Monday, November 17, 2014

IdCAT: an insecure digital certificate for foreigner in living Catalunya

More and more government services in Spain ask for a electronic DNI in order to authenticate access to services or sign documents. As a foreigner, you obviously don’t have a DNI, and even the residency cards don’t have chips.

Luckily the Catalans have a solution for this called idCAT. It not only works for Catalan stuff, but also with Agencia Tributaria and Seguridad Social.

I tried getting one today and it was actually quite easy:

  1. Go to and fill in the requested information (sol·licitud)
  2. Don’t be surprised if you don’t get a receipt or anything, the information is in there somewhere.
  3. Go to one of the municipal government offices listed with together with your passport/ID and NIE certificate.
  4. You give them a four digit PIN
  5. They will print out a piece of paper
  6. Go home and use the information on paper to download the certificate onto your computer

What no smartcard? If you are worried about security at this point, you should be. By default the private key for your certificate gets installed on your computer without any protection whatsoever. Anyone can copy this key off your computer and use it to impersonate you without you even knowing.

Allegedly you can revoke your key, but keep in mind that the infrastructure for revoking digital certificates has always been a bit broken, and I wouldn’t be surprised if half the sites that accept them don’t check for revocation.

If you want to be a bit more secure, what I would do is:

  1. Run “Manage User Certificates”
  2. Click on “Personal”, “Certificates”
  3. Right click on the certificate with your name on it issued by “EC-IDCat”
  4. Click “All tasks”/“Export…”
  5. Say “Yes export private key”
  6. Select “.PFX”
  7. Select all the options (include certificates, delete private key, export all extended properties)
  8. Save it on a file and give it a secure password
  9. Re-import with “All tasks”/”Import”
  10. Disable export, and keep the password as “high security”

Now whenever you hit a site that wants the certificate, it will also ask you for your password. This isn’t totally secure, since the web browser still loads the private key at some point. The best solution would be to load the key onto a smartcard, but I haven’t gotten around to figuring that out.

No comments: