Researchers find hole in EU-wide identity system – Naked Security


A flaw in a cross-border EU electronic identity system could have allowed anyone to impersonate someone else, a security consulting company has warned.

SEC Consult issued an advisory warning people of the flaw this week. It demonstrated the problem in the electronic identification, authentication and trust services (eIDAS) system by authenticating as 16th-century German writer, Johann Wolfgang von Goethe.

eIDAS came about because of a 2014 EU regulation that laid out the rules for electronic identification in Europe. The regulation, which came into effect in 2016, made it compulsory for EU countries to identify each other’s electronic IDs by the middle of last year. It covered a range of identification assets like electronic signatures and website authentication.

The problem is that there’s a flaw in the software used to manage this cross-border identification process, known as eIDAS-Node. Each country has to run a copy of this software to connect its own national identity management systems to others in the EU, creating a cross-border ID gateway. Using this gateway, citizens in the UK, say, could identify themselves to use electronic services in Germany, such as enrolling in a university or opening a bank account.

Like many federated identity systems, eIDAS uses the Security Assertion Markup Language (SAML). It’s an XML-based protocol from the nonprofit Organization for the Advancement of Structured Information Standards (OASIS). It lets users prove their identities across multiple service providers using a single login. Version 2, launched in 2005, includes support for features like encryption and the exchange of privacy information such as consent. It’s powerful but complex.