WO2011120974A1 - Exchanging authentication information between a cartridge and an electronic device - Google Patents

Publication number
WO2011120974A1
WO2011120974A1 PCT/EP2011/054836 EP2011054836W WO2011120974A1 WO 2011120974 A1 WO2011120974 A1 WO 2011120974A1 EP 2011054836 W EP2011054836 W EP 2011054836W WO 2011120974 A1 WO2011120974 A1 WO 2011120974A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
cartridge
electronic device
function
white box
Application number
PCT/EP2011/054836
Other languages
French (fr)
Inventor
Ettore Benedetti
Original Assignee
Irdeto Corporate B.V.
Application filed by Irdeto Corporate B.V.

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31: User authentication
    • G06F21/44: Program or device authentication
    • G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21: Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2103: Challenge-response

Definitions

  • the invention relates to exchanging authentication information between a cartridge and an electronic device, and, in particular, though not necessarily, to a method for
  • Electronics consumables such as ink cartridges and energy cartridges (batteries)
  • a console e.g. a printer console or a mobile phone console
  • an end-user may easily replace it when depleted.
  • the manufacturer of the console produces and markets the consumable parts as separate items for the benefit of the end-user.
  • Such technical measures may include the presence of a small electronic device (e.g. a chip) on the consumable part, so that operation of the console may only be possible when the authenticity of the consumable part is verified.
  • a small electronic device e.g. a chip
  • Established cryptographic algorithms may be used to support such
  • Authentication on the basis of certain protocols may provide a cost-effective method for authentication. If - as part of its normal usage - such cartridges are under control of an adversary, a real threat may exist that the adversary may be able to extract sensitive data, e.g. secret keys and/or algorithms, from the device, in particular from the software therein. With this sensitive data, rogue devices, in
  • rogue cartridges may be produced. Such rogue devices may be used with an associated console without any restriction.
  • the invention may relate to a method for exchanging authentication information between a cartridge and an electronic device, wherein said cartridge may comprise an authentication module comprising at least a first cryptographic function and wherein said
  • electronic device may comprise a secured area associated with at least a first white box encrypted cryptographic function, the method comprising: receiving a transformed first
  • the method uses a white box transformed
  • authentication function may be executed for at least a part in a transformed data space.
  • the secured area allows secured execution of an authentication protocol for authenticating the cartridge to the console. Such method thus avoids the need for hardware-implemented cryptographic functions in the console.
  • transformation functions allows replacement of one or more cryptographic functions and/or authentication keys residing in the secured area by one or more new cryptographic functions and/or new authentication keys respectively. Moreover, it allows a custom-made cryptographic function to be kept secret.
  • said secured area may be provided with at least a second transformation function, said second transformation function being the inverse of said first transformation function.
  • the transform function in the cartridge chip has an associated inverse transform function in the white box encrypted secured area in order to provide secured exchange of authentication parameters between the electronic device and the cartridge chip.
  • said secured area may further comprise at least a second white box encrypted cryptographic function and at least a second authentication key embedded in said first and/or second white box encrypted cryptographic function, wherein said method may further comprise: said second white box encrypted cryptographic function generating a secret key on the basis of said transformed first
  • white box encryption allows effective storage of secret keys in the secured area without the use of hardware measures.
  • the method may comprise: said first white box encrypted cryptographic function generating a first authentication response using said secure key and said challenge as input parameters.
  • the invention allows secured execution of at least part of the authentication method in the secured area and generation of authentication responses and/or keys associated with such authentication method.
  • the method may comprise: receiving a second authentication response from said
  • said second authentication response being generated by said first cryptographic function in said cartridge chip in response to said challenge; and, providing data access to said cartridge on the basis of said first and second authentication response.
  • said secured area may be provided with at least a third transformation function for transforming said authentication response to a transformed data space.
  • said cartridge may be a consumable, preferably a printer cartridge or a battery
  • said first cryptographic function may be a secret customized cryptographic function and/or wherein said first transformation function is a non-trivial bijection suitable for hardware-implementation in an authentication module.
  • the invention may relate to an electronic device configured for exchanging authentication information with a cartridge associated with an authentication module.
  • Said electronic device may comprise: a memory
  • said electronic device may be configured for receiving at least one further white box encrypted cryptographic function and for replacing said first white box encrypted cryptographic function in said secure area with said at least one further white box encrypted function.
  • said electronic device may be configured for receiving at least one update data file, said data file comprising at least one or more white box encrypted cryptographic functions and, optionally, one or more
  • said electronic device may be configured to replace the white box encrypted data in said secure area with the data in said update data file; and wherein said console is configured to select at least one of said white box encrypted
  • said selection may be triggered by a revocation message received by said electronic device.
  • the invention thus allows efficient management of secret authentication information, e.g.
  • said secured area in said electronic device may further comprise at least a second transformation function, said second transformation function being the inverse of said first transformation function.
  • the invention may relate to an authentication module configured for exchanging authentication information with an electronic device, said electronic device comprising a secured area associated with at least a first white box encrypted cryptographic function, wherein said authentication module may comprise: at least a hardware-implemented first transformation function for transforming a first authentication key into a transformed first
  • the authentication module may further comprise: at least one hardware-implemented first cryptographic function for generating an authentication response in response to a challenge originating from said electronic device.
  • the invention may relate to a cartridge, preferably a printer cartridge or a battery
  • the invention may also relate to a computer program product comprising software code portions configured for, when run on a processor in an electronic device, executing the method according to any of the method steps as described above.
  • Fig. 1 depicts a schematic of a known system comprising a console and a cartridge for use with an authentication scheme.
  • Fig. 2 depicts a high level schematic of one embodiment of the invention.
  • Fig. 3 is a diagram illustrating the use of transformation functions.
  • Fig. 4 depicts a schematic of an electronic device and a cartridge according to another embodiment of the
  • Fig. 1 depicts a schematic of at least part of a known authentication protocol implemented in a system 100 comprising an electronics console 102 and at least one
  • the system may relate to a system wherein the cartridge is used to provide the electronic console with a consumable.
  • the system may relate to a printer system comprising a cartridge comprising ink or a toner, which may be removably mounted on the printer console.
  • the system may relate to a cartridge comprising an energy source, i.e. a battery, which may be removably mounted to an electronics device, typically a mobile and/or portable electronics device, e.g. a mobile phone, a notebook, a digital camera etc.
  • the console may comprise a re-programmable read-only memory 106, e.g. an EEPROM or a FLASH memory or the like, comprising software code portions, i.e. firmware, associated with a process for authenticating the cartridge to the
  • a processor 108 for executing the software code portions of the firmware may communicate with the cartridge, in particular a secured chip 110 in the cartridge, via an interface 112.
  • the secured chip in the cartridge may be provided with a chip secret (CS) 114, which may be generated by a generator function G on the basis of a
  • the chip further comprises an
  • the firmware in the processor may comprise an embedded CMK 118 and a first and second cryptographic algorithm F and G 120,122 respectively, wherein the second cryptographic algorithm G is identical to the cryptographic algorithm in the secured chip.
  • Mounting a cartridge into the console may initiate the execution of the authentication process, wherein
  • the authentication may be exchanged between the processor and the cartridge chip.
  • the authentication may include a first step 124 wherein the CID is sent to the processor. Then, on the basis of the first cryptographic algorithm, using the CID and CMK as input parameters, CS is calculated (step 126).
  • a random number generator 128 may generate a challenge RNG 129, which is sent to both the cartridge and the processor (step 130).
  • a cartridge response RES_CR is subsequently generated by the cryptographic
  • a console response RES_CS is generated by the second cryptographic algorithm in the console using the challenge RNG and the CS calculated on the basis of the first cryptographic algorithm (step 132).
  • the console processor using a comparator compares both responses and if the processor has established that
  • an authorization message 138 is sent to the console logic 140 allowing the console to access the cartridge logic so that access to the resources provided by the cartridge may be allowed.
  • the authorization message may allow transmission of printer data 142 via the printer console logic 140 to the cartridge logic 144 in the printer cartridge (step 146).
  • first and second cryptographic functions F and G are such that: i) it is not possible to derive a chip secret given any number of challenges and responses for a given CID; and, ii) it is not possible to derive information on the master key given a large number of chip IDs and corresponding (leaked) unique CSs.
  • F and G are established standardized cryptographic MAC functions such as HMAC-SHA1 or HMAC-MD5.
  • CMK may be embedded in the firmware of the console from where it may be obtained by an adversary with little effort.
  • the unique chip secret (CS) which may appear as a temporary value during execution of the protocol, may be intercepted. Localization of the chip secret in the console may additionally allow the console to be used as an oracle, thereby achieving all results enabled by knowledge of the master key. Further, if no secrets may be extracted and/or localized, an attacker may simply try to undermine the validation step by jamming the random generator or the comparison logic in the console in order to enable replay attacks or to entirely bypass the validation respectively.
  • Fig. 2 depicts a schematic of a system 200 according to one embodiment of the invention.
  • the system may comprise a console 202 and a cartridge 204.
  • the system is generally configured to execute an authentication process wherein the cartridge, in particular a cartridge chip 206 in the
  • the cartridge may authenticate itself to the console.
  • Typical authentication protocols for use in the system are described in standard ISO 9798, in particular ISO 9798-2 relating to symmetric ciphers and ISO 9798-4 relating to MAC-type ciphers.
  • the cartridge chip may comprise one or more secret keys 208 and at least one
  • the present invention provides a software-based solution to provide a secured authentication scheme wherein a part of the firmware in the console is configured as a secured area using a white box encryption scheme, wherein the secured white box encrypted area comprises sensitive data and/or logic
  • the firmware in the processor 212 may comprise an unsecured area and a secured software-implemented area 214, which is protected by white box encryption and which may comprise at least part of the secret keys and algorithms used by the authentication process.
  • the secured area in the console may communicate with the cartridge chip and applications in the unsecure area.
  • authentication processes may include exchange of one or more keys or identifiers 216 between the cartridge chip and the secure area, and/or reception of challenge 218 originating from a random generator or a predetermined function 220,
  • White box cryptography allows secret keys embedded in the secure area to be intertwined with the algorithm such that the key and the algorithm cannot be separated. Further, white box cryptography may be used to keep a cryptographic algorithm secret. As will be described in more detail hereunder, the use of such secured portion within the firmware of the console may alleviate at least part of the drawbacks related to known hardware implementations.
  • transforms 209a and 209b may be implemented as input
  • a key 208 in the cartridge chip may be used as an input for a cryptographic algorithm in the secure area, so that - before being sent to the input of the secure area - the key may be first transformed using an input
  • the input of the secured area comprises the inverse transform function ⁇ for transforming the key back to the original key.
  • cannot be separated from the other cryptographic algorithms comprised in the secure area.
  • the output of secure area 211b may generate an output on the basis of output transform T2^-1.
  • the input 211a of the cartridge chip may comprise a transform T2 for transforming the output of the secure area back to the original data space.
  • Similar considerations may apply to other transform functions, e.g. transform functions 213a, 213b associated with the transmission of a challenge. In these implementations it is required that the transform functions are located in secured areas, i.e.
  • An input domain ID is associated with input data in a non-transformed data space.
  • An encryption function E may use some key to encrypt data elements of input domain ID in order to deliver a corresponding encrypted data element in an output domain OD.
  • the original data elements of input domain ID may be obtained by applying the decryption function D to the data elements of output domain OD.
  • an adversary is assumed to be able to control the input and output data elements and the operation of the implementation of the encryption function E, in order to discover the confidential information (such as keys) that is embedded in the
  • Security may be obtained in a non-secured environment by applying external, key-independent transformation functions to the input domain ID and output domain OD.
  • Transformation function T1 maps data elements from the input domain ID to transformed data elements of
  • transformation function T2 maps data elements from the output domain OD to the transformed output domain OD'.
  • Transformed encryption and decryption functions E' and D' may now be defined between ID' and OD' using transformed keys.
  • T1 and T2 should be bijections.
  • transformation functions T1, T2 together with encryption techniques implies that, instead of inputting data elements of input domain ID to encryption function E to obtain encrypted data elements of output domain OD, transformed data elements of domain ID' are input to transformed encryption function E' by applying transformation function T1.
  • Transformed encryption function E' combines the inverse transformation function T1^-1 and the direct transformation function T2 in the encryption operation to protect the confidential information, such as the key. Then transformed encrypted data elements of domain OD' are obtained.
  • keys for encryption functions E or decryption function D can neither be retrieved when analysing input data and output data in the transformed data space nor when
  • In white box cryptography it is assumed that the processing in the transformed data space is under full control of an adversary. Under this assumption, an adversary has access to the data elements in ID', OD' and the white box implementations of the functions E' and/or D'.
  • White box cryptography provides security by securing (parts of) the keys for the functions E and D.
  • Fig. 4 depicts a system 400 comprising a console 402 and a cartridge 404 according to one embodiment of the
  • an authentication protocol is used, which is similar to the authentication process described with reference to Fig. 1.
  • the console comprises a secured area 409, wherein at least part of the authentication process is executed in a transformed data space as explained in Fig. 3. Further, the algorithms and secret key information are white-box encrypted.
  • the cartridge may comprise elements, e.g. a cartridge chip 410, a chip secret (CS) 416, a CID 414, which are
  • the cryptographic algorithm 417 used in the cartridge chip (and in the console) may be secret.
  • the cartridge may be provided with one or more input and/or output transform
  • the console may comprise a processor 408 for executing firmware provided by a read-only memory 406.
  • the firmware may comprise software code portions for implementing a comparator 436 and console logic 440.
  • a random generator 428 may be connected to the processor for generating a challenge RNG 429 for use in the authentication process.
  • the console comprises a secured area 409 in which the firmware, in particular the sensitive part of the
  • Input data for the secured area originating from the cartridge chip, e.g. the CID, may be transformed on the basis of transformation
  • White-box encryption functions F' and G' allow intertwining of sensitive data, e.g. secret keys, such as the CMK 420 and CS 426, with the (software) algorithms themselves such that they cannot be separated and such that secret keys cannot be used in a different unauthorized environment.
  • Results generated by the white-box encryption functions may be used by software in the unsecured area.
  • White boxes usually take the form of a sequence of table lookup operations.
  • the lookup tables are generally large and random-looking.
  • White boxes do not prevent an attacker from executing the algorithm with the sensitive data, possibly in multiple rogue devices at the same time, but prevent an attacker from modifying the code in a meaningful way and/or extracting confidential information from the lookup tables.
  • White boxes in the secured area may be constructed so that its inputs 448,450 and outputs 452 may be pre-conditioned and post-conditioned respectively using data transformations, that may be implemented in hardware or in software. Further, if post conditioning of a first white box matches the preconditioning of a second white box, the two white boxes may be effectively merged into a single white box.
  • the secured area 409 in Fig. 4 may comprise a first and second secured area 418,422.
  • the first secured area may be associated with the first white-box
  • the second secured area may be associated with the second white-box transformed cryptographic function G'.
  • white-box encryption may be used in the first secured area
  • CMK traditional way, i.e. the CMK may be blended into the
  • transformed code of algorithm F' which may be the white box implementation of a known public key cryptography primitive.
  • the first secured area 418 may ensure that no attacker may effectively lift the real value of such CMK key even if the firmware image is made public (e.g. via an official software update) and even if the attacker has got complete control of the execution logic using e.g. an
  • the second secured area 422 is associated with a white-box transformed second cryptographic function G', wherein G may be a non-standard cryptographic encryption algorithm 417 in the cartridge chip.
  • G may be a custom encryption algorithm whose implementation is simple enough to minimize the silicon cost in the cartridge, while still being robust against black box analysis.
  • Reduced and/or tweaked versions of ciphers like DES or AES may be used as a basis for defining G (and G').
  • the second secured area may use white box cryptography in its widest sense in order to protect the secrecy of the algorithm G and the key CS.
  • the first and second secured areas may be merged together into a single white box implementation such that the intermediate result of F' , i.e. CS, is not exposed.
  • the authentication protocol may be initiated wherein
  • authentication information i.e. a message comprising a transformed CID' 424, a random challenge message RNG' 430 and a transformed response RES_CR' from the cartridge chip 434 may be exchanged between the console and the cartridge in a similar way as described with reference to Fig. 1.
  • transformation functions Ti 448b in the white box and ⁇ 1 448a in the secure chip may be used as input transformations for transmitting CID to the secure area.
  • F' may use CID and CMK to produce the intermediate result CS.
  • Using a challenge 430 and CS 426, G' may subsequently calculate the console response RES_CS.
  • the output of the secure area may generate an output, which may be transformed using output transformation function T ⁇ -1 452b.
  • T2 is not required for comparing RES_CS with RES_CR.
  • T2 may be a non-trivial
  • RES_CR should be transformed to RES_CR' 434 using T1 452a in the cartridge chip.
  • transformation functions T1 and T2 may be relatively simple (when compared to F and G) but non-trivial functions, which may be implemented in hardware.
  • transformation functions are bijection functions.
  • Other transform functions which may be are described in US6,842,862 and US6,594,761, which are hereby incorporated by reference in the application.
  • an update may also include renewal of the secret cryptographic function or the provisioning of one or more secret cryptographic functions which may be used in the future.
  • revocation may not be immediately executed. Its actual enforcement period may depend on parameters such as the average time it takes to deploy a software upgrade and the number of users who purchased but shelved a genuine cartridge.
  • a given update may include an arbitrary number of master keys and/or secret cryptographic functions (past and present).
  • the update e.g. a software patch
  • the secret may relate to white box encrypted information
  • the secret may be sent by the manufacturer over the Internet to a population of consoles, wherein the update may have the form of a data file comprising white box encrypted secret algorithms and, optionally, one or more secret authentication keys embedded therein.
  • the secret relate to white box encrypted information
  • the secret e.g. a software patch
  • the console may be configured to receive the data file and to replace the data in the secure area with the data in the data file. Replacement of the data in the secure area does not necessarily mean that a new secret cryptographic algorithm and/or master key is immediately used for
  • the update may contain a list of secret cryptographic functions, e.g. one or more secret cryptographic functions used earlier by the console, the function currently used by the console and functions
  • the console may be configured to receive a revocation message (e.g. in a software update) wherein one or more cryptographic algorithms may be revoked and/or wherein the console is instructed to use a particular secret cryptographic function in the list of secret cryptographic functions.
  • One embodiment of the invention may be implemented as a program product for use with a computer system.
  • program(s) of the program product define functions of the embodiments (including the methods described herein) and can be contained on a variety of computer-readable storage media.
  • Illustrative computer-readable storage media include, but are not limited to: (i) non-writable storage media (e.g., read-only memory devices within a computer such as CD-ROM disks readable by a CD-ROM drive, flash memory, ROM chips or any type of solid-state non-volatile semiconductor memory) on which information is permanently stored; and (ii) writable storage media (e.g., floppy disks within a diskette drive or hard-disk drive or any type of solid-state random-access semiconductor memory) on which alterable information is

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

At least a method for exchanging authentication information between a cartridge and an electronic device is described, wherein said cartridge comprises an authentication module comprising at least a first cryptographic function and said electronic device comprises a secured area associated with at least a first white box encrypted cryptographic function. The method comprising: receiving a transformed first authentication key generated on the basis of at least a first transformation function in said authentication module; and, in response to a challenge, generating a first authentication response by executing said first white box encrypted cryptographic function in a transformed data space on the basis of said transformed first authentication key. Further, an electronic device and a cartridge using such method are described.

Description

Exchanging authentication information between a cartridge and an electronic device
Field of the invention
The invention relates to exchanging authentication information between a cartridge and an electronic device, and, in particular, though not necessarily, to a method for exchanging authentication information between a cartridge and an electronic device, an electronic device and an authentication module using such method, a cartridge comprising such authentication module and a computer program product using such method.
Background of the invention
Electronics consumables such as ink cartridges and energy cartridges (batteries) are typically implemented as devices which may be removably mounted to a console, e.g. a printer console or a mobile phone console, so that an end-user may easily replace them when depleted. Usually, the manufacturer of the console produces and markets the consumable parts as separate items for the benefit of the end-user. These consumable parts have a long history of piracy. Products not originating from the original manufacturer may be of inferior quality and/or may not meet the same safety requirements as the original. Hence, manufacturers implement measures, including technical measures, to prevent, or at least suppress, piracy.
Such technical measures may include the presence of a small electronic device (e.g. a chip) on the consumable part, so that operation of the console may only be possible when the authenticity of the consumable part is verified. Established cryptographic algorithms may be used to support such verification. Typically consumables are low-cost high-volume products. Hence, any security measure may only rely on a limited number of computational resources and/or on inexpensive technological processes. Public key cryptography-based protocols relying on an external entity, e.g. a trusted server, are therefore not suitable for securing consumables.
Authentication on the basis of certain protocols, e.g. a Message Authentication Code (MAC), may provide a cost-effective method for authentication. If - as part of its normal usage - such cartridges are under control of an adversary, a real threat may exist that the adversary may be able to extract sensitive data, e.g. secret keys and/or algorithms, from the device, in particular from the software therein. With this sensitive data, rogue devices, in particular rogue cartridges, may be produced. Such rogue devices may be used with an associated console without any restriction.
Traditional solutions for preventing such unauthorized use consist of isolating the sensitive data and the environment where it is employed into a physical, tamper-proof element (e.g. a smart card), which is co-located with or in the console. Such a hardware-based solution however may not be desirable for low-cost solutions. More importantly, a hardware-based solution is not suitable for renewal of sensitive data. Such renewal is desirable, as cartridge chips typically comprise a secret algorithm. Using well-known side-channel attacks, (part of the knowledge of) the secret algorithm may be used in order to derive secret key material, which may be used to produce rogue cartridges. Since the cartridge is necessarily a low-cost device and since established hardware and software side-channel countermeasures add up to the final platform costs, it may be expected that cartridge chips will be heavily exposed to such class of attacks. Therefore, renewal of authentication algorithms in the console is desirable, because cartridges have a limited lifespan so that the manufacturer may phase out old algorithms and introduce new ones.
Hence, there is a need in the art for improved methods and systems, which allow authentication of a cartridge to a console without the need for secured hardware measures and which allow secure renewal of one or more secrets used in the authentication method.
Summary of the invention
It is an object of the invention to reduce or eliminate at least one of the drawbacks of known service provisioning systems. In a first aspect the invention may relate to a method for exchanging authentication information between a cartridge and an electronic device, wherein said cartridge may comprise an authentication module comprising at least a first cryptographic function and wherein said electronic device may comprise a secured area associated with at least a first white box encrypted cryptographic function, the method comprising: receiving a transformed first authentication key generated on the basis of at least a first transformation function in said authentication module; and, in response to a challenge, generating a first authentication response by executing said first white box encrypted cryptographic function in a transformed data space on the basis of said transformed first authentication key.
The method uses a white box transformed authentication function in the console in combination with a hardware-implemented transformation function in the cartridge chip in order to define a secured area in a memory of the console wherein an authentication method using the authentication function may be executed for at least a part in a transformed data space. The secured area allows secured execution of an authentication protocol for authenticating the cartridge to the console. Such method thus avoids the need for hardware-implemented cryptographic functions in the console.
The combined use of white box encryption and transformation functions allows replacement of one or more cryptographic functions and/or authentication keys residing in the secured area by one or more new cryptographic functions and/or new authentication keys respectively. Moreover, it allows a custom-made cryptographic function to be kept secret. In one embodiment said secured area may be provided with at least a second transformation function, said second transformation function being the inverse of said first transformation function. In this embodiment, the transform function in the cartridge chip has an associated inverse transform function in the white box encrypted secured area in order to provide secured exchange of authentication parameters between the electronic device and the cartridge chip.
In another embodiment said secured area may further comprise at least a second white box encrypted cryptographic function and at least a second authentication key embedded in said first and/or second white box encrypted cryptographic function, wherein said method may further comprise: said second white box encrypted cryptographic function generating a secret key on the basis of said transformed first authentication key and said second authentication key. Hence, white box encryption allows effective storage of secret keys in the secured area without the use of hardware measures.
In a further embodiment the method may comprise: said first white box encrypted cryptographic function generating a first authentication response using said secure key and said challenge as input parameters. The invention allows secured execution of at least part of the authentication method in the secured area and generation of authentication responses and/or keys associated with such authentication method.
In yet a further embodiment the method may comprise: receiving a second authentication response from said authentication module, said second authentication response being generated by said first cryptographic function in said cartridge chip in response to said challenge; and, providing data access to said cartridge on the basis of said first and second authentication response.
In one variant, said secured area may be provided with at least a third transformation function for transforming said authentication response to a transformed data space.
In another variant said cartridge may be a consumable, preferably a printer cartridge or a battery cartridge. In a further variant said first cryptographic function may be a secret customized cryptographic function and/or wherein said first transformation function is a non-trivial bijection suitable for hardware-implementation in an authentication module.
In another embodiment, the invention may relate to an electronic device configured for exchanging authentication information with a cartridge associated with an authentication module. Said electronic device may comprise: a memory comprising a secured area associated with at least a first white box encrypted cryptographic function; an interface for receiving a transformed first authentication key generated in said authentication module on the basis of at least a first transformation function; and, a processor for generating a first authentication response by executing said first white box encrypted cryptographic function in a transformed data space on the basis of said transformed first authentication key and a challenge.
In one embodiment said electronic device may be configured for receiving at least one further white box encrypted cryptographic function and for replacing said first white box encrypted cryptographic function in said secure area with said at least one further white box encrypted function.
In another embodiment said electronic device may be configured for receiving at least one update data file, said data file comprising at least one or more white box encrypted cryptographic functions and, optionally, one or more authentication keys embedded in said one or more white box encrypted cryptographic functions. In a further embodiment, said electronic device may be configured to replace the white box encrypted data in said secure area with the data in said update data file; and wherein said console is configured to select at least one of said white box encrypted cryptographic functions. In yet a further embodiment said selection may be triggered by a revocation message received by said electronic device. The invention thus allows efficient management of secret authentication information, e.g. authentication keys and/or algorithms, without risking disclosure of the secret information. Further it allows the use of one console with cartridges with different secret cryptographic functions.
In another embodiment said secured area in said electronic device may further comprise at least a second transformation function, said second transformation function being the inverse of said first transformation function.
In a further aspect, the invention may relate to an authentication module configured for exchanging authentication information with an electronic device, said electronic device comprising a secured area associated with at least a first white box encrypted cryptographic function, wherein said authentication module may comprise: at least a hardware-implemented first transformation function for transforming a first authentication key into a transformed first authentication key allowing said first white box encrypted cryptographic function in said electronic device to be executed in a transformed data space; and, an interface for sending said transformed first authentication key to said secure area of said electronic device.
In one embodiment, the authentication module may further comprise: at least one hardware-implemented first cryptographic function for generating an authentication response in response to a challenge originating from said electronic device.
In yet another aspect, the invention may relate to a cartridge, preferably a printer cartridge or a battery cartridge, comprising an authentication module as described above.
The invention may also relate to a computer program product comprising software code portions configured for, when run on a processor in an electronic device, executing the method according to any of the method steps as described above.
The invention will be further illustrated with reference to the attached drawings, which schematically show embodiments according to the invention. It will be understood that the invention is not in any way restricted to these specific embodiments.
Brief description of the drawings
Fig. 1 depicts a schematic of a known system comprising a console and a cartridge for use with an authentication scheme.
Fig. 2 depicts a high level schematic of one embodiment of the invention.
Fig. 3 is a diagram illustrating the use of transformation functions.
Fig. 4 depicts a schematic of an electronic device and a cartridge according to another embodiment of the invention.
Detailed description
Fig. 1 depicts a schematic of at least part of a known authentication protocol implemented in a system 100 comprising an electronics console 102 and at least one cartridge 104. The system may relate to a system wherein the cartridge is used to provide the electronic console with a consumable. In one embodiment, the system may relate to a printer system comprising a cartridge comprising ink or a toner, which may be removably mounted on the printer console. In another embodiment, the system may relate to a cartridge comprising an energy source, i.e. a battery, which may be removably mounted to an electronics device, typically a mobile and/or portable electronics device, e.g. a mobile phone, a notebook, a digital camera etc.
The console may comprise a re-programmable read-only memory 106, e.g. an EEPROM or a FLASH memory or the like, comprising software code portions, i.e. firmware, associated with a process for authenticating the cartridge to the console. A processor 108 for executing the software code portions of the firmware may communicate with the cartridge, in particular a secured chip 110 in the cartridge, via an interface 112. During production, the secured chip in the cartridge may be provided with a chip secret (CS) 114, which may be generated by a generator function G on the basis of an identifier, e.g. chip ID (CID) 116, and a common master key (CMK): CS = G(ID,CMK). The chip further comprises an established cryptographic algorithm 117, which may be used during the authentication process. Similarly, the firmware in the processor may comprise an embedded CMK 118 and a first and second cryptographic algorithm F and G 120,122 respectively, wherein the second cryptographic algorithm G is identical to the cryptographic algorithm in the secured chip.
Mounting a cartridge into the console may initiate the execution of the authentication process, wherein authentication information may be exchanged between the processor and the cartridge chip. The authentication may include a first step 124 wherein the CID is sent to the processor. Then, on the basis of the first cryptographic algorithm, using the CID and CMK as input parameters, CS is calculated (step 126). A random number generator 128 may generate a challenge RNG 129, which is sent to both the cartridge and the processor (step 130). A cartridge response RES_CR is subsequently generated by the cryptographic algorithm in the cartridge chip using the challenge RNG and the CS (step 134). Similarly, a console response RES_CS is generated by the second cryptographic algorithm in the console using the challenge RNG and the CS calculated on the basis of the first cryptographic algorithm (step 132).
The console processor using a comparator compares both responses and if the processor has established that RES_CR and RES_CS are identical (step 136), an authorization message 138 is sent to the console logic 140 allowing the console to access the cartridge logic so that access to the resources provided by the cartridge may be allowed. In one embodiment, the authorization message may allow transmission of printer data 142 via the printer console logic 140 to the cartridge logic 144 in the printer cartridge (step 146).
In the authentication scheme as depicted in Fig. 1, first and second cryptographic functions F and G are such that: i) it is not possible to derive a chip secret given any number of challenges and responses for a given CID; and, ii) it is not possible to derive information on the master key given a large number of chip IDs and corresponding (leaked) unique CSs. In known implementations F and G are established standardized cryptographic MAC functions such as HMAC-SHA1 or HMAC-MD5.
The protocol as depicted in Fig. 1 suffers however from a number of drawbacks. In typical implementations, the CMK may be embedded in the firmware of the console from where it may be obtained by an adversary with little effort.
Similarly, the unique chip secret (CS), which may appear as a temporary value during execution of the protocol, may be intercepted. Localization of the chip secret in the console may additionally allow the console to be used as an oracle, thereby achieving all results enabled by knowledge of the master key. Further, if no secrets may be extracted and/or localized, an attacker may simply try to undermine the validation step by jamming the random generator or the comparison logic in the console in order to enable replay attacks or to entirely bypass the validation respectively.
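The Fig. 1 exchange as a runnable sketch, added here for illustration and not taken from the patent: F and G are both HMAC-SHA1 as the text suggests, while the key/message argument order, the class names and all sample values are assumptions. The last class shows that the comparison in step 136 is only as strong as the challenge generator feeding it.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; none of them come from the patent.
CMK = bytes.fromhex("00112233445566778899aabbccddeeff")  # common master key
CID = b"CID-0001"                                         # chip identifier


def mac(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA1, one of the standard MACs the text names for F and G."""
    return hmac.new(key, msg, hashlib.sha1).digest()


def derive_chip_secret(cid: bytes, cmk: bytes) -> bytes:
    """F: chip secret from chip ID and master key (argument order assumed)."""
    return mac(cmk, cid)


def response(cs: bytes, challenge: bytes) -> bytes:
    """G: response to a challenge under the chip secret."""
    return mac(cs, challenge)


class Cartridge:
    """Cartridge chip holding a CID and the CS provisioned at production."""

    def __init__(self, cid: bytes, cs: bytes):
        self.cid = cid
        self._cs = cs

    def respond(self, challenge: bytes) -> bytes:        # step 134
        return response(self._cs, challenge)


class RecordedCartridge:
    """Holds no secret: returns one previously observed response."""

    def __init__(self, cid: bytes, recorded: bytes):
        self.cid = cid
        self._recorded = recorded

    def respond(self, challenge: bytes) -> bytes:
        return self._recorded


class Console:
    """Console firmware: embeds the CMK and recomputes CS on every run."""

    def __init__(self, cmk: bytes, rng=secrets.token_bytes):
        self._cmk = cmk      # sits in the firmware image in the known scheme
        self._rng = rng

    def authenticate(self, cartridge) -> bool:
        cid = cartridge.cid                               # step 124
        cs = derive_chip_secret(cid, self._cmk)           # step 126, CS in RAM
        challenge = self._rng(16)                         # step 130
        res_cs = response(cs, challenge)                  # step 132
        res_cr = cartridge.respond(challenge)             # step 134
        return hmac.compare_digest(res_cs, res_cr)        # step 136


def run_checks() -> dict:
    """Run the exchange for four console/cartridge combinations."""
    genuine = Cartridge(CID, derive_chip_secret(CID, CMK))
    wrong_secret = Cartridge(CID, secrets.token_bytes(20))
    stuck_value = b"\x00" * 16
    recorded = RecordedCartridge(CID, genuine.respond(stuck_value))
    healthy = Console(CMK)
    stuck = Console(CMK, rng=lambda n: b"\x00" * n)       # generator stuck at zero
    return {
        "genuine": healthy.authenticate(genuine),
        "wrong_secret": healthy.authenticate(wrong_secret),
        "recorded_fresh_challenge": healthy.authenticate(recorded),
        "recorded_stuck_generator": stuck.authenticate(recorded),
    }
```

Both the embedded CMK and the temporary CS are ordinary values in console memory here, which is the exposure the paragraph above describes.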
At least part of these drawbacks may be lifted by implementing at least part of the storage and handling of secrets and the random generator in a tamper-proof chip (e.g. a smart card). Such hardware-based solution however may not be desirable for low-cost solutions. Moreover, a hardware-based solution is not suitable for renewal of global secrets. Such renewal is desirable, as each cartridge chip will comprise a global secret cryptographic algorithm. Using well-known side-channel attacks (part of) the cryptographic algorithm may be used in order to derive secret key material. Since the cartridge is necessarily a low-cost device and since established hardware and software side-channel countermeasures add up to the final platform costs, it may be expected that cartridge chips will be heavily exposed to such class of attacks.
Hence, over time secret key material associated with the authentication procedure may become public. In such situations, the security provided by established hardware-based solutions relying on functions, which are hardcoded into the tamper-free chip in the console and which cannot be changed, may become seriously and irreparably compromised.
Fig. 2 depicts a schematic of a system 200 according to one embodiment of the invention. The system may comprise a console 202 and a cartridge 204. The system is generally configured to execute an authentication process wherein the cartridge, in particular a cartridge chip 206 in the cartridge, may authenticate itself to the console. Typical authentication protocols for use in the system are described in standard ISO 9798, in particular ISO 9798-2 relating to symmetric ciphers and ISO 9798-4 relating to MAC-type ciphers. For the purpose of the authentication, the cartridge chip may comprise one or more secret keys 208 and at least one cryptographic algorithm 210.
In contrast with known hardware implementations, the present invention provides a software-based solution to provide a secured authentication scheme wherein a part of the firmware in the console is configured as a secured area using a white box encryption scheme, wherein the secured white box encrypted area comprises sensitive data and/or logic associated with the authentication protocol. Hence, the firmware in the processor 212 may comprise an unsecured area and a secured software-implemented area 214, which is protected by white box encryption and which may comprise at least part of the secret keys and algorithms used by the authentication process. The secured area in the console may communicate with the cartridge chip and applications in the unsecure area. Typical authentication processes may include exchange of one or more keys or identifiers 216 between the cartridge chip and the secure area, and/or reception of a challenge 218 originating from a random generator or a predetermined function 220, and/or the comparison of responses originating from the secure area 222 and the cartridge chip 226 respectively using certain decision logic 224 in the unsecured area.
White box cryptography allows secret keys embedded in the secure area to be intertwined with the algorithm such that the key and the algorithm cannot be separated. Further, white box cryptography may be used to keep a cryptographic algorithm secret. As will be described in more detail hereunder, the use of such secured portion within the firmware of the console may alleviate at least part of the drawbacks related to known hardware implementations.
In order to further enhance security at least part of the process step associated with the authentication procedure may be executed in a transformed data space using input transforms and output transforms. For example, transforms 209a and 209b may be implemented as input transforms T1^-1 and T1. A key 208 in the cartridge chip may be used as an input for a cryptographic algorithm in the secure area, so that - before being sent to the input of the secure area - the key may be first transformed using an input transform T1^-1 209a in the hardware-implemented cartridge chip. The input of the secured area comprises the inverse transform function T1 for transforming the key back to the original key. As T1 is part of the white box encrypted secure area, T1 cannot be separated from the other cryptographic algorithms comprised in the secure area.
Similarly, the output of secure area 211b may generate an output on the basis of output transform T2^-1. If during authentication this result is used by the cartridge logic in the cartridge chip, the input 211a of the cartridge chip may comprise a transform T2 for transforming the output of the secure area back to the original data space. Similar considerations may apply to other transform functions, e.g. transform functions 213a, 213b associated with the transmission of a challenge. In these implementations it is required that the transform functions are located in secured areas, i.e. either as part of the white box or hardware-implemented in a chip.
The concept of the transformed data domain and transformation functions is illustrated with reference to Fig. 3. An input domain ID is associated with input data in a non-transformed data space. An encryption function E may use some key to encrypt data elements of input domain ID in order to deliver a corresponding encrypted data element in an output domain OD. By applying a decryption function D, the original data elements of input domain ID may be obtained by applying the decryption function D to the data elements of output domain OD. In a non-secure environment, an adversary is assumed to be able to control the input and output data elements and the operation of the implementation of the encryption function E, in order to discover the confidential information (such as keys) that is embedded in the implementation.
Security may be obtained in a non-secured environment by applying external, key-independent transformation functions to the input domain ID and output domain OD. Such transformation functions are thus input- and output operations. Transformation function T1 maps data elements from the input domain ID to transformed data elements of transformed input domain ID' of a transformed data space. Similarly, transformation function T2 maps data elements from the output domain OD to the transformed output domain OD'. Transformed encryption and decryption functions E' and D' may now be defined between ID' and OD' using transformed keys. In such scheme T1 and T2 should be bijections.
Using transformation functions T1, T2 together with encryption techniques implies that, instead of inputting data elements of input domain ID to encryption function E to obtain encrypted data elements of output domain OD, transformed data elements of domain ID' are input to transformed encryption function E' by applying transformation function T1. Transformed encryption function E' combines the inverse transformation function T1^-1 and the direct transformation function T2 in the encryption operation to protect the confidential information, such as the key. Then transformed encrypted data elements of domain OD' are obtained. By performing T1 and/or T2 in a secured portion, keys for encryption functions E or decryption function D can neither be retrieved when analysing input data and output data in the transformed data space nor when analysing the white box implementation of E' and/or D'. One of the transformation functions T1, T2 should be a non-trivial function. In case T1 is a trivial function, the input domains ID and ID' are the same domain. In case T2 is a trivial function, the output domains are the same domain.
In white box cryptography, it is assumed that the processing in the transformed data space is under full control of an adversary. Under this assumption, an adversary has access to the data elements in ID', OD' and the white box implementations of the functions E' and/or D'. White box cryptography provides security by securing (parts of) the keys for the functions E and D. By applying transformation functions T1 and T2 in a secured portion, the white box algorithm cannot be resolved in the transformed space as this requires knowledge of T1 and/or T2.
Fig. 4 depicts a system 400 comprising a console 402 and a cartridge 404 according to one embodiment of the invention. In this non-limiting example an authentication protocol is used, which is similar to the authentication process described with reference to Fig. 1. The console comprises a secured area 409, wherein at least part of the authentication process is executed in a transformed data space as explained in Fig. 3. Further, the algorithms and secret key information are white-box encrypted.
The cartridge may comprise elements, e.g. a cartridge chip 410, a chip secret (CS) 416, a CID 414, which are substantially similar to those described with reference to Fig. 1. In contrast with the example depicted in Fig. 1, the cryptographic algorithm 417 used in the cartridge chip (and in the console) may be secret. Further, the cartridge may be provided with one or more input and/or output transform functions 448a, 450a, 452a for transforming authentication data into a transformed data space and vice versa. The advantages associated with this implementation will be explained hereunder in more detail.
The console may comprise a processor 408 for executing firmware provided by a read-only memory 406. The firmware may comprise software code portions for implementing a comparator 436 and console logic 440. Further, a random generator 428 may be connected to the processor for generating a challenge RNG 429 for use in the authentication process.
The console comprises a secured area 409 in which the firmware, in particular the sensitive part of the authentication process, is executed in a transformed data space as explained with reference to Fig. 3. Input data for the secured area originating from the cartridge chip, e.g. the CID, may be transformed on the basis of transformation function T1: CPID' [Figure imgf000015_0001].
In the secured area cryptographic algorithms F and G may be executed in their white-box transform: F'=T1^-1·F 418 and G'=T1^-1·G 422. White-box encryption functions F' and G' allow intertwining of sensitive data, e.g. secret keys, such as the CMK 420 and CS 426, with the (software) algorithms themselves such that they cannot be separated and such that secret keys cannot be used in a different unauthorized environment.
Results generated by the white-box encryption functions (e.g. a response generated by G' upon reception of a challenge) may be used by software in the unsecured area.
White boxes usually take the form of a sequence of table lookup operations. The lookup tables are generally large and random-looking. White boxes do not prevent an attacker from executing the algorithm with the sensitive data, possibly in multiple rogue devices at the same time, but prevent an attacker from modifying the code in a meaningful way and/or from extracting confidential information from the lookup tables. White boxes in the secured area may be constructed so that their inputs 448,450 and outputs 452 may be pre-conditioned and post-conditioned respectively using data transformations, which may be implemented in hardware or in software. Further, if the post-conditioning of a first white box matches the pre-conditioning of a second white box, the two white boxes may be effectively merged into a single white box.
The secured area 409 in Fig. 4 may comprise a first and second secured area 418,422. In one embodiment, the first secured area may be associated with the first white-box transformed cryptographic function F'. In another embodiment, the second secured area may be associated with the second white-box transformed cryptographic function G'. In the first secured area white-box encryption may be used in the traditional way, i.e. the CMK may be blended into the transformed code of algorithm F', which may be the white box implementation of a known public key cryptography primitive. This way, the first secured area 418 may ensure that no attacker may effectively lift the real value of such CMK key even if the firmware image is made public (e.g. via an official software update) and even if the attacker has got complete control of the execution logic using e.g. an emulator.
The second secured area 422 is associated with a white-box transformed second cryptographic function G', wherein G may be a non-standard cryptographic encryption algorithm 417 in the cartridge chip. In contrast with the first secure area which is used for securing key information, in particular the CMK, in the second secure area white box encryption is employed in order to keep G' and CS secret. Here G may be a custom encryption algorithm whose implementation is simple enough to minimize the silicon cost in the cartridge, while still being robust against black box analysis. Reduced and/or tweaked versions of ciphers like DES or AES may be used as a basis for defining G (and G').
The second secured area may use white box cryptography in its widest sense in order to protect the secrecy of the algorithm G and the key CS. The first and second secured areas may be merged together into a single white box implementation such that the intermediate result of F', i.e. CS, is not exposed.
If a cartridge is connected to the console, the authentication protocol may be initiated wherein authentication information, i.e. a message comprising a transformed CID' 424, a random challenge message RNG' 430 and a transformed response RES_CR' from the cartridge chip 434 may be exchanged between the console and the cartridge in a similar way as described with reference to Fig. 1.
When executing the authentication procedure, transformation functions T1 448b in the white box and T1^-1 448a in the secure chip may be used as input transformations for transmitting CID to the secure area. In the secure area, F' may use CID and CMK to produce the intermediate result CS. Using a challenge 430 and CS 426 G' may subsequently calculate the console response RES_CS. The output of the secure area may generate an output, which may be transformed using output transformation function T2^-1 452b.
In one embodiment, T2 may be simply an identity function f(x)=x. In that case, the use of the inverse transformation T2 is not required for comparing RES_CS with RES_CR. In another embodiment, T2 may be a non-trivial function. In that case, data should be correctly mapped to an appropriate data space (i.e. the transformed data space or the original data space) so that e.g. the comparator 436 in the unsecure area may compare the console response with the cartridge response. For example, in order to compare the transformed output RES_CS' 432 with the response of the cartridge RES_CR, RES_CR should be transformed to RES_CR' 434 using T2^-1 452a in the cartridge chip.
Preferably, transformation functions T1 and T2 may be relatively simple (when compared to F and G) but non-trivial functions, which may be implemented in hardware. Examples of transformation functions are bijection functions. A simple example is the function h(x)=x+2. Other transform functions which may be used are described in US6,842,862 and US6,594,761, which are hereby incorporated by reference in the application.
The presence of the secured area as described with reference to Fig. 2-4 provides the same advantages as a known hardware implementation. In addition however, the secured area using data transformations in combination with white box encryption provides a simpler design of the console as no security sensitive, custom piece of hardware needs to be integrated into the console. Moreover, secret information, in particular the secret cryptographic function, may be effectively renewed in the console by replacing the code in the secure area comprising the white box encrypted algorithms and keys with new code. Such renewal may be achieved during e.g. a software update, even long after its purchase date. Software updates of the firmware in consoles connected to the Internet are nowadays regularly executed for reasons of eliminating bugs, improving software, adding new features, security fixes, etc. It is therefore convenient to pair such renewal with the release of an official firmware update. In that way, old master keys and cartridge chips that were possibly produced using these old keys may be effectively revoked. Further, an update may also include renewal of the secret cryptographic function or the provisioning of one or more secret cryptographic functions which may be used in the future.
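A toy model of the transformed data space of Fig. 3 applied to the Fig. 4 flow and to the renewal just described, added here for illustration and not taken from the patent. The 8-bit functions F and G, the internal encoding M, the seeds and all sample values are constructed, and keeping T1 and T2 unchanged across a firmware update is an assumption; the code follows Fig. 3's naming, where T1 and T2 map into the transformed space and the tables absorb T1^-1 and T2.

```python
import random

N = 256  # toy 8-bit data space, far too small to protect anything


def random_bijection(rng):
    """Return (table, inverse_table) for a random permutation of 0..N-1."""
    table = list(range(N))
    rng.shuffle(table)
    inverse = [0] * N
    for x, y in enumerate(table):
        inverse[y] = x
    return table, inverse


# Constructed 8-bit stand-ins for the cryptographic functions F and G.
SBOX, _ = random_bijection(random.Random(1))


def F(cid, cmk):
    """Chip secret CS from chip ID and common master key."""
    return SBOX[cid ^ cmk]


def G(cs, challenge):
    """Response from chip secret and challenge."""
    return SBOX[SBOX[challenge ^ cs] ^ cs]


def make_transforms(seed):
    """T1 and T2 as (table, inverse) pairs, fixed in cartridge hardware."""
    rng = random.Random(seed)
    return random_bijection(rng), random_bijection(rng)


def build_secured_area(cmk, transforms, seed):
    """Lookup tables shipped in firmware; CMK, T1^-1 and T2 are baked in."""
    (_, t1_inv), (t2, _) = transforms
    m, m_inv = random_bijection(random.Random(seed))  # internal encoding M
    # F' = M . F(., CMK) . T1^-1 : transformed CID in, M-encoded CS out.
    f_wb = [m[F(t1_inv[x], cmk)] for x in range(N)]
    # G' = T2 . G(M^-1(.), challenge) : M-encoded CS in, transformed response out.
    g_wb = [[t2[G(m_inv[c], r)] for r in range(N)] for c in range(N)]
    return f_wb, g_wb


class Cartridge:
    """Chip with CID, provisioned CS and hardware transforms T1 and T2."""

    def __init__(self, cid, cmk, transforms):
        (self._t1, _), (self._t2, _) = transforms
        self._cid = cid
        self._cs = F(cid, cmk)                       # set at production

    def transformed_cid(self):
        return self._t1[self._cid]                   # CID' leaves the chip

    def transformed_response(self, challenge):
        return self._t2[G(self._cs, challenge)]      # RES_CR'


def authenticate(secured_area, cartridge, challenge):
    """Console side: table lookups only, compared in the transformed space."""
    f_wb, g_wb = secured_area
    cs_encoded = f_wb[cartridge.transformed_cid()]   # CS never appears in clear
    res_cs_t = g_wb[cs_encoded][challenge]           # RES_CS'
    return res_cs_t == cartridge.transformed_response(challenge)


def accept_count(secured_area, cartridge):
    """Number of the N possible challenges for which the cartridge is accepted."""
    return sum(authenticate(secured_area, cartridge, r) for r in range(N))


def demo():
    """Old and renewed secured areas against old and new cartridges."""
    transforms = make_transforms(7)
    old_area = build_secured_area(0x5A, transforms, 11)   # constructed CMK
    new_area = build_secured_area(0xC3, transforms, 12)   # renewed CMK
    old_cart = Cartridge(0x17, 0x5A, transforms)
    new_cart = Cartridge(0x17, 0xC3, transforms)
    return {
        "old_area_old_cart": accept_count(old_area, old_cart),
        "new_area_new_cart": accept_count(new_area, new_cart),
        "new_area_old_cart": accept_count(new_area, old_cart),
    }
```

In an 8-bit space a cartridge built on the revoked key still matches a few challenges by chance, which is why `accept_count` is reported rather than a single yes/no.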
Such revocation may not be immediately executed. Its actual enforcement period may depend on parameters such as the average time it takes to deploy a software upgrade and the number of users who purchased but shelved a genuine cartridge. In one embodiment, a given update may include an arbitrary number of master keys and/or secret cryptographic functions (past and present).
The update, e.g. a software patch, may be sent by the manufacturer over the Internet to a population of consoles, wherein the update may have the form of a data file comprising white box encrypted secret algorithms and, optionally, one or more secret authentication keys embedded therein. As the data relate to white box encrypted information, the secret information contained therein cannot be extracted by an adversary.
The console may be configured to receive the data file and to replace the data in the secure area with the data in the data file. Replacement of the data in the secure area does not necessarily mean that a new secret cryptographic algorithm and/or master key is immediately used for authentication with a cartridge. The update may contain a list of secret cryptographic functions, e.g. one or more secret cryptographic functions used earlier by the console, the function currently used by the console and functions associated with future use.
The console may be configured to receive a revocation message (e.g. in a software update) wherein one or more cryptographic algorithms may be revoked and/or wherein the console is instructed to use a particular secret cryptographic function in the list of secret cryptographic functions. Hence, from the above it follows that the invention allows efficient management of secret authentication information, e.g. authentication keys and/or algorithms, without risking disclosure of the secret information. Further it allows the use of one console with cartridges with different secret cryptographic functions.
It is to be understood that any feature described in relation to any one embodiment may be used alone, or in combination with other features described, and may also be used in combination with one or more features of any other of the embodiments, or any combination of any other of the embodiments. Further, although the examples are illustrated on the basis of a MAC type authentication protocol using two cryptographic functions, other types of protocols using two or more cryptographic functions, e.g. https, ssl, tls and other key agreement protocols, may be used without departing from the invention.
One embodiment of the invention may be implemented as a program product for use with a computer system. The program(s) of the program product define functions of the embodiments (including the methods described herein) and can be contained on a variety of computer-readable storage media. Illustrative computer-readable storage media include, but are not limited to: (i) non-writable storage media (e.g., read-only memory devices within a computer such as CD-ROM disks readable by a CD-ROM drive, flash memory, ROM chips or any type of solid-state non-volatile semiconductor memory) on which information is permanently stored; and (ii) writable storage media (e.g., floppy disks within a diskette drive or hard-disk drive or any type of solid-state random-access semiconductor memory) on which alterable information is stored. Moreover, the invention is not limited to the embodiments described above, which may be varied within the scope of the accompanying claims.

Claims

1. Method for exchanging authentication information between a cartridge and an electronic device, said cartridge comprising an authentication module comprising at least a first cryptographic function and said electronic device comprising at least one secured area associated with at least a first white box encrypted cryptographic function comprising:
receiving a transformed first authentication key generated on the basis of at least a first hardware-implemented transformation function in said authentication module, said transformation function being associated with a transformed data space; and,
in response to a challenge, generating a first authentication response by executing said first white box encrypted cryptographic function in said transformed data space on the basis of said transformed first authentication key.
2. Method according to claim 1, wherein said secured area is provided with at least a second transformation function, said second transformation function being the inverse of said first transformation function.
3. Method according to claims 1 or 2 wherein said secured area further comprises at least a second white box encrypted cryptographic function and at least a second authentication key embedded in said first and/or second white box encrypted cryptographic function, said method further comprising:
said second white box encrypted cryptographic function generating a secret key on the basis of said transformed first authentication key and said second authentication key.
4. Method according to claim 3 comprising: said first white box encrypted cryptographic function generating a first authentication response using said secure key and said challenge as input parameters.
5. Method according to any of claims 1-4, comprising: receiving a second authentication response from said authentication module, said second authentication response being generated by said first cryptographic function in said cartridge chip in response to said challenge;
providing data access to said cartridge on the basis of said first and second authentication response.
6. Method according to any of claims 1-5, wherein said secured area is provided with at least a third transformation function for transforming said authentication response to a transformed data space.
7. Method according to any of claims 1-6, wherein said cartridge is a consumable, preferably a printer cartridge or a battery cartridge.
8. Method according to any of claims 1-6, wherein said first cryptographic function is a secret customized cryptographic function and/or wherein said first transformation function is a non-trivial bijection suitable for hardware-implementation in an authentication module.
9. Electronic device configured for exchanging authentication information with a cartridge associated with an authentication module, said electronic device comprising:
a memory comprising a secured area associated with at least a first white box encrypted cryptographic function;
an interface for receiving a transformed first authentication key generated in said authentication module on the basis of at least a first hardware-implemented transformation function, said transformation function being associated with a transformed data space;
a processor for generating a first authentication response by executing said first white box encrypted cryptographic function in said transformed data space on the basis of said transformed first authentication key and a challenge.
10. Electronic device according to claim 9, wherein said secured area further comprises at least a second transformation function, said second transformation function being the inverse of said first transformation function.
11. Electronic device according to claims 9 or 10, wherein said electronic device is configured for receiving at least one update data file, said data file comprising at least one or more white box encrypted cryptographic functions and, optionally, one or more authentication keys embedded in said one or more white box encrypted cryptographic functions.
12. Electronic device according to claim 11, wherein said console is configured to replace the white box encrypted data in said secure area with the data in said update data file; and wherein said console is configured to select at least one of said white box encrypted cryptographic functions.
13. Electronic device according to claim 12, wherein said selection is triggered by a revocation message received by said electronic device.
14. Authentication module configured for exchanging authentication information with an electronic device, said electronic device comprising a secured area associated with at least a first white box encrypted cryptographic function, comprising:
at least a hardware-implemented first transformation function for transforming a first authentication key into a transformed first authentication key allowing said first white box encrypted cryptographic function in said electronic device to be executed in a transformed data space;
an interface for sending said transformed first authentication key to said secure area of said electronic device.
15. Authentication module according to claim 14, further comprising:
at least one hardware-implemented first cryptographic function for generating an authentication response in response to a challenge originating from said electronic device.
16. A cartridge, preferably a printer cartridge or a battery cartridge, comprising an authentication module according to claims 14 or 15.
17. A computer program product comprising software code portions configured for, when run on a processor in an electronic device, executing the method according to any of claims 1-8.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP10158423 2010-03-30
EP10158423.3 2010-03-30

Publications (1)

Publication Number Publication Date
WO2011120974A1 true WO2011120974A1 (en) 2011-10-06

Family

ID=42102974

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2011/054836 WO2011120974A1 (en) 2010-03-30 2011-03-29 Exchanging authentication information between a cartridge and an electronic device

Country Status (1)

Country Link
WO (1) WO2011120974A1 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009145774A1 (en) * 2008-05-29 2009-12-03 Hewlett-Packard Development Company, L.P. Authenticating a replaceable printer component

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
CHOW S ET AL: "A WHITE-BOX DES IMPLEMENTATION FOR DRM APPLICATIONS", DRM. ACM WORKSHOP ON DIGITAL RIGHTS MANAGEMENT, ACM, US, 15 October 2002 (2002-10-15), pages 1 - 15, XP002471830 *

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2016534626A (en) * 2013-08-30 2016-11-04 ヒューレット−パッカード デベロップメント カンパニー エル.ピー.Hewlett‐Packard Development Company, L.P. Supply device authentication by measuring time for challenge and response
US10987936B2 (en) 2013-08-30 2021-04-27 Hewlett-Packard Development Company, L.P. Supply authentication via timing challenge response
US11014370B2 (en) 2013-08-30 2021-05-25 Hewlett-Packard Development Company, L.P. Supply authentication via timing challenge response
US11020976B2 (en) 2013-08-30 2021-06-01 Hewlett-Packard Development Company, L.P. Supply authentication via timing challenge response
US11027554B2 (en) 2013-08-30 2021-06-08 Hewlett-Packard Development Company, L.P. Supply authentication via timing challenge response
US11123994B2 (en) 2013-08-30 2021-09-21 Hewlett-Packard Development Company, L.P. Supply authentication via timing challenge response
US11691429B2 (en) 2013-08-30 2023-07-04 Hewlett-Packard Development Company L.P. Supply authentication via timing challenge response
JP2016535868A (en) * 2014-01-15 2016-11-17 エーペックス マイクロエレクトロニクス カンパニー リミティドApex Microelectronics Co., Ltd. Ink cartridge chip and ink cartridge using the chip
US10505378B2 (en) 2016-06-30 2019-12-10 Infineon Technologies Ag Ensuring backward compatibility in battery authentication applications
JP2018107805A (en) * 2017-12-25 2018-07-05 ヒューレット−パッカード デベロップメント カンパニー エル.ピー.Hewlett‐Packard Development Company, L.P. Supply authentication via timing challenge response
US11329835B2 (en) * 2019-08-01 2022-05-10 Electronics And Telecommunications Research Institute Apparatus and method for authenticating IoT device based on PUF using white-box cryptography

Similar Documents

Publication Publication Date Title
US10292049B2 (en) Enabling a software application to be executed on a mobile station
EP3522580B1 (en) Credential provisioning
US9602282B2 (en) Secure software and hardware association technique
US8677144B2 (en) Secure software and hardware association technique
JP7277270B2 (en) Personalization of Integrated Circuits Generated with Embedded Root of Trust Secrets
Busold et al. Smart keys for cyber-cars: Secure smartphone-based NFC-enabled car immobilizer
US20210012008A1 (en) Method of initializing device and method of updating firmware of device having enhanced security function
CN1708942A (en) Secure implementation and utilization of device-specific security data
US9042553B2 (en) Communicating device and communicating method
CN106953732B (en) Key management system and method for chip card
JP2018500823A (en) Device key protection
JP2009124520A (en) Data transmission method, and electronic apparatus
WO2011120974A1 (en) Exchanging authentication information between a cartridge and an electronic device
BE1024812B9 (en) A SECURITY APPROACH FOR THE STORAGE OF CREDENTIALS FOR OFFLINE USE AND AGAINST COPY PROTECTED CLEAN CONTENT IN DEVICES
Kostiainen et al. Towards user-friendly credential transfer on open credential platforms
CN110740036A (en) Anti-attack data confidentiality method based on cloud computing
KR20170041463A (en) Creation Method of Signature Key to use Security Token efficiently
Drimer et al. Protecting multiple cores in a single FPGA design
CN110858246B (en) Authentication method and system of security code space, and registration method thereof
EP3035589A1 (en) Security management system for authenticating a token by a service provider server
KR101188659B1 (en) Method for protecting the digital contents between player and cartridges
JP2011171936A (en) Device and method for processing information, and authentication system
KR101668366B1 (en) Method and Apparatus for Password Based User Authentication Using Portable Storage Medium
KR20220137557A (en) Authentication of a device by a cryptographic process
WO2014182154A1 (en) A method for protecting a programmable gate array design

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11713998

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11713998

Country of ref document: EP

Kind code of ref document: A1