Estonia renews certificates of 760,000 ID cards for vulnerable RSA keys

The Estonian government has announced that the certificates of 760,000 electronic ID cards will be blocked on Friday evening. These must be renewed because they are vulnerable to an attack in which the private RSA key can be retrieved.

In a message, the government wrote that the ID cards can still be used as traditional means of identification, but that the certificates must be renewed at special points or online. That process should take about 15 minutes, a second message states. According to the government, no cases of identity theft have been identified so far. Citizens and so-called e-residents have until the end of March to renew their certificates.

Estonian Prime Minister Jüri Ratas writes: “The functioning of the e-state is based on trust and the state cannot afford identity theft to the owner of an Estonian ID card.” Although this has not happened yet, the risk would exist. The cards affected are ID cards that were issued between October 16, 2014 and October 25, 2017. Those cards will no longer work with digital services unless they are updated.

The government is calling on people not to update their cards all at once, because the systems cannot handle this. Only individuals who depend on the card working properly, such as doctors and government officials, will be able to get started with the update this weekend. It is estimated that 35,000 people are involved.

The problems arose after the researchers behind the recently presented ROCA attack discovered that Infineon chips produce insecure RSA keys, allowing the private key to be retrieved from the public key. This is an issue for products that use the affected software library from the German company Infineon. In addition to the ID cards, TPMs from Microsoft, Google, Lenovo and HP, among others, were affected. It was also found that certain Gemalto smart cards are vulnerable.
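
Whether a given public key carries the structure of keys generated by the affected library can be checked from the modulus alone, without any factoring. The sketch below is an added example, not code from the article, the Estonian authorities or the ROCA researchers; it assumes the published key structure (primes of the form k*M + 65537^a mod M, with M a product of the first small primes), and its function names and sample values are constructed for illustration.

```python
"""Added example: fingerprint check for ROCA-structured RSA moduli."""

GENERATOR = 65537  # affected primes have the form k*M + (65537**a mod M)

def first_primes(count):
    """Return the first `count` primes by trial division (small counts only)."""
    primes, candidate = [], 2
    while len(primes) < count:
        if all(candidate % p for p in primes):
            primes.append(candidate)
        candidate += 1
    return primes

# For the smallest affected key size M is the product of the first 39 primes;
# larger sizes use a longer product, so these primes divide M in every case.
SMALL_PRIMES = first_primes(39)

def subgroup(prime):
    """All residues reachable as 65537**j mod prime."""
    seen, value = set(), 1
    while value not in seen:
        seen.add(value)
        value = (value * GENERATOR) % prime
    return seen

ALLOWED = {p: subgroup(p) for p in SMALL_PRIMES}

def has_roca_fingerprint(modulus):
    """True if the modulus reduces into the 65537-subgroup for every small prime.

    A structured modulus always passes. A modulus without the structure
    almost always fails for at least one prime, so True means "renew this key".
    """
    return all(modulus % p in ALLOWED[p] for p in SMALL_PRIMES)

def constructed_modulus(k1, a, k2, b):
    """Constructed sample with the affected structure (factors need not be prime)."""
    m = 1
    for p in SMALL_PRIMES:
        m *= p
    return (k1 * m + pow(GENERATOR, a, m)) * (k2 * m + pow(GENERATOR, b, m))

if __name__ == "__main__":
    structured = constructed_modulus(12345, 777, 67890, 4242)   # constructed
    unstructured = (2**127 - 1) * (2**61 - 1)                   # two Mersenne primes
    print("structured sample flagged:  ", has_roca_fingerprint(structured))
    print("unstructured sample flagged:", has_roca_fingerprint(unstructured))
```

To audit real keys, pass the integer modulus extracted from each certificate or public key to `has_roca_fingerprint`.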