The field of the invention is that of the protection of digital data. More precisely, the invention relates to a method for encrypting/decrypting data on a host device by means of a secret key that is preserved in a secure device and is never communicated to the host device.
Computer and electronic systems increasingly resort to cryptography. As the quantity of exchanged data grows exponentially, it becomes necessary to encrypt data streams at ever higher rates.
Generally, two families of components are capable of performing encryption and decryption operations: conventional microcontrollers (MCU, for “MicroController Unit”) and secure microcontrollers (SE, for “Secure Element”).
MCU microcontrollers usually have enough resources to quickly encrypt a significant quantity of information, either by running encryption algorithms in embedded software or by using hardware accelerators that perform cryptographic operations without overloading the arithmetic unit and core logic of the MCU. However, MCU microcontrollers have no “strong box” in which to robustly store secrets, and therefore cannot ensure a high security level on their own.
Conversely, SE microcontrollers are designed, from both a software and a hardware standpoint, to store secrets with a high degree of confidence. SE microcontrollers are embedded in everyday products such as chip cards (SIM cards, bank cards, access badges, etc.) and laptops (the TPM, “Trusted Platform Module”, cryptographic chip). But although SE microcontrollers can perform cryptographic computations on restricted quantities of data (for authentication or integrity control, for example), they are not capable of encrypting or decrypting high-rate data streams.
Various so-called “remotely keyed encryption” protocols (RKEP) have been proposed to combine the respective advantages of MCU and SE microcontrollers and thus achieve encryption and decryption at a high rate and with a high security level. In these protocols, an MCU-type host device receives the plain text to be encrypted and runs the RKEP protocol with an SE-type secure device in order to encrypt the plain text without the secret key ever leaving the secure device.
Patent application US 2009/0006865 A1 sets out an exemplary RKEP protocol whose general principle is to hash the message P to be encrypted in the host device and then transmit the resulting message digest Z to the secure device. The secure device encrypts the message digest Z with the secret key K to generate a message key KP, and transmits the message key KP to the host device, which then encrypts the message P with the message key KP.
The main drawback of this protocol is that it allows a chosen-plaintext attack, in which the attacker submits texts of his/her choosing to the secure device as message digests Z and recovers their encrypted versions KP.
This protocol also has the drawback of exposing the message keys KP on the communication link between the host device and the secure device, where they are subject to interception.
Finally, this protocol has the drawback that the host device has to compute a message digest for each message, and these computations are cycle- and memory-consuming.
The purpose of the invention is to provide an RKEP protocol with an improved security level and reduced computational complexity. To this end, it provides a method for encrypting a message by a host device, comprising the steps of:
characterised in that it includes the prior steps of:
in that the step of requesting, by the host device, a message key comprises transmitting the token, and in that the step of generating, by the secure device, the message key is preceded by a step of checking the legitimacy of the token.
The invention also relates to a method for decrypting a message by a host device, comprising the steps of:
characterised in that the message is accompanied by a token, and in that the step of generating, by the secure device, the message decryption key is preceded by a step of checking the legitimacy of the token.
The invention also extends to a system for encrypting and decrypting messages, said system comprising a host module and a security module configured to implement these methods.
Further aspects, purposes, advantages and characteristics of the invention will become more apparent upon reading the following detailed description of preferred embodiments thereof, given by way of non-limiting example, and made in reference to the appended drawings wherein:
The invention relates to a method for encrypting/decrypting data on a host device by means of a secret key that is preserved in a remote secured device and is not communicated to the host device. It also extends to a system for encrypting/decrypting data comprising a host device and a secured device which are configured to implement the method.
The host device comprises an MCU-type microcontroller, whereas the secured device comprises an SE-type microcontroller; they are designated by these references in the figures. The host device MCU and the secure device SE are connected to each other via a communication link.
In reference to
In a similar way, and in reference to
Within this scope, the invention proposes that the encryption comprise the prior steps of requesting RT1, RT2, by the host device MCU, a token T from the secure device SE, generating GT1, GT2 the token in the secure device SE, and transmitting the token T thus generated to the host device MCU. Furthermore, the step RK1, RK2 of requesting the message key by the host device MCU comprises transmitting the token T to the secure device SE, and the step GK1, GK2 of generating the message encryption key in the secure device SE is preceded by a step VT1, VT2 of checking the legitimacy of the token T. Of course, if the token turns out to be non-legitimate, the requested message key is not generated and therefore is not communicated to the host device MCU.
As regards decryption according to the invention, the message C to be decrypted is accompanied by a token T, and the step GK1, GK2 of generating the message key in the secured device is preceded by a step VT1, VT2 of checking the legitimacy of the token, either by the host device itself or by the secure module, in which case the step RK1′, RK2′ of requesting a message key by the host device MCU comprises transmitting the token T.
This encryption/decryption method has the advantage that the host device MCU only carries out the encryption of the message P or the decryption of the message C, and its performance is not degraded by computing values derived from these messages, such as a hash. The encryption and decryption operations are thus performed more efficiently.
Besides, this encryption/decryption method protects against a chosen-plaintext attack. An attacker cannot iterate over a large number of tokens to discover information about how a message key KP is generated, because tokens must be legitimate for a message key to be obtained. Security is thus improved.
The generation of the token comprises the encryption of a random number by means of the secret key. The token is thus the encrypted form of a random number, resulting from a cryptographic computation performed in the secure device SE. Exemplary embodiments of generating a token and checking its legitimacy are the following.
In a first example illustrated in
Following a request RK1, RK1′ for obtaining the message key, in which a token is transmitted, the secure module SE carries out the check VT1 of the legitimacy of the transmitted token. For this, it decrypts the token to obtain the number N and the identifier UID, and compares the identifier resulting from the decryption of the token with its true identifier. In this example, a symmetric encryption algorithm E is used, and the decryption algorithm is denoted D, such that if B=E(A, KSE), then A=D(B, KSE).
In a second example illustrated in
Following a request RK2, RK2′ for obtaining the message key, in which a token concatenated with a number is transmitted, the secure module SE performs the check VT2 of the legitimacy of the transmitted token. For this, it decrypts the token transmitted by the host module to obtain the number N, and compares the number resulting from the decryption of the token with the number concatenated to the token transmitted by the host module. In this example, an asymmetric encryption algorithm A is used, the encryption of the token being performed by means of a secret private key SKSE and its decryption by means of a public key PKSE, such that the secure module SE in effect signs the number N when generating the token.
A first embodiment of the invention, illustrated by
In a second embodiment of the invention illustrated by
The message key can then be transmitted to the host module, which performs either the encryption of the message P by means of the encryption algorithm E and the message key KP to obtain the encrypted message C, or the decryption of the message C by means of the decryption algorithm D and the message key KP to obtain the decrypted message P. It will be noted that at the end of the encryption, the encrypted message C is concatenated with the token T and the number N, so that the host module has a legitimate token/number couple available upon decryption.
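The first example above (token T = E(N || UID, KSE), checked by the secure module by decrypting it and comparing the recovered UID with its own), together with the host-side encryption and the appending of the token to the ciphertext, as an added worked example that is not part of the patent. Two assumptions: the stdlib has no block cipher, so E/D are a stand-in built from HMAC-SHA256 (counter-mode keystream plus an authentication tag), and KP = HMAC(KSE, N) is an assumed derivation, since this excerpt does not say how the embodiments derive KP; only T is appended to C here, because in the first example N is recovered by decrypting T.

```python
import hmac
import os

N_LEN, UID_LEN = 16, 8                 # sizes of the random number N and the SE identifier UID
TOKEN_LEN = 16 + N_LEN + UID_LEN + 32  # nonce + (N || UID) + tag, as E lays a token out

def _keystream(key, nonce, length):  # HMAC-SHA256 in counter mode used as a PRF keystream
    blocks = [hmac.digest(key, nonce + i.to_bytes(4, "big"), "sha256")
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def E(key, plain):
    """Stand-in for the page's symmetric algorithm E (the stdlib has no AES, so this is an
    assumption): random nonce, XOR with the keystream, then an HMAC tag over nonce || ct."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.digest(key, b"tag" + nonce + ct, "sha256")

def D(key, blob):
    """Inverse of E, i.e. A = D(E(A, K), K); returns None for a forged or altered input."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(tag, hmac.digest(key, b"tag" + nonce + ct, "sha256")):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class SecureElement:  # SE of the page's first example: KSE and UID are held here and never leave
    def __init__(self, kse, uid):
        self._kse, self._uid = kse, uid

    def generate_token(self):
        """GT1: T = E(N || UID, KSE) for a fresh random N."""
        return E(self._kse, os.urandom(N_LEN) + self._uid)

    def message_key(self, token):
        """VT1 then GK1: decrypt T, compare the recovered UID with the SE's own, and only then
        derive KP. KP = HMAC(KSE, N) is an assumed derivation; the excerpt does not give one."""
        plain = D(self._kse, token) or b""
        if len(plain) != N_LEN + UID_LEN or not hmac.compare_digest(plain[N_LEN:], self._uid):
            raise PermissionError("illegitimate token: message key not generated")
        return hmac.digest(self._kse, plain[:N_LEN], "sha256")

def host_encrypt(se, p):
    """MCU side: token (RT1/GT1), then KP (RK1/VT1/GK1), then encrypt P itself; output C || T."""
    t = se.generate_token()
    return E(se.message_key(t), p) + t

def host_decrypt(se, blob):
    """MCU side: split C || T, present T to the SE (RK1'), decrypt C with the returned KP."""
    c, t = blob[:-TOKEN_LEN], blob[-TOKEN_LEN:]
    return D(se.message_key(t), c)
```

Arbitrary bytes presented as a token fail the tag check, and a token issued for another UID, even under the same KSE, fails the identifier comparison, so in neither case does the SE hand out a message key.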
In an alternative embodiment represented in
By avoiding transmission of the message key KP in plain text, security is thus enhanced. Of course, the public key PKSE must remain secret, because an attacker possessing it could decrypt the encrypted message keys CKP and retrieve the message keys KP.
This alternative further has the advantage that the host module can itself check a token using the public key PKSE, which is particularly useful as a step prior to the decryption of a message C accompanied by a token.
It will be noted that in both embodiments described above, the host module uses a symmetric algorithm to encrypt/decrypt the data. The invention is not restricted to this choice, but also extends to the use of an asymmetric algorithm, even though this is not favoured because of the rate constraints it imposes on these operations.
The invention is not limited to the encryption and decryption methods described above, but also extends to encryption and decryption systems formed by a host module and a secure module configured to implement these methods. Examples of such systems are given in
The invention also finds application in embedded systems in which the MCU and SE microcontrollers are integrated. However, the invention is not restricted to this application, and also covers any type of link between the MCU and the SE, in particular a remote link.
Number | Date | Country | Kind |
---|---|---|---|
14 51924 | Mar 2014 | FR | national |
Number | Name | Date | Kind |
---|---|---|---|
5218638 | Matsumoto et al. | Jun 1993 | A |
6148404 | Yatsukawa | Nov 2000 | A |
6377691 | Swift | Apr 2002 | B1 |
6400701 | Lin | Jun 2002 | B2 |
6493716 | Azagury | Dec 2002 | B1 |
6757825 | MacKenzie | Jun 2004 | B1 |
6760441 | Ellison | Jul 2004 | B1 |
6950941 | Lee | Sep 2005 | B1 |
7269727 | Mukherjee | Sep 2007 | B1 |
7269730 | Stirbu | Sep 2007 | B2 |
7321971 | Wilding | Jan 2008 | B2 |
7421578 | Huang | Sep 2008 | B1 |
8201233 | Beaulieu | Jun 2012 | B2 |
20050027985 | Sprunk et al. | Feb 2005 | A1 |
20050097317 | Trostle | May 2005 | A1 |
20050132204 | Gouguenheim et al. | Jun 2005 | A1 |
20080056498 | Verma | Mar 2008 | A1 |
20090006865 | Zunke et al. | Jan 2009 | A1 |
20100142711 | Weis et al. | Jun 2010 | A1 |
20110091036 | Norrman | Apr 2011 | A1 |
20130233924 | Burns | Sep 2013 | A1 |
20140125423 | Pebay-Peyroula et al. | May 2014 | A1 |
20140126623 | Dore et al. | May 2014 | A1 |
20160080039 | Brahami | Mar 2016 | A1 |
20160234022 | Motika | Aug 2016 | A1 |
Number | Date | Country |
---|---|---|
WO 0062507 | Oct 2000 | WO |
Entry |
---|
Matt Blaze, “High Bandwidth Encryption with Low-Bandwidth Smartcards”, Dec. 3, 1995, AT&T Bell Laboratories, pp. 1-8. |
Blaze et al., “A Formal Treatment of Remotely Keyed Encryption (Extended Abstract)”, Eurocrypt '98, Helsinki, LNCS 1403, pp. 251-265. |
Http://www.crypto.com/papers; Matt Blaze's Technical Papers, Aug. 6, 2006, pp. 1-7. |
French Preliminary Search Report dated Dec. 8, 2014, in Patent Application No. FR 1451924, filed Mar. 10, 2014 (with English Translation of Category of Cited Documents). |
Matt Blaze, “High-Bandwidth Encryption with Low-Bandwidth Smartcards”, Lecture Notes in Computer Science, XP 047294340, Feb. 21, 1996, pp. 33-40. |
Alina Oprea, et al., “Securing a Remote Terminal Application with a Mobile Trusted Device”, Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC), XP 010757430, Dec. 6, 2004, 10 pages. |
Number | Date | Country |
---|---|---|
20160359620 A1 | Dec 2016 | US |