JPH1069222A - Ic card - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an IC card capable of preventing the contents of key information used for ciphering processing or deciphering processing when response information for a command is transmitted from being estimated. SOLUTION: In this IC card provided with a CPU and a memory accessible by the CPU, performing the ciphering processing or deciphering processing of the data by using the key information stored in the memory based on an external command and transmitting the response information related to the result to the outside, the delay processing delaying (S314-S316) the transmission time of the response information is executed so as to make lose a correlation with the contents of the key information while or before/after executing the ciphering processing or deciphering processing.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an IC card for encrypting or decrypting data according to an external command.

[0002]

2. Description of the Related Art In recent years, an IC card has attracted attention as a new information storage medium replacing a magnetic card. Especially,
An IC card having a built-in CPU has not only a function as an information storage medium but also an information processing function and can realize a high level of security, and is therefore expected to be used in various fields of a highly information-oriented society. . Generally IC
The card has a built-in nonvolatile memory such as an EEPROM, and information is stored as a file in the EEPROM. To access the EEPROM, an external command is given to the IC card, and the command is stored in the built-in C card.
This is performed by the PU interpreting and executing. Each file has a predetermined access condition set in advance.
U accesses the file only when the command argument satisfies the access condition. As a result, the IC card can be illegally EEPRO
M data is prevented from being falsified or stolen.

Further, in the IC card system, when data is transmitted and received between the IC card and the reader / writer, the data is encrypted. This is to prevent the contents of the communication signal between the reader / writer and the IC card from being stolen even if the information is illegally acquired by a third party. FIG. 8 is a diagram illustrating transmission of information from an external device such as a reader / writer to an IC card. The external device performs a predetermined encryption process on the plaintext A to obtain the ciphertext X, and transmits this to the IC card. The IC card decrypts the ciphertext X by performing a decryption process corresponding to the encryption process used by the external device. When the decryption processing is completed, the IC card edits the response information indicating that the processing has been completed, and transmits this to the external device. Further, the external device receives the response information and ends a series of processing.

[0004] Normally, plaintext encryption is performed by calculating a mathematical expression using plaintext and predetermined key information as variables. Typical examples of such encryption methods currently proposed include, for example, R.I. L. Rivest, A .; S
Hamir, and L.M. M. Adleman. "A
method for observing digit
tal signatures and public
-Key cryptosystems "(Commu
nations of the ACM, Vol.
21, no. 2: pp. 120-126, Feb. , 1
978). The RSA encryption is a so-called asymmetric key encryption method in which key information used when encrypting a plaintext is different from key information used when decrypting an encrypted text. Of the two types of asymmetric key information, one is used as a secret key secretly stored in a EEPROM or the like of an IC card for a third party, and the other is used as a public key widely disclosed to a third party.

[0005] The decryption processing of the RSA encryption is performed by the equation "A = X ^Y
(Mod N) ". Where A is plaintext,
X is a ciphertext, Y is a secret key, and N is a public key. As is clear from the above equation, in the RSA encryption, the decryption process is performed by calculating the power remainder. Therefore,
The complexity is usually very large. For this reason, when executing the RSA encryption, a calculation algorithm for reducing the calculation of the modular exponentiation is usually used. As a calculation algorithm for reducing the calculation amount of the power-residue, for example, “binary power calculation method” is known (DEKn).
uth. The Art of Computer P
rogaraming, volume 2, Semi
numerical Algorithms. Addi
son-Wesley, 2nd edition, 19
81).

For the calculation of the RSA encryption, a calculation algorithm called the Montgomery method, which makes it possible to perform the remainder operation with a small amount of calculation by applying the “power binary calculation method”, is used (P. L. Montgo
merge. "ModularMultiplicati
on with Trial Divisio
n ", Mathematicals of Computa
tion, Vol. 44, no. 170, pp. 519
-521, Apr. , 1985). Montgo
In the mery method, the calculation of the power remainder “A = X ^Y (mod N)” is executed by the algorithm shown in FIG.

