Estonian Electronic Identity Card: Security Flaws in Key Management

222 points by dcbadacd, almost 5 years ago

11 comments

dijit, almost 5 years ago
Anyone wondering if this is a new issue; it's not, it's a more detailed writing of some previous issues, one of which being the Gemalto affair[0].

The new cards issued in 2018 are not known to have any vulnerabilities.

[0]: https://www.linkedin.com/pulse/timeline-estonian-id-card-vulnerability-andres-k%C3%BCtt/
PrimeDirective, almost 5 years ago
> The flaws of the ID-card is a very politically charged topic to discuss in Estonia, having any doubts about the ID-card or e-voting will make you a persona non grata.

I somewhat disagree, the discussion tends to get bent by some populist agent provocateurs and some of the initial reactions from the private sector media. (In Estonia, the government media is the most centered out of all news outlets, go figure). What these statements usually are is that "ID card has a flaw X, therefore we should immediately ban it, close the R&D and burn it with fire", forgetting that crypto and computing in general, changes over time. My view is that, of course each flaw has to be resolved and sometimes this is political, but this just means the work has to continue.
AhtiK, almost 5 years ago
"The jTOP SLE78-powered ID cards were issued until the end of 2018. ID cards manufactured currently are powered by the chip platform supplied by IDEMIA (not covered in this work)."

If my memory serves me right, there was an easy way to check if your ID card was affected and it got replaced for free. The flaws described in paper are not known to exist in cards issued since the end of 2018, beginning of 2019.
Etheryte, almost 5 years ago
The aftermath of the issue has been previously discussed here (2018): https://news.ycombinator.com/item?id=18104861
bragh, almost 5 years ago
Brave guy to publish this, hopefully it won't end up similar to the Dreyfus affair — depends on which the media will roll due to it being "pickled cucumber season" (everybody is on vacation, nothing much happening during summer in Estonia). The flaws of the ID-card is a very politically charged topic to discuss in Estonia, having any doubts about the ID-card or e-voting will make you a persona non grata.
pier25, almost 5 years ago
I'm from the EU and considering incorporating my next company in Estonia.

Anyone else in a similar situation has any recommendations or ideas about this?
Stierlitz, almost 5 years ago
> In this paper, we describe several security flaws found in the ID card manufacturing process ..

Like accidentally on purpose, secure up to a point, but weak enough to allow the spooks to generate their own IDs. I mean if the cards were unhackable how would a spy do his job :]
noodlesUK, almost 5 years ago
So, an argument that I hear regularly is that having a mandatory centralised and cryptographic ID system really expedites certain ID-related tasks. Can anyone in Estonia comment on this? Within the US and U.K., there’s no mandatory ID, which I think is probably a good thing for civil liberties (no papers please, for instance), but also fosters certain industries such as credit reference agencies and has all sorts of weird side effects from bootstrapping things like SSNs and NI numbers into secrets. Are there companies like Jumio and Acuant in Estonia, or has the government rendered them pointless?
JoeAltmaier, almost 5 years ago
Seems interesting, but security flaws were in a countable (small) number of cases. Is this a general issue?
cordite, almost 5 years ago
Are these things PIV or something else?
fabianlindfors, almost 5 years ago
Are there any Estonians here on HN who would be willing to chat a bit about digital identities in your country? I'm working on bringing e-ID to more people (https://getpass.app/) and looking to get a better understanding of current solutions.

Feel free to reach out, my email is fabian (at) flapplabs.se