By the time Prime Minister Jüri Ratas unveiled a vulnerability in the Estonian ID-card in early September, a State Information System’s Authority (RIA) workgroup already knew what had to be done to address it. The agency has now completed a prototype of new ID-card software and is set to start updating ID-cards in November.
RIA handed out the first ID-cards sporting new software for testing late last week. The test cards were distributed primarily to banks so they could rework their e-services to work with the new software.
The change is not extensive, but it is fundamental. Today, nearly 750,000 ID-cards use a 2048-bit RSA algorithm for digital signatures and other services; the update will switch them to an elliptic-curve algorithm instead.
This will allow RIA to bypass a theoretical vulnerability in the base software of the Gemalto chips discovered by Czech researchers. The scientists found that the Gemalto chip can generate weaker encryption keys under certain conditions.
“The vulnerability will not manifest if we switch to elliptical algorithms,” said Margus Arm, head of the eID unit at RIA.
This means that people who download new ID-card software starting from late October and use it to update their card certificates in November will be free of the theoretical vulnerability in their cards. Use of elliptic-curve algorithms is nothing new, as the solution has been used with the Estonian Mobile-ID service since 2014.
Even though the solution already exists, it will reach the public in late October, after local government council elections. The reason is simple: the ball is currently in the court of hundreds of e-service providers that need to make sure their services work with the new encryption method. Services like online banking, e-reception and others cannot be allowed to stop functioning after the update. The older the systems and environments, the greater the chance they will need to be updated, for which service providers themselves will have to pay.
“We are not catching our breaths yet – our testers are working round the clock. We need to make sure the entire chain works,” Arm said. Providers of e-services have not reported major problems to RIA so far; however, a lot of the testing work is still to be done.
Director General of RIA Taimar Peterkop said that it was a positive surprise how the serious problem was solved in under three weeks. “I saw first-hand how companies jumped on board when they saw the state was in trouble. It is the advantage of a small country, something big ones cannot do,” he said.
The most important part of brainstorming was done during the weekend of September 2-3, before the vulnerability was made public. That is when experts from RIA, the Police and Border Guard Board (PPA), the certification center, and Gemalto decided that the best solution would be to change the ID-card’s encryption algorithm.
Because RIA is a systems operator and not a developer, it involved employees of Nortal and Cybernetica in the work. Several other companies contributed, including Guardtime, which volunteered to help.
Two sets of software were updated: the ID-card software in people’s computers and software on the card’s chip. RIA is responsible for the former, while it is up to Gemalto to make sure new ID-cards that will be adopted in November already include the new software.
It remains unclear how much bypassing the vulnerability will cost, although Peterkop believes the sum will have seven figures. “If everything goes to plan, we will have handled it – prevented the risk from manifesting by spending a few million euros, which rather makes this a chapter in our e-state’s success story,” the director said.
This requires an ambitious plan to be executed in the coming months: to have everyone who uses the ID-card to access e-services update the software from home in two months. People will have from November until the end of the year to download and install the updates.
“We are racing against time; we believe potential attacks will not be carried out in that time,” Peterkop said.
People who fail to update their card software will not be able to access e-services. Considering the number of cards that need to be updated and technical restrictions, RIA believes there could be considerable pressure on the updating process.
Tech journalist Henrik Roonemaa said that a prototype solution does not mean there is no more risk. “People will have to go through with these updates, it will take time, and some cards will probably be closed from April. Because until then it will be impossible to claim no one has defeated the encryption,” Roonemaa said.
He added that negative attention and damage to Estonia’s reputation can still be turned around. “If fixing the problem is communicated as forcefully and thoroughly as its discovery, I believe we will have done very well indeed. It should definitely boost the credibility of the e-state in the big picture,” he said.