Abstract
The electronic chip of the Estonian ID card is widely used in Estonia to identify the cardholder to a machine. For example, the electronic ID card can be used to collect rewards in customer loyalty programs, authenticate to public printers and self-checkout machines in libraries, and even unlock doors and gain access to restricted areas. This paper studies the security aspects of using the Estonian ID card for this purpose. The paper shows that the way the ID card is currently being used provides little to no assurance to the terminal about the identity of the cardholder. To demonstrate this, an ID card emulator is built, which emulates the electronic chip of the Estonian ID card as much as possible and is able to successfully impersonate the real ID card to the terminals deployed in practice. The exact mechanisms used by the terminals to authenticate the ID card are studied and possible security improvements for the Estonian ID card are discussed.
Notes
- 1. The digital identity cards issued before December 2014 only have the document number (field No. 8) filled. These cards will expire by December 2017.
- 2. Fingerprints on cards issued after 3 November 2014 are additionally protected using the Extended Access Control (EAC) mechanism, which requires terminal authentication.
- 3. 3B FE 18 00 00 80 31 FE 45 53 43 45 36 30 2D 43 44 30 38 31 2D 6E 46 A9 (ATR of SmartCafe Expert 6.0).
- 4. 3B FA 18 00 00 80 31 FE 45 FE 65 49 44 20 2F 20 50 4B 49 03 (cold ATR of EstEID v3.5 (10.2014)).
- 5. The exception is the digital identity cards issued before 2014, which support T=0 only.
- 6.
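The two ATRs quoted in notes 3 and 4 are the only card-level detail this page gives, so the following ISO/IEC 7816-3 ATR decoder, an added example and not code from the paper, shows what a terminal can actually learn from an ATR (offered protocols, interface bytes, historical bytes) and how the TCK check byte is verified; the T=0-only behaviour of note 5 corresponds to the case where the TCK is absent. Both ATRs parse with identical interface bytes and differ only in their historical bytes, and nothing in an ATR is authenticated.

```python
from typing import Dict, Set
# ATRs quoted in notes 3 and 4 ("2 F" in note 4 is the byte 2F, split by extraction).
ATR_SMARTCAFE = "3B FE 18 00 00 80 31 FE 45 53 43 45 36 30 2D 43 44 30 38 31 2D 6E 46 A9"
ATR_ESTEID_35 = "3B FA 18 00 00 80 31 FE 45 FE 65 49 44 20 2F 20 50 4B 49 03"

def parse_atr(hex_atr: str) -> Dict:
    """Decode an ISO/IEC 7816-3 ATR; raise ValueError if it is malformed."""
    atr = bytes.fromhex(hex_atr)
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("missing or unknown TS byte")
    t0 = atr[1]
    k = t0 & 0x0F                # number of historical bytes
    y = t0 >> 4                  # presence bits for TA1, TB1, TC1, TD1
    pos, i = 2, 1
    interface: Dict[str, int] = {}
    protocols: Set[int] = set()
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError("ATR truncated in interface bytes")
                interface[f"{name}{i}"] = atr[pos]
                pos += 1
        if not y & 8:            # no TDi: the interface-byte chain ends here
            break
        protocols.add(interface[f"TD{i}"] & 0x0F)   # low nibble = protocol T
        y = interface[f"TD{i}"] >> 4                # high nibble = next presence bits
        i += 1
    protocols = protocols or {0}     # no TD1 at all means T=0 by default
    historical = atr[pos:pos + k]
    if len(historical) != k:
        raise ValueError("ATR truncated in historical bytes")
    pos += k
    # TCK is present unless T=0 is the only protocol offered (the note 5 cards);
    # when present, T0 XOR ... XOR TCK must be zero.
    tck_present = protocols != {0}
    if len(atr) != pos + (1 if tck_present else 0):
        raise ValueError("ATR length does not match its structure")
    tck_ok = True                    # nothing to check when TCK is absent
    if tck_present:
        x = 0
        for b in atr[1:]:
            x ^= b
        tck_ok = x == 0
    return {"protocols": protocols, "interface": interface,
            "historical": historical, "tck_ok": tck_ok}

def interface_bytes_match(a: str, b: str) -> bool:
    """True if two ATRs carry identical TA/TB/TC/TD interface bytes."""
    return parse_atr(a)["interface"] == parse_atr(b)["interface"]
```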
Acknowledgements
We would like to thank Martin Paljak for his feedback and the technical support he provided for this study, and all the people who gave their feedback on this paper. This work was supported by the European Regional Development Fund through the Estonian Centre of Excellence in ICT Research (EXCITE) and the Estonian Doctoral School in Information and Communication Technologies.
© 2017 Springer International Publishing AG
Morgan, D., Parsovs, A. (2017). Using the Estonian Electronic Identity Card for Authentication to a Machine. In: Lipmaa, H., Mitrokotsa, A., Matulevičius, R. (eds) Secure IT Systems. NordSec 2017. Lecture Notes in Computer Science(), vol 10674. Springer, Cham. https://doi.org/10.1007/978-3-319-70290-2_11
DOI: https://doi.org/10.1007/978-3-319-70290-2_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-70289-6
Online ISBN: 978-3-319-70290-2
eBook Packages: Computer Science (R0)