Smart Card Cryptography

RSA, ECC, AES, and post-quantum algorithms on smart cards.


Modern smart cards carry a dedicated crypto coprocessor that executes symmetric and asymmetric cryptographic operations in hardware, at speeds orders of magnitude faster than the card's general-purpose CPU and without exposing intermediate values to the main bus. Understanding which algorithms a card supports — and their performance trade-offs — is essential before selecting a card platform.

Use the EAL Comparator to cross-reference algorithm support against Common Criteria certification level for specific card families.

Asymmetric Algorithms — RSA and ECC

Asymmetric cryptography on smart cards serves key generation, digital signatures, and key agreement. The two dominant families are RSA and Elliptic Curve Cryptography (ECC).

| Algorithm | Key sizes | Security bits | Signature time (typical) | Key generation time | Standard |
|---|---|---|---|---|---|
| RSA | 1024 / 2048 / 4096 | 80 / 112 / 140 | 200 ms / 400 ms / 2 s | 2 s / 8 s / 60 s | PKCS#1, ISO 9796 |
| ECDSA (P-256) | 256-bit | 128 | 100–300 ms | 50–150 ms | FIPS 186-5, RFC 6979 |
| ECDSA (P-384) | 384-bit | 192 | 200–500 ms | 100–250 ms | FIPS 186-5 |
| ECDH (P-256) | 256-bit | 128 | 100–300 ms | | RFC 7748 |
| Ed25519 | 255-bit | 128 | 50–200 ms | 20–80 ms | RFC 8032 |

ECC at 256 bits provides the same security margin as RSA-3072 with significantly smaller key sizes and faster operations — an important consideration for secure element deployments where memory and latency budgets are tight.

Symmetric Algorithms — AES and Legacy

Secure element platforms support AES natively via the crypto coprocessor. AES-128 is used in SCP03 secure channels, AES-256 in high-assurance key storage and wrapping, and 3DES is retained only for legacy EMV and SCP02 backward compatibility.

| Algorithm | Key length | Block size | Modes | Status |
|---|---|---|---|---|
| AES-128 | 128-bit | 128-bit | ECB, CBC, CMAC, GCM | Current standard |
| AES-192 | 192-bit | 128-bit | ECB, CBC, CMAC | Less common |
| AES-256 | 256-bit | 128-bit | ECB, CBC, CMAC, GCM | High-assurance |
| 3DES-EDE | 112 / 168-bit | 64-bit | ECB, CBC | Legacy (SCP02, EMV) |
| DES | 56-bit | 64-bit | ECB | Deprecated |

AES-GCM provides authenticated encryption with associated data (AEAD) and is preferred for in-applet secure messaging. Cards claiming Common Criteria EAL4+ must implement at least AES-128 in all modes required by their protection profile.

Crypto Coprocessor Architecture

The crypto coprocessor is a hardware accelerator physically isolated from the card's CPU address space. Key material passes to the coprocessor through a dedicated key-loading interface; the CPU never has read access to the key registers.

Internally the coprocessor contains:

  • Arithmetic logic unit — for modular exponentiation (RSA), scalar multiplication (ECC)
  • Key registers — volatile (session) and non-volatile (persistent) storage
  • TRNG — True Random Number Generator, typically based on thermal noise sampling
  • AES engine — pipelined S-box and key schedule hardware
  • DES engine — legacy Feistel hardware for 3DES backward compatibility
  • Hash engine — SHA-1 / SHA-256 / SHA-384 / SHA-512 hardware acceleration

Key Hierarchy and Derivation

Keys on a smart card exist in a hierarchy that limits blast radius if a single key is compromised. The root is typically held in a certified HSM at the card management back-end; the card holds only derived or card-unique keys.

Master Key (HSM)
└── Issuer Key (per-batch)
    └── Card Key (per-card, derived from serial number)
        ├── Authentication Key
        ├── Encryption Key (session key wrapped by Card Key)
        └── Applet Key (per-application)

Key derivation uses NIST SP 800-108 counter-mode KDF or EMV-style diversification. The GlobalPlatform specification governs how card-unique keys are structured for SCP03 sessions. See Key Management for Smart Cards for the complete operational model.
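
The hierarchy above, walked with an SP 800-108 counter-mode KDF. This is an added example, not code from the original page or from any card vendor. It assumes HMAC-SHA256 as the PRF (SCP03 itself uses AES-CMAC), 32-bit counter and length fields, and constructed labels, batch ID, serial numbers and AID; the wrapped session encryption key from the tree is not derived here.

```python
import hashlib
import hmac
import struct


def kdf_ctr(key_in: bytes, label: bytes, context: bytes, out_len: int = 16) -> bytes:
    """SP 800-108 counter mode: K(i) = PRF(K_in, [i] || Label || 0x00 || Context || [L]).

    Assumptions: PRF is HMAC-SHA256; [i] and [L] are 32-bit big-endian integers.
    """
    if not key_in or out_len <= 0:
        raise ValueError("input key and output length must be non-empty")
    if b"\x00" in label:
        raise ValueError("label must not contain the 0x00 separator byte")
    length_bits = struct.pack(">I", out_len * 8)
    out, i = b"", 1
    while len(out) < out_len:
        msg = struct.pack(">I", i) + label + b"\x00" + context + length_bits
        out += hmac.new(key_in, msg, hashlib.sha256).digest()
        i += 1
    return out[:out_len]


def derive_card_keys(master: bytes, batch_id: bytes, serial: bytes, aid: bytes) -> dict:
    """Master -> issuer (per batch) -> card (per serial) -> leaf keys.

    In production the first two steps run inside the back-end HSM; only the
    card-level key and its children are ever loaded onto the card.
    """
    issuer = kdf_ctr(master, b"ISSUER", batch_id)
    card = kdf_ctr(issuer, b"CARD", serial)
    return {
        "card": card,
        "auth": kdf_ctr(card, b"AUTH", serial),
        "applet": kdf_ctr(card, b"APPLET", aid),
    }


# Constructed sample values, for illustration only.
MASTER = bytes(range(32))
BATCH = b"BATCH-0001"
AID = bytes.fromhex("F0000000010001")

if __name__ == "__main__":
    for serial in (b"\x00\x00\x00\x01", b"\x00\x00\x00\x02"):
        keys = derive_card_keys(MASTER, BATCH, serial, AID)
        print(serial.hex(), {name: k.hex() for name, k in keys.items()})
```

Because each label and serial number feeds a separate PRF call, extracting one card's keys reveals nothing about a sibling card's keys or about the issuer key above it, which is the blast-radius property the hierarchy is built for.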

Post-Quantum Readiness

NIST finalised ML-KEM (CRYSTALS-Kyber) and ML-DSA (CRYSTALS-Dilithium) in FIPS 203/204 (2024). Newer secure element platforms are beginning to add post-quantum coprocessors, though embedded memory and power constraints make lattice-based algorithms significantly heavier than ECC on current card silicon. For deployments with 10+ year credential lifetimes, request PQC roadmap documentation from the card vendor.

See Common Criteria for Smart Cards for how algorithm support is verified in formal security evaluations.

Frequently Asked Questions

Modern smart card chips include hardware accelerators for RSA (1024–4096 bit), ECC (NIST P-256, P-384, Brainpool, Curve25519), symmetric ciphers (AES-128/192/256, 3DES), hash functions (SHA-1, SHA-256, SHA-384, SHA-512), and MAC algorithms (HMAC, CMAC). RSA is used for key exchange and digital signatures in ePassports and payment; ECC is preferred for its shorter key sizes in constrained environments like eSIM and IoT secure elements.

Smart card chips employ multiple hardware countermeasures: keys are stored in EEPROM protected by memory access control with no export instruction, the chip package uses active shields and metal mesh layers to detect probing, and environmental sensors (voltage, frequency, temperature) trigger zeroization on attack detection. Side-channel countermeasures (random delays, masked operations) prevent power analysis (SPA/DPA) and electromagnetic attacks from recovering key material indirectly.

RSA at 2048 bits provides roughly equivalent security to ECC at 224 bits, making ECC signatures and key agreements dramatically faster on constrained hardware — a P-256 ECDSA signature takes ~100 ms versus ~500 ms for RSA-2048 on comparable chips. ECC also produces smaller public keys and certificates, reducing EEPROM usage and APDU exchange overhead. New deployments favor ECDH/ECDSA (P-256 or P-384); RSA remains dominant in legacy PKI and payment infrastructure.

A Secure Element (SE) is a tamper-resistant hardware component — either a dedicated smart card chip, an embedded SE (eSE), or an eUICC — that provides an isolated execution environment for cryptographic operations and key storage. SEs implement the same attack-resistance properties as smart cards (physical tamper detection, side-channel countermeasures, certified OS) and are used in NFC payment (Host Card Emulation bypasses the SE; tap-to-pay uses it), mobile credentials, and IoT device attestation.

Our guides cover a range of experience levels. Getting Started guides introduce smart card fundamentals. Security guides address Common Criteria certification and key management. Programming guides target developers working with APDU commands, JavaCard applets, and GlobalPlatform card management.