Weaknesses in BankID, a PKI-Substitute Deployed by Norwegian Banks
Source: Springer Science+Business Media
BankID is a PKI-substitute widely deployed by Norwegian banks to provide digital signatures and identification on the internet. The paper reverse-engineers part of the BankID system and analyses its security protocols and the implementation of certain cryptographic primitives. It finds cryptographic weaknesses that may indicate security problems, protocol flaws facilitating man-in-the-middle attacks, and implementation errors facilitating strong insider attacks. The paper also notes that the system suffers from severe privacy problems.