Tuesday, September 18th, 2018

Obscurity in the Swedish BankID

The Swedish BankID is a digital authentication and signature framework. As mentioned in a previous post it has been a huge success.

So why complain? I do complain because, as BankID has become ubiquitous in all kinds of Swedish internet services, it has set a dubious standard. BankID contains elements of security by obscurity that abuse the rights of the general public. The obscurity is not limited to technicalities. It also involves legally questionable practices that have become de facto standard.

Security by obscurity is a term used in computing. It refers to the idea that security can be attained by hiding part of a mechanism. However, the well-established state of the art in computer security is that a security mechanism should depend only on the strength of its encryption and the secrecy of the key. Knowing all the details of a security mechanism should not help an attacker; only possessing the encryption key should.

Now, BankID was originally targeted at banks. Finansiell ID-Teknik, the company behind BankID, really cannot be blamed for the landslide popularity of BankID in the public sector and elsewhere. There was a void waiting to be filled. A commercial entity is entitled to protect its trade secrets. Even so, it might shoot itself in the foot by departing from the state of the art.

BankID relies on a generally accepted encryption method called public-key cryptography. This method involves two encryption keys. One is private and is never shared. The other is public (hence the name) and should be openly distributed. The scheme solves the problem of communicating encryption keys between senders and receivers of encrypted messages. The more widely the public key is distributed, the more difficult it is to promulgate fake keys and forged signatures. Publicity equals security in this case.

Public-key encryption drives the Internet. Most people never notice, but every web browser comes with hundreds of public keys. This means that those public keys have been distributed to billions of computers and smartphones all over the earth. Billions of people rely on public-key encryption to determine whether the web site they interact with is the one they expect and not a fake. It’s kind of crucial to be assured that what appears on your screen is really your bank and not a mock-up, set up just to collect private information.

BankID uses a public-key method, but the key that should be public is hidden. Only licensees are given access to it. Deviating from the public-key scheme in this way introduces a weakness. Third parties are prevented from determining whether a BankID digital signature is valid. Only licensees can validate a BankID signature. This is unwanted obscurity. It helps fake signatures go undetected. Publicity equals security, remember.

A different question arises: who owns a signature? In the age of ink and paper, signatures were made twice. There were two originals of the agreement that was signed (assuming there were two parties involved). The purpose was assurance. Neither party would be able to modify the agreement. So each party owned an original signature of all the other parties and their own.

In the digital age the distinction between original and copy is gone. The signature itself is a small data package laid out according to international standards. Why are digital signatures standardised? The answer is a fundamental insistence on transparency. A signature should not be obscure. It must be possible for a third party to challenge and validate a signature. Otherwise there is no way to arbitrate between the parties if a disagreement arises. That is why we invented signatures in the first place.

However, as mentioned above, a signature cannot be validated if the key that should be public is hidden.
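To make the argument of the preceding paragraphs concrete, here is an added example that is not part of the original post and has nothing to do with BankID's actual format or keys. It models a signature as a small, self-contained package (document hash plus signature) that a service could hand to its client, and shows that a third party such as a lawyer can validate it with nothing but the signer's public key: the original text validates, an altered text or a different signer's key does not, and without the public key no validation is possible at all. The Ed25519 scheme, the `SignaturePackage` layout and the sample agreement text are all constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// SignaturePackage is a constructed, simplified signature container: the hash of
// the exact bytes that were signed plus the signature over that hash. Standard
// containers (CMS/CAdES, XAdES) carry more metadata, but the verification logic
// a third party needs is the same.
type SignaturePackage struct {
	DocumentHash []byte // SHA-256 of the signed document
	Signature    []byte // Ed25519 signature over DocumentHash
}

// GenerateSignerKeys creates a fresh key pair. The private half stays with the
// signer; the public half is what should be openly distributed.
func GenerateSignerKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // the OS random source failing is unrecoverable here
	}
	return pub, priv
}

// Sign is run by the signer alone; the private key never leaves this function.
func Sign(priv ed25519.PrivateKey, document []byte) SignaturePackage {
	h := sha256.Sum256(document)
	return SignaturePackage{DocumentHash: h[:], Signature: ed25519.Sign(priv, h[:])}
}

// Verify is what any third party can run, provided it holds the signer's public
// key. No secret is involved: the document, the package and the public key are
// enough to decide whether this key really signed exactly these bytes.
func Verify(pub ed25519.PublicKey, document []byte, pkg SignaturePackage) bool {
	if len(pub) != ed25519.PublicKeySize {
		return false // no usable public key: validation is simply impossible
	}
	h := sha256.Sum256(document)
	if !bytes.Equal(h[:], pkg.DocumentHash) {
		return false // the document was altered after signing
	}
	return ed25519.Verify(pub, h[:], pkg.Signature)
}

// EncodePackage turns the package into a string a client can archive and later
// hand to a lawyer; DecodePackage reverses it. Hex with a dot separator is a
// constructed convenience format, not a standard.
func EncodePackage(pkg SignaturePackage) string {
	return hex.EncodeToString(pkg.DocumentHash) + "." + hex.EncodeToString(pkg.Signature)
}

func DecodePackage(s string) (SignaturePackage, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 2 {
		return SignaturePackage{}, errors.New("malformed signature package")
	}
	h, err := hex.DecodeString(parts[0])
	if err != nil {
		return SignaturePackage{}, err
	}
	sig, err := hex.DecodeString(parts[1])
	if err != nil {
		return SignaturePackage{}, err
	}
	return SignaturePackage{DocumentHash: h, Signature: sig}, nil
}

func main() {
	pub, priv := GenerateSignerKeys()
	// Constructed sample agreement; the amount is the kind of detail a forger would change.
	agreement := []byte("Loan agreement (constructed sample): borrower repays 1000 units.")
	pkg := Sign(priv, agreement)

	copyForClient := EncodePackage(pkg) // what a service should hand to its client
	fmt.Println("signature package:", copyForClient)

	restored, _ := DecodePackage(copyForClient)
	altered := []byte("Loan agreement (constructed sample): borrower repays 100000 units.")
	otherPub, _ := GenerateSignerKeys()
	fmt.Println("third party with public key, original text:", Verify(pub, agreement, restored))
	fmt.Println("third party with public key, altered text:  ", Verify(pub, altered, restored))
	fmt.Println("third party with someone else's key:        ", Verify(otherPub, agreement, restored))
	fmt.Println("third party without any public key:         ", Verify(nil, agreement, restored))
}
```

The `Verify` function is the whole point: it takes no secret input, so anyone who has been given the public key can arbitrate a dispute over what was signed, and anyone who has not cannot, regardless of how strong the underlying cryptography is.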

It does not stop there. I know of no service using BankID that gives users access to their own signatures. This is not a technical issue; it is just a bad habit that has become entrenched with time. I have asked several services to send me the signature of a transaction I made. Their helpdesks simply do not understand the question, try as they may. Letting a client have a copy of their own digital signature is absolutely unheard of.

Unfortunately, even if I got access to a signature I would not be able to validate it because I am not a BankID licensee.

The result is that you are totally defenseless if a bank, the Swedish Tax Agency or a Swedish county tells you they have an agreement digitally signed by you that means you owe it 100.000 Euros. Since copies of digital signatures are never handed out, you don’t have one in the first place. And if you had, neither you nor your lawyer would be able to validate the signature, that is, find out whether you really did sign it.

I am waiting for the legal community to wake up to these realities. The methods for creating digital signatures are indeed reliable and hold in court since the Electronic Signatures Directive 1999. The problem is that widespread bad habits are allowed to obfuscate the purpose of digital signatures to the disadvantage of the general public.

Note 1: Technical details have been omitted in this post to make it readable to a wide audience. Principles and conclusions still hold.

Note 2: The Swedish BankID is different from the Norwegian counterpart with the same name that was broken in 2007.
