WO2006039967A1 - Secure loading and storing of data in a data processing device - Google Patents

Secure loading and storing of data in a data processing device Download PDF

Info

Publication number
WO2006039967A1
WO2006039967A1 PCT/EP2005/009624 EP2005009624W WO2006039967A1 WO 2006039967 A1 WO2006039967 A1 WO 2006039967A1 EP 2005009624 W EP2005009624 W EP 2005009624W WO 2006039967 A1 WO2006039967 A1 WO 2006039967A1
Authority
WO
WIPO (PCT)
Prior art keywords
data item
data
hash value
version
processing device
Prior art date
Application number
PCT/EP2005/009624
Other languages
French (fr)
Inventor
Christian Gehrmann
Bernard Smeets
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from EP04388069A external-priority patent/EP1645931A1/en
Application filed by Telefonaktiebolaget Lm Ericsson (Publ) filed Critical Telefonaktiebolaget Lm Ericsson (Publ)
Priority to US11/577,084 priority Critical patent/US8627086B2/en
Priority to JP2007535036A priority patent/JP4856080B2/en
Publication of WO2006039967A1 publication Critical patent/WO2006039967A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • Embedded systems like mobile phones and other data processing devices depend on the execution of correct software that has not been manipulated in an unauthorised way. Manipulation of the software might lead to incorrect behavior of the device or even a breaking of the fundamental security features of the device. Hence, it is particularly important to protect the core software of the device. This can for example be achieved by storing the program into a protected memory.
  • the memory can either be physically protected from illegal access or protected by cryptographic methods. In practice it is hard or expensive to produce memory with good physical protection and especially to protect the memory interfaces. Consequently, the most attractive solution is to use some type of cryptographic protection of the software stored in the memory.
  • US patent no. 6,026,293 discloses a method for preventing electronic memory tampering in an electronic device. According to this prior art method, when the electronic device is to be reprogrammed by a data transfer device, the electronic device initiates a public/private key based challenge-response authentication scheme to authenticate the data transfer device. Once authenticated, the data transfer device is permitted access to reprogram the memory. Following the reprogramming of the memory, the electronic device performs a hash calculation of the modified memory contents.
  • the calculated hash value is sent to the data transfer device for a digital signature, and the signed hash value is returned to the electronic device for storage.
  • the signed hash value is subsequently used for auditing the integrity of the memory content, e.g. during boot-up or periodically.
  • performing a cryptographic authentication process comprises calculating an audit hash value of at least the received data item; and wherein the integrity protecting further comprises calculating a reference message authentication code value of at least the audit hash value using a secret key stored in the data processing device as an input.
  • the audit hash value calculated during the loading process is calculated from the received payload data, and the audit hash value is subsequently re-used during the calculation of the message authentication code, the number of necessary computations performed during the software loading is reduced, thereby increasing the computational efficiency of the method.
  • the integrity protection is independent of any external cryptographic keys and, in particular, does not depend on a public key signature mechanism. It is an advantage that symmetric key based integrity checks, i.e. integrity checks based on a message authentication code, are computationally more efficient than public key based integrity checks involving signature verification.
  • the term data processing device is intended to comprise any electronic device comprising a data memory on which data can be loaded from an external source, e.g. from a data transfer system.
  • the term data processing device is intended to comprise any electronic equipment portable radio communications equipment and other handheld or portable devices.
  • portable radio communications equipment includes all equipment such as mobile telephones, pagers, communicators, electronic organisers, smart phones, personal digital assistants (PDAs), handheld computers, or the like.
  • payload data item is intended to include any data loaded into the data processing device.
  • payload data item is intended to include configuration data, program code, e.g. platform software or application software intended for execution by the device, or the like.
  • the cryptographic authentication process may be any suitable cryptographic process for verifying the authenticity of the received data, i.e. to ensure that the data was in fact sent by the entity whose name it carries and that it was not forged or modified.
  • the cryptographic authentication process includes - receiving a reference hash value
  • the cryptographic authentication process includes digitally signing the data item according to a public key cryptosystem.
  • the digital signing of software is an efficient and secure principle for the verification of software loaded into a mobile device. Successful verification of the signature guarantees that the software has been issued by a legitimate source.
  • digital signatures based on public key techniques have the advantage that the public key used for verification does not need to be confidentiality protected at transfer or storage. Hence, the same public key can be installed in a large number of devices without compromising security. This allows efficient procedures for fast and secure software upgrade.
  • the method comprises - receiving the payload data item, a digital signature data item and a digitally signed digital certificate data item, wherein the digital certificate data item includes a first public key and wherein the digital signature data item includes a reference hash value encrypted with a first private key corresponding to the first public key;
  • the data processing device may receive more than one digital certificate forming a certificate chain, wherein one certificate of the chain is verified by the public root key stored in the data processing device.
  • the reference hash value is cryptographically authenticated; and calculating the reference message authentication code value is performed only if the reference hash value is successfully authenticated. Consequently, execution of the message authentication code procedure in the data processing device is conditioned on the receipt of an authenticated reference hash value, thereby reducing the risk of an adversary utilising the message authentication code procedure of the data processing device to calculate unauthorised message authentication code values.
  • MAC Message authentication codes
  • a MAC is a function that takes a variable length input and a key to produce a fixed-length output, the so-called MAC value or tag value.
  • MACs are typically used between two parties that share a secret key in order to validate information transmitted between these parties.
  • a MAC is calculated by applying a one-way hash function to the payload data and encrypting the result using a secret key.
  • suitable MAC functions that can be combined with a cryptographic hash function include HMAC (Keyed-Hashing for Message Authentication), Cipher Block Chaining (CBC) MAC using for example AES or a secure one-way hash function.
  • a message authentication code is used to check the integrity of data stored in an unreliable or insecure medium, i.e. in this situation the MAC is used by only one party, i.e. the data processing device, when storing and retrieving the payload data item.
  • the integrity protecting comprises storing the calculated reference message authentication code value in relation to the received payload data item, thereby making it available for subsequent memory audits of the payload data item by the data processing device.
  • the device calculates the message authentication code value of the stored payload data item using the secret key stored in the device, and compares the result with the previously stored reference MAC value. Consequently, in this embodiment, the secret key need only be known to the digital processing device.
  • the secret key is a secret data item unique to the data processing device, e.g. a secret data item known only to the data processing device.
  • calculating the reference message authentication code value further comprises calculating the reference message authentication code value of a combined data item derived from at least the audit hash value and a random number. It is an advantage of this embodiment, that the input to the MAC is not entirely dependant on the result of the authentication process, thereby further increasing the security of the data protection.
  • calculating the reference message authentication code value further comprises calculating the reference message authentication code value of a combined data item derived from at least the audit hash value and a version control data item, the integrity protection is efficiently combined with a version control mechanism, since a subsequent memory audit will only be successful if both the memory content and the version control information are consistent.
  • the version control data record is stored in a version control data structure, the version control data record including information about the received payload data item including at least the version control data item.
  • the control data structure is integrity protected.
  • the version control data record comprises a version counter. In some embodiments, the version control data record further comprises a back counter identifying a number of previous versions that may replace the current version of the payload data item, thereby providing a simple and efficient version control mechanism including a mechanism for controlling backward compatibility.
  • delta file In known software upgrade schemes where existing software is upgraded by a new version of the software, the software upgrade is often received as a so-called delta file or delta update. Such delta updates include differences of the new (updated) software relative to the current software, thereby reducing the size of the upgrade packet.
  • the update file also includes commands to control the generation of the updated software version from the current software and the received update.
  • Delta-file techniques as such are known in the art and described in e.g. "Delta storage for arbitrary non-text files", by Christian Reichenberger, Proc. Of the 3rd International Workshop on Software Configuration Management, pp. 144- 152, Norway, June 1991. It is desirable to provide an efficient security mechanism that can also be applied to delta updates.
  • receiving the payload data item comprises receiving a delta update of a previously received current data item, and generating the payload data item as an updated payload data item from the previously received current data item and the received delta update.
  • the updated payload data item is generated and the audit hash value is calculated from the generated updated payload data item. Consequently, the audit hash value can again be re-used for the calculation of the reference message authentication code of the updated payload data that is stored in the device.
  • calculating the reference message authentication code value comprises calculating the reference message authentication code value from a combined data item derived from the determined reference hash value and at least a part of a version, control data record, the version control data record including version control information about the current version of the data item.
  • the integrity protection of the stored payload data is efficiently combined with a secure version control of the stored data.
  • the reference hash value of at least the data item may be determined by calculating the hash value from the data item or by receiving the hash value together with the data item or from an authentication process in connection with the receipt of the data item as described herein.
  • combined data item is intended to comprise any data item generated as a function of two or more data items, e.g. as a concatenation of the two or more data items where one data item is appended to the other.
  • the combined data item derived from the determined reference hash value and at least a part of a version control data record is generated as a function of at least the reference hash value and of at least a part of a version control data record.
  • the version control data record is integrity protected.
  • the version control data record comprises a version counter; and calculating the reference message authentication code value comprises calculating a reference message authentication code value from a combined data item derived from the determined audit hash value and at least the version counter.
  • the version control data record further comprises a back counter identifying a number of previous versions that may replace the current version of the payload data item, thereby providing a simple and efficient version control mechanism including a mechanism for controlling backward compatibility.
  • calculating the reference message authentication code value comprises calculating a reference message authentication code value from a combined data item derived from the determined reference hash value and at least the back counter.
  • the version control data record further comprises the reference hash value for the current version of the data item, thereby providing a compact fingerprint of the data item.
  • the secret key is only known to the digital processing device. Furthermore, the secret key may be a secret data item unique to the data processing device.
  • the payload data is loaded by the first-mentioned method, thereby efficiently combining a secure loading and storing with a secure version control.
  • the method further comprises
  • the method further comprises generating the version control data record; and storing the version control data record in a version control data structure, thereby making it available for a subsequent memory audit.
  • a method of verifying the integrity of a current version of a data item stored in a data processing device comprises
  • the method further comprises retrieving a version control data record, the version control data record including version control information about the current version of the data item;
  • calculating the audit message authentication code value comprises calculating an audit message authentication code value from a combined data item derived from the calculated audit hash value and at least a part of the version control data record.
  • a data processing device comprises a first processing circuit adapted to perform the method of loading data into a data processing device described above and in the following.
  • the security mechanism described herein may advantageously be applied to devices having a multi-chip architecture.
  • a first one of the chips accesses a memory via a second one of the chips, it is particularly important for the first chip to ensure data authenticity and integrity of the memory content.
  • the data processing device further comprises storage means adapted to store the received payload data item; and a second processing circuit connected to the storage means and to the first processing circuit; wherein the second processing circuit is adapted to provide to the first processing circuit at least read access to the storage means.
  • the first processing circuit comprises local storage means for storing a root public key of an asymmetric cryptographic system. In a further embodiment, the first processing circuit comprises local storage means for storing said secret key, thereby providing secure storage under the control of the first chip of the cryptographic keys used in the data authenticity and integrity mechanism.
  • a data processing device comprises storage means for storing a current version of a data item and a version control data record, the version control data record including version control information about the current version of the data item; and processing means adapted to perform the method of verifying the integrity of a current version of a data item described above and in the following.
  • processing means comprises any circuit and/or device suitably adapted to perform the above functions.
  • the above term comprises general- or special-purpose programmable microprocessors, Digital Signal Processors (DSP), Application Specific Integrated Circuits (ASIC), Programmable Logic Arrays (PLA) 1 Field Programmable Gate Arrays (FPGA), special purpose electronic circuits, etc., or a combination thereof.
  • DSP Digital Signal Processors
  • ASIC Application Specific Integrated Circuits
  • PDA Programmable Logic Arrays
  • FPGA Field Programmable Gate Arrays
  • special purpose electronic circuits etc., or a combination thereof.
  • a computer program comprises program code means adapted to cause a data processing device to perform the steps of the method described above and in the following, when said computer program is run on the data processing device.
