FR3002350A1 - CRYPTOGRAPHIC METHOD FOR GENERATING A USER KEY PAIR FOR AN ENTITY HAVING A PUBLIC IDENTIFIER I, AND A SYSTEM - Google Patents

Abstract

Cryptographic method for generating a user key pair for an entity having a public identifier I, and system. The method according to the invention comprises: - the generation (G10) by a certification authority: ○ of a master public key comprising an RSA module n produced of two prime numbers p and q, an integer b greater than or equal to 1, two quadratic residues a and g modulo n and a value h determined from a hazard z; a secret master key comprising p and q; generation (G20) by the entity of a secret user key; - the evaluation (G30) by the entity of a value v = g-s (mod n); - sending (G40) of v to the authority with a proof of knowledge of s; generation (G50) by the authority of a certificate (A, e) in which e is a random associated with I and Aeb = f (h1, v, n), f being a predetermined function; the sending (G60) of (A, e) to the entity; obtaining (G80) a pair of user keys for the entity comprising s and a user public key formed from A, e and I.

Description

BACKGROUND OF THE INVENTION The invention relates to the field of securing data and exchanges between different entities using public key cryptographic techniques. It relates more particularly to the certification of a public key of a device having an identifier in order to improve the security of a mechanism for authenticating this device or for digitally signing a message by this device based on a diagram of the GPS type or "cryptoGPS" (named after its inventors Girault, Poupard and Stern). The GPS scheme is described in detail in the document entitled "On the Fly 10 Authentication and Signature Schemes based on Groups of Unknown Order", Journal of Cryptology, pages 463-488, vol. 19 n ° 4, 2006. This is a protocol with zero knowledge disclosure (or "zero knowledge" in English), offering a secure solution at low cost, in terms of computing power and / or memory. storage. Thus, the GPS scheme has a preferred application in the field of radio-identification or RFID (for Radio Frequency IDentification). In a known manner, radio-identification is a technique used to store and retrieve data remotely using markers called radio-tags or radio tags or RFID tags. It is commonly used in many sectors of activity such as the pharmaceutical industry, distribution, fashion and libraries, for the traceability of various and varied objects. Due to its low complexity, the GPS scheme can be easily embedded in radio-identification systems. It makes it possible for a first device that is not very powerful in terms of computing power and memory, such as an RFID tag, to authenticate and authenticate itself securely with a second, more powerful device, such as a reader. RFID tags. The GPS protocol is advantageously such that the cost of authentication for the least powerful first device can be substantially reduced by means of a series of optimizations. In particular, there is a mode called "coupons", which consists of calculating during a preliminary step all the values that can be and to store these precalculated values (i.e. the coupons) on the RFID tag. In this way, only the RFID tag remains for a minimum of 30 operations to be performed during the actual authentication session. An exemplary implementation of a GPS authentication scheme of a first device E1 with a second device E2 is illustrated in FIG. 1. E1 is for example an RFID tag and E2 is an RFID tag reader. It is conventionally composed of two phases, namely a first configuration phase P1 during which authentication data (parameters, public / private keys and, where appropriate, coupons) are calculated and / or provided to the first device El, then a securite pH, CH of ruthenhhcahon during which lupum.1 (2i dr, pui, M ri Huit Iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii preliminary phase which can be executed only once in the life of the authentication system, unlike the P2 phase which is implemented at each authentication of the device El. During the configuration phase P1, a pair In the example shown in Figure 1, the keys s and v are linked by the following relation: v = modn where n = pq is a so-called RSA module (Rivest Shamir Adleman) resulting from the product of two prime numbers p and q, g es t an element of the multiplicative group Z: = (Z / nZ) \ {0}, where Z denotes the set of relative integers. The parameters n, g, and the key are public there, in other words, they are accessible by the device E2. On the other hand, the private key remains secret and is specific to the device El. It is stored on the device El and is never transmitted to the outside. The P2 authentication phase is carried out in three main steps. The device El randomly selects an integer r and then evaluates a commitment x = grmodn (step E10) which it transmits to the device E2 (step E20). In the so-called coupon mode, a plurality of engagement values or coupons x 1, 1 i 5 N are similarly precalculated by means of hazards r 1, ls 1 N, during the configuration phase P 1. are then stored on the device El in order to limit the calculations made by the device El during the authentication phase P2. On receipt of this commitment, the device E2 randomly chooses a challenge c (step E30), which it transmits to the device El (step E40). The device El evaluates a response to this challenge y = r + cxs (step E50), which it sends to the device E2 for verification (step E60). This check consists for the device E2 to ensure that x = gvtmodn (step E70). If necessary, the device El is validly authenticated. The GPS scheme can also be used by an El device to digitally sign a message m. In this case, the challenge c is generated by the device E1 not randomly but by applying a hash function h to a vector resulting from the concatenation of the message R7 and the commitment x. The digital signature associated with the message m is then formed by the pair (c, y). On receipt of the message m and its signature (c, y), the device E2 verifies that the signature is valid by calculating the value x '= ° cl n and the value c' = h (, t), then in s ensuring that r = r '. To enhance the security of the GPS scheme, the use of PKI (Public Key Infrastructure) public key infrastructure is required in order to establish a public key link. However, such an infrastructure is relatively complex to implement and manage. One solution to overcome this drawback is to use an authentication or signature mechanism that relies on authentication. on the GPS scheme and based on the identity of the device that is trying to authenticate itself or to sign a message For example, the public key of the device El can be replaced by its identity (for example its code EPC (Electronic Product Code) for example, the link between the device and its public key is direct, but with such a solution, when the secret key of the device is compromised, for example because the device on which it is stored is lost, the The identity of the device is also compromised, but it is not always possible to obtain another pair of keys for the same identity.An alternative solution, always based on the id entity of the El device that seeks to authenticate itself or to sign a message, is proposed by Marc Girault in the document entitled "Self-certified public keys", Eurocrypt'91, vol. 547, Lecture Notes in Computer Science, pages 490-497, Springer, 1991. In accordance with this solution, a CA certifies the identity I of the El device by generating a certificate, while respecting the constraints of the GPS scheme ( non-disclosure of the secret key s of the El device, and in particular to the certification authority). Then the device El uses a public user key formed by the certificate and its identity to authenticate with an E2 device using a GPS authentication scheme. An exemplary implementation of this solution is illustrated in FIG. 2. In a first step (step F10), a so-called "master" key pair is generated for the CA from: a module RSA n = pq defined as the product of two prime numbers pet q; an integer e prime with (p-1) and (q-1) and an integer d = e-1 (mod (p -1) (q -1)); And an element g of the multiplicative group Z = (Z / nZ) \ {0}, where Z denotes the set of relative integers. The master key pair of the certification authority includes a MasterPubK master public key and a MasterSecK master private key defined by: MasIcrPubK = '11 .e, g) = (1.1.d) 30 At the El device, during of a configuration step, a secret key s of the device El is generated randomly (step F20). Then the device El generates the value r mod n (step F30) and sends it to the CA with its identity / and a proof of knowledge of the secret key s to zero knowledge disclosure (step F40). This proof is provided via the implementation of a scherna (iP5, After verifying the knowledge of the secret key s by the device El, the certification authority C1 calculates a certificate A (step F50) according to: A = - (modn) then transmits it to the device El (step F60) On receiving the certificate A, the device El verifies that (step F70): = A '+ I (modn). user key pair comprising a user public key UPubK = (A, /) and a user secret key USecK = s (step F80) .The authentication of the device El with a device E2 is then performed using 10 of a GPS authentication mechanism as described above with reference to FIG. 1, applied to the secret user key s of the device El, to the element g and to a public key y = Ae + I generated by the device E2 from the public key UPubK = (A, I) of the device El (step F90) .The advantage of Such a solution is that it makes it possible to certify the identity / device El 15 without using a PKI public key infrastructure and while remaining compatible with the implementation of an authentication scheme or GPS signature. . However, according to this solution, it is easy for an adversary to obtain a valid user key pair, without the intervention of the certification authority. Indeed, the adversary may randomly choose a secret key s ', a value A' and then calculate an identity = g + A * c (modn). Although in practice, the probability of operation of such an attack is very low, the opponent can not control the value of identity, this attack is still possible. There is therefore a need for a mechanism for generating a certified public key based on the identity of a device and compatible with an authentication scheme or GPS signature, not presenting the disadvantages of the state of the device. technical in terms of security and without resorting to a PKI infrastructure. OBJECT AND SUMMARY OF THE INVENTION The invention responds in particular to this need by proposing a cryptographic method 30 for generating a user key pair for an entity having a public identifier /, this method comprising: a generation step, by a a certification authority, a master key pair comprising a master public key, comprising a PSA module n produced of two prime numbers n and a higher integer or quadratic numbers and g inociulo n and in "\ /, 11 (1Jr ././(Jaermirp,r, from d wi; o a secret master key comprising the prime numbers p and; a step of generation by the entity of a secret user key s to from a hazard, an evaluation step by the entity, from the user secret key and the master public key, of a value v g-5 (mod n); entity of this value v to the CA with proof of knowledge this of the secret user key according to a protocol with zero disclosure of knowledge; a generation step by the certification authority, based