Weaknesses in BankID, a PKI-Substitute Deployed by Norwegian Banks
Abstract
BankID is a PKI-substitute widely deployed by Norwegian banks to provide digital signatures and identification on the internet. We have performed a reverse-engineering of part of the BankID system and analysed the security protocols and the implementation of certain cryptographic primitives. We have found cryptographic weaknesses that may indicate security problems, protocol flaws facilitating man-in-the-middle attacks, and implementation errors facilitating strong insider attacks. We also note that the system suffers from severe privacy problems.
Similar resources
Assessing PKI
Published by the IEEE Computer Society, 1540-7993/09/$25.00 © 2009 IEEE, IEEE Security & Privacy. A public-key infrastructure is a collection of hardware, software, processes, and people that together provide security services based on public-key cryptography. Many countries, including Norway, Sweden, Denmark, Finland, Estonia, Austria, Belgium, and Canada, have introduced large-scale secur...
Achieving Payoffs from an Industry Cloud Ecosystem at BankID
This article describes a successful cloud community—BankID—established in Norway, with the cloud infrastructure shared and owned by the Norwegian banking industry. The set of capabilities running on the BankID industry cloud enables electronic identification (eID), authentication and electronic signing (e-signing). Using these capabilities, the Norwegian banks have generated significant busine...
Robbing Banks with Their Own Software-an Exploit Against Norwegian Online Banks
The banking industry in Norway has developed a new security infrastructure for conducting commerce on the Internet. The initiative, called BankID, aims to become a national ID infrastructure supporting services such as authentication and digital signatures for the entire Norwegian population. This paper describes a man-in-the-middle vulnerability in online banking applications using BankID. An ...
Assessing and Mitigating Risks in Computer Systems
The authors assess risks associated with the authentication service and discuss the non-repudiation service of BankID, a security infrastructure owned by the Norwegian banks.
Next Generation Internet Banking in Norway
The Norwegian banking industry has introduced a new security infrastructure for web applications, including Internet banking. The infrastructure, called BankID, has the potential to increase the security of today’s web applications and facilitate new business opportunities. The authors consider BankID from the customers’ point of view, analyze the risk the customers take when using BankID, and ...