EP2449495A1 - Verfahren zur fernvalidierung ausführbarer codes - Google Patents

Verfahren zur fernvalidierung ausführbarer codes

Info

Publication number
EP2449495A1
EP2449495A1 EP10726074A EP10726074A EP2449495A1 EP 2449495 A1 EP2449495 A1 EP 2449495A1 EP 10726074 A EP10726074 A EP 10726074A EP 10726074 A EP10726074 A EP 10726074A EP 2449495 A1 EP2449495 A1 EP 2449495A1
Authority
EP
European Patent Office
Prior art keywords
control program
integrity
code
computer
hpc
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP10726074A
Other languages
English (en)
French (fr)
Inventor
Jacques Fournier
Pierre Girard
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Thales DIS France SA
Original Assignee
Gemalto SA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Gemalto SA filed Critical Gemalto SA
Priority to EP10726074A priority Critical patent/EP2449495A1/de
Publication of EP2449495A1 publication Critical patent/EP2449495A1/de
Withdrawn legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability

Definitions

  • the invention relates to a method for remote validation of an executable code.
  • the invention relates in particular to remote and secure execution of a computer code.
  • Intelligent Keys have the particularity of having a memory, an electronic intelligence, and access to a secure electronic module.
  • executable computer code one or more software
  • This particular code is commonly called CDROM because in most cases, this code is stored as an 'ISO' image on a 'Read Only' partition that emulates a CD-ROM that will be seen as such (ie in the manner of a "compact disc") by the host electronic device (the computer).
  • the computer detects, recognizes and activates it.
  • the activation phase involves, among other things, mounting on the operating system the different 'discs' presented by the Intelligent Key including the one containing the CD-ROM. Once activated, the Smart Key then sends the contents of the CDROM to the computer running the content.
  • This technology can transport executable code, potentially large, on a non-fixed media, and this through a USB communication interface widely deployed on computers. Indeed, the compact disk, and its subsequent generations can transport such a computer code, but in a static manner.
  • Intelligent Keys offer the possibility to upgrade this computer code, but also a whole set of features related to embedded intelligence and secure electronic module. These features can for example be related to security.
  • these devices make it possible to execute computer applications on a device (called an execution device) with the least possible support for the software resources of this execution device. Most often, only the operating system will be exploited to execute the computer code contained in the smart key.
  • the first solution happens to be unrealistic given the size of the executable code. Indeed, the verification of the integrity of such a computer code, with the electronic resources of an electronic device such as an intelligent key, takes a time incompatible with any usability.
  • the second solution assumes the verification of the integrity of the executable code on the resources of the execution device.
  • smart keys can execute computer code in insecure environments. To entrust the verification of the integrity of the code on the resources of such a device is problematic because it It is not possible to trust the result of such an analysis.
  • the present invention proposes to solve these drawbacks, and thus to guarantee the integrity of the executable code, with performances totally acceptable to the user, without delegating security to the execution device.
  • the present invention is a method for securing the remote execution of an executable computer code, comprising at least one electronic device ST, able to communicate with at least one electronic device HPC, and a secure electronic device SC, the electronic device ST comprising a mass memory in which executable computer code is stored, access to a second executable computer code called a control program, and a communication controller capable of managing the data exchanges with the HPC and SC devices, the computer code executable AP being intended to be executed by the HPC device, this method comprises at least the steps of:
  • control program can for example be recorded in a non-memory volatile of said device SC, or in a non-volatile memory of said device ST.
  • integrity values may have been associated with all or part of the executable code AP.
  • integrity values may have been associated with all or part of the control program.
  • Integrity values can, for example, be Checksums.
  • the verification step of the control program may, for example, be performed by the SC device (13), or by the controller of the device ST.
  • control program may only allow the loading and verify the integrity, only portions of the AP code to execute.