on the public identifier / entity and the value y, of a certificate consisting of a pair of values (A, e) in which e is a 10 random associated with the public identifier / and: Aeb = f (hi, v, n) where f is a predetermined function; and a step of sending the certificate (A, e) to the entity by the certification authority; these steps resulting in obtaining a user key pair for the entity comprising the secret user key s and a user public key formed from the values A and e and the identifier / entity. Thus, according to the invention, and as in the diagram proposed by M. Girault, the relationship between the public identity of the entity and its public key is established by a certification authority via the generation of a certificate allowing the signing of the certificate. public identity of the entity, so that the public user key of the entity consists of its public identity and the certificate thus generated by the certification authority. The secret key of the entity is also never disclosed, including to the certification authority, since only a proof of knowledge of the secret key to zero knowledge disclosure is provided to it, without ever disclosing the secret key. The zero knowledge disclosure protocol used by the entity relies, for example, on a GPS type authentication scheme. However, according to the invention, on the one hand, the hazard e used in the certificate is specific to each public identifier /, and on the other hand, the relationship linking the certificate, the secret key and the public identity is now tamper-proof due in particular to the presence by exposing the identity of the entity in the certificate generated by the certification authority. The function r makes it possible to ensure that no entity, without knowing the factorization of the RSA module n, can find a pair of values (A, e) which will verify the relation Aeb f (111, v, n). Only the certification authority can generate such a pair of values. To better illustrate the advantages of the invention and in particular this tamper-proof character, we will consider several examples of functions r that can be used by the certification authority to generate the certificate (-. it h = (mod n), and the certificate (A, e) generated by the CA verifies: A = (ah 'v) d (mod n), with d = od (p - 1) (q - 1)) and b greater than 1. Furthermore, to enhance the security of the schema thus proposed, the generation method may further comprise a verification step by the entity that: Ae V = '(mod n). ah In this first embodiment, an adversary can certainly randomly choose a secret key s *, a value 11: and then calculate, from the master public key, the value 10 hr = a-1 'eh ge (modn) . However, from this value, it can not generate a public identity /, because of the complexity of the discrete logarithmic problem to be solved. The use of an RSA module to generate the master public key of the certification authority also reinforces this complexity. The user key pair generated according to the invention is therefore unfalsifiable, the opponent being unable to generate a valid user key pair from the information published by the certification authority and by the entity. The proof of the level of security attained by this first embodiment of the invention (in other words the tamper-proof nature of the user key pair generated) can be provided by relying on a demonstration similar to that conducted by Mr. Joye in the document entitled "An efficient on-line / off-line signature scheme without random oracles", CANS'08, vol. 5339 of Lecture Notes in Computer Science, pages 98-107, Springer, 2008. This document proposes indeed a method of signature of a message, presented as an alternative to the GPS signature scheme but which contrary to the GPS scheme, does not exist. not rely on a random oracle model. According to this method, the message is signed using a signature verifying a relationship similar to that binding the public / entity identity, the certificate (A, e) generated by the certification authority and the element g published by the certification authority in accordance with the invention. The inventors have had the judicious idea of transposing the signature scheme of a message described in the M. bye document to the problem of identity certification of the entity 30 posed in a GPS mechanism based on identity. , in order to generate a pair of user keys compatible with a GPS authentication or signature mechanism of a message. In this way, the invention can easily be part of a low-cost cryptography logic allowing the entity to authenticate itself or to sign a message according to a GPS mechanism. For this purpose, it suffices for the verifier device in charge of authenticating the entity having a line pair of ", iitiW, ateto gt: qlorne according to the irivenift.) n do, orify icl quI nue of a message produced. by such an entity, applies a GPS type authentication or signature mechanism as described above with reference to FIG. 1 based on: the user's private key of the entity, on the element g published by the certification authority, and on a public key generated by the verifier device from the user public key of the entity according to A '- (mod n) (ah l) The invention therefore provides a secure solution to the certification of the identity of the entity as part of a GPS-type authentication or signature mechanism It should be noted that the method of generating a user key pair proposed by the invention also makes it possible to 'consider dimensions for the secret key used Reason, randomness, RSA module, etc., with an appropriate choice of the function f, so that the complexity of realization of the invention remains limited and is compatible with low cost cryptography logic. This is particularly the case when the pair (A, e) generated by the certification authority verifies: A = (h) (mod n), with d = -2 (mod (p-1) (q -11) )) and b greater than 1. The dimensions of these parameters depend, of course, on a compromise between security and complexity. However, preferentially, a low value is chosen for the integer b, such as for example b = 4, an identifier of the entity of dimension greater than or equal to 160 bits, and a secret user key s comprising at least 400 bits. . The invention is not limited to the aforementioned function f. Thus, in another embodiment of the invention, the certificate (A, e) generated by the certification authority verifies: A '= ah' v (mod n) (ie, b = 1 in this mode of production). The verifier device in charge of authenticating the entity having a user key pair generated according to this embodiment of the invention or verifying the signature of a message produced by such an entity, applies an authentication mechanism or GPS type signature based on the user's private key of the entity, on the element g issued by the certification authority, and on a public key t. generated by the verifier device from the user public key of the entity according to V = (Pym. "Io_ This solution, although very advantageous in terms of security, however, requires parameter sizes, including secret key, more In yet another embodiment, the certificate (A, e) generated by the certification authority verifies: A '= + v (mod n) The verifier device in charge of authenticating the entity having a pair generated user key according to this embodiment of the invention, or to verify the signature of a message produced by such an entity, applies a authentication or signature mechanism 10 of the GPS type based on the user private key of the entity, on the element g published by the certification authority, and on a public key generated thereon by the verifier device from the public user key of the entity according to: y = A '- li "( mod n) These examples are of course not exhaustive. Other functions providing benefits similar to those described above and which make it possible to generate a pair of user keys compatible with an authentication or GPS signature scheme can be envisaged. As a corollary, in another aspect, the invention is directed to a method of authenticating an entity having a public identifier / with a verifier device, by using a pair of user keys generated in accordance with the generation method according to the invention, the authentication of the entity being performed using a GPS type authentication scheme implemented between the entity and the verifier device. This method has both the advantages of the generation method according to the invention and the advantages of a GPS authentication method, recalled above, in terms of complexity (computing power and / or storage memory). Such a method, because of its low complexity, can be easily implemented between an RFID tag and an RFID tag reader. According to another aspect, another aspect of the invention is a method of signing a message by an entity having a public identifier I by using a pair of user keys generated in accordance with the generation method of the invention, the signature of the message being realized. using a GPS type signature scheme. This method also benefits both the advantages of the generation method according to the invention and the advantages of a GPS signature method, mentioned above. The invention relies, as mentioned above, on one hand on an entity 35 having a public identifier and seeking to authenticate itself or to sign a message according to a Gps nniquette on a ": mitorité dc". certification, telation between the public identifier of rent and its de. Thus, the invention also provides a method for obtaining by an entity having a public identifier I a pair of user keys comprising a user public key and a user private key, this method comprising: a step of generating the secret key user s from a hazard; an evaluation step from: o this secret user key; and o a public key master of a certification authority comprising an RSA module n, produced of two prime numbers p and q, an integer b greater than or equal to 1, two quadratic residues a and g modulo n, and a value h determined from a hazard z, a value y = (mod n); a step of sending the value y to the certification authority with a proof of knowledge of the secret user key according to a protocol with null disclosure of knowledge; a step of receiving the certificate authority of a certificate consisting of a pair of values (A, e), wherein e is a random associated with the public identifier I, and: Aeb = f (hi, y , n) where [is a predetermined function; and a step of obtaining the public user key from the values A and e and the identifier I of the entity. Correlatively, the invention relates to an entity having a public identifier I comprising: a module for generating a secret user key from a random; an evaluation module, able to evaluate from: o this secret user key; and o a public key master of a certification authority comprising an RSA module n, produced of two prime numbers p and q, an integer b greater than or equal to 1, two quadratic residues a and g modulo n, and a value fi determined from a hazard z, a value y = 9S (mod n); a module for sending the value y to the certification authority with a proof of knowledge of the secret user key according to a protocol with null disclosure of knowledge; a receiving module from the certification authority, a certificate consisting of a pair of values (, 1, e) in which is a random associated with the public identifier! and: = f (1-11, y, n where f is a predetermined function, and a module for obtaining a public user key from the values .1 and e and the identifier I.

The invention also relates to a method of sending by a certification authority a certificate to an entity having a public identifier / for forming a public user key for this entity, this method comprising: a step of generating a master key pair comprising: o a master public key, comprising an RSA modulus n, produced of two prime numbers p and q, an integer b greater than or equal to 1, two quadratic residues a and g modulo n, and a determined value h from a hazard z; a secret master key comprising the prime numbers p and q; a step of receiving from the entity a value y = g-5 (mod n) generated by the entity using its user private key s, and a proof of knowledge of the key secret user according to a protocol with zero disclosure of knowledge; a step of generating, from the public identifier / entity and the value y, a certificate formed of a pair of values (A, e) in which e is a random associated with the identifier public /, and: Aeb [(h ', y, n)) where f is a predetermined function; and a step of sending the certificate (A, e) to the entity. Correlatively, the invention is directed to a certification authority comprising: a module for generating a master key pair comprising: o a master public key, comprising an RSA module n, produced of two prime numbers p and q, an integer b greater than or equal to 1, two quadratic residues a and g modulo n, and a value h determined from a hazard z; O a secret master key comprising the prime numbers p and q; a receiving module from the entity of a value y = g-5 (mod n) generated by the entity using its user private key s, and a proof of knowledge of the key secret user according to a protocol with zero disclosure of knowledge; a verification module of said proof of knowledge; a generation module, from the public identifier / entity and the value y, of a pair of (A, e) in which e is a random associated with the public identifier /, and: A - = f (111, v, n) where f is a predetermined function; and a torque sending module) to the entity. The obtaining method, the sending method, the entity and the certifying authority benefit from the same advantages as mentioned above for the method of generating a pair of user keys. In a conventional manner, the differences and the sending method are implemented by a silicon chip which includes transistoists adapted to constitute logic gates of a non-programmable wired logic. This embodiment is particularly advantageous in the context of RFID tags. In another particular embodiment, the various steps of the method of obtaining and the method of sending are determined by computer program instructions. Consequently, the invention also relates to a computer program on an information medium, this program being capable of being implemented in an entity or more generally in a computer, this program comprising instructions adapted to the implementation of steps of a production process as described above.

