ERR News recently published an opinion piece by Internet freedom advocate Otto de Voogd that called into question the security of Estonia's much-touted ID card system. The following rebuttal is from Agu Kivimägi, head of the cyber security department at SMIT, the Interior Ministry's IT and development center, in response to our request.
A certain amount of paranoia about IT security is a good thing. It forces the implementers to provide explanations. Otto de Voogd's recent article was based on the general fear unleashed recently when the public learned that superpowers are capable of cracking secure systems. But the article also expressed some specific concerns in connection with the Estonian ID card - namely, that the Estonian state could possess the private keys of all ID card holders and thus be able to spy on people.
To explain why this concern is unfounded, a brief explanation of how the private keys are generated is in order. Each ID card has two pairs of keys - one pair for authentication and another for signing. In each pair, one key is public, the other private. The keys are not loaded onto the ID card; rather, the card generates them itself. The ID card's processor and memory are designed so that the private key itself never leaves the card. When it is time to use the key, data is sent to the card and manipulated with the key; the card then outputs the result.
The problem is how to ensure that the cards, which are produced using an identical manufacturing process, contain different keys. The solution employs random number generators. True randomness isn't attainable by a mathematical algorithm alone, so a special technology called a voltage-controlled oscillator is used. The electronics in this scheme are characterized by constant fluctuation resulting from noise. Exceedingly tiny changes in ambient temperature or the surrounding EM fields impact the device. The keys generated on a given card thus depend on the background noise, not a random number seed supplied by the chip manufacturer or by the card issuer.
The output from the hardware random number generator is used as the input for a pseudorandom number generator, which in turn generates the actual cryptographic keys.
There are many chip makers in the world and they don't reveal the randomization algorithm they use. It is a very good question whether an algorithm does in fact ensure sufficient randomness and protection against attacks. While cryptologists develop and improve cryptographic algorithms, cryptanalysts are constantly looking for faults. The quality of Estonian ID cards has been verified with regard to a problem seen in one case in Taiwan, where a small fraction of cards - 104 out of 2 million - had identical keys. The random number generator for cards used in Estonia does ensure sufficient entropy.
Thus the fear that the Estonian state has the power of recording or checking up on citizens' or residents' private keys is ruled out by the technological scheme used.
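The following Python sketch is an added illustration, not part of the original article and not the card's actual algorithm. It models the pipeline described above (a noise-derived seed feeding a pseudorandom generator that produces the key) and the issuer-side check for identical keys across a batch. The HMAC-based generator, the fingerprint stand-in for a public key, the batch size and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
from collections import Counter

def noise_seed(entropy_bits: int) -> bytes:
    """Simulated hardware noise source that delivers only `entropy_bits` of entropy."""
    raw = int.from_bytes(os.urandom(32), "big")
    return (raw >> (256 - entropy_bits)).to_bytes(32, "big")

def prng_stream(seed: bytes, n: int) -> bytes:
    """Toy deterministic generator (HMAC-SHA256 in counter mode) that expands the seed."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def personalize_card(entropy_bits: int) -> str:
    """Generate one key 'on the card'; only a public fingerprint leaves this function."""
    private_key = prng_stream(noise_seed(entropy_bits), 32)
    # Stand-in for a public key: a one-way image of the private key bytes.
    return hashlib.sha256(b"public:" + private_key).hexdigest()

def audit_duplicates(fingerprints) -> int:
    """Issuer-side check: number of cards that share a key with another card."""
    counts = Counter(fingerprints)
    return sum(c for c in counts.values() if c > 1)

def simulate_batch(cards: int, entropy_bits: int) -> int:
    """Personalize a batch of cards and audit it for identical keys."""
    return audit_duplicates(personalize_card(entropy_bits) for _ in range(cards))

if __name__ == "__main__":
    # Constructed scenario: the same generator, fed seeds of different quality.
    for bits in (8, 16, 128):
        shared = simulate_batch(2000, bits)
        print(f"{bits:>3} bits of seed entropy: {shared} of 2000 cards share a key")
```

The generator is identical in every run; only the entropy of the seed changes, which is why the duplicate audit over public values is a meaningful test of the noise source rather than of the algorithm.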
As to the proposal that a citizen or resident could himself generate keys and obtain a certificate, this poses significant security risks. If keys are generated outside the card and loaded onto the card by the user, that means the keys were at some point in a computer whose security is unverifiable and certainly lower than the ID card's security level.
Nor is it a good idea to design a card such that the citizen/resident could make changes to it independently. The keys for the cards used in Estonia are generated in the course of personalizing the card. The card is then locked, and no more changes can be made to it. If the cards were write-enabled, we would weaken the card's security concept.
Generating keys independently would be, for most users, an additional and complicated procedure that is not worth the effort. It would also be necessary to separately verify the possession and identity of the keys after the keys were generated. There do exist systems where the user goes to a notary and proves possession of a private key and the person is issued a certificate on the basis of the notary's statement. A certificate obtained by such a process tends to cost around 100 euros, however.