EP1493242A1 - Procédé de sécurisation d'une entité électronique à accès crypté (Method for securing an electronic entity with encrypted access) - Google Patents
Info
- Publication number
- EP1493242A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- result
- key
- subkey
- iterative process
- sub
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Links
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
- H04L9/004—Countermeasures against attacks on cryptographic mechanisms for fault attacks
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/24—Key scheduling, i.e. generating round keys or sub-keys for block encryption
Definitions
- The invention relates to a method for securing an electronic entity with encrypted access, such as a microcircuit card, the improvement being aimed more particularly at detecting the attacks known by the abbreviation DFA (Differential Fault Analysis).
- The invention is particularly aimed at securing known algorithms such as AES or DES.
- Certain electronic entities with encrypted access are vulnerable to so-called DFA attacks, which consist in disturbing the execution of the cryptographic algorithm so as to change the value of an intermediate result, processing the difference between the message encrypted normally and the message encrypted with the error, and deducing from it information on the secret key of the electronic entity.
- Errors are very easy to produce on a microcircuit card by acting on its external environment, for example by causing a voltage spike, by exposing the card to a flash of light (in particular a laser beam), by abruptly varying the frequency of the external clock, etc.
- The invention offers a simple and effective defence against this type of attack.
- The invention relates to a method for securing an electronic entity with encrypted access that comprises means for executing a cryptographic algorithm consisting in applying to an input message a succession of groups of so-called "round" operations involving a series of respective subkeys, which are derived one after another by an iterative process starting from an initial key. The method is characterised in that it consists in storing the result of one step of said iterative process, redoing at least part of the steps of said iterative process until a result corresponding to the stored one has been recomputed, comparing the value of the stored result with the value of the corresponding recomputed result, and prohibiting the output of an encrypted message resulting from the execution of said algorithm if the two values differ.
- The stored result can be one of the steps of the process known as key diversification (key expansion), which consists in applying a non-linear function F to the result of the previous, analogous step.
- FIG. 1 is a diagram of an electronic entity such as a microcircuit card, capable of implementing the method of the invention
- FIG. 2 is a flowchart illustrating the so-called AES algorithm
- FIG. 3 is a flowchart illustrating the implementation of the invention as a complement in the execution of the AES.
- FIG. 4 is a flowchart illustrating the DES algorithm to which the invention can also be applied.
- An electronic entity 11 is shown, here forming a microcircuit card, with its essential components, namely a set of metallic contact pads 12 allowing the microcircuit 13 contained in the card to be connected to a card reader, server or the like, with which the microcircuit card will be able to exchange information after an authentication phase implementing a known secret-key algorithm, for example AES or DES.
- The microcircuit 13 is broken down into a microprocessor 14, some of whose accesses are connected to the contact pads, and a memory M coupled to the microprocessor.
- An authentication phase is implemented in the card. This process is programmed into microcircuit 13 and part of the memory M.
- The authentication phase implements an AES algorithm, the operation of which is recalled with reference to FIG. 2.
- The AES algorithm operates on an input message ME transmitted in clear by the external device to which the electronic entity is coupled.
- The entity 11 also holds a stored secret key K, and the algorithm consists in transforming the message ME until an encrypted message MC is obtained, after a certain number of transformations performed with the intervention of a certain number of subkeys K0, K1, K2, ..., Kn-1, Kn.
- Each subkey is formed from one or two successive results produced during the key expansion process by the function F.
- In the example the key K is coded on 192 bits. Consequently, the subkey K0 is extracted from the first two thirds of the key K, the subkey K1 is extracted from the remaining third of the key K and from the first third of the intermediate result R1 of the first transformation of this key by the function F, the subkey K2 is extracted from the last two thirds of the intermediate result R1, and so on until the last subkey Kn is obtained.
- Because the key K is coded on 192 bits, the attack outlined above does not directly recover the key, since the result Rm, of which a 128-bit subkey exposes only a part, is not entirely known; one cannot therefore simply "go back" from this incompletely known result to the key K.
- Security is nevertheless considerably weakened, since partial information on the key becomes available, which makes other attacks known per se (for example of the DPA type) more effective.
- The countermeasure against this type of attack consists in storing an intermediate result Rj, for example Rm, or a subkey, for example here the last subkey Kn, then redoing at least part of the steps of deriving the succession of subkeys, that is to say essentially the process of expanding the key by the function F, until a result corresponding to the stored one has been recomputed.
- FIG. 3 shows the AES algorithm completed (according to one embodiment) by redoing all of the steps for deriving the succession of subkeys, and more particularly the process of expanding the key K.
- The AES algorithm described with reference to FIG. 2 is executed a first time; the result is an encrypted message MC.
- The last subkey Kn is stored.
- The whole key expansion process is repeated until the last subkey Kn has been computed anew.
- The previously stored value and the new value are compared (equality test). If the two values are equal, output of the message MC is authorised. If they differ, the value MC is not sent outside and an error message may be issued.
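The check of FIG. 3 in working form, as an added example that is not code from the patent or its assignee: a FIPS-197 key expansion for any key length, the slicing of the expanded words into 128-bit subkeys that the 192-bit case above describes (K1 straddling the last third of K and the first third of R1), and a guard that stores Kn, redoes the expansion and releases the subkeys only if the recomputed Kn matches. The cipher rounds are omitted. The `tamper` hook, `guarded_subkeys`, `FaultDetected` and `demo` are assumptions of this example; the hook models a glitch during the iterative process F, not a real fault.

```python
"""Store-recompute-compare check on the AES key schedule (added example)."""
import hmac

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox():
    """Derive the AES S-box: multiplicative inverse, then the affine map, then 0x63."""
    sbox = []
    for x in range(256):
        inv, base, e = (1, x, 254) if x else (0, 0, 0)
        while e:                           # inv = x^254 = x^-1 in GF(2^8)
            if e & 1:
                inv = _gf_mul(inv, base)
            base = _gf_mul(base, base)
            e >>= 1
        s = inv
        for i in range(1, 5):              # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def expand_key(key, tamper=None):
    """FIPS-197 key expansion: returns 4*(Nr+1) words of 4 bytes each.

    `tamper(i, word)` is a constructed fault hook (not part of AES): when given,
    it may replace word i as it is produced, standing in for a glitch during
    the iterative process F.
    """
    nk = len(key) // 4
    assert nk in (4, 6, 8), "key must be 128, 192 or 256 bits"
    nr = nk + 6
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord then SubWord
            t[0] ^= RCON[i // nk - 1]
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]                # extra SubWord, AES-256 only
        word = [a ^ b for a, b in zip(w[i - nk], t)]
        if tamper is not None:
            word = tamper(i, word)
        w.append(word)
    return w


def subkeys(words):
    """Slice the expanded words into 128-bit round keys K0..Kn.

    With a 192-bit key the expansion works in 6-word blocks (K, R1, R2, ...)
    while every subkey is 4 words, so K1 is the last third of K followed by
    the first third of R1, as the text describes.
    """
    return [bytes(b for wd in words[4 * r:4 * r + 4] for b in wd)
            for r in range(len(words) // 4)]


class FaultDetected(Exception):
    """Recomputed Kn differs from the stored one: the output is withheld."""


def guarded_subkeys(key, tamper=None):
    """Run the schedule (possibly under a fault), store Kn, redo it, compare."""
    first = subkeys(expand_key(key, tamper))   # first pass, possibly disturbed
    stored_kn = first[-1]                      # memorised last subkey
    again = subkeys(expand_key(key))           # whole expansion redone
    if not hmac.compare_digest(stored_kn, again[-1]):
        raise FaultDetected("Kn mismatch: encrypted message not released")
    return first


def demo():
    """Clean run, then a constructed single-bit glitch on expanded word 20."""
    key192 = bytes.fromhex("8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b")

    def flip_bit(i, word):
        return [word[0] ^ 0x80] + word[1:] if i == 20 else word

    clean = guarded_subkeys(key192)
    try:
        guarded_subkeys(key192, flip_bit)
        caught = False
    except FaultDetected:
        caught = True
    return len(clean), caught


if __name__ == "__main__":
    print(demo())    # (13, True): 13 subkeys released; the faulted run was blocked
```

Because every expanded word depends on the one before it, a fault on any word of the expansion reaches Kn, which is why storing only the last subkey is enough in this model. Two things lie outside it: a fault injected identically in both passes, or on the comparison and the branch that withholds MC, is not caught and calls for an independent second check or a redundant comparison; and a fault on the cipher state during the rounds rather than on the schedule needs a different countermeasure, such as computing the encryption twice.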
- The invention is not limited to securing the AES algorithm.
- The DES algorithm, also known, is described in FIG. 4. Briefly, in this algorithm the key expansion process is as follows. The key K (64 bits) is subjected to a bit permutation P1 and reduced to 56 bits. The result is a word 20 split into two 28-bit halves. Each half is subjected to a permutation R (circular rotation of the bits) by 1 or 2 positions, depending on the round.
- The two results are combined to form a new 56-bit word 21, which is subjected to a further permutation P2 that also reduces it to 48 bits, giving the subkey K1.
- The 56-bit word 21 then undergoes the circular rotations R again to give a new word 22, which is in turn subjected to the permutation P2 to generate the subkey K2, and so on up to K16.
- The 64-bit input message ME undergoes the following transformations. It is first subjected to a bit permutation P3, and the result is subjected to the functions constituting ROUND 1, which involve the subkey K1.
- The invention also relates to any electronic entity, in particular any microcircuit card, comprising means for implementing the method described above.
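The same check applied to the DES key schedule of FIG. 4, as an added example that is not the patent's own code: PC-1 (P1 in the text), the per-round rotations R of one or two positions, and PC-2 (P2), the permutation that also drops 56 bits to 48, followed by a guard that stores K16, recomputes the schedule and compares. The `tamper` hook is a constructed stand-in for a glitch on the rotated halves, and `escapes_last_subkey_check` is an assumption of this example used to probe where a single-bit fault on a half-key ends up at round 16.

```python
"""Store-recompute-compare check on the DES key schedule (added example)."""
import hmac

PC1 = [57, 49, 41, 33, 25, 17,  9,  1, 58, 50, 42, 34, 26, 18,
       10,  2, 59, 51, 43, 35, 27, 19, 11,  3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15,  7, 62, 54, 46, 38, 30, 22,
       14,  6, 61, 53, 45, 37, 29, 21, 13,  5, 28, 20, 12,  4]
PC2 = [14, 17, 11, 24,  1,  5,  3, 28, 15,  6, 21, 10,
       23, 19, 12,  4, 26,  8, 16,  7, 27, 20, 13,  2,
       41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]   # rotation per round
MASK28 = (1 << 28) - 1


def _permute(value, width, table):
    """Bit permutation: output bit k is input bit table[k], 1-indexed from the MSB."""
    out = 0
    for pos in table:
        out = (out << 1) | ((value >> (width - pos)) & 1)
    return out


def _rotl28(half, s):
    """Circular left rotation of a 28-bit half (the R of the text)."""
    return ((half << s) | (half >> (28 - s))) & MASK28


def des_key_schedule(key, tamper=None):
    """Return K1..K16 as 48-bit integers for an 8-byte key.

    `tamper(round, c, d)` is a constructed fault hook: it may disturb the two
    halves right after the rotation of that round, before P2 is applied.
    """
    k56 = _permute(int.from_bytes(key, "big"), 64, PC1)   # P1: 64 -> 56 bits
    c, d = k56 >> 28, k56 & MASK28                          # word 20, split in two
    subkeys = []
    for rnd, s in enumerate(SHIFTS, start=1):
        c, d = _rotl28(c, s), _rotl28(d, s)
        if tamper is not None:
            c, d = tamper(rnd, c, d)
        subkeys.append(_permute((c << 28) | d, 56, PC2))    # P2: 56 -> 48 bits
    return subkeys


class FaultDetected(Exception):
    """Recomputed K16 differs from the stored one: the output is withheld."""


def guarded_des_subkeys(key, tamper=None):
    """Run the schedule (possibly under a fault), store K16, redo it, compare."""
    first = des_key_schedule(key, tamper)
    stored_k16 = first[-1].to_bytes(6, "big")
    again = des_key_schedule(key)
    if not hmac.compare_digest(stored_k16, again[-1].to_bytes(6, "big")):
        raise FaultDetected("K16 mismatch: encrypted message not released")
    return first


def escapes_last_subkey_check(key, rnd, bit):
    """Flip bit `bit` (1..28, MSB first) of C after round `rnd`'s rotation.

    Returns (detected, rounds whose subkey changed) so one can see whether a
    fault that corrupts earlier subkeys still shows up in K16.
    """
    def tamper(r, c, d):
        return (c ^ (1 << (28 - bit)), d) if r == rnd else (c, d)

    clean = des_key_schedule(key)
    try:
        faulty = guarded_des_subkeys(key, tamper)
        detected = False
    except FaultDetected:
        faulty = des_key_schedule(key, tamper)
        detected = True
    changed = [i + 1 for i, (a, b) in enumerate(zip(clean, faulty)) if a != b]
    return detected, changed


if __name__ == "__main__":
    key = bytes.fromhex("133457799BBCDFF1")        # widely used walkthrough key
    print([f"{k:012x}" for k in guarded_des_subkeys(key)])
    print(escapes_last_subkey_check(key, 8, 1))    # caught: the bad bit reaches K16
    print(escapes_last_subkey_check(key, 15, 10))  # missed: bit lands where P2 drops it
```

With the walkthrough key 133457799BBCDFF1 the schedule gives K1 = 1B02EFFC7072 and K16 = CB3D8B0E17F5. One thing the model makes visible: the 16 rotations total 28 positions, so C16 and D16 are C0 and D0 again, and P2 discards 8 of the 56 bits; a single-bit fault that lands on a discarded position at round 16 (bit 10 of C after round 15, which rotates to position 9) leaves K16 intact while K15 is wrong. The text's "at least one part of the steps" and "an intermediate result or a subkey" leave room to store more than K16, and checking one additional intermediate word closes that gap. As with AES, the comparison and the branch that withholds MC are themselves fault targets and deserve the same redundancy in a real implementation.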
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR0204341 | 2002-04-08 | ||
FR0204341A FR2838262B1 (fr) | 2002-04-08 | 2002-04-08 | Procede de securisation d'une electronique a acces crypte |
PCT/FR2003/001032 WO2003085881A1 (fr) | 2002-04-08 | 2003-04-02 | Procede de securisation d'une entite electronique a acces crypte |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1493242A1 true EP1493242A1 (fr) | 2005-01-05 |
Family
ID=28052188
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP03740554A Ceased EP1493242A1 (fr) | 2002-04-08 | 2003-04-02 | Procede de securisation d une entite electronique a acces cr ypte |
Country Status (7)
Country | Link |
---|---|
US (2) | US7796750B2 (fr) |
EP (1) | EP1493242A1 (fr) |
JP (2) | JP2005522912A (fr) |
AU (1) | AU2003260714A1 (fr) |
CA (1) | CA2480896C (fr) |
FR (1) | FR2838262B1 (fr) |
WO (1) | WO2003085881A1 (fr) |
Families Citing this family (24)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR2838262B1 (fr) * | 2002-04-08 | 2004-07-30 | Oberthur Card Syst Sa | Procede de securisation d'une electronique a acces crypte |
DE10328860B4 (de) * | 2003-06-26 | 2008-08-07 | Infineon Technologies Ag | Vorrichtung und Verfahren zum Verschlüsseln von Daten |
US7937595B1 (en) * | 2003-06-27 | 2011-05-03 | Zoran Corporation | Integrated encryption/decryption functionality in a digital TV/PVR system-on-chip |
KR100546375B1 (ko) * | 2003-08-29 | 2006-01-26 | 삼성전자주식회사 | 자체 오류 감지 기능을 강화한 상호 의존적 병렬 연산방식의 하드웨어 암호화 장치 및 그 하드웨어 암호화 방법 |
DE102004008901A1 (de) * | 2004-02-24 | 2005-09-15 | Giesecke & Devrient Gmbh | Sichere Ergebniswertberechnung |
FR2867635B1 (fr) | 2004-03-11 | 2006-09-22 | Oberthur Card Syst Sa | Procede de traitement de donnees securise, base notamment sur un algorithme cryptographique |
FR2875657B1 (fr) * | 2004-09-22 | 2006-12-15 | Trusted Logic Sa | Procede de securisation de traitements cryptographiques par le biais de leurres. |
EP1646174A1 (fr) * | 2004-10-07 | 2006-04-12 | Axalto SA | Méthode et appareil pour générer un jeux d'instructions cryptographique automatiquement et génération d'un code |
KR100817048B1 (ko) | 2005-03-05 | 2008-03-26 | 삼성전자주식회사 | 여러 가지 포인트 표현을 기반으로 한 ecc에서 dfa대책을 위한 암호화 방법 및 장치 |
US20070019805A1 (en) * | 2005-06-28 | 2007-01-25 | Trustees Of Boston University | System employing systematic robust error detection coding to protect system element against errors with unknown probability distributions |
KR100850202B1 (ko) | 2006-03-04 | 2008-08-04 | 삼성전자주식회사 | Ecc 패스트 몽고매리 전력 래더 알고리즘을 이용하여dfa 에 대응하는 암호화 방법 |
US8458790B2 (en) | 2006-10-12 | 2013-06-04 | International Business Machines Corporation | Defending smart cards against attacks by redundant processing |
EP1998488A1 (fr) * | 2007-05-26 | 2008-12-03 | DSI Informationstechnik GmbH | Chiffrement AES personnalisé |
EP2218208B1 (fr) * | 2007-12-13 | 2011-06-15 | Oberthur Technologies | Procede de traitement cryptographique de donnees, notamment a l'aide d'une boite s, dispositif et programme associes |
JP5483838B2 (ja) * | 2008-07-08 | 2014-05-07 | ルネサスエレクトロニクス株式会社 | データ処理装置 |
JP5387144B2 (ja) | 2009-06-01 | 2014-01-15 | ソニー株式会社 | 誤動作発生攻撃検出回路および集積回路 |
FR2949010A1 (fr) | 2009-08-05 | 2011-02-11 | St Microelectronics Rousset | Procede de contremesure pour proteger des donnees memorisees |
WO2011036745A1 (fr) * | 2009-09-24 | 2011-03-31 | 株式会社東芝 | Dispositif et procédé de programmation de clé |
EP2367316B1 (fr) * | 2010-03-12 | 2017-07-05 | STMicroelectronics (Rousset) SAS | Procédé et circuit pour détecter une attaque par injection d'une faute |
JP5776927B2 (ja) * | 2011-03-28 | 2015-09-09 | ソニー株式会社 | 情報処理装置及び方法、並びにプログラム |
US8897440B2 (en) * | 2012-06-28 | 2014-11-25 | Steven W. Cooke | Cryptographic system of symmetric-key encryption using large permutation vector keys |
US9152801B2 (en) | 2012-06-28 | 2015-10-06 | Steven W. Cooke | Cryptographic system of symmetric-key encryption using large permutation vector keys |
US9594769B2 (en) * | 2012-12-21 | 2017-03-14 | Koninklijke Philips N.V. | Computing device configured with a table network |
JP7063628B2 (ja) * | 2018-01-11 | 2022-05-09 | Necプラットフォームズ株式会社 | 暗号化装置、暗号化方法およびプログラム |
Family Cites Families (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH10154976A (ja) | 1996-11-22 | 1998-06-09 | Toshiba Corp | タンパーフリー装置 |
WO1998035467A1 (fr) * | 1997-02-07 | 1998-08-13 | Bell Communications Research, Inc. | Procede d'utilisation de defauts transitoires afin de verifier la securite d'un systeme cryptographique |
US5991415A (en) * | 1997-05-12 | 1999-11-23 | Yeda Research And Development Co. Ltd. At The Weizmann Institute Of Science | Method and apparatus for protecting public key schemes from timing and fault attacks |
US6182216B1 (en) * | 1997-09-17 | 2001-01-30 | Frank C. Luyster | Block cipher method |
US6108419A (en) * | 1998-01-27 | 2000-08-22 | Motorola, Inc. | Differential fault analysis hardening apparatus and evaluation method |
US6219420B1 (en) * | 1998-09-02 | 2001-04-17 | Motorola, Inc. | High assurance encryption system and method |
US6985581B1 (en) * | 1999-05-06 | 2006-01-10 | Intel Corporation | Method and apparatus to verify circuit operating conditions |
FR2829331B1 (fr) * | 2001-09-04 | 2004-09-10 | St Microelectronics Sa | Procede de securisation d'une quantite secrete |
FR2838262B1 (fr) * | 2002-04-08 | 2004-07-30 | Oberthur Card Syst Sa | Procede de securisation d'une electronique a acces crypte |
TW574660B (en) * | 2002-05-16 | 2004-02-01 | Ind Tech Res Inst | Method targeting at range search and for information search complying with specified rule |
JP2005527853A (ja) * | 2002-05-23 | 2005-09-15 | アトメル・コーポレイション | 高度暗号化規格(aes)のハードウェア暗号法エンジン |
US7190791B2 (en) * | 2002-11-20 | 2007-03-13 | Stephen Laurence Boren | Method of encryption using multi-key process to create a variable-length key |
US7340053B2 (en) * | 2003-07-18 | 2008-03-04 | National Institute Of Information And Communications Technology | Cipher strength estimating device |
US7949883B2 (en) * | 2004-06-08 | 2011-05-24 | Hrl Laboratories, Llc | Cryptographic CPU architecture with random instruction masking to thwart differential power analysis |
DE102004062825B4 (de) * | 2004-12-27 | 2006-11-23 | Infineon Technologies Ag | Kryptographische Einheit und Verfahren zum Betreiben einer kryptographischen Einheit |
US20080298642A1 (en) * | 2006-11-03 | 2008-12-04 | Snowflake Technologies Corporation | Method and apparatus for extraction and matching of biometric detail |
CN100495961C (zh) * | 2007-11-19 | 2009-06-03 | 西安西电捷通无线网络通信有限公司 | 一种基于分组密码算法的加密处理方法 |
JP4748227B2 (ja) * | 2009-02-10 | 2011-08-17 | ソニー株式会社 | データ変調装置とその方法 |
2002
- 2002-04-08 FR FR0204341A patent/FR2838262B1/fr not_active Expired - Lifetime
2003
- 2003-04-02 JP JP2003582947A patent/JP2005522912A/ja active Pending
- 2003-04-02 WO PCT/FR2003/001032 patent/WO2003085881A1/fr active Application Filing
- 2003-04-02 CA CA2480896A patent/CA2480896C/fr not_active Expired - Lifetime
- 2003-04-02 EP EP03740554A patent/EP1493242A1/fr not_active Ceased
- 2003-04-02 AU AU2003260714A patent/AU2003260714A1/en not_active Abandoned
- 2003-04-02 US US10/510,284 patent/US7796750B2/en active Active
2010
- 2010-08-09 US US12/852,637 patent/US8180046B2/en not_active Expired - Fee Related
2011
- 2011-01-04 JP JP2011000207A patent/JP2011103686A/ja active Pending
Non-Patent Citations (3)
Title |
---|
BIHAM E ET AL: "DIFFERENTIAL FAULT ANALYSIS OF SECRET KEY CRYPTOSYSTEMS", ADVANCES IN CRYPTOLOGY - CRYPTO '97. SANTA BARBARA, AUG. 17 - 21, 1997; [PROCEEDINGS OF THE ANNUAL INTERNATIONAL CRYPTOLOGY CONFERENCE (CRYPTO)], BERLIN, SPRINGER, DE, vol. CONF. 17, 17 August 1997 (1997-08-17), pages 513 - 526, XP001060384, ISBN: 978-3-540-63384-6 * |
DAEMEN J ET AL: "Specification of Rijndael", 1 January 2002, THE DESIGN OF RIJNDAEL. AES - THE ADVANCED ENCRYPTION STANDARD, SPRINGER, PAGE(S) 31 - 51, ISBN: 978-3-540-42580-9, XP007919936 * |
See also references of WO03085881A1 * |
Also Published As
Publication number | Publication date |
---|---|
US7796750B2 (en) | 2010-09-14 |
JP2005522912A (ja) | 2005-07-28 |
FR2838262A1 (fr) | 2003-10-10 |
US8180046B2 (en) | 2012-05-15 |
JP2011103686A (ja) | 2011-05-26 |
CA2480896C (fr) | 2012-10-30 |
CA2480896A1 (fr) | 2003-10-16 |
AU2003260714A1 (en) | 2003-10-20 |
US20100322421A1 (en) | 2010-12-23 |
FR2838262B1 (fr) | 2004-07-30 |
US20060104438A1 (en) | 2006-05-18 |
WO2003085881A1 (fr) | 2003-10-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CA2480896C (fr) | Procede de securisation d'une entite electronique a acces crypte | |
EP1064752B1 (fr) | Procede de securisation de donnees mettant en oeuvre un algorithme cryptographique | |
EP1358733A1 (fr) | Procede securise de calcul cryptographique a cle secrete et composant mettant en oeuvre un tel procede | |
WO2003024017A2 (fr) | Procede de securisation d'une quantite secrete | |
FR3018934A1 (fr) | Procede d'enrolement de donnees dans une base pour la protection desdites donnees | |
EP0346180B1 (fr) | Dispositif de communication sécurisée de données | |
EP2166696A1 (fr) | Protection de l'intégrité de données chiffrées en utilisant un état intermédiare de chiffrement pour générer une signature | |
EP1159797A1 (fr) | Procede de contre-mesure dans un composant electronique mettant en oeuvre un algorithme de cryptographie a cle secrete | |
EP1198921B1 (fr) | Procede de contre-mesure dans un composant electronique mettant en oeuvre un algorithme de cryptographie a cle secrete | |
EP1122909A1 (fr) | Procédé d'exécution d'un protocole cryptographique entre deux entités électroniques. | |
EP1119940B1 (fr) | Procede de contre-mesure dans un composant electronique mettant en oeuvre un algorithme de cryptographie a cle secrete | |
EP1387519A2 (fr) | Procédé de sécurisation d'un ensemble électronique contre des attaques par introduction d'erreurs | |
WO2000024155A1 (fr) | Procede de contre-mesure dans un composant electronique mettant en oeuvre un algorithme de cryptographie a cle secrete | |
EP1180260B1 (fr) | Procede de contre-mesure dans un composant electronique mettant en oeuvre un algorithme de cryptographie a cle secrete et dynamique | |
EP0566512A1 (fr) | Procédé de contrôle d'accès du type autorisant l'accès à une fonction d'exploitation d'un module d'exploitation à l'aide d'un mot de contrôle | |
EP1591866A1 (fr) | Contrôle de l'exécution d'un algorithme par un circuit intégré | |
FR2566155A1 (fr) | Procede et systeme pour chiffrer et dechiffrer des informations transmises entre un dispositif emetteur et un dispositif recepteur | |
EP1199628B1 (fr) | Unité de calcul dans laquelle on détermine l'inverse d'un entier modulo un grand nombre | |
FR2807245A1 (fr) | Procede de protection d'une puce electronique contre la fraude | |
FR3133251A1 (fr) | Procédé de signature cryptographique d’une donnée, dispositif électronique et programme d’ordinateur associés | |
WO2003069841A1 (fr) | Procede de detection des attaques par mise en defaut contre les algorithmes cryptographiques | |
WO2001039466A1 (fr) | Dispositif informatique pour securiser des messages au niveau d'une couche reseau |
Legal Events
Code | Title | Description |
---|---|---|
PUAI | Public reference made under article 153(3) EPC to a published international application that has entered the European phase | Free format text: ORIGINAL CODE: 0009012 |
17P | Request for examination filed | Effective date: 20041018 |
AK | Designated contracting states | Kind code of ref document: A1; Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PT RO SE SI SK TR |
AX | Request for extension of the European patent | Extension state: AL LT LV MK |
17Q | First examination report despatched | Effective date: 20100901 |
REG | Reference to a national code | Ref country code: DE; Ref legal event code: R003 |
STAA | Information on the status of an EP patent application or granted EP patent | Free format text: STATUS: THE APPLICATION HAS BEEN REFUSED |
18R | Application refused | Effective date: 20121127 |