First, four values of N, X, Y and R are inputted (S902). Here, X is 0 <X <for N.
The relationship of N is satisfied. Moreover, the private key Y is the binary representation shall be expressed as _{Y = e j e j-1} ··· e 2 e 1. However, e _i denotes the value of the i-th bit. R
Is a numerical value defined as R = 2 ^j using the number of bits j of Y. Next, from the input numerical value, Montgomer
The y remainders A ^* and B ^* are obtained (S904). Mont
The remainder is a remainder “a (mod
n)) so that “a ^* = ar (mod
n) ". Where n is k-bi
ts is an integer, 2 ^k-1 ≤n <2 ^k , r = 2 ^k , gc
d (r, n) = 1.

Next, Montg for each bit of the exponent Y
The calculation of the primary product is performed (S906 to S91).
2). That is, when the exponent Y is composed of j bits, the calculation of the Montgomery product in S910 is j
It is executed repeatedly. The Montgomery product is defined as “MonPro (a ^* , b ^* ) = a ^* b ^* r
^-1 (mod n) ". FIG.
9 is a flowchart showing processing contents of a Montgomery product. S1002 and S1 for the Montgomery product
006 are included. The calculation process in S1002 is always performed for each bit of the exponent Y, regardless of whether it is 1 or 0. On the other hand, S100
The arithmetic processing of No. 6 is executed only for one of the bits constituting the exponent Y. Mont in FIG.
When the iterative calculation of the goaly product (S906 to S912) is completed for all the bits constituting the exponent Y, the Montgomery product for A ^* and 1 is executed (S914). As a result, the plaintext A obtained by decrypting the ciphertext X is obtained, and a series of decryption processing ends.

[0009]

As described above, in the decoding processing of the conventional IC card, 1 is set for each bit digit of the exponent Y displayed in binary, The content of the processing is different from the one without. That is, in the processing in FIG. 10, if the corresponding bit is 1, two steps of S1002 and S1006,
If the corresponding bit is 0, calculation of only one step of S1002 is performed. Therefore, the time required for the decoding process depends on the number of 1 bits in the exponent of the exponent, and becomes longer as the number of 1 bits increases.

[0010] For this reason, the third party sets the time required by the IC card for the decryption processing to be shorter than the time from when the command for instructing the IC card to decrypt the ciphertext to when the response is returned. It was possible to estimate the ratio of 1 bit and 0 bit in the exponent (exponent key) Y of the modular exponentiation calculation from the obtained time and the obtained time. That is, the conventional IC card has a problem in that the content of the secret key Y is decrypted from the time of transmitting the response, and the security of the IC card may be harmed.

[0011] Therefore, an object of the present invention is to prevent the contents of key information used for encryption processing or decryption processing from being inferred from transmission of response information to an external command.
To provide a C card.

[0012]

According to a first aspect of the present invention, there is provided an information processing apparatus comprising a CPU, a memory accessible by the CPU, and a key stored in the memory in accordance with an external command. An IC card that performs data encryption or decryption processing using information and transmits response information relating to the result to the outside has delay means for delaying the transmission of the response information, By executing the delay unit during or before or after execution of the decryption processing, the correlation between the content of the key information and the time of transmitting the response information is lost.

According to a second aspect of the present invention, in the IC card according to the first aspect, the delay means is executed by the CPU for a random time and is substantially unrelated to the encryption processing or the decryption processing. It is characterized by arithmetic processing. The “substantially irrelevant process” refers to a process that can normally execute an encryption process or a decryption process without performing the process. Also, "run at random time"
This means that a process that requires a certain time is executed randomly a number of times, or a process whose execution time is randomly determined once or twice or more is executed.

According to a third aspect of the present invention, in the IC card according to the first aspect of the present invention, the IC card has a timer for notifying the elapse of a predetermined time. Up to this point, the start or continuation of the encryption process or the decryption process is interrupted. According to a fourth aspect of the present invention, in the IC card according to any one of the first to third aspects, the delay unit performs the encryption or decryption regardless of the bit configuration of the key information. It is characterized in that the time required for processing is constant.

