Estonian identity card

Type: Mandatory identity document
Issued by: Estonia
First issued: 23 August 2021 (current design)
Purpose: Identification, travel
Valid in: European Union; United Kingdom (EU Settlement Scheme) [1]; rest of Europe (except Belarus, Russia, and Ukraine); Georgia; Montserrat (max. 14 days); Overseas France; Tunisia (organized tours)
Eligibility: Estonian citizenship, or EEA/Swiss citizenship when residing in Estonia
Expiration: 5 years

The Estonian identity card (Estonian: ID-kaart) is a mandatory identity document for citizens of Estonia. In addition to regular identification of a person, an ID-card can also be used for establishing one's identity in an electronic environment and for giving one's digital signature. Within Europe (except Belarus, Russia, Ukraine and the United Kingdom) [2] [3], as well as in the French overseas territories, Georgia and Tunisia (on organized tours only) [4], the Estonian ID-card can be used by citizens of Estonia as a travel document.


The mandatory identity document of an Estonian citizen, as of other citizens of the European Union, is the identity card, also known as the ID card. The Estonian ID-card can be used to cross the Estonian border; however, the Estonian authorities cannot guarantee that other EU member states will accept the card as a travel document. [5]

With the Estonian ID-card the citizen also receives a personal @eesti.ee e-mail address, which the state uses to send important information. In order to use the @eesti.ee address, the citizen has to forward it to his or her personal e-mail address via the State Portal eesti.ee.

On 25 September 2018 the Police and Border Guard Board (PPA) introduced the newest version of Estonia's ID-card, featuring additional security elements and a contactless interface. The new cards also use Estonia's own font and elements of its brand. One new detail is the inclusion of a QR code, which makes it easier to check the validity of the ID-card. The new design also features a color photo of the bearer, which doubles as a security element and is made up of lines; when the card is viewed at an angle, a second photo appears. The new chip has a higher capacity, allowing new applications to be added to it. [6]

Scope

The Estonian ID-cards are used in health care, electronic banking, signing contracts, public transit, encrypting email and voting. Estonia offers over 600 e-services to citizens and 2,400 to businesses. [7] The card's chip stores digitized data about the authorized user, most importantly: the user's full name, gender, national identification number, and cryptographic keys and public key certificates.

Types of Estonian ID cards

There are several types of identity documents issued by the Estonian state that are usually referred to as the Estonian ID-card. These are the identity card, the digital identity card, the residence permit card, the e-resident’s digital identity card and the diplomatic identity card.

While these identity documents are issued to different categories of persons and have a different appearance, all of them provide the same electronic functionality via a smart card chip. [8]:52

Types of Estonian ID cards (front and back card images omitted):

  Identity card (2021 design)
  Digital identity card, including the e-resident's digital identity card (design in use since 2018-12-03)
  Residence permit card (design in use since 2020-10-01)
  Diplomatic identity card (design in use since 2018-12-03)

Electronic functionality of the ID card

From its introduction in 2002 until now, the core electronic functionality provided by the Estonian ID-card has stayed the same. The ID-card contains two asymmetric (RSA or ECC) key pairs with the corresponding X.509 public-key certificates, and symmetric keys to perform card management operations. [8]:25

Authentication key. The authentication key is used to log into e-services by providing a signature in the TLS client certificate authentication process. This key can also be used to decrypt documents encrypted for the cardholder. This is used only infrequently, as such documents would become unreadable if the card were lost or destroyed. Cryptographic signature and decryption operations with this key have to be authorized using the 4-digit PIN1 code.

Digital signature key. The digital signature key is used to give legally binding digital signatures that under eIDAS are recognized as qualified electronic signatures. Each signature operation with the key has to be authorized using the 5-digit PIN2 code.

Personal data file. The ID card chip contains a publicly readable personal data file, which consists of 16 records containing the same information as is printed on the card.

Card management operations. The cards are preloaded with symmetric keys that can be used by the manufacturer to perform various card management operations in the post-issuance phase. This provides a method to reset PIN codes in the event the cardholder forgets them, generate new keys, write new certificates, and even reinstall the whole smart card applet if needed. [8]:25

The Estonian state provides DigiDoc software allowing users to cryptographically sign digital documents. Since 2016 the DigiDoc software can create files that follow the EU-wide ETSI standard called ASiC-e. [9] [10]

By 7 September 2021, 1,391,704,193 electronic signatures had been given, averaging 50 signatures per card user per year. [11]

Under Estonian law, since 15 December 2000 the cryptographic signature is legally equivalent to a manual signature. [12] This law has been superseded by the EU-wide eSignature Directive since 2016. [13]

Uses for identification

The card's compatibility with standard X.509 and TLS infrastructure, by providing a client certificate to each person, has made it a convenient means of identification for web-based government services in Estonia (see e-Government). All major banks and many financial and other web services support ID-card based authentication. Adding support for Estonian ID-card based identification is straightforward, because the majority of browsers, web servers and other software in use support TLS (SSL) client-certificate authentication, which is exactly the mechanism the Estonian ID-card uses.

Web discussion forums

Web commentary columns of some Estonian newspapers, most notably Eesti Päevaleht, used to support ID-card based authentication for comments. This approach caused some controversy in the internet community. [14]

Public transport

Larger cities in Estonia, such as Tallinn and Tartu, have arrangements making it possible for residents to purchase "virtual" transportation tickets linked to their ID-cards.

Period tickets can be bought online via electronic bank transfer, by SMS, or at public kiosks. This process usually takes only a few minutes, and the ticket is active either from the moment of purchase or from its first use. [15]

Customers also have the option of requesting e-mail or SMS notification alerting them when the ticket is about to expire, or of setting up automatic renewal through internet banking services.

To use the virtual ticket, customers must carry their ID-card with them whenever they use public transport. During a routine ticket check, users are asked to present their ID-card, which is then inserted into a special device. This device then confirms that the user holds a valid ticket, and also warns if the ticket is about to expire. The ticket check usually takes less than a second.

Ticket information is stored in a central database, not on the ID-card itself. Thus, an ID-card reader is not needed to order a ticket. Ticket controllers have access to a local archive of the master database. If the ticket was purchased after the local archive was updated, the ticket device is able to confirm the ticket against the master database over a mobile data link.

Electronic voting

The Estonian ID-card is also used for authentication in Estonia's Internet-based voting program called i-Voting.

In February 2007, Estonia was the first country in the world to institute electronic voting for parliamentary elections. Over 30,000 voters participated in the country's e-election. [16] In the 2011 parliamentary election, 140,846 votes were cast electronically, representing 24% of total votes. [17]

The software used in this process is available for Microsoft Windows, macOS and Linux.

Use as a travel document

Since Estonia's accession to the European Union (EU) in 2004, Estonian citizens who possess an Estonian identity card have been able to use it as an international travel document, in lieu of a passport, for travel within the European Economic Area, as well as the French overseas departments and territories, Andorra, San Marino, Monaco, Vatican City, Northern Cyprus, and Georgia.

However, non-Estonian citizens resident in Estonia are unable to use their Estonian identity cards as an international travel document.

Security issues

Over the years the Estonian ID-card and its ecosystem have experienced several security incidents and related issues. [8]:118 Some of the most significant security incidents encountered are listed below.

Infineon's RSA key generation flaw

In August 2017, a security threat was discovered that affected 750,000 ID and e-residency cards issued between 16 October 2014 and 26 October 2017. [18]

It was reported that a code library developed by Infineon, which had been in widespread use in security products such as smartcards and TPMs, had a flaw (later dubbed the ROCA vulnerability) that allowed private keys to be inferred from public keys. [19] As a result, all systems depending upon the secrecy of such keys were vulnerable to compromise, such as identity theft or spoofing. [19] Affected systems included 750,000 Estonian national ID-cards [19] and Estonian e-residency cards.
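The public-key fingerprint test that ROCA detection tools apply is shown below as an added example (it is not code from the article, from the Estonian authorities or from the cited papers). Each prime of a flawed key has the form k*M + (65537^a mod M) for a primorial M, so the modulus N satisfies N mod r in the subgroup generated by 65537 for every small prime r dividing M; the sample moduli here are constructed, and a real check would read the modulus from the card's X.509 certificate.

```python
"""Check an RSA modulus for the ROCA fingerprint (CVE-2017-15361).

Keys from the flawed Infineon generator have primes p = k*M + (65537^a mod M)
with M a primorial, so the modulus N = p*q satisfies
    N mod r  in  <65537>   (the cyclic subgroup generated by 65537 in Z_r*)
for every small prime r dividing M.  A modulus failing any of the 38 residue
checks cannot have come from the flawed generator; an unrelated modulus
passes all of them with negligible probability (well below 2**-100).

Added example for illustration; not the Estonian state's or any detection
tool's own code.  Sample inputs are constructed, not real certificates.
"""
from math import prod

# Odd primes 3..167: the primorial used for 512-bit keys divides the
# primorials used for every larger key size, so this one residue check
# applies to 1024-, 2048- and 4096-bit moduli as well.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53,
                59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109,
                113, 127, 131, 137, 139, 149, 151, 157, 163, 167]
PUBLIC_EXPONENT = 65537


def _generated_subgroup(r: int) -> frozenset:
    """All residues 65537^k mod r, i.e. the subgroup <65537> of Z_r*."""
    members, x = set(), 1
    while x not in members:
        members.add(x)
        x = (x * PUBLIC_EXPONENT) % r
    return frozenset(members)


# Precomputed once: the admissible residues for each small prime.
_ALLOWED = {r: _generated_subgroup(r) for r in SMALL_PRIMES}


def has_roca_fingerprint(n: int) -> bool:
    """True if n matches the ROCA fingerprint for every small prime."""
    return all(n % r in _ALLOWED[r] for r in SMALL_PRIMES)


def first_failing_prime(n: int):
    """Diagnostic: the first small prime whose residue rules ROCA out,
    or None if the modulus passes every residue check."""
    for r in SMALL_PRIMES:
        if n % r not in _ALLOWED[r]:
            return r
    return None


# Constructed sample inputs (hypothetical, not taken from real cards):
# 1. a value with the ROCA structure, 65537^k mod M, which has the
#    fingerprint by construction;
# 2. a modulus-sized number without that structure.
M = prod(SMALL_PRIMES)
ROCA_LIKE = pow(PUBLIC_EXPONENT, 123456789, M)
NOT_ROCA = 2**1024 + 1

if __name__ == "__main__":
    for label, n in (("roca-like", ROCA_LIKE), ("not-roca", NOT_ROCA)):
        print(label, has_roca_fingerprint(n), first_failing_prime(n))
```

A failed residue check proves the key did not come from the flawed library; a pass, given the negligible false-positive rate, is near-certain evidence that it did and the certificate should be treated as compromised.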

On 2 November 2017, the Estonian government decided to suspend the affected certificates at midnight on 3 November. For the next five months, until 31 March 2018 (inclusive), the holders of the suspended certificates were still able to update their ID-cards at PPA customer service points and remotely over the internet. On 1 April 2018, the certificates of the non-renewed ID-cards were revoked and the renewal service for the affected ID-cards was discontinued. [8]:132 The government's decision to postpone the revocation of the affected certificates and to allow the remote renewal of suspended certificates has been criticized for not complying with eID legal requirements. [20]

The incident resulted in a litigation process, as the ID-card manufacturer Gemalto had failed to inform the Estonian state about the vulnerability in a timely manner. In February 2021, it was reported that Gemalto and the Estonian state had reached a compromise agreement, with Gemalto agreeing to pay the state 2.2 million EUR in compensation. [8]:139

Security flaws in key management

There have been several isolated cases of security flaws being discovered in the ID-card key management process. In particular, in some cases, contrary to the security requirements, the ID-card manufacturer Gemalto had generated private keys outside the chip. In several cases, copies of the same private key have been imported in the ID-cards of different cardholders, allowing them to impersonate each other. In addition, as a result of a separate flaw in the manufacturing process, corrupted RSA public key moduli have been included in the certificates, which in one case led to the full recovery of the corresponding private key. [21]
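A registry-side audit for the two failures described above, duplicated key material across cardholders and moduli that share a prime factor, is shown as an added example (not code from the Estonian registry or from the cited paper). The moduli are constructed toy products of small primes so the check runs offline; a real audit would take the modulus from each issued X.509 certificate.

```python
"""Audit a batch of issued RSA public keys for key-management failures:
the same modulus appearing in more than one cardholder's certificate
(the holders can impersonate each other), and distinct moduli sharing a
prime factor (a single gcd then factors both, so both keys are weak).

Added example, not the registry's or any cited paper's own code.
Inputs are constructed toy moduli, not real card keys.
"""
from itertools import combinations
from math import gcd


def find_duplicate_moduli(keys: dict) -> dict:
    """Map each modulus held by more than one subject to those subjects."""
    holders = {}
    for subject, n in keys.items():
        holders.setdefault(n, []).append(subject)
    return {n: subs for n, subs in holders.items() if len(subs) > 1}


def find_shared_factors(keys: dict) -> list:
    """Pairs of distinct moduli with a common factor, as (s1, s2, gcd)."""
    found = []
    for (s1, n1), (s2, n2) in combinations(keys.items(), 2):
        if n1 == n2:
            continue  # exact duplicates are reported separately
        g = gcd(n1, n2)
        if g > 1:
            found.append((s1, s2, g))
    return found


# Constructed sample registry: subject -> modulus (toy sizes, not real keys).
P, Q, R, S = 1000003, 1000033, 1000037, 1000039
SAMPLE_KEYS = {
    "holder-A": P * Q,  # legitimate, unique key
    "holder-B": R * S,  # independent key
    "holder-C": P * Q,  # same key imported into a second cardholder's card
    "holder-D": Q * R,  # shares Q with A/C and R with B: all four factorable
}

if __name__ == "__main__":
    print("duplicate moduli:", find_duplicate_moduli(SAMPLE_KEYS))
    print("shared factors:", find_shared_factors(SAMPLE_KEYS))
```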


References

  1. "Visiting the UK as an EU, EEA or Swiss citizen". GOV.UK. 27 May 2022. Retrieved 2023-05-11.
  2. "Validity of ID Card". North Cyprus. 4 March 2014.
  3. "Visiting the UK as an EU, EEA or Swiss citizen". GOV.UK. Retrieved 2021-10-01.
  4. "Visa information - Tunisia embassy in Berlin".
  5. "Estonian ID Card Information by Estonian Police and Border Guard Board". Police and Border Guard Board. Archived from the original on 2021-02-26. Retrieved 2017-02-28.
  6. "New Estonian ID Card 2019". ERR. Retrieved 2018-10-01.
  7. "Estonia takes the plunge". The Economist. ISSN 0013-0613. Retrieved 2024-07-10.
  8. Parsovs, Arnis (March 2021). Estonian Electronic Identity Card and its Security Challenges (PhD). University of Tartu.
  9. ETSI EN 319 162-1 V1.1.1, https://www.etsi.org/deliver/etsi_en/319100_319199/31916201/01.01.01_60/en_31916201v010101p.pdf
  10. "Mis vahe on .bdoc ja .asice laiendiga digiallkirjastatud dokumentidel?".
  11. Estonian ID-card
  12. Elektrooniline Riigi Teataja: Digitaalallkirja seadus (this version valid from 8 January 2004 up to 31 December 2007)
  13. "Introduction to e-signature". Archived from the original on 2019-08-09. Retrieved 2019-08-09.
  14. Priit Hõbemägi: Anonüümsete kommentaaride lõpetamise kommentaarid. Archived 2007-09-26 at the Wayback Machine.
  15. "Bussikaardi korduma kippuvad küsimused". 24 July 2023.
  16. "idBlog - The number of electronic voters tripled". Archived from the original on 2012-03-01. Retrieved 2012-12-09.
  17. "Valimised".
  18. "Possible security risk affects 750,000 Estonian ID-cards". Estonian World. Retrieved 2017-09-17.
  19. Goodin, Dan (16 October 2017). "Millions of high-security crypto keys crippled by newly discovered flaw". Ars Technica. Retrieved 16 October 2017.
  20. Parsovs, Arnis (May 2020). "Solving the Estonian ID Card Crisis: the Legal Issues" (PDF). Proc. 17th International Conference on Information Systems for Crisis Response and Management ISCRAM 2020. Retrieved 7 September 2021.
  21. Parsovs, Arnis (14 August 2020). "Estonian Electronic Identity Card: Security Flaws in Key Management". Proc. 29th USENIX Security Symposium. Retrieved 2 September 2020.