All case studies
Identity

ROCA incident response

When a global chip flaw forced other countries to reissue millions of cards in person, we fixed Estonia's affected cards remotely.

94%of active ID-cards updated

At a glance

  • Sector: National eID
  • Our role: We designed and built the EstEID update mechanism behind the response
  • Timeframe: Groundwork built 2015–2016; re-engineered for ROCA at national scale in 2017

Challenge

Estonia's ID-card is the backbone of the country's digital life — the foundation for legally binding digital signatures, authentication and access to state services. In 2017, researchers disclosed ROCA: a flaw in the Infineon chips used in secure ID documents worldwide, which made it computationally feasible to derive a card's private key from its public key. It forced eID programmes across Europe to act. In Estonia, roughly 800,000 cards were affected, and the obvious route — recalling and physically reissuing them, as most countries did — would have disrupted a system that millions of people and institutions depend on every day.

Approach

Recalling ~800,000 cards was off the table — the fix had to reach citizens wherever they were. RaulWalter had pioneered remote ID-card updating in 2015–2016, so the groundwork existed: a way to renew certificates, and where needed replace the on-card application, remotely through the ID-card utility.

But ROCA was a far harder problem than anything that groundwork had faced. The cards' cryptographic keys themselves were unsafe — so re-issuing certificates was not enough; new keys had to be generated on every affected card and the cards moved to elliptic-curve cryptography, away from the broken RSA keys, securely and remotely. We re-engineered the mechanism for that reality and for a scale it had never run at: a modified card applet, several update channels, and fallback-and-resume points so an interrupted update could safely recover. Working alongside RIA and the national certification provider, we took it from groundwork to a national-scale crisis response in weeks.

Outcome

Estonia became the only affected country able to resolve ROCA remotely — without a mass physical reissue.

  • Estonia was the only nation to offer a remote fix at all; elsewhere meant new cards or office visits — Spain revoked 17 million cards, Slovakia issued new ones, Austria revoked everything
  • 354,000 cards were updated remotely, and 94% of actively-used ID-cards were updated in all
  • Trust held: weeks later a record share of voters cast their ballots online, and annual digital-signature volume rose from 6 to 10 million year-on-year
  • The lasting legacy was strategic: the crisis accelerated Estonia's shift to alternative tokens — Mobile-ID adoption surged, and it helped pave the way for Smart-ID — with the ID-card as the root of trust that newer tokens extend
Next case study

Development & certification of a digital-tachograph infrastructure

Built and certified a digital-tachograph trust infrastructure against European requirements.

View