NemID in Denmark

Denmark have introduced a new so called digital signature, NemID to be used by citizens communicating with government institutions, banks, and the system is also being sold to private enterprises and organizations.

It is not actually a signature because the private keys are stored not by owners of the certificates but by a company called DanID owned by Nets (Danish and Norwegian banks). Nets store the keys in hardware security modules (HSM)

Users access their certificates using a signed Java applet. There are plugins to email plugins that allow users to encrypt and sign messages. Presumably they obtain session keys from DanID.

The Danish law "Lov om elektroniske signaturer" implements the Electronic signatures directive. The old signature did not fulfill the requirements in the law because it was not a qualified signature. The official position has been that the national signature is not regulated by the Danish law on digital signatures as long as they do not refer to it as a using qualified certificates. And that the directive is old and unsuccessful anyways, After the introduction of NemID by DanID they have restated that position. What they do not say is that NemID not only is no better than the old signature, it is a step backwards because now we do not even have an advanced signature. That does not stop DanID from marketing Medarbejdersignatur Avanceret (Employee signature Advanced) where all the company's signatures are centrally located at DanID.

The government have mentioned that NemID could be upgraded to fulfill the requirement in the law. DanID also have announced plans to sell a hardware token, that will store and generate keys. So they will probably sometime offer an expensive device that we have to trust generating our private keys and then claim that the NemID is now an advanced signature solution. The new token will not work with internet banks.

Are the private keys secure?

No, they are not private. DanID claims that they store private key on HSM so they cannot access the keys themselves. In the Danish parliament MP asked about backup-procedure. The minister replied (IT-Pol translation)

It cannot be ruled out that, by circumventing all practical, technical and procedural safeguards that DanID via certificate policies and DanID's certification policies are subject to, DanID will be able to create a pure software clone/backup of the server with the users private crypto keys. However that would require multiple independent trusted persons at DanID acting in violation of terms of the certificate policy and it would be a clear breach of the obligations and requirements that govern DanID.

And how do we even know that all private keys go into HSM in the first place?

The Dangers of signed Java code

IT-Pol have criticized both the idea of having banks storing personal keys and the implementation where state/bank applets have full access to users computers (or at least user accounts).

The DanID applet is signed. The reason for this according to DanID is that it need to do logging and caching on the local harddisk and to make TCP-connection to other servers than the webserver it was downloaded from. A signed Java applet by default is not limited to a sandbox in the browser. It can do everything the user that started the browser can do. (according to the Oracle documentation it should be possible to configure the java browser plugins to limit the priviledges of java applets to e.g. only accessing one folder in the filesystem but that is very complicated to do and because it is not known what the applet actually do). It can read files, write files, execute programs, record from microphones and webcams, etc.

To demonstrate what signed Java applets can do, IT-Pol produced applets that snoop in the local filesystem and download programs from the internes and executes them on the client PC

Man In the Middle Attacks

In September 2011 eight Nordea customers were defrauded in Man-In-The-Middle acctacks made possible by phishing-emails using links to fake NemID webpages. DanID pointed out that users should know better that to follow links in emails. A few weeks later SKAT (Danish Tax Authorities started to do mass-email with links to NemID webpages) Version2 created created a fake page using NemID, and made a video of a MITM using on NemID Because NemID applets are embedded in the webpages they give access to (opposed to e.g. PayPal where stores redirect to paypal.com) it is very easy to make MITM attacks.

Binary code hidden in GIF-files

In November 2011 the java applet was caught by McAfee anti-virus. Online magazine v2.dk investigated. It turned out that the java applet contains files named 'error.gif', 'large.gif', 'logo2.gif' and 'pause.gif'. But they are not GIF-files or images at all. They are binary code for Microsoft Windows, Linux, mac. It seems this code is executed via JNI from the applet and is used to:

  • monitor resolution
  • browser
  • Operating System

and

  • collect unique identification of the PC (check-sum fingerprint)
  • log with time-stamps for access to a given web-page (is is just as unclear in danish)
  • IP-address
  • Information about service providers if that option is selected (This must be web-sites that use DanID for authorization or signing. I.e.,. DanID knows what dating-sites you visit).
  • These informations are not correlated to the personal information (according to DanID)

This informations is collected for technical purposed to improve the service and for security. In the previous version 1.1 of the policy the argument was to investigate abuse or attempted abuse of the system.

This is mentioned in the DanID privacy policy https://www.nets-danid.dk/om_nets_danid/privatlivspolitik/index_12.html Which until now did not get much attention.

It was known that this was possible since IT-POL brought attention to it in the summer of 2010. But this sneaky way of running binary code on our computers does make us even more suspicious.

For example, it would be frightfully easy to make a Danish bundes-trojaner. Or rather to take advantage of the trojaner, that is already in place.

Also we are wondering if these kinds of hidden and obfuscated collections of information are really necessary in relation to the privacy laws.

McAfee updated their software to ignore the GIF-files but is advising DanID to do it in another way.

DanID argue that There is nothing wrong about security by obscurity and have refused to reveil how the checksum calculation is implemented

DanID have offered to let serious organizations inspect their source code and specifically offered to let IT-Pol review the code. IT-Pol declined the offer because there were strings attached (not sharing the code and maybe findings, although we did not see any terms in writing) and because it would be pointless to review the source code and having no way of ensuring that the code was beeing used in every java applet used by citizens. And of course, we would also have to check the entire tool-chain.

PET-trojans?

The Danish Security and Intelligence Service (PET) make a report to parliament, September 2010 on the experience from 2002 to 2006 with anti-terror legislation. PET informs that they in many cases used what they call data-reading which includes installing software keyloggers on computers.

There is no evidence that PET have used NemID applets (and it would not be in the report as NemID was introduced after 2006). But a special NemID applet served only to suspects would be a very efficient way of accessing data on the computers of suspects.

Privacy Implications

Apart from security breeches and lack of trust in DanID to manage the private keys the business model of DanID raise questions. DanID was expensive by Danish standards (more than € 100 million). DanID was commissioned by the Danish government but is developed and serviced by Nets. It is mostly used by banks for their internet banking, replacing their previous solutions and a few public services, e.g. SKAT (tax). The banks covers a substantial cost of DanID.

If that was all NemID was used for, there would be few implications for privacy. Danes do not have any privacy with banks, tax authories, health care, etc.

But DanID is marketing NemID to private businesses. E.g., to pension funds, trade unions (the Christian union already use NemID) to handle communication with their memberships. Blogs, chat-sites and datingsites can use NemID to e.g., verify the age and sex of its users.

State signature pushed under threat of censorship

From 2011 Denmark can block Internet access to international gambling sites that do not cooperate with the Danish authorities. I.e., to not be censored they must pay Tax to Denmark. As of January 1., 2012 there is a new requirement. All Danish customers on gambling sites must sign on using a digital signature according to criteria that only permit NemID unless the connection is made from a mobile phone. The gambling site will get the CPR numbers (SSIDs) of their custumers.

Mandatory Digital Mail with NemID, etc

The new Danish government have made a proposal on Public Digital Mail that makes it mandatory for companies and citizens to join this digital mail. This digital mail will be run by the Company E-Boks A/S that have a similar service that can only be used with NemID.

It will also be required to use NemID to apply for admission to universities.