• 专利附录
  • 专利说明
  • 权利要求
  • 类似技术
  • 同族专利
  • 引用文献
  • 法律状态
  • 优先权
    • 专利摘要:
    The invention relates to a secure electronic entity (E) comprising a memory (NV) storing data in the form of bytes and a processing module (M) adapted to receive data from an electronic device (TP). The processing module (M) is adapted to determine a piece of evidence of integrity based on the received data and at least a portion of the stored bytes, and to issue the integrity evidence item to the electronic device (TP). A method for verifying the integrity of data stored in such a secure electronic entity (E) is also described.
    公开号:FR3030831A1
    申请号:FR1463256
    申请日:2014-12-23
    公开日:2016-06-24
    发明作者:Emmanuelle Dottax;Florian Galdo;Christophe Giraud;Jean-Philippe Vallieres
    申请人:Oberthur Technologies SA;
    IPC主号:
    专利说明:

    [0001] TECHNICAL FIELD TO WHICH THE INVENTION RELATES The present invention relates to the verification of the integrity of data stored in a secure electronic entity.
    [0002] It relates more particularly to a secure electronic entity, an electronic device and a method for verifying the integrity of data stored in such a secure electronic entity. The invention is particularly advantageous in the case where the stored data are at least partially secret and must therefore be encrypted when they are stored outside the secure electronic entity. TECHNOLOGICAL BACKGROUND Secure electronic entities, such as integrated microcircuit cards or secure elements, which store confidential data, for example secret cryptographic keys, used for example in electronic message encryption electronic signature or identification. Although these secure electronic entities are designed to make it almost impossible to intrude into their operation, it is desirable to check from time to time, for example periodically, that the data stored in a given electronic entity is intact (ie ie they have not been tampered with). OBJECT OF THE INVENTION In this context, the present invention provides a secure electronic entity comprising a memory storing data in the form of bytes and a processing module adapted to receive data from an electronic device, characterized in that the processing module is adapted to determine an integrity evidence item based on the received data and at least a portion of the stored bytes, and to issue the integrity evidence item to the electronic device. Thus, the secure electronic entity is designed to return a piece of evidence of integrity determined by combining the received data and the stored bytes. Such evidence proves that stored data (in the form of bytes) at the time when the electronic entity receives the data from the external electronic device (for example a third-party auditor) are indeed those expected, otherwise secure electronic entity could not produce the correct evidence. According to optional (and therefore non-limiting) characteristics: the received data represent a random value (generated for example by the electronic device); the received data designate regions of the memory; the processing module is designed to determine the integrity proof element as a function of the multiplets stored in the regions designated by the received data; the processing module is designed to determine the proof of integrity element partly by means (that is to say by means in particular) of an encryption of the stored bytes; the secure electronic entity comprises a module for implementing the encryption as a function of a secret key stored in the electronic entity; the processing module is adapted to determine the proof of integrity element by means of a signature function or a hash function or a message authentication code generation function; said secure electronic entity is an access card to a mobile telephone network. The invention also proposes a cellular telephone comprising a secure electronic entity as proposed above, for example soldered to the cellular telephone. The invention also proposes a power supply counter comprising a secure electronic entity as proposed above, for example soldered to said counter. The invention also proposes an on-board electronic system for a vehicle (for example for a motor vehicle) comprising a secure electronic entity as proposed above, possibly welded to the electronic system. The invention further provides an electronic apparatus comprising a near-field communication module and a secure electronic entity as proposed above connected to the near-field communication module.
    [0003] The invention also proposes a method for verifying the integrity of data stored in a secure electronic entity, characterized in that it comprises the following steps: - transmission, by an electronic device, of data to the electronic entity secure; - receipt of the data by the secure electronic entity; determination of an integrity proof element as a function of the data received and of at least a part of the bytes stored in a memory of the secure electronic entity; - Issuing, by the secure electronic entity, the proof of integrity element to the electronic device. Such a method may further comprise a step of determining at least part of the data transmitted by random draw (for example within the electronic device).
    [0004] According to a first possibility of realization, the received data can represent a random value used as a parameter during the application of a function. According to a second possible embodiment, the received data can designate regions of the memory; the determination of the integrity proof element can in this case be carried out according to the multiplets stored in the regions designated by the received data. According to other optional features: the determination of the integrity proof element comprises an encryption of the memorized bytes; the encryption of the stored bytes uses a secret key stored in the secure electronic entity; the proof of integrity element is determined by applying a signature function or a hash function or a message authentication code generation function; said electronic device is a third party listener. DETAILED DESCRIPTION OF AN EXEMPLARY EMBODIMENT The following description with reference to the accompanying drawings, given as non-limiting examples, will make it clear what the invention consists of and how it can be achieved.
    [0005] In the accompanying drawings: FIG. 1 represents a system in which a secure electronic entity according to the invention is used; - Figure 2 schematically shows the information stored in a server of a third party auditor and in a non-volatile memory of the secure electronic entity according to a first embodiment of the invention; FIG. 3 represents the main steps of a first exemplary method implemented in the context of the invention; FIG. 4 represents the main steps of a second exemplary method implemented in the context of the invention; FIGS. 5 to 7 schematically represent algorithms that can be used in the context of the method of FIG. 4; FIG. 8 represents the main steps of a third example of a method implemented in the context of the invention; and FIG. 9 represents the main steps of a fourth exemplary method implemented in the context of the invention. Figure 1 shows schematically the main elements of a system in which the invention can be implemented.
    [0006] Such a system comprises an electronic apparatus A provided with a communication module COM for exchanging data with other electronic devices, as described hereinafter. The electronic device A may be a cellular and / or smart phone (in English: "smartphone"), a digital tablet or any other electronic device which it is desired that it may exchange data with external electronic devices, for example a energy supply meter, an appliance or an electronic system embedded in a motor vehicle. The communication module COM makes it possible to establish two-way communication (here wireless) with an N network architecture, which is itself connected to the Internet network INT. According to a first possible embodiment, the network architecture N can be a mobile telephone network, in which case the communication module COM is designed to communicate with a base station of the mobile telephone network. According to a second possible embodiment, the network architecture N can be an access point of a wireless local area network (WLAN), in which case the communication module COM is designed to join this local network. In both cases, the communication module COM makes it possible to access the Internet network INT through the network architecture N. Thus, a processor P of the electronic device A (for example a microprocessor) connected to the communication module COM can exchange data with electronic devices (such as computers or servers) connected to the Internet, including a TP Third Party Auditor (TPT) and ISS electronic entity transmitter. The electronic apparatus A also comprises a secure electronic entity E, for example a microcircuit card, possibly universal (or UICC for "Universal Integrated Circuit Card") as referred to in the technical specification ETSI TS 102 221, an integrated secure element ( or eSE for "embedded Secure Element") as referred to in the specification "GlobalPlatform Card Specification version 2.2.1" or another type of secure element In the case where the secure electronic entity E is a microcircuit card, it for example, a card for access to a mobile telephone network, such as a USIM card (for "Universal Subscriber Identity Module"), or a secure token (in English: "secure token "). The secure electronic entity E can be mounted in the device A removably (as is the case for a microcircuit card made in one of the formats 2FF, 3FF or 4FF, or so gener ale, in a format smaller than those of the format 2FF), or irremovably (for example welded) as in the case of an integrated secure element (eSE already mentioned above) or an integrated microcircuit card (also called eUICC for "Embedded Universal Integrated Circuit Card").
    [0007] The secure electronic entity E is here connected to the processor P of the electronic device A and thus has access, via this processor P, to the communication module COM. As a variant, the secure electronic entity E could be directly connected to the communication module COM. As illustrated in FIG. 1, the secure electronic entity itself comprises a microprocessor M, a random access memory V and at least one non-volatile memory NV, for example a rewritable non-volatile memory of the EEPROM type (for "Electrically Erasable and Programmable Read-Only Memory ") or Flash. The non-volatile memory NV stores computer program instructions which, when executed by the microprocessor M, allow the implementation of methods, such as the methods given below by way of example. The secure electronic entity E also stores data, in particular confidential data such as secret keys (for example in particular the cryptographic keys K1, K2 used in the examples given below). The secure electronic entity E can thus implement (as already indicated, because of the execution, by its microprocessor M, of instructions stored in the non-volatile memory NV, or even in the RAM V) a method of cryptographic key encryption and / or a cryptographic key decryption method and / or a cryptographic key signing method and / or an authentication code generating method using secret data and / or a method for generating a response to a challenge by using secret data For each of these methods, the cryptographic key or the secret data concerned is for example stored in the non-volatile memory NV . In some cases, such as the case already mentioned of a universal microcircuit card or UICC, the secure electronic entity E can also implement methods for initiating and establishing remote communication via the communication module. COM implanted in the electronic device A which hosts the secure electronic entity E, for example by means of mechanisms such as those commonly referred to as "SIM Toolkits". The secure electronic entity E may then have the initiative of initiating an exchange with remote electronic devices, such as the third party auditor TP and the issuer ISS. The program instructions and the data are stored (here in NV nonvolatile memory) as bytes (for example bytes). The secure electronic entity E is also designed, because of its physical construction and the design of the computer programs that it memorizes, so as to make it very difficult or impossible for an attacker to access (by reading and / or modification) to the confidential data that it stores. Thus, the secure electronic entity E has for example an assurance level EAL greater than 4 in the sense of the Common Criteria (standard I5015408), for example a level EAL4 + (VAN5) or higher, and / or a level higher than 3 according to FIPS 140-2 (for "Federal Information Processing Standard") The electronic apparatus A may also comprise a near field communication module COM ', such as a communication module NFC (for "Near Field Communication") As a variant, it would be possible to use a wireless communication module of another type, for example Bluetooth, ZigBee, or other such a near-field communication module COM 'is here directly connected to the secure electronic entity E, for example by means of a connection of SWP type (for "Single Wire Protocol." In a variant, the near-field communication module COM 'could be connected to the processor P of the electronic apparatus A and could in this case exchange data with the entity secure electronic E via the processor P. The near field communication module COM 'is designed to enter into communication with a reader (here an NEC reader) when this COM' module (as well as consequently the electronic device A) is positioned at a distance from the reader below a predetermined threshold, for example a threshold less than 0.3 m. The reader and the secure electronic entity E can thus exchange data according to a wireless communication protocol, for example according to the standard 150 14443. In particular, the reader can issue commands (such as ADPU commands for "Application"). Protocol Data Unit ") over the wireless link; the near-field communication module COM 'receives these commands and transmits them to the secure electronic entity E (here via the SWP link). The secure electronic entity E processes these commands (in particular by means of the methods implemented in the secure electronic entity as described above) and transmits responses (generated by the aforementioned processing) via the near-field communication module COM 'and to the reader. The electronic device A can thus notably be used, thanks to the confidential data stored in the secure electronic entity E and to the exchange possibilities provided by the near-field communication module COM ', as a means of identifying its carrier, for example in payment (payment authorization), transport (access to the transport network via an automatic gateway controlled by the reader), identity, loyalty, etc. applications. A first embodiment of the invention will now be described with reference to FIGS. 2 and 3. As can be seen in FIG. 2, in this first embodiment, the non-volatile memory NV of the secure electronic entity E stores data. on the one hand a fixed operating system ROS and a modifiable operating system FOS. The fixed operating system ROS is registered in the non-volatile memory NV during the production of the secure electronic entity E, for example during a personalization phase during which program instructions and data of customization are written in NV nonvolatile memory, here without possibility of subsequent modification. The modifiable operating system FOS is also written in the nonvolatile memory NV during the personalization phase, but can be modified later, for example remotely according to a predefined procedure during which the microprocessor M of the entity secure electronic E communicates with a remote server (for example via the communication module COM) and writes data received from the remote server into the nonvolatile memory