WO2006005685A1 - Storage of keys of a public key algorithm in an integrated environment - Google Patents


Info

Publication number: WO2006005685A1
Authority: WO
Grant status: Application
Prior art keywords: key, object, public key, method, public
Application number: PCT/EP2005/053084
Other languages: French (fr)
Inventors: Charles Coulier, Olwehn Morvan
Original Assignee: Gemplus

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/77 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in smart cards

Abstract

The invention concerns a method for storing a key of a public key algorithm in a portable apparatus provided with a programme interpreter written in an object-oriented language, said method comprising the following steps: creating in the apparatus at least one container object (5), storing the elements of a private key (54, 72) and at least one element (53, 73) of an associated public key; creating in the apparatus at least one key object (3) not containing any element of the private key or of the associated public key; associating the key object with at least one method for accessing the stored elements in the container object. The invention enables the space occupied by the elements of the keys to be reduced.

Description

STORAGE OF KEYS OF A PUBLIC KEY ALGORITHM IN AN EMBEDDED ENVIRONMENT

The invention relates to the storage of keys for public key algorithms, and especially to key storage in embedded environments, for example in smart cards.

Public key algorithms require the use of a public key and a private key. These keys are mathematically related and form a pair. While the public key is meant to be distributed without restriction, the private key must be kept confidential to ensure the security of the algorithm. These keys are therefore generally compartmentalised rather strictly.

Some smart cards or portable devices have an embedded virtual machine, for example of the JavaCard (trademark) type, as well as applications that use public key algorithms such as RSA (encryption, electronic signature). This type of virtual machine imposes strict, mutually exclusive access to the public key and to the private key respectively. A public key object contains, for example, the elements n and e (modulus and public exponent). The methods associated with this key object are used to let the user read its elements. A private key object contains either the elements d and n if the key is stored in standard format (d being the private exponent and n the modulus), or the elements p, q, dp, dq and iq if the key is stored in CRT format. In addition, a class, called KeyPair in the JavaCard example, is provided in order to associate a public key and a private key, and thereby to generate pairs of mathematically related keys.

The storage and use of such keys are problematic in embedded devices and especially in smart cards.

Stored keys occupy a significant amount of space in the device memory, to the detriment of other applications. This occupied space may represent a relatively large proportion of the available memory. In addition, to meet the constraint of strict independence between the public key and the private key, the modulus is duplicated in each of these keys. For example, the modulus of an RSA 2048 key occupies at least 256 bytes.

Some attack methods consist of forcing the smart card to generate faulty signatures, for example by subjecting it to power supply disturbances. Mathematical exploitation of the faulty signature then makes it possible to determine private elements. Some cards implement algorithms that verify the generated electronic signature. In principle, the signature verification should be done with the public exponent. However, due to the strict independence between the public and private keys, either the public exponent or other public elements are stored in the private key object. The security level of the verification of generated signatures is then not optimal.

There is therefore a need for a method of storing a key of a public key algorithm in a portable device provided with an interpreter of programs written in an object-oriented language, comprising the steps of:

- creating in the device at least one container object (5), storing at least one element of a private key (54, 72) and at least one element (53, 73) of an associated public key;

- creating in the device at least one key object (3) not containing any element of the private key or of the public key;

- associating the key object with at least one method for accessing elements stored in the container object.

According to a variant, the step of associating the key object with an access method consists of associating with this object, called the public key object, a method for accessing only the public key elements stored in the container object. According to another variant, the step of associating the key object with an access method consists of associating with this object, called the private key object, a method for accessing only the private key elements stored in the container object.

It is then possible that the method further comprises the steps of:

- creating in the device at least one other key object (3) not containing any element of the private key or of the public key;

- associating the other key object, called the public key object, with at least one method for accessing the public key elements stored in the container object.

According to another variant:

- the private key and the public key are associated with an RSA encryption algorithm in standard mode;

- the container object stores the elements n, e and d, where n is the RSA modulus, e is the public exponent and d is the private exponent;

- the access method associated with the private key object further provides access to n and d;

- the access method associated with the public key object provides access only to the elements n and e.

According to yet another variant:

- the private key and the public key are associated with an RSA encryption algorithm in CRT mode;

- the container object stores the elements n, e, p, q, dp, dq and iq, such that dp = d mod (p-1), dq = d mod (q-1) and iq = q^(-1) mod p, where n is the RSA modulus, p and q are distinct primes and e is the public exponent;

- the access method associated with the private key object also provides access to p, q, dp, dq and iq;

- the access method associated with the public key object provides access only to the elements n and e.

It can further be provided that the portable device is controlled by an interpreter of the Java or JavaCard kind.

The invention also relates to a signature method in which the private key and the public key are associated with an RSA encryption algorithm, said method comprising the steps of the above storage methods and the steps of:

- generating an electronic signature by means of the private key;

- reading the public exponent e by a method associated with the container object;

- verifying the generated electronic signature using the public exponent e;

- providing the verified electronic signature on an output of the electronic device.

The invention also relates to a portable electronic apparatus having a memory storing an application implementing a public key algorithm, a private key stored in memory by any of the above methods, and a calculation unit capable of executing said application. According to a variant, the portable electronic device is a smart card.

Other features and advantages of the invention will be apparent from the description given below, by way of indication and without limitation, with reference to the accompanying drawings, wherein:

FIG 1 illustrates objects stored in a smart card according to a first variant of the invention;

FIG 2 illustrates objects stored in a smart card according to a second variant of the invention.

The invention proposes to create an object associated with a key of a public key algorithm. This object contains no element of the public key or of the private key. A container object is created to store the elements of the private key and some elements of the public key. An access method is associated with the key object to access elements stored in the container object.

Storing the different elements in a single container object reduces the memory space occupied by these elements, because some of them (e.g. the modulus) are shared.

The invention is applicable to a portable digital device (not shown) that carries at least one application using a public key algorithm. This device also has an interpreter of programs written in an object-oriented language such as Java or JavaCard (trademark). The interpreter and the application are, for example, stored in a non-volatile memory included in the portable digital device, such as an EEPROM. The device is also provided with means for executing the public key application.

FIG 1 illustrates a first variant of the invention. In this variant, a "key pair" object 1 is first created in the non-volatile memory of the device. This object 1 has a header 11 and is associated, through field 14, with at least one method for generating a key pair. This method is called in a known manner to generate a pair of mathematically related keys, comprising a public key and a private key. It is also conceivable that the keys are created in advance and stored in the device during a loading operation.

An object 2 is created for the public key and an object 3 is created for the private key. Object 1 has fields 12 and 13, which contain a reference to the public key object 2 and to the private key object 3 respectively. Objects 2 and 3 have headers 21 and 31 respectively. The key objects 2 and 3 are stored in a non-volatile memory of the device. Note that these objects 2 and 3 contain no element of the key pair created. The key pair generation method also includes creating a container object 5, shared by the public key and the private key. Objects 2 and 3 have fields 22 and 32 respectively, containing references to the container object 5. From within the methods of each key object, predefined elements of the container object 5 can be accessed. This container object 5 comprises a header 51 and all the elements, divided among several fields 52 to 54. The container object 5 is also stored in a non-volatile memory of the device. The elements of the key pair are not stored in the key objects but in the container object 5. Thus, access to an element of the container object 5 can be managed simply at the level of the methods associated with key objects 2 and 3. The partition between the public key object and the private key object is thus achieved by the respective access methods of objects 2 and 3 to the elements of the container object 5.

In the example of Figure 1, the elements stored in the container object 5 are associated with a standard RSA algorithm. The public key object 2 is associated with a method for accessing the public elements of the container object 5. These elements are in this case n (modulus) and e (public exponent), and are stored in fields 52 and 53 respectively. The public key object 2 is however not associated with a method for accessing a private element of the container object 5. Thus, no method associated with the public key object 2 allows access to elements of the private key.

The private key object 3 is associated with a method for accessing only the private elements of the container object 5. Field 54 contains the private elements (in this case the private exponent d). No access method associated with the private key object makes it possible to retrieve the public key elements.

According to the variant shown in Figure 2, the device stores only a private key object 6 and no public key object. Object 6 contains a header 61 and a field 62 containing a reference to the container object 7. Object 6 is associated with a method for accessing only the private elements (p, q, dp, dq and iq).

The container object 7 includes a header 71 and element fields 72 and 73. Field 72 contains the private elements p, q, dp, dq and iq (elements for RSA encryption in CRT mode, with dp = d mod (p-1), dq = d mod (q-1) and iq = q^(-1) mod p) and field 73 contains the public element e.

In both examples, the container object 5 or 7 can store a method for retrieving public elements, in particular the public exponent e. This method is made usable only by a verification function that uses the public exponent e to test the validity of signatures generated from the private elements. An invalid signature will not be applied to the output of the electronic device. A fault injection attack during signature generation will therefore be ineffective.

This cryptographic verification function can be included without unduly increasing the space occupied in the non-volatile memory of the digital device. Indeed, a single copy of the exponent e is accessible through an access method of the public key object and is also used by the verification function.
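
The shared container with its reference-only key objects, and the verify-before-output step described above, modelled in Python as an added example. This is not code from the patent: the class names, the fault_mask parameter and the toy key are assumptions made for illustration.

```python
# Added illustration, not code from the patent. Class and method names are
# hypothetical; Python does not enforce access control, so the underscore
# fields stand in for what the card's interpreter would protect.

class KeyContainer:
    """Container object: the only place key elements are stored (CRT mode)."""

    def __init__(self, p, q, e):
        d = pow(e, -1, (p - 1) * (q - 1))       # private exponent, not kept
        self._n, self._e = p * q, e             # public elements, one copy
        self._p, self._q = p, q                 # private elements
        self._dp, self._dq = d % (p - 1), d % (q - 1)
        self._iq = pow(q, -1, p)                # iq = q^(-1) mod p

    def check_signature(self, m, s):
        """Verification function: reads e from the container itself."""
        return pow(s, self._e, self._n) == m % self._n


class PublicKey:
    """Key object holding a reference only; its methods reach n and e."""

    def __init__(self, container):
        self._c = container

    def modulus(self):
        return self._c._n

    def exponent(self):
        return self._c._e


class PrivateCrtKey:
    """Key object holding a reference only; reaches p, q, dp, dq and iq."""

    def __init__(self, container):
        self._c = container

    def sign(self, m, fault_mask=0):
        """Sign m with CRT, then verify with e before releasing the result.

        fault_mask models a computation error in the mod-p half (a
        constructed fault model). Returns None when the check fails, so a
        faulty signature never reaches the output.
        """
        c = self._c
        sp = pow(m, c._dp, c._p) ^ fault_mask
        sq = pow(m, c._dq, c._q)
        s = sq + c._q * ((c._iq * (sp - sq)) % c._p)   # Garner recombination
        return s if c.check_signature(m, s) else None


def build_demo():
    # Constructed toy key: two Mersenne primes, far too small for real use.
    container = KeyContainer(p=2**61 - 1, q=2**89 - 1, e=65537)
    return container, PublicKey(container), PrivateCrtKey(container)


if __name__ == "__main__":
    container, pub, priv = build_demo()
    m = 0x1234567890ABCDEF                      # constructed message value
    print("good signature released:", priv.sign(m) is not None)
    print("faulted signature released:", priv.sign(m, fault_mask=1) is not None)
    print("modulus stored once:", pub._c is priv._c)
```
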

Claims

1. A method of storing a key of a public key algorithm in a portable device provided with an interpreter of programs written in an object-oriented language, characterized in that it comprises the steps of:
- creating in the device at least one container object (5), storing at least one element of a private key (54, 72) and at least one element (53, 73) of an associated public key;
- creating in the device at least one key object (3), called the private key object, not containing any element of the private key or of the public key;
- associating the private key object with at least one method for accessing only the private key elements stored in the container object;
- creating in the device at least one other key object (3), called the public key object, not containing any element of the private key or of the public key;
- associating the public key object with at least one method for accessing only the public key elements stored in the container object.
2. A storage method according to claim 1, characterized in that:
- the private key and the public key are associated with an RSA encryption algorithm in standard mode;
- the container object stores the elements n, e and d, where n is the RSA modulus, e is the public exponent and d is the private exponent;
- the access method associated with the private key object further provides access to n and d;
- the access method associated with the public key object provides access only to the elements n and e.
3. A storage method according to claim 1, characterized in that:
- the private key and the public key are associated with an RSA encryption algorithm in CRT mode;
- the container object stores the elements n, e, p, q, dp, dq and iq, such that dp = d mod (p-1), dq = d mod (q-1) and iq = q^(-1) mod p, where n is the RSA modulus, p and q are distinct primes and e is the public exponent;
- the access method associated with the private key object also provides access to p, q, dp, dq and iq;
- the access method associated with the public key object provides access only to the elements n and e.
4. A storage method according to any one of the preceding claims, characterized in that the portable device is controlled by an interpreter of the Java or JavaCard kind.
5. A signature method in which the private key and the public key are associated with an RSA encryption algorithm, said method comprising the steps of the storage method according to any one of the preceding claims and the following steps:
- generating an electronic signature by means of the private key;
- reading the public exponent e by a method associated with the container object;
- verifying the generated electronic signature using the public exponent e;
- providing the verified electronic signature on an output of the electronic device.
6. A portable electronic apparatus, characterized in that it has a memory storing an application implementing a public key algorithm, a private key stored in the memory by the method according to any one of claims 1 to 5, and a calculation unit capable of executing said application.
7. A portable electronic device according to claim 6, characterized in that it is a chip card.
PCT/EP2005/053084 2004-07-12 2005-06-29 Storage of keys of a public key algorithm in an integrated environment WO2006005685A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
FR0407761 2004-07-12
FR0407761A FR2872936B1 (en) 2004-07-12 2004-07-12 Storage of keys of a public key algorithm in an embedded environment

Publications (1)

Publication Number Publication Date
WO2006005685A1 (en) 2006-01-19

Family

ID=34947691

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2005/053084 WO2006005685A1 (en) 2004-07-12 2005-06-29 Storage of keys of a public key algorithm in an integrated environment

Country Status (2)

Country Link
FR (1) FR2872936B1 (en)
WO (1) WO2006005685A1 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020120842A1 (en) * 2000-11-29 2002-08-29 Helge Bragstad Method, apparatus and computer program product for interoperable cryptographic material

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
BURTON S. KALISKI, MATTHEW J.B. ROBSHAW: "Comments on Some New Attacks on Cryptographic Devices" RSA LABORATORIES BULLETIN, [Online] no. 5, 1997, XP002321070 Retrieved from the Internet: URL:http://www.comms.scitech.susx.ac.uk/ff t/crypto/RSAbulletin/bulletn5.pdf> [retrieved on 2005-03-04] *
JAVA CRYPTOGRAPHY ARCHITECTURE, [Online] 4 August 2002 (2002-08-04), XP002321071 API SPECIFICATION AND REFERENCE Retrieved from the Internet: URL:http://java.sun.com/j2se/1.4.2/docs/gu ide/security/CryptoSpec.html#KeystoreLocat ion> [retrieved on 2005-03-10] *
SCHEIBELHOFER K.: "Using Opencard in combination with the java cryptographic architecture for digital signing" PROCEEDINGS OF GEMPLUS DEVELOPER CONFERENCE GDC'200, [Online] 20 June 2000 (2000-06-20), XP002321069 MONTPELLIER Retrieved from the Internet: URL:http://www.iaik.tu-graz.ac.at/research /publications/2000/gdc2000.pdf> [retrieved on 2005-03-10] *

Also Published As

Publication number Publication date Type
FR2872936B1 (en) 2007-02-16 grant
FR2872936A1 (en) 2006-01-13 application

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

NENP Non-entry into the national phase in:

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct app. not ent. europ. phase