FR3029722A1 - METHOD FOR CONDITIONALLY TRANSMITTING DATA FROM A SERVER TO A TERMINAL, TERMINAL AND ASSOCIATED SERVER - Google Patents

Abstract

The invention relates to a method of conditional data transmission from a server to a terminal (T), comprising the following steps: - generating a challenge by a processor (P) of the terminal (T); transmitting the challenge to a secure execution environment (C) hosted by the terminal (T); - Generation of a cryptogram in the secure execution environment (C) by application to the challenge of a cryptographic algorithm; - transmission by the terminal (T) challenge and cryptogram to the server (S) via a telecommunications network (I, R); - verification, at the server (S), of the concordance of the cryptogram and the challenge for the authentication of the terminal (T); - When said match is verified at the verification step, starting a data preparation mechanism and sending the prepared data to the terminal (T) via said telecommunications network (I, R). An associated terminal and server set are also provided.

Description

TECHNICAL FIELD TO WHICH THE INVENTION RELATES The present invention relates to the authentication of a terminal by a server and the preparation of data intended for the terminal by the server. It relates more particularly to a method of conditional data transmission from a server to a terminal, and a terminal and an associated server set. The invention applies particularly advantageously in the case where the terminal hosts a secure execution environment, for example a trusted execution environment or a secure module such as a microcircuit card. BACKGROUND ART WO 2014/086652 discloses a method of authenticating a secure element by a server in which an agent is executed in an environment separate from the secure element. According to this document, the agent transmits to the secure element a challenge provided by the server and receives in return a one-time password calculated by the secure element according to the challenge and secret data stored in the server. secure element. OBJECT OF THE INVENTION In this context, the present invention proposes a method of conditional data transmission from a server to a terminal, comprising the following steps: - generating a challenge by a terminal processor; - transmitting the challenge to a secure execution environment hosted by the terminal; - Generating a cryptogram in the application-safe execution environment to the challenge of a cryptographic algorithm; 30 - transmission by the terminal challenge and cryptogram to the server via a telecommunications network; - verification, at the server level, of the concordance of the cryptogram and the challenge for the authentication of the terminal; when said match is verified at the verification step (and in this case only), launching a data preparation mechanism and sending the prepared data to the terminal via said telecommunications network. The terminal can thus prepare the authentication data constituted by the cryptogram on its own initiative, without requiring a prior exchange with the server. For its part, the server does not launch the data preparation mechanism (for example commands for the terminal processor) until the terminal is authenticated by verifying the concordance of the cryptogram and the challenge, that is to say by verifying that the cryptogram is the result of the application to the challenge of the aforementioned cryptographic algorithm, which avoids unnecessary data preparation when the terminal is not authenticated. The transmission of the challenge to the secure execution environment is for example carried out by means of an INITIALIZE UPDATE command defined in the GlobalPlatform specification relating to the SCP03 protocol (for "Secure Channel Protocol 03") or by means of an INITIALIZE command. UPDATE defined in the GlobalPlatform specification for SCP02 protocol (for "Secure Channel Protocol 02"). The execution of this command by the secure execution environment can then implement the aforementioned step of generating the cryptogram. We thus use the features usually present in such a secure execution environment, without having to install a dedicated software in this secure environment. Other optional (and therefore non-limiting) features of the invention are as follows: the steps of generating the challenge, transmitting the challenge and transmitting the challenge and the cryptogram are implemented because of the execution an application by the processor; - the challenge is generated by random draw; the cryptographic algorithm uses a secret key stored in the secure execution environment; - the secure execution environment is realized by a secure module; the method comprises a step of transmitting the cryptogram generated from the secure module to the processor (before the challenge and the cryptogram are transmitted by the terminal); - the secure execution environment is realized by a trusted execution environment; The terminal is designed to operate selectively in a multi-purpose execution environment or in said trusted execution environment; the aforementioned application is executed in the multipurpose execution environment; The verification step is implemented by a hardware security module associated with the server; the method comprises a step of comparing, at the server level, the challenge received and challenges previously received and stored at the server level, the data preparation mechanism being launched only if the challenge received is different from each of the challenges beforehand received, which makes it possible to verify as explained below that the challenge received is not the replay of a previous challenge; said data preparation is a generation of a script; the generated script is a personalization script or a card management script; The method comprises a step of encrypting the script by means of an encryption cryptographic algorithm using an encryption key obtained by using the challenge; the steps of generating the cryptogram and checking the concordance are in accordance with a protocol of the SCP02 or SCP03 type.

The invention also proposes a terminal comprising a processor and means for implementing a secure execution environment designed to generate a cryptogram by applying a cryptographic algorithm to a challenge, characterized in that an associated memory the processor stores an application designed to generate the challenge, to convey the challenge to the secure execution environment, to receive the cryptogram from the secure execution environment, and to issue the challenge and cryptogram to the secure execution environment. a server via a telecommunication network, when the application is executed by the processor. The invention also proposes a server assembly comprising means for receiving a challenge and a cryptogram from a terminal via a telecommunications network; means for checking the concordance of the cryptogram and the challenge for the authentication of the terminal; and means, activated only in case of verification of concordance by the verification means, to initiate a data preparation mechanism and send the prepared data to the terminal via said telecommunication network. In addition, a system comprising a terminal as described above and a server set as just indicated is proposed.

DETAILED DESCRIPTION OF AN EXEMPLARY EMBODIMENT The following description with reference to the accompanying drawings, given as non-limiting examples, will make it clear what the invention consists of and how it can be achieved. In the accompanying drawings: FIG. 1 represents an example of a system in which the invention can be implemented; FIG. 2 represents a method according to the invention implemented within the system of FIG. 1. FIG. 1 schematically represents the main elements of a system in which the invention can be implemented. Such a system comprises a terminal T connected, by means of a network infrastructure R, to a public network I, such as the Internet network. The terminal T is here a mobile terminal (such as a cellular phone) and the network infrastructure R is here a mobile network infrastructure.

The terminal T here comprises a processor P (for example a microprocessor) capable of executing computer program instructions (stored in a non-represented memory associated with the processor P) in order to implement a method such as that described. below in the context of Figure 2.

The terminal T also receives in a dedicated reader (not shown) a microcircuit card C. The reader is connected to the processor P so as to allow data exchange between the microcircuit card C and the processor P, as shown schematically by a solid line in FIG. 1. The microcircuit card C comprises a microprocessor and a memory 3029722 5 (for example a rewritable non-volatile memory). The memory stores computer program instructions which, when executed by the microprocessor of the microcircuit card C, allow the implementation of methods by the microcircuit card C, in particular the method described below in reference. FIG. 2. The memory also stores secret cryptographic keys used as described hereinafter, in particular a first K-MAC static key and a second K-ENC static key. The microcircuit card C is here of UICC type (for "Universal Integrated Circuit Circuit") Alternatively, it could be another type of secure module, for example an integrated secure element (or eSE for "embedded Secure Element ") The microcircuit card C defines a secure execution environment, for example with a security level in accordance with the common criteria EAL 15 (for" Evaluation Assurance Lever "), corresponding to the ISO 15408 standard, with a level understood 2 to 7, or the Federal Information Processing Standard (FIPS) 140-2 In the example of FIG. 1, the terminal T thus comprises the processor P, which defines an execution environment with a view to general, and the microcircuit card C (with its own microprocessor), which defines a secure execution environment Alternatively, the terminal T could include only one processor P on which selectively executes a control system. 'exploitation polyva to operate the terminal T in a versatile execution environment (or REE for "Rich Execution Environment"), or a trusted operating system (or "Trusted OS") in order to to operate the terminal T in a trusted execution environment (or TEE for "Trusted Execution Environment"). Such a trusted execution environment forms a secure execution environment (usable in place of the microcircuit card C), with for example a security level as defined above. The terminal T further comprises a communication module (not shown) in order to establish a communication with the network infrastructure R (here with a base station of this infrastructure), which allows the terminal T (and precisely in practice the processor P) to exchange data with other electronic devices or computers connected to the public network I, in particular as explained below with a server S connected to the public network I. A security hardware module M (or HSM for "Hardware Security 5 Module") is connected, here connected via a local network L, to the server S. Moreover, a data preparation computer D is also connected to this local network L. The security hardware module M stores in particular secret data associated with microcircuit cards used in terminals, in particular, in association with an identifier ID of the microcircuit card C, data secret cards associated with the microcircuit card C, such as the first static key K-MAC and the second static key K-ENC. FIG. 2 represents a method according to the invention, implemented here within the system of FIG. 1.

The method shown in FIG. 2 begins with an optional step E0 of transmission from the server S to the processor P of an instruction to start the authentication process described hereinafter. This step E0, however, is not necessarily implemented. Indeed, the processor P can initiate the method described hereinafter (from step E2) on the basis of another event, for example the expiration of a counter (within the terminal T), a given action of the user (such as launching a particular application by means of a man-machine interface, not shown, of the terminal T), a call of the method by another application executed by the processor P.

As already indicated above, the method implemented by the processor P as described below is carried out because of the execution of the instructions of an application (or computer program) by the processor P. In the variant mentioned above where a trusted execution environment is used (by means of a trusted operating system run by the processor P), this application is executed as part of the operation in the runtime environment versatile. The processor P generates in step E2 an ACH challenge, for example by random draw. Hereinafter called "application challenge" this ACH challenge, because it is generated by the application executed by the processor P T terminal for 3029722 7 implement particular step E2. The processor P then emits at step E4 an instruction of beginning of the authentication process, accompanied by the challenge of the application ACH, to the microcircuit card C.

This authentication process start instruction is here an INITIALIZE UPDATE command defined in the GlobalPlatform specification for the SCP03 protocol (for "Secure Channel Protocol 03") or, alternatively, an INITIALIZE UPDATE command defined in the GlobalPlatform specification relating to the SCP02 protocol (for "Secure Channel Protocol 02"). In both cases, the challenge of the ACH application generated in step E2 is used instead of the host challenge ("Host Challenge") in the INITALIZE UPDATE command. Note that the start of authentication process instruction is generated by the processor P (due to the execution of the application), and therefore does not correspond to the simple transmission of such an instruction received from the user. 'outside. The microcircuit card C determines in step E6 a CAC card cryptogram and a CCH card challenge. These elements are here determined in accordance with the specification SCP03 mentioned above or, in the variant already envisaged, the specification SCP02. In each case, the challenge of host 20 ("host challenge") is, however, replaced by the challenge of the ACH application. The CCH card challenge is for example determined by random draw. Alternatively, it could be determined pseudo-randomly, as described in the protocol specification SCP03 (or SCP02 if applicable). The CAC card cryptogram is determined by applying to the challenge of the ACH application (received in step E4) a cryptographic function (here of symmetric cryptography) using a secret key, for example a session key (corresponding to the S-MAC key in the SCP03 protocol) derived from the first stored K-MAC static key (as indicated above) in the non-volatile memory of the microcircuit card C.

The CCH card challenge may possibly be used in determining the CAC card cryptogram, for example by concatenating with the challenge of the ACH application prior to application of the cryptographic function as indicated above. The microcircuit card C can then send to step E8 the card cryptogram CAC and the card challenge CCH (as a response to the command INITIALIZE UPDATE). In some cases (for example in the case of the predictive mode of the SCP03 protocol, or in all cases of the variant already envisaged where the SCP02 protocol is used), the value of a counter is also transmitted from the microcircuit card C to the processor P during step E8. The processor P then emits at step E10 (due to the execution by the processor P of the application already mentioned) a connection request to the server S, for example in the form of a secure connection request of the type TLS (for "Transport Layer Security"). The server S responds to this request, here by accepting the establishment of a secure connection between the server S and the terminal T (step E12). The terminal T then sends in step E14 the following data to the server S, here via the secure connection established in steps E10 and E12 and for example by means of an HTTP POST command: the identifier ID of the secure execution environment (here of the microcircuit card C); the challenge of the ACH application generated in step E2; the CAC card cryptogram determined in step E6; The CCH card challenge determined in step E6; optionally, the value of the counter used, as indicated above, in the case of the predictive mode of the SCP03 protocol or in the case of the variant where the SCP02 protocol is used. The server S transfers these data to the security hardware module M in the step E16 so that it verifies that the CAC card cryptogram generated in the step E6 corresponds to that normally associated with the challenge of the ACH application by application of the cryptographic function using the secret key derived from the first K-MAC static key stored in the microcircuit card C, thereby authenticating the microcircuit card C.

30 Note that the challenge used here was not generated server side and it is not possible to ensure server side that the challenge is very random and that the answer does not come from a replay an earlier answer. To remedy this, the server S can memorize for example all the previously used challenges and only authenticate the microcircuit card C in the presence of a new challenge (that is to say a challenge different from each one). previous challenges memorized). In practice, to perform the aforementioned verification, during step E18, the security hardware module M reads, for example in a storage unit 5 of this module M, the first static key K-MAC associated with the identifier ID of the microcircuit card C, derives the session key S-MAC (according to the same process as above in step E6) and applies the cryptographic function mentioned above to the challenge of the application ACH, using the key of S-MAC derived session, which provides the expected CAC * cryptogram, normally associated with the challenge of the ACH application. It is noted that the application of the cryptographic function is carried out in accordance with the SCP03 protocol (or, in the variant already envisaged, the SCP02 protocol), using the challenge of the ACH application instead of the challenge. host ("host challenge"), and therefore not only uses the challenge of the ACH application, but here also the challenge of the CCH card and possibly the value of the counter. The security hardware module M can thus determine whether the CAC card cryptogram received in step E16 is identical to the expected cryptogram CAC * calculated in step E18.

The security hardware module M sends back to the server S information representative of the result of the verification (step E20). If the verification was a failure (that is to say when the CAC card cryptogram calculated in step E16 by the microcircuit card C is different from the expected cryptogram CAC *), the server S implements for example an error processing (not shown), for example by terminating the connection with the terminal T. If the verification was successful, the process continues as described below by preparing a script to to execute by the microprocessor of the microcircuit card C. It will be noted that this script preparation is thus performed only after authentication of the microcircuit card C, which makes it possible to avoid unnecessary script preparation in cases where the microcircuit card C can not finally be authenticated. In some applications, it would be possible to use the CAC card cryptogram, possibly associated with the ACH application challenge, as a 3029722 word for one-time password (or OTP) since these elements are known at the same time. server S (precisely in the security hardware module M associated with the server S) and at the terminal T (precisely in the microcircuit card C).

Thus, the CAC cryptogram could for example be used as a shared secret key in the context of the SSL protocol (instead of the ephemeral key of Diffie-Hellman), or likewise in the context of the TLS protocol, or in HTTPS headers. Note that these elements are obtained by the use of the command INITIALIZE UPDATE, usually available in the secure execution environment (here the microcircuit card C), without the need to install a dedicated application in this environment (application commonly referred to as "cardief" in the case of a microcircuit card or "trustler in the case of a trusted execution environment).

Furthermore, the secrets used are contained in the secure execution environment, and not in the application installed and executed by the processor P to implement the method performed by this processor P, as indicated above, this which is preferable because this application is not running in a secure runtime environment.

In the case of FIG. 2, the preparation of the script is triggered by the sending, by the server S, of a script request to the data preparation computer D (step E22), by appending to this request the identifier ID of the microcircuit card C and possibly the value of the counter.

The data preparation computer D can thus determine, on the basis of the identifier ID, which processes are to be started within the microcircuit card C (for example in order to update certain parts of the non-volatile memory. rewritable volatile microcircuit card C) and generates on this basis in step E24 a script for the microcircuit card C, that is to say a list of 30 commands (here of type APDU) for the microcircuit card C. The data preparation computer D then transmits in step E26 the script generated to the security hardware module M for encryption purposes (for example by attaching the identifier ID of the microcircuit card C and possibly the counter value).

