DE102013014214A1 - Microprocessor device with access-protected data object - Google Patents

Abstract

The invention provides a microprocessor device with a data object (K) stored in an access-protected manner, and with an access protection device which is set up to perform secure access to the data object (K) and which comprises a verification device and an access device, wherein - the verification device is arranged to perform a verification process in which a verification input entered into the access protection device is processed into a verification output, and - the access device is adapted to perform an access operation of accessing the data object (K) in dependence on the verification output, characterized that the access protection device is secured against error attacks in that - the data object (K) is encrypted (eK) stored, - the verification device is set up as a verification device to generate an access token, and - the access device is adapted to perform the access operation in dependence on the verification output, thereby decrypting the encrypted data object (eK) using the generated access token.

Description

The invention relates to a microprocessor device having a data object stored therein in an access-protected manner and having an access security device which is set up to perform secure access to the data object, according to the preamble of claim 1.

The microprocessor device is optionally implemented in a mobile security device. As a mobile security device can optionally be provided: a disk, such as chip module, smart card, smart card or token; or a mobile terminal, for example a mobile phone, smartphone, tablet PC or PDA.

In microprocessor devices widely estimated data objects are stored. For example, if the microprocessor device is set up in a signature chip card or in a mobile terminal with a signature application, a signature key is stored in the microprocessor device, by means of which a digital signature can be generated. The signature may be used by the owner of the signature key to authenticate himself to applications set up outside of his signature chip card or mobile terminal on a remote server. An example of a signature chipcard is the German identity card with signature function, which allows the use of a number of applications, with the signature generated in the identity card as authentication means.

To protect data objects two different approaches are pursued. One is to prevent access to the data object. The other is to disable the data object for an attacker.

Access protection is achieved, for example, by the requirement of entering an access code, for example a PIN (personal identification number), or a password. Entering the correct access code grants access to the data object. If an incorrect access code is entered, access to the data object is denied. In this case, by means of a binary decision access code is set correctly / incorrectly, whether the access is granted or not.

Making data unusable for attackers is achieved, for example, by encrypting the data. Anyone can access the encrypted data. Only the owner of the decryption key necessary for decryption can decrypt the data. Thus, only the owner of the decryption key has access to the data in a usable form.

Encrypted stored data can additionally be secured by an access code (eg PIN), so that even encrypted, in itself useless data can not be read out without authorization.

For a long time, error attacks on microprocessor devices have been known. In this case, the operation of the microprocessor device is disturbed by a fault, such as a flash of light or a voltage spike. In particular, the binary decision about an access code can be tipped by an error attack, so that despite the input of an incorrect access code, the further workflow in the microprocessor proceeds as if the correct or a correct access code had been entered. Error attacks are described for example in D. Boneh, RA DeMillo, and RJ Lipton, in Advances in Cryptology - EUROCRYPT '97, vol. 1233 of Lecture Notes in Computer Science, pages 37-51. Springer-Verlag, 1997 ,

EP 1 569 118 B1 describes a double-computation against error attacks protected calculation of a memory address. Here, the memory address is calculated twice and used only if both results are equal. Otherwise, it is assumed that an error attack has occurred and prevents memory access with the memory address.

Double calculations may be vulnerable to multiple attacks. In turn, multiple calculations with, for example, four calculations are used against this.

Double calculations and multiple calculations, on the other hand, offer scope for statistical evaluations since the same calculation is performed twice. Thus, a solution would be advantageous in which a double calculation is not even necessary.

According to the preamble of claim 1, the invention is based on a microprocessor device with a data object (asset) stored in an access-protected manner, and with an access protection device which is set up to perform secure access to the data object and which comprises a verification device and an access device , In this case, the verification device is set up to perform a verification process, in which a verification input entered into the access assurance device is processed into a verification output. For a PIN fuse according to the Prior art would z. For example, a PIN is entered as the verification input, and in the verification process as the verification output, a PIN decision of "entered PIN is correct" or "entered PIN is false" is generated. The access device is configured to perform an access operation of accessing the data object depending on the verification output. In the case of the conventional PIN backup, the dependence of the access process on the verification output is realized by the fact that the access is performed with the correct PIN and the access is not carried out if the PIN is incorrect. As described above, a PIN decision can be tipped by error attacks.

The invention is based on the object to provide a microprocessor device with a reliable access secured stored data object.

The object is achieved by a microprocessor device according to claim 1. Advantageous embodiments of the invention are specified in the dependent claims.

• – das Datenobjekt verschlüsselt abgespeichert ist,
• – die Verifizierungseinrichtung dazu eingerichtet ist, als Verifizierungsausgabe ein Zugriffstoken zu erzeugen, und
• – die Zugriffseinrichtung dazu eingerichtet ist, den Zugriffsvorgang derart in Abhängigkeit von der Verifizierungsausgabe durchzuführen, dass dabei das verschlüsselte Datenobjekt unter Verwendung des erzeugten Zugriffstokens entschlüsselt wird.

The microprocessor device according to claim 1 is characterized in that the access protection device is secured against error attacks by

• The data object is stored in encrypted form,
• The verification device is set up to generate an access token as the verification output, and
• - The access device is adapted to perform the access operation in such a manner in dependence on the Verification output, that while the encrypted data object is decrypted using the generated access token.

The abstract reason that the conventional PIN decision can easily be tipped from the value "false", which leaves the access to the data object locked, to the value "true", which grants access to the data object the low entropy of the PIN decision. The binary PIN decision has the entropy one. The PIN may be long and thus have a high entropy. The binary PIN decision between the PIN and the access to the data object is a weak point.

In contrast, in the inventive solution, the verification output flows from the verification process, i. H. the access token used to decrypt the data object in the access process. As a result, the verification process and the access process are interwoven. The high entropy of the verification input (e.g., PIN) flows into the access process without the low-order vulnerability of a binary decision, as discussed below.

If the access token (i.e., the verification output) or the verification process is successfully manipulated by an error attack, then for the subsequent access process, instead of the correct access token, any other, most likely useless, false token is provided that is unlikely to properly decrypt the data object. In the abstract, the existence of a large number of possible false tokens compared to the single correct access token means that the verification output of the invention (i.e., the access token) has high entropy. Since the decryption key is formed by the access token, with which the data object can be decrypted to clear text form, a high degree of entropy is maintained during the transition from the verification process to the access process. A simple compromise of access security by tilting the Verification output, as is possible with the conventional PIN fuse is structurally impossible in the invention.

Therefore, according to claim 1, a microprocessor device is provided with a reliably secured access protected data object.

The data object is optionally encrypted with a (symmetric) encryption algorithm, for example AES, in particular AES-CTR (counter mode), or AES XTS-mode ("hard disk encryption standard").

As an access token, the decryption key is optionally generated, which corresponds to the encryption key used to encrypt the data object. For symmetric decryption is used as access token z. B. generates the encryption and decryption key.

Optionally, the data object has been encrypted in a secure environment and stored in encrypted form. As a safe environment, for example, a production plant for the production of microprocessor devices or security devices with such microprocessor devices is provided to which the later user of the microprocessor device or the security device has no access. Optionally, the microprocessor device or the security device has a special access-secured area in which the data object is encrypted, without the possibility of influencing a user. The access-secured area within the microprocessor device or the security device has been set up, for example, at an upstream point in time in a secure production facility.

Optionally, the access device is further configured to decrypt the encrypted data object to the unencrypted data object in the event that the verification input or / and the verification device corresponds to predetermined criteria. For example, if a PIN is entered as the verification input, the verification input corresponds to the criteria if the input PIN is the same as the correct PIN.

Optionally, the access device is further configured to decrypt the encrypted data object to a decryption result different from the unencrypted data object in the event that the verification input or / and the verification device does not meet predetermined criteria. In this case, therefore, any false token other than the decryption key is generated as an access token. An error attack generates from the false token any other manipulated false token that is most likely also different from the decryption key. The probability that the correct access token is generated by an error attack on a false token, is, as long as some specifications are considered arbitrarily small.

Thus, according to the last-mentioned embodiment, the data object is decrypted with the access token even if an incorrect verification input (eg, PIN) has been input. This embodiment has the advantage that an attacker between right and wrong input verification input (e.g., PIN) will not notice a difference. In both cases, an access token is generated and a decryption operation is performed on the data object with the access token. Only if the verification input was correct, the decryption process restores the data object in plain text. In all other cases, the decryption result is usually useless.

