A cryptography security flaw, present in 750,000 Estonian e-Residency cards and elsewhere, has a five-year history, researchers say.
Since news broke earlier this year that the code library by Infineon, the company responsible for dishing out multiple countries’ ID schemes, was vulnerable to hacking, attempts have been underway to assess the scale of the problem.
Now, experts have realized the weakness stretches back to 2012 and could affect citizens throughout the world, including Slovakia’s digital ID scheme.
“It means that if you have a document digitally signed with someone’s private key, you can’t prove it was really them who signed it,” Ars Technica quotes Graham Steel, CEO of encryption consultancy Cryptosense, as saying.
“Or if you sent sensitive data encrypted under someone’s public key, you can’t be sure that only they can read it.”
Known as ‘factorizing,’ the revelations mark a rare instance of mass failure of cryptographic technology issued on a wide scale.
“In public key cryptography, a fundamental property is that public keys really are public – you can give them to anyone without any impact in security. In this work, that property is completely broken.”
Estonia’s e-Residency scheme has gained international praise as an example of liberal yet secure policy, with even non-Estonians able to procure a digital identity.
Meanwhile, international governments are increasingly considering Blockchain or distributed ledger-based national identity schemes.