CN1438784A - Method for generating screat key for cipher algorithm - Google Patents


Info

Publication number: CN1438784A
Authority: CN (China)
Prior art keywords: key, subclass, intensity, algorithm, keys
Legal status: Pending (the status shown is Google's assumption, not a legal conclusion)
Application number: CN 02154353
Other languages: Chinese (zh)
Inventors: E·布里尔 (E. Brier), C·克拉维尔 (C. Clavier)
Current assignee: Gemplus SA (the listed assignee may be inaccurate; Google has performed no legal analysis)
Original assignee: Gemplus SA
Application filed by Gemplus SA
Publication of CN1438784A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols, the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/002: Countermeasures against attacks on cryptographic mechanisms
    • H04L9/003: Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a method and a corresponding device for generating secret secure keys for a cryptographic algorithm. The inventive method comprises the following steps: E1) the whole set (IK) of possible keys is analyzed; E2) a subset (SK) of keys is extracted; E3) the secret keys are generated on the basis of the subset of keys.

Description

Method for generating a secret key for a cryptographic algorithm
Technical field
The present invention relates to a method for generating a secure key for a cryptographic algorithm. More generally, the invention can be used to protect any algorithm, wholly or in part, against being broken.
Background technology
Cryptographic algorithms are generally used in applications where access to data or services is strictly controlled. They are used in particular in some smart card applications: access to certain databases, banking applications, and remote payment (for example for television, fuel or motorway tolls). They are also used in the so-called SIM cards of mobile telephones.
A cryptographic algorithm is generally used in an electronic component whose architecture is built around a microprocessor and memory, the memory including a non-volatile memory that stores the secret key.
In brief, the function of these algorithms is to compute an encrypted message from a plaintext message supplied as input (to the component) and from the secret key held in the card, and to return the resulting encrypted message as a response to the host system (remote server, banking dispenser, etc.). This allows the host system to authenticate the component before exchanging data. The encrypted message can be accessed from outside; however, the plaintext message cannot be recovered from it without knowing the secret key used to produce the encrypted message.
The best-known cryptographic algorithms are DES, AES and RSA. In mobile telephony, the most widely used algorithm is Comp128. This list is obviously not exhaustive. The following features of a cryptographic algorithm are assumed to be known: the operations it performs and the parameters it uses. Only the secret key is unknown; it is specific to each component and cannot be derived simply from the plaintext and/or encrypted messages.
The invention applies equally well to symmetric algorithms (such as DES or AES) and to asymmetric algorithms (such as RSA). The term "secret key" denotes the single key of a symmetric algorithm or the private key of an asymmetric algorithm.
In the case of a symmetric algorithm, the secret key is a binary number of length N0, which depends on the algorithm used. For example, the DES algorithm uses a key of N0 = 56 bits, and the Comp128 algorithm uses a key of N0 = 128 bits. Such an algorithm therefore has a set of N = 2^N0 possible keys.
The secret key is generated during the personalization phase of the component and is then stored in the component's non-volatile memory. In the known way, the key is generated with a random number generator capable of producing a number of the required length N0.
The component, and the algorithm it uses, may be vulnerable to analyses whose purpose is to "break" the algorithm, that is, to find the secret key it uses. If such an analysis succeeds, the consequences can be serious, up to cloning of the component.
Such analyses, at least those currently known, are essentially of two types: cryptanalysis and side-channel attacks.
Cryptanalysis consists of a mathematical or statistical process that uses only knowledge of the algorithm and of one or more plaintext/ciphertext pairs to find the secret key the algorithm uses.
A side-channel attack consists of a simple or differential (statistical) analysis of some physical parameter of the component while it executes the algorithm. It relies on the fact that the trace of the component executing an instruction (the variation of some physical parameter, for example current consumption or electromagnetic radiation) changes according to the data being processed, and therefore according to the secret key used. Specifically, while the component executes the algorithm, its trace depends on the plaintext message, on the secret key and/or on the encrypted message. By measuring this trace and studying the measurements statistically, the secret key can be found.
Finally, in all cases an attack by exhaustive search is possible. It consists of searching systematically for the secret key: given a plaintext message and the associated encrypted message, the algorithm is run with every key in turn until the key that was used is found. Exhaustive search requires considerable time (increasing exponentially with the bit length of the key) and/or particularly high-performance hardware in order to succeed.
Unlike exhaustive search, the duration of a cryptanalysis or of a side-channel attack may depend on the value of the secret key.
The security, or attack resistance, of an algorithm is its ability to withstand any attack of any kind with any key it uses. An algorithm is said to be secure when the time required to break it is too high (from roughly several weeks to several years).
The security of an algorithm increases strongly with the length of the key used. On the other hand, it decreases over time, because the hardware performance available for breaking it, like any attacker's knowledge, keeps increasing.
Known solutions for strengthening an algorithm against side-channel attacks consist of acting on the layout of the algorithm and modifying it so that its trace becomes unpredictable: for example, the steps of the method may be reordered randomly, the data handled by the algorithm may be mixed with one or more random parameters, and so on.
These solutions are effective, but they are more or less difficult to implement because they require modifying the layout of part of the algorithm. They are also costly in algorithm execution time, since they generally increase the total number of steps in the algorithm.
If it proves impossible or undesirable to provide the protection of these algorithm-layout methods, one may consider replacing the algorithm with a more secure one. But such a replacement in existing components also requires modifying the infrastructure the components use, which may demand an excessive technological investment.
Summary of the invention
In view of the above problems, an object of the present invention is to provide a method of protecting a cryptographic algorithm that is both particularly simple and inexpensive.
The invention therefore relates to a method for generating secret secure keys for a cryptographic algorithm, characterized in that it comprises the following steps:
E1: analyze the set (IK) of possible keys,
E2: extract a subset (SK) of keys from the set (IK),
E3: generate the secret keys from the subset (SK).
The invention applies to any such algorithm that is sensitive to at least one identified attack whose performance varies with the value of the key the algorithm uses. It presupposes the notion of strong and weak keys with respect to the identified attack: a strong key is one for which the time required to carry out the identified attack successfully is too high; a weak key is the opposite.
According to the invention, the secret key is generated from a preselected subset of keys so as to resist the identified attack. The probability of that attack succeeding against a component and/or algorithm that uses this secret key is therefore greatly reduced.
During the analysis step E1, the keys are evaluated for their strength against the identified attack. The keys of the key set are then ranked in decreasing order of strength.
When several attacks have been identified, step E1 determines the strength of each key against each identified attack. The resulting strength of the key is then defined as the minimum of its strengths against all the identified attacks. Finally, the keys of the key set are ranked in decreasing order of the resulting strength.
During step E2 of extracting the key subset, when only one attack has been identified, a sufficient number of keys is extracted from among the strong keys of the set of possible keys. In a first variant, the number of keys extracted is fixed. In another variant, the number of keys extracted is a function of the mean strength of the extracted keys, as will be seen more clearly in the example below.
During step E2, when several attacks have been identified, a sufficient number of keys is extracted from among those keys of the set of possible keys that are strong in terms of their resulting strength. In a first variant, the number of keys extracted is fixed. In another variant, the number of keys extracted is a function of the mean resulting strength of the extracted keys.
During step E3 of generating the secret key, the secret key is chosen at random from the key subset. The key so obtained is finally stored in the non-volatile memory of the component to be personalized.
The secret key obtained by the method of the invention is therefore necessarily a strong key with respect to the identified attack or attacks. Thus, if the identified attack is applied to a component that uses this secret key, it obtains no result. Moreover, since the key subset from which the secret key is chosen contains a sufficient number of keys, an exhaustive search obtains no result either.
The method of the invention therefore makes it possible to generate a key such that neither the identified attack nor an exhaustive search can succeed against a component that uses it.
The invention can be used to generate the secret key of any algorithm for which at least one possible attack has been identified and whose keys are more or less sensitive to that identified attack. In an illustrative embodiment, the invention is applied to an algorithm of the Comp128 type.
Description of the drawings
The invention and its advantages will become clearer on reading the following description, which gives an illustrative embodiment of the method for generating a secure key. The description is to be read with reference to the accompanying drawings, in which:
- Fig. 1 is a block diagram of the architecture of a device implementing the method of the invention, and
- Fig. 2 is a schematic of the method according to the invention.
Embodiment
Fig. 1 describes, in block-diagram form, an electronic device 1 capable of implementing the key-generation method according to the invention. In the example, device 1 is a reader used for personalizing smart cards of the SIM card type. Device 1 comprises a communication interface 10 and a programmable computing assembly made up of a central unit 2 functionally connected to a set of memories, which comprises:
- a memory 4 accessible in read-only mode, in the example of the mask ROM type (also called "mask read-only memory"),
- an electrically reprogrammable memory 6, for example of the EEPROM type (from the English "electrically erasable programmable ROM"), and
- a working memory 8 accessible in read and write mode, in the example of the RAM type (from the English "random access memory"). This memory in particular contains the registers used by device 1.
The program memory contains the executable code corresponding to the method of the invention, used to generate the secret key for the card to be personalized. In practice this code may be held in memory 4, accessible read-only, and/or in memory 6, where it can be rewritten.
The central unit 2 is connected to the communication interface 10, which handles the exchange of signals with the card to be personalized and supplies power to its chip. The communication interface 10 is connected to the chip of the card to be personalized (not shown in Fig. 1) either by a physical connection (contact card) or by radio frequency (contactless card).
In the following example, the algorithm used is assumed to be of the Comp128 type. This algorithm uses a key of length N0 = 128 bits, made up of 8 sub-keys of 16 bits each. The total number of possible keys for this algorithm is therefore N = (2^16)^8 = 2^128.
This algorithm is known to be sensitive to a cryptanalysis called a "collision attack". This attack consists of looking for different plaintext messages that yield the same encrypted message. This phenomenon, called a collision, makes it possible to find the value of a sub-key. The collision search can be repeated until the value of the secret key in use is obtained.
In the following description, the method of the invention produces a secret key that is protected against this identified attack (the collision attack).
When the key-generation method according to the invention is carried out, the following steps are executed (Fig. 2):
E1: analyze the set of possible keys,
E2: extract a subset of keys from the set (IK) of possible keys,
E3: generate the secret key from the subset (SK) of keys.
The generated secret key can then be stored in the non-volatile memory of the card to be personalized. Steps E1 and E2 are executed once; step E3 is repeated for each card to be personalized.
During step E1, the set (IK) of possible keys is examined. Specifically, the strength of these keys is estimated, that is, for a key Ki, the effort T(Ki) required for the attack under consideration to succeed. This effort is determined according to the knowledge and the technical performance of the equipment the attacker is assumed to have. The keys are then ranked, giving, in decreasing order of strength T(Ki):
T(Ki) ≥ T(Kj), where i < j.
The first step E1 thus ranks the keys by strength and makes it possible to distinguish strong keys from weak keys. The estimation of key strength need not be exact. Likewise, the ranking of the keys need not be fully strict, as long as the essential distinction between strong and weak keys is made.
In the second step E2, a subset SK of keys is extracted from the set IK of possible keys such that:
- the keys in subset SK are as strong as possible, in order to resist the identified attack, and
- the number of keys in subset SK is sufficient to resist exhaustive search.
A method for optimizing the extraction of the key subset SK in step E2 is given below. This optimization is not, however, necessary in order to benefit from the invention. In fact, any non-optimized key subset SK containing enough strong keys can be extracted and will resist the identified attack (through key strength) and exhaustive search (through the number of keys).
Specifically, let the mean effort required for the identified attack to succeed against a key from subset SK be the sum of the efforts for the keys in SK divided by the number of keys in SK, that is:
T1 = (1/NS) × Σ T(Ki), where i ranges from 1 to NS,
and NS is the number of elements in the key subset SK.
Furthermore, the effort required to complete an exhaustive search over the key subset SK is:
T2 = NS × T0,
where T0 is the execution time of the algorithm.
Since the attacker may choose to carry out either an exhaustive search or the identified attack, the mean effort needed to obtain a key from subset SK is given by:
T3 = Min[T1; T2] = Min[(1/NS) × Σ T(Ki); NS × T0]
To strengthen the algorithm, one seeks to maximize the mean effort T3. To this end, keys are inserted into subset SK in decreasing order of strength T(Ki) until the number of keys in SK reaches an optimal number NSO.
The function T1 = (1/NS) × Σ T(Ki) is a decreasing function of NS, because the keys inserted into subset SK have decreasing strength. Conversely, the function T2 = NS × T0 is a linearly increasing function of NS.
A quick mathematical study shows that, in this case, T3 is maximal when T1 = T2. This makes it possible, in the general case, to compute the optimal number of keys NSO to insert into the key subset SK from the following formula:
T0 × (NSO)^2 = Σ T(Ki), where i ranges from 1 to NS, with NS = NSO.
Then, during step E3, the secret key is generated by choosing it at random from the key subset obtained in step E2. The chosen secret key is finally stored in the non-volatile memory of the component to be personalized.
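The procedure E1 to E3 and the NSO optimization of step E2, carried through on a constructed toy key space, as an added Python example; this is not code from the patent or from Gemplus. The 1000-key space, the effort function `toy_attack_effort` (100 keys at effort 1000, the rest at 10) and T0 = 1 are constructed illustrative values, not measurements of any real algorithm. `rank_keys` also takes the minimum over several attack-effort functions, as the several-attacks variant of step E1 describes.

```python
"""Added example: steps E1-E3 with the NSO optimization (T3 = min(T1, T2)).
All effort values below are constructed; they describe no real algorithm."""
import secrets
from typing import Callable, Sequence

# Constructed toy model: 1000 keys, 100 of which resist the identified attack
# far better than the others.  T0 is one unit of effort per algorithm run.
TOY_KEYS = range(1000)
T0 = 1.0


def toy_attack_effort(key: int) -> float:
    """Constructed T(Ki): effort for the identified attack to succeed on key Ki."""
    return 1000.0 if key < 100 else 10.0


def rank_keys(keys, attacks: Sequence[Callable[[int], float]]):
    """Step E1: the resulting strength T(Ki) is the minimum effort over all
    identified attacks; keys are then sorted so that T(Ki) >= T(Kj) for i < j."""
    scored = [(k, min(attack(k) for attack in attacks)) for k in keys]
    scored.sort(key=lambda kt: kt[1], reverse=True)  # stable: ties keep key order
    return scored


def mean_effort(ranked, ns: int, t0: float) -> float:
    """T3(NS) = min(T1, T2) with T1 = (1/NS) * sum T(Ki), i = 1..NS, T2 = NS * T0."""
    t1 = sum(t for _, t in ranked[:ns]) / ns
    t2 = ns * t0
    return min(t1, t2)


def optimal_subset_size(ranked, t0: float):
    """Step E2 optimization: NSO is the NS that maximizes T3.  T1 is
    non-increasing and T2 increasing in NS, so one pass with a running sum
    finds the integer maximum; the continuous optimum is the T1 = T2
    crossing, i.e. T0 * NSO^2 = sum T(Ki)."""
    best_ns, best_t3, running = 1, 0.0, 0.0
    for ns, (_, t) in enumerate(ranked, start=1):
        running += t
        t3 = min(running / ns, ns * t0)
        if t3 > best_t3:
            best_ns, best_t3 = ns, t3
    return best_ns, best_t3


def extract_subset(ranked, t0: float):
    """Step E2: SK is the NSO strongest keys of the ranking."""
    nso, _ = optimal_subset_size(ranked, t0)
    return [k for k, _ in ranked[:nso]]


def generate_secret_key(subset):
    """Step E3: uniform choice from SK using the OS CSPRNG (secrets), not random."""
    return secrets.choice(subset)


if __name__ == "__main__":
    ranked = rank_keys(TOY_KEYS, [toy_attack_effort])
    nso, t3 = optimal_subset_size(ranked, T0)
    sk = extract_subset(ranked, T0)
    print(f"NSO = {nso}, T3 = {t3:.3f}, |SK| = {len(sk)}")
    print("secret key:", generate_secret_key(sk))
```

With these values the scan finds NSO = 320 and T3 = 319.375: the optimal subset keeps all 100 strong keys plus 220 weaker ones, because stopping at 100 would leave exhaustive search (T2 = 100 × T0) cheaper than the identified attack (T1 = 1000). The discrete maximum sits next to the continuous crossing T0 × NSO^2 = Σ T(Ki) (320^2 = 102400 against Σ = 102200). Step E3 draws from `secrets` so the personalized key comes from the OS entropy source rather than a seedable generator.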
In the actual case of a component using the Comp128 algorithm, the key is made up of 8 sub-keys of 16 bits, and a key is strong if and only if the 8 sub-keys that make it up are themselves strong.
During step E1, the 2^16 possible 16-bit sub-keys are analyzed, and 769 of them are identified as strong sub-keys. These 769 sub-keys are those with the property that they cannot give rise to the collision considered by the identified attack.
Step E2 then consists of taking as subset SK the set of keys all of whose sub-keys belong to the set of 769 strong sub-keys identified in step E1.
During step E3, 8 sub-keys are chosen at random from the subset of 769 strong sub-keys to form the final strong secret key.
These 8 sub-keys are strong, so the resulting secret key resists the identified attack (the collision attack). In addition, the resulting secret key also resists exhaustive search, because the size of the identified subspace SK from which the secret key is drawn equals 769^8 ≈ 2^76.7.
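The Comp128 case above (8 sub-keys of 16 bits, 769 strong sub-keys, |SK| = 769^8 ≈ 2^76.7), as an added Python example that is not the patent's or Gemplus's code. The description does not list which 769 sub-keys avoid the collision, so `PLACEHOLDER_STRONG_SUBKEYS` is a constructed stand-in of 769 values, and the big-endian packing of the 8 sub-keys into the 128-bit key is an assumed layout, not Comp128's documented one.

```python
"""Added example: composing a Comp128-style key from strong sub-keys only and
checking the size of the resulting key subspace SK."""
import math
import secrets

SUBKEY_BITS = 16
SUBKEYS_PER_KEY = 8
STRONG_SUBKEY_COUNT = 769  # figure from the description

# PLACEHOLDER: the description says 769 of the 2^16 sub-keys cannot produce the
# collision but does not list them; a constructed set of 769 values stands in.
PLACEHOLDER_STRONG_SUBKEYS = tuple(range(STRONG_SUBKEY_COUNT))


def subspace_bits(n_strong: int, n_subkeys: int = SUBKEYS_PER_KEY) -> float:
    """log2 |SK| for |SK| = n_strong ** n_subkeys (ordered sub-keys, repeats allowed)."""
    return n_subkeys * math.log2(n_strong)


def assemble_key(subkeys) -> int:
    """Pack sub-keys into one 128-bit integer, first sub-key most significant
    (assumed layout).  Rejects anything that is not a 16-bit value."""
    key, count = 0, 0
    for sk in subkeys:
        if not 0 <= sk < (1 << SUBKEY_BITS):
            raise ValueError(f"sub-key {sk!r} is not a {SUBKEY_BITS}-bit value")
        key = (key << SUBKEY_BITS) | sk
        count += 1
    if count != SUBKEYS_PER_KEY:
        raise ValueError(f"expected {SUBKEYS_PER_KEY} sub-keys, got {count}")
    return key


def split_key(key: int):
    """Inverse of assemble_key: the 8 sub-keys, most significant first."""
    mask = (1 << SUBKEY_BITS) - 1
    return tuple((key >> (SUBKEY_BITS * (SUBKEYS_PER_KEY - 1 - i))) & mask
                 for i in range(SUBKEYS_PER_KEY))


def is_strong_key(key: int, strong_subkeys) -> bool:
    """A key is strong if and only if every one of its 8 sub-keys is strong."""
    strong = set(strong_subkeys)
    return all(sk in strong for sk in split_key(key))


def generate_comp128_key(strong_subkeys) -> int:
    """Step E3: 8 independent uniform draws from the strong sub-key set via the
    OS CSPRNG; drawing with replacement is what gives |SK| = 769^8."""
    return assemble_key(secrets.choice(strong_subkeys) for _ in range(SUBKEYS_PER_KEY))


if __name__ == "__main__":
    print(f"log2 |SK| = {subspace_bits(STRONG_SUBKEY_COUNT):.1f} (full space: 128.0)")
    key = generate_comp128_key(PLACEHOLDER_STRONG_SUBKEYS)
    print(f"key = {key:032x}, strong = {is_strong_key(key, PLACEHOLDER_STRONG_SUBKEYS)}")
```

The arithmetic confirms the description's figure: 8 × log2(769) ≈ 76.7 bits of key space remain after restricting to strong sub-keys, against 128 for the unrestricted space. A personalization tool would replace the placeholder tuple with the actual strong sub-key list produced by step E1 and keep `is_strong_key` as a final check before writing the key to the card.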

Claims (13)

1. A method for generating secret secure keys for a cryptographic algorithm, characterized in that it comprises the following steps:
E1: analyze the set (IK) of possible keys,
E2: extract a subset (SK) of keys from the set (IK),
E3: generate the secret keys from the subset (SK).
2. The method of claim 1, characterized in that during the analysis step (E1), the keys of the set of possible keys (IK) are evaluated for their strength against a certain identified attack.
3. The method of either claim 1 or claim 2, characterized in that during the step (E2) of extracting the subset (SK), a sufficient number of keys that are strong against the identified attack is extracted from the key set (IK).
4. The method of claim 3, characterized in that the sufficient number (NSO) is fixed.
5. The method of claim 3, characterized in that the sufficient number is determined according to the mean strength of the keys in the key subset (SK).
6. The method of claim 1, characterized in that, when several identified attacks are faced, during the analysis step (E1) the keys of the key set (IK) are evaluated for their strength against each of these attacks.
7. The method of claim 6, characterized in that the resulting strength of a key is defined as the minimum of its strengths against all of the several identified attacks.
8. The method of any one of claims 1, 6 or 7, characterized in that during the step (E2) of extracting the subset (SK), a sufficient number of keys that are strong against the several identified attacks is extracted from the key set (IK).
9. The method of claim 8, characterized in that the sufficient number (NSO) is fixed.
10. The method of claim 8, characterized in that the sufficient number (NSO) is determined according to the mean value of the resulting strengths of the keys against the several identified attacks.
11. The method of any one of claims 1 to 5, characterized in that during the analysis step (E1), the keys of the key set (IK) are then ranked in decreasing order of strength.
12. The method of any one of claims 1 or 6 to 10, characterized in that during the analysis step (E1), the keys of the key set (IK) are then ranked in decreasing order of resulting strength.
13. A device for personalizing an electronic component by means of a secret key chosen at random from a key subset (SK), characterized in that the device comprises a programmable unit (1) for implementing the method of any one of claims 1 to 12, the programmable unit comprising a central unit (2) and a program memory.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR0201883A FR2836312B1 (en) 2002-02-15 2002-02-15 SECURE KEY GENERATION METHOD FOR CRYPTOGRAPHIC ALGORITHM
FR02/01883 2002-02-15

Publications (1)

Publication Number Publication Date
CN1438784A true CN1438784A (en) 2003-08-27

Family

ID=27636184

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 02154353 Pending CN1438784A (en) 2002-02-15 2002-11-26 Method for generating screat key for cipher algorithm

Country Status (4)

Country Link
CN (1) CN1438784A (en)
AU (1) AU2003222888A1 (en)
FR (1) FR2836312B1 (en)
WO (1) WO2003071733A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102124469A (en) * 2008-09-11 2011-07-13 Qualcomm Incorporated (高通股份有限公司) Method for securely communicating information about the location of a compromised computing device
US8850568B2 (en) 2008-03-07 2014-09-30 Qualcomm Incorporated Method and apparatus for detecting unauthorized access to a computing device and securely communicating information about such unauthorized access

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
BRPI0408923A (en) 2003-04-01 2006-03-28 Mi Kyoung Park physical contactless type communication tag, portable tag reading device, method of providing product information, and product to which a physical contactless type communication tag is attached

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8839460B2 (en) 2008-03-07 2014-09-16 Qualcomm Incorporated Method for securely communicating information about the location of a compromised computing device
US8850568B2 (en) 2008-03-07 2014-09-30 Qualcomm Incorporated Method and apparatus for detecting unauthorized access to a computing device and securely communicating information about such unauthorized access
CN102124469A (en) * 2008-09-11 2011-07-13 Qualcomm Incorporated (高通股份有限公司) Method for securely communicating information about the location of a compromised computing device

Also Published As

Publication number Publication date
AU2003222888A1 (en) 2003-09-09
FR2836312B1 (en) 2004-11-19
WO2003071733A1 (en) 2003-08-28
FR2836312A1 (en) 2003-08-22

Similar Documents

Publication Publication Date Title
US9361440B2 (en) Secure off-chip processing such as for biometric data
CN1302407C (en) Equipment identifying system
US20100153719A1 (en) Lightweight Authentication Method and System for Low-Cost Devices Without Pseudorandom Number Generator
US20100153731A1 (en) Lightweight Authentication Method, System, and Key Exchange Protocol For Low-Cost Electronic Devices
CN1934823A (en) Anonymous authentication method
CN1648967A (en) Cryptographic apparatus, cryptographic method, and storage medium thereof
CN1818923A (en) Enciphering authentication for radio-frequency recognition system
Reddy et al. Performance of iris based hard fuzzy vault
CN1638327A (en) Encryption device and program and method used along with the same
EP3284066B1 (en) Multi-factor authentication using a combined secure pattern
CN1859095A (en) Method for verifying user's identity by biology identification
CN106385320B (en) RFID anti-counterfeiting device and anti-counterfeiting method based on PUF and digital signature
CN1427345A (en) Method and apparatus for increasing circuit safety and preventing unauthorized use
Han et al. A novel hybrid crypto-biometric authentication scheme for ATM based banking applications
CN1438784A (en) Method for generating screat key for cipher algorithm
CN1885227A (en) Portable electronic apparatus and data output method therefor
CN106156615A (en) Based on class separability sentence away from bypass circuit sectionalizer method and system
Simoens et al. Reversing protected minutiae vicinities
CN1218277C (en) Countermeasure method in microcircuit, micro circuit therefor and smart card comprising said microcircuit
CN1166111C (en) Countermeasure method in an electronic component using a secret key cryptographic algorithm
CN102194067A (en) Method for signing electronic document with fingerprint based on Internet
CN113987446A (en) Authentication method and device
CN1183495C (en) Secret code security access to data processing means
CN1761966A (en) Methods, computer program products and devices for check of identity
KR100687725B1 (en) Method and apparatus for secure authentication of fingerprint data

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication