SlideShare a Scribd company logo

Codebits 2011

Martin Paljak
Martin Paljak

Some eID related thoughts from Estonia.

TechnologyBusiness
1 of 40
Download to read offline
Paranoid crypto citizen A story of Estonian eID, OpenSC and FUD
Topics • Estonian ID-card history • Client software evolution & OpenSC • Misc uses for the card and some “hacks” • Generic PKI-paranoia mixed with FUD
# id • Martin Paljak, ~30 • From periphery of Estonia • ID-card user/hacker since 2003 • Wearing my (invisible) tinfoil hat today
Estonian ID-card • Introduced in 2002 (conceived in ~1999) • Currently ~1.1million cards (~1.35 million citizens) • ~400000 active electronic users • 4th generation of card in circulation + Mobile-ID • Non/pre-standard on-card structures
What can it do? • Authentication (certificate) • Legally binding signatures (certificate) • Visual ID (electronic ID as well) • Decryption (for data in motion)
In the beginning ...
SOFTWARE • Initially no client drivers procured with cards • Windows-only binary effort by the (commercial) CA • Signature is THE product for the CA • CA makes money from signatures (OCSP)
Say WHAT? • €€€ for one of the pillars of PKI (OCSP)? • Paranoia alert: binary only software? • FUD alert: if I sell my car, how do I know that I’m not selling my home instead?
“Das Bundestrojaner” anyone?
Volunteers to the rescue! • “Open Source is about scratching your own itch” • I haz Debian • Create card driver with open source • I buy Mac • Y U NO MAKE MAC SOFTWAREZ ?
No real documentation
Y U NO GIVE DOCS ?
Extreme measures • People smashing the chip with a hammer • Cryptographers disabling their certificates • “I did not generate those keys!” • Tinfoil envelopes (and hats!) • But no ICAO/RFID on the card... • Knowledgeable people writing satire...
OpenSC • Started by a Finn named JuhaYrjölä in ~2001 • Open source smart card middleware • Includes support for several cryptographic smart cards (national eID-s,“blank” cards, etc) • Not necessarily the cutest piece of software • It uses OpenSSL ;)
Born from desperation ... of not having any software ...
OpenSC the software • First custom Linux code & PKCS#11 • Then OS X - Tokend • Now deprecated from 10.7+ • Now slowly Windows code - MiniDriver • Extra cruft to support not a single card but many cards with common goals • A framework, sort of
Purpose “Implement API-s and platform modules used by real life applications, to provide those applications access to on-card capabilities”
Avoid “NASCAR effect”
OpenSC the project • Not to be confused with opensc.ws, a trojan forum • Not to be confused with opensc-vdr, some SAT-TV card-sharing thing (also illegal) • An umbrella for people, code and projects with one goal: use various cryptographic hardware.With open source. Especially smart cards. • New goal: reduce fragmentation in Linux and improve interoperability between libraries (OpenSSL, NSS, GnuTLS etc) with PKCS#11
Back to Estonia ...
2007 • Government finally opens a tender for eID middleware software • Based on existing open source code ;) • Official E-voting happened in 2005 without official middleware to use the card on “other” platforms... • New, slightly different version of the card
2007 • Campaign to increase electronic users of the PKI system to 400000 in 3 years • Cheap (6€) OmniKey card readers subsidized by government made available • Mobile-ID (WPKI) for driverless operation introduced
2010 • eID usage has increased tremendously • People depend on it for online lifestyle • “Temporary-ID” card introduced (incompatible with original card), to have a backup card if needed. Electronic use only. • Software procurement failed, a fork of forked open source code is created.
2011 • A new (incompatible) card is introduced, with 2048 bit RSA keys. • There is finally “official software” available to everyone, with real support. Open source. Uses OpenSC for some parts. • Smartphones make Mobile-ID an interesting subject • I get to plant paranoia on Codebits :)
What has changed?
IMPORTANT • Smart card authentication != PIN verification!!! • Presenting your ID-card without the security guy doing a face<>card check != ID verification. •Identification •Authentication •Authorization
Door lock with ID+PIN • Enter your ID card • Type the PIN on keypad • Simsalabim, door opens • Remember EMV “CHIP+PIN” ?
In Bigger cities of Estonia • Pay money to a company for credit • Present your ID-card to public transport workers when asked • Checked from database, if your ID-code has a ticket. • But municipal workers are not border guards ;)
A Public Library • Pay money to secretary for credit • Insert ID-card at copy machine • Machine does: • database_lookup(id_code_on_card)->credit--; • You do: • A card that “looks” like your roommates card • TIP: always do cryptographic verification!
Common patterns • Actually abusing the system • Developing a “database nation” • For the government, your identity becomes just a primary key in the database ...
PARANOIA ALERT! “One Card to rule them all, One Card to find them, One Card to bring them all and in the darkness bind them.”
E-voting • You encrypt your vote with the e-voting system’s public key (anonymous) • You sign the encrypted vote and send it over the internet to the “ballot collector” • Ballot box checks your eligibility to vote, removes your signature and forwards the encrypted vote to the “ballot box” • Anonymous votes get decrypted and counted offline
Things to consider • Vote-forging it not tied to ID-card • Don’t care (but authentication is) • Things are heavily monitored • Don’t care (police will knock on door) • ZEUS trojan has a smart card module • Don’t care (but precautions are taken) • Haters gonna hate.
Trust? “It is OK to use card you don’t trust to interact with a government you don’t trust”
Use and abuse • “Automatically select certificate” • Identification of visitors, for fun or profit • Remove your card if not using it! • Trojans steal PIN codes and send to ... • Use pinpad readers! • Secure pinpad readers coming to market.
The good, the bad, the awful • Biggest issue: fault in infrastructure • The basic “SSL/PKI” complaints apply • No breach from systematic failure has happened, AFAIK. • DON’T PANIC! • Do business from anywhere, like Sintra!
Transparency FTW • ... helps to fight FUD • ... helps to fight paranoia • ... helps to keep things auditable • Use open source software • Use public documentation • If it is hackable, it will be hacked anyway.
Thanks for listening! Questions? See you at FOSDEM 2012 Security/Crypto devroom! www.opensc-project.org

