Using the Estonian Electronic Identity Card for Authentication to a Machine

  • Conference paper
Secure IT Systems (NordSec 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10674)

Abstract

The electronic chip of the Estonian ID card is widely used in Estonia to identify the cardholder to a machine. For example, the electronic ID card can be used to collect rewards in customer loyalty programs, authenticate to public printers and self-checkout machines in libraries, and even unlock doors and gain access to restricted areas. This paper studies the security aspects of using the Estonian ID card for this purpose. The paper shows that the way the ID card is currently being used provides little to no assurance to the terminal about the identity of the cardholder. To demonstrate this, an ID card emulator is built, which emulates the electronic chip of the Estonian ID card as much as possible and is able to successfully impersonate the real ID card to the terminals deployed in practice. The exact mechanisms used by the terminals to authenticate the ID card are studied and possible security improvements for the Estonian ID card are discussed.

Notes

  1. The digital identity cards issued before December 2014 only have the document number (field No. 8) filled. These cards will expire by December 2017.

  2. Fingerprints on cards issued after 3 November 2014 are additionally protected using the Extended Access Control (EAC) mechanism, which requires terminal authentication.

  3. 3B FE 18 00 00 80 31 FE 45 53 43 45 36 30 2D 43 44 30 38 31 2D 6E 46 A9 (ATR of SmartCafe Expert 6.0).

  4. 3B FA 18 00 00 80 31 FE 45 FE 65 49 44 20 2F 20 50 4B 49 03 (cold ATR of EstEID v3.5 (10.2014)).

  5. The exception is the digital identity cards issued before 2014, which support T=0 only.

  6. For various reasons, not all merchants in Estonia accept the ID card as a loyalty card [21]. These merchants provide their own loyalty cards, which are usually magnetic stripe cards or contactless chip cards [15].

References

  1. Bonneau, J., Preibusch, S., Anderson, R.: A birthday present every eleven wallets? The security of customer-chosen banking pins. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 25–40. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32946-3_3

  2. Cybernetica AS: Cryptographic algorithms lifecycle report 2016. In: Cryptographic protocols over radio connection. 22 June 2016. https://www.ria.ee/public/RIA/Cryptographic_Algorithms_Lifecycle_Report_2016.pdf

  3. e-Governance Academy: Study on the functionality of documents in ID-1 format (in Estonian), December 2013. https://www.siseministeerium.ee/sites/default/files/dokumendid/Uuringud/Isikut_toendavad_dokumendid/2013_id-1_formaadis_dokumentide_funktsionaalsuse_uuring.pdf

  4. Estonian Health Insurance Fund: Digital Prescription, July 2017. https://www.haigekassa.ee/en/digital-prescription

  5. Estonian Information System Authority: Electronic Identity Application Guide: ID card as an entrance card, May 2014. https://eid.eesti.ee/index.php/ID_card_as_an_entrance_card

  6. Estonian Information System Authority: Electronic Identity Application Guide: Using ID-card as a loyalty card, May 2014. https://eid.eesti.ee/index.php/Using_ID-card_as_a_loyalty_card

  7. Estonian Police and Border Guard Board: Online identity document validity check, May 2017. https://www.politsei.ee/en/teenused/inquiries/

  8. Estonian Police and Border Guard Board: Residence card, May 2017. https://www.politsei.ee/en/nouanded/residence-card.dot

  9. Giesecke & Devrient: Sm@rtCafé Expert operating systems: Sm@rtCafé Expert 6.0, February 2013. https://www.gd.gd/gd_media/media/en/documents/brochures/mobile_security_2/nb/SmartCafe-Expert.pdf

  10. GlobalPlatform Inc.: GlobalPlatform Card Specification, Version 2.1.1, March 2013. http://www.win.tue.nl/pinpasjc/docs/Card%20Spec%20v2.1.1%20v0303.pdf

  11. International Civil Aviation Organization: DOC 9303. Machine Readable Travel Documents. Part 11: Security Mechanisms for MRTDs (2015). https://www.icao.int/publications/Documents/9303_p11_cons_en.pdf

  12. Joandi, E., Kuusik, A., Tammet, T.: Analysis of potential RFID usage in the context of extending Estonian ID-card (in Estonian), January 2008. https://www.mkm.ee/sites/default/files/rfid_id_analyys_-_koopia.doc

  13. Krebs, B.: Chip & PIN vs. Chip & Signature, October 2014. http://krebsonsecurity.com/2014/10/chip-pin-vs-chip-signature/

  14. Lehmann, A.: New Generation of eID Smartcard, 06 November 2014. https://sk.ee/upload/files/AK2014_New%20Generation%20of%20eID%20Smartcard_Andreas%20Lehmann.pdf

  15. Morgan, D.: Security of Loyalty Cards Used in Estonia. MSc thesis, Tallinn University of Technology (2017). http://kodu.ut.ee/~arnis/loyalty_thesis.pdf

  16. Morgan, D., Parsovs, A.: Using the Estonian Electronic Identity Card for Authentication to a Machine (Extended Version). Cryptology ePrint Archive, Report 2017/880 (2017). http://eprint.iacr.org/2017/880

  17. Murdoch, S.J.: Do you know what you’re paying for? How contactless cards are still vulnerable to relay attack, August 2016. https://www.benthamsgaze.org/2016/08/02/do-you-know-what-youre-paying-for-how-contactless-cards-are-still-vulnerable-to-relay-attack/

  18. NIST: FIPS PUB 201–2: Personal Identity Verification (PIV) of Federal Employees and Contractors, August 2013. http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-2.pdf

  19. Paljak, M.: FakeEstEID JavaCard applet, 16 January 2015. https://github.com/martinpaljak/esteid-applets/blob/master/docs/FakeEstEID.md

  20. Paljak, M.: Off-line ID card (in Estonian), 18 October 2016. http://kliendikaart.publicon.ee/userfiles/RIA/idkaart/Martin_Paljak.pdf

  21. Postimees: No plans to connect Kaubamaja Partnercard with ID-card (in Estonian), 5 August 2011. http://www.postimees.ee/521494/partnerkaarti-id-kaardiga-uhendada-ei-kavatse

  22. Postimees: The new ID-cards will be refused (in Estonian), 23 January 2015. http://tarbija24.postimees.ee/3067299/uued-id-kaardid-voivad-torkuda

  23. Postimees: Contactless Estonian ID-card has been built (in Estonian), 5 March 2016. http://tehnika.postimees.ee/3607697/video-valminud-on-kontaktivaba-eesti-id-kaart

  24. Riigi Teataja: Identity Documents Act (2000). https://www.riigiteataja.ee/en/eli/504112013003/consolide/current

  25. Roland, M., Hölzl, M.: Evaluation of Contactless Smartcard Antennas, June 2015. https://arxiv.org/abs/1507.06427

  26. SecureIDNews: Defense Department order RF shields from National Laminating, November 2010. https://www.secureidnews.com/news-item/defense-department-order-rf-shields-from-national-laminating/

  27. SK ID Solutions AS: Cards for testing 01 July 2017. https://sk.ee/en/services/testcard/

  28. Smartcard Focus: Giesecke & Devrient: SmartCafe Expert 6.0 80K Dual, 11 April 2017. https://www.smartcardfocus.com/shop/ilp/id~684/smartcafe-expert-6-0-80k-dual-/p/index.shtml

  29. The European Parliament, the Council of the European Union: Regulation 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014)

  30. Trüb Baltic AS: EstEID v3.4 card specification, 11 June 2012. http://www.id.ee/public/TB-SPEC-EstEID-Chip-App-v3.4.pdf

  31. Trüb Baltic AS: EstEID v3.5 card specification, 14 March 2017. http://www.id.ee/public/TB-SPEC-EstEID-Chip-App-v3.5-20170314.pdf

Acknowledgements

We would like to thank Martin Paljak for his feedback and the technical support he provided for this study, and all the people who gave their feedback on this paper. This work was supported by the European Regional Development Fund through the Estonian Centre of Excellence in ICT Research (EXCITE) and the Estonian Doctoral School in Information and Communication Technologies.

Author information

Corresponding author

Correspondence to Arnis Parsovs.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Morgan, D., Parsovs, A. (2017). Using the Estonian Electronic Identity Card for Authentication to a Machine. In: Lipmaa, H., Mitrokotsa, A., Matulevičius, R. (eds) Secure IT Systems. NordSec 2017. Lecture Notes in Computer Science, vol 10674. Springer, Cham. https://doi.org/10.1007/978-3-319-70290-2_11

  • DOI: https://doi.org/10.1007/978-3-319-70290-2_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-70289-6

  • Online ISBN: 978-3-319-70290-2

  • eBook Packages: Computer Science, Computer Science (R0)
