Minister's letter on chip EMD vulnerability
Letter Min. VWS on chip card (UZI) vulnerability
Letter Ministry of Health, Welfare and Sport to the Speaker of the House of Representatives–General
Our reference MEVA/ICT-2922193
The letter of 19 February 2009 (MEVA/ICT-2914041) following the Electronic Patient Record Bill reported that measures are being taken to address a vulnerability recently identified in a laboratory environment in the computational mechanism of the chip on the UZI–pass undercatch.
The smart cards affected by this vulnerability are widely (international) applied, both in the public and private sectors. In the Netherlands behits in the public sector the UZI–pass and the Defence Pass. The Ministry of Transport, Public Works and Water Management also uses them in the Digital Tachograph and has provided them for the On-board Taxi computer.
The vulnerability identified concerns
the application of the Chinese Remainder Theorem (CRT) to far the performance of certain calculationssnellen. In a laboratory setting, experts have been able to figure out the private key of a chip. Each time, to retrieve a private key, it is necessary to have the smart card and associated PIN, great expertise and specialised equipment. With this, a private key of a chip can be obtained. Incidentally, this can then only be used as long as the original smart card has not been revoked by its rightful owner.
Implications for UZI–pass
After contacting suppliers, VWS has determined that the vulnerability poses a very low operational risk to the use of the UZI–pass for accessing the EHR. This partly in view of the fact that the UZI–pass is not the only security measure. A healthcare provider must, for example, prior toclosure on the national link point meet the requirements for a Well-Managed Care System (GBZ). This involves guarantees regarding correct and carefilling registration, processing and provision of data. For access to the EPD, the UZI pass can only be used within a HIS within which the relevant pass is authorised. In addition, the national switch point and the HPS permanently record who has access to which data and when, the so-callednaming log data.
However, it is important to remove vulnerability in the short term. For the UZI–pass, this transition to a more modern chip (without the identified vulnerability) is scheduled for mid-third quarter 2009. From then on, every new UZI pass will be fitted with the new chip.
In communicating to current users of the UZI–pass will be additionally emphasised that the pass and PIN should be kept separate and ensuremust be managed with care. If the pass is lost or stolen, it should be withdrawn immediately. This can be done 24 hours a day via the website of the UZIregister.
The validity of UZI–passes is three years. From the time the new chip is available, passes already issued will not be replaced after three years, but after two years. If a user wishes, exchange can take place earlier.
Impact on Defence Pass
For Defence, the vulnerability is not relevant at the moment because the private key is not yet in use. Defence has taken measures to eliminate the vulnerability in the computing mechanism before the private key is put into use.
Consequences for on-board computer taxi–pass
Implications for Digital Tachograph Pass
To what extent the discovered vulnerability is an issue for digital tachograph passes is currently under discussion with colleagueMinistries of Transport and the European Commission. As soon as more is known about this, you will be further informed.
The Minister of Health, Welfare and Sport,
Dr A. Klink
the State Secretary for Defence
Drs J.G. de Vries
Secretary of State for Transport,