  • the program code means may be loaded in a memory, such as a RAM (Random Access Memory), from a storage medium or from another computer via a computer network.
  • a memory such as a RAM (Random Access Memory)
  • RAM Random Access Memory
  • the described features may be implemented by hardwired circuitry instead of software or in combination with software.
  • fig. 1 shows a schematic block diagram of a system for loading data into a mobile terminal
  • fig. 2 shows a schematic block diagram of an example of a mobile terminal with a single chip architecture
  • fig. 3 shows a schematic block diagram of an example of a mobile terminal with a two-chip architecture
  • fig. 4 shows a schematic block diagram of another example of a mobile terminal with a two-chip architecture
  • fig. 5 illustrates an example of a message structure used in a loading process for loading software into a mobile terminal
  • fig. 6 shows a flow diagram of a software loading process for a first-time load of a software version
  • fig. 7 illustrates the calculation of an embodiment of a message authentication code
  • fig. 8 illustrates the calculation of another embodiment of a message authentication code including a version control mechanism
  • fig. 9 shows a flow diagram of the version control process
  • fig. 10 illustrates an example of a version control mechanism
  • fig. 11 shows a flow diagram of a software loading process for a software upgrade
  • Fig. 1 shows a schematic block diagram of a system for loading data into a mobile terminal.
  • the system comprises a loading station 101 and a mobile terminal 102.
  • the loading station may be a conventional, suitably programmed computer, e.g. a PC, comprising a suitable communications interface.
  • the loading station may generate the payload data, e.g. a software version, configuration data, and/or the like, to be loaded.
  • the loading station may generate the digital signature and certificate to be loaded together with the payload data.
  • the loading station receives the payload data and the header information from a remote computer, e.g. a personal computer, a work station, a network server, etc.
  • the data may be received via a computer network, e.g. the Internet, a local area network, an intranet, an extranet, etc., or by any other suitable means, e.g.
  • the calculation of the signature and the generation of the certificate may be performed by the remote computer rather than the loading station.
  • the loading station performs, in cooperation with the mobile terminal, the loading of the data into the mobile terminal.
  • the mobile terminal 102 comprises a communications interface 104 comprising circuitry and/or devices suitable for enabling the mobile terminal to communicate data with the loading station via a wired or wireless communications link 103 such as a direct data link, a communications network, or the like.
  • a wired or wireless communications link 103 such as a direct data link, a communications network, or the like.
  • the data may be loaded via a local short range wireless communications link, e.g. a Bluetooth connection, an infrared connection, or the like, or via a wired interface.
  • the data may be loaded into the mobile terminal via a communications network, e.g. over-the-air (OTA) via a cellular telecommunications network, e.g. GSM WCDMA, or the like.
  • OTA over-the-air
  • suitable communications units include a wired serial connection, such as an RS-232 link, a USB connection, a FireWire connection as described in the IEEE 1394 standard, or the like.
  • Further examples include a wireless infrared interface, or an RF interface, such as the main antenna of a cellular telephone (not shown), or another antenna within the cellular telephone, such as a Bluetooth transceiver, or the like.
  • Other examples of suitable interfaces include a cable modem, a telephone modem, an Integrated Services Digital Network (ISDN) adapter, a Digital Subscriber Line (DSL) adapter, a satellite transceiver, an Ethernet adapter, or the like.
  • ISDN Integrated Services Digital Network
  • DSL Digital Subscriber Line
  • the mobile terminal further comprises a processing unit 105 for controlling the operation of the mobile terminal, and a memory 106.
  • the processing unit may comprise a general- or special-purpose programmable microprocessor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), an Programmable Logic Array (PLA), a Field Programmable Gate Array (FPGA), etc., or a combination thereof.
  • the memory 106 may be a flash memory, an EPROM, an EEPROM, or any other type of memory or storage device, such as a non-volatile memory.
  • the processing unit 105 When data is loaded into the mobile terminal, the processing unit 105 performs the data authentication and integrity protection described herein and stores the data in the memory 106.
  • the processing unit can retrieve the loaded data from the memory 106.
  • the processing unit loads the software from the memory 106 in a RAM for execution.
  • Fig. 2 shows a block diagram of an example of a mobile terminal with a single-chip architecture.
  • the mobile terminal 101 comprises a controller 105 for controlling the operation of the mobile terminal.
  • the controller 105 operates in conjunction with a flash program memory 106, and a random access memory (RAM) 209.
  • the controller 105 includes a microprocessor 208, an internal read-only memory (ROM) 207, and a securely stored secret key 218.
  • the secret key 218 may be a chip-unique key, e.g. stored in hardware e.g. using so-called e-fuse technology.
  • the secret key may be stored in the ROM 207.
  • the ROM 207 contains boot code, hashing code, MAC code, authentication code, and a public root key.
  • the hashing code and/or the MAC code may be implemented at least partly in hardware instead or in addition to the implementation in ROM.
  • Instruction code involved with the general operation of the cellular telephone is contained in the flash program memory 106.
  • the RAM memory 209 is used for operations which are part of the normal mobile terminal call processing. In some embodiments, operations involving sensitive data, hash value calculations and authentication processes are carried out in conjunction with a protected static random access memory (PSRAM) (not shown) included in the microcontroller 105.
  • PSRAM protected static random access memory
  • the controller 105 communicates with the flash program memory 106 and the RAM 209 via a memory bus 219.
  • Fig. 3 shows a schematic block diagram of an example of a mobile terminal with a two-chip architecture.
  • the controller 105 comprises two chips 310 and 313, respectively, an external memory 106 and an internal memory 209.
  • the two chips each contain at least one microprocessor 312 and 315, respectively, and a ROM 311 and 314, respectively.
  • the external memory 106 is any suitable kind of non-volatile memory, for example a flash memory.
  • the internal memory 209 is a fast access memory, for example a RAM.
  • the two chips share the internal memory 209. Furthermore, in this embodiment, only chip 313 has direct access to the external memory 106.
  • both ROMs 311 and 314 comprise boot code, but only ROM 311 comprises hashing code, MAC code, authentication code, and a public root key, and only chip 310 comprises a secret key 318.
  • the secret key 318 may be stored in hardware e.g. using so-called e-fuse technology.
  • the secret key may be stored in the ROM 311.
  • the hashing code and/or the MAC code may be implemented at least partly in hardware instead or in addition to the implementation in ROM.
  • Fig. 4 shows a schematic block diagram of another example of a mobile terminal with a two-chip architecture.
  • This embodiment is similar to the embodiment of fig. 3, except that the two chips 310 and 313 of this embodiment do not share a common internal memory. Instead, each chip has its own internal memory 416 and 417, respectively. As in the embodiment of fig. 3, only chip 313 has direct access to the external memory 106. Hence, when the processor 312 of chip 310 is to execute software stored in the external memory 106, the software to be executed is loaded into the internal memory 416 of chip 310 via chip 313 before it can be executed.
  • both chips may have direct access to an external non ⁇ volatile memory and directly run the software to be executed from that memory or first load it into RAM and then execute.
  • Fig. 5 illustrates an example of a message structure used in a loading process for loading software into a mobile terminal.
  • the message 520 comprises a header section 521 , a payload section 522, a digital certificate section 523, and a digital signature 524.
  • the payload section 522 comprises the actual payload data to be loaded into the mobile terminal.
  • the payload data may comprise software, such as application software, pre-loader software for organising and/or controlling the loading of other software, parts of the operating system of the mobile terminal, or the like.
  • the payload data may comprise other data, e.g. configuration data for storage into the flash memory or other memories of the mobile terminal, e.g. an EPROM, an EEPROM or the like.
  • the header section 521 comprises information relevant to the loading process, such as information about the payload data, e.g. version control data, information about the mobile terminal, control parameters that determine how the mobile terminal should process the data, and/or the like.
  • the signature section comprises a digital signature of the payload 522.
  • the digital signature is calculated using a public-private key pair of an asymmetric
  • cryptosystem e.g. the RSA (Rivest, Shamir, and Adleman) system.
  • the digital signature is calculated by initially calculating a one-way hash function of the payload data, i.e. of the software and/or data to be loaded into the mobile terminal.
  • the calculated hash value is then encrypted with the private key of the public-private key pair.
  • a one-way hash function is used to derive the hash value representative of the payload data 522.
  • the public/private key system is used to provide security for the valid hash value and authenticate the loading station or data transfer device from which the message 520 is sent.
  • a one-way hash function is a function that is simple to compute in a forward direction, but difficult to compute in a reverse direction.
  • a one-way hash function, H(M) operates on an arbitrary-length input, M, which in some embodiments is comprised of the payload data 522 or selected parts of the payload data.
  • the aim of the one-way hash is to provide a unique signature, or fingerprint of M.
  • the output of a hash function is referred to as the hash value or a message digest.
  • a secure one-way hash function is performed on the payload data 522, or selected contents thereof, to produce a reference hash value.
  • the reference hash value is included into the message 520 as a digital signature as further described below.
  • the mobile terminal Upon receipt of the message 520, the mobile terminal calculates an audit hash value of the payload data 522 (or the selected contents thereof) and compares the audit hash value with the reference hash value received as part of the message 520.
  • a suitable one-way hash function is for example the SHA-1 function.
  • Other examples of suitable functions include the MD5 algorithm, Snerfu, H-Hash, MD2, MD4, or the like.
  • Public key algorithms use two keys, one publicly available and one privately held (secret) for tasks such encrypting and decrypting messages, message authentication, and digital signatures.
  • secret a public key algorithm
  • any recipient with a corresponding public key can be assured of the sender's authenticity, since only a sender in possession of the private key was able to encrypt the message. It is the latter scheme that is utilized to authenticate the payload data in accordance with the loading process described herein.
  • a suitable public key algorithm is the RSA algorithm.
  • Other suitable examples include the Fiat-Shamir (FS) algorithm, ELGAMAL, DSA, Fiege-Fiat-Shamir, or the like.
  • the calculated hash value is encrypted with the private key of the loading station (or of the generator of the payload) to produce the digital signature 524 that is included in the message 520.
  • the corresponding public key is included in a certificate that is included in the digital certificate section 523 of the message 520.
  • a digital certificate is a data structure used in a public key system to bind a particular, authenticated individual to a particular public key.
  • a digital certificate is a digital representation of information which identifies a certification authority issuing it, names or identifies the individual whose public key is included, and contains the individual's public key. The digital certificate is digitally signed by the certification authority issuing it, thereby allowing the recipient to authenticate the certificate by using the certification authority's public key.
  • the digital certificate section may comprise a single digital certificate or a chain of certificates.
  • the certificate or chain of certificates can be authenticated by the mobile terminal by means of a root public key corresponding to the single certificate or the last certificate in the certificate chain.
  • An example of a key hierarchy in connection with the loading of software into mobile phones is described in WO 03/060673.
  • the payload may, for the purpose of calculating the digital signature, be split up in smaller parts, as described in e.g. WO 03/060673, or the signature may only be calculated .
  • the above encryption of the calculated hash value further comprises encryption of a hash value calculated over the header data 521 , e.g. by encrypting/signing a concatenation h(SW)
  • Fig. 6 shows a flow diagram of a software loading process for a first-time load of a software version.
  • the mobile terminal receives a software data packet from a reprogramming tool over a local or a remote interface, e.g. GSM, WCDMA, etc., as described above.
  • the packet contains the new software SW, one or more certificates C, and a digital signature S(h r ) of the protected software and data, as described in connection with fig. 5 above.
  • the new software may include data, e.g. configuration data.
  • the signature S(h r ) comprises at least an encrypted hash value calculated from the software and data.
  • the corresponding public key is included in a certificate that is included in the software data packet.
  • the mobile terminal Upon receipt of the software and data packet, the mobile terminal stores the software, data, certificate(s), and the signature in the external memory 106.
  • the signature may protect not only the payload but also the header data, e.g. by encrypting a combination of a hash value calculated from the software and of a hash value calculated from the header.
  • step 602 the processor of the mobile terminal reads the newly stored software and data, SW, the certificate(s), C, and the signature, S(h r ), into its internal memory.
  • the processor reads a root public key, PK from a memory 605.
  • the root public key is securely stored, i.e. integrity protected.
  • the root public key is stored in the internal ROM of the processor, as described above.
  • the processor uses the root public key PK to verify the signature S(h r ) of the new software and data. If only one certificate is used, then the signature S(h r ) is verified against the public key in the certificate C. The certificate C in turn is then verified against the root public key PK. If several certificates are used, the whole chain of certificates is verified. In that case, the signature of the last certificate in the chain is verified against the root public key.
  • the processor verifies the public key used to sign the new software and data. If the verification succeeds the processor proceeds at step 606 with verifying the signature. Otherwise, the software loading process is aborted.
  • step 606 the processor decrypts the digital signature S(h r ) of the software and data using the public key verified in step 604, resulting in the reference hash value h r .
  • step 607 the decrypted signature, i.e. the reference hash value h r , is verified against the one-way audit hash value h a calculated in step 603. If the verification succeeds, i.e. if the audit hash value h a and the reference hash value h r are equal, the processor proceeds at step 608 with calculating a reference message authentication code (MAC). Otherwise, the software loading process is aborted.
  • MAC reference message authentication code
  • the output value of the MAC function is the reference MAC value of the new software and data.
  • the chip unique key K is stored in a secure memory that is only accessible by the processor. For example the unique key K may be burnt into the chip during the fabrication process using e.g. so-called e-fuse technology.
  • Embodiments of the message authentication code will be described below.
  • the processor stores the new reference MAC value t r in the external memory 106 together with the new software and data SW.
