Classifications

• • G—PHYSICS
  • G07—CHECKING-DEVICES
  • G07F—COIN-FREED OR LIKE APPARATUS
  • G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
  • G07F7/08—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
  • G07F7/10—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
  • G07F7/1008—Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q20/00—Payment architectures, schemes or protocols
  • G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
  • G06Q20/34—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
  • G06Q20/341—Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q20/00—Payment architectures, schemes or protocols
  • G06Q20/38—Payment protocols; Details thereof
  • G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
  • G06Q20/409—Device specific authentication in transaction processing
  • G06Q20/4097—Device specific authentication in transaction processing using mutual authentication between devices and transaction partners
  • G06Q20/40975—Device specific authentication in transaction processing using mutual authentication between devices and transaction partners using encryption therefor
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
  • H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
  • H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
  • H04L9/0841—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
  • H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
  • H04L9/3252—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
  • H04L2209/20—Manipulating the length of blocks of bits, e.g. padding or block truncation
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
  • H04L2209/80—Wireless

Definitions

• the present invention describes a system making it possible to generate digital signatures or cryptograms requiring the drawing of hazards (typically DSA, El-Gamal, Fiat-Shamir, Guillou-Quisquater for signatures, El-Gamal and McEliece for encryption), by signature or encryption devices (typically microprocessors) devoid of hardware or software resources allowing the drawing of risks.
• hazards typically DSA, El-Gamal, Fiat-Shamir, Guillou-Quisquater for signatures, El-Gamal and McEliece for encryption
• signature or encryption devices typically microprocessors
• a great limitation of smart cards as a support for implementing public key algorithms is the need (frequently encountered), to have a device generating random numbers on board the card. Indeed, the development of such a device, also called generator, turns out to be complex and often unstable (sensitivity to phenomena external to the card such as the ambient temperature or the voltage applied to the card). In the case where such cryptographic systems are implemented on a computer, other phenomena, due to the very nature of the software random generators disturb the quality of the hazards.
• a very popular hazard generation method consists of measuring the time elapsed between two keyboard keys pressed by the user. Recent cases of fraud show that this kind of generator can be biased by simulating the keyboard using a fraudulent device whose time between the various keys is known to the attacker.
• the present invention provides an alternative solution allowing the implementation of cryptographic systems requiring the drawing of a good quality hazard on software or hardware platforms:
• the first family of applications concerns signature schemes of the El-Gamal type.
• the DSA algorithm Once illustrated in the context of the DSA, the application of the present invention to other algorithms of the same family can easily be implemented by a person skilled in the art. In the following, it is called the DSA algorithm.
• DSA Digital Signature Standard
• US Patent No. 5,231,668 entitled “Digital Signature Algorithm” was proposed by the US National Institute of Standards and Technology to provide an appropriate basis for applications requiring a digital signature instead classic signatures.
• a DSA signature is a pair of large numbers represented in a computer by strings of binary digits.
• the digital signature is calculated using a series of calculation rules (the DSA) and a set of parameters in a way to certify both the identity of the signatory and the integrity of the data.
• the DSA is used to generate and verify signatures.
• the signature generation process makes use of a private key (in order to produce a digital signature).
• the verification process uses a public key which corresponds to the secret key without however being identical to it.
• Each user has a pair of keys (public, secret). It is assumed that public keys are known to all, while secret keys are never disclosed.
• Anyone has the ability to verify a user's signature using their public key, but signatures cannot be generated other than by using the user's secret key.
• a prime module q such that 2 ⁇ q ⁇ 2 and p-1 is a multiple of q.
• the integers p, q and g are system parameters that can be published and / or shared by a group of users.
• the keys, secret and public, of a signatory are respectively x and y.
• the parameters x and k are used for the generation of the signature and must be kept secrets.
• the parameter k must be regenerated for each signature.
• the second family also relates to signature schemes; these are schemas derived from zero disclosure protocols
• a second family of signature algorithms to which the invention applies are those derived from zero disclosure protocols (typically Fiat-Shamir or Guillou-Quisquater patented in the United States respectively under the references 4.748.668 and 5.140.634) . Also, only one of these protocols will be described. Once applied to the Guillou and Quisquater algorithm, the extension of the invention to other algorithms of this family is obvious to those skilled in the art.
• the parameters of the Guillou-Quisquater algorithm are:
• the third family of applications concerns public key encryption schemes requiring a hazard.
• the first encryption algorithm requiring a hazard described below is that of El Gamal.
• the parameters of this algorithm are:
• a first p module (at least 512 bits); ⁇ A number g, of order p-1 odulo p (ie such that, for any integer u, 0 ⁇ u ⁇ p-1, g u ⁇ 1 mod p;
• y g x mod p; ⁇ A number k randomly generated or pseudo randomly such that 0 ⁇ k ⁇ q.
• the integers p and g are system parameters that can be published, and / or shared by a group of users.
• the public encryption key is the number y
• the secret decryption key is the number x.
• the parameter k is used for the generation of the cryptogram, and must not be disclosed. In addition, it must be regenerated each time it is encrypted.
• the cipher of a message m, 0 ⁇ m ⁇ p-1, is the pair of integers (r, s), where: To find the message m, the receiver of the cryptograms (which has x), calculates: s / r x mod p, which is precisely m.
• a second encryption algorithm requiring the generation of a hazard is the McEliece scheme, based on a problem in code theory, more precisely using a particular class of codes known as Goppa codes.
• the general idea is to disguise a Goppa code as any linear code; there is indeed an efficient algorithm for decoding a Goppa code but on the other hand decoding a general linear code is a difficult problem.
• the receiver knowing the information which has made it possible to disguise the code, will therefore be able to decipher the message by decoding the Goppa code obtained.
• a secret key composed of: • A generator matrix G of a binary Goppa code of size n and dimension k correcting t errors and the corresponding decoding algorithm;
• An RSA cryptogram is a large number represented in a computer by strings of binary or hexadecimal digits.
• the cryptogram is calculated using a software (program) and / or hardware (electronic circuit) calculation resource implementing a series of calculation rules (the encryption algorithm) to be applied during the processing of a set of parameters accessible to all in order to hide the content of the data processed.
• the cryptogram is decrypted using a software or hardware calculation resource implementing a series of calculation rules (the decryption algorithm) applied (by the receiver of the cryptogram) to a set of parameters. secrets and the cryptogram.
• the encryption process uses a public key to produce the cryptogram.
• the decryption process uses a private key which corresponds to the secret key without however being identical to it.
