Update with fixes from Konrad, proof references

jaseg 2025-05-26 17:28:49 +02:00
parent 46da9173c5
commit 2f0fc89b99
2 changed files with 134 additions and 80 deletions

paper.bib

@ -10,6 +10,33 @@
pagetotal = {1}
}
@article{abelsonKeysDoormats2015,
title = {Keys under Doormats},
author = {Abelson, Harold and Anderson, Ross and Bellovin, Steven M. and Benaloh, Josh and Blaze, Matt and Diffie, Whitfield "Whit" and Gilmore, John and Green, Matthew and Landau, Susan and Neumann, Peter G. and Rivest, Ronald L. and Schiller, Jeffrey I. and Schneier, Bruce and Specter, Michael A. and Weitzner, Daniel J.},
date = {2015-09-28},
journaltitle = {Commun. ACM},
volume = {58},
number = {10},
pages = {24--26},
issn = {0001-0782},
doi = {10.1145/2814825},
url = {https://dl.acm.org/doi/10.1145/2814825},
urldate = {2025-05-26},
abstract = {Mandating insecurity by requiring government access to all data and communications.},
file = {/home/jaseg/Sync/Research/Zotero/2015_Abelson et al_Keys under doormats.pdf}
}
@article{abelsonRisksKeyRecovery1997,
title = {The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption},
author = {Abelson, Hal and Anderson, Ross and Bellovin, Steven M. and Benalob, Josh and Blaze, Matt and Diffie, Whitfield and Gilmore, John and Neumann, Peter G. and Rivest, Ronald L. and Schiller, Jeffrey I. and Schneier, Bruce},
date = {1997-06-01},
journaltitle = {World Wide Web J.},
volume = {2},
number = {3},
pages = {241--257},
issn = {1085-2301}
}
@online{adhikariDonLookUbiquitous2022,
title = {Don't {{Look Up}}: {{Ubiquitous Data Exfiltration Pathways}} in {{Commercial Spaces}}},
shorttitle = {Don't {{Look Up}}},
@ -373,18 +400,15 @@
file = {/home/jaseg/Sync/Research/Zotero/Barooti et al_2023_Public-Key Encryption with Quantum Keys.pdf}
}
@article{barrettUSSuspectsHackers2015,
entrysubtype = {newspaper},
@online{barrettUSSuspectsHackers2015,
title = {U.{{S}}. {{Suspects Hackers}} in {{China Breached About}} 4 {{Million People}}s {{Records}}, {{Officials Say}}},
author = {Barrett, Devlin and Yadron, Danny and Paletta, Damian},
date = {2015-06-04T21:04:00Z},
journaltitle = {Wall Street Journal},
issn = {0099-9660},
url = {http://www.wsj.com/articles/u-s-suspects-hackers-in-china-behind-government-data-breach-sources-say-1433451888},
urldate = {2025-05-15},
abstract = {The Federal Bureau of Investigation is probing an apparently far-reaching penetration of data held by the Office of Personnel Management, in which the records of approximately four million individuals were compromised.},
journalsubtitle = {US},
langid = {american},
organization = {Wall Street Journal},
keywords = {Asia,Asia Pacific,BRICS Countries,C&E Executive News Filter,China,Content Types,courts,crime,Crime/Courts,cybercrime,Cybercrime/Hacking,Developing Economies,Eastern Asia,Emerging Market Countries,Factiva Filters,general news,Greater China,hacking,North America,OASN,OCHN,political,Political/General News,SYND,United States,US News},
file = {/home/jaseg/Zotero/storage/86GYMVME/u-s-suspects-hackers-in-china-behind-government-data-breach-sources-say-1433451888.html}
}
@ -1729,6 +1753,44 @@
file = {/home/jaseg/Zotero/storage/68BWJ8CR/Garb et al. - 2022 - The Wiretap Channel for Capacitive PUF-Based Secur.pdf}
}
@online{gematikSpezifikationAktensystemEPA2025,
title = {Spezifikation Aktensystem ePA für alle v1.4.1},
author = {{gematik}},
date = {2025-05-09},
url = {https://gemspec.gematik.de/docs/gemSpec/gemSpec_Aktensystem_ePAfueralle/latest/},
urldate = {2025-05-16},
langid = {ngerman},
file = {/home/jaseg/Zotero/storage/7UYIC2N4/latest.html}
}
@online{gematikSpezifikationSchluesselgenerierungsdienstEPA2023,
title = {Spezifikation Schlüsselgenerierungsdienst ePA v1.6.0},
author = {{gematik}},
date = {2023-03-31},
url = {https://gemspec.gematik.de/downloads/gemSpec/gemSpec_SGD_ePA/gemSpec_SGD_ePA_V1.6.0.pdf},
urldate = {2025-05-26},
langid = {ngerman},
file = {/home/jaseg/Zotero/storage/79DUVAQG/Spezifikation Schlüsselgenerierungsdienst ePA.pdf}
}
@online{gematikUbergreifendeSpezifikationVerwendung2024,
title = {Übergreifende {{Spezifikation Verwendung}} Kryptographischer {{Algorithmen}} in Der {{Telematikinfrastruktur}} v2.28.1},
author = {{gematik}},
date = {2024-02-23},
url = {https://gemspec.gematik.de/downloads/gemSpec/gemSpec_Krypt/gemSpec_Krypt_V2.28.1.html},
urldate = {2025-05-16},
file = {/home/jaseg/Zotero/storage/4G4DKG53/gemSpec_Krypt_V2.28.1.html}
}
@online{gematikUebergreifendeSpezifikationVerwendung2025,
title = {Übergreifende Spezifikation Verwendung kryptographischer Algorithmen in der Telematikinfrastruktur v2.40.0},
author = {{gematik}},
date = {2025-03-28},
url = {https://gemspec.gematik.de/downloads/gemSpec/gemSpec_Krypt/gemSpec_Krypt_V2.40.0.pdf},
langid = {ngerman},
file = {/home/jaseg/Zotero/storage/PTWL3X45/Übergreifende Spezifikation Verwendung kryptograph.pdf}
}
@software{GerbonaraToolsHandle,
title = {Gerbonara: {{Tools}} to Handle {{Gerber}} and {{Excellon}} Files in {{Python}}},
shorttitle = {Gerbonara},
@ -2684,6 +2746,18 @@
file = {/home/jaseg/Zotero/storage/4NYR9495/Koblah et al. - 2022 - Hardware Moving Target Defenses against Physical A.pdf}
}
@online{kochMoreMoreExperts2025,
title = {More and More Experts Warn against Electronic Patient Records},
author = {Koch, Marie-Claire},
date = {2025-01-10},
url = {https://www.heise.de/en/news/More-and-more-experts-warn-against-electronic-patient-records-10235907.html},
urldate = {2025-05-26},
abstract = {The electronic patient file is due to be launched in a few days, but more and more experts are advising against it or do not consider it advisable.},
langid = {english},
organization = {heise online},
file = {/home/jaseg/Zotero/storage/XQRRKELL/More-and-more-experts-warn-against-electronic-patient-records-10235907.html}
}
@inproceedings{kodwaniSecurityKeyDerivation2021,
title = {On {{Security}} of {{Key Derivation Functions}} in {{Password-based Cryptography}}},
booktitle = {2021 {{IEEE International Conference}} on {{Cyber Security}} and {{Resilience}} ({{CSR}})},
@ -5137,16 +5211,6 @@ Archive 2: https://web.archive.org/web/20250510104017/https://de.linkedin.com/pu
file = {/home/jaseg/Sync/Research/Zotero/2021_Sozio et al_Patchable Hardware Security Module (PHaSM) for Extending FPGA Root-of-Trust.pdf;/home/jaseg/Zotero/storage/D5BLNRV7/9707698.html}
}
@standard{SpezifikationAktensystemEPA,
title = {Spezifikation Aktensystem ePA für alle},
url = {https://gemspec.gematik.de/docs/gemSpec/gemSpec_Aktensystem_ePAfueralle/latest/},
urldate = {2025-05-16},
langid = {ngerman},
pubstate = {2025-05-09},
version = {1.4.1`},
file = {/home/jaseg/Zotero/storage/7UYIC2N4/latest.html}
}
@standard{SpezifikationFachmodulEPA2023,
title = {Spezifikation Fachmodul ePA},
date = {2023-04-03},
@ -5155,14 +5219,6 @@ Archive 2: https://web.archive.org/web/20250510104017/https://de.linkedin.com/pu
file = {/home/jaseg/Zotero/storage/J79W78KS/Spezifikation Fachmodul ePA.pdf}
}
@standard{SpezifikationSchluesselgenerierungsdienstEPA2023,
title = {Spezifikation Schlüsselgenerierungsdienst ePA},
date = {2023-03-31},
langid = {ngerman},
version = {1.6.0},
file = {/home/jaseg/Zotero/storage/79DUVAQG/Spezifikation Schlüsselgenerierungsdienst ePA.pdf}
}
@article{sproHighVoltageInsulationDesign2021,
title = {High-{{Voltage Insulation Design}} of {{Coreless}}, {{Planar PCB Transformers}} for {{Multi-MHz Power Supplies}}},
author = {Spro, Ole Christian and Mauseth, Frank and Peftitsis, Dimosthenis},
@ -5458,23 +5514,6 @@ Archive 2: https://web.archive.org/web/20250510104017/https://de.linkedin.com/pu
file = {/home/jaseg/Sync/Research/Zotero/Tyagi et al_Orca.pdf}
}
@standard{UbergreifendeSpezifikationVerwendung2024,
title = {Übergreifende {{Spezifikation Verwendung}} Kryptographischer {{Algorithmen}} in Der {{Telematikinfrastruktur}}},
date = {2024-02-23},
url = {https://gemspec.gematik.de/downloads/gemSpec/gemSpec_Krypt/gemSpec_Krypt_V2.28.1.html},
urldate = {2025-05-16},
version = {2.28.1},
file = {/home/jaseg/Zotero/storage/4G4DKG53/gemSpec_Krypt_V2.28.1.html}
}
@standard{UebergreifendeSpezifikationVerwendung,
title = {Übergreifende Spezifikation Verwendung kryptographischer Algorithmen in der Telematikinfrastruktur},
langid = {ngerman},
pubstate = {2025-03-28},
version = {2.40.0},
file = {/home/jaseg/Zotero/storage/PTWL3X45/Übergreifende Spezifikation Verwendung kryptograph.pdf}
}
@report{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002,
title = {Security {{Requirements}} for {{Cryptographic Modules}}},
author = {{(US) National Institute of Standards and Technology}},
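Review bot: The two new Krypt-specification entries, gematikUbergreifendeSpezifikationVerwendung2024 and gematikUebergreifendeSpezifikationVerwendung2025, transliterate the same title word differently in their keys and disagree on fields for no evident reason: the 2024 entry has `urldate` but no `langid` and an auto-title-cased title (`Kryptographischer {{Algorithmen}} in Der`), while the 2025 entry has `langid = {ngerman}` but no `urldate`. All four gematik entries now bake the version into `title` ("v1.4.1", "v2.28.1", ...) although the replaced @standard entries carried it in the biblatex `version` field; I would restore that, e.g. `title = {Übergreifende Spezifikation Verwendung kryptographischer Algorithmen in der Telematikinfrastruktur}` with `version = {2.40.0}`, use one key spelling for both Krypt entries, and add `urldate` to the 2025 one. In abelsonRisksKeyRecovery1997, `Benalob, Josh` looks like a typo for `Benaloh, Josh`, the spelling used in abelsonKeysDoormats2015. Retyping barrettUSSuspectsHackers2015 to @online leaves `journaltitle`, `journalsubtitle` and `issn` next to the new `organization = {Wall Street Journal}`; Biber's datamodel validation would likely report those fields as invalid for @online, so I would drop them or keep only `organization`.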


@ -24,6 +24,16 @@
\usepackage{hyperref}
\usepackage{makecell}
\DeclareSourcemap{
\maps[datatype=bibtex, overwrite=true]{
\map{
\step[fieldsource=url, final]
\step[fieldsource=institution, fieldtarget=organization]
\step[typesource=report, typetarget=online]
}
}
}
\DeclareSIUnit{\baud}{Bd}
\DeclareSIUnit{\year}{a}
\DeclareSIUnit{\rpm}{rpm}
@ -45,15 +55,16 @@
\begin{abstract}
Germany is currently rolling out an opt-out, nation-scale database of the medical records of the majority of its
population, with low-income people being over-represented in the system's user base. While there has been
population, with low-income people being disproportionally represented among its users. While there has been
considerable criticism of the system coming from civil society, independent academic analysis of the system by the
cryptography and information security community has been largely non-existent. In this paper, we want to raise
awareness of the system's existance, and based on the system's public specifications, we want to highlight some
moderately spicy cryptographic engineering decisions. In particular, most sensitive, long-term user keys in the
system are derived by an unsophisticated, home-grown centralized key escrow system from a per-use salt and only 256
bit of entropy shared globally across millions of users. Physically, only the insecure level 3 of the obsolete FIPS
140-2 security standard (requiring ``hard, opaque potting'' but no active tamper sensing) is required in the
system's standardization, leaving it open to attacks by nation-state and other well-funded adversaries.
cryptography and information security community has been largely absent. In this paper, we aim to raise awareness of
the system's existence and, based on the system's public specifications, highlight several concerning cryptographic
engineering decisions. Our core observations is that the system's most sensitive long-term user keys are derived by
a rudimentary, home-grown centralized key escrow mechanism. This mechanism relies on a per-use salt and only 256 bit
of entropy, shared globally across millions of users. Furthermore, the system's specification mandates only Level 3
compliance with the obsolete FIPS 140-2 security standard, which requires ``hard, opaque potting'', but lacks active
tamper sensing. As a result, the system remains vulnerable to attacks by nation states and other well-funded
adversaries.
\end{abstract}
\section{Introduction}
@ -66,8 +77,8 @@ patient's medical records. Data in scope for the system includes medical letters
imaging files.
Due to Germany's mandatory health insurace laws, the system's user base encompasses the majority of all German
residents. People who have replaced their public health insurance with private insurance are not (yet) subject to the
system. In Germany, by law private health insurance is only available to people from the top 10th percentile of
residents. People who have replaced their public health insurance with private insurance currently are not subject to
the system. In Germany, by law private health insurance is only available to people from the top 10th percentile of
household income. This means that the system disproportionally affects people who have low income, creating an equity
issue. While it is possible to opt out from the use of the system, the process of opting out is difficult. Additionally,
both the government through advertising campaigns and health insurance providers have publically depicted the system in
@ -76,20 +87,19 @@ comprehensive understanding of the system's benefits and risks that would be nec
opting out.
While there has been loud criticism of the system's security from civil society organizations such as digital rights
nonprofit organization Chaos Commputer Club (CCC) and several severe security flaws have been demonstrated practically,
this criticism has largely been ignored by the political structures in charge. We observe that despite this civil
society outrage and the system's large scale, it has received little attention from the academic cryptography and
information security community.
nonprofit organization Chaos Commputer Club (CCC) \cite{kochMoreMoreExperts2025} and several severe security flaws have
been demonstrated practically, this criticism has largely been ignored by the political structures in charge. We observe
that despite this civil society outrage and the system's large scale, it has received little attention from the academic
cryptography and information security community.
In this paper, we wish to point out some spicy cryptographic engineering decisions in the system. In particular, we
point out that the system's core per-user secrets are kept in an unsophisticateed key escrow system whose security is
based on engineering assumptions, not on cryptographic principles. Furthermore, we observe that by specification, the
individual user keys of the system are derived from a per-user cleartext salt based a system-wide long-term
secret with only 256 bits of entropy\footnote{
% FIXME reference
In this paper, we aim to point out some perplexing cryptographic engineering decisions in the system. In particular, we
point out that the system's core per-user secrets are kept in a rudimentary key escrow system whose security is based on
engineering assumptions, not on cryptographic principles. Furthermore, we observe that by specification, the individual
user keys of the system are derived from a per-user cleartext salt based on a system-wide long-term secret with only 256
bits of entropy\footnote{
In previous versions of the standard \cite{
SpezifikationSchluesselgenerierungsdienstEPA2023,
UbergreifendeSpezifikationVerwendung2024
gematikSpezifikationSchluesselgenerierungsdienstEPA2023,
gematikUebergreifendeSpezifikationVerwendung2025,
}, there were two escrow services, with both keys used in layers to reduce the risk of a compromise of either one.
The current standard only requires one escrow service, and drops the entropy requirement of the root keys from 512
bit to 256 bit.
@ -98,8 +108,8 @@ highly sensitive secret is a ``hard, opaque potting material'', with no tamper d
We base our analysis on the system's publicly available standards in their latest version as of writing of this paper in
April 2025, describing version 3.0 of the healthcare record system \cite{
UebergreifendeSpezifikationVerwendung,
SpezifikationAktensystemEPA
gematikSpezifikationAktensystemEPA2025,
gematikUbergreifendeSpezifikationVerwendung2024,
}. We note that the implementation might well deviate from these standards and be more secure - however, with the
system's history of flaws, we believe that is unlikely to be the case and the reference implementation provided by the
specification authority \cite{GithubRepositoryERPFD} follows the standards' minimum requirements closely. As of now,
@ -147,8 +157,8 @@ dimension of the key escrow service used in an older version of the standard, an
\textcite{slanySicherheitsanalyseZurSicherheit2020} approaches the system at a higher level, and focuses on the
cryptography of the inner protocol layers spoken between the system's components. Industry research organization
Fraunhofer SIT were comissioned for a structured, theoretical assessment of attack paths to the
system\cite{fraunhofersitAbschlussberichtSicherheitsanalyseGesamtsystems2024}. We are not currently aware of independent
academic security research on the system.
system \cite{fraunhofersitAbschlussberichtSicherheitsanalyseGesamtsystems2024}. We are not currently aware of
independent academic security research on the system.
The design and operation of the system have been independently described in detail by civil society activists, who have
demonstrated several successful attacks on the system. \textcite{tschirsichHackerHinOder0100} demonstrated how they
@ -156,9 +166,9 @@ could trivially acquire each of the smartcards as well as the Konnektor necessar
\textcite{tschirsichKonnteBisherNoch0100} summarize the history of attacks demonstrated on the system and show multiple
practical attacks on various parts of the system's implementation.
\section{Interesting Cryptographic Engineering Choices}
\section{Concerning Cryptographic Engineering Choices}
In this paper, we wish to highlight some of the design choices in the system that we believe stray from current best
In this paper, we aim to highlight some of the design choices in the system that we believe stray from current best
practice. This is by no means an exhaustive list, and is only meant to underscore why we believe the system deserves
more scrutiny.
@ -170,8 +180,13 @@ centralized security risk. The system's designers made this decision since it wa
encrypted record can be restored quickly after an insurance ID card is lost, without requiring cooperation of the
healthcare providers holding the primary copies of the person's medical records.
While key escrow services have been a topic of political debate in decades past, today, consensus generally is that they
are a bad idea since they pose a centralized target for attack, and increase the damage of a single attack.
While key escrow services have been a topic of political debate in decades past, in the cryptographic community,
consensus generally is that they are a bad idea since they pose a centralized target for attack, and increase attack
surface \cite{
abelsonRisksKeyRecovery1997,
abelsonKeysDoormats2015,
andersonSecurityEngineeringGuide2020,
}.
\subsection{Cryptographic Design}
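Review bot: The two Krypt-specification citation keys appear swapped between the footnote and the "latest version" sentence: the footnote about previous versions of the standard now cites gematikUebergreifendeSpezifikationVerwendung2025 (v2.40.0, dated 2025-03-28 in paper.bib), while the sentence describing the standards "in their latest version as of writing ... April 2025" cites gematikUbergreifendeSpezifikationVerwendung2024 (v2.28.1, dated 2024-02-23). The removed keys had it the other way round (UbergreifendeSpezifikationVerwendung2024 in the footnote, UebergreifendeSpezifikationVerwendung in the latest-version cite), so I would exchange the two lines: `gematikUbergreifendeSpezifikationVerwendung2024,` in the footnote and `gematikUebergreifendeSpezifikationVerwendung2025,` after gematikSpezifikationAktensystemEPA2025. The rewritten abstract has a number-agreement slip, `Our core observations is` should read `Our core observation is`, and the reflowed introduction paragraph keeps the misspelling `Chaos Commputer Club`. Both edited \cite lists end with a comma before the closing brace; if that yields an empty-key warning in this setup, drop it.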