  • the certificate(s) and the digital signature values are removed from the external memory.
  • the loading process described above is controlled by the processor of the mobile terminal.
  • the above steps are carried out by the chip 311 that is intended to subsequently execute the software.
  • the cryptographic functions for authenticating the received data and, in particular, the MAC function may be performed by special-purpose software that is stored, e.g. as part of the boot code, in the internal ROM of the processor that performs the above steps.
  • the stored reference MAC value is now available for subsequent audits of the software and data by the processor.
  • the processor compares the calculated audit MAC value t a with the stored reference MAC value t r . If the two values are equal, the integrity of the software is verified.
  • such an audit may be performed during the boot process of the mobile terminal and/or each time the software is to be executed and/or periodically in predetermined time intervals, e.g. as described in US 6,026,293.
  • Fig. 7 illustrates the calculation of an embodiment of a message authentication code (MAC).
  • the MAC is defined such that for an intruder with knowledge of M but without information about the value of K, it is computationally hard (infeasible) to find a message M' different from M but with the same tag value.
  • the MAC function may be defined such that it is hard for an intruder with knowledge of a message M but without information about the value of K to predict the correct tag value t.
  • a MAC is used to check the integrity of data stored in an unreliable or insecure medium, i.e. in this situation the MAC is used by only one party, i.e. the mobile terminal, when storing and retrieving the payload data.
  • the MAC function is based on a cryptographic hash function and, in particular, on the hash function H used for authenticating the received payload data as described above. This allows reuse of the hash value calculated during authentication of the received payload data when calculating the MAC value for subsequent integrity protection, thereby considerably reducing the computational effort for the computation of the MAC value and, thus, reducing the installation time.
  • Fig. 7 shows a block diagram of a MAC calculation module.
  • the MAC calculation module comprises a MAC function calculator 732.
  • the MAC function 732 receives a secret key K ' that is derived from a chip unique key K.
  • the key K' may be generated using a pseudo random function 731 , e.g. a pseudo random function that is based on a hash function, e.g.
  • the chip unique key K may be a random number generated during ASIC production of the chip.
  • Deriving the key K ' from the master key K has the advantage that different keys K ' may be used for different purposes, e.g. for the protection of different types of software, of different parts of the software, etc., thereby assuring cryptographic separation and increasing the flexibility of the method.
  • the mode identifier 735 allows the selection of different modes. For example, in a multi-chip scenario a different mode may be used for each target chip for which the software is intended.
  • Suitable MAC functions include HMAC (Keyed-Hashing for Message Authentication), Cipher Block Chaining (CBC) MAC using for example AES or a secure one ⁇ way hash function, e.g. CBC-MAC as specified in "Handbook of Cryptology", by AJ. Menezes, P. C van Oorschot, S.A. Vanstone, p. 353, CRC Press, 1997, where the AES block encryption cipher is used as block cipher E.
  • the MAC function 732 produces a corresponding tag value t as described above.
  • the MAC circuitry To prevent unauthorised MAC value computations, the MAC circuitry only releases the computed MAC value t when successful signature verification preceded the computations. Hence, the MAC calculation module receives a further input 733 from the signature verification process 736 indicating whether the digital signature of the received payload data was verified successfully. Block 734 receives the tag value and the signal 733 as inputs and releases the calculated tag value only if the signal 733 indicates that the hash value h is a verified, i.e. authentic, hash value. For example, in the method of fig. 6, the signal 733 is generated by step 607.
  • the MAC computation module may be implemented as a separate MAC computation circuitry on the processor chip. Furthermore, the subsequent comparison between a computed MAC value and a reference value can be performed inside a comparison circuit attached to the MAC circuitry. Furthermore, the secret key K may be stored as part of that circuitry.
  • the entire MAC computation may be confined in a special- purpose circuit and, thus, does not require an exposure/release of the computed MAC outside the circuitry.
  • the MAC calculation of fig. 7 can be further improved at very little computational cost to further include a secure version control and to break the predictability of the input h to the MAC computation.
  • This alternative embodiment of a MAC calculation will now be described with reference to fig. 8 and fig. 9.
  • Fig. 8 illustrates the calculation of another embodiment of a message authentication code including a version control mechanism
  • fig. 9 shows a flow diagram of the version control process.
  • the MAC computation in block 732 is performed on a four-tuple (rand, h , cnt , back_cnt) 844.
  • the four-tuple 844 comprises a short, (e.g. 64 bit) random value, rand, that assures that the input to the MAC computation is not under full control by the inputs from the signature verification process 736.
  • the four-tuple further comprises the verified hash value h as in the previous embodiment.
  • the four-tuple comprises a version control counter, cnt, and a version control back counter, back_cnt, of a version control mechanism described in the following.
  • the MAC function 732 e.g.
  • HMAC HMAC
  • CBC-MAC CBC-MAC
  • the calculated tag value t is only released if the signature signal 703 indicates that the signature verification process has verified the hash value h.
  • the four-tuple 844 is generated by a version control module 841 that maintains a version control list 842 of previously received software versions.
  • the version control list 841 comprises a list of data records where each data record comprises a four-tuple corresponding to a previously observed hash value.
  • the record with the most recent hash value is referred to as the top element of the list 842 which corresponds to the software that is actually installed/in use.
  • the version control module 841 receives the verified hash value h and a digital signal 733 indicating that the signature was verified successfully from the signature verification process as described above. Furthermore, the version control module 841 receives from the signature verification process 736 the software version counter, cnt, and a number back_cnt.
  • back_cnt implements a simple but effective mechanism for controlling backwards and forward compatibility of the loaded software.
  • the values of cnt and back_cnt are received as part of the software packet that is received during the loading process, e.g. as part of the header section of the received software packet.
  • the version control module 841 uses the signal 733 to verify (step 902) whether the hash value h has been verified during the signature verification process 736. If this is not the case, the version control module 841 blocks the value of h, i.e. the version control and MAC calculation process is aborted. If the signal 733 indicates that the hash value is authentic, the version control module 841 continues at step 903.
  • the version control module 841 compares the received hash value with the hash values in the version control list 842. If the received hash value h equals one of the previous hash values h pre v in the version control list 842, the version control module 841 continues at step 904; otherwise the process continues at step 906.
  • the process retrieves the corresponding four-tuple (rand, h , cnt , back_cnt) pr ⁇ V , and determines whether the counter value cnt pre v of the previous version is in the allowed range as defined by the values cnt and back_cnt received from the signature verification process 736.
  • the allowed range is defined as the range [cnt top -back_cnt, ⁇ ), where cnt tO p is the cnt value of the current top element of the list.
  • an upper limit may be defined.
  • step 903 reveals that h is not equal to one of the previous hash values
  • the new random value, hash value h, and counter are stored together with the allowed back_cnt (associated with this h) in the version control list (step 906).
  • min__allowed_version is the current lowest allowed version by any tuple in the update list.
  • the min_allowed_version is recomputed as cnt top -back_cnttop, i.e. from the counter cntt op and the back_cnt version of the top element (step 907).
  • all elements in the list are updated (step 908) so that their back_cnt values are the largest possible values that do not give a version number that is lower than the least allowed version min_allowed_version. If the list contains an entry with a version that falls out of the allowed range, this entry will be deleted.
  • a MAC check value (MACLIST) is associated with the version control list to prevent unauthorized manipulation of the entries in the list, thereby further increasing the security of the method.
  • the MACLIST value is updated only when the list has been updated, i.e. after a successful signature verification. Prior to accessing/using the version control list the current MAC check value can be checked against the MACLIST value. To prevent unauthorised MACLIST value computations, the MAC circuitry will only release the computed MAC value when a successful signature verification preceded the computations (as controlled by block 734 in figs. 7 and 8).
  • the stored reference MAC value and the version control list are now available for subsequent audits of the software and data by the processor.
  • such an audit may be performed during the boot process of the mobile terminal and/or each time the software is to be executed and/or periodically in predetermined time intervals.
  • Fig. 10 illustrates an example of a version control mechanism where a version control list of size 3 is used, i.e. the version control list can store three tuples.
  • the version control list can store three tuples.
  • Version 2 (H2.2.1), Version 3: (H3,3,2), Version 4: (H4, 4,3), Version 5: (H5, 5, 2), Version 6: (H6, 6, 3),
  • Version 7 (H7, 7, 4), and Version 8: (H8, 8, 4).
  • FIG. 10 shows the version control list 1001 after installation of version 8.
  • Each row of the version control list 1001 includes the corresponding four-tuple for one of the installed versions: Row 1002, the top element of the list, corresponds to version 8, row 1003 corresponds to version 6, and row 1004 corresponds to version 5.
  • the back_cnt values of the remaining entries in the list were adjusted during the installation of version 8 to meet the limit on the lowest allowed version after version 8 has been added.
  • the back_cnt value in row 1002 was set to 2 and the back_cnt value in row 1003 was set to 1.
  • the lowest allowed version was 3, but this value was raised to 4 through version 8.
  • Fig. 10 further shows the version control table 1011 after installation of version 7.
  • the counter value cnt of version 7 is 7, i.e. in the allowed range of the current version.
  • the hash value H7 does not yet exist in the version control list 1001, hence a new four-tuple 1007 with the new hash value H7 is stored as the new top element 1012 of the version control table 1011.
  • the previous top element is moved down in the list and corresponds to row 1013.
  • Version 6 is now placed in row 1014, while version 5 is removed from the list, because in this example, there is only room for three four-tuples in the version control list.
  • Fig. 11 shows a flow diagram of a software loading process for a software upgrade. The process is similar to the process shown in fig. 6 for loading a software for the first time.
  • the mobile terminal receives a software upgrade data packet from a reprogramming tool over a local or a remote interface, e.g. GSM, WCDMA, etc., as described above.
  • the packet contains the new software upgrade ⁇ , one or more certificates C, and a digital signature S(h r ) of the protected software, as described in connection with fig. 5 above.
  • the software may further include data, e.g. updated configuration data.
  • the new software is loaded as a so-called delta-file including the differences of the new software relative to the current software, thereby reducing the size of the upgrade packet. Delta-file techniques are known in the art and described in e.g.
  • the signature S(h r ) comprises an encrypted hash value calculated from the new software.
  • the corresponding public key is included in a certificate that is included in the software upgrade packet.
  • the mobile terminal Upon receipt of the software upgrade packet, the mobile terminal stores the software upgrade, certificate(s), and the signature in the external memory 106.
  • step 1102 the processor of the mobile terminal reads the newly stored software upgrade, the certificate(s), C, and the signature, S(h r ), into its internal memory.
  • step 1122 the processor performs a version control.
  • the mobile terminal has received a software version number of the new software version as part of the upgrade packet.
  • the software version number of the new software image is checked against the version number of the current software stored on the external memory (protected by a MAC). If the new software version number is lower than the old software version number, the mobile terminal aborts the update process.
  • the version control process described in connection with figs. 8 and 9 is performed.
  • step 1122 If the version control of step 1122 has succeeded, the process continues at step 1123, where the processor generates the new software SW new from the received delta-file ⁇ and the current software version SW pre v stored on the external memory (protected by a MAC).
  • the processor reads a root public key, PK, from a memory 1105.
  • the root public key is securely stored, i.e. integrity protected.
  • the root public key is stored in the internal ROM of the processor, as described above.
  • the processor uses the root public key PK to verify the signature S(h r ) of the new software. If only one certificate is used, then the signature S(h r ) is verified against the public key in the certificate C. The certificate C in turn is then verified against the root public key PK. If several certificates are used, the whole chain of certificates is verified. In that case, the signature of the last certificate in the chain is verified against the root public key.
  • the processor verifies the public key used to sign the new software. If the verification succeeds, the processor proceeds at step 1106 with verifying the signature. Otherwise, the software loading process is aborted.
  • step 1106 the processor decrypts the digital signature S(h r ) of the software using the public key verified in step 1104, resulting in the reference hash value h r .
  • step 1107 the decrypted signature, i.e. the reference hash value h r , is verified against the one-way audit hash value h a calculated in step 1103. If the verification succeeds, i.e. if the audit hash value h a and the reference hash value h r are equal, the processor proceeds at step 1108 with calculating a reference message authentication code (MAC). Otherwise, the software loading process is aborted.
  • MAC reference message authentication code
  • the output value of the MAC function is the reference MAC value of the new software.
  • the chip unique key K is burnt into the chip during the fabrication process using e.g. so-called e- fuse technology.
  • the key K is stored in another secure memory that is only accessible by the processor.
  • Embodiments of the message authentication code have been described above.
  • the processor stores the new reference MAC value t r in the external memory 106 together with the new software.
  • the previous MAC value is deleted.
  • the certificate(s) and the digital signature values are removed from the external memory.
  • the new software version SW ne w is stored in the external memory and the old software version is deleted.
  • the loading process described above is controlled by the processor of the mobile terminal.
  • the above steps are carried out by the chip 311 that is intended to subsequently execute the software.
  • the provided integrity protection at storage is particular advantageous in connection with a two CPU architecture, when the non-volatile memory is connected to an untrusted CPU, and where there is a need for SW updates.
  • the method, product means, and device described herein can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed microprocessor.
  • several of these means can be embodied by one and the same item of hardware, e.g. a suitably programmed microprocessor, one or more digital signal processor, or the like.
  • a suitably programmed microprocessor one or more digital signal processor, or the like.