• Each user has a pair of keys (public, secret) and it is assumed that the public keys are known to all while the secret keys are never revealed.
• anyone has the ability to encrypt a message for a user using the user's public key, but cryptograms cannot be decrypted other than by using the user's secret key.
• the parameters of the RSA algorithm are:
• the exponent e is accessible to everyone while the “decryption exponent” d must remain secret.
• the security of the algorithm allows for a choice of parameters made in the rules of the art to ensure in the general case of the encryption of messages the size of the module and having no special relationships between them confidentiality between the sender and receiver of the encrypted information.
• the exact methods of message padding may vary depending on standards, application needs, or the level of security required.
• the fifth family concerns the blindness factors and blank signatures.
• a basic functionality, called primitive by those skilled in the art, used in many cryptographic schemes and protocols is the mechanism for signing a blank message.
• This functionality discovered and patented by Chaum (US patent n ° 4,759,063 and European patent n ° 0139313) makes it possible to have a message signed without the signer being able to read the message. It requires the generation of a blindness factor, making it possible to conceal the message, known only to the requester of the signature.
• the mechanism used applies to both El Gamal-type signature schemes and RSA.
• the random makeup method is used for example in the case where a device A wants to subcontract operations to a device B while not wishing to reveal the operands completely to it.
• A can camouflage the number to be reduced modulo n by multiplying it by a random multiple of the module.
• the two devices perform the following operations:
• the two devices can then use the secret “key” quantity to exchange messages over a secure channel using a symmetric encryption algorithm taking as parameters the “key” quantity and the message to be encrypted.
• the main advantage of the inventive method compared to the previous proposals in terms of digital signatures or encryption lies in the ability to calculate signatures or perform encryption operations without requiring a random generator on board the signing circuit or encrypting.
• the present invention relates to a cryptographic system, normally requiring the drawing of a hazard k, the hazard being an integer; the system is characterized in that it is implemented by replacing said random k by the quantity h (m
• the cryptographic system of the invention comprises at least:
• the random error vector e, renewed by the encryptor at each encryption is derived from the quantity h (m), where m is the message to encrypt.
• i) as necessary so that the length of the concatenated k A is at least equal to 1/6 of the size of the module n (in the case of RSA encryption for example) or else generate k h (m
• ⁇ ) and expand it; b. Compose m r such that m r size (m)
• said protocol comprises at least the following steps: a.
• a first device, wishing to send the message m, calculates g h (m
• a second device, receiver, generates a hazard a and calculates b 2 g a mod p; c.
• the two devices exchange b x and b 2 and compute key d.
• the first device figures c f (m, key) where f is a symmetric encryption mechanism; the first device sends c to the second device which decrypts it and finds m.
• the communicating devices are smart cards, PCMCIA cards, badges, contactless cards or any other portable device.
• the communication between said devices implementing the invention is carried out by means of exchanges of electronic signals, radio waves or infrared signals.
• the invention is presented in a more detailed manner by taking up the notations used in the description of the families of applications.
• h will take as its parameter a secret datum, namely the secret key of the signer, and a public datum, the message to be signed.
• h will take as parameter only the message to sign.
• m is the hash of the message M to be signed
• x the signer's secret key.
• the rest of the generation of the signature (r, s) is carried out in an identical manner to the original process. Similarly, the verification of the generated signature remains unchanged.
• k h (m
• B the hash of the message M to be signed
• B the secret key of the signatory.
• the rest of the generation of the signature (d, D) is carried out in an identical manner to the original process. Similarly, the verification of the generated signature remains unchanged.
• the McEliece algorithm is then carried out as described above.
• the decryption also remains unchanged.
• this method of generating e solves the problem of encrypting the same message twice. Indeed, in the case of the generic McEliece, it is unwise to encrypt the same message twice (therefore with two different error vectors), because we can guess part of the support of the error vectors, and consequently find the clear message more easily.
• the invention applies as follows to the fourth family, which relates to cryptographic schemes requiring random padding: - as specified, a recommendable security measure is to “pad” the messages with a random sequence. But here again, if the sequence varies for several ciphers of the same message, an attack is still possible revealing the clear message.
• k.j_ h (m
• ⁇ ) then expand k before concatenating it to the message; ⁇ Compose m r such that m r size (m)
• the invention applies as follows to the sixth family, which relates to said key exchange schemes based on the Diffie-Hellman method.
• the device also called a device, which wishes to send a message m, uses, instead of a hazard, the quantity h (m
• FIG. 1 describes the flow diagram of a signature or decryption apparatus implementing the system proposed by the present invention.
• FIG. 2 describes the flowchart of a verification or encryption apparatus implementing the system proposed by the present invention.
• FIG. 3 represents the data exchanged by the signature device and the verification device.
• FIG. 4 represents the data exchanged by the encryption device and the decryption device.
• each signature / decryption device (typically a smart card) consists of a processing unit (CPU), a communication interface, a random access memory (RAM) and / or a non-volatile memory.
• the CPU and / or ROM of the signature / decryption device contain calculation programs or resources corresponding to the stages of the signature / decryption algorithm (rules for calculating and using the hash function, multiplication, squared, addition, modular inverse and modular reduction). Some of these operations can be grouped together: for example, modular reduction can be directly integrated into multiplication.
• the RAM contains the message M to which the hash function or the calculation rules for the generation of signatures or the calculation rules for the generation of cryptograms apply.
• the E (E) PROM contains at least the parameters m, x and k generated and used as specified in the description which follows.
• the CPU controls, via the address and data buses, the communication interface, the memory read and write operations.
• each signature device is protected from the outside world by physical protections. These protections should be sufficient to prevent any unauthorized entity from obtaining the secret key.
• the techniques most used today in this area are the integration of the chip into a security module and the equipment of the chips with devices capable of detecting variations in temperature, light as well as voltages and frequencies. abnormal clock. Particular design techniques, such as scrambling the memory access, are also used.
• the verification device consists of at least one processing unit (CPU) and memory resources.
• the CPU controls, via the address and data buses, the communication interface, the memory read and write operations.
• the authority's CPU and / or ROM contain calculation programs or resources allowing the signature or encryption protocol to be implemented (calculation rules and hash, multiplication, exponentiation and modular reduction function). Some of these operations can be grouped together (for example, the modular reduction can be directly integrated into the multiplication).