The invention also relates to a computer program on an information medium, this program being capable of being implemented in a certification authority or more generally in a computer, this program comprising instructions adapted to the implementation steps of a sending method as described above. Each of these programs can use any programming language, and be in the form of source code, object code, or intermediate code between source code and object code, such as in a partially compiled form, or in any form what other form is desirable. The invention also relates to a computer-readable information medium, comprising instructions of a computer program as mentioned above.

The information carrier may be any entity or device capable of storing the program. For example, the medium may comprise storage means, such as a ROM, for example a CD ROM or a microelectronic circuit ROM, or a magnetic recording medium, for example a diskette (floppy disc) or a disk hard. On the other hand, the information medium may be a transmissible medium such as an electrical or optical signal, which may be conveyed via an electrical or optical cable, by radio or by other means. The program according to the invention can be downloaded in particular on an Internet type network. Alternatively, the information carrier may be an integrated circuit in which the program is incorporated, the circuit being adapted to execute or to be used in the execution of the method in question. According to another aspect, the invention also provides a system comprising: an entity having a public identifier / according to the invention; and a certification authority according to the invention; In a particular embodiment, this system further comprises a verifier device, able to authenticate the entity by applying a GPS authentication scheme or to check the validity of a signature of a message generated by the entity by applying a diagram of GPS flatness.

