Becoming an e-Estonian

Yesterday I picked up my Digital Identity card (ID card) for my Estonian e-residency. WTF you might say? Let me explain!

Estonia has a long history of eGovernment and being a digital society, it is said to have one of the most sophisticated technology when it comes to digital identities and the legally binding signing of personal and administrative documents. The small, Eastern-european country, which suffered from but survived a cyber attack in 2007, is now exporting it’s expertise in digital identity and eGovernment.

And that is what Estonian e-residency is all about: Providing digital identities and ID cards, very much like the ones Estonian residents get, to citizens of other countries. This enables every ID card holder to use services provided by state agencies and the private sector in Estonia. Running an EU-based company from abroad, without ever having to appear in a bank or at a local office, has never been easier. E-residency is a success story expanding, it is basically the German Neuer Personalausweis done right.

Enough for the intro, let’s have a closer look into the process of getting the ID card. I joined the beta program in 2014 and was waiting since then for the corresponding laws to be passed by the Estonian parliament. Once that was done, I was invited to apply for E-residency. At that point I would have been required to pick up my ID card in Tallinn, which is quite a journey from Munich for just receiving a piece of plastic with an embedded certificate. Fortunately, the people behind e-residency were more interested in handing out ID cards than to support short-trip tourism to Tallinn. Today you can apply for e-residency and pick up your ID card at your local Estonian embassy, given you pass the mandatory security background check that the Estonian police and border control will conduct. As you can see, I passed it :)

Picking up the ID card was a straightforward process. I called the embassy last week when I heard about my ID card being ready for collection, made an appointment and then travelled to Berlin. I rang the bell and entered the public area of the embassy. Hint: The consulate office is downstairs, hidden behind more prominent stairs going upward. Yes, it is confusing. Once there, I had to show my passport, sign (by hand, not digitally) the reading and understanding of a document explaining how the ID card works and finally provide my index finger prints. The latter part is a bit tricky, as the reader is not the best. But the embassy staff was friendly and trained to help me through the process. That’s all you have to do, next step is to receive a blue box containing the ID card.

e-residency box closed

After I left the embassy I sat down in a nice cafe and began to examine the box. It contains the ID card, an USB card reader, a copy of the document I signed at the embassy and a sealed envelop with PIN and PUK codes.

e-residency box contents

Distribution of ID cards across Europe and the rest of the world seems to be a manual process. On the PIN and PUK envelope someone wrote “BERLIN” by hand. That could be automated I think, because in the application form you already provide the pickup location digitally.

e-residency envelope berlin

Using the ID card is quite easy. I had to plug the card reader into a free USB slot, install the driver software and then decide what additional software I would like to install. I chose the ID card plugin for Firefox, so I can use the ID card on Estonian websites. Furthermore, I installed the official ID card application from the OS X AppStore.

e-residency card reader

When I first tried to load the photo from the ID card, which is only available after you enter the PIN, I ran into a problem. (Side note: Interesting fact that the photo is protected by PIN, while in Germany we have unprotected photos everywhere, from personal ID to employee passes and train bonus cards.)

e-residency error certificate

My first thought was, that I may have received a broken ID card. A few minutes later, however, I got the following email:


Certificates for e-Resident Digi-ID XXXXXXX have been activated and the document is ready for digital use.

Welcome to e-Estonia!

Sincerely, Police and Border Guard Board

I may have been too impatient :) After the activation, which is claimed to take an hour max, I was able to access my certificate. The encryption looks strong enough to me, the algorithms used are fine for digital signing and also the expiration date (2018) is a reasonable choice.

e-residency certificate

Now I am an e-Estonian. Feels strange :)

Securing Dovecot and Postfix (Logjam Attack)

This week’s attack on TLS, called Logjam, did not come with a logo, to everyones surprise. I missed the good old attacks that don’t require artwork to grab attention :)

In short, the attack pre-calculates parts of the discrete logarithm for the 512-bit variant. After that, a MITM would use a downgrade attack to force client and server to use old export-grade cryptography. According to the statistics of the Logjam authors, between 8.4 and 14.8 percent of all legacy IP mail servers are vulnerable to the Logjam attack. Time for us to check our configs, right?

I use 2048 bit DH parameters and let dovecot regenerate them every three days (72 hours). The corresponding part of my dovecot.conf looks similar to this:

# ssl
disable_plaintext_auth = yes
ssl = required
ssl_cert =< /etc/my-server-crt.crt
ssl_key =< /etc/my-server-key.key
ssl_cipher_list = HIGH
ssl_dh_parameters_length = 2048
ssl_parameters_regenerate = 72hours

For postfix the configuration looks a bit confusing, because the config option is named smtpd_tls_dh1024_param_file, but it handles 2048 bit DH parameters just fine. I also suggest using tls_preempt_cipherlist to make sure the server selects the cipher. That requires SSLv3 or higher, but from my point of view there is no reason to use anything below TLSv1 anyway. Please make sure you set the ciphers correctly, e.g. as advised by the Logjam attack authors.

An excerpt from my postfix

smtpd_tls_protocols = TLSv1
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
tls_preempt_cipherlist = yes

ICMPv6 Captive Portal URI Option

Ever wondered how your wifi-capable device knows whether or not you are behind a captive portal? Well, depending on the implementation it is a ugly business, that involves DNS requests and fetching text files from well-known locations. This is an ugly solution to an even uglier problem.

But there is hope! The (currently experimental) captive portal URI option as proposed in draft-wkumari-dhc-capport-12 might make things go smoother, as the information about an active captive portal is advertised in the IPv6 Router Advertisement.

If you like to start fiddling around with that option, wait no longer! I put together a ratools module called cpuri which stands for captive portal uniform resource identifier. Until IANA assigns an official option number, it will use the experimental option number 253.

The following demo uses the next branch of ratools. Make sure you install the latest version before starting your own experiments!

First we create a new RA on interface enp0s3

# ractl ra@enp0s3 create

Then we add a cpuri option. Until we have a final RFC, I will allow having multiple cpuri options in a single RA, although it makes only little sense.

# ractl cpuri0@enp0s3 create

Finally we set the captive portal URI.

# ractl cpuri0@enp0s3 set uri

Let’s have a look at our masterpiece:

# ractl show
Router Advertisement `ra@enp0s3':
  State:                  Disabled
  Created:                2015-03-24 21:54:54
  Updated:                2015-03-24 21:55:03
  Version:                0/9             (Compilation scheduled)
  Interface ID:           2               (enp0s3)
  Interface State:        1               (Up)
  Interface MTU:          1500
  Hardware Address:       08:00:27:64:14:c0
  Link-local Address:     ::
  Maximum Interval:       600             (0d 0h 10m 0s)
  Minimum Interval:       198             (0d 0h 3m 18s)
  Solicited/Unsolicited:  0/0
  Unicast/Multicast:      0/0
  Total RAs:              0               (0 Bytes)
  Current Hop Limit:      64
  Managed Flag:           0               (No Managed Address Configuration)
  Other Managed Flag:     0               (No Other Managed Configuration)
  Home Agent Flag:        0               (No Mobile IPv6 Home Agent)
  Router Preference:      00              (Medium)
  NDP Proxy Flag:         0               (No NDP Proxy)
  Lifetime:               1800            (0h 30m 0s)
  Reachable Time:         0               (0h 0m 0s 0ms)
  Retransmission Timer:   0               (0h 0m 0s 0ms)
  Captive Portal URI Option `cpuri0@enp0s3':
    State:                Disabled

Looks good! We give it a shot!

# ractl cpuri0@enp0s3 enable
# ractl ra@enp0s3 enable

Proof of concept is provided by wireshark: