Confusion reigns over crypto vuln in Spanish electronic ID smartcards
Certs revoked, but where are the updates?
The impact of a recently discovered cryptographic vulnerability involving smartcards is causing issues in Spain similar to those previously experienced in Estonia.
RSA keys produced by smartcards, security tokens, laptops and other devices using cryptography chips made by Infineon Technologies are weak and crackable – and therefore need to be regenerated with stronger algorithms. The security weakness arises from faulty crypto libraries bundled with Infineon TPMs – AKA trusted platform modules. Vendors were given time to address the issue before security researchers went public last month.
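The weakness leaves a structural trace in the public key itself, which is what lets an operator test a certificate for the flaw without touching the private key. As an added example (not from the article, and not the ROCA researchers' own tooling), the Python below applies the public ROCA fingerprint: for every small prime p, an affected modulus N satisfies N mod p = 65537^j mod p for some j, because the flawed generator only produces primes of the form k*M + (65537^a mod M) with M a product of small primes. The prime list (3 to 167) and the two sample moduli are constructions for this demo; neither sample is a real key.

```python
"""Added example: ROCA-style fingerprint check for RSA public moduli.

The Infineon library's flaw leaves a trace in the public key: for every
small prime p, the modulus N satisfies N mod p == 65537**j mod p for some j,
since the generated primes all have the form k*M + (65537**a mod M), where
M is a product of small primes. A modulus built from genuinely random primes
fails this for at least one p with overwhelming probability, so the check
tells an operator whether a key should be revoked and replaced. It does
nothing towards recovering the private key.
"""
import random

# Small odd primes used for the fingerprint. Assumption for this example:
# the range 3..167 mirrors the public detector; any similar list works.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]


def subgroup_of_65537(p):
    """Return {65537**j mod p}: the only residues N mod p can take for an affected key."""
    seen = set()
    x = 1
    while x not in seen:
        seen.add(x)
        x = (x * 65537) % p
    return seen


# Precompute the allowed residue set for each prime once.
ALLOWED = {p: subgroup_of_65537(p) for p in SMALL_PRIMES}


def failing_primes(n):
    """List the primes for which n mod p lies outside the allowed subgroup.

    An empty list means n carries the fingerprint; any non-empty list proves
    the key cannot have come from the flawed generator.
    """
    return [p for p in SMALL_PRIMES if n % p not in ALLOWED[p]]


def has_roca_fingerprint(n):
    return not failing_primes(n)


def constructed_affected_modulus(a, b, k1, k2):
    """Build N = p*q with the Infineon-style structure p = k*M + 65537**a mod M.

    Constructed for the demo only: p and q are not tested for primality, so
    this is not a usable key, but it has exactly the residue pattern the
    fingerprint detects (N mod p_i == 65537**(a+b) mod p_i for every p_i).
    """
    M = 1
    for p in SMALL_PRIMES:
        M *= p
    p = k1 * M + pow(65537, a, M)
    q = k2 * M + pow(65537, b, M)
    return p * q


def constructed_ordinary_modulus(seed=2017):
    """Product of two seeded pseudo-random 1024-bit odd numbers (again not a
    real key and not checked for primality): stands in for a modulus whose
    factors were chosen uniformly rather than by the flawed generator."""
    rng = random.Random(seed)
    p = rng.getrandbits(1024) | (1 << 1023) | 1
    q = rng.getrandbits(1024) | (1 << 1023) | 1
    return p * q


if __name__ == "__main__":
    bad = constructed_affected_modulus(a=7, b=12, k1=3, k2=5)
    good = constructed_ordinary_modulus()
    print("structured modulus flagged:", has_roca_fingerprint(bad))
    print("ordinary modulus flagged:  ", has_roca_fingerprint(good))
    print("first primes ruling it out:", failing_primes(good)[:3])
```

To test a real certificate, extract its modulus (for instance `cert.public_key().public_numbers().n` with the `cryptography` package) and pass that integer to `has_roca_fingerprint`. A positive result is grounds for revoking and reissuing the certificate; a negative result is conclusive, since a single prime outside the allowed subgroup rules the flawed generator out.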
The Estonian government suspended the use of the Baltic country's identity smartcards earlier this month in response to the flaw, as recently reported. Residents of the Baltic country will still be able to use the smartphone equivalent of the technology to access government services and online banking. Use of eResidents cards was suspended until holders obtained new certificates.
Something similar is happening on the opposite side of the continent in Spain, but on a larger scale and (arguably) with less co-ordination, involving Spain's electronic ID card, the Documento Nacional de Identidad electrónico (DNIe).
While the Spanish government – via the country's National Police body, which oversees the cards – claims to have revoked all affected certificates, some people say they can still sign documents with them. Policia Nacional said:
“Until the necessary technical solutions are implemented (which will be done in the near future), the functionality of the digital certificates will be deactivated by the current DNIe. [When updates] are available, they can be updated directly by their holders...”
Bilbao-based anti-virus expert Luis Corrons, of Panda Security, confirmed the issue is causing minor inconvenience for locals in the Basque country. "This affected people using certificates to deal via internet with local authorities in the Basque Country, as the entity in charge of that cancelled all vulnerable ones."
"This is caused by the same thing that affected the Estonian ID card," he added.
Dan Cvrcek, chief exec of Enigma Bridge and one of the team of researchers who uncovered the so-called ROCA vulnerability, told El Reg: "While the digital signature adoption is not very high (IE9 may be one of the issues), the number of affected ID cards and certificates could be somewhere in the region of 5-10 million."
He added: "The Spanish government seems to say they 'will revoke' without any particular date."
The need for a specific, properly configured card reader, combined with a lack of browser compatibility and poor mobile support, means that the electronic ID card technology has not reached its full potential in Spain.
Even when dealing with the government, Spaniards only use DNIe to book appointments rather than to submit papers or digitally sign contracts, as El Pais reports. Adoption of the technology in the country is far behind that in Estonia, for example. ®