Weaknesses in BankID, a PKI-Substitute Deployed by Norwegian Banks

Gjøsteen, Kristian

doi:10.1007/978-3-540-69485-4_14

Kristian Gjøsteen¹

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 5057))

Included in the following conference series:

European Public Key Infrastructure Workshop

897 Accesses
3 Citations
1 Altmetric

Abstract

BankID is a PKI-substitute widely deployed by Norwegian banks to provide digital signatures and identification on the internet. We have performed a reverse-engineering of part of the BankID system and analysed the security protocols and the implementation of certain cryptographic primitives. We have found cryptographic weaknesses that may indicate security problems, protocol flaws facilitating man-in-the-middle attacks, and implementation errors facilitating strong insider attacks. We also note that the system suffers from severe privacy problems.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

References

Directive 1999/93/EC of the European parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures. Official Journal of the European Communities, L13, 43, 12–20 (2000)
Google Scholar
Cremers, C.J.F.: Scyther - Semantics and Verification of Security Protocols. Ph.D. dissertation, Eindhoven University of Technology (2006)
Google Scholar
Dierks, T., Rescorla, E.: The transport layer security (TLS) protocol version 1.1, RFC 4346 (April 2006)
Google Scholar
Espelid, Y., Netland, L.-H., Klingsheim, A.N., Hole, K.J.: A proof of concept attack against Norwegian internet banking systems. In: Proc. of the 12th International Conference on Financial Cryptography and Data Security (FC 2008), Cozumel, Mexico, January 28-31,2008 (2008)
Google Scholar
Espelid, Y., Netland, L.-H., Klingsheim, A.N., Hole, K.J.: Robbing banks with their own software—an exploit against Norwegian online banks, September 8-10 (2008); To be presented at the 23rd International Information Security Conference (SEC 2008), Milan, Italy (2008)
Google Scholar
Gutmann, P.: Security usability, Draft (February 2008), http://www.cs.auckland.ac.nz/~pgut001/pubs/usability.pdf
Hole, K.J., Tjøstheim, T., Moen, V., Netland, L.-H., Espelid, Y., Klingsheim, A.N.: Next generation internet banking in Norway. Technical Report 371, Department of Informatics, University of Bergen (February 2008), http://www.nowires.org/Papers-PDF/BankIDevaluation.pdf
RSA Laboratories. PKCS #1: RSA cryptography standard, version 2.1 (June 2002)
Google Scholar
Trygg bruk av BankID (in Norwegian) (Feburary 13, 2007), http://www.bankid.no/utskrift.db2?id=4062

Download references

Author information

Authors and Affiliations

Department of Mathematical Sciences, Norwegian University of Science and Technology,
Kristian Gjøsteen

Authors

Kristian Gjøsteen
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Stig F. Mjølsnes Sjouke Mauw Sokratis K. Katsikas

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Gjøsteen, K. (2008). Weaknesses in BankID, a PKI-Substitute Deployed by Norwegian Banks. In: Mjølsnes, S.F., Mauw, S., Katsikas, S.K. (eds) Public Key Infrastructure. EuroPKI 2008. Lecture Notes in Computer Science, vol 5057. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-69485-4_14

Download citation

DOI: https://doi.org/10.1007/978-3-540-69485-4_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-69484-7
Online ISBN: 978-3-540-69485-4
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics