FI112707B - A method for handling a secret key - Google Patents

Description

Ί12707

The present invention relates to the processing of a secret key in such a way as to ensure that, in the course of processing the secret key, no information can be leaked to an outside attacker which would allow him to determine the secret key.

Secret keys are typically used, for example, in authentication operations to ensure, for example, that a particular smart card is authentic by providing the smart card with an input into which the smart card responds by utilizing a predetermined counting algorithm and smart card specific secret key. Other uses of a secret key include encryption and electronic signature. In encryption, the sender encrypts the message to be sent with the public key and the recipient decrypts with the private key. The message to be sent in the electronic signature is signed using the secret 15 keys, while the recipient can check with the public key whether the electronic signature is correct. Cryptography and electronic signatures are commonly referred to as so-called. RSA algorithm. This algorithm was developed in 1977 by Ronald Rivest, Adi Shamir and Leonadr Adelman.

One problem with the processing of a secret key is that reading the secret key from memory and utilizing it in counting operations may provide the outside attacker with information that enables him / her to: retrieve the secret key. That is, if an outside attacker could, for example, feed several thousand inputs to the smart card and statistics on the responses generated by the smart card, the 25 currents used to generate the responses, and the radiation generated by the response, there is a risk that the secret key could be revealed.

The object of the present invention is to solve the problem described above and to provide a solution which makes the handling of the secret key more secure and which results in the outsourcing of the secret key; : 30 for the attacker tougher. This object is achieved by a method for processing a secret key according to the invention, characterized by dividing the secret key into components such that the sum of the components corresponds to the value of the secret key and that at least one element consists of mutually multiplicative numbers. is a random number 35, storing said components in memory, wherein said at least one component is stored in memory, said numbers which are multiplied with each other are separately stored in memory, and the components are retrieved from the memory to produce a response, and through.

The invention further relates to apparatus for applying the method according to the invention. The apparatus of the invention comprises an input for receiving an input, an output for further transmitting the response, and calculation means which produce a response in response to an input received through the input by utilizing a predetermined calculation algorithm. The apparatus of the invention is characterized in that the apparatus comprises a memory having 10 secret key components stored therein, the sum of said components corresponding to the secret key value, and at least one of said components consisting of mutually multiplied numbers, at least one of which is a random number the multiplicative component being stored in the memory as discrete numbers, and that the calculating means 15 are arranged to utilize said black stored components for calculating the response by said computation algorithm.

The invention is based on the idea that processing a secret key becomes more secure by dividing the secret key into components that are stored in memory and utilized to calculate the response. Thus, the 20 secret keys do not need to be stored or processed in plain language, but it is sufficient that the necessary operations are performed by the components of the secret key. The response calculation is thus performed as if by pieces, in which; the value of the final response depends on the calculation operations performed on the individual components:

The major advantage of the solution according to the invention is thus that it is more difficult for an outside attacker to find out the secret key against; . based on the information available in the computation, since even in the computation of the response it is not necessary to deal with the secret key, but only:, its components.

In a preferred embodiment of the method of the invention, the secret key is recoded by changing at least two of its components such that the values of the components change but the sum of the changed components corresponds to the value of those components before the change. Thus, it is possible to change the components of a secret key at desired times, for example in the calculation of each response, but despite this change, the secret key consisting of the sum of the components of 112707 remains unchanged. The preferred embodiment of the present invention provides a solution in which the response count changes, if desired, even with each count, whereby an outside attacker will no longer benefit from it even if he is able to compile data during the count because the data collected at different counts are not comparable.

Preferred embodiments of the method and apparatus of the invention are disclosed in the appended dependent claims 2 to 3 and 5 to 6.

The invention will now be described, by way of example, in greater detail with reference to the accompanying drawings, in which: Figure 1 is a flowchart of a first preferred embodiment of the method of the invention, Figure 2 is a flowchart of a second preferred embodiment of the method

Figure 1 shows a flow chart of a first preferred embodiment of the method according to the invention. The flowchart of Figure 1 is suitable for use in, for example, smart card authentication with a challenge / response procedure.

In block A, the secret key is divided into components K0 ... Kn, which are selected such that the value of the secret key C corresponds to the sum of the components. Partial; the factors are selected so as to include elements consisting of two mutually exclusive numbers, one of which is a random number.

; In block B, the components are stored in the memory of the smart card or the like. It or those 'components that consist of multiplicative numbers are stored so that the individual component numbers are stored separately. The operations in blocks A and B are performed, for example, in connection with the manufacture of a smart card. Therefore, it is not necessary to store the secret key in the smart card memory:: 30 but it is sufficient for the smart card memory to store the aforementioned: components.

In block C, a wait is received until an input is received. Then, in section D, the secret key components stored therein are retrieved from the smart card memory. In block E, these components compute the response using a predetermined computation algorithm.

112707 4

Figure 2 shows a flow chart of another preferred embodiment of the method according to the invention.

