Police and Border Guard Board: International Research Work Addresses Security of Estonian ID Card

For their research report “Efficient Padding Oracle Attacks on Cryptographic Hardware”, an international group of cryptologists tested the security of several encryption systems, including the standards used by the Estonian ID card. The theoretical security risk emphasised in the report cannot actually be abused to attack an ID card, since it would require the person to know the ID card’s PIN code.
Research publications on theoretical security risks are published constantly and the institutions responsible for the security of Estonian ID cards keep themselves up to date on the newest information. In order to offer residents the most secure ID card solution possible, we work together actively with the private sector and research institutions both in Estonia and internationally. We gave an Estonian ID card to this group for testing purposes last year and Estonian experts have analysed the results of the study.
Since the tests carried out by the cryptologists required both the ID card and knowledge of its password, their discoveries are purely theoretical. In essence they were evaluating a situation in which one can pick open a lock if he is first given the key.
The cryptologists used a 2011 ID card for their testing. The ID cards issued in 2012 contain a newer chip, so the cryptologists’ theoretical discovery does not apply to the newer cards.
Over the past few weeks false information has been spreading across the internet that suggests that in this research the cryptologists discovered the possibility of breaking through the encryption system in a matter of 13 minutes. There are no grounds for this claim. See also the RSA blog post from 26 June.
We recommend that all ID card users follow basic security precautions. Do not allow your ID card to land in the hands of a stranger and do not write your PIN code on the card or keep it in the same place as the card in your wallet. Also be sure that your computer has updated virus protection and do not keep the ID card in the card reader for longer than necessary.

Police and Border Guard Board

Topic: CERT, PKI

Added 05.07.2012
