FR2984648A1 - Method for providing response to request by individual electronic system for banking transaction, involves analyzing specific signature using cryptographic unit, where part of unit is selected based on result of analysis of signature - Google Patents

Abstract

The method involves receiving a command that includes a characteristic of a specific action, and analyzing the specific action. A specific signature is analyzed (4000) using a cryptographic unit (4100), and the analyzed signature is transmitted. A part of the cryptographic unit is selected based on a result of analysis of the signature. The cryptographic unit is arranged with a cryptographic key that is selected according to the result of analysis of the signature. The cryptographic unit is arranged with an encryption algorithm (4300). Independent claims are also included for the following: (1) a computer program comprising instructions for performing a method for providing response to a request by an individual electronic system (2) an individual electronic system (3) a method for authentication of relative information (4) a computer program comprising instructions for performing the method for authentication of relative information (5) a server.

Description

TECHNICAL FIELD AND PRIOR ART The invention is in the field of individual electronic devices, including in particular electronic payment solutions using portable payment means, such as bank cards, communicating with payment terminals.

The EMV ("Europay Mastercard Visa") standard currently defines the specifications that the banking payment actors must respect. The payment tools involved include payment cards with microcircuit (smart cards) and payment terminals available at merchants. Beyond smart cards, other mobile payment means - portable - with a microcircuit or a microcontroller capable of performing at least some electronic operations, or even more, are used or expected to develop. This is the case for example NFC devices (that is to say communicating according to the "Near Field Communication" standard), integrated for example in mobile phones. These systems involve several actors, among which the holder of the means of payment, the merchant with a payment terminal and the issuer of the means of payment, which is typically a bank or group of card management or payment means. In addition, a certification authority separate from the bank is responsible for delivering to these various actors authentication elements such as keys or electronic certificates. A transaction at a merchant includes, in accordance with the EMV standard, described in the document "EMV Integrated Circuit Card 30 Specifications for Payment Systems version 4.2" an analysis of the transaction envisaged by the terminal and an analysis of the transaction by the means of payment . The result of this double analysis is transmitted to the issuer of the means of payment, with a cryptogram signing the analysis and thereby authenticating the means of payment.

For ease of language, it is said that a cryptogram comprising the result of the analysis is generated and transmitted. This is done systematically whether the result of the analysis is positive or negative. In some cases, the result of the analysis is a decision to request authorization from the issuer of the means of payment. This authorization request is also signed by a cryptogram. In all cases, the cryptogram is generated in the same way from a master key contained in the card and which has been previously entered by the issuer, after being issued by the certification authority. This solution presents a problem because it offers, to a certain extent, a flaw with respect to the attacks consisting in recording the responses of a card to which is successively requested a large number of transactions of an amount greater than the authorized threshold. in the memory of the card. These attacks, carried out by a malicious third party having obtained the card and having an adequate card reader, are made by accumulating a large number of responses of the card. This allows the attacker in certain circumstances to determine, by analyzing the electrical signals generated by the card, the cryptographic means, such as keys, authenticating the payment means.

SUMMARY OF THE INVENTION The invention aims to solve this problem and for this purpose proposes a method of response by an individual electronic device to a solicitation, the method comprising receiving a command comprising at least one characteristic of an intended action. , an analysis of said envisaged action, then a signature of said analysis using cryptographic means and the transmission of said signed analysis, characterized in that at least a part of said cryptographic means is chosen according to a result of said analysis. Such a method constitutes a considerable advance in the field of security actions performed using a portable electronic device, for example banking transactions, and electronic payments in general, because it significantly secures portable electronic devices against attacks of the type mentioned above. Indeed, the accumulation of responses to requests for action - or solicitation - for example for excessively high amounts, can not make it possible to discover the master key or the cryptographic means used to generate acceptance by the card, since at least part of the cryptographic means used is dependent on the result of the analysis. The new process does not derive from the knowledge available until then. It will be noted, for example, that document JP2004184959 evokes, without particular application to electronic payments, the generation of several cryptograms from a single key. It does not disclose the use of a result of an analysis of a contemplated transaction to choose cryptographic means. According to an implementation characteristic, the cryptographic means comprise a cryptographic key, or / and an encryption algorithm, for example a triple DES algorithm. They may also include a message authentication code generation algorithm. According to an implementation characteristic, the message authentication code generation algorithm is applied to data dependent on said transaction comprising for example a transaction counter, an amount of the transaction or a date of the transaction. Typically, however, the result is an acceptance, a denial, or a request for agreement from a remote third authority, for example a sender of the individual electronic device. The invention also proposes a computer program comprising instructions able to implement, when they are executed by a device comprising a microcontroller and a memory, each of the steps of a method as mentioned above.

According to another aspect, the invention consists of an individual electronic device comprising a microcontroller and a memory, the individual electronic device responding, when it is solicited for a planned action, by analyzing the action envisaged, and by setting implement cryptographic means to sign the generated analysis, characterized in that the individual electronic device selects at least a portion of said cryptographic means according to a result of the analysis. Advantageously, the individual electronic device comprises a microcircuit card in a memory of which the cryptographic means are recorded. The device, which may be a means of payment, may be in accordance with the EMV standard, or comprise an NFC communication interface, and be for example integrated in a mobile telephone terminal. According to another aspect of the invention, it consists of a method for authenticating information relating to an action by a remote authority, the method comprising the verification using cryptographic means, the authenticity of a signature received with the transaction information, characterized in that the cryptographic means are chosen according to an analysis result also received with the transaction information.

The invention also proposes a computer program comprising instructions able to implement, when they are executed by a device comprising a microprocessor and a memory, each of the steps of a method according to the preceding authentication method claim. Finally, according to another aspect of the invention, the latter consists of a server which, when it receives signed action-related information from terminals, verifies by means of cryptographic means, the authenticity of a message. signature received with the information relating to an action, characterized in that the cryptographic means are chosen according to a result of analysis also received by the server with the information. BRIEF DESCRIPTION OF THE FIGURES The invention will now be described with reference to the following appended figures: FIG. 1 shows the hardware elements implementing the invention FIG. 2 shows the messages exchanged between these different hardware elements. Figures 3 and 4 show the actions performed by the elements of Figure 1. Figure 5 shows a detail of Figures 3 and 4, which is a signature step. FIG. 6 shows a detail of FIGS. 3 and 4, which constitutes an authentication step. DETAILED DESCRIPTION OF THE INVENTION FIG. 1 shows the material elements used in the invention. A payment card 100, held by a natural person customer of a bank, is used in connection with a payment terminal 200. The card 100 constitutes an individual electronic device. The payment terminal is in the possession of a merchant, has been provided to it by a bank, and has means for reading cards similar to the payment card 100. The banks having respectively provided the payment card 100 and the payment terminal 200 may be different. The payment terminal 200 is connected by a communication network 400 to a bank server 300 belonging to the bank that issued the payment card 100 or to a management group of payment cards. The connection of the terminal 200 and the server 300 is made, if necessary, at the moment a transaction is envisaged or shortly after a transaction. The payment card 100 comprises a microcontroller and a memory, in which the computer resources required for the response method according to the invention are recorded. In Figure 2, there is shown the exchanges between the elements that have just been presented. The scenario described is that of a transaction at a merchant. The transaction begins with steps, not shown, in which the merchant launches the application of the terminal 200 and then enters the transaction data, including the amount thereof, during which the terminal 200 performs a risk assessment. related to the transaction (for example taking into account insurance characteristics) and the cardholder 100 authenticates by entering his personal code. In addition, the card 100 and the terminal 200 mutually authenticate with a DDA (Dynamic Data Authentication) type method, using asymmetric cryptography keys and certificates. Once these operations are completed, the terminal 200 performs an analysis of the data of the transaction, then sends the card 100 a GENERATE command AC 1000 (this is an APDU command, which means "Application" Protocol Data Unit ", or basic communication unit for microcircuit cards - AC stands for" Application Cryptogram "). This command constitutes a solicitation of the card 100 by the terminal 200, in view of a transaction. It contains the data of the transaction. The card 100 then proceeds to analyze the transaction and sends the terminal 200 a response message 1100 (APDU response). Depending on the contents of the response message 1100, the terminal 200 may need to issue a request for authorization 1200 to the bank server 300. In this case, the bank server 300 then proceeds to an analysis of the data of the transaction. and then sends to the terminal 200 a response from the bank 1300. The terminal 200 then generates a second GENERATE AC command 1400 (APDU command), which is transmitted to the payment card 100, which interprets this command and responds to it by a second response message 1500 (APDU response) transmitted to the payment terminal 200. This makes the transaction 1600 at this stage, if it has been authorized. The terminal then performs a final transmission step 1700 to the bank server 300, for final verification of the transaction and update of 20 databases. In some cases, depending on the content of the response message 1100, steps 1200 to 1500 are not performed because it is not necessary for the terminal 200 to request authorization from the bank server 300. In this case, the transmission of the response message 1100 is directly followed by the transaction 1600, if it has been authorized, then by a final transmission step 1700, transmission made from the payment terminal 200 to the bank server 300. The fact that the steps 1200 to 1500 are not always performed is shown in the figure by dashed lines.