Recommended

Io t privacy and security considerations
Io t privacy and security considerationsIo t privacy and security considerations
Io t privacy and security considerationsYves Goeleven
 
Types of computer_hardware
Types of computer_hardwareTypes of computer_hardware
Types of computer_hardwareAbdul Basit
 
Smart OpenID & Mobile Network Security
Smart OpenID & Mobile Network SecuritySmart OpenID & Mobile Network Security
Smart OpenID & Mobile Network SecurityAndreas Leicher
 
Brightbox infographic Key paradigms
Brightbox infographic Key paradigmsBrightbox infographic Key paradigms
Brightbox infographic Key paradigmsJoel Martin
 
Biometric identification
Biometric identificationBiometric identification
Biometric identificationBozhidar Bozhanov
 
JavaCard development Quickstart
JavaCard development QuickstartJavaCard development Quickstart
JavaCard development QuickstartMartin Paljak
 
OpenSC: eID interoperability through open source software
OpenSC: eID interoperability through open source softwareOpenSC: eID interoperability through open source software
OpenSC: eID interoperability through open source softwareMartin Paljak
 
Veebis allkirjastamine ID-kaardiga
Veebis allkirjastamine ID-kaardigaVeebis allkirjastamine ID-kaardiga
Veebis allkirjastamine ID-kaardigaMartin Paljak
 

Recommended

Io t privacy and security considerations
Io t privacy and security considerationsIo t privacy and security considerations
Io t privacy and security considerationsYves Goeleven
 
Types of computer_hardware
Types of computer_hardwareTypes of computer_hardware
Types of computer_hardwareAbdul Basit
 
Smart OpenID & Mobile Network Security
Smart OpenID & Mobile Network SecuritySmart OpenID & Mobile Network Security
Smart OpenID & Mobile Network SecurityAndreas Leicher
 
Brightbox infographic Key paradigms
Brightbox infographic Key paradigmsBrightbox infographic Key paradigms
Brightbox infographic Key paradigmsJoel Martin
 
Biometric identification
Biometric identificationBiometric identification
Biometric identificationBozhidar Bozhanov
 
JavaCard development Quickstart
JavaCard development QuickstartJavaCard development Quickstart
JavaCard development QuickstartMartin Paljak
 
OpenSC: eID interoperability through open source software
OpenSC: eID interoperability through open source softwareOpenSC: eID interoperability through open source software
OpenSC: eID interoperability through open source softwareMartin Paljak
 
Veebis allkirjastamine ID-kaardiga
Veebis allkirjastamine ID-kaardigaVeebis allkirjastamine ID-kaardiga
Veebis allkirjastamine ID-kaardigaMartin Paljak
 
OpenDNIe Hackfest
OpenDNIe HackfestOpenDNIe Hackfest
OpenDNIe HackfestMartin Paljak
 
ID-kaardist 100%
ID-kaardist 100%ID-kaardist 100%
ID-kaardist 100%Martin Paljak
 
Security applications with Java Card
Security applications with Java CardSecurity applications with Java Card
Security applications with Java CardJulien SIMON
 
Javacardtech
JavacardtechJavacardtech
JavacardtechVivek Bajpai
 
eSmartlock a USB Javacard dongle with anti-piracy and DRM services
eSmartlock a USB Javacard dongle with anti-piracy and DRM serviceseSmartlock a USB Javacard dongle with anti-piracy and DRM services
eSmartlock a USB Javacard dongle with anti-piracy and DRM servicesYiannis Hatzopoulos
 
eSmartlock - an antipiracy dongle with integrated DRM functionalities
eSmartlock - an antipiracy dongle with integrated DRM functionalitieseSmartlock - an antipiracy dongle with integrated DRM functionalities
eSmartlock - an antipiracy dongle with integrated DRM functionalitiesYiannis Hatzopoulos
 
Electronic identification
Electronic identificationElectronic identification
Electronic identificationBozhidar Bozhanov
 
Innovating the hell out of banking #withCIB
Innovating the hell out of banking #withCIBInnovating the hell out of banking #withCIB
Innovating the hell out of banking #withCIBPéter Harang
 
The Internet of Things and You
The Internet of Things and YouThe Internet of Things and You
The Internet of Things and YouTechWell
 
Inside .NET Smart Card Operating System
Inside .NET Smart Card Operating SystemInside .NET Smart Card Operating System
Inside .NET Smart Card Operating SystemSensePost
 
Smart Cards, ePassports, and open source
Smart Cards, ePassports, and open sourceSmart Cards, ePassports, and open source
Smart Cards, ePassports, and open sourceMartijn Oostdijk
 
E-voting
E-votingE-voting
E-votingBozhidar Bozhanov
 
How... Do you know?
How... Do you know?How... Do you know?
How... Do you know?Aleksandra Gavrilovska
 
SmartCard Forum 2011 - Chytré karty dnes a za 20 let
SmartCard Forum 2011 - Chytré karty dnes a za 20 letSmartCard Forum 2011 - Chytré karty dnes a za 20 let
SmartCard Forum 2011 - Chytré karty dnes a za 20 letOKsystem
 
The Future of Secure Documents
The Future of Secure DocumentsThe Future of Secure Documents
The Future of Secure DocumentsDarren Corbett
 
Securing Your Bitcoins - Kitten Tofu
Securing Your Bitcoins - Kitten TofuSecuring Your Bitcoins - Kitten Tofu
Securing Your Bitcoins - Kitten TofuBitcoin Barcamp
 