[0015]

Embodiments of the present invention will be described below in more detail with reference to the drawings. (First Embodiment) A first embodiment according to the present invention relates to an IC card capable of encrypting plaintext or decrypting ciphertext using RSA, which is an asymmetric key encryption method. is there. In the present embodiment, the encryption process or the decryption process by the RSA is performed by the Montgomery shown in FIG.
It is performed according to the calculation algorithm by the method. FIG. 1 is a diagram showing a configuration of an IC card according to the present embodiment. FIG.
As shown in FIG. 1, an IC card 10 includes a ROM 12 that is a read-only memory and a RAM 1 that is a volatile memory.
4. EEPROM that can be rewritten at any time
M16, a CPU 18 for accessing these memories, and a timer module 20 are provided. The timer module is a timepiece that operates independently of the operation of the CPU 18 and notifies the CPU 18 of an interruption when a designated time has elapsed.

The IC card 10 has an I / O line for exchanging electric signals and the like with a reader / writer (not shown). When the IC card is inserted into the reader / writer, the contact of the reader / writer is connected to this I / O line, and transmission and reception of electric signals are performed. The command is given to the CPU 18 via the I / O line. The command is information sent from the reader / writer to the IC card and is used to cause the IC card to perform a predetermined operation. When the command is given, the CPU 18
2 or by executing a program stored in the EEPROM 16 to process the command.

FIG. 2 is a diagram showing a format of an RSA_CALC command which is one of the commands used in the present embodiment. The RSA_CALC command is a command that causes the IC card 10 to decrypt the ciphertext and return the resulting plaintext as a response. RS
The first 5 bytes of the A_CALC command are CLA indicating the class of the command, INS indicating the type, parameters P1 and P2 of the command, and LC indicating the length (number of bytes) of the following DATA. DATA after the sixth byte is ciphertext X to be decrypted. The one-byte data LE following the DATA is the expected value of the response. In this embodiment, the value of LE is set so that all of the encrypted or decrypted data is returned as a response with a maximum of 256 bytes.

FIG. 3 is a flowchart showing the operation of the IC card 10 when executing the RSA_CALC command.
When the RSA_CALC command is received, first, RS
The ciphertext X is obtained from the data of A_CALC, and the public key N, the secret key Y, and the constant R stored at a predetermined address of the EEPROM are read (S30).
2). Next, Montgome is obtained from the obtained numerical value.
The ry remainders A ^* and B ^* are calculated (S304). Further, the counter i is set to the number of digits (number of bits) j of the secret key Y displayed in binary (S306). Next, it is determined whether the counter i is greater than 0 (S308).

As a result of the determination in S308, the counter i is 0
If the value is larger, it means that there is a bit of the bits constituting the secret key Y for which the Montgomery product has not been calculated yet. In this case, the CPU 18
Executes the Montgomery product calculation for the bit of the digit indicated by the counter i at that time (S31).
0). In S310, the same processing as that described in S910 of FIG. 9 is performed. At the same time as starting the process of S310, the CPU 18 calls the timer module 20 by designating a predetermined time (S312). Here, the predetermined time refers to the bit in which 1 is set, the value of Mo in S310.
The time equal to or longer than the time required to execute the ntgomery product. This allows the CPU
In parallel with 18 executing the process of S310, the timer module 20 counts a predetermined time.

After ending the processing in S310, the CPU 18 waits until there is an interrupt from the timer module 20 (S314). If there is an interrupt, C
The PU 18 decrements the counter i by 1 (S
316) Then, the processing from S308 to S316 is repeated. On the other hand, in S308, the counter i indicates “i>
If the condition of “0” is not satisfied, it means that the Montgomery product has been calculated for all the bits constituting the secret key Y. In this case, the CPU 18
Is the Montg for A ^* and 1 shown in S318.
The calculation of the "omery product" is executed to obtain the plaintext A. Further, the CPU 18 edits the response information indicating that the RSA_CALC command has been normally processed, and transmits this to the reader / writer (S320).

As described above, in the IC card of this embodiment, when the Montgomery product of S310 is executed in order to perform the ciphertext decryption processing, the timer module is simultaneously called to measure a certain time. Until the fixed time elapses, even if Mont
Even if the calculation of the goaly product has been completed,
The following processing is not executed. Thus, in the present embodiment, the calculation time of the decryption processing is always constant regardless of the bit configuration of the secret key Y.
The time from when the RS 0 receives the RSA_CALC command until when it returns a response is also constant regardless of the contents of the secret key. Therefore, in the present embodiment, the bit configuration of the secret key is not estimated than when the response is transmitted, and it is possible to provide an IC card with extremely high security.

