Weaknesses in BankID, a PKI-Substitute Deployed by Norwegian Banks
- 712 Downloads
BankID is a PKI-substitute widely deployed by Norwegian banks to provide digital signatures and identification on the internet. We have performed a reverse-engineering of part of the BankID system and analysed the security protocols and the implementation of certain cryptographic primitives. We have found cryptographic weaknesses that may indicate security problems, protocol flaws facilitating man-in-the-middle attacks, and implementation errors facilitating strong insider attacks. We also note that the system suffers from severe privacy problems.
KeywordsSmart Card Impersonation Attack Attack Model Internet Banking Security Goal
Unable to display preview. Download preview PDF.
- 1.Directive 1999/93/EC of the European parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures. Official Journal of the European Communities, L13, 43, 12–20 (2000)Google Scholar
- 2.Cremers, C.J.F.: Scyther - Semantics and Verification of Security Protocols. Ph.D. dissertation, Eindhoven University of Technology (2006)Google Scholar
- 3.Dierks, T., Rescorla, E.: The transport layer security (TLS) protocol version 1.1, RFC 4346 (April 2006)Google Scholar
- 4.Espelid, Y., Netland, L.-H., Klingsheim, A.N., Hole, K.J.: A proof of concept attack against Norwegian internet banking systems. In: Proc. of the 12th International Conference on Financial Cryptography and Data Security (FC 2008), Cozumel, Mexico, January 28-31,2008 (2008)Google Scholar
- 5.Espelid, Y., Netland, L.-H., Klingsheim, A.N., Hole, K.J.: Robbing banks with their own software—an exploit against Norwegian online banks, September 8-10 (2008); To be presented at the 23rd International Information Security Conference (SEC 2008), Milan, Italy (2008)Google Scholar
- 6.Gutmann, P.: Security usability, Draft (February 2008), http://www.cs.auckland.ac.nz/~pgut001/pubs/usability.pdf
- 7.Hole, K.J., Tjøstheim, T., Moen, V., Netland, L.-H., Espelid, Y., Klingsheim, A.N.: Next generation internet banking in Norway. Technical Report 371, Department of Informatics, University of Bergen (February 2008), http://www.nowires.org/Papers-PDF/BankIDevaluation.pdf
- 8.RSA Laboratories. PKCS #1: RSA cryptography standard, version 2.1 (June 2002)Google Scholar
- 9.Trygg bruk av BankID (in Norwegian) (Feburary 13, 2007), http://www.bankid.no/utskrift.db2?id=4062