Security of Estonian ID card authentication implementations

Organization
Cybersecurity
Abstract
Estonian e-service providers in both the public and private sectors have enabled electronic authentication using the Estonian ID card. On the technical level, the authentication is implemented by the service provider's web server using the TLS client certificate authentication protocol.

In 2013, a study analyzed the TLS client certificate authentication implementations of 87 Estonian service providers (A. Parsovs, "Practical Issues with TLS Client Certificate Authentication"). The implementations were evaluated against several criteria, such as whether certificate revocation is checked and whether the web session is bound to the authenticated certificate. In the course of that study, an authentication bypass flaw was found in the ID card authentication implemented by the two largest banks in Estonia.
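To make the session-binding criterion concrete, here is an added Python example (not code from the original study or from the cited paper) that contrasts a session store which trusts the session cookie alone after login with one that pins the session to the SHA-256 fingerprint of the certificate used at login and re-checks that binding on every request. The certificate bytes, session IDs and store classes are constructed for illustration; in a real deployment the DER bytes would come from the TLS layer's peer certificate.

```python
import hashlib
import hmac

# Constructed sample "certificates": stand-ins for the DER-encoded X.509
# certificates a browser presents during the TLS handshake.
ALICE_CERT_DER = b"constructed-DER-bytes-for-alice"
BOB_CERT_DER = b"constructed-DER-bytes-for-bob"


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


class UnboundSessionStore:
    """Checks the certificate only at login. Afterwards the session ID alone
    is trusted, so any request carrying it is accepted regardless of which
    certificate (if any) is presented on the TLS connection."""

    def __init__(self):
        self._sessions = {}

    def login(self, session_id, user_id, client_cert_der):
        if client_cert_der is None:
            return False
        self._sessions[session_id] = {"user": user_id}
        return True

    def authorize(self, session_id, client_cert_der):
        return session_id in self._sessions


class BoundSessionStore:
    """Binds the web session to the login certificate and re-verifies the
    binding on every request, so a session ID is useless without the
    matching client certificate on the connection."""

    def __init__(self):
        self._sessions = {}

    def login(self, session_id, user_id, client_cert_der):
        if client_cert_der is None:
            return False
        self._sessions[session_id] = {
            "user": user_id,
            "cert_fp": cert_fingerprint(client_cert_der),
        }
        return True

    def authorize(self, session_id, client_cert_der):
        session = self._sessions.get(session_id)
        if session is None or client_cert_der is None:
            return False
        presented = cert_fingerprint(client_cert_der)
        if not hmac.compare_digest(session["cert_fp"], presented):
            # Binding violated: invalidate the session instead of leaving it usable.
            del self._sessions[session_id]
            return False
        return True


def run_binding_checks(store_cls):
    """Exercise a store with the request patterns a test would try.
    Returns (same_cert_accepted, other_cert_accepted, no_cert_accepted)."""
    store = store_cls()
    if not store.login("sid-1", "alice", ALICE_CERT_DER):
        raise RuntimeError("login with a certificate must succeed")
    same_cert = store.authorize("sid-1", ALICE_CERT_DER)
    other_cert = store.authorize("sid-1", BOB_CERT_DER)
    # The bound store drops sid-1 after the mismatch, so use a fresh session
    # to test the no-certificate case in both stores.
    store.login("sid-2", "alice", ALICE_CERT_DER)
    no_cert = store.authorize("sid-2", None)
    return same_cert, other_cert, no_cert


if __name__ == "__main__":
    for cls in (UnboundSessionStore, BoundSessionStore):
        print(cls.__name__, run_binding_checks(cls))
```

A service that passes the binding criterion behaves like `BoundSessionStore`: only the certificate that opened the session is accepted, and a request with a different certificate or none at all is refused. The unbound variant illustrates what a tester looks for when the criterion fails.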

The aim of this work is to perform an updated study analyzing the ID card authentication implementations deployed today.

Potential tasks:
- Collect an updated list of public e-services providing ID card authentication.
- Add some new tests based on the new TLS protocol features (e.g. TLSv1.2, session tickets).
- Develop some heuristics for automating the tests.

Links:
http://kodu.ut.ee/~arnis/tlscca.pdf
http://kodu.ut.ee/~arnis/tlscca_slides.pdf
Graduation Theses defence year
2019-2020
Supervisor
Arnis Paršovs
Spoken language(s)
English
Requirements for candidates
Level
Keywords
#acs

Application of contact

Name
Arnis Paršovs
Phone
E-mail
arnis@ut.ee
See more
https://acs.cs.ut.ee/