Researchers find hole in EU-wide identity system

A flaw in a cross-border EU electronic identity system could have allowed anyone to impersonate someone else, a security consulting company has warned.

SEC Consult issued an advisory warning people of the flaw this week. It demonstrated the problem in the electronic identification, authentication and trust services (eIDAS) system by authenticating as 16th-century German writer, Johann Wolfgang von Goethe.

eIDAS came about because of a 2014 EU regulation that laid out the rules for electronic identification in Europe. The regulation, which came into effect in 2016, made it compulsory for EU countries to identify each other’s electronic IDs by the middle of last year. It covered a range of identification assets like electronic signatures and website authentication.

The problem is that there’s a flaw in the software used to manage this cross-border identification process, known as eIDAS-Node. Each country has to run a copy of this software to connect its own national identity management systems to others in the EU, creating a cross-border ID gateway. Using this gateway, citizens in the UK, say, could identify themselves to use electronic services in Germany, such as enrolling in a university or opening a bank account.

Like many federated identity systems, eIDAS uses the Security Assertion Markup Language (SAML). It’s an XML-based protocol from the nonprofit Organization for the Advancement of Structured Information Standards (OASIS). It lets users prove their identities across multiple service providers using a single login. Version 2, launched in 2005, includes support for features like encryption and the exchange of privacy information such as consent. It’s powerful but complex.

The flaw lay in the integration software that the EU provides for coupling eIDAS nodes together. Its SAML parsing allowed an attacker to avoid the signature verification process, meaning that they could tamper with a SAML message to impersonate anyone.

When an eIDAS node provides a service to someone in another country, it asks that country’s eIDAS node to send an authentication message. It must check that the message is signed by a trusted node to avoid imposters and it does this by looking for a digital certificate.

To do this, it first checks its local collection of trusted certificates, known as a trust store. If it can’t find the certificate there, it looks for other (supplemental) certificates in the SAML message.

The problem is that when the software looks for those other certificates, it only checks to see if the distinguished name (DN) of the authority that issued the certificate matches the DN of the other eIDAS system. The software misses an important step by not checking to see if the issuer’s certificate actually signed the other eIDAS system’s certificate. SEC Consult also said:

Moreover, other checks, such as whether the basic constraints of the issuer certificate allow it to act as a certificate issuer are not verified.

Luckily, the EU fixed the problem after SEC Consult contacted the relevant authorities on 4 July this year. It updated the software and released it for general download on Wednesday 28 October.

Exploiting the vulnerability would have required an attacker to have control of the eIDAS node or impersonate one, and the researchers point out that another study of eIDAS security last year didn’t pick up the bug. That makes it highly possible that it was only recently introduced, they concluded.