WO2001098875A2 - Validation method and device - Google Patents

Validation method and device Download PDF

Info

Publication number
WO2001098875A2
WO2001098875A2 PCT/GB2001/002682 GB0102682W WO0198875A2 WO 2001098875 A2 WO2001098875 A2 WO 2001098875A2 GB 0102682 W GB0102682 W GB 0102682W WO 0198875 A2 WO0198875 A2 WO 0198875A2
Authority
WO
WIPO (PCT)
Prior art keywords
smart card
software
digest
ifd
encrypted
Prior art date
Application number
PCT/GB2001/002682
Other languages
French (fr)
Other versions
WO2001098875A3 (en
Inventor
Martyn Gilbert
Original Assignee
Amino Holdings Limited
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Amino Holdings Limited filed Critical Amino Holdings Limited
Priority to AU2001274245A priority Critical patent/AU2001274245A1/en
Publication of WO2001098875A2 publication Critical patent/WO2001098875A2/en
Publication of WO2001098875A3 publication Critical patent/WO2001098875A3/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2153Using hardware token as a secondary aspect

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Telephonic Communication Services (AREA)

Abstract

A validation method uses an interface device and a smart card. In operation, software received by the interface device together with an encrypted digest is validated by passing the encrypted digest to the smart card where it is decrypted. A digest of the software is generated and compared with the decrypted digest on the smart card and if the two digests agree, the smart cared confirms to the interface device that the software is valid.

Description

Validation Method and Device
This invention relates to a validation method using an interface device controlled by a smart card and to devices employing the method.
One known method of controlling access to information and services is to employ an interface device (IFD) together with a smart card.
In systems of this type the interface device controls access to information and requests for services and allows access to information or the sending of requests for services only if the presence of a valid smart card connected to the interface device is confirmed. Typically, the smart card carries one or more digital passwords and the IFD allows access to information and the issuing of requests for services only if the correct passwords are received from the smart card.
In a different approach offering a higher level of security digital passwords or encryption/decryption keys from the smart card are actually required by the IFD in order to function. For example, the issue of a password or key from the smart card may be necessary to allow the interface device to decrypt received encrypted data to be provided to a user. In such a system the IFD itself does not know what the passwords or keys from the smart card should be but the issue of the correct password is effectively confirmed by the successful decryption of the encrypted data. Smart cards are portable devices having on-board memory and/or processing capacity. They are commonly produced in the approximate size and shape of a credit card, hence the term smart cards, but in practice can be made in any convenient shape for a particular task.
One advantage of smart card systems is that the provision of access to information and services authorised by the smart card can be separated from interface device to which the smart card is attached. For example, organisations having a computer network may allow access through terminals provided with interface devices which are physically accessible to all personnel, with the degree of access to information held on the system and authority to issue instructions through the system being controlled by smart cards issued to individuals which must be inserted into IFD's associated with the terminals. Also, hardware including the IFD to allow access to information provided by an information provider on a subscription basis may be too expensive and bulky for regular replacement of the IFD's to prevent unauthorised access by lapsed subscribers to be practical . In such systems the issue and periodic replacement of time limited smart cards to individual subscribers or the periodic issue and replacement of smart cards to all subscribers is practical because of the low cost and small size of the smart cards.
In many applications it is desirable for the software within the IFD to be alterable or updateable by the information service provider which has provided the IFD and smart card, or by someone they have authorised. Such alteration or updating of the IFD software can be carried out by uploading software from the information service provider along the communications link.
One problem with allowing amendment or updating of the IFD software by uploading is the risk that the IFD software could be subject to unauthorised alterations, for example to alter the IFD programming to allow it be used to make cryptographic attack on the smart card or to simply delete or alter the IFD software to disable the IFD. In the first case, it is of course possible that the user themselves may attempt to reprogramme the IFD to allow cryptographic attack on the smart card.
Accordingly, it is important that any software to be loaded into the IFD is validated to ensure that it is authorised software before the software replaces existing IFD software and is used.
The present invention is intended to overcome this problem, at least in part, by providing a method and apparatus for such validation.
In a first aspect, this invention provides a validation method using an interface device and a smart card, in which software to be executed by the interface device together with encrypted data including an encrypted digest of the software is received by the interface device; a digest of the received software is calculated; the encrypted digest is loaded onto the smart card; the encrypted digest is decrypted by the smart card; and the calculated digest and the decrypted digest are compared by the smart card in order to validate the received software.
In a second aspect, this invention provides an interface device comprising smart card interface means able to communicate with a smart card and communications means; the device is suitable for receiving software and an encrypted digest thereof by the communications means, passing the encrypted digest in encrypted form to a smart card by the interface means and executing the software only after a validation signal generated by the method of any preceding claim is received by the interface means from the smart card.
In this description references to data or software being unencrypted should be understood only as meaning that the level of encryption handled by the smart card has been decrypted or not yet applied. It is of course possible that this "unencrypted" data has had another level of encryption or encoding applied to it elsewhere.
The invention will now be described by way of example only with reference to the accompanying diagrammatic Figure, in which:
Figure 1 shows a system arranged to validate received software according to the invention.
In the present invention an interface device 1 can be connected to a system or communications network through a communications path 2. The IFD 1 is provided with physical and electrical connections to allow a smart card 5 to be connected to and powered from the IFD 1. Such physical and electrical connections are themselves well known and need not be described in detail herein.
Preferably, a user input device 3 such as a keypad is connected to the interface device 1 in order to allow the user to make request for information to the IFD 1. Further, a display device 4 may be connected to the IFD 1 to display information provided by the IFD 1.
The key difference between the system of the present invention and known systems is that validation of software or instructions is carried out based on decryption and comparison internally within the smart card 5 itself rather than being carried out by the IFD 1 using encryption keys issued by the smart card 5.
An example of the interaction between the IFD 1 and smart card 5 is as follows. Where a request for services is made by the user, the logical data path 4 followed by the request is shown by the dashed line 6 in Figure 1.
The request, which may be a request for access to information or a request for services be provided, is generated by the user using the keyboard 3. This request is sent to the IFD 1 which sends it on to the smart card 5. The request is encrypted by an encryption/decryption element 7 of the smart card 5 and the encrypted request returned to the IFD 1. The IFD 1 then sends the encrypted request to another part of the system or to a separate informational service provider along the communications link 2.
The reverse process is carried out when information is provided to the user, again from another part of host system or from a separate external information provider and the logical data path is shown by the dashed line 8 in Figure 1.
The encrypted information is received by the IFD 1 along the communications link 2 and the encrypted information is supplied to the smart card 5. The encryption/decryption element 7 of the smart card 5 then decrypts the received information and passes the decrypted information back to the IFD 1. The decrypted information is then supplied to the display 4 and displayed to the user.
Thus, the IFD 1 cannot display received information or send requests for information or services without a smart card 5 being present. Further, because the actual encryption and decryption is carried out by the smart card 5, it is not possible to break the security of the system by reading passwords provided by one smart card and providing these passwords to other IFD's 1.
The security or quality of the encryption employed by the system can be altered as required simply by replacing the smart card 5. The IFD 1 only has to transfer encrypted and decrypted data to and from the smart card 5 and does not carry out any encryption or decryption itself and accordingly no changes to the IFD 1 are needed when the encryption level of the smart card 5 is changed. It should be understood that the dashed lines 6 and 8 show logical data paths only. Although the physical path followed by the data will be similar, it need not be identical. For example, there may a single set of connections carrying all data input to and from the smart card 5.
According to the invention, validation of software can be carried out as follows.
The new software purporting to be intended to be loaded into the IFD 1 is uploaded along the communications link 2 together with an encrypted digest signed or encrypted with an encryption key of an agency authorised to alter the IFD 1 software, which may be a private encryption key. The smart card 5 contains the agency's certificate which includes the agency's encryption key required to decrypt the digest which may be a public encryption key.
The digest is derived from the software. Usually the digest will be smaller than the original software, but this is not essential .
A digest of the purported software which has been uploaded is calculated from the uploaded software and compared with a decrypted version of the encrypted digest which was uploaded with the software. Only if the calculated and decrypted digests agree is the upload regarded as authorised and incorporated into the software of the IFD 1. The term incorporated is used because the uploaded software could be intended to be added to existing software or to replace it or both.
The digest of the uploaded software could be calculated by the IFD 1 or the smart card 5 and both options will now be described.
In both methods the purported new software is uploaded along communications link 2 into the IFD 1 and is stored in an IFD memory 9.
In the first method, the IFD 1 calculates the digest of the uploaded software held in the memory 9 and sends the digest result to the smart card 5 together with the encrypted digest which was downloaded together with the software .
The smart card 5 then uses an encryption key of the software issuing agency held in a memory 10 of the smart card 5 to decrypt the encrypted digest. This may be a public encryption key. The smart card 5 then compares the calculated digest and decrypted digest and if they are the same the smart card 5 confirms to the IFD 1 that the uploaded software is valid.
If the smart card 5 confirms that the uploaded software is valid the software is incorporated into the IFD 1 operating software as appropriate. If the smart card 5 does not confirm that the uploaded software is valid, it is rejected and some alert notifying that an attempt to make authorised alterations to the IFD 1 software has occurred may be issued. In the second method, the IFD 1 passes the purported uploaded software held in memory 9 to the smart card 5 together with the encrypted digest which accompanied the upload. The smart card 5 then calculates the digest of the uploaded software and compares this with a decryption of the encrypted digest which is decrypted using the encryption key held in the memory 10. This may be a public encryption key. If the calculated and decrypted digests agree, the smart card 5 confirms to the IFD 1 that the software is valid. The IFD 1 then responds to the confirmation or lack of confirmation as above .
In both methods security is maintained because the decrypted version of the uploaded encrypted digest and the key required to decrypt it exist within the smart card 5 only and are not transmitted to the IFD 1.
1
The above description is intended as a simple example only and it will be understood that many other things could be connected to the IFD 1. In particular, the user input device 3 instead of being a keyboard could itself be a computer system or device issuing requests for information services to the IFD 1 when used by user or automatically. Similarly, the display device 4 could be a conventional VDU or could be a more complex system to which data is provided.
The user input device 3 and display device 4 are not essential for the invention and may not be needed in some applications . One example of a system according to the invention could be where the IFD was incorporated into a television set top box and in this case the requests for information would be requests for particular programs and would be generated by the television in response to user requests and the received information would be encrypted program data which would be displayed on the TV screen after decryption.
The smart card 5 has been illustrated as containing an encryption/decryption element 7 and as including a memory 10 to retain encryption keys. It should be understood that these illustrations are only intended to aid in understanding the invention and do not imply any particular physical arrangement for the smart card 5. In practice, the decryption function of the smart card 5 could be provided by a number of separate elements which may include one or more memory elements.
It is normal and convenient for the encrypted digest to be downloaded together with the software to be validated. However, this is not essential provided that the IFD is able to match the encrypted digest with the correct piece of downloaded software .
In the present application the term smart card is used for clarity because this term is commonly used to refer to devices having onboard processing capacity and/or memory. However, this should not be regarded as implying any particular physical form for the smart card 5. -lilt is expected that the most common and convenient method of connecting the smart card 5 to the IFD 1 to allow data and power transfer will be conductive contact. However, the invention is applicable to other forms of data and power transfer.
In order to carry out the invention, the smart card 5 only needs to be able to carry out decryption. The described embodiment uses a smart card able to carry out encryption and decryption. This is preferred in order to allow the smart card to provide other encryption based services to the IFD 1.
The term encryption key is used above to refer to keys intended both for encryption and decryption for convenience.
This description is given by way of example only and the skilled person will understand that the invention could be carried out in other ways .

