X-Road Security Architecture. Source: https://x-road.global/security
The Information System produces or consumes services via X-Road and is owned by an X-Road member. X-Road supports both REST and SOAP as communication methods, however X-Road does not provide automatic conversions between different types of messages and services. The Information System is capable of discovering registered X-Road members and their available services by using the X-Road metadata protocol.
All messages sent via X-Road are time-stamped and logged by the Security Server. The purpose of the time-stamping is to certify the existence of data items at a certain point in time. The Time-Stamping Authority (TSA) provides a time-stamping service that the Security Server uses for time-stamping all the incoming/outgoing requests/responses. Only trusted TSAs that are defined in the Central Server can be used.
The certification authority (CA) issues certificates to Security Servers (authentication certificates) and X-Road member organizations (signing certificates). Authentication certificates are used for securing the connection between two Security Servers. Signing certificates are used for digitally signing messages sent by X-Road members. Only certificates issued by trusted certification authorities defined in the Central Server can be used.
From X-Road’s publicly available documentation we can get a grasp of the encryption algorithms used within the different components of the platform. All the protocols mentioned in the documentation are widely used and well documented. This is a good indicator regarding access control, but it does not mean the system is flawless.
Proof of this is the fact that Estonia’s e-ID had fundamental implementation failures when in 2011 the government distributed 120,000 faulty ID cards that were found to have programming errors allowing the card to be used by whoever was physically holding it without the need of knowing the respective PIN code.
More worrying, and not limited to 120,000 faulty cards affected, is a core design feature regarding the way private encryption keys were generated and handled. The ID card’s private encryption key used to authenticate digital signatures should be generated inside the card chip to ensure only that card knows it – a good example of privacy by design. Instead, keys were generated in a server operated by the card manufacturer and copied to the card over the internet.
Another software bug was reported in which the same private key was copied to several different ID-cards, allowing cardholders that were assigned non-unique private keys to use one another’s identity.
These above bugs’ origins have been tracked down to Gemalto, the contractor tasked with manufacturing and maintaining functionality within Estonia’s ID cards. This resulted in Gemalto being ordered to pay €2.2 million compensation to the Police and Border Guard Board. Since 2019 another company called Oberthur Technologies has taken over the manufacturing and maintenance of Estonia’s ID cards .
Very little is publicly available about the deduplication undertaken in e-Estonia, except that the processes of verification and deduplication during identification are overseen by the Police and Border Guard Board (PBGB), according to the Identity Documents Act. Where the applicant for the digital ID has not previously been issued any ID under the Act, it is the PBGB that conducts the process of verification/deduplication. The Identity Documents Act also allows the Authority, who collects the personal data, to transfer it to third parties for the “identification and verification of facts relevant to the issue” and for the “issue and revocation of an identity document.”
The use of biometrics when registering is optional, but there are talks of turning to fingerprints for authentication when using ID cards instead of PIN codes.
Principles of Engagement
Estonia’s e-governance principles were published as follows:
- Decentralisation – There’s no central database and every stakeholder, whether a government department, ministry, or business, gets to choose its own system.
- Interconnectivity – All system elements exchange data securely and work smoothly together.
- Integrity – All data exchanges, M2M communications, data at rest, and log files are independent and fully accountable .
- Open platform – Any institution may use the infrastructure and it works as an open source.
- No legacy – Continuous legal change and organic improvement of the technology and law.
- Once-only – Data is collected only once by an institution, eliminating duplicated data and bureaucracy.
- Transparency – Citizens have the right to see their personal information and check how it is used by the government via log files.
The story of the Nordic Institute for Interoperability Solutions (NIIS) is one of two European countries that throughout history joint forces to collaborate and face challenges together. In 2013, the challenge to overcome was data sharing in and between national governments. Estonia and Finland decided to find mutually beneficial solutions together. The framework for the collaboration was set up in 2017 and called the Nordic Institute for Interoperability Solutions, using X-Road as its underlying technology. Iceland joined NIIS on 1st June 2021 and became the third member government in the international consortium after initial founders Estonia and Finland.
NIIS partners are countries which implemented X-Road and have signed a partnership agreement with the NIIS aiming to deepen their cooperation, meaning they can one day may become members.
The remaining countries where X-Road is implemented have deployed the technology while not being tied to NIIS.