RIA handed out the first ID-cards sporting new software for testing late last week. The test cards were distributed primarily to banks so they could rework their e-services to work with the new software.
The change is small in scope but fundamental. Today nearly 750,000 ID-cards use a 2048-bit RSA key for digital signatures and other services; the update will switch them to an elliptic-curve algorithm instead.
This lets RIA sidestep a theoretical vulnerability in the base software of the Gemalto chips discovered by Czech researchers. The scientists found that the Gemalto chip can generate weaker encryption keys under certain conditions.
“The vulnerability will not manifest if we switch to elliptical algorithms,” said Margus Arm, head of the eID unit at RIA.
This means that people who download the new ID-card software from late October and use it to update their card certificates in November will be free of the theoretical vulnerability in their cards. Elliptic-curve algorithms are nothing new in Estonia: the same solution has been used with the Mobile-ID service since 2014.
Even though the solution already exists, it will only reach the public in late October, after the local government council elections. The reason is simple: the ball is currently in the court of hundreds of e-service providers, who need to make sure their services work with the new encryption method. Services like online banking, e-reception and others cannot be allowed to stop functioning after the update. The older the systems and environments, the greater the chance they will need updating, at the service providers' own expense.
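The work facing e-service providers is essentially this: a verifier written only for RSA cards will reject every signature from an updated card, so it has to dispatch on the key type and accept both during the transition. The following Go program is an added illustration of that check, not RIA's or any provider's code; the curve (P-256), hash (SHA-256) and signature encodings (PKCS#1 v1.5 for RSA, ASN.1 DER for ECDSA) are assumptions, since the article does not state the parameters used on the cards.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// KeyKind labels which signature scheme a card certificate's public key uses.
type KeyKind string

const (
	KindRSA     KeyKind = "RSA"
	KindECDSA   KeyKind = "ECDSA"
	KindUnknown KeyKind = "unknown"
)

// ClassifyKey reports which scheme a public key belongs to. A service that
// only ever handled *rsa.PublicKey would reject every card after the update.
func ClassifyKey(pub crypto.PublicKey) KeyKind {
	switch pub.(type) {
	case *rsa.PublicKey:
		return KindRSA
	case *ecdsa.PublicKey:
		return KindECDSA
	default:
		return KindUnknown
	}
}

// VerifyAny checks a signature over msg, dispatching on the key type so that
// both legacy RSA cards and updated elliptic-curve cards verify correctly.
// Assumed encodings: RSA = PKCS#1 v1.5 over SHA-256, ECDSA = ASN.1 DER (r, s).
func VerifyAny(pub crypto.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	switch k := pub.(type) {
	case *rsa.PublicKey:
		return rsa.VerifyPKCS1v15(k, crypto.SHA256, digest[:], sig) == nil
	case *ecdsa.PublicKey:
		return ecdsa.VerifyASN1(k, digest[:], sig)
	default:
		return false
	}
}

// signWith stands in for the card: crypto.Signer picks PKCS#1 v1.5 for RSA
// keys and ASN.1-encoded ECDSA for EC keys when given crypto.SHA256 as opts.
func signWith(priv crypto.Signer, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return priv.Sign(rand.Reader, digest[:], crypto.SHA256)
}

// RoundTrip generates a throwaway key of the given kind, signs a constructed
// message and reports whether the verifier accepts the genuine signature and
// rejects a tampered message. Running it for both kinds is the minimal check
// a provider can do before the card update ships.
func RoundTrip(kind KeyKind) (bool, error) {
	msg := []byte("constructed sample: e-service login challenge")
	var signer crypto.Signer
	var err error
	switch kind {
	case KindRSA:
		signer, err = rsa.GenerateKey(rand.Reader, 2048) // assumed legacy size
	case KindECDSA:
		signer, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // assumed curve
	default:
		return false, fmt.Errorf("unsupported key kind %q", kind)
	}
	if err != nil {
		return false, err
	}
	sig, err := signWith(signer, msg)
	if err != nil {
		return false, err
	}
	tampered := append([]byte{}, msg...)
	tampered[0] ^= 1
	pub := signer.Public()
	return VerifyAny(pub, msg, sig) && !VerifyAny(pub, tampered, sig), nil
}

func main() {
	for _, k := range []KeyKind{KindRSA, KindECDSA} {
		ok, err := RoundTrip(k)
		fmt.Printf("%-5s verifier ok=%v err=%v\n", k, ok, err)
	}
}
```

The type switch is the whole point: the service keeps accepting RSA signatures from cards that have not yet been updated, while signatures from re-certified cards no longer fall into a "not an RSA key" error path.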
“We are not catching our breath yet – our testers are working round the clock. We need to make sure the entire chain works,” Arm said. Providers of e-services have not reported major problems to RIA so far; however, a lot of the testing work is still to be done.
Director General of RIA Taimar Peterkop said it was a positive surprise that such a serious problem was solved in under three weeks. “I saw first-hand how companies jumped on board when they saw the state was in trouble. It is the advantage of a small country, something big ones cannot do,” he said.
The most important part of brainstorming was done during the weekend of September 2-3, before the vulnerability was made public. That is when experts from RIA, the Police and Border Guard Board (PPA), certification center, and Gemalto decided that the best solution would be to change the ID-card’s encryption algorithm.