WO2007026287A1 - Method and device for generating seeds in a random number generator - Google Patents

Method and device for generating seeds in a random number generator

Info

Publication number
WO2007026287A1
Authority
WO
WIPO (PCT)
Prior art keywords
seed
initial random
sources
devices
random number
Application number
PCT/IB2006/052937
Other languages
English (en)
Inventor
Ventzislav Nikov
Fred Grumiaux
Original Assignee
Koninklijke Philips Electronics N.V.
Priority date: 2005-08-30
Filing date: 2006-08-24
Publication date: 2007-03-08
Application filed by Koninklijke Philips Electronics N.V.
Publication of WO2007026287A1

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/06: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; hash functions; pseudorandom sequence generators
    • H04L 9/0643: Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L 9/065: Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H04L 9/0656: Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
    • H04L 9/0662: Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher, with particular pseudorandom sequence generator

Definitions

  • The present invention relates to a method of generating initial random seeds for random number generators (RNGs) comprised in devices, where the generation is based on using two or more seed sources.
  • The present invention also relates to an electronic device for generating an initial random seed for a random number generator (RNG) comprised in said device, said generation being based on using two or more seed sources.
  • The present invention relates to a manufacturing process for manufacturing electronic devices, said devices being adapted to generate an initial random seed for random number generators (RNGs) comprised in said devices, said generation being based on using two or more seed sources.
  • The portable device must have a cryptographically secure random number generator (RNG). Since building a hardware-based RNG is costly, most devices implement this functionality in software, applying some deterministic algorithm to derive a (pseudo) random number from the current seed. In this way, even if the RNG is of high quality, its security level depends on the entropy of the initial random seed of the RNG.
  • RNG: random number generator
  • The second approach is to derive the next seed from the current seed by applying a deterministic algorithm.
  • The first approach is not an option, because of the cost involved in providing a hardware-based source of randomness. Thus all random values generated by the RNG (as well as all seeds) are derived in a deterministic way from the initial random seed.
  • An example of the second approach is a solution where the initial random seed is set during manufacturing and stored in a secure storage (e.g. device ROM or protected RAM/FLASH).
  • The seed is a random value and should have a high probability of uniqueness for each device. This imposes a burden on manufacturing, since the process must be individualized, which again adds cost.
  • This object is achieved in a method of generating an initial random seed for a random number generator (RNG) comprised in a device, said generation being based on using two or more seed sources, said method comprising: - using a fixed seed as a first seed source, said fixed seed being a secret random number, common for a number of devices,
  • The method of generating said initial random seed for the RNG, which preferably is a pseudo random number generator (PRNG), becomes much simpler, as the initial random seed does not have to be individualized for each individual device.
  • By using said device characteristic seed, which can e.g. be the serial number of the device, as a second seed source, it is ensured that the resulting initial random seed has a high probability of uniqueness, i.e. there is a high statistical probability that the initial random seed will be different for each individual device.
  • Said cryptographic algorithm used to generate said initial random seed is a cryptographic one-way function.
  • A cryptographic one-way function may e.g. be a cryptographic one-way hash function, a cryptographic trapdoor one-way function, a cryptographic keyed one-way function, or a message digest function, etc.
  • Although a trapdoor one-way function and a keyed one-way function provide a reverse mapping, this requires access to the key/trapdoor.
  • These functions are commonly known as cryptographic one-way functions.
  • The use of a one-way function ensures that if an attacker finds out the initial random generator seed, although it is secret, he will not be able to obtain the fixed seed.
  • Said two or more seed sources comprise key information as a further seed source.
  • Examples of key information are symmetric keys, session keys, public keys and private keys.
  • Other dynamic information, such as network packets, might be used as a further seed source.
  • The present invention further relates to a computer-readable medium having stored therein instructions for causing a processing unit to execute said methods.
  • The present invention relates to an electronic device for generating an initial random seed for a random number generator (RNG) comprised in said device, said generation being based on using two or more seed sources, comprising:
  • a first storage means for storing a fixed seed as a first seed source, said fixed seed being a secret random number, common for a number of devices,
  • a processing means for applying a cryptographic algorithm on said fixed seed and said device characteristic seed for combining said seed sources into said initial random seed.
  • Said device can, based on said fixed seed and said at least second seed source, generate said initial random seed for the RNG.
  • The initial random seed does not have to be individualized for each of said number of devices.
  • Said first storage means comprises read/write memory. This is of course preferred in order to enable "writing" the fixed seed into the memory and "reading" it when the initial random seed is generated.
  • Said initial random seed is generated the first time said device is activated. In that way, it is ensured that the initial random seed, and with it the security of the device, is established at the very beginning, before the user starts to use the various device features.
  • Said first storage means is further adapted to store external secret key information as a further seed source.
  • This e.g. results in a very dynamic way of generating said initial random seed value over time, which may therefore thwart replay attacks.
  • Said means for providing said device characteristic seed as a second seed source is a second storage means.
  • This second storage means can e.g. be a read-only memory, to make sure that nobody can change the fixed device characteristic seed.
  • Said initial random seed is generated upon connection with a host.
  • The host can e.g. be a network wherein a public key of the host, or alternatively a session key, may be used as an additional seed source. This may be an advantage for devices which are not very robust.
  • The present invention relates to a manufacturing process for manufacturing electronic devices, wherein each of said devices is adapted to generate an initial random seed for a random number generator (RNG) comprised in each device, said generation being based on using two or more seed sources, said manufacturing process comprising: - selecting a fixed seed as a first seed source, said fixed seed being a secret random number, common for a number of devices,
  • Figure 1 shows a device according to the present invention which is required to perform security/cryptographic operations.
  • Figure 2 shows a method according to the present invention of generating initial random seeds for cryptographically secure random number generators.
  • FIG. 1 shows a device 100 according to the present invention that is required to perform security/cryptographic operations.
  • An example of such an operation is the encryption of digital content using a session key, based on a random number, in e.g. a Digital Rights Management (DRM) system.
  • DRM: Digital Rights Management
  • In order to perform such operations, the device 100 must be provided with a random number generator (RNG), wherein the security of the RNG relies in part on the entropy of its initial random seed.
  • Said device 100 can be any kind of device, e.g. a PDA 110, a mobile phone 109, a television, an audio playback device, an audiovisual recording device, or a regular PC 108, wherein the initial random seed is typically generated only once, e.g. the first time a purchaser of the device 100 activates it.
  • The device 100 comprises a processor 104 and a first 101 and a second 112 storage means for storing two or more seed sources 102-103, 111 used to generate an initial random seed 106 for the RNG 107.
  • The first storage means 101, which is preferably a read/write memory such as RAM/FLASH, stores a fixed seed 102 that is secret and random and is shared by at least a number of devices.
  • The second storage means 112, on the other hand, is typically a read-only memory (ROM) and stores the device characteristic seed 103, or device ID, which is unique for each individual device 100.
  • The first storage means 101 additionally stores an external key 111 as an additional seed source, which preferably is secret, for generating said initial random seed for the RNG 107.
  • This external key can be a trusted public key, a symmetric key, a public key, a private key, or a combination thereof.
  • The result obtained by using such additional seed sources is a more dynamic value being used in the initial random seed generation.
  • The processor 104 is adapted to combine said fixed seed 102 and said device characteristic seed 103 via a cryptographic algorithm 105 for generating said initial RNG seed 106.
  • The processor uses the external key as a third seed source for generating said initial random seed 106, combining said seed sources together by e.g. applying cryptographic operations or the Boolean XOR operation.
  • Said seed sources 102, 103, 111 have high entropy. Characteristic for these operations is that they aim to preserve, or increase, entropy as much as possible, and in doing so result in an initial random seed with high entropy.
  • Said cryptographic algorithm 105 is a one-way function, such as disclosed by Menezes et al., which is incorporated by reference herein (A. Menezes, P. van Oorschot, S. Vanstone. Handbook of Applied Cryptography, CRC Press, 1997).
  • Other cryptographic algorithms may be used, e.g. hash functions, symmetric encryption, message authentication codes, cryptographic one-way hash functions, cryptographic trapdoor one-way functions, cryptographic keyed one-way functions, message digest functions, collision-free one-way hash functions, etc.
  • An example of a one-way hash function algorithm 105 is disclosed in FIPS 180-2, which is incorporated by reference herein (FIPS 180-2. Secure Hash Standard (SHS), NIST).
  • SHS: Secure Hash Standard
  • The following cryptographic algorithms may be used in generating said initial random seed 106 from said seed sources, by using said seed sources as input values:
  • Initial_RNG_Seed = MAC(hash(ExtKeys), DeviceID || FixedSeed)
  • Initial_RNG_Seed = MAC(FixedSeed, DeviceID || …)
  • Initial_RNG_Seed = Encrypt(FixedSeed, DeviceID || …)
  • Initial_RNG_Seed = Hash(FixedSeed || …)
  • MAC represents a keyed message authentication code, such as for example HMAC as disclosed by Bellare et al., which is incorporated by reference herein.
  • Encrypt is a symmetric encryption algorithm, for example as disclosed in FIPS 197, which is incorporated by reference herein (FIPS 197. Advanced Encryption Standard (AES), NIST).
  • The external keys have high entropy, so that the resulting initial RNG seed will have high entropy and thereby enhance the security of the RNG.
  • Part of the external keys are private, i.e. they can be private keys or symmetric keys as mentioned previously.
  • The initial random seed 106 is generated when the device 100 is connected with a host 113 for the first time, e.g. over a network 115, where the host 113 uses e.g. a public key 111 as an additional seed source and receives the device ID 103. Subsequently, the host 103 might be adapted to use this to initialize a further RNG on the host side 113 using the secret common initial random seed, in order to provide a secret common random number 106 that can be generated by both the host 113 and the client, in order to e.g. encrypt or share content.
  • Instead of a public key, it is also possible to use e.g. a session key that was established together with the connection.
  • Figure 2 shows a method according to the present invention of generating initial random seeds for cryptographically secure random number generators (RNGs).
  • Two or more seeds are used as seed sources for generating the initial random seed for each of the devices.
  • The initial random seed generation is often initiated when e.g. a purchaser of a device actuates the device for the first time (S) 201, e.g. when a user actuates his/her mobile telephone for the first time.
  • The steps involved in generating the initial random seed for the RNG comprise using a fixed random seed (F_S) 202 as a first initial random seed source, which is a common seed source for a number of devices and preferably has high entropy.
  • The at least second seed source being used (D_C_S) 203 is a device characteristic seed, such as the device's serial number, and/or some external keys such as trusted public keys, symmetric keys, or public-private key pairs. As mentioned previously, other seed sources may be applied, such as external keys.
  • These seed sources are used as input parameters for a cryptographic algorithm (A_A) 204, as mentioned previously under Fig. 1.
  • A_A: a cryptographic algorithm
  • Said seed sources can further comprise a number of additional seed sources, preferably secret and with high entropy.
  • Any reference signs placed between parentheses shall not be construed as limiting the claim.
  • The word 'comprising' does not exclude the presence of other elements or steps than those listed in a claim.
  • The invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a system claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
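The seed derivations described in the definitions above (a MAC keyed with hash(ExtKeys) over DeviceID || FixedSeed, the plain Hash variant, the XOR option, and the host re-deriving the same seed from the received device ID) as an added Python example; this is not the patent's own code or Philips' implementation. It assumes HMAC-SHA256 as the MAC and SHA-256 as the one-way hash and the deterministic seed-update function, and every seed value, device ID and key below is constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample inputs (not values from the patent): one secret FixedSeed
# shared by the whole fleet, per-device identifiers, and external key material.
FIXED_SEED = bytes.fromhex("5f" * 16 + "a3" * 16)            # 32-byte fleet-wide secret
DEVICE_IDS = [b"SN-000001", b"SN-000002", b"SN-000003"]      # device characteristic seeds
EXT_KEYS = [b"host-public-key-bytes", b"session-key-bytes"]  # ExtKeys: host public key, session key


def hash_ext_keys(ext_keys):
    """hash(ExtKeys): one digest over all external keys, each length-prefixed so
    that two key lists with the same raw concatenation cannot collide."""
    h = hashlib.sha256()
    for key in ext_keys:
        h.update(len(key).to_bytes(2, "big"))
        h.update(key)
    return h.digest()


def initial_rng_seed_mac(fixed_seed, device_id, ext_keys):
    """Initial_RNG_Seed = MAC(hash(ExtKeys), DeviceID || FixedSeed), with HMAC-SHA256
    standing in for the MAC (assumed instantiation). FixedSeed has a fixed length and
    comes last, so the concatenation with a variable-length DeviceID is unambiguous."""
    return hmac.new(hash_ext_keys(ext_keys), device_id + fixed_seed, hashlib.sha256).digest()


def initial_rng_seed_hash(fixed_seed, device_id):
    """Two-source variant Initial_RNG_Seed = Hash(FixedSeed || DeviceID), with SHA-256
    as the one-way function (assumed instantiation)."""
    return hashlib.sha256(fixed_seed + device_id).digest()


def next_seed(seed):
    """Deterministic seed update: the next seed is a one-way function of the current one,
    so later seeds do not reveal the initial one (SHA-256 with a domain tag, assumed)."""
    return hashlib.sha256(b"next-seed" + seed).digest()


def xor_combine(fixed_seed, device_id):
    """Plain XOR combination of the two sources, the alternative the text mentions."""
    padded = device_id.rjust(len(fixed_seed), b"\x00")
    return bytes(a ^ b for a, b in zip(fixed_seed, padded))


def fixed_seed_from_xor_seed(seed, device_id):
    """XOR is its own inverse: whoever holds the derived seed and the non-secret device ID
    gets FixedSeed back. This is the property the one-way construction above removes."""
    return xor_combine(seed, device_id)


def fleet_seeds(fixed_seed, device_ids, ext_keys):
    """Derive every device's initial seed from the single common FixedSeed; the device ID
    is what makes each result distinct, so manufacturing need not individualize seeds."""
    return {dev: initial_rng_seed_mac(fixed_seed, dev, ext_keys) for dev in device_ids}


def host_matches_device(fixed_seed, received_device_id, ext_keys):
    """Host side: knowing FixedSeed and the same ExtKeys, and having received the device ID
    over the connection, the host derives the identical seed and can run the same RNG."""
    device_side = initial_rng_seed_mac(fixed_seed, received_device_id, ext_keys)
    host_side = initial_rng_seed_mac(fixed_seed, received_device_id, ext_keys)
    return hmac.compare_digest(device_side, host_side)


if __name__ == "__main__":
    seeds = fleet_seeds(FIXED_SEED, DEVICE_IDS, EXT_KEYS)
    for dev, seed in seeds.items():
        print(dev.decode(), "seed", seed.hex()[:16] + "...", "next", next_seed(seed).hex()[:16] + "...")
    print("all seeds distinct:", len(set(seeds.values())) == len(seeds))
    print("host in sync with device:", host_matches_device(FIXED_SEED, DEVICE_IDS[0], EXT_KEYS))
    xor_seed = xor_combine(FIXED_SEED, DEVICE_IDS[0])
    print("XOR variant gives FixedSeed back:", fixed_seed_from_xor_seed(xor_seed, DEVICE_IDS[0]) == FIXED_SEED)
```

The contrast between `initial_rng_seed_mac` and `xor_combine` is the design point the text makes about one-way functions: with a keyed or unkeyed one-way function, an initial seed that becomes known does not yield the fleet-wide FixedSeed, whereas with XOR and a public device ID it does, and since FixedSeed is shared by many devices that is a fleet-wide loss rather than a single-device one. Changing any external key changes the seed, which is the "dynamic" behaviour the text attributes to the external key source.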

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a method of generating initial random seeds for random number generators (RNGs) comprised in devices. The generation is based on using two or more seed sources: a fixed seed as a first seed source, which is secret and random and common to the devices, and a device characteristic seed as a second seed source, which particularly identifies each of the devices. A cryptographic algorithm is then applied on the seed sources to combine them into said initial random seed.
PCT/IB2006/052937 2005-08-30 2006-08-24 Method and device for generating seeds in a random number generator WO2007026287A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP05107925.9 2005-08-30
EP05107925 2005-08-30

Publications (1)

Publication Number Publication Date
WO2007026287A1 true WO2007026287A1 (fr) 2007-03-08

Family

ID=37561233

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2006/052937 WO2007026287A1 (fr) 2005-08-30 2006-08-24 Method and device for generating seeds in a random number generator

Country Status (1)

Country Link
WO (1) WO2007026287A1 (fr)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2941114A1 (fr) * 2009-01-13 2010-07-16 Viaccess Sa Method and module for renewing the code of a cryptographic algorithm, method and module for generating a seed, security processor and recording medium for these methods
GB2515763A (en) * 2013-07-02 2015-01-07 Mastercard International Inc Improvements relating to unpredictable number generation
CN104868992A (zh) * 2009-03-02 2015-08-26 耶德托公司 Securely providing secret data from a transmitter to a receiver
EP2961094A1 (fr) * 2014-06-23 2015-12-30 Entersekt International Limited System and method for generating a random number
CN102111129B (zh) * 2009-12-28 2016-04-20 北京普源精电科技有限公司 Signal generator with a noise signal output function and method for outputting a noise signal
WO2016103187A1 (fr) * 2014-12-22 2016-06-30 Telefonaktiebolaget Lm Ericsson (Publ) Method and system for packet redundancy removal
US9875085B2 (en) 2015-07-28 2018-01-23 Sandisk Technologies Llc Memory system and method of generating a seed value
WO2019080109A1 (fr) * 2017-10-27 2019-05-02 福建联迪商用设备有限公司 Random number generation method and system for a terminal
EP3654173A1 (fr) * 2018-11-13 2020-05-20 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. Method for generating a random number, random number generation circuit and computer program

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6104811A (en) * 1996-08-16 2000-08-15 Telcordia Technologies, Inc. Cryptographically secure pseudo-random bit generator for fast and secure encryption
US20040268117A1 (en) * 2003-06-25 2004-12-30 Wegener Communications, Inc. Rapid decryption of data by key synchronization and indexing

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010081631A1 (fr) * 2009-01-13 2010-07-22 Viaccess Method and module for renewing the code of a cryptographic algorithm, method and module for generating a seed, security processor and recording medium for these methods
US8542822B2 (en) 2009-01-13 2013-09-24 Viaccess Method and module for renewing the code of a cryptographic algorithm, method and module for generating a seed, security processor and recording carrier for these methods
FR2941114A1 (fr) * 2009-01-13 2010-07-16 Viaccess Sa Method and module for renewing the code of a cryptographic algorithm, method and module for generating a seed, security processor and recording medium for these methods
CN104868992A (zh) * 2009-03-02 2015-08-26 耶德托公司 Securely providing secret data from a transmitter to a receiver
CN102111129B (zh) * 2009-12-28 2016-04-20 北京普源精电科技有限公司 Signal generator with a noise signal output function and method for outputting a noise signal
GB2515763A (en) * 2013-07-02 2015-01-07 Mastercard International Inc Improvements relating to unpredictable number generation
US9438420B2 (en) 2013-07-02 2016-09-06 Mastercard International Incorporated Unpredictable number generation
EP2961094A1 (fr) * 2014-06-23 2015-12-30 Entersekt International Limited System and method for generating a random number
WO2016103187A1 (fr) * 2014-12-22 2016-06-30 Telefonaktiebolaget Lm Ericsson (Publ) Method and system for packet redundancy removal
US9665441B2 (en) 2014-12-22 2017-05-30 Telefonaktiebolaget L M Ericsson (Publ) Method and system for packet redundancy removal
US9875085B2 (en) 2015-07-28 2018-01-23 Sandisk Technologies Llc Memory system and method of generating a seed value
WO2019080109A1 (fr) * 2017-10-27 2019-05-02 福建联迪商用设备有限公司 Random number generation method and system for a terminal
EP3654173A1 (fr) * 2018-11-13 2020-05-20 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. Method for generating a random number, random number generation circuit and computer program

Similar Documents

Publication Publication Date Title
US10187200B1 (en) System and method for generating a multi-stage key for use in cryptographic operations
US9882717B2 (en) System and method for generating a server-assisted strong password from a weak secret
EP2526505B1 (fr) Device and method for obtaining a cryptographic key
JP6267207B2 (ja) System for generating an encryption key from a memory used as a physically unclonable function
EP1440535B1 (fr) Memory encryption
WO2007026287A1 (fr) Method and device for generating seeds in a random number generator
JP4774492B2 (ja) Authentication system and remote distributed storage system
JP5306465B2 (ja) Precomputation of message authentication codes for application to secure memory
US7899184B2 (en) Ends-messaging protocol that recovers and has backward security
JP2001514834A (ja) Secure deterministic cryptographic key generation system and method
US20210091932A1 (en) Method for role-based data transmission using physically unclonable function (puf)-based keys
US20070039046A1 (en) Proof of execution using random function
CN111404952B (zh) Substation data encrypted transmission method, apparatus, computer device and storage medium
US8438393B2 (en) Quadratic residue based password authenticated key exchange method and system
KR20080025121A (ko) Generating a secret key from an asymmetric private key
CN111314050B (zh) Encryption and decryption method and apparatus
JP2004336794A (ja) Method and apparatus for generating a public key based on a user-defined ID in a cryptographic system
US20230096860A1 (en) Associative puf arrays to generate session keys with pseudo-homomorphic methods
JP2024511236A (ja) Computer file security encryption method, decryption method and readable storage medium
US20230045288A1 (en) Puf-protected pseudo-homomorphic methods to generate session keys
CN110855667A (zh) Blockchain encryption method, apparatus and system
Fluhrer Quantum cryptanalysis of NTRU
Tahir et al. Resilience against brute force and rainbow table attacks using strong ICMetrics session key pairs
JP6294882B2 (ja) Key storage device, key storage method, and program therefor
US8175266B2 (en) System and method of performing authentication

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application
NENP: Non-entry into the national phase (Ref country code: DE)
122 EP: PCT application non-entry in European phase (Ref document number: 06795762; Country of ref document: EP; Kind code of ref document: A1)