Machine translations by Deepl

Minister's letter on chip EMD vulnerability

Letter Min. VWS on chip card (UZI) vulnerability



Letter Ministry of Health, Welfare and Sport to the Speaker of the House of RepresentativesGeneral


Our reference MEVA/ICT-2922193

Date 31 March 2009
Subject Smartcard

Dear Chairman,

The letter of 19 February 2009 (MEVA/ICT-2914041) following the Electronic Patient Record Bill reported that measures are being taken to address a vulnerability recently identified in a laboratory environment in the computational mechanism of the chip on the UZIpass under­catch.

The smart cards affected by this vulnerability are widely (inter­national) applied, both in the public and private sectors. In the Netherlands be­hits in the public sector the UZIpass and the Defence Pass. The Ministry of Transport, Public Works and Water Management also uses them in the Digital Tachograph and has provided them for the On-board Taxi computer.


The vulnerability identified concerns

the application of the Chinese Remainder Theorem (CRT) to far the performance of certain calculations­snellen. In a laboratory setting, experts have been able to figure out the private key of a chip. Each time, to retrieve a private key, it is necessary to have the smart card and associated PIN, great expertise and specialised equipment. With this, a private key of a chip can be obtained. Incidentally, this can then only be used as long as the original smart card has not been revoked by its rightful owner.

Implications for UZIpass

After contacting suppliers, VWS has determined that the vulnerability poses a very low operational risk to the use of the UZIpass for accessing the EHR. This partly in view of the fact that the UZIpass is not the only security measure. A healthcare provider must, for example, prior to­closure on the national link point meet the requirements for a Well-Managed Care System (GBZ). This involves guarantees regarding correct and care­filling registration, processing and provision of data. For access to the EPD, the UZI pass can only be used within a HIS within which the relevant pass is authorised. In addition, the national switch point and the HPS permanently record who has access to which data and when, the so-called­naming log data.

However, it is important to remove vulnerability in the short term. For the UZIpass, this transition to a more modern chip (without the identified vulnerability) is scheduled for mid-third quarter 2009. From then on, every new UZI pass will be fitted with the new chip.

In communicating to current users of the UZIpass will be additionally emphasised that the pass and PIN should be kept separate and ensure­must be managed with care. If the pass is lost or stolen, it should be withdrawn immediately. This can be done 24 hours a day via the website of the UZI­register.

The validity of UZIpasses is three years. From the time the new chip is available, passes already issued will not be replaced after three years, but after two years. If a user wishes, exchange can take place earlier.

Impact on Defence Pass

For Defence, the vulnerability is not relevant at the moment because the private key is not yet in use. Defence has taken measures to eliminate the vulnerability in the computing mechanism before the private key is put into use.

Consequences for on-board computer taxipass

Due to the identified vulnerability in the smart cards, the supplier of the intended smart cards of the on-board computer has informed me that it cannot deliver them by 1 November. This will shift the introduction of the on-board computer by three to five months. Verkeer en Waterstaat is closely monitoring the development together with the supplier. This will not affect the planned publication of the regulations in July 2009.

Implications for Digital Tachograph Pass

To what extent the discovered vulnerability is an issue for digital tachograph passes is currently under discussion with colleague­Ministries of Transport and the European Commission. As soon as more is known about this, you will be further informed.


The Minister of Health, Welfare and Sport,

Dr A. Klink

the State Secretary for Defence

Drs J.G. de Vries

Secretary of State for Transport,

J.C. Huizinga-Heringa