SlideShare a Scribd company logo

Codebits 2011

Martin Paljak
Martin Paljak

Some eID related thoughts from Estonia.

TechnologyBusiness
1 of 40
Download to read offline
Paranoid crypto citizen A story of Estonian eID, OpenSC and FUD
Topics • Estonian ID-card history • Client software evolution & OpenSC • Misc uses for the card and some “hacks” • Generic PKI-paranoia mixed with FUD
# id • Martin Paljak, ~30 • From periphery of Estonia • ID-card user/hacker since 2003 • Wearing my (invisible) tinfoil hat today
Estonian ID-card • Introduced in 2002 (conceived in ~1999) • Currently ~1.1million cards (~1.35 million citizens) • ~400000 active electronic users • 4th generation of card in circulation + Mobile-ID • Non/pre-standard on-card structures
What can it do? • Authentication (certificate) • Legally binding signatures (certificate) • Visual ID (electronic ID as well) • Decryption (for data in motion)
In the beginning ...
SOFTWARE • Initially no client drivers procured with cards • Windows-only binary effort by the (commercial) CA • Signature is THE product for the CA • CA makes money from signatures (OCSP)
Say WHAT? • €€€ for one of the pillars of PKI (OCSP)? • Paranoia alert: binary only software? • FUD alert: if I sell my car, how do I know that I’m not selling my home instead?
“Das Bundestrojaner” anyone?
Volunteers to the rescue! • “Open Source is about scratching your own itch” • I haz Debian • Create card driver with open source • I buy Mac • Y U NO MAKE MAC SOFTWAREZ ?
No real documentation
Y U NO GIVE DOCS ?
Extreme measures • People smashing the chip with a hammer • Cryptographers disabling their certificates • “I did not generate those keys!” • Tinfoil envelopes (and hats!) • But no ICAO/RFID on the card... • Knowledgeable people writing satire...
OpenSC • Started by a Finn named JuhaYrjölä in ~2001 • Open source smart card middleware • Includes support for several cryptographic smart cards (national eID-s,“blank” cards, etc) • Not necessarily the cutest piece of software • It uses OpenSSL ;)
Born from desperation ... of not having any software ...
OpenSC the software • First custom Linux code & PKCS#11 • Then OS X - Tokend • Now deprecated from 10.7+ • Now slowly Windows code - MiniDriver • Extra cruft to support not a single card but many cards with common goals • A framework, sort of
Purpose “Implement API-s and platform modules used by real life applications, to provide those applications access to on-card capabilities”
Avoid “NASCAR effect”
OpenSC the project • Not to be confused with opensc.ws, a trojan forum • Not to be confused with opensc-vdr, some SAT-TV card-sharing thing (also illegal) • An umbrella for people, code and projects with one goal: use various cryptographic hardware.With open source. Especially smart cards. • New goal: reduce fragmentation in Linux and improve interoperability between libraries (OpenSSL, NSS, GnuTLS etc) with PKCS#11
Back to Estonia ...
2007 • Government finally opens a tender for eID middleware software • Based on existing open source code ;) • Official E-voting happened in 2005 without official middleware to use the card on “other” platforms... • New, slightly different version of the card
2007 • Campaign to increase electronic users of the PKI system to 400000 in 3 years • Cheap (6€) OmniKey card readers subsidized by government made available • Mobile-ID (WPKI) for driverless operation introduced
2010 • eID usage has increased tremendously • People depend on it for online lifestyle • “Temporary-ID” card introduced (incompatible with original card), to have a backup card if needed. Electronic use only. • Software procurement failed, a fork of forked open source code is created.
2011 • A new (incompatible) card is introduced, with 2048 bit RSA keys. • There is finally “official software” available to everyone, with real support. Open source. Uses OpenSC for some parts. • Smartphones make Mobile-ID an interesting subject • I get to plant paranoia on Codebits :)
What has changed?
IMPORTANT • Smart card authentication != PIN verification!!! • Presenting your ID-card without the security guy doing a face<>card check != ID verification. •Identification •Authentication •Authorization
Door lock with ID+PIN • Enter your ID card • Type the PIN on keypad • Simsalabim, door opens • Remember EMV “CHIP+PIN” ?
In Bigger cities of Estonia • Pay money to a company for credit • Present your ID-card to public transport workers when asked • Checked from database, if your ID-code has a ticket. • But municipal workers are not border guards ;)
A Public Library • Pay money to secretary for credit • Insert ID-card at copy machine • Machine does: • database_lookup(id_code_on_card)->credit--; • You do: • A card that “looks” like your roommates card • TIP: always do cryptographic verification!
Common patterns • Actually abusing the system • Developing a “database nation” • For the government, your identity becomes just a primary key in the database ...
PARANOIA ALERT! “One Card to rule them all, One Card to find them, One Card to bring them all and in the darkness bind them.”
E-voting • You encrypt your vote with the e-voting system’s public key (anonymous) • You sign the encrypted vote and send it over the internet to the “ballot collector” • Ballot box checks your eligibility to vote, removes your signature and forwards the encrypted vote to the “ballot box” • Anonymous votes get decrypted and counted offline
Things to consider • Vote-forging it not tied to ID-card • Don’t care (but authentication is) • Things are heavily monitored • Don’t care (police will knock on door) • ZEUS trojan has a smart card module • Don’t care (but precautions are taken) • Haters gonna hate.
Trust? “It is OK to use card you don’t trust to interact with a government you don’t trust”
Use and abuse • “Automatically select certificate” • Identification of visitors, for fun or profit • Remove your card if not using it! • Trojans steal PIN codes and send to ... • Use pinpad readers! • Secure pinpad readers coming to market.
The good, the bad, the awful • Biggest issue: fault in infrastructure • The basic “SSL/PKI” complaints apply • No breach from systematic failure has happened, AFAIK. • DON’T PANIC! • Do business from anywhere, like Sintra!
Transparency FTW • ... helps to fight FUD • ... helps to fight paranoia • ... helps to keep things auditable • Use open source software • Use public documentation • If it is hackable, it will be hacked anyway.
Thanks for listening! Questions? See you at FOSDEM 2012 Security/Crypto devroom! www.opensc-project.org

