WO2003042799A2 - Device and method with reduced information leakage - Google Patents
- Publication number
- WO2003042799A2 (PCT/IB2002/004620)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- information
- persistent memory
- data
- key
- cryptographic
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F1/00—Details not covered by groups G06F3/00 - G06F13/00 and G06F21/00
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/76—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in application-specific integrated circuits [ASIC] or field-programmable devices, e.g. field-programmable gate arrays [FPGA] or programmable logic devices [PLD]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
- H04L9/003—Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0625—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/12—Details relating to cryptographic hardware or logic circuitry
Definitions
- the invention relates to a data-processing system, a method for processing the same, and a method for executing an operation on the same. More particularly the invention relates to a smartcard, a method of processing the smartcard under use of a cryptographic key, and a method for executing an operation on the smartcard under use of the cryptographic key.
- Cryptographic operations are used for a variety of processes such as data encryption and authentication.
- a secret key is known to two or more participants, who use it to secure their communications.
- one party typically performs operations using a secret key, e.g., the so-called private key, while the other performs complementary operations using only non-secret parameters, e.g., the so-called public key.
- the secret parameters must be kept confidential, since an attacker who compromises a key can decrypt communications, forge signatures, perform unauthorized transactions, impersonate users, or cause other problems.
- Ciphers and algorithms believed to be cryptographically secure are known. For example, protocols using triple DES, i.e. a cipher constructed using three applications of the Data Encryption Standard using different keys, can resist cryptanalytic attacks, provided that attackers only have access to the standard inputs to and outputs from the protocol.
- Smartcards commonly encode their internal data using a cryptographic technique such as the Data Encryption Standard (DES).
- DES Data Encryption Standard
- FIPS Federal Information Processing Standard
- DES is a block cipher method using a 64 bit key (of which only 56 bits are actually used), which is very fast and has been widely adopted. Though DES can be cracked by a brute-force attack, i.e. simply testing all possible keys, triple DES is still considered very secure. For the purposes of the examples described hereinafter, it is sufficient to know that the DES algorithm performs 16 rounds which effect lookups to eight separate translation tables called S-boxes. Other similar cryptographic techniques are also known in the art, including, triple DES, IDEA, SEAL, and RC4; public key (asymmetric) encryption and decryption using RSA and El Gamal; digital signatures using DSA, El Gamal, and RSA; and Diffie-Hellman key agreement protocols. Despite the theoretical strength and complexity of these cryptographic systems, power analysis techniques have been developed which allow these keys to be cracked much more quickly.
- the basic DES encryption algorithm uses a 56-bit key to transform a 64-bit plaintext block into a 64-bit ciphertext block.
- the corresponding decryption operation uses the same key to transform ciphertext blocks into their corresponding plaintexts.
- an attacker can exploit the fact that such a system leaks information.
- the attacker can try to gather data by observing a series of operations, perform statistical analysis on the observations, and use the results to determine the key.
- an attacker monitors a physical property, such as power consumption, of a secure token as it performs a cryptographic operation.
- the attacker collects a small amount of data related to the key each time the token is observed performing a cryptographic operation involving the key.
- the attacker increases the amount of information known about the key by collecting and statistically correlating or combining data from multiple observations of the token as it performs operations involving the key.
- such observations may contain signal information, i.e., information correlated usefully to the key.
- noise i.e., information and error that hinder or are irrelevant to determination of the key.
- The quality of the information gained from these observations is characterized by a "signal to noise" or S/N ratio, which is a measure of the magnitude of the signal compared to the amount of noise.
- the number of operations that the attacker must analyze to recover the key depends on the measurement and analysis techniques, but is generally inversely proportional to the square of the S/N ratio. The constant of proportionality also depends upon the amount of confidence the attacker requires.
- a relatively low confidence level may be acceptable to an attacker willing to do an optimized brute force search using statistical information about key bit values. Decreasing the signal by a factor of 15 and increasing the amount of measurement noise by a factor of 20 will reduce the signal-to-noise ratio by a factor of 300. This will generally mean that an attacker will require roughly 90,000 times as many observations to extract the same amount of information about the key. An attack requiring 1,000 observations to recover a key before the S/N reduction would now require on the order of 90 million observations to gain the same level of confidence in the recovered key.
- a principal objective is to make a cryptosystem that is difficult to attack successfully, for example by increasing the number of observations required by an attacker to compromise a key.
- a system designer can make the so-called work function, i.e. the effort required to break a system, larger.
- the number of samples required to gain any significant amount of useful key information should exceed the maximum number of transactions that can be performed using the key, exceed the number of transactions that can be performed by the device, e.g., before the key expires, or else be so large that monitoring attacks are of comparable or greater difficulty than brute force and other known attacks.
- the term “platform” generally refers to a hardware/software environment capable of supporting computation including the execution of software programs.
- a “sealed” platform refers to a platform purposely built to frustrate reverse-engineering.
- the sealed platforms such as smartcards, may store and process a significantly larger quantity of data using microprocessors, random access memory (RAM), and read only memory (ROM).
- RAM random access memory
- ROM read only memory
- the sealed platforms are typically secured using cryptographic technology which is intended to maintain and manipulate secret parameters in open environments without revealing their values. Compromise of a secret key used to compute a digital signature could, for example, allow an attacker to forge the owner's digital signature and execute fraudulent transactions.
- a sealed platform is intended to perform its function while protecting information and algorithms, such as performing digital signatures as part of a challenge-response protocol, authenticating commands or requests, and encrypting or decrypting arbitrary data.
- a smartcard used in a stored value system may, for example, digitally sign or compute parameters such as the smart card's serial number, balance, expiration date, transaction counter, currency, and transaction amount as part of a value transfer.
- Power analysis is the process of gathering information about the data and algorithms embodied on a platform by means of the "power signature" of the platform.
- the "power signature" of a platform is its power consumption profile measured over time, while executing the software stored on that platform.
- the power consumed by a microprocessor, micro-controller or similar electronic device changes with the state of the electronic components in the device.
- Such devices generally represent data in terms of binary 1s and 0s, which are represented in the electronic devices as corresponding high or low voltage levels. For example, a value of 1 may be represented by +5 volts and a value of 0 by 0 volts.
- the amount of power that a sealed platform consumes may be correlated with the number of binary 1s in a data word, at a given moment in time. It follows that the amount of current drawn by, and the electromagnetic radiation emanated from a sealed platform, may be correlated to the secrets being manipulated within it. Such signals can be measured and analyzed by attackers to recover secret keys. State transitions are also a major influence on the power consumption of a device performing a computation. As the value of a bit changes, transistor switches associated with that bit change state. Therefore, there is an increase in the amount of power consumed when the system is in transition. Attackers can non-invasively extract secret keys using external measurement and analysis of a device's power consumption, electromagnetic radiation, or processor cycle timing during performance of cryptographic operations.
- the current and voltage being supplied to the smartcard may be monitored while it is executing.
- simple power analysis SPA
- the power signature for the execution of a given algorithm is used to determine information about the algorithm and its data.
- power data is gathered from many executions and averaged at each point in time in the profile.
- DPA Differential power analysis
- Low-cost smart cards performing DES have proven, in recent experience, to be highly vulnerable to DPA.
- Any form of encryption or decryption which is similar to DES would necessarily have similar vulnerabilities when incarnated on low-cost smart cards or similar sealed platforms.
- Implementation of a DPA attack to find a DES key involves two phases, namely data collection followed by data analysis.
- Data collection for DPA may be performed by sampling a device's power consumption during cryptographic operations as a function of time or number of clock cycles.
- For DPA a number of cryptographic operations using the target key are observed.
- To perform such an attack on a smart card one processes a large number (a thousand or more) of DES encryptions (or decryptions) on distinct plaintexts (or ciphertexts), recording for each the power profile; the input, chosen at random by the attacker; and the output, computed by the smartcard as the encrypted or decrypted value with the hidden key.
- Each power profile is referred to as a sample.
- the output of a given S-box is dependent on both the data to be encrypted (or decrypted) and the key. Since the attacker knows the input text, he guesses what the value of the key is, that was used to generate a particular power signature sample, so he can determine whether a particular output bit of a given S-box is 1 or 0 for the particular data used in the sample.
- Each standard S-box has a 6-bit input and a 4-bit output. Typically, this analysis begins in round 1 or 16 since those are the ones where the attacker knows either the exact inputs (for round 1) or outputs (for round 16) for the respective S-box.
- For each guess of the values of these six bits, one divides the samples into two groups: those in which the targeted output bit, that is, one of the four output bits from a targeted S-box which is chosen as a target in the first round of the attack, is a 1 if the attacker's guess of the six key bits is correct (the 1-group), and those in which it is a 0 if the attacker's guess of the six key bits is correct (the 0-group).
- the power samples in each group are then averaged.
- those portions of the averaged power profiles which are affected only by bits other than the particular output bit mentioned above should be similar, since on average, in both groups, they should be 1 for about half of the samples in each group, and 0 for about half of the samples in each group.
- those portions of the averaged power profiles which are affected by the above-mentioned output bit should show a distinct difference between the 1-group and the 0-group. The presence of such a difference, or multiple such differences, indicates that the guessed value of the six key bits was correct. Its absence, or the absence of such differences, shows that the guessed value of the six key bits was incorrect.
- the attacker does not have to know the specific code used to implement DES; the memory layout used for storing the S-boxes; where in the power profile the distinct difference or differences, if any, are expected to appear for a correct guess; how many such distinct differences are expected to appear in the power profile for a correct guess; or whether the chosen S-box output bits are normal or complemented, as flipping 1s and 0s will produce the same kind of distinct difference.
- DPA is only dependent on whether such a difference exists, not in the sign, i.e. + or -, of any given difference.
- DPA is able to reliably identify extraordinarily small differences in power consumption.
- Physical measures to protect sealed platforms against attack are known to include enclosing systems in physically durable enclosures, physical shielding of memory cells and data lines, physical isolation, and coating integrated circuits with special coatings that destroy the chip when removed. While such techniques may offer a degree of protection against physical damage and reverse engineering, these techniques do not protect against non-invasive power analysis methods.
- Physical protection is generally inapplicable or insufficient due to reliance on external power sources, the physical impracticality of shielding, cost, and other characteristics imposed by a sealed platform's physical constraints such as size and weight.
- smartcards may also be protected from a power analysis attack to an extent, at the software level, by representing data in a "Hamming-neutral" form.
- the Hamming weight of a bit string such as a data word or byte, is the quantity of bits in the bit string with a value of 1. For example, 10100 will have a Hamming weight of 2, and 1111 will have a Hamming weight of 4.
- a set of "Hamming neutral" bit-strings is a set of bit-strings that all have the same number of 1s, for example, the set {011, 101, 110} is a
- PA resistance is applicable to a much wider variety of platforms.
- Improved security is therefore useful for such devices to be securely used in a broad range of applications in addition to traditional retail commerce, including parking meters, cellular and pay telephones, pay television, banking, Internet-based electronic commerce, storage of medical records, identification and security access. There is therefore a need for a method, apparatus and system to reduce the amount of useful information leaked to attackers without resulting in excessive overheads.
- Reducing leakage refers generally to reducing the leakage of any information that is potentially useful to an attacker trying to determine secret information.
- In WO 01/61915 the vulnerability of a system is reduced by introducing randomness to the observable operation, thereby frustrating the correlation of output power emissions with any meaningful internal processing.
- An improved DES implementation of the invention instead uses two 56-bit keys (K1 and K2) and two 64-bit plaintext messages (M1 and M2), each associated with a permutation (i.e., K1P, K2P and M1P, M2P) such that K1P{K1} XOR K2P{K2} equals the "standard" DES key K, and M1P{M1} XOR M2P{M2} equals the "standard" message.
- the tables are preferably periodically updated, by introducing fresh entropy into the tables faster than information leaks out, so that attackers will not be able to obtain the table contents by analysis of measurements.
- the technique is implementable in cryptographic smartcards, tamper resistant chips, and secure processing systems of all kinds.
- WO 01/08012 describes an apparatus and a method for preventing information leakage attacks on a microelectronic assembly performing a cryptographic algorithm by transforming a first function, used by the cryptographic algorithm, into a second function,
- the method including the steps of receiving a masked input data having n number of bits that is masked with an input mask, wherein n is a first predetermined integer; processing the masked input data using a second function based on a predetermined masking scheme; producing a masked output data having m number of bits that is masked with an output mask, wherein m is a second predetermined integer.
- a cryptographic client device maintains a secret key value as part of its state.
- the client can update its secret value at any time, for example before each transaction, using an update process that makes partial information that might have previously leaked to attackers about the secret no longer usefully describe the new updated secret value.
- By repeatedly applying the update process, information leaking during cryptographic operations that is collected by attackers rapidly becomes obsolete.
- the present invention can be used in connection with a client and server using such a protocol.
- the server obtains the client's current transaction counter. The server then performs a series of operations to determine the sequence of transformations needed to re-derive the correct session key from the client's initial secret value. These transformations are performed, and the result is used as a transaction session key.
- WO 99/67909 proposes a leak minimization for smartcards and other cryptosystems using a reduction of the amount of useful information leaked during processing. This is accomplished by implementing critical operations using "branchless" or fixed execution path routines whereby the execution path does not vary in any manner that can reveal new information about the secret key during subsequent operations. More particularly, various embodiments of the invention include: implementing modular exponentiation without key-dependent conditional jumps; implementing modular exponentiation with fixed memory access patterns; implementing modular multiplication without using leak-prone multiplication-by-one operations; and implementing leak-minimizing multiplication and other operations for elliptic curve cryptosystems.
- In WO 99/67766, methods and apparatus are disclosed for performing computations in which the representation of data, the number of system state transitions at each computational step, and the Hamming weights of all operands are independent of computation inputs, intermediate values, or results.
- Exemplary embodiments implemented using conventional leaky hardware elements such as electronic components, logic gates, etc. as well as software executing on conventional leaky microprocessors are described. Smartcards and other tamper-resistant devices of the invention provide improved resistance to cryptographic attacks involving external monitoring.
- In WO 99/63696, methods and apparatus are disclosed for securing cryptosystems against external monitoring attacks by reducing the amount and signal to noise ratio of useful information leaked during processing. This is generally accomplished by incorporating unpredictable information into the cryptographic processing.
- Various embodiments of the invention use techniques such as reduction of signal to noise ratios, random noise generation, clock skipping, and introducing entropy into the order of processing operations or the execution path.
- the techniques may be implemented in hardware or software, may use a combination of digital and analog techniques, and may be deployed in a variety of cryptographic devices.
- a data-processing system comprising a cryptographic key stored in a memory that has a lower level of information leakage than another memory.
- the use of this key brings in the advantage that the information that is encrypted under use of this key is protected thereby from external attacks, in particular differential power analysis. The key itself is less prone to such attacks due to the higher level of attack immunity through less information leakage.
- a typical data-processing system would be a machine-readable medium, more particularly a sealed platform like a chipcard, also referred to as smartcard, i.e. a machine-readable device that comprises its own processor and memory.
- a cryptographic device or system can be used as the data-processing system.
- the first unencrypted information comprises a second cryptographic key usable for decrypting second encrypted information for the operation
- a two-stage encryption process is used which advantageously combines local security through the second cryptographic key, with a global security through the first cryptographic key.
- the second cryptographic key is typically a personal key, unique to the data-processing system or its user.
- the first cryptographic key is typically a key not unique to the data-processing system or its user but unknown to external entities. A person knowing the first cryptographic key can not access the secret information protected by the second cryptographic key without using DPA, and a person knowing the second cryptographic key can nevertheless not find out the first cryptographic key in order to use that information for accessing secret information on other machine-readable media.
- the personalizing entity only need execute that step via the data-processing system in order to achieve the personalized state, including the use of the first cryptographic key. Thereby the use of that key can be transparent, i.e. not visible, to the personalizing entity.
- the data-processing system comprises stored code for executing an operation execution step
- that step can include the decryption step to reveal the information that was previously encrypted with the first cryptographic key.
- the decryption step is executed transparently to the outside world, including personalizing entity and the user of the data-processing system.
- a typical example for the data-processing system would be a smartcard.
- a method of processing such a data-processing system is proposed.
- the processing can be interpreted as a personalization step in which the data-processing system is turned from a non-customized product into a customized product by enhancing it with specific information, unique to that data-processing system.
- the personalization step can be performed by writing the unencrypted information to its target memory location, e.g. the EEPROM, afterwards scanning the EEPROM for any such information and executing the encryption on it. That sensitive information in the EEPROM is encrypted and thereby protected.
- typical examples of such sensitive information are cryptographic keys. Those can comprise personal keys or other keys. In object- or type-based programming languages, no change to the APIs or to the applications making use of such keys is required.
- a method of executing an operation on such a data-processing system comprises a decryption step before the actual execution of the operation. That decryption step is executed on the encrypted information that has been loaded from the first persistent memory to a less-leaking memory. The decryption step is hence executed in an environment which is less-leaking and hence less prone to power analysis attack. The decryption step itself remains unnoticed by the external user and merely effects a longer, although not significantly longer, execution time for that operation.
- a computer program product comprising program code means for performing a method as described above is proposed.
- the computer program product can be in its simplest form a storage medium loaded with the program code.
- the storage medium advantageously could be integrated into the data-processing system.
- Smartcard memory, including EEPROM, leaks information about its contents when those contents are accessed for reading stored information.
- One way for an attacking entity to make use of that leakage is by means of differential power analysis (DPA), when read-operations are monitored by means of chip-power consumption, and the actual EEPROM contents are derived. If such EEPROM content is a secret key guarding an electronic transaction for example, the security of the whole electronic transaction system is in peril.
- the invention is directed to a data-processing system comprising a processor and first encrypted information in a first persistent memory whose level of information leakage is higher than that of a second persistent memory.
- a first cryptographic key for decrypting the first encrypted information, thereby generating therefrom first unencrypted information that is usable by the processor for executing an operation.
- the invention is also directed to a data-processing system comprising a processor and first encrypted information in a first persistent memory whose level of information leakage is higher than that of a second persistent memory.
- a first cryptographic key may be used for decrypting the first encrypted information, thereby generating the first unencrypted information.
- the invention is also directed to a method of processing such a data-processing system that has an operating system, the method comprising a writing step for writing first unencrypted information into the first persistent memory, an encryption step for encrypting the first unencrypted information under use of the first cryptographic key, creating therefrom first encrypted information in the first persistent memory, and an access-limitation step for setting the data-processing system to a state in which writing into the first persistent memory is controlled by the operating system.
- the invention is also directed to a method of executing an operation on such a data-processing system, the method comprising a decryption step for decrypting the first encrypted information under use of the first cryptographic key, thereby generating therefrom first unencrypted information and an execution step for executing an operation by the processor, using the first unencrypted information.
- the invention is also directed to a computer program product comprising program code means for performing such method or methods.
- the invention is applicable to any object- or type-based programming language running on any data-processing system that stores sensitive information in a data storage medium that is susceptible to external probing. An example would be the JavaCard runtime environment.
- By tracking sensitive information within the first persistent memory and protecting it by means of a first cryptographic key that is used to encrypt the sensitive information when stored in the persistent memory, the sensitive information is protected from being analyzed through DPA.
- the first cryptographic key is again used to decrypt the sensitive information when the sensitive information is read from the persistent memory for actual use.
- An example for the sensitive information is a second cryptographic key.
- the sensitive information stored in the persistent memory of a probing-attack-prone storage technology operating on object- or type-based programming language, such as an EEPROM in a smartcard, is hence better protected against fraudulent probing e.g. by differential power attacks.
- Fig. 1 a schematic block diagram of a smartcard with its components.
- a smartcard typically embeds an electronic chip in a plastic card.
- the electronic chip may include, for example, a microprocessor or similar device, read-only memory (ROM), and/or read-write random access memory (RAM).
- the electronic-chip may also include other electronic components such as digital signal processors (DSPs), field-programmable gate arrays (FPGAs), electrically-erasable programmable read-only memory (EEPROM) and miscellaneous support logic.
- DSPs digital signal processors
- FPGAs field-programmable gate arrays
- EEPROM electrically-erasable programmable read-only memory
- Generally, the electronic chip is glued into a recessed area of a plastic card and is covered by a printed circuit which provides the electrical interface to an external smartcard reader.
- the standard configuration of the input and output pads of the printed circuit generally includes power (VCC), ground (GND), a clock input (CLK) and a serial input/output pad (I/O).
- N/C additional unconnected pads
- The plastic card is somewhat flexible, so the electronic chip should be small enough to avoid breaking. This limits the physical size of the electronic chip to a few millimeters across, and also limits the number of electronic components that can be supported.
- Contactless smartcards are also in use, which communicate with an external smartcard reader using radio frequencies or other wireless communication media. Such smartcards are generally equipped with an internal antenna, rather than the input and output pads of the printed circuit.
- A data-processing system 10, which here is a smartcard, is depicted that comprises an EEPROM 20, also referred to as first persistent memory, a second persistent memory 40, also referred to as ROM, and a volatile memory 30, also referred to as RAM. These three memories 20, 30, 40 are connected to a processor 50, which is in turn connected to a DES co-processor 55.
- The smartcard 10 further comprises a connector field 60 for connection to an external device.
- In the ROM 40 are located an operating system 41 and a first cryptographic key, also referred to as cryptographic master key 45.
- In the EEPROM 20 a second cryptographic key 21 and a third cryptographic key 22 are stored.
- In the RAM 30 second encrypted information 33 is stored.
- The co-processor 55 can perform any type of cryptographic operation; here DES is selected for exemplary purposes. For sake of better understanding, first a process without use of the cryptographic master key
- The second cryptographic key 21 and third cryptographic key 22 are in such a case present in the EEPROM 20 in a non-encrypted form and are available for use in an encryption or decryption process performed by the DES co-processor 55 in assistance to the processor 50. If during the execution of an application the processor 50 is instructed to perform an operation that needs to make use of one or more of the cryptographic keys 21, 22, the DES co-processor 55 is activated. It is assumed for this example that the second cryptographic key 21 is needed to perform a decryption. The processor 50 accesses the EEPROM 20 to retrieve therefrom the second cryptographic key 21. The second cryptographic key 21 is loaded from the EEPROM 20 via the processor 50 to the RAM 30.
- The DES co-processor 55 retrieves the second cryptographic key 21 from the RAM 30 via the processor 50 and also retrieves, via the processor 50, the data that is to be decrypted under use of the cryptographic key 21 from one of the memories 20, 30, 40. Here that data comprises the second encrypted information 33. Then the DES co-processor 55 performs the decryption and delivers the decrypted data to the processor 50.
- A malicious user could perform a DPA attack on that operation, in particular by sniffing the leakage of the signal between the EEPROM 20 and the processor 50 using a suitable leakage-detecting probe in combination with corresponding software.
- The cryptographic master key 45 is used in accordance with the invention.
- The cryptographic keys 21, 22 reside in the EEPROM 20 in an encrypted form, namely having been previously encrypted under use of the cryptographic master key 45. They are hence present as first encrypted information.
- The corresponding encryption process shall be explained further below, but first the decryption shall be addressed here.
- An operation is assumed that needs the second cryptographic key 21. That operation is executed by the processor 50 in an operation execution step. Since the second cryptographic key 21 resides in the EEPROM 20 in encrypted form, the operation execution step comprises a decryption step to enable access to the second cryptographic key 21 in a decrypted form and to thereby enable use of it. Therefor the processor 50 not only retrieves the encrypted second cryptographic key 21 from the EEPROM 20 but also initiates the execution of a decryption step of the encrypted second cryptographic key 21.
- The encrypted second cryptographic key 21 is loaded from the EEPROM 20 via the processor 50 to the RAM 30.
- The cryptographic master key 45 is loaded from the ROM 40 via the processor 50 to the RAM 30.
- The DES co-processor 55 retrieves the cryptographic master key 45 from the RAM 30 via the processor 50 and also retrieves, via the processor 50, the encrypted second cryptographic key 21 that is to be decrypted under use of the cryptographic master key 45 from the RAM 30. Then the co-processor 55 performs the decryption step on the encrypted second cryptographic key 21 and delivers the resulting decrypted second cryptographic key 21 to the RAM 30.
- The co-processor 55 retrieves the decrypted second cryptographic key 21 from the RAM 30 via the processor 50 and also retrieves, via the processor 50, the data 33 that is to be decrypted under use of the decrypted second cryptographic key 21 from the RAM 30. Then the co-processor 55 performs the decryption and delivers the decrypted data to the processor 50. This is hence a series of decryption processes.
- The advantage is that the operation of retrieving the second cryptographic key 21 from the EEPROM 20 is less prone to a DPA attack, since the information that is transferred from the EEPROM 20 and that suffers from the information leakage of the EEPROM 20, namely the second cryptographic key 21, is transferred in encrypted form. Since the leakage of the ROM 40 and the RAM 30 is lower than the leakage of the EEPROM 20, the susceptibility of the overall system to DPA attacks is reduced.
- The smartcard 10 is manufactured by a smartcard manufacturer to comprise the plastic carrier with the embedded chip.
- The chip already contains the pre-stored cryptographic master key 45 in the ROM 40.
- The receiving entity, which typically is a smartcard-issuing entity, then processes the card in a personalization step, i.e. prepares this smartcard 10 for future use by a specific person. Therefore the smartcard issuer equips the smartcard 10 with personal information, namely here the cryptographic keys 21, 22, which are first written into the EEPROM 20. This writing step is performed in a secure environment, i.e. an environment that does not allow accessing the sensitive personal information.
- The smartcard issuer himself is a trusted party in that it may be assumed that it does not perform an attack on the system by using the cryptographic keys 21, 22 or even the cryptographic master key 45.
- The smartcard 10 arrives at the smartcard issuer with the operating system 41 pre-stored.
- A personalization step is contained in a programmed form, which step is initiated by the smartcard issuer after writing the personal information 21, 22 to the EEPROM 20.
- The personalization step encompasses two substeps, an encryption step and an access-limitation step.
- The personalization step starts by performing the encryption step that encrypts the first unencrypted information, i.e. the cryptographic keys 21, 22.
- The EEPROM 20 is scanned for all information that is to be encrypted under use of the cryptographic master key 45.
- This information here comprises the cryptographic keys 21, 22.
- The cryptographic keys 21, 22 can be recognized in a scanning step by the scanning algorithm, and once these have been located, they are encrypted and written as encrypted cryptographic keys 21, 22 back into the EEPROM 20.
- For the encryption step, the smartcard issuer himself does not need to know the cryptographic master key 45 and in fact does not even need to know that there is a cryptographic master key 45 at all.
- The encryption step can be executed without the smartcard issuer knowing about it.
- The access-limitation step sets the smartcard 10 to a state in which writing into the EEPROM 20 is limited, namely limited by the access control through the operating system 41. That limitation ensures that writing is no longer allowed into certain areas of the smartcard 10, amongst which is the area in which the encrypted cryptographic keys 21, 22 are located. Thereby a later modification in that forbidden area, including fraudulent attempts, is excluded.
- The smartcard is in the so-called personalized state. The smartcard 10 is issued to the end-customer or user in this state.
- The decryption runs via the DES coprocessor 55, which loads the cryptographic keys 21, 22 from the EEPROM 20. That loading step is prone to DPA, but since the cryptographic keys 21, 22 are present only in the encrypted form, and hence also transmitted in that form, that attack has a lower success rate.
- The cryptographic master key 45 is loaded to the DES coprocessor 55 from the ROM 40, and since the ROM 40 is less power-consuming than the EEPROM 20 or the RAM 30, a successful attack via DPA is much harder and hence less probable.
- The operation execution step can be executed without the environment around the smartcard knowing about the use of the cryptographic master key 45. From the perspective of the result of the operation that is executed, there is no difference.
- The advantage lies in the fact that the described method and system increase system security but are totally transparent to the outside environment. It is hence suggested that the sensitive data, i.e., the cryptographic keys 21, 22 stored in the EEPROM 20, are stored in an encrypted form, not as plain data prone to the attack stated above.
- The encryption step is performed under use of another secret key, the cryptographic master key 45, that may either be unique to the chip, or unique to a piece of software, called mask, containing the program logic accessing the EEPROM 20. This is achieved transparently to an application possibly making use of the cryptographic keys 21, 22.
- The encrypting cryptographic key 45 resides in non- or less-leaking storage, such as the ROM 40.
- The introduction of the cryptographic master key 45 effects a reduction of the attackability of the smartcard 10, through a reduction of information leakage, also referred to as power dissipation, or attack susceptibility.
- The cryptographic master key 45 is applied for encryption of the first unencrypted information 31, 32, e.g. comprising clear-text keys, to form therefrom the first encrypted information 21, 22. Therefore the writing process is amended, and the clear-text keys are encrypted under use of the cryptographic master key 45, that is an internal chip- or mask-specific key, before they are stored into the EEPROM 20.
- The key-reading or -using method is intercepted, and the encrypted cryptographic keys 21, 22 are first decrypted in non- or less-leaking memory, such as the RAM 30, to gain the first unencrypted information 31, 32, before actual use thereof.
- The processing method for personalization provides for a scanning of the complete EEPROM 20 for the therein-stored cryptographic keys 21, 22, and encrypting them all according to the same procedure as outlined above. This means that a complete EEPROM image consisting of non-sensitive and sensitive information in plain form can be converted to an EEPROM image consisting of non-sensitive information in plain form and sensitive information in encrypted form.
- A technology employable to do this is a memory-walking technology seeking out object types, i.e., cryptographic keys in the given scenario.
- The known garbage collection mechanism can be utilized for this, as it also traverses the complete EEPROM 20.
- The smartcard 10 can be prepared and tested with all data, i.e. sensitive and non-sensitive, in plain form, and only at the end of testing and production be changed over to the secure mode in which the cryptographic keys 21, 22 are encrypted for use.
- The present invention can be realized in hardware, software, or a combination of these. Also, it can be implemented in a centralized fashion on one single computer system, or in a distributed fashion where different elements are spread across several interconnected computers or computer systems, whereby any kind of computer system, or other apparatus adapted for carrying out the methods described herein, is suited.
- A typical combination of hardware and software could be a general purpose computer system with a computer program that, when being loaded and executed, controls the computer system such that it carries out the methods described herein.
- The present invention can also be embedded in a computer program product, which comprises all the features enabling the implementation of the methods described herein, and which, when loaded in a computer system, is able to carry out these methods.
- Computer program means or computer program in the present context mean any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following: a) conversion to another language, code or notation; b) reproduction in a different material form.
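The personalization step (memory walk, encryption, access limitation) and the intercepted key read described above can be modelled in a few lines of C. This is an added illustration, not code from the patent: XTEA stands in for the DES co-processor 55, and the object layout, function names and all key values are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* XTEA (64-bit block, 128-bit key): stand-in for the DES co-processor 55. */
static void xtea_enc(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0, delta = 0x9E3779B9u;
    for (int i = 0; i < 32; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
        sum += delta;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
    }
    v[0] = v0; v[1] = v1;
}
static void xtea_dec(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], delta = 0x9E3779B9u, sum = delta * 32;
    for (int i = 0; i < 32; i++) {
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
        sum -= delta;
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Hypothetical typed-object layout that the memory walk can recognise. */
enum obj_type { OBJ_DATA = 1, OBJ_KEY = 2 };
struct obj {
    uint8_t  type;       /* object type tag                        */
    uint8_t  wrapped;    /* 1 once the payload is stored encrypted */
    uint32_t payload[2]; /* 64-bit value, the size of a DES key    */
};

/* "ROM 40": cryptographic master key 45 (constructed value). */
static const uint32_t rom_master_key[4] =
    { 0xA5A5A5A5u, 0x5A5A5A5Au, 0x0BADC0DEu, 0x13579BDFu };

/* "EEPROM 20": constructed image as written by the issuer, all in plain form. */
static struct obj eeprom[] = {
    { OBJ_DATA, 0, { 0x43415244u, 0x30303031u } }, /* non-sensitive data */
    { OBJ_KEY,  0, { 0x01234567u, 0x89ABCDEFu } }, /* key 21             */
    { OBJ_KEY,  0, { 0x0F1E2D3Cu, 0x4B5A6978u } }, /* key 22             */
};
#define EEPROM_OBJS (sizeof eeprom / sizeof eeprom[0])
static int personalized = 0;

/* Encryption step plus access-limitation step. Walks the whole image,
 * wraps every key object under the master key and then locks the key
 * area. Returns the number of keys wrapped by this call. */
int personalize(void) {
    int n = 0;
    if (personalized) return 0;
    for (size_t i = 0; i < EEPROM_OBJS; i++) {
        if (eeprom[i].type != OBJ_KEY || eeprom[i].wrapped) continue;
        xtea_enc(eeprom[i].payload, rom_master_key);
        eeprom[i].wrapped = 1;
        n++;
    }
    personalized = 1;
    return n;
}

/* Write path under OS access control: key objects become read-only once
 * the card is personalized. Returns 0 on success, -1 if refused. */
int eeprom_write(size_t idx, const uint32_t p[2]) {
    if (idx >= EEPROM_OBJS) return -1;
    if (personalized && eeprom[idx].type == OBJ_KEY) return -1;
    memcpy(eeprom[idx].payload, p, sizeof eeprom[idx].payload);
    return 0;
}

/* Intercepted key read: only the stored (wrapped) bytes are fetched from
 * the EEPROM; unwrapping happens on the RAM copy in out[]. The caller
 * sees the same key value before and after personalization. */
int use_key(size_t idx, uint32_t out[2]) {
    if (idx >= EEPROM_OBJS || eeprom[idx].type != OBJ_KEY) return -1;
    memcpy(out, eeprom[idx].payload, 2 * sizeof(uint32_t));
    if (eeprom[idx].wrapped) xtea_dec(out, rom_master_key);
    return 0;
}

int main(void) {
    uint32_t k[2];
    printf("keys wrapped: %d\n", personalize());
    printf("EEPROM holds: %08X %08X\n",
           (unsigned)eeprom[1].payload[0], (unsigned)eeprom[1].payload[1]);
    use_key(1, k);
    printf("key 21 in RAM: %08X %08X\n", (unsigned)k[0], (unsigned)k[1]);
    return 0;
}
```

After `personalize()`, the bytes that cross the EEPROM bus for objects 1 and 2 are ciphertext, while `use_key()` still returns the original key values, which is the transparency property the description claims.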
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Software Systems (AREA)
- Mathematical Physics (AREA)
- Microelectronics & Electronic Packaging (AREA)
- Storage Device Security (AREA)
Priority Applications (8)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CA2465333A CA2465333A1 (en) | 2001-11-14 | 2002-11-05 | Device and method with reduced information leakage |
KR10-2004-7001298A KR20040053101A (en) | 2001-11-14 | 2002-11-05 | Device and method with reduced information leakage |
IL16165202A IL161652A0 (en) | 2001-11-14 | 2002-11-05 | Device and method with reduced information leakage |
US10/495,345 US7543159B2 (en) | 2001-11-14 | 2002-11-05 | Device and method with reduced information leakage |
EP02781474A EP1449045A2 (en) | 2001-11-14 | 2002-11-05 | Device and method with reduced information leakage |
JP2003544566A JP2005510095A (en) | 2001-11-14 | 2002-11-05 | Apparatus and method for reducing information leakage |
IL161652A IL161652A (en) | 2001-11-14 | 2004-04-29 | Data-processing method with reduced information leakage |
US12/114,024 US20080222427A1 (en) | 2001-11-14 | 2008-05-02 | Device and method with reduced information leakage |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP01811093.2 | 2001-11-14 | ||
EP01811093 | 2001-11-14 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/114,024 Continuation US20080222427A1 (en) | 2001-11-14 | 2008-05-02 | Device and method with reduced information leakage |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2003042799A2 (en) | 2003-05-22 |
WO2003042799A3 (en) | 2003-11-27 |
Family
ID=8184241
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/IB2002/004620 WO2003042799A2 (en) | 2001-11-14 | 2002-11-05 | Device and method with reduced information leakage |
Country Status (8)
Country | Link |
---|---|
US (2) | US7543159B2 (en) |
EP (1) | EP1449045A2 (en) |
JP (1) | JP2005510095A (en) |
KR (1) | KR20040053101A (en) |
CN (1) | CN100390695C (en) |
CA (1) | CA2465333A1 (en) |
IL (2) | IL161652A0 (en) |
WO (1) | WO2003042799A2 (en) |
Families Citing this family (36)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9323955B2 (en) * | 2000-12-21 | 2016-04-26 | Gemalto Sa | Method for protecting a logic or mathematical operator installed in an electronic module with a microprocessor as well as the associated embedded electronic module and the system |
WO2003075506A1 (en) * | 2002-03-07 | 2003-09-12 | Axalto Sa | Method for making safe an electronic cryptography assembly with a secret key |
JP2005316284A (en) * | 2004-04-30 | 2005-11-10 | Hitachi Ltd | Portable terminal and data security system |
US7877621B2 (en) * | 2004-09-03 | 2011-01-25 | Virginia Tech Intellectual Properties, Inc. | Detecting software attacks by monitoring electric power consumption patterns |
US7809283B2 (en) * | 2004-10-29 | 2010-10-05 | Finisar Corporation | Multi-transceiver module control with single microcontroller |
US7457960B2 (en) * | 2004-11-30 | 2008-11-25 | Analog Devices, Inc. | Programmable processor supporting secure mode |
JP4896595B2 (en) * | 2006-01-18 | 2012-03-14 | 株式会社Pfu | Image reading apparatus and program |
US7870336B2 (en) * | 2006-11-03 | 2011-01-11 | Microsoft Corporation | Operating system protection against side-channel attacks on secrecy |
DE602008005443D1 (en) * | 2007-04-12 | 2011-04-21 | Intrinsic Id Bv | CONTROLLED ACTIVATION OF A FUNCTION |
US7974409B2 (en) * | 2007-06-28 | 2011-07-05 | Samsung Electronics Co., Ltd. | Changing the order of public key cryptographic computations |
US8473751B2 (en) * | 2007-12-13 | 2013-06-25 | Oberthur Technologies | Method for cryptographic data processing, particularly using an S box, and related device and software |
WO2009083971A2 (en) * | 2007-12-27 | 2009-07-09 | Safend Ltd. | System and method for contextual and behavioral based data access control |
US8422685B2 (en) | 2008-02-26 | 2013-04-16 | King Fahd University Of Petroleum And Minerals | Method for elliptic curve scalar multiplication |
US20090214023A1 (en) * | 2008-02-26 | 2009-08-27 | Al-Somani Turki F | Method for elliptic curve scalar multiplication |
JP4701260B2 (en) * | 2008-03-31 | 2011-06-15 | 株式会社エヌ・ティ・ティ・データ | Information processing apparatus, information processing method, and information processing program |
KR101472777B1 (en) | 2008-06-24 | 2014-12-16 | 한양대학교 에리카산학협력단 | Cryptographic apparatus and method for protecting secret key against scan based side channel attack |
EP2154604A1 (en) * | 2008-08-06 | 2010-02-17 | Gemalto SA | Countermeasure securing exponentiation based cryptography |
JP5447790B2 (en) * | 2009-04-22 | 2014-03-19 | 大日本印刷株式会社 | Derivation method of security token and scramble key |
US8386800B2 (en) | 2009-12-04 | 2013-02-26 | Cryptography Research, Inc. | Verifiable, leak-resistant encryption and decryption |
US8356358B2 (en) * | 2009-12-04 | 2013-01-15 | Altera Corporation | Preventing information leakage between components on a programmable chip in the presence of faults |
US9525548B2 (en) | 2010-10-21 | 2016-12-20 | Microsoft Technology Licensing, Llc | Provisioning techniques |
US8805434B2 (en) * | 2010-11-23 | 2014-08-12 | Microsoft Corporation | Access techniques using a mobile communication device |
US9509686B2 (en) | 2010-12-03 | 2016-11-29 | Microsoft Technology Licensing, Llc | Secure element authentication |
US8752210B2 (en) * | 2012-01-10 | 2014-06-10 | International Business Machines Corporation | Implementing data theft prevention |
US8797059B2 (en) | 2012-03-01 | 2014-08-05 | International Business Machines Corporation | Implementing carbon nanotube based sensors for cryptographic applications |
US8819842B2 (en) | 2012-11-20 | 2014-08-26 | International Business Machines Corporation | Implementing conductive microcapsule rupture to generate a tamper event for data theft prevention |
US9172718B2 (en) * | 2013-09-25 | 2015-10-27 | International Business Machines Corporation | Endpoint load rebalancing controller |
DE102014208855A1 (en) * | 2014-05-12 | 2015-11-12 | Robert Bosch Gmbh | Method for carrying out communication between control units |
EP2950229B1 (en) * | 2014-05-28 | 2018-09-12 | Nxp B.V. | Method for facilitating transactions, computer program product and mobile device |
EP2998977B1 (en) | 2014-09-19 | 2018-07-04 | ABB Schweiz AG | A method for determining the operating status of a mv switching device of the electromagnetic type |
EP3226460A1 (en) * | 2016-04-01 | 2017-10-04 | Institut Mines-Telecom | Secret key estimation methods and devices |
US10771235B2 (en) * | 2016-09-01 | 2020-09-08 | Cryptography Research Inc. | Protecting block cipher computation operations from external monitoring attacks |
FR3061580A1 (en) * | 2017-01-03 | 2018-07-06 | Stmicroelectronics (Rousset) Sas | METHOD AND DEVICE FOR MANAGING POWER CONSUMPTION OF AN INTEGRATED MODULE. |
JP7155173B2 (en) * | 2017-10-18 | 2022-10-18 | クリプトグラフィ リサーチ, インコーポレイテッド | Protecting Modular Inversion Operations from External Observation Attacks |
CN108764892A (en) * | 2018-05-29 | 2018-11-06 | 广东通莞科技股份有限公司 | A kind of encryption system of mobile payment platform |
CN113536351B (en) * | 2021-07-27 | 2023-01-20 | 中国电子科技集团公司第五十八研究所 | Encryption method with permanent encryption based on FLASH type FPGA |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1995016238A1 (en) * | 1993-12-06 | 1995-06-15 | Telequip Corporation | Secure computer memory card |
EP0753816A1 (en) * | 1995-07-07 | 1997-01-15 | Thomson Consumer Electronics, Inc. | A method and apparatus for storing sensitive information securely in a relatively insecure storage medium |
US5745571A (en) * | 1992-03-30 | 1998-04-28 | Telstra Corporation Limited | Cryptographic communications method and system |
WO1999019846A2 (en) * | 1997-10-14 | 1999-04-22 | Visa International Service Association | Personalization of smart cards |
GB2356469A (en) * | 1999-11-17 | 2001-05-23 | Motorola Ltd | Portable data carrier memory management system and method |
Family Cites Families (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH025158A (en) | 1988-06-22 | 1990-01-10 | Fujitsu Ltd | Expanded ic card and its accessing method |
US4888802A (en) | 1988-06-17 | 1989-12-19 | Ncr Corporation | System and method for providing for secure encryptor key management |
US5457748A (en) | 1992-11-30 | 1995-10-10 | Motorola, Inc. | Method and apparatus for improved security within encrypted communication devices |
JPH0895942A (en) | 1994-09-27 | 1996-04-12 | Sanyo Electric Co Ltd | One-chip microcomputer |
JPH09114731A (en) | 1995-10-17 | 1997-05-02 | Sanyo Electric Co Ltd | Microcomputer |
JPH10214232A (en) | 1997-01-30 | 1998-08-11 | Rohm Co Ltd | Ic card, and ic card operating method |
JPH10254848A (en) | 1997-03-10 | 1998-09-25 | Sanyo Electric Co Ltd | One chip micro computer |
JPH10334205A (en) | 1997-05-30 | 1998-12-18 | Toshiba Corp | Ic card and memory package |
ATE325478T1 (en) * | 1998-01-02 | 2006-06-15 | Cryptography Res Inc | LEAK RESISTANT CRYPTOGRAPHIC METHOD AND APPARATUS |
WO1999038078A1 (en) | 1998-01-21 | 1999-07-29 | Tokyo Electron Limited | Storage device, encrypting/decrypting device, and method for accessing nonvolatile memory |
ATE397254T1 (en) | 1998-09-30 | 2008-06-15 | Nxp Bv | DATA PROCESSING DEVICE AND METHOD FOR POWER SUPPLY THEREOF |
CA2258338C (en) | 1999-01-11 | 2009-02-24 | Certicom Corp. | Method and apparatus for minimizing differential power attacks on processors |
JP4083925B2 (en) | 1999-06-24 | 2008-04-30 | 株式会社日立製作所 | Information processing apparatus, card member, and information processing system |
JP4348790B2 (en) | 1999-09-20 | 2009-10-21 | ソニー株式会社 | Semiconductor memory device and semiconductor memory device operation setting method |
JP2002229861A (en) | 2001-02-07 | 2002-08-16 | Hitachi Ltd | Recording device with copyright protecting function |
US7194633B2 (en) * | 2001-11-14 | 2007-03-20 | International Business Machines Corporation | Device and method with reduced information leakage |
Date | Country | Application | Publication | Status |
---|---|---|---|---|
2002-11-05 | IL | IL16165202A | IL161652A0 | unknown |
2002-11-05 | JP | JP2003544566A | JP2005510095A | active, Pending |
2002-11-05 | EP | EP02781474A | EP1449045A2 | not active, Ceased |
2002-11-05 | WO | PCT/IB2002/004620 | WO2003042799A2 | active, Application Discontinuation |
2002-11-05 | US | US10/495,345 | US7543159B2 | not active, Expired - Fee Related |
2002-11-05 | CA | CA2465333A | CA2465333A1 | not active, Abandoned |
2002-11-05 | CN | CNB028227395A | CN100390695C | not active, Expired - Fee Related |
2002-11-05 | KR | KR10-2004-7001298A | KR20040053101A | not active, Application Discontinuation |
2004-04-29 | IL | IL161652A | IL161652A | not active, IP Right Cessation |
2008-05-02 | US | US12/114,024 | US20080222427A1 | not active, Abandoned |
Non-Patent Citations (1)
Title |
---|
FERREIRA R: "THE PRACTICAL APPLICATION OF STATE OF THE ART SECURITY IN REAL ENVIRONMENTS" ADVANCES IN CRYPTOLOGY - AUSCRYPT. SYDNEY, JAN. 8 - 11, 1990, PROCEEDINGS OF THE INTERNATIONAL CONFERENCE ON CRYPTOLOGY - AUSCRYPT, BERLIN, SPRINGER, DE, vol. CONF. 1, 8 January 1990 (1990-01-08), pages 334-355, XP000145211 ISBN: 3-540-53000-2 * |
Cited By (24)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2005041000A1 (en) * | 2003-10-23 | 2005-05-06 | Koninklijke Philips Electronics N.V. | Method for protecting information carrier comprising an integrated circuit |
JP2005235225A (en) * | 2004-02-20 | 2005-09-02 | Hewlett-Packard Development Co Lp | Standalone memory device, and system and method using it |
CN100353276C (en) * | 2004-06-24 | 2007-12-05 | 株式会社东芝 | Microprocessor |
CN100354787C (en) * | 2004-06-24 | 2007-12-12 | 株式会社东芝 | Microprocessor |
WO2006003558A2 (en) * | 2004-06-30 | 2006-01-12 | Koninklijke Philips Electronics N.V. | Device for using encrypted data and method thereto |
WO2006003558A3 (en) * | 2004-06-30 | 2006-03-30 | Koninkl Philips Electronics Nv | Device for using encrypted data and method thereto |
US8395488B2 (en) | 2006-12-22 | 2013-03-12 | Nxp B.V. | Method for storing data as well as a transponder, a read/write-device, a computer readable medium including a program element and such a program element adapted to perform this method |
WO2008078217A2 (en) * | 2006-12-22 | 2008-07-03 | Nxp B.V. | A method for storing data as well as a transponder, a read/write-device, a computer readable medium including a program element and such a program element adapted to perform this method |
WO2008078217A3 (en) * | 2006-12-22 | 2008-08-21 | Nxp Bv | A method for storing data as well as a transponder, a read/write-device, a computer readable medium including a program element and such a program element adapted to perform this method |
WO2008078216A3 (en) * | 2006-12-22 | 2008-08-21 | Nxp Bv | A method for storing data in a rfid transponder |
WO2008078216A2 (en) * | 2006-12-22 | 2008-07-03 | Nxp B.V. | A method for storing data in a rfid transponder |
US8341361B2 (en) | 2006-12-22 | 2012-12-25 | Nxp B.V. | Method for storing data as well as a transponder, a read/write-device, a computer readable medium including a program element and such a program element adapted to perform this method |
US8688929B2 (en) | 2006-12-22 | 2014-04-01 | Nxp B.V. | Method for storing data as well as a transponder, a read/write-device, a computer readable medium including a program element and such a program element adapted to perform this method |
US9003133B2 (en) | 2006-12-22 | 2015-04-07 | Nxp, B.V. | Apparatus for storing/reading data in a memory array of a transponder |
WO2008081370A2 (en) * | 2006-12-27 | 2008-07-10 | Nxp B.V. | A method for storing data in a rfid transponder |
WO2008081370A3 (en) * | 2006-12-27 | 2008-08-28 | Nxp Bv | A method for storing data in a rfid transponder |
US8362881B2 (en) | 2006-12-27 | 2013-01-29 | Nxp B.V. | Method for storing data as well as a transponder, a read/write-device, a computer readable medium including a program element and such a program element adapted to perform this method |
US9342776B2 (en) | 2006-12-27 | 2016-05-17 | Nxp B.V. | Method for storing data as well as transponder, a read/write-device, a computer readable medium including a program element and such a program element adapted to perform this method |
US8732455B2 (en) | 2008-07-25 | 2014-05-20 | Infotect Security Pte Ltd | Method and system for securing against leakage of source code |
WO2011038443A1 (en) * | 2009-09-29 | 2011-04-07 | Silverbrook Research Pty Ltd | Communication system, method and device with limited encryption key retrieval |
US8635455B2 (en) | 2009-09-29 | 2014-01-21 | Zamtec Ltd | Encrypted communication device with restricted rate of encryption key retrievals from memory |
KR101347001B1 (en) | 2009-09-29 | 2014-01-02 | 잼텍 리미티드 | Communication system, method and device with limited encryption key retrieval |
US8615085B2 (en) | 2009-09-29 | 2013-12-24 | Zamtec Ltd | Encrypted communication system with limited number of stored encryption key retrievals |
TWI673609B (en) * | 2014-10-10 | 2019-10-01 | 美商波音公司 | System and method for reducing information leakage from memory |
Also Published As
Publication number | Publication date |
---|---|
EP1449045A2 (en) | 2004-08-25 |
CN1589424A (en) | 2005-03-02 |
KR20040053101A (en) | 2004-06-23 |
JP2005510095A (en) | 2005-04-14 |
WO2003042799A3 (en) | 2003-11-27 |
US20080222427A1 (en) | 2008-09-11 |
CN100390695C (en) | 2008-05-28 |
US7543159B2 (en) | 2009-06-02 |
US20060090081A1 (en) | 2006-04-27 |
CA2465333A1 (en) | 2003-05-22 |
IL161652A0 (en) | 2004-09-27 |
IL161652A (en) | 2013-05-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7543159B2 (en) | Device and method with reduced information leakage | |
US7194633B2 (en) | Device and method with reduced information leakage | |
US20040025032A1 (en) | Method and system for resistance to statiscal power analysis | |
CA2333095C (en) | Improved des and other cryptographic processes with leak minimization for smartcards and other cryptosystems | |
Messerges et al. | Examining smart-card security under the threat of power analysis attacks | |
Kocher et al. | Introduction to differential power analysis and related attacks | |
US20030140240A1 (en) | Hardware-level mitigation and DPA countermeasures for cryptographic devices | |
RU2579990C2 (en) | Protection from passive sniffing | |
JP2004304800A (en) | Protection of side channel for prevention of attack in data processing device | |
Borst et al. | Cryptography on smart cards | |
JP4386766B2 (en) | Error detection in data processing equipment. | |
Cayrel et al. | Secure implementation of the stern authentication and signature schemes for low-resource devices | |
AU2002348963A1 (en) | Device and method with reduced information leakage | |
EP1802024B1 (en) | Balanced cryptographic computational method and apparatus for leak minimization in smartcards and other cryptosystems | |
EP1933496A2 (en) | Improved DES and other cryptographic processes with leak minimization for smartcards and other cryptosystems | |
CA2397615A1 (en) | Method and system for resistance to statistical power analysis | |
CA2398441A1 (en) | Method and apparatus for balanced electronic operations | |
David | Lightweight Cryptography for Passive RFID Tags | |
CA2397077A1 (en) | Encoding method and system resistant to power analysis |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states | Kind code of ref document: A2 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG US UZ VN YU ZA ZM ZW |
AL | Designated countries for regional patents | Kind code of ref document: A2 Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LU MC NL PT SE SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | ||
WWE | Wipo information: entry into national phase | Ref document number: 1020047001298 Country of ref document: KR |
WWE | Wipo information: entry into national phase | Ref document number: 2465333 Country of ref document: CA |
WWE | Wipo information: entry into national phase | Ref document number: 161652 Country of ref document: IL |
WWE | Wipo information: entry into national phase | Ref document number: 2002781474 Country of ref document: EP |
WWE | Wipo information: entry into national phase | Ref document number: 2002348963 Country of ref document: AU |
WWE | Wipo information: entry into national phase | Ref document number: 2003544566 Country of ref document: JP |
WWE | Wipo information: entry into national phase | Ref document number: 20028227395 Country of ref document: CN |
WWP | Wipo information: published in national office | Ref document number: 2002781474 Country of ref document: EP |
ENP | Entry into the national phase | Ref document number: 2006090081 Country of ref document: US Kind code of ref document: A1 |
WWE | Wipo information: entry into national phase | Ref document number: 10495345 Country of ref document: US |
WWP | Wipo information: published in national office | Ref document number: 10495345 Country of ref document: US |
WWR | Wipo information: refused in national office | Ref document number: 2002781474 Country of ref document: EP |
WWW | Wipo information: withdrawn in national office | Ref document number: 2002781474 Country of ref document: EP |