Formal Analysis of the Estonian Mobile-ID Protocol

  • Peeter Laud
  • Meelis Roos
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5838)


In this paper, we report the results of the formal analysis performed on the Estonian Mobile-ID protocol (deployed since 2008), allowing citizens and permanent residents of Estonia to authenticate themselves and issue digital signatures with the help of a signature-capable SIM-card inside their mobile phone. We analyze the resiliency of the protocol to network attacks under various threat models (compromised infrastructure, client application, etc., confusing user interface) and give suggestions for improvement.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Abadi, M., Blanchet, B.: Computer-Assisted Verification of a Protocol for Certified Email. In: Cousot, R. (ed.) SAS 2003. LNCS, vol. 2694, pp. 316–335. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  2. 2.
    Abadi, M., Blanchet, B., Fournet, C.: Just Fast Keying in the Pi Calculus. In: Schmidt, D. (ed.) ESOP 2004. LNCS, vol. 2986, pp. 340–354. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  3. 3.
    Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: 28th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), London, UK, January 2001, pp. 104–115 (2001)Google Scholar
  4. 4.
    AS Sertifitseerimiskeskus. DigiDocService specification, v. 2.122, April 24 (2007),
  5. 5.
    Backes, M., Hritcu, C., Maffei, M.: Automated Verification of Remote Electronic Voting Protocols in the Applied Pi-Calculus. In: 21st IEEE Computer Security Foundations Symposium, CSF 2008, Pittsburgh, Pennsylvania, June 2008, pp. 195–209 (2008)Google Scholar
  6. 6.
    Backes, M., Maffei, M., Unruh, D.: Zero-Knowledge in the Applied Pi-calculus and Automated Verification of the Direct Anonymous Attestation Protocol. In: 2008 IEEE Symposium on Security and Privacy, May 2008, pp. 202–215 (2008)Google Scholar
  7. 7.
    Blanchet, B.: An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. In: 14th IEEE Computer Security Foundations Workshop (CSFW-14), Cape Breton, Nova Scotia, Canada, June 2001, pp. 82–96 (2001)Google Scholar
  8. 8.
    Blanchet, B.: From Secrecy to Authenticity in Security Protocols. In: Hermenegildo, M.V., Puebla, G. (eds.) SAS 2002. LNCS, vol. 2477, pp. 342–359. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  9. 9.
    Blanchet, B., Chaudhuri, A.: Automated Formal Analysis of a Protocol for Secure File Sharing on Untrusted Storage. In: IEEE Symposium on Security and Privacy, Oakland, CA, May 2008, pp. 417–431 (2008)Google Scholar
  10. 10.
    Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol, Version 1.1. IETF Network Working Group, RFC 4346 (April 2006)Google Scholar
  11. 11.
    Dolev, D., Yao, A.C.: On the security of public key protocols. IEEE Transactions on Information Theory 29(2), 198–207 (1983)MathSciNetCrossRefMATHGoogle Scholar
  12. 12.
    Gajek, S., Manulis, M., Pereira, O., Sadeghi, A.-R., Schwenk, J.: Universally Composable Security Analysis of TLS. In: Baek, J., Bao, F., Chen, K., Lai, X. (eds.) ProvSec 2008. LNCS, vol. 5324, pp. 313–327. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  13. 13.
    Golovanov, S., Gostev, A., Maslennikov, D.: Kaspersky Security Bulletin 2008: Malware Evolution (January- June 2008),
  14. 14.
    Haack, C.: Verification of Security Protocols, ProVerif’s Resolution Method, lecture slides (March 2008),
  15. 15.
    idBlog. EMT Launches the Mobiil-ID Service, May 2 (2007),
  16. 16. Mobile-ID main page, November 20 (2008),
  17. 17.
    Kremer, S., Ryan, M.: Analysis of an Electronic Voting Protocol in the Applied Pi Calculus. In: Sagiv, M. (ed.) ESOP 2005. LNCS, vol. 3444, pp. 186–200. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  18. 18.
    Mao, W.: Modern Cryptography: Theory and Practice. Prentice Hall, Englewood Cliffs (2003)Google Scholar
  19. 19.
    Myers, M., Ankney, R., Malpani, A., Galperin, S., Adams, C.: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP. IETF Network Working Group, RFC 2560 (June 1999)Google Scholar
  20. 20.
    Šablinskas, R.: Summary of Mobile-ID launch in Lithuania. Minutes of the Baltic WPKI Forum Steering Committee, October 31 (2007),
  21. 21.
    Security Analysis of Mobile ID (Summary, in Estonian). Ordered by Department of State Information Systems, fulfilled by Jaak Tepandi, July 11 (2008),
  22. 22.
    Carst Tankink, Pim Vullers. Verification of the TLS Handshake protocol, May 20 (2008),

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Peeter Laud
    • 1
    • 2
  • Meelis Roos
    • 1
    • 2
  1. 1.Cybernetica ASEstonia
  2. 2.Institute of Computer ScienceTartu UniversityEstonia

Personalised recommendations