NV, for example after an authentication step of the remote server. According to one conceivable variant, such an operating system 25 could be loaded into RAM for its execution. As also visible in FIG. 2, the third party listener TP stores a plurality of random values r1, rn and a plurality of verification values M1, Mn respectively associated with the aforementioned random values. The verification values Mi are not communicated to the secure electronic entity E. The random values ri are successively communicated to the secure electronic entity E, distributed over the period of use of the secure electronic entity E, as explained below. For example, a number n of random values ri (and associated verification values Mi) are used such that the secure electronic entity E can not memorize all of these values ri, Mi. For example, during a phase of the modifiable operating system FOS during which the third party auditor TP is aware of the data forming the modifiable operating system FOS, he successively determines by random selection each of the random values ri and calculates the associated verification value Mi by applying a function F to this random value ri and the data which form the modifiable operating system FOS: Mi = F (ri, FOS). The function F is such that it is impossible to determine F (ri, FOS) without having knowledge of all the data forming the modifiable operating system FOS and that the verification values Mi give no information on the data forming the editable operating system FOS. The function F is for example based on a hash function H, applied to the concatenation of the random value ri and data forming the modifiable operating system FOS: F (ri, F0S) = H (ri II FOS), where It is the concatenation operator. The hash function H used is for example of the SHA-256, SHA-512 or SHA-3 type. As a variant, the function F could be a message authentication code generation function MAC, using a secret key K2 and, here again, applied for example to the concatenation of the random value ri and data forming the system of authentication. modifiable operation FOS: F (ri, F0S) = MAC (K2, ri II FOS). The MAC function used is for example of HMAC type (based for example on SHA-256), CMAC or CBC-MAC (based for example on the AES algorithm). In the case of using a message authentication code generation function, the secret key 1 <2 is stored by the third party auditor TP to perform the calculation of the verification values Mi as it has just been indicated and by the secure electronic entity E for calculating an item of evidence as explained below. According to one conceivable variant, it would be possible to use (rather than a message authentication code) a signature produced by means of a private key of a public key infrastructure (PKI). Note that, for the application of the function F, we consider the raw form of the bytes stored in the area concerned (including the data forming the modifiable operating system FOS), regardless of what these multiplets represent when use of the secure electronic entity E (the multiplets may for example represent as already indicated instructions executable by the microprocessor M, personalization data, confidential data such as secret keys, or even unused data). FIG. 3 represents a method of exchanging data between the third party auditor TP and the secure electronic entity E in order to verify that the modifiable operating system FOS is in conformity with that which has been evaluated (for example with a view to certification) in the evaluation phase. It is understood that after this evaluation phase, the third party auditor TP generally no longer has access to the modifiable operating system FOS. This exchange of data between the third party auditor TP and the secure electronic entity E is for example carried out via the Internet network INT, the network architecture N, the communication module COM and the processor P of the electronic device A, as explained above with reference to FIG. 1. The method starts in step E2 by the transmission by the third party listener TP of one of the random numbers ri to the secure electronic entity. Such a step is for example periodically implemented. According to a first possibility of realization, the random number r; emitted during step E2 is randomly selected from the plurality of random numbers r1, rn stored in the third party listener TP (this can be done in practice by randomly determining, among integers between 1 and n, 'index i used). According to a second possibility of realization, the random numbers r1, rn are used sequentially, one after the other.
    [0008] The secure electronic entity E receives the random number ri in step E4. The secure electronic entity E (in practice its microprocessor M, which uses the RAM V for this purpose) then determines in step E6 the verification value associated with the random number ri received, according to the same process as that used by the third party auditor TP during the evaluation phase, here by applying the function F to the random number received ri and the data forming the modifiable operating system FOS. M * is the verification value thus calculated by the secure electronic entity: M * = F (ri, FOS).
    [0009] The calculated verification value M * is sent to the third party auditor TP in step E8 as evidence to attest that the modifiable operating system FOS has not been modified. The third party auditor TP receives the verification value M * in the step E10 and compares it with the step E12 to that calculated during the evaluation phase. Due to the properties of the function F indicated above, if the verification value M * calculated by the secure electronic entity E is equal to the verification value Mi stored by the third party auditor TP, the memory image corresponding to the The modifiable operating system FOS is the expected one and the operation of the secure electronic entity can continue normally (step E16). On the contrary, if the verification value M * calculated by the secure electronic entity E differs from the verification value Mi memorized by the third party auditor TP, this means that the modifiable operating system FOS does not conform to that which has been evaluated. In this case, step E14 is performed in which the problem encountered is addressed, for example by sending a message to the ISS transmitter of the secure electronic entity E, which may, for example, revoke the rights associated with the secure electronic entity E. Note that, the value r; not being predictable, the secure electronic entity E can not calculate and store previously the associated verification value Mi (which would allow the secure electronic entity E to return the expected value even if the operating system FOS was then modified). In other words, the data of the operating system FOS stored in the non-volatile memory NV when receiving the unpredictable value (here random) ri must be in accordance with those present during the evaluation phase for the entity secure electronics E can calculate a verification value M * equal to the expected value Mi. Note also that all the data stored in the modifiable area of the non-volatile memory NV (area where is stored the operating system modifiable FOS) is used in the calculation of each verification value Mi so that the secure electronic entity E can not memorize a copy of the modifiable operating system that would allow it to calculate a correct verification value Mi even after modification (no allowed) of the modifiable operating system FOS.
    [0010] Finally, as indicated above, the secure electronic entity E can not memorize all the random values r; and Mi verification, and therefore can not respond to the third party auditor TP using a verification value determined at an earlier time and then memorized (which would allow him to make changes to the modifiable operating system FOS after dealing the set of random values r1, rn and stored the verification values M1, Mn associated). A second embodiment of the invention will now be described with reference to FIG. 4. This embodiment also relates to the case where an editable operating system FOS stored in the non-volatile memory NV of a secure electronic entity E is verified by a third party auditor TP, as schematically represented in FIG. 2. In this second embodiment, however, the third party auditor TP does not at any time know (in plain text) data forming the modifiable operating system FOS , but only has an encrypted version C of these data, as explained now. Note, however, that when the third party auditor TP also has a certifying role, provision can be made for the encrypted version C of the data to be generated during an initial audit phase, under the supervision of the certifier.
