Cybernetica and the Estonian Information System Authority keep investing in digital identity research


The field of cyber security is developing very fast and the risk environment is constantly changing. Estonia’s cyber security is born out of and constantly improved by daily cooperation between companies and the state, and this cooperation has produced several outstanding results. Cybernetica has a long history of leading and participating in applied research projects with the Estonian Information System Authority (RIA), thereby securing the sustainable and secure development of digital identity tools and services.

Below is a brief overview of the projects from 2022 and future research perspectives for the digital identity (eID) space.

Certificate as a platform

An official proof of identity usually is either a passport or a plastic card – both of which have various security features or chips installed. But in addition to proving one’s identity, one often has to prove one’s right to enter an institution, participate in an activity or even prove one’s right to acquire some items that have restrictions. To prove the rights, authorities issue various certificates of different forms, such as an entry in a database, a smart card, a plastic card, etc. Thus, one may need to have several different forms of evidence to prove their various rights. In addition to providing a specific proof of right, one has to present the proof of identity, too, to make sure the holder of a certificate is really the same person to whom it was issued.

Generally, documents can be used in two ways – for physical, face-to-face, verification, or for digital authentication and usage of e-services. However, technology makes it possible to create new and more user-friendly solutions. To date, there are new smart device-based technological possibilities for both creating digital evidence and transferring identity documents to a smart device. In this way, it is possible to create a digital certificate and a digital identity document, which can be used both face-to-face, to verify identity and to prove a person's right, as well as to perform the same actions in a digital environment.

In this project, Cybernetica analysed what to consider when using digital certificates and digital identity documents in one’s device. We aimed to find out whether it is possible to replace carrying numerous physical documents with a single digital document inside one’s smart device.

At present, none of the analysed solutions support authentication and signing sufficiently to be immediately adopted for government transactions. Although the frameworks seem potentially capable of this, the execution of these functionalities needs further development and consideration.

Authentication Protocols (SPOF2.1 - Single Point of Failure)

In 2019-2020, Cybernetica conducted the eID infrastructure fault tolerance analysis (SPoF), which pointed out the weak links in the Estonian eID ecosystem. The main weakness identified was the number of different authentication protocols in use in Estonia.

On the one hand, having multiple authentication tools (e.g., ID card) at once is a backup option in case there is a problem with one of them or in case a security risk has been discovered. On the other hand, IT systems utilising multiple authentication tools and services at once would have to bear multiple expenses, since all of them have different APIs.

Thus, the goal of the SPOF2.1 project was to study the authentication tools and services used in Estonia to find out whether it would be possible to harmonise their APIs and how to avoid man-in-the-middle attacks.

During the project, the authentication protocols in use were studied and a draft of a unified authentication protocol was developed. The protocol is suitable for both authentication services and tools.

In addition to the implementation of additional standards, a unique, Estonian-specific extension was created for the authentication protocol suite. It enables the signature created by the authentication tool to be transmitted in the authentication confirmation, which is mediated by the authentication service provider. Introducing such an extension would reduce the risk of the authentication service provider being taken over by an attacker and the attacker falsifying authentication confirmations.

In conclusion, continuing with the steps outlined in the draft of the authentication protocol suite, Estonia can successfully continue developing the secure eID ecosystem.

Validation Proxy Service (SPoF2.2)

Each time one uses an authentication tool for digital signature or authentication, a CA (Certificate Authority) issues a certificate so the service provider can be sure of the validity of the authentication/signing certificate. To check the validity, the CA offers a corresponding service – the validity confirmation service. A problem arises if this process is interrupted – in that case all e-services in Estonia, and their users, are generally disrupted, as logging into an e-service or signing digitally becomes impossible.

Hence, the primary focus of the risk analysis SPOF2.2 was to examine how to reduce the dependence on the validity confirmation service and to ensure functionality in a situation where the validity confirmation service does not work.

As a possible mitigation idea stemming from an earlier study, it was discussed whether it might be reasonable for the state to create a special proxy service that would provide validity confirmation data in a situation where the primary CA is not working.

This idea was discussed in depth and four solutions were analysed. At present, there is clearly no single best solution to reduce all risks. In fact, in some cases, the risk level even increased. Thus, it is difficult to recommend one specific solution. The most probable option might be to look at each e-service separately. It would then be up to the service provider to conduct its own risk analysis and consider the reliability and usability of the authentication result.

Analysis of the Possibility to Use ID1 Card’s NFC Interface for Authentication and Electronic Signing

NFC (Near-Field Communication) is a technology used daily for paying with a smartwatch or a smartphone, validating one’s public transportation card, etc. NFC is also used as a standardised technology requirement for passports enabling people to travel to countries all over the world.

Since November 2018, Estonia has been issuing ID cards equipped with a contactless interface. This created a new opportunity for performing authentication and electronic signing without the card holder having to insert the card into a smartcard reader. However, this function is currently not in use, due to uncertainties about legal and security issues.

The aim of the project was to study the potential usage of the Estonian ID card via NFC for authentication and electronic signing. For this, Cybernetica identified and mapped the risks, evaluated them, and proposed risk mitigation tools as a list of requirements to ensure a secure deployment and usage of ID cards via NFC. From the legal standpoint, we concluded that as long as the generated digital signature complies with a number of eIDAS articles, the NFC option is good to go.

In conclusion, using the Estonian ID card over the NFC interface is safe and there are no significant risks for the confidentiality of the user’s private keys and knowledge-based factors (PINs).