“In the cases we found, the chance that keys were generated by the cards themselves was microscopic. That is why it is as good as certain that the keys have not been generated on the cards,” Ansper explained.
What happened? Ansper said it is likely Gemalto had programmed the system to generate keys outside chips during that period.
“It probably followed some sort of practical consideration, perhaps to save time. Generating the keys outside the card can probably be done relatively quickly. Having the chip do it could take quite a bit of time,” he said.
Generating the private keys on the chips can take minutes, but it can also take much longer depending on the situation. It seems that Gemalto was able to fix the bottleneck after 2014 and no more keys were generated outside chips.
This recent vulnerability is very different from the fault found by Czech scientists. The cards that sport the weakness are not in risk of being hacked. It is only possible to steal that faulty key.
New lawsuit in the air
Ansper said that it is impossible to speculate whether any weak keys have been stolen. “There might be no such keys. It would take a very thorough investigation to determine something like that. Frankly, I do not even know whether it would be possible,” he added.
Director General of RIA Taimar Peterkop said that the agency has been aware of a potential security fault from the beginning of last year, and that it has been very difficult to move forward with this knowledge.
“It has constantly been at the back of my mind; I’ve been losing sleep over it from last February,” Peterkop said. He added that there are no new ID-card security issues on the agency’s radar.
The PPA has filed a new claim for damages with Gemalto over the fault. The agency’s document expert Kaija Kirch said that the company replied yesterday that it does not recognize the violation or accept the claim. The PPA and RIA do not rule out suing Gemalto over the former and recent security faults.
“We filed a claim when we had finished our initial analysis. They replied late yesterday evening and denied everything. They have not said anything else,” Kirch said. She is not at liberty to disclose the volume of the claim.
Margus Arm said that the analysis suggests the fault lied with the process Gemalto had created. “We find that we hit the wall every time we talk to the manufacturer. They say nothing of the sort has happened,” Arm said.
The PPA has also carried out a service audit. It found that the agency had no idea the manufacturer was generating keys outside chips.
“We also have no reason to believe that affected cards have been misused or that someone has access to their private keys. While it is theoretically possible, there are no signs of any incidents at this time,” the police communicated.
Gemalto will continue to manufacture ID-card chips until the end of this year. Postimees contacted the company’s representative for comments but did not receive a reply by the time the article went to print.