The Flaw in the Estonian ID Card (11)

Photo: Postimees/Scanpix
10/29/2013 10:56 AM
Category: Opinion

There is a theoretical flaw in the Estonian ID card system which seriously undermines its trustworthiness. Now that we know that a certain spying agency of a major ally actively engages in the weakening and subversion of cryptographic systems, we should seriously consider the possibility that any flaw is being exploited and could even speculate that it was introduced on purpose.

In recent months, reports in ProPublica, The New York Times and The Guardian reveal that the US National Security Agency (NSA) has been actively working to undermine the cryptographic systems that form the backbone of the Internet - in particular those that are relied on by the general public and businesses for the safety of their communications.

According to the reports, the NSA has apparently successfully attacked several cryptographic systems that were previously thought to be secure. These include TLS (and its predecessor SSL), the protocol every one of us relies on to safely communicate with our bank via the Internet, and VPN, the system that businesses rely on to shield their distributed internal networks from unauthorized incursions and eavesdropping.

However, there are very few details available on how this was done. At this time, it is not clear whether these attacks on the security of the Internet have compromised the very basis of the cryptographic systems, something that seems unlikely from a mathematical point of view but could be achieved through exploiting software flaws known only to the NSA, or whether the NSA has simply been successful at retrieving the cryptographic keys used by some major web services. The latter is possible through legal coercion such as a warrant or national security letter with a gag order. A gag order prohibits the recipient from talking about a national security letter or warrant that they have received.

At the very least we should now assume that the NSA can eavesdrop on our communications with major US web services such as Facebook, Google and Yahoo. Which means that the NSA can spy on any traffic to and from those services without needing any pesky warrants.

This also means that the disclosure, by those major US web companies, of the total number of users whose data was requested through warrants is essentially meaningless. Those probably only concerned stored data that the NSA for some reason did not collect when the data was in transit (maybe due to technical failures) or had previously chosen not to keep.

Meanwhile in e-Stonia

President Ilves regularly extols the blessings of Estonia's advanced e-governance and ID card system. The technology is indeed very forward looking and is based on the principles of public key cryptography. This is the very technology that the NSA hates the public to have easy access to.

For users of Estonian ID cards, the complexities of the underlying cryptography are hidden and all they know is that they have two PIN codes, one to identify themselves to online services and the other to sign documents - a signature that, incidentally, is legally binding. It is also possible to use it to encrypt e-mails and files.

There is no doubt that making a complex cryptographic technology usable for all citizens, to identify themselves and sign contracts, is in itself an incredible feat, not to mention a huge benefit to the economy in allowing almost any transaction to take place via the Internet. President Ilves is right to mention it as one of Estonia's great achievements.

The Basics of Cryptography

To understand the theoretical weakness we will need to explain a little bit about cryptography, so bear with me. Public key cryptography is based on the concept of a key pair. Two keys that are mathematically linked in such a way that if you use one key for a specific action you need the other for the opposite action.

For instance, if one key is used to encrypt a message, the other is needed to decrypt it. This is quite convenient, because if I want you to send me a secret message all I need to do is to give you one of those keys, a key that we shall now call my public key. With that key you can encrypt a message to me, but no one can decrypt it even if they know my public key. Only I can decrypt it with the other key, which we will now call my secret key or private key.

Similarly, if I sign a document with my secret key, the signature can be verified with the public key, but no one can fake my signature with the public key.

Estonian ID cards contain such private keys and the related public keys are published online.

We will not linger too much on the question of what happens when you lose your ID card, as you then also lose your private keys and can no longer read encrypted e-mails sent to you or decrypt files that you once encrypted. This problem in itself seems like a good reason not to use the Estonian ID card system for those purposes. Personally I have opted to use an open source tool named Gnu Privacy Guard (GPG), which has the additional benefit of not being restricted to one small country in Northern Europe.

Key Authenticity

But I digress, my short overview of public key cryptography would not be complete without covering the question of key authenticity. Or simply put: how does someone know for sure that they have my key and not one issued by an imposter?

