Security of Estonian ID card authentication implementations

Organisation name
Cybersecurity
Summary
Estonian e-service providers in both the public and private sectors have enabled electronic authentication using the Estonian ID card. On the technical level, the authentication is implemented by the service provider's web server using the TLS client certificate authentication protocol.

In 2013, a study was conducted analyzing the TLS client certificate authentication implementations of 87 Estonian service providers (A. Parsovs, "Practical Issues with TLS Client Certificate Authentication"). The implementations were analyzed against several criteria, such as whether revocation checks are performed and whether the web session is bound to the certificate. In the course of this study, an authentication bypass flaw was discovered in the ID card authentication implemented by the two biggest banks in Estonia.
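As an added illustration of the session-binding criterion mentioned above, the following Python snippet shows what a server-side check looks like when a web session is tied to the client certificate presented during TLS authentication: the fingerprint of the certificate is recorded when the session is created, and every later request is rejected if the connection presents no certificate or a different one. This is example code written for this page, not code from the study or from any Estonian service provider; the certificate bytes are constructed placeholders, and a real deployment would take the DER bytes from the TLS layer and perform revocation checking separately.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed stand-ins for DER-encoded client certificates (not real certificates).
CERT_ALICE = b"constructed-der-bytes-for-alice"
CERT_BOB = b"constructed-der-bytes-for-bob"


def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


class SessionStore:
    """In-memory session store that binds each session to one client certificate.

    Illustrative only: a production store would be persistent and shared, but the
    binding logic in validate() is the part that matters for the criterion.
    """

    def __init__(self, lifetime_seconds: int = 900) -> None:
        self._sessions: Dict[str, Dict[str, object]] = {}
        self.lifetime = lifetime_seconds

    def create(self, client_cert_der: bytes, now: float) -> str:
        """Create a session after successful TLS client authentication."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "fp": cert_fingerprint(client_cert_der),
            "expires": now + self.lifetime,
        }
        return sid

    def validate(
        self, sid: str, presented_cert_der: Optional[bytes], now: float
    ) -> Tuple[bool, str]:
        """Check a session cookie against the certificate on the current connection.

        Returns (accepted, reason). A mismatch invalidates the session so that a
        cookie cannot be reused once it has been seen with a different certificate.
        """
        entry = self._sessions.get(sid)
        if entry is None:
            return False, "unknown session"
        if now >= float(entry["expires"]):
            del self._sessions[sid]
            return False, "session expired"
        if presented_cert_der is None:
            return False, "no client certificate on this connection"
        if not hmac.compare_digest(str(entry["fp"]), cert_fingerprint(presented_cert_der)):
            del self._sessions[sid]
            return False, "certificate does not match the one bound at login"
        return True, "ok"


def demo() -> Dict[str, bool]:
    """Exercise the store with the constructed certificates; returns outcome flags."""
    store = SessionStore(lifetime_seconds=60)
    sid = store.create(CERT_ALICE, now=1000.0)
    results = {
        "same_cert_accepted": store.validate(sid, CERT_ALICE, 1010.0)[0],
        "no_cert_rejected": store.validate(sid, None, 1011.0)[0],
        "other_cert_rejected": store.validate(sid, CERT_BOB, 1012.0)[0],
        # The mismatch above invalidated the session, so even the original holder is out.
        "session_gone_after_mismatch": store.validate(sid, CERT_ALICE, 1013.0)[0],
    }
    sid2 = store.create(CERT_ALICE, now=2000.0)
    results["expired_rejected"] = store.validate(sid2, CERT_ALICE, 2061.0)[0]
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The check that a study of this kind performs is the mirror image of this code: after authenticating with one certificate, the session cookie is replayed over a connection that presents no certificate or a different one, and a correct implementation must refuse the request.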

The aim of this work is to perform an updated study analyzing the ID card authentication implementations deployed today.

Potential tasks:
- Collect an updated list of public e-services providing ID card authentication.
- Add some new tests based on the new TLS protocol features (e.g. TLSv1.2, session tickets).
- Develop some heuristics for automating the tests.

Links:
http://kodu.ut.ee/~arnis/tlscca.pdf
http://kodu.ut.ee/~arnis/tlscca_slides.pdf
Thesis defence year
2019-2020
Supervisor
Arnis Paršovs
Communication language(s)
English
Requirements for candidates
Level
Keywords
#acs

Application contact

Name
Arnis Paršovs
Phone
E-mail
arnis@ut.ee
See more
https://acs.cs.ut.ee/