2008 情財第 0142 号
March 2009
Survey Report on Information Security in Europe (Study on EU Information Security Situation)
Study on Migration Plan about Cryptography in PKI Systems in the EU


Study on Migration Plan about Cryptography in PKI Systems in the EU

Migration of PKI Cipher Technology
Activities in the Academic Sector in the EU
Policy and Migration Plan of the Public Sector
Activities of Enterprises in the EU

Final Report

February 10th, 2009

Customer: IT Security Center IPA/ISEC JAPAN
Akira Yamada
Wolfgang Schneider

Status of Document

This document is the Final Report of the “Study on Migration Plan about Cryptography in PKI Systems in the EU”.

Editors: Dr. Dirk Scheuermann, Ulrich Waldmann

Further contributors: Thomas Schroeder, Thomas Kunz

Fraunhofer SIT
Rheinstraße 75
64295 Darmstadt (Germany)
Phone +49 (0)6151 / 869-399
Fax +49 (0)6151 / 869-224
www.sit.fraunhofer.de


Management Summary

This report presents the results of the “Study on Migration Plan about Cryptography in PKI Systems in the EU” performed by SIT on behalf of IPA. For this purpose, the report looks at various aspects relevant to the application of PKI technology. This includes the analysis of European research programs with their specific projects, the activities of European organizations, and the specific mathematical problems being analyzed within research projects. The report also takes a look at national policies and activities in the public sector, concentrating on Germany and complemented by some examples of known activities in neighbouring countries.

The major part of the legal framework is provided by the EU Signature Directive. This directive classifies different levels of electronic signatures and provides the legal foundation for individual national signature regulations and national PKI projects. The Manchester Declaration of 2005 as well as a recently adopted new action plan make further contributions to the European framework for the use of PKI technology. It turns out that electronic or digital signatures, as used for eGovernment and eID applications, are the most common application of PKI technology for which European as well as national regulations have been defined (in contrast to other applications like encryption or authentication protocols). Therefore, it is especially important to carefully study the individual aspects of digital signatures (in addition to the general mathematical aspects of asymmetric cryptography). The general specification of the European Citizen Card provides a framework for an interesting application of PKI technology in connection with smart cards. Following this specification, national eID cards may be used for different applications, including as a potential Secure Signature Creation Device (SSCD).
When looking at the academic sector in the EU, it is obvious that ECRYPT is the most important project to be watched for the migration plan of PKI. This Network of Excellence covers not only PKI techniques directly but also very important other cryptographic background to be studied for future deployment of PKI.

Key length is an important criterion for the security of a cryptographic method. The key length must be large enough to prevent a brute force attack, i.e. a complete search of the key space. Progress in electronics and mathematics makes it necessary to reconsider from time to time what a safe key length is. This also includes the comparison of the key lengths necessary for asymmetric algorithms against those of symmetric algorithms with equivalent security levels. Although no successful factorisation of an RSA-1024 modulus has been achieved so far, the current state of the art in integer factorisation shows that factoring 1024-bit integers is no longer out of reach; hence, long-term security can no longer be achieved with RSA-1024. The national policies on key lengths considered secure for a definite time period differ. In Germany, the BSI has issued a list of recommendations currently reaching until 2015. Up to this time, RSA-2048 and ECDSA with 224-bit keys are considered secure enough. France has issued its own catalogue of key length recommendations, while the UK has evidently decided to adopt the international recommendations made by NIST.

Different national projects in Europe already show that the introduction of citizen cards equipped with PKI technology has begun. In this area, Germany, Austria, Finland and Sweden are among the most advanced European countries from the technical point of view (although Sweden shows some deficiencies in uniform federal regulations). The concept of card verifiable certificates, developed within the German eHealth activities, opens the way for using smart cards to fulfil the task of certificate verification, which otherwise needs to be done outside the card (in the case of X.509 certificates).

It turns out that there exist many institutions and activities in the EU that are strongly relevant for the migration plan of PKI. Such activities are not confined to academic institutions and working groups. In addition to the fact that the contents of FP7 are also of special interest to industry, there exist further funding programs and expert groups specifically related to enterprises. The example of the EU Gateway shows that the influence of enterprise activities in the EU is not limited to the EU region, but also concerns Japanese enterprises.

Looking at the specific activities of German enterprises, there are already companies providing PKI products that are genuinely usable in the public sector and that adopt the BSI recommendations. However, there are also examples of companies using weaker security features for private or internal applications.


Table of Contents

Management Summary iii

Table of Contents v

List of Tables viii

List of Figures ix

Abbreviations and Acronyms x

1 Introduction 12

2 Terms and Definitions 14

2.1 Advanced Electronic Signature 14

2.2 Asymmetric Cryptography Schemes 14

2.3 Collision Attack 14

2.4 Digital Signature 15

2.5 Electronic Signature 15

2.6 Hybrid Methods 15

2.7 Optimal Asymmetric Encryption Padding 15

2.8 Pairing-based Cryptography 16

2.9 Preimage Attack 16

2.10 Qualified Electronic Signature 16

2.11 Symmetric Cryptography Schemes 16

3 Migration of PKI Cipher Technology 16


3.1 Framework and Legislation 17

3.2 Standardization Activities 18

3.3 Digital Signatures 21

4 Academic Activities 26

4.1 Sixth and Seventh Framework Program 26

4.2 Grants Work Program 27

4.3 EU Gateway to Japan 28

4.4 IDABC 28

4.5 Activities of ENISA 29

4.6 STORK 29

4.7 Failsafe and Algorithm Changeover 30

4.8 Further Academic Activities in Germany 32

4.9 Mathematical Research Areas 33

5 National Policies and Activities in the Public Sector 42

5.1 Austria 43

5.2 France 43

5.3 Germany 44

5.4 United Kingdom 51

5.5 Norway 53

5.6 Finland 53

5.7 Sweden 55

6 Selected national Projects 55

6.1 The German eID Card 55


6.2 HBA, HPC 58

6.3 eSignature, Austria 63

6.4 eID Card, Finland 58

6.5 eID Card, Sweden 58

7 Activities Relevant for Enterprises in the EU 65

7.1 European Policy Centre (EPC) 66

7.2 Fraud Prevention Expert Group (FPEG) 66

7.3 Product and System Security Working Group (PSSWG) 67

7.4 Enterprises in Germany 67

8 References 70

Appendix A: Contact Information and Links 76


List of Tables

Table 1 DCSSI recommended Algorithms and Key Lengths (2007) 44
Table 2 BSI recommended Signature Algorithms and Key Lengths (2008) 46
Table 3 BSI recommended Algorithms (2008) 47
Table 4 BSI recommended Algorithms and Key Lengths for National eCard Projects (2007) 48
Table 5 NIST Key length Recommendations (2007) 52
Table 6 German telematics specification of algorithms and key lengths (2008) 61
Table 7 International Links 76
Table 8 European Links 77
Table 9 Contact Information about European Organisations 78
Table 10 French Links 78
Table 11 Contact Information about French Organisations 79
Table 12 Belgian and Dutch Links 79
Table 13 Contact Information about Belgian and Dutch Organisations 79
Table 14 German Links 80
Table 15 Contact Information about German Organisations and Enterprises 81
Table 16 United Kingdom Links 82
Table 17 Contact Information about Organisations in the United Kingdom 82
Table 18 Scandinavian Links 82
Table 19 Contact Information about Organisations in Scandinavia 82


List of Figures

Figure 1 – Key and certificate management of the German eID Card 57


Abbreviations and Acronyms

AFNOR Association Française de Normalisation, French Standardization Body
AZTEC Asymmetric Techniques Virtual Lab
BERR Department for Business, Enterprise and Regulatory Reform, UK
BITKOM Bundesverband Informationswirtschaft, Telekommunikation und neue Medien, Association for Information Technology, Telecommunications and New Media, GER
BSI Bundesamt für Sicherheit in der Informationstechnik, Federal Office for Information Security, GER
CA Certification Authority
CCITT Comité Consultatif International Télégraphique et Téléphonique
CEN Comité Européen de Normalisation (European Committee for Standardization)
CESG Communications Electronics Security Group, UK
CORDIS Community Research and Development Information Service, EU
CWI Centrum Wiskunde & Informatica
DCSSI Direction Centrale de la Sécurité des Systèmes d'Information, Central Directorate for Information Systems Security, FRA
DG Directorate General, EU
DIUS Department for Innovation, Universities and Skills, UK
DSSC Data Structure for the Security Suitability of Cryptographic Algorithms
EAC Extended Access Control
ECC Elliptic Curve Cryptography
ECGDSA Elliptic Curve German Digital Signature Standard
eCIRT European CIRTs
ECITT Enhanced Competitiveness and Co-operation through Information Technology and Telecommunications, EU
EESSI European Electronic Signature Standardization Initiative
EGC European Government CSIRTs Group
eHC Electronic Health Card
eID electronic IDentity management
ENISA European Network and Information Security Agency
EPC European Policy Centre
ERS Evidence Record Syntax
EU European Union
FICORA Finnish Communications Regulatory Authority
FPEG Fraud Prevention Expert Group
FP6 6th Framework Program, EU
FP7 7th Framework Program, EU
GCHQ Government Communications Headquarters
HECC Hyperelliptic Curve Cryptography
HPC Health Professional Card
ICT Information and Communication Technologies
ICTSB Information and Communication Technologies Standards Board
IDABC Interoperable Delivery of European eGovernment Services to public Administrations, Businesses and Citizens
IDS Intrusion Detection System
IND-CPA Indistinguishability under Chosen Plaintext Attack
ISCI International Security Certification Initiative
IST Information Society Technologies, EU
ITU International Telecommunication Union
JHAS JIL Hardware Related Attack Subgroup
JIL Joint Interpretation Library
JIWG Joint Interpretation Working Group
JRC Joint Research Centre, EU
LDAP Lightweight Directory Access Protocol
LTANS Long-Term Archive and Notary Services
MRZ Machine Readable Zone
NCP National Contact Point, EU
NGO Non Governmental Organization
NIS Network and Information Security, EU
NIST National Institute of Standards and Technology
NTRU N-th degree truncated polynomial ring
OAEP Optimal Asymmetric Encryption Padding
PACE Password Authenticated Connection Establishment
PEGS Political Economy for Good Service
PKIX Public Key Infrastructure X.509
R&D Research & Development, EU
PRC Population Register Center (Finland)
RFC Request for Comments
RI Restricted Identification
RTD Research & Technology Development, EU
SCVP Server-Based Certificate Validation Protocol
SMC Security Module Card
SSCD Secure Signature Creation Device
STFC Science and Technology Facilities Council
STORK Secure Identity Across Borders Linked
SWEDAC Swedish Board for Accreditation and Conformity Assessment
TAMP Trust Anchor Management Protocol
TCL Trusted Component List
TKG Trusted Key Generator
TSL Trust Service Status List
TTT TeleTrusT Deutschland e.V.
VAHTI Government Information Security Management Board (Finnish abbreviation)
WG-CS Working Group CERT Services, EU


1 Introduction

To get an overview of the European migration plan for PKI, many different aspects have to be considered. The present report performs an analysis by examining the following points:

Policies or plans on the migration of PKI cipher technology, including the relation with the EU cryptographic policy,

Activities in the academic sector in the EU,

Policies and migration plan of the public sector, including the amendment of the Digital Signature Act,

Activities relevant to enterprises, service providers and product vendors in the EU.

A public key system is constructed so that computing one key (the “private key”) from the other (the “public key”) is computationally infeasible. In public-key cryptosystems, the public key may be freely distributed, while its paired private key must remain secret. The RSA algorithm has been among the most widely used. Others include the Diffie-Hellman algorithm, the Cramer-Shoup cryptosystem, ElGamal encryption, and various elliptic curve techniques. A significant disadvantage of symmetric ciphers is the key management necessary to use them securely. Each distinct pair of communicating parties must share a different key, so the number of keys required grows as the square of the number of communicating participants. The difficulty of securely establishing a secret key between two communicating parties presents a considerable practical obstacle for users of cryptography. Hybrid encryption is the method usually chosen to circumvent this problem.

Public-key algorithms are mostly based on the computational complexity of “hard” problems, often from number theory. For example, the hardness of RSA is related to the integer factorisation problem, while Diffie-Hellman and DSA are related to the discrete logarithm problem. More recently, elliptic curve cryptography has been developed, in which security is based on number-theoretic problems involving elliptic curve groups. With the development of the World Wide Web and its rapid spread, the need for authentication and secure communication became acute. The effort toward legal recognition and protection from liability fostered the demand for ways by which users could communicate securely. The enacted laws and regulations differ, as questions of privacy, access, and liability have been taken into consideration to varying degrees. PKI arrangements enable computer users without prior contact to be authenticated to each other and to use the public key information in their public key certificates to encrypt messages to each other.

For the reasons given above, the question of key length has to be considered for both symmetric and asymmetric encryption: given symmetric encryption methods with certain key lengths, the necessary key lengths for asymmetric methods must be determined in order to provide the same security level. PKIs of one type or another have many uses, including providing public keys and bindings to user identities which are used for:

Encryption and/or sender authentication of e-mail messages (e.g., using OpenPGP or S/MIME).

Encryption and/or authentication of documents (e.g., the XML Signature or XML Encryption standards if documents are encoded as XML).

Authentication of users to applications (e.g., smart card logon, client authentication with SSL).

Bootstrapping secure communication protocols, such as Internet key exchange (IKE) and SSL. In both of these, initial set-up of a secure channel (a “security association”) uses asymmetric key (public key) methods, whereas actual communication uses faster secret key (symmetric key) methods.

The rest of the report is structured in the following way: after some general terms and definitions in Chapter 2, Chapter 3 starts with some general aspects of PKI migration in the EU, including the framework as well as standardisation activities. Specific academic activities in the EU are listed in Chapter 4. This includes some known research projects in the EU as well as specific mathematical research areas. Chapter 5 gives an overview of national policies and organisations in the different countries of the EU. After that, a closer look at specific national PKI-related projects is given in Chapter 6. Finally, Chapter 7 deals with enterprise activities. This includes some research programs and other activities specifically related to enterprises as well as internal and external activities of specific enterprises engaged in PKI technology.


2 Terms and Definitions

2.1 Advanced Electronic Signature

An advanced electronic signature (according to the EU Directive) means an electronic signature (see below) with the following additional requirements:

The signature is uniquely linked to the signer.

The signer may be uniquely identified with the aid of the signature.

Later changes of the document may be detected with the aid of the signature.

2.2 Asymmetric Cryptography Schemes

Asymmetric cryptography schemes have the property that encryption and decryption are not performed with the same encryption key. Instead, a public key (which may be known to everyone) is used for encryption and a private key (only known to its owner as a personal secret) is used for decryption. Therefore, asymmetric cryptography is also called “public key cryptography”. (Please note that the term “secret key” is not used for private keys to avoid confusions with keys used for symmetric cryptography.) Asymmetric cryptography schemes also provide the foundation for digital signatures, created by the private key and verified by the public key.

2.3 Collision Attack

A collision attack on a cryptographic hash is an attempt to find two different messages having identical hash values:

Find two messages m1, m2 with the property hash(m1) = hash(m2).

Since the complexity of a brute-force collision attack (against a hash function with N different possible output values) is O(sqrt(N)), it is also called a “square root attack” or “birthday attack”, recalling the “birthday paradox”: a group of about sqrt(365) ≈ 19 people already contains two people with the same birthday with a probability higher than 50 %.
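As an added illustration (not part of the report), the following Python code computes the exact birthday probability together with the constant hidden in the O(sqrt(N)) cost, and runs a birthday search against a SHA-256 digest truncated to a few bits, a constructed toy hash with N = 2**bits values, to show that a repeat appears after roughly sqrt(N) trials. The messages are constructed counters, not data from the report.

```python
import hashlib
import math
from typing import Dict, Tuple


def birthday_probability(k: int, n: int) -> float:
    """Exact probability that k values drawn uniformly from n possible values
    contain at least one repeat (two people sharing a birthday, or two messages
    sharing a hash value)."""
    if k > n:
        return 1.0
    p_all_distinct = 1.0
    for i in range(k):
        p_all_distinct *= (n - i) / n
    return 1.0 - p_all_distinct


def samples_for_probability(n: int, target: float) -> int:
    """Smallest k with birthday_probability(k, n) >= target (exact; for small n)."""
    k, p_all_distinct = 0, 1.0
    while 1.0 - p_all_distinct < target:
        p_all_distinct *= (n - k) / n
        k += 1
    return k


def approx_samples_for_probability(n: float, target: float) -> float:
    """Asymptotic birthday bound k ~ sqrt(2 n ln(1/(1 - target))). For target = 0.5
    this is about 1.18 * sqrt(n): the constant hidden inside O(sqrt(N))."""
    return math.sqrt(2.0 * n * math.log(1.0 / (1.0 - target)))


def truncated_digest(message: bytes, bits: int) -> int:
    """Leading `bits` bits of SHA-256(message): a toy hash with N = 2**bits values."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") >> (256 - bits)


def find_truncated_collision(bits: int) -> Tuple[bytes, bytes, int]:
    """Birthday search on the truncated hash: remember every digest seen and stop
    at the first repeat. Returns (m1, m2, trials); trials is typically on the
    order of sqrt(2**bits). Messages are constructed counters, nothing else."""
    seen: Dict[int, bytes] = {}
    trials = 0
    while True:
        message = b"constructed-message-%d" % trials
        trials += 1
        digest = truncated_digest(message, bits)
        if digest in seen:
            return seen[digest], message, trials
        seen[digest] = message
```

The same arithmetic explains why a hash of n output bits offers at most n/2 bits of security against collisions, which is the reason hash length enters the key-length comparisons discussed later in the report.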


2.4 Digital Signature

The term “digital signature” denotes the production of an electronic signature with an asymmetric cryptography scheme. According to the EU directive, digital signatures at least fulfil the requirements of advanced electronic signatures, whereas the fulfilment of the requirements for qualified electronic signatures depends on the public key's certificate.

2.5 Electronic Signature

The term “electronic signature” means data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication. Please note that this definition alone does not include the necessity to use any sort of cryptography schemes.

2.6 Hybrid Methods

Hybrid encryption methods provide an efficient way of combining asymmetric and symmetric cryptography to save computation time. Most public-key algorithms involve multi-precision operations such as modular multiplication and exponentiation, which are much more computationally expensive than the techniques used in most block ciphers. As a result, public-key cryptosystems are commonly hybrid cryptosystems, in which fast high-quality symmetric-key encryption is used for the message itself, while the relevant symmetric key is sent with the message, but encrypted using a public-key algorithm.

2.7 Optimal Asymmetric Encryption Padding

Optimal Asymmetric Encryption Padding (OAEP) is a padding scheme often used together with RSA encryption. The OAEP algorithm is a form of Feistel network which uses a pair of random oracles G and H to process the plaintext prior to asymmetric encryption. When combined with any secure trapdoor one-way permutation f, this processing is proven in the random oracle model to result in a combined scheme which is semantically secure under chosen plaintext attack (IND-CPA). When implemented with certain trapdoor permutations (e.g., RSA), OAEP is also proven secure against chosen ciphertext attack. OAEP satisfies the following two goals: (1) it adds an element of randomness which can be used to convert a deterministic encryption scheme (e.g., traditional RSA) into a probabilistic scheme; (2) it prevents partial decryption of ciphertexts (or other information leakage) by ensuring that an adversary cannot recover any portion of the plaintext without being able to invert the trapdoor one-way permutation.
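To make the Feistel structure and the two goals concrete, here is an added Python example (not code from the report or from any library it cites) implementing EME-OAEP with SHA-256 and MGF1 playing the roles of G and H, combined with a textbook RSA whose key generation is included only so that the block runs stand-alone. All function names are this example's own.

```python
import hashlib
import secrets
from typing import Optional, Tuple

HASH = hashlib.sha256
H_LEN = HASH().digest_size  # 32 bytes for SHA-256

def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 (PKCS#1): concatenate Hash(seed || 4-byte counter) blocks and truncate."""
    out, counter = b"", 0
    while len(out) < mask_len:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(message: bytes, k: int, seed: Optional[bytes] = None) -> bytes:
    """EME-OAEP encoding for a k-byte modulus with an empty label (RFC 8017, 7.1.1).
    The two MGF1 calls are the oracles G and H of the two-round Feistel network."""
    if len(message) > k - 2 * H_LEN - 2:
        raise ValueError("message too long")
    ps = b"\x00" * (k - len(message) - 2 * H_LEN - 2)
    db = HASH(b"").digest() + ps + b"\x01" + message        # lHash || PS || 0x01 || M
    seed = secrets.token_bytes(H_LEN) if seed is None else seed  # fresh per encryption
    masked_db = xor(db, mgf1(seed, k - H_LEN - 1))           # round 1: G(seed) masks DB
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))          # round 2: H(maskedDB) masks seed
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em: bytes, k: int) -> bytes:
    """Inverse of oaep_encode. Every integrity failure raises the same error so the
    error type reveals nothing; a production implementation must additionally
    keep these checks constant-time."""
    if len(em) != k or k < 2 * H_LEN + 2:
        raise ValueError("decryption error")
    y, masked_seed, masked_db = em[0], em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))          # undo round 2
    db = xor(masked_db, mgf1(seed, k - H_LEN - 1))           # undo round 1
    sep = db.find(b"\x01", H_LEN)                            # end of the zero padding PS
    ok = y == 0 and db[:H_LEN] == HASH(b"").digest() and sep != -1
    if not ok or any(db[H_LEN:sep]):
        raise ValueError("decryption error")
    return db[sep + 1:]

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test with random bases."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1    # exact size, odd
        if is_probable_prime(cand):
            return cand

def generate_rsa_key(bits: int = 1024) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Textbook RSA key generation for the demo (no hardening); returns ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def rsa_oaep_encrypt(pub: Tuple[int, int], message: bytes) -> bytes:
    n, e = pub
    k = (n.bit_length() + 7) // 8
    em = oaep_encode(message, k)                             # leading 0x00 keeps EM < n
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")

def rsa_oaep_decrypt(priv: Tuple[int, int], ciphertext: bytes) -> bytes:
    n, d = priv
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(ciphertext, "big"), d, n).to_bytes(k, "big")
    return oaep_decode(em, k)
```

Encrypting the same message twice with `rsa_oaep_encrypt` yields different ciphertexts (goal 1), and any modification of a ciphertext is rejected by `oaep_decode` rather than leaking plaintext bytes (goal 2).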


2.8 Pairing-based Cryptography

Pairing-based cryptography is the use of a pairing between elements of two groups to a third group to construct cryptographic systems. Usually the same group is used for the first two groups, making the pairing in fact a mapping from two elements from one group to an element from a second group. In this way, pairings can be used to reduce a hard problem in one group to a different, usually easier problem in another group. While first used for cryptanalysis, pairings have since been used to construct many cryptographic systems for which no other efficient implementation is known, such as identity based encryption.

2.9 Pre-image Attack

A pre-image attack on a cryptographic hash is an attempt to find a message that has a specific hash value. There are two types of pre-image attacks:

Given a hash h, find a message m such that hash(m) = h.

Given a fixed message m1, find a different message m2 such that hash(m2) = hash(m1).

2.10 Qualified Electronic Signature

A qualified electronic signature (according to the EU Directive) is an advanced electronic signature with the additional requirement that a public key with a “qualified certificate” is used. Special properties required for qualified certificates are specified within an annex of the EU Directive.

2.11 Symmetric Cryptography Schemes

Symmetric cryptography schemes are cryptography schemes in which encryption and decryption are performed with the same key, which needs to be known to everyone involved in the confidential data exchange. Since the key represents a secret agreed between the parties, symmetric cryptography is also called “secret key cryptography”.

3 Transition of PKI Cipher Technology

In the following, we take a closer look at several general aspects relevant to the migration of PKI cryptography. For this purpose, we first have to consider the existing technical frameworks as well as the legislation in Europe. Furthermore, it is important to look at European as well as international standardisation activities. It turns out that digital (electronic) signatures represent the most frequent application of PKI technology for which a number of European regulations exist (as opposed to other applications like data encryption or authentication protocols). Therefore, we highlight this subject in a separate section.

3.1 Framework and Legislation

EU Directive for Electronic Signatures

The “EU Directive for Electronic Signatures” was approved by the European Parliament in 1999 and was implemented in all member states within the following 18 months. The original approach of the European Directive was based on the so-called “Liability Approach”, as opposed to the “Licensing Approach” used, for instance, in the early version of the German act. The route ultimately taken by the EU was a combination of these two approaches, i.e., a list of abstract requirements and a number of partially optional annexes containing technical specifications. The EU Directive standardises “advanced electronic signatures” and “qualified electronic signatures” in connection with “qualified certificates”, requiring an appropriate security level to be put in place. However, room is left for “electronic signatures” with less stringent security requirements. It also standardises the term “secure signature creation device” (SSCD) by setting requirements for devices eligible to produce electronic signatures.

New Action Plan

Based on the EU Directive mentioned above, a new action plan on e-signatures and e-identification has been recently published by the EU [EU-APSig08]. The major objective of this action plan consists in cross-border interoperability of e-signatures and e-identification. One important aspect is the mutual validation of advanced and qualified signatures by different countries.

This action plan initiates a couple of academic activities in Europe and is also strongly relevant for future R&D support (see also further sections on this topic as well as part II of our study).

Manchester Declaration

Within the framework for use of PKI for European eGovernment and eID applications, the Manchester Declaration of 2005 [EU-Manch05] plays a fundamental role. This declaration was approved at the Ministerial eGovernment Conference 2005 during the UK Presidency of the EU. The major goal of this declaration was to offer easy-to-use eGovernment applications with appropriate data security to all EU citizens by 2010.


General Role of Certificate Authorities

A public key infrastructure (PKI) binds public keys to the respective user identities by means of a certificate authority (CA). The user identity must be unique within a CA. The binding is established through the registration and issuance process, which, depending on the level of assurance the binding has, may be carried out by software at a CA or under human supervision. For each user, the user identity, the public key, their binding, validity conditions and other attributes are contained in certificates issued and signed by the CA. The term trusted third party (TTP) may also be used for a CA. A signer’s public key certificate may also be used by a third party to verify the digital signature of a message.

Most PKI systems rely on certificate chains to establish a party’s identity, as a certificate may have been issued by a certificate authority computer whose “legitimacy” is established for such purposes by a certificate issued by a higher-level certificate authority, and so on. This produces a certificate hierarchy likely composed of several computers, often more than one organization, and often different interoperating software packages from several sources. Today’s leading directory technology is LDAP and in fact, the most common certificate format (X.509) stems from its use in LDAP’s predecessor, the X.500 directory schema.

There are alternative approaches to the problem of public authentication like the web of trust scheme and assorted cryptographic protocols, which will not be covered in detail. However, such schemes can interoperate with a PKI CA fully-trusted by all parties. A PKI provides enhanced security, greater scalability and easier administration, control and management of the infrastructure.

European Citizen Card

Across Europe, there are a lot of projects for electronic ID cards and other sorts of cards making use of PKI cryptography (as later described in more detail in Chapters 5 and 6). For these eCard projects, the specification of the European Citizen Card (see also further information on CEN in 3.2) provides a general technical framework. However, this framework is not prescribed by the EU to be followed by the individual countries. The development rather works in the opposite way: The European countries are contributing their concepts into the specification. The recommendations for issuance, operations and use of the European Citizen Card are currently under revision [prTS15480]. For this revision, Germany is going to contribute its intended profile for the planned German eID.

3.2 Standardization Activities

There are a number of international standardisation activities that have to be considered for the European migration plan of PKI. Standardisation has been done by EESSI (European Electronic Signature Standardisation Initiative) under the auspices of ICTSB (Information and Communication Technologies Standards Board). The working groups PKIX and LTANS are especially important. Furthermore, the European standardisation organisation CEN has a technical committee specifically concerned with signatures.

PKIX Working Group

The PKIX (Public-Key Infrastructure X.509) Working Group (PKIX-WG) was chartered by the Internet Engineering Task Force (IETF) to develop the Internet standards needed to support a Public Key Infrastructure based on X.509. The PKIX Working Group was established in 1995 with the goal of developing Internet standards to support X.509-based Public Key Infrastructures (PKIs). Initially, PKIX pursued this goal by profiling X.509 standards developed by the CCITT (later the ITU-T). Later, PKIX initiated the development of standards that are not profiles of ITU-T work, but rather independent initiatives designed to address X.509-based PKI needs in the Internet. PKIX has produced a number of standards track and informational RFCs. RFC 3280 (Certificate and CRL Profile) and RFC 3281 (Attribute Certificate Profile) are recent examples of standards track RFCs that profile ITU-T documents. RFC 2560 (Online Certificate Status Protocol), RFC 3779 (IP Address and AS Number Extensions), and RFC 3161 (Time Stamp Authority) are examples of standards track RFCs that are IETF-initiated. RFC 4055 (RSA) and RFC 3874 (SHA2) are examples of informational RFCs that describe how to use public key and hash algorithms in PKIs.

PKIX will continue to track the evolution of ITU-T X.509 documents, and will maintain compatibility between these documents and IETF PKI standards, since the profiling of X.509 standards for use in the Internet remains an important topic for the working group. PKIX does not endorse the use of specific cryptographic algorithms with its protocols. However, PKIX does publish standards track RFCs that describe how to identify algorithms and represent associated parameters in these protocols, and how to use these algorithms with these protocols. We anticipate efforts in this arena will continue to be required over time.

PKIX will pursue new work items in the PKI arena. For example, certificate validation under X.509 and PKIX standards calls for a relying party to use a trust anchor as the start of a certificate path.

There is considerable interest to define a standard model for trust anchor management, and standard protocols to allow remote management. Thus a future work item for PKIX is the definition of such protocols and associated data models. Some work about trust anchor management protocols (TAMP) and trust anchor format is already in progress ([PKIX-TAF08], [PKIX-TAMP08]).

LTANS Working Group


Besides PKIX, the activities of the LTANS Working Group are also worth mentioning, since the group deals with long-term non-repudiation of digitally signed data. The LTANS (Long-Term Archive and Notary Services) Working Group was established in 2003 by the IETF.

In many scenarios, users need to be able to ensure and prove the existence and validity of data, especially digitally signed data, in a common and reproducible way over a long period of time. The goal of LTANS is to standardise processing procedures and data structures to preserve all necessary data (e. g. timestamps) for a non-repudiable proof of existence of digital data.

LTANS has produced three RFCs: [RFC 4810] (Long-Term Archive Service Requirements) describes long-term archive services and the technical requirements for interacting with such services. [RFC 4998] (Evidence Record Syntax, ERS) specifies the syntax and the processing of an evidence record, a data structure designed to support long-term non-repudiation of the existence of data. [RFC 5276] (Using the Server-Based Certificate Validation Protocol (SCVP) to Convey Long-Term Evidence Records) describes the usage of SCVP to convey evidence records, enabling SCVP responders to provide preservation evidence for certificates and certificate revocation lists (CRLs). Furthermore, two drafts are in progress. The first, LTAP (Long-Term Archive Protocol), describes an architecture framework and a protocol allowing clients to interact with a long-term archive service (LTA).

Fraunhofer SIT also participates in the activities of LTANS and proposed DSSC (Data Structure for the Security Suitability of Cryptographic Algorithms) as a specified data structure that enables automated analysis of the security suitability of cryptographic algorithms. Especially with regard to PKI migration, DSSC plays an important role and will therefore be described in the following.

DSSC

It is important to periodically evaluate a cryptographic algorithm’s fitness and to consider the results of these evaluations when creating or verifying signatures, or when maintaining the validity of signatures made in the past. One result is a projected validity period for the algorithm, i.e., a prediction of the period of time during which the algorithm is fit for use. This prediction can help to detect whether a “weak” algorithm is used in a signature and whether that signature has been properly protected in due time by another signature made using an algorithm that is suitable at the present point of time. In Germany, the Federal Network Agency annually publishes evaluations of cryptographic algorithms, see 5.3. Other European and international evaluations are published, for example, by NIST and ETSI.

These evaluations are only published in documents intended to be read by humans. For this reason, DSSC has been defined to express the content of the evaluations in a form that enables automated processing. The current status of DSSC is “draft”. It is expected to reach RFC status in 2009. After the standardisation process of DSSC has finished, it is planned to recommend to the Federal Network Agency that it support the specification.

Algorithm evaluations are pooled in a so-called security suitability policy. Besides some metadata like information about the publisher, such a policy contains all cryptographic algorithms, including those already expired. The algorithms are identified by their object identifiers (OIDs). If an algorithm has any parameters (e.g., modulus length), the algorithm is broken down into the algorithm with its respective parameter values. This means that, for example, RSA with 1024 bit key length and RSA with 2048 bit key length are treated as different algorithms. For each algorithm, the predicted validity period is indicated.

An algorithm is suitable at a time of interest if it is contained in the current policy and the time of interest is within the validity period. Additionally, if the algorithm has any parameters, these parameters must meet the requirements defined in the policy constraints. If an algorithm appears in a policy for the first time, it is assumed that the algorithm has already been suitable in the past. Assertions made in the policy are valid at least until the next policy is published. Publishers may extend the lifetime of an algorithm prior to reaching the end of the algorithm’s validity period by publishing a revised policy.

The DSSC policies may be interpreted by signature generation and verification tools to ensure that only valid algorithms are used. In the context of long-term security, such policies provide information about suitable and also threatened algorithms to allow a timely signature renewal.

DSSC may also play an important role in failsafe concepts. See 4.7 for further details on this topic.

CEN/TC 224

Similar to ISO at the international level, CEN is responsible for European standardisation and is divided into several technical committees. TC224 is responsible in particular for standardisation in the area of personal identification and electronic signatures. It produced the multipart standard on the European citizen card (see also 3.1) as well as further standards for the use of smart cards with electronic signatures [EN14890-1].

3.3 Digital Signatures

A very common application of PKI cipher technologies is provided by digital signatures. Therefore, it is especially important to carefully look at all aspects related to digital signatures in order to analyse the migration plan of PKI.


A digital signature is an asymmetric cryptographic scheme used to simulate the security properties of a handwritten signature on paper. According to the EU Directive described in the last section, digital signatures may be classified as enhanced or qualified electronic signatures depending on the quality of the public key's certificate.

Digital signature schemes provide two algorithms, one for signing which involves the user’s private key, and one for verifying signatures which involves the user’s public key. The output of the signature process is called a “digital signature”. A signature authenticates the message it is attached to. Digital signatures can be used to create PKI schemes in which a user's public key (whether for public-key encryption, digital signatures, or any other purpose) is tied to the identity of a user by a digital certificate issued by a certificate authority. In some countries, including the United States and the European Union, electronic signatures have legal significance.

A digital signature scheme typically consists of three algorithms:

A key generating algorithm G that randomly produces a “key pair” (PK, SK) for the signer. PK is the verifying key, which is to be public, and SK is the signing key, to be kept private.

A signing algorithm that on input of a message together with a signing key produces a signature.

A signature verifying algorithm that on input of a message, a verifying key and a signature, either accepts or rejects.

Two main properties are required. First, signatures computed honestly should always be accepted and all others rejected. Secondly, it should be computationally hard for any adversary, knowing only the public key, to create a valid signature for any text. Since the basic RSA scheme applied directly to the message is not very secure, one can, in order to prevent attacks, first apply a cryptographic hash function to the message and then apply the RSA algorithm to the result. There are several other reasons to sign such a hash (or message digest) instead of the whole document.

Efficiency: The signature will be much shorter and thus save time since hashing is generally much faster than signing in practice.

Compatibility: Messages are typically bit strings, but some signature schemes operate on other domains (such as, in the case of RSA, numbers modulo a composite number N). A hash function can be used to convert an arbitrary input into the proper format.


Integrity: Without the hash function, the text “to be signed” may have to be split into blocks small enough for the signature scheme to act on them directly. However, the receiver of the signed blocks is not able to recognise whether all the blocks are present and in their appropriate order.
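To make the integrity point concrete, the following Python sketch (an added example, not code from the report) signs a constructed three-block message once block by block and once as a hash. It uses toy textbook RSA parameters built from two Mersenne primes and an 8-byte blake2b digest standing in for a real hash; both are far too small for real use and serve only to show that re-paired or dropped blocks pass blockwise verification while hash-then-sign rejects them.

```python
import hashlib

# Constructed toy RSA parameters for illustration only: two Mersenne primes give
# a ~92-bit modulus N, far too small for real use but enough to show the point.
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (modular inverse, Python 3.8+)

BLOCK = 8  # an 8-byte block is a number below N, so "textbook" RSA can act on it directly


def rsa_sign(m: int) -> int:
    """Textbook RSA signature on a number m < N (no padding, toy only)."""
    return pow(m, D, N)


def rsa_verify(m: int, sig: int) -> bool:
    return pow(sig, E, N) == m


def split_blocks(msg: bytes) -> list:
    return [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]


def sign_blockwise(msg: bytes) -> list:
    """Sign every block on its own, without hashing: one signature per block."""
    return [rsa_sign(int.from_bytes(b, "big")) for b in split_blocks(msg)]


def verify_blockwise(msg: bytes, sigs: list) -> bool:
    """Each block verifies on its own; nothing ties the blocks to each other or to a count."""
    blocks = split_blocks(msg)
    return len(blocks) == len(sigs) and all(
        rsa_verify(int.from_bytes(b, "big"), s) for b, s in zip(blocks, sigs))


def digest(msg: bytes) -> int:
    """Hash an arbitrary-length message into the signer's domain (a number below N)."""
    return int.from_bytes(hashlib.blake2b(msg, digest_size=BLOCK).digest(), "big")


def sign_hashed(msg: bytes) -> int:
    return rsa_sign(digest(msg))


def verify_hashed(msg: bytes, sig: int) -> bool:
    return rsa_verify(digest(msg), sig)


def compare_schemes() -> dict:
    """Re-pair and drop signed blocks of a constructed message; see which scheme notices."""
    original = b"PAY 100 " + b"TO ALICE" + b"THEN BOB"   # three 8-byte blocks
    swapped = b"PAY 100 " + b"THEN BOB" + b"TO ALICE"    # blocks 2 and 3 exchanged
    truncated = original[:2 * BLOCK]                      # last block dropped
    block_sigs = sign_blockwise(original)
    hashed_sig = sign_hashed(original)
    return {
        "blockwise_original": verify_blockwise(original, block_sigs),
        "blockwise_swapped": verify_blockwise(swapped, [block_sigs[0], block_sigs[2], block_sigs[1]]),
        "blockwise_truncated": verify_blockwise(truncated, block_sigs[:2]),
        "hashed_original": verify_hashed(original, hashed_sig),
        "hashed_swapped": verify_hashed(swapped, hashed_sig),
        "hashed_truncated": verify_hashed(truncated, hashed_sig),
    }


if __name__ == "__main__":
    for name, accepted in compare_schemes().items():
        print(f"{name:20s} accepted={accepted}")
```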

For a digital signature scheme, the following attack models are considered:

In a key-only attack, the attacker is only given the public verification key.

In a known message attack, the attacker is given valid signatures for a variety of messages known by the attacker but not chosen by the attacker.

In a chosen message attack, the attacker learns signatures on arbitrary messages of the attacker’s choice.

There is also a hierarchy of attack results:

A total break results in the recovery of the signing key.

A universal forgery attack results in the ability to forge signatures for any message.

A selective forgery attack results in a signature on a message of the adversary’s choice.

An existential forgery merely results in some valid message/signature pair not already known to the adversary.

One of the main differences between a digital signature and a written signature is that the user does not “see” what he signs. An attacker who gains control of the user’s PC can possibly replace the user application with a foreign substitute, in effect replacing the user’s own communications with those of the attacker. This could allow a fraudulent application to make a user sign any document by displaying the user’s original on-screen, but presenting the attacker’s own documents to the signing application. To protect against this threat, an authentication system can be set up between the user’s application and the signing application. The general idea is to provide some means for both the user application and signing application to verify each other’s integrity. For example, the signing application may require all requests to be digitally signed in turn.

Authentication


Digital signatures can be used to authenticate the source of messages. When ownership of a digital signature private key is bound to a specific user, a valid signature shows that the message was sent by that user. The importance of high confidence in sender authenticity is especially obvious in finance.

Integrity

In many applications, the sender and receiver of a message may need confidence that the message has not been altered during transmission. Although encryption hides the contents of a message, it may be possible to change an encrypted message without understanding it. (Some encryption algorithms, known as non-malleable ones, prevent this, but others do not.) However, if a message is digitally signed, any change in the message will invalidate the signature. Furthermore, there is no efficient way to modify a message and its signature so as to produce a new message with a valid signature; this is considered to be computationally infeasible.

Drawbacks of Digital Signatures

Despite their usefulness, digital signatures on their own do not solve any of the following problems:

Association of digital signatures and trusted time stamping

Digital signature algorithms and protocols do not inherently provide certainty about the date and time at which the underlying document was signed. The signer might have included a time stamp with the signature, or the document itself might have a date mentioned on it. Regardless of the document’s contents, a reader cannot be certain the signer did not, for example, put back the date or time of the signature. Such misuse can be made impracticable by using trusted time stamping in addition to digital signatures.

Non-repudiation

The word repudiation refers to any disclaiming responsibility for a message. A message’s recipient may insist the sender attach a signature in order to make later repudiation more difficult, since the recipient can show the signed message to a third party to reinforce a claim as to its signatories and integrity. However, loss of control over a user's private key will mean that all digital signatures using that key, and so ostensibly “from” that user, are suspect. Nonetheless, a user cannot repudiate a signed message without repudiating their signature key. This is aggravated by the fact there is no trusted time stamp, so new documents (after the key compromise) cannot be separated from old ones, further complicating signature key invalidation.


Putting the Private Key on a Smart Card

All public key/private key cryptosystems depend entirely on keeping the private key secret. A private key can be stored on a user's computer, and protected by a local password, but this has two disadvantages: the user can only sign documents on that particular computer and the security of the private key depends entirely on the security of the computer. In addition, security breaches may be difficult to detect.

A more secure means is to store the private key on a smart card, which is usually designed to be tamper-resistant. If all security conditions of the EU Directive are satisfied, the smart card in this way plays the role of an SSCD. In a typical digital signature implementation, the hash calculated from the document is sent to the smart card, whose CPU encrypts the hash using the stored private key of the user and then returns the encrypted hash. Typically, a user must activate his smart card by entering a PIN code. It should be arranged that the private key never leaves the smart card. If the smart card is stolen, the thief will still need the PIN code to generate a digital signature. This reduces the security of the scheme to that of the PIN system, although it still requires an attacker to possess the card. A beneficial factor is that private keys, if generated and stored on smart cards, are usually regarded as difficult to copy and are assumed to exist in exactly one copy. Thus, the loss of the smart card may be detected by the owner, and the corresponding certificate can be revoked immediately.

Entering a PIN code to activate the smart card commonly requires a numeric keypad. Some card readers have their own (numeric) keypad. This is safer than using a card reader integrated into a PC, and then entering the PIN using that computer's keyboard. Readers with a numeric keypad are meant to circumvent the eavesdropping threat where the computer might be running a keystroke logging program, potentially compromising the PIN code. Specialized card readers are also less vulnerable to tampering with their software or hardware and thus may meet the requirement of EAL (Evaluation Assurance Level) 3 or greater.

The Current State of Use — Legal and Practical

Only if all of the following are taken care of will a digital signature actually be evidence of the sender of the message and, in consequence, of his approval of its contents.

Some public-key algorithms are known to be insecure, since practicable attacks against them have been published.

A faulty implementation of an algorithm or protocol will not be secure, however well designed the latter may be.


The private key must remain secret; if it eventually becomes known to another person, that person can produce perfect digital signatures of any text or data.

Distribution of public keys must be done in such a way that the public key claimed to belong to, say, a person, actually belongs to that person. This is mostly done by certification via a public key infrastructure, the public key/user association being attested by a certification authority.

Users (and their software) must carry out the signature protocol properly.

Enactments cannot change the reality of the existing engineering possibilities. Enactments (or proposed enactments) vary from place to place, having typically embodied expectations at variance with the state of the underlying cryptographic engineering. Adoption of technical standards for digital signatures has lagged behind much of the legislation, delaying a more or less unified engineering position on interoperability, algorithm choice, and key lengths.

In several countries, a digital signature has a status somewhat like that of a pen and paper signature. That means that digitally signing legally binds the signer of the document to the terms therein. For that reason, it is deemed necessary to use separate key pairs for encrypting and signing. Using the encryption key pair, a person can engage in an encrypted conversation, but the encryption does not legally sign every message he sends.

4 Academic Activities

4.1 Sixth and Seventh Framework Program

The 7th Framework Program (FP7, 2007-2013) has a strong ambition to continue the research activities of the 6th Framework Program (FP6, 2002-2006) and to promote the European science and technology areas by research activities carried out jointly between research organisations and enterprises in trans-national cooperation. Within FP7, the industry plays a strong role in defining industry-relevant topics for EU research support, i.e., the activities of enterprises in the EU are also strongly influenced by this research program. This program always contains new calls for security research strongly relevant for the area of cryptography including PKI technology.

The following activities are included in the objective of the research programme:

Development of technologies and knowledge needed to ensure the security of citizens from threats such as terrorism and crime, natural disasters and industrial accidents,

Ensuring optimal and concerted use of available and evolving technologies to the benefit of civil European security, and,

Stimulating the cooperation of providers and users for civil security solutions; improving the competitiveness of the European security industry and delivering mission-oriented results to reduce security gaps.

When looking for specific projects funded by FP6 and FP7 and strongly related to the migration plan of PKI, the EU project ECRYPT – a European network of excellence (funded by FP6) – is of special importance. At present, ECRYPT may be considered the leading EC opinion maker in scientific cryptology. The goal of ECRYPT is to translate high level requirements into key research issues and challenges for FP7 (2007-2013) and beyond. The main challenges are to integrate cryptology in ever shrinking devices (from sensor nodes over RFID to nano-scale devices) and to develop and further deploy advanced cryptographic techniques for secure computations and increased privacy.

In the view of ECRYPT, cryptology, as it matures as a scientific discipline, needs ongoing research, both in the area of foundations and in the area of applied cryptology. Firstly, the threats to the security of cryptosystems are likely to increase. This calls for monitoring of cryptanalytic methods in order to assess the security of deployed systems. Secondly, future developments present new challenging applications, which need to be addressed differently, e.g., by hybrid systems that employ bit-precise cryptographic techniques and fuzzy signal processing techniques such as watermarking and perceptual hashing.

ECRYPT was first set up for a period of 4 years, lasting from 2004 until 2008. Now the activities are continued by the follow-up project ECRYPT II funded by FP7.

4.2 Grants Work Program

Similar to 2007, the Enterprise and Industry Directorate General (DG) has published in its “Grants Work Program 2008”1 a set of specific current calls for proposals that shall ensure that EU policies contribute to the competitiveness of EU enterprises.

1 http://ec.europa.eu/enterprise/funding/files/themes_2008/grants_pgm.htm

The list of planned actions also contains the topic “Security”. One important aspect is to develop the technologies and knowledge for building capabilities needed to ensure the security of citizens from threats such as acts of terrorism and (organized) crime, natural disasters and industrial accidents while respecting fundamental human rights including privacy. This will also include activities regarding the European migration plan of PKI.

Furthermore, there also is a planned action for establishing an EU-JAPAN Centre for Industrial Cooperation.

4.3 EU Gateway to Japan

The third EU Gateway to Japan2 campaign (2002-2006) was already extended until June 2007 for eight sectors including the Information and Communication Technology sector. Now, the EU Gateway Programme (2008-2015) has been extended to include Korea, in order to support a broader European Union strategy to develop trade and investment with both Japan and Korea. The EU Gateway Programme now also provides more coaching and mentoring to EU companies with promising business plans.

4.4 IDABC

IDABC is a community programme of the Directorate-General for Informatics at the European Commission. IDABC issues recommendations, develops solutions and provides services that enable national and European administrations to make use of information and communication technology for cross-border services and to improve efficiency and collaboration between European public administrations.

Specific actions are performed in the area of eSignatures. Based on the existing EU Directive and the corresponding action plan [EU-APSig08], interoperability requirements for eGovernment applications and services are analysed. This also includes the classification of signature attributes like signature type, token type, document type or type of eGovernment application.

2 http://www.gatewaytojapan.org


Among currently funded research projects relevant for PKI migration, the project “eID Interoperability for PEGS”3 – running from 2005 until 2009 – is especially important. Within this project, 32 countries delivered a national eID scheme. However, only a few of the countries are planning to introduce an eID card with a signature function in a similar way as in Germany. (More information about the German eID card and some examples from other European countries are given in Chapter 6.)

4.5 Activities of ENISA

The European Network and Information Security Agency (ENISA) was set up to enhance the capability of the European Union, the EU Member States and the business community to prevent, address and respond to network and information security problems. In order to achieve this goal, ENISA is a Centre of Excellence in Network and Information Security and is stimulating the cooperation between the public and private sectors.

For 2008, an EU program was defined to remove network and information security-related barriers in the internal market. Two specific security-related topics within the 2008 work programme concern security competence circles for CERT communities and interoperable eIDs in Europe.

A key objective of the 2008 work programme was to build up synergies with other academic activities in Europe like FP7 and IDABC as described before. This also included the set-up of so-called Multi-annual Thematic Programmes (MTPs), which are now continued in the recently published work programme for 2009. Many documents describing the activities and work programmes of ENISA, as well as specific publications and deliverables, may be downloaded from the ENISA homepage4.

4.6 STORK

In connection with the formerly mentioned action plan for interoperability in e-signatures and e-identification, the pilot project STORK5 plays an important role. It is a large-scale pilot project, performed by a large consortium of over 20 partners (including governments) and co-funded by the EU.

3 http://ec.europa.eu/idabc/en/document/6484/5938
4 http://www.enisa.europa.eu/pages/01_03.htm, http://www.enisa.europa.eu/pages/05_01.htm
5 http://www.eid-stork.eu


One important goal of the STORK project is to develop common rules and specifications to assist mutual recognition of eIDs across national borders. Furthermore, tests of secure and easy-to-use eID solutions in real life environments will also be performed. The project is also going to interact with other EU initiatives to maximize the usefulness of eID services. It already shows influences on national eCard projects like the Austrian eCard system (see 6.3).

According to its action plan, the European Commission will decide on further necessary actions depending on the final results of the STORK project in 2012.

4.7 Failsafe and Algorithm Changeover

Security Suitability Policy

One promising approach to proving the suitability of cryptographic algorithms [Frye03] is being introduced by Fraunhofer SIT into international standardisation [Kunz08]; see also DSSC in 3.2. A technical solution for the periodic evaluation of security suitability is required, since algorithms become weak over the years. The draft specifies a data structure as an XML schema and an ASN.1 definition that enables an automated analysis of documents which contain information about recommended algorithms and key lengths as given in [SigAlg08]. Possible use cases are:

Long-term archiving: Signatures and time stamps have to be periodically renewed. Security Suitability Policies can support the verification of archived and re-signed documents.

Information services as regards suitability and obsolescence of algorithms. These services can be carried out by verification tools or archiving systems.

Signature services that create and verify signatures and use them in their protocols, e.g., CMS, XML or LDAP services.

Services for re-encryption.

The data structure contains the name of the policy, the issuer's address, the date of issue, the date of the next update, information about the evaluated algorithms and a signature that protects the integrity and authenticity of the policy. This information can be used, e.g., to check the suitability of an algorithm at a certain point of time or to search for a suitable algorithm.
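The suitability rules described for DSSC in 3.2 and the long-term archiving use case above can be expressed in code. The following Python sketch is an added example and not the DSSC draft's ASN.1/XML structure or Fraunhofer SIT code; it models a policy as evaluated entries (OID, minimum parameter values, predicted validity end), looks an algorithm up together with its parameters, and checks that a chain of signatures and time stamps was renewed before the weakest algorithm of each link expired. The OIDs are the standard ones for RSA, SHA-1 and SHA-256; the policy dates, the issuer and the chain are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Sequence, Tuple


@dataclass
class AlgorithmEntry:
    """One evaluated algorithm: OID, minimum parameter values, predicted validity end."""
    oid: str
    min_params: Dict[str, int]         # e.g. {"modulusLength": 2048}; {} if parameterless
    valid_until: date                  # last day the algorithm is predicted to be suitable
    valid_from: Optional[date] = None  # None: assumed to have been suitable in the past


@dataclass
class SuitabilityPolicy:
    """Policy metadata plus all evaluated algorithms, expired ones included. The
    policy's own signature is assumed to have been verified before it is used."""
    name: str
    issuer: str
    issued: date
    next_update: date
    algorithms: Sequence[AlgorithmEntry]

    def entry_for(self, oid: str, params: Dict[str, int]) -> Optional[AlgorithmEntry]:
        """Most specific entry whose minimum parameters the given ones satisfy, so that
        RSA-1024 and RSA-2048 are looked up as different algorithms."""
        matching = [e for e in self.algorithms if e.oid == oid and
                    all(params.get(k, -1) >= v for k, v in e.min_params.items())]
        if not matching:
            return None
        return max(matching, key=lambda e: sorted(e.min_params.items()))

    def suitable_until(self, oid: str, params: Dict[str, int], at: date) -> Optional[date]:
        """Validity end if the algorithm is suitable at `at`, otherwise None."""
        e = self.entry_for(oid, params)
        if e is None or at > e.valid_until or (e.valid_from and at < e.valid_from):
            return None
        return e.valid_until


@dataclass
class Link:
    """A signature or time stamp in a preservation chain: creation date, (OID, parameters) used."""
    created: date
    algorithms: Tuple[Tuple[str, Dict[str, int]], ...]


def check_chain(policy: SuitabilityPolicy, chain: Sequence[Link], today: date) -> Tuple[bool, str]:
    """Every link must use algorithms suitable on its creation date, every renewal must be
    applied before the weakest algorithm of the previous link expires, and the newest
    link must still be suitable today."""
    if today > policy.next_update:
        return False, f"policy {policy.name} is stale since {policy.next_update}; fetch its successor"
    if not chain:
        return False, "empty chain"
    deadline: Optional[date] = None   # date by which the next renewal had to be in place
    for i, link in enumerate(chain):
        if deadline is not None and link.created > deadline:
            return False, f"link {i} created {link.created}, after link {i - 1} expired on {deadline}"
        ends = [policy.suitable_until(oid, p, link.created) for oid, p in link.algorithms]
        if None in ends:
            return False, f"link {i} used an algorithm not suitable on {link.created}"
        deadline = min(ends)
    if deadline < today:
        return False, f"newest link expired on {deadline}; renewal is overdue"
    return True, f"chain preserved; next renewal due by {deadline}"


# Standard OIDs for RSA, SHA-1 and SHA-256; the policy below is constructed for this example.
RSA = "1.2.840.113549.1.1.1"
SHA1 = "1.3.14.3.2.26"
SHA256 = "2.16.840.1.101.3.4.2.1"

POLICY = SuitabilityPolicy(
    name="example-policy-2008", issuer="policy issuer (constructed)",
    issued=date(2008, 6, 1), next_update=date(2009, 6, 1),
    algorithms=(
        AlgorithmEntry(SHA1, {}, date(2009, 12, 31)),
        AlgorithmEntry(SHA256, {}, date(2015, 12, 31)),
        AlgorithmEntry(RSA, {"modulusLength": 1024}, date(2007, 12, 31)),
        AlgorithmEntry(RSA, {"modulusLength": 2048}, date(2015, 12, 31)),
    ),
)

# Constructed chain: a 2005 signature (SHA-1, RSA-1024) later protected by a time stamp
OLD_SIGNATURE = Link(date(2005, 3, 1), ((SHA1, {}), (RSA, {"modulusLength": 1024})))
RENEWAL_2007 = Link(date(2007, 6, 1), ((SHA256, {}), (RSA, {"modulusLength": 2048})))
RENEWAL_2008 = Link(date(2008, 2, 1), ((SHA256, {}), (RSA, {"modulusLength": 2048})))


def preserved_in_time() -> Tuple[bool, str]:
    return check_chain(POLICY, (OLD_SIGNATURE, RENEWAL_2007), today=date(2009, 3, 1))


def renewed_too_late() -> Tuple[bool, str]:
    # RSA-1024 expired on 2007-12-31 under this policy, so a renewal in 2008 is too late
    return check_chain(POLICY, (OLD_SIGNATURE, RENEWAL_2008), today=date(2009, 3, 1))
```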

PKI Failsafe


A failsafe concept for public key infrastructures is published in [Maseberg02]. The concept takes into account that more and more governments, companies and customers use PKI technology and trust in the security it provides, although PKIs carry risks. On the one hand, the mathematical problems on whose hardness public key cryptography depends are not provably hard; on the other hand, failures in implementations may happen. A mechanism to restore the security of an infrastructure is to revoke the damaged areas. Depending on its extent, a breakdown would restrict the functionality of the PKI, with costly consequences for business and society. To maintain the PKI, new components would have to be developed, produced, distributed and installed, which would cost time and money. Furthermore, a failure would imply the loss of the provability of digital signatures and of the confidence in sensitive data. The developed failsafe concept proposes a solution to the following problems:

Loss of provability of electronic signatures, which has an impact on the legal equality of electronic signatures and handwritten signatures,

Loss of confidentiality of highly sensitive data to be transmitted in a protected mode,

Loss of feasible and legally binding revocation mechanisms, and

Loss of availability of PKI applications, when certificates are revoked because of damage and the secure communication with affected certificate holders is interrupted.

The concept includes the following four components: multiple cryptographic mechanisms integrated into a single PKI, which has the possibility of dynamic update, multiple electronic signatures, extended revocation mechanisms, and iterative encryption. The failsafe concept is compliant with existing standards, the German Signature Law and existing PKIs which have not implemented any failsafe concept. A proof of concept has been achieved by implementing a corresponding update management protocol, an extended timestamp protocol as well as an extended certificate status protocol as part of the PKI of the TU Darmstadt.

PKI Disaster Recovery and Key Rollover

PKI disaster recovery and key rollover are essential for executing disaster recovery plans in case of a private key compromise or a private key loss. This may happen to end-entity keys, certification authorities, revocation authorities, attribute authorities, or time-stamping authorities. Since certificates have finite validity, CA key rollover should be planned in advance. A useful framework has been defined [PKIX PkiRec07] in order to assist the writers of policy or practice statements and the designers of a PKI to prepare appropriate disaster recovery plans. This framework provides a comprehensive list of potential key-compromise or key-loss conditions that, in the opinion of the authors, should be addressed so that it is possible to quickly recover from exceptional situations. Unfortunately, the draft has expired and has been deleted from the Internet-Drafts directory without being published as an RFC.

A key may be compromised while the corresponding certificate and all higher-level certificates are still valid. However, the key compromise may also occur after the certificate has expired, which is relevant for long-term archiving. CAs are not obliged to provide revocation information beyond the validity period of the certificate, i.e., usually no such information is available in the CRLs or via OCSP later on. Therefore, it is recommended to restrict the useful life of the private key and to provide electronic signatures with time stamps. With these measures, the signature key needs to be protected only within the validity period of the certificate. Thereafter, only the time stamp must be protected against attacks, i.e., time stamping makes it possible for signatures based on a short key length to remain effective over a long period.

Two mechanisms can be used to protect the decryption key of encrypted data: the private key may be deposited with a trusted third party (key escrow), or key recovery may be used. With the first measure, a copy of the key is retrieved from the escrow without revoking the certificate. In the case of key recovery, however, a new key pair and a new certificate must be generated.

4.8 Further Academic Activities in Germany

In Germany, there exist some further working groups doing academic work in the PKI sector. These working groups are either established at universities or research institutions, or consist of members coming from different institutions. The following two are especially worth mentioning:

Activities of Provet

Regarding national academic activities in Germany, the Provet group (“Projektgruppe verfassungsverträgliche Technikgestaltung e.V.”), associated with the faculty of law of the University of Kassel, plays an important role. The activities of Provet basically cover legal aspects of impact assessment, design and evaluation of information and communication technologies. This also includes new applications and corresponding requirements for PKI. One recent important application is the planned German eID card (see also 6.1 for further details).

Activities of TeleTrusT


TeleTrusT Deutschland e.V. (TTT)6 is a “Non-profit Organisation for the Promotion of Trustworthiness of Information and Communication Technology”. Its members include enterprises, product vendors, research institutions as well as other public institutions.

TTT has many working groups dealing with different topics of IT security. Besides the development of new secure PKI technologies, it is also important to develop interfaces that facilitate the integration of PKI into existing applications. This is the major objective of the TTT working group "PKI Reference Project", which is currently defining a service-oriented interface for this purpose, including effective central management of key generation and key backup.

4.9 Mathematical Research Areas

In this section we take a closer look at specific mathematical research areas that may be relevant to the PKI migration plan. As already mentioned in the discussion of FP6 and FP7, the activities in the academic sector in the EU are clearly dominated by ECRYPT. Among other publications, the available reports of this EU project are the major sources for the mathematical results discussed here.

The main challenges are the following:

Long-term security is needed for many applications. Cryptosystems considered robust at one time have been broken, e.g., some of the hash functions developed in the 1990s. In the long run, quantum computers of practical use could be built; this would require an upgrade (essentially longer keys) of most symmetric cryptographic algorithms and a completely new generation of public-key algorithms (RSA and discrete-logarithm-based systems, including ECC and HECC, would become obsolete). More generally, a revival of the analogue computer can be expected, e.g., using optical phenomena.

Provable security has been successful in developing security models based on a finite set of assumptions. However, proofs become increasingly complex in real-life situations: many protocols have a security definition of several pages and hand-written security proofs of dozens of pages. This is error-prone, and new automated techniques are required to assist with such proofs.

Even if theoretically sound cryptographic algorithms and protocols are available at the specification level, faults may still creep in at the implementation level. In addition to the direct communication channels considered in the design, attackers may exploit side channels that accidentally leak sensitive information; these channels include timing information, power consumption and electromagnetic radiation.

⁶ http://www.teletrust.de - complete and current information is presently available in German only; the English website is still under construction.

Privacy is increasingly at risk because of the proliferation of electronic sensing, location-based services, growing storage capacity and communication mechanisms, and data mining technologies. Advances in technology make privacy violations much easier, while protecting privacy remains a thorny problem. It is generally agreed that a sound level of privacy is essential for a democracy.

Now we want to have a closer look at the different mathematical aspects regarding PKI cryptography and the corresponding statements made by European research, primarily by ECRYPT.

Hash Functions

Hash functions are applied as a preparatory step before signature operations in PKI technology; an appropriate redesign of hash functions therefore also belongs to a proper PKI migration plan. The state of the art in hash function design lags somewhat behind that of block cipher design, and yet hash functions are widely deployed in many important cryptographic applications. There is much need for formalisation of the properties of hash functions, which are often used in places and ways their designers did not envision. It is therefore important to decide which properties are needed in a given application, e.g., collision resistance or one-wayness (preimage resistance), as well as other properties such as partial preimage resistance and pseudo-randomness.

Regarding collision attacks, ECRYPT made recommendations in a 2005 position paper [EC CollAtt]. At that time it was already obvious that hash functions with a simple message schedule, such as those derived from the MD4 construction, are at risk in real-life implementations, and that more complex hash functions such as those listed in [FIPS180-2] are needed. In 2007, the cryptology group at CWI published joint considerations on collisions for MD5 hash values and for X.509 certificates [CWI_EUCR07].

SHA-1 is no longer considered secure since the collision results published in [Wang05]. The paper describes collision search attacks on SHA-1 with a complexity of less than 2^69 hash operations. This was the first attack on the full 80-step SHA-1 with complexity below the theoretical bound of 2^80. Wang claimed in 2005 to have improved the attack to 2^63 hash operations; this result is unpublished. At the CRYPTO 2006 conference a further serious attack against SHA-1 was presented, which may have practical impact: part of the forged message (currently up to 25%) can be chosen freely, in contrast to earlier collision attacks that produced so-called hash twins, pairs of messages differing only in meaningless scrambled bytes, which could easily be recognised as such. A research group at Graz University of Technology (Austria) is searching for SHA-1 collisions via distributed computing and has claimed an attack with 2^60 hash operations; this result has not been published but is advertised on the project web site⁷. Other recent results on SHA-1 include preimages for reduced versions [Canniere08] and collisions for 70-step versions [Canniere07]⁸.

In response to the emerging attacks on SHA-1, NIST and authoritative European information security offices, e.g., the German BSI (see 5.3), recommend migrating from SHA-1 to the hash functions of the SHA-2 family (SHA-224, SHA-256, SHA-384, SHA-512). In the long term these are to be complemented by a new standard, SHA-3, for which NIST has called for submissions of newly designed hash algorithms and scheduled the final selection and specification for 2012.

Currently, there is considerable effort in providing a greater understanding of the design principles available for hash functions. These might include different modes of operations, in contrast to the widely used Merkle-Damgård design, or an extension of the security notion for such a design approach, i.e., identifying the properties of the underlying compression functions required for secure hash functions. Undoubtedly, there will be considerable effort in the design of new hash functions. New ideas are expected in the design of compression functions. This will go hand-in-hand with the evaluation of existing designs and recent proposals. Unfortunately, regarding recent proposals, one cannot be sure of the security they offer. This will hamper their use in practical applications. One future strand of research is that of building symmetric algorithms with some element of provable security. This requires finding suitable hard problems on which to base hash functions, perhaps including those already studied within asymmetric cryptography.

Compromising RSA-1024

No real success in factoring an RSA-1024 modulus has been achieved so far, but there have been many relevant academic activities in recent years. A good overview can be found on the web site of an MIT research group⁹. Furthermore, the ECRYPT reports¹⁰ reflect the academic community's view of the impact of this research.

⁷ http://boinc.iaik.tugraz.at
⁸ http://www.cosic.esat.kuleuven.be/publications/retrieve.php?author=cdecanni
⁹ http://people.csail.mit.edu/tromer/cryptodev


Relevant works placed the bottleneck at the sieving step of the Number Field Sieve. Several papers published in 2003, e.g., [Shamir03] and [Lenstra03], showed that factoring 1024-bit integers is no longer out of reach. The special-purpose device design proposed there increases efficiency by many orders of magnitude and, although hypothetical, might allow a 1024-bit RSA key to be broken in one year by investing only about $10M in hardware for the sieving and matrix steps. The open community has not yet invested the predicted amount to realise the suggested design, but rather runs software on PC clusters. In 2005, a parallelised lattice sieving device was proposed in [Franke05] that was estimated to complete the sieving step of the General Number Field Sieve (GNFS) for a 1024-bit number in one year. Its architecture is modular and consists of small ASICs connected by a specialised butterfly transport system.

An important milestone was reached in 2007 with the published factorisation of an integer longer than 1024 bits (the Mersenne number 2^1039 - 1) using the special number field sieve [Aoki07]. Although this factorisation is orders of magnitude easier than that of a 1024-bit RSA modulus is believed to be, the methods used to obtain the result shed new light on the feasibility of the latter computation.

Different Asymmetric Techniques

RSA is the oldest and best-known public-key encryption and signature scheme; later, other techniques such as ElGamal and ECC methods emerged. Within ECRYPT, the AZTEC virtual lab has studied alternative methods and their variants extensively [EC DAZTEC2], [EC DAZTEC7]. In AZTEC's view, RSA as well as systems designed around the discrete logarithm problem (DLP) in the multiplicative group of a finite field, such as the original ElGamal cryptosystem, started to age quite soon. The main reason has been the tremendous progress in integer factoring methods and, because of the similarities of some of the techniques involved, in solving the DLP in finite fields. In fact, few computational problems have seen successes as spectacular as those in integer factorisation.

ECC and HECC are just two specific types of curve-based systems; however, ECRYPT did not identify any advantage, regarding speed or security, in generalising to other types.

Lattice-based cryptosystems, as far as considered by ECRYPT, are not yet seen as really secure and practical cryptographic techniques. Only the NTRU cryptosystem, which can be viewed as a lattice-based cryptosystem in disguise, would be one of the few cryptosystems to survive quantum computation.

¹⁰ http://www.ecrypt.eu.org/ecrypt1/documents.html


A big advantage is seen in the use of homomorphic schemes combining the trapdoor property of RSA with the homomorphic property of ElGamal.

Furthermore, ECRYPT points out the advantages of so-called identity-based public-key encryption schemes. Here the problem of distributing public keys is avoided by deriving the public key from some known aspect of the user's identity (for example, the e-mail address). To obtain their secret keys, users instead rely on a trusted key generator (TKG) which, after authenticating a user, releases the secret key associated with the user's identity. The main advantage of identity-based encryption is that it dispenses with an authenticated public-key directory; this is replaced by a directory containing the public parameters of the trusted parties. Since the number of TKGs is expected to be substantially smaller than the number of users, such a directory is easier to maintain. The price is that the TKG knows every user's secret key, i.e., key escrow is built into the scheme.

Cryptographic Hardness Assumptions

In general, the asymmetric cryptographic schemes and protocols used today assume that certain specific mathematical problems are hard to solve [EC DAZTEC6]. Most schemes are based on the difficulty of factoring composites or of computing discrete logarithms. These hardness assumptions were introduced almost thirty years ago, and there is very little direct evidence for their soundness: they are not directly verifiable by first-hand methods, but only supported indirectly by the absence of successful methods to break them. Cryptographic research has recently also introduced many variations of these problems, in particular new assumptions related to the discrete logarithm problem in elliptic curve groups. How secure are these assumptions? What are the relations between the newly introduced variations and the established hardness assumptions? Research into assessing the hardness of these problems seems to have almost stopped. Algorithms for solving both the new and the established hard problems should therefore be investigated more intensively. Where necessary, new hardness assumptions should be introduced in order to simplify the landscape of security proofs for cryptographic protocols.

At present, public key algorithms focus on the two problems of factoring large numbers or solving discrete logarithms in finite groups. This implies that any breakthrough in quantum computing would lead to a break of most systems used today. To have more variety here, new approaches, such as lattice based techniques (e.g., NTRU), schemes based on codes (e.g., McEliece), schemes based on multivariate quadratic polynomials (e.g., HFE), and schemes based on hash functions need to be investigated.

Apart from evaluating these schemes, we also need to look into new problems, or into how already known problems can be used for new applications. One example would be a secure encryption scheme based on multivariate schemes, or new cryptographic algorithms based on error-correcting codes. A related topic for future research is the exploitation of new mathematical structures for cryptography; pairings on elliptic curves, for example, have been widely used, and there may be other structures that open new frontiers of research, perhaps including mathematical systems that are secure against quantum computers. The ultimate goal of this work is the elimination of hardness assumptions from cryptography and the construction of practical cryptographic protocols that do not rely on assumptions that are hard to verify; this goal may, however, be elusive.

Provable Security

ECRYPT, specifically its AZTEC virtual lab, also addresses the problem of provable security [EC DAZTEC5]. The problem needs to be considered from different viewpoints. When specifying security definitions for a protocol, one has to distinguish adversarial goals from adversarial models. The adversary's goal captures what it means to break the protocol, while the model describes what powers the adversary has at its disposal when trying to achieve that goal. (For digital signatures, adversarial goals correspond to the attack results and adversarial models to the attack models described in section 3.3 of part II of our study.) Cryptographic hardness assumptions (as described above) are just one important aspect of provable security. The security of cryptographic techniques also depends on the key agreement schemes used; several schemes have been analysed and still show unresolved problems regarding their proofs of security. It is also important to consider provable security together with other desired properties of cryptographic techniques, such as reduced size or running time. A useful model for proving the security of a cryptographic scheme is the random oracle model (see below).

Random Oracle Model

The random oracle model is a simplified model in which one can analyze the security of a cryptographic scheme. It is known that there are schemes that are secure in the random oracle model and insecure in practice, but these schemes seem all to be artificial. Furthermore, there are very efficient schemes that can only be proven secure in the random oracle model. In the years to come, ECRYPT expects more research on the similarities and differences between the standard (real world) model and the random oracle model.

In this context it is worth mentioning that the cryptology group at CWI recently studied methods for deterministic public-key encryption without random oracles, which pursue goals similar to those of the random oracle model studied by ECRYPT [CWI_Crypt08].

Pairings in Cryptography


Recently, pairings (bilinear maps) available on certain types of elliptic curves have been used to create new types of cryptosystems and to provide functionality that was not possible before. Within the BCRYPT project (see part II of our study for further details), a dedicated workshop on elliptic curve cryptography was held that also covered pairings [BCRYPT Ver08]. It is, however, not yet clear how best to implement pairings in new products. In the near future ECRYPT expects research to concentrate on techniques for implementing pairings in practice. It is also important to assess whether the resulting cryptosystems should be considered secure, since pairing-based schemes have introduced new computational problems that have not previously been studied.

Advanced applications of asymmetric primitives

In recent years, the use of pairings in cryptography resulted in a number of interesting new primitives, which have been used to solve several important open problems. Thus, it is reasonable to imagine that the study of such primitives can help to solve other important open problems and/or to build new useful tools for emerging applications. These tools will form the new building blocks.

Tool-supported Security Proofs

Security- and safety-critical systems are increasingly verified through automated tools, both in theory and in practice. Given the lack of universally composable protocols for very basic functionalities, assessing the security of large cryptographic protocols designed by putting together simpler building blocks is a complex task. Some seemingly correct protocols for simple tasks like exchanging a secret key using public keys have turned out to be insecure when considered in a larger context. Hence it is essential to be able to formally prove their security, ideally through tool-supported formal verification methods. Cryptography provides precise and realistic definitions of the security of cryptographic primitives and protocols. However, such definitions are long and difficult to grasp because they are full of details. They typically consider all possible attacks that an adversary might carry out, place a computational restriction on the adversary, and the resulting properties may fail with some small error probability. Consequently, these models are not easily amenable to formal analysis, and many proofs have remained rather sketchy.

Formal methods, on the other hand, have well-defined protocol languages, which support a systematic presentation of protocols and properties. Most importantly, they provide tool support for proofs, such as model checking or theorem proving. Tools are particularly useful for distributed protocols, which are tedious and error-prone if proved by hand. Hence it is natural to apply formal methods also to distributed cryptographic protocols.


In order to apply verification tools to cryptographic protocols, however, the cryptographic primitives have to be expressed symbolically, hiding the complexity inherent in the cryptographic models. This approach is known as the Dolev-Yao model, which represents cryptographic objects as terms rather than bit strings. However, such symbolic composition rules cannot blindly be applied to most cryptographic primitives.

The required work is three-fold: First, a suitable model for expressing cryptographic protocols abstractly has to be defined and agreed upon. Second, a library of cryptographic primitives has to be expressed in the model, which is not trivial because the right tradeoffs between desirable “universal” composability of symbolic notions and the need to implement them using existing cryptographic security notions has yet to be determined. And last but not least, suitable formal verification tools have to be developed or adapted to support the flexible composition of symbolically expressed cryptographic protocols.

As a prerequisite, it still has to be proven that these abstract primitives can be realised in the cryptographic computational models. As such proofs are error-prone and tedious, formal techniques can be very useful here too.

Privacy-Preserving Online Interactions

ECRYPT envisions that individuals will be able to interact in the information society in a secure and safe way while retaining control over their privacy. While a fair number of privacy-enhancing technologies already exist that allow one to build identity management systems coming surprisingly close to realising this vision, there are still considerable gaps between these technologies, and whole areas where privacy-respecting solutions are completely missing. Indeed, the field of privacy-enhancing identity management is still relatively young and many challenging problems await solutions. From the current public debate one might sometimes conclude that people do not care about privacy: current electronic payment systems have little or no privacy protection, and people seem to accept this state of affairs. However, as soon as the threat becomes tangible, as with RFID tags, people react very strongly to what they see as a possible invasion of privacy. These problems will persist as pervasive computing develops. Hence it will be important to develop solutions that are satisfactory from a privacy point of view and sufficiently light-weight to fit into a pervasive computing environment. Research should not only develop new solutions, but also influence public opinion and policy by formulating the requirements for future privacy standards. This will make it possible to judge new products from a privacy perspective, as has already happened with RFID tags and electronic passports.

Secure Protocols in Economic Contexts


The construction of secure protocols strongly depends on available secure cryptography. A classical result says that any function of private data can be computed in a secure and distributed manner. Recently, this has attracted the interest of economists. The most direct example of this situation is the case of an auction. Such cryptographic protocols are usually analyzed under the assumption that an adversary may attack the protocol in any way possible, and that his only goal is to make the system malfunction. But in economics and game-theoretic models, players want to optimize their pay-off rather than make a protocol fail. Put another way: they show rational, rather than adversarial behaviour.

This situation poses two challenges to cryptographers.

The first is to design efficient protocols for secure implementations of auctions, cost sharing mechanisms and other important multiparty decision protocols of interest to economists. Economists design their protocols so that a certain solution concept (e.g., Nash equilibrium, truthfulness with respect to dominant strategies, etc.) is guaranteed. A straightforward application of known secure function evaluation protocols does not guarantee that, for example, the resulting secure protocol has the same equilibria as the non-secure one; it would then be useless, as all its economic (i.e., game-theoretic) properties are lost.

The second is to propose a model for describing the behaviour of agents motivated by economic incentives. Rational cryptographic protocols differ from ordinary cryptographic protocols through the motivation and actions of their participants. The typical models for cryptographic protocols divide the participants into two sets: those that behave exactly according to their specification (they are "honest") and those that may behave arbitrarily (they are "malicious"). It has been observed that this bimodal behaviour is not always representative of reality. The concept of rational behaviour used in economics assumes that every participant simply maximises his own pay-off according to his individual pay-off function. Hence, rational protocols allow for a generalised and more refined treatment of adversarial actions and blur the distinction between "honest" and "malicious" participants. On the other hand, most of the existing literature in economics assumes that participants act independently and do not collude against others; this is a strong restriction that is usually not imposed on the "malicious" participants of cryptographic protocols.

Post Quantum-Computing Protocols

The security of most asymmetric cryptographic protocols in use today could easily be broken as soon as large quantum computers become available. This would present a serious challenge for open networks (for which quantum cryptography is not a solution either). A PKI migration plan needs to prepare for this situation. Alternatives can be found in cryptosystems based on different computational hardness assumptions, in exploiting physical assumptions for implementing secure protocols, and, turning the weapon into a tool, in exploiting quantum information processing. Several alternative models for cryptography can be studied in this context; for cryptology based on alternative physical models, one could explore protocols based on noisy channels or on laws weaker than quantum mechanics (such as no-signalling).

Several IT research groups at the Technical University of Darmstadt, in cooperation with the spin-off company FlexSecure, are working on long-term secure signature algorithms and quantum-computer resistant cryptographic methods [Buchmann08], [Bernstein08] that are not based on algebraic number theory. The research is supported by the German BSI. The Merkle signature scheme is one of the investigated candidates for quantum-computer resistant signatures. Its security rests entirely on the security of the hash function used. Since that hash function can be exchanged, and since every practical signature scheme already relies on a hash function to map a long message one-way onto a short value, the method remains secure as long as secure hash functions are available. Because each one-time signature key pair must not be used for more than one signature, a hierarchy of hash trees (Merkle trees) is constructed over many one-time public keys; the root is the long-term public key, and the part of the tree needed to link the one-time key used to that root (the authentication path) is sent along with each signature. Research focuses on reducing computation times, key and signature sizes, and on preventing side-channel attacks. The McEliece algorithm is a promising method for quantum-computer resistant encryption [Strenzke08]. It is based on error-correcting codes and has been optimised to a public key size of about 100 KB and a private key size of 4-140 KB, with encryption and decryption times in the range of milliseconds. Further research is needed on timing attacks and on efficient operations with vectors, matrices, permutations and polynomials.
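As an added illustration of the Merkle construction described above (example code written for this edition, not the TU Darmstadt/FlexSecure implementation), the following Python builds a Merkle signature scheme from a simplified Winternitz one-time signature (WOTS) over SHA-256. It assumes a secret master seed from which the one-time keys are derived, omits the bitmasks and keyed hashing of WOTS+ that a production scheme would use, uses a single tree rather than the hierarchy of trees mentioned in the text, and the sample message is constructed.

```python
"""Added example: Merkle signature scheme from Winternitz one-time signatures.
Illustrative code, not a production implementation; see the lead-in."""
import hashlib
import os
from typing import List, Optional, Tuple

W = 16            # Winternitz parameter: one hash chain per 4-bit digit of the digest
L1 = 64           # digits of a 256-bit SHA-256 digest
L2 = 3            # checksum digits; the checksum is at most 64 * 15 = 960 < 16**3
L = L1 + L2       # chains per one-time key


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def chain(x: bytes, steps: int) -> bytes:
    """Apply H repeatedly: the signer walks part of the chain, the verifier the rest."""
    for _ in range(steps):
        x = H(x)
    return x


def digits(msg: bytes) -> List[int]:
    """Base-16 digits of SHA-256(msg) plus a checksum. The checksum prevents a forger
    from raising a digit (walking a chain further) without lowering another one,
    which would require inverting H."""
    d = []
    for byte in hashlib.sha256(msg).digest():
        d += [byte >> 4, byte & 0xF]
    c = sum(W - 1 - x for x in d)
    return d + [(c >> 8) & 0xF, (c >> 4) & 0xF, c & 0xF]


def ots_secret(seed: bytes, leaf: int) -> List[bytes]:
    # One-time secret key for a leaf, derived from the master seed (assumption of this example).
    return [H(b"sk", seed, leaf.to_bytes(4, "big"), i.to_bytes(4, "big")) for i in range(L)]


def ots_public(sk: List[bytes]) -> bytes:
    return H(*[chain(s, W - 1) for s in sk])


def ots_sign(sk: List[bytes], msg: bytes) -> List[bytes]:
    return [chain(s, d) for s, d in zip(sk, digits(msg))]


def ots_public_from_signature(sig: List[bytes], msg: bytes) -> bytes:
    return H(*[chain(s, W - 1 - d) for s, d in zip(sig, digits(msg))])


def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    """All levels of the hash tree: levels[0] are the leaves, levels[-1] == [root]."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels


def auth_path(levels: List[List[bytes]], idx: int) -> List[bytes]:
    """Sibling hashes from leaf idx up to, but excluding, the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[idx ^ 1])
        idx >>= 1
    return path


def root_from_path(leaf: bytes, idx: int, path: List[bytes]) -> bytes:
    node = leaf
    for sibling in path:
        node = H(node, sibling) if idx % 2 == 0 else H(sibling, node)
        idx >>= 1
    return node


class MerkleSigner:
    """Long-term public key = root of a hash tree over 2**height one-time public keys."""

    def __init__(self, height: int, seed: Optional[bytes] = None):
        self.seed = seed if seed is not None else os.urandom(32)
        self.height = height
        self.secrets = [ots_secret(self.seed, i) for i in range(1 << height)]
        self.levels = build_tree([ots_public(sk) for sk in self.secrets])
        self.public_key = self.levels[-1][0]
        self.next_index = 0   # signer state: a one-time key must never be used twice

    def sign(self, msg: bytes) -> Tuple[int, List[bytes], List[bytes]]:
        if self.next_index >= (1 << self.height):
            raise RuntimeError("all one-time keys used; a new tree (new public key) is needed")
        idx = self.next_index
        self.next_index += 1
        return idx, ots_sign(self.secrets[idx], msg), auth_path(self.levels, idx)


def verify(public_key: bytes, msg: bytes, signature: Tuple[int, List[bytes], List[bytes]]) -> bool:
    idx, ots_sig, path = signature
    if len(ots_sig) != L or idx < 0 or idx >= (1 << len(path)):
        return False
    leaf = ots_public_from_signature(ots_sig, msg)   # recompute the one-time public key
    return root_from_path(leaf, idx, path) == public_key


if __name__ == "__main__":
    signer = MerkleSigner(height=4)
    msg = b"constructed sample message"
    sig = signer.sign(msg)
    print("signature hashes:", len(sig[1]) + len(sig[2]), "valid:", verify(signer.public_key, msg, sig))
```

For a tree of height h a signature consists of 67 + h hash values and the public key of a single hash; the security-critical piece of state is next_index, which the signer must persist, because signing two different messages with the same one-time key reveals enough chain values to forge.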

5 National Policies and Activities in the Public Sector

This chapter describes examples of national policies and activities related to the migration plan for PKI, focusing primarily on Germany and completed by examples from the neighbouring countries Austria, France, Norway and the United Kingdom. Only few EU member states maintain their own official catalogue of suitable algorithms and key lengths; at present only Germany and France do. The United Kingdom aligns its national activities with the corresponding NIST guidelines.


5.1 Austria

Signature Act and eGovernment Act

In Austria, two federal acts are relevant for PKI applications: the Federal Act on Electronic Signatures (transposing the EU Directive mentioned above) and the Federal Act on eGovernment. Both were revised in 2008.

The latest amendment of the Signature Act adapted it to the EU terms of "advanced" and "qualified" signatures and secure signature creation devices, and also allows the creation of signatures by legal persons. Qualified certificates for qualified signatures may, however, only be issued to natural persons.

The Austrian eGovernment Act was created to facilitate (and eventually mandate) electronic communication with public authorities. It builds on the Austrian Signature Act as well as on the European signature regulations. One recent amendment defines a new procedure for activating the signature cards of foreign nationals via online forms. The eGovernment Act is an important foundation for the current eCard strategy in Austria (see the next chapter for further details).

5.2 France

Activities of Juriscom.net

Regarding migration plans and policies for PKI in France, the Juriscom.net association¹¹ is worth mentioning. It is an academic association of students and staff of French universities whose activities concentrate on the legal aspects of information technology; many articles on different topics have been published. Although Juriscom.net is neither a legislative nor a law enforcement body, its activities are relevant national activities to be considered for a European migration plan for PKI.

Activities of the Central Information Systems Security Division

The Central Information Systems Security Division (DCSSI) is under the authority of the General Secretariat for National Defence. The DCSSI acts as the national regulatory authority for information systems security by issuing approvals, guarantees and certificates for national information systems and for cryptographic processes and products used by public bodies and services, and by supervising the security evaluation centres. The DCSSI recommends the algorithms and key lengths¹² shown in Table 1. This is the first (public) level of DCSSI recommendations, which contributes to the definition and expression of French government policy on information systems security; the second and third levels contain classified information that will not be released.

¹¹ http://www.juriscom.net

Table 1 DCSSI recommended Algorithms and Key Lengths (2007); all sizes in bits

                  Sym.   Integer   DL GF(p)       DL GF(2^n)     Elliptic Curve    Hash
Year                     Fact.     q      p       q      p       GF(p)  GF(2^n)
2009-2010          80    1536      160    1536    160    2048    160    160        160
2011-2020         100    2048      256    2048    256    2048    256    256        256
> 2020            100    4096      256    4096    256    4096    256    256        256
Advised minimum   128    2048      256    2048    -      -       -      -          -

All key sizes in Table 1 are minimum sizes for security. The following rules are given for symmetric schemes: 64 bits is the minimum block length for block ciphers (128 bits advised); block ciphers are recommended over stream ciphers; AES-CBC according to FIPS 197 is recommended for symmetric encryption and AES-CBC-MAC ("retail" variant) for authentication and integrity.

For RSA, RSAES-OAEP according to PKCS#1 v2.1 is required for encryption and RSASSA-PSS according to PKCS#1 v2.1 for signatures. Public exponents must be strictly greater than 2^16 = 65536 (so the common value 65537 is the smallest permitted), and secret exponents must have the same length as the modulus. For elliptic curves, ECDSA is prescribed with the curves P-256, P-384 and P-521 over GF(p) or B-283, B-409 and B-571 over GF(2^n) according to FIPS 186-2. The recommended hash algorithm is SHA-256 according to FIPS 180-2.
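An added example, not taken from the DCSSI document or from this report: a checker that applies the minimum sizes of Table 1 and the RSA, elliptic curve and symmetric rules quoted above to constructed key descriptions. The thresholds are transcribed from the table; the dictionary-based key description and the hash and curve name tables are assumptions of this example.

```python
"""Added example: checking key parameters against the DCSSI table and rules."""
from typing import Dict, List

# Minimum sizes in bits per period, columns as in Table 1 (the "advised minimum"
# row is not a rule and is not encoded here).
DCSSI_MINIMUM = {
    (2009, 2010): dict(sym=80, rsa_n=1536, dl_q=160, dl_p_gfp=1536, dl_p_gf2n=2048, ec=160, hash=160),
    (2011, 2020): dict(sym=100, rsa_n=2048, dl_q=256, dl_p_gfp=2048, dl_p_gf2n=2048, ec=256, hash=256),
    (2021, 9999): dict(sym=100, rsa_n=4096, dl_q=256, dl_p_gfp=4096, dl_p_gf2n=4096, ec=256, hash=256),
}
HASH_BITS = {"MD5": 128, "SHA-1": 160, "SHA-224": 224, "SHA-256": 256, "SHA-384": 384, "SHA-512": 512}
ALLOWED_CURVES = {"P-256", "P-384", "P-521", "B-283", "B-409", "B-571"}   # FIPS 186-2 curves named in the text
MIN_BLOCK_BITS = 64


def minimum_sizes(year: int) -> Dict[str, int]:
    for (start, end), sizes in DCSSI_MINIMUM.items():
        if start <= year <= end:
            return sizes
    raise ValueError("Table 1 gives no values for %d" % year)


def check(key: dict, year: int) -> List[str]:
    """Return the rule violations of one key description for the given year
    (an empty list means the parameters comply)."""
    m = minimum_sizes(year)
    problems = []
    h = key.get("hash")
    if h is not None and HASH_BITS.get(h, 0) < m["hash"]:
        problems.append("hash %s gives fewer than %d bits" % (h, m["hash"]))
    if key["type"] == "RSA":
        if key["n_bits"] < m["rsa_n"]:
            problems.append("RSA modulus %d < %d bits" % (key["n_bits"], m["rsa_n"]))
        if key["e"] <= 65536:        # "strictly higher than 2^16": 65537 passes, 65536 does not
            problems.append("public exponent %d not > 65536" % key["e"])
        wanted = "RSAES-OAEP" if key["use"] == "encrypt" else "RSASSA-PSS"
        if key["padding"] != wanted:
            problems.append("padding %s used, %s required" % (key["padding"], wanted))
    elif key["type"] == "ECDSA":
        bits = int(key["curve"].split("-")[1])     # P-256 -> 256, B-283 -> 283
        if key["curve"] not in ALLOWED_CURVES:
            problems.append("curve %s not in the DCSSI list" % key["curve"])
        if bits < m["ec"]:
            problems.append("curve size %d < %d bits" % (bits, m["ec"]))
    elif key["type"] == "DL":        # DSA / Diffie-Hellman in GF(p) or GF(2^n)
        p_min = m["dl_p_gfp"] if key["field"] == "GF(p)" else m["dl_p_gf2n"]
        if key["p_bits"] < p_min:
            problems.append("field size %d < %d bits for %s" % (key["p_bits"], p_min, key["field"]))
        if key["q_bits"] < m["dl_q"]:
            problems.append("subgroup order %d < %d bits" % (key["q_bits"], m["dl_q"]))
    elif key["type"] == "SYM":
        if key["key_bits"] < m["sym"]:
            problems.append("symmetric key %d < %d bits" % (key["key_bits"], m["sym"]))
        if key.get("block_bits", 0) < MIN_BLOCK_BITS:
            problems.append("block length below 64 bits (or stream cipher)")
    else:
        problems.append("unknown key type %s" % key["type"])
    return problems


if __name__ == "__main__":
    # Constructed descriptions: a typical signing certificate key and a legacy one.
    for k in ({"type": "RSA", "n_bits": 2048, "e": 65537, "use": "sign", "padding": "RSASSA-PSS", "hash": "SHA-256"},
              {"type": "RSA", "n_bits": 1024, "e": 3, "use": "sign", "padding": "PKCS1-v1_5", "hash": "SHA-1"}):
        print(k["n_bits"], check(k, 2012) or "compliant")
```

Note that the year matters: the same RSA-1536/SHA-1 encryption key complies for 2009 but not for 2011, and from 2021 on a 2048-bit modulus no longer meets the table.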

5.3 Germany

Activities of Federal Network Agency

12 http://www.ssi.gouv.fr/site_documents/politiqueproduit/Mecanismes_cryptographique_v1_10_standard.pdf


The Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway (short: Federal Network Agency, Bundesnetzagentur) is the responsible authority in accordance with the Electronic Signatures Act [SigG01]. The security evaluation of cryptographic procedures used under the Signature Act is the responsibility of the Federal Network Agency, but is in practice assigned to the Federal Office for Information Security (BSI), see below.

The agency identifies suitable algorithms, their minimal or recommended key length, and other related parameters. The time horizon is six years. Asymmetric algorithms as well as hash functions are covered in as far as they are used for digital signatures. The last evaluation was February 2007.

Multimedia services derive much of their economic relevance from the business transactions conducted through them. The legal rules necessary in this regard have been conceived largely in analogy to the traditional paper-based procedures. In the first instance, transactions have to be sufficiently secure: they have to guarantee that a transaction has not been altered and that its issuer can be identified reliably. Both requirements are satisfied by a digital signature based on public key cryptography. The anchoring of trust is achieved by certificates issued by a hierarchy of certification authorities, the so-called public key infrastructure (PKI).

Electronic Signature Act and Signature Regulation

Regarding digital signatures (compliant with the EU Directive), the corresponding national rules are laid down in the Electronic Signature Act (Signatur-Gesetz) [SigG01] and the Electronic Signature Regulation (Signatur-Verordnung) [SigV01]. For a multimedia application to be legally binding, it is recommended to have, in addition, specific regulations that in turn mandate the application of the Electronic Signature Act and Electronic Signature Regulation. However, other electronic means to achieve the necessary degree of trust may be agreed upon and used. The German Electronic Signature Act and Electronic Signature Regulation have been adapted to the corresponding EU regulations, especially regarding the mutual recognition of certification authorities and procedural implementations. Suitable cryptographic algorithms and key lengths are evaluated by the BSI, see next paragraph.

Activities of Federal Office for Information Security

The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) is the official body for creating IT security concepts and evaluating/certifying the respective implementations. The BSI is particularly recognized by the Federal Network Agency for the examination of electronic signature concepts and implementations according to the Electronic Signature Act [SigG01]. One significant activity is the annual evaluation of suitable algorithms for electronic signatures, their minimal or recommended key length, and other related parameters. The time horizon is seven years. Asymmetric algorithms as well as hash functions are covered as far as they are used for electronic signatures. The Federal Network Agency publishes the resulting report as mandatory regulation once a year. The latest regulation13 completed in November 2008 will be officially published at the beginning of 2009 (in German). It specifies the algorithms as suited for the next seven years, i.e., 2009 through 2015, as shown in Table 2. The previous regulation is also available as an unofficial English version14.

Table 2 BSI recommended Signature Algorithms and Key Lengths (2008)

| Year | Integer Fact. | Discrete Logarithm, parameter p | Discrete Logarithm, parameter q | Elliptic Curve, p and n | Elliptic Curve, q | Hash |
|---|---|---|---|---|---|---|
| 2008 | 1280 | 1280 | 160 | 192 for GF(p), 191 for GF(2^n) | 180 | SHA-1 (for digital certificates only), RIPEMD-160, SHA-224, -256, -384, -512 |
| 2009 | 1536 | 1536 | 160 | 192 for GF(p), 191 for GF(2^n) | 180 | SHA-1 (for digital certificates only), RIPEMD-160, SHA-224, -256, -384, -512 |
| 2010 | 1728 | 2048 | 224 | no constraints | 224 | SHA-1 (for digital certificates only, with a minimum of 20 bits of entropy), RIPEMD-160, SHA-224, -256, -384, -512 |
| 2011-2015 | 1976 | 2048 | 224 | no constraints | 224 | SHA-224, -256, -384, -512 |

All key sizes in Table 2 are the minimal sizes for security, given in bits. Due to the recently raised general security level from 80 to 100 bits, the margin of security relative to the current status of cryptanalysis is large. From the BSI's viewpoint, this means that all algorithms and key lengths which the 2008 report states to be suitable until the end of 2014 are specified in the 2009 report as appropriate until the end of 2015. The report must be used for cryptographic key lengths in electronic signatures only.

The recommended asymmetric algorithm is RSA, to be used in a digital signature mechanism according to ISO/IEC 14888-3. For a long-term security level, the RSA key size of 2048 bits is recommended for the complete evaluation period through 2015. The recommended discrete logarithm algorithm is DSA according to FIPS 186-2, to be used according to ISO/IEC 14888-3. Similarly to RSA, for a long-term security level a DSA key size of 2048 bits is recommended. With regard to elliptic curve cryptography the following signature algorithms are recommended:

- EC-DSA according to IEEE P1363, FIPS 186-2, ANSI X9.62-2005 and ISO/IEC 15946-2,
- EC-KDSA and EC-GDSA according to ISO/IEC 15946-2, and
- Nyberg-Rueppel according to ISO/IEC 9796-3 and ISO/IEC 15946-4.

13 http://www.bundesnetzagentur.de/media/archive/14953.pdf (latest regulation in German)
14 http://www.bundesnetzagentur.de/enid/7aaec7ce6bee173b9390d561824b631b,0/Publications_and_Notifications/Suitable_Algorithms_z8.html (previous regulation in English)

The BSI issued a basic technical guideline on the evaluation of selected cryptographic algorithms for long-term use [BSI TR-02102]. This guideline contains recommendations targeted at developers who are involved in the introduction of cryptographic infrastructures as of 2008 and is considered reliable for the next 6 years. All recommended algorithms achieve a security level of 100 bits, i.e., they are basically suited for data with high protection requirements. The recommended security level corresponds to symmetric encryption and MAC with 100 bits, RSA with 2048 bits, DSA with 224/2048 bits and ECDSA with 200 bits. The recommended algorithms are summarized in Table 3.

Table 3 BSI recommended Algorithms (2008)

| No. | Cryptographic Use Case | Suited Algorithms | Reference |
|---|---|---|---|
| 1 | Symmetric Block Ciphers | AES-128, AES-192, AES-256 | FIPS 197 |
| | | SERPENT-128, SERPENT-192, SERPENT-256 | [Serpent00] |
| | | Twofish-128, Twofish-192, Twofish-256 | [Twofish98] |
| 2 | Stream Cipher | No recommendation at this time | |
| 3 | Asymmetric Encryption | RSA | PKCS#1 v2.1 |
| | | DLIES | IEEE P1363 |
| | | ECIES | IEEE P1363 |
| 4 | Hash Function | SHA-224, -256, -384, -512 | FIPS 180-2 |
| 5 | Message Authentication Code | CMAC | NIST SP800-38B |
| | | HMAC | [HMAC97] |
| 6 | Electronic Signature | RSA | ISO 14888-3: 1999 |
| | | DSA | ISO 14888-3: 1999, FIPS 186-2 |
| | | DSA variant ECDSA | [BSI TR-03111] |
| | | DSA variants ECKDSA, ECGDSA | ISO 15946-2: 2002 |
| | | DSA variant Nyberg-Rueppel Signatures | ISO 15946-4: 2004 |
| | | Merkle Signatures | [Merkle06] |
| 7 | Asymmetric Key Agreement | Diffie-Hellman, EC Diffie-Hellman | [DiffieHellman96] |
| 8 | Key Derivation Function | Chapter 5.6.3 in ANSI X9.63 | ANSI X9.63 |

A further important BSI technical guideline on suitable algorithms and key lengths beyond qualified signature algorithms was published in 2007 [BSI TR-03116] and has been broadly accepted as the basis for technical specifications in national eCard projects. It provides recommendations for a period of 6 years (2008-2013). The guideline is mandatory especially for technical components in the German health care telematics system, see 6.2. Some significant definitions of the guideline are given in Table 4.

Table 4 BSI recommended Algorithms and Key Lengths for National eCard Projects (2007)

| No. | Cryptographic Use Case | Suited Algorithms | Remarks |
|---|---|---|---|
| 1 | Asymmetric device authentication without key agreement (card-2-card authentication) | RSA through 2007: 1024 bits; RSA through 2013: 1976 bits; public RSA key 1024 bits: 2^16+1 ≤ e ≤ 2^864-1; public RSA key 2048 bits: 2^16+1 ≤ e ≤ 2^1824-1; DSA through 2007: p: 1024 bits, q: 160 bits; DSA through 2013: p: 2048 bits, q: 224 bits; ECDSA through 2007: q: 160 bits; ECDSA through 2013: q: 224 bits | For RSA, a key length of 2048 bits is recommended. For DSA, a length of 224 bits (key) and 2048 bits (group) is recommended. For ECDSA, a length of 224 bits (parameter q) is recommended. |
| | | Hash functions for signature creation: SHA-1 through 2007; RIPEMD-160 through 2009; SHA-224, -256, -384, -512 through 2013 | The hash functions of the SHA-2 family are recommended, especially SHA-256, -384, -512. |
| 2 | Asymmetric authentication of CA components without key agreement (PKI of CV certificates) | Padding for signature creation: EMSA-PKCS1-v1_5, EMSA-PSS, DIN SIG and ISO 9796-2 through 2013 | |
| | | Signing of CV certificates: the same as for authentication; public RSA key 1024 bits: 2^16+1 ≤ e ≤ 2^864-1; public RSA key 2048 bits: 2^16+1 ≤ e ≤ 2^1824-1. Requirements for Root-CA: RSA: 2048 bits through 2013; DSA: p: 2048 bits, q: 224 bits through 2013; ECDSA: q: 224 bits through 2013 | For cards issued after 2010 with a validity beyond 2013, a key length of 2048 bits is recommended. |
| | | Hash functions for signing of CV certificates: SHA-1, RIPEMD-160 through 2009 and 2010; SHA-224, -256, -384, -512 through 2013 | The hash functions of the SHA-2 family are recommended in the long term, especially SHA-256, -384 or -512. |
| | | Padding of CV certificates: EMSA-PKCS1-v1_5, EMSA-PSS, DIN SIG and ISO 9796-2 through 2013 | The padding format ISO 9796-2 is the de facto standard for creating signatures in CV certificates. |
| 3 | Asymmetric device authentication with key agreement (card-2-card authentication) | Authentication and creation of CV certificates as described above. Key agreement: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 through 2013 | When a specific hash function is used, the target key length must be taken into account. Appropriate adaptations are required in the future. |
| 4 | Symmetric authentication acc. to CWA14890-1 and key agreement acc. to ANSI X9.63 (card-2-server authentication) | Authentication: 2TDES through 2009, 3TDES through 2013, AES-128, AES-192, AES-256 through 2013. For cards issued from 2010 a changeover from 2TDES to AES or 3TDES must take place. | The use of AES is recommended in the long term. |
| | | Key agreement: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 through 2013 | See asymmetric authentication with key agreement. |
| 5 | Client-server authentication (card authentication towards server) | RSA through 2007: 1024 bits; RSA through 2013: 2048 bits; DSA through 2013: p: 2048 bits, q: 224 bits; ECDSA over GF(p) through 2013: q: 224 bits | |
| 6 | Hash functions for documents (e.g. signature of medical documentation) | Signature creation: SHA-1 through 2007; RIPEMD-160 through 2009; SHA-224, -256, -384, -512 through 2013 | The use of the hash function SHA-256 is recommended. |
| 7 | Signature algorithms for documents | RSA through 2007: 1024 bits; RSA through 2008: 1280 bits; RSA through 2009: 1536 bits; RSA through 2010: 1728 bits; RSA through 2013: 1976 bits | For RSA, a key length of 2048 bits is recommended. |
| | | DSA through 2007: p: 1024 bits, q: 160 bits; DSA through 2008: p: 1280 bits, q: 160 bits; DSA through 2009: p: 1536 bits, q: 160 bits; DSA through 2013: p: 2048 bits, q: 224 bits | For DSA, the length 224 bits (key) and 2048 bits (group) is recommended. |
| | | DSA variants based on groups E(F_p) through 2007: q: 160 bits; through 2009: q: 180 bits, p: 192 bits minimum; through 2013: q: 224 bits | p and q must differ by a small factor only. For elliptic curves, the length of 224 bits (parameter q) is recommended. |
| 8 | Padding methods for documents | EMSA-PKCS1-v1_5 acc. to PKCS #1 v2.1; EMSA-PSS acc. to PKCS #1 v2.1; DIN SIG [DINSIG]; ISO-9796-2, DS2 and DS3 through 2013 | The EMSA-PKCS1-v1_5 padding will probably no longer be recommended as suited according to the Signature Law in the next guideline version. In general, EMSA-PSS padding is recommended. |
| 9 | Hash for certificate signatures | SHA-1 through 2009 or 2010; RIPEMD-160 through 2010; SHA-224, -256, -384, -512 through 2013 | The validity of SHA-1 and RIPEMD-160 will be extended through 2010 if the issuing certification authority meets the BSI requirements for the issuance of X.509 certificates. The hash function SHA-256 is recommended as appropriate in the long term. |
| 10 | Signature algorithms for certificates | As for signature of documents | As for signature of documents |
| 11 | Padding methods for certificates | As for padding of documents | The EMSA-PSS padding is recommended as appropriate in the long term. |
| 12 | Hybrid encryption [XMLEnc] (encryption of document data which are stored on central servers) | Asymmetric encryption of the document encryption key (key transport): RSA through 2007: 1024 bits; RSA through 2013: 2048 bits; RSAES-PKCS1-v1_5 through 2013; RSAES-OAEP, MGF1 with SHA-1 through 2013 | RSAES-OAEP is recommended as appropriate in the long term. |
| | | Encryption of document data: AES-256 CBC with random initialization vector through 2013; AES-256 CTR with random initialization vector through 2013 | AES-256 CBC is recommended as appropriate in the long term. |
| 13 | Secure Messaging between chip cards (card-2-card communication and protection of communication between card and server) | Symmetric key agreement according to CWA14890-1 and ANSI X9.63; asymmetric key agreement according to DINSIG-4 or CWA14890-1 | RSA is used for both CVC authentication and protected exchange of random values. |
| | | 2TDES CBC encryption with random initialization vector through 2009; 3TDES CBC or AES-128 CBC or AES-192 CBC or AES-256 CBC encryption with random initialization vector through 2013 | AES-256 CBC with random initialization vector is recommended as appropriate in the long term. |
| | | DES Retail CBC MAC, 112-bit key according to ANSI X9.19 through 2009; AES-128 CMAC acc. to FIPS 197 and NIST SP800-38B through 2013 | Encryption with AES-256 CBC with random initialization vector is recommended as appropriate in the long term. |
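The minimum sizes in Tables 1, 2 and 4 are migration deadlines in disguise: a key that conforms today falls below the table's minimum in a known year. The following Python script, added here as an example and not part of the report nor of any DCSSI or BSI tooling, transcribes the RSA, discrete-logarithm and elliptic-curve columns of Table 1 (DCSSI) and Table 2 (BSI), the DCSSI rule that the RSA public exponent must be strictly greater than 2^16, and the RSA public-exponent ranges from row 1 of Table 4, and reports for a given RSA key both its current findings and the first year in which it no longer conforms. The key descriptors and all function names are the example's own assumptions.

```python
"""Key-size conformance and migration-deadline check against the DCSSI
(Table 1) and BSI (Table 2, Table 4) minimum sizes quoted in this chapter.
Added example; the table values are transcribed from the text, all function
names and key descriptors are this example's own."""
from typing import Dict, List, Optional, Tuple

# One table row: (first year, last year or None if open-ended, {alg: min bits}).
Row = Tuple[int, Optional[int], Dict[str, int]]

# DCSSI 2007 (Table 1): "sym" symmetric key, "rsa" modulus, "dl_q"/"dl_p"
# discrete-log subgroup and group over GF(p), "ec" curve order over GF(p),
# "hash" hash output length; all in bits.
DCSSI: List[Row] = [
    (2009, 2010, {"sym": 80, "rsa": 1536, "dl_q": 160, "dl_p": 1536, "ec": 160, "hash": 160}),
    (2011, 2020, {"sym": 100, "rsa": 2048, "dl_q": 256, "dl_p": 2048, "ec": 256, "hash": 256}),
    (2021, None, {"sym": 100, "rsa": 4096, "dl_q": 256, "dl_p": 4096, "ec": 256, "hash": 256}),
]

# BSI 2008 signature catalogue (Table 2): "ec" is parameter q.
BSI: List[Row] = [
    (2008, 2008, {"rsa": 1280, "dl_p": 1280, "dl_q": 160, "ec": 180}),
    (2009, 2009, {"rsa": 1536, "dl_p": 1536, "dl_q": 160, "ec": 180}),
    (2010, 2010, {"rsa": 1728, "dl_p": 2048, "dl_q": 224, "ec": 224}),
    (2011, 2015, {"rsa": 1976, "dl_p": 2048, "dl_q": 224, "ec": 224}),
]

# Table 4, row 1: admissible RSA public exponents, 2^16+1 <= e <= 2^upper - 1.
BSI_RSA_EXPONENT_UPPER = {1024: 864, 2048: 1824}


def minimum_for(policy: List[Row], alg: str, year: int) -> Optional[int]:
    """Minimum size the policy demands for `alg` in `year`, or None if the
    year (or the algorithm) is not covered by the table."""
    for first, last, mins in policy:
        if first <= year and (last is None or year <= last):
            return mins.get(alg)
    return None


def first_nonconformant_year(policy: List[Row], alg: str, bits: int) -> Optional[int]:
    """First year of the table in which a key of `bits` falls below the
    minimum, or None if it stays acceptable over the table's whole horizon."""
    for first, last, mins in policy:
        need = mins.get(alg)
        if need is not None and bits < need:
            return first
    return None


def dcssi_rsa_exponent_ok(e: int) -> bool:
    # DCSSI: the public exponent must be strictly greater than 2^16 = 65536.
    return e > 1 << 16


def bsi_rsa_exponent_ok(modulus_bits: int, e: int) -> bool:
    # Table 4: 2^16+1 <= e <= 2^864-1 (1024-bit keys), <= 2^1824-1 (2048-bit keys).
    upper = BSI_RSA_EXPONENT_UPPER.get(modulus_bits)
    return upper is not None and (1 << 16) + 1 <= e <= (1 << upper) - 1


def check_rsa_key(policy: List[Row], modulus_bits: int, e: int, year: int) -> List[str]:
    """Findings for an RSA public key under `policy` in `year`; an empty list
    means the key conforms and needs no migration within the table's horizon."""
    findings = []
    need = minimum_for(policy, "rsa", year)
    if need is None:
        findings.append(f"year {year} is outside the table's horizon")
    elif modulus_bits < need:
        findings.append(f"modulus {modulus_bits} bits is below the {need} bits required in {year}")
    if policy is DCSSI and not dcssi_rsa_exponent_ok(e):
        findings.append("public exponent must be strictly greater than 2^16")
    if policy is BSI and not bsi_rsa_exponent_ok(modulus_bits, e):
        findings.append("public exponent outside the Table 4 range for this modulus size")
    deadline = first_nonconformant_year(policy, "rsa", modulus_bits)
    if deadline is not None and deadline > year:
        findings.append(f"migrate before {deadline}: modulus falls below the minimum then")
    return findings


if __name__ == "__main__":
    # Constructed sample inventory: (label, modulus bits, public exponent).
    for label, n_bits, e in [("legacy key", 1024, 65537), ("current key", 2048, 65537), ("small e", 2048, 3)]:
        print(label, "/ DCSSI 2012:", check_rsa_key(DCSSI, n_bits, e, 2012) or "ok")
        print(label, "/ BSI 2010:", check_rsa_key(BSI, n_bits, e, 2010) or "ok")
```

Running the script over a key inventory gives a per-key deadline rather than a yes/no answer, which is what a migration plan needs; the two tables deliberately stay separate, since the DCSSI horizon is open-ended while the BSI catalogue ends in 2015.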

5.4 United Kingdom

Department for Business, Enterprise and Regulatory Reform (BERR)

Regarding national activities in the UK, the British Department for Business, Enterprise and Regulatory Reform is of special importance. In June 2007 it replaced the earlier Department of Trade and Industry (DTI). It now has a wide range of responsibilities for different sorts of business. A recent press release reports on activities together with the British credit card industry [BERR_Press].

Information Security is one important business sector covered by BERR. The Department (in partnership with industry) produces a biennial Information Security Breaches Survey which is intended to help businesses understand the information security risks they face. Among other things, the recently presented survey [BERR_InfSec] covers the encryption of backup data and hard disks.

Department for Innovation, Universities and Skills (DIUS)

At the same time as BERR, the new Department for Innovation, Universities and Skills (DIUS) arose as a replacement for the earlier Office of Science and Innovation. DIUS is responsible for the development, funding and performance management of the science and research base across the UK, so that the UK continues to develop a world-class research base responsive to users and the economy, with sustainable and financially strong universities and public laboratories and a strong supply of scientists, engineers and technologists. DIUS funds the seven Research Councils, which allocate public funds to support research projects and teams. One of them is the Science and Technology Facilities Council (STFC) with the associated eScience Centre15.

Communications-Electronics Security Group

15 http://www.e-science.stfc.ac.uk/


The Communications-Electronics Security Group (CESG) is a branch of the Government Communications Headquarters (GCHQ). GCHQ works to secure the communications and information systems of the government and of critical parts of the UK national infrastructure. On behalf of GCHQ, the CESG provides assistance to government departments on their own communications security and serves as the UK national technical authority for information assurance, including cryptography. The CESG does not publish its own lists of recommended cryptographic algorithms, but appears to adopt the corresponding NIST recommendations. For this reason, the NIST key length recommendations are shown in the following table.

Table 5 NIST Key Length Recommendations (2007)

| Years | Min. Strength | Sym. Alg. | Integer Fact. | Discrete Logarithm, Key | Discrete Logarithm, Group | Elliptic Curve | Hash (A) | Hash (B) |
|---|---|---|---|---|---|---|---|---|
| 2009 to 2010 | 80 | 2TDES | 1024 | 160 | 1024 | 160 | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 |
| 2011 to 2030 | 112 | 3TDES | 2048 | 224 | 2048 | 224 | SHA-224, SHA-256, SHA-384, SHA-512 | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 |
| > 2030 | 128 | AES-128 | 3072 | 256 | 3072 | 256 | SHA-256, SHA-384, SHA-512 | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 |
| >> 2030 | 192 | AES-192 | 7680 | 384 | 7680 | 384 | SHA-384, SHA-512 | SHA-224, SHA-256, SHA-384, SHA-512 |
| >>> 2030 | 256 | AES-256 | 15360 | 512 | 15360 | 512 | SHA-512 | SHA-256, SHA-384, SHA-512 |

The TDES algorithms are specified in [NIST SP800-67]. The listed Hash (A) algorithms are meant for electronic signatures and hash-only applications. The Hash (B) algorithms can be used for HMAC, key derivation functions and random number generation.


The assessment of at least 80 bits of security for 2TDES is based on the assumption that an attacker has at most 2^40 matched plaintext and ciphertext blocks. SHA-1 has recently been demonstrated to provide less than 80 bits of security for digital signatures; its security strength against collisions is assessed at 69 bits. The use of SHA-1 is not recommended for the generation of digital signatures in new systems; new systems should use one of the larger hash functions. For the present time, SHA-1 is included in Hash (A) for 2009 to 2011 to reflect its widespread use in existing systems, for which the reduced security strength may not be of great concern when only 80 bits of security are required.

5.5 Norway

Electronic Signature Act

In 2001, the Norwegian Signature Act16 was set up (with last revision in 2005) quite similar to the German Signature Act. The structure is very closely related to the EU Directive for electronic signatures. Some requirements for signatures are explicitly specified within this Signature Act, whereas other aspects – e.g., detailed contents of qualified certificates – are explicitly left to the individual decision of the Norwegian King. Furthermore, the Norwegian Ministry of Trade and Industry is authorized to establish voluntary schemes for certification, approval and self-declaration.

Norwegian Policy on eSignature and eID

In 2003, the Norwegian Ministry of Trade and Industry presented a policy on the use of PKI and electronic signatures for eIDs. The major objective of this policy was to develop an infrastructure for electronic ID and electronic signature that is market-based and ensures interoperability and traffic exchange. Developing this infrastructure is seen as a great step in building up cooperation between the public and the private sector.

5.6 Finland

Activities of VAHTI

Regarding information security and the resulting impact on PKI migration, the Finnish Ministry of Finance plays an important role. For this purpose, the Ministry has set up the Government Information Security Management Board (VAHTI). A continuous activity of VAHTI is to handle the Finnish Government Information Security Development Plan. This general program contains several development areas including data security in communication and IT systems as well as end user data security. One important work of VAHTI to be mentioned is the publication of instructions for e-mail handling for the state government [VAHTI06].

16 English version available at http://www.npt.no/iKnowBase/Content/1379/1379-electronic_signatures_act.pdf

Finnish Act on Electronic Signatures

Finland also has an act on electronic signatures17, last revised in 2003. Unlike other signature laws in Europe, it contains special regulations that also allow certification service providers outside Finland to issue qualified certificates. Furthermore, special care is taken on the subject of Secure Signature Creation Devices (SSCDs): the Finnish Communications Regulatory Authority (FICORA, see below) may designate inspection bodies (which may be private or public) to evaluate signature creation devices regarding compliance with the corresponding EU regulations.

Responsibility of FICORA

FICORA is the responsible supervision body regarding the Finnish Signature Act. In this way, FICORA plays a similar role to the German Federal Network Agency. The Data Protection Ombudsman supervises compliance with the provisions of the Act on Electronic Signatures concerning personal data. However, FICORA is not responsible for accreditation (and no other accreditation authority, comparable to the German Federal Network Agency, exists).

5.7 Sweden

Ministry of Enterprise, Energy and Communications

The Swedish Ministry of Enterprise, Energy and Communications is an important agency responsible for IT security. Its responsibilities include general IT policy as well as specific aspects of efficient and secure electronic communication. In this context, a new Electronic Communications Act (replacing the earlier one established in 1993) was published in 2003 [Swe03], giving strong consideration to security aspects.

Qualified Electronics Signature Act

17 English version available at http://www.finlex.fi/en/laki/kaannokset/2003/en20030014.pdf


Sweden also belongs to the countries that have implemented the EU Directive on electronic signatures by an appropriate national signature act (introduced in 2000)18. In contrast to the signature acts of other EU countries, the Swedish one specifically concerns qualified electronic signatures. The major part of it consists of requirements for certificate providers to be eligible to issue qualified certificates. At the current state, the law still provides just a framework for future applications without practical meaning, since qualified certificates are still not issued in Sweden. (In this respect, the Swedish legislation on current signature applications is somewhat deficient, see also 6.5.)

Responsibility of SWEDAC

In Sweden, the Swedish Board for Accreditation and Conformity Assessment (SWEDAC) essentially plays the role of the German Federal Network Agency. SWEDAC is responsible for accreditation as well as supervision regarding the EU Directive on electronic signatures and the corresponding Swedish act on qualified signatures.

6 Selected National Projects

6.1 The German eID Card

An important national activity in the public sector is the planned introduction of the German eID Card. Institutions as well as enterprises are now invited to participate in an application test of the eID Card. After that application test, lasting about one year, probably until October 2010, the new eID Card with PKI functionality shall be rolled out to citizens. Its advantages will be the easy and secure identification of the citizen on the Internet and the protected and standardized realization of online services.

The eID card will use PKI for several purposes. The card contains three applications realized solely by a contactless chip: firstly, the ePassport function, which includes the data of the machine-readable zone (MRZ) and optional biometric data for governmental inspection authorities only; secondly, the eID function (authentication function), which includes personal and document-related data for eGovernment and eCommerce services. The third application is the optional advanced or qualified signature function. The eID Card can be used for authentication of the card holder towards online service providers. The service providers use individual authorization certificates to prove their identity and access rights towards the eID Card. A further eID Card feature is the secure verification of the card holder’s age.

18 English version available at http://www.pts.se/en-gb/Industry/Internet/Electronic-signatures/

The underlying security functions of the eID Card are based on the protocols of Extended Access Control (EAC) known from the context of ePassports: chip authentication, terminal authentication and passive authentication. A further EAC protocol, called Passport Authenticated Connection Establishment (PACE), has been developed by the BSI. This new protocol includes the entry of a secret PIN by the card holder; a Diffie-Hellman key exchange between eID card and card reader, with generation of an ephemeral key pair on each side, then allows for the exchange of public keys. PACE takes place prior to the other EAC protocols [BSI TR-03110]. The entered PIN is used for the symmetric encryption of a random number generated by the eID card. The asymmetric algorithms of the EAC protocols are based on elliptic curve cryptography, i.e., ECDH and ECDSA according to [BSI TR-03111]. These algorithms allow for relatively short key sizes of 224 bits [BSI TR-02102], whereas AES is used for secure messaging.

The terminal authentication serves for the verification of the card reader and, in the case of the eID application, for the verification of the online service provider. The PKI includes the authorization certificates that realize graded read access rights of online services. The PKI consists of the BSI as root authority, CAs for authorization certificates, and online service providers of eGovernment and eBusiness. An overview of the key and certificate management is shown in Figure 1.


Figure 1 – Key and certificate management of the German eID Card

[Figure 1, labels recovered from the diagram: BSI; eID Card manufacturer; eID Card; Service Provider; Root X.509 certificate; X.509 certificate; Root CV authorization certificate; CA authorization certificates; Authorization certificate (CV); PKI of authorization certificates; Root CV certificate in eID Card chip; Static DH key pair of eID Card; Variable DH key pair of service provider; "The signed public key serves as certificate"; "Signs with secret key the public key"; "Verifies signature used to sign the public key"; "eID Card verifies authorization certificate"; "Issues CV certificates"; edge labels "Issues", "Authorizes", "Signs public keys".]

The process flow of the online authentication is as follows: A citizen uses his eID Card to access an Internet site of an eGovernment or eBusiness service, e.g., the website of his bank. The service provider sends its authorization certificate. The first-time registration starts with the selection of data groups indicated in the authorization certificate, which the service intends to read from the eID Card. At the user interface, the displayed data groups, which the service wants to access, can be approved or crossed out. Then, the secret user PIN has to be entered for PACE and the other EAC protocols to be executed. After successful connection establishment, the permitted data groups are read from the eID Card and transmitted to the service. Then an important process, called Restricted Identification (RI), takes place: the eID Card generates a sector-specific chip identifier out of a card secret and a unique service identifier. This RI value is transferred to the service provider and stored as index in order to allow for unique recognition of the eID Card in future interactions. Then, the eID Card holder may finally use the service.

Restricted Identification allows for pseudonymous follow-up logins with the service without further reading of personal data, i.e., the online service can be used after PIN entry, execution of EAC protocols and RI generation. The RI value serves as sector-specific pseudonym that cannot be misused for cross-service tracking and tracing of users. Since the eID Card is not able to verify certificate black lists, each authorisation certificate will be valid for a few days only. Thus, the public key of the service provider must frequently be re-certified.

The security functions including PACE have been introduced into European standardisation processes and will become part of the European Signature Standard [EN14890-1]. The technical profile of the German eID Card becomes part of the emerging technical specification of the European Citizen Card [prTS 15480] as the first application profile called “National ID Card”.
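The PACE connection setup and the Restricted Identification step described in 6.1 above can be followed more easily in a small model that runs both sides of the exchange. The following Python script is an added example and is not BSI code nor an implementation of [BSI TR-03110] or [BSI TR-03111]; it models the steps the text names (PIN-encrypted nonce from the card, ephemeral Diffie-Hellman between card and reader, session keys for secure messaging, and a sector-specific RI derived from the card secret). Its assumptions: the Mersenne prime 2^127-1 with generator 3 stands in for the elliptic-curve group, a SHA-256 keystream stands in for AES encryption of the nonce, HMAC-SHA256 stands in for the authentication tokens, and the "unique service identifier" of RI is modelled as a per-service (sector) public key. All class and function names are the example's own.

```python
"""Toy model of the eID Card's PACE connection setup and of Restricted
Identification (RI), following the description in section 6.1.  Added
example: not BSI code and not an implementation of [BSI TR-03110].
Assumptions replacing the real building blocks: the Mersenne prime 2^127-1
with generator 3 stands in for the elliptic-curve group of [BSI TR-03111],
a SHA-256 keystream stands in for AES encryption of the card's nonce, and
HMAC-SHA256 stands in for the authentication tokens; the service identifier
of RI is modelled as a per-service (sector) public key.  Not for production use."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # toy group modulus (Mersenne prime M127); elements fit in 16 bytes
G = 3                # toy generator, illustration only


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def xor_stream(key: bytes, block: bytes) -> bytes:
    # Stand-in for AES: XOR a 16-byte block with a key-derived keystream.
    return bytes(a ^ b for a, b in zip(block, h(b"stream", key)))


class PaceParty:
    """One side of PACE; card and terminal run the same code."""

    def __init__(self, pin: str):
        self.k_pi = h(b"pace-pin", pin.encode())   # key derived from the PIN

    # Step 1, card: choose a random nonce s and send it encrypted under K_pi.
    def send_nonce(self) -> bytes:
        self.s = secrets.randbelow(1 << 120) + 1
        return xor_stream(self.k_pi, self.s.to_bytes(16, "big"))

    # Step 1, terminal: recover s with the PIN the user typed.  A wrong PIN
    # yields a different s and therefore, later, a different mapped generator.
    def receive_nonce(self, z: bytes) -> None:
        self.s = int.from_bytes(xor_stream(self.k_pi, z), "big")

    # Step 2: first ephemeral DH; its result H is used to map the generator.
    def mapping_share(self) -> int:
        self.x = secrets.randbelow(P - 2) + 1
        return pow(G, self.x, P)

    def map_generator(self, peer_share: int) -> None:
        shared = pow(peer_share, self.x, P)
        self.g_map = (pow(G, self.s, P) * shared) % P   # generic mapping G' = G^s * H

    # Step 3: second ephemeral DH on the mapped generator G'.
    def key_share(self) -> int:
        self.a = secrets.randbelow(P - 2) + 1
        self.share = pow(self.g_map, self.a, P)
        return self.share

    def derive(self, peer_share: int) -> None:
        self.peer_share = peer_share
        k = pow(peer_share, self.a, P).to_bytes(16, "big")
        self.k_enc, self.k_mac = h(b"enc", k), h(b"mac", k)   # secure-messaging keys

    # Step 4: each side authenticates with a MAC over the peer's ephemeral key.
    def token(self) -> bytes:
        return hmac.new(self.k_mac, self.peer_share.to_bytes(16, "big"), "sha256").digest()

    def verify(self, peer_token: bytes) -> bool:
        expected = hmac.new(self.k_mac, self.share.to_bytes(16, "big"), "sha256").digest()
        return hmac.compare_digest(expected, peer_token)


def run_pace(card_pin: str, entered_pin: str):
    """Run PACE between a card holding `card_pin` and a terminal at which
    `entered_pin` was typed.  Returns (success, session encryption key)."""
    card, terminal = PaceParty(card_pin), PaceParty(entered_pin)
    terminal.receive_nonce(card.send_nonce())
    yc, yt = card.mapping_share(), terminal.mapping_share()
    card.map_generator(yt)
    terminal.map_generator(yc)
    ac, at = card.key_share(), terminal.key_share()
    card.derive(at)
    terminal.derive(ac)
    ok = card.verify(terminal.token()) and terminal.verify(card.token())
    return ok, (card.k_enc if ok else None)


def sector_keypair():
    """Per-service (sector) key pair; the public part is what the card receives."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)


def restricted_id(card_secret: int, sector_public_key: int) -> bytes:
    """Sector-specific pseudonym: hash of a static DH between the card secret
    and the sector key.  Stable for one service, unlinkable across services."""
    return h(b"ri", pow(sector_public_key, card_secret, P).to_bytes(16, "big"))


if __name__ == "__main__":
    print("correct PIN:", run_pace("123456", "123456")[0])   # True
    print("wrong PIN:  ", run_pace("123456", "654321")[0])   # False
    card_secret = secrets.randbelow(P - 2) + 1
    _, bank = sector_keypair()
    _, tax_office = sector_keypair()
    print("same service, same RI:", restricted_id(card_secret, bank) == restricted_id(card_secret, bank))
    print("cross-service linkable:", restricted_id(card_secret, bank) == restricted_id(card_secret, tax_office))
```

The two properties the text relies on are visible in the output: a wrong PIN never yields a shared session key, because the mapped generator differs on the two sides and the authentication tokens fail to verify; and the RI value is reproducible for one service while giving no common handle to two different services.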

6.2 HBA, HPC

The German Electronic Health Card (eHC) and Health Professional Card (HPC) will serve as personal access tools of insurants and health professionals to the German health telematics system that is currently under development and test. In addition, Security Module Cards (SMC) will be used in card terminals and system connecting devices of the health institutions to identify organisational units and work stations. The system will enable electronic data exchange between more than 80 million insurants, 200,000 medical practices, 22,000 pharmacies, 2,000 hospitals, other care providers, and a large number of health insurance institutions throughout Germany. The main services will include the electronic transfer of administrative data, electronic prescriptions, emergency data, documentation of medication, and medical reports. The rollout of the cards is expected to start at the end of 2009.

The eHC is specified by the association of all head organizations of the German self-administrative health care system, by the name of Gematik,19 and will be issued by respective insurance institutions. The HPC and SMC are specified by Fraunhofer SIT on behalf of the central organization in the system of medical self-administration in Germany, by the name of Bundesärztekammer,20 and will be issued by the respective medical associations.

Card Applications

For reasons of card interactions, the microprocessor card platforms of eHC, HPC and SMC support nearly the same commands, algorithms and functions. The eHC contains, in addition to administrative and medical data, the QES application with one qualified electronic signature creation key (optionally to be activated) and the cryptographic ESIGN application with two decryption and two authentication keys. Among the HPC applications are the mandatory QES application, the ESIGN application with one key for decryption and authentication, respectively, and an optional application for organisation-specific authentication. The SMCs include an application for card terminal authentication and an ESIGN application with one key for advanced signature, decryption and authentication, respectively. All mentioned card applications use X.509-certified RSA keys of 2048 bits length.

19 http://www.gematik.de
20 http://www.bundesaerztekammer.de/page.asp?his=1.134.3421.4132

Qualified Signature Application of HPC

The HPC will be Common Criteria certified according to a protection profile for card usage as Secure Signature Creation Device and health professional card. This includes the use of the qualified signature creation key for stack and comfort signatures. Since health professionals have to sign electronic prescriptions and other medical data frequently, a special solution for multi-signatures in health care was defined which removes the need to enter the signature PIN before each single signature. The HPC allows multi-signature creation only after the secure operating environment of the health telematics has been verified. In stack signature mode, a stack of documents can be signed serially after a single PIN entry, under the control of the certified telematics connector. In comfort signature mode, multiple signatures can be created over a defined period, with the health professional triggering each signature operation by presenting a special RFID token. In both modes the signature key is usable without a fresh PIN for a bounded number of signatures or a bounded period, so the protection otherwise given by the PIN is carried by the session and by the environment check; this is why the certified connector is a precondition. The multi-signature concepts are defined in technical guidelines of the German BSI ([BSI TR-03114], [BSI TR-03115]) and have to be approved by the Federal Network Agency. The approval of qualified multi-signatures in health care may influence other fields in which multi-signatures are needed, e.g., notarial and governmental offices.
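The session logic behind the two modes, as an added example that is not part of the report and is not the HPC's or the BSI guidelines' own code: the stack limit, the comfort period, the single-use trigger token and the HMAC that stands in for the qualified signature are assumptions chosen for the illustration.

```python
"""Authorisation state for stack and comfort signatures on a signature card.
Added illustration; not code from the report, the HPC or [BSI TR-03114] /
[BSI TR-03115]. The limits (stack size, comfort period), the single-use
trigger token and the HMAC placeholder for the signature are assumptions."""
import hashlib
import hmac


class SignatureSession:
    def __init__(self, signing_key, pin, max_stack=20, comfort_seconds=600):
        self._key = signing_key          # placeholder for the QES private key
        self._pin = pin
        self.max_stack = max_stack
        self.comfort_seconds = comfort_seconds
        self.mode = None                 # None, "stack" or "comfort"
        self.remaining = 0               # stack mode: signatures still allowed
        self.expires_at = None           # comfort mode: end of the period
        self._used_tokens = set()        # comfort mode: replay protection
        self.log = []

    def verify_pin(self, pin, mode, now, count=1):
        """One PIN entry opens a bounded session. Stack mode allows at most
        `count` (<= max_stack) signatures without further user action;
        comfort mode allows signatures until `expires_at`, each one released
        by a fresh trigger token (the RFID token in the HPC concept)."""
        self.mode = None
        if not hmac.compare_digest(pin, self._pin):
            return False
        if mode == "stack" and 1 <= count <= self.max_stack:
            self.remaining = count
        elif mode == "comfort":
            self.expires_at = now + self.comfort_seconds
        else:
            return False
        self.mode = mode
        return True

    def sign(self, document, now, trigger_token=None):
        """Return a signature, or raise PermissionError with the reason why
        the card refuses; every use is logged for the connector's audit."""
        mode = self.mode
        if mode == "stack":
            self.remaining -= 1
            if self.remaining == 0:
                self.mode = None         # last stack item: PIN needed again
        elif mode == "comfort":
            if now >= self.expires_at:
                self.mode = None
                raise PermissionError("comfort period expired; PIN required")
            if trigger_token is None or trigger_token in self._used_tokens:
                raise PermissionError("fresh trigger token required")
            self._used_tokens.add(trigger_token)
        else:
            raise PermissionError("no authorised session; PIN required")
        sig = hmac.new(self._key, document, hashlib.sha256).hexdigest()
        self.log.append((now, mode, sig[:8]))
        return sig


def demo():
    """Run both modes and collect which attempts the card refuses."""
    card = SignatureSession(b"demo-key", "123456", max_stack=3, comfort_seconds=600)
    results = {"wrong_pin": card.verify_pin("000000", "stack", now=0, count=3)}
    assert card.verify_pin("123456", "stack", now=0, count=3)
    for i in range(3):
        card.sign(b"prescription %d" % i, now=i)
    try:
        card.sign(b"prescription 3", now=3)            # fourth item of a stack of 3
        results["fourth_stack_item"] = "signed"
    except PermissionError as e:
        results["fourth_stack_item"] = str(e)
    assert card.verify_pin("123456", "comfort", now=100)
    card.sign(b"report A", now=110, trigger_token="tok-1")
    try:
        card.sign(b"report B", now=120, trigger_token="tok-1")   # replayed token
        results["replayed_token"] = "signed"
    except PermissionError as e:
        results["replayed_token"] = str(e)
    card.sign(b"report B", now=120, trigger_token="tok-2")
    try:
        card.sign(b"report C", now=800, trigger_token="tok-3")   # period is over
        results["after_expiry"] = "signed"
    except PermissionError as e:
        results["after_expiry"] = str(e)
    results["signatures"] = len(card.log)
    return results
```

The two refusal paths are the ones a reviewer of such a card would look for first: the stack must close itself after the last authorised item, and a comfort session must reject both a replayed trigger and any trigger after the period has elapsed, each time falling back to a PIN entry.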

X.509 Certificates

X.509 certificates and the corresponding private keys are used in the telematics infrastructure to provide confidentiality, integrity, identity protection and non-repudiation for personal and organisational identities, information processing devices, server systems, and infrastructure and network services. A single hierarchical root model for X.509 certificate issuance was not feasible because of the heterogeneity and complexity of the certificates involved (e.g., for qualified signatures, encryption, authentication, organisation-specific signatures, components) and the diversity of the organisations involved (a large number of statutory and private health insurers, health professional associations, device manufacturers, etc.). Therefore, the higher-level X.509 certificates of the issuing organisations are verified by central Trust Service Providers (TSP), which perform direct online verification instead of a hierarchical control of certificate issuance.

The results of these certificate verifications are recorded by the TSPs and summarised in Trust Service Status Lists (TSL), which in turn are signed by Gematik, acting as a kind of policy authority, or by an authorised third party. In the special case of component certificates, a separate list, the Trusted Component List (TCL), is generated. By means of a Gematik Trust Service List and a common policy, a sufficient security level for signature, encryption and authentication certificates can be established and published. This infrastructure allows new user groups to be registered flexibly and hierarchical models (e.g. of selected CAs) to be cross-certified. A proxy permits centralised queries for certificate information. The ETSI standard for Trust Service Lists [TS102231] allows trust status information to be managed conveniently and distributed automatically in XML syntax. Several European countries have already implemented this concept.

For end-user certificates, i.e. the certificates of insured persons, health professionals, organisations and technical components, status is checked locally by online verification via the Online Certificate Status Protocol (OCSP). Each TSP that issues end-user certificates is obliged to run an efficient OCSP-based information service at least over the entire validity period of each certificate. In addition to the OCSP service entries in the TSL or TCL, each X.509 certificate itself contains the address of the OCSP responder that holds the relevant status information. A relying party therefore has two sources for the responder address and should check that they agree, and that the TSL it uses is current and carries a valid signature.
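How a relying party would consult such a list before trusting an issuing CA, as an added example (not the gematik TSL/TCL and not code from the report): the XML below is a constructed, simplified list in the element layout of ETSI TS 102 231 as far as the author of this example knows it, with the XML signature and most scheme information left out; the SKI values, URLs and dates are made up. The function distinguishes four outcomes: a stale list, a CA that is not listed, a listed CA whose status is not a trusted one, and a trusted CA with its OCSP supply point.

```python
"""Deciding from a trust-service status list whether an issuing CA is trusted.
Added illustration, not the gematik TSL/TCL or any real list. The sample XML
is constructed and simplified (no XML signature, most scheme information left
out); element names follow ETSI TS 102 231 as far as this example's author
knows them, and the SKI values, URLs and dates are made up."""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"tsl": "http://uri.etsi.org/02231/v2#"}
TRUSTED_STATUS = {
    "http://uri.etsi.org/TrstSvc/Svcstatus/undersupervision",
    "http://uri.etsi.org/TrstSvc/Svcstatus/accredited",
}

SAMPLE_TSL = """<TrustServiceStatusList xmlns="http://uri.etsi.org/02231/v2#">
  <SchemeInformation>
    <TSLSequenceNumber>17</TSLSequenceNumber>
    <ListIssueDateTime>2009-01-15T10:00:00Z</ListIssueDateTime>
    <NextUpdate><dateTime>2009-02-15T10:00:00Z</dateTime></NextUpdate>
  </SchemeInformation>
  <TrustServiceProviderList><TrustServiceProvider>
    <TSPInformation><TSPName><Name xml:lang="en">Example TSP</Name></TSPName></TSPInformation>
    <TSPServices>
      <TSPService><ServiceInformation>
        <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
        <ServiceName><Name xml:lang="en">HPC qualified CA 1</Name></ServiceName>
        <ServiceDigitalIdentity><DigitalId><X509SKI>SKI-HPC-CA-1</X509SKI></DigitalId></ServiceDigitalIdentity>
        <ServiceStatus>http://uri.etsi.org/TrstSvc/Svcstatus/undersupervision</ServiceStatus>
        <StatusStartingTime>2008-11-01T00:00:00Z</StatusStartingTime>
        <ServiceSupplyPoints><ServiceSupplyPoint>http://ocsp.example.test/hpc-ca-1</ServiceSupplyPoint></ServiceSupplyPoints>
      </ServiceInformation></TSPService>
      <TSPService><ServiceInformation>
        <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
        <ServiceName><Name xml:lang="en">HPC qualified CA 0</Name></ServiceName>
        <ServiceDigitalIdentity><DigitalId><X509SKI>SKI-HPC-CA-0</X509SKI></DigitalId></ServiceDigitalIdentity>
        <ServiceStatus>http://uri.etsi.org/TrstSvc/Svcstatus/supervisionrevoked</ServiceStatus>
        <StatusStartingTime>2008-12-01T00:00:00Z</StatusStartingTime>
      </ServiceInformation></TSPService>
    </TSPServices>
  </TrustServiceProvider></TrustServiceProviderList>
</TrustServiceStatusList>"""


def _ts(text):
    return dt.datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ")


def check_service(tsl_xml, ski, now):
    """Look up the CA identified by its subject key identifier `ski`.
    Precondition not modelled here: the list's own signature has been checked
    against the scheme operator's key, otherwise its contents mean nothing."""
    root = ET.fromstring(tsl_xml)
    path = "tsl:SchemeInformation/tsl:NextUpdate/tsl:dateTime"
    if now >= _ts(root.findtext(path, namespaces=NS)):
        return {"trusted": False, "reason": "TSL is stale, fetch a current list", "ocsp": None}
    for svc in root.iterfind(".//tsl:TSPService/tsl:ServiceInformation", namespaces=NS):
        ident = svc.findtext("tsl:ServiceDigitalIdentity/tsl:DigitalId/tsl:X509SKI", namespaces=NS)
        if ident != ski:
            continue
        status = svc.findtext("tsl:ServiceStatus", namespaces=NS)
        short = status.rsplit("/", 1)[-1]
        if status not in TRUSTED_STATUS:
            return {"trusted": False, "reason": "service status " + short, "ocsp": None}
        if now < _ts(svc.findtext("tsl:StatusStartingTime", namespaces=NS)):
            return {"trusted": False, "reason": "status not yet effective", "ocsp": None}
        ocsp = svc.findtext("tsl:ServiceSupplyPoints/tsl:ServiceSupplyPoint", namespaces=NS)
        return {"trusted": True, "reason": "listed as " + short, "ocsp": ocsp}
    return {"trusted": False, "reason": "CA not listed in TSL", "ocsp": None}
```

The returned supply point is the value to compare against the OCSP responder address embedded in the end-user certificate; a mismatch between the two is worth treating as a failure rather than picking either one.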

Card-Verifiable Certificates

Card-verifiable certificates (CV certificates, CVCs) serve as public key certificates for card-to-card authentication between microprocessor cards. In the telematics system, eHC, HPC and SMC in particular use CV certificates. During mutual authentication between eHC, HPC or SMC, each card loads and verifies the public key, bound to an application-specific role identifier, of its counterpart. The corresponding private keys are then used to prove that the claimed role identifier actually belongs to the respective card. Successful authentication opens access to the card data and functions whose card-internal access rules contain the verified role identifier. Unlike X.509 certificates, which would usually exceed the processing capabilities of a chip card, CV certificates can be used and their fields evaluated directly by the card. Further advantages of CV certificates are that they can also be used in offline scenarios and that the card holder's authorisation concept can be enforced automatically via the role identifier without a PIN entry. CV certificates and their use are specified in [ISO 7816-4] and in the European multi-part standard for signature cards [EN 14890-1], which has replaced the former multi-part specification [CWA 14890-1].

CV certificates for eHC, HPC or SMC are issued by a second-level CVC certification authority within the specific health telematics PKI. The CV certificates and the corresponding private keys are stored in the cards during production. Furthermore, the CV certificate of the issuing CA and the root CA key that is common to all involved cards are stored in each card. Because the root key is embedded at production and CV certificates are verified offline, there is no online status check for them comparable to the OCSP check described above for X.509 certificates; the validity periods of the CV certificates therefore carry the corresponding weight.
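The card-to-card procedure above in code, as an added example that is not from the report, gematik or Fraunhofer SIT: a root key held in the card, a two-level CVC chain carrying a role identifier, a challenge-response proof of key possession, and access rules keyed by role. Textbook RSA over SHA-256 (short keys, no padding) stands in for the ISO 9796-2 scheme of Table 6; the certificate encoding, field names, role identifiers and card data are assumptions. The demo also shows what a forged chain looks like to the verifying card.

```python
"""Card-to-card authentication with card-verifiable certificates (CVCs).
Added illustration, not code from the report, gematik or Fraunhofer SIT.
Textbook RSA over SHA-256 stands in for the ISO 9796-2 scheme named in the
report; CVC encoding, field names, role identifiers and data are assumptions."""
import hashlib, random

def _is_probable_prime(n, rng, rounds=16):        # Miller-Rabin, odd n > 3
    r = ((n - 1) & -(n - 1)).bit_length() - 1
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c, rng):
            return c

def rsa_keygen(rng, bits=512):
    """Return ((n, e), (n, d)). Short keys, no padding: demo only."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _h(data): return int.from_bytes(hashlib.sha256(data).digest(), "big")
def rsa_sign(priv, data): return pow(_h(data), priv[1], priv[0])
def rsa_verify(pub, data, sig): return 0 < sig < pub[0] and pow(sig, pub[1], pub[0]) == _h(data)

def cvc_body(car, chr_, role, pub):
    # Signed fields: CAR (issuer ref), CHR (holder ref), role identifier, holder key.
    return "|".join([car, chr_, role, str(pub[0]), str(pub[1])]).encode()

def issue_cvc(issuer_priv, car, chr_, role, holder_pub):
    sig = rsa_sign(issuer_priv, cvc_body(car, chr_, role, holder_pub))
    return {"car": car, "chr": chr_, "role": role, "pub": holder_pub, "sig": sig}

def verify_chain(root_pub, root_chr, chain):
    """CA CVC, then end-entity CVC, checked against the root key stored in the
    card at production; the issuer reference must link each step. Returns the
    verified role identifier, or None on any failure."""
    key, issuer = root_pub, root_chr
    for c in chain:
        body = cvc_body(c["car"], c["chr"], c["role"], c["pub"])
        if c["car"] != issuer or not rsa_verify(key, body, c["sig"]):
            return None
        key, issuer = c["pub"], c["chr"]
    return chain[-1]["role"]

class Card:
    def __init__(self, priv, chain, root_pub, root_chr, data=None, rules=None):
        self.priv, self.chain, self.root_pub, self.root_chr = priv, chain, root_pub, root_chr
        self.data, self.rules = data or {}, rules or {}    # rules: object -> roles allowed
        self.verified_roles = set()

    def authenticate_peer(self, peer, rng):
        """Verify the peer's CVC chain, then make it prove possession of the
        certified key by challenge-response; only a proven role unlocks data."""
        role = verify_chain(self.root_pub, self.root_chr, peer.chain)
        if role is None:
            return None
        challenge = rng.getrandbits(128).to_bytes(16, "big")
        response = rsa_sign(peer.priv, challenge)         # computed inside the peer card
        if not rsa_verify(peer.chain[-1]["pub"], challenge, response):
            return None
        self.verified_roles.add(role)
        return role

    def read(self, obj):
        if not self.rules.get(obj, set()) & self.verified_roles: raise PermissionError(obj)
        return self.data[obj]

def demo(seed=1):
    """A genuine HPC reads eHC emergency data; a forged HPC chain is rejected."""
    rng = random.Random(seed)
    root_pub, root_priv = rsa_keygen(rng)
    ca_pub, ca_priv = rsa_keygen(rng)
    ca_cvc = issue_cvc(root_priv, "DEROOT", "DECA01", "ROLE_CA", ca_pub)
    hpc_pub, hpc_priv = rsa_keygen(rng)
    hpc = Card(hpc_priv, [ca_cvc, issue_cvc(ca_priv, "DECA01", "HPC0001", "ROLE_PHYSICIAN", hpc_pub)],
               root_pub, "DEROOT")
    ehc_pub, ehc_priv = rsa_keygen(rng)
    ehc = Card(ehc_priv, [ca_cvc, issue_cvc(ca_priv, "DECA01", "EHC0001", "ROLE_INSURANT", ehc_pub)],
               root_pub, "DEROOT", {"emergency_data": "blood group 0 neg., penicillin allergy"},
               {"emergency_data": {"ROLE_PHYSICIAN"}})
    role = ehc.authenticate_peer(hpc, rng)
    bad_pub, bad_priv = rsa_keygen(rng)            # attacker signs an own "CA" certificate
    forged = Card(bad_priv, [issue_cvc(bad_priv, "DEROOT", "EVILCA", "ROLE_CA", bad_pub),
                             issue_cvc(bad_priv, "EVILCA", "HPC9999", "ROLE_PHYSICIAN", bad_pub)],
                  root_pub, "DEROOT")
    return {"role": role, "data": ehc.read("emergency_data"), "forged": ehc.authenticate_peer(forged, rng)}
```

The forged chain fails at the first link: its "CA" certificate claims DEROOT as issuer but was not signed with the root key the eHC holds, and no later field is even looked at. Note that verification grants a role, not an identity; the access rules are written in terms of roles, which is what lets the card enforce them offline and without a PIN.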

Use of Cryptographic Algorithms

Cryptographic algorithms for data authenticity, integrity and confidentiality, as well as for qualified electronic signatures that legally bind declarations of intent, will be used within the German telematics infrastructure. These algorithms are the essential part of the telematics security architecture. The requirements are specified in [gemSpec_Krypt], which extends the technical guideline [BSI-TR03116], see Table 4 in 5.3. The following table shows selected stipulations for the telematics infrastructure. The entries in the year columns indicate whether, in the respective year, the algorithm is expired (EXP), may be issued (ISS), may be used (USE) or is optional (OPT).

Table 6 German telematics specification of algorithms and key lengths (2008)

No.  Use case / algorithm (OID)
         Key     2008     2009     2010     2011     2012     2013

 1   Use of X.509 certified keys for qualified signatures
     RSA
         1024    EXP      EXP      EXP      EXP      EXP      EXP
         2048    ISS/USE  ISS/USE  ISS/USE  ISS/USE  ISS/USE  ISS/USE

 2   Signature of X.509 user certificate and CA certificate for qualified signatures
     sha1withRSAEncryption (OID 1.2.840.113549.1.1.5)
         1024    EXP      EXP      EXP      EXP      EXP      EXP
         2048    EXP      EXP      EXP      EXP      EXP      EXP
     sha256withRSAEncryption (OID 1.2.840.113549.1.1.11)
         1024    EXP      EXP      EXP      EXP      EXP      EXP
         2048    ISS/USE  ISS/USE  ISS/USE  ISS/USE  ISS/USE  ISS/USE

 3   Use of X.509 certified keys for TLS/SSL authentication
     RSA
         1024    ISS/USE  ISS/USE  ISS/USE  USE      USE      USE
         2048    OPT      OPT      OPT      ISS/USE  ISS/USE  ISS/USE

 4   Signature of X.509 user certificate and CA certificate for TLS/SSL authentication
     sha1withRSAEncryption (OID 1.2.840.113549.1.1.5)
         1024    ISS/USE  ISS/USE  ISS/USE  USE      USE      USE
         2048    OPT      OPT      OPT      OPT      OPT      OPT
     sha256withRSAEncryption (OID 1.2.840.113549.1.1.11)
         1024    OPT      OPT      OPT      OPT      OPT      OPT
         2048    OPT      OPT      OPT      ISS/USE  ISS/USE  ISS/USE

 5   Use of X.509 certified keys for IPSec authentication
     RSA
         1024    ISS/USE  ISS/USE  ISS/USE  USE      USE      USE
         2048    ISS/USE  ISS/USE  ISS/USE  ISS/USE  ISS/USE  ISS/USE

 6   Signature of X.509 user certificate and CA certificate for IPSec authentication
     sha1withRSAEncryption (OID 1.2.840.113549.1.1.5)
         1024    ISS/USE  ISS/USE  ISS/USE  USE      USE      USE
         2048    ISS/USE  ISS/USE  ISS/USE  ISS/USE  ISS/USE  ISS/USE
     sha256withRSAEncryption (OID 1.2.840.113549.1.1.11)
         1024    ISS/USE  ISS/USE  ISS/USE  ISS/USE  ISS/USE  ISS/USE
         2048    ISS/USE  ISS/USE  ISS/USE  ISS/USE  ISS/USE  ISS/USE

 7   Use of X.509 certified keys for encryption
     RSA
         1024    EXP      EXP      EXP      EXP      EXP      EXP
         2048    ISS/USE  ISS/USE  ISS/USE  ISS/USE  ISS/USE  ISS/USE

 8   Signature of X.509 user certificate and CA certificate for encryption
     sha1withRSAEncryption (OID 1.2.840.113549.1.1.5)
         1024    EXP      EXP      EXP      EXP      EXP      EXP
         2048    EXP      EXP      EXP      EXP      EXP      EXP
     sha256withRSAEncryption (OID 1.2.840.113549.1.1.11)
         1024    EXP      EXP      EXP      EXP      EXP      EXP
         2048    ISS/USE  ISS/USE  ISS/USE  ISS/USE  ISS/USE  ISS/USE

 9   Use of CV certified keys for authentication
     authS_ISO9796-2Withrsa_sha256_mutual (OID 1.3.36.3.5.2.4)
         1024    EXP      EXP      EXP      EXP      EXP      EXP
         2048    ISS/USE  ISS/USE  ISS/USE  ISS/USE  ISS/USE  ISS/USE

10   Signature of user CV certificate and CA certificate
     sigS_ISO9796-2Withrsa_sha1 (OID 1.3.36.3.4.2.2.1)
         1024    EXP      EXP      EXP      EXP      EXP      EXP
         2048    EXP      EXP      EXP      EXP      EXP      EXP
     sigS_ISO9796-2Withrsa_sha256 (OID 1.3.36.3.4.2.2.4)
         1024    EXP      EXP      EXP      EXP      EXP      EXP
         2048    ISS/USE  ISS/USE  ISS/USE  ISS/USE  ISS/USE  ISS/USE

11   Use of CV certified keys for signing CV certificates of CAs
     sigS_ISO9796-2Withrsa_sha256 (OID 1.3.36.3.4.2.2.4)
         1024    EXP      EXP      EXP      EXP      EXP      EXP
         2048    ISS/USE  ISS/USE  ISS/USE  ISS/USE  ISS/USE  ISS/USE

12   Signature of user CV certificate and CA certificate
     sigS_ISO9796-2Withrsa_sha1 (OID 1.3.36.3.4.2.2.1)
         1024    EXP      EXP      EXP      EXP      EXP      EXP
         2048    EXP      EXP      EXP      EXP      EXP      EXP
     sigS_ISO9796-2Withrsa_sha256 (OID 1.3.36.3.4.2.2.4)
         1024    EXP      EXP      EXP      EXP      EXP      EXP
         2048    ISS/USE  ISS/USE  ISS/USE  ISS/USE  ISS/USE  ISS/USE

13   Card-to-server authentication and encryption
     3TDES in CBC mode (OID 1.3.6.1.4.1.4929.1.8)
         168     ISS/USE  ISS/USE  ISS/USE  ISS/USE  ISS/USE  ISS/USE

The card validity period is scheduled to be 5 years. The test cards already issued support RSA 2048 with SHA-1 for signature, decryption and authentication (based on X.509 and CV certificates) and 2TDES for secure messaging. The "Generation 1 cards" for productive operation will be issued from the end of 2009 through 2010. This first generation will support RSA 2048 with SHA-256 and 3TDES. From 2011 on, "Generation 2 cards" will be issued; RSA will then be replaced by elliptic curve cryptography and 3TDES by AES. With a 5-year validity period, Generation 1 cards issued in 2010 remain in use until 2015, so the verifying infrastructure has to support both algorithm families for that overlap. The planned changeover of algorithms is not yet considered in the current version of [gemSpec_Krypt] and is therefore not shown in Table 6.


6.3 eSignature, Austria

Austria is the leading country in Europe as regards the implementation of eGovernment applications21. According to the E-Government Act, both the electronic registers of unique citizen identification data and the eCard22 form the basis of electronic transactions. The qualified electronic signature is the core element of electronic identification. The Austrian eCard system has been rolled out since 2002 (number of active eCards: 8.4 million) and supports administrative processes between insured persons, employers, doctors, hospitals and social security institutions. The eCard includes the health insurance card functions as well as an optional citizen card function23, for which a number of projects are planned, e.g., information on insurance data, annual tax declaration, child and student allowance applications, criminal record extracts, confirmation of residence registration, and use in commercial applications.

Electronic Signature Application

The citizen card function includes an electronic signature application for qualified signatures according to the Austrian Signature Law and an application for advanced signatures and encryption. The citizen card function can be activated, e.g., via the social insurance website; the citizen card certificates and the person identity link are then stored on the eCard. The citizen activates the electronic signature application by entering an activation code. The certificates for qualified signatures are issued by the Austrian trust centre A-Trust, whereas the certificates for advanced signatures are issued by the Main Association of Austrian Social Security Institutions. Since January 2008, 11,939 certificates for qualified signatures have been issued.

Personal Identification

The person identity link, based on the so-called sourcePIN, is an integral part of the citizen card concept and is stored on each citizen card. It is a structure signed by the issuing public authority that binds a unique identification feature of a person to one or more certificates belonging to this person. The sourcePIN is derived from the unique number in the central register of residents, but is not used directly for identification. Instead, a further derivation, the sector-specific personal identifier (ssPIN), is created for each sector of activity. This derivation prevents the transactions of a citizen card from being tracked and linked across sectors. The personal identification data are not part of the certificates but are cryptographically linked to the certificates by means of SAML assertions. In this way, public and private personal identification data can be handled independently and in accordance with data protection rules.

21 http://www.digital.austria.gv.at/site/6573/default.aspx 22 http://www.chipkarte.at/portal/index.html 23 http://www.buergerkarte.at/en/index.html
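The sourcePIN/ssPIN derivation in code, as an added example that is not from the report or the Austrian system: the keyed derivation of the sourcePIN from a register number and the "+"-joined SHA-256 for the ssPIN are constructions chosen for this illustration (the real scheme is not described on this page), and the sector codes and register number are made up. It shows the two properties the paragraph claims (recognisable within a sector, unlinkable across sectors) and why the sourcePIN must not simply be the register number.

```python
"""Sector-specific identifiers derived from one sourcePIN.
Added illustration, not code from the report or from the Austrian citizen-card
system: the keyed derivation of the sourcePIN and the '+'-joined SHA-256 for
the ssPIN are constructions chosen here; sector codes and numbers are made up."""
import base64
import hashlib
import hmac


def derive_source_pin(register_number, register_key):
    """A register number is short and structured, so the sourcePIN is derived
    with a secret key held only by the register authority (assumption). An
    unkeyed hash would let anyone enumerate register numbers, see below."""
    mac = hmac.new(register_key, register_number.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def derive_sspin(source_pin, sector):
    """One-way, per-sector derivation: the same person gets the same ssPIN in
    one sector (so a sector can recognise a returning citizen) but unrelated
    ssPINs in different sectors (so sectors cannot link their records)."""
    digest = hashlib.sha256(f"{source_pin}+{sector}".encode()).digest()
    return base64.b64encode(digest).decode()


def linkable(sspin_a, sspin_b):
    return hmac.compare_digest(sspin_a, sspin_b)


def enumerate_unkeyed(target_sspin, sector, candidates):
    """Attack on the weak variant that uses the register number itself as
    sourcePIN: brute-force the small number space until the ssPIN matches."""
    for number in candidates:
        if derive_sspin(number, sector) == target_sspin:
            return number
    return None


def demo():
    key = b"register-authority-secret"          # constructed; would live in an HSM
    number = "ZMR-000123456"                    # constructed register number
    sp = derive_source_pin(number, key)
    tax = derive_sspin(sp, "SA")                # sector codes are assumptions
    health = derive_sspin(sp, "GH")
    tax_again = derive_sspin(derive_source_pin(number, key), "SA")
    weak = derive_sspin(number, "GH")           # unkeyed: number used directly
    space = lambda: (f"ZMR-{i:09d}" for i in range(200000))
    return {"same_sector_linkable": linkable(tax, tax_again),
            "cross_sector_linkable": linkable(tax, health),
            "unkeyed_recovered": enumerate_unkeyed(weak, "GH", space()),
            "keyed_recovered": enumerate_unkeyed(health, "GH", space())}
```

The last two results are the point: with the register number used directly, a sector's ssPIN reveals the register number after a short enumeration, whereas the keyed sourcePIN cannot be recovered from the ssPIN without the register authority's key.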

Interoperability within EU

Signature cards that are used for identification purposes in administrative processes of other EU member states can, according to governmental ordinances, be used in the Austrian eCard system as well. Within the EU Large Scale Pilot STORK already mentioned (see 4.6), the eCard functions are put on a broad basis and tested in pilot applications for eID and authentication. The results should enable businesses, citizens and government employees to use their national electronic identities in any EU member state.

6.4 eID Card, Finland

With the National eID Card Framework (FINEID), Finland was the first European country to introduce a national eID card. The rollout started in 1999.

Existing Certificates

The eID card contains two different certificates for basically the same purposes as the Austrian eID card: one for qualified signatures and one for authentication. The authentication certificate may also be used for encryption. Only the signature certificate is qualified; the authentication certificate has not been given this label. To date, more than 200,000 certificates have been issued.

Issuance of eID Card and Certificates

Although the Finnish eID card is uniform for the whole country, its use is optional, and therefore comparatively few people currently own the card. Nevertheless, one central authority, the Population Register Centre (PRC), is responsible for issuing both the card and the certificates. The PRC alone maintains the population register, which includes nationals and non-nationals. Persons registered in the population register are issued an identity card only on application, and since 1999 no identity card other than the FINEID card has been available.

6.5 eID Card, Sweden

From a technical point of view, Sweden also belongs to the most advanced European countries, already having eID cards with signature functions. However, the legal and organisational framework is still comparatively undeveloped compared with the other countries mentioned above.

Technical Features

A common feature of all existing solutions is the presence of two different certificates, one for signatures and one for authentication. As a key feature, Swedish eID cards currently provide, apart from the German eID card, the only solution combining an ICAO application over a contactless interface with an integrated signature function. However, the PKI application is provided via a contact interface only (in contrast to the German solution).

Legal Situation

At present there are no national regulations on the use or issuance of eIDs or eID cards in Sweden. The use of eID cards is optional, and no central authority is responsible for issuing the cards and their corresponding certificates. As a result, Swedish eID cards are handled as commercial products by different (private) providers.

For lack of a responsible central issuing authority, the compliance of the existing solutions with the EU Directive has not been verified, and no qualified certificates have been issued. As a result, the current Act on Qualified Signatures (see also 5.7) is not applicable to the current state of Swedish eID cards.

In the meantime, the Swedish Government has established a law24 authorising the Swedish Police Service to issue eID cards to any Swedish citizen who is at least 16 years old. After some initial delays, the regulation is to come into effect by the middle of 2009.

7 Activities relevant for Enterprises in the EU

This chapter lists some activities that especially concern the interests of enterprises in the EU. As far as information is available, this also includes activities of particular enterprises.

24 http://www.regeringen.se/sb/d/10044/a/112185 - in Swedish only


7.1 European Policy Centre (EPC)

As an independent, not-for-profit think tank, the European Policy Centre (EPC)25 also plays a role for enterprises engaged with PKI technology. Its main purpose is to make European integration work. The EPC works at the "cutting edge" of European and global policy-making, providing its members and the wider public with rapid, high-quality information and analysis on the EU and global policy agenda. One of its important goals is to promote a balanced dialogue between the different constituencies of its membership, spanning all aspects of economic and social life.

In line with its multi-constituency approach, members of the EPC comprise companies, professional and business federations, trade unions, diplomatic missions, regional and local bodies, as well as NGOs representing a broad range of civil society interests, foundations, international and religious organizations.

Among the EPC programmes, the programme on EU integration and citizenship is especially relevant for IT security and PKI, since interoperable eID in Europe may become an important topic.

7.2 Fraud Prevention Expert Group (FPEG)

The FPEG is an expert group whose activities are especially relevant for enterprises in the banking and payment sector. It was established by the Commission under its action plans to prevent fraud in non-cash means of payment. It is an expert group at EU level that includes representatives of the different parties involved in fraud prevention. Besides banks, the stakeholders include national public authorities, European and international law enforcement agencies (e.g. Europol, Interpol), retailers, consumer groups, network operators, etc. The FPEG provides a platform where stakeholders can effectively exchange information and best practice to prevent fraud. It contributes to intensifying cooperation between interested parties, especially at cross-border level, and provides advice to the Commission.

Within several subgroups, the FPEG covers the following topics relevant to fraud prevention:

Identity Theft and Identity Fraud

Data Management

ATM and POS Security

Commerce Issues

Furthermore, another subgroup deals with Security Evaluation, which is an important topic when considering fraud prevention with the aid of PKI technology.

25 http://www.epc.eu/

7.3 Product and System Security Working Group (PSSWG)

Another European body of special relevance for the activities of enterprises in the PKI sector is the Product and System Security Working Group (PSSWG)26 established by the European non-profit organisation EUROSMART. The PSSWG gathers a body of experts combining the knowledge of the major players of the smart security industry, from semiconductor manufacturers to software developers, smart device personalisers and issuers.

The main mission of the group is to optimise smart security efficiency in terms of assurance, methodology and cost. The PSSWG launched two technical groups involving the main actors of the evaluation and certification chain (CC accredited laboratories, certification authorities):

The ISCI-WG1 group's mission is to define the methodology and best practices for smart security device evaluation with Common Criteria.

JHAS (formerly ISCI-WG2) has the mission to define and maintain the state of the art of attack potential for smart security devices.

The PSSWG has also published technical papers on algorithm constraints (a possible aspect for PKI techniques) and participates in the FPEG described above.

7.4 Enterprises in Germany

Secunet

Secunet Security Networks AG (Secunet) is one of the best known German SMEs specialised in the development of IT security solutions. The company has recently been reorganised into business segments belonging to the public sector (government, high security) and others belonging to the private sector (business security, automotive). Secunet works closely with the German BSI. Due to the reference applications in the public sector, Secunet's activities in integrating PKI technology into its solutions must always keep pace with the corresponding European migration plan.

26 http://www.eurosmart.com/index.php/expertise/security.html

One of Secunet's best known activities in the public sector was the development of SINA, a secure inter-network architecture especially for agencies, including the military as well as the Foreign Office. A business variant of SINA also exists for providing IT security in enterprises. The SINA architecture was developed together with the BSI and is officially approved for the transfer of electronic documents classified as "top secret". It is continuously extended with new components; recent developments are the SINA Virtual Desktop, the SINA Virtual Server and the SINA Security Gateway. The most recent architecture description was published in a white paper in 2007 [SINA07].

SINA supports several PKI schemes for data encryption and digital signatures. As a signature scheme, the ECGDSA scheme [ECGDSA06] developed by Siemens Corporate Technology is used as a special variant of elliptic curve methods.

SECUDE

SECUDE was founded in Darmstadt (Germany) in 1996. After expanding into nine countries worldwide, the headquarters were moved to Switzerland, but the German entity, "SECUDE IT Security GmbH", has been retained.

SECUDE performs IT security consulting as well as the development of IT security products for various applications. With regard to PKI technology, the most relevant activities are the development of e-mail security products. These products extend e-mail clients with the functionality to sign, encrypt and decrypt e-mails and to verify signatures. The security level can be adapted to the needs of the individual enterprise. This includes not only the provision of secure asymmetric cryptographic algorithms but also different solutions for key storage such as smart cards, soft tokens or USB tokens.

Virtual Forge

Virtual Forge GmbH was founded in 2001 and first acted as a general security consulting company. It has since specialised in business application security. Besides the German headquarters, the company has further locations in the UK, the USA and Australia. Its main activities concern the security of SAP applications; for this purpose, Virtual Forge works for SAP itself as well as for SAP customers.

An important aspect of the development of software solutions is efficient licence management that provides sufficient protection against software piracy. Virtual Forge makes use of PKI technology for this purpose: licence keys are generated by signing hash values of the licence data. In this way, the security against forged licence keys depends directly on the security of the underlying signature scheme (and of the hash function whose output is signed).

Since Virtual Forge's activities concentrate on business application security (i.e., the private sector), the full set of security policies for sovereign and governmental applications does not apply. The company therefore follows best practice on the German and European market for private applications regarding security levels for PKI schemes (using RSA with 1024 bits). For comparison, Table 6 above marks RSA 1024 as expired for signature and encryption use in the German telematics infrastructure from 2008 onwards.

Giesecke & Devrient (G&D)

Among the larger enterprises engaged with PKI technology, Giesecke & Devrient (G&D) deserves particular attention. When founded in 1852, G&D first concentrated on printing banknotes and other high-security paper documents. Later, G&D developed into a technology leader in smart cards and other system solutions for various security applications.

With the smart card operating system STARCOS, G&D has long provided ISO-conformant smart card solutions for PKI cryptography. Its latest development in the area of security solutions is the product family StarSign®, which combines a smart card with a USB token for PKI cryptography. The implemented algorithms, including RSA 2048 and ECC up to 255 bits, are compliant with the official recommendations of the German BSI.

With the accompanying middleware, StarSign® can be used for many different security applications such as e-mail security, authentication and single sign-on, as well as other applications for signing or encrypting documents. This makes StarSign® usable for applications in the private as well as the public sector.

Fraunhofer (PKI Card)

The Fraunhofer-Gesellschaft, the largest organisation for applied research in Europe, introduced PKI cards for its approximately 12,000 employees in 2008. The card serves as a visual staff identity card for use throughout the Fraunhofer-Gesellschaft, as it has the name and photograph of the employee printed on it. It also serves as a chip card with its own memory and integrated processor that allows the employee to be identified for IT applications, to generate digital signatures, and to encrypt, decrypt and sign confidential data and e-mails. Although this is primarily an internal application of Fraunhofer, it also affects its external business, since the card may also be used for signing e-mails to external partners or receiving encrypted e-mails from them.

The technical concept and establishment of the PKI was designed by the Fraunhofer Competence Center PKI27, which now runs the Fraunhofer CA, maintaining the PKI at two separate Fraunhofer locations. The CA certificates are signed by the Deutsche Telekom Root CA. Since that root CA certificate is included by default in common web browsers, the certificate chain can usually be verified without problems. The certificates on the Fraunhofer smart card are valid for six years. Once this period has expired, it is no longer possible to authenticate with the card or to create digital signatures, but the card can still be used to read e-mails that were received in encrypted form. The Fraunhofer smart card is protected against unauthorised use by a personal identification number (PIN). The Fraunhofer directory service holds the names, phone numbers and fax numbers of employees; it is also part of the PKI and is used to publish certificates and certificate status information, e.g., certificate revocation lists.

The PKI card comes with a mandatory contact-based microprocessor chip for the PKI functions and, optionally, a second chip with a contactless interface for RFID applications. The contact-based chip of the Fraunhofer PKI card contains three RSA keys, for advanced electronic signature, data encryption and strong authentication, together with the corresponding X.509 certificates. The RSA keys have a length of 2048 bits and are used according to PKCS#1 with SHA-1 (compare Table 6, where sha1withRSAEncryption is being phased out in favour of SHA-256 in the German telematics infrastructure). The PKI functions are easily integrated into common mail clients and web browsers and can also be used for secure access to the institute's VPN. The RFID chip can accommodate RFID applications at the discretion of the respective Fraunhofer institute, e.g., physical access control, working time registration and payment systems. Several Fraunhofer institutes already use RFID applications of some kind. Using additional PKI functionality for the RFID applications is optional, as are the RFID applications themselves. However, the keys and certificates used for the fundamental PKI functions must not also be used for the additional RFID functions, so that the different applications remain securely separated.

8 References

[Aoki07] K. Aoki, J. Franke, T. Kleinjung, A.K. Lenstra, D.A. Osvik, A kilobit special number field sieve factorization, May 2007, Asiacrypt 2007, Springer-Verlag 2007, LNCS 4833, pp 1-12.

27 http://www.cc-pki.fraunhofer.de/english/


[BCRYPT Ver08] F. Vercauteren: Pairings on Elliptic Curves. BCRYPT ECC Workshop, Leuven, March 2008.

[Bernstein08] D. J. Bernstein, J. Buchmann, E. Dahmen (Eds.): Post Quantum Cryptography, Springer-Verlag 2008, ISBN 978-3-540-88701-0.

[BERR_Press] "Government to hold credit card summit": Press Release of BERR, November 25, 2008.

[BERR_InfSec] BERR: 2008 Information Security Breaches Survey. April 22, 2008.

[BSI TR-02102] Federal Office for Information Security (BSI): Kryptographische Verfahren: Empfehlungen und Schlüssellängen, TR-02102, Version 1.0, June 20, 2008. (Recommendations and key lengths for cryptographic methods, in German only).

[BSI TR-03110] Federal Office for Information Security (BSI): Advanced Security Mechanisms for Machine Readable Travel Documents – Extended Access Control (EAC), Password Authenticated Connection Establishment (PACE), and Restricted Identification (RI), TR-03110, Version 2.0, October 27, 2008, www.bsi.de/english/ publications/techguidelines/tr03110/TR-03110_v200.pdf

[BSI TR-03111] Federal Office for Information Security (BSI): Elliptic Curve Cryptography Based on ISO 15946, TR-03111, Version 1.00, February 14 2007, www.bsi.bund.de/literat/tr/tr03111/BSI-TR-03111.pdf

[BSI TR-03114] Federal Office for Information Security (BSI): Stapelsignatur mit dem Heilberufs-ausweis, TR-03114, Version 2.0, October 19, 2007, www.bsi.de/literat/tr/tr03114/BSI-TR-03114.pdf

[BSI TR-03115] Federal Office for Information Security (BSI): Komfortsignatur mit dem Heilberufs-ausweis, TR-03115, Version 2.0, October 19 2007, www.bsi.de/literat/tr/tr03115/BSI-TR-03115.pdf

[BSI TR-03116] Federal Office for Information Security (BSI): Technische Richtlinie für die eCard-Projekte der Bundesregierung, TR-03116, Version1.0, March 23, 2007. (Technical guideline for eCard projects of German government, in German only).

[Buchmann08] J. Buchmann, J. Ding: Post-Quantum Cryptography, Second International Workshop, PQCrypto 2008, Cincinnati, OH, USA, October 17-19, 2008, LNCS 5299, Springer, 2008.

[Canniere07] C. De Cannière, F. Mendel, C. Rechberger: Collisions for 70-Step SHA-1: On the Full Cost of Collision Search, In Selected Areas in Cryptography, 14th Annual International Workshop, SAC 2007, Lecture Notes in Computer Science 4876, C. Adams, A. Miri, and M. J. Wiener (eds.), Springer-Verlag, pp. 56-73, 2007.

[Canniere08] C. De Cannière, C. Rechberger: Preimages for Reduced SHA-0 and SHA-1, In Advances in Cryptology - CRYPTO 2008, Lecture Notes in Computer Science 5157, D. Wagner (ed.), Springer-Verlag, pp. 179-202, 2008.

[CWA14890-1] CEN Workshop Agreement: Application Interface for Smart Cards used as Secure Signature Creation Devices, Part 1 – Basic Requirements, March 8, 2004

[CWI_Crypt08] S. Boldyreva, S. Fehr, A. O'Neill: On Notions of Security for Deterministic Encryption, and Efficient Constructions without Random Oracles. Advances in Cryptology - CRYPTO 2008, Vol. 5157, 2008, pp. 335 – 359.

[CWI_EUCR07] M. M. J. Stevens, A. K. Lenstra, B. de Weger: Chosen-Prefix Collisions for MD5 and Colliding X.509 Certificates for Different Identities. In: IACR EUROCRYPT 2007, Series: Lecture Notes in Computer Science, Vol. 4515, 2007, pp. 1 – 22.

[DiffieHellman96] A. Menezes, P. van Oorschot and S. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996.

[DINSIG] DIN-Spezifikation der Schnittstelle zu Chipkarten mit Digitaler Signatur-Anwendung/Funktion nach SigG und SigV, DIN NI-17.4, Version 1.0, December 15, 1998

[DINSIG-4] DIN V66291-4: Chipkarten mit Digitaler Signatur-Anwendung/Funktion nach SigG und SigV, Teil 4: Grundlegende Sicherheitsdienste, DIN NI-17.4, 2002

[EC DAZTEC2] ECRYPT D.AZTEC.2 – Alternatives to RSA (revised version), August, 2005.

[EC DAZTEC5] ECRYPT D.AZTEC.5 – Update to Provable Security: Designs and Open Questions, January, 2007.

[EC DAZTEC6] ECRYPT D.AZTEC.6 – Hardness of the Main Computational Problems Used in Cryptography, March, 2007.

[EC DAZTEC7] ECRYPT D.AZTEC.7 – New Trends in Asymmetric Cryptography, February, 2007.

[ECGDSA06] E. Hess, M. Schafheutle, P. Serf: The Digital Signature Scheme ECGDSA. White Paper published by Siemens AG Corporate Technology Dpt. CT IC3, October, 2006.

[EC ColAtt] Recent Collision Attacks on Hash Functions: ECRYPT Position Paper, February, 2005.


[ENISA08] ENISA: Relations with Industry & International Organization, April, 2008. http://www.enisa.europa.eu/doc/pdf/FACsheets/FactSheet_IND2008_April.pdf

[EN14890-1] European Standard EN 14890-1: 2008, Application Interface for smart cards used as secure signature creation devices, Part 1: Basic services.

[EU-APSig08] EU Commission: Action Plan on e-signatures and e-identification to facilitate the provision of cross-border public services in the Single Market. November, 2008.

[EU-Manch05] Ministerial Declaration on Ministerial eGovernment Conference, Manchester, UK, November, 2005. http://archive.cabinetoffice.gov.uk/egov2005conference/documents/proceedings/pdf/051124declaration.pdf.

[FIPS180-2] Federal Information Processing Standards (FIPS) Publication 180-2, Secure Hash Standard (SHS), August 2002.

[Franke05] J. Franke, T. Kleinjung, C. Paar, J. Pelzl, C. Priplata, and C. Stahlke. SHARK - a realizable special hardware sieving device for factoring 1024-bit integers. Workshop on Special Purpose Hardware for Attacking Cryptographic Systems (SHARCS) 2005.

[Frye03] Christian Frye: Berücksichtigung der Bewertungen der Sicherheitseignung von Algorithmen für qualifizierte elektronische Signaturen, Diploma thesis at the TU Darmstadt, 2003.

[gemSpec_Krypt] gematik: Einführung der Gesundheitskarte - Verwendung kryptographischer Algorithmen in der Telematikinfrastruktur, Version 1.4.0, July 10, 2008

[HMAC97] M. Bellare, R. Canetti and H. Krawczyk. HMAC: Keyed-Hashing for Message Authentication. RFC 2104, 1997.

[ISO7816-4] ISO/IEC 7816-4: 2005, Identification cards - Integrated circuit cards - Part 4: Organization, security and commands for interchange

[Kunz09] Thomas Kunz, Susanne Okunick, Ulrich Pordesch: Data Structure for Security Suitabilities of Cryptographic Algorithms, Internet Draft draft-ietf-ltans-dssc-06, January, 2009.

[Lenstra03] A. K. Lenstra, E. Tromer, A. Shamir, W. Kortsmit, B. Dodson, J. Hughes, P. Leyland: Factoring estimates for a 1024-bit RSA modulus. Proc. Asiacrypt 2003, LNCS 2894, Springer-Verlag, pp 331-346, 2003.

[Maseberg02] Jan Söhnke Maseberg: Fail-Safe-Konzept für Public-Key-Infrastrukturen, Dissertation at the TU Darmstadt, 2002.


[Merkle06] J. Buchmann, L.C. Coronado García, E. Dahmen, M. Döring and E. Klintsevich. CMSS: An Improved Merkle Signature Scheme. Progress in Cryptology – INDOCRYPT 2006, Springer LNCS 4329, pp. 349-363 (2006).

[NIST SP800-38B] NIST Special Publication 800-38B: Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, May 2005, http://csrc.nist.gov/publications/nistpubs/ 800-38B/SP_800-38B.pdf

[NIST SP800-67] NIST Special Publication 800-67: Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, Version 1.1, June, 2008, http://csrc.nist.gov/publications/nistpubs/800-67/SP800-67.pdf

[PKIX PkiRec07] PKIX Working Group: Internet X.509 PKI Disaster Recovery and Key Rollover, Internet-Draft, June, 2007.

[PKIX-TAF08] R. Housley, S. Ashmore, C. Wallace: Trust Anchor Format. draft-ietf-pkix-ta-format-00, October 6, 2008. (Internet Draft describing work in progress, expiring April 9, 2009). http://www.ietf.org/internet-drafts/draft-ietf-pkix-ta-format-00.txt

[PKIX-TAMP08] R. Housley, S. Ashmore, C. Wallace: Trust Anchor Management Protocol (TAMP). draft-ietf-pkix-tamp-00, October 6, 2008. (Internet Draft describing work in progress, expiring April 9, 2009). http://www.ietf.org/internet-drafts/draft-ietf-pkix-tamp-00.txt

[prTS 15480] CEN: prTS 15480 European Citizen Card, Part 1: Physical, electrical and transport protocol characteristics, Part 2: Logical data structures and card services, Part 3 (preliminary): ECC Interoperability using an application interface, Part 4 (preliminary): Recommendations for ECC issuance, operation and use.

[RFC 4810] C. Wallace, U. Pordesch, R. Brandner: Long-Term Archive Service Requirements. RFC 4810, March, 2007.

[RFC 4998] T. Gondrom, R. Brandner, U. Pordesch: Evidence Record Syntax (ERS). RFC 4998, August, 2007.

[RFC 5276] C. Wallace: Using the Server-Based Certificate Validation Protocol (SCVP) to Convey Long-Term Evidence Records. RFC 5276, August, 2008.

[SINA07] SINA System Architecture. White Paper, Version 2.1, January 2007. http://www.secunet.com/fileadmin/Downloads/Englisch/Sonstiges/SINA_Whitepaper_engl_2.1_January_2007_FINAL.pdf

[Serpent00] R. Anderson, E. Biham, and L. Knudsen. Serpent. www.cl.cam.ac.uk/~rja14/serpent.html


[Shamir03] A. Shamir, E. Tromer: On the cost of factoring RSA-1024. RSA CryptoBytes, vol. 6 no. 2, pp 10-19, 2003.

[SigAlg08] Federal Network Agency: Notification in Accordance with the Electronic Signatures Act and the Electronic Signatures Ordinance (Overview of Suitable Algorithms), published February 5, 2008.

[SigG01] Electronic Signature Act, Law Governing Framework Conditions for Electronic Signatures and Amending Other Regulations (Gesetz über Rahmenbedingungen für elektronische Signaturen und zur Änderung weiterer Vorschriften), Bundesgesetzblatt Nr. 22, 2001, p. 876.

[SigV01] Ordinance on Electronic Signatures (Verordnung zur elektronischen Signatur – SigV), 2001, Bundesgesetzblatt Nr. 509, 2001, p. 3074.

[Swe03] Electronic Communication Act. Swedish Ministry of Enterprise, Energy and Communication, 2003. http://www.sweden.gov.se/sb/d/2025/a/18454

[Strenzke08] F. Strenzke, E. T., H. G. Molter, R. Overbeck, A. Shoufan: Side Channels in the McEliece PKC, in: J. Buchmann and J. Ding (Eds.): PQCrypto 2008, LNCS 5299, pp. 216–229, Springer-Verlag, 2008

[TS102231] ETSI Technical Specification TS 102231 – Provision of harmonized Trust Service Provider (TSP) status information, V2.1.1, March, 2006

[Twofish98] B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall, and N. Ferguson. Twofish: A 128-Bit Block Cipher. www.schneier.com/paper-twofish-paper.html.

[VAHTI06] Electronic mail-handling instruction for state government. VAHTI, February, 2006. http://www.vm.fi/vm/fi/04_julkaisut_ja_asiakirjat/01_julkaisut/05_valtionhallinnon_tietoturvallisuus/20060622Electr/name.jsp

[Wang05] X. Wang, Y. L. Yin, H. Yu: Finding Collisions in the Full SHA-1. In: Shoup, V. (Ed.), Advances in Cryptology - CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer-Verlag, 2005.

[XMLEnc] XML Encryption Syntax and Processing, W3C Recommendation, December 10, 2002.


Appendix A: Contact Information and Links

Table 7: International Links

ORGANIZATION OR TOPIC | LINK
IETF Internet Engineering Task Force | http://www.ietf.org/
ISO International Standardization Organization | http://www.iso.org
ITU International Telecommunication Union | http://www.itu.int/home

Table 8: European Links

ORGANIZATION OR TOPIC | LINK
7th Framework Program - Capacities | http://cordis.europa.eu/fp7/capacities/home_en.html
CEN Comité Européen de Normalisation | http://www.cen.eu
CORDIS Community Research and Development Information Service, European Innovation Portal | http://cordis.europa.eu/en/home.html, http://cordis.europa.eu/innovation/en/home.html
ENISA European Network and Information Security Agency | http://www.enisa.europa.eu/
EU Gateway to Japan | http://www.gatewaytojapan.org
ERA European Research Area | http://ec.europa.eu/research/era/index_en.html
EUROSMART Association | http://www.eurosmart.com
IDABC Interoperable Delivery of European eGovernment Services to public Administrations, Businesses and Citizens | http://ec.europa.eu/idabc/en/home
Innovation Relay Center IRC Network | http://irc.cordis.lu/, http://www.ircnet.lu/, http://www.innovationrelay.net/
IST Information Society Technologies | http://cordis.europa.eu/ist/
Joint Research Centre | http://www.jrc.ec.europa.eu


Table 9: Contact Information about European Organisations

ORGANIZATION | PHONE | FAX | ADDRESS / E-MAIL
CEN Comité Européen de Normalisation | +32 2 550 08 11 | +32 2 550 08 19 | CEN, Avenue Marnix 17, B-1000 Brussels, [email protected]
ENISA European Network and Information Security Agency | +30 28 1039 1280 | +30 28 1039 1410 | ENISA - European Network and Information Security Agency, PO Box 1309, 710 01 Heraklion, Greece, [email protected]
EU Gateway to Japan | +32 2 282 08 70 | +32 2 230 00 38 | [email protected]
EUROSMART | +32 2 506 88 38 | +32 2 506 88 25 | Rue du Luxembourg 19-21, B-1000 Brussels, [email protected]
Joint Research Centre JRC | +32 2 2957624 | +32 2 2996322 | Joint Research Centre, Internal and External Communication Unit, SDME 10/78, B-1049 Brussels, [email protected]

Table 10: French Links

ORGANIZATION OR TOPIC | LINK
AFNOR Standardization Body | http://www.afnor.fr/portail.asp
DCSSI Central Information Systems Security Division | http://www.ssi.gouv.fr/en/dcssi/index.html
Juriscom.net Droit des Technologies de l'information | http://www.juriscom.net/

Table 11: Contact Information about French Organisations

ORGANIZATION | PHONE | FAX | ADDRESS / E-MAIL
AFNOR Association Française de NORmalisation | +33 1 42 91 5555 | +33 1 42 91 5656 | Tour Europe, 92049 Paris La Défense Cedex 7
SGDN/DCSSI Communication unit | +33 1 71 75 84 04 | +33 1 71 75 84 00 | 51 bd de la Tour Maubourg, 75700 PARIS 07 SP, [email protected]

Table 12: Belgian and Dutch Links

ORGANIZATION OR TOPIC | LINK
CWI Centrum Wiskunde & Informatica | http://www.cwi.nl
TNO Nederlandse Organisatie voor Toegepast Natuurwetenschappelijk Onderzoek | http://www.tno.nl
COSIC Computer Security and Industrial Cryptography Group (K. U. Leuven) | http://www.esat.kuleuven.be/scd/index.php?view=2

Table 13: Contact Information about Belgian and Dutch Organisations

ORGANIZATION | PHONE | FAX | ADDRESS / E-MAIL
COSIC K.U.Leuven, ESAT/SCD | +32-16-321050 | +32-16-321969 | Kasteelpark Arenberg 10, bus 2446, B-3001 Leuven-Heverlee, Belgium, [email protected]
CWI Centrum Wiskunde & Informatica | +31 20 592 9333 | +31 20 592 4199 | CWI, Science Park 123, NL-1090 GB Amsterdam, Netherlands, [email protected]


Table 14: German Links

ORGANIZATION OR TOPIC | LINK
BITKOM IT Industry Organization | http://www.bitkom.org/
BSI Federal Office for Information Security, GER | http://www.bsi.bund.de/
FlexSecure GmbH | http://www.flexsecure.de/
Giesecke & Devrient (G&D) | http://www.gi-de.com
Provet Projektgruppe verfassungsverträgliche Technikgestaltung | http://www.provet.org/
SAP AG | http://www.sap.com
Secunet Security Networks AG | http://www.secunet.com
TeleTrusT Deutschland e.V. | http://www.teletrust.de
TUD Technical University of Darmstadt (Cryptology Working Group) | http://www.cdc.informatik.tu-darmstadt.de/kontakt.html
Virtual Forge GmbH | http://www.virtualforge.de/

Table 15: Contact Information about German Organisations and Enterprises

ORGANIZATION | PHONE | FAX | ADDRESS / E-MAIL
BSI Federal Office for Information Security | +49 228 9582 141 | +49 228 9582 455 | P.O. Box 200363, D-53133 Bonn
Federal Network Agency | +49 228 14-0 | +49 228 148872 | [email protected]
FlexSecure GmbH | +49 6151 50 12 3-0 | +49 6151 50 12 3-19 | FlexSecure GmbH, Industriestraße 12, D-64297 Darmstadt, [email protected]
Giesecke & Devrient (G&D) | +49 89 4119-0 | +49 89 4119-1535 | Giesecke & Devrient GmbH, Prinzregentenstraße 159, D-81677 München
SAP AG | +49 6227 / 7-47474 | +49 6227 / 7-57575 | SAP AG, Dietmar-Hopp-Allee 16, D-69190 Walldorf
SECUDE IT Security GmbH | +49 61 51-8 28 97-0 | +49 61 51-8 28 97-26 | SECUDE IT Security GmbH, Goebelstrasse 21, D-64293 Darmstadt, [email protected]
secunet Security Networks AG | +49 201 5454-0 | +49 201 5454-123 | secunet Security Networks AG, Kronprinzenstr. 30, D-45128 Essen, [email protected]
TeleTrusT Deutschland e.V. | +49 361 3460 531 | +49 361 3453 957 | TeleTrusT Deutschland e.V., Chamissostraße 11, D-99096, [email protected]
Technical University of Darmstadt (TUD) | +49 6151 16-4889 | +49 6151 16-6036 | TUD Department of Computer Science, Working Group Cryptography and Computer Algebra, Hochschulstraße 10, D-64289 Darmstadt
Virtual Forge GmbH | +49 6221 - 86 89 0-0 | +49 6221 - 86 89 0-11 | Virtual Forge GmbH, Speyerer Straße 6, D-69115 Heidelberg, [email protected]


Table 16: United Kingdom Links

ORGANIZATION OR TOPIC | LINK
BERR British Department for Business, Enterprise and Regulatory Reform | http://www.berr.gov.uk/
BSI British Standards Institute | http://www.bsi-global.com
CESG Communications-Electronics Security Group | http://www.cesg.gov.uk
DIUS Department for Innovation, University and Skills | http://www.dius.gov.uk/

Table 17: Contact Information about Organisations in the United Kingdom

ORGANIZATION | PHONE | FAX | ADDRESS / E-MAIL
BSI British Standards, Customer Services | +44 20 8996 9001 | +44 20 8996 7001 | 389 Chiswick High Road, London W4 4AL, United Kingdom, [email protected]
CESG Communications Electronics Security Group (Fast Track Assessment Portal, CAPS Policy) | +44 1242 221491 ext 39365 | +44 1242 221491 ext 39365 | Hubble Road, Cheltenham, Gloucestershire GL51 0EX, UK, [email protected], [email protected]@cesg.gsi.gov.uk, [email protected]

Table 18: Scandinavian Links

ORGANIZATION OR TOPIC | LINK
FICORA Finnish Communications Regulatory Authority | http://www.ficora.fi/en/index.html
Finnish Ministry of Finance | http://www.vm.fi/vm/en/02_ministry/index.jsp
Norwegian Ministry of Trade and Industry | http://www.regjeringen.no/en/dep/nhd.html?id=709
SWEDAC Swedish Board for Accreditation and Conformity Assessment | http://www.swedac.se/sdd/System.nsf/(GUIview)/index_english.html
Government Offices of Sweden | http://www.sweden.gov.se/

Table 19: Contact Information about Organisations in Scandinavia

ORGANIZATION | PHONE | FAX | ADDRESS / E-MAIL
Finnish Ministry of Finance | +358 9 160 01 | +358 9 160 33123 | Snellmaninkatu 1 A, Helsinki, PO Box 28, FIN-00023 GOVERNMENT, Finland, [email protected]
FICORA Finnish Communications Regulatory Authority | +358 9 69 661 | +358 9 6966 410 | Itämerenkatu 3 A, P.O. Box 313, 00181 HELSINKI, Finland, [email protected]
Norwegian Ministry of Trade and Industry | +47 22 24 90 90 | (not given) | P.O. Box 8014 Dep, 0030 Oslo, Norway, [email protected]
SWEDAC Swedish Board for Accreditation and Conformity Assessment | +46 8-406 83 00 | +46 8-791 89 29 | Box 2231, 103 15 Stockholm, Sweden, [email protected]
Swedish Ministry of Enterprise, Energy and Communications | +46 8 405 10 00 | +46 8 411 36 16 | Mäster Samuelsgatan 70, 103 33 Stockholm, Sweden