Assessing PKI

34 Published by the ieee ComPuter soCiety ■ 1540-7993/09/$25.00 © 2009 ieee ■ ieee seCurity & PrivaCy A public-key infrastructure is a collection of hardware, software, processes, and people that together provide security services based on public-key cryptography. Many countries, including Norway, Sweden, Denmark, Finland, Estonia, Austria, Belgium, and Canada, have introduced large-scale security frameworks implementing PKIs. In particular, nationwide PKIs can provide strong authentication services, reducing the risk of security breaches compared to frameworks that use, for example, fixed or one-time passwords. However, it’s both difficult and costly to design and implement a large PKI correctly, so there’s a real danger of ending up with a flawed solution. The Norwegian banking industry’s PKI, BankID, primarily authenticates Internet banking customers. Currently, the country’s banking industry is pushing for BankID to become a national ID infrastructure that government agencies and commercial companies would use to authenticate individuals and provide legally binding digital signatures with a high degree of non-repudiation. In previous articles, we analyzed Norwegian Internet banking and automatic teller machine systems. Here, we take on BankID and examine how it differs from a typical PKI based on the X.509 ITU-T standard. We then offer a qualitative risk assessment of its user authentication and discuss the non-repudiation service. Because the Norwegian banking community declined to share technical information about BankID, we could evaluate it only from the outside and were unable to assess important aspects of the system, such as contingency planning and disaster recovery. Our evaluation, which we completed in January 2008, is based on publicly available descriptions of the BankID architecture and design, as well as our personal use of the system.