Cryptology ePrint Archive: Report 2017/880

Using the Estonian Electronic Identity Card for Authentication to a Machine (Extended Version)

Danielle Morgan and Arnis Parsovs

Abstract: The electronic chip of the Estonian ID card is widely used in Estonia to identify the cardholder to a machine. For example, the electronic ID card can be used to collect rewards in customer loyalty programs, authenticate to public printers and self-checkout machines in libraries, and even unlock doors and gain access to restricted areas.

This paper studies the security aspects of using the Estonian ID card for this purpose. The paper shows that the way the ID card is currently being used provides little to no assurance to the terminal about the identity of the cardholder. To demonstrate this, an ID card emulator is built, which emulates the electronic chip of the Estonian ID card as much as possible and is able to successfully impersonate the real ID card to the terminals deployed in practice. The exact mechanisms used by the terminals to authenticate the ID card are studied and possible security improvements for the Estonian ID card are discussed.

Category / Keywords: applications / smart cards, implementation

Original Publication (with major differences): NordSec 2017

Date: received 7 Sep 2017, last revised 19 Sep 2017

Contact author: arnis at ut ee

Available format(s): PDF | BibTeX Citation

Version: 20170919:101224 (All versions of this report)

Short URL: ia.cr/2017/880

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]