“The functioning of an e-state is based on trust, and the state cannot afford identity theft happening to the owner of an Estonian ID card,” said Estonia Prime Minister Jüri Ratas.
Estonia on Friday blocked the certificates of 760,000 national ID cards in response to a cryptographic vulnerability that researchers have discovered is even more dangerous than originally reported.
Citizens with cards issued between between Oct. 16, 2014 and Oct. 25, 2017 must now renew them at an Estonia Police and Border Guard Board service point before they can be used for secure electronic services such as “i-voting,” e-banking, and using e-prescriptions. Cards that are not updated can still be used as identification documents, however.
Last month, the Baltic nation issued a public notice about the vulnerability, dubbed ROCA (Return of Coppersmith’s Attack), which researchers from Centre for Research on Cryptography and Security discovered in various cryptographic chips manufactured by Infineon Technologies AG. The researchers described the vulnerability, officially designated CVE-2017-15361, as an algorithmic RSA generation flaw that “makes factorization of commonly used key lengths, including 1024 and 2048 bits, practically possible.”
In other words, even without physical access to an ID card and its corresponding PIN code, attackers can decrypt the card’s security protections and ultimately steal its owner’s identity simply by knowing the public key.
An Oct. 16, 2017 government notice assured the public that it would take expensive computing power to fully exploit such a vulnerability, and that there was no evidence any such attack was attempted in the wild. However, new research has found that cracking ID cards’ keys is quicker and easier than initially thought.
The original researchers stated that on a single core of a common recent CPU, their exploit would on average be expected to compute the private part of a 1024-bit RSA key in fewer than 45 days and a 2048-bit key in fewer than 50 years. And by adding an exponential number of additional CPUs to the mix, these timetables could be reduced to a matter or hours or days.
But in a Nov. 5 posting on “The cr.yo.to blog,” researchers Daniel J. Bernstein and Tanja Lange have reported that they were able to factor Infineon’s 1024-bit and 2048-bit keys even faster than the previous researchers did. Furthermore, the research duo determined that the cost of conducting such attacks on a large scale would be lower than the previous researchers’ estimates of $76 for 1024-bit encryption and $40,000 for 2048-bit encryption.
“We are happy to see Estonia finally blocking the Infineon keys… but tremendous damage could already have been done,” state Bernstein and Lange in their blog post.
“The danger of the security threat becoming real is increased by the fact that it was not a flaw of the Estonian ID card alone, but also included cards and computer systems around the world that use the chips by the same producer,” Ratas continued. “This brought the safety flaw to the attention of international cybercrime networks which have significant means to take advantage of the situation.”
ROCA also has affected keys in products from such major vendors as Microsoft, Google, HP, Lenovo, and Fujitsu, who have already released software updates and guidelines for a mitigation.