    [0011] FIG. 4 represents the main steps of a second exemplary method implemented in the context of the invention. This method thus begins at step E20 with a data encryption step forming the modifiable operating system FOS by the ISS transmitter of the secure electronic entity ISS. This encryption step is for example performed by applying to the data forming the modifiable operating system FOS an encryption algorithm (here symmetrical) ENC using a secret key K1 stored by the issuer ISS and by the secure electronic entity E (and known only to these two entities). As part of its encryption, the modifiable operating system FOS is for example divided into ordered blocks FOS i of predetermined size (here 16 bytes). According to a first possible embodiment, the enciphering algorithm ENC is of the CBC (for "Cipher Block Chaining") type and is applied as represented in FIG. 5: the first block FOSi is combined with an initialization vector IV (predetermined or determined during the calculation, for example by random drawing) by application of an "exclusive" (or XOR) operator, that is to say by a boolean sum, then an AES encryption algorithm is applied with the secret key K1 to the result of the combination in order to obtain the first encrypted block C1, for the other data blocks of the modifiable operating system FOS, the concerned block FOS i and the previously encrypted block CH are combined by means of a " or exclusive '(Boolean sum), then the AES encryption algorithm is applied with the secret key K1 to the result of the combination in order to obtain the encrypted version Ci of the current block.
    [0012] According to a second possible embodiment, the ENC encryption algorithm is of the ECB type (for "Encoded CodeBook") and is applied as shown in FIG. 6: an AES encryption algorithm using the encryption key K1 is applied separately to each block FOSi in order to obtain the encrypted version Ci of the block concerned.
    [0013] According to a third embodiment, the encryption algorithm is of the CTR (counter) type: an incremented block block counter is encrypted by means of an encryption algorithm, such as the AES encryption algorithm, using a secret key (eg key K1); the encrypted version Cj of the block concerned is obtained by Boolean sum of the corresponding FOSi block and the encrypted counter. Whatever the possibility of realization used, the concatenation of the encrypted blocks Ci obtained forms the encrypted version C of the modifiable operating system FOS. The encrypted version C of the modifiable operating system FOS obtained in step E20 is sent to step E22 to the third party auditor TP. The third party auditor TP thus receives, during a step E24, the encrypted version C of the modifiable operating system FOS, for example as already indicated in the form of encrypted blocks C. The third party auditor TP then determines in step E26 a plurality of numbers r1, rn by random draw. For each random number ri thus determined, the third party listener TP determines in step E28 an associated verification value Mi, for example by applying a function F to the random number concerned ri and to the encrypted version C of the system. modifiable operation FOS.
    [0014] The function F has properties identical to that used in the first embodiment. Moreover, as indicated for the first embodiment, it is possible to use a number n of random values ri and verification values Mi such that the secure electronic entity E can not memorize all these values ri, Mi. For example, as a function F, a CBC-MAC (for "Cipher Block Chaining - Message Authentication Code") algorithm is used, taking as the initialization vector the random value ri and, as a cryptographic function, the algorithm AES encryption using a secret key K2, as shown in FIG. 7. The random values ri and the associated verification values Mi are stored by the third party listener (step E30), as shown in FIG. could here alternatively refrain from previously determining the random values ri and verification Mi and memorize them (see below steps E34 and E40). Since the modifiable operating system FOS is stored by the third party auditor TP in encrypted form, it can keep this data in memory throughout the use of the secure electronic entity E. When the secure electronic entity E is used (which the third party listener TP can be informed by receiving - not shown in FIG. 4 - a message from the issuer ISS), the third party auditor TP periodically checks the integrity of the delivery system. modifiable operation FOS as described now. In the example described here, an index i (step E32) is initially initialized to 0. In the aforementioned variant where the random values ri have not been determined in advance, a value ri is then determined by random selection in step E34 (this step not being naturally performed when the procedure has been carried out in advance. in step E26). Whenever the random value ri is determined (prior to step E26 or on the field in step E34), the random value ri is sent by the third party auditor TP in step E36 to destination of the secure electronic entity E. The secure electronic entity E receives the random value ri in step E38.
    [0015] The secure electronic entity E then determines in step E42 a verification value M * on the basis of the random value r; and data forming the modifiable operating system FOS, encrypting the data forming the modifiable operating system FOS by means of the encryption algorithm ENC and the secret key K1 used in step E20, and using the function F used in step E28: M * = F (r1, ENC (Ki, F0S)). It is recalled that the secure electronic entity E stores for this purpose the secret key (or cryptographic key) K1 and, in the case where the function F is of CBC-MAC type as indicated above, the secret key (or cryptographic key) K2. On the other hand, when the initialization vector IV used by the issuer ISS to encrypt the data forming the operating system FOS (see step E20 above) is obtained by random draw, this initialization vector IV is also stored in the secure electronic entity E. In the aforementioned variant where the verification values M; have not been determined in advance, the third party auditor TP determines during this time in step E40 (or possibly before sending the random value r) in step E36) the verification value M; associated with the random value r; obtained in step E34, by applying the function F to this random value r; and the encrypted version C of the modifiable operating system FOS: M; = F (n, C). This step is of course not carried out when the step E28 has been carried out beforehand. As indicated above, in the preceding examples, the function F is applied to all the modifiable data of the non-volatile memory NV (that is to say in some cases to all the data of the non-volatile memory NV).
    [0016] However, it is also possible during steps E40 and E42 to apply the function F to only a part of the non-volatile memory NV or the modifiable operating system FOS, for example to only part of the FOS blocks; forming the editable operating system FOS. Thus, for example when the modifiable operating system FOS is encrypted in step E20 by means of an ECB (or CTR) type algorithm, the third party auditor TP can send to the secure electronic entity E when the step E36 a designation of the FOS blocks; to which the function F must be applied, for example in the form of a list {k (1), k (I)} of indices i of these blocks (determined for example by random draw) and the verification words Mi, M * can then be determined by concatenating the blocks concerned: - on the side of the third party listener TP (step E40), Mi = F (ri, Ck (l) 11.- liCk (i)); on the side of the secure electronic entity E (step E42), M * = F (ri, ENC (Ki, F0Sk (I)) 11- - IIENC (Ki, F0Sk (I))).
