3 March 2010

Belgian EID risks

Interesting papers on Belgian EID by Pieter Verhaegen: 

Belgian e-ID description
The Belgian e-ID card is a smart card that allows Belgian citizens to prove their identity and to sign electronic documents. Private information such as the owner's name, his address, a digital picture of the owner and his National Registry Number (Social Security Number) is stored on the card and signed by the government. Two PIN-protected key pairs allow digital authentication and signing.
Pilot projects for foreigner and kids e-ID cards are being executed.
To use the card in (web) applications the user needs a card reader and a middleware application (by the fedict government service). Applications typically interact with the card via an API  offered by this middleware, which is documented in the developer guide.
The card's public keys are embedded in a certificate containing the RRN and the name of the card holder, signed by the government. The private keys can only be activated (not read) with a PIN code.

Some of Pieter's remarks
  • The unique identity key is the National Registry Number (RRN).  The Belgian Privacy commission states that this key may only be stored by applications after official approval by them (National register act of 8/8/1983, ammended 25/3/2003, art 5), as mentioned in the FAQ. The FAQ sugggests to use a hash instead of the RRN.
  • As the RRN is not protected by the PIN, developers tend to think that just reading it is sufficient for authentication, rather that using client side SSL authentication.
  • Once the authentication PIN is entered, the authentication certificate can be used multiple times without notifying the user. A malicious application might authenticate to other sites on the user's behalf
The FEDICT middleware application is not mandatory. It can be replaced by another application. This is at once a risk (malicious middleware application) and a  feature (openness, extensibility). The eid-applet, for instance, can be used with or without the middleware and comes with an excellent developer guide.

Some tips on using e-ID in an application.