It can also be envisaged, in other embodiments, that the generation method, the sending method, the method of production, the system, the entity and the certification authority according to the invention present in combination all or some of the aforementioned features. BRIEF DESCRIPTION OF THE DRAWINGS Other characteristics and advantages of the present invention will emerge from the description given below, with reference to the drawings and the appendix which illustrate exemplary embodiments which are not limiting in any way. In the figures: FIG. 1, already described, schematically represents a GPS authentication scheme of the state of the art; Figure 2, already described, schematically shows a GPS authentication scheme based on the identity proposed in the state of the art; Figure 3 schematically shows a system according to the invention comprising an entity and a certification authority according to the invention in a particular embodiment; FIG. 4 illustrates the main steps of a generation method, a sending method and a method of obtaining according to the invention as they are implemented in a particular embodiment respectively by the system, the certification authority and the entity of FIG. 3; and FIG. 5 illustrates an application of the user key pair generated in accordance with the invention to a GPS authentication mechanism of the entity of FIG. 3 with a verifier device. Appendix 1 recalls the cryptographic parameter dimension recommendations of the ECRYPTII instance. DETAILED DESCRIPTION OF THE INVENTION As mentioned above, the invention proposes a secure mechanism based on the generation, by a certification authority, of a public key (A, E, I) certified for an entity and based on an entity. on its identity / (or public identifier), this public key being advantageously tamper-proof and compatible with an authentication scheme or GPS signature. More specifically, in accordance with the invention, the certification authority generates, for the public identifier I of the entity, a certificate formed of a pair of values (rl, c) where ('is a randomness specific to the public identifier I of the entity and .1 is in the form A '- 1 (Ii', o, n), where f is a predetermined function, n is an RSA module, b is an integer greater than or equal to 1 , y is a value generated by the entity using its private key s and passed to the CA, and h is a value determined by the CA from a randomly kept secret by the CA. The function f is such that no entity, without knowing the factorization of the RSA module n, can find a pair of values (A, e) satisfying the relation Ah = f (hi, y, n). the certification authority can advantageously generate such a pair of values, so that the public key (A, e, 1) generated according to the invention is infalsive Various examples of functions f are proposed in the remainder of the description for illustrative purposes. FIG. 3 represents, in its environment, a system 1 according to the invention, in a particular embodiment. This system 1 comprises an entity 2, a certification authority 3 and a verifier device 4, in accordance with the invention. In the example envisioned here, the entity 2 is an RFID tag seeking to authenticate itself to the verifier device 4, using an identity-based GPS authentication scheme as previously discussed. The verifier device 4 is here an RFID tag reader. However, no limitation is attached to the nature of the entity 2 and the verifier device 4. The invention applies to other types of systems in which an authentication mechanism between two devices or a mechanism of Signing of a message can be implemented. Thus, for example, the entity 2 may be a terminal and the verifier device 4 a server from which the entity 2 seeks to authenticate. Furthermore, although the invention has a preferred application in combination with a GPS type authentication or signature mechanism, the invention can be used in conjunction with other asymmetric cryptographic mechanisms using a certificate of a certification authority. Entity 2 has an identifier /, such as for example an electronic product code or EPC (Electronic Product Code). This identifier is public, that is to say accessible by or known to other entities, such as, for example, the certification authority 3 or by the verifier device 4. The identifier / is, in the example envisaged here , an integer of 160 bits. In the embodiment described here, the entity 2 integrates a silicon chip 2A and communication means 2B with the certification authority 3 and the verifier device 4. The silicon chip 2A comprises transistors adapted to constitute logic gates of non-programmable wired logic for executing the steps of the method of obtaining a user key pair described later with reference to FIG. 4. In another embodiment of the invention, the Entity 2 has the hardware architecture of a computer, and notably comprises a processor, a read-only memory, a random access memory, non-volatile memory and communication means (device verification device 4). Entity 2 constitutes a recording medium in accordance with the invention, readable by the processor and on which is recorded a computer program according to the invention, comprising instructions for executing ution of the steps of the method of obtaining a pair of user keys. This computer program defines, in an equivalent way, functional modules of the entity 2 able to implement the steps of the obtaining method. The certification authority 3 has, in the embodiment described here, the hardware architecture of a computer. It comprises in particular a processor 3A, a read-only memory 3B, a random access memory 3C, a nonvolatile memory 3D and communication means 3E with the entity 2. The ROM 3B of the certification authority constitutes a support for recording according to the invention, readable by the processor 3A and on which is recorded a computer program according to the invention, comprising instructions for carrying out the steps of a method of sending a certificate according to the the invention described now with reference to Figure 4, in a particular embodiment. This computer program defines, in an equivalent manner, functional modules of the certification authority capable of implementing the steps of the obtaining method. We will now describe, with reference to FIG. 4, the main steps of a method for generating a user key pair intended for the entity 2, as implemented by the system 1 in a mode particular embodiment. This generation method is based on the method of sending a certificate associated with the public identifier / of the entity 2 implemented by the certification authority 3, and on the method of obtaining a user key pair by entity 2 from this certificate. According to the invention, the certification authority 3 generates a pair of master keys comprising a master public key mpk and a master secret key msk (step G10). For this purpose, the certification authority 3 determines an RSA module n = pq, for example of 768-bit dimension, where p and q denote two prime numbers. It also chooses an integer b greater than 1, for example b = 4, and two quadratic residues a and g modulo n, i.e., a, g E Zn *. The certification authority 3 generates from these numbers and a hazard z, a value 30 h such that: hg '(mod n In the embodiment described here, the master key pair is then given by: mpk (n, y, o, h, b) and nisk = (y, j, z) The public key master nipt \ - of the certification authority 3 is published 35 The entity 7 generc one of .-) ecretic user i, sk part ii (ni) f, iitier 400 bl step G20), The tisk s.