Steps and Tips to Protect Yourself and your Private Information while Online....
Steps and Tips to Protect Yourself and your Private Information while Online....Steps and Tips to Protect Yourself and your Private Information while Online....
Steps and Tips to Protect Yourself and your Private Information while Online....Abzetdin Adamov
 
Introduction to iot and arduino uno r3
Introduction to iot and arduino uno r3Introduction to iot and arduino uno r3
Introduction to iot and arduino uno r3Saurav Chaudhary
 
smartcard-120830090352-phpapp02.pdf
smartcard-120830090352-phpapp02.pdfsmartcard-120830090352-phpapp02.pdf
smartcard-120830090352-phpapp02.pdfssuser5b47c8
 
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdfVerifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdfKristina Yasuda
 
Cybercrime Mobile and Wireless Devices.pptx
Cybercrime Mobile and Wireless Devices.pptxCybercrime Mobile and Wireless Devices.pptx
Cybercrime Mobile and Wireless Devices.pptxVivekanandaGN1
 
Hacker Halted 2014 - How to create permanent Domain Administrator privilege (...
Hacker Halted 2014 - How to create permanent Domain Administrator privilege (...Hacker Halted 2014 - How to create permanent Domain Administrator privilege (...
Hacker Halted 2014 - How to create permanent Domain Administrator privilege (...EC-Council
 

More Related Content

Viewers also liked

Security applications with Java Card
Security applications with Java CardSecurity applications with Java Card
Security applications with Java CardJulien SIMON
 
eSmartlock a USB Javacard dongle with anti-piracy and DRM services
eSmartlock a USB Javacard dongle with anti-piracy and DRM serviceseSmartlock a USB Javacard dongle with anti-piracy and DRM services
eSmartlock a USB Javacard dongle with anti-piracy and DRM servicesYiannis Hatzopoulos
 
eSmartlock - an antipiracy dongle with integrated DRM functionalities
eSmartlock - an antipiracy dongle with integrated DRM functionalitieseSmartlock - an antipiracy dongle with integrated DRM functionalities
eSmartlock - an antipiracy dongle with integrated DRM functionalitiesYiannis Hatzopoulos
 

Viewers also liked (6)

OpenDNIe Hackfest
OpenDNIe HackfestOpenDNIe Hackfest
OpenDNIe Hackfest
 
ID-kaardist 100%
ID-kaardist 100%ID-kaardist 100%
ID-kaardist 100%
 
Security applications with Java Card
Security applications with Java CardSecurity applications with Java Card
Security applications with Java Card
 
Javacardtech
JavacardtechJavacardtech
Javacardtech
 
eSmartlock a USB Javacard dongle with anti-piracy and DRM services
eSmartlock a USB Javacard dongle with anti-piracy and DRM serviceseSmartlock a USB Javacard dongle with anti-piracy and DRM services
eSmartlock a USB Javacard dongle with anti-piracy and DRM services
 
eSmartlock - an antipiracy dongle with integrated DRM functionalities
eSmartlock - an antipiracy dongle with integrated DRM functionalitieseSmartlock - an antipiracy dongle with integrated DRM functionalities
eSmartlock - an antipiracy dongle with integrated DRM functionalities
 

Similar to Codebits 2011

Innovating the hell out of banking #withCIB
Innovating the hell out of banking #withCIBInnovating the hell out of banking #withCIB
Innovating the hell out of banking #withCIBPéter Harang
 
The Internet of Things and You
The Internet of Things and YouThe Internet of Things and You
The Internet of Things and YouTechWell
 
Inside .NET Smart Card Operating System
Inside .NET Smart Card Operating SystemInside .NET Smart Card Operating System
Inside .NET Smart Card Operating SystemSensePost
 
Smart Cards, ePassports, and open source
Smart Cards, ePassports, and open sourceSmart Cards, ePassports, and open source
Smart Cards, ePassports, and open sourceMartijn Oostdijk
 