Second Embodiment Next, a second embodiment according to the present invention will be described.
An embodiment will be described. In the following description, portions that perform the same functions as in the first embodiment will be denoted by the same reference numerals, and redundant description will be omitted as appropriate. FIG.
FIG. 2 is a diagram illustrating a configuration of an IC card 30 according to the embodiment. I
The C card 30 is different from the IC card 10 of the first embodiment in that the C card 30 does not have the timer module 20 but has a coprocessor 32 and causes the coprocessor 32 to execute the calculation of the Montgomery product. Also, I
The C card 30 decrypts the cipher text X by transmitting the RSA_CALC command from the reader / writer similarly to the IC card 10, and transmits a response to that effect to the reader / writer when the command processing is completed. The decryption process is performed based on the RSA encryption as in the first embodiment, and the calculation of the RSA encryption is performed according to the algorithm of the Montgomery method.

FIG. 5 is a flowchart showing the operation of the IC card 30 when executing the RSA_CALC command.
5, steps S502 to S508 correspond to step S302 in FIG.
To S308, and the IC card 30
There is no difference in operation between the IC card 10 and the IC card 10. S508
When the counter i satisfies the condition of “i> 0”,
The CPU 18 transfers the values of A ^* , B ^* , N, and R and the value of the corresponding bit of the secret key Y to the coprocessor 32.
The coprocessor 32 that has received the value such as A ^* executes the calculation of the Montgomery product shown in FIG. The present embodiment allows the coprocessor to perform the calculation of the Montgomery product in this manner, thereby enabling the decoding process to be performed at a higher speed.

On the other hand, the coprocessor 32 is a Montgo
During the calculation of the "mery" product, the CPU 18 performs a loop calculation having a content unrelated to the decoding process a predetermined number of times (S512). Here, the predetermined number of times means that the CPU 18 determines in S5
The time required for the processing in step S12 is determined by the coprocessor 32 as S51.
It means the number of times sufficient to make it equal to or longer than the maximum time required for processing 0. When the loop calculation of S512 ends, the CPU 18 decrements the counter i by 1, and thereafter repeats the processing of S508 to S514. The repetition of the processing from S508 to S514
The process is continued until the condition of “i> 0” is not satisfied in 508, that is, until the process of S510 is performed on all bits forming the secret key Y. On the other hand, S
If the condition of “i> 0” is no longer satisfied in 508, the same processing as S318 and S320 in FIG. 3 is executed (S516 and S518), and a series of decoding processing ends.

Third Embodiment Next, a third embodiment according to the present invention will be described.
An embodiment will be described. FIG. 6 shows an IC of the present embodiment.
FIG. 3 is a diagram showing a configuration of a card 40. The IC card 40
The IC card 10 of the first embodiment differs from the IC card 10 of the first embodiment in that neither the timer module 20 nor the coprocessor 32 is provided.
This is different from the IC card 30 of the embodiment.

FIG. 7 is a flowchart showing the operation of the IC card 40 when executing the RSA_CALC command.
The operation of the IC card 40 when executing the RSA_CALC command is the same as the operation of the IC card 10 shown in FIG. 3 from S302 to S708 from S702 to S708. In S708, the counter i is set to “i
If the condition of “> 0” is satisfied, the CPU 18 executes the calculation of the Montgomery product shown in FIG. 10 (S71).
0). When the calculation of the Montgomery product is completed, C
The PU 18 generates a random number (S712), and executes a predetermined loop calculation the number of times corresponding to the obtained random number (S7).
14). The predetermined loop calculation is a calculation having contents irrelevant to the decoding process, similarly to the loop calculation in S512 of FIG.

When the loop calculation in S714 is completed, the CP
U18 decrements the counter i by one, and then mounts Mont for all bits constituting the secret key Y.
Until the calculation of the goaly product is performed, from S708 to S7
The processing up to 16 is continued. Further, from S708 to S71
When all of the processes up to step S4 are completed, S318 and S3 in FIG.
20 are executed (S718, S720), and a series of decoding processes ends.