Abstract

Disclosed is a method of loading data into a data processing device. The method comprises receiving a payload data item by the data processing device; performing a cryptographic authentication process to ensure the authenticity of the payload data item; storing the authenticated received payload data item in the data processing device; and integrity protecting the stored payload data item. The cryptographic authentication process comprises calculating an audit hash value of at least the received data item. Integrity protecting further comprises calculating a reference message authentication code value of at least the audit hash value using a secret key stored in the data processing device as an input.

Description

Secure loading and storing of data in a data processing device
Disclosed is a method, product means, and a device for secure loading and storing of data in a data processing device.
Embedded systems like mobile phones and other data processing devices depend on the execution of correct software that has not been manipulated in an unauthorised way. Manipulation of the software might lead to incorrect behavior of the device or even a breaking of the fundamental security features of the device. Hence, it is particularly important to protect the core software of the device. This can for example be achieved by storing the program into a protected memory. The memory can either be physically protected from illegal access or protected by cryptographic methods. In practice it is hard or expensive to produce memory with good physical protection and especially to protect the memory interfaces. Consequently, the most attractive solution is to use some type of cryptographic protection of the software stored in the memory.
Furthermore, software even for rather small systems becomes increasingly complex, thereby increasing the risk of errors and unintended features, especially in early releases during a software life cycle. Furthermore, the functionality of early software releases is typically limited. Consequently, there is an increasing need for frequent updates of the software stored in embedded devices.
The need for frequent updates and the desire to provide sufficient protection for the software of a data processing device create a need for security solutions that protect the software of a data processing device at storage and that allow for secure software upgrades. US patent no. 6,026,293 discloses a method for preventing electronic memory tampering in an electronic device. According to this prior art method, when the electronic device is to be reprogrammed by a data transfer device, the electronic device initiates a public/private key based challenge-response authentication scheme to authenticate the data transfer device. Once authenticated, the data transfer device is permitted access to reprogram the memory. Following the reprogramming of the memory, the electronic device performs a hash calculation of the modified memory contents. The calculated hash value is sent to the data transfer device for a digital signature, and the signed hash value is returned to the electronic device for storage. The signed hash value is subsequently used for auditing the integrity of the memory content, e.g. during boot-up or periodically.
Even though the above prior art method provides both authentication protection during the loading stage and integrity protection of the memory contents of the electronic device, it involves a rather complicated scheme of generating and signing the generated hash value, thereby causing the loading process to take a rather long time.
Hence, it is a problem to provide a computationally more efficient security mechanism that protects the software both during the loading of the software into the device and subsequently while the software is stored in the device.
The above and other problems are solved by a method of loading data into a data processing device, the method comprising:
- receiving a payload data item by the data processing device;
- performing a cryptographic authentication process to ensure the authenticity of the payload data item;
- storing the authenticated received payload data item in the data processing device; and
- integrity protecting the stored payload data item; wherein performing a cryptographic authentication process comprises calculating an audit hash value of at least the received data item; and wherein the integrity protecting further comprises calculating a reference message authentication code value of at least the audit hash value using a secret key stored in the data processing device as an input.
In particular, since the audit hash value calculated during the loading process is calculated from the received payload data, and the audit hash value is subsequently re-used during the calculation of the message authentication code, the number of necessary computations performed during the software loading is reduced, thereby increasing the computational efficiency of the method.
Furthermore, since the regular integrity protection is based on a secret key stored in the data processing device, the integrity protection is independent of any external cryptographic keys and, in particular, does not depend on a public key signature mechanism. It is an advantage that symmetric key based integrity checks, i.e. integrity checks based on a message authentication code, are computationally more efficient than public key based integrity checks involving signature verification.
The term data processing device is intended to comprise any electronic device comprising a data memory on which data can be loaded from an external source, e.g. from a data transfer system. In particular, the term data processing device is intended to comprise any electronic equipment portable radio communications equipment and other handheld or portable devices.
The term portable radio communications equipment includes all equipment such as mobile telephones, pagers, communicators, electronic organisers, smart phones, personal digital assistants (PDAs), handheld computers, or the like.
The term payload data item is intended to include any data loaded into the data processing device. In particular, the term payload data item is intended to include configuration data, program code, e.g. platform software or application software intended for execution by the device, or the like.
The cryptographic authentication process may be any suitable cryptographic process for verifying the authenticity of the received data, i.e. to ensure that the data was in fact sent by the entity whose name it carries and that it was not forged or modified.
In some embodiments, the cryptographic authentication process includes - receiving a reference hash value; and
- comparing the received reference hash value with the calculated audit hash value to verify the authenticity of the received payload data item.
In a further embodiment, the cryptographic authentication process includes digitally signing the data item according to a public key cryptosystem. The digital signing of software is an efficient and secure principle for the verification of software loaded into a mobile device. Successful verification of the signature guarantees that the software has been issued by a legitimate source. Furthermore, digital signatures based on public key techniques have the advantage that the public key used for verification does not need to be confidentiality protected at transfer or storage. Hence, the same public key can be installed in a large number of devices without compromising security. This allows efficient procedures for fast and secure software upgrade.
In some embodiments, the method comprises - receiving the payload data item, a digital signature data item and a digitally signed digital certificate data item, wherein the digital certificate data item includes a first public key and wherein the digital signature data item includes a reference hash value encrypted with a first private key corresponding to the first public key;
- authenticating the digitally signed digital certificate data item against a root public key stored in the data processing device;
- authenticating the digital signature data item against the authenticated digital certificate; - comparing the received reference hash value with the calculated audit hash value to verify the authenticity of the received payload data item.
Hence, the authenticity of the digital signature is ensured by the digital certificate, thereby further increasing the security of the loading process. It is understood that the data processing device may receive more than one digital certificate forming a certificate chain, wherein one certificate of the chain is verified by the public root key stored in the data processing device.
In a further embodiment, the reference hash value is cryptographically authenticated; and calculating the reference message authentication code value is performed only if the reference hash value is successfully authenticated. Consequently, execution of the message authentication code procedure in the data processing device is conditioned on the receipt of an authenticated reference hash value, thereby reducing the risk of an adversary utilising the message authentication code procedure of the data processing device to calculate unauthorised message authentication code values.
Message authentication codes (MAC) are a known mechanism for integrity protecting messages. A MAC is a function that takes a variable length input and a key to produce a fixed-length output, the so-called MAC value or tag value. MACs are typically used between two parties that share a secret key in order to validate information transmitted between these parties. In some embodiments, a MAC is calculated by applying a one-way hash function to the payload data and encrypting the result using a secret key. Examples of suitable MAC functions that can be combined with a cryptographic hash function include HMAC (Keyed-Hashing for Message Authentication), Cipher Block Chaining (CBC) MAC using for example AES or a secure one-way hash function. In the loading method described herein, a message authentication code is used to check the integrity of data stored in an unreliable or insecure medium, i.e. in this situation the MAC is used by only one party, i.e. the data processing device, when storing and retrieving the payload data item.
Consequently, in some embodiments, the integrity protecting comprises storing the calculated reference message authentication code value in relation to the received payload data item, thereby making it available for subsequent memory audits of the payload data item by the data processing device. Hence, when auditing the memory content, the device calculates the message authentication code value of the stored payload data item using the secret key stored in the device, and compares the result with the previously stored reference MAC value. Consequently, in this embodiment, the secret key need only be known to the digital processing device. In some embodiments, the secret key is a secret data item unique to the data processing device, e.g. a secret data item known only to the data processing device.
In another embodiment, calculating the reference message authentication code value further comprises calculating the reference message authentication code value of a combined data item derived from at least the audit hash value and a random number. It is an advantage of this embodiment, that the input to the MAC is not entirely dependant on the result of the authentication process, thereby further increasing the security of the data protection.
When calculating the reference message authentication code value further comprises calculating the reference message authentication code value of a combined data item derived from at least the audit hash value and a version control data item, the integrity protection is efficiently combined with a version control mechanism, since a subsequent memory audit will only be successful if both the memory content and the version control information are consistent.
In some embodiments, the version control data record is stored in a version control data structure, the version control data record including information about the received payload data item including at least the version control data item. In some embodiments, the control data structure is integrity protected.
In some embodiments, the version control data record comprises a version counter. In some embodiments, the version control data record further comprises a back counter identifying a number of previous versions that may replace the current version of the payload data item, thereby providing a simple and efficient version control mechanism including a mechanism for controlling backward compatibility.
In known software upgrade schemes where existing software is upgraded by a new version of the software, the software upgrade is often received as a so-called delta file or delta update. Such delta updates include differences of the new (updated) software relative to the current software, thereby reducing the size of the upgrade packet. In some delta-file techniques, the update file also includes commands to control the generation of the updated software version from the current software and the received update. Delta-file techniques as such are known in the art and described in e.g. "Delta storage for arbitrary non-text files", by Christian Reichenberger, Proc. Of the 3rd International Workshop on Software Configuration Management, pp. 144- 152, Norway, June 1991. It is desirable to provide an efficient security mechanism that can also be applied to delta updates. This problem is solved when receiving the payload data item comprises receiving a delta update of a previously received current data item, and generating the payload data item as an updated payload data item from the previously received current data item and the received delta update. Hence, according to this embodiment, the updated payload data item is generated and the audit hash value is calculated from the generated updated payload data item. Consequently, the audit hash value can again be re-used for the calculation of the reference message authentication code of the updated payload data that is stored in the device.
According to a second aspect it is a problem of the above prior art system to provide an efficient and secure method of protecting the integrity of a current version of a data item stored in a data processing device in a situation where frequent upgrades of different versions of the stored data item occur.
The above and other problems are solved by a method of protecting the integrity of a current version of a data item stored in a data processing device, the method comprising
- determining a reference hash value of at least the data item;
- calculating a reference message authentication code value from the determined reference hash value using a secret key stored in the data processing device;
- storing the calculated reference message authentication code value in relation to the data item;
characterised in that calculating the reference message authentication code value comprises calculating the reference message authentication code value from a combined data item derived from the determined reference hash value and at least a part of a version, control data record, the version control data record including version control information about the current version of the data item.
Consequently, by calculating the reference message authentication code from a combined data item derived from the determined reference hash value and at least a part of the version control data record, the integrity protection of the stored payload data is efficiently combined with a secure version control of the stored data.
The reference hash value of at least the data item may be determined by calculating the hash value from the data item or by receiving the hash value together with the data item or from an authentication process in connection with the receipt of the data item as described herein.
The term combined data item is intended to comprise any data item generated as a function of two or more data items, e.g. as a concatenation of the two or more data items where one data item is appended to the other.
Hence, the combined data item derived from the determined reference hash value and at least a part of a version control data record is generated as a function of at least the reference hash value and of at least a part of a version control data record.
