
Vulnerability of State-Provided Electronic Identification: The Case of ROCA in Estonia

  • Conference paper
  • In: Electronic Government and the Information Systems Perspective (EGOVIS 2021)

Abstract

The purpose of this research is to provide a detailed description of the 2017 ROCA (Return of the Coppersmith’s Attack) case in Estonia and to explore what implications this large-scale security risk has for a fully rolled-out state-provided eID scheme. The analysis focuses on three areas: (i) the state’s political tasks and responsibilities; (ii) the role of the ICT industry in the eID provision process; and (iii) the opportunities and obligations for the end users, including the state itself as the primary end user of the eID. We have conducted a thematic analysis of 32 semi-structured interviews with 41 Estonian high-level experts closely involved in solving the 2017 ROCA vulnerability case in Estonia. These interviews provide deep insight into the crisis management process as well as into the characteristics of the Estonian eID area. Based on the insights from the Estonian case, we suggest a paradigm shift in eID management that recognises eID as the citizens’ right and its provision as the state’s obligation.





Correspondence to Valentyna Tsap.


© 2021 Springer Nature Switzerland AG


Cite this paper

Valtna-Dvořák, A., Lips, S., Tsap, V., Ottis, R., Priisalu, J., Draheim, D. (2021). Vulnerability of State-Provided Electronic Identification: The Case of ROCA in Estonia. In: Kö, A., Francesconi, E., Kotsis, G., Tjoa, A.M., Khalil, I. (eds) Electronic Government and the Information Systems Perspective. EGOVIS 2021. Lecture Notes in Computer Science, vol 12926. Springer, Cham. https://doi.org/10.1007/978-3-030-86611-2_6


  • DOI: https://doi.org/10.1007/978-3-030-86611-2_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-86610-5

  • Online ISBN: 978-3-030-86611-2

  • eBook Packages: Computer Science, Computer Science (R0)