As described above, in the present embodiment, S
After the calculation of the Montgomery product at 710, a loop calculation is performed. Therefore, at the end of the decryption process,
At the time of transmitting the response in S720 and S720, the response is delayed by the time for performing the loop calculation. Moreover, since the number of times the loop calculation is performed is randomly determined by random numbers,
The length of the delay is uncertain. Therefore, in the present embodiment, there is no correlation between the time when the response is transmitted and the calculation time of the Montgomery product performed in S710. It is impossible to predict the bit configuration of Y.

(Other Embodiments) The present invention is not limited to the above embodiment. The above embodiment is an exemplification, and has substantially the same configuration as the technical idea described in the scope of the claims of the present invention. It is included in the technical scope of the invention.

For example, in the above-described embodiment, an example has been described in which the ciphertext is externally provided to the IC card and the ciphertext is decrypted. It may be encrypted. Also, in the above embodiment, the IA using the RSA encryption is used.
Although the C card has been described, this does not limit the technical scope of the present invention in any way. The technical idea of the present embodiment is widely applied to an IC card that performs encryption or decryption processing using key information, and the time required for the encryption or decryption processing depends on the bit configuration of the key information. Applicable. Further, in the above-described embodiment, the process for delaying the end of the decoding process and the transmission of the response signal is performed during or after the execution of the decoding process. May be executed before the execution of.

[0031]

As described above in detail, according to the present invention, when the response information is transmitted, there is no correlation with the content of the key information, so that the content of the key information is estimated by a third party,
There is no risk that the security of the IC card is harmed.

[Brief description of the drawings]

FIG. 1 is a diagram showing a configuration of an IC card 10 according to a first embodiment of the present invention.

FIG. 2 is a diagram showing a format of an RSA_CALC command.

FIG. 3 is a diagram showing an I when executing an RSA_CALC command;
4 is a flowchart showing the operation of the C card 10.

FIG. 4 is a diagram showing a configuration of an IC card 30 according to a second embodiment of the present invention.

FIG. 5 shows I when executing an RSA_CALC command.
4 is a flowchart showing the operation of the C card 30.

FIG. 6 is a diagram showing a configuration of an IC card 40 according to a third embodiment of the present invention.

FIG. 7 is a diagram showing an I when executing an RSA_CALC command;
4 is a flowchart showing the operation of the C card 40.

FIG. 8 is an explanatory diagram showing a state when information is transmitted from an external device such as a reader / writer to an IC card.

FIG. 9 is a diagram showing an algorithm for calculating a modular exponentiation by the Montgomery method.

FIG. 10 is a flowchart showing processing contents of a Montgomery product.

[Explanation of symbols]

 DESCRIPTION OF SYMBOLS 10 IC card 12 ROM 14 RAM 16 EEPROM 18 CPU 20 Timer module 32 Coprocessor

──────────────────────────────────────────────────続 き Continued on the front page (51) Int.Cl. ⁶ Identification number Agency reference number FI Technical display location H04L 9/08 H04L 9/00 601Z 9/10 621A 9/30 663A

Claims (4)

[Claims] 1. A CPU comprising: a CPU; and a memory accessible by the CPU, wherein data is encrypted or decrypted using key information stored in the memory in accordance with an external command, and a response relating to the result is performed. An IC card that transmits information to the outside, comprising: a delay unit that delays transmission of the response information; and executing the delay unit during or before or after execution of the encryption or decryption processing. An IC card, wherein the correlation between the content of the key information and the time of transmitting the response information is lost. 2. The IC card according to claim 1, wherein the delay unit executes the CPU for a random time.
An IC card, which is an arithmetic process that is substantially unrelated to the encryption process or the decryption process. 3. The IC card according to claim 1, further comprising a timer for notifying the elapse of a predetermined time, wherein the delayer is configured to execute the encryption processing or the CPU until the CPU receives the notification from the timer. An IC card characterized by interrupting the start or continuation of the decryption process. 4. One of claims 1 to 3
3. The IC card according to claim 1, wherein the delay unit keeps the time required for the encryption process or the decryption process constant regardless of the bit configuration of the key information.