Then it evaluates from its secret key s and the public key mpk of the certification authority 3, a value y = g-5 (mod n) (step G30). The entity 2 then sends the certification authority 3 its public identifier /, the value y and a proof of knowledge of the secret user key s according to a protocol with zero disclosure of knowledge (step G40). This protocol is based for example on a GPS type authentication scheme as described above or as illustrated in the document by Mr. Girault. Such a protocol is known per se and will not be described in more detail here. On receipt of these elements, the certification authority 3 verifies the proof of knowledge sent by the entity 2, then generates, from the public identifier / and the value y, a certificate formed of a pair of values (A, e) (step G50). More specifically, e is an integer chosen randomly by the certification authority 3 and associated with the public identifier / (i.e. a distinct integer e is chosen for each public identifier /), of 128-bit dimension here. Moreover, in the embodiment described here, the certification authority 3 generates the value A according to: A = (ahl Y) d (mod n), with d = (mod (p-1) (q-1)) . In other words, Aeb is written in the form: Aeb = f (h ', y, n) with [(h', y, n) = (mod n) and b greater than 1. Then the certification authority 3 sends the certificate (A, e) thus generated to the entity 2 (step G60). In the embodiment described here, upon receipt of this certificate, the entity 2 verifies that (step G70): v = od n).

If necessary, the user public key upk is formed from the certificate (A, e) received from the certification authority 3 and the public identifier / from the entity 2 (step G80), in other words: upk = (A, e, I). Advantageously, the user key pair (upk, usk) thus obtained by the entity 2 is compatible with an authentication or signature scheme of a GPS type message. More in (1)):: kificluernent., C..11 refle.in this Figure 5, we find out how the key pair used in this way can be easily extended to the entity. .2 to authenticate with the verifier device 4 using a GPS authentication scheme based on the public / entity identifier 2. Following the implementation of the generation method described with reference to FIG. 4 (step H10), the entity 2 thus obtains the user key pair (upk, ttsk generated in accordance with the invention (step H20) .To authenticate according to a GPS scheme with the verifier device 4, it sends to it its public key upk = (A, e, 1) certified by the certification authority 3 (step H30) On receipt of the upk public key, the verifier device 4 evaluates a new public key therein. according to: Aeh modn) using the master public key issued by the certification authority 3 (step H40). GPS authentication is then implemented between the entity 2 and the verifier device 4, in a manner similar to that described above with reference to FIG. 1, but applied to the public key y 'evaluated by the device verifier 4, to the element g published by the certification authority 3, and to the secret key usk of the entity 2 (step H50). The steps of this diagram being identical to those described with reference to Figure 1, they will not be described again here. Similarly, the entity 2 can sign a message m according to a GPS signature mechanism as described above, using the user key pair (upk, usk) generated in accordance with the invention. The verifier device 4 then verifies, upon receipt of the message m and its signature, that the signature is valid by applying the verification steps detailed previously and using as public key 1. In the preceding example, an identifier / of the entity 2 of dimension 160 bits, an RSA module n of 768 bits dimension, an integer to = and a secret key s of the entity 2 of dimension 400 bits. However, the invention is not limited to these numerical values. Other numerical values may be considered depending on the level of security required, as illustrated now. In the remainder of the description, there are: LEV, the required security level and LS a security parameter, Ln, the bit size of the RSA module n, Lz the bit size of the random number 7, LI the size in bits of the identifier I of the entity 2, Lc the size in bits of the element and the size in bits of the denial c-4 (, of the entity According to the works of Mr. Joye cited previously, the following relationships can be established between these parameters in order to maintain the LEV security level: Ln> 2 (Le + 2) (1) b (Le - 1)> Lusk + 1 (2) Ln - 4> Lusk> Lz + LI + LS (3) LE = LEV + 30 (4) Relations (2) and (3) also lead to the following relation: b (Le - 1)> Lusk> Lz + LI + LS (5) In general, the LEV, LS, Ln, Lz and LI parameters are set according to the level of security that is desired for the underlying cryptographic problems resulting from the certification proposed by the invention (ie factoring, discrete logarithms, etc.). These problems being relatively standard in the state of the art, the setting of these parameters does not pose any difficulty in itself to the skilled person. The values of the parameters Le, b and Lusk can then be set according to the values chosen for the parameters LEV, LS, Ln, Lz and LI. For example, one can choose as a secret key dimension Lusk, a dimension consistent with the recommendations of various instances in cryptography, and in particular for example by the consortium ecrypt2. These recommendations are recalled at the following URL: http://www.keylength.com/en/3/ and an excerpt is reproduced in Appendix 1. More details on these recommendations are available in the document entitled "Yearly Report on Algorithms and KeySizes (2011) ", D.SPA.17 Rev. 1.0, ICT-2007-216676 ECRYPT II, June 2011. As an illustration, according to these recommendations, if one chooses a level of security LEV = 80 bits (extract from the "symmetrical" column of the table in appendix 1), we have: Ln = 1248 bits (extracted from the "asymmetric" column of the table in appendix 1), Lz = 160 bits (extracted from the "discrete key" column of the table in appendix 1), Li = 160 bits ( extracted from the "hash" column of the table in appendix 1), LS = 80 bits (extracted from the "symmetrical" column of the table in appendix 1), and Le = 110 bits (see in application of the relation (4 )). It follows from relation (5) that b = 4 and Lusk = 400 bits. According to another example, if a LEV-128 bit security level is chosen, Ln = 3248 bits, Lz 256 bits, LI = 256 bits, LS = 128 bits, and Le = 158 bits (cf. in application of relation (4)). It follows from relation (5) that b, 5 and Lu1 = 640 bits. For example, in order to guarantee a sufficient level of security, a public identifier I is preferably chosen for the purpose of implementing the invention. entity 2 comprising at least 160 bits and a user secret key of at least 400 bits In the example illustrated in Figure 4, the certification authority 3 used in step G50 to generate the certificate (A, e), a function of the form: f (hi, y, n) = ahi v (mod n) with Aeb f (hi, v, n Il = gz (mod n) and b being greater than 1 ( This example, although very advantageous, is not, however, limiting in itself, and other functions may alternatively be envisaged.

