This is the U.S. National Phase Application under 35 U.S.C. §371 of International Application no. PCT/EP2008/052376, filed Feb. 27, 2008, which application claims the benefit of French Patent Application No. 07 01625, filed Mar. 6, 2007, both of which are incorporated by reference herein. The International Application was published in French on Sep. 12, 2008 as WO/2008/107351 under PCT Article 21 (2).
The invention relates to a method of modifying a set of secrets included in a cryptographic module. In particular, the invention applies to the reloading in an unprotected environment of access keys included in a set of chip cards.
In a system comprising a set of cryptographic modules (for example chip cards comprising cryptographic secrets), the management of the secrets included in the said modules is a complex task. In particular, the operation of updating the secrets must meet a certain number of security requirements. Hence, it is commonplace for the secrets to be updated in a secure environment, that is to say generally in secure premises, outside of the context in which the cryptographic modules are utilized. When the number of cryptographic modules is significant, this housekeeping operation is unwieldy and expensive.
Furthermore, in order to guarantee a correct security level, the cryptographic modules do not permit read and write access to the secrets. Should the process of updating the secrets suffer a failure, for example following an unintentional interruption to the process, it is not possible to resume and complete the process at the actual location where the latter has experienced such a failure.
The aim of the invention is notably to remedy the aforesaid drawbacks. For this purpose, the subject of the invention is a method of modifying secrets included in a cryptographic module. The cryptographic module guarantees that the loading of a secret is either successful or invalid. The cryptographic module allows the reading of a version number for each secret. The cryptographic module comprises an information item indicating a version number corresponding to the set of secrets. The method according to the invention comprises notably a first step in the course of which, if the version number of the set of secrets is equal to a version number requiring the loading of a set of new secrets, the version number of the set of secrets of the cryptographic module is rendered equal to a distinctive number making it possible to determine that the cryptographic module is being reloaded. The method according to the invention comprises a second step in the course of which, for each secret, if the version number of the said secret is different from the version number of the corresponding new secret to be loaded, the new secret and its version number are loaded. The method according to the invention comprises a third step in the course of which the version number of the set of secrets of the cryptographic module is rendered equal to the version number of the set of new secrets.
In one embodiment, the version number of the set of secrets of the cryptographic module on the card is recorded in a file of the cryptographic module of the card accessible via an immutable secret.
In another embodiment, the version number of the set of secrets of the cryptographic module on the card is recorded in the form of a secret used only to indicate the global version of the secrets.
In another embodiment, the version number of the set of secrets of the cryptographic module on the card is recorded in the form of the last of the secrets to be reloaded in the second step.
In the course of the second step, the verification of the version number of each secret can notably be carried out by mutual authentication of the various secrets until the interruption point is found.
The invention has notably the advantages that it makes it possible to modify a set of secrets in a cryptographic module so as to guarantee the consistency thereof even when the updating may only be done secret by secret. The invention makes it possible to also guarantee that after reloading of the secrets within the cryptographic module, the data already present in the cryptographic module will continue to be accessible and uncorrupted.
Furthermore, the method according to the invention can be interrupted at any moment without this giving rise to corruption of the secrets included in the cryptographic module. Moreover, after one or more interruptions, intentional or accidental, in the course of the implementation of the steps of the method according to the invention, the method can still be implemented from the same machine or from a different machine able to track the implementation of the steps of the method.
Other characteristics and advantages of the invention will become apparent with the aid of the description which follows given in conjunction with the appended drawings which represent,
The method according to the invention makes it possible notably to resume and complete the modification of a set of secrets (sensitive data supplemented with their access keys), even though the said secrets cannot be reread, nor necessarily rewritten.
In the embodiment of the method according to the invention, illustrated by
A cryptographic module such as this can be for example a chip card, in particular a “Mifare® DESFire” card.
The method according to the invention receives as input a set of new secrets to be loaded instead of the secrets included in the cryptographic module. To the set of new secrets there corresponds a version number. Likewise, to the set of secrets included in the cryptographic module there corresponds a version number. To each secret included in the cryptographic module there corresponds a version number. To each new secret to be loaded there corresponds a version number. To each secret there therefore corresponds a version number. If the version numbers are identical then this implies that the secrets are identical. The same holds for the version number of the set of secrets.
The method according to the invention comprises a first step 1 in the course of which the cryptographic module is marked as undergoing reloading of secrets. Thus, in the course of the first step 1, after being assured if necessary that the reloading of the secrets has been requested, the version number of the set of secrets of the cryptographic module is read.
Next, the version number of the set of secrets of the cryptographic module is compared with the version number of the set of secrets to be loaded. This comparison determines whether it is necessary to load the new secrets (for example, the version number of the set of secrets to be loaded is greater than the version number of the set of already loaded secrets). If appropriate:
In the course of the first step 1, if the version number of the set of secrets of the cryptographic module is equal to the distinctive number making it possible to determine that the cryptographic module is being reloaded, this signifies that it was not possible to complete the update operation beforehand. In this case:
Any interruption during these steps can be resumed so as to continue the reloading at the interrupted location, on the same machine, or on another machine.
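The three steps above, as an added simulation that is not part of the patent: a module whose secrets are write-only but whose version numbers are readable, a reload that is interrupted after the marker and one secret have been written, and a resumed run (which could equally be a different machine) that completes the reload. The names Module, reload_secrets, RELOADING and Interrupted are assumed for illustration.

```python
# Added example, not the patent's own code: a simulated module and the three-step
# reload, with an interruption injected part-way and the reload resumed afterwards.
# Names (Module, reload_secrets, RELOADING, Interrupted) are assumed for illustration.
RELOADING = -1  # distinctive set-version value meaning "reload in progress"


class Interrupted(Exception):
    """Simulated power loss or disconnect in the middle of a reload."""


class Module:
    """Secrets are write-only; only version numbers are readable.
    Each write is atomic: it either completes or leaves the slot unchanged."""

    def __init__(self, secrets, set_version):
        self._secrets = dict(secrets)  # slot -> (value, version)
        self.set_version = set_version
        self.budget = None  # number of writes allowed before Interrupted is raised

    def _write_guard(self):
        if self.budget is not None:
            if self.budget == 0:
                raise Interrupted()
            self.budget -= 1

    def secret_version(self, slot):
        return self._secrets[slot][1]

    def load_secret(self, slot, value, version):
        self._write_guard()  # an interruption here leaves the old secret intact
        self._secrets[slot] = (value, version)

    def write_set_version(self, version):
        self._write_guard()
        self.set_version = version

    def versions(self):
        return {s: v for s, (_, v) in self._secrets.items()}


def reload_secrets(mod, new_secrets, new_set_version):
    """new_secrets: slot -> (value, version). Safe to re-run after an interruption."""
    # Step 1: decide whether loading is needed; a RELOADING marker means a prior run
    # was cut short, so loading must continue. Otherwise mark the module as reloading.
    if mod.set_version != RELOADING and mod.set_version >= new_set_version:
        return False
    if mod.set_version != RELOADING:
        mod.write_set_version(RELOADING)
    # Step 2: load only the secrets whose version differs from the target version.
    for slot, (value, version) in new_secrets.items():
        if mod.secret_version(slot) != version:
            mod.load_secret(slot, value, version)
    # Step 3: commit the version number of the new set.
    mod.write_set_version(new_set_version)
    return True
```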
The version number of the set of secrets of the cryptographic module on the card can be stored:
In particular, the method according to the invention can be applied to a pool of chip cards which can have version numbers of secrets which differ. This case arises notably when the set of chip cards corresponds to a batch, and when the secrets are data access keys. The method can be applied to a pool of sensitive terminals whose communication secrets must be changed in the field. The method according to the invention can further be applied to databases whose administration does not allow a change of rights of access in a single transaction.
In one embodiment, the verification of the version number of each secret (in particular when the latter is not available or is not readable) can be done by mutual authentication of the various secrets until the interruption point is found.
Number | Date | Country | Kind |
---|---|---|---|
07 01625 | Mar 2007 | FR | national |
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/EP2008/052376 | 2/27/2008 | WO | 00 | 10/16/2009 |
Publishing Document | Publishing Date | Country | Kind |
---|---|---|---|
WO2008/107351 | 9/12/2008 | WO | A |
Number | Date | Country |
---|---|---|
20100135496 A1 | Jun 2010 | US |