In block A 'of Figure 2, the secret key is divided into components. In this case, the components are selected so as to include elements which consist of two mutually exclusive numbers, one of which is a random number. In the case of Fig. 2, it is assumed that there are three components, i.e., K0, K1, the value of which is a random number RND1 multiplied by L1, and K2, the value of which is a random number RND2 multiplied by L2. In practice, the selection of the components is done by first randomizing 10 RND1 and RND2, followed by the other numbers, KO, L1 and L2, so that the sum of the components corresponds to the secret key C. Hence C = K0 + (RND1 * L1) + ( RND2 * L2).

In block B ', the components are stored in memory. In this case, all the figures included in the components are stored separately. KO, RND1, L1, RND2 and L2 are thus stored in the present example case.

In block C, a wait is received until an input is received. When the input is received, the components stored in memory in block D 'are retrieved. Using these elements and a predetermined computation algorithm, a response to the input is then generated in block E '.

In block F ', it is checked whether the re-encoding of the secret key is current. According to the invention, the secret key may be re-encoded ·; for example, after each count, at predetermined count times, or randomly. The main thing is to avoid a situation where i share the same secret key or, in fact, the same components of the secret key: 25 are repeatedly used to generate a response. In that case, an outside attacker may be offered the opportunity to investigate the secret. key to compiling response data.

. In block G ', the secret key is re-encoded. The re-coding is carried out according to the invention by modifying at least two; 'Secret key component value in such a way that the sum of the modified components is equal to the sum of those components before the change. That's it; : thus, the value of the secret key remains unchanged. In addition, the calculations according to the invention should be performed in such a way that there is no need at any time to calculate the value of the secret key.

5 ί 10 η n r7 I I Li U /

In the following, it is assumed that the first and last components described in connection with block A 'are modified. That is, the components to be changed are KO and (RND2 * L2). Initially, a new random number is selected to replace the previous random number RND2. Suppose RND2 'is selected.

5 In block H ', the other numbers included in the components to be changed are selected. Initially, a new L2 'is selected in place of L2 such that (L2' * RND2 ') <K0 + (RND2 * L2). Finally, a new KO 'is replaced with a KO. This is done by the following calculation: K0, = K0 + (RND2 * L2) - (L2, * RND2 ').

Thus, the components of the secret key have changed in such a way that the value of the secret key has not changed, so that the responses produced by the secret key are also comparable to those produced by the previous components. The components can then be stored in the memory so that the individual numbers K0 ', RND1, L1, RND2' and L2 'contained in the components are stored separately.

The following is a practical calculation example of how the embodiment of Figure 2 can be applied. Suppose that smart card authentication is performed by a computational algorithm that utilizes a sliding window method to perform individual count operations. The sliding window method is a known method for calculating the multiplication or exponentiation in a binary system. The following is an example of performing the multiplication C * B using the sliding window method when using only summation, and • to prevent an outside attacker from gaining access to: information that would allow him to determine the secret key C.

: The value of the secret key is assumed to be C = 11010101. Secret key; It is desirable to divide 25 into two components such that it has the form '. C = K0 + RND1 * L1. The multiplier used in the sliding window method is drawn. ice, that is, a random number RND1 of 5 (101 in the binary system). Then try to find the values of KO and L1 by the following calculation:

EXAMINED BITS EXPLANATION WINDOW POSITION

: 'UNDERWRITTEN___. : 11010101_Reduce multiplier by 101 J_; : 00110101_Reduce 001__ 00010101_Move window__. , 00010101_Download 001_2_ 00000101_Move window__ 112707 6 00000101_Move window_3_ 00000101_Move window_4_ 00000101_Move window_5_ 00000101_Room out 101 6

From the above table it is observed that the randomly selected multiplier RND1 = 101 has been used when the window was in positions 1 and 6. The bits 1 and 6 of L1 are then set to "1" and the other bits to "0", i.e. L1 = 1000001. Correspondingly, it is found that the number 001 has been used when the window was in positions 1 and 2. In this case, bits 1 and 6 are set to "1" in KO, while other bits are set to "0", i.e. K0 = 110000. (block B 'of Figure 2) thus includes the numbers: K0 = 110000, RND1 = 101, and L1 = 1000001.

10 When the secret key C is decomposed into the components as described above, i.e. C = KO + (RND1 * L1), and when the multiplication A = C * B is computed, this corresponds to the following calculation: A = B * K0 + (RND1 * B). That is, if the numbers C * B to be multiplied, when the secret key C is stored in the above form, i.e., the above numbers having values K0 = 110000, 15 RND1 = 101 and L1 = 1000001, the next calculation is made assuming B = 101 .

; BIT NO L1 L1 CALCULATION INTERIM RESULT

: 1 11 B + 5B 6B = i____11110_ 2 1 0 2 * 6B + B 13B =: j____ 1000001 3 0 0 2 * 13B 26B =: ·; ____ 10000010; . 4 0 0 2 * 26B 52B = ____ 100000100 5 0 0 2 * 52B 104B =: ': ____ 1000001000 I ·. 6 0 1 2M04B + 5B 213B = lii [10000101001 112707 7

In the table above, invoices are denoted by decimal and multiplication to make it easier to track the progress of the invoices. However, in practice, all calculations are performed with binary system numbers and 5 only with addition operations. The calculations proceed as follows: - when moving to the next bit in the turn, KO and L1 multiply the previous intermediate result by two, - when the value of the bit under KO is 1 is added to intermediate 001, and - when the value of The value of 10 corresponding multipliers is 5 (RND1 = 101, ie 5 in decimal system).

