> The flaws of the ID-card is a very politically charged topic to discuss in Estonia, having any doubts about the ID-card or e-voting will make you a persona non grata.
I somewhat disagree, the discussion tends to get bent by some populist agent provocateurs and some of the initial reactions from the private sector media. (In Estonia, the government media is the most centered out of all news outlets, go figure). What these statements usually are is that "ID card has a flaw X, therefore we should immediately ban it, close the R&D and burn it with fire", forgetting that crypto and computing in general, changes over time. My view is that, of course each flaw has to be resolved and sometimes this is political, but this just means the work has to continue.
"The jTOP SLE78-powered ID cards were issued until the end of 2018. ID cards manufactured currently are powered by the chip platform supplied by IDEMIA (not covered in this work)."
If my memory serves me right, there was an easy way to check if your ID card was affected and it got replaced for free. The flaws described in the paper are not known to exist in cards issued since the end of 2018, beginning of 2019.
Yeah, an "offline tester" [0] was made available by the researchers who discovered ROCA [1] and a company with "close links" to the researchers created a "ROCA Vulnerability Test Suite" [2]. The Estonian government also had one on their web site [3] but it is, apparently, no longer available.
ROCA didn't just affect Estonian ID cards, though. It also affected TPMs (from Infineon), certain Yubikeys [4], and even some PGP keys!
Yes, the Police and Border Guard has an online tool to check. They also supposedly contacted all the people with bad chips (my card was not vulnerable, so I can’t verify that).
Brave guy to publish this, hopefully it won't end up similar to the Dreyfus affair — depends on which the media will roll due to it being "pickled cucumber season" (everybody is on vacation, nothing much happening during summer in Estonia). The flaws of the ID-card is a very politically charged topic to discuss in Estonia, having any doubts about the ID-card or e-voting will make you a persona non grata.
Regarding your last point, I have a hard time seeing what you mean. The system is audited both internally and externally fairly regularly, the latest report being released just December last year [0]. There is also frequent news coverage, both supporting and criticizing the system [1][2]. One of the current government parties [3] is an active critic of the system. So it seems like a fair stretch to say that discussing or criticizing the system isn't common or somehow not welcome.
None of this is to say that the system doesn't have flaws, as every other IT system, it does. It is however publicly discussed as you would expect in a democracy.
He is a well-known researcher in Estonia, with his scope of work both known as well as appreciated (at least by the non-politicians). Of course some have the "too big to fail", thus "you don't talk about Vo..." attitude, but those want to turn technical argumentation into political "agreement" and it is hard to debate a 0 to become 1. You can't argue with computers, "let's agree this 0 is as good as 1, even better and greater!"
Having worked for the Estonian government for a bit, I'm not sure that it'll exactly make you a persona non grata but definitely you'll get a ton of pushback if you make any claims about e-ID and e-voting as people have very strong feelings about it.
In general, I had good experiences. There are a few annoying things, however: my Estonian bank (VUB) discriminates against non-Estonian customers (even if they are EU citizens/residents) by applying a foreigners fee. Also, the local business register seems to be above data protection laws and sells your information. I receive lots of spam just by being in the register. Also, if you think that because your company is private your financial statements will also be private, that won't be the case. They will still sell the information to anyone for a few euros.
Make sure to understand the tax laws when it comes to the company tax residency in scenarios where you're physically not operating in Estonia nor employing people there, nor having majority of your clients there.
See my older comment [1] for some related topics to research.
> In this paper, we describe several security flaws found in the ID card manufacturing process ..
Like accidentally on purpose, secure up to a point, but weak enough to allow the spooks to generate their own IDs. I mean if the cards were unhackable how would a spy do his job :]
As an American residing in Estonia, I’m not sure what the benefit of a state compromising the card crypto would be. There are four broad categories of uses for the ID cards:
1) Obviously, a government-issued photo ID
2) For an increasing number of shops, as your “frequent shopper” card, which admittedly is slightly related to...
3) Authentication, including: logging into your bank, government websites (the state portal, the tax authority, the “digital story” - all your medical records, the online booking website for booking some combination of surgeons/specialists that operate under the public healthcare system), the (one) online pharmacy that exists, etc.
4) Signing things. I’ve signed my lease with it (though “paperless” Estonia still wanted me to sign a paper version as well) and more routinely you have to “digitally sign” any bank transfers... which are the standard way to pay bills in Estonia, so you do it a lot. Finally, voting online.
