|Title|Security of Estonian ID card authentication implementations|
|Summary|Estonian e-service providers in both the public and private sectors have enabled electronic authentication using the Estonian ID card. On the technical level, the authentication is implemented by the service provider's web server using the TLS client certificate authentication protocol.|
In 2013, a study was conducted analyzing the TLS client certificate authentication implementations of 87 Estonian service providers (A. Parsovs, "Practical Issues with TLS Client Certificate Authentication"). The implementations were analyzed against several criteria, such as whether certificate revocation checks are performed and whether the web session is bound to the authenticating certificate. In the course of this study, an authentication bypass flaw was discovered in the ID card authentication implemented by the two biggest banks in Estonia.
The aim of this work is to perform an updated study analyzing the ID card authentication implementations deployed today.
- Collect an updated list of public e-services providing ID card authentication.
- Add some new tests based on the new TLS protocol features (e.g. TLSv1.2, session tickets).
- Develop some heuristics for automating the tests.
|Thesis defence year|2019-2020|
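One of the criteria named in the summary, binding the web session to the TLS client certificate, can be illustrated in isolation. The following is an added example and not code from the thesis or from any of the surveyed service providers: it models a server-side session store and contrasts an unbound check (the session cookie alone is trusted) with a bound check (the request must arrive over a TLS connection presenting the same client certificate that was seen at login). The certificate bytes, user name and function names are constructed for the illustration.

```python
"""Session-to-certificate binding, modelled without a network or real X.509.

A real deployment would take the DER-encoded client certificate from the TLS
layer (e.g. the web server's SSL_CLIENT_CERT variable); here the certificates
are constructed byte strings so the example runs offline.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-ins for two different DER-encoded client certificates.
CERT_A = b"constructed-der-certificate-of-user-alice"
CERT_B = b"constructed-der-certificate-of-someone-else"


@dataclass
class Session:
    user_id: str
    cert_fingerprint: str  # SHA-256 over the DER bytes seen at login


# Server-side session store: cookie value -> Session record.
SESSIONS: Dict[str, Session] = {}


def fingerprint(cert_der: bytes) -> str:
    """Stable identifier of a certificate, independent of its subject fields."""
    return hashlib.sha256(cert_der).hexdigest()


def login(cert_der: bytes, user_id: str) -> str:
    """Create a session after successful TLS client authentication.

    The fingerprint of the authenticating certificate is recorded alongside
    the session so later requests can be checked against it.
    """
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = Session(user_id, fingerprint(cert_der))
    return session_id


def authorize_unbound(session_id: str, cert_der: Optional[bytes]) -> Optional[str]:
    """Weak form: whoever holds the cookie is the user; the TLS-layer
    certificate on the current connection is never consulted."""
    session = SESSIONS.get(session_id)
    return session.user_id if session else None


def authorize_bound(session_id: str, cert_der: Optional[bytes]) -> Optional[str]:
    """Hardened form: the cookie is only honoured on a connection that
    presents the certificate the session was created with."""
    session = SESSIONS.get(session_id)
    if session is None or cert_der is None:
        return None
    if not secrets.compare_digest(session.cert_fingerprint, fingerprint(cert_der)):
        return None
    return session.user_id


def demo() -> Dict[str, Optional[str]]:
    """Run both checks over the same session with three kinds of request."""
    sid = login(CERT_A, "alice")
    return {
        # Request without any client certificate (e.g. a replayed cookie).
        "unbound_no_cert": authorize_unbound(sid, None),
        "bound_no_cert": authorize_bound(sid, None),
        # Request over a connection authenticated with a different certificate.
        "unbound_other_cert": authorize_unbound(sid, CERT_B),
        "bound_other_cert": authorize_bound(sid, CERT_B),
        # Legitimate continuation of the original session.
        "bound_same_cert": authorize_bound(sid, CERT_A),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {result}")
```

In the unbound variant a session cookie keeps working even when the current connection presents no certificate or a different one, which is exactly what a test for the "session bound to certificate" criterion looks for; the bound variant rejects both cases and accepts only the original certificate.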