Key Factors in Coping with Large-Scale Security Vulnerabilities in the eID Field

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11032)


In 2017, the encryption vulnerability of a widespread chip led to major, nation-wide eID card incidents in several EU countries. In this paper, we investigate the Estonian case. We start with an analysis of the Estonian eID field in terms of stakeholders and their responsibilities. Then, we describe the incident management from the inside perspective of the crisis management team, covering the whole incident timeline (including issues in response, continuity and recovery). From this, we derive key factors in coping with large-scale security vulnerabilities in the eID field (public-private partnership, technical factors, crisis management, documentation); these factors are intended to encourage further research and systematization.


Keywords: e-identity, e-governance, e-services, IT security, crisis management, business continuity management



Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. Politsei, Tallinn, Estonia
  2. Large-Scale Systems Group, Tallinn University of Technology, Tallinn, Estonia