Recommended

Io t privacy and security considerations
Io t privacy and security considerationsIo t privacy and security considerations
Io t privacy and security considerations
Yves Goeleven
 
Types of computer_hardware
Types of computer_hardwareTypes of computer_hardware
Types of computer_hardware
Abdul Basit
 
Smart OpenID & Mobile Network Security
Smart OpenID & Mobile Network SecuritySmart OpenID & Mobile Network Security
Smart OpenID & Mobile Network Security
Andreas Leicher
 
Brightbox infographic Key paradigms
Brightbox infographic Key paradigmsBrightbox infographic Key paradigms
Brightbox infographic Key paradigms
Joel Martin
 
Biometric identification
Biometric identificationBiometric identification
Biometric identification
Bozhidar Bozhanov
 
JavaCard development Quickstart
JavaCard development QuickstartJavaCard development Quickstart
JavaCard development Quickstart
Martin Paljak
 
OpenSC: eID interoperability through open source software
OpenSC: eID interoperability through open source softwareOpenSC: eID interoperability through open source software
OpenSC: eID interoperability through open source software
Martin Paljak
 
Veebis allkirjastamine ID-kaardiga
Veebis allkirjastamine ID-kaardigaVeebis allkirjastamine ID-kaardiga
Veebis allkirjastamine ID-kaardiga
Martin Paljak
 

Recommended

Io t privacy and security considerations
Io t privacy and security considerationsIo t privacy and security considerations
Io t privacy and security considerations
Yves Goeleven
 
Types of computer_hardware
Types of computer_hardwareTypes of computer_hardware
Types of computer_hardware
Abdul Basit
 
Smart OpenID & Mobile Network Security
Smart OpenID & Mobile Network SecuritySmart OpenID & Mobile Network Security
Smart OpenID & Mobile Network Security
Andreas Leicher
 
Brightbox infographic Key paradigms
Brightbox infographic Key paradigmsBrightbox infographic Key paradigms
Brightbox infographic Key paradigms
Joel Martin
 
Biometric identification
Biometric identificationBiometric identification
Biometric identification
Bozhidar Bozhanov
 