SmartCard Forum 2011 - Chytré karty dnes a za 20 let
SmartCard Forum 2011 - Chytré karty dnes a za 20 letSmartCard Forum 2011 - Chytré karty dnes a za 20 let
SmartCard Forum 2011 - Chytré karty dnes a za 20 letOKsystem
 
The Future of Secure Documents
The Future of Secure DocumentsThe Future of Secure Documents
The Future of Secure DocumentsDarren Corbett
 
Securing Your Bitcoins - Kitten Tofu
Securing Your Bitcoins - Kitten TofuSecuring Your Bitcoins - Kitten Tofu
Securing Your Bitcoins - Kitten TofuBitcoin Barcamp
 
Steps and Tips to Protect Yourself and your Private Information while Online....
Steps and Tips to Protect Yourself and your Private Information while Online....Steps and Tips to Protect Yourself and your Private Information while Online....
Steps and Tips to Protect Yourself and your Private Information while Online....Abzetdin Adamov
 
Introduction to iot and arduino uno r3
Introduction to iot and arduino uno r3Introduction to iot and arduino uno r3
Introduction to iot and arduino uno r3Saurav Chaudhary
 
smartcard-120830090352-phpapp02.pdf
smartcard-120830090352-phpapp02.pdfsmartcard-120830090352-phpapp02.pdf
smartcard-120830090352-phpapp02.pdfssuser5b47c8
 
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdfVerifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdfKristina Yasuda
 
Cybercrime Mobile and Wireless Devices.pptx
Cybercrime Mobile and Wireless Devices.pptxCybercrime Mobile and Wireless Devices.pptx
Cybercrime Mobile and Wireless Devices.pptxVivekanandaGN1
 
Hacker Halted 2014 - How to create permanent Domain Administrator privilege (...
Hacker Halted 2014 - How to create permanent Domain Administrator privilege (...Hacker Halted 2014 - How to create permanent Domain Administrator privilege (...
Hacker Halted 2014 - How to create permanent Domain Administrator privilege (...EC-Council
 
The Internet of Things and You - A Developers Guide to IoT
The Internet of Things and You - A Developers Guide to IoTThe Internet of Things and You - A Developers Guide to IoT
The Internet of Things and You - A Developers Guide to IoTJim McKeeth
 
Indjic fintech module 3
Indjic fintech module 3Indjic fintech module 3
Indjic fintech module 3Drago Indjic
 

Similar to Codebits 2011 (20)

Electronic identification
Electronic identificationElectronic identification
Electronic identification
 
Innovating the hell out of banking #withCIB
Innovating the hell out of banking #withCIBInnovating the hell out of banking #withCIB
Innovating the hell out of banking #withCIB
 
The Internet of Things and You
The Internet of Things and YouThe Internet of Things and You
The Internet of Things and You
 
Inside .NET Smart Card Operating System
Inside .NET Smart Card Operating SystemInside .NET Smart Card Operating System
Inside .NET Smart Card Operating System
 
Smart Cards, ePassports, and open source
Smart Cards, ePassports, and open sourceSmart Cards, ePassports, and open source
Smart Cards, ePassports, and open source
 
E-voting
E-votingE-voting
E-voting
 
How... Do you know?
How... Do you know?How... Do you know?
How... Do you know?
 
SmartCard Forum 2011 - Chytré karty dnes a za 20 let
SmartCard Forum 2011 - Chytré karty dnes a za 20 letSmartCard Forum 2011 - Chytré karty dnes a za 20 let
SmartCard Forum 2011 - Chytré karty dnes a za 20 let
 
The Future of Secure Documents
The Future of Secure DocumentsThe Future of Secure Documents
The Future of Secure Documents
 
Securing Your Bitcoins - Kitten Tofu
Securing Your Bitcoins - Kitten TofuSecuring Your Bitcoins - Kitten Tofu
Securing Your Bitcoins - Kitten Tofu
 
Steps and Tips to Protect Yourself and your Private Information while Online....
Steps and Tips to Protect Yourself and your Private Information while Online....Steps and Tips to Protect Yourself and your Private Information while Online....
Steps and Tips to Protect Yourself and your Private Information while Online....
 