    [0017] In any case, the secure electronic entity E sends in step E44 the verification value M * determined in step E42, as evidence of the integrity of the modifiable operating system FOS (or part of it) to the third party auditor TP. The third party auditor TP can thus compare in step E48 the verification value Mi determined by him (step E28 or E40) to the verification value M * received from the secure electronic entity E. If the result of the comparison is positive, the modifiable operating system FOS stored in the secure electronic entity E corresponds to that expected and the third party listener TP can wait a predetermined duration (timeout of the step E50) before incrementing the index i ( step E52) and loop in step E36 (or E34 according to the variant mentioned above) to check again the integrity of the modifiable operating system FOS. If the result of the comparison is negative, the modifiable operating system FOS (or, in general, the memory area covered by the verification) has been modified and the third party auditor TP for example sends an alert message to the destination. of the ISS transmitter (step E54). On receipt of this alert message, the ISS issuer for example takes steps to disable the secure electronic entity, such as the revocation of certificates stored in the secure electronic entity (step E56).
    [0018] FIG. 8 represents the main steps of a third exemplary method implemented in the context of the invention. During a step E100, the issuer ISS transmits an IM memory image to the secure electronic entity E. This IM memory image contains all the data and instructions to be stored in the non-volatile memory NV of the secure electronic entity E to enable its operation. The secure electronic entity E receives the memory image IM in step E102 and stores it in its non-volatile memory NV. The secure electronic entity is then ready to be used for the functionality for which it is designed, for example as a means of payment, means of access to a mobile telephone network, means of identification, etc. The steps E100 and E102 can be carried out in the context of FIG. 1, in which case a mechanism for securing the exchanges is previously implemented between the issuer ISS and the secure electronic entity E in order to perform the personalization remotely. As a variant, the steps E100 and E102 can be performed within an establishment dedicated to the personalization of secure electronic entities, in which case the secure electronic entity E communicates (via a wired link or wireless short-range or other) with a ISS transmitter customization machine (the personalization machine then implementing step E100). During a step E104, the memory image IM is secured by the issuer ISS, for example by encryption using a cryptographic algorithm using a SECsT cryptographic key, which makes it possible to obtain a secure version (here encrypted ) IMsEc of the IM memory image. The issuer ISS may optionally further generate a signature or authentication code (or MAC for "Message Authentication Code") of the memory image IM. The secure memory image IMsEc and the cryptographic key SECsT (and possibly the signature or the authentication code) are emitted by the issuer ISS in step E106, intended for the third party auditor TP. The SECsT cryptographic key being a secret shared between the issuer ISS and the third party auditor TP (or, alternatively, between the issuer ISS and a hardware security module held by the third party auditor TP), it is transmitted using a mechanism preventing its disclosure, for example by means of a secure channel established between the issuer ISS and the third party auditor TP. The third party listener TP receives and stores in step E108 the secure memory image IMsEc and the cryptographic key SECsT (and possibly the signature or the authentication code). In practice, the cryptographic key SECsT is for example stored in a hardware security module (or HSM for "Hardware Security Module") of the ISS transmitter, for example a microcircuit card or an integrated secure element. Then, during a step E110, the third party listener generates a secret SECINT (for example by random draw) and memorizes this secret SECINT, for example within the hardware security module mentioned above. The secret SECINT generated in step E110 is transmitted to the secure electronic entity E, for example by means of a secure communication channel established between the third party auditor TP and the secure electronic entity E, then stored in the secure electronic entity E (step E112), for example in an area of the NV non-volatile memory not covered by the integrity check. In the example just given, the secret SECINT is generated by the third party auditor TP. As a variant, the secret SECINT could be generated by the issuer ISS, transmitted to the third party auditor ISS (for example during the step E106 described above) and stored in the secure electronic entity E during the customization (for example in step E102 described above). Periodically during the use of the secure electronic entity E, the third party auditor TP can then check the integrity of parts of the memory image IM stored in non-volatile memory NV, as now described.
