caches on a smartphone.

b) chain and chain length. Until now their world was simple. Some police transporter brought batches of the cards and that was about it. Now, however, with the update they will be confronted with an longer chain, in fact even multiple ones.
The update is kind of the crown jewels. They must make sure that it isn't tampered with. They must provide it, so servers and networking will be involved; that opens a very, very ugly can of worms. The whole process - down to getting the update onto the card - must be Jane and John compatible. At the same time the update pretty much is source code to a resourceful Eve, and Eve *will* get it; that's all but guaranteed by the servers/network problem. And, of course, it would be extremely desirable to verify the update using the card itself; that, however, might turn out to be problematic with Eve supposedly having her finger in it already.

To end constructively: If I were tasked with that I'd go a compromise route. I'd do the update distribution through a at least somewhat controlled chain, namely the police. I'd give them a specifically designed small (system) box for each police station (a couple of hundred I guess; estland isn't exactly large) with which I would do the update of the id cards. Plus, of course, a strict procedere like "there must at any point in time be no less than 3 cops in the room and no more than 5 which have to each sign the 'batches' done during their presence", etc.
That way I'd avoid multiple very ugly and frankly, not really controllable problems like the server/network problem and at the same time the citizens would have an acceptably easy route too; all they needed to do was to go to a police station within, say, 2 weeks (plus, of course some mobile units for hospitals, the elderly, etc).

Final remark: From what I see the real cause of the whole mess is quite probably that some half-politician/half-bureaucrats were involved, that "good relations" and "trust"(blabla) played a role, and other factors like that.
Long story short: You f*cking do *not* change algorithms in flight, no matter how nicely faster or whatever it promises to be.
Lesson 2 (sorry, estonians, but that's what I seem to see, too) With long-term projects you do not stop thinking, once you got the problem per se solved, but you also think about/prepare for desaster scenarios. That they think *now* about how to do and roll out an update is a confession of having been unprofessional in the first place.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.