So now it's going to be obligatory to use NemID for authenticating and securing transactions with public services in Denmark (for instance, taxes, social security information) but also for Electronic Banking (i.e. "netbank"), after the 1st of July 2010.
The problem is that there's a perfectly functional solution existing today in the form of "Digital Signature", which is widely used. It's an X.509 solution using public key cryptography. In layman's terms: a private key is owned and maintained by you, and no one else, and a public key, widely distributed, is signed by a trusted public authority. The key (no pun intended) element here is "private key". You are the sole administrator of that key; in fact, if you lose that key or forget the password that protects (decrypts) it, you will have to contact the issuer (DanID) and ask for a new key pair to be generated (a new "Digital Signature").
Apart from the new pricing model (NemID will be more expensive for businesses), and the fact that the signature will be combined with a "one-time password" list of passwords (which is always an improvement) there is a major flaw in how NemID will be implemented:
The public and private keys will be stored by NemID. What it means is that your private key is no longer private. This is not mentioned on the NemID website, but a couple of articles (in Danish -- the NemID website itself is in Danish only as well) have detailed the problem:
Here are the issues as I see them:
NemID argues that if they wanted to abuse their position of trusted party and defraud their customers, they could have done so long ago. The issue is not so much that of trust (an entire discussion by itself) but the fact that NemID becomes a choice target for industrial attacks ("hacking"). Except it's not credit card numbers we're talking about, but entire digital identities. Before, this was mitigated by the fact that one had to install spyware on many personal computers and use keyboard loggers to capture passphrases. Now, it's the old Egyptian tomb raider solution: forget the big granite door in front, just dig around the limestone walls.
Finally, NemID argues that since the certificates are not "qualified" (the identity of the person to which the certificate is assigned is not physically verified, but only implied through your Danish CPR number and paper post), there is no requirement to treat NemID as a "Digital Signature". So why market it/promote it as such?
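To make the custody point above concrete, here is an added example (my own code, not from the post, NemID, DanID or any bank). It models the two arrangements the post contrasts: a user who generates a key pair and signs on their own machine, a bank that stores only public keys and can therefore verify but never sign, and an issuer that keeps a copy of the user's private key and can sign as that user without touching the user's computer. ECDSA P-256 stands in for the RSA/X.509 certificates the real systems use; the names Holder, Bank, CentralStore and "alice", the sample transaction, and the step where the store is simply handed alice's key (so both models can run in one program) are all illustrative assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Holder models a user who keeps a self-generated private key on their own machine.
type Holder struct{ priv *ecdsa.PrivateKey }

// NewHolder generates a P-256 key pair locally; only the public half is ever handed out.
func NewHolder() (*Holder, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Holder{priv: priv}, nil
}

func (h *Holder) Public() *ecdsa.PublicKey { return &h.priv.PublicKey }

// Sign authorises a transaction on the holder's own machine; the private key never leaves it.
func (h *Holder) Sign(tx []byte) ([]byte, error) {
	d := sha256.Sum256(tx)
	return ecdsa.SignASN1(rand.Reader, h.priv, d[:])
}

// Bank models the relying party (a netbank): it holds public keys only, so it can
// check signatures but never produce them.
type Bank struct{ pubs map[string]*ecdsa.PublicKey }

// Verify accepts a transaction only if it was signed with the private key matching the user's registered public key.
func (b *Bank) Verify(user string, tx, sig []byte) bool {
	pub, ok := b.pubs[user]
	if !ok {
		return false
	}
	d := sha256.Sum256(tx)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

// CentralStore models the arrangement the post objects to: the issuer keeps every
// user's private key, so whoever controls the store can sign as any user.
type CentralStore struct{ privs map[string]*ecdsa.PrivateKey }

// SignFor signs on a user's behalf with the centrally held private key.
func (c *CentralStore) SignFor(user string, tx []byte) ([]byte, error) {
	priv, ok := c.privs[user]
	if !ok {
		return nil, errors.New("no key held for " + user)
	}
	d := sha256.Sum256(tx)
	return ecdsa.SignASN1(rand.Reader, priv, d[:])
}

// CompareCustody pushes one constructed transaction through both custody models and reports
// which signatures the bank accepted: the holder's own, a stranger's, and the central store's.
func CompareCustody() (holderOK, strangerOK, centralOK bool, err error) {
	tx := []byte("transfer 1000 DKK to account 0000-000000") // constructed sample, not a real account
	alice, err := NewHolder()
	if err != nil {
		return
	}
	bank := &Bank{pubs: map[string]*ecdsa.PublicKey{"alice": alice.Public()}}
	// Local custody: only alice's own machine can produce an acceptable signature ...
	sig, err := alice.Sign(tx)
	if err != nil {
		return
	}
	holderOK = bank.Verify("alice", tx, sig)
	// ... and anyone without her private key (here, an unrelated fresh key) is rejected.
	stranger, err := NewHolder()
	if err != nil {
		return
	}
	strangerSig, err := stranger.Sign(tx)
	if err != nil {
		return
	}
	strangerOK = bank.Verify("alice", tx, strangerSig)
	// Central custody: the issuer also holds alice's private key, so a signature
	// produced at the store is indistinguishable from one alice made herself.
	store := &CentralStore{privs: map[string]*ecdsa.PrivateKey{"alice": alice.priv}}
	storeSig, err := store.SignFor("alice", tx)
	if err != nil {
		return
	}
	centralOK = bank.Verify("alice", tx, storeSig)
	return
}

func main() {
	fmt.Println(CompareCustody()) // prints: true false true <nil>
}
```

The bank cannot tell the store's signature from alice's, which is the whole point: once the private key exists outside the user's control, the relying party's verification no longer proves who authorised the transaction, and the store becomes the single place an attacker needs to reach instead of many individual computers.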
As a result of this, I've written to my bank, Danske Bank, with which I have been very happy so far. Here is a list of the mails exchanged so far. I'm relatively positive about the answer I have received, but I'm not holding my breath.
I encourage you to write to your bank and ask them to what extent they intend to enforce NemID as the sole solution to access your electronic banking. Maybe we can make enough noise to attract the attention of lawmakers and politicians. If we make it their problem, they'll get grumpy and start asking questions of the Danish National IT and Telecom Agency (the regulators, who until now have been suspiciously quiet in this matter), and maybe of PBS/NemID themselves...
From: me
To: Danske Bank

Hi,

I have a question regarding NemID. Is Danske Bank planning to switch over to NemID as well? I have a problem with NemID, in that it does not comply with the legal requirements for Digital Signature, and it will force me away from Danske Bank if you use NemID :(

- - - -

From: Danske Bank
To: me

Hi,

As stated below, Danske Bank and all other financial institutions are planning to move to NemID.

In order for a standardised digital signature to be rolled out in Denmark, the Danish financial institutions have agreed to operate a common security solution for online banking. The solution is called NemID, and it is also accepted by the State as giving access to e.g. Skat, Borgerservice, eTinglysning, etc. An essential prerequisite for the digitalisation of society is thereby fulfilled.

- - - -

From: me
To: Danske Bank

Hi Xxxxx,

The problem is that DanID keeps a copy of the signature -- that is directly contrary to the legal requirements. That is not the case with the current Digital Signature solution, where only the user has a copy of the private key.

http://www.version2.dk/artikel/14483-banker-tvinger-nemid-igennem-til-alle-netbank-brugere

"NemID breaks with the principle behind the current digital signature by storing both the public and the private key for a signature centrally at DanID"

My daily job is designing and implementing security solutions, and here PBS/NemID has committed too serious a violation of security principles. I am unfortunately obliged to inform you that I will start looking for a bank that does not force its customers to use the NemID solution as the only login option for their online banking.

- - - - -

From: Danske Bank
To: me

Hi,

We are looking into the matter and will get back to you as soon as possible.

Kind regards

- - - -
posted at: 14:02