  • control program may allow loading and verify the integrity of the AP code in successive portions.
  • control program may allow the loading of the entire AP code and then check the integrity of the entire AP code.
  • the device SC can be integrated in said device ST, or be integrated in the HPC device, or be an independent electronic device.
  • FIG. 2 represents a mode of implementation of the invention in which the integrity of the control program is guaranteed by its hosting in the secure electronic device SC (13).
  • FIG. 3 represents a mode of implementation of the invention in which the integrity of the control program is validated by the smart key.
  • FIG. 4 represents an embodiment of the invention in which the integrity of the control program is validated by the secure electronic device SC (13).
  • Smart keys often use the USB communication protocol, as shown in Figure 1. This allows them to be easily connected to an individual computer such as Computer 2 in Figure 1, and recognized by it (through software low-level commonly called “drivers” that are present in the majority of operating systems).
  • the most advanced keys contain a security module 3 such as a smart card.
  • controller 6 in the smart keys.
  • This controller illustrated by the box 6 of Figure 1, implies the presence in the key intelligent 1 of at least one computing component
  • microprocessor a working memory (volatile memory), and a non-volatile memory (eg EEPROM, Flash, or ROM).
  • working memory volatile memory
  • non-volatile memory eg EEPROM, Flash, or ROM
  • the key includes a nonvolatile memory 4, called mass memory, which contains executable computer code 5 which we will call "application” in the remainder of this document.
  • the key When connecting the key 1 to the computer 2, the key receives the energy necessary to start it. Therefore, the controller 6 enters into communication with the computer 2.
  • the controller initiates a communication session, this passes, among other things, by identifying the key by its type of electronic device (mass storage unit, multimedia device, etc.).
  • the controller 6 of the key 1 sends the application 5 to the computer 2 which executes it 7.
  • This computer system makes it possible, among other things, the execution of an application 5 on a computer 2 not having it not.
  • the use of the security module 3 allows to restrict the use of the application 5 with the most advanced cryptographic tools. For example, it is possible to associate, with any invasive command for the application, authentication delegated to the security module (for example through the use of a personal code ("PIN code" in English). But nothing protects the computer or its user from a malicious or corrupt application, we are here in the context where the application would have been corrupted, for example by a malicious act or a computer virus.
  • the use of the key 1 can have serious consequences for the resources available to the computer 2 (for example network services, online payment application, etc.), but also for the user who thinks use a reliable application.
  • Figure 2 provides an implementation of the invention that solves this problem.
  • FIG. 2 shows an intelligent key 11, containing a secure module 13, a controller 17, a mass memory 15 itself containing an application 16, connected to a computer 12.
  • This smart key 11 also contains an additional program 14 called a control program.
  • control program 14 will guarantee the integrity of the application 16.
  • the control program 14 is hosted in the smart card 13, itself embedded in the key 11.
  • the fact that the control program is thus kept safe in the secure module 13 guaranteed its integrity. Indeed, the control program thus stored can not be modified from outside the secure module 13, because of the nature of the secure module.
  • the controller informs the computer that it has a program to execute. This can be done by presenting the program as a CDROM. Unlike the prior art, it is not the application 16, but the control program 14 that the controller has the computer 12 execute.
  • control program 14 is integrity. Once executed by the computer 12, it is the only software component of the computer in which the key 11 can fully trust.
  • the system now enters another phase, phase in which the control program will, from the computer 12, load the application 16 present in the mass memory of the key 11.
  • the control program can now check the integrity of the application 16, using the electronic resources of the computer 12.
  • control program can load them at the same time as it loads the application itself.
  • a preferred solution is to record the integrity values in the secure module 13.
  • the control program establishes a connection with the secure module before downloading the application to obtain these integrity values. This communication is generally done through the controller of the key 11 itself.
