ePassports EAC Conformity & Interoperability Tests
Prague, September 7th - 12th 2008

Elliptic curve cryptography: a new era in ID applications

Why Asymmetric cryptography in ID applications?

All the major ID applications (ID cards, signature application, passport...) do rely on asymmetric cryptography. The symmetric cryptography can not be envisioned for these large scale usages. First of all, it requires an a priori unique identification of the card. As the use of contactless cards is getting more and more fashionable, it can not be envisioned as it would enable any attacker to uniquely identify a card holder by scanning a crowd. Moreover, the eService willing to communicate needs to possess the symmetric key to use. It may either request the services of on online HSM, which would provide all the cryptographic services needed to communicate with the microchip, or use the keys it stores in a secure storage area. It requires either a permanent online link to a cryptographic services provider and/or the diffusion of the cryptographic keys to all the e-Services. It mandates either a very constraining infrastructure design or, in the second case, introduces a major treat in the infrastructure as an attack on one eService would break all the system.

The Work achieved by the BIG: a step forward

Today, the main asymmetric cryptography used is the RSA, which proved its strength and efficiency. The work achieved by the BIG on the second generation of biometric passport (Extended Access Control) pushed forward another cryptography hardly used so far: the elliptic curve cryptography, together with the more common RSA. Several States have already chosen it for their biometric passport (Germany) while other is considering it very carefully.

Reasons for the deployment of Elliptic curve cryptography

Electronic passports, as all the ID applications have to be certified according the Common Criteria methodology and shall ensure their cryptographic mechanisms remains secure for their whole life (5 or 10 years depending on the state policy). The security level of the cryptography shall be carefully chosen prior to the passport issuance.

The level of security required for today’s passport issuance for RSA cryptography has a major impact on the performances of the passport. This phenomenon will be more and more pregnant as the demand for higher security level goes on. While the elliptic curve cryptography enables to address higher security level with a modest impact on the performances, the RSA is getting very costly in terms of time execution and type of components. Moreover, the elliptic curve cryptography offers other advantages: it is much more suitable for contactless uses. Its energy consumption is lower than the one required for the RSA cryptography for a given security level. Therefore, it is less sensitive to the distance between the reader and the passport, and to the external perturbations that may be present around the border control.

Consequence in the near future

The deployment of EAC passport based on elliptic curve cryptography in several European countries will lead to the development of the relevant PKI based on elliptic curve cryptography too. “Ready to use solutions” will be available on the market at reasonable costs, so that other applications would rely on it. One can guess that the electronic driving licence as well as some European ID cards may rely on it.

In a near future, the use of elliptic curve cryptography will push forward the use of the AES cryptography as well, as the triple DES commonly used today does not ensure a sufficient security level compared to the one provided by the elliptic curves. This step forward has already been envisioned by the NIST in its cryptographic catalogue called “Suite B”, in which Elliptic curve cryptography is only recommended with AES.

Open issues

Today, several issues are still remaining regarding the elliptic curve cryptography.

Both the e-Services and the personalization process of the chip require cryptographic services provided by so called HSM. Unfortunately, the HSM providers are not as advanced as the chip manufacturers. At the moment, very few HSM compatible with elliptic curve cryptography are available on the market. Moreover, in the same time, while FIPS certification was widely considered to be sufficient for HSM, common criteria certification are more and more requested, which is a big gap for the HSM manufacturer.

As for the RSA, there are no formal security proofs of the strength of the elliptic curves. Their strength is not proven.

Last but not least, the elliptic curve cryptography is a field for which lots of patents exist. Even though it is possible to realize software using elliptic curve cryptography, one to be very careful with patent that exist