To prevent such ugly abuse, we practice something called key signing. If we sign the keys of people whose keys we have verified and trust, sooner or later a network of trust will appear. For instance if Alex signed Birgit's key, who signed Doris' key and Alex trusts Birgit, then he can trust that Doris' key is indeed hers. Maybe Doris in turn signed Emma's key, giving Alex a degree of certainty about Emma's key, too.

With the Estonian ID card system, this problem has been solved with one clean stroke: the state signs all our keys. For Alex to trust Emma's key, he now only needs to trust the signature of the Estonian state on Emma's key. This is another major benefit of the Estonian ID card system - keys certified by the state.

Secret Keys Must Be Secret

For any cryptographic scheme to work, one thing is paramount: no one, absolutely no one else, should have a copy of your secret key.

If someone else did hold a copy, they could decrypt communications you received, identify themselves as you. More worryingly, in Estonia with the ID card system, they could access your bank account, and sign legally binding documents in your name.

Ever since receiving my first Estonian ID card many years ago, there has been an itch that I wanted to scratch: How can we trust that we have the only copies of the secret keys on the ID cards - secret keys that we did not create, that were issued to us by the state, and that we cannot replace with self generated keys?

Were I living in the United States, France, the United Kingdom, Russia or China, it would take me less than a microsecond to relegate to fantasy land the assumption that the state kept no copy.

There just is no way in the world that a government in one of those countries, so bent on surveillance of everything people do, would empower their citizens through a government created technology, to communicate in a secure fashion that even the state itself could not decipher.

No. No way. There would be a secret backdoor or a secret key escrow scheme. You can bet on that. The excuses to justify surveillance of the general public are just too many; child porn, terrorism, national security, foreign spies, extremism and what have you. The Snowden leaks prove this assumption to be true for the US and the UK, and we can quite safely assume that the other big countries in the world, most of which have historically had even less respect for civil liberties, are no better.

Of course, unlike Estonia, none of those countries even pretend to provide a secure cryptographic system to all their citizens in the first place.

Because this is Estonia, I am willing to entertain the possibility that the state is honest towards us and has not kept a copy. If this is so, it would truly set Estonia apart from nearly all other countries. It would be a privacy utopia with the state actively empowering us to protect our privacy, at least online.

Everything in me hopes this is so, and that I've somehow magically picked one of the best countries to live in when it comes to privacy and respect of our civil liberties.

A Glaring Flaw

I have tried to find out more about the technical details of the card and the cryptographic keys stored on them. Supposedly the key pair generation is a function of the card and it is claimed that the secret keys never leave the card. In that case, one wonders what reason there could be not to let users generate their own keys? If key generation is a function of the chip on the card, then this should be trivial, the initial key could be used to allow users to register a new one, and this process could be repeated as often as the user wants, each time identifying their new key with the previous one.

Secondly, I have seen no absolute guarantee that the keys cannot be retrieved from the card with some specialized hardware and software. It might be expensive, but that would not be an issue for the state or a well funded agency.

In fact even the statement that the secret keys never leave the card could be technically true, while still not guaranteeing that there is no copy of those keys. This is because key generation requires random data, and that random data must somehow be provided to the card externally as there are no random events on the card itself to generate random data. If you can control the random data fed to the card, or even just log it, you can in theory determine what key will be generated or at the very least significantly reduce the possible keys that it could generate. Such a reduction would make the key vulnerable to a simple brute force attack over a limited set of possibilities.

Alternatively, simply using flawed random data generators will produce weakened keys, vulnerable to attack by a well funded organization. Leaked documents have shown that the NSA has abused its influence to introduce such weakened random number generators into standards that were adopted worldwide.

Thus it appears to me that it is possible that copies of our keys are being made and kept or that our keys have been weakened. A cryptographic system that relies on the need to blindly trust others is not safe by definition, and unfortunately trust that our keys have not been tampered with is an essential part of the Estonian ID card system. Nothing short of allowing people to generate their own keys in an environment they control themselves with random data they generate themselves can ever really alleviate such fears.

