EBICS key: how long is the key to success?

On 21 April 2021, an EBICS manufacturer workshop of the German Banking Industry Committee (DK) took place. In terms of content, the core adjustments to EBICS coming with version 3.0.1 were presented. However, much more interesting for me are the cryptographic adjustments presented at the same time, which will become mandatory for EBICS customer systems in November 2021. EBICS uses three RSA key pairs for communication: one pair for authorisation signatures, one pair for authentication of the EBICS fragment, and one pair for encryption/decryption of messages.

For EBICS V2.5, this adjustment means that authorisation signatures (A keys) must have at least a 2048-bit key length. For authentication (X keys) and encryption (E keys), a compromise of at least 1984 bits was decided. The reason for this is probably that Seccos smartcards with keys of this length still exist in the market. The so-called DS key of these Seccos cards has a 2048-bit key length and is located in the special area of the card chip protected by an alternative PIN.

In addition, it was again confirmed to all participants that with the use of EBICS 3.0.1, all keys used for authentication (X00x), encryption (E00x) and authorisation signature (A00x) may no longer be shorter than 2048 bits.
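The two rules above (A keys at least 2048 bits under V2.5, X and E keys at least 1984 bits under V2.5, and every key at least 2048 bits under 3.0.1) can be checked mechanically: the "key length" of an RSA key is the bit length of its modulus, which is the first INTEGER in a PKCS#1 RSAPublicKey structure. The following is an added example, not code from the article, from PPI AG or from TRAVIC-EBICS-Kernel. It encodes and parses the DER structure with the standard library only; the three sample moduli are constructed values of the right size, not real keys (a real modulus would be read from the customer's key file or X.509 certificate), and the function names are my own.

```python
"""Check EBICS RSA key lengths against the DK minimums (added, constructed example)."""

# Minimum modulus length in bits per key type and EBICS version, as stated in the text.
MIN_BITS = {
    "2.5":   {"A": 2048, "X": 1984, "E": 1984},
    "3.0.1": {"A": 2048, "X": 2048, "E": 2048},
}


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form (0x80 | count) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value: int) -> bytes:
    """DER INTEGER; a leading 0x00 keeps a high-bit first byte positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def _der_sequence(*items: bytes) -> bytes:
    content = b"".join(items)
    return b"\x30" + _der_length(len(content)) + content


def rsa_public_key_der(modulus: int, exponent: int = 65537) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    return _der_sequence(_der_integer(modulus), _der_integer(exponent))


def _read_tlv(buf: bytes, pos: int = 0):
    """Read one DER tag-length-value; return (tag, content, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def modulus_bits(der: bytes) -> int:
    """Bit length of the modulus, i.e. the RSA key length as EBICS counts it."""
    tag, seq, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, n_bytes, _ = _read_tlv(seq)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n_bytes, "big").bit_length()


def check_key(der: bytes, key_type: str, version: str) -> tuple[bool, int]:
    """Return (meets minimum, actual bits) for an A/X/E key under a given EBICS version."""
    bits = modulus_bits(der)
    return bits >= MIN_BITS[version][key_type], bits


# Constructed sample moduli: only their size matters here, they are not usable keys.
SAMPLE_KEYS = {
    "legacy 1024": rsa_public_key_der((1 << 1023) | 1),
    "Seccos 1984": rsa_public_key_der((1 << 1983) | 1),
    "new 2048":    rsa_public_key_der((1 << 2047) | 1),
}

if __name__ == "__main__":
    for name, der in SAMPLE_KEYS.items():
        for version in MIN_BITS:
            for key_type in "AXE":
                ok, bits = check_key(der, key_type, version)
                print(f"{name:12} {key_type} key, EBICS {version:5}: {bits} bits -> {'ok' if ok else 'TOO SHORT'}")
```

Run against a customer's real key material (after extracting the public key from the RDH2 file, the p12 file or the X.509 certificate with whatever library the product already uses), the verdict column tells you exactly which keys must be regenerated before November 2021: a 1984-bit X or E key passes under V2.5 but fails under 3.0.1, a 1984-bit A key fails under both, and only 2048-bit keys pass everywhere.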

For the customer product manufacturers, this means that a key extension process must start in the foreseeable future so that all customers can easily and simply switch to the new EBICS 3.0.1 version as of November. If this does not happen, a switch to EBICS 3.0.1 is not possible with the existing – too short – keys.

Customer products that do not offer key changes fall behind here: their users have to generate new, longer keys in a time-consuming and complicated process, have their access reset at the financial institution, and resubmit the keys and the INI letter to their financial institution. After that, it is a matter of waiting until the EBICS access is activated again.

EBICS customer products which offer their customers a key change still have to deal with the challenge that with EBICS 3.0.1, only X.509 certificates may be used in EBICS communication. The customer products use completely new internal processes for this. The implementation must therefore be well planned and will generally not be easy. However, TRAVIC-EBICS-Kernel by PPI AG helps by providing the necessary functions for an easy switchover. It would be advisable to change from the previous key format (RDH2) to the PKCS#12 format (p12 file) for key files in the course of this.

A challenge arises for smartcards, because they often do not have the necessary key lengths and may have to be replaced, if this is possible at all.

In conclusion:

It is time to address the users of EBICS who use short keys so that they can update their keys in good time before the switch to EBICS 3.0.1 or before November 2021, generate their new keys and ideally submit them to their financial institution signed with the previous keys. Users who do not comply with the key requirements applicable from November 2021 would face a fatal dysfunctionality of their EBICS access.

Author: Michael Schunk