The final transmission step 1700 can be performed while the card 100 is no longer connected to the terminal 200, for example when the terminal is a portable terminal and has been rested on its base. This is known as off-line, off-line verification.

Figure 3 shows the operations performed by the different actors. As already mentioned, the transaction includes an analysis step by the terminal 3000, which is performed on the basis of security rules defined therein, such as the amounts authorized for the merchant, and the insurance rules.

This analysis by the terminal is followed by the transmission of the command GENERATE AC 1000, which includes the amount of the transaction envisaged and a result of analysis by the terminal. Then an analysis step by the 3100 card is conducted. It takes into account information and security rules defined in its memory, such as a maximum transaction amount, a payment cap on a week and a payment history. The analysis by the card also takes into account the result of the analysis by the terminal that has been transmitted previously. In particular, if the terminal has refused the transaction, the card in turn refuses the transaction. And if the terminal has indicated that it wants an authorization from the bank, the card can not by itself approve the transaction. An analysis result 3150 is obtained at this stage. This analysis result 3150 is either an approval of the transaction by the card, denoted TC (for "Transaction Certtficate"), or an authorization request decision to the bank, noted ARQC (for "ReQuest Cryptogram Authorization"), or finally a definitive refusal of the transaction, noted AAC (for "Application Authentication Cryptogram"). At this time, a step is taken to generate a message signed by the card 4000, and this message is transmitted to the payment terminal 200, as part of the response message 1100.

