eid - Page 3

  • E-land archive: Questions about the EID, part 3

    The primary goal of the Belgian Security Bloggers is to improve and broaden knowledge of, and attention for, ICT security. We cannot say that there is currently a normal, critical investigation and debate in Belgium about Belgian ICT security in its various aspects. We hope that we will not remain the exception. This also applies to the EID. During our search for critical research on our EID we found, to our surprise, almost nothing. We also could not find the so-called audit reports on our EID, because they would no longer be public. MP Roel Deseyn has asked for them but has still not received an answer. That is rather strange for such an important project.

    Great was our surprise, then, when we read in the newspaper that, according to another MP, the EID was insecure and had better be abolished. He had attended a conference, had heard something there about problems with our EID, and had probably not understood much of it. Through his mistaken formulation, however, the only critical research on the EID to date almost went up in smoke.

    It became a hectic day, because several things had to happen at the same time.
    First, the completely wrong statements of this MP had to be corrected. Among other things, he had also understood nothing of our EID video.
    Second, there was the defence note from the EID believers, which denied that there were fundamental problems and used these wrong statements to try to silence all critics. That note had to be answered.
    Third, there was the study itself. We had already received it. Our e-mail address is sometimes a gold mine of information that we do not always make public but sometimes forward to the competent services. We wanted to persuade these professors, who were probably under heavy pressure, to publish the study themselves. We had already put it on the internet, but because uncertainty arose about the version we had, we removed it again. The professors probably understood that it was not good if different people were using different versions of their study. Their study only mattered if everyone was talking about the same version and everyone was convinced that this was their final version at that time. It resembled the discussion about our EID video.

    Because the study contains several important elements that one might read past too quickly, we also wrote an analysis piece. It is, after all, the first publicly available independent study of some aspects of the security and quality of the EID. On the points it raises there has so far been no complete answer whatsoever. The questions and problems it raises will therefore not disappear by themselves. We hope that one day the other audit reports will become publicly available again, and that the necessary independent, scientifically sound studies of our EID will be commissioned from specialised IT security firms that are not involved in the project. We also hope that students and researchers will pay more attention to the Belgian aspects of IT security policy. The study by these professors already gives them enough hints. I cannot close without remarking that we admire the courage of these professors in starting, presenting and publishing this study. Being in favour of the EID does not mean that we have to accept everything without any critical examination. The EID is a means; the way it is developed and implemented must be open to free discussion.

  • E-land archive: Questions about the EID, part 2

    (from belsec) At the moment MP Roel Deseyn asks his parliamentary question in May 2008, the Belgian Security Bloggers are faced with an enormous problem. We had not wanted to publish the video before a security update was released. But if we did not publish the video, any rumour or piece of gossip would become the truth, because nobody would have seen the video and nobody would believe the people who had seen it, because they were too much an interested party. It had already been noticeable, in the press attention around our presence at the hearings, that the press kept pressing its question about the security of the EID. It was a question we refused to answer, if only because we have far too few objective elements to give a correct answer. You can assume and hope, but there is no known public objective audit to know for sure. That is why external public audits are so important, or why they should be publicly accessible.

    So much has been written about the video in the meantime that it needs an explanation. It is below the video.

    At the launch of the EID the government said that we need not worry about our privacy, because specific software had been developed that would prevent other applications (such as viruses) from intercepting the public data stored on the EID. According to that publicity, this data can only be used by applications and websites that we have explicitly given permission for. They call this the privacy firewall. What the video shows is only this: that the privacy firewall can be bypassed in a very simple way, and that any virus, application or website that manages to use the name of one of the applications you had previously allowed to use the public data on the EID can also read, intercept or send all of the data on your EID. This is only useful if it can be combined with credit card data, or to try to answer the additional security questions of, for example, e-mail accounts. But in this way it can be done on an industrial scale.

    The other importance of the video is that it gave us goose bumps. When the video landed with us, we nearly fell off our chairs. If this was already so simple, what more would we discover? We therefore decided to stop further research into the security of the EID. We did not know what we would find, what we would have to do with it, or what our legal responsibilities would be. And if it was already this simple to bypass this protective firewall, how hard would the rest be? This is not for us to do, but for professional auditors, in a public report.

    It is therefore advisable to always equip your computer with the necessary security software when using an EID. According to a survey, about half of Belgian PCs have no antivirus. There is currently still no security update, and this is really your only protection.

    In part three, tomorrow, we deal with the unexpectedly courageous report by some researchers from Antwerp, who saw their startling results drowned in loud squabbling by another politician who had understood nothing of it.

  • E-land archive: Questions about the EID, part 1

    On the occasion of the Belgian Security Bloggers' first year of activity in Belgium, here is an exclusive look behind the scenes of the most important stories we were part of.

    (from Belsec) Our EID has made the news in recent months, and not in the most positive or most enlightening way. It all began when the Belgian Security Bloggers started a critical investigation of the EID in early 2008. The EID is, after all, the showpiece of the princes of ICT and was carried around everywhere like a flag. There were also big plans for it in the beginning. So it is normal that critical citizens ask critical questions about that piece of plastic that was going to become so important for our privacy. Since we are computer scientists, or people who work in computing, we simply went through the many questions we ask about every normal IT project of that size. At a certain point it was announced that we were halting the investigation; it would only become clear later why.

    In January 2008, during the parliamentary hearings on the security of the internet, one representative of the many Belgian Security Bloggers handed MP Roel Deseyn a CD-ROM with a video on it. We had to do it this way, because the Belgian law on cybercrime is not only the strictest in Belgium but also the vaguest. Belgium also has no procedure for what would be called 'responsible disclosure', in which the security researcher and the company agree on a cooperation procedure that guarantees both a technical solution and legal protection. Roel Deseyn had always shown interest in our questions and had worked hard for these hearings. He was willing to act as an intermediary. In return we would, from then on, always try to get such information to those responsible first. Roel Deseyn would see to it that this video and the problem were dealt with. The Belgian Security Bloggers are not hackers or students but professionals, and did not want to take any risk. We are no Don Quixotes, after all. An event later in the year would remind us of that very sharply. The goal is still to find a sound, quick solution to these problems, not to sow confusion or panic. It is in everyone's interest that we can always rely on a secure EID.

    In May 2008 MP Roel Deseyn found it necessary to draw attention to the problem with a parliamentary question. You can read about the video and what it really means in part 2, tomorrow. But let us already say that the card itself is currently not really insecure.

  • EID jokes: here is another one

    The best principle is to keep things clean. If you no longer use a server or service, you close it. Period: you make it disappear completely. If you leave it up, in whatever form, you may forget it, forget to upgrade it or forget to look at its logs, and so you have created an entry point. Every old server you close down is another entry point you close down. This is why, several times a year, you should review all your external services and servers (if you have many of them). You will see that there is always something you can close off. I think that the federal government, for starters, has a lot of servers it could simply close down, make disappear, and just redirect to a normal homepage on its central gateway.
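    One way to do the periodic review recommended above, as an added example that is not code from the blog: parse a listing of listening sockets and report every externally reachable listener whose port is not on an approved list. The approved ports are an assumption, and the sample lines are constructed to mimic the output of `ss -ltn` on Linux; they were not captured from a real host.

```python
"""Periodic review of what a host exposes: every listener not on the approved
list is a candidate for shutdown.  Added illustration, not code from the blog.
The listener lines are constructed to look like `ss -ltn` output on Linux."""

# Assumption: these are the only ports this host is meant to expose externally.
ALLOWED_PORTS = {22, 443}

# Constructed sample, not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
LISTEN 0      511    0.0.0.0:8080        0.0.0.0:*
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128    [::]:8443           [::]:*
"""


def parse_listeners(ss_output):
    """Return (address, port) for each LISTEN line; the header and blank lines are skipped."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # rpartition also handles "[::]:8443"
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def is_external(addr):
    """Loopback-only binds are not reachable from the network; anything else is."""
    return addr not in ("127.0.0.1", "::1")


def unexpected_listeners(ss_output, allowed_ports=ALLOWED_PORTS):
    """Externally reachable listeners whose port is not on the approved list:
    the things to close down, or to add to the list after a conscious decision."""
    return sorted(
        (addr, port)
        for addr, port in parse_listeners(ss_output)
        if is_external(addr) and port not in allowed_ports
    )


if __name__ == "__main__":
    for addr, port in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"not approved: {addr}:{port}")
```

    On a real host, feed the function the actual output of `ss -ltn` (for instance via `subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout`) and run it from a scheduled job; the point is that the list of what is meant to be exposed is written down, and anything outside it is flagged rather than silently kept.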

     


  • EID joke of the day


    Official middleware, an approved reader, Windows XP SP3 and all the rest, and oh yeah, the privacy firewall.

    And then you click to see your ID and the computer says..... (joke)

    It says that this smart card does not comply with the minimum requirements for supporting it (what requirements? are there requirements anywhere for this stuff?).

  • The famous EID video that so many people would like to forget

    You can still find it here (click on divshare).

     

    And since May it still has not been fixed.

    So if you use an EID you should protect your machine with all the security software you have, unless you would like to lose your ID to a crimeware server.

  • all behind the Belgian E-ID flag

    The Belgian ICT press is sometimes just a propaganda collection for our national ICT business and the international (advertising-buying) firms. That is the impression it gave me last month.

    Zion Security said that we should stay behind the Belgian EID project but add some more security when we include it in our authentication projects. The article said that we should still support such an excellent Belgian industrial project (which, in another article in the same magazine, was showcased as being installed in an African country). All behind the flag, and shut up.

    While Zetes is busy selling its software to African countries, it should perhaps start getting out the security patch that has been promised since May. It is not our fault that this has not happened and that the security awareness, the technical guidance and the security upgrading are a total mess. Some people even told us that the quality controls and oversight of the Zetes products and code are a mess. We do not know whether that is true, but we have not seen any truly independent audits showing otherwise.

    By the way, the solution they think they are bringing for the bypass of their security in our video may not be the solution. I am curious, because I have not seen their solution yet, but from the descriptions I have heard it does not sound promising. I do not think it will hold for long.

    The description we have heard is that people would get a pop-up alert each time an application tries to read or intercept the information on the EID. The problem was that people would not see that alert after a very easy trick. Now they would see it each time. I still have to see it, but as long as there is no sandboxing and encryption I still do not believe it is closed to manipulation, bypassing and plain 'saying yes' by the 'yes-clicking idiots', sorry, users, who think they have seen a changed alert that says it is safe.

    And that very safe EID is, in the same ICT magazine, the future for consulting your medical information online..... Trust me, but do not check me, and certainly do not criticise me, because I am not used to it.

    Meanwhile we are still awaiting the EID patch announced for May. It is September. But do not expect any ICT magazine to mention that. That would be too critical, and we cannot have that around here.....

  • the new Belgian EID middleware is nowhere to be seen

    So it has been a while.

    The workaround that made it possible for any infected computer to bypass the internal protection of the EID privacy protection and to download all the information on the card (and, for example, to collect it from a great number of computers and link it to other databases) was in our hands in January. We transmitted it to parliament and a parliamentarian transmitted it to FEDICT.

    On the 15th of May we made the video public, because there was a question in parliament and we had to set the record straight. Normally there was enough time between the transmission and mid-May to fix this little bug (with what is called a security patch). Nothing would be worse than rumours going around that the card itself was broken and so on (which is what happened several months later, when another politician spoke before understanding anything of what he had heard). It was also clear that people had to be made aware that a computer with an EID reader should be a secure PC with an up-to-date antivirus and firewall.

    In reaction to the articles that followed and to the EID study by a professor from Antwerp, and in a closed meeting, FEDICT said that the update would be there soon.

    Since publication of the bypass we are three months on and there is nothing in sight. The problem, I think, is that this security update has been absorbed into a larger update (one that includes Mac and other compatibility work), so that every problem anywhere with any of these systems holds it up; meanwhile those systems receive numerous security patches every month, each of which can have an impact on your upgrade and obliges you to retest again. Even the Mac now gets enormous packages of security updates every few weeks.

    So one should distinguish between security patches and functional patches. Security patches go out immediately; they may be short-term fixes, but they are important. Functional upgrades come afterwards, once you are sure the security fixes are installed and working; then you can check your functional upgrades on the newly patched machines.

    We are now three months on, the website still says that it will come soon, and the website does not tell people to protect their PC when they use their EID. This is like telling people that they do not have to put on their seat belt when driving (we even fine people for that). The chance of getting hurt or infected may be the same (as a percentage of the total), but that prevention can save you a lot of real or virtual harm.

    If you are a network administrator you should make sure that machines that use or receive EIDs are properly defended and controlled/updated. If you receive EIDs from other people, you should buy an expensive reader and not use the free one. The same applies if you use the EID to do a lot of financial business with.

    I know some people will say that they are busy, that we should be patient, that it will come soon, etc.... but if Microsoft or another firm said that about a necessary security update, the online press would go nuts. So it is not because a public service is running the project (or doing its project management) that it should not be held to the same standards and expectations. Certainly for something as vital as an EID.

    The incident proves that they should really set up a security centre, a security research team, a security patch update and distribution mechanism, and a communication policy. Just like Microsoft does (and everyone that is following its example and learning from a few mistakes made).

    The older articles and video can be found on your right, in the section 'EID in the picture'. The video will have to be replaced, we have seen. This will happen in the coming days.

  • EID v3: security may be more important than usability

    They seem to have enlarged their team and to be preparing a new major release of the Fedict EID middleware. The major overhaul seems to be that, after the release of our video, they seem to be convinced that security is (at last) much more important than usability (or the impression that you have more control over the use of your own data).

    The argument was that the data on your EID were public anyway, but the big difference is that now these public data can be collected massively and automatically, which was not the case before. For this reason it is important that the EID has more access controls over who uses the data on your EID and why.

    Let us hope the political decision-makers will understand that if people have the impression that their EID is not so safe, and that anything or anyone can have automatic access to their information, even if it is public, without their knowledge, then you will have a trust problem and you will not be able to develop the EID for other purposes. You must first develop further a secure, permanently updated official middleware, guided by public, free and permanently updated norms, standards, guides and best practices for each step of the production process. Each step should be permanently externally audited and tested for individual problems and against complex attack schemes (timing attacks, for example). Each year a public report should be handed to parliament about the issues and successes of the past year and the investments and legal initiatives needed for the coming year.

    If it is the decision of the EID development team to upgrade the security of their EID, which would make it a bit less user-friendly, then this is a decision we can only applaud and fully support.

    We should, however, also draw their attention to all the other issues published in the university test report that need to be addressed.

    Even if the middleware is open source and anybody can make and do anything with it, at the very least we should have one robust, official, permanently and automatically updated middleware that can be trusted, audited and built upon. We would appreciate more external testing and also the publication of standards, best practices and development practices that are open for comment, revision and extension, just as NIST does in the US.

    For this to succeed we need some political courage. We need in fact to authorise and finance a public institution that, possibly together with the private sector and the IT security research world, would be responsible for identifying those general and very specific norms, standards and guides. We do not necessarily need new guides; a translation/adaptation of the best of those that already exist elsewhere would already be a huge step forward.

    We look forward to those initiatives and releases to come, and forgive us for being ever so critical. But be warned: we will not support those who want the EID to roll back into a user-friendly EID card that nobody really wants to use for anything more than a dumb card, because security has been no priority at all.

    As the release will be major, we think it is critical to have one information portal (wiki, blog, RSS feeds) that groups all the technical and administrative information one needs to work with the official Belgian middleware. That there is a community of developers with their own portals and information wikis is a good thing, but there should always be one official and complete portal for the official middleware that is permanently and quickly updated.

    And while we are at it: that middleware should have an automatic self-updating function, without which the card will not work, so that you are sure you are always using an updated version. The card readers should also be certified and tested on a permanent basis. Card readers that have no real security against interception of the data should be withdrawn.

  • EID Rijksregister teaches the wrong lesson

    It is important that the EID uses safe online services that give users a sense of trust. One of the things that matter is that the certificates are in order. Now this does not seem to be the case when you want to look up your information in your national file with your national unique number (RRN, Rijksregister).

    This service should be a showcase, an example of how it should be done?

    How do you expect to educate the population in how to work correctly with certificates, and in what the point is of working with certificates and the whole very expensive infrastructure behind them, if you teach them to click on anything without checking or verifying? There is not much explanation in the text of why people see this, what they should do here, and why they should not do this when they go to a bank, for example.

  • EID: the online web service is opt-out, not opt-in

    There is a lot of discussion between privacy advocates and service operators. The first are mostly for opt-in, in which the person has to make clear that he or she wants to use the service; the second are mostly advocates of opt-out, in which one has to say that he or she does not want to use those additional services.

    Security people are mostly for opt-in, because it is much simpler to secure a situation by having all additional services off and securing them one after another as you add them, than by going through all the activated services and trying to secure or cut them all. This is a bit like the difference between NT/2000 and 2003 and later, and between a secure basic setup of a program and a standard one.

    Now it has been said that every citizen who receives an EID at the town hall in Belgium automatically has all the certificates activated that are needed for the online services. It is up to the citizen to phone or send in a form to deactivate these services/certificates (for example because he or she does not have a computer at home).

    There is also the following tip. Go to an EID reader where you have to enter your PIN code and type a wrong PIN code three times. The certificates will be automatically deactivated, and with them any possible online use of your EID.

  • EID: how to make it unusable online, right away or from now on (updated)

    You can make your EID unusable online if you do not activate any of the digital certificates on it when you go to the town hall to get yours.

    You will not be able to use it for any online service, but if you refuse the activation, that is probably your intention.

    They will probably not tell you that you are not obliged to activate both and will just try to do it, but I have been hearing from several sources that you have the right to refuse. Contradict me if I am wrong.

    The law says that we do not have to activate the keys for online authentication that would be necessary for digital signatures or online services.

    art. 14 §2 (...)
    The electronically readable personal data concern:
    1° the identity and signature keys;
    2° the identity and signature certificates;
    3° the accredited certification service provider;
    4° the information needed for the authentication of the card, for the protection of the electronically readable data on the card, and for the use of the accompanying qualified certificates;
    5° the other particulars imposed by law;
    6° the main residence of the holder.
    The holder of the card may, if desired, waive the activation of the data mentioned under 1° to 3° of the previous paragraph.
    http://www.juridat.be/cgi_loi/loi_N.pl?cn=2003032530

    So, some questions:

    1. Are people informed in an understandable way that they do not have to activate this?

    2. Can you, other than by 'losing' the card and asking for a new one, deactivate it if it has been activated without your consent?

    3. How many people did not activate it, or asked to deactivate it, if they were told they could do so? I have heard and read about municipalities where it was activated by default.

    It shows the importance of having a very secure and robust security organisation, audit and upgrade back office for this enormous project. It is not something to be taken lightly or done 'between the croissant and the coffee', because every scandal, vulnerability or problem that arises can have an impact on the (de)activation of these certificates (and so on your ability to use it for online services). The very smart card will become that much dumber each time. And the nirvana of all the technological wet dreams of our evangelistic techno-priests will become a fata morgana (except that they have cost millions).

  • EID not integrated in MSN chat or Microsoft

    Bill Gates came to Belgium and was presented to the international press with a fake Belgian EID. He was impressed, he said, and wanted to integrate the technology with MSN chat so that children (them again; how we love them) could be protected against paedophiles.

    Today Saferchat.be, which does just that, has 75 members for the whole of Belgium and is no longer promoted. It is a dead duck that does not even swim anymore (it drowned in their own haste for publicity instead of quality).

    Microsoft's MSN manager for the Benelux says that parental supervision has been integrated into the whole of MSN throughout the world and that the EID is not really of any interest anymore. And that probably just confirms the signals Microsoft has been sending for a while about the whole EID project.

    In fact Microsoft is saying what we were saying all along:

    Norms, standards, controls, audits, penetration tests, quality tests, certifications.....

  • EID: the press announcement of the Administration

    The administration of the Interior, which is responsible for the security aspect of the EID, has published a press statement about the research on the EID that was published last week.

    They say that the EID is safe and that the article was misinterpreted or misrepresented, but that the card as such is safe. So what. That is like having a bank without alarms, guards and procedures but saying that your money is safe because there is a very secure big safe in the cellar.

    They state that the problem is in the middleware and that the middleware is being adapted (the safer the better; f..... usability if it makes the card or its applications insecure). It is clear that this will take more time than was announced before (beginning of May).

    At the beginning of September a roadshow will be organised to show what can be done with the card and, we hope, how to use it securely.

    Fedict will also, and that is new (finally), give security labels to EID applications. We would hope that this is done through a thorough examination (which also takes into consideration a 'responsible disclosure and patching policy' and penetration tests) and that it would not be definitive but could be retracted if it turns out that there are other problems with the software, the implementation or the organisation responsible for it.

    They say that digital signatures are safe and legal, but here we would like to refer to the article itself. This is only the case under certain conditions and certain assumptions.

    The first thing to do when confronted with such research is not to panic and throw the whole weight of your communication budget into simply denying it. This is a web world. The articles and the research are online and will stay online for anyone to see, whatever you say. You should read the article very carefully, line by line (as we have done), note each problem on a separate page, and then ask yourself two questions.

    1. What can we do to resolve the problem, and how can it be done so that it will not come back?

    2. They did some research, but what should have been researched even more? Or set up a counter-research fund or workgroup, whose goal would simply be to organise the anti-research and to try to find storylines for manipulating the card. The manipulation or interception of the card is not the problem as such; it becomes a problem if it is used in a larger fraud scheme. And then you go back to question 1.

    We would also like to remind the minister that if he really thinks Belgian computers should use their EID, and if he really believes those computers should be safe so that his citizens can use that card with an acceptable level of security, then it is perhaps time that the articles in the new Telecommunications Law that oblige ISPs (like Skynet and Telenet) to give every customer a free security package were enforced. The ISPs do not like it, but there is not one industry that liked security regulations and investments until the moment they saw the advantages for everybody. Imagine that every Belgian PC had a security package installed and could use the EID with secured middleware.....

    Nowadays half of all Belgian computers on the internet have no antivirus. That is like driving without brakes.

  • New version of the EID software delayed?

    This is what it says on the http://eid.belgium.be site:

    "In preparation for these new certificates, a new version (3.0) of the middleware, the software with which the data on the eID chip can be read and which provides the interface to applications that use the eID, will also be released at the beginning of May. This version is made available by Fedict to all citizens. The documentation for this version 3.0 of the middleware will be placed on this website in the same period."

    but the version you can download is

    1_22

  • updated: What does the study about the EID say?

    My own comments are written like this 

    The use of the Unique Identifier

    The study says that the unique identifier in Belgium (the RRN, comparable to the social security number in the USA) should be better protected when the EID card is used online. Now it is only hashed and that is not enough. One reason to do better is that if, in the future, databases wanted to interlink information about users in order to profile them, this should not work because it should not be possible to link the hashes of the users' EID cards. Secondly, the unique identifier RRN is not protected enough during a digital signature because it has to stay readable for authentication so that it can be verified.
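    The following is an added example, not code from the blog, from Fedict or from the study. It shows why a bare (unkeyed) hash of a unique identifier is still a linkable identifier: two unrelated databases that both store the SHA-256 of the RRN can be joined on that column. It then shows the keyed, per-application pseudonym approach (the same idea as the per-application number the KUL press release on this page describes): with a different secret per application, the pseudonyms of one user in two services no longer match. The RRN values, the two services and the assumption that a trusted issuing service holds the per-application keys are all constructed for the example. A second reason a bare hash is weak is only noted here and not demonstrated: the RRN is built from the date of birth, a short sequence number and two check digits, so its input space is small enough that an unsalted hash can be reversed by enumeration.

```python
"""Added example (not from the blog or from Fedict): linkability of a bare hash
of a unique identifier versus keyed per-application pseudonyms.
All RRN values below are constructed placeholders, not real numbers."""
import hashlib
import hmac
import secrets


def bare_hash(rrn: str) -> str:
    """Unkeyed SHA-256 of the identifier: the same RRN always maps to the same value,
    so any two parties that hash it can match records.  The RRN's small, structured
    input space (birth date + sequence + check digits) makes it reversible as well."""
    return hashlib.sha256(rrn.encode()).hexdigest()


def app_pseudonym(rrn: str, app_key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 under a secret that differs per application.
    Assumption: the key is held by a trusted issuing service, never by the application,
    so the application sees only an identifier it cannot relate to another service's."""
    return hmac.new(app_key, rrn.encode(), hashlib.sha256).hexdigest()


def linkable_records(db_a: dict, db_b: dict) -> set:
    """Identifiers present in both databases; a join on them is a profile link."""
    return set(db_a) & set(db_b)


# Constructed sample users (placeholder strings in RRN length, not valid numbers).
USERS = ["85010112345", "90051567890", "00120387654"]


def build_db(ident_fn, users, payload: str) -> dict:
    """Constructed store: record payload keyed by whatever identifier ident_fn yields."""
    return {ident_fn(u): f"{payload} for user #{i}" for i, u in enumerate(users)}


def demo_bare_hash() -> set:
    """Two services hash the RRN the same way: every shared user can be joined."""
    tax_db = build_db(bare_hash, USERS, "tax record")
    health_db = build_db(bare_hash, USERS[:2], "health record")
    return linkable_records(tax_db, health_db)


def demo_keyed_pseudonyms() -> set:
    """Each service gets its own key: the same users, but nothing joins without the keys."""
    key_tax = secrets.token_bytes(32)      # assumed per-application secrets
    key_health = secrets.token_bytes(32)
    tax_db = build_db(lambda u: app_pseudonym(u, key_tax), USERS, "tax record")
    health_db = build_db(lambda u: app_pseudonym(u, key_health), USERS[:2], "health record")
    return linkable_records(tax_db, health_db)


if __name__ == "__main__":
    print("bare hash, joinable records:", len(demo_bare_hash()))          # 2
    print("keyed pseudonyms, joinable records:", len(demo_keyed_pseudonyms()))  # 0
```

    The design point is that the protection comes from a secret the application never holds; the hash function itself adds nothing if everyone applies it the same way to the same number.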

    The card reader

    The card reader that is freely distributed to the general public gives the user no way of seeing what is happening, nor the possibility to abort the operation. The same freely distributed readers have no keypad, so the user has to use the keyboard of his computer, and if that computer is infected with malware, that malware can intercept the data stream with the PIN codes and the commands.

    Access control

    Access to the card and its data is not protected enough (the password and PIN code are not always required, or are kept cached for too long).

    The protective (leaking) privacy firewall

    The film everybody is talking about is the film that has been posted on this blog. It is about a very simple way to bypass the privacy wall and has nothing to do with breaking the chip itself. The privacy wall is software that is installed on the computer of the user. It should control and limit which applications can read the information that is on the EID. It asks in a popup whether the user accepts a change (a program that also wants to read the EID data), and as you know as a security officer there are many 'yes clicking idiots' who will accept whatever it takes to make something 'work'. The upgrade of the privacy wall uses the same method to warn the users and isn't really a solution. It will probably not take that long before it is also bypassed or neglected.

    So according to the study, the card and its privacy wall are for the moment not recommended to secure chat sites for kids (as was the well publicized intention of the card for Microsoft). In fact the card should not be used on computers that are not fully secured and are not known by the holder of the card, because he will have no control over the efficiency of the privacy wall or over which applications in the privacy wall of another computer have been given access to each EID that is inserted in the EID card reader of that computer.

    The EID card can still be used if the protective software by Fedict is not present on the computer, and so the EID card (and its data) and the transactions have less protection. It would be wiser if the card only functioned when the security software by FEDICT is present on the computer. If one decides wisely in the near future to turn that leaking privacy wall into a real full-blown security shield for the card, its data and its transactions, then the fact that the card would not function without that software present (hash control) would raise security to a higher level.

    It is also too easy to deactivate the privacy service if the user is administrator on his machine. Some banks like KBC also try to use the EID for their online services but ask their users to turn off the privacy-protecting service. After that any application can read any data on the EID.

    It is too difficult to see which applications you have given permission in the privacy wall to read the data on your EID, and they didn't find a normal way to change a permission. Logging and monitoring are important functions that are often forgotten in software development.
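    As an added example (not Fedict's privacy service and not code from the study), here is a minimal application allow-list of the kind the privacy wall implements, with the three things the paragraphs above say are missing: an audit log of every allow, grant, deny and revoke decision, a way to list which applications currently hold a grant, and a way to revoke one. It also never silently widens a grant: an application that already may read some fields and now asks for more goes back to the user. The application identifiers, the data field names and the `ask_user` callback that stands in for the popup are assumptions made for the example.

```python
"""Added example (not Fedict's privacy service): an eID application allow-list
with audit logging, listing and revocation.  App identifiers, field names and
the popup stand-in are constructed for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List


@dataclass
class Grant:
    app_id: str            # assumed: path plus executable hash, as a stable identity
    fields: frozenset      # which eID data fields the application may read
    granted_at: datetime


@dataclass
class PrivacyFirewall:
    # Popup stand-in: gets (app_id, requested fields) and returns True if the user accepts.
    ask_user: Callable[[str, frozenset], bool]
    grants: Dict[str, Grant] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def _log(self, event: str, app_id: str, detail: str = "") -> None:
        """Every decision is recorded with a UTC timestamp so the user can review it."""
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit_log.append(f"{stamp} {event} app={app_id} {detail}".rstrip())

    def request(self, app_id: str, fields: set) -> bool:
        """Decide whether app_id may read `fields`; ask the user for anything not yet granted."""
        wanted = frozenset(fields)
        grant = self.grants.get(app_id)
        if grant is not None and wanted <= grant.fields:
            self._log("ALLOW", app_id, "cached grant")
            return True
        # A new or widened request always goes back to the user; the grant becomes the union.
        if self.ask_user(app_id, wanted):
            merged = wanted | (grant.fields if grant is not None else frozenset())
            self.grants[app_id] = Grant(app_id, merged, datetime.now(timezone.utc))
            self._log("GRANT", app_id, f"fields={sorted(merged)}")
            return True
        self._log("DENY", app_id, f"fields={sorted(wanted)}")
        return False

    def list_grants(self) -> List[str]:
        """What the user currently cannot see in the real privacy wall: who may read what."""
        return [f"{g.app_id}: {sorted(g.fields)}" for g in self.grants.values()]

    def revoke(self, app_id: str) -> bool:
        """Withdraw a grant; returns False if there was none."""
        removed = self.grants.pop(app_id, None) is not None
        self._log("REVOKE", app_id, "ok" if removed else "no such grant")
        return removed


def demo() -> dict:
    """Constructed session: the user accepts only the tax application."""
    answers = {"tax-on-web": True, "unknown-downloader.exe": False}
    fw = PrivacyFirewall(ask_user=lambda app, fields: answers.get(app, False))
    fw.request("tax-on-web", {"name", "rrn"})             # first use: popup, granted
    fw.request("tax-on-web", {"name"})                    # subset of the grant: no popup
    fw.request("tax-on-web", {"name", "address"})         # new field: popup again, grant widened
    fw.request("unknown-downloader.exe", {"photo"})       # user refuses: denied and logged
    fw.revoke("tax-on-web")                               # the missing "change a permission"
    # Strip the timestamps so the decisions can be compared as plain text.
    return {"grants": fw.list_grants(), "log": [e.split(" ", 1)[1] for e in fw.audit_log]}


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

    The point of the union-and-re-ask rule is that "yes clicking" is at least bounded to the fields named in the popup, and the log makes every click reviewable afterwards, which is exactly what the study found absent.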

    Use with online applications

    If the EID card is used as a single sign-on authenticator, the applet that is used by online web applications can read and change the EID data on that card without notifying the user. It is not possible to disable the single sign-on function on the card, even though that is described in the documentation.

    Not all the certificate services of online EID-enabled services from the Belgian government are professionally installed, and the user has to trust them blindly (the man-in-the-middle or DNS rerouting attack). Some of these services even run on web servers that shouldn't be allowed for such important services.

    Digital signatures

    It is not beyond any doubt safe to trust the digital signatures that are made with the EID cards. There is a possibility that you did sign what you saw, but what else did you sign? That is not possible to know for the moment, because there is no mention of which document (name and/or hash) you have signed in the popup that appears after you have signed a document with the EID. Because the same PIN code is used for authentication and for placing your digital signature, there are scenarios possible to mislead the user.
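    The following is an added example written for this post; it is not the eID middleware or the card's own code. It shows two mitigations for the two signature problems above: the popup shows the document name and its hash before the PIN is asked and that name and hash are kept in the record of what was signed (what you see is what you sign), and the authentication operation and the signing operation are separated by key and by a purpose tag in the signed message, so that a "challenge" signed during a log-in can never be presented afterwards as a signature on a document. HMAC-SHA256 under two per-card secrets stands in for the card's two certificate-bound key pairs; that substitution, the PIN handling and the constructed document are assumptions of the example.

```python
"""Added example (not the eID middleware): what-you-see-is-what-you-sign
confirmation and domain separation between authentication and signing.
HMAC-SHA256 with two constructed secrets stands in for the card's key pairs."""
import hashlib
import hmac
from typing import Callable, Dict, Optional

# Constructed card state: two keys (one per purpose) and a PIN.  In the real card the
# keys never leave the chip; here they are plain values so the example runs offline.
CARD = {"auth_key": b"constructed-auth-key", "sign_key": b"constructed-sign-key", "pin": "1234"}


def document_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _mac(key: bytes, purpose: str, digest: str) -> str:
    # Domain separation: the purpose is part of the signed message, not only the key choice,
    # so even a reused key could not make an auth response pass as a document signature.
    return hmac.new(key, f"{purpose}\x00{digest}".encode(), hashlib.sha256).hexdigest()


def card_sign(purpose: str, digest: str, pin: str) -> Optional[str]:
    """Card-side operation: the PIN unlocks only the key bound to `purpose`."""
    if purpose not in ("auth", "sign") or pin != CARD["pin"]:
        return None
    key = CARD["auth_key"] if purpose == "auth" else CARD["sign_key"]
    return _mac(key, purpose, digest)


def verify(purpose: str, digest: str, signature: Optional[str]) -> bool:
    """Verifier side: knows the key for that purpose (the public key in the real system)."""
    if signature is None:
        return False
    key = CARD["auth_key"] if purpose == "auth" else CARD["sign_key"]
    return hmac.compare_digest(_mac(key, purpose, digest), signature)


def sign_document(name: str, data: bytes,
                  confirm: Callable[[str, str], Optional[str]]) -> Dict:
    """Middleware flow.  `confirm` is the popup: it receives the document name and
    digest BEFORE any PIN is asked and returns the PIN, or None if the user aborts."""
    digest = document_digest(data)
    pin = confirm(name, digest)
    if pin is None:
        return {"signed": False, "name": name, "digest": digest, "signature": None}
    sig = card_sign("sign", digest, pin)
    # The record of what was signed keeps name and digest, which the study found missing.
    return {"signed": sig is not None, "name": name, "digest": digest, "signature": sig}


def authenticate(challenge: bytes, pin: str) -> Optional[str]:
    """Log-in: the card signs the server's challenge under the authentication key only."""
    return card_sign("auth", document_digest(challenge), pin)


def demo_challenge_reuse() -> bool:
    """Failure mode from the post: a server sends a document's bytes as a 'challenge'.
    With separated keys and purposes the auth response is worthless as a signature."""
    contract = b"constructed: I owe 10000 EUR"
    response = authenticate(contract, CARD["pin"])        # user believes this is a log-in
    return verify("sign", document_digest(contract), response)  # False


if __name__ == "__main__":
    shown = []
    rec = sign_document("contract.pdf", b"constructed contract text",
                        lambda n, d: (shown.append((n, d)), "1234")[1])
    print("popup showed:", shown[0][0], shown[0][1][:16] + "...")
    print("verifies as document signature:", verify("sign", rec["digest"], rec["signature"]))
    print("auth response accepted as signature:", demo_challenge_reuse())
```

    If the same key and the same message format served both purposes, `demo_challenge_reuse` would return True; that is the scenario the study warns about when one PIN unlocks both functions, and separating purposes on the card side is what removes it regardless of what the user clicked.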

    Code and documentation

    The code has comments that show that it isn't finished yet. These are comments like /* FIXME ... */, /* correct? */, /* to be implemented */, and the code is public open source for anyone to download without authentication.... In the code there are still functions like strcpy to be found, even though they can be responsible for buffer overflows.

    The documentation is neither really up to date nor complete (and very chaotically organised across the web, if you ask us).

    So now it is time to respond to these facts and suppositions with facts and propositions.

  • EID study nobody read but everybody talks about is online again

    The professors want to make some things clear first:

    * they are not responsible for the panicking remarks by the political representative

    * they have seen at the congress that, even with this study, the whole world is looking at how Belgium is trying to develop its EID, and they don't want to put that in danger. They want to make clear that there are some problems and procedures that need to be changed; they don't want to restart from 0

    The belsec blog doesn't agree with the action points at all. For the rest we salute the research as just another effort to do some security research (even if it is not fully compatible with university research, but if you read the interuniversity report about e-voting, what is?)


  • Some remarks on the answer from the KUL

    First, you can't lay all the responsibility for the safety of the use and of the material (the EID card) on the shoulders of the user. It should have as much security in itself as a basis, not ask the users to do and check a long list of things before they can actually begin to use it.

    Secondly, those best practices are first of all not free, and I doubt they are dynamic and open and revised continually. I don't think they correspond with the way NIST and CERT make and maintain such practices. I am not asking anyone to reinvent the wheel. If one would start with translating the existing norms and standards that are being used elsewhere in the world, that would already be an enormous progress.

    Thirdly, it is mentioned that when one programs something, there are always choices to be made between security and user friendliness. I have the impression that even banks are nowadays sometimes more interested in the latter than the former and that the losses and risks are just business costs to them. For the citizen it is a lot more trouble than one could imagine. On the other hand, if one sees and reads how the malware industry is perfecting its business model and modernizing its techniques, one could ask whether security shouldn't be put more in the forefront.

    Fourth, it is good to read that more privacy protection technologies can be added to the card in the future. It should have been the case from the beginning. But there has been no concrete decision about this until now. We also hope that the privacy wall will be reviewed and will have better protection against bypassing and attacks. We hope you have a look at the video about the effectiveness of this privacy wall.

    Fifth, we have read the study of the professors that is being mentioned in the media, and we find that there are a lot of other questions and possible schemes that aren't addressed in this response. They should all be treated and corrected as fast as possible. Surely what they see as programming errors.

    We think that their study should be made public so that everybody knows what we are talking about. It is all good and well to have a study; it is a totally different thing to have a democratic debate about a study that nearly nobody but a few has actually read. If everybody at least had the possibility to read the study, and eventually the comments on the facts in the study by other scientists, then we would at least have a basis for a normal rational debate.

    PUBLISH THE STUDY AND THE RESPONSE ON THE FACTS IN IT

    But we agree on three things:

    * development, distribution and funding of EID should be accelerated, but it should be done in a dramatically different way

    * We have no knowledge for the moment (but we haven't seen any tests either) of anything that breaks the chip.

    * It is not that simple to commit identity theft with an EID card. But some procedures should be changed to diminish the risk further.

  • EID: Official answer from the KUL research group to the article and the study

    Press release - The Electronic Identity Card is Secure

    COSIC, K.U.Leuven, 13 June 2008

    Recent reports in the press indicate that the electronic identity card could easily be cracked. It is claimed that with a cracked chip one could pass oneself off as one's neighbour and thus also view his tax return. These reports are said to rest on a contribution by the team of Prof. Bart De Decker (Dept. of Computer Science, K.U.Leuven) that was presented this week at the European e-ID Card Conference in The Hague.

    These claims are completely unfounded. At this moment no method whatsoever is known to break the security of the electronic identity card; at the current state of the art it is not possible to extract sensitive data (secret keys) from the chip that would make it possible to pass oneself off as someone else or to forge digital signatures. The security architecture of the electronic identity card was designed and verified in cooperation with several researchers of the K.U.Leuven (Prof. Jos Dumortier, ICRI, and Prof. Bart Preneel and Danny De Cock, COSIC).

    Just like a paper identity card or a bank card with a chip, an electronic identity card contains sensitive data about a person (such as the address and the national register number). The most sensitive data make it possible to consult personal data (data in the national register, tax-on-web) and to sign documents electronically. These functions are protected by a secret code (the PIN code), which must be carefully protected.

    It is important that the user handles an electronic identity card with the necessary caution, just as he does with his bank card or credit card. This means using a secure card reader at home (preferably with its own display and keypad). In addition, one must manage one's PC correctly and respect the basic rules of good use: regularly update software and operating system, use an anti-virus and anti-spyware programme, and finally be careful when visiting websites or installing new applications. These rules apply not only to the use of the electronic identity card, but to all applications on a PC, such as internet banking.

    On the other hand, it is important to understand that 100% perfect security does not exist. The weakest link in the use of the electronic identity card is certainly not the card itself, but the software that drives the card (the middleware) and the applications. Software is never perfect, but the current software offered by Fedict is evaluated regularly; if there are problems, they are solved quickly and efficiently. At this moment no incident is known in which the card itself was attacked. When developing the software, choices also have to be made: does one ask the user for his PIN code for every identification, or only when a new website is visited? This decision is made on the basis of a trade-off between user friendliness and risks; here it is important to evaluate these risks thoroughly. To help programmers make these choices, a number of companies have developed a document, "Best Practices for Applications using the electronic Identity Card (eID)." Finally, it is important to point out that for user authentication the alternative is very often a username and password. It is abundantly clear that this offers much less security (and also imposes requirements on the correct management of the computer).

    Conclusion: the recent reports in the press are incorrect. At this moment it is absolutely not possible to crack the electronic identity card. It is true that the card is one element in a complex security system; the risks in using the card must be weighed correctly, but at the current state of the art it is perfectly possible to achieve an adequate level of security with the existing software and hardware.

    Addendum: reply to a number of remarks in the study of Prof. De Decker

    The study of Prof. De Decker suggests that the electronic identity card is a step towards Big Brother. At this moment there is no indication whatsoever that this is the case; the Belgian government handles citizens' data very carefully. In the first place there is adequate legal protection that restricts the use of the national register number (under the control of the privacy commission). On behalf of Fedict, the K.U.Leuven has worked out a technical solution to use for each application a specific application number that is different for every application and that cannot be linked to the national register number or to any other number. Furthermore, the use of an electronic identity card can in the future offer even better privacy protection through sophisticated security techniques that allow one, for example, to prove with the help of the card that one is older than 18 without revealing any other information. This is studied among others in the IWT project ADAPID (advanced applications of the electronic identity card), led by the COSIC research group of the K.U.Leuven (https://www.cosic.esat.kuleuven.be/adapid/).

    The study also points out that when one inserts one's card into the card reader, the basic data (digital photo, identity data, address) can be read by software running on the PC. It would certainly not be user friendly to make these data available only when the user enters a PIN code: that would become very impractical at a border control, for example. This is no different from the paper card, where the basic data can also be read when one looks at the card. Just as one does not simply hand this card to anyone, one must also be careful when using the electronic card. In addition, Fedict offers a privacy service that locks the card reader and obliges applications to use the Fedict software. This protection is, like all protection in software, not 100% watertight, but in our opinion it offers a reasonable level of protection against attacks by malicious software and hackers. Most PCs contain much more personal information (financial data, photos, address files) that is usually not additionally protected at all.

    Contact: Prof. Bart Preneel, Dept. of Electrical Engineering-ESAT, COSIC, K.U.Leuven

    016/32 11 48 Bart.Preneel@esat.kuleuven.be

  • EID: representative Jambon makes some mistakes

    First, it is not that simple and automatic that you can steal an identity simply with the EID of your neighbour. We didn't publish that information, but there is a procedure that makes it possible under certain conditions. One of these procedures has already been published but involves pictures of (or possession of) several cards and bits of information.

    It seems necessary to us to stop the way that new passwords are distributed online and to change it into a physical-presence procedure where you have to present yourself in your city or commune. This doesn't sound very digital and new, but this is the standard for all safe bank cards and identity papers.

    Secondly, the films are not about the chip; they are about the privacy wall that should have protected the information on the card against interception by non-authorized applications.

    There are much more important political and IT problems around EID that need to be addressed, as fast and as coordinated as possible. Now is not the time to have political, intellectual or industrial fights. We are all in this together, and solving this problem won't take too much effort if everybody agrees on the normal best practices and certifications that need to be in place.

    We hope the government will survive the 15th of July because we need a government to do these things (among many others). These are much bigger issues than the interpretation of a word or sentence in a global agreement.