Introduction to iot and arduino uno r3
Introduction to iot and arduino uno r3Introduction to iot and arduino uno r3
Introduction to iot and arduino uno r3
 
smartcard-120830090352-phpapp02.pdf
smartcard-120830090352-phpapp02.pdfsmartcard-120830090352-phpapp02.pdf
smartcard-120830090352-phpapp02.pdf
 
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdfVerifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
 
Cybercrime Mobile and Wireless Devices.pptx
Cybercrime Mobile and Wireless Devices.pptxCybercrime Mobile and Wireless Devices.pptx
Cybercrime Mobile and Wireless Devices.pptx
 
Hacker Halted 2014 - How to create permanent Domain Administrator privilege (...
Hacker Halted 2014 - How to create permanent Domain Administrator privilege (...Hacker Halted 2014 - How to create permanent Domain Administrator privilege (...
Hacker Halted 2014 - How to create permanent Domain Administrator privilege (...
 
The Internet of Things and You - A Developers Guide to IoT
The Internet of Things and You - A Developers Guide to IoTThe Internet of Things and You - A Developers Guide to IoT
The Internet of Things and You - A Developers Guide to IoT
 
From alias to SPID
From alias to SPIDFrom alias to SPID
From alias to SPID
 
Indjic fintech module 3
Indjic fintech module 3Indjic fintech module 3
Indjic fintech module 3
 
Internet security
Internet securityInternet security
Internet security
 

Recently uploaded

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 

Recently uploaded (20)