If it turns out that our private keys have been compromised, did this happen on Estonia's own initiative, or was Estonia pressured into doing so by a foreign agency like the NSA in the same way that the NSA has managed to subvert other cryptographic systems? If it is the latter, the flaw may have been introduced on purpose when the system was designed. This might have sounded crazy just a few weeks ago, but with what we now know about the NSA it is suddenly well inside the realm of possibilities.

On the other hand, it would be foolish for the Estonian state to compromise the system in this way, as it would undermine the legality of elections and digital signatures. There would also always be a serious risk that someone would blow the whistle on this activity and expose the scheme. Why take such a risk?

Thus hopefully my fears are unfounded, but given the current climate of distrust created by the actions of US and UK spying agencies, members of our own government in Estonia would do well to do everything in their power to close any flaw in the ID card system, even if only theoretical. Their good intentions can be shown by allowing us henceforth to generate our own keys in environments under our own control.

Until then I would refrain from relying too much on the Estonian ID card system.

Otto de Voogd is a digital freedom warrior, a member of the non-profit Internet Society Estonia Chapter and a volunteer Mozilla contributor. 

The name field cannot be empty
No more than 50 characters
Comment field cannot be empty
No more than 50 characters
Comment field cannot be empty
No more than 1024 characters

Message forwarded to the editor

This Ip-address has limited access

See also

There are no comments yet. Be the first!

Reply to comment

Reply to comment

Laadi juurde ({{take2}})
The name field cannot be empty
No more than 50 characters
Comment field cannot be empty
No more than 1024 characters
Add new comment
  • foto
    Opinion digest: Open Enterprise Estonia’s consultation services and assessments to competition

    Enterprise Estonia handed out advice to companies, and assessed whether or not they should receive public support, without being economically accountable, lawyer Taivo Ruus wrote in a Postimees opinion piece on Monday. This needed to change, and these activities delegated to professionals.

  • foto
    Opinion digest: The Reform Party’s new role

    After 17 years in government, Reform needed to find to a new role, and instead of being the manager of the Estonian state become a debater. How the party would get used to its new position, no longer able to dictate the political agenda, remained to be seen, said political scientist Mari-Liis Jakobson in a comment on Vikerraadio on Friday.

  • foto
    Andrus Karnau: Minister of Rural Affairs likely to be replaced

    Speaking on Sunday’s Raadio 2 broadcast of "State of the Union," radio show host Andrus Karnau found that the scandal to break out last week involving Martin Repinski’s goat farm was likely to culminate on Monday in his replacement as a minister of the newly-installed Estonian government.

  • foto
    Opinion digest: Baltic states on front line of new Cold War

    While the Baltic states would prefer full defensive capability, NATO is emphasizing its reinforcements’ function as a deterrent. The alliance would have to round off its military presence in the area with diplomacy, and political stability and dedication to liberal democratic values would play an important role maintaining the West’s solidarity, columnist Ahto Lobjakas wrote in an opinion piece published in daily Postimees.

  • foto
    Opinion digest: Putting Rail Baltica in its strategic context

    In an opinion piece in daily Postimees, former EU commissioner Siim Kallas points out that Rail Baltica goes far beyond considerations of its route on Estonian soil, and the money the government will have to invest. On the contrary, there is a broader European meaning that includes considering the strategic situation of Estonia.

  • foto
    Opinion digest: Dynasties and democracy don't go well together

    Speaking about the recent US presidential elections on Vikerraadio’s Sunday broadcast of "Samost and Rumm," hosts Anvar Samost and Hannes Rumm recognized that Donald Trump’s election win is being considered as the destruction of two political dynasties there, however democracy and dynasties don’t go well together anyway.

