Using the Estonian Electronic Identity Card for Authentication to a Machine

  • Danielle Morgan
  • Arnis Parsovs
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10674)

Abstract

The electronic chip of the Estonian ID card is widely used in Estonia to identify the cardholder to a machine. For example, the electronic ID card can be used to collect rewards in customer loyalty programs, authenticate to public printers and self-checkout machines in libraries, and even unlock doors and gain access to restricted areas. This paper studies the security aspects of using the Estonian ID card for this purpose. The paper shows that the way the ID card is currently being used provides little to no assurance to the terminal about the identity of the cardholder. To demonstrate this, an ID card emulator is built, which emulates the electronic chip of the Estonian ID card as much as possible and is able to successfully impersonate the real ID card to the terminals deployed in practice. The exact mechanisms used by the terminals to authenticate the ID card are studied and possible security improvements for the Estonian ID card are discussed.

Notes

Acknowledgements

We would like to thank Martin Paljak for his feedback and the technical support he provided for this study, and all the people who gave their feedback on this paper. This work was supported by the European Regional Development Fund through the Estonian Centre of Excellence in ICT Research (EXCITE) and the Estonian Doctoral School in Information and Communication Technologies.

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. Tallinn University of Technology, Tallinn, Estonia
  2. Software Technology and Applications Competence Center, Tartu, Estonia
  3. University of Tartu, Tartu, Estonia
