SECURE STARTING OF AN ELECTRONIC CIRCUIT
Patent abstract:
The invention relates to a method for verifying the authenticity of the contents of a non-volatile memory of an electronic device comprising a microcontroller and an embedded security element, comprising the following steps: starting the microcontroller with instructions stored in a first, non-reprogrammable memory zone associated with the microcontroller; starting the security element, the security element holding a first key for decrypting the content of a second, reprogrammable non-volatile memory zone associated with the microcontroller; executing, by the security element, a signature check of the contents of the second zone; and, if the signature is verified, sending the first key from the security element to the microcontroller.
Publication number: FR3043229A1
Application number: FR1560510
Filing date: 2015-11-03
Publication date: 2017-05-05
Inventors: Olivier Van Nieuwenhuyze; Christophe Henri Ricard
Applicant: Proton World International NV
Main IPC:
Patent description:
SECURE STARTING OF AN ELECTRONIC CIRCUIT

Field

The present description generally relates to electronic devices and, more particularly, to devices including a processor and an embedded security element. It applies more particularly to checking the authenticity of all or part of the instructions held in the memories of the processor when the device is started.

State of the prior art

Many electronic devices, such as mobile phones, electronic keys (dongles), etc., are equipped with microprocessors for data processing and for executing various applications. Some of these applications are now linked to operations that must preserve the security of the information exchanged, for example payment transactions, access control, etc.

Larger devices, such as computers, set-top boxes, etc., include Trusted Platform Modules (TPM) that protect the contents of the instruction memories and, in particular, verify that a code or program to be executed has not been corrupted. Such modules are lacking in less sophisticated devices such as, for example, mobile phones, electronic keys and connected objects (connected dongles, connected watches, etc.).

Electronic devices, even without a trusted platform module, are more and more often equipped with embedded security elements, which are integrated circuits providing the security functions of smart cards (smart card, SIM, etc.). For example, these security elements host an application emulating a microcircuit card, which provides the secure authentication service for payment, access control and other operations.

Summary

It would be desirable to secure the start of an electronic device in order to check whether the code or the data it contains are authentic or corrupted. One embodiment provides a solution that overcomes all or some of the disadvantages of known techniques for starting a microprocessor in an electronic device.
One embodiment proposes to protect an embedded security element associated with a microprocessor in an electronic device.

Thus, an embodiment provides a method for verifying the authenticity of the contents of a non-volatile memory of an electronic device comprising a microcontroller and an embedded security element, comprising the following steps: starting the microcontroller with instructions stored in a first, non-reprogrammable memory zone associated with the microcontroller; starting the security element, the security element holding a first key for decrypting the content of a second, reprogrammable non-volatile memory zone associated with the microcontroller; executing, by the security element, a signature check of the contents of the second zone; and, if the signature is verified, sending the first key from the security element to the microcontroller.

According to one embodiment, the microcontroller generates a second key and transmits it to the security element, which uses it to encrypt the transmission of the first key to the microcontroller.
According to one embodiment, the transmission of the second key uses an asymmetric public-key algorithm.
According to one embodiment, the asymmetric key pair is unique per microcontroller/security element pair.
According to one embodiment, the first key is not stored in non-volatile memory in the microcontroller.
According to one embodiment, the microcontroller waits for a response from the security element before executing instructions contained in the second zone.
According to one embodiment, in the case of an authorized update of the content of the second zone, the signature stored in the security element is modified accordingly.
According to one embodiment, the first key is generated by the security element.
According to one embodiment, the power supply of the microcontroller is interrupted if the signature is not verified by the security element.
An embodiment provides an electronic device comprising: a microcontroller; and an embedded security element, the microcontroller and the security element being adapted to implement the above method.

According to one embodiment, an intermediate circuit is interposed between the microcontroller and the security element.

Brief description of the drawings

These and other features and advantages will be set forth in detail in the following non-limiting description of particular embodiments with reference to the accompanying drawings, in which:
FIG. 1 is a very schematic block representation of an embodiment of an electronic device equipped with a microcontroller and an embedded security element;
FIG. 2 is a schematic representation illustrating an embodiment of a start-up sequence of the microcontroller of the electronic device of FIG. 1; and
FIG. 3 is a schematic representation illustrating another embodiment of a start-up sequence of the microcontroller of the electronic device of FIG. 1.

Detailed description

The same elements have been designated with the same references in the various figures. For the sake of clarity, only the steps and elements useful for understanding the described embodiments have been shown and will be detailed. In particular, the applications of the electronic device have not been detailed, the described embodiments being compatible with the usual applications of such devices. Likewise, the signal exchange protocols between the different elements of the electronic device have not been detailed, the described embodiments being, again, compatible with the protocols usually used. In the following description, the terms "about", "approximately" and "on the order of" mean to within 10%, preferably to within 5%.

FIG. 1 very schematically shows, in block form, an example of an electronic device 1 of the type to which the described embodiments apply. The device 1, for example a mobile phone, an electronic key, etc., comprises a microcontroller 2 (CPU, Central Processing Unit) responsible for controlling all or part of the programs and applications executed in the device. The microcontroller 2 communicates, via one or more address, data and command buses 12, with the various electronic and peripheral circuits (not shown) of the device 1, for example the control circuits of a screen, a keyboard, etc., as well as with various wired or wireless I/O interfaces 14 (e.g. Bluetooth). The microcontroller 2 generally integrates volatile and non-volatile memories and also exploits the content of similar memories 16 (MEM (VM/NVM)) of the device 1. The microcontroller 2 and the various circuits of the device 1 are powered by a power unit 18 (PU). For example, the unit 18 is a battery, possibly associated with a voltage regulator.

In the applications covered by this description, the device 1 further comprises an embedded security element 3 (for example of the eSE, embedded Secure Element, or eUICC, embedded Universal Integrated Circuit Card, type), which includes a secure microprocessor. Element 3 is intended to contain the secure services or applications of the electronic device, for example payment applications, access control, etc. Where appropriate, the device 1 also includes an intermediate element or circuit 4, for example a Near Field Communication (NFC) controller, also called a contactless front end (CLF), a Bluetooth controller, etc. This element 4 (shown in dashed lines in FIG. 1) is accessed by the microcontroller 2, for example over a serial bus link (I2C or SPI), and by the element 3 over a Single Wire Protocol (SWP) link. Depending on the voltage level supported by the security element 3, the latter is powered either by the unit 18 or, as shown in FIG. 1, by the element 4, which is itself powered by the unit 18. For example, one may consider the case of a microcontroller 2 and a contactless communication controller 4 supplied with a voltage on the order of 3 volts by the unit 18, and an element 3 supplied with a voltage on the order of 1.8 volts by the controller 4. The need for a power supply through the NFC controller 4 can stem from the voltage levels used by the communication protocols between the controller and the security element 3.

It is proposed to take advantage of the presence of the embedded security element 3 to verify the authenticity of the content (data, instructions, etc.) of all or part of the memories associated with the microcontroller 2.

FIG. 2 is a schematic representation illustrating an embodiment of a start-up sequence of the microcontroller 2 of the electronic device 1 of FIG. 1.

The risk inherent in starting the microcontroller 2, in terms of data security, is that if the code (program) of the microcontroller is compromised, the data of the embedded security element may in turn be compromised. This risk arises at the so-called cold start following a power-up (usually called "cold boot"), because the access-control mechanisms of the various circuits, and in particular the configuration of the memories into free zones and reserved zones, have not yet been initialized. The problem is less acute in the case of a "warm" reset of the device, that is to say one without interruption of the power supply of the microcontroller, because the mechanisms configuring the memory zones are generally not affected. The described embodiment may nevertheless also be applied in the case of partial or total erasure of the memory during a reset.
During a start (powering up the electronic circuits of the device) or a reset with loss of power, the microcontroller 2 begins by accessing a fixed zone 51 (BOOT) of its non-volatile memory containing a start-up program. This zone 51 is generally a read-only zone, that is to say non-volatile and non-reprogrammable (sometimes called "immutable"). It is therefore fixed at manufacture and cannot be modified by an attacker. The zone or zones 52 (MEMCPU) of memory that must be protected are non-volatile memory areas used by the microcontroller 2 when applications need to access the element 3. Such zones 52 usually contain code (instructions) and data, which are reprogrammable according to the applications. If an attacker manages to store attack code in these zones, it may gain access to the security element 3.

The start-up code 51 executed by the microcontroller contains an instruction to start the security element 3 (eSE) as well as, later in the initialization sequence (illustrated by an arrow 53), an instruction INST launching a check of the content of the zone 52 by the element 3. Once this instruction INST has been sent by the microcontroller 2 to the element 3, the microcontroller 2 goes on hold (HOLD) for a response from the security element 3. As long as it does not receive this response, it does not proceed with the execution of the code it contains.

The check (CHECK) performed by the element 3 consists in reading all or part of the zone 52 and running an authenticity verification mechanism. For example, this mechanism is a signature calculation over the code and data contained in the zone 52, and a verification of this signature against a reference signature stored in the element 3. In this case, upon an authorized modification of the content of the zone 52, the reference signature stored in the element 3 is updated in order to allow subsequent authenticity verifications.

If the element 3 validates the authenticity of the content of the zone 52, it responds (OK) to the microcontroller 2, which can then leave its hold state and execute the rest of the initialization from the contents of zone 52. Conversely, if the element 3 does not validate (NOK) the contents of the zone 52, it causes, via a switch K inserted on the supply line of the microcontroller 2, an interruption of this power supply. This forces the microcontroller to restart, and the steps described above are repeated. If the error came from a transient malfunction, the next run validates the start-up. On the other hand, if the code contained in the zone 52 is indeed problematic (whether as a result of an attack or of a memory fault), the microcontroller 2 restarts again and again, for example until the battery 18 is exhausted, or endlessly as long as the device 1 is plugged in, but without ever getting beyond the BOOT phase.

Preferably, at the start of the element 3 (BOOT eSE), the latter monitors the arrival of a request (the instruction INST) from the microcontroller 2. If this request does not arrive within a certain time, fixed with respect to the usual delay between start-up and the arrival of the request INST (for example on the order of one hundred milliseconds), the element 3 causes the interruption of the power supply of the microcontroller 2. This provides additional security in the event of a disruption of the BOOT program of the microcontroller.

FIG. 3 is a schematic representation illustrating another embodiment of a start-up sequence of the microcontroller of the electronic device of FIG. 1.
According to this embodiment, everything is done by message exchange between the microcontroller 2 and the security element 3, without necessarily acting on (interrupting) the power supply of the microcontroller. The start of the microcontroller 2 and of the security element 3 is triggered in the same way as in the previous embodiment, that is to say that at start-up (block 61, BOOT CPU) the microcontroller 2 causes the boot (block 62, BOOT eSE) of the security element 3. Once started, the element 3 waits for an instruction (WAIT). Here too, the verification of the content of the zone 52, or of the non-volatile memory areas (NVM) containing the code to be verified, is preferably carried out by a signature verification by the element 3.

According to the embodiment of FIG. 3, the code and the fixed data stored in the non-volatile memory 52, which constitute the initialization data of the microcontroller 2 once it has started, are encrypted. The encryption used is, for example, symmetric encryption of the AES type. However, the encryption key is not stored in the microcontroller 2 but in the security element 3.

Once the microcontroller 2 has started (end of block 61) and has instructed the element 3 to start, it generates a key (block 63, GEN KeyAESRDM), preferably a random number of the size of the AES key used for the code encryption. The microcontroller 2 then transmits this key KeyAESRDM to the security element. Preferably, this transmission uses a public-key mechanism, the microcontroller encrypting the key KeyAESRDM with the public key PUBLIC KEY of the algorithm (block 64, CIPHER KeyAESRDM (PUBLIC KEY)). Preferably, the microcontroller 2 does not store the random number KeyAESRDM in non-volatile memory: it is enough to keep this number in volatile memory, which reduces the risk of attack. Once the key KeyAESRDM has been transmitted, the microcontroller waits (WAIT).

Element 3 decrypts the key KeyAESRDM using the private key of the pair (block 65, DECIPHER KeyAESRDM) and stores it (block 66, STORE KeyAESRDM). The element 3 then decrypts (block 67, DECIPHER CODE (AESCodeKey)) the code contained in the zone 52 of the non-volatile memory of the microcontroller 2 (or associated with it) and computes and checks (block 68, COMPUTE/CHECK SIGNATURE) the signature of the code. If the signature is incorrect (output N of block 69, OK?), element 3 does not respond to the microcontroller 2 and the operation of the latter is blocked (STOP). If the signature is correct (output Y of block 69), element 3 encrypts the key AESCodeKey with the key KeyAESRDM (block 70, CIPHER AESCodeKey (KeyAESRDM)) and sends it to the microcontroller 2. The latter decrypts the key AESCodeKey (block 71, DECIPHER AESCodeKey) with the key KeyAESRDM. The microcontroller 2 then uses this key AESCodeKey to decrypt the code contained in the zone 52 and execute it (EXECUTE). However, the key AESCodeKey is not stored in non-volatile memory by the microcontroller 2. Thus, on the microcontroller 2 side, the number KeyAESRDM and the key AESCodeKey are only held in volatile storage elements (RAM, registers or other).

According to an alternative embodiment, the key AESCodeKey is generated by the security element 3 at each change of the signature of the code contained in the zone 52, that is to say at each modification of this code. According to another variant, during the manufacture of the circuits (of the microcontroller 2 and of the security element 3), the key AESCodeKey encrypting the memory 52 of the microcontroller is generated by the security element 3. This means that the key AESCodeKey varies from one device 1 to another. Preferably, the asymmetric key (public and private key pair) is unique per microcontroller 2/security element 3 pair.

Note that the two embodiments and their respective variants can be combined. For example, in the event of an authentication failure according to the second embodiment (output N of block 69, FIG. 3), provision can be made for the security element to interrupt the power supply of the microcontroller as in the embodiment described in connection with FIG. 2.

Various embodiments have been described. Various modifications will occur to those skilled in the art. In particular, the choice of the memory areas whose content must be verified depends on the application and may vary. In addition, the choice of the encryption processes for the information exchanged between the security element and the microcontroller also depends on the applications. Finally, the practical implementation of the described embodiments is within the abilities of those skilled in the art using the functional indications given above.
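The exchange of FIG. 3, combined with the power-cut outcome of FIG. 2, as an added simulation that is not the patent's own code nor code from Proton World International: the microcontroller draws KeyAESRDM and sends it under the security element's public key (blocks 63/64); the security element recovers it, decrypts zone 52 with AESCodeKey, checks the signature against the reference it holds (blocks 65 to 69) and, only on success, returns AESCodeKey wrapped under KeyAESRDM (block 70); the microcontroller unwraps it and decrypts zone 52 in RAM (block 71, EXECUTE). Everything the description leaves open is an assumption here: RSA-OAEP for the per-device key pair, AES-128 in CTR mode for zone 52 and for the key wrap, a SHA-256 digest kept inside the security element as the reference signature, the 16-byte key size, and a power cut modelled as an error returned by ColdBoot. The zone 52 content is a constructed sample.

```go
package main // added simulation of the patent's start-up exchange, not the patent's own code

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SecureElement is element 3. Assumed, since the patent leaves them open: RSA-OAEP
// for the per-device key pair and a SHA-256 digest as the stored reference signature.
type SecureElement struct {
	priv    *rsa.PrivateKey
	codeKey []byte   // AESCodeKey (AES-128), drawn inside the SE at manufacture
	refSig  [32]byte // reference signature of the authentic zone 52 content
}

// Microcontroller is element 2. Only the SE public key sits in immutable zone 51;
// KeyAESRDM and AESCodeKey are held in RAM and never written to non-volatile memory.
type Microcontroller struct {
	sePub              *rsa.PublicKey
	nvm                []byte // zone 52: 16-byte IV || AES-CTR(code); CTR alone gives no integrity
	keyAESRDM, codeKey []byte
}

func mustRand(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// ctr applies AES-CTR to an IV-prefixed blob. CTR is an XOR, so the same routine
// encrypts at provisioning, decrypts zone 52 at boot and wraps/unwraps AESCodeKey.
func ctr(key, blob []byte) ([]byte, error) {
	if len(blob) < aes.BlockSize {
		return nil, errors.New("blob shorter than its IV")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(blob)-aes.BlockSize)
	cipher.NewCTR(block, blob[:aes.BlockSize]).XORKeyStream(out, blob[aes.BlockSize:])
	return out, nil
}

// seal prefixes a fresh IV and encrypts data under key (sizes are fixed, so ctr cannot fail).
func seal(key, data []byte) []byte {
	iv := mustRand(aes.BlockSize)
	ct, _ := ctr(key, append(iv, data...))
	return append(iv, ct...)
}

// Provision is the manufacturing step: a key pair unique to this MCU/SE pair,
// AESCodeKey drawn by the SE, zone 52 encrypted, reference signature stored in the SE.
func Provision(code []byte) (*Microcontroller, *SecureElement) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	se := &SecureElement{priv: priv, codeKey: mustRand(16), refSig: sha256.Sum256(code)}
	return &Microcontroller{sePub: &priv.PublicKey, nvm: seal(se.codeKey, code)}, se
}

// BootRequest is blocks 63/64: draw KeyAESRDM and send it under the SE public key.
func (m *Microcontroller) BootRequest() ([]byte, error) {
	m.keyAESRDM = mustRand(16)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, m.sePub, m.keyAESRDM, nil)
}

// Check is blocks 65-70: recover KeyAESRDM, decrypt zone 52 with AESCodeKey, verify
// its signature, and only then release AESCodeKey wrapped under KeyAESRDM.
func (se *SecureElement) Check(encSession, nvm []byte) ([]byte, error) {
	session, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, se.priv, encSession, nil)
	if err != nil {
		return nil, err
	}
	code, err := ctr(se.codeKey, nvm)
	if err != nil {
		return nil, err
	}
	if sig := sha256.Sum256(code); !hmac.Equal(sig[:], se.refSig[:]) {
		return nil, errors.New("NOK: zone 52 signature mismatch") // output N of block 69
	}
	return seal(session, se.codeKey), nil
}

// Receive is block 71 and EXECUTE: unwrap AESCodeKey with KeyAESRDM, then decrypt zone 52.
func (m *Microcontroller) Receive(wrapped []byte) (code []byte, err error) {
	if m.codeKey, err = ctr(m.keyAESRDM, wrapped); err != nil {
		return nil, err
	}
	return ctr(m.codeKey, m.nvm)
}

// ColdBoot runs the exchange; the MCU is in WAIT until Check returns. A failed
// check is reported as the FIG. 2 outcome: switch K cuts the MCU's power.
func ColdBoot(m *Microcontroller, se *SecureElement) ([]byte, error) {
	req, err := m.BootRequest()
	if err != nil {
		return nil, err
	}
	wrapped, err := se.Check(req, m.nvm)
	if err != nil {
		return nil, fmt.Errorf("power cut via switch K: %w", err)
	}
	return m.Receive(wrapped)
}

func main() {
	mcu, se := Provision([]byte("configure memory zones, then open the eSE channel")) // constructed sample
	_, err := ColdBoot(mcu, se)
	fmt.Println("authentic zone 52:", err)
	mcu.nvm[len(mcu.nvm)-1] ^= 0x01 // an attacker rewrites one byte of reprogrammable zone 52
	_, err = ColdBoot(mcu, se)
	fmt.Println("tampered zone 52:", err)
}
```

Two points the simulation makes visible. First, the check is deliberately run after decryption, as in blocks 67 and 68: an attacker who rewrites zone 52 (or truncates it) never obtains AESCodeKey, and the only non-volatile secret on the microcontroller side is the public key in zone 51. Second, the wrap under KeyAESRDM is plain CTR here because the description only says "encrypt"; a deployment would use an authenticated mode (AES-GCM or similar) for both zone 52 and the wrapped key. The FIG. 2 timeout on the security element side (on the order of 100 ms) is not modelled.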
Claims:
Claims (11)

1. A method for verifying the authenticity of the contents of a non-volatile memory of an electronic device (1) comprising a microcontroller (2) and an embedded security element (3), comprising the following steps: starting (61) the microcontroller with instructions stored in a first, non-reprogrammable memory zone (51) associated with the microcontroller; starting (62) the security element, the security element holding a first key (AESCodeKey) for decrypting the content of a second, reprogrammable non-volatile memory zone (52) associated with the microcontroller; executing (68), by the security element, a signature check of the contents of the second zone; and, if the signature is verified, sending (70) the first key from the security element to the microcontroller.
2. The method according to claim 1, wherein the microcontroller (2) generates (63) a second key (KeyAESRDM) and transmits it to the security element (3), which uses it to encrypt (70) the transmission of the first key (AESCodeKey) to the microcontroller.
3. The method according to claim 2, wherein the transmission of the second key (KeyAESRDM) uses an asymmetric public-key algorithm.
4. The method according to claim 3, wherein the asymmetric encryption key is unique per microcontroller (2)/security element (3) pair.
5. The method according to any one of claims 1 to 4, wherein the first key (AESCodeKey) is not stored in non-volatile memory in the microcontroller (2).
6. The method according to any one of claims 1 to 5, wherein the microcontroller (2) waits for a response from the security element (3) before executing instructions contained in the second zone (52).
7. The method according to any one of claims 1 to 6, wherein, in the case of an authorized update of the content of the second zone (52), the signature stored in the security element (3) is modified accordingly.
8. The method according to any one of claims 1 to 7, wherein the first key (AESCodeKey) is generated by the security element (3).
9. The method according to any one of claims 1 to 8, wherein the power supply of the microcontroller (2) is interrupted if the signature is not verified by the security element (3).
10. An electronic device comprising: a microcontroller (2); and an embedded security element (3), the microcontroller and the security element being adapted to implement the method according to any one of claims 1 to 9.
11. The device according to claim 10, wherein an intermediate circuit (4) is interposed between the microcontroller (2) and the security element (3).
Patent family:
Publication number | Publication date
EP3166095A1 | 2017-05-10
CN106650456B | 2020-03-13
US20170124330A1 | 2017-05-04
US10157281B2 | 2018-12-18
CN111310209A | 2020-06-19
FR3043229B1 | 2018-03-30
US20190073480A1 | 2019-03-07
CN106650456A | 2017-05-10
US11086999B2 | 2021-08-10
Legal status:
2016-10-20 | PLFP | Fee payment | Year of fee payment: 2
2017-05-05 | PLSC | Publication of the preliminary search report | Effective date: 20170505
2017-10-20 | PLFP | Fee payment | Year of fee payment: 3
2017-11-17 | CA | Change of address | Effective date: 20171011
2018-10-24 | PLFP | Fee payment | Year of fee payment: 4
2019-11-19 | PLFP | Fee payment | Year of fee payment: 5
2020-10-21 | PLFP | Fee payment | Year of fee payment: 6
Priority:
Priority application: FR1560510, filed 2015-11-03
Application number | Publication number | Priority date | Filing date | Title
FR1560510A | FR3043229B1 | 2015-11-03 | 2015-11-03 | SECURE STARTING OF AN ELECTRONIC CIRCUIT
EP16161516.6A | EP3166095A1 | 2015-11-03 | 2016-03-22 | Secure starting of an electronic circuit
CN202010093707.7A | CN111310209A | 2015-11-03 | 2016-03-31 | Secure start-up of electronic circuits
CN201610201141.9A | CN106650456B | 2015-11-03 | 2016-03-31 | Safe starting method of electronic circuit and electronic equipment
US15/139,205 | US10157281B2 | 2015-11-03 | 2016-04-26 | Secure starting of an electronic circuit
US16/184,886 | US11086999B2 | 2015-11-03 | 2018-11-08 | Secure starting of an electronic circuit