Paper 2017/880

Using the Estonian Electronic Identity Card for Authentication to a Machine (Extended Version)

Danielle Morgan and Arnis Parsovs

Abstract

The electronic chip of the Estonian ID card is widely used in Estonia to identify the cardholder to a machine. For example, the electronic ID card can be used to collect rewards in customer loyalty programs, authenticate to public printers and self-checkout machines in libraries, and even unlock doors and gain access to restricted areas. This paper studies the security aspects of using the Estonian ID card for this purpose. The paper shows that the way the ID card is currently being used provides little to no assurance to the terminal about the identity of the cardholder. To demonstrate this, an ID card emulator is built, which emulates the electronic chip of the Estonian ID card as much as possible and is able to successfully impersonate the real ID card to the terminals deployed in practice. The exact mechanisms used by the terminals to authenticate the ID card are studied and possible security improvements for the Estonian ID card are discussed.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Published elsewhere. MAJOR revision.NordSec 2017
Keywords
smart cardsimplementation
Contact author(s)
arnis @ ut ee
History
2017-09-19: revised
2017-09-17: received
See all versions
Short URL
https://ia.cr/2017/880
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2017/880,
      author = {Danielle Morgan and Arnis Parsovs},
      title = {Using the Estonian Electronic Identity Card for Authentication to a Machine (Extended Version)},
      howpublished = {Cryptology ePrint Archive, Paper 2017/880},
      year = {2017},
      note = {\url{https://eprint.iacr.org/2017/880}},
      url = {https://eprint.iacr.org/2017/880}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.