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 

Codebits 2011

  • 1. Paranoid crypto citizen A story of Estonian eID, OpenSC and FUD
  • 2. Topics • Estonian ID-card history • Client software evolution & OpenSC • Misc uses for the card and some “hacks” • Generic PKI-paranoia mixed with FUD
  • 3. # id • Martin Paljak, ~30 • From periphery of Estonia • ID-card user/hacker since 2003 • Wearing my (invisible) tinfoil hat today
  • 4. Estonian ID-card • Introduced in 2002 (conceived in ~1999) • Currently ~1.1million cards (~1.35 million citizens) • ~400000 active electronic users • 4th generation of card in circulation + Mobile-ID • Non/pre-standard on-card structures
  • 5. What can it do? • Authentication (certificate) • Legally binding signatures (certificate) • Visual ID (electronic ID as well) • Decryption (for data in motion)
  • 7.
  • 8.
  • 9. SOFTWARE • Initially no client drivers procured with cards • Windows-only binary effort by the (commercial) CA • Signature is THE product for the CA • CA makes money from signatures (OCSP)
  • 10. Say WHAT? • €€€ for one of the pillars of PKI (OCSP)? • Paranoia alert: binary only software? • FUD alert: if I sell my car, how do I know that I’m not selling my home instead?
  • 12. Volunteers to the rescue! • “Open Source is about scratching your own itch” • I haz Debian • Create card driver with open source • I buy Mac • Y U NO MAKE MAC SOFTWAREZ ?
  • 14. Y U NO GIVE DOCS ?
  • 15. Extreme measures • People smashing the chip with a hammer • Cryptographers disabling their certificates • “I did not generate those keys!” • Tinfoil envelopes (and hats!) • But no ICAO/RFID on the card... • Knowledgeable people writing satire...
  • 16. OpenSC • Started by a Finn named JuhaYrjölä in ~2001 • Open source smart card middleware • Includes support for several cryptographic smart cards (national eID-s,“blank” cards, etc) • Not necessarily the cutest piece of software • It uses OpenSSL ;)
  • 17. Born from desperation ... of not having any software ...
  • 18. OpenSC the software • First custom Linux code & PKCS#11 • Then OS X - Tokend • Now deprecated from 10.7+ • Now slowly Windows code - MiniDriver • Extra cruft to support not a single card but many cards with common goals • A framework, sort of
  • 19. Purpose “Implement API-s and platform modules used by real life applications, to provide those applications access to on-card capabilities”
  • 21. OpenSC the project • Not to be confused with opensc.ws, a trojan forum • Not to be confused with opensc-vdr, some SAT-TV card-sharing thing (also illegal) • An umbrella for people, code and projects with one goal: use various cryptographic hardware.With open source. Especially smart cards. • New goal: reduce fragmentation in Linux and improve interoperability between libraries (OpenSSL, NSS, GnuTLS etc) with PKCS#11
  • 23. 2007 • Government finally opens a tender for eID middleware software • Based on existing open source code ;) • Official E-voting happened in 2005 without official middleware to use the card on “other” platforms... • New, slightly different version of the card
  • 24. 2007 • Campaign to increase electronic users of the PKI system to 400000 in 3 years • Cheap (6€) OmniKey card readers subsidized by government made available • Mobile-ID (WPKI) for driverless operation introduced
  • 25. 2010 • eID usage has increased tremendously • People depend on it for online lifestyle • “Temporary-ID” card introduced (incompatible with original card), to have a backup card if needed. Electronic use only. • Software procurement failed, a fork of forked open source code is created.
  • 26. 2011 • A new (incompatible) card is introduced, with 2048 bit RSA keys. • There is finally “official software” available to everyone, with real support. Open source. Uses OpenSC for some parts. • Smartphones make Mobile-ID an interesting subject • I get to plant paranoia on Codebits :)
  • 28. IMPORTANT • Smart card authentication != PIN verification!!! • Presenting your ID-card without the security guy doing a face<>card check != ID verification. •Identification •Authentication •Authorization
  • 29. Door lock with ID+PIN • Enter your ID card • Type the PIN on keypad • Simsalabim, door opens • Remember EMV “CHIP+PIN” ?
  • 30. In Bigger cities of Estonia • Pay money to a company for credit • Present your ID-card to public transport workers when asked • Checked from database, if your ID-code has a ticket. • But municipal workers are not border guards ;)
  • 31. A Public Library • Pay money to secretary for credit • Insert ID-card at copy machine • Machine does: • database_lookup(id_code_on_card)->credit--; • You do: • A card that “looks” like your roommates card • TIP: always do cryptographic verification!
  • 32. Common patterns • Actually abusing the system • Developing a “database nation” • For the government, your identity becomes just a primary key in the database ...
  • 33. PARANOIA ALERT! “One Card to rule them all, One Card to find them, One Card to bring them all and in the darkness bind them.”
  • 34. E-voting • You encrypt your vote with the e-voting system’s public key (anonymous) • You sign the encrypted vote and send it over the internet to the “ballot collector” • Ballot box checks your eligibility to vote, removes your signature and forwards the encrypted vote to the “ballot box” • Anonymous votes get decrypted and counted offline
  • 35. Things to consider • Vote-forging it not tied to ID-card • Don’t care (but authentication is) • Things are heavily monitored • Don’t care (police will knock on door) • ZEUS trojan has a smart card module • Don’t care (but precautions are taken) • Haters gonna hate.
  • 36. Trust? “It is OK to use card you don’t trust to interact with a government you don’t trust”
  • 37. Use and abuse • “Automatically select certificate” • Identification of visitors, for fun or profit • Remove your card if not using it! • Trojans steal PIN codes and send to ... • Use pinpad readers! • Secure pinpad readers coming to market.
  • 38. The good, the bad, the awful • Biggest issue: fault in infrastructure • The basic “SSL/PKI” complaints apply • No breach from systematic failure has happened, AFAIK. • DON’T PANIC! • Do business from anywhere, like Sintra!
  • 39. Transparency FTW • ... helps to fight FUD • ... helps to fight paranoia • ... helps to keep things auditable • Use open source software • Use public documentation • If it is hackable, it will be hacked anyway.
  • 40. Thanks for listening! Questions? See you at FOSDEM 2012 Security/Crypto devroom! www.opensc-project.org