    [0019] The third party listener TP generates in step E114 an unpredictable (ordered) list L of regions of the memory area whose integrity is to be checked, here the non-volatile memory NV (which contains in normal operation the image IM memory received and stored in step E102). Each region of the list L is here defined by an address, which designates the beginning of the region concerned (that is to say, for example, the first byte of the region concerned), and by a length (expressed for example in number of words bits, here in number of bytes). For each region of the list L, the address and the length defining this region are for example determined by random draw. However, it can be provided in this case that certain particular parts of the memory concerned (in this case the non-volatile memory NV), for example parts containing instructions or critical or sensitive data, are more frequently targeted by the regions of the list. For this purpose, for example, it is provided that certain addresses are determined by random selection among the addresses located in these particular parts of the memory concerned, while other addresses are determined by random selection among all the possible addresses for the memory concerned. Alternatively, the list of regions could be predetermined (while still preferably unpredictable). The third party auditor TP may indeed in practice use a large number of predetermined lists so that the secure electronic entity E will not be able to memorize the expected response (VALINT integrity value mentioned below) to each of these lists. According to another possibility of realization, the third party listener TP can choose the list L by random draw among a large number of predetermined lists. In the case described here where the list is not predetermined, the number of regions listed in the list L can be fixed or variable, for example determined by random draw between a minimum value and a maximum value. Note also that the different regions of the list L may possibly overlap (i.e. overlap) without this poses difficulties in the rest of the process. The third party auditor TP then sends in step E116 the list L (generated in step E114) to the secure electronic entity E. The non-predictable list L is received by the secure electronic entity E at 15. step E118. The secure electronic entity E then builds in step E120 a byte structure by reading the bytes stored in the memory regions (here non-volatile memory NV) designated in the list L received, for example by concatenation of the bytes read in the regions of the list L. The secure electronic entity E can thus determine in step E122 a value of integrity VALINT (or verification value) by applying a function f to the byte structure produced in step E120, again using the secret SEC INT. The function f is for example a signature cryptographic function 25 or message authentication code generation using as the cryptographic key the secret SECINT and as a message (to sign or to authenticate) the aforementioned octet structure. The function f can be of one of the types proposed above (in the context of the first two exemplary embodiments) for the function F. As for the function F, the function f is applied by considering the raw form of the multiplets (here bytes) of the structure, regardless of what these bytes represent when using the secure electronic entity E Note that the function f can possibly use other parameters (for example a random value) which are in this case transmitted from the third party auditor TP to the secure electronic entity E with the list L in step E116, or alternatively from the secure electronic entity E to the third party auditor TP with the integrity value VALINT in step E124 (described below). These other parameters comprise for example an initialization vector used by the function f (especially when the function f is of CBC-MAC type). The integrity value VALINT calculated by the secure electronic entity E in step E122 is transmitted to the third party auditor TP during step E124. The third party listener TP receives and stores this integrity value VALINT in step E126. The third party listener TP then reads in the secure memory image IMsEc the parts corresponding to the regions of the list L and the decryption of these parts read by means of the cryptographic key SECsT (step E128). Alternatively, the decryption is performed by the hardware security module (within it) so that the third party listener TP is not aware of the decrypted versions. The third party auditor TP (or, as the case may be, the hardware security module) may on this occasion possibly carry out the verification of the signature or the associated authentication code, when such an element has been transmitted during the step E106 as mentioned above. The third party auditor TP (or, alternatively, the hardware security module held by the third party auditor TP) can thus produce in step E130 a byte structure from the bytes contained in the decrypted parts, according to the process used by the secure electronic entity E in step E120, here by concatenation of these bytes. The data structure obtained in step E130 is normally (that is to say, in normal operation, without modification of the memory image IM) identical to that obtained in step E120. The third party auditor TP (or, alternatively, the hardware security module held by the third party auditor TP) determines in step E132 a value of integrity VALINT * from the byte structure obtained in the step E130, according to the same process as that used in step E122, that is to say by applying the function f to this byte structure produced in step E130, again using the secret SECINT. The third party auditor TP (or, alternatively, the hardware security module held by the third party auditor TP) can thus check in step E134 whether the value of integrity VALINT calculated by the secure electronic entity E is equal to to the integrity value VALINT * calculated in step E132. When the steps which have just been described are carried out by the hardware security module held by the third party auditor TP (so that the third party auditor TP himself can not know the content of the checked memory), an indicative message the result of the comparison is transmitted from the hardware security module to the third party auditor TP. If the verification is positive, the memory image IM stored in the non-volatile memory NV of the secure electronic entity E has not been altered and the secure electronic entity E can therefore continue to be used normally. The method therefore continues in this case by a delay step E136, before the implementation of a new iteration of the verification of the integrity of the memory image IM from step E114 as described above. .
    [0020] If the verification of step E134 is negative, the process continues on the contrary in step E138 during which an action is set up to deal with the lack of integrity of the memory image thus detected. This action is for example the transmission (not represented in FIG. 8) of a message indicating this lack of integrity to the issuer ISS, which can then, for example, revoke the rights associated with the secure electronic entity E or alternatively, requiring a remote update of the memory image of the NV nonvolatile memory. The integrity verification iteration described above only makes it possible to verify the integrity of the data contained in the regions of the list L used during this iteration. However, as iterations proceed, a larger part of the memory concerned will have been verified. Note further that the secure electronic entity E can not predict the regions used during a given iteration and can not anticipate the integrity value transmitted in response to the third party auditor TP.
    [0021] The only possibility for the secure electronic entity E to calculate the expected response is therefore that it maintains the integrity of the memory concerned. FIG. 9 represents the main steps of a fourth example of a method implemented in the context of the invention. In this example, the third party listener TP stores an IMDER derived memory image obtained from the memory image IM (stored in the non-volatile memory NV of the secure electronic entity E), for example by means of a cryptographic encryption algorithm (such as an ECB type algorithm as mentioned above). This situation is for example obtained by a method of the same type as that of steps E20 to E24 described above with reference to FIG. 4. The secure electronic entity E stores the cryptographic encryption key used to obtain the encrypted cryptographic key. IMDER derived memory image.
    [0022] An iteration of a method for verifying the integrity of the memory image IM is described below. Such an iteration is periodically repeated in order to progressively cover a larger and larger part of the memory concerned, as described above with reference to FIG. 8 for the third exemplary embodiment.
    [0023] The third party listener TP generates in step E200 an unpredictable (ordered) list L of regions of the memory area whose integrity is to be checked, here the non-volatile memory NV. As in the third example described above with reference to FIG. 8, each region of the list L is here defined by an address and by a length. The list L of the regions is generated according to one of the possibilities envisaged above in the context of the third exemplary embodiment. The third party auditor TP issues the list L to the secure electronic entity E (step E202) and the unpredictable list L is therefore received by the secure electronic entity E in step E204.