Claims

1. A validation method using an interface device and a smart card, in which software to be executed by the interface device together with encrypted data including an encrypted digest of the software is received by the interface device; a digest of the received software is calculated; the encrypted digest is loaded onto the smart card; the encrypted digest is decrypted by the smart card; and the calculated digest and the decrypted digest are compared by the smart card in order to validate the received software.
2. The method of claim 1, in which the calculated digest is calculated by the interface device and loaded onto the smart card.
3. The method of claim 1, in which the software is loaded onto the smart card and the digest is calculated on the smart card.
4. The method of any of claims 1 to 3 , in which the encrypted digest is signed with a private encryption key of an authorised software supplier and the suppliers public encryption key is stored in the smart card. An interface device comprising smart card interface means able to communicate with a smart card and communications means; the device is suitable for receiving software and an encrypted digest thereof by the communications means, passing the encrypted digest in encrypted form to a smart card by the interface means and executing the software only after a validation signal generated by the method of any preceding claim is received by the interface means from the smart card.
PCT/GB2001/002682 2000-06-19 2001-06-18 Validation method and device WO2001098875A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2001274245A AU2001274245A1 (en) 2000-06-19 2001-06-18 Validation method and device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB0014978.1 2000-06-19
GB0014978A GB2363867A (en) 2000-06-19 2000-06-19 Access control method

Publications (2)

Publication Number Publication Date
WO2001098875A2 true WO2001098875A2 (en) 2001-12-27
WO2001098875A3 WO2001098875A3 (en) 2003-01-23

Family

ID=9893965

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2001/002682 WO2001098875A2 (en) 2000-06-19 2001-06-18 Validation method and device

Country Status (3)