In some embodiments, the version control data record is integrity protected.
In some embodiments, the version control data record comprises a version counter; and calculating the reference message authentication code value comprises calculating a reference message authentication code value from a combined data item derived from the determined audit hash value and at least the version counter.
In some embodiments, the version control data record further comprises a back counter identifying a number of previous versions that may replace the current version of the payload data item, thereby providing a simple and efficient version control mechanism including a mechanism for controlling backward compatibility. In some embodiments, calculating the reference message authentication code value comprises calculating a reference message authentication code value from a combined data item derived from the determined reference hash value and at least the back counter.
In another embodiment, the version control data record further comprises the reference hash value for the current version of the data item, thereby providing a compact fingerprint of the data item.
In some embodiments, the secret key is only known to the digital processing device. Furthermore, the secret key may be a secret data item unique to the data processing device.
In some embodiments, the payload data is loaded by the first-mentioned method, thereby efficiently combining a secure loading and storing with a secure version control.
In yet another embodiment, the method further comprises
- receiving a delta update of a previously received current data item; and
- generating the data item as an updated data item from the previously received current data item and the received delta update. In yet another embodiment, the method further comprises generating the version control data record; and storing the version control data record in a version control data structure, thereby making it available for a subsequent memory audit.
Accordingly, in another aspect, a method of verifying the integrity of a current version of a data item stored in a data processing device comprises
- calculating an audit hash value of the data item;
- calculating an audit message authentication code value from the calculated audit hash value using a secret key stored in the data processing device;
- comparing the calculated audit message authentication code value with a reference message authentication code value stored in relation to the data item.
According to this aspect, the method further comprises retrieving a version control data record, the version control data record including version control information about the current version of the data item; and
calculating the audit message authentication code value comprises calculating an audit message authentication code value from a combined data item derived from the calculated audit hash value and at least a part of the version control data record.
The present invention relates to different aspects including the methods described above and in the following, corresponding devices, and computer programs, each yielding one or more of the benefits and advantages described in connection with one of the above-mentioned methods, and each having one or more embodiments corresponding to the embodiments described in connection with one of the above-mentioned methods. More specifically, according to another aspect, a data processing device comprises a first processing circuit adapted to perform the method of loading data into a data processing device described above and in the following.
In particular, it is been found that the security mechanism described herein may advantageously be applied to devices having a multi-chip architecture. In particular, when a first one of the chips accesses a memory via a second one of the chips, it is particularly important for the first chip to ensure data authenticity and integrity of the memory content.
Consequently, in some embodiments, the data processing device further comprises storage means adapted to store the received payload data item; and a second processing circuit connected to the storage means and to the first processing circuit; wherein the second processing circuit is adapted to provide to the first processing circuit at least read access to the storage means.
In a further embodiment, the first processing circuit comprises local storage means for storing a root public key of an asymmetric cryptographic system. In a further embodiment, the first processing circuit comprises local storage means for storing said secret key, thereby providing secure storage under the control of the first chip of the cryptographic keys used in the data authenticity and integrity mechanism.
According to another aspect, a data processing device comprises storage means for storing a current version of a data item and a version control data record, the version control data record including version control information about the current version of the data item; and processing means adapted to perform the method of verifying the integrity of a current version of a data item described above and in the following. It is noted that the features of the methods described above and in the following may be implemented in software and carried out on a data processing device or other processing means caused by the execution of program code means such as computer-executable instructions. Here and in the following, the term processing means comprises any circuit and/or device suitably adapted to perform the above functions. In particular, the above term comprises general- or special-purpose programmable microprocessors, Digital Signal Processors (DSP), Application Specific Integrated Circuits (ASIC), Programmable Logic Arrays (PLA)1 Field Programmable Gate Arrays (FPGA), special purpose electronic circuits, etc., or a combination thereof.
Hence, according to another aspect, a computer program comprises program code means adapted to cause a data processing device to perform the steps of the method described above and in the following, when said computer program is run on the data processing device.
For example, the program code means may be loaded in a memory, such as a RAM (Random Access Memory), from a storage medium or from another computer via a computer network. Alternatively, the described features may be implemented by hardwired circuitry instead of software or in combination with software.
The above and other aspects will be apparent and elucidated from the embodiments described in the following with reference to the drawing in which:
fig. 1 shows a schematic block diagram of a system for loading data into a mobile terminal;
fig. 2 shows a schematic block diagram of an example of a mobile terminal with a single chip architecture; fig. 3 shows a schematic block diagram of an example of a mobile terminal with a two-chip architecture;
fig. 4 shows a schematic block diagram of another example of a mobile terminal with a two-chip architecture;
fig. 5 illustrates an example of a message structure used in a loading process for loading software into a mobile terminal;
fig. 6 shows a flow diagram of a software loading process for a first-time load of a software version;
fig. 7 illustrates the calculation of an embodiment of a message authentication code;
fig. 8 illustrates the calculation of another embodiment of a message authentication code including a version control mechanism;
fig. 9 shows a flow diagram of the version control process;
fig. 10 illustrates an example of a version control mechanism; and
fig. 11 shows a flow diagram of a software loading process for a software upgrade;
Fig. 1 shows a schematic block diagram of a system for loading data into a mobile terminal. The system comprises a loading station 101 and a mobile terminal 102.
The loading station may be a conventional, suitably programmed computer, e.g. a PC, comprising a suitable communications interface. In some embodiments, the loading station may generate the payload data, e.g. a software version, configuration data, and/or the like, to be loaded. In particular, the loading station may generate the digital signature and certificate to be loaded together with the payload data. In other embodiments, the loading station receives the payload data and the header information from a remote computer, e.g. a personal computer, a work station, a network server, etc. For example, the data may be received via a computer network, e.g. the Internet, a local area network, an intranet, an extranet, etc., or by any other suitable means, e.g. on a computer-readable medium such as a floppy disk, a CD ROM, etc. In this embodiment, the calculation of the signature and the generation of the certificate may be performed by the remote computer rather than the loading station. The loading station performs, in cooperation with the mobile terminal, the loading of the data into the mobile terminal.
The mobile terminal 102 comprises a communications interface 104 comprising circuitry and/or devices suitable for enabling the mobile terminal to communicate data with the loading station via a wired or wireless communications link 103 such as a direct data link, a communications network, or the like. For example, the data may be loaded via a local short range wireless communications link, e.g. a Bluetooth connection, an infrared connection, or the like, or via a wired interface. In other embodiments, the data may be loaded into the mobile terminal via a communications network, e.g. over-the-air (OTA) via a cellular telecommunications network, e.g. GSM WCDMA, or the like.
Consequently, examples of suitable communications units include a wired serial connection, such as an RS-232 link, a USB connection, a FireWire connection as described in the IEEE 1394 standard, or the like. Further examples include a wireless infrared interface, or an RF interface, such as the main antenna of a cellular telephone (not shown), or another antenna within the cellular telephone, such as a Bluetooth transceiver, or the like. Other examples of suitable interfaces include a cable modem, a telephone modem, an Integrated Services Digital Network (ISDN) adapter, a Digital Subscriber Line (DSL) adapter, a satellite transceiver, an Ethernet adapter, or the like.
The mobile terminal further comprises a processing unit 105 for controlling the operation of the mobile terminal, and a memory 106. For example, the processing unit may comprise a general- or special-purpose programmable microprocessor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), an Programmable Logic Array (PLA), a Field Programmable Gate Array (FPGA), etc., or a combination thereof. The memory 106 may be a flash memory, an EPROM, an EEPROM, or any other type of memory or storage device, such as a non-volatile memory.
When data is loaded into the mobile terminal, the processing unit 105 performs the data authentication and integrity protection described herein and stores the data in the memory 106.
During subsequent operation of the mobile terminal, the processing unit can retrieve the loaded data from the memory 106. For example, in the case of software, the processing unit loads the software from the memory 106 in a RAM for execution.
Fig. 2 shows a block diagram of an example of a mobile terminal with a single-chip architecture. The mobile terminal 101 comprises a controller 105 for controlling the operation of the mobile terminal. The controller 105 operates in conjunction with a flash program memory 106, and a random access memory (RAM) 209. The controller 105 includes a microprocessor 208, an internal read-only memory (ROM) 207, and a securely stored secret key 218. For example, the secret key 218 may be a chip-unique key, e.g. stored in hardware e.g. using so-called e-fuse technology. Alternatively, the secret key may be stored in the ROM 207. The ROM 207 contains boot code, hashing code, MAC code, authentication code, and a public root key. In some embodiments, the hashing code and/or the MAC code may be implemented at least partly in hardware instead or in addition to the implementation in ROM. Instruction code involved with the general operation of the cellular telephone is contained in the flash program memory 106. The RAM memory 209 is used for operations which are part of the normal mobile terminal call processing. In some embodiments, operations involving sensitive data, hash value calculations and authentication processes are carried out in conjunction with a protected static random access memory (PSRAM) (not shown) included in the microcontroller 105. The controller 105 communicates with the flash program memory 106 and the RAM 209 via a memory bus 219.
Fig. 3 shows a schematic block diagram of an example of a mobile terminal with a two-chip architecture. In this embodiment, the controller 105 comprises two chips 310 and 313, respectively, an external memory 106 and an internal memory 209. The two chips each contain at least one microprocessor 312 and 315, respectively, and a ROM 311 and 314, respectively. The external memory 106 is any suitable kind of non-volatile memory, for example a flash memory. The internal memory 209 is a fast access memory, for example a RAM. In the embodiment of fig. 3, the two chips share the internal memory 209. Furthermore, in this embodiment, only chip 313 has direct access to the external memory 106. Hence, when the processor 312 of chip 310 is to execute software stored in the external memory 106, the software to be executed is loaded into the internal memory 209 via chip 313 before it can be executed. In this embodiment, both ROMs 311 and 314 comprise boot code, but only ROM 311 comprises hashing code, MAC code, authentication code, and a public root key, and only chip 310 comprises a secret key 318. As described above, the secret key 318 may be stored in hardware e.g. using so-called e-fuse technology. Alternatively, the secret key may be stored in the ROM 311. Furthermore, in some embodiments, the hashing code and/or the MAC code may be implemented at least partly in hardware instead or in addition to the implementation in ROM.
Fig. 4 shows a schematic block diagram of another example of a mobile terminal with a two-chip architecture. This embodiment is similar to the embodiment of fig. 3, except that the two chips 310 and 313 of this embodiment do not share a common internal memory. Instead, each chip has its own internal memory 416 and 417, respectively. As in the embodiment of fig. 3, only chip 313 has direct access to the external memory 106. Hence, when the processor 312 of chip 310 is to execute software stored in the external memory 106, the software to be executed is loaded into the internal memory 416 of chip 310 via chip 313 before it can be executed.
In alternative two-chip embodiments with shared or separate RAM (Random Access Memory), both chips may have direct access to an external non¬ volatile memory and directly run the software to be executed from that memory or first load it into RAM and then execute.
Fig. 5 illustrates an example of a message structure used in a loading process for loading software into a mobile terminal. The message 520 comprises a header section 521 , a payload section 522, a digital certificate section 523, and a digital signature 524.
The payload section 522 comprises the actual payload data to be loaded into the mobile terminal. The payload data may comprise software, such as application software, pre-loader software for organising and/or controlling the loading of other software, parts of the operating system of the mobile terminal, or the like. Alternatively or additionally, the payload data may comprise other data, e.g. configuration data for storage into the flash memory or other memories of the mobile terminal, e.g. an EPROM, an EEPROM or the like. The header section 521 comprises information relevant to the loading process, such as information about the payload data, e.g. version control data, information about the mobile terminal, control parameters that determine how the mobile terminal should process the data, and/or the like.
The signature section comprises a digital signature of the payload 522. The digital signature is calculated using a public-private key pair of an asymmetric
