Slashdot Mirror


German Health Insurance Card CA Loses Secret Key

Christiane writes "The SSL Root CA responsible for issuing the German digital health insurance card lost its secret private key during a test enrollment. After their Hardware Security Module (HSM) dutifully deleted its crypto keys during a power outage, it was all 'Oops, why is there no backup?' All issued cards must be replaced: 'Gematik spokesman Daniel Poeschkens poured scorn on the statement that Gematik had insisted on the service provider carrying out a test without backing up the root CA private keys. "We did not decide against a back-up service. The fact of the matter is that the service provider took over the running of the test system, so it also has to warrant its continuous operation. How it fulfills this obligation is its own responsibility."'"

6 of 174 comments

  1. The big question... by Anonymous Coward · Score: 1, Interesting

    Is the cost of re-establishing the chain of trust (ie a new root and replacing all of the cards) higher than the value of the data that this system was protecting?

  2. Re:Could be worse by Opportunist · Score: 3, Interesting

    What's worst about it is that this is probably presumed to be worse. Had the key been stolen, they'd probably not even report it because business could continue as usual, maybe nobody finds out...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  3. You can fall off the road on either side by starfishsystems · Score: 3, Interesting

    There are two fundamental ways to fail as a CA. There must be exactly one party in effective possession of the private key of the root cert. If the number of parties becomes less than or more than one, fail.

    Mistakes happen, of course, and certificate infrastructures can be enormously complex. But if you're going to do any kind of risk mitigation, the absolutely most basic place to start would be with these two scenarios.

    --
    Parity: What to do when the weekend comes.

  4. Re:Could be worse by Anonymous Coward · Score: 2, Interesting

    It could be worse, but this incident exposes a design flaw: The loss of a private key should not stop them from issuing new cards which are compatible with the existing cards.

    If a CA key is lost, then there should be a layer above it which can create a new CA key. Cards are checked against the top CA public key, so the old and the new cards can both be verified. Because the top CA is only used to create intermediate CAs, its private key can be kept safer than the key of a CA which is regularly used for signing certificates. Should it get lost anyway, at least the intermediate CA still exists and can continue signing new cards.
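The two-tier design this comment describes, as an added example that is not from the thread or from gematik: an offline top CA issues an online issuing CA, which signs card certificates; when the issuing CA's key is deleted with no backup, the top CA mints a replacement, and old and new cards both verify against the same trust anchor. It uses the openssl command line only; all file names and subject names are made up for the illustration.

```sh
#!/bin/sh
# Added example (not from the original thread): two-tier CA with a recoverable issuing layer.
set -e
WORK=$(mktemp -d) && cd "$WORK"
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
EOF

# make_root NAME SUBJECT: self-signed top CA -> NAME.key (kept offline) and NAME.pem (the trust anchor in every reader)
make_root() {
  openssl req -x509 -config ca.cnf -extensions ca -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" -days 3650 2>/dev/null
}

# issue NAME SUBJECT ISSUER SECTION: NAME.pem signed by ISSUER.key, extensions taken from SECTION in ca.cnf
issue() {
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -days 365 -extfile ca.cnf -extensions "$4" -out "$1.pem" 2>/dev/null
}

# chain_ok CARD ANCHOR INTERMEDIATE: succeeds when CARD chains to ANCHOR through INTERMEDIATE
chain_ok() {
  openssl verify -CAfile "$2.pem" -untrusted "$3.pem" "$1.pem" >/dev/null 2>&1
}

make_root root "Top CA (offline)"
issue int1 "Card CA 1" root ca        # online issuing CA, the one that lives in the HSM
issue card1 "Card 0001" int1 leaf     # a card issued before the incident
rm -f int1.key                        # the HSM wipes the issuing CA's key and there is no backup
issue int2 "Card CA 2" root ca        # the layer above mints a replacement issuing CA
issue card2 "Card 0002" int2 leaf     # new cards keep being issued

if chain_ok card1 root int1; then echo "old card: OK against the top CA"; fi
if chain_ok card2 root int2; then echo "new card: OK against the same top CA"; fi
# Readers need the new issuing CA's certificate, but no new trust anchor:
if ! chain_ok card2 root int1; then echo "new card needs int2.pem rather than int1.pem, same root"; fi
```

Readers that embed only root.pem keep working; the operational cost of the recovery is distributing int2.pem, not replacing every card.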

  5. Re:Could be worse by Anonymous Coward · Score: 1, Interesting

    ...or maybe the key was stolen and to cover their ass they made up a convenient story that the key was lost, to reissue new cards before the real shit hit the fan.

  6. Re:Wrong Title, Wrong summary by WarlockD · Score: 3, Interesting

    I don't know..

    "We did not decide against a back-up service ..."

    That double negative sounds awfully like "At the time, we didn't know what they were asking" :P I guess it's just from personal experience. Every time I hear a manager use double negatives to defend a decision, it's because they didn't really know what they were deciding in the first place. At least in IT.