JavaCard development Quickstart
JavaCard development QuickstartJavaCard development Quickstart
JavaCard development Quickstart
Martin Paljak
 
OpenSC: eID interoperability through open source software
OpenSC: eID interoperability through open source softwareOpenSC: eID interoperability through open source software
OpenSC: eID interoperability through open source software
Martin Paljak
 
Veebis allkirjastamine ID-kaardiga
Veebis allkirjastamine ID-kaardigaVeebis allkirjastamine ID-kaardiga
Veebis allkirjastamine ID-kaardiga
Martin Paljak
 
OpenDNIe Hackfest
OpenDNIe HackfestOpenDNIe Hackfest
OpenDNIe Hackfest
Martin Paljak
 
ID-kaardist 100%
ID-kaardist 100%ID-kaardist 100%
ID-kaardist 100%
Martin Paljak
 
Security applications with Java Card
Security applications with Java CardSecurity applications with Java Card
Security applications with Java Card
Julien SIMON
 
Javacardtech
JavacardtechJavacardtech
Javacardtech
Vivek Bajpai
 
eSmartlock a USB Javacard dongle with anti-piracy and DRM services
eSmartlock a USB Javacard dongle with anti-piracy and DRM serviceseSmartlock a USB Javacard dongle with anti-piracy and DRM services
eSmartlock a USB Javacard dongle with anti-piracy and DRM services
Yiannis Hatzopoulos
 
eSmartlock - an antipiracy dongle with integrated DRM functionalities
eSmartlock - an antipiracy dongle with integrated DRM functionalitieseSmartlock - an antipiracy dongle with integrated DRM functionalities
eSmartlock - an antipiracy dongle with integrated DRM functionalities
Yiannis Hatzopoulos
 
Electronic identification
Electronic identificationElectronic identification
Electronic identification
Bozhidar Bozhanov
 
Innovating the hell out of banking #withCIB
Innovating the hell out of banking #withCIBInnovating the hell out of banking #withCIB
Innovating the hell out of banking #withCIB
Péter Harang
 
The Internet of Things and You
The Internet of Things and YouThe Internet of Things and You
The Internet of Things and You
TechWell
 
Inside .NET Smart Card Operating System
Inside .NET Smart Card Operating SystemInside .NET Smart Card Operating System
Inside .NET Smart Card Operating System
SensePost
 
Smart Cards, ePassports, and open source
Smart Cards, ePassports, and open sourceSmart Cards, ePassports, and open source
Smart Cards, ePassports, and open source
Martijn Oostdijk
 
E-voting
E-votingE-voting
E-voting
Bozhidar Bozhanov
 
How... Do you know?
How... Do you know?How... Do you know?
How... Do you know?
Aleksandra Gavrilovska
 
SmartCard Forum 2011 - Chytré karty dnes a za 20 let
SmartCard Forum 2011 - Chytré karty dnes a za 20 letSmartCard Forum 2011 - Chytré karty dnes a za 20 let
SmartCard Forum 2011 - Chytré karty dnes a za 20 let
OKsystem
 
The Future of Secure Documents
The Future of Secure DocumentsThe Future of Secure Documents
The Future of Secure Documents
Darren Corbett
 
Securing Your Bitcoins - Kitten Tofu
Securing Your Bitcoins - Kitten TofuSecuring Your Bitcoins - Kitten Tofu
Securing Your Bitcoins - Kitten Tofu
Bitcoin Barcamp
 
Steps and Tips to Protect Yourself and your Private Information while Online....
Steps and Tips to Protect Yourself and your Private Information while Online....Steps and Tips to Protect Yourself and your Private Information while Online....
Steps and Tips to Protect Yourself and your Private Information while Online....
Abzetdin Adamov
 
Introduction to iot and arduino uno r3
Introduction to iot and arduino uno r3Introduction to iot and arduino uno r3
Introduction to iot and arduino uno r3
Saurav Chaudhary
 
smartcard-120830090352-phpapp02.pdf
smartcard-120830090352-phpapp02.pdfsmartcard-120830090352-phpapp02.pdf
smartcard-120830090352-phpapp02.pdf
ssuser5b47c8
 
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdfVerifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Kristina Yasuda
 