I don’t see how broadly compromising the crypto would really benefit anyone for any of those things, it would have to be a more specific individual attack, like draining your bank accounts.
The spooks are the same government issuing the ID. They can just call up the department issuing the IDs and ask for a batch of new identities. No technical flaws necessary.
I know your comment was tongue in cheek but this has come up in the digital Id space before. All these things get bootstrapped off government sources and spooks have no problems because governments control those databases. You don’t need technical hacks if you control the systems of record.
So, an argument that I hear regularly is that having a mandatory centralised and cryptographic ID system really expedites certain ID-related tasks. Can anyone in Estonia comment on this? Within the US and U.K., there’s no mandatory ID, which I think is probably a good thing for civil liberties (no papers please, for instance), but also fosters certain industries such as credit reference agencies and has all sorts of weird side effects from bootstrapping things like SSNs and NI numbers into secrets. Are there companies like Jumio and Acuant in Estonia, or has the government rendered them pointless?
> I hear regularly is that having a mandatory centralised and cryptographic ID system really expedites certain ID-related tasks.
Paper signatures and fax are both considered obsolete, the latter is basically never used. Cheques? Never seen them. Logging into any high-value service is done using the eID. If you use local services there's rarely any need for any site specific passwords, password managers, U2F, FIDO(2), GPG or similar identity technology. There's no need to send a pic of yourself to verify your identity anywhere, zero shit like that.
You know how PayPal, Stripe or similar payment processors felt/feel really cool and fast? Yeah, we barely felt that because banklinks have fulfilled that use case for the majority for a really long time now.
There aren't any other examples on the top of my head right now, but they're really not the only things. By now, there's basically an entire generation in Estonia that literally have zero idea how things were before, and are thus often shocked by what and how much is required from them in other countries.
> Are there companies like Jumio and Acuant in Estonia, or has the government rendered them pointless?
This shows the issues in process and attitude. Even in the case of ROCA, you do not really break the crypto part itself, you wiggle around the implementation and procedure issues to bypass it.
Are there any Estonians here on HN who would be willing to chat a bit about digital identities in your country? I'm working on bringing e-ID to more people (https://getpass.app/) and looking to get a better understanding of current solutions.
Feel free to reach out, my email is fabian (at) flapplabs.se
dijit|5 years ago
The new cards issued in 2018 are not known to have any vulnerabilities.
[0]: https://www.linkedin.com/pulse/timeline-estonian-id-card-vul...
kreetx|5 years ago
PrimeDirective|5 years ago
C1sc0cat|5 years ago
AhtiK|5 years ago
jlgaddis|5 years ago
---
[0]: https://github.com/crocs-muni/roca
[1]: https://roca.crocs.fi.muni.cz/
[2]: https://keychest.net/roca/
[3]: http://www.id.ee/?lang=en&id=38239
[4]: https://www.yubico.com/support/security-advisories/ysa-2017-...
chrismeller|5 years ago
Etheryte|5 years ago
bragh|5 years ago
Etheryte|5 years ago
[0] https://www.mkm.ee/sites/default/files/e-valimiste_tooruhma_...
[1] https://www.err.ee/keyword/15389
[2] https://www.postimees.ee/term/15008/id-kaart
[3] https://www.valitsus.ee/et/peaminister-ministrid/valitsuse-k...
Svip|5 years ago
Funny, it's called "cucumber time" (agurketid) in Danish. I wonder if it's a related term in Nordic countries + Estonia.
unknown|5 years ago
[deleted]
pisipisipisi|5 years ago
atlasunshrugged|5 years ago
pier25|5 years ago
Does anyone else in a similar situation have any recommendations or ideas about this?
edko|5 years ago
AhtiK|5 years ago
[1] https://news.ycombinator.com/item?id=21321451
Stierlitz|5 years ago
chrismeller|5 years ago
Edit: formatting, added voting
roywiggins|5 years ago
xyzzy123|5 years ago
noodlesUK|5 years ago
Avamander|5 years ago
> Are there companies like Jumio and Acuant in Estonia, or has the government rendered them pointless?
They're basically nonexistent.
JoeAltmaier|5 years ago
pisipisipisi|5 years ago
cordite|5 years ago
fabianlindfors|5 years ago