Country Link
AU (1) AU2001274245A1 (en)
GB (1) GB2363867A (en)
WO (1) WO2001098875A2 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1519775A1 (en) * 2002-07-05 2005-04-06 Cyberscan Technology Inc. Secure game download
FR2888958A1 (en) * 2005-07-19 2007-01-26 France Telecom Application e.g. electronic mail, executing method, involves executing secure application during verification of signature value with correct value, and inhibiting execution of application during absence of verification
EP1993054A1 (en) * 2007-05-16 2008-11-19 Giesecke & Devrient GmbH Method for extracting software from a terminal

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105760750B (en) * 2016-02-01 2019-06-14 北京华胜天成科技股份有限公司 Software tamper Detection method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1998052163A2 (en) * 1997-05-15 1998-11-19 Mondex International Limited Ic card transportation key set
EP1004992A2 (en) * 1997-03-24 2000-05-31 Visa International Service Association A system and method for a multi-application smart card which can facilitate a post-issuance download of an application onto the smart card
WO2000033196A1 (en) * 1998-11-26 2000-06-08 Aristocrat Technologies Australia Pty Ltd Electronic casino gaming with authentication and improved security

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPS6084686A (en) * 1983-10-17 1985-05-14 Toshiba Corp Recording system of information recording medium
AU1265195A (en) * 1993-12-06 1995-06-27 Telequip Corporation Secure computer memory card

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1004992A2 (en) * 1997-03-24 2000-05-31 Visa International Service Association A system and method for a multi-application smart card which can facilitate a post-issuance download of an application onto the smart card
WO1998052163A2 (en) * 1997-05-15 1998-11-19 Mondex International Limited Ic card transportation key set
WO2000033196A1 (en) * 1998-11-26 2000-06-08 Aristocrat Technologies Australia Pty Ltd Electronic casino gaming with authentication and improved security

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1519775A1 (en) * 2002-07-05 2005-04-06 Cyberscan Technology Inc. Secure game download
EP1519775A4 (en) * 2002-07-05 2005-11-02 Cyberscan Tech Inc Secure game download
US8321911B2 (en) 2002-07-05 2012-11-27 Igt Secure game download
US8484696B2 (en) 2002-07-05 2013-07-09 Igt Secure game download
FR2888958A1 (en) * 2005-07-19 2007-01-26 France Telecom Application e.g. electronic mail, executing method, involves executing secure application during verification of signature value with correct value, and inhibiting execution of application during absence of verification
EP1993054A1 (en) * 2007-05-16 2008-11-19 Giesecke & Devrient GmbH Method for extracting software from a terminal

Also Published As

Publication number Publication date
GB2363867A (en) 2002-01-09
AU2001274245A1 (en) 2002-01-02
WO2001098875A3 (en) 2003-01-23
GB0014978D0 (en) 2000-08-09

Similar Documents

Publication Publication Date Title
US5402490A (en) Process for improving public key authentication
US5249230A (en) Authentication system
CN100541508C (en) Equipment, messaging device, management method and information processing method
CN100517297C (en) Method and apparatus for digital rights management using certificate revocation list
CN1985466B (en) Method of delivering direct proof private keys in signed groups to devices using a distribution CD
US6304969B1 (en) Verification of server authorization to provide network resources
US7421079B2 (en) Method and apparatus for secure key replacement
US8756421B2 (en) Authentication device using true random number generating element or pseudo-random number generating element, authentication apparatus, and authentication method
KR100913975B1 (en) Apparatus and method for activating individualized software modules in a digital broadcast environment
CN101036096B (en) Method and system for enciphering and deciphering operation
US20030105965A1 (en) Business method for secure installation of a credit authorization key on a remote tcpa compliant system
CN105103488A (en) Policy enforcement with associated data
US7147157B2 (en) Secure remote-control unit
EP1151369A1 (en) Security access and authentication token with private key transport functionality
CN105191207A (en) Federated key management
EP1023794A1 (en) System for detecting unauthorized account access
JPH0675251B2 (en) Method for authenticating a portable object connected to an external medium via a transmission line by the external medium, and a system for implementing the method
KR20030001409A (en) System and process for storing securely secret information, apparatus and server to be used in such a system and method for distribution of a digital content
US6836548B1 (en) Communications security and trusted path method and means
US20100031045A1 (en) Methods and system and computer medium for loading a set of keys
US20040143741A1 (en) Multi-stage authorisation system
CN100459495C (en) Password dynamic enciphering inputmethod of public emipering mode
US7079655B1 (en) Encryption algorithm management system
KR20020022092A (en) Method and device for guaranteeing the integrity and authenticity of a set of data
WO2001098875A2 (en) Validation method and device

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase in:

Ref country code: JP