It will be possible to communicate wirelessly with the electronic ID cards, which will be available from November 2010. In order to ensure the data stored on the ID card cannot be accessed by any unauthorized persons, the PACE encryption procedure, which was developed by the BSI, will be used when the initial connection is established. With the PACE procedure, a PIN needs entering before the ID card and the scanner can negotiate a cryptographic key, which is then used to establish a secure connection.

The latest results of the researchers, regarding the PACE procedure, prove that the keys generated during the negotiation process are secure. This even applies in environments where an attacker establishes communication with multiple ID cards and scanners at the same time. “Establishing complete proof of security for such an encryption procedure is very complex and can only be provided in rare cases”, explained Fischlin. The famous cryptologist went on to say that “no such proof exists for the SSL/TLS procedure, for example, which is commonly used nowadays for secure online banking”.

In contrast to other more common security procedures, PACE does not require a so-called public key infrastructure (PKI), a networked computer system that is used for generating, distributing and checking digital keys. This means a wireless connection can be established quickly between the chip and the scanner, even without an Internet connection.

It is envisaged that PACE will also be used for checking electronic passports in future and will replace the so-called Basic Access Control (BAC) procedure, which is used for protecting less sensitive passport and personal data, such as the date of birth or size. This data can also be retrieved directly from the passport when scanned. Although the BAC procedure can prevent passport data from being “passively heard” or retrieved by attackers under realistic conditions, the encryption used when transferring the information is comparatively weak. PACE will therefore provide a secure alternative in the future.

Conclusion: PACE will enable data to be transferred between the chip and scanner in an extremely secure and fast manner. The utilization of PACE together with the well-established PKI-based Extended Access Control (EAC), offers maximum cryptographic security while providing individual control of access rights, which is required, for example, with online identification systems for Internet or eGovernment services.

The details of the proof of security will be presented during the Information Security Conference 2009 and published by the ‘Springer-Verlag’.

Contacts

CASED

Technical Information
Dr. Marc Fischlin
marc.fischlincased.de
www.fischlin.de

Dr. Marc Fischlin is Principal Investigator at CASED and heads the ‘Emmy Noether-Nachwuchsgruppe’ (a program for promoting young researchers) - “Minimizing Cryptographic Assumptions (MiniCrypt)” - in the Computer Science Department of the Darmstadt University of Technology.

Press Contact BSI

Federal Office for Information Technology Security
PO Box 20 03 63, 53133 Bonn

Press office
Phone: +49 228 99 9582-5850
Email: pressebsi.bund.de
www.bsi.bund.de/cln_136/DE/Home/home_node.html