Due to the vulnerability in the formation of cryptographic keys, Estonia has canceled hundreds of thousands of national ID cards

In early November, the Estonian government suspended hundreds of thousands of national ID cards. They can be used as an identity card in everyday life, but the owners of these cards are denied access to electronic resources, the authentication procedure in which is carried out using the ID chip card. The problem is that during the exploitation of a cryptographic key vulnerability, an attacker can depersonalize the owner of this key.

Despite the fact that the vulnerability was discovered three weeks ago, Estonia decided to postpone the suspension of electronic systems, including voting systems. Local media claim that this was done in order to complete the election process without any problems, because they voted for the candidates with the help of cards. If the country canceled their action before the elections, the latter would have to be declared invalid, which the government did not do.

According to information security experts, who discovered the vulnerability three weeks ago , its presence allows an attacker to crack a 1024-bit encryption key in just 25 minutes using a cloud instance. The price of hacking in this case costs $ 38. Hacking a 2048-bit key requires $ 20,000 and nine days already.
')
Initially, the Estonian authorities stated that vulnerability is not too dangerous, since its operation is a complex and expensive process. Representatives of the government apparatus said the following: Large-scale attacks are hardly possible due to the high cost of the attack and the large amount of computing power to generate a private key. "

Affected smartcard companies Gemalto , whose office is located in Switzerland. Its cards have been sold for more than ten years, they are used for two-factor authentication by employees of Microsoft and other companies. Recently it became known that the vulnerability that led to the suspension of the Estonian cards has existed since 2008.

Information security specialists Daniel Bernstein and Tanya Lange stated that they were able to use a less expensive way of exploiting vulnerabilities than previously stated. In addition, this method and much faster than the one mentioned above. As far as can be judged, intruders can use the same method - often in teams of cybercriminals work professionals of the highest class.

According to the Estonian government, in order to avoid cybersecurity problems, it was decided to suspend the operation of all digital IDs, both citizens and “electronic residents” until a new digital certificate is obtained that is not subject to vulnerability. This is a precautionary measure that allows you to avoid the use of data of citizens of the country by potential attackers.

In other matters, the vulnerability is relevant not only for Estonia - as already mentioned above, Microsoft and other companies that use cards from the same manufacturer as the “digital ID” cards also change certificates. But Estonia is more than any corporation, so the problems are more serious. “As far as we know, there are no cases of theft of electronic IDs, but ... this threat is real. By blocking card certificates, a country can be convinced of their security, ”the country's Prime Minister, Jüri Ratas , said in a statement. He also added that the decision was not easy, but it was practically the only possible one.

The problem concerns not all digital IDs, but only those that were issued between October 16, 2014 and October 25, 2017. This number includes absolutely all e-resident cards, most of which have decided to use the “digital citizenship” feature to to open a new business.

Worst of all, residents of the country use digital certificates to obtain medical services, interact with the tax service, pay staff and other similar tasks. Cards can not be thrown away, but simply renew the electronic certificate that is contained in the chip. But if you consider that there are not so many centers, at the same time hundreds of thousands of certificates can not be updated.

The government’s decision to suspend digital cards has affected, in particular, companies that provide accounting services. And it happened just before the payment of wages and pensions. At the same time, employers transfer profit taxes to the treasury. Companies whose work is suspended due to problems with the cards are unhappy.



“Of course, the state is guilty if an Estonian in his native country cannot understand what he needs to do. And the state simply decides to stop the operation of ID cards, ” said Lars Petter Leinonen, Chairman of the Management Board of Leinonen Accounting Company.

The problem is irrelevant for mobile ID and cards issued until October 2014. Estonian cards are changed in two ways - electronically or by the police. According to the Department of State Information System (RIA), by Friday evening only 62,000 people updated ID-cards with security risks. The police departments lined up in long lines. The government had to introduce a 7/7 mode of operation. That is, the centers operate seven days a week.

According to information security experts, attackers can reduce the cost of decoding the code, as well as reduce the time to conduct this operation. If desired, cybercriminals can buy specialized hardware, equipped with a GPU, programmers, specialized chips and create their own systems for the depersonalization of cardholders. Also, card information can be used during the same voting. At the moment, the number of vulnerable maps is such that attackers can use these 10% of voters, or even more.

Estonian Prime Minister Jüri Ratas said that a large number of people are working to eliminate the vulnerability of Estonian ID-cards, and the problem is getting closer every day.

However, Estonia is far from the only country whose national maps are subject to this vulnerability. A similar problem is relevant for Slovakia, where cybersecurity experts are now checking their own electronic ID of the country.

Actually, the vulnerability is relevant for a large number of smart-cards of a number of manufacturers. Most of the chips in these cards use the RSA encryption protocol. The way out may be to work with another protocol. The Estonian government has announced that e-cards will soon be protected by elliptical cryptography .

The method of elliptic cryptography is to use the algebraic properties of elliptic curves. It was proposed in 1985 by Neil Koblitz and Victor Miller. In the method, the role of the main cryptographic operation is performed by the operation of scalar multiplication of a point on an elliptic curve by a given integer, determined through the operations of addition and doubling of points of an elliptic curve. The advantages of this method for the entire field of information technology are indisputable, since this type of encryption is fast, plus a small key length is used.

As for RSA , this cryptosystem is also quite reliable, since a composite number is rather difficult to decompose into prime factors. But the manufacturer’s mistake, as in the case of Estonian ID cards, can be a reason for simplifying the task of decrypting protected keys. If, however, algorithms are used on elliptic curves, then the possibility of using algorithms to solve the discrete logarithm problem in groups of their points is excluded. By the way, the NSA uses just elliptical cryptography algorithms, protecting its documents with relatively short 384-bit keys. Perhaps, the elliptic cryptography method will be used in the future instead of RSA.

As for Estonia, the government hopes to bring everything back to normal within a few days. In particular, this week the remote renewal of ID card certificates is resumed. This is the fastest way to avoid the need to visit the centers for working with cards.