Thus, in an alternative embodiment, the certification authority 3 generates during the step G50 a certificate (A, e) for the public identifier .4 where e is an integer chosen randomly by the certification authority 3 and associated with the public identifier / (ie a distinct integer e is chosen for each public identifier A, and the value A is generated according to: A '= (ahi v) (mod n), where the value h is a random value of the same dimension as n, determined from a randomness z. The randomness z is for example the seed of a pseudo-random generator, that is, Aeb is written as: 24'1 '= [( h ', y, n) with f (111, y, n) = ah' v (mod n) and 6 = 1 in step G10. Correlatively, on receipt of this certificate, entity 2 then checks during In step G70, it is understood that, with reference to FIG. r 4 a new public key V during step H40 according to: ah ') (nic) (111) using the master public key issued by the certification authority 3. For such a function, in s' building on the work described in 1 Camenisch et al. entitled "A signature scheme with efficient protocols", SCN'02, vol. 2576 of Lecture Notes in Computer Science, pages 268-289, Springer 2002, one can consider- (I use the parameter dimensions, 'following, with the notations introduced earlier Lii .... 1024 bits ..

LI = 160 bits, Le = 162 bits, Lusk = 1346 bits. Moreover, for an 80-bit security, Lz = 80 bits can be taken. In another variant embodiment, the certification authority 3 generates during the step G50 a certificate (A, e) for the public identifier /, where e is an integer chosen randomly by the certification authority 3 and associated with the public identifier / (ie a distinct integer e is chosen for each public identifier /), and the value A is generated according to: Ae = ( h '+ v) (mod n), where the value h is a random value of the same dimension as n, determined from a randomness z. The hazard z is for example the seed of a pseudo-random generator. In other words, As "is written in this variant in the form: Aeb = [(h ', y, n) with f (h', y, n) = (h '+ y) (mod n) and b = 1 at step G10. Correspondingly, upon receipt of this certificate, entity 2 then verifies in step G70 that: = A + h "(mod n). Furthermore, with reference to FIG. 5, the authentication of the entity 2 by the verifier device 4 is based on the evaluation by the verifier device 4 of a new public key y 'during the step H40 according to: = A '+ (mod n) 20 using the master public key issued by the certification authority 3.

Appendix 1 Excerpt from the recommendations ECRYPT 11 (2011) Symmetric level Asymmetric Discrete key Group Flash curve Logarithmic elliptic 32 2 64 816 128 816 128 128 72 1008 144 1008 144 144 4 80 1248 160 1248 160 160 96 1776 192 1776 192 192 6 112 2432 224 2432 224 224 7 128 3248 256 3248 256 256 8 256 15424 512 15424 512 512 5

Claims (16)

REVENDICATIONS1. A cryptographic method for generating a user key pair for an entity (2) having a public identifier /, the method comprising: - a step of generating (G10), by a certification authority (3), a pair of master key comprising: o a master public key, comprising an RSA module n, produced of two prime numbers p and q, an integer b greater than or equal to 1, two quadratic residues a and g modulo n, and a value h determined from a hazard z; a secret master key comprising the prime numbers p and q; a generation step (G20) by the entity (2) of a user secret key s from a random; an evaluation step (G30) by the entity (2), from the user secret key and the master public key, of a value y = g-s (mod n); a step of sending (G40) by the entity (2) this value y to the certification authority (3) with a proof of knowledge of the secret user key according to a protocol with null disclosure of knowledge; a generation step (G50) by the certification authority, based on the public identifier / entity and the value y, of a certificate consisting of a pair of values (A, e) in which e is a randomness associated with the public identifier I and: Aeb = f (hi, y, n) where f is a predetermined function; and a step of sending (G60) the certificate (A, e) to the entity by the certification authority; these steps resulting in obtaining (G80) a user key pair for the entity comprising the user secret key s and a user public key formed from the values A and e and the identifier / entity . 2. Method according to claim 1 wherein: h = g '(mod n), and A = (ah' (mod n), with d = - (p - 1) (ci - 1)) and b greater than 1 . The method of claim 1 or 2 further comprising a step of verification (G70) by the entity (2) that: 4. Method according to any one of claims 1 to 3 wherein the public identifier I comprises at least 160 bits. 5. Method according to any one of claims 1 to 3 wherein the secret user key s comprises at least 400 bits. 6. The method of claim 1 wherein: ile = ah 'v (mod n). 10 7. Method according to any one of claims 1 to 6 wherein the zero knowledge disclosure protocol is based on a GPS type authentication scheme. 8. A method of authenticating an entity (2) having a public identifier / from a verifier device (4), using a user key pair generated according to the generation method according to any one of claims 1 at 7, the authentication (H50) of the entity (2) being performed using a GPS type authentication scheme implemented between the entity and the verifier device. 20 9. A method of signing a message by an entity (2) having a public identifier / using a user key pair generated according to the generation method according to any one of claims 1 to 7, the signature of the message being realized using a GPS type signature scheme. 25 10. Method of obtaining by an entity (2) having a public identifier I of a user key pair comprising a user public key and a user private key, this method comprising: a step of generating (G20) the secret key users from a hazard; an evaluation step (G30) starting from: 30 0 of this user secret key; and 0 of a public key master of a certification authority (3) comprising an RSA module n, produced of two prime numbers p and q, an integer b greater than or equal to 1, two quadratic residues a and p modulo n, and a value h determined from a random value .7, of a value nod n); a step of sending (G40) the value y to the certification authority (3) with a proof of knowledge of the secret user key according to a protocol with zero disclosure of knowledge; a step of receiving (G60) the certification authority (3) of a certificate consisting of a pair of values (A, e), in which e is a random associated with the public identifier /, and: Aeb (hl y, n), where f is a predetermined function; and a step of obtaining (G80) the user public key from the values A and e and the identifier / entity. 10 11. A method of sending by a certificate authority (3) a certificate to an entity (2) having a public identifier / for forming a user public key for that entity, said method comprising: a generation step ( G10) of a master key pair comprising: a master public key, comprising an RSA modulus n, produced of two prime numbers p and q, an integer b greater than or equal to 1, two quadratic residues a and g modulo n , and a value h determined from a hazard z; 0 a master secret key comprising the prime numbers p and q; a receiving step (G40) from the entity of a value y = gs (mod n) generated by the entity using its user private key s, and a proof of knowledge of the secret user key according to a protocol with zero disclosure of knowledge; a generation step (G50), from the public identifier / entity and the value y, of a pair of (A, e) in which e is a random associated with the public identifier /, and: Aeb [(h ', y, n), where f is a predetermined function; and a step of sending (G60) the pair (A, e) to the entity. 12. Entity (2) having a public identifier / comprising: a module for generating a secret user key s from a random; An evaluation module, able to evaluate from: c. this secret user key; anda public key master of a certification authority comprising an RSA module n, produced of two prime numbers p and g, an integer h greater than or equal to 1, two quadratic residues n and q modulo n, and a value / determined from a hazard a value mr, d); a modi fi cation of the value L to the certification authority with the permission of the secret user according to a protocol with no disclosure of knowledge, a receiving module from the certifying authority, a certificate consisting of a pair of values (A, e) in which e is a random associated with the public identifier /, and: = fn where f is a predetermined function, and a module for obtaining a key public user from the values A and e and the identifier I. A certification authority (3) comprising: a module for generating a master key pair comprising: a master public key, comprising an RSA module n, produced of two prime numbers p and q, a higher integer b or equal to 1, two quadratic residues a and g modulo n, and a value h determined from a hazard z; a secret master key comprising the prime numbers p and q; a receiving module from the entity of a value y = gs (mod n) generated by the entity using its user private key s, and a proof of knowledge of the user secret key according to a protocol with zero disclosure of knowledge; a verification module of said proof of knowledge; a generation module, from the public identifier / entity and the value y, of a pair of (A, e) in which e is a random associated with the public identifier /, and: Aeb = f (h1, y, n), where f is a predetermined function; and a module for sending the pair (A, e) to the entity. A system (1) comprising: - an entity (2) having a public identifier / according to claim 12; and - a certification authority (3) according to claim 13; 15. System (1) according to claim 14 further comprising a verifier device (4), able to authenticate the entity (2) by applying a GPS authentication scheme or to verify the validity of a signature of a message. generated by the entity (2) by applying a GPS signature scheme. A computer program comprising instructions for performing the steps of the obtaining method according to claim 10 or the sending method according to claim 11 when said program is executed by a computer.