Abstract
In 2017, the encryption vulnerability of a widespread chip led to major, nation-wide eID card incidents in several EU countries. In this paper, we investigate the Estonian case. We start with an analysis of the Estonian eID field in terms of stakeholders and their responsibilities. Then, we describe the incident management from the inside perspective of the crisis management team, covering the whole incident timeline (including issues in response, continuity and recovery). From this, we are able to derive key factors in coping with large-scale security vulnerabilities in the eID field (public-private partnership, technical factors, crisis management, documentation), which encourages further research and systematization.
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Lips, S., Pappel, I., Tsap, V., Draheim, D. (2018). Key Factors in Coping with Large-Scale Security Vulnerabilities in the eID Field. In: Kő, A., Francesconi, E. (eds) Electronic Government and the Information Systems Perspective. EGOVIS 2018. Lecture Notes in Computer Science, vol 11032. Springer, Cham. https://doi.org/10.1007/978-3-319-98349-3_5
DOI: https://doi.org/10.1007/978-3-319-98349-3_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-98348-6
Online ISBN: 978-3-319-98349-3
eBook Packages: Computer Science (R0)