, cryptosystem, e.g. the RSA (Rivest, Shamir, and Adleman) system. The digital signature is calculated by initially calculating a one-way hash function of the payload data, i.e. of the software and/or data to be loaded into the mobile terminal. The calculated hash value is then encrypted with the private key of the public-private key pair.
A one-way hash function is used to derive the hash value representative of the payload data 522. The public/private key system is used to provide security for the valid hash value and authenticate the loading station or data transfer device from which the message 520 is sent.
A one-way hash function is a function that is simple to compute in a forward direction, but difficult to compute in a reverse direction. A one-way hash function, H(M), operates on an arbitrary-length input, M, which in some embodiments is comprised of the payload data 522 or selected parts of the payload data. The hash function performed on M returns a fixed-length hash value, h = H(M).
There are many functions that can take an arbitrary-length input and return an output of fixed length, but one-way hash functions have the following additional characteristics: given M, it is easy to compute h; given h, it is hard to compute M; and given M, it is hard to find another message, M', such that H(M)=H(M1). The aim of the one-way hash is to provide a unique signature, or fingerprint of M. The output of a hash function is referred to as the hash value or a message digest. In embodiments of the method described herein, prior to transmission of the message 520 to the mobile terminal a secure one-way hash function is performed on the payload data 522, or selected contents thereof, to produce a reference hash value. The reference hash value is included into the message 520 as a digital signature as further described below. Upon receipt of the message 520, the mobile terminal calculates an audit hash value of the payload data 522 (or the selected contents thereof) and compares the audit hash value with the reference hash value received as part of the message 520.
A suitable one-way hash function is for example the SHA-1 function. Other examples of suitable functions include the MD5 algorithm, Snerfu, H-Hash, MD2, MD4, or the like.
Public key algorithms use two keys, one publicly available and one privately held (secret) for tasks such encrypting and decrypting messages, message authentication, and digital signatures. When a sender encrypts a message with the private key, any recipient with a corresponding public key can be assured of the sender's authenticity, since only a sender in possession of the private key was able to encrypt the message. It is the latter scheme that is utilized to authenticate the payload data in accordance with the loading process described herein. A suitable public key algorithm is the RSA algorithm. Other suitable examples include the Fiat-Shamir (FS) algorithm, ELGAMAL, DSA, Fiege-Fiat-Shamir, or the like.
In particular, in the loading process described herein, the calculated hash value is encrypted with the private key of the loading station (or of the generator of the payload) to produce the digital signature 524 that is included in the message 520.
The corresponding public key is included in a certificate that is included in the digital certificate section 523 of the message 520. A digital certificate is a data structure used in a public key system to bind a particular, authenticated individual to a particular public key. A digital certificate is a digital representation of information which identifies a certification authority issuing it, names or identifies the individual whose public key is included, and contains the individual's public key. The digital certificate is digitally signed by the certification authority issuing it, thereby allowing the recipient to authenticate the certificate by using the certification authority's public key.
It is understood that the digital certificate section may comprise a single digital certificate or a chain of certificates. In any case, the certificate or chain of certificates can be authenticated by the mobile terminal by means of a root public key corresponding to the single certificate or the last certificate in the certificate chain. An example of a key hierarchy in connection with the loading of software into mobile phones is described in WO 03/060673.
It is understood that in some embodiments the payload may, for the purpose of calculating the digital signature, be split up in smaller parts, as described in e.g. WO 03/060673, or the signature may only be calculated .
Typically it is desirable to protect the header data 521 as well as the payload data 522. In some embodiments this is achieved by protecting the header data 521 itself by a digital signature. In other embodiments, the above encryption of the calculated hash value further comprises encryption of a hash value calculated over the header data 521 , e.g. by encrypting/signing a concatenation h(SW) | h(H) of the hash value h(SW) calculated over the software (and data) 522 and a hash value h(H) calculated over the header data 521.
Fig. 6 shows a flow diagram of a software loading process for a first-time load of a software version.
In initial step 601 , the mobile terminal receives a software data packet from a reprogramming tool over a local or a remote interface, e.g. GSM, WCDMA, etc., as described above. The packet contains the new software SW, one or more certificates C, and a digital signature S(hr) of the protected software and data, as described in connection with fig. 5 above. Optionally, the new software may include data, e.g. configuration data. The signature S(hr) comprises at least an encrypted hash value calculated from the software and data. The signature is calculated such that first a one-way hash hr=H(SW) of the software and data, SW, is calculated, and subsequently, at least the calculated hash value is encrypted with the private key of a public-private key pair, e.g. an RSA public-private key pair. The corresponding public key is included in a certificate that is included in the software data packet. Upon receipt of the software and data packet, the mobile terminal stores the software, data, certificate(s), and the signature in the external memory 106. As mentioned in connection with fig. 5 above, in some embodiments the signature may protect not only the payload but also the header data, e.g. by encrypting a combination of a hash value calculated from the software and of a hash value calculated from the header.
In step 602 the processor of the mobile terminal reads the newly stored software and data, SW, the certificate(s), C, and the signature, S(hr), into its internal memory.
In step 603, the processor calculates a one-way audit hash value ha=H(SW) of the new software and data, SW.
In step 604, the processor reads a root public key, PK from a memory 605. In some embodiments, the root public key is securely stored, i.e. integrity protected. In one embodiment, the root public key is stored in the internal ROM of the processor, as described above. The processor uses the root public key PK to verify the signature S(hr) of the new software and data. If only one certificate is used, then the signature S(hr) is verified against the public key in the certificate C. The certificate C in turn is then verified against the root public key PK. If several certificates are used, the whole chain of certificates is verified. In that case, the signature of the last certificate in the chain is verified against the root public key. Hence, in step 604, the processor verifies the public key used to sign the new software and data. If the verification succeeds the processor proceeds at step 606 with verifying the signature. Otherwise, the software loading process is aborted.
In step 606, the processor decrypts the digital signature S(hr) of the software and data using the public key verified in step 604, resulting in the reference hash value hr.
In step 607, the decrypted signature, i.e. the reference hash value hr, is verified against the one-way audit hash value ha calculated in step 603. If the verification succeeds, i.e. if the audit hash value ha and the reference hash value hr are equal, the processor proceeds at step 608 with calculating a reference message authentication code (MAC). Otherwise, the software loading process is aborted.
In step 608, the processor uses the verified one-way hash value ha (=hr) and a chip unique key, K (or a value derived from K), as input values to a MAC calculating function, resulting in a reference message authentication code value tr = MAC(ha; K). The output value of the MAC function is the reference MAC value of the new software and data. In some embodiments, the chip unique key K is stored in a secure memory that is only accessible by the processor. For example the unique key K may be burnt into the chip during the fabrication process using e.g. so-called e-fuse technology. Embodiments of the message authentication code will be described below. The processor stores the new reference MAC value tr in the external memory 106 together with the new software and data SW. Optionally, the certificate(s) and the digital signature values are removed from the external memory.
The loading process described above is controlled by the processor of the mobile terminal. In a two-chip architecture as described in connection with figs. 3 and 4, the above steps are carried out by the chip 311 that is intended to subsequently execute the software. The cryptographic functions for authenticating the received data and, in particular, the MAC function, may be performed by special-purpose software that is stored, e.g. as part of the boot code, in the internal ROM of the processor that performs the above steps.
Hence, the stored reference MAC value is now available for subsequent audits of the software and data by the processor. For example, in order to verify the integrity of the stored software, the processor calculates an audit hash value h(SW) of the stored software and data and an audit MAC value ta = MAC(h(SW);K) of the calculated audit hash value using the chip unique key K. The processor compares the calculated audit MAC value ta with the stored reference MAC value tr. If the two values are equal, the integrity of the software is verified.
For example, such an audit may be performed during the boot process of the mobile terminal and/or each time the software is to be executed and/or periodically in predetermined time intervals, e.g. as described in US 6,026,293.
Fig. 7 illustrates the calculation of an embodiment of a message authentication code (MAC). A MAC is a function that takes a variable length input, M, and a key, K, to produce a fixed-length output, t, the so-called MAC value or tag value: t = MAC(M; K). In some embodiments, the MAC is defined such that for an intruder with knowledge of M but without information about the value of K, it is computationally hard (infeasible) to find a message M' different from M but with the same tag value. Furthermore, the MAC function may be defined such that it is hard for an intruder with knowledge of a message M but without information about the value of K to predict the correct tag value t. In the loading method described herein, a MAC is used to check the integrity of data stored in an unreliable or insecure medium, i.e. in this situation the MAC is used by only one party, i.e. the mobile terminal, when storing and retrieving the payload data. In some embodiments, the MAC function is based on a cryptographic hash function and, in particular, on the hash function H used for authenticating the received payload data as described above. This allows reuse of the hash value calculated during authentication of the received payload data when calculating the MAC value for subsequent integrity protection, thereby considerably reducing the computational effort for the computation of the MAC value and, thus, reducing the installation time.
Fig. 7 shows a block diagram of a MAC calculation module. The MAC calculation module comprises a MAC function calculator 732. The MAC function calculator 732 receives h as an input, h being the verified hash value that was calculated during the preceding signature verification process 736 for the received payload, i.e. h=ha or h=hr. As a second input the MAC function 732 receives a secret key K' that is derived from a chip unique key K. In particular, the key K' may be generated using a pseudo random function 731 , e.g. a pseudo random function that is based on a hash function, e.g. SHA-1 , from a chip unique key K and a mode identifier 735. For example, the chip unique key K may be a random number generated during ASIC production of the chip. Deriving the key K' from the master key K has the advantage that different keys K' may be used for different purposes, e.g. for the protection of different types of software, of different parts of the software, etc., thereby assuring cryptographic separation and increasing the flexibility of the method. The mode identifier 735 allows the selection of different modes. For example, in a multi-chip scenario a different mode may be used for each target chip for which the software is intended. Examples of suitable MAC functions include HMAC (Keyed-Hashing for Message Authentication), Cipher Block Chaining (CBC) MAC using for example AES or a secure one¬ way hash function, e.g. CBC-MAC as specified in "Handbook of Cryptology", by AJ. Menezes, P. C van Oorschot, S.A. Vanstone, p. 353, CRC Press, 1997, where the AES block encryption cipher is used as block cipher E. The MAC function 732 produces a corresponding tag value t as described above.
To prevent unauthorised MAC value computations, the MAC circuitry only releases the computed MAC value t when successful signature verification preceded the computations. Hence, the MAC calculation module receives a further input 733 from the signature verification process 736 indicating whether the digital signature of the received payload data was verified successfully. Block 734 receives the tag value and the signal 733 as inputs and releases the calculated tag value only if the signal 733 indicates that the hash value h is a verified, i.e. authentic, hash value. For example, in the method of fig. 6, the signal 733 is generated by step 607.
It is noted that the MAC computation module may be implemented as a separate MAC computation circuitry on the processor chip. Furthermore, the subsequent comparison between a computed MAC value and a reference value can be performed inside a comparison circuit attached to the MAC circuitry. Furthermore, the secret key K may be stored as part of that circuitry.
Consequently, the entire MAC computation may be confined in a special- purpose circuit and, thus, does not require an exposure/release of the computed MAC outside the circuitry.
The MAC calculation of fig. 7 can be further improved at very little computational cost to further include a secure version control and to break the predictability of the input h to the MAC computation. This alternative embodiment of a MAC calculation will now be described with reference to fig. 8 and fig. 9.
Fig. 8 illustrates the calculation of another embodiment of a message authentication code including a version control mechanism, and fig. 9 shows a flow diagram of the version control process.
According to this embodiment of a MAC circuit 800, the MAC computation in block 732 is performed on a four-tuple (rand, h , cnt , back_cnt) 844. The four-tuple 844 comprises a short, (e.g. 64 bit) random value, rand, that assures that the input to the MAC computation is not under full control by the inputs from the signature verification process 736. The four-tuple further comprises the verified hash value h as in the previous embodiment. Finally, the four-tuple comprises a version control counter, cnt, and a version control back counter, back_cnt, of a version control mechanism described in the following. The MAC function 732, e.g. HMAC, CBC-MAC, or the like, further receives the secret key K' as described in connection with fig. 7 and calculates a MAC value t from the four-tuple and the secret key K'. Likewise, as described in connection with fig. 7, the calculated tag value t is only released if the signature signal 703 indicates that the signature verification process has verified the hash value h.