  • foto
    Opinion: Estonia’s lasting isolation

    The fact that too many foreign journalists do not understand the Estonian language, and that they have no access to the local political culture and its players, has distorted reports abroad of what happened this week, writes ERR News editor Dario Cavegn.

  • foto
    Alo Lõhmus: Left turns and ‘silent submission’

    The embarrassing conflation of the Reform Party’s self-image with the Estonian state is proof that it is high time they are sent into opposition, says journalist Alo Lõhmus.

  • foto
    Opinion: Getting rid of ruling party's privileges doesn't damage Estonia's reputation

    On Friday, the ministers of the Social Democrats (SDE) and the Pro Patra and Res Publica Union (IRL) began calling back Reform Party members from the boards of state-owned companies and funds. The Reform Party’s reaction was an announcement published on Sunday — a rather strange one, finds ERR News editor Dario Cavegn.

  • foto
    Opinion digest: Ärma is more than just numbers

    Ärma Farm’s funding scandal was overshadowing the achievements of Toomas Hendrik Ilves’ presidency, including the fact that Estonia had benefited from state visits that Ilves hosted in Ärma, Prime Minister Taavi Rõivas (Reform) said to ERR on Thursday.

  • foto
    Benno Schirrmeister: Do Estonians dream of electric sheep?

    On a journalist exchange in Estonia, Benno Schirrmeister of Bremen’s TAZ is highly informed, yet a blank slate as far as a foreigner’s experience of Estonia is concerned. In his first op-ed about Tallinn, he spots something beyond IT that Estonia could advertise — but doesn’t.

  • foto
    Erkki Bahovski: Was 1940 approach better than modern journalism's 'war hysteria'?

    Linguist Urmas Sutrop has claimed that Estonian journalism is scaring people with the specter of war. Editor-in-Chief of monthly magazine Diplomaatia Erkki Bahovski, however, doesn’t agree.

  • foto
    Opinion digest: Kremlin in danger of losing sense of reality

    According to Ingo Mannteufel, head of the Department for Russia and Europe at Deutsche Welle, there is a possibility of the Kremlin starting to believe its own propaganda, which could lead to dangerous decisions both domestically and internationally.

  • foto
    Opinion digest: Estonia’s stagnating politics

    Estonia’s largest political parties had been going through the most serious crisis in their existence, and on top of that they had lost their most important function, namely to formulate a vision of the country’s future, daily Postimees wrote in its Friday editorial.

  • foto
    Opinion digest: Putin exploiting power vacuum created by U.S. presidential elections

    According to director of Tallinn’s International Centre for Defence and Security and former ambassador to Russia, Jüri Luik, the increased tensions over the past few weeks between Russia and the West indicate Putin’s wish to exploit the ambiguous mood before the U.S. presidential elections as much as possible.

  • foto
    Opinion digest: Time to return to discussing serious issues

    In a stinging opinion piece in published in the daily Eesti Päevaleht, member of the Riigikogu Eerik-Niiles Kross (Reform) condemned the Estonian media as well as the country’s elites for their obsession with what he sees as pointless topics, while disregarding the last few weeks’ unsettling developments concerning Russia.

  • foto
    Opinion digest: Legally speaking, everything is proper

    After Toomas Hendrik Ilves’ decade in office, and after he promoted Estonia like no other president did before him, his legacy is now tainted by the fact that he seems to have gone for a substantial state grant in 2006 that he never put to use — and of which he will now pay back just a tenth.

  • foto
    Opinion digest: Closer to Warsaw, farther away from Estonia

    In a recent opinion piece in daily Postimees, columnist Ahto Lobjakas wrote that one way to look at Rail Baltic was as a step towards the level other countries had already reached in terms of speed and comfort of their railway connections. The main weakness of this point of view was the fact that in Estonia, it lacked the necessary social context.

  • foto
    Opinion digest: Leadership change in Reform needed for potential coalition with Center Party

    For a potential future coalition with the Center Party, the Reform Party needed to change its leader as well, Social Democratic MP and chairman of the Riigikogu’s Foreign Affairs Committee Sven Mikser wrote in a comment on social media on Friday.

  • foto
    Matthew Crandall: President Ilves’ global impact

    The greatest accomplishment of President Toomas Hendrik Ilves is that he branded Estonia as a modern and innovative 21st century country, and brought it out of post-Soviet obscurity, writes Tallinn University’s Matthew Crandall.

  • foto
    The shackles of history and modern life in the fast lane: Estonia's experience in the migration crisis

    The uncertain public performances of Estonian politicians and poor explanatory work were to blame for a considerable increase in public distrust during the migration crisis, found ERR journalist Greete Palmiste, working in Bremen on an international journalists' exchange, in an opinion piece written for German publication taz.die Tageszeitung.

  • foto
    Opinion digest: Kersti Kaljulaid on the concepts of ethical nationalism and confident Estonians

    On Friday, Aug. 12, Estonian representative to the European Court of Auditors Kersti Kaljulaid delivered a patriotic speech on the Postimees Stage at the 2016 Opinion Festival in Paide in which she expanded on two words and two respective ideas she found important for her country that were represented by the two letter Es in its native-language name Eesti: eetiline (ethical) and enesekindel (confident).

  • foto
    This mess we're in: Picking up the pieces after Saturday's elections

    From Saturday’s election fiasco to Tuesday’s sudden emergence of a likely cross-party candidate: ERR News editor Dario Cavegn makes an attempt at explaining Estonia’s seemingly chaotic quest to find its next president.

  • foto
    Opinion: The decline of Estonian as a language of science starts abroad

    The Estonian language as a language of science is only sustainable in those subject areas that offer undergraduate courses in Estonian, and with which students begin their university education, finds ERR science portal editor Marju Himma.

  • foto
    Opinion digest: Current approach to reform won't help municipalities

    The Center Party’s presidential candidate, Mailis Reps, wrote in an opinion piece published in daily Postimees on Sunday that the Administrative Reform Act was a disappointment to Estonia’s municipalities, and that relations between local and central government were in a crisis.

  • foto
    Opinion: Jüri Nikolajev in response to the Ida-Viru secret memo

    Describing himself as "wearily spiteful" instead of angry, ERR's Narva correspondent Jüri Nikolajev responded to the top secret memo on Ida-Viru County that leaked recently, calling Estonians to figuratively not leave their property laying around if they did not want anyone else to take it for themselves.

  • foto
    Opinion digest: Sulev Vedler on the secret memo on Ida-Viru County

    In 2015, the Government Security Committee received a secret memo containing a dark assessment of the future of Ida-Viru County, Estonia's most northeastern and predominantly Russian-speaking county, which was compiled by Ilmar Raag, who worked as a strategic communicatins advisor at the Stenbock House at the time. Estonian journalist Sulev Vedler responded to the memo by compiling various reactions to issues it addressed.

  • foto
    Opinion: Alo Lõhmus on the definition of Estonian citizen by blood

    Journalist Alo Lõhmus explored the right to Estonian citizenship by "jus sanguinis," Latin for right of blood, as it relates to one's eligibility to run for president — an issue which has had particular attention drawn to it recently after members of a competing political party attempted to cast doubt on the status of presidential candidate Marina Kaljurand's Estonian citizenship.

  • foto
    Opinion digest: Erkki Bahovski on Finland and the alleged Baltic scheming

    Columnist Erkki Bahovski commented on the curious, decidedly defensive turn that seemed to be taken by Finland's Social Democrats following the release of a lengthy report by the Finnish Institute of International Affairs (UPI) which suggested that Russia, in its own self-interest, is attempting to hamper Finland's total integration with the West.

  • foto
    Opinion digest: Siim Kallas thinks real estate tax effective way to finance local government

    The Reform Party’s presidential candidate, Siim Kallas, said in an opinion piece published in daily Postimees that an estate tax, more precisely a tax levied on real estate, could be considered to finance local government.