Text mostly done

This commit is contained in:
jaseg 2025-05-15 17:45:38 +02:00
parent 3f1f1aacaf
commit 9863ed460e
2 changed files with 267 additions and 45 deletions

121
paper.bib

@ -1594,6 +1594,17 @@
keywords = {twisted-inductors}
}
@report{fischlinKryptographischeAnalyseSpezifikation2021,
title = {Kryptographische Analyse Spezifikation Schlüsselgenerierungsdienst ePA},
author = {Fischlin, Marc},
date = {2021-12},
institution = {Technische Universität Darmstadt},
url = {https://www.gematik.de/media/erezept/SGD_Analyse_2021.pdf},
urldate = {2025-05-15},
langid = {german},
file = {/home/jaseg/Zotero/storage/E6VVYUK5/SGD_Analyse_2021.pdf}
}
@book{flemingPrinciplesElectricWave1910,
title = {The {{Principles}} of {{Electric Wave Telegraphy}} and {{Telephony}}},
author = {Fleming, J. A.},
@ -2359,6 +2370,17 @@
file = {/home/jaseg/Zotero/storage/K9YRK595/Implementation Security of Quantum Cryptography - .pdf}
}
@online{ISOIEC19790,
title = {{{ISO}}/{{IEC}} 19790:2025},
shorttitle = {{{ISO}}/{{IEC}} 19790},
url = {https://www.iso.org/standard/82423.html},
urldate = {2025-05-15},
abstract = {Information security, cybersecurity and privacy protection — Security requirements for cryptographic modules},
langid = {english},
organization = {ISO},
file = {/home/jaseg/Zotero/storage/CVBBSX3N/82423.html}
}
@online{ISOIEC24759,
title = {{{ISO}}/{{IEC}} 24759:2025},
shorttitle = {{{ISO}}/{{IEC}} 24759},
@ -3512,6 +3534,14 @@
file = {/home/jaseg/Zotero/storage/AM4Q8Y76/Mohan et al. - 1999 - Simple accurate expressions for planar spiral indu.pdf}
}
@online{molexMolexSilverFlexible,
title = {Molex {{Silver Flexible Circuit Solutions}}},
author = {{Molex}},
url = {https://my.avnet.com/wcm/connect/d5fa4b27-de81-4aac-9bcb-cff3844b9eb3/Silver-Flexible-Circuit-Solutions-Brochure-EN-Brochure.pdf?MOD=AJPERES&CVID=oMyo8ki},
urldate = {2025-05-07},
file = {/home/jaseg/Zotero/storage/SY87W3RX/Silver-Flexible-Circuit-Solutions-Brochure-EN-Brochure.pdf}
}
@inproceedings{monfaredLeakyOhmSecretBits2023,
title = {{{LeakyOhm}}: {{Secret Bits Extraction}} Using {{Impedance Analysis}}},
shorttitle = {{{LeakyOhm}}},
@ -4212,6 +4242,12 @@
file = {/home/jaseg/Zotero/storage/RLBAU32H/Patra et al. - ABY2.0 Improved Mixed-Protocol Secure Two-Party C.pdf}
}
@article{PavingWayFull,
title = {Paving the {{Way}} to {{Full Security}} in {{eHealth}} {{Ensuring}} Complete Security for Digital Data, Connected Environments and Devices in {{eHealth}}},
langid = {english},
file = {/home/jaseg/Zotero/storage/CCJFZZ34/Paving the Way to Full Security in eHealth Ensur.pdf}
}
@standard{pcisecuritystandardscouncilPaymentCardIndustry2021,
title = {Payment {{Card Industry PIN Transaction Security Hardware Security Module Modular Security Requirements}}},
author = {{PCI Security Standards Council}},
@ -4923,6 +4959,29 @@
file = {/home/jaseg/Sync/Research/Zotero/2018_Skorobogatov_Hardware Security Implications of Reliability, Remanence, and Recovery in.pdf}
}
@report{slanySicherheitsanalyseZurSicherheit2020,
title = {Sicherheitsanalyse zur Sicherheit der kritischen Komponenten der elektronischen Patientenakte nach §291a SGB V},
author = {Slany, Wolfgang},
date = {2020-03},
institution = {Technische Universität Graz},
url = {https://www.gematik.de/media/gematik/Medien/Newsroom/Presse/Dokumente/Sicherheitsanalyse_TU_Graz_zur_ePA_mit_Vorwort_der_gematik.pdf},
urldate = {2025-05-15},
langid = {german},
file = {/home/jaseg/Zotero/storage/SVMJG2SZ/Sicherheitsanalyse_TU_Graz_zur_ePA_mit_Vorwort_der_gematik.pdf}
}
@online{SmaugDracheUnd,
title = {Smaug, der Drache, und die ePA: Ein zentraler Schlüsselgenerierungsdienst, ein zentrales Risiko},
shorttitle = {Smaug, der Drache, und die ePA},
url = {https://de.linkedin.com/pulse/smaug-der-drache-und-die-epa-ein-zentraler-zentrales-risiko-block-vh3ue},
urldate = {2025-05-10},
abstract = {Stell Dir vor, wir befinden uns in Tolkiens Welt von Der Hobbit: Smaug, der mächtige Drache, liegt auf einem Berg aus Gold, überzeugt davon, dass er unbesiegbar ist. Doch in seiner scheinbar uneinnehmbaren Festung gibt es eine winzige Schwachstelle eine kleine Stelle in seinem Panzer.},
langid = {ngerman},
annotation = {Archive 1: https://archive.is/PVJO8\\
Archive 2: https://web.archive.org/web/20250510104017/https://de.linkedin.com/pulse/smaug-der-drache-und-die-epa-ein-zentraler-zentrales-risiko-block-vh3ue},
file = {/home/jaseg/Zotero/storage/FIPZSEGC/smaug-der-drache-und-die-epa-ein-zentraler-zentrales-risiko-block-vh3ue.html}
}
@article{smithDesignOptimizationVoice2015,
title = {Design and {{Optimization}} of a {{Voice Coil Motor With}} a {{Rotary Actuator}} for an {{Ultrasound Scanner}}},
author = {Smith, Kristopher J. and Graham, David J. and Neasham, Jeffrey A.},
@ -5280,6 +5339,34 @@
file = {/home/jaseg/Zotero/storage/ZCJLJ7JB/6484979.html}
}
@video{tschirsichHackerHinOder0100,
entrysubtype = {video},
title = {"{{Hacker}} Hin Oder Her": {{Die}} Elektronische {{Patientenakte}} Kommt!},
shorttitle = {"{{Hacker}} Hin Oder Her"},
editor = {Tschirsich, Martin and Brodowski, cbro-Dr med Christian and Zilch, Dr André},
editortype = {director},
year = {01:00:00 +0100},
url = {https://media.ccc.de/v/36c3-10595-hacker_hin_oder_her_die_elektronische_patientenakte_kommt},
urldate = {2025-05-15},
abstract = {Herzstück der digitalen Gesundheitsversorgung für 73 Millionen Versicherte ist die hochsichere, kritische Telematik-Infrastruktur mit ber...},
langid = {english},
file = {/home/jaseg/Zotero/storage/XVJB3U43/36c3-10595-hacker_hin_oder_her_die_elektronische_patientenakte_kommt.html}
}
@video{tschirsichKonnteBisherNoch0100,
entrysubtype = {video},
title = {„{{Konnte}} Bisher Noch Nie Gehackt Werden“: {{Die}} Elektronische {{Patientenakte}} Kommt - Jetzt Für Alle!},
shorttitle = {„{{Konnte}} Bisher Noch Nie Gehackt Werden“},
editor = {Tschirsich, Martin and Kastl, Bianca},
editortype = {director},
year = {00:00:00 +0100},
url = {https://media.ccc.de/v/38c3-konnte-bisher-noch-nie-gehackt-werden-die-elektronische-patientenakte-kommt-jetzt-fr-alle},
urldate = {2025-05-15},
abstract = {In wenigen Wochen werden die Gesundheitsdaten von rund 73 Millionen in Deutschland Krankenversicherten ohne deren Zutun über Praxis- und ...},
langid = {english},
file = {/home/jaseg/Zotero/storage/FYNQN7QX/38c3-konnte-bisher-noch-nie-gehackt-werden-die-elektronische-patientenakte-kommt-jetzt-fr-alle.html}
}
@article{tyagiOrcaBlocklistingSenderAnonymous,
title = {Orca: {{Blocklisting}} in {{Sender-Anonymous Messaging}}},
author = {Tyagi, Nirvan and Len, Julia and Miers, Ian and Ristenpart, Thomas},
@ -5302,6 +5389,20 @@
file = {/home/jaseg/Sync/Research/Zotero/2002_Technology_Security Requirements for Cryptographic Modules.pdf}
}
@report{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2019,
title = {Security {{Requirements}} for {{Cryptographic Modules}}},
author = {{(US) National Institute of Standards and Technology}},
date = {2019-03-22},
number = {Federal Information Processing Standard (FIPS) 140-3},
institution = {U.S. Department of Commerce},
doi = {10.6028/NIST.FIPS.140-3},
url = {https://csrc.nist.gov/pubs/fips/140-3/final},
urldate = {2025-05-15},
abstract = {The selective application of technological and related procedural safeguards is an important responsibility of every federal organization in providing adequate security in its computer and telecommunication systems.~ ~This standard is applicable to all federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106 and the Federal Information Security Management Act of 2002, Public Law 107-347.~ This standard shall be used in designing and implementing cryptographic modules that federal departments and agencies operate or are operated for them under contract.~ The standard provides four increasing, qualitative levels of security intended to cover a wide range of potential applications and environments.~ The security requirements cover areas related to the secure design,...},
langid = {english},
file = {/home/jaseg/Sync/Research/Zotero/2019_Technology_Security Requirements for Cryptographic Modules.pdf}
}
@inproceedings{uzunCryptographicKeyDerivation2021,
title = {Cryptographic {{Key Derivation}} from {{Biometric Inferences}} for {{Remote Authentication}}},
booktitle = {Proceedings of the 2021 {{ACM Asia Conference}} on {{Computer}} and {{Communications Security}}},
@ -5664,6 +5765,26 @@
file = {/home/jaseg/Zotero/storage/S93U8AF3/Wang et al. - 2020 - Topological optimization of hybrid quantum key dis.pdf}
}
@article{wangTwinfieldQuantumKey2022,
title = {Twin-Field Quantum Key Distribution over 830-Km Fibre},
author = {Wang, Shuang and Yin, Zhen-Qiang and He, De-Yong and Chen, Wei and Wang, Rui-Qiang and Ye, Peng and Zhou, Yao and Fan-Yuan, Guan-Jie and Wang, Fang-Xiang and Chen, Wei and Zhu, Yong-Gang and Morozov, Pavel V. and Divochiy, Alexander V. and Zhou, Zheng and Guo, Guang-Can and Han, Zheng-Fu},
date = {2022-02},
journaltitle = {Nature Photonics},
shortjournal = {Nat. Photon.},
volume = {16},
number = {2},
pages = {154--161},
publisher = {Nature Publishing Group},
issn = {1749-4893},
doi = {10.1038/s41566-021-00928-2},
url = {https://www.nature.com/articles/s41566-021-00928-2},
urldate = {2025-05-08},
abstract = {Quantum key distribution (QKD) provides a promising solution for sharing information-theoretic secure keys between remote peers with physics-based protocols. According to the law of quantum physics, the photons carrying signals cannot be amplified or relayed via classical optical techniques to maintain quantum security. As a result, the transmission loss of the channel limits its achievable distance, and this has been a huge barrier towards building large-scale quantum-secure networks. Here we present an experimental QKD system that could tolerate a channel loss beyond 140\,dB and obtain a secure distance of 833.8\,km, setting a new record for fibre-based QKD. Furthermore, the optimized four-phase twin-field protocol and high-quality set-up make its secure key rate more than two orders of magnitude greater than previous records over similar distances. Our results mark a breakthrough towards building reliable and efficient terrestrial quantum-secure networks over a scale of 1,000\,km.},
langid = {english},
keywords = {Quantum information,Single photons and quantum effects},
file = {/home/jaseg/Zotero/storage/FCHS9D49/Wang et al. - 2022 - Twin-field quantum key distribution over 830-km fi.pdf}
}
@article{wegmanNewHashFunctions1981,
title = {New Hash Functions and Their Use in Authentication and Set Equality},
author = {Wegman, Mark N. and Carter, J.Lawrence},
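Review bot: The two new `@video` entries in the hunk at `@ -5280,6 +5339,34 @@` carry a time-of-day string in their `year` field (`year = {01:00:00 +0100}` and `year = {00:00:00 +0100}`), which Biber cannot parse as a date, so the labels and sort order derived from these entries will be wrong (the `0100` suffix in the generated citation keys already reflects the broken value). Replace each with the event date instead, e.g. `date = {2019-12}` for the 36C3 talk and `date = {2024-12}` for the 38C3 talk, after confirming against the media.ccc.de pages linked in `url`. In the same entries `langid = {english}` contradicts the German title and abstract; `langid = {ngerman}`, as already used in `SmaugDracheUnd`, gives correct hyphenation. The `editor` field of `tschirsichHackerHinOder0100` also contains a garbled name and academic titles (`Brodowski, cbro-Dr med Christian and Zilch, Dr André`) that should be reduced to plain `Last, First` form. Across all hunks the `file = {/home/jaseg/...}` fields are Zotero export residue that expose the local directory layout and are useless to other readers of the repository; consider stripping them on export.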

191
paper.tex

@ -36,39 +36,44 @@
\begin{document}
\author{Jan Sebastian Götte\inst{1} \and Björn Scheuermann\inst{2}}
\institute{Technical University of Darmstadt, Darmstadt, Germany, \email{research@jaseg.de}\and
Technical University of Darmstadt, Darmstadt, Germany, \email{bjoern.scheuermann@kom.tu-darmstadt.de}}
\title{Position Paper: Germany Is Rolling Out Nation-Scale Key Escrow And Nobody Is Talking About It}
\author{Jan Sebastian Götte\inst{1}}
\institute{Technical University of Darmstadt, Darmstadt, Germany, \email{research@jaseg.de}}
\title{Perspective Paper: Germany Is Rolling Out Nation-Scale Key Escrow And Nobody Is Talking About It}
\maketitle
\keywords{Physical Security\and Tamper Resistance\and Hardware Security Module
(HSM)\and Cryptography\and Governance\and Healthcare}
\begin{abstract}
Germany is currently rolling out a nation-scale database of the medical records of the majority of its population,
particularly of vulnerable people. While there has been considerable criticism of the system coming from civil
society, independent academic analysis of the system by the cryptography and information security community has been
largely non-existent. In this paper, we want to raise awareness of the system's existance, and we want to point out
a number of \emph{spicy} cryptographic engineering decisions: The most sensitive, long-term user keys in the system
are derived by a cryptographically primitive centralized key escrow system from a per-user cleartext salt and only
1024 bit of entropy shared across all users. Physically, only the insecure level 3 of the obsolete FIPS 140-2
security standard is required in the system's standardization, leaving it open to attacks by nation-state and other
well-funded adversaries.
Germany is currently rolling out an opt-out, nation-scale database of the medical records of the majority of its
population, with low-income people being over-represented in the system's user base. While there has been
considerable criticism of the system coming from civil society, independent academic analysis of the system by the
cryptography and information security community has been largely non-existent. In this paper, we want to raise
awareness of the system's existance, and we want to highlight some moderately spicy cryptographic engineering
decisions. In particular, most sensitive, long-term user keys in the system are derived by a simple, home-grown
centralized key escrow system from a per-use cleartext salt and only 1024 bit of entropy shared globally across all
users. Physically, only the insecure level 3 of the obsolete FIPS 140-2 security standard (requiring ``hard, opaque
potting'' but no active tamper sensing) is required in the system's standardization, leaving it open to attacks by
nation-state and other well-funded adversaries.
\end{abstract}
\section{Introduction}
Beginning end of April 2025, after several delays, Germany has started the nation-scale rollout of its new electronic
health record system. The aim of this system is to have a national database of all electronic medical records of all
publically insured people living in Germany that can be accessed by any healthcare provider. The system aims to replace
paper-based workflows that are error-prone and lead to healthcare providers often only having access to a subset of
patient's medical records. Data in scope for the system includes, among others, medical letters, laboratory results, and
imaging results.
medical record system. The system aims to create a national database holding the complete electronic medical records of
all publically insured people living in Germany that can be accessed by any healthcare provider. The system aims to
replace paper-based workflows that are error-prone and lead to healthcare providers often only having access to a subset
of patient's medical records. Data in scope for the system includes, among others, medical letters, laboratory results,
and medical imaging files.
Due to Germany's mandatory health insurace laws, the system's user base encompasses the majority of all German
residents. People who have replaced their public health insurance with private insurance are not (yet) subject to the
system. As private insurance tends to be more expensive than public insurance, this means that the system
disproportionally affects people who have low income.
system. In Germany, by law private health insurance is only available to people from the top 10th percentile of
household income. This means that the system disproportionally affects people who have low income, creating an equity
issue. While it is possible to opt out from the use of the system, the process of opting out is difficult. Additionally,
both the government through advertising campaigns and health insurance providers have publically depicted the system in
a one-sidedly positive way, meaning that it is unlikely the majority of people subject to the system have a
comprehensive understanding of the system's benefits and risks that would be necessary for an informed decision on
opting out.
While there has been loud criticism of the system's security from civil society organizations such as digital rights
nonprofit Chaos Commputer Club (CCC) and several severe security flaws have been demonstrated practically, this
@ -76,12 +81,13 @@ criticism has largely been ignored by the political structures in charge. We obs
outrage, the system has received very little attention from the academic cryptography and information security
community.
In this paper, we wish to point out some \emph{spicy} cryptographic engineering decisions in the system. In particular,
we point out that the system's core per-user secrets are kept in a crytographically primitive key escrow system.
Furthermore, we observe that by specification, the individual user keys of the system are derived from a per-user
cleartext salt and system-wide long-term secrets with only 1 kbit of entropy. Finally, we note that according to
specification, the only physical security requirement for the protection of these highly sensitive secrets is a ``hard,
opaque potting material'', with \emph{no} tamper detection and response required.
In this paper, we wish to point out some spicy cryptographic engineering decisions in the system. In particular, we
point out that the system's core per-user secrets are kept in an unsophisticateed key escrow system whose security is
based on engineering assumptions, not on cryptographic principles. Furthermore, we observe that by specification, the
individual user keys of the system are derived from a per-user cleartext salt based on a pair of system-wide long-term
secrets with a combined entropy of only 1 kbit. Finally, we note that according to specification, the only physical
security requirement for the protection of these highly sensitive secrets is a ``hard, opaque potting material'', with
no tamper detection and response required.
Given that nation-state adversaries are well within the scope of an attacker model of the system, we conclude that the
combination of a small amount of entropy as well as the system's bare minimum of physical security requirements are
@ -92,39 +98,134 @@ We note that the implementation might well deviate from these standards and be m
history of flaws, we believe that is unlikely to be the case. As of now, there is no meaningful way for either the
public or for researchers such as us to ascertain the concrete implementation security of the system.
\section{ePA's Intended Operation}
\section{The Design of ePA}
ePA is embedded into Germany's national public healtcare backend system ``telematikinfrastruktur'' (TI). TI is a highly
complex system, and a detailed description would exceed the limits of this paper. Briefly put, TI consists of a shared
DMZ that parties like insurance providers and healthcare providers connect to through a VPN. At the client location,
this VPN connection is created from a specialized VPN appliance named ``Konnektor'' that simultaneously hosts as a
trusted environment executing some software for purposes such as authentication. The Konnektor hosts several smart cards
that store keys used for authentication.
Every person enrolled in the system as well as every healthcare professional providing services in it is issued a ID
card that contains a smart card that contains keys used to authenticate towards the central infrastructure. The primary
use of these smart cards up to now is that when someone visits a healthcare provider, they will insert their ID card
into a terminal so the healthcare provider can automatically fetch their personal information such as name, birth date
and address from their insurance provider.
ePA is implemented inside the TI system.Its centralized services are reached through the TI's VPN, and encryption and
decryption of files stored in ePA are done on the Konnektor. The various smart cards are used to authenticate parties to
each other. Each insurance provider picks one of several implementations of ePA's server-side infrastructure to run for
its clients. Currently, there are two approved implementations of this server-side infrastructure.
The primary services offered by the server side are authentication services, one of two instances of the key escrow
service (``Schlüsselgenerierungsdienst'' or SGD) a database storing wrapped record keys, and a database storing the
encrypted records themselves. Records are symmetrically encrypted twice. One encryption layer is done at the client
side, inside the Konnektor, and the other encryption layer is processed inside a trusted execution environment (TEE,
tranlated to ``VAU'' in the German specifications) at the server side. The keys for both encryption layers are wrapped
and unwrapped in the Konnektor, and the wrapped keys are stored in the key database on the server side. For wrapping,
two layers of encryption are used with a second set of two keys. This second set of keys is generated by the key escrow
service every time the record is accessed. To generate these keys, the Konnektor separately requests them from each of
two instances of the escrow service. One of these instances is run as part of the insurance provider's server
infrastructure. The other instance is a single instance for the whole system shared across all insurance providers. This
instance is run by a state-owned company. When a new record is created, each of these escrow services generates a salt
that is stored along with the wrapped keys. The keys are deterministically generated from the escrow service's master
key, this salt, and the healthcare ID number of the person owning the record. According to the standards, this key
derivation step must be done inside of a Hardware Security Module (HSM).
\section{Related Work}
\section{A realistic attacker model}
The state-owned company specifying the system commissioned two academic security assessments of the system relating to
the key escrow service: \textcite{fischlinKryptographischeAnalyseSpezifikation2021} focuses on the cryptographic
dimension of the key escrow service. \textcite{slanySicherheitsanalyseZurSicherheit2020} approaches the system at a
higher level, and focuses on the cryptography of the inner protocol layers spoken between the system's components. We
are not currently aware of independent academic security research on the system.
\section{ePA's Cryptographic Design}
The design and operation of the system have been independently described in detail by civil society activists, who have
demonstrated several successful attacks on the system. \textcite{tschirsichHackerHinOder0100} demonstrated how they
could trivially acquire each of the smartcards as well as the Konnektor necessary for accessing the system.
\textcite{tschirsichKonnteBisherNoch0100} summarize the history of attacks demonstrated on the system and show multiple
practical attacks on various parts of the system's implementation.
\section{ePA's Key Escrow System (``SGD'')}
\section{Interesting Cryptographic Engineering Choices}
In this paper, we wish to highlight some of the design choices in the system that we believe stray from current best
practice.
\subsection{Use of Key Escrow}
First, the system's general approach of using a key escrow service instead of securely storing the keys inside the
system's already existing smart card infrastructure is concerning, given that this key escrow service poses as a
centralized security risk. The system's designers made this decision since it was deemed important that access to an
encrypted record can be restored quickly after an insurance ID card is lost, without requiring cooperation of the
healthcare providers holding the primary copies of the person's medical records.
While key escrow services have been a topic of political debate in decades past, today, consensus generally is that they
are a bad idea since they pose a centralized target for attack, and increase the damage of a single attack.
\subsection{Cryptographic Design}
The system's overall cryptographic design is intentionally kept simple. The standard explicitly mentions that symmetric
primitives have been preferred over asymmetric primitives due to the risk of an attack on asymmetric primitives in the
long term. Notably, besides asymmetric encryption, other advanced cryptographic techniques such as secret sharing
schemes, oblivious pseudo-random functions or multiparty computation that could help with the security of the key escrow
service are also absent.
The system trusts its components to a large degree. For instance, the system leaks a person's insurance ID number
to each of the two key escrow services every time record keys are requested. Along with the timing and frequency of
these requests, this leaks information on the person's condition to each SGD in an identifiable way.
\subsection{A Realistic Attacker Model}
We observe that the system as a whole does not appear to be designed to defend against well-resourced adversaries. The
series of practical attacks that have been demonstrated on the system\cite{tschirsichKonnteBisherNoch0100} confirm this
impression. We believe that a system like this must be designed to withstand well-resourced adversaries such as enemy
secret services, since the medical data stored in such as information on chronic illness, sexually transmittable disease
or severe food allergies has intelligence value. Repeated breaches of national digital infrastructure such as the 2015
breach of the US Office of Personnel Management\cite{barrettUSSuspectsHackers2015} or the 2024 compromise of US
telecommunications wiretapping systems\cite{mennChineseGovernmentHackers2024} demonstrate that such state-sponsored
attacks on national digital infrastructure are a realistic concern.
\section{Physical Security}
Physical security has received some consideration in the system's specification. First, smart cards are used extensively
for authentication. Second, Hardware Security Modules are used in key locations of the system to process some
cryptographic secrets. In particular, the core of the system's key escrow sevice is implemented inside an HSM. However,
it is notable that the actual security level required of these HSMs is only FIPS 140-2 level
3\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002}. Not only has FIPS 140-2
been superseded by FIPS 140-3 since
2019\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2019}, its security level 3 mostly
provides logical separation of cryptographic functions from other logic and is not very meaningful in the context of
physical attacks. The only physical requirement of FIPS 140-2 level 3 is that the HSM has a hard, opaque coating. This
coating is specified to be tamper-evident, but notably no active tamper detection or response features are required by
this standard. In contrast to the newer FIPS 140-3 standard and the related ISO/IEC 19790\cite{ISOIEC19790} as well as
ISO/IEC 24759\cite{ISOIEC24759} standards, it does not make any particular requirements regarding resistance to
side-channel attacks. The lack of tamper response, unspecified resistance to side-channel attacks and the fact that the
ePA specification only requires the key escrow master key inside the HSM to have 512 bit of security combined lead to an
unsatisfactory overall constellation.
\section{Conclusion}
In conclusion, we observe that in Germany's ePA national medical record database, despite the decade-long
standardization and implementation process, several questionable cryptographic compromises ended up in the system's
final deployment. Even assuming that nation-scale key escrow is a good idea, the implementation of this key escrow
system is questionable. With no justification given, the system uses secret keys with only 1 kbit of entropy to derive
highly sensitive secret keys for several tens of millions of people. The cryptographic design of this escrow system is
primitive, ignoring the past three decades in crytographic developments in particular in multiparty computation (MPC)
and other secret sharing techniques in favor of a simplistic engineering approach. In the engineering dimension, the
system's physical security is only held to the basic level 3 of the obsolete FIPS 140-2 standard, which is considerably
less secure an average credit card payment terminal. The low-entropy secret keys are only protected by a ``hard, opaque
potting material'' and no tamper detection and response is required. We estimate that the system poses an attractive and
easy target to nation-state adversaries.
standardization and implementation process, several cryptographic compromises ended up in the system's final deployment.
Even assuming that nation-scale key escrow is a good idea, the implementation of this key escrow system seems to stray
from current best practice. The system uses secret keys with only 1 kbit of entropy to derive highly sensitive secret
keys for several tens of millions of people. The cryptographic design of this escrow system is primitive, ignoring the
past three decades in crytographic developments in particular in multiparty computation (MPC) and other secret sharing
techniques in favor of a simplistic engineering approach. In the engineering dimension, the system's physical security
is only held to the basic level 3 of the obsolete FIPS 140-2 standard, which is considerably less secure an average
credit card payment terminal. The low-entropy secret keys are only protected by a ``hard, opaque potting material'' and
no tamper detection and response is required. We estimate that the system poses an attractive and easy target to
nation-state adversaries. The system's shortcomings are made more severe by the fact that the system disproportionally
affects the lives of people with low income.
\begin{credits}
This is version \texttt{\input{version.tex}\unskip} of this paper, generated on \today. The git repository with the
\LaTeX source for this paper, all hardware design files, and firmware and analysis source code can be found at:
%\begin{credits}
%This is version \texttt{\input{version.tex}\unskip} of this paper, generated on \today. The git repository with the
%\LaTeX source for this paper, all hardware design files, and firmware and analysis source code can be found at:
\center{Note: URL elided for peer review}
%\center{Note: URL elided for peer review}
% \center{\url{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git}}
\end{credits}
%\end{credits}
\printbibliography[heading=bibintoc]
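Review bot: The statement in the Physical Security section that FIPS 140-2 level 3 only demands a hard, opaque coating with `no active tamper detection or response features` (echoed in the new abstract text `(requiring ``hard, opaque potting'' but no active tamper sensing)`) overstates the gap: the physical security requirements in Section 4.5 of FIPS 140-2 do require tamper detection and response with zeroization for doors and removable covers at level 3, and it is the envelope-wide tamper detection/response that is reserved for level 4, so the claim should be narrowed to something like `no envelope-wide tamper detection or response is required; only doors and removable covers must trigger zeroization` (the Physical Security paragraph may be existing text rather than part of this change, but the abstract wording is new). In the new abstract, `per-use cleartext salt` contradicts the `per-user cleartext salt` used in the introduction and the design section and should presumably read `per-user`. The new prose also carries several typos (`unsophisticateed`, `healtcare`, `system.Its`, `tranlated`, `sevice`, `crytographic`, `existance`, `insurace`, `Commputer`, `a ID card`), a missing word in `considerably less secure an average credit card payment terminal` (`less secure than`), and a missing object in `the medical data stored in such as information` (`stored in it, such as`). Finally, the commented-out credits block still speaks of hardware design files and firmware and points at an unrelated repository URL, which looks copied from a different paper and should be rewritten before it is re-enabled.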