    [0024] The secure electronic entity E then reads the stored data (in the form of bytes, here bytes) in the regions designated in the list L and generates in step E206 corresponding derived data, by applying the algorithm used to obtain the IMDER derived image stored by the third party auditor TP as indicated above (here an encryption algorithm, for example of the EBC type, using the encryption cryptographic key stored by the secure electronic entity E). The electronic entity then builds in step E208 a data structure to be processed (or byte structure) using the derived data obtained in step E206, for example by concatenation of these derived data. The secure electronic entity E can thus determine in step E210 a value of integrity VALINT (or verification value) by applying a function f to the data structure produced in step E208, for example by using in addition to a SECINT secret shared between the secure electronic entity E and the third party auditors TP, as in the third example described with reference to FIG. 8. The function f can be of one of the types proposed above (in the framework of the first three examples of implementation). The integrity value VALINT calculated by the secure electronic entity E in step E210 is transmitted to the third party listener TP during the step E212 and received by the latter in the step E214, which stores it. The third party listener TP then proceeds to read from the parts corresponding to the regions of the list L in the IMDER derived memory image and produces in step E216 a data structure from the read data, according to the process used by the secure electronic entity E in step E208, here by concatenation of the read data. The data structure obtained in step E216 is normally (i.e., in normal operation, without modification of the memory image IM) identical to that obtained in step E208. The third party listener TP determines in step E218 a value of integrity VALINT * from the data structure obtained in step E216, according to the same process as that used in step E210, that is to say say, by applying the function f to this data structure produced in step E216, again using the SECINT shared secret. The third party auditor TP can thus verify in step E220 whether the value of integrity VALINT calculated by the secure electronic entity E is equal to the integrity value VALINT * calculated in step E218. If the verification is positive, the memory image IM stored in the non-volatile memory NV of the secure electronic entity E has not been altered and the secure electronic entity E can therefore continue to be used normally (step E222) . If the verification of step E220 is negative, the process continues on the contrary in step E224 during which an action is set up to deal with the lack of integrity of the IM image thus detected. This action is of the same type as that of step E138 described above with reference to FIG. 8.
    权利要求:
    Claims (22)
    [0001]
    REVENDICATIONS1. Secure electronic entity (E) comprising: - a memory (NV) storing data in the form of bytes; a processing module (M) designed to receive data (r1; L) from an electronic device (TP); characterized in that the processing module (M) is adapted to determine a proof of integrity element (M *; VALINT) as a function of the received data (r1; L) and at least a portion of the memorized bytes, and to issue the proof of integrity element (M *; VALINT) to the electronic device (TP).
    [0002]
    The secure electronic entity of claim 1, wherein the received data represents a random value (r1).
    [0003]
    The secure electronic entity of claim 1, wherein the received data (L) designates regions of the memory (NV) and wherein the processing module (M) is adapted to determine the integrity evidence element ( VALINT) according to the multiplets stored in the regions designated by the received data (L).
    [0004]
    Secure electronic entity according to one of claims 1 to 3, wherein the processing module (M) is adapted to determine the proof of integrity element (M *; VALINT) in part by means of encryption. memorized bytes.
    [0005]
    5. secure electronic entity according to claim 4, comprising a module for implementing the encryption according to a secret key (K1) stored in the secure electronic entity (E).
    [0006]
    The secure electronic entity according to one of claims 1 to 5, wherein the processing module (M) is adapted to determine the proof of integrity element (M *; VALINT) by means of a signature function. or a hash function or a message authentication code generation function.
    [0007]
    7. secure electronic entity according to one of claims 1 to 6, said secure electronic entity being an access card to a mobile network.
    [0008]
    Cell phone comprising a secure electronic entity according to one of claims 1 to 7.
    [0009]
    The cellular telephone of claim 8, wherein the secure electronic entity is soldered to the cellular telephone.
    [0010]
    Power supply meter comprising a secure electronic entity according to one of claims 1 to 7.
    [0011]
    11. Power supply meter according to claim 10, wherein the secure electronic entity is soldered to said counter.
    [0012]
    12. On-board electronic system for a vehicle comprising a secure electronic entity according to one of claims 1 to 7.
    [0013]
    An on-board electronic system according to claim 12, wherein the secure electronic entity is soldered to the electronic system.
    [0014]
    An electronic apparatus comprising a near field communication module and a secure electronic entity according to one of claims 1 to 7 connected to the near field communication module.
    [0015]
    15. A method for verifying the integrity of data stored in a secure electronic entity (E), characterized in that it comprises the following steps: - transmission, by an electronic device (TP), of data (r1; L) to the secure electronic entity (E); - receiving the data (r1; L) by the secure electronic entity (E); determination of a proof of integrity element (M *; VALINT) as a function of the received data (ri; L) and of at least a part of the bytes stored in a memory (NV) of the secure electronic entity ( E); - issuing, by the secure electronic entity (E), the proof of integrity element (M *; VALINT) to the electronic device (TP).
    [0016]
    16. The verification method according to claim 15, comprising a step of determining (E26; E34; E114; E200) at least a portion of the data (r1; L) transmitted by random selection.
    [0017]
    17. A verification method according to claim 15 or 16, wherein the received data represents a random value (ri) used as a parameter when applying a function (E6; E42).
    [0018]
    The verification method according to claim 15 or 16, wherein the received data (L) designates regions of the memory (NV) and wherein the determination of the integrity evidence element (VALINT) is performed according to bytes stored in the regions designated by the received data (L).
    [0019]
    The verification method according to one of claims 15 to 18, wherein the determination of the integrity proof element comprises an encryption (E42; E206) of the memorized bytes.
    [0020]
    20. A verification method according to claim 19, wherein the encryption of the stored bytes uses a secret key (K1) stored in the secure electronic entity (E).
    [0021]
    21. The verification method according to one of claims 15 to 20, wherein the proof of integrity element (M *; VALINT) is determined by applying a signature function or a hash function. a message authentication code generation function.
    [0022]
    22. The verification method according to one of claims 15 to 21, wherein said electronic device is a third party auditor (TPA).
