WO1999048239A1 - Method for securing data using a cryptographic algorithm (Procede de securisation de donnees mettant en oeuvre un algorithme cryptographique) - Google Patents
- Publication number
- WO1999048239A1 (PCT/FR1999/000613)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- operations
- random
- securing method
- data
- key
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0625—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
- H04L9/003—Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2207/00—Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F2207/72—Indexing scheme relating to groups G06F7/72 - G06F7/729
- G06F2207/7219—Countermeasures against side channel or fault attacks
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/08—Randomization, e.g. dummy operations or using noise
Definitions
- the present invention relates to a data security method, intended for example to be implemented by the microprocessor of a bank card or an access authorization card when connected to a computer authentication terminal.
- known data-securing methods use a cryptographic algorithm comprising cycles of execution of repetitive operations that process data elements contained in a memory of the card, in order to produce encrypted information intended to be communicated to the computer terminal.
- the execution of the method by the microprocessor of the card causes the emission of derived signals, such as consumption peaks on the power supply of the microprocessor or variations of the electromagnetic radiation, so that the envelope of the electromagnetic radiation is characteristic of the data being processed.
- a fraudster wishing to use the microprocessor cards in an unauthorized manner can repeatedly launch the execution of the method and analyze the derived signals emitted to establish correspondences between the different processing operations and each signal or series of signals. On the basis of these correspondences, and by subjecting the card for example to electromagnetic disturbances or voltage drops at precise times during the algorithm, the fraudster can study the encrypted information obtained and the differences, or on the contrary the absence of differences, between the derived signals emitted, in order to discover the data contained in the memory of the card.
- An object of the invention is to propose an effective securing method which does not have the aforementioned drawbacks.
- a method of securing data using a cryptographic algorithm for performing data element processing operations to develop encrypted information comprising at least one step of random transformation of the execution of at least one operation from one cycle to another or of random transformation of at least one of the data elements so that the encrypted information is unchanged by this random transformation.
- by random transformation of the execution of at least one operation is meant a modification of the order of execution of operations or parts of operations, or a modification of the course of a single operation.
- at least one operation and / or at least one of the data processed is randomly modified, which randomly affects the derivative signals transmitted. It is therefore very difficult for a fraudster to distinguish the different processing operations and to discover the data from the derivative signals.
- the random modification does not affect the encrypted information, so that it can be used in the usual way after its preparation.
- the method begins with the permutation 10 of the bits of the message block M among themselves to form the block M0.
- the block M0 is then divided into two 32-bit blocks M1 and M2 during a division step 20.
- the block M2 is then expanded during an expansion step 30 to form a new block.
- This expansion 30 is for example carried out by cutting the block M2 into eight quartets and adding to each quartet the adjacent extreme bit of each of the two quartets surrounding it (the two end quartets being considered adjacent to each other).
- a permutation 110 is performed on the bits of the key K1 to form the key K2.
- the insignificant bits of the key K1 are simultaneously deleted so that the key K2 has only 56 bits.
- the bits of the key K2 are then randomly modified during a transformation 120.
- the bits of the key K3 corresponding to the modified bits of the key K2, here marked with a star, are stored.
- the random transformation 120 is for example carried out by associating with the key K2, via a logical operator of the exclusive OR type, a random number generated by a generator of non-predictable numbers on the card.
- a key K4 is obtained by the rotation 130 of the bits of the key K3.
- a permutation 140 is carried out on the bits of the key K4 to form the key K5. Simultaneously with the permutation 140, the non-significant bits of the key K4 are eliminated so that the key K5 comprises 48 bits.
- the method continues with the association 210 of the block M3 and the key K5 via a logical operator of the exclusive OR type.
- the result of this association is the block R1.
- the inverse transformation of the bits of the block R1 corresponding to the bits modified by the transformation 120 is then carried out to form the block R2.
- This inverse transformation 220 of the transformation 120 aims to restore the bits of the block R1 corresponding to the bits marked with a star to the state they would have had in the absence of the transformation 120.
- the group of operations is then executed again fifteen times, assigning at each execution the value of block M1 to block M2 and the value of block R5 to block M1 during an allocation step 260.
- the method ends with the operation 300 of obtaining the encrypted information C by the inverse permutation and the union of the last block M2 and the last block R5 obtained.
- the step of random modification of the key K2 comprises the transformation phase 120 and the reverse transformation phase 220. These two phases make it possible to obtain encrypted information C which is not affected by this random modification. One could also carry out in the same way a random modification of the block M2 and / or of another datum.
- the execution of at least one operation can be modified randomly from one cycle to another, a cycle being either a complete execution cycle of the algorithm or an intermediate execution cycle of a group of operations.
- a random determination of the order of execution of certain operations can be carried out during an execution cycle of the algorithm.
- the operations selected will be those whose order of execution with respect to each other does not affect the result.
- the permutation 10 of the bits of the message block M could be carried out after the permutation 110 of the bits of the key K1, or vice versa.
- during certain operations the data is processed element by element.
- the blocks M2 are treated by quartets. During this operation, it is possible to provide for randomly determining the order of processing of the different quartets.
- the bits of the key K4 are processed individually. A step of random determination of the order of processing of the bits can also be provided for the execution of this permutation.
- the quartets of block M2 can also be processed alternately with the bits of key K4: that is to say, for example, a first quartet of the block M2 is processed, then a series of bits of the key K4, then a second quartet of the block M2, and so on, each time storing the data elements processed in order to check that all the required operations have indeed been executed.
- the invention is not limited to the embodiment which has just been described, but on the contrary encompasses any variant incorporating, with equivalent means, its essential characteristics.
- although the invention has been described in relation to a DES type algorithm, it can be applied to other symmetric algorithms which proceed by modification of bits.
- since the modification is carried out by means of a logical operator of the EXCLUSIVE OR type, the transformed data elements have the same length as the untransformed data elements.
- bit numbers of the data are only given for information and can be modified to adapt to the degree of security envisaged.
- M2, M3, K1, K2, K3, K4, K5, R1, R2, R3, R4 and R5 can be transformed by associating with them, via the EXCLUSIVE OR logical operator, a random number, knowing that after this random transformation step a reverse transformation step will be carried out so that the encrypted information C is unchanged by these transformations.
- the data elements can be keys K1, K2, K3, K4, K5, or message blocks M, M0, M1, M2, M3, or message blocks associated with a key by a logical operator of the EXCLUSIVE OR type: R1, R2, R3, R4, R5.
- if the random transformation step precedes the group of operations that is executed several times, and the reverse transformation step follows that group of operations, it suffices to generate a random number once and to process the message block M with the algorithm to obtain the encrypted information, all the data elements of the block being modified.
- the data chain is protected from start to finish.
- the algorithm is implemented quickly, which is necessary in the case of a smart card where the duration of the execution of an algorithm must be minimal.
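The two countermeasures described above (the XOR mask on the key with its inverse transformation 220, and the random processing order of the independent quartets in expansion 30), as an added Python model that is not the patent's own code. It assumes a 1-bit rotation for step 130 and uses a constructed bit-selection table for permutation 140 (not the DES PC-2 table); the "starred" bits are recovered by pushing the mask through the same linear steps as the key.

```python
"""Model of the masking countermeasure: K2 is XOR-masked with a random
number (transformation 120), the mask is carried through rotation 130 and
permutation 140, and inverse transformation 220 strips it from R1 so that
R2 = M3 XOR K5 is unchanged. Added example; PERM_140 is constructed."""
import random
import secrets

KEY_BITS = 56        # width of K2, K3, K4
SUBKEY_BITS = 48     # width of K5 (and of the expanded block M3)
MASK56 = (1 << KEY_BITS) - 1

# Constructed stand-in for permutation 140: 48 distinct source positions.
PERM_140 = tuple(random.Random(1999).sample(range(KEY_BITS), SUBKEY_BITS))


def rotate_130(k: int) -> int:
    """Rotation 130: circular left rotation by one bit of a 56-bit key."""
    return ((k << 1) | (k >> (KEY_BITS - 1))) & MASK56


def permute_140(k: int) -> int:
    """Permutation 140: keep 48 of the 56 bits, in PERM_140 order, to form K5."""
    out = 0
    for i, pos in enumerate(PERM_140):
        out |= ((k >> pos) & 1) << i
    return out


def derive_k5(k2: int) -> int:
    """Reference (unprotected) key schedule K2 -> K3 -> K4 -> K5."""
    return permute_140(rotate_130(k2))


def masked_round(m3: int, k2: int, r=None):
    """Steps 120, 130, 140, 210 and 220 with the random transformation.
    Returns (R1, R2): R1 is the masked intermediate, R2 the restored result."""
    if r is None:
        r = secrets.randbits(KEY_BITS)    # non-predictable generator on the card
    k3 = k2 ^ r                           # transformation 120 (masked key)
    # Rotation and permutation are linear, so applying them to r alone gives
    # exactly the "starred" bits of K5 that the mask disturbed.
    starred = permute_140(rotate_130(r))
    k5 = permute_140(rotate_130(k3))      # rotation 130 + permutation 140
    r1 = m3 ^ k5                          # association 210
    r2 = r1 ^ starred                     # inverse transformation 220
    return r1, r2


def expand_30(m2: int, order=None) -> int:
    """Expansion 30: split the 32-bit M2 into eight quartets and extend each
    with the adjacent extreme bit of its two neighbours (wrapping at the ends).
    The quartets are independent, so `order` may be any permutation of
    range(8) without changing the result."""
    quartets = [(m2 >> (4 * (7 - i))) & 0xF for i in range(8)]
    out = 0
    for i in (range(8) if order is None else order):
        left = quartets[(i - 1) % 8] & 1           # last bit of left neighbour
        right = (quartets[(i + 1) % 8] >> 3) & 1   # first bit of right neighbour
        out |= ((left << 5) | (quartets[i] << 1) | right) << (6 * (7 - i))
    return out


if __name__ == "__main__":
    # Constructed sample values (not from the patent).
    k2, m2 = 0x0F1E2D3C4B5A69, 0xDEADBEEF
    m3 = expand_30(m2, order=random.sample(range(8), 8))  # random quartet order
    r1, r2 = masked_round(m3, k2)
    assert r2 == m3 ^ derive_k5(k2)       # masking leaves the result unchanged
    print(f"R1 (masked)   = {r1:012x}\nR2 (restored) = {r2:012x}")
```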
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/646,640 US7073072B1 (en) | 1998-03-17 | 1999-03-17 | Method to prevent power dissipation attacks on a cryptographic algorithm by implementing a random transformation step |
AU28422/99A AU2842299A (en) | 1998-03-17 | 1999-03-17 | Method for data securement using a cryptographic algorithm |
DE69910549T DE69910549T2 (de) | 1998-03-17 | 1999-03-17 | Verfahren zur datensicherung welches einen krypto-algorithmus verwendet |
EP99909029A EP1064752B1 (fr) | 1998-03-17 | 1999-03-17 | Procede de securisation de donnees mettant en oeuvre un algorithme cryptographique |
US11/433,232 US20060271795A1 (en) | 1998-03-17 | 2006-05-12 | Method to prevent power dissipation attacks on a cryptographic algorithm by implementing a random transformation step |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR9803242A FR2776445A1 (fr) | 1998-03-17 | 1998-03-17 | Procede de securisation de donnees mettant en oeuvre un algorithme cryptographique |
FR98/03242 | 1998-03-17 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/433,232 Continuation US20060271795A1 (en) | 1998-03-17 | 2006-05-12 | Method to prevent power dissipation attacks on a cryptographic algorithm by implementing a random transformation step |
Publications (1)
Publication Number | Publication Date |
---|---|
WO1999048239A1 true WO1999048239A1 (fr) | 1999-09-23 |
Family
ID=9524129
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/FR1999/000613 WO1999048239A1 (fr) | 1998-03-17 | 1999-03-17 | Procede de securisation de donnees mettant en oeuvre un algorithme cryptographique |
Country Status (7)
Country | Link |
---|---|
US (2) | US7073072B1 (fr) |
EP (1) | EP1064752B1 (fr) |
AU (1) | AU2842299A (fr) |
DE (1) | DE69910549T2 (fr) |
ES (1) | ES2205784T3 (fr) |
FR (1) | FR2776445A1 (fr) |
WO (1) | WO1999048239A1 (fr) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0981115A2 (fr) * | 1998-08-20 | 2000-02-23 | Orga Kartensysteme GmbH | Méthode d'exécution d'un programme de chiffrage pour chiffrer des données dans un support de données portable avec microprocesseur |
EP0981223A2 (fr) * | 1998-08-20 | 2000-02-23 | Kabushiki Kaisha Toshiba | Dispositif de chiffrage/déchiffrage |
US7400723B2 (en) | 2001-02-08 | 2008-07-15 | Stmicroelectronics Sa | Secure method for secret key cryptographic calculation and component using said method |
US8296576B2 (en) * | 2000-09-14 | 2012-10-23 | Stmicroelectronics Sa | Method for scrambling the current consumption of an integrated circuit |
US8386791B2 (en) | 2004-03-11 | 2013-02-26 | Oberthur Technologies | Secure data processing method based particularly on a cryptographic algorithm |
Families Citing this family (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7587044B2 (en) | 1998-01-02 | 2009-09-08 | Cryptography Research, Inc. | Differential power analysis method and apparatus |
WO1999035782A1 (fr) * | 1998-01-02 | 1999-07-15 | Cryptography Research, Inc. | Procede et appareil cryptographiques resistant aux fuites |
CA2333095C (fr) * | 1998-06-03 | 2005-05-10 | Cryptography Research, Inc. | Perfectionnement de normes cryptographiques et autres procedes cryptographiques a reduction des fuites pour cartes a puces et autres systemes cryptographiques |
DE69935913T2 (de) | 1998-07-02 | 2008-01-10 | Cryptography Research Inc., San Francisco | Leckresistente aktualisierung eines indexierten kryptographischen schlüssels |
WO2000019656A1 (fr) * | 1998-09-30 | 2000-04-06 | Koninklijke Philips Electronics N.V. | Procede de codage permettant de realiser des operations cryptographiques |
FR2789776B1 (fr) * | 1999-02-17 | 2001-04-06 | Gemplus Card Int | Procede de contre-mesure dans un composant electronique mettant en oeuvre un algorithme de cryptographie a cle secrete |
DE19921633A1 (de) * | 1999-05-10 | 2000-11-16 | Deutsche Telekom Ag | Verfahren zur Implementierung kryptographischer Algorithmen |
US6724894B1 (en) * | 1999-11-05 | 2004-04-20 | Pitney Bowes Inc. | Cryptographic device having reduced vulnerability to side-channel attack and method of operating same |
CA2298990A1 (fr) * | 2000-02-18 | 2001-08-18 | Cloakware Corporation | Methode et systeme de resistance a l'analyse de puissance |
CA2327911A1 (fr) * | 2000-12-08 | 2002-06-08 | Cloakware Corporation | Fonctions logicielles d'obscurcissement |
FR2820576B1 (fr) * | 2001-02-08 | 2003-06-20 | St Microelectronics Sa | Procede de cryptage protege contre les analyses de consommation energetique, et composant utilisant un tel procede de cryptage |
FR2844409B1 (fr) * | 2002-09-05 | 2004-12-24 | Sagem | Protection d'une cle secrete pour algorithme d'authentification dans un radiotelephone mobile |
FR2862454A1 (fr) * | 2003-11-18 | 2005-05-20 | Atmel Corp | Methode de reduction modulaire aleatoire et equipement associe |
FR2885711B1 (fr) * | 2005-05-12 | 2007-07-06 | Atmel Corp | Procede et materiel modulaire et aleatoire pour la reduction polynomiale |
FR2889349A1 (fr) * | 2005-07-26 | 2007-02-02 | St Microelectronics Sa | Procede et dispositif de securisation d'un circuit integre, notamment une carte a microprocesseur |
FR2897216B1 (fr) * | 2006-02-08 | 2008-05-02 | Sagem Defense Securite | Protection d'un algorithme cryptographique |
FR2914129B1 (fr) * | 2007-03-21 | 2009-06-12 | Oberthur Card Syst Sa | Procede de traitement de donnees au sein d'une entite electronique |
WO2009156881A2 (fr) * | 2008-06-24 | 2009-12-30 | Nds Limited | Sécurité dans des circuits intégrés |
EP2234031A1 (fr) * | 2009-03-24 | 2010-09-29 | SafeNet, Inc. | Obscurcissement |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP3029381B2 (ja) * | 1994-01-10 | 2000-04-04 | 富士通株式会社 | データ変換装置 |
US6049613A (en) * | 1997-03-07 | 2000-04-11 | Jakobsson; Markus | Method and apparatus for encrypting, decrypting, and providing privacy for data values |
US5991415A (en) * | 1997-05-12 | 1999-11-23 | Yeda Research And Development Co. Ltd. At The Weizmann Institute Of Science | Method and apparatus for protecting public key schemes from timing and fault attacks |
US6064740A (en) * | 1997-11-12 | 2000-05-16 | Curiger; Andreas | Method and apparatus for masking modulo exponentiation calculations in an integrated circuit |
WO1999035782A1 (fr) | 1998-01-02 | 1999-07-15 | Cryptography Research, Inc. | Procede et appareil cryptographiques resistant aux fuites |
WO1999063696A1 (fr) * | 1998-06-03 | 1999-12-09 | Cryptography Research, Inc. | Utilisation d'informations non previsibles pour reduire au maximum les fuites provenant des cartes a puces et autres systemes cryptographiques |
JP3600454B2 (ja) * | 1998-08-20 | 2004-12-15 | 株式会社東芝 | 暗号化・復号装置、暗号化・復号方法、およびそのプログラム記憶媒体 |
JP4188571B2 (ja) * | 2001-03-30 | 2008-11-26 | 株式会社日立製作所 | 情報処理装置の演算方法および耐タンパ演算攪乱実装方式 |
1998
- 1998-03-17 FR FR9803242A patent/FR2776445A1/fr not_active Withdrawn
1999
- 1999-03-17 AU AU28422/99A patent/AU2842299A/en not_active Abandoned
- 1999-03-17 US US09/646,640 patent/US7073072B1/en not_active Expired - Fee Related
- 1999-03-17 ES ES99909029T patent/ES2205784T3/es not_active Expired - Lifetime
- 1999-03-17 WO PCT/FR1999/000613 patent/WO1999048239A1/fr active IP Right Grant
- 1999-03-17 EP EP99909029A patent/EP1064752B1/fr not_active Expired - Lifetime
- 1999-03-17 DE DE69910549T patent/DE69910549T2/de not_active Expired - Lifetime
2006
- 2006-05-12 US US11/433,232 patent/US20060271795A1/en not_active Abandoned
Non-Patent Citations (1)
Title |
---|
KOCHER P C: "Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems", ADVANCES IN CRYPTOLOGY - CRYPTO'96. 16TH ANNUAL INTERNATIONAL CRYPTOLOGY CONFERENCE. PROCEEDINGS, SANTA BARBARA, CA, USA, 18-22 AUG. 1996, ISBN 3-540-61512-1, 1996, Berlin, Germany, Springer-Verlag, Germany, pages 104 - 113, XP000626590 * |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0981115A2 (fr) * | 1998-08-20 | 2000-02-23 | Orga Kartensysteme GmbH | Méthode d'exécution d'un programme de chiffrage pour chiffrer des données dans un support de données portable avec microprocesseur |
EP0981223A2 (fr) * | 1998-08-20 | 2000-02-23 | Kabushiki Kaisha Toshiba | Dispositif de chiffrage/déchiffrage |
EP0981223A3 (fr) * | 1998-08-20 | 2001-03-14 | Kabushiki Kaisha Toshiba | Dispositif de chiffrage/déchiffrage |
EP0981115A3 (fr) * | 1998-08-20 | 2004-04-14 | Orga Kartensysteme GmbH | Méthode d'exécution d'un programme de chiffrage pour chiffrer des données dans un support de données portable avec microprocesseur |
US6940975B1 (en) | 1998-08-20 | 2005-09-06 | Kabushiki Kaisha Toshiba | Encryption/decryption apparatus, encryption/decryption method, and program storage medium therefor |
US8296576B2 (en) * | 2000-09-14 | 2012-10-23 | Stmicroelectronics Sa | Method for scrambling the current consumption of an integrated circuit |
US7400723B2 (en) | 2001-02-08 | 2008-07-15 | Stmicroelectronics Sa | Secure method for secret key cryptographic calculation and component using said method |
US8386791B2 (en) | 2004-03-11 | 2013-02-26 | Oberthur Technologies | Secure data processing method based particularly on a cryptographic algorithm |
Also Published As
Publication number | Publication date |
---|---|
DE69910549T2 (de) | 2004-06-17 |
EP1064752A1 (fr) | 2001-01-03 |
US20060271795A1 (en) | 2006-11-30 |
US7073072B1 (en) | 2006-07-04 |
DE69910549D1 (de) | 2003-09-25 |
FR2776445A1 (fr) | 1999-09-24 |
AU2842299A (en) | 1999-10-11 |
ES2205784T3 (es) | 2004-05-01 |
EP1064752B1 (fr) | 2003-08-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP1064752B1 (fr) | Procede de securisation de donnees mettant en oeuvre un algorithme cryptographique | |
CA2480896C (fr) | Procede de securisation d'une entite electronique a acces crypte | |
FR2681165A1 (fr) | Procede de transmission d'information confidentielle entre deux cartes a puces. | |
FR2689264A1 (fr) | Procédé d'authentification accompli entre une carte à circuit intégré et une unité terminale et système prévu dans ce but. | |
EP0434551B1 (fr) | Procédé de génération d'un nombre aléatoire dans un système de traitement de données, et système mettant en oeuvre un tel procédé | |
WO2001095274A1 (fr) | Procede de securisation de la phase de pre-initialisation d'un systeme embarque a puce electronique, notamment d'une carte a puce, et systeme embarque mettant en oeuvre le procede | |
EP1055203B1 (fr) | Protocole de controle d'acces entre une cle et une serrure electronique | |
EP1391853A1 (fr) | Diversification d'un identifiant unique d'un circuit intégré | |
EP1120662B1 (fr) | Procédé pour tester un circuit intégré comportant des parties matérielles et/ou logicielles ayant un caractère de confidentialité | |
EP2166696B1 (fr) | Protection de l'intégrité de données chiffrées en utilisant un état intermédiare de chiffrement pour générer une signature | |
FR2907622A1 (fr) | Procede de transmission de donnees utilisant un code d'accuse de reception comportant des bits d'authentification caches | |
EP3300293A1 (fr) | Procédé de chiffrement ou de déchiffrement symétrique par bloc | |
EP1107503B1 (fr) | Composant électronique de sécurité | |
EP1122909A1 (fr) | Procédé d'exécution d'un protocole cryptographique entre deux entités électroniques. | |
EP1163562B1 (fr) | Procede de securisation d'un enchainement d'operations realisees par un circuit electronique dans le cadre de l'execution d'un algorithme | |
FR3056322A1 (fr) | Procede de chiffrement ou de dechiffrement protege contre des attaques par canaux caches | |
EP1449067B1 (fr) | Securisation d'un generateur pseudo-aleatoire | |
EP0855072B1 (fr) | Procede d'authentification pour microcircuit a logique cablee | |
FR2600188A1 (fr) | Procede d'habilitation d'un milieu exterieur par un objet portatif relie a ce milieu | |
EP1119939B1 (fr) | Procede de contre-mesure dans un composant electronique mettant en oeuvre un algorithme de cryptographie a cle secrete | |
EP1721246A2 (fr) | Procede et dispositif pour accomplir une operation cryptographique | |
EP0890157B1 (fr) | Perfectionnements aux cartes a memoire | |
EP0566512A1 (fr) | Procédé de contrôle d'accès du type autorisant l'accès à une fonction d'exploitation d'un module d'exploitation à l'aide d'un mot de contrôle | |
FR3052279A1 (fr) | ||
EP1470663B1 (fr) | Procede de generation et de verification de signatures electroniques |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AK | Designated states | Kind code of ref document: A1; Designated state(s): AU CA CN JP US |
| AL | Designated countries for regional patents | Kind code of ref document: A1; Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE |
| DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| WWE | Wipo information: entry into national phase | Ref document number: 1999909029; Country of ref document: EP |
| WWE | Wipo information: entry into national phase | Ref document number: 09646640; Country of ref document: US |
| WWP | Wipo information: published in national office | Ref document number: 1999909029; Country of ref document: EP |
| WWG | Wipo information: grant in national office | Ref document number: 1999909029; Country of ref document: EP |