Abstract
BankID is a PKI-substitute widely deployed by Norwegian banks to provide digital signatures and identification on the internet. We have performed a reverse-engineering of part of the BankID system and analysed the security protocols and the implementation of certain cryptographic primitives. We have found cryptographic weaknesses that may indicate security problems, protocol flaws facilitating man-in-the-middle attacks, and implementation errors facilitating strong insider attacks. We also note that the system suffers from severe privacy problems.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Directive 1999/93/EC of the European parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures. Official Journal of the European Communities, L13, 43, 12–20 (2000)
Cremers, C.J.F.: Scyther - Semantics and Verification of Security Protocols. Ph.D. dissertation, Eindhoven University of Technology (2006)
Dierks, T., Rescorla, E.: The transport layer security (TLS) protocol version 1.1, RFC 4346 (April 2006)
Espelid, Y., Netland, L.-H., Klingsheim, A.N., Hole, K.J.: A proof of concept attack against Norwegian internet banking systems. In: Proc. of the 12th International Conference on Financial Cryptography and Data Security (FC 2008), Cozumel, Mexico, January 28-31,2008 (2008)
Espelid, Y., Netland, L.-H., Klingsheim, A.N., Hole, K.J.: Robbing banks with their own software—an exploit against Norwegian online banks, September 8-10 (2008); To be presented at the 23rd International Information Security Conference (SEC 2008), Milan, Italy (2008)
Gutmann, P.: Security usability, Draft (February 2008), http://www.cs.auckland.ac.nz/~pgut001/pubs/usability.pdf
Hole, K.J., Tjøstheim, T., Moen, V., Netland, L.-H., Espelid, Y., Klingsheim, A.N.: Next generation internet banking in Norway. Technical Report 371, Department of Informatics, University of Bergen (February 2008), http://www.nowires.org/Papers-PDF/BankIDevaluation.pdf
RSA Laboratories. PKCS #1: RSA cryptography standard, version 2.1 (June 2002)
Trygg bruk av BankID (in Norwegian) (Feburary 13, 2007), http://www.bankid.no/utskrift.db2?id=4062
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Gjøsteen, K. (2008). Weaknesses in BankID, a PKI-Substitute Deployed by Norwegian Banks. In: Mjølsnes, S.F., Mauw, S., Katsikas, S.K. (eds) Public Key Infrastructure. EuroPKI 2008. Lecture Notes in Computer Science, vol 5057. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-69485-4_14
Download citation
DOI: https://doi.org/10.1007/978-3-540-69485-4_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-69484-7
Online ISBN: 978-3-540-69485-4
eBook Packages: Computer ScienceComputer Science (R0)