Landscapes

• Engineering & Computer Science (AREA)
• Business, Economics & Management (AREA)
• Computer Security & Cryptography (AREA)
• Physics & Mathematics (AREA)
• Accounting & Taxation (AREA)
• General Physics & Mathematics (AREA)
• Computer Networks & Wireless Communication (AREA)
• Strategic Management (AREA)
• General Business, Economics & Management (AREA)
• Theoretical Computer Science (AREA)
• Signal Processing (AREA)
• Finance (AREA)
• Microelectronics & Electronic Packaging (AREA)
• Storage Device Security (AREA)

Applications Claiming Priority (3)

Publications (1)

Family

ID=9507074

Family Applications (1)

Country Status (7)

Families Citing this family (6)

Family Cites Families (2)

• 1997
  • 1997-05-07 FR FR9706198A patent/FR2763194B1/fr not_active Expired - Fee Related
• 1998
  • 1998-05-05 JP JP54778798A patent/JP2001507479A/ja not_active Abandoned
  • 1998-05-05 EP EP98924379A patent/EP0980607A1/de not_active Withdrawn
  • 1998-05-05 CN CN 98806980 patent/CN1262830A/zh active Pending
  • 1998-05-05 CA CA002288767A patent/CA2288767A1/fr not_active Abandoned
  • 1998-05-05 WO PCT/FR1998/000901 patent/WO1998051038A1/fr not_active Application Discontinuation
  • 1998-05-05 AU AU76595/98A patent/AU7659598A/en not_active Abandoned

Non-Patent Citations (1)

Also Published As

Similar Documents

Legal Events