The field of the invention is that of communicating objects such as, more particularly, chip cards, cellular telephones or PDAs. More precisely, the present invention relates to a method for generating masks in a communicating object.
In the following description, “mask” will refer to a digital function intended to mask a sensitive datum, or instructions of a programme, that is to be kept secret in the communicating object. In the field of chip cards, such a datum is for example a key, a code, an identifier of the owner of the card, or an algorithm or instructions that should not be disclosed to a possible attacker. Such data are thus not stored “encoded” in the card.
In order to mask a sensitive datum in a chip card, it is known to apply a mathematical function to such sensitive datum. The resulting datum is then a masked datum which is stored in the memory of the card. Subsequently, when the sensitive datum needs to be read, a mathematical function which is the reverse of the preceding one is applied to the masked datum and the sensitive datum can then be restored to be used, for example for executing a programme.
The mathematical function is for example an Exclusive-Or.
When applying the mask 11 to the masked datum 13 by the Exclusive-or function, the datum 10 is regenerated since the Exclusive-or function is reversible.
The drawback of this known solution is that an attacker can find the mask 11 by injecting faults into the communicating object, for example a chip card, or by exploiting malfunctions thereof. Such attacks are also called “dump” attacks. If the mask 11 is disclosed to the attacker, the latter will have no particular difficulty reading all the masked data stored in the communicating object.
A solution for remedying such drawback linked to the presence of a unique mask consists in providing several masks in the communicating object and in changing the mask as a function of the application or the type of data to be masked. Such solution however has the drawback of requiring the storing of several masks in the communicating object, which can hardly be considered when the memory resource is small, as is the case in chip cards.
The present invention aims at remedying such drawback.
More precisely, one of the objectives of the invention is to provide a method for masking data in a communicating object that makes it possible to mask a very large number of data without storing more than one mask, or at least without storing a very high number of masks.
This objective, as well as others, which will appear in the following, is reached thanks to a method for generating masks in a communicating object, the masks being intended to mask data to be stored in the communicating object, with at least one master mask being stored in the communicating object, the method consisting in:
The application of diversifiers to the master mask thus makes it possible to obtain diversified masks which are used to mask the data.
Preferably, the reversible function used is an Exclusive-Or function.
Advantageously, the application of a diversified master mask consists in applying a rotation to the master mask. Thus, the generation of diversified masks consists of simple rotations of the master masks. For a 256-byte master mask, it will thus be possible to generate 256 different masks if the rotation is byte-oriented. It is well understood that it is also possible to perform rotations at the bit level, which further increases the number of different masks which can be generated.
The diversifier is preferably generated in a pseudo-random manner in the communicating object. This has the advantage of being capable of masking the data on the fly.
Advantageously, the master masks are diversified from one communicating object to another. Thus, even though an attacker succeeds in finding the master mask of a communicating object, he/she will not be able to unmask the data stored in another communicating object since the master masks thereof are different.
The invention also relates to a communicating object including means for implementing such a method.
The communicating object preferably consists of a chip card.
Other advantages and characteristics of the present invention will appear when reading the following description of a preferred embodiment given as an illustration and not as a limitation, and the appended drawings wherein:
In this preferred embodiment, a mask 11, also called a master mask, is used. The master mask 11 is stored in the communicating object. The invention proposes to apply a diversifier D to the master mask 11 so as to generate a diversified mask 14.
In a preferred embodiment, the diversifier D is a simple pointer which marks the byte of the master mask 11, which will be used to mask the first byte of the datum 10. In
Then, the bytes d0 to d1 of the data 10 are masked using the bytes of the diversified mask 14 to supply the masked datum 15.
So that the masked datum 15 can later be unmasked, it is stored in the communicating object together with the diversifier D that was used to generate the diversified mask 14. The masked datum 15 is thus associated with the diversifier D.
When writing or creating another datum in the card, another diversifier will be generated, preferably in a random way, so as to generate another diversified mask which will be used for masking such other datum.
The advantage of the invention is that it is possible to generate as many diversified masks as there are bytes or bits in the master mask 11. Storing the diversifier D requires little space in the memory, typically one byte.
In order to reinforce the security of the method according to the invention, it is possible to use more than one master mask, for example two, and to generate two diversifiers D1 and D2. The diversifier D1 will be applied to the first master mask and the diversifier D2 to the second master mask. Each byte of a datum to be masked will be masked, for example using the Exclusive-or function, by a byte of the first diversified mask and by a byte of the second diversified mask. The diversifiers D1 and D2 will then be stored together with the masked data. For a 256-byte master mask, it will then be possible to generate 256² different masks.
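The scheme described above, with one master mask and with two, can be sketched in C as follows. This is an added example, not code from the patent: the names `masked_record`, `xor_rotated`, `mask_store`, `unmask_load` and `demo_mask` are hypothetical, the demo mask is constructed for illustration, and the diversifiers are passed in by the caller rather than drawn from a device random generator.

```c
#include <stdint.h>
#include <string.h>
#define MASK_LEN 256            /* master mask size used in the text */
#define MAX_DATA 32

typedef struct {                /* stored form: diversifiers sit next to the masked bytes */
    uint8_t d1, d2, len;        /* d1, d2: byte-oriented rotation offsets */
    uint8_t bytes[MAX_DATA];
} masked_record;

/* Constructed demo mask (NOT secret material): an odd multiplier gives 256 distinct bytes. */
static void demo_mask(uint8_t m[MASK_LEN], uint8_t mul, uint8_t seed) {
    for (int i = 0; i < MASK_LEN; i++) m[i] = (uint8_t)(i * mul + seed);
}

/* XOR is its own inverse, so one routine masks and unmasks. Byte i of the
 * datum meets byte (d + i) mod MASK_LEN of the master mask, i.e. the master
 * mask rotated by the diversifier. m2 == NULL selects the one-mask scheme. */
static void xor_rotated(uint8_t *buf, uint8_t len, const uint8_t *m1, uint8_t d1,
                        const uint8_t *m2, uint8_t d2) {
    for (uint8_t i = 0; i < len; i++) {
        buf[i] ^= m1[(d1 + i) % MASK_LEN];
        if (m2) buf[i] ^= m2[(d2 + i) % MASK_LEN];
    }
}

/* Assumption: d1/d2 are supplied by the caller; on a device they would come from its RNG. */
static int mask_store(masked_record *r, const uint8_t *datum, uint8_t len,
                      const uint8_t *m1, uint8_t d1, const uint8_t *m2, uint8_t d2) {
    if (len > MAX_DATA) return -1;
    r->d1 = d1; r->d2 = d2; r->len = len;
    memcpy(r->bytes, datum, len);
    xor_rotated(r->bytes, len, m1, d1, m2, d2);
    return 0;
}

/* Unmasking needs only the master mask(s); the diversifiers are read from the record. */
static void unmask_load(const masked_record *r, uint8_t *out, const uint8_t *m1, const uint8_t *m2) {
    memcpy(out, r->bytes, r->len);
    xor_rotated(out, r->len, m1, r->d1, m2, r->d2);
}

int main(void) {                /* round trip with a diversifier that wraps past byte 255 */
    uint8_t m1[MASK_LEN], out[MAX_DATA]; masked_record r;
    demo_mask(m1, 167, 0x5A);
    mask_store(&r, (const uint8_t *)"PIN=1234", 8, m1, 252, NULL, 0);
    unmask_load(&r, out, m1, NULL);
    return memcmp(out, "PIN=1234", 8) != 0;
}
```

The record stores one or two bytes of diversifier per datum, which is the memory cost the text compares against storing several full masks.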
The invention applies particularly well in a Java environment and the diversifiers can be stored with the header of the Java objects.
The reversible Exclusive-Or function is not the only one which can be used: it is possible to use a DES function or a simple rotation. Any reversible function is suitable for the invention.
The diversifier D is preferably generated in a random or pseudo-random way when the data 10 is written/created in the communicating object or upon each starting of the communicating object.
From one communicating object to another, the master masks 11 are preferably diversified. This ensures that, in the case of a successful attack on a communicating object, the attacker having a master mask cannot unmask the masked data in another communicating object.
The invention can be applied to any communicating object, such as for example portable phones and preferably to chip cards, for example multi-application chip cards.
Number | Date | Country | Kind |
---|---|---|---|
07301410.2 | Sep 2007 | EP | regional |

Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/EP2008/061242 | 8/27/2008 | WO | 00 | 4/15/2010 |