A group of Czech security researchers earlier this year discovered a way to steal identities from electronic ID cards used in a number of countries, a flaw known in the cryptography industry as the ROCA vulnerability. So far, the vulnerability has caused problems in Estonia — the country with perhaps the most comprehensive e-identification and e-government system in the world — and in Spain. Former Estonian President Toomas Hendrik Ilves, a tireless promoter of his country’s e-democracy, has said that other countries and institutions have the same problem, too; they’re just not talking openly about it. He’s very likely right. The discovery poses an important question: Could we perhaps be overeager to adopt technological solutions to problems that don’t necessarily require them?
Cryptographic smartcards use two mathematically linked keys to encrypt and decrypt information: a public one and a private one. The owner is free to hand out the former but must hold on to the latter. She can, for example, sign a document with the private key, and the public one can then be used to verify the signature. The researchers from Masaryk University discovered that a software library from the German company Infineon, used in many smartcards, made it too easy to compute private keys from public ones. That potentially creates opportunities for identity theft or the dissolution of millions of electronically signed contracts.
Infineon has changed the key generation algorithm to fix the flaw, but millions of cards out there, including 750,000 Estonian ones, ended up needing a certificate update. For tiny Estonia, which has made advanced technology its global differentiation point, a single case of identity theft could be a reputational disaster, so the nation’s government decided to be transparent about the update. Predictably, though, when tens of thousands of people attempted to install the update, waiting times and failures mounted. After spending hours trying to update her ID card, Theresa Bubbear, the U.K. ambassador to Estonia, wondered in a tweet on Nov. 2 whether “eEstonia” might be “losing its shine.” Only on Nov. 16 did she finally tweet “Hallelujah!” as the update came through.
Full Article: E-Government Sounds Great Until the First Hack – Bloomberg.