back to article Confusion reigns over crypto vuln in Spanish electronic ID smartcards

The impact of a recently discovered cryptographic vulnerability involving smartcards is causing issues in Spain similar to those previously experienced in Estonia. RSA keys produced by smartcards, security tokens, laptops and other devices using cryptography chips made by Infineon Technologies are weak and crackable – and …

  1. Anonymous Coward
    Anonymous Coward

    I wonder if it'll stop there

    Other countries, like Portugal, also adopted digital ID cards with digital signature possibilities (although, as in Spain, adoption is so-so). We'll keep checking the news...

    1. Dan 55 Silver badge

      Re: I wonder if it'll stop there

      If the card was manufactured by Infineon (Germany) then it will probably have a vulnerability, as that's the manufacturer for Estonia and Spain's cards.

  2. Dan 55 Silver badge

    Here's how it went

    There are self-service machines at police stations to do card operations on e-ID cards. The police turned all the machines off then realised that older non-vulnerable cards issued prior to April 2015 could still be used with self-service machines. Only they can't turn them on again because of the newer vulnerable cards. So instead people with older cards have to book an appointment to see someone at the police station who will change the PIN for them or renew the certificate on it or whatever.

    People with newer vulnerable cards will not be able to renew the certificate on it or change the PIN because the people at the police station won't let them. Also people who get brand new cards (e.g. every five years) will still get a vulnerable one and won't be given the PIN. link

    And it seems people can still use vulnerable cards over the Internet, maybe because the there's one certificate to rule them all and if it's revoked then older non-vulnerable cards could stop working.

    And the newer vulnerable cards also have another problem - when they are used to sign something, they don't certify the date it was signed, so the two vulnerabilities could be used together with online banking (if it supports it). link

    However this will probably blow over because hardly anyone uses the e-ID feature of their ID cards, it means going to the police station anyway or spending hours persuading IE or Firefox and Java to work with a card reader and hoping it doesn't stop working if anything gets updated.

  3. Anonymous Coward
    Anonymous Coward

    I was going to explain how to pronounce Dan Cvrček's last name. But then I realised that saying "just the way it's written" was not going to be all that helpful.

    It means "cricket" (as in the animal) btw.

    1. hplasm Silver badge
      Big Brother

      Are you hearing this, Blunkett?

      This is the sort of half-arsed shit the UK would be in if you and your ilk had prevailed in 2006.

      (We are just in a different flavour of half-arsed shit now...)

      1. EnviableOne Silver badge

        Re: Are you hearing this, Blunkett?

        at least one would hope the UK would have been more estonia than spain and had it all sorted in a fairly organised manner ......

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020