  • control program In the case where the security module 13 is not integrated in the key 11, the control program must establish a connection with this module before loading the application 16.
  • a solution may also lie in the insertion of the security values in the same code of the control program. Thus, during its execution, the control program already has the integrity values.
  • this integrity value may be a hash of the application code 16, generated from a hash function.
  • a hash function is a function, which, to an element is capable of associating a fingerprint (also called hash) retaining 3 essential characteristics:
  • SHA-I Secure Hash Algorithm 1: 160-bit
  • SHA-2 SHA-256, SHA-384 or SHA-512-bit choice
  • control program 18 contains a means of checking these values. In the majority of cases this implies that the code of the control program contains the necessary algorithm.
  • control program must be able to obtain the integrity values, if necessary, and use them to verify that the application 16 is the one from which these integrity values were generated.
  • the control program authorizes its execution 19 on the computer 12. If the verification of the integrity of the application 16 concludes that the application is not integrates, we will talk about failure of verification. This failure can be due to several parameters: it can be linked to a real alteration of the application 16, but also to an error by example in communications between the computer and the key.
  • control program in case of failure of the verification of the integrity of the application 16, the control program takes note of this failure (for example by updating a counter), and starts over again. loading operation. Several consecutive failures can result in a pure and simple refusal of the execution of the application 16 on the computer 12. In order to guarantee the durability of this information, the control program may record a verification failure in the key 11, even in the secure module 13.
  • control program may cause a reaction at the key 11 or even the secure module 13.
  • reactions may for example consist of a neutralization of all or part of these devices, for example by erasing data.
  • Verification of the integrity of the application 16 can be done at once or in several times. Indeed, in the case where the application 16 is for example very large, or for example in the case where the communication between the key 11 and the computer 12 is limited, it may be wise to load the application 16 by parts, and to independently verify those parts.
  • FIG. 3 illustrates an embodiment of the invention in which the control program 28 is stored in the mass memory 26, with the application 27.
  • the controller 29 obtains, from the secure module 23, at least one integrity value for verifying the integrity of the control program 24. Once the integrity of the control program is ensured, it is loaded and executed on the computer as illustrated in Figure 2.
  • the controller 29 in the case where verification of the integrity of the control program fails, the controller 29 does not propose its loading to the computer.
  • This implementation of the invention involves, in a preliminary step, the creation of integrity values related to the control program, and stored in the security module 23.
  • a variant of implementation of the previous case consists in delegating the verification of the security. integrity of the control program 45 to the security module 43, which has the integrity values related to the control program 45.
  • the mechanisms described above for generating the integrity values related to the application 16, apply mutatis mutandis, the generation of the integrity values related to the control program 23 and 45 as well as the mechanisms described for managing application integrity check failures 16 shall apply mutatis mutandis to the verification of the integrity of the application. the integrity of the control program 23 and 45.
  • the invention applies advantageously to the case where the control program is on an electronic device third party.
  • the controller establishes a communication session with this device to to obtain the control program, and to implement the following process according to the invention.
  • the integrity values related to the control program can also be loaded from a remote electronic slide. This embodiment makes it possible to entrust the management of the control program to a trusted third party.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
EP10726074A 2009-07-03 2010-06-18 Verfahren zur fernvalidierung ausführbarer codes Withdrawn EP2449495A1 (de)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP10726074A EP2449495A1 (de) 2009-07-03 2010-06-18 Verfahren zur fernvalidierung ausführbarer codes

