ARNIS PARSOVS ARNIS DISSERTATIONES INFORMATICAE UNIVERSITATIS TARTUENSIS 24 Estonian Electronic Card Identity and its Security Challenges ARNIS PARSOVS Estonian Electronic Identity Card and its Security Challenges Tartu 2021 1 ISSN 2613-5906 ISBN 978-9949-03-570-0 DISSERTATIONES INFORMATICAE UNIVERSITATIS TARTUENSIS 24 DISSERTATIONES INFORMATICAE UNIVERSITATIS TARTUENSIS 24 ARNIS PARSOVS Estonian Electronic Identity Card and its Security Challenges Institute of Computer Science, Faculty of Science and Technology, University of Tartu, Estonia. Dissertation has been accepted for the commencement of the degree of Doctor of Philosophy (PhD) in computer science on February 26, 2021 by the Council of the Institute of Computer Science, University of Tartu. Supervisors Dr. Jan Willemson Cybernetica AS Tartu, Estonia Prof. Dr. Dominique Unruh University of Tartu Tartu, Estonia Opponents Prof. Dr. George Danezis University College London London, United Kingdom Assoc. Prof. Dr. Petr Svenda Masaryk University Brno, Czech Republic The public defense will take place on April 9, 2021 at 14:15 via Zoom. The publication of this dissertation was financed by the Institute of Computer Science, University of Tartu. Copyright © 2021 by Arnis Parsovs ISSN 2613-5906 ISBN 978-9949-03-570-0i(print) ISBN 978-9949-03-571-7i(PDF) University of Tartu Press http://www:tyk:ee/ To Estonia – the world’s most advanced digital society ABSTRACT For more than 18 years, the Estonian electronic identity card (ID card) has provided a secure electronic identity for Estonian residents. The public-key cryptography and private keys stored on the card enable Estonian ID card holders to access e-services, give legally binding digital signatures and even cast an i-vote in national elections. This work provides a comprehensive study on the Estonian ID card and its security challenges. We introduce the Estonian ID card and its ecosystem by describing the involved parties and processes, the core electronic functionality of the ID card, related technical and legal concepts, and the related issues. We describe the ID card smart card chip platforms used over the years and the identity document types that have been issued using these platforms. We present a detailed analysis of the asymmetric cryptography functionality provided by each ID card platform and present a description and security analysis of the ID card remote update solutions that have been provided for each ID card platform. As yet another contribution of this work, we present a systematic study of security incidents and similar issues the Estonian ID card has experienced over the years. We describe the technical nature of the issue, mitigation measures applied and the reflections on the media. In the course of this research, several previously unknown security issues were discovered and reported to the involved parties. The research has been based on publicly available documentation, collection of ID card certificates in circulation, information reflected in media, information from the involved parties, and our own analysis and experiments performed in the field. 6 CONTENTS 1. Introduction 12 1.1. Research questions and tasks.................... 12 1.2. Methods and data sources...................... 14 1.3. Contributions............................ 14 1.4. Structure of the thesis........................ 16 2. Estonian ID card ecosystem 17 2.1. Historical background........................ 17 2.2. Main parties............................. 18 2.3. Document issuance......................... 19 2.4. ID card manufacturing....................... 20 2.5. Certificate Authority........................ 21 2.5.1. Legal framework....................... 22 2.5.2. Business model....................... 23 2.5.3. Customer service points................... 24 2.6. Oversight and development of eID field.............. 24 2.7. Electronic functionality of the ID card............... 25 2.8. Authentication function....................... 26 2.8.1. TLS client certificate authentication............. 27 2.9. Decryption function......................... 28 2.9.1. CDOC format........................ 29 2.9.1.1. Elliptic Curve (EC) support.............. 29 2.10. Digital signature function...................... 30 2.10.1. Signature creation devices.................. 31 2.10.2. Signature file formats.................... 33 2.10.3. Signature validation..................... 34 2.10.4. Long-term validity...................... 35 2.10.4.1. Collision attacks against SHA-1............ 35 2.10.4.2. TeRa (Tembeldamisrakendus)............. 37 2.11. PIN verification mechanism..................... 37 2.11.1. PIN envelope......................... 38 2.11.2. Preventing PIN guessing................... 39 2.11.3. PIN change.......................... 