International Internet Magazine. Baltic States news & analytics Thursday, 25.04.2024, 02:51

Cracking of one ID card would require Estonia to deactivate 750,000 cards

BC, Tallinn, 04.10.2017.
Should even one of Estonia's electronic ID cards be cracked, the certification center of the Police and Border Guard Board would be obliged under law to close all the 750,000 or so cards containing the chip in which a security flaw was discovered earlier in 2017, LETA/BNS reports.

"In principle, if someone manages to crack the card and the Information System Authority confirms this, the certificate will be revoked. In such a case all the cards with the security risk must be closed," Kirsti Ruul, spokesperson for the Police and Border Guard Board, told BNS.


Margit Ratnik, head of the office for identity and status at the Police and Border Guard Board, said that realization of the security risk in one case would mean that the certificates of all cards affected by the security risk will be revoked.


"In the event that there is sound evidence that the risk has materialized, the Police and Border Guard Board as the issuer of the document will revoke the certificates of all the cards affected by the security risk. This means that it will be no longer possible to use these cards electronically after the certificates have been revoked. The ID cards not affected by the security risk will continue to be valid and it will continue to be possible to use them electronically," Ratnik said.


The legal obligation to revoke the certificate arises from the Identity Documents Act, which says that the issuer of the document may revoke the certificate if there is a reason to believe that it is possible to use the private key corresponding to the public key contained in the certificate without the consent of the certificate holder.


Besides, the Electronic Identification and Trust Services for Electronic Transactions Act puts an obligation on the trust service provider, that is, the certification center, to revoke a certificate if this is sought by a competent authority or the holder of the certificate. If a certificate holder has a doubt that it is possible to use the private key corresponding to a public key contained in the certificate without his or her consent, the certificate holder has the obligation to request revocation of the certificate.


Ruul added, however, that the theoretical security risk discovered by Czech scientists, of which Estonia was notified, does not provide sufficient grounds for revoking the certificates of all the cards affected by the risk. But such an obligation would arise if a concrete card is cracked.


The government, the Information System Authority and the Police and Border Guard Board announced at the beginning of September that Czech scientists had discovered a security flaw in the chip of the electronic ID card. The risk affects cards issued after October 2014, which number approximately 750,000.


According to available information, the security risk has never materialized. Estonia has closed the public key database of the electronic ID cards, as the security flaw cannot be exploited for cracking the encryption on the chip of a card without knowing the public key.





