CA2344429C - Device for supplying output data in reaction to input data, method for checking authenticity and method for encrypted data transmission - Google Patents


Info

Publication number: CA2344429C
Authority: CA (Canada)
Prior art keywords: electronic circuit, data, algorithm, operational data, output data
Legal status: Expired - Lifetime
Application number: CA002344429A
Other languages: French (fr)
Other versions: CA2344429A1 (en)
Inventors: Florian Oelmaier, Roland Brand, Andre Heuer, Heinz Gerhauser, Markus Prosch, Olaf Korte, Roland Plankenbuhler
Current Assignee: Fraunhofer Gesellschaft zur Forderung der Angewandten Forschung eV
Original Assignee: Fraunhofer Gesellschaft zur Forderung der Angewandten Forschung eV

Classifications

    • G07F7/1008 Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • G06Q20/341 Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • G06Q20/40975 Device specific authentication in transaction processing using mutual authentication between devices and transaction partners using encryption therefor
    • G07F7/082 Features insuring the integrity of the data on or in the card
    • H01L23/576 Protection from inspection, reverse engineering or tampering using active circuits
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0877 Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
    • H01L2924/0002 Not covered by any one of groups H01L24/00, H01L24/00 and H01L2224/00
    • H01L2924/12044 OLED
    • H04L2209/12 Details relating to cryptographic hardware or logic circuitry
    • H04L2209/26 Testing cryptographic entity, e.g. testing integrity of encryption key or encryption algorithm

Abstract

A device for supplying output data in reaction to input data, so as to determine the authenticity of the device in dependence upon the output data, comprises an electronic circuit for executing an algorithm, which generates the output data on the basis of said input data, and a unit for detecting operational data which are influenced by an operation of the electronic circuit. The operational data detection unit is coupled to the electronic circuit in such a way that the operational data of the electronic circuit are used by the algorithm for generating the output data. Safety of the device according to the present invention is enhanced in that a potential counterfeiter will have to simulate not only the functionality of the device but also hardware features of the device, such as power consumption or time response, in order to simulate an authentic card.

Description

DEVICE FOR SUPPLYING OUTPUT DATA IN REACTION TO INPUT DATA
AND METHOD FOR CHECKING AUTHENTICITY AND METHOD FOR
ENCRYPTED DATA TRANSMISSION
Field of the Invention
The present invention refers to authenticity checking in manipulation-proof systems and especially to a device for supplying output data in reaction to input data so as to determine the authenticity of the device in dependence upon the output data, and to methods which use such devices.
Background of the Invention and Prior Art
Nowadays integrated circuits are often used, which are applied to a chip card or incorporated in a chip card so as to check whether the owner of the integrated circuits is authorized to carry out a certain action, the authenticity of the integrated circuits being additionally checked so as to provide protection against counterfeited cards. Such integrated circuits are used in the form of smart cards, as defined in the ISO 7816 standard, or in the form of PC cards, as defined in the PCMCIA's PC CARD standard, edition 6.1. Other fields of application, in addition to the above-mentioned possibilities, exist wherever chip cards are used, e.g. in the form of telephone cards or cards permitting access to certain buildings, i.e. cards which serve as electronic keys.
The essential characteristic of the integrated circuits incorporated in such cards is that only the user who is in possession of such a card is actually granted access or is e.g. able to decrypt an encrypted television programme by means of his smart card. The authorization is granted e.g. on the basis of payment, thinking of telephone cards or smart cards in connection with pay TV, or by permitting a specific function, if electronic keys are used.
In order to guarantee that only authorized persons, i.e. persons who acquired e.g. a telephone card, will telephone, it is of decisive importance to identify counterfeited cards and, thinking e.g. of telephone cards, to forbid owners of counterfeited cards to telephone. Although a hundred percent protection against imitators does not exist, it is still possible to present counterfeiters of cards, who simulate the function of the card, with as many difficulties as possible.
Counterfeiters have exhibited great wealth of imagination in copying the functionality of a chip card and of an integrated circuit, respectively. One possibility is e.g. to abrade the chip of a chip card and to infer the functionality of the algorithm implemented on the card from the layout of the integrated circuit. The functionality of the card, i.e. the algorithm which generates on the basis of an input value in the card an output value that is evaluated by a card reader, can then be simulated by means of a computer. When a counterfeiter has ascertained the layout of e.g. a telephone card, he could insert a simulation card, which is connected to a computer, into the card reading slot of a card telephone and simulate the behaviour of the card during the authenticity check.
It goes without saying that there are also mechanical protection mechanisms against such attacks, these protection mechanisms preventing e.g. access from outside to the card when the card has been inserted into a read unit. However, as has been described in the technical publication "Tamper Resistance - A Cautionary Note; Proceedings - The Second USENIX Workshop on Electronic Commerce" by Markus Kuhn and Ross Anderson, there are a great number of counterfeiting methods which underline the unabating demand for better protection mechanisms for circuits and especially for integrated circuits on a chip card also in the future. Although conventional data encryption methods, which are based e.g. on the DES algorithm (DES: Data Encryption Standard) or which comprise check sum algorithms, provide a high degree of safety when the encryption key, which together with the cryptoalgorithm permits decryption, is kept secret, it is, in principle, also here possible to imitate such an algorithm, which is integrated in a chip card in the form of an integrated circuit in terms of hardware, on the basis of the hardware implementation, i.e. to simulate the functionality of this algorithm e.g. by means of a computer.
Summary of the Invention
It is the object of the present invention to provide a concept for improved protection of electronic circuits and to provide thus a counterfeit-proof check of the authenticity of such electronic circuits and a counterfeit-proof authorization of an owner of such electronic circuits.

In accordance with a first aspect of the present invention this object is achieved by a device for supplying output data in reaction to input data, said device comprising: an electronic circuit for executing an algorithm that generates the output data on the basis of the input data; and a unit for detecting operational data of the electronic circuit which are influenced by an operation of the electronic circuit when said electronic circuit executes the algorithm, the operational data depending on the input data, said operational data detection unit being coupled to the electronic circuit in such a way that the operational data of the electronic circuit are used by the algorithm, which is executed by said electronic circuit, for generating the output data.
In accordance with a second aspect of the present invention this object is achieved by a method for checking the authenticity of a device to be tested in comparison with an examination device, the device to be tested and the examination device each comprising an electronic circuit for executing an algorithm, which generates output data on the basis of input data, and a unit for detecting operational data which are influenced by an operation of the electronic circuit and which depend on the input data, the operational data detection unit of the device to be tested as well as of the examination device being coupled to the electronic circuit in such a way that the operational data of the electronic circuit are used by the algorithm for producing the output data, said method comprising the following steps: selecting input data; feeding said input data into the device to be tested; in the device to be tested, executing the algorithm by the electronic circuit of the device to be tested, so as to generate the output data on the basis of the input data, detecting operational data of the electronic circuit, which are influenced by an operation of said electronic circuit when said electronic circuit executes the algorithm, said operational data depending on the input data, and said detected operational data of the electronic circuit being used by the algorithm, which is executed by said electronic circuit, so as to generate the output data; feeding the input data into the examination device; in the examination device executing the algorithm by the electronic circuit of the examination device so as to generate the output data on the basis of the input data, detecting operational data of the electronic circuit, which are influenced by an operation of the electronic circuit when said electronic circuit executes the algorithm, said operational data depending on the input data, and said detected operational data of the electronic circuit being used by the algorithm, which is executed by said electronic circuit, so as to generate the output data; comparing the output data of the device to be tested with the output data of the examination device; and affirming the authenticity of the device to be tested in comparison with the examination device if the output data correspond to one another, in such a way that authenticity will only be affirmed if the operational data of the device to be tested and of the examination device correspond to one another.
In accordance with a third aspect of the present invention this object is achieved by a method for encrypted transmission of information from a first to a second location, the second location being remote from the first location, comprising: producing a random word; feeding the random word into a first device, the first device comprising an electronic circuit for executing an algorithm that generates the output data on the basis of the input data; and a unit for detecting operational data of the electronic circuit which are influenced by an operation of the electronic circuit when said electronic circuit executes the algorithm, the operational data depending on the input data, said operational data detection unit being coupled to the electronic circuit in such a way that the operational data of the electronic circuit are used by the algorithm, which is executed by said electronic circuit, for generating the output data, the first device being arranged at a first location; generating the output data of the first device, which depend on the operational data of said first device, by executing an algorithm by the electronic circuit of said first device so as to generate the output data on the basis of the input data, operational data of the electronic circuit being detected, which are influenced by an operation of the electronic circuit when said electronic circuit executes the algorithm, said operational data depending on the input data, and said detected operational data of the electronic circuit being used by the algorithm, which is executed by the electronic circuit, so as to generate the output data; encrypting the information with the generated output data as a key; transmitting the encrypted information and the random word from said first location to said second location; feeding the random word into a second device, the second device comprising an electronic circuit for executing an algorithm that generates the output data on the basis of the input data; and a unit for detecting operational data of the electronic circuit which are influenced by an operation of the electronic circuit when said electronic circuit executes the algorithm, the operational data depending on the input data, said operational data detection unit being coupled to the electronic circuit in such a way that the operational data of the electronic circuit are used by the algorithm, which is executed by said electronic circuit, for generating the output data, the second device being positioned at the second location; generating the output data of the second device, which depend on the operational data of said second device, by executing the algorithm by the electronic circuit of said second device, so as to generate the output data on the basis of the input data, operational data of the electronic circuit being detected, which are influenced by an operation of the electronic circuit when said electronic circuit executes the algorithm, said operational data depending on the input data, and said detected operational data of the electronic circuit being used by the algorithm, which is executed by the electronic circuit, so as to generate the output data; decrypting the encrypted information making use of the output data of the second device as a key, the decrypted information corresponding to the original information prior to encrypting if the operational data of the first device at the first location correspond to the operational data of the second device at the second location.
The present invention is based on the finding that it is comparatively simple to imitate the functionality of a chip, but that it is much more difficult to imitate its time or power behaviour.
A device for supplying output data in reaction to input data so as to determine the authenticity of the device in dependence upon said output data comprises therefore, on the one hand, an electronic circuit for executing an algorithm that generates the output data on the basis of the input data, and, on the other hand, a unit for detecting operational data which are influenced by an operation of the electronic circuit, the data detection unit being coupled to the electronic circuit in such a way that the operational data of the electronic circuit are used by the algorithm for generating the output data.
According to a preferred embodiment of the present invention, the electronic circuit implements a cryptographic algorithm which calls the operational data detection unit so as to carry out time and/or power measurements which, in addition to the input data, are used by the electronic circuit so as to generate the output data. Hence, the output data represent a combination of the functionality of the cryptographic algorithm and of the operational data of the circuit used for executing the cryptographic algorithm. An attack on the device according to the present invention must therefore simulate not only the cryptographic algorithm but also the power consumption and/or the time behaviour of the electronic circuit during the execution of the cryptographic algorithm.
A large number of cryptographic algorithms is shown in the following technical book:
Schneier, Bruce: Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition, John Wiley & Sons, 1995, 784 p.

Operational data of the integrated circuit which are used for generating the output data are preferably the power consumption and the run time of the algorithm in the electronic circuit.
Such operational or "environmental" data may, however, be all the data which are influenced by an operation of the electronic circuit, such as an electromagnetic radiation emitted by the electronic circuit and the like. Limits to the use of operational data are the possibilities of measuring these operational data in a practical implementation, thinking e.g. of electromagnetic radiation. Hence, the data which are preferably used as operational data because they are easy to measure are power data and data concerning the time behaviour of the electronic circuit.
In principle, it will not be necessary that the algorithm is a cryptographic algorithm. It might be any algorithm which has different operational data in dependence upon different input data. However, the protection against counterfeiting will be the better the "more chaotic" the dependence of the operational data on different input data is.
In order to improve protection, the algorithm used is preferably a cryptoalgorithm which provides protection against counterfeits per se, this protection being enhanced by the fact that, according to the present invention, the operational data of the electronic circuit executing this cryptographic algorithm are taken into account. Normally, algorithms are, however, designed such that they have a comparatively constant run time behaviour independently of the input values. In order to improve the safety still further, the algorithm executed by the electronic circuit will preferably comprise two sub-algorithms, i.e. one cryptographic algorithm and one test algorithm which is programmed exclusively in such a way that its operating behaviour will be as "chaotic" as possible in dependence upon different input data.
In the calculation of the output data, which are used for checking the authenticity of the device, the results of the test algorithm are, however, not taken into account, but the data taken into account are only the operational data of the electronic circuit which executes the test algorithm and the output data of the cryptoalgorithm; hence, a counterfeiter will find it even more difficult to attack the test algorithm, since, in the most advantageous case, he will only find out the input data into the test algorithm but no output data.
The safety will be enhanced still further in particular by the use of a multi-step cryptoalgorithm and by the additional use of a multi-step test algorithm; for one step of the cryptoalgorithm also the operational data of the test algorithm, which have been generated by the execution of the preceding step of the test algorithm, are used in addition to the intermediate result of the preceding step of the cryptoalgorithm. This "interleaving" of a multi-step cryptoalgorithm with a multi-step test algorithm provides a high degree of safety against counterfeits.
In contrast to former attempts to counterfeit, which tried to identify the structure of a chip making use of different methods and which then used these data so as to analyze the functionality of a chip and integrate it into another chip, or simulate it by a computer, counterfeiters who attack the device according to the present invention must redesign the chip completely and perhaps they must even expressly direct the production method thereto. This is necessary because it is not only the functionality of the chip that has to be simulated but also the operating behaviour of the electronic circuit, i.e. the hardware. In contrast to the prior art, where attempts were made to achieve safety by means of increasingly elaborate functionalities, the present invention aims at incorporating hardware aspects into the safety in such a way that a counterfeiter may even have to use exactly the same process for producing integrated circuits so as to simulate identical power and run time data for simulating, i.e. counterfeiting, an authentic device.
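The authenticity check of the second aspect, the key derivation of the third aspect and the interleaving of cryptoalgorithm and test algorithm can be modelled in software as follows. This is an added example, not part of the patent text: `HardwareProfile` (per-operation cycle costs) stands in for the measured time behaviour of the circuit, HMAC-SHA256 for the cryptoalgorithm and a hash-based XOR keystream for the cipher; all names and values are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class HardwareProfile:
    """Constructed stand-in for a circuit's time behaviour (cycles per primitive)."""
    cycles_shift: int
    cycles_mul_add: int
    cycles_branch: int


GENUINE_HW = HardwareProfile(1, 3, 2)  # constructed values
CLONE_HW = HardwareProfile(2, 4, 2)    # same logic, different timing (constructed)


def timing_probe_step(state: int, hw: HardwareProfile) -> Tuple[int, int]:
    """One step of the "chaotic" test algorithm: returns (next_state, elapsed_cycles).

    Control flow depends on the data, so the cycle count depends on the input
    and on the hardware profile that executes it.
    """
    x = state & 0xFFFFFFFF
    cycles = 0
    for _ in range(16 + (x & 0x0F)):       # data-dependent iteration count
        if x & 1:
            x = (3 * x + 1) & 0xFFFFFFFF
            cycles += hw.cycles_mul_add
        else:
            x >>= 1
            cycles += hw.cycles_shift
        cycles += hw.cycles_branch
    return x, cycles


class Device:
    """Model of the device: algorithm plus operational data detection unit."""

    def __init__(self, key: bytes, hw: HardwareProfile, steps: int = 4):
        self._key, self._hw, self._steps = key, hw, steps

    def respond(self, input_data: bytes) -> bytes:
        intermediate = input_data
        probe = int.from_bytes(hashlib.sha256(input_data).digest()[:4], "big")
        for _ in range(self._steps):
            # Test algorithm step: its result stays internal, only the
            # measured cycles feed the next cryptoalgorithm step.
            probe, cycles = timing_probe_step(probe, self._hw)
            intermediate = hmac.new(
                self._key, intermediate + cycles.to_bytes(4, "big"), hashlib.sha256
            ).digest()
        return intermediate


def check_authenticity(tested: Device, examination: Device,
                       input_data: Optional[bytes] = None) -> bool:
    """Feed the same input data to both devices and compare the output data."""
    if input_data is None:
        input_data = secrets.token_bytes(16)
    return hmac.compare_digest(tested.respond(input_data),
                               examination.respond(input_data))


def _xor_keystream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (assumption of this example): SHA-256 in counter mode."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def encrypt_at_first_location(first: Device, info: bytes) -> Tuple[bytes, bytes]:
    """Produce a random word, derive the key from the device, encrypt."""
    random_word = secrets.token_bytes(16)
    return random_word, _xor_keystream(first.respond(random_word), info)


def decrypt_at_second_location(second: Device, random_word: bytes,
                               encrypted: bytes) -> bytes:
    """Derive the key from the second device and the transmitted random word."""
    return _xor_keystream(second.respond(random_word), encrypted)
```

A device built with `CLONE_HW` holds the same key and runs the same algorithm, yet fails `check_authenticity` against an examination device built with `GENUINE_HW` and cannot decrypt, because its cycle counts differ at every step.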
Brief Description of the Drawings
In the following, preferred embodiments of the present invention will be explained in more detail making reference to the drawings enclosed, in which:
Fig. 1 shows a schematic representation of a device according to the present invention;
Fig. 2 shows a preferred embodiment according to the present invention;
Fig. 3 shows how a cryptoalgorithm and a test algorithm co-operate according to a preferred embodiment of the present invention;
Fig. 4 shows a flow chart for a method for checking the authenticity making use of two devices according to the present invention; and
Fig. 5 shows a flow chart of a method for encrypted transmission of information from a first location to a second location making use of two devices according to the present invention.
Detailed Description of Preferred Embodiments
Fig. 1 shows as a schematic circuit diagram a device 10 according to the present invention for supplying output data 12 in reaction to input data 14 so as to determine the authenticity of the device 10 in dependence upon the output data 12. The device 10 comprises an electronic circuit 16 for executing an algorithm that generates the output data 12 on the basis of the input data 14, and a unit 18 for detecting operational data that are influenced by an operation of the electronic circuit 16, the operational data detection unit 18 being coupled to the electronic circuit 16 in such a way that the operational data of the electronic circuit 16 are used by the algorithm in order to generate the output data 12.
The operational data detection unit 18 detects preferably an elapsed calculation time or the power consumption of the electronic circuit 16 for executing an algorithm. In contrast to the functionality executed by the algorithm, which is implemented by the electronic circuit 16, the operational data are also referred to as environmental data. Such environmental data may be all data which are suitable for describing the operation of a chip, i.e. of an electronic circuit, e.g. the electromagnetic radiation emitted by the electronic circuit 16. A limit only exists with respect to the technical possibilities of integrating measurement means in the device 10.
The device 10 is preferably produced in an integrated form and implemented as smart card, PC card, telephone card, electronic key and the like. The measurement of the operational data by the unit 18 is then carried out on the card itself. Hence, time data and power data are preferred as operational data, since they can be measured easily.
The measurement of the instantaneous power consumption can be realized by a comparatively simple electronic network comprising a resistor, a capacitor and an analog-digital converter. This circuit arrangement should be as precise as possible. Due to variations of the input power and of the properties of the materials used, the accuracy is, however, a limited one, since repeated executions with the same input values must produce precisely the same results independently of the environmental conditions.
Fig. 2 shows a slightly more detailed view of the device 10 according to the present invention in accordance with a preferred embodiment of the present invention. The electronic circuit 16 for executing an algorithm is subdivided into two sub-circuits 16a and 16b, sub-circuit 16a being capable of executing a cryptoalgorithm, whereas sub-circuit 16b is capable of executing a test algorithm.
The operational data detection unit 18 is also bipartite and comprises time measuring means 18a and, in addition, power measuring means 18b.
The time measurement by means of the operational data detection unit 18 should be carried out by means of an internal clock chip, since a supplied clock might vary excessively. Time control should be as precise as possible, since repeated executions must produce the same results. Time measurements can be carried out on the basis of the clock of the chip; this will, however, necessitate safety-relevant compromises, since it is then not the actual speed of the electronic circuit 16 that is relevant, but only the clock cycles per command are decisive.
Due to the fact that operational data of the device 16 are used, the algorithm executed by the device 16 is made hardware dependent. Simultaneously, these measurement values must, however, be reproducible in a reliable manner in such a way that, when the authenticity is checked, incorrect results caused by parameter variations will be avoided. On the other hand, the demands on the operational data, i.e. the manufacturing tolerances for producing a device to be tested and a testing device, should be chosen as narrow as possible so as to achieve a high degree of safety.
With respect to time measurement the means 18a is preferably arranged so as to measure absolute times with the aid of an independent clock chip integrated in the means 18a. A higher degree of safety is achieved in this way, but also a dependence on external clock generators whereby the portability from one equipment to the next will deteriorate.

In the case of the power measurement means 18b the hardware dependence entails certain problems. Digitizing errors of the analog-digital converter, which is contained in the power measurement means 18b, may render the results unpredictable. This problem can either be solved by using very high sampling rates and by rounding generously or it can be solved by implementing complicated noise-reduction algorithms in the power measurement means 18b. Another possibility of trying to solve this problem is the use of pattern recognition algorithms which provide certain classification numbers on the basis of the recorded signals, i.e. time or power consumption values, which can be used by this pattern recognition algorithm.
In this case the device 10 is hardware-dependent insofar as the data used are not absolute operational data but specific "characteristics", i.e. the power consumption as a function of time, or certain calculation times of individual algorithm steps, which are used so as to achieve the additional safety aspect of hardware dependence.
With respect to the architecture of the combination of the algorithm executed by the electronic circuit 16 and with respect to the operational data two possibilities are mentioned, only by way of example. One possibility is referred to as test point architecture. An external control coupled to the device 16 e.g. via an auxiliary input interrupts the execution of the algorithm by the electronic circuit 16 e.g. after a certain number of clock cycles or seconds. Subsequently, a "snapshot" of the execution state of the electronic circuit 16 is taken. This snapshot comprises e.g. data with respect to the progress of the algorithm, register states, the power that has been consumed since the last test point or the time that has been consumed since the last test point. This architecture does not necessitate a division of the algorithm into parts. If, however, clock cycles are not used for measuring the time, this possibility is difficult to implement in reality, since a slower execution of the algorithm in view of external conditions may change a snapshot completely. In addition, a snapshot cannot be rounded, as has already been mentioned. In most cases, the amount of data collected is, moreover, too large; hence data have to be combined. A combinatorial algorithm depends on the data recorded during the snapshot and may range from a simple XOR operation to complex check sum algorithms, such as "Message-Digest algorithms".
The second possibility, which is referred to as "demand architecture", is therefore preferred. This possibility is schematically shown in Fig. 3. Fig. 3 shows the interleaving of a cryptoalgorithm 16a with a test algorithm 16b. The cryptoalgorithm 16a, which may e.g. be a DES algorithm that is subdivided into n steps, receives in step 1 the input data 14. In addition, also a test algorithm 16b, which will be discussed in detail hereinbelow, is composed of n steps and also this test algorithm receives the input data 14 in its step 1.
When the cryptoalgorithm 16a has calculated the first step, it provides a certain intermediate result. The first step of the test algorithm 16b does not provide the results of the test algorithm, which are not of interest, but it supplies the operational data thereof as input signal to the second step of the cryptoalgorithm 16a, as shown by an arrow 20.
This process is repeated for each of the n steps in such a way that each step of the cryptoalgorithm 16a receives as an input signal the intermediate result of the last step of the cryptoalgorithm as well as the operational data of the test algorithm of the last step. This architecture is called demand architecture, since either the cryptoalgorithm itself or a control demands from the test algorithm the execution of measurements of operational data and the subsequent transmission of the operational data to the cryptoalgorithm.
Although it has been said up to now that, if the cryptoalgorithm as well as the test algorithm are executed by the electronic circuit 16, the results of the test algorithm will not be taken into account and that only the operational data of the electronic circuit, which executes the test algorithm, will in this case be taken into account in the production of the output data 12, it is, of course, also possible to include the result data of the test algorithm in the cryptoalgorithm. Due to the fact that the result data of the test algorithm are, however, rejected in the device itself and do not appear externally at all, a counterfeiter will find it much more difficult to draw conclusions with respect to the test algorithm for simulating the operational behaviour of this test algorithm so as to obtain the operational data, since in the most favourable case for him he will only know the input data 14 inputted in this test algorithm and the operational data, but not the output data. Hence, it will be almost impossible for him to simulate the functionality of the test algorithm so as to be able to draw conclusions with respect to the operational data.
In principle, it would also be possible to simulate the operational data with some other algorithm having similar operational conditions. If, however, a test algorithm of sufficient complexity is used, e.g. an algorithm for calculating fractals, it is indeed almost impossible to simulate the operational behaviour of the test algorithm without knowing the result data.
Even if the functionality of the test algorithm should be obtained, with very great effort, from the layout of the integrated circuit executing this test algorithm, the safety aspect of the present invention is to be seen in that the functionality as such is of no use at all, but that in addition to the functionality also the operational behaviour of the electronic circuit 16 would have to be simulated. Furthermore, a counterfeiter will a priori not know whether or not the operational data of the test algorithm are fed into the cryptoalgorithm, nor will he know which combinations or correlations thereof exist. It goes without saying that it would be possible to take the result data of the test algorithm into account only in the case of a few steps and to include, in the case of the other steps, only the operational data into the execution of the cryptoalgorithm.
It follows that, for the present invention, it is not absolutely necessary to measure the operational behaviour of the cryptographic algorithm or cryptoalgorithm. As can be seen from Fig. 3 and has already been described to a sufficient extent, a test algorithm can be executed by the electronic circuit 16, this test algorithm being preferably a complex and difficult algorithm whose behaviour is hard to predict or "pseudo-chaotic". When, in the simplest case, input signals of different lengths produce different operational data and when the algorithm as such is kept secret, a good protection has already been achieved, since a counterfeiter who wants to simulate the functionality of the algorithm will not be able to produce an authentic card, since the output data are not the result data of the test algorithm, but, in the simplest case, the operational data. In order to improve the version employing the test algorithm alone, it will, of course, be possible to use not only the operational data alone for the production of the output data, but the result data may also be combined with the operational data in some way or other. The best protection will, however, be achieved, when the test algorithm is combined with the cryptoalgorithm, e.g. in the manner shown in Fig. 3.
The test algorithm should use special features of the electronic circuit 16, whereby attacks will be made even more difficult. Furthermore, this algorithm should not exhibit a simple run time behaviour, which might be of such a nature that higher-order input signals result in slower calculations. Such a behaviour would again have the effect that the operational behaviour of the electronic circuit 16, which executes the algorithm, would be made predictable in a way. Hence, the input signal can be randomized e.g. by means of a series of XOR operations or it can be sent through a function with "pseudo-chaotic" behaviour in such a way that, although there is a defined relationship between the output signal of the function and the input signal, this relationship is extremely complicated and a functional relationship cannot be seen merely by viewing. In this case, the test algorithm itself comprises two parts, viz. a first part which renders the input signal random or at least highly unpredictable and a second part which is the actual test algorithm so as to be able to determine the timing or the power consumption of the integrated circuit 16.
Fig. 4 shows a flow chart for a method of checking the authenticity of a device; this kind of method could be executed e.g. by an electronic door lock, so that only the owner of an authentic "key card" is allowed to pass the door. Such an electronic door lock normally comprises a microcontrol and a card-read/write unit into which a card provided with the device according to the present invention can be inserted as well as a fixedly installed card-read/write unit in which a reference card, which is provided with the device according to the present invention as well, is fixedly installed and arranged such that it is not accessible from outside. The reference or examination device corresponds to the device to be tested insofar as these devices both originate e.g. from the same product batch so that their hardware will be identical so as to exhibit the greatest possible similarity in their operational behaviour.
When the owner of a card wants to pass through a door which is provided with an electronic key system of this type, he will insert his card, which has attached thereto the device according to the present invention, in the card reader.
The method of checking the authenticity of the inserted device, i.e. of the device to be tested, is shown in Fig. 4. The microcontrol first selects arbitrary random input data (block 40). In a next step, these input data are fed into the device to be tested as well as into the examination device (block 42). The device to be checked by the user with respect to its authenticity, i.e. the device to be tested, as well as the examination device, which is preferably fixedly installed in the door lock, now execute parallel to one another the same steps and produce output data, the output data of the examination device depending on the operational data of the electronic circuit 16 of the examination device and the output data of the device to be tested depending on the operational data of the electronic circuit 16 of the device to be tested.
The output data of the two devices are compared in a block 44. If these output data correspond, the authenticity of the device to be tested will be affirmed (block 46). If the output data do not correspond, the authenticity of the device to be tested will be denied (block 48) and the door lock will not be opened. In this case, both the device to be tested and the examination device are "operated" by one and the same microcontrol. This means that e.g. an external clock for measuring the time behaviour, which is coupled with the operational data detection unit 18, will be identical for both devices. In this case, the operational data can be detected with extremely high accuracy, since clock fluctuations or the like will affect the two devices alike and will therefore not lead to a divergence between the two devices.
This method which consists in that a device has supplied thereto an input signal in such a way that it produces an output signal, the output signal being judged in dependence upon the input signal, is also referred to as "challenge-response" algorithm.
Preferably, some random input signal is supplied to the device which then calculates a result by means of the electronic circuit 16 and outputs the collected operational data, i.e. processes them in the output data. The verification takes place on the basis of a comparison with a reference or examination device. For an attacker it would, in principle, be possible to listen in to the data communication between the device to be tested and the microcontrol within the card reader, which has to be accessible from outside per definition. Since, in the case of the preferred embodiment of the present invention shown in Fig. 3, the operational data are, however, only processed within the device according to the present invention and are not transmitted to the outside world and since, in addition, also the result data of the test algorithm remain within the device and are not transmitted to the outside world and are not even taken into account at all, listening in to the data communication will not be a great help to a person attacking the device according to the present invention. Hence, the device according to the present invention comprises three secrecy aspects, viz. firstly a conventional secret password for the cryptoalgorithm, secondly the secret test algorithm and finally the concrete hardware design of the electronic circuit 16.
The concept of feeding operational data into respective subsequent steps of a cryptoalgorithm, which is the DES algorithm in the preferred embodiment, leads to the preferred use of one-way street functions for safety reasons. This means that on the basis of certain input data only output data can be calculated, but that functionally calculating back from these output data to the input data is impossible, since the use of the operational data determines a chronological sequence of calculation. When the authenticity of a device to be tested is checked in the way shown in Fig. 4, an inversion of the functionality is not even necessary, since both the device to be tested and the examination device execute a one-way-street function in parallel and need not use an inverted calculation sequence under any circumstances.
Safety can be increased still further, when special processors are used for the electronic circuit 16, which are optimized for specific operations in such a way that a standard chip or a computer will not be able to simulate the time response of certain processors.
A further improvement is to be seen in the circumstance that the test algorithm, whose results are not used in the preferred embodiment shown in Fig. 3 and which is only provided for generating the operational data, can be exchanged every now and then. Such an exchange of the test algorithm can be carried out in a flexible manner; attention should only be paid to the fact that the device to be tested and the examination device have the same test algorithm so as to have identical operational data in the case of an authentic card.
The present invention can be applied to almost any cryptographic algorithm, i.e. cryptoalgorithm. An additional advantage of the present invention is to be seen in the fact that the present invention can be integrated in existing safety systems.
Fig. 5 shows a further possibility of using the device according to the present invention taking as an example the encrypted transmission of information from one location to another location, this kind of transmission taking place e.g. in the case of "pay TV".
The information to be encrypted must first be encrypted in a transmitter. For this purpose, the transmitter includes a smart card which is provided with a device according to the present invention.
The transmitter first selects random input data as password character chain (block 50). In a block 52, the input data 14 are fed into the transmitter smart card which generates output data 12 in a step 54. The information to be encrypted is now encrypted making use of the output data 12, which have been generated by the transmitter smart card, as a key (block 56). The encrypted information together with the output data selected in block 50 are now transmitted from one location to the other location, i.e. from the transmitter to the receiver, (block 58).
Reference should be made to the fact that, on the one hand, the information is now encrypted and can therefore only be decrypted by a person who acquired a suitable authorization, e.g. in the form of a receiver smart card. On the other hand, the key for encrypting the information is not explicitly transmitted, but what is transmitted are only the input data in the transmitter smart card. A user who does not possess an authorized receiver smart card having the same operational data as the transmitter smart card will not be able to generate on the basis of the input data 14 the correct output data 12 which are required for decrypting the encrypted information.
The first operation to be executed in the receiver is to extract the input data from the transmission, which comprises the encrypted information as well as the input data (block 60). The input data extracted in block 60 are now fed into the receiver smart card (block 62), which, provided that it is an authentic receiver smart card, will have the same operating behaviour as the transmitter smart card and will therefore produce the same output data from the input data (block 64). Finally, the encrypted information is decrypted in a block 66 making use of the output data of the receiver smart card.
If the receiver smart card is a counterfeited card, which does not have the same operating behaviour as the transmitter smart card, this will not be recognized immediately in the case of the method shown in Fig. 5, since, unlike Fig. 4, an authenticity check is not carried out. The output data, which are required as a key for decrypting, will, however, not correspond to the output data which have been used in block 54 for encrypting, and, consequently, correct decrypting of the encrypted information will not be possible. This means that, in the most simple case, a counterfeited smart card will not be objected to in the receiver immediately, but that, although it will provide output data 12 on the basis of operational data that differ from those of the transmitter smart card, a correct decryption will, however, not be possible on the basis of the output data provided; hence, a counterfeited card will be of no use to the counterfeiter.
It follows that the present invention comprises an electronic circuit, which is preferably integrated, and a means for supervising the operation of the electronic circuit by measuring data, the operation of the electronic circuit including the execution of an algorithm which provides output data as the result of a preferably complex calculation. These output data are, however, influenced by the measured operational data. Preferably, the measured data comprise time or power consumption data. The device according to the present invention can arbitrarily be accommodated on cards, e.g. smart cards or PC cards, electronic keys and the like.
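The demand architecture of Fig. 3 and its two uses in Figs. 4 and 5, as a simulation added here (it is not code from the patent). Assumptions: HMAC-SHA256 stands in for the DES steps, a Collatz iteration with a constructed cycles-per-operation table stands in for the test algorithm and its measured timing, a toy XOR stream stands in for the cipher, and all names, the key and n = 16 are illustrative.

```python
import hashlib
import hmac
import os

N_STEPS = 16  # number of interleaved steps n (assumed value)


class Device:
    """Simulated card: a secret key plus a timing profile standing in for the silicon."""

    def __init__(self, key, cycle_cost):
        self.key = key
        self.cycle_cost = cycle_cost  # constructed cycles-per-operation table

    def _test_step(self, t_state):
        """One test-algorithm step: returns (next internal state, operational data)."""
        # Part 1: randomise the input so run time is not a simple function of it.
        x = int.from_bytes(hashlib.sha256(b"test" + t_state).digest()[:4], "big") | 1
        cycles = 0
        # Part 2: data-dependent iteration (Collatz map) whose path is hard to predict.
        for _ in range(64):
            if x == 1:
                break
            if x & 1:
                x = 3 * x + 1
                cycles += self.cycle_cost["mul"] + self.cycle_cost["add"]
            else:
                x >>= 1
                cycles += self.cycle_cost["shift"]
        next_state = hashlib.sha256(t_state + str(x).encode()).digest()
        return next_state, cycles

    def _crypto_step(self, data):
        # Stand-in for one step of the cryptoalgorithm (the page names DES).
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def respond(self, input_data):
        """Demand architecture: step i+1 gets step i's result plus test step i's timing."""
        state = self._crypto_step(input_data)   # crypto step 1 receives the input data
        t_state = input_data                    # test step 1 receives the same input
        for _ in range(N_STEPS - 1):
            t_state, op_data = self._test_step(t_state)  # result never leaves the device
            state = self._crypto_step(state + op_data.to_bytes(4, "big"))
        return state


def check_authenticity(dut, examination, input_data=None):
    """Fig. 4: same random input to both devices, affirm only if the outputs match."""
    if input_data is None:
        input_data = os.urandom(8)
    return hmac.compare_digest(dut.respond(input_data), examination.respond(input_data))


def _xor_stream(key, data):
    # Toy stream cipher for this demonstration only.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def transmit(card, information):
    """Fig. 5 sender: only the random input data travel with the ciphertext."""
    input_data = os.urandom(8)
    return input_data, _xor_stream(card.respond(input_data), information)


def receive(card, input_data, ciphertext):
    """Fig. 5 receiver: regenerate the key from the input data on its own card."""
    return _xor_stream(card.respond(input_data), ciphertext)


KEY = b"constructed-demo-key"
BATCH = {"mul": 3, "add": 1, "shift": 1}   # constructed profile of the genuine batch
OTHER = {"mul": 4, "add": 1, "shift": 1}   # same logic and key, different silicon
genuine, examination, clone = Device(KEY, BATCH), Device(KEY, BATCH), Device(KEY, OTHER)

if __name__ == "__main__":
    print("genuine accepted:", check_authenticity(genuine, examination))
    print("clone accepted:  ", check_authenticity(clone, examination))
```

The clone shares the key and both algorithms with the genuine card and differs only in one per-operation cost, which is enough to change every later step's input and therefore the output data.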

Claims (18)

1. A device for supplying output data in reaction to input data, said device comprising:
an electronic circuit for executing an algorithm that generates the output data on the basis of the input data; and a unit for detecting operational data of the electronic circuit which are influenced by an operation of the electronic circuit when said electronic circuit executes the algorithm, the operational data depending on the input data, said operational data detection unit being coupled to the electronic circuit in such a way that the operational data of the electronic circuit are used by the algorithm, which is executed by said electronic circuit, for generating the output data, whereby an authenticity of the device is determinable by comparing the output data and output data produced by an examination device when the examination device receives similar input data and performs a similar algorithm.
2. A device according to claim 1, wherein the operational data are selected from a group comprising time data and power data.
3. A device according to claim 1 or 2, wherein the electronic circuit and the detection unit are integrated as a unit.
4. A device according to any one of claims 1 to 3, wherein the device is contained in a smart card or in a PC card.
5. A device according to any one of claims 1 to 4, wherein the electronic circuit is arranged so as to execute a cryptoalgorithm.
6. A device according to claim 5, wherein the cryptoalgorithm is a multi-step algorithm, the operational data of one algorithm step being used as input data for the subsequent algorithm step.
7. A device according to any one of claims 1 to 4, wherein the electronic circuit is arranged so as to execute a check sum algorithm.
8. A device according to any one of claims 1 to 7, wherein the electronic circuit is arranged so as to stop the operation after a predetermined execution time during execution of the algorithm and wherein the detection unit is arranged so as to feed operational data into the algorithm at said predetermined execution time.
9. A device according to any one of claims 1 to 8, wherein the algorithm is of such a nature that it will first randomize the input data, whereby the dependence of the operational data on the input data will be pseudo-random.
10. A device according to claim 9, wherein the output data generated by the algorithm are only the operational data.
11. A device according to any one of claims 1 to 10, wherein the electronic circuit comprises two sub-circuits which each execute a sub-algorithm, the first sub-algorithm being a test algorithm whose operational data are detected by the detection unit, and the second sub-algorithm being a cryptoalgorithm or a check sum algorithm, the operational data of the test algorithm being processed in the cryptoalgorithm.
12. A device according to claim 11, wherein the second sub-circuit is arranged so as to execute a DES algorithm which comprises n steps, and wherein the first sub-circuit is arranged so as to execute a test algorithm which also comprises n steps, the input data being adapted to be fed into the first step of the DES algorithm as well as into the first step of the test algorithm, and data which are adapted to be fed into a further step of the DES algorithm being result data of the first step of the DES algorithm and operational data of the first step of the test algorithm, whereas a result of one step of the test algorithm is rejected.
13. A device according to any one of claims 1 to 12, wherein the operational data detection unit comprises a time measuring means and a power measuring means for measuring the time which the electronic circuit needs for executing a specific task and for measuring the power consumed when said specific task is being executed.
14. A device according to claim 13, wherein the power measuring means comprises a resistor, a capacitor and an analog-digital converter for measuring the power consumed.
15. A device according to claim 13 or 14, wherein the time measuring means comprises an internal clock generator.
16. A device according to any one of claims 1 to 15, wherein the operational data detection unit comprises a pattern recognition algorithm so as to produce the operational data from power or time parameters of the electronic circuit.
17. A method for checking the authenticity of a device to be tested in comparison with an examination device, the device to be tested and the examination device each comprising an electronic circuit for executing an algorithm, which generates output data on the basis of input data, and a unit for detecting operational data which are influenced by an operation of the electronic circuit and which depend on the input data, the operational data detection unit of the device to be tested as well as of the examination device being coupled to the electronic circuit in such a way that the operational data of the electronic circuit are used by the algorithm for producing the output data, said method comprising the following steps:

selecting input data;
feeding said input data into the device to be tested;
in the device to be tested:
executing the algorithm by the electronic circuit of the device to be tested, so as to generate the output data on the basis of the input data, detecting operational data of the electronic circuit, which are influenced by an operation of said electronic circuit when said electronic circuit executes the algorithm, said operational data depending on the input data, and said detected operational data of the electronic circuit being used by the algorithm, which is executed by said electronic circuit, so as to generate the output data;
feeding the input data into the examination device;
in the examination device:
executing the algorithm by the electronic circuit of the examination device so as to generate the output data on the basis of the input data, detecting operational data of the electronic circuit, which are influenced by an operation of the electronic circuit when said electronic circuit executes the algorithm, said operational data depending on the input data, and said detected operational data of the electronic circuit being used by the algorithm, which is executed by said electronic circuit, so as to generate the output data;
comparing the output data of the device to be tested with the output data of the examination device; and affirming the authenticity of the device to be tested in comparison with the examination device if the output data correspond to one another, in such a way that authenticity will only be affirmed if the operational data of the device to be tested and of the examination device correspond to one another.
18. A method for encrypted transmission of information from a first to a second location, the second location being remote from the first location, comprising:
producing a random word;
feeding the random word into a first device, the first device comprising an electronic circuit for executing an algorithm that generates the output data on the basis of the input data; and a unit for detecting operational data of the electronic circuit which are influenced by an operation of the electronic circuit when said electronic circuit executes the algorithm, the operational data depending on the input data, said operational data detection unit being coupled to the electronic circuit in such a way that the operational data of the electronic circuit are used by the algorithm, which is executed by said electronic circuit, for generating the output data, the first device being arranged at first location;
generating the output data of the first device, which depend on the operational data of said first device, by executing an algorithm by the electronic circuit of said first device so as to generate the output data on the basis of the input data, operational data of the electronic circuit being detected, which are influenced by an operation of the electronic circuit when said electronic circuit executes the algorithm, said operational data depending on the input data, and said detected operational data of the electronic circuit being used by the algorithm, which is executed by the electronic circuit, so as to generate the output data;
encrypting the information with the generated output data as a key;
transmitting the encrypted information and the random word from said first location to said second location;
feeding the random word into a second device, the second device comprising an electronic circuit for executing an algorithm that generates the output data on the basis of the input data; and a unit for detecting operational data of the electronic circuit which are influenced by an operation of the electronic circuit when said electronic circuit executes the algorithm, the operational data depending on the input data, said operational data detection unit being coupled to the electronic circuit in such a way that the operational data of the electronic circuit are used by the algorithm, which is executed by said electronic circuit, for generating the output data, the second device being arranged at second location;
generating the output data of the second device, which depend on the operational data of said second device, by executing the algorithm by the electronic circuit of said second device, so as to generate the output data on the basis of the input data, operational data of the electronic circuit being detected, which are influenced by an operation of the electronic circuit when said electronic circuit executes the algorithm, said operational data depending on the input data, and said detected operational data of the electronic circuit being used by the algorithm, which is executed by the electronic circuit, so as to generate the output data;
decrypting the encrypted information making use of the output data of the second device as a key, the decrypted information corresponding to the original information prior to encrypting if the operational data of the first device at the first location correspond to the operational data of the second device at the second location.
CA002344429A 1998-09-22 1999-08-27 Device for supplying output data in reaction to input data, method for checking authenticity and method for encrypted data transmission Expired - Lifetime CA2344429C (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
DE19843424A DE19843424A1 (en) 1998-09-22 1998-09-22 Smart card device for delivering output data in response to input data and providing proof of authenticity uses operating data to influence algorithm used to generate output data
DE19843424.3 1998-09-22
PCT/EP1999/006312 WO2000017826A1 (en) 1998-09-22 1999-08-27 Device for supplying output data in reaction to input data, method for checking authenticity and method for encrypted data transmission

Publications (2)

Publication Number Publication Date
CA2344429A1 CA2344429A1 (en) 2000-03-30
CA2344429C true CA2344429C (en) 2003-12-23

Family

ID=7881831

Family Applications (1)

Application Number Title Priority Date Filing Date
CA002344429A Expired - Lifetime CA2344429C (en) 1998-09-22 1999-08-27 Device for supplying output data in reaction to input data, method for checking authenticity and method for encrypted data transmission

Country Status (8)

Country Link
EP (1) EP1099197B1 (en)
AT (1) ATE225548T1 (en)
CA (1) CA2344429C (en)
DE (2) DE19843424A1 (en)
DK (1) DK1099197T3 (en)
ES (1) ES2184500T3 (en)
PT (1) PT1099197E (en)
WO (1) WO2000017826A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8832463B2 (en) 2009-01-14 2014-09-09 Khs Gmbh Method of verifying an identification circuit

Families Citing this family (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002008875A2 (en) * 2000-07-25 2002-01-31 Authentisure, Inc. Unified trust model providing secure identification, authentication and validation of physical products and entities, and processing, storage, and exchange of information
DE10041669A1 (en) * 2000-08-10 2002-02-21 Deutsche Telekom Ag Authentication method for chip card, involves determining authenticity of chip card by comparing time dependent output signals of chip card with predetermined time dependent reference signals
FR2823397A1 (en) * 2001-04-04 2002-10-11 St Microelectronics Sa Extraction of a private datum to authenticate an integrated circuit, uses network parameters and noise to generate datum which has a transient life span, for transmission by circuit to allow its authentication
FR2823401A1 (en) * 2001-04-04 2002-10-11 St Microelectronics Sa Extraction of a private datum to authenticate an integrated circuit, uses network parameters and noise to generate datum which has a transient life span, for transmission by circuit to allow its authentication
FR2823398B1 (en) * 2001-04-04 2003-08-15 St Microelectronics Sa EXTRACTION OF PRIVATE DATA FOR AUTHENTICATION OF AN INTEGRATED CIRCUIT
FR2825873A1 (en) 2001-06-11 2002-12-13 St Microelectronics Sa PROTECTED STORAGE OF DATA IN AN INTEGRATED CIRCUIT
DE10145365B4 (en) * 2001-09-14 2004-04-15 Infineon Technologies Ag Integrated circuit arrangement
EP1391853A1 (en) 2001-11-30 2004-02-25 STMicroelectronics S.A. Diversification of the unique identifier of an integrated circuit
EP1359550A1 (en) * 2001-11-30 2003-11-05 STMicroelectronics S.A. Regeneration of a secret number by using an identifier of an integrated circuit
FR2833119A1 (en) * 2001-11-30 2003-06-06 St Microelectronics Sa GENERATION OF SECRET QUANTITIES OF IDENTIFICATION OF AN INTEGRATED CIRCUIT
FR2834177B1 (en) * 2001-12-20 2004-07-09 Television Par Satellite Tps DEVICE FOR DECODING INTERFERED DIGITAL DATA AND METHOD FOR LOCKING THE DESGROWING
US7840803B2 (en) * 2002-04-16 2010-11-23 Massachusetts Institute Of Technology Authentication of integrated circuits
WO2004105125A2 (en) * 2003-05-26 2004-12-02 Koninklijke Philips Electronics N.V. Semiconductor device, method of authentifying and system
DE102004037801B4 (en) * 2004-08-03 2007-07-26 Siemens Ag Method for secure data transmission
US7564345B2 (en) 2004-11-12 2009-07-21 Verayo, Inc. Volatile device keys and applications thereof
WO2007087559A2 (en) 2006-01-24 2007-08-02 Pufco, Inc. Signal generator based device security
DE102006038877B4 (en) * 2006-08-18 2018-01-25 Giesecke+Devrient Mobile Security Gmbh Tamper-proof unit, procedure for a tamper-proof unit and storage medium
FR2910657B1 (en) * 2006-12-22 2012-11-16 Ingenico Sa METHOD OF VERIFYING THE CONFORMITY OF AN ELECTRONIC PLATFORM AND / OR A COMPUTER PROGRAM PRESENT ON THIS PLATFORM, DEVICE AND CORRESPONDING COMPUTER PROGRAM.
CN101542496B (en) 2007-09-19 2012-09-05 美国威诚股份有限公司 Authentication with physical unclonable functions
US8683210B2 (en) 2008-11-21 2014-03-25 Verayo, Inc. Non-networked RFID-PUF authentication
US8811615B2 (en) 2009-08-05 2014-08-19 Verayo, Inc. Index-based coding with a pseudo-random source
US8468186B2 (en) 2009-08-05 2013-06-18 Verayo, Inc. Combination of values from a pseudo-random source
WO2015089346A1 (en) 2013-12-13 2015-06-18 Battelle Memorial Institute Electronic component classification
US10789550B2 (en) 2017-04-13 2020-09-29 Battelle Memorial Institute System and method for generating test vectors
IL256108B (en) 2017-12-04 2021-02-28 Elbit Systems Ltd System and method for detecting usage condition and authentication of an article of manufacture

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE3736882C2 (en) * 1987-10-30 1997-04-30 Gao Ges Automation Org Method for checking the authenticity of a data carrier with an integrated circuit
DE4339460C1 (en) * 1993-11-19 1995-04-06 Siemens Ag Method for authenticating a system part by another system part of an information transmission system according to the challenge and response principle

Also Published As

Publication number Publication date
EP1099197A1 (en) 2001-05-16
DE19843424A1 (en) 2000-03-23
WO2000017826A1 (en) 2000-03-30
ATE225548T1 (en) 2002-10-15
EP1099197B1 (en) 2002-10-02
ES2184500T3 (en) 2003-04-01
CA2344429A1 (en) 2000-03-30
PT1099197E (en) 2003-02-28
DK1099197T3 (en) 2003-02-10
DE59902963D1 (en) 2002-11-07

Similar Documents

Publication Publication Date Title
CA2344429C (en) Device for supplying output data in reaction to input data, method for checking authenticity and method for encrypted data transmission
Anderson et al. Cryptographic processors-a survey
EP1084543B1 (en) Using unpredictable information to minimize leakage from smartcards and other cryptosystems
EP3220306B1 (en) Method of testing the resistance of a circuit to a side channel analysis
Pfitzmann et al. Trusting mobile user devices and security modules
US5832206A (en) Apparatus and method to provide security for a keypad processor of a transaction terminal
KR100805286B1 (en) Information processing device, information processing method and smartcard
JPS61139873A (en) Authorization system
CN101422015A (en) Noisy low-power PUF authentication without database
US8117449B2 (en) Method to detect man-in-the-middle (MITM) or relay attacks
Militello et al. Embedded access points for trusted data and resources access in HPC systems
Zhang et al. A pragmatic per-device licensing scheme for hardware IP cores on SRAM-based FPGAs
US7500110B2 (en) Method and arrangement for increasing the security of circuits against unauthorized access
CN108171021A (en) Applet is protected to be analyzed from hidden channel
JP4062604B2 (en) Data processing device
Lakshminarasimhan Electromagnetic side-channel analysis for hardware and software watermarking
Leng Smart card applications and security
JP2011107930A (en) Semiconductor integrated circuit, information processor, data processing method and program
EP1926241A2 (en) Using unpredictable information to minimize leakage from smartcards and other cryptosystems
CN101286249A (en) Anti-riot method utilizing double code for alarming
US7107616B2 (en) Method of producing a response
Yang et al. Security systems of point-of-sales devices
Kaiser Digital signature transponder
Giancane Side-channel attacks and countermeasures in the design of secure IC's devices for cryptographic applications
JP2000020631A (en) Electronic money maintenance management system and ic card used for the same

Legal Events

Date Code Title Description
EEER Examination request
MKEX Expiry

Effective date: 20190827