39 2.11.4. Issuance of new PIN envelopes............... 40 2.12. Personal data file.......................... 41 2.13. ID card software........................... 42 2.13.1. Vulnerabilities........................ 43 2.13.1.1. Certificate leakage in ID card browser extension... 43 2.13.1.2. Directory traversal vulnerability............ 43 7 2.13.1.3. ID card authentication man-in-the-middle attack using browser signing extension............... 44 2.13.1.4. Other vulnerabilities.................. 44 2.14. Smart card readers.......................... 45 2.14.1. Smart card readers with PIN pad.............. 45 2.15. Validity lifecycle of the ID card and its certificates......... 46 2.16. Certificates and personal data therein................ 48 2.17. LDAP certificate repository..................... 48 2.17.1. Certificates analyzed in this study.............. 50 2.18. @eesti.ee email address...................... 51 3. Chip platforms and identity document types 52 3.1. MICARDO platform........................ 52 3.1.1. Identity card ......................... 53 3.1.2. MICARDO-powered ID cards................ 54 3.1.2.1. MICARDO platform versions............. 55 3.1.3. ITSEC certification..................... 58 3.2. MULTOS platform......................... 59 3.2.1. Digital identity card ..................... 59 3.2.2. MULTOS-powered ID cards................. 60 3.3. jTOP SLE66 platform........................ 61 3.3.1. JavaCard and GlobalPlatform................ 61 3.3.2. jTOP SLE66-powered ID cards............... 61 3.3.3. Identity card ......................... 62 3.3.4. Residence permit card .................... 63 3.3.5. Common Criteria certification peculiarities......... 65 3.4. jTOP SLE78 platform........................ 66 3.4.1. jTOP SLE78-powered ID cards............... 66 3.4.1.1. EstEID applet versions................. 67 3.4.2. Identity card ......................... 67 3.4.3. Residence permit card .................... 68 3.4.4. Digital identity card ..................... 69 3.4.5. E-resident’s digital identity card .............. 69 3.4.6. NFC-enabled digital identity card .............. 70 3.4.7. Diplomatic identity card ................... 70 3.5. IDEMIA platform.......................... 71 3.5.1. IAS-ECC applet....................... 73 3.5.2. EE-GovCA2018....................... 74 3.5.3. Contactless interface..................... 74 3.5.4. Residence permit card .................... 75 3.5.5. Common Criteria certification................ 76 3.5.5.1. Compliance issues................... 76 3.6. ID card test cards.......................... 77 8 3.7. SEB employee card......................... 78 4. Asymmetric cryptography provided by ID card platforms 80 4.1. MICARDO platform........................ 80 4.1.1. RSA key generation..................... 81 4.1.2. RSA private key operations................. 83 4.2. MULTOS platform......................... 85 4.2.1. RSA key generation..................... 85 4.2.2. RSA private key operations................. 86 4.3. jTOP SLE66 platform........................ 87 4.3.1. RSA key generation..................... 87 4.3.2. RSA key import....................... 90 4.3.3. RSA private key operations................. 91 4.4. jTOP SLE78 platform........................ 92 4.4.1. RSA key generation..................... 92 4.4.2. RSA private key operations................. 94 4.4.3. ECC key generation..................... 95 4.4.4. ECC private key operations................. 95 4.4.4.1. Invalid ECDSA signatures............... 97 4.4.4.2. Randomness in ECDSA signing process....... 97 4.5. IDEMIA platform.......................... 98 4.5.1. ECC private key operations................. 98 4.6. Summary comparison........................ 99 5. ID card remote update solutions 100 5.1. EstEID secure messaging...................... 100 5.1.1. EstEID secure messaging protocol............. 101 5.1.2. Session key negotiation phase................ 101 5.1.3. Secure messaging phase................... 102 5.1.4. Card impersonation attack.................. 102 5.1.4.1. Attack......................... 102 5.1.4.2. Mitigation....................... 103 5.1.4.3. Disclosure....................... 104 5.1.4.4. Failure of ITSEC certification process......... 104 5.1.5. MAC protection using the CMK directly.......... 105 5.2. MICARDO-powered ID cards................... 105 5.2.1. Remote update protocol................... 106 5.2.2. Security analysis....................... 107 5.2.2.1. Bringing a card to an inconsistent state........ 108 5.2.2.2. Exporting the generated key.............. 108 5.2.2.3. Obtaining a certificate for a key generated outside the card........................... 108 5.2.2.4. Disclosure....................... 108 9 5.3. jTOP SLE66-powered ID cards................... 108 5.4. jTOP SLE78-powered