Cybercrime Mobile and Wireless Devices.pptx
Cybercrime Mobile and Wireless Devices.pptxCybercrime Mobile and Wireless Devices.pptx
Cybercrime Mobile and Wireless Devices.pptx
VivekanandaGN1
 
Hacker Halted 2014 - How to create permanent Domain Administrator privilege (...
Hacker Halted 2014 - How to create permanent Domain Administrator privilege (...Hacker Halted 2014 - How to create permanent Domain Administrator privilege (...
Hacker Halted 2014 - How to create permanent Domain Administrator privilege (...
EC-Council
 

More Related Content

Viewers also liked

eSmartlock - an antipiracy dongle with integrated DRM functionalities
eSmartlock - an antipiracy dongle with integrated DRM functionalitieseSmartlock - an antipiracy dongle with integrated DRM functionalities
eSmartlock - an antipiracy dongle with integrated DRM functionalities
Yiannis Hatzopoulos
 

Viewers also liked (6)

OpenDNIe Hackfest
OpenDNIe HackfestOpenDNIe Hackfest
OpenDNIe Hackfest
 
ID-kaardist 100%
ID-kaardist 100%ID-kaardist 100%
ID-kaardist 100%
 
Security applications with Java Card
Security applications with Java CardSecurity applications with Java Card
Security applications with Java Card
 
Javacardtech
JavacardtechJavacardtech
Javacardtech
 
eSmartlock a USB Javacard dongle with anti-piracy and DRM services
eSmartlock a USB Javacard dongle with anti-piracy and DRM serviceseSmartlock a USB Javacard dongle with anti-piracy and DRM services
eSmartlock a USB Javacard dongle with anti-piracy and DRM services
 
eSmartlock - an antipiracy dongle with integrated DRM functionalities
eSmartlock - an antipiracy dongle with integrated DRM functionalitieseSmartlock - an antipiracy dongle with integrated DRM functionalities
eSmartlock - an antipiracy dongle with integrated DRM functionalities
 

Similar to Codebits 2011

The Internet of Things and You
The Internet of Things and YouThe Internet of Things and You
The Internet of Things and You
TechWell
 
SmartCard Forum 2011 - Chytré karty dnes a za 20 let
SmartCard Forum 2011 - Chytré karty dnes a za 20 letSmartCard Forum 2011 - Chytré karty dnes a za 20 let
SmartCard Forum 2011 - Chytré karty dnes a za 20 let
OKsystem
 
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdfVerifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Kristina Yasuda
 
Hacker Halted 2014 - How to create permanent Domain Administrator privilege (...
Hacker Halted 2014 - How to create permanent Domain Administrator privilege (...Hacker Halted 2014 - How to create permanent Domain Administrator privilege (...
Hacker Halted 2014 - How to create permanent Domain Administrator privilege (...
EC-Council
 
From alias to SPID
From alias to SPIDFrom alias to SPID
From alias to SPID
Raffaele Poli
 

Similar to Codebits 2011 (20)

Electronic identification
Electronic identificationElectronic identification
Electronic identification
 
Innovating the hell out of banking #withCIB
Innovating the hell out of banking #withCIBInnovating the hell out of banking #withCIB
Innovating the hell out of banking #withCIB
 
The Internet of Things and You
The Internet of Things and YouThe Internet of Things and You
The Internet of Things and You
 
Inside .NET Smart Card Operating System
Inside .NET Smart Card Operating SystemInside .NET Smart Card Operating System
Inside .NET Smart Card Operating System
 
Smart Cards, ePassports, and open source
Smart Cards, ePassports, and open sourceSmart Cards, ePassports, and open source
Smart Cards, ePassports, and open source
 
E-voting
E-votingE-voting
E-voting
 
How... Do you know?
How... Do you know?How... Do you know?
How... Do you know?
 