The four-tuple 844 is generated by a version control module 841 that maintains a version control list 842 of previously received software versions. In particular, the version control list 841 comprises a list of data records where each data record comprises a four-tuple corresponding to a previously observed hash value. The record with the most recent hash value is referred to as the top element of the list 842 which corresponds to the software that is actually installed/in use.
The version control module 841 receives the verified hash value h and a digital signal 733 indicating that the signature was verified successfully from the signature verification process as described above. Furthermore, the version control module 841 receives from the signature verification process 736 the software version counter, cnt, and a number back_cnt. The number back_cnt indicates how many previous versions may still be installed, once a given software version has been installed. For example, back_cnt may be a number between 0 and CMAX, e.g. CMAX=15, where back_cnt=0 means that the new software does not allow that it is replaced with a previous version at all. Hence, back_cnt implements a simple but effective mechanism for controlling backwards and forward compatibility of the loaded software. In some embodiments, the values of cnt and back_cnt are received as part of the software packet that is received during the loading process, e.g. as part of the header section of the received software packet. Upon receipt (step 901 ) of a new hash value h, a new counter cnt, a new back_cnt value, and a signal 733 from the signature verification process 736 during a loading process, the version control module 841 uses the signal 733 to verify (step 902) whether the hash value h has been verified during the signature verification process 736. If this is not the case, the version control module 841 blocks the value of h, i.e. the version control and MAC calculation process is aborted. If the signal 733 indicates that the hash value is authentic, the version control module 841 continues at step 903.
At step 903, the version control module 841 compares the received hash value with the hash values in the version control list 842. If the received hash value h equals one of the previous hash values hprev in the version control list 842, the version control module 841 continues at step 904; otherwise the process continues at step 906.
At step 904, i.e. in case the received hash value h equals one of the previous hash values hprev, the process retrieves the corresponding four-tuple (rand, h , cnt , back_cnt)prΘV, and determines whether the counter value cntprev of the previous version is in the allowed range as defined by the values cnt and back_cnt received from the signature verification process 736. In some embodiments, the allowed range is defined as the range [cnttop-back_cnt, ∞), where cnttOp is the cnt value of the current top element of the list. For simplicity, it is assumed that there is no upper limit on the range of allowed values. However, it is understood that, in other embodiments, an upper limit may be defined.
If cntprev is in the allowed range, the version control module 841 generates (step 905) a new four-tuple (rand, h , cnt , back_cnt)new with components randnew - new random value generated by the version control module 841 , hnew = h, cntnew = cntprev, back_cntnew = back_cntprev, and the version control module replaces the previous tuple with the same h value with the new tuple, and sets the new tuple as the top element in the list. In case the test in step 903 reveals that h is not equal to one of the previous hash values, the new random value, hash value h, and counter are stored together with the allowed back_cnt (associated with this h) in the version control list (step 906). In this case, the new four-tuple (rand, h , cnt , back_cnt)new is created according to: randnew= new random value, hnew= h, cntnew=cnt, back_cntnew = min(back_cnt, cnt - min_allowed_version) and the new tuple will become the top element in the list. Here, min__allowed_version is the current lowest allowed version by any tuple in the update list. After the entry has been placed on top in the update list the min_allowed_version is recomputed as cnttop-back_cnttop, i.e. from the counter cnttop and the back_cnt version of the top element (step 907). Finally, all elements in the list are updated (step 908) so that their back_cnt values are the largest possible values that do not give a version number that is lower than the least allowed version min_allowed_version. If the list contains an entry with a version that falls out of the allowed range, this entry will be deleted.
In some embodiments, a MAC check value (MACLIST) is associated with the version control list to prevent unauthorized manipulation of the entries in the list, thereby further increasing the security of the method. The MACLIST value is updated only when the list has been updated, i.e. after a successful signature verification. Prior to accessing/using the version control list the current MAC check value can be checked against the MACLIST value. To prevent unauthorised MACLIST value computations, the MAC circuitry will only release the computed MAC value when a successful signature verification preceded the computations (as controlled by block 734 in figs. 7 and 8).
Hence, the stored reference MAC value and the version control list are now available for subsequent audits of the software and data by the processor. For example, in order to verify the integrity of the stored software, the processor calculates an audit hash value ha=h(SW) of the stored software and data and generates an audit tuple (rand, ha, cnt , back_cnt) with the values rand, cnt, and back_cont retrieved from the version control list. From this, the processor calculates an audit MAC value ta = MAC((rand, ha, cnt , back_cnt);K) of the calculated audit tuple using the chip unique key K. The processor compares the calculated audit MAC value ta with the stored reference MAC value tr. If the two values are equal, the integrity of the software is verified.
As described above, such an audit may be performed during the boot process of the mobile terminal and/or each time the software is to be executed and/or periodically in predetermined time intervals.
The above process will now be further illustrated by way of example and with reference to fig. 10.
Fig. 10 illustrates an example of a version control mechanism where a version control list of size 3 is used, i.e. the version control list can store three tuples. In this example, it is further assumed that there is a sequence of 8 software version releases with the following values (h, cnt, back_cnt) of the hash value h, the version counter cnt and the back counter back_cnt received from the signature verification process: Version 1 : (M, 1 ,0),
Version 2: (H2.2.1), Version 3: (H3,3,2), Version 4: (H4, 4,3), Version 5: (H5, 5, 2), Version 6: (H6, 6, 3),
Version 7: (H7, 7, 4), and Version 8: (H8, 8, 4).
It is further assumed that the above versions have been applied in sequence except version 7 that was not applied. Fig. 10 shows the version control list 1001 after installation of version 8. Each row of the version control list 1001 includes the corresponding four-tuple for one of the installed versions: Row 1002, the top element of the list, corresponds to version 8, row 1003 corresponds to version 6, and row 1004 corresponds to version 5. R8, R6, and R5 are the random numbers generated by the version control module as described above. After version 8 was applied the lowest allowed version was 4 (since cnt of version 8 is 8 and back_cnt of version 8 is 4 and 8-4=4), thus min_allowed_version = 4. Accordingly, the back_cnt values of the remaining entries in the list were adjusted during the installation of version 8 to meet the limit on the lowest allowed version after version 8 has been added. In particular, the back_cnt value in row 1002 was set to 2 and the back_cnt value in row 1003 was set to 1. Prior to the update with version 8, the lowest allowed version was 3, but this value was raised to 4 through version 8.
Fig. 10 further shows the version control table 1011 after installation of version 7. First of all, the counter value cnt of version 7 is 7, i.e. in the allowed range of the current version. The hash value H7 does not yet exist in the version control list 1001, hence a new four-tuple 1007 with the new hash value H7 is stored as the new top element 1012 of the version control table 1011. The previous top element is moved down in the list and corresponds to row 1013. Version 6 is now placed in row 1014, while version 5 is removed from the list, because in this example, there is only room for three four-tuples in the version control list. The value of back_cnt of the new top element 1012 is set to 3 in order to meet the limit of the current lowest allowed version (min_allowed_version=4).
Fig. 11 shows a flow diagram of a software loading process for a software upgrade. The process is similar to the process shown in fig. 6 for loading a software for the first time.
In initial step 1101 , the mobile terminal receives a software upgrade data packet from a reprogramming tool over a local or a remote interface, e.g. GSM, WCDMA, etc., as described above. The packet contains the new software upgrade Δ, one or more certificates C, and a digital signature S(hr) of the protected software, as described in connection with fig. 5 above. Optionally, the software may further include data, e.g. updated configuration data. In one embodiment, the new software is loaded as a so-called delta-file including the differences of the new software relative to the current software, thereby reducing the size of the upgrade packet. Delta-file techniques are known in the art and described in e.g. "Delta storage for arbitrary non-text files", by Christian Reichenberger, Proc. Of the 3rd International Workshop on Software Configuration Management, pp. 144-152, Norway, June 1991. Alternatively other upgrade file generation methods may be used or the entire new software may be received. The signature S(hr) comprises an encrypted hash value calculated from the new software. The signature is calculated such that first a one-way hash hr=H(SW) of the new software, SW, is calculated, and subsequently, the hash value is encrypted with the private key of a public-private key pair, e.g. an RSA public-private key pair. The corresponding public key is included in a certificate that is included in the software upgrade packet. Upon receipt of the software upgrade packet, the mobile terminal stores the software upgrade, certificate(s), and the signature in the external memory 106.
In step 1102 the processor of the mobile terminal reads the newly stored software upgrade, the certificate(s), C, and the signature, S(hr), into its internal memory.
In step 1122, the processor performs a version control. The mobile terminal has received a software version number of the new software version as part of the upgrade packet. The software version number of the new software image is checked against the version number of the current software stored on the external memory (protected by a MAC). If the new software version number is lower than the old software version number, the mobile terminal aborts the update process. In another embodiment, the version control process described in connection with figs. 8 and 9 is performed.
If the version control of step 1122 has succeeded, the process continues at step 1123, where the processor generates the new software SWnew from the received delta-file Δ and the current software version SWprev stored on the external memory (protected by a MAC).
In step 1103, the processor calculates a one-way audit hash value ha=H(SWnew) of the new software SWw
In step 1104, the processor reads a root public key, PK, from a memory 1105. In some embodiments, the root public key is securely stored, i.e. integrity protected. In one embodiment, the root public key is stored in the internal ROM of the processor, as described above. The processor uses the root public key PK to verify the signature S(hr) of the new software. If only one certificate is used, then the signature S(hr) is verified against the public key in the certificate C. The certificate C in turn is then verified against the root public key PK. If several certificates are used, the whole chain of certificates is verified. In that case, the signature of the last certificate in the chain is verified against the root public key. Hence, in step 1104, the processor verifies the public key used to sign the new software. If the verification succeeds, the processor proceeds at step 1106 with verifying the signature. Otherwise, the software loading process is aborted.
In step 1106, the processor decrypts the digital signature S(hr) of the software using the public key verified in step 1104, resulting in the reference hash value hr.
In step 1107, the decrypted signature, i.e. the reference hash value hr, is verified against the one-way audit hash value ha calculated in step 1103. If the verification succeeds, i.e. if the audit hash value ha and the reference hash value hr are equal, the processor proceeds at step 1108 with calculating a reference message authentication code (MAC). Otherwise, the software loading process is aborted.
In step 1108, the processor uses the verified one-way hash value ha and a chip unique key, K (or a value derived from K), as input values to a MAC calculating function, resulting in a reference message authentication code value tr = MAC(ha; K). The output value of the MAC function is the reference MAC value of the new software. In some embodiments, the chip unique key K is burnt into the chip during the fabrication process using e.g. so-called e- fuse technology. Alternatively, the key K is stored in another secure memory that is only accessible by the processor. Embodiments of the message authentication code have been described above. The processor stores the new reference MAC value tr in the external memory 106 together with the new software. The previous MAC value is deleted. Optionally, the certificate(s) and the digital signature values are removed from the external memory. The new software version SWnew is stored in the external memory and the old software version is deleted.
The loading process described above is controlled by the processor of the mobile terminal. In a two-chip architecture as described in connection with figs. 3 and 4, the above steps are carried out by the chip 311 that is intended to subsequently execute the software.
Hence, in the above a powerful software signing mechanism for the protection of software for many different systems has been described. The mechanism is efficiently combined with a symmetric key based integrity protection mechanism for secure software storage. Once the SW has been installed in the platform, the symmetric key based mechanism is used, and advantage is taken from previously computations. Furthermore, a combined mechanism to protect and version control software is described herein.
The provided integrity protection at storage is particular advantageous in connection with a two CPU architecture, when the non-volatile memory is connected to an untrusted CPU, and where there is a need for SW updates.
Although some embodiments have been described and shown in detail, the invention is not restricted to them, but may also be embodied in other ways within the scope of the subject matter defined in the following claims. In particular, the embodiments have mainly been described with reference to a mobile terminal as an example of a data processing device. It is understood, however, that the method, product means, and device described herein may also be applied to other data processing devices.
The method, product means, and device described herein can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed microprocessor. In the device claims enumerating several means, several of these means can be embodied by one and the same item of hardware, e.g. a suitably programmed microprocessor, one or more digital signal processor, or the like. The mere fact that certain measures are recited in mutually different dependent claims or described in different embodiments does not indicate that a combination of these measures cannot be used to advantage.
It should be emphasized that the term "comprises/comprising" when used in this specification is taken to specify the presence of stated features, integers, steps or components but does not preclude the presence or addition of one or more other features, integers, steps, components or groups thereof.

