The Ministry of the Interior of Spain has informed through the National Police Body of a serious security problem in the electronic certificate of the electronic DNI. This has provoked an immediate reaction: the functionality of the digital certificates has been deactivated. The problem was detected after discovering that the same vulnerabilities had been presented in Estonia, where this document is an integral part of the entire operation of its services and where more than 750,000 digital certificates have been deactivated to avoid further trouble.
How to know if your ID is affected by the security breach
The affected documents were issued as of April 2015. To know if our DNIe is affected we will have to pay attention to the number that is under the so-called IDEPS or NUM SOPORT (depending on the type of electronic ID that we have in each case) . The official statement states that “it is reported that the documents whose certificates could be affected, are those that have support number after the ASG160.000, which were issued as of April 2015”.
Your ID is still valid as an identification document
It is important to note that although the digital certificate of these DNIe has been disabled as a security measure, the DNIe is still perfectly valid as an identification document.
What to do if your DNIe is among those affected?
The deactivation of these functions will be maintained while the security of the electronic DNI is improved, and according to the National Police, this process “will be done in the near future”. In case of making an active use of the digital certificate and being affected by the problem, the best solution to request the renewal of the DNIe
The origin of the problem
The vulnerability is found in a software library widely used in this field. Due to this problem an attacker could calculate the private portion of a vulnerable key using only the public portion. This would result in an attacker being able to impersonate the victim’s personality to decipher sensitive data, hide malicious software in digitally signed software or overcome protection based on these systems. This software library was developed by the German chip manufacturer Infineon, and according to studies has been generating weak keys since at least 2012. This problem caused the government of Estonia to indicate that more than 750,000 electronic identity documents were vulnerable to this attack, which led to the deactivation of digital certificates to avoid the abuse of this vulnerability, as explained by Kaspar Korjus, the head of the department. Estonian “Electronic Residence” that manages these documents. Korjus explained that there are no known cases of misuse of those documents or that the security breach had been exploited, and in the Estonian government department they are updating the security of their documents with a new encryption system that “is more secure and faster than SSL certificates that were previously used. ” The vulnerability could be exploited for that identity spoofing in a really simple way through the so-called ROCA (Return of the Coppersmith Attack). The experts who analyzed the problem estimated that renting a service in the cloud to break a vulnerable 1024-bit key would take 25 minutes and 38 dollars. Breaking a 2.048-bit key would cost much more: $ 20,000 and nine days of calculations on those services. The Estonian government officials themselves indicate that taking advantage of the attack would be “complicated and not cheap”, and that using it for example to use it in large-scale frauds in electronic voting would not be affordable