Should even one of Estonia's national ID cards be cracked, the certification center of the Police and Border Guard Board (PPA) would be obliged under law to void all of the approximately 750,000 cards containing the chip in which a security flaw was discovered at the end of August.
"In principle, if someone manages to crack the card and the Information System Authority (RIA) confirms this, the certificate will be revoked," PPA spokesperson Kirsti Ruul told BNS. "In such a case all the cards with the security risk must be closed."
PPA Identity and Status Bureau chief Margit Ratnik likewise said that the realization of the security risk in even a single case would mean that the certificates of all cards affected by the security risk would be revoked.
"In the event that there is sound evidence that the risk has materialized, the PPA as the issuer of the document will revoke the certificates of all the cards affected by the security risk," she confirmed. "This means that it will not be possible to use these cards electronically anymore after the certificates have been revoked. The ID cards not affected by the security risk will remain valid and it will remain possible to continue to use them electronically."
The legal obligation to revoke the certificate arises from the Identity Documents Act, which states that the issuer of the document may revoke the certificate if there is a reason to believe that it is possible to use the private key corresponding to the public key contained in the certificate without the consent of the certificate holder.
In addition, the Electronic Identification and Trust Services for Electronic Transactions Act puts an obligation on the trust service provider, that is, the certification center, to revoke a certificate if requested by a competent authority or the holder of the certificate. If a certificate holder has any doubts that it is possible to use the private key corresponding to a public key contained in the certificate without his or her consent, the certificate holder has the obligation to request revocation of the certificate.
Ruul noted that the theoretical security risk discovered by Czech scientists, of which Estonia was notified, does not in itself provide sufficient grounds for revoking the certificates of all the cards affected by the risk. Such an obligation would arise, however, if an actual card were cracked.
750,000 ID cards affected
On Aug. 30, an international group of researchers informed the RIA that they had discovered a security risk affecting all ID cards issued in Estonia beginning in Oct. 2014, including ID cards issued to Estonian e-residents. Nearly 750,000 ID cards are affected by the issue.
ID cards issued prior to Oct. 16, 2014 used a different kind of chip and are not affected by the current risk. The security risk likewise does not affect Mobile-ID users.
According to available information, the security risk has yet to materialize. Nonetheless, Estonia has closed the public key database of the electronic ID cards, as the security flaw cannot be exploited to crack the encryption on a card's chip without knowing that card's public key.
Editor: Aili Vahtla