Claims

CLAIMS:
1. A method of loading data into a data processing device, the method comprising:
- receiving a payload data item by the data processing device;
- performing a cryptographic authentication process to ensure the authenticity of the payload data item;
- storing the authenticated received payload data item in the data processing device; and
- integrity protecting the stored payload data item;
characterised in
that performing a cryptographic authentication process comprises calculating an audit hash value of at least the received data item; and
that the integrity protecting further comprises calculating a reference message authentication code value of at least the audit hash value using a secret key stored in the data processing device as an input.
2. A method according to claim 1 , wherein the cryptographic authentication process includes
- receiving a reference hash value; and - comparing the received reference hash value with the calculated audit hash value to verify the authenticity of the received payload data item.
3. A method according to claim 2, wherein the cryptographic authentication process includes digitally signing the data item according to a public key cryptosystem.
4. A method according to claim 3, comprising
- receiving the payload data item, a digital signature data item and a digitally signed digital certificate data item, wherein the digital certificate data item includes a first public key and wherein the digital signature data item includes a reference hash value encrypted with a first private key corresponding to the first public key;
- authenticating the digitally signed digital certificate data item against a root public key stored in the data processing device;
- authenticating the digital signature data item against the authenticated digital certificate;
- comparing the received reference hash value with the calculated audit hash value to verify the authenticity of the received payload data item.
5. A method according to claim 3 or 4, further comprising cryptographically authenticating the reference hash value; and wherein calculating the reference message authentication code value is performed only if the reference hash value is successfully authenticated.
6. A method according to any one of claims 1 through 5, wherein the integrity protecting further comprises storing the calculated reference message authentication code value in relation to the received payload data item.
7. A method according to any one of claims 1 through 6, wherein calculating the reference message authentication code value further comprises calculating the reference message authentication code value of a combined data item derived from at least the audit hash value and a random number.
8. A method according to any one of claims 1 through 7, wherein calculating the reference message authentication code value further comprises calculating the reference message authentication code value of a combined data item derived from at least the audit hash value and a version control data item.
9. A method according to claim 8, further comprising storing a version control data record in a version control data structure, the version control data record including information about the received payload data item including at least the version control data item.
10. A method according to claim 9, wherein the stored version control data record is integrity protected.
11. A method according to claim 9 or 10, wherein the version control data record comprises a version counter.
12. A method according to claim 11 , wherein the version control data record further comprises a back counter identifying a number of previous versions that may replace the current version of the payload data item.
13. A method according to any one of claims 1 through 12, wherein the secret key is a secret data item unique to the data processing device.
14. A method according to any one of claims 1 through 13, wherein the secret key is a secret data item known only to the data processing device.
15. A method according to any one of claims 1 through 14, wherein receiving the payload data item comprises receiving a delta update of a previously received current data item, and generating the payload data item as an updated payload data item from the previously received current data item and the received delta update.
16. A computer program comprising program code means adapted to cause a data processing device to perform the steps of the method according to any¬ one of claims 1 through 15, when said computer program is run on the data processing device.
17. A data processing device comprising a first processing circuit adapted to perform the method according to any one of claims 1 through 15.
18. A data processing device according to claim 17, further comprising storage means adapted to store the received payload data item; and a second processing circuit connected to the storage means and to the first processing circuit; wherein the second processing circuit is adapted to provide to the first processing circuit at least read access to the storage means.
19. A data processing device according to claim 17 or 18, wherein the first processing circuit comprises local storage means for storing a root public key of an asymmetric cryptographic system.
20. A data processing device according to any one of claims 17 through 19, wherein the first processing circuit comprises local storage means for storing said secret key.
21. A method of protecting the integrity of a current version of a data item stored in a data processing device, the method comprising
- determining a reference hash value of at least the data item;
- calculating a reference message authentication code value from the determined reference hash value using a secret key stored in the data processing device; - storing the calculated reference message authentication code value in relation to the data item; characterised in
that calculating the reference message authentication code value comprises calculating the reference message authentication code value from a combined data item derived from the determined reference hash value and at least a part of a version control data record, the version control data record including version control information about the current version of the data item.
22. A method according to claim 21 , wherein the version control data record comprises a version counter; and wherein calculating the reference message authentication code value comprises calculating a reference message authentication code value from a combined data item derived from the determined reference hash value and at least the version counter.
23. A method according to claim 22, wherein the version control data record further comprises a back counter identifying a number of previous versions that may replace the current version; and wherein calculating the reference message authentication code value comprises calculating a reference message authentication code value from a combined data item derived from the determined reference hash value and at least the back counter.
24. A method according to any one of claims 21 through 23, wherein the version control data record further comprises the reference hash value for the current version of the data item.
25. A method according to any one of claims 21 through 24, further comprising generating the version control data record; and storing the version control data record in a version control data structure.
26. A method according to claim 25, further comprising integrity protecting the version control data record.
27. A method according to any one of claims 21 through 26, wherein the secret key is a secret data item unique to the data processing device.
28. A method according to any one of claims 21 through 27, wherein the secret key is a secret data item known only to the data processing device.
29. A method according to any one of claims 21 through 28, further comprising
- receiving a delta update of a previously received current data item; and
- generating the data item as an updated data item from the previously received current data item and the received delta update.
30. A method of verifying the integrity of a current version of a data item stored in a data processing device, the method comprising
- calculating an audit hash value of the data item; - calculating an audit message authentication code value from the calculated audit hash value using a secret key stored in the data processing device;
- comparing the calculated audit message authentication code value with a reference message authentication code value stored in relation to the data item;
characterised in
that the method further comprises retrieving a version control data record, the version control data record including version control information about the current version of the data item; and that calculating the audit message authentication code value comprises calculating an audit message authentication code value from a combined data item derived from the calculated audit hash value and at least a part of the version control data record.
31. A method according to any one of claims 21 through 30, wherein the data item is loaded by performing the method defined in any one of claims 1 through 15.
32. A data processing device comprising storage means for storing a current version of a data item and a version control data record, the version control data record including version control information about the current version of the data item; and processing means adapted to perform the method according to any one of claims 21 through 31.
PCT/EP2005/009624 2004-10-11 2005-09-07 Secure loading and storing of data in a data processing device WO2006039967A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US11/577,084 US8627086B2 (en) 2004-10-11 2005-09-07 Secure loading and storing of data in a data processing device
JP2007535036A JP4856080B2 (en) 2004-10-11 2005-09-07 Secure loading and storage of data to data processing equipment

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
EP04388069.9 2004-10-11
EP04388069A EP1645931A1 (en) 2004-10-11 2004-10-11 Secure loading and storing of data in a data processing device
US61803704P 2004-10-12 2004-10-12
US60/618,037 2004-10-12

Publications (1)

Publication Number Publication Date
WO2006039967A1 true WO2006039967A1 (en) 2006-04-20

Family

ID=35355897

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2005/009624 WO2006039967A1 (en) 2004-10-11 2005-09-07 Secure loading and storing of data in a data processing device

Country Status (3)

Country Link
KR (1) KR20070074617A (en)
RU (1) RU2408071C2 (en)
WO (1) WO2006039967A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2012178853A (en) * 2006-05-26 2012-09-13 Alcatel-Lucent Usa Inc Encryption method for secure packet transmission
US8316442B2 (en) 2008-01-15 2012-11-20 Microsoft Corporation Preventing secure data from leaving the network perimeter
EP2879074A1 (en) * 2013-11-29 2015-06-03 Gemalto SA Method for loading a native code on a secure element

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
RU2464628C1 (en) * 2011-06-24 2012-10-20 Федеральное государственное военное образовательное учреждение высшего профессионального образования "Военная академия связи имени маршала Советского Союза С.М. Буденного" Министерства обороны Российской Федерации Method of controlling software operation
RU2475838C1 (en) * 2011-11-07 2013-02-20 Федеральное государственное бюджетное образовательное учреждение высшего профессионального образования Иркутский государственный университет путей сообщения (ФГБОУ ВПО ИрГУПС) Device for cryptographic information protection

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020002703A1 (en) * 2000-06-30 2002-01-03 International Business Machines Corporation Device and method for updating code
WO2002001351A2 (en) * 2000-06-28 2002-01-03 Microsoft Corporation Binding by hash
US6367012B1 (en) * 1996-12-06 2002-04-02 Microsoft Corporation Embedding certifications in executable files for network transmission
US6401206B1 (en) * 1997-03-06 2002-06-04 Skylight Software, Inc. Method and apparatus for binding electronic impressions made by digital identities to documents
US20030105968A1 (en) * 2001-11-30 2003-06-05 International Business Machines Corporation System and method for migration of a version of a bootable program
US20040025010A1 (en) * 2002-07-30 2004-02-05 Texas Instruments Incorporated Computing platform certificate

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6367012B1 (en) * 1996-12-06 2002-04-02 Microsoft Corporation Embedding certifications in executable files for network transmission
US6401206B1 (en) * 1997-03-06 2002-06-04 Skylight Software, Inc. Method and apparatus for binding electronic impressions made by digital identities to documents
WO2002001351A2 (en) * 2000-06-28 2002-01-03 Microsoft Corporation Binding by hash
US20020002703A1 (en) * 2000-06-30 2002-01-03 International Business Machines Corporation Device and method for updating code
US20030105968A1 (en) * 2001-11-30 2003-06-05 International Business Machines Corporation System and method for migration of a version of a bootable program
US20040025010A1 (en) * 2002-07-30 2004-02-05 Texas Instruments Incorporated Computing platform certificate

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2012178853A (en) * 2006-05-26 2012-09-13 Alcatel-Lucent Usa Inc Encryption method for secure packet transmission
US8583929B2 (en) 2006-05-26 2013-11-12 Alcatel Lucent Encryption method for secure packet transmission
JP2014161027A (en) * 2006-05-26 2014-09-04 Alcatel-Lucent Usa Inc Encryption method for secure packet transmission
US8316442B2 (en) 2008-01-15 2012-11-20 Microsoft Corporation Preventing secure data from leaving the network perimeter
EP2879074A1 (en) * 2013-11-29 2015-06-03 Gemalto SA Method for loading a native code on a secure element

Also Published As

Publication number Publication date
RU2408071C2 (en) 2010-12-27
RU2007117505A (en) 2008-11-20
KR20070074617A (en) 2007-07-12

Similar Documents

Publication Publication Date Title
US8627086B2 (en) Secure loading and storing of data in a data processing device
JP4856080B2 (en) Secure loading and storage of data to data processing equipment
JP4854677B2 (en) Updating the memory content of the processing device
US7373509B2 (en) Multi-authentication for a computing device connecting to a network
JP4912879B2 (en) Security protection method for access to protected resources of processor
US7299358B2 (en) Indirect data protection using random key encryption
EP1618451B1 (en) Associating software with hardware using cryptography
JP4668619B2 (en) Device key
RU2601862C2 (en) Method, unit and device for processing encryption and decryption
US20060059547A1 (en) Method of verifying downloaded software and corresponding device
US11361087B2 (en) Security data processing device
US20080082828A1 (en) Circuit arrangement and method for starting up a circuit arrangement
JP2007512787A (en) Trusted mobile platform architecture
WO2014138626A1 (en) Systems and methods for maintaining integrity and secrecy in untrusted computing platforms
US20220224546A1 (en) Software integrity protection method and apparatus, and software integrity verification method and apparatus
RU2408071C2 (en) Protected data loading and storage in data processing device
KR100749868B1 (en) Device Keys
KR20070017455A (en) Secure protection method for access to protected resources in a processor
JP5180264B2 (en) Device key

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

DPEN Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed from 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 2007535036

Country of ref document: JP

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 557/MUMNP/2007

Country of ref document: IN

WWE Wipo information: entry into national phase

Ref document number: 1020077010632

Country of ref document: KR

WWE Wipo information: entry into national phase

Ref document number: 2007117505

Country of ref document: RU

WWE Wipo information: entry into national phase

Ref document number: 200580042121.1

Country of ref document: CN

WWE Wipo information: entry into national phase

Ref document number: 11577084

Country of ref document: US

122 Ep: pct application non-entry in european phase

Ref document number: 05778451

Country of ref document: EP

Kind code of ref document: A1

WWP Wipo information: published in national office

Ref document number: 11577084

Country of ref document: US