Optionally, the verification input has an input entropy and the access token generated as a verification output has token entropy, and wherein the token entropy is at least equal to a minimum token entropy, for example at least 32 (thirty-two) or 64 (sixty-four). Alternatively or additionally, the token entropy is optionally not reduced compared to the input entropy or at least not significantly reduced, in particular at least reduced by a small factor. According to these embodiments, the provision is considered that the access token has a sufficiently high entropy. A PIN decision has one entropy, as it only has the two possible values, "PIN false" and "PIN correct," which correspond to the two values of a single binary bit. Due to the low entropy of the PIN decision, the PIN decision can easily be reversed. Even with a very long PIN, which has a high entropy, the binary PIN decision PIN wrong / correct always has only the entropy one. Thus, in the conventional PIN verification method, the entropy of the verification output (PIN decision wrong / proper)) is significantly reduced from the entropy of the verification input (input PIN). By contrast, the access token according to the invention has a high degree of entropy and therefore can not be reliably tilted from an incorrect value to the only correct value. There are many possible incorrect values of the access token, but only one correct value of the access token.

Optionally, the verification input has an input entropy and the access token generated as a verification output has a token entropy, and wherein the token entropy and / or the input entropy is chosen to be particularly high enough that the probability, starting from a verification input, which does not meet the predetermined criteria, by randomly varying the verification input, the verification output, and / or the verification process to generate a verification token that decrypts the encrypted data object to the unencrypted data object, does not exceed, or at least does not exceed, a predetermined probability limit. The higher the token entropy, the more possible values are available for the access token. Of the possible values of the access token, one is usually correct, and all others are wrong. Only with the correct access token can the data object be successfully decrypted. The higher the input entropy is (for example, the longer the bit length of a PIN), the more possible values are available for the verification input (eg, PIN), and thus the more possible access tokens derived from incorrect verification input.

Optionally, the verification input has a bit length and the access token a (shorter or equal length) bit length, and wherein the input entropy is determined by the bit length of the verification input and the token entropy is determined by the bit length of the access token. A 256-bit verify input thus has entropy 256. A 32-bit access token has entropy 32.

According to one embodiment of the invention, the verification input (eg PIN) is used as the access token, ie the data object is encrypted with the verification input. Verification input, verification output, and access token are the same. The mapping rule for deriving the access token from the verification input is the identity. In particular, the access token has the same entropy (and bit length) as the Verification input, in particular the entropy of the access token is not reduced compared to the high entropy of the verification input, ie the high entropy of the verification input is preserved.

According to an embodiment of the invention, further, either in the verification process or in an additional decision verification process, a decision verification output is generated which, if the verification input meets predetermined criteria, has a first decision value and if the verification input does not meet predetermined criteria , has a second decision value. In this case, an access token is still generated in the verification process. In addition, either in the verification process itself or in an additional process, for example, a PIN decision is generated, with the value either "PIN wrong" or "PIN correct". Some formal requirements, such as guidelines, laws, ordinances, standards, etc., require that a saved data object be protected by a PIN-check routine. According to the embodiment described here, z. For example, in addition to the conventional PIN check with PIN decision PIN right / wrong provided to meet formal requirements. The actual protection of the data object is achieved by means of encryption and the access token.

Optionally, in the embodiment described above, if the decision verification output has the first decision value, the access to the data object is made, and / or if the decision verification output has the second decision value, access to the data object is not performed. For example, if a correct PIN has been entered, access will be made with the generated access token and, if an incorrect PIN has been entered, access will not be made. The PIN check fulfills formal requirements.

Optionally, one of the following is provided as a verification input: a PIN; a password; a random number to be recreated before each access operation; a hash value; a predecessor access token generated in a previous execution of the verification operation (i.e., verification and generation of an access token are performed cascaded two or more times in succession); a sequence of multiple predecessor access tokens.

Optionally, one of the following is provided as a data object: a secret key, in particular a signature key for generating a digital signature; a biometric record; User data; Personal data; an erroneous operation counter, in particular a counter reading of a misoperation counter or a counter reading difference of a misoperation counter; a data processing program, in particular an operating system; a partial functionality of a data processing program, in particular a partial functionality of an operating system.

The case that a data processing program, in particular an operating system or a partial functionality of a data processing program, in particular a partial functionality of an operating system, is provided as the data object is considered in greater detail. The data processing program or operating system or a subfunctionality thereof is preferably provided in a broadly encrypted (i.e., deactivated) form. For example, in a data processing program, operating system or a partial functionality of the encryption is effected in that a necessary completion key is not yet implemented, so that the data processing program, operating system or the sub-functionality is not functional. By means of a completion key, the data processing program, operating system or the partial functionality can be decrypted, i. H. complete and make it functional. In this case, the completion key is generated in the verification process as a verification output. Only if the correct verification input is entered is the correct completion key generated which renders the data processing program, operating system or subfunctioning functional. If an incorrect verification input is entered, a completion key may be generated, depending on the embodiment. However, this does not make the data processing program, operating system or subfunctionality functional.

As a partial functionality, a charging functionality for downloading an applet into a security device (smartcard, smartphone, etc.) is optionally provided. Without this loading functionality, no applets can be downloaded. The access token enables the ability to download applets (enablement of applet loading).

Optionally, the microprocessor device is implemented in a mobile security device, for example a data carrier, for example chip module, chip card, smart card or token; or in a mobile terminal, for example a mobile phone, smartphone, tablet PC or PDA. Optionally, the mobile security device is located in the field, ie delivered to a user. Optionally, in the field in the safety device in particular as a partial functionality of a Operating system provided a charging functionality, which makes it possible to load applications in the field located in the field. Through the verification process, the charging functionality for reloading applications is enabled for the device in the field.

The microprocessor device is, according to one embodiment, implemented in a signature card (signature smart card), in which further a signature key is stored in encrypted form. The microprocessor device is set up to calculate a digital signature by means of the signature key. To effect the calculation of a digital signature in the signature card, it is necessary to input a PIN as a verification input. An access token is derived from the entered PIN, optionally using in particular the PIN as the access token. The encrypted signature key is decrypted with the access token, if necessary directly with the PIN. The result of decrypting the encrypted signature key computes a digital signature.

According to one embodiment of the invention, the derived access token contains information about the data object (asset-specific token).

In the following the invention will be explained in more detail with reference to exemplary embodiments and with reference to the drawing, in which:

1 a PIN-secured signature card, according to the prior art;

2 a PIN-secured signature card, with optional PIN decision, according to an embodiment of the invention.

1 shows a PIN-secured signature card, according to the prior art. As a signature card SC, for example, an identification document with signature functionality may be provided, for. B. the German identity card nPA. A user contacts the signature card SC via any suitable contactless or contact card terminal (not shown) having at least one card reader, an input interface (eg, keyboard), and an output interface (eg, display). The card terminal is understood in the broadest sense and can, for. B. a separate card reader with attached input / output interface, a smartphone, a fixed service terminal, a PC with keyboard card reader, etc. be. In the signature card, a signature key K is stored with which a digital signature S (K) can be generated. On the occasion of a request from a user to the signature card SC to generate a digital signature S (K), the signature card SC to the user a request to enter a PIN. The output of the request to the user is z. Example, via an interface (eg display) of the card terminal or a device connected to the card terminal. Upon request, the user inputs a PIN into the signature card SC via the input interface of the card terminal (eg keyboard). The key K is typically the private key K = PrK of an asymmetric key pair (PuK, PrK), with PuK as the public key.

Now the conventional PIN check is performed in the signature card SC. The signature card SC checks whether the entered PIN is correct. If the entered PIN is correct, the generation of a digital signature S (K) in the signature card SC is initiated. If the entered PIN is incorrect, no digital signature S (K) is generated (and if necessary, the misoperation counter of the signature card SC is incremented).

2 shows a PIN-secured signature card SC, according to an embodiment of the invention.

The contacting of the signature card SC with a card terminal takes place in a conventional manner. The user conventionally requests the signature card SC to generate a digital signature S (K). The signature card SC issues a request to enter a PIN in response to the user. As usual, the user enters a PIN into the signature card SC via the card terminal. Optionally, the PIN is checked for correctness. If the PIN is correct, the procedure continues. If the PIN is incorrect, the procedure is either continued or aborted depending on the embodiment. The cancellation due to the wrong PIN is z. B. to meet formal requirements, he would not be necessary.

In contrast to the prior art, the signature key K is stored in encrypted form eK in the signature card SC. In the example off 2 the signature key K is encrypted with a symmetric method and key. The key to encrypting the signature key K is in the example 2 used the correct PIN. K is thus stored as eK, encrypted according to eK = ENC (TOK) K = ENC (PIN) K, in the signature card SC.

With the PIN entered in the verification process, the encrypted signature key eK is decrypted, according to K * = DEC (TOK) eK = DEC (ENC (TOK)) K = DEC (PIN) eK = DEC (ENC (PIN)) K.

If the entered PIN is correct, the decryption result K * is equal to the original signature key K in plain text. In all other cases, the decryption result K * is different from the original signature key K in plain text.

Finally, with the decrypted signature key K, the digital signature S (K) is calculated in a manner known per se.

The direct use of the PIN for encryption / decryption is a particularly simple example. Optionally, the access token is derived from the verification input according to a more complex mapping policy.

QUOTES INCLUDE IN THE DESCRIPTION

This list of the documents listed by the applicant has been generated automatically and is included solely for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions.

Cited patent literature

• EP 1569118 B1 [0009]

Cited non-patent literature

• D. Boneh, RA DeMillo, and RJ Lipton, in Advances in Cryptology - EUROCRYPT '97, vol. 1233 of Lecture Notes in Computer Science, pages 37-51. Springer-Verlag, 1997 [0008]

Claims (11)

Microprocessor device, with a data object (K) stored therein secured with access protection, and with an access protection device which is set up to perform secure access to the data object (K) and which comprises a verification device and an access device, wherein - the verification device is adapted to perform a verification operation in which a verification input entered into the access protection device is processed into a verification output, and - the access device is adapted to perform an access operation of accessing the data object (K) in dependence on the verification output, characterized in that the access protection device against Error attacks is secured by - the data object (K) is encrypted (eK) is stored, - the verification device is set up as an access token as a verification output and the access device is arranged to perform the access operation in dependence on the verification output, thereby decrypting the encrypted data object (eK) using the generated access token. The microprocessor device of claim 1, wherein the access device is further configured to decrypt the encrypted data object (eK) to the unencrypted data object (K) in case the verification input and / or the verification output meet predetermined criteria. Microprocessor device according to claim 1 or 2, wherein the access device is further configured to decrypt the encrypted data object (eK) to a decryption result different from the unencrypted data object (K) in the event that the verification input or / and the verification device does not meet predetermined criteria , A microprocessor device according to any one of claims 1 to 3, wherein the verification input has an input entropy and the access token generated as a verification output has a token entropy, and wherein the token entropy and / or the input entropy is chosen to be, in particular, so high in that the probability of generating, on the basis of a verification input that does not meet the predetermined criteria, by randomly varying the verification input, the verification action or / and the verification process, a verification token with which the encrypted data object (eK) to the unencrypted data object (K) is decipherable, falls below a predetermined probability threshold or at least does not exceed. A microprocessor device according to claim 4, wherein the input entropy is equal to the token entropy. Microprocessor device according to one of claims 1 to 5, wherein the verification device is adapted to provide the verification input (PIN) as an access token (PIN). The microprocessor device of claim 1, further configured to generate, in the verification process or in an additional decision verification process, a decision verification output that, if the verification input meets predetermined criteria, has a first decision value, and if the verification input does not satisfy predetermined criteria, has a second decision value. Microprocessor device according to claim 7, wherein, if the decision verification output has the first decision value, the access to the data object (K) is performed, and / or, if the decision verification output has the second decision value, access to the data object (K) either not performed or performed. Microprocessor device according to one of claims 1 to 8, wherein as Verifying input one of the following is provided: a PIN; a password; a random number to be recreated before each access operation; a hash value; a predecessor access token generated in a previous performance of the verify operation; a sequence of multiple predecessor access tokens. Microprocessor device according to one of claims 1 to 9, wherein as a data object one of the following is provided: a secret key, in particular signature key for generating a digital signature; a biometric record; User data; Personal data; an erroneous operation counter, in particular a counter reading of a misoperation counter or a counter reading difference of a misoperation counter; a data processing program, in particular an operating system; a partial functionality of a data processing program, in particular a partial functionality of an operating system. Microprocessor device according to claim 10, wherein as a data object is provided: a Data processing program, in particular an operating system; or a partial functionality of a data processing program, in particular a partial functionality of an operating system; and wherein as access token a completion key is provided which is adapted to make the data processing program or the operating system or the partial functionality functional.

Images