The security hardware module M then proceeds to step E28 at the encryption of each of the script's commands (except the initial INITIALIZE UPDATE command as explained hereinafter), for example by means of a symmetric cryptographic encryption algorithm using an encryption key (S-ENC session key defined in the SCP03 protocol) derived herein (as provided by the SCP03 protocol or, alternatively, the SCP02 protocol) based on the associated second K-ENC static key to the microcircuit card C, the challenge of the ACH application and the challenge of the CCH card received in step E18, and possibly the value of the counter.

It should be noted that the security hardware module M determines the data to be used in this step (static key, challenge of the ACH application, challenge of the CCH card, value of the counter) on the basis of the identifier ID of the card with microcircuit C received in step E26 (the second static key K-ENC being as already indicated pre-recorded in the security hardware module M in association with the identifier ID, while the challenges ACH, CCH and the value of the counter were received with this identifier ID in step E16 and thus stored at that time in association with the identifier ID). The security hardware module M returns the encrypted script to the data preparation computer D in step E30, which transmits this encrypted script to the server S in step E32. The server S can thus send to step E34 the script encrypted to the processor P, for example within an HTTP response to the POST command issued in step E14 by the application executed on the processor P. The processor P thus receives the encrypted script and sends, one by one, the encrypted commands forming this script to the microcircuit card C. The processor P sends a first command in step E36, for example an INITIALIZE UPDATE command (as defined in the above specifications). It is proposed here to send again an INITIALIZE UPDATE command to the microcircuit card C so as to ensure proper initiation of the protocol concerned (here SCP03) because the logical channel set up in step E4 may have been interrupted during the implementation of step E36. According to one conceivable variant, this first INITIALIZE UPDATE command could however be omitted. The command INITIALIZE UPDATE is accompanied by a host challenge 3029722 12 HCH '(introduced for example in the script during its generation in step E24). The microcircuit card C executes in step E38 the command received in step E36, here by implementing a processing of the same type as that performed in step E6, which makes it possible to obtain a new card challenge. CCH 'and a new CAC card cryptogram'. The processor P receives in step E39 the result of the processing performed in step E38 (here the new card challenge CCH 'and the new card cryptogram CAC') and thus emits at step E40 the following command (here the second command) to the microcircuit card C, here an EXTERNAL AUTHENTICATE command. Such a command is accompanied by a cryptogram of the host ("host cryptogram") which allows the microcircuit card C to authenticate the sender of the script. (Note that such a cryptogram of the host may be prepared in advance using certain modes of operation of the SCP03 protocol, including the generation of the card challenge in pseudo-random mode.) The microcircuit card C receives the second command, decrypts it and proceeds to the processing requested in step E42, here by verifying the cryptogram of the host in order to authenticate the issuer of the script. If the authentication is successful (as envisaged in FIG. 2), the microcircuit card C returns to step E43 a positive result to the processor P and waits for further commands. The processor P sends the third command (here an APDU command) to the microcircuit card C in step E44. The microcircuit card C decrypts this third command (and furthermore also checks a message authentication code to guarantee integrity), then executes it to perform the processing corresponding to the step E46 and send the result of the execution at the processor P in step E47. The processor P thus proceeds for all successive commands until the last command: the processor P sends the last command (here an APDU command) to the microcircuit card C in step E48; the microcircuit card C receives and decrypts the latter command, then executes it to perform the processing corresponding to the step E50 and to send the result of the execution to the processor P in the step E51. The processor P sends in step E52 all the results of the successive commands (results respectively received from the microcircuit card C in steps E39, E43, E47 and E51 as indicated above) to the server S, for example in an HTTP POST request. The server S transmits this data (results) to the data preparation computer D. The data preparation computer D can then prepare and issue a new script, when necessary for the application concerned, according to steps similar to steps E24 to E32 described above. In the case of FIG. 2, there is no new script to be transmitted and the data preparation computer D emits in step E56 a response indicating that the processing is finished (for example a response without data annexed) to the server S. The server S then responds to the step E58 to the processor P with an indication of the same type, for example an HTTP response comprising the code "204, meaning that the previously transmitted request (here the request HTTP POST of step E52) was processed but did not generate any data in response, the processor P then terminates step E60 at the secure connection initiated during steps E10 and E12.

Claims (16)

REVENDICATIONS1. A method of conditional data transmission from a server (S) to a terminal (T), comprising the following steps: - generation (E2) of a challenge (ACH) by a processor (P) of the terminal (T); - challenge transmission (E4) (ACH) to a secure execution environment (C) hosted by the terminal (T); generation (E6) of a cryptogram (CAC) in the secure execution environment (C) by challenge application (ACH) of a cryptographic algorithm; - transmission (E14) by the terminal (T) challenge (ACH) and cryptogram (CAC) to the server (S) via a telecommunications network (I, R); checking (E18), at the server (S) level, the concurrency of the cryptogram (CAC) and the challenge (ACH) with a view to the authentication of the terminal (T); when said match is verified at the checking step (E18), starting (E22) of a data preparation mechanism and sending (E34) of the data prepared to the terminal (T) via said telecommunications network (I , R). 20 The conditional transmission method according to claim 1, wherein the steps of generating (E2) challenge (ACH), challenge transmission (E4) (ACH) and challenge (E14) (ACH) and cryptogram (CAC) are implemented because of the execution of an application by the processor (P). 3. The conditional transmission method according to claim 1 or 2, wherein the challenge (ACH) is generated by random draw. 4. conditional transmission method according to one of claims 1 to 3, wherein the cryptographic algorithm uses a secret key stored in the secure execution environment (C). 5. conditional transmission method according to one of claims 1 to 4, wherein the secure execution environment is performed by a secure module (C) or by a trusted execution environment. The conditional transmission method according to claim 5, wherein the secure execution environment is performed by said secure module, the method comprising a step of transmitting (E8) the generated cryptogram 3029722 (CAC) of the secure module ( C) to the processor (P). The conditional transmission method according to claim 5, wherein the terminal is adapted to operate selectively in a multi-purpose execution environment or in said trusted execution environment. 8. Conditional transmission method according to one of claims 1 to 7, wherein the verification step (E18) is implemented by a security hardware module (M) associated with the server (S). 9. conditional transmission method according to one of claims 1 to 8, comprising a step of comparison, at the server (S), the challenge received (ACH) and challenges previously received and stored at the server, and in which the data preparation mechanism is launched only if the challenge received is different from each of the previously received challenges. The conditional transmission method according to one of claims 1 to 9, wherein said data preparation is a generation of a script. The conditional transmission method according to claim 10, wherein the generated script is a personalization script or a card management script. The conditional transmission method according to claim 10 or 11, comprising an encryption step (E28) of the script using an encryption cryptographic algorithm using an encryption key obtained using the challenge (ACH). 13. The conditional transmission method according to one of claims 1 to 12, wherein the cryptogram generation and concordance checking steps are in accordance with a SCP02 or SCP03 type protocol. 14. Conditional transmission method according to one of claims 1 to 13, wherein the challenge transmission step is performed by a command type INITIALIZE UPDATE. 15. Terminal (T) comprising a processor (P) and means (C) for implementing a secure execution environment designed to generate a cryptogram (CAC) by applying a cryptographic algorithm to a challenge ( ACH), characterized in that a memory associated with the processor stores an application designed to generate the challenge (ACH), to transmit the challenge (ACH) 3029722 16 to the secure execution environment, to receive the cryptogram (CAC) from the secure execution environment and to issue the challenge (ACH) and the cryptogram (CAC) to a server (S) via a telecommunication network (I, R), when the application is executed by the processor (P). 5 16. A server assembly comprising: - receiving means (S) of a challenge (ACH) and a cryptogram (CAC) from a terminal (T) via a telecommunications network (I, R); means (C) for checking the concordance of the cryptogram (CAC) and the challenge (ACH) for the authentication of the terminal (T); Means, activated only in case of verification of the concordance by the verification means, to start (E22) a data preparation mechanism and send the prepared data to the terminal (T) via said telecommunication network (I); , R). 15