
Forging votes: how to get the public keys?

Posted Nov 15, 2017 14:41 UTC (Wed) by arnout (subscriber, #94240)
Parent article: ROCA: Return Of the Coppersmith Attack

There is something I don't understand about the example of rigging votes in Estonia. As far as I understand, in order to be able to get a private key, you still first need to get the certificate from the eID card that contains the public key. How do you get these? I can't imagine that they are just available for everyone. So forging 30,000 votes would require first getting access to 30,000 eID cards, no?

It is of course not impossible to do this. E.g. you could set up a honeypot shop that gives a reduction when you log in with eID. But I feel that acquiring the eID certificate will easily reach the cost of €80,000 for breaking the private key.



Forging votes: how to get the public keys?

Posted Nov 15, 2017 17:00 UTC (Wed) by dottedmag (subscriber, #18590) (5 responses)

They had an open public key registry until recently when they had to shut it down due to this attack.

Can't find the relevant links right now.

Forging votes: how to get the public keys?

Posted Nov 16, 2017 23:50 UTC (Thu) by giraffedata (guest, #1954) (4 responses)

What good is eID if the public keys are not publicly available in a registry that associates each public key with a meaningful identity?

Forging votes: how to get the public keys?

Posted Nov 18, 2017 21:19 UTC (Sat) by JanC_ (guest, #34940) (3 responses)

All relevant information is in the certificate, which is signed by a government CA?

Forging votes: how to get the public keys?

Posted Nov 19, 2017 18:53 UTC (Sun) by jem (subscriber, #24231) (2 responses)

"Public keys" and "certificates" are essentially the same for this discussion. The certificate contains the public key together with personal information linking the public key with the identity of the key holder.

I guess the question boils down to: If every transaction involving a signature performed with a private key also conveys the corresponding certificate, what is the public registry containing the certificates of the whole population of a nation needed for?

If you have all the CA certificates up to a trust point, then you can verify that the certificate is valid and belongs to the subject. The registry does not provide any additional information.

Forging votes: how to get the public keys?

Posted Nov 20, 2017 17:17 UTC (Mon) by ScottMinster (subscriber, #67541) (1 responses)

If I want to encrypt something to send to you, I might not yet have your public key (maybe we haven't met, or I otherwise don't have a copy of your public key). A public database is useful for that scenario.

Forging votes: how to get the public keys?

Posted Nov 20, 2017 20:04 UTC (Mon) by jem (subscriber, #24231)

Fair enough, even if this is not the main use for electronic ID cards.