Not only does the solution of the invention divide the secret key into components by providing advantages in terms of protecting the secret key, this division also facilitates the utilization of the secret key in algorithms using the sliding window method, as shown in the previous calculation example.

Fig. 3 is a block diagram of a first preferred embodiment of the apparatus according to the invention. In the case of Figure 3, the hardware 1 is assumed to be a smart card, in which case the method described in Figure 1 or 2 for authenticating the smart card may be applied.

20 When manufacturing hardware 1, the secret key C of hardware 1

is decomposed into components such that C = K0 + (RND1 * L1) + ... + (RNDn * Ln). This! thereafter, the numbers K0, RND1, L1, ..., j RNDn, Ln included in the components are stored in the memory M. When hardware is authenticated, input 2 is input. such

i the processor P computes a predetermined computation algorithm as well as the memory M

• 25 stored secret key components, a response which is further provided by the hardware 1 via the output 3.

If the re-encoding of the secret key becomes timely, the processor P will perform the necessary computation to divide the secret key into new components, for example, as described in connection with the flow chart of Figure 2. New random numbers processor P gets random number generator; 'dispute RND. After calculating the new components of the secret key, store the hardware *: 1 in memory M to replace the previous components.

•: Unlike the above, the hardware 1 of Figure 3 may be other than a smart card. The invention can also be applied, for example, to the transmission of confidential information over an unreliable communication channel such as the Internet. In this case, it may be necessary to either encrypt the message in such a way that it cannot be read by an external party, or alternatively, provide the message with an electronic signature so that the recipient of the message can verify that the message is from the correct source.

Similarly, the electronic signature is produced with a secret key, 5 and the correctness of the signature is verified with a public key. Thus, according to the invention, the apparatus 1 of Figure 3 can be, for example, a computer receiving a message with an electronic signature, and using the method and secret key of the invention to check whether the electron signature is correct. The response then consists of information indicating whether the 10 signatures are correct.

Yet another alternative is that the hardware 1 of Figure 3 is a computer that uses a secret key to decrypt the received encrypted message encrypted with a public key corresponding to the secret key. Therefore, the response consists of a plain language message.

It is to be understood that the foregoing description and the accompanying drawings are merely intended to illustrate the present invention. Various variations and modifications of the invention will be apparent to those skilled in the art without departing from the scope and spirit of the invention set forth in the appended claims.

> I

s t

Claims (6)

A method of handling a secret key, characterized in that the secret key is subdivided into sub-factors, such that the sum of the sub-factors corresponds to the value of the secret key, and that at least a sub-factor consists of tai to be multiplied by one another, of which said at least one is a random number, said subfactors being stored in a memory, said eating at least one subfactor being stored in memory such that said tai to be multiplied with each other is stored separately in memory, and to generate a response, the subfactors are searched from memory, and On the input data, the response is calculated using the sub-factors and a predetermined calculation algorithm. 2. A method according to claim 1, characterized in that for encoding the secret key, at least two sub-factors are changed, such that the value of the sub-factors changes but the sum of the changed sub-factors corresponds to the sum of said sub-factors before the change. Method according to Claim 1 or 2, characterized in that the sub-factors consisting of tai to be multiplied, of which tai at least one is a random number, are changed by using new random numbers: instead of the former, after which the the other numbers are chosen so that the sum of the changed sub-factors corresponds to the sum of the sub-factors before the change. A device (1) comprising: an input (2) for receiving input, an output (3) for passing on a response, and counters (P) which, in response to input received via the input, generate a response using a predetermined counting algorithm, characterized in that the device (1) comprises a memory (M) in which has been stored a secret key's subfactors, the sum of said subfactors corresponding to the value of the secret key and at least one of said subfactors being tai to be multiplied by each other, of which tai is at least one tai is a random number, said sub-factor comprising tai to be multiplied with each other has been stored in memory as separate tai, and the counters (P) are arranged to utilize the the memory (M) stored subfactors in the computation of the response by said counting algorithm. 5. Device according to claim 4, characterized in that for encoding the secret key, the device (1) is arranged to change at least two sub-factors, such that the value of the sub-factors changes but the sum of the changed sub-factors corresponds to the sum of the sub-factors to be changed before the change, and storing said changed subfactors in memory (M) instead of the previous subfactors. Apparatus according to claim 4, characterized in that in case of the sub-factors to be changed belong to such sub-factors consisting of tai to be multiplied, of which tai at least one is a random number, the device is arranged to change said sub-factors by selecting in use new random numbers instead of the previous random numbers, and after that the other numbers say that the sum of the changed sub-factors corresponds to the sum of the sub-factors to be changed before the change. I · t * I t 1 I 1 «(