    类似技术:
    公开号 | 公开日 | 专利标题
    EP3152860B1|2021-05-05|Method for the authentication of a first electronic entity by a second electronic entity, and electronic entity implementing such a method
    EP1427231B1|2011-08-31|Method of establishing and managing a confidence model between a SIM-card and a mobile terminal
    EP2145448B1|2011-03-09|Controlled activation of function
    EP3010175B1|2019-04-10|Replay of a batch of secure commands in a secure channel
    EP2242229A1|2010-10-20|Method for authenticating a mobile client terminal with a remote server
    FR2926938A1|2009-07-31|METHOD OF AUTHENTICATING AND SIGNING A USER TO AN APPLICATION SERVICE USING A MOBILE PHONE AS A SECOND FACTOR IN COMPLEMENT AND INDEPENDENTLY OF A FIRST FACTOR
    EP3238200A1|2017-11-01|Secure electronic entity, electronic apparatus and method for verifying the integrity of data stored in such a secure electronic entity
    FR3053203A1|2017-12-29|TECHNIQUE FOR DOWNLOADING A PROFILE OF ACCESS TO A NETWORK
    EP1784016A1|2007-05-09|Security method for transferring data between a multimedia terminal and a security module
    WO2001011820A1|2001-02-15|Method and device for guaranteeing the integrity and authenticity of a set of data
    EP3185468B1|2019-09-25|Data-transmission method, data-receiving method, corresponding devices and programs
    EP3014849B1|2018-08-01|Method for changing an authentication key
    EP3021515B1|2019-06-26|Enhancement of the authentic integrity of data using the last block encrypting said data in cbc mode
    FR2980063A1|2013-03-15|AUTHENTICATION METHOD
    FR2853785A1|2004-10-15|Electronic entity e.g. subscriber identification module card, for mobile communication, has recording unit to update and store maximal number of data, and receiving unit to verify whether received command is from authorized party
    WO2021074527A1|2021-04-22|Method for managing a public key database, method for authenticating public keys, and server device and client device implementing these methods
    WO2021099744A1|2021-05-27|Secure method for data exchange between a terminal and a server
    CN111901287A|2020-11-06|Method and device for providing encryption information for light application and intelligent equipment
    CN112350920A|2021-02-09|Instant communication system based on block chain
    WO2022013072A1|2022-01-20|Device, method and program for secure communication between white boxes
    FR3066666A1|2018-11-23|METHOD FOR SECURING COMMUNICATION WITHOUT STATE MANAGEMENT
    EP3140951A1|2017-03-15|Electronic entity and method for generating a session key
    FR3044847A1|2017-06-09|METHOD OF EXCHANGING DATA WITHIN A GROUP OF ELECTRONIC ENTITIES
    FR3025341A1|2016-03-04|SECURING ENCRYPTION KEYS FOR TRANSACTION ON A DEVICE WITHOUT SECURE MODULE
    FR2900776A1|2007-11-09|METHOD OF SECURING DATA
    同族专利:
    公开号 | 公开日
    FR3030831B1|2018-03-02|
    WO2016102833A1|2016-06-30|
    KR20170097771A|2017-08-28|
    EP3238200A1|2017-11-01|
    US20170353315A1|2017-12-07|
    引用文献:
    公开号 | 申请日 | 公开日 | 申请人 | 专利标题
    US5442645A|1989-06-06|1995-08-15|Bull Cp8|Method for checking the integrity of a program or data, and apparatus for implementing this method|
    US20100223656A1|2009-02-27|2010-09-02|Microsoft Corporation|Trusted entity based anti-cheating mechanism|FR3060806A1|2016-12-20|2018-06-22|Oberthur Technologies|METHOD FOR VERIFYING THE DATA INTEGRITY, ELECTRONIC ENTITY AND ELECTRONIC APPARATUS COMPRISING SUCH AN ELECTRONIC ENTITY|
    FR3060807A1|2016-12-20|2018-06-22|Oberthur Technologies|METHOD OF VERIFYING THE INTEGRITY OF A PROGRAM, ELECTRONIC ENTITY AND ELECTRONIC APPARATUS COMPRISING SUCH AN ELECTRONIC ENTITY|
    CN109314639A|2016-08-09|2019-02-05|Kddi株式会社|Management system, key generating device, car-mounted computer, management method and computer program|US8914674B2|2010-11-05|2014-12-16|Interdigital Patent Holdings, Inc.|Device validation, distress indication, and remediation|GB2564878B|2017-07-25|2020-02-26|Advanced Risc Mach Ltd|Parallel processing of fetch blocks of data|
    法律状态:
    2015-11-23| PLFP| Fee payment|Year of fee payment: 2 |
    2016-06-24| PLSC| Publication of the preliminary search report|Effective date: 20160624 |
    2016-11-21| PLFP| Fee payment|Year of fee payment: 3 |
    2017-11-21| PLFP| Fee payment|Year of fee payment: 4 |
    2018-03-23| CJ| Change in legal form|Effective date: 20180209 |
    2018-03-23| CD| Change of name or company name|Owner name: IDEMIA FRANCE, FR Effective date: 20180209 |
    2019-11-20| PLFP| Fee payment|Year of fee payment: 6 |
    2020-10-02| CA| Change of address|Effective date: 20200826 |
    2020-10-02| CJ| Change in legal form|Effective date: 20200826 |
    2020-11-20| PLFP| Fee payment|Year of fee payment: 7 |
    2021-11-18| PLFP| Fee payment|Year of fee payment: 8 |
    优先权:
    申请号 | 申请日 | 专利标题
    FR1463256|2014-12-23|
    FR1463256A|FR3030831B1|2014-12-23|2014-12-23|SECURE ELECTRONIC ENTITY, ELECTRONIC APPARATUS AND METHOD FOR VERIFYING THE INTEGRITY OF DATA STORED IN SUCH A SECURE ELECTRONIC ENTITY|FR1463256A| FR3030831B1|2014-12-23|2014-12-23|SECURE ELECTRONIC ENTITY, ELECTRONIC APPARATUS AND METHOD FOR VERIFYING THE INTEGRITY OF DATA STORED IN SUCH A SECURE ELECTRONIC ENTITY|
    US15/538,709| US20170353315A1|2014-12-23|2015-12-17|Secure electronic entity, electronic apparatus and method for verifying the integrity of data stored in such a secure electronic entity|
    EP15828654.2A| EP3238200A1|2014-12-23|2015-12-17|Secure electronic entity, electronic apparatus and method for verifying the integrity of data stored in such a secure electronic entity|
    KR1020177020623A| KR20170097771A|2014-12-23|2015-12-17|A method for verifying the integrity of a secure electronic entity, an electronic device, and data stored in the secure electronic entity|
    PCT/FR2015/053595| WO2016102833A1|2014-12-23|2015-12-17|Secure electronic entity, electronic apparatus and method for verifying the integrity of data stored in such a secure electronic entity|
    [返回顶部]