SmartCard Forum 2011 - Chytré karty dnes a za 20 let
SmartCard Forum 2011 - Chytré karty dnes a za 20 letSmartCard Forum 2011 - Chytré karty dnes a za 20 let
SmartCard Forum 2011 - Chytré karty dnes a za 20 let
 
The Future of Secure Documents
The Future of Secure DocumentsThe Future of Secure Documents
The Future of Secure Documents
 
Securing Your Bitcoins - Kitten Tofu
Securing Your Bitcoins - Kitten TofuSecuring Your Bitcoins - Kitten Tofu
Securing Your Bitcoins - Kitten Tofu
 
Steps and Tips to Protect Yourself and your Private Information while Online....
Steps and Tips to Protect Yourself and your Private Information while Online....Steps and Tips to Protect Yourself and your Private Information while Online....
Steps and Tips to Protect Yourself and your Private Information while Online....
 
Introduction to iot and arduino uno r3
Introduction to iot and arduino uno r3Introduction to iot and arduino uno r3
Introduction to iot and arduino uno r3
 
smartcard-120830090352-phpapp02.pdf
smartcard-120830090352-phpapp02.pdfsmartcard-120830090352-phpapp02.pdf
smartcard-120830090352-phpapp02.pdf
 
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdfVerifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
 
Cybercrime Mobile and Wireless Devices.pptx
Cybercrime Mobile and Wireless Devices.pptxCybercrime Mobile and Wireless Devices.pptx
Cybercrime Mobile and Wireless Devices.pptx
 
Hacker Halted 2014 - How to create permanent Domain Administrator privilege (...
Hacker Halted 2014 - How to create permanent Domain Administrator privilege (...Hacker Halted 2014 - How to create permanent Domain Administrator privilege (...
Hacker Halted 2014 - How to create permanent Domain Administrator privilege (...
 
The Internet of Things and You - A Developers Guide to IoT
The Internet of Things and You - A Developers Guide to IoTThe Internet of Things and You - A Developers Guide to IoT
The Internet of Things and You - A Developers Guide to IoT
 
From alias to SPID
From alias to SPIDFrom alias to SPID
From alias to SPID
 
Indjic fintech module 3
Indjic fintech module 3Indjic fintech module 3
Indjic fintech module 3
 
Internet security
Internet securityInternet security
Internet security
 

Recently uploaded

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 

Recently uploaded (20)

presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 

Codebits 2011

  • 1. Paranoid crypto citizen A story of Estonian eID, OpenSC and FUD
  • 2. Topics • Estonian ID-card history • Client software evolution & OpenSC • Misc uses for the card and some “hacks” • Generic PKI-paranoia mixed with FUD
  • 3. # id • Martin Paljak, ~30 • From periphery of Estonia • ID-card user/hacker since 2003 • Wearing my (invisible) tinfoil hat today
  • 4. Estonian ID-card • Introduced in 2002 (conceived in ~1999) • Currently ~1.1million cards (~1.35 million citizens) • ~400000 active electronic users • 4th generation of card in circulation + Mobile-ID • Non/pre-standard on-card structures
  • 5. What can it do? • Authentication (certificate) • Legally binding signatures (certificate) • Visual ID (electronic ID as well) • Decryption (for data in motion)
  • 7.
  • 8.
  • 9. SOFTWARE • Initially no client drivers procured with cards • Windows-only binary effort by the (commercial) CA • Signature is THE product for the CA • CA makes money from signatures (OCSP)
  • 10. Say WHAT? • €€€ for one of the pillars of PKI (OCSP)? • Paranoia alert: binary only software? • FUD alert: if I sell my car, how do I know that I’m not selling my home instead?
  • 12. Volunteers to the rescue! • “Open Source is about scratching your own itch” • I haz Debian • Create card driver with open source • I buy Mac • Y U NO MAKE MAC SOFTWAREZ ?
  • 14. Y U NO GIVE DOCS ?
  • 15. Extreme measures • People smashing the chip with a hammer • Cryptographers disabling their certificates • “I did not generate those keys!” • Tinfoil envelopes (and hats!) • But no ICAO/RFID on the card... • Knowledgeable people writing satire...
  • 16. OpenSC • Started by a Finn named JuhaYrjölä in ~2001 • Open source smart card middleware • Includes support for several cryptographic smart cards (national eID-s,“blank” cards, etc) • Not necessarily the cutest piece of software • It uses OpenSSL ;)
  • 17. Born from desperation ... of not having any software ...
  • 18. OpenSC the software • First custom Linux code & PKCS#11 • Then OS X - Tokend • Now deprecated from 10.7+ • Now slowly Windows code - MiniDriver • Extra cruft to support not a single card but many cards with common goals • A framework, sort of
  • 19. Purpose “Implement API-s and platform modules used by real life applications, to provide those applications access to on-card capabilities”
  • 21. OpenSC the project • Not to be confused with opensc.ws, a trojan forum • Not to be confused with opensc-vdr, some SAT-TV card-sharing thing (also illegal) • An umbrella for people, code and projects with one goal: use various cryptographic hardware.With open source. Especially smart cards. • New goal: reduce fragmentation in Linux and improve interoperability between libraries (OpenSSL, NSS, GnuTLS etc) with PKCS#11
  • 23. 2007 • Government finally opens a tender for eID middleware software • Based on existing open source code ;) • Official E-voting happened in 2005 without official middleware to use the card on “other” platforms... • New, slightly different version of the card
  • 24. 2007 • Campaign to increase electronic users of the PKI system to 400000 in 3 years • Cheap (6€) OmniKey card readers subsidized by government made available • Mobile-ID (WPKI) for driverless operation introduced
  • 25. 2010 • eID usage has increased tremendously • People depend on it for online lifestyle • “Temporary-ID” card introduced (incompatible with original card), to have a backup card if needed. Electronic use only. • Software procurement failed, a fork of forked open source code is created.
  • 26. 2011 • A new (incompatible) card is introduced, with 2048 bit RSA keys. • There is finally “official software” available to everyone, with real support. Open source. Uses OpenSC for some parts. • Smartphones make Mobile-ID an interesting subject • I get to plant paranoia on Codebits :)
  • 28. IMPORTANT • Smart card authentication != PIN verification!!! • Presenting your ID-card without the security guy doing a face<>card check != ID verification. •Identification •Authentication •Authorization
  • 29. Door lock with ID+PIN • Enter your ID card • Type the PIN on keypad • Simsalabim, door opens • Remember EMV “CHIP+PIN” ?
  • 30. In Bigger cities of Estonia • Pay money to a company for credit • Present your ID-card to public transport workers when asked • Checked from database, if your ID-code has a ticket. • But municipal workers are not border guards ;)
  • 31. A Public Library • Pay money to secretary for credit • Insert ID-card at copy machine • Machine does: • database_lookup(id_code_on_card)->credit--; • You do: • A card that “looks” like your roommates card • TIP: always do cryptographic verification!
  • 32. Common patterns • Actually abusing the system • Developing a “database nation” • For the government, your identity becomes just a primary key in the database ...
  • 33. PARANOIA ALERT! “One Card to rule them all, One Card to find them, One Card to bring them all and in the darkness bind them.”
  • 34. E-voting • You encrypt your vote with the e-voting system’s public key (anonymous) • You sign the encrypted vote and send it over the internet to the “ballot collector” • Ballot box checks your eligibility to vote, removes your signature and forwards the encrypted vote to the “ballot box” • Anonymous votes get decrypted and counted offline
  • 35. Things to consider • Vote-forging it not tied to ID-card • Don’t care (but authentication is) • Things are heavily monitored • Don’t care (police will knock on door) • ZEUS trojan has a smart card module • Don’t care (but precautions are taken) • Haters gonna hate.
  • 36. Trust? “It is OK to use card you don’t trust to interact with a government you don’t trust”
  • 37. Use and abuse • “Automatically select certificate” • Identification of visitors, for fun or profit • Remove your card if not using it! • Trojans steal PIN codes and send to ... • Use pinpad readers! • Secure pinpad readers coming to market.
  • 38. The good, the bad, the awful • Biggest issue: fault in infrastructure • The basic “SSL/PKI” complaints apply • No breach from systematic failure has happened, AFAIK. • DON’T PANIC! • Do business from anywhere, like Sintra!
  • 39. Transparency FTW • ... helps to fight FUD • ... helps to fight paranoia • ... helps to keep things auditable • Use open source software • Use public documentation • If it is hackable, it will be hacked anyway.
  • 40. Thanks for listening! Questions? See you at FOSDEM 2012 Security/Crypto devroom! www.opensc-project.org