If the analysis result 3150 is of the TC type, the transaction is then carried out during a transaction step 1600 by the payment card 100 and the payment terminal 200. Then a final transmission step 1700 is performed, for the bank server 300, which performs an authentication step 5000, followed by a final information step of the bank 3300, which consists inter alia of updating the database. If the analysis result 3150 is of the ARQC type, an authorization request is made by the bank, via the authorization request 1200, comprising the elements transmitted by the card in the response message 1100. The bank performs first of all an authentication step 5000, then a step of analyzing the data of the transaction, this last step being referenced 3400 in the figure. If the bank decides to give its authorization to the transaction, the terminal 200 and the card 100 are informed by the response of the bank 1300 and the second command GENERATE AC 1400, represented subsequently in FIG. 4. This second command 1400 is processed by the This map generates a 3550 result of type TC. The response of the card 1500 is transmitted to the terminal and the terminal and the card then proceed together to the transaction during the transaction step 1600. The process continues with a final transmission step 1700, the authentication 5000 and the 3350 Bank's final information, which includes updating the database. If, on the contrary, the bank decides not to give its authorization to the transaction, it is, as before, proceeded to the transmission of the response of the bank 1300 and the issuance of the second command GENERATE AC 1400. The card performs the 3500 processing of this command, and generates a result 3550 of AAC type. It is then proceeded to the transmission to the terminal 200 by the card 100 of a second response message 1500 comprising the result 3550, the final transmission 1700 to the bank and an authentication step 5000, performed by the bank. The process ends with a final information step of the bank 3600, similar to that evoked in the previous scenarios, that is to say consisting among others in updating the database. Turning now to FIG. 3, in the case where the analysis result 3150 is of the AAC type, it is proceeded directly, after the transmission of the response message 1100, to the final transmission 1700 towards the bank. The latter proceeds to an authentication step 5000 which makes it possible to carry out the final information step of the bank 3700, similar to that evoked for the previous scenarios, that is to say, consisting inter alia in the setting database update. In all these scenarios, the authentication step 5000 allows the server 300 to ensure that the information transmitted is integrity and has been produced by a card issued by the bank. In the particular case of the transaction refusal, the bank is able to trace the refusal, the integrity of the information transmitted being certified. The details of a process for generating a message signed by the card 4000 will now be described in FIG. 5. This process uses a master key 4100, contained in a secure memory of the payment card 100 (here in the microcircuit). ) and which has been registered by the certification authority for authentication of the card during transactions. The process also uses a transaction counter 4200, stored in a memory of the credit card 100, which is incremented with each transaction or with each transaction attempt involving the card. These two elements are used by an encryption algorithm 4300 (stored in the microcircuit of the card), which in a particular embodiment of the invention is a triple DES algorithm (DES3 - DES stands for "Data Encryption Standard") as indicated in the EMV standard, for example, in Appendix A1.3 of EMV 4.2 Book 2. The 4300 algorithm generates, using at least these two elements, a session key 4400. The session key 4400 and particular data of the transaction 4500 are then used by a message authentication code generation algorithm 4600 ("MAC Algorithm"), as indicated in the EMV standard, for example in Appendix A1.2 of the version EMV 4.2 Book 2, to generate a cryptogram 4700. The algorithm 4600 is stored in the microcircuit of the card. The particular transaction data 4500 contains, for example, the amount of the transaction 4510, the date of the transaction 4520, as well as other information, such as the currency used, the account number, bank details or a maximum authorized transaction level. . The analysis result 3150 (or the analysis result 3550), the cryptogram 4700, the transaction data 4500, and the transaction counter 4200 are then concatenated 4800 leading to the generation of a message signed by the card 4900. This message 4900 includes a result field 4910 (called CID for "Cryptogram Information Data") containing the analysis result 3150 (or the analysis result 3550), a cryptogram field 4920 containing the cryptogram 4700, a data field 4930 showing the particular data of the transaction 4500 and a counter field containing the current value of the counter 4200. According to the invention, the analysis result 3150 (or the analysis result 3550) is used in the process of generating a message signed by the card 4000 to modify the master key 4100, in a first embodiment or, in variants for modifying the encryption algorithm 4300 or the algorithm of ge In a particular variant, the master key 4100 and the encryption algorithm 4300 are both modified according to the analysis result 3150 (or the analysis result 3550). and in a particular embodiment, both the master key 4100, the encryption algorithm 4300 and the message authentication code generation algorithm 4600 are modified. In a particular embodiment, three different master keys are used: one for the AAC result, another for the TC result and one for the ARQC result. The message signed by the card 4900 is transmitted to the terminal 200 as part of the response message 1100, or the second response message 1500. It is then transmitted to the server 300 as part of the request for Authorization 1200 or the final transmission 1700. In Figure 6, there is shown the authentication process 5000 implemented by the bank after receiving a message, such as the authorization request 1200 or the final transmission 1700.

This authentication process 5000 uses a key associated with a client 5100. This key is linked by a correspondence or is identical to the master key 4100 contained in the payment card 100. It was delivered to the bank server 300 by the client. the certification authority, in parallel with the registration of the master key 4100 in the memory of the payment card 100. The key 5100 is used, in conjunction with the result field 4910 to generate a keying algorithm 5300 key intermediate 5400. This intermediate key 5400 is used, in conjunction with the cryptogram field 4920 to cause a message authentication code generating algorithm 5600 to generate a cryptogram 5800. The cryptogram 5800 is compared with the contents of the data field 4930, at the During a comparison step 5900. In the case where it is found that the two cryptograms are identical, the card 100 is considered authentic. e and it is proceeded either to the analysis of the transaction by the bank during the step 3400, or to the information of the bank during the steps 3300, 3600 or 3700. In the case where it is found that the two cryptograms are not identical, the server 300 considers that the card is not authenticated and sets up the appropriate procedure in case of unauthenticated card 3800. In accordance with the invention, the key associated with the client 5100, the encryption algorithm 5300, or the authentication code generation algorithm 5600, or several of these cryptographic means are chosen according to the content of the result field 4910, according to the same rule as that implemented in FIG. During the process of generating a message signed by the card 4000. In a particular embodiment, three different master keys are used: one for the AAC result, another for the TC result and one for the ARQ result. vs. A rule of choice of cryptographic means similar to that used in the card 100 (signed message generation process 4000) is used. In a variant, the signature and authentication processes described in FIGS. 5 and 6 do not include generation of a message authentication code, but during the signature a cryptogram is reversibly generated instead of step 4600, and during authentication, an inverse algorithm is executed from the cryptogram field 4920 to compare the result obtained with the intermediate key 5400. The process then resumes at step 5900. In a variant, the processes of signature and authentication implemented by the invention comprise, for cryptographic means, asymmetric encryption / decryption algorithms based on a private key / public key, hashing functions (function which has similarities with a generation algorithm message authentication code), or pseudo-random number generators. These cryptographic means are chosen according to the result of the analysis of the action to be authorized. The invention is not limited to the embodiments described but encompasses all variants within the scope of the claims. The invention also applies to payment by NFC (mentioned in the introduction), and in this case, the payment means can be incorporated into a mobile terminal, for example a cellular phone, having a SIM card ("Subscriber Identification Module "), a micro-SD card (pSD, SD stands for" Secure Digital ") or an integrated secure microcircuit, the card or circuit hosting a banking application. The cryptographic means are stored in a microcircuit card, or in a secure set consisting of a microcircuit and a memory.

The invention applies to other fields for which it is necessary to sign the data of an action performed by means of an individual instrument for executing an action. For example, the fields of electronic transport tickets, electronic identity documents, and more generally electronic devices for security checks are areas of application of the invention.

Claims (14)

REVENDICATIONS1. A method of response by an individual electronic device (100) to a solicitation, the method comprising receiving a command (1000; 1400) comprising at least one characteristic of an intended action, an analysis (3100) of said intended action, then a signature of said analysis (4000) using cryptographic means (4100, 4300, 4600) and the transmission (1100; 1500) of said signed analysis, characterized in that at least a part of said cryptographic means ( 4100, 4300, 4600) is selected based on a result (3150; 3550) of said analysis. 2. Response method according to the preceding claim, wherein the cryptographic means comprise a cryptographic key (4100), chosen according to the result. 3. Response method according to one of the preceding claims, wherein the cryptographic means comprise an encryption algorithm (4300), chosen according to the result. The response method according to one of the preceding claims, wherein the cryptographic means comprises a message authentication code generating algorithm (4600), selected according to the result. The response method according to one of the preceding claims, wherein the result is an acceptance, a refusal, or a request for agreement from a remote third authority, for example a transmitter of the individual electronic device. 6. Response method according to one of the preceding claims, the action envisaged being a transaction. 7. Computer program comprising instructions able to implement, when they are executed by a device comprising a microcontroller and a memory, each of the steps of a response method according to one of the preceding claims. 8. An individual electronic device (100) comprising a microcontroller and a memory, the responding device (3100, 4000), when it is solicited for a planned action, analyzing (3100) the action envisaged, and setting implementing (4000) cryptographic means (4100, 4300, 4600) for signing the generated analysis, characterized in that the device chooses at least a part of said cryptographic means (4100, 4300, 4600) according to a result (3150 ) of the analysis. An individual electronic device according to the preceding individual electronic device claim, comprising a microcircuit card in a memory of which the cryptographic means are recorded. An individual electronic device according to one of the preceding individual electronic device claims, in accordance with the EMV standard. 11. Individual electronic device according to one of the preceding individual electronic device claims, comprising an NFC communication interface, and being for example integrated in a mobile telephone terminal. A method for authenticating information relating to an action by a remote authority (300), the method comprising verifying (5000) using cryptographic means (5100, 5300, 5600), the authenticity of a received signature (1200; 1700) with information relating to an action, characterized in that the cryptographic means (5100, 5300, 5600) are selected according to an analysis result (3150) also received with the information. 13. Computer program comprising instructions able to implement, when executed by device comprising a microprocessor and a memory, each of the steps of a method according to the preceding authentication method claim. 14. A server (300) which, when it receives (1200, 1700) signed action information from terminals verifies (5000) using cryptographic means (5100, 5300, 5600), the authenticity of a signature of the information received with the transaction information, characterized in that the cryptographic means (5100, 5300, 5600) are chosen according to an analysis result (3150) also received with the transaction information.