Weaknesses in BankID, a PKI-Substitute Deployed by Norwegian Banks

  • Authors: Kristian Gjøsteen
  • Affiliations: Department of Mathematical Sciences, Norwegian University of Science and Technology
  • Venue: EuroPKI '08 Proceedings of the 5th European PKI workshop on Public Key Infrastructure: Theory and Practice
  • Year: 2008

Abstract

BankID is a PKI-substitute widely deployed by Norwegian banks to provide digital signatures and identification on the internet. We have performed a reverse-engineering of part of the BankID system and analysed the security protocols and the implementation of certain cryptographic primitives. We have found cryptographic weaknesses that may indicate security problems, protocol flaws facilitating man-in-the-middle attacks, and implementation errors facilitating strong insider attacks. We also note that the system suffers from severe privacy problems.