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
EP09305645 2009-07-03
EP10726074A EP2449495A1 (de) 2009-07-03 2010-06-18 Verfahren zur fernvalidierung ausführbarer codes
PCT/EP2010/058673 WO2011000722A1 (fr) 2009-07-03 2010-06-18 Procédé de validation distante d'un code exécutable

Publications (1)

Publication Number Publication Date
EP2449495A1 true EP2449495A1 (de) 2012-05-09

Family

ID=42727535

Family Applications (1)

Application Number Title Priority Date Filing Date
EP10726074A Withdrawn EP2449495A1 (de) 2009-07-03 2010-06-18 Verfahren zur fernvalidierung ausführbarer codes

Country Status (2)

Country Link
EP (1) EP2449495A1 (de)
WO (1) WO2011000722A1 (de)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP7020384B2 (ja) * 2018-11-29 2022-02-16 日本電信電話株式会社 アプリケーション動作制御装置、アプリケーション動作制御方法、および、アプリケーション動作制御プログラム

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8667580B2 (en) * 2004-11-15 2014-03-04 Intel Corporation Secure boot scheme from external memory using internal memory
JP4885473B2 (ja) * 2005-04-19 2012-02-29 株式会社ユニバーサルエンターテインメント 遊技機および遊技用情報の認証取込装置並びに遊技用情報の取込装置
FR2901038A1 (fr) * 2006-05-15 2007-11-16 France Telecom Procede et dispositif de configuration securisee d'un terminal au moyen d'un dispositif de stockage de donnees de demarrage

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO2011000722A1 *

Also Published As

Publication number Publication date
WO2011000722A1 (fr) 2011-01-06

Similar Documents

Publication Publication Date Title
US8887295B2 (en) Method and system for enabling enterprises to use detachable memory devices that contain data and executable files in controlled and secure way
EP2110742B1 (de) Tragbare Vorrichtung und Verfahren zum externen Starten einer IT-Anlage
EP1987653B1 (de) Verfahren und vorrichtung zur sicheren konfiguration eines endgeräts
EP2688010A1 (de) Aktualisierung eines Betriebssystems für ein gesichertes Element
FR2989799A1 (fr) Procede de transfert d'un dispositif a un autre de droits d'acces a un service
EP2741466A1 (de) Verfahren und System zur Steuerung eines integrierten Sicherheitselements (ESE)
EP1687717A1 (de) Gesichertes herauffahren einer elektronischen einrichtung mit smp-architektur
EP2077515B1 (de) Vorrichtung, Systeme und Verfahren zum gesicherten Starten einer IT-Anlage
WO2005101725A1 (fr) Procede d'authentification dynamique de programmes par un objet portable electronique
EP3531729B1 (de) Konfiguration eines integrierten teilnehmeridentitätsmoduls
WO2019129937A1 (fr) Contrôle d'intégrité d'un dispositif électronique
EP2048576B2 (de) Verfahren zur gesicherten Aktualisierung eines automatisch startenden Programms und tragbare elektronische Einheit zu dessen Ingangsetzung
EP2449495A1 (de) Verfahren zur fernvalidierung ausführbarer codes
EP2860660A1 (de) Gesichertes Ladesystem und -verfahren von Daten in einen mit einem gesicherten Prozessor verbundenen Cache-Speicher
EP2813962A1 (de) Methode der Zugangskontrolle zu einem bestimmten Typ von Diensten, und Authentifizierungsvorrichtung für die Zugangskontrolle zu einem solchen Typ von Diensten
WO2009138641A1 (fr) Procede d'utilisation d'un terminal hote par un dispositif externe connecte au terminal
WO2011003722A1 (fr) Module logiciel de securisation utilisant le chiffrement du hache d ' un mot de passe concatene avec une graine
EP3166252B1 (de) Verfahren zur sicheren speicherung von daten, entsprechendes gerät und programm
WO2019175482A1 (fr) Traitement sécurisé de données
EP3179400B1 (de) Verfahren zum hochladen einer it-ressource in einem elektronischen gerät, elektronisches modul und entsprechendes computerprogramm
EP1494461B1 (de) Verfahren oder Vorrichtung zur Authentifizierung digitaler Daten mittels eines Authentifizierungs-Plugins
EP3948596A1 (de) Verfahren zum ausführen eines sicheren codes, entsprechende vorrichtungen, system und programme
EP2933767A1 (de) Deaktivierungsverfahren eines zahlungsmoduls, entsprechendes computerprogrammprodukt, speichermedium und zahlungsmodul
EP2302518B1 (de) Verfahren und Vorrichtung zur Einrichtung einer MIFARE Anwendung in einem MIFARE Speicher
CA3179748A1 (fr) Proced de verrouillage d'une memoire non-volatile reinscriptible et dispositif electronique mettant en oeuvre ledit procede

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20120203

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO SE SI SK SM TR

DAX Request for extension of the european patent (deleted)
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20180103