EP2545483A1 - Protection against spying during the execution of an operation sequence in a portable data carrier - Google Patents

Protection against spying during the execution of an operation sequence in a portable data carrier

Info

Publication number
EP2545483A1
Authority
EP
European Patent Office
Prior art keywords
cache
data
data value
data values
cache line
Legal status
Withdrawn
Application number
EP11707595A
Other languages
German (de)
English (en)
Inventor
Christof Rempel
Current Assignee
Giesecke and Devrient Mobile Security GmbH
Original Assignee
Giesecke and Devrient GmbH
Priority date
2010-03-10
Filing date
2011-03-03
Publication date
2013-01-16

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F 21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information
    • G06F 21/75 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation
    • G06F 21/755 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation, with measures against power attack
    • G06F 21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data
    • G06F 21/79 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories

Definitions

  • The invention generally relates to the technical field of protection against spying in portable data carriers. More particularly, it relates to preventing secret data from being spied out while a portable data carrier executes an operation sequence that performs cache accesses.
  • A portable data carrier in the sense of the present document may be, for example, a chip card (smart card) in any of various designs, a chip module, or another resource-limited system with at least one processor core, a main memory and a cache memory.
  • Portable data carriers are often used for security-critical applications, for example in financial transactions, for authentication in mobile communications, as signature cards for electronic signatures, and so on. Since unauthorized use could cause considerable damage, secret data stored on such data carriers must be reliably protected against spying and manipulation.
  • For example, the operation sequence may compute the modular exponentiation v2 = v1^d mod N.
  • The access pattern to the data values v1 and v2 during the calculation depends on the bits of the exponent d, which is to be kept secret.
  • The data values v1 and v2 may be 256 bytes (2048 bits) in size.
  • Some microcontrollers provide special instructions to keep data permanently in the cache; this is called "blocking" the cache. Every access to the blocked data is then a cache hit. However, the volume of data that can be processed securely in this way is limited to the cache size. It would be desirable not to be subject to this restriction.
  • The invention accordingly has the object of solving the above-mentioned problems in whole or in part and of providing a technique for protecting an operation sequence executed by a portable data carrier against spying, where the attack scenario to be guarded against is based on an evaluation of the cache accesses, in particular of the cache hits and cache misses, during execution of the operation sequence.
  • The invention is also intended to be applicable when the operation sequence accesses large amounts of data or when the data carrier does not support cache-blocking instructions.
  • According to the invention, this object is achieved in whole or in part by a method having the features of claim 1, a computer program product according to claim 11 and a device, in particular a portable data carrier, according to claim 12.
  • The dependent claims relate to optional features of some embodiments of the invention.
  • The invention is based on the basic idea of arranging at least two data values that can be accessed during execution of the operation sequence such that every cache line containing a part of a first data value also contains a part of a second data value. This ensures that, when one of the two data values is accessed, the occurrence of a cache hit or a cache miss is independent of whether the first or the second data value is accessed. In other words, an attacker cannot infer from the pattern of cache misses and cache hits in which order the data values were accessed. Only the total number of cache accesses can be read from the cache behavior; it is not possible to tell by which operation an access was made.
  • In some embodiments, the occupation of the cache memory according to the invention is achieved by storing the first and the second data value in the main memory in an interleaved manner, so that when a part of one of these data values is loaded into a cache line, a part of the other data value is necessarily loaded into the same cache line as well.
  • In some embodiments, further data values are provided. If each cache line is large enough to hold a part of every data value that the processor core can access when executing the operation sequence, then in some embodiments these further data values are interleaved with the first and second data values in main memory such that every field in main memory that contains a part of one of the data values also contains a part of every other data value.
  • Alternatively, field groups may be formed in main memory such that every field group containing a part of one of the data values also contains a part of every other data value.
  • The operation sequence may be configured such that, when the processor core accesses a part of a data value contained in one field of a field group, all other fields of this field group are accessed as well.
  • In some embodiments, the data values are conceptually divided into several parts of equal size, the number of bits in each part of each data value being an exact power of 2 and an integer fraction of the number of bits in the payload of each cache line.
  • For example, each part may have 8 or 16 bits if the payload of each cache line is 32 or 64 bits.
  • In some embodiments, the operation sequence implements a method of the type mentioned in the introduction, for example a "square and multiply" method for modular exponentiation.
  • Embodiments of the invention can also be used in other operation sequences, for example in window methods for exponentiation, as described for instance in the aforementioned "Handbook of Applied Cryptography", Chapter 14.82.
  • In such methods, a small number of values (v1, v2, ..., vm) is calculated in a first step.
  • In a second step, a multiplication by one of the values vi is carried out in a loop, the choice depending on the exponent to be kept secret.
  • Another application of the invention are "double and add" methods for multiplication, in particular for calculations on elliptic curves, as described for example in Bodo Möller: "Securing Elliptic Curve Point Multiplication against Side-Channel Attacks", ISC 2001, Springer LNCS, pp. 324-334, or in WO 02/091332 A2.
  • Such a "double and add" method can also be combined with a window method, the exponent being brought into a suitable representation for this purpose.
  • The computer program product according to the invention has program instructions for implementing the method according to the invention.
  • Such a computer program product may be a physical medium, e.g. a semiconductor memory, a floppy disk or a CD-ROM.
  • The computer program product may also be a non-physical medium, e.g. a signal transmitted over a computer network.
  • The computer program product may contain program instructions that are introduced into a portable data carrier in the course of its production, initialization or personalization.
  • The device according to the invention may in particular be a portable data carrier, e.g. a smart card or a chip module.
  • In a manner known per se, such a data carrier contains at least one processor core, a plurality of memories and various auxiliary subassemblies, such as interface circuits, timers and connectors.
  • Fig. 1 shows a block diagram of a data carrier according to an embodiment of the invention.
  • Fig. 2 shows a schematic representation of the manner in which, in one exemplary embodiment, m data values are stored in k fields of the main memory.
  • The portable data carrier 10 shown in Fig. 1 is configured as a chip card or as a chip module.
  • The data carrier 10 contains a microcontroller 12, which is configured as an integrated semiconductor chip with a processor core 14, a main memory 16, a cache memory 18 and an interface circuit 20.
  • The main memory 16 is divided into a plurality of memory fields.
  • In the present embodiment, a read-only memory 22 designed as a ROM, a non-volatile rewritable memory 24 designed as an EEPROM and a working memory 26 designed as a RAM are provided as memory fields.
  • The cache memory 18 comprises a plurality of cache lines 28.1, 28.2, ..., collectively referred to as cache lines 28.x.
  • In a manner known per se, each cache line 28.x contains administration data 30 (for example a validity bit and a tag) as well as payload data 32.
  • The payload data 32 of each cache line 28.x consist of a predetermined number m of memory words.
  • The cache lines 28.x are the smallest unit of the cache memory 18.
  • The microcontroller 12 is designed such that accesses to at least one area 34 of the main memory 16 are made via the cache memory 18. In the exemplary embodiments described here, it is assumed for simplicity that this "cacheable" area 34 coincides with the working memory 26. However, embodiments are also possible in which the area 34 comprises only parts of the working memory 26 and/or additionally parts of the non-volatile rewritable memory 24.
  • The cacheable area 34 is divided into fields 36.x. Each field 36.x contains m memory words, which are transferred together into exactly one cache line 28.x on each reload. In other words, data located in a single field 36.x is always loaded together into a single cache line 28.x. This does not imply that a field 36.x is loaded into the same cache line 28.x each time it is loaded, although there are embodiments in which this is the case.
  • In the present embodiment, the fields 36.x subdivide the area 34 into groups of m memory words without gaps, beginning at address 0.
  • In other embodiments, the fields 36.x can also be designed and arranged differently.
  • In particular, the fields 36.x need neither be uniformly large nor be arranged without gaps or overlaps. Rather, the fields 36.x may be any subsets of the area 34 that need only have the property that the memory words of each field 36.x are always loaded together into one cache line 28.x.
  • Fig. 1 illustrates one of two different types of memory occupation according to the invention, using an example with very short data values v1 and v2, each of which is only as long as the payload data 32 of one cache line 28.x.
  • The first data value v1 is conceptually divided into two parts v1,1 and v1,2, and accordingly the second data value v2 is divided into two parts v2,1 and v2,2.
  • The data values v1 and v2 are stored interleaved in the main memory 16 such that a part of each data value v1, v2 is located in each field 36.x. More specifically, the first field 36.1 contains the two first parts v1,1 and v2,1 of the two data values v1, v2, and the second field 36.2 contains the two second parts v1,2 and v2,2 of the two data values v1, v2.
  • The interleaved arrangement of the data values v1 and v2 is automatically carried over from the main memory 16 to the cache memory 18 because, as mentioned above, in each reload operation one field 36.x of the main memory 16 is loaded completely into exactly one cache line 28.x.
  • For each cache line 28.x, the property therefore holds that if a part (e.g. v1,1) of one of the data values (e.g. v1) is located in the cache line 28.x, a part (e.g. v2,1) of the other data value (e.g. v2) is also contained therein.
  • As a result, the occurrence of a cache hit or a cache miss is independent of whether the processor core 14 accesses the first data value v1 or the second data value v2.
  • In a further example, each data value v1, v2 comprises, for example, 256 bytes, while each field 36.x and each cache line 28.x contain, for example, 4 bytes of payload data.
  • In this case, the data values v1, v2 must be distributed over a total of 128 fields 36.x so that each of these fields 36.x contains at least a part of each of the data values v1, v2. This can be done, for example, by writing the data values v1, v2 alternately into the area 34 in portions of one byte or two bytes, beginning at a field boundary.
  • In some embodiments, a uniform part length is provided for efficiency reasons, which may be, for example, 1 bit, 1 byte, 2 bytes or 1 memory word.
  • The data values vi do not necessarily have to be of the same length. In some embodiments, however, data values vi of uniform length are provided; for this purpose, shorter data values vi can be brought to the common length by appending arbitrary data (padding).
  • The parts vi,j can then be stored in the main memory 16 in the following alternating order, for example, beginning at a start address that is an integer multiple of the field length m: v1,1, v2,1, ..., vm,1, v1,2, v2,2, ..., vm,2, ..., v1,k, v2,k, ..., vm,k.
  • In embodiments with field groups, the fields 36.x are conceptually combined into groups such that each field group offers, for each of the data values vi, sufficient memory for one part vi,j in total.
  • The operation sequence is then modified such that, whenever a field 36.x contained in a field group is accessed, all other fields 36.x of this field group are also accessed, even if the data in those other fields 36.x are not needed for the calculation being performed.
  • In such an embodiment, n data values vi are provided which, as in the embodiment of Fig. 2, are each divided into k parts vi,j of one memory word each.
  • The uniform length of the data values vi may be established by appending dummy data, as appropriate.
  • Each field 36.x in main memory comprises m memory words, but in the present example n > m.
  • The data values vi are then stored in the main memory 16 in the following alternating sequence, similar to the embodiment of Fig.
  • The cache behavior when accessing a data value vi is independent of i, because the parts v1,j, v2,j, ..., vm,j, and likewise v(m+1),j, v(m+2),j, ..., v(2m),j, and so on, are each covered by a single cache line 28.x, and because by the
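As an added worked example (not code from the patent or its applicant), the following Python model implements the interleaved layout described above (v1,1, v2,1, ..., v1,2, v2,2, ...), a tiny direct-mapped cache in which a main-memory field always lands whole in one cache line, and an exhaustive check that, from every reachable cache state, reading v1 and reading v2 produce the same hit/miss pattern, whereas the naive layout of v1 followed by v2 does not. The sizes (16-byte operands, 4-byte lines, 2-byte parts, 16 cache lines, a scratch buffer at address 64) are constructed and scaled down from the page's 256-byte example.

```python
"""Constructed example (not the patent's code): simulate the page's cache-line
interleaving and check that reading one operand produces the same hit/miss
pattern as reading the other from any prior cache state. Model from the page:
a main-memory field of LINE bytes always loads whole into one cache line."""
import itertools

LINE = 4        # payload bytes per cache line == bytes per memory field 36.x
PART = 2        # bytes per part v_{i,j}; LINE // PART operands share a field
VALUE_LEN = 16  # bytes per operand (the page's example uses 256)
K = VALUE_LEN // PART   # parts per operand

def layout_sequential(n_values, base=0):
    """Naive layout: all of v1, then all of v2, ... (a field holds parts of one
    operand only). Returns {(i, j): address of part j of operand i}."""
    return {(i, j): base + i * VALUE_LEN + j * PART
            for i in range(n_values) for j in range(K)}

def layout_interleaved(n_values, base=0):
    """The page's order v1,1 v2,1 .. vm,1 v1,2 v2,2 .. vm,2 ..: every field,
    hence every cache line, holds one part of every operand."""
    assert n_values * PART == LINE and base % LINE == 0
    return {(i, j): base + j * LINE + i * PART
            for i in range(n_values) for j in range(K)}

def fields_cover_all_values(addr_of, n_values):
    """The page's defining property: every field holding a part of one operand
    also holds a part of every other operand."""
    per_field = {}
    for (i, _j), a in addr_of.items():
        per_field.setdefault(a // LINE, set()).add(i)
    return all(len(s) == n_values for s in per_field.values())

class DirectMappedCache:
    def __init__(self, n_lines):
        self.lines = [None] * n_lines   # slot -> number of the field it holds

    def access(self, addr):
        """Return 'H' on a hit, 'M' on a miss (field loaded into its slot)."""
        field = addr // LINE
        slot = field % len(self.lines)
        if self.lines[slot] == field:
            return "H"
        self.lines[slot] = field
        return "M"

def read_value(cache, addr_of, i):
    """An operation reading every part of operand i; returns the hit/miss
    string an attacker monitoring cache behaviour would observe."""
    return "".join(cache.access(addr_of[(i, j)]) for j in range(K))

def traces_after_history(layout, n_lines, history):
    """Replay `history` on a cold cache (0 / 1 = read that operand, 's' = touch
    a scratch buffer that competes for the same slots), then read v1 and v2
    from the same resulting state. Returns (trace for v1, trace for v2)."""
    addr_of = layout(2)
    scratch = n_lines * LINE          # aliases the cache's first slots
    cache = DirectMappedCache(n_lines)
    for h in history:
        if h == "s":
            for a in range(scratch, scratch + VALUE_LEN, PART):
                cache.access(a)
        else:
            read_value(cache, addr_of, h)
    saved = list(cache.lines)
    t1 = read_value(cache, addr_of, 0)
    cache.lines = saved
    t2 = read_value(cache, addr_of, 1)
    return t1, t2

def find_leak(layout, n_lines=16, max_len=4):
    """Search all short histories for a cache state in which reading v1 and
    reading v2 differ. Returns (history, t1, t2) for the first one, or None:
    None means hits and misses reveal nothing about which operand (and so
    which exponent bit) was processed, which is the page's protection goal."""
    for length in range(max_len + 1):
        for history in itertools.product((0, 1, "s"), repeat=length):
            t1, t2 = traces_after_history(layout, n_lines, history)
            if t1 != t2:
                return history, t1, t2
    return None

if __name__ == "__main__":
    for name, lay in (("sequential", layout_sequential),
                      ("interleaved", layout_interleaved)):
        print(name, fields_cover_all_values(lay(2), 2), find_leak(lay))
```

With the sequential layout the very first non-empty history (read v1, then read again) already yields "HHHHHHHH" for v1 against "MHMHMHMH" for v2; with the interleaved layout the search finds no distinguishing state, because both operands always touch the same fields in the same order.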

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Memory System Of A Hierarchy Structure (AREA)

Abstract

According to the invention, in a method for protecting an operation sequence executed by a portable data carrier (10) against spying, the data carrier (10) has at least one processor core (14), a main memory (16) and a cache memory (18) with a plurality of cache lines (28.x). When executing the operation sequence, the processor core (14) is able to access at least two data values (v1, v2, ..., vn); the data values (v1, v2, ..., vn) occupy at least one cache line (28.x) in the cache memory (18) and are each split into several parts (vi,j), such that the occurrence of a cache miss or a cache hit is independent of which data value (v1, v2, ..., vn) is accessed. A computer program product and a device have corresponding features. The invention serves to defend against attacks that rely on an evaluation of the cache accesses while the operation sequence is executed.
EP11707595A 2010-03-10 2011-03-03 Protection against spying during the execution of an operation sequence in a portable data carrier Withdrawn EP2545483A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102010010851A DE102010010851A1 (de) 2010-03-10 2010-03-10 Protection against spying during the execution of an operation sequence in a portable data carrier
PCT/EP2011/001054 WO2011110307A1 (fr) 2010-03-10 2011-03-03 Protection against spying during the execution of an operation sequence in a portable data carrier

Publications (1)

Publication Number Publication Date
EP2545483A1 true EP2545483A1 (fr) 2013-01-16

Family

ID=44201846

Family Applications (1)

Application Number Title Priority Date Filing Date
EP11707595A Withdrawn EP2545483A1 (fr) 2010-03-10 2011-03-03 Protection against spying during the execution of an operation sequence in a portable data carrier

Country Status (5)

Country Link
US (1) US9589157B2 (fr)
EP (1) EP2545483A1 (fr)
CN (1) CN102792310B (fr)
DE (1) DE102010010851A1 (fr)
WO (1) WO2011110307A1 (fr)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
PL2702524T3 (pl) * 2011-04-27 2018-02-28 Seven Networks Llc Wykrywanie i filtrowanie złośliwego oprogramowania, oparte na obserwacji ruchu wykonywanego w rozproszonym układzie zarządzania ruchem w sieciach mobilnych
WO2014200631A1 (fr) 2013-06-11 2014-12-18 Seven Networks, Inc. Optimisation d'entretien et d'autre trafic d'arrière-plan dans un réseau sans fil
CN105468543B (zh) * 2014-09-11 2020-06-16 中兴通讯股份有限公司 一种保护敏感信息的方法及装置
KR102415875B1 (ko) * 2017-07-17 2022-07-04 에스케이하이닉스 주식회사 메모리 시스템 및 메모리 시스템의 동작 방법

Family Cites Families (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
ATE325478T1 (de) 1998-01-02 2006-06-15 Cryptography Res Inc Leckresistentes kryptographisches verfahren und vorrichtung
US7587044B2 (en) 1998-01-02 2009-09-08 Cryptography Research, Inc. Differential power analysis method and apparatus
CA2885956C (fr) 1998-05-18 2016-07-12 Giesecke & Devrient Gmbh Support de donnees a acces protege
DE19822218B4 (de) 1998-05-18 2018-01-25 Giesecke+Devrient Mobile Security Gmbh Zugriffsgeschützter Datenträger
EP1090480B1 (fr) 1998-06-03 2019-01-09 Cryptography Research, Inc. Perfectionnement de normes cryptographiques et autres procedes cryptographiques a reduction des fuites pour cartes a puces et autres systemes cryptographiques
US6983374B2 (en) * 2000-02-14 2006-01-03 Kabushiki Kaisha Toshiba Tamper resistant microprocessor
FR2818771A1 (fr) * 2000-12-21 2002-06-28 Bull Cp8 Procede d'allocation dynamique de memoire par blocs de memoire elementaires a une structure de donnees, et systeme embarque correspondant
DE10122504A1 (de) 2001-05-10 2003-01-02 Giesecke & Devrient Gmbh Berechnung eines Vielfachen eines Gruppenelements für kryptographische Zwecke
US7472285B2 (en) * 2003-06-25 2008-12-30 Intel Corporation Apparatus and method for memory encryption with reduced decryption latency
WO2005103908A1 (fr) * 2004-04-26 2005-11-03 Matsushita Electric Industrial Co., Ltd. Systeme informatique et programme informatique de codage et de decodage
US7565492B2 (en) * 2006-08-31 2009-07-21 Intel Corporation Method and apparatus for preventing software side channel attacks
US8781111B2 (en) * 2007-07-05 2014-07-15 Broadcom Corporation System and methods for side-channel attack prevention
JP4729062B2 (ja) * 2008-03-07 2011-07-20 株式会社東芝 メモリシステム
US20090311945A1 (en) * 2008-06-17 2009-12-17 Roland Strasser Planarization System
US8549208B2 (en) * 2008-12-08 2013-10-01 Teleputers, Llc Cache memory having enhanced performance and security features
US20100325374A1 (en) * 2009-06-17 2010-12-23 Sun Microsystems, Inc. Dynamically configuring memory interleaving for locality and performance isolation
US8375225B1 (en) * 2009-12-11 2013-02-12 Western Digital Technologies, Inc. Memory protection

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
None *
See also references of WO2011110307A1 *

Also Published As

Publication number Publication date
WO2011110307A1 (fr) 2011-09-15
US20120324168A1 (en) 2012-12-20
US9589157B2 (en) 2017-03-07
DE102010010851A1 (de) 2011-09-15
CN102792310A (zh) 2012-11-21
CN102792310B (zh) 2016-05-11

Similar Documents

Publication Publication Date Title
EP3593483B1 (fr) Transition d'un masquage booléen à un masquage arithmétique
WO2001048974A1 (fr) Support de donnees portatif a acces protege par repartition des codes
EP3254227B1 (fr) Procédé de protection de données à sécuriser dans une mémoire cache
EP0981115B1 (fr) Méthode d'exécution d'un programme de chiffrage pour chiffrer des données dans un support de données portable avec microprocesseur
EP1496420B1 (fr) Unité de traitement de données et méthode associée
DE10313318A1 (de) Kontrollierte Ausführung eines für eine virtuelle Maschine vorgesehenen Programms auf einem tragbaren Datenträger
EP2545483A1 (fr) Protection contre l'espionnage dans la réalisation d'une séquence d'opérations dans un support de données portatif
EP1540880B1 (fr) Calcul cryptographique securise
DE102014214792A1 (de) Vorrichtung und Verfahren zum Zugreifen auf einen verschlüsselten Speicherabschnitt
DE112018002723T5 (de) System, verfahren und vorrichtung zur verschleierung von vorrichtungsoperationen
DE60022840T2 (de) Verfahren zum sichern einer oder mehrerer elektronischer baugruppen, unter zuhilfenahme eines privatschlüssel-krypto-algorithmus, sowie elektronische baugruppe
DE102005057104A1 (de) Smartcard und Steuerverfahren hierfür
DE102012015158A1 (de) Gegen Ausspähen geschützte kryptographische Berechnung
EP3804209B1 (fr) Procédé avec mesure de défense safe-error
DE60220793T2 (de) Verwürfelung bzw. Verschleierung (Scrambling) einer Berechnung, bei welcher eine modulare Funktion zur Anwendung kommt
DE102012219205A1 (de) Vorrichtung und Verfahren zur Ausführung eines kryptographischen Verfahrens
DE102012025416A1 (de) Verfahren zum Betreiben eines portablen Datenträgers sowie ein solcher portabler Datenträger
DE102015209120A1 (de) Recheneinrichtung und Betriebsverfahren hierfür
WO2002019065A2 (fr) Procede et dispositif permettant d'executer une exponentiation modulaire dans un processeur cryptographique
DE10253285B4 (de) Verschleierung eines geheimen Wertes
EP3251281B1 (fr) Authentification intrinsèque d'un code de programme
DE19960047B4 (de) Verfahren und Einheit zur sicheren Informationsbehandlung in einem kryptographischen Informationsverarbeitungssystem
DE102021101697B3 (de) Datenverarbeitungsvorrichtung und verfahren zum verarbeiten geheimer daten
EP3504616B1 (fr) Module et procédé de calcul sécurisé d'opérations mathématiques
EP2230617B1 (fr) Verrouillage d'un support de données portable

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20121010

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

DAX Request for extension of the european patent (deleted)
RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: GIESECKE+DEVRIENT MOBILE SECURITY GMBH

17Q First examination report despatched

Effective date: 20171023

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

GRAJ Information related to disapproval of communication of intention to grant by the applicant or resumption of examination proceedings by the epo deleted

Free format text: ORIGINAL CODE: EPIDOSDIGR1

INTG Intention to grant announced

Effective date: 20190711

INTC Intention to grant announced (deleted)
GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

INTG Intention to grant announced

Effective date: 20190924

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN WITHDRAWN

18W Application withdrawn

Effective date: 20191022