RussianPatents.com

Portable data carrier with protection from unsanctioned access, provided due to separation of key on several portions

IPC classes for Russian patent "Portable data carrier with protection from unsanctioned access, provided due to separation of key on several portions" (RU 2251218):

H04L9/30 - Public key, i.e. encryption algorithm being computationally infeasible to invert and users' encryption keys not requiring secrecy

FIELD: data carriers.

SUBSTANCE: the data carrier is designed so that, for operations important to data protection, confidential data stored in the chip memory or generated by the chip are split into at least three portions. A processor is provided for calculating a random number and for dividing the confidential data by this random number; the first portion of the data is the integer result of this division, and the third portion is the random number itself.

EFFECT: higher quality of data protection.

3 cl, 1 dwg

 

The present invention relates to a data carrier with a chip intended for the storage and processing of sensitive or classified information.

Chip data carriers are used in many different ways, for example for financial transactions, to pay for goods and services, and also as a means of identification in access control systems, including access to premises. In all these applications the chip of the data carrier normally processes confidential information that must be protected from unauthorized access by third parties. Such protection is provided, among other things, by the fact that the internal structures of the chip are extremely small, which makes it difficult to access them in order to read out the processed data without authorization. In addition, to further complicate unauthorized access, the chip can be embedded in a strongly adhering compound; an attempt to remove it by force destroys the integrated circuit (IC) die, or at least all of the confidential information stored in it. Likewise, the IC die can be covered at the manufacturing stage with a protective layer that cannot be removed without destroying the die.

However, with appropriate technical means, which despite their extremely high cost are in principle available, an attacker may be able to open the chip and examine its internal structure. Access to the internal structure can be gained, for example, by removing the protective coating with a special etching technology or by grinding it off with a suitable tool. The structural elements of the chip exposed in this way, such as conductive paths, can be contacted with microprobes or examined in some other way to determine the shape of the signals they carry. The detected signals can then be used to try to extract confidential information held in the data carrier, such as secret keys, for illegal use. In addition, there may be attempts to deliberately influence the signals passing through the exposed structural elements of the chip by means of the microprobes.

In addition, methods have recently become known that identify confidential data, above all the secret key used for encryption, by measuring current consumption or timing during encryption (see Paul C. Kocher, "Timing Attacks on implementation of Diffie-Hellman, RSA, DSS, and other Systems", published by Springer Verlag 1998; WO 99/35782).

The simplest of these methods of gaining unauthorized access to confidential information is simple power analysis (SPA). It can be illustrated by the following example, in which a known message M is encrypted with the secret key d, i.e. a ciphertext of the form $Y = M^{d} \bmod n$ is formed. During modular exponentiation, where a bit of the exponent d is "1" the intermediate result is squared and multiplied by M, whereas where a bit of d is "0" the intermediate result is only squared. When M is known, analysis of the current and/or timing that accompany these operations makes it possible to detect when the message M is used. Because this message is always used where there is a "1" in d, the secret key itself can be identified without any difficulty.

Such an attempt to gain unauthorized access to the data is quite easy to prevent by making certain changes to the message M or to the key d. However, the publication by Paul C. Kocher, "Timing Attacks on implementation of Diffie-Hellman, RSA, DSS, and other Systems", published by Springer Verlag, 1998, and the application WO 99/35782 also describe other methods of analysis that make it possible to identify the key even when the message or the key has been modified, i.e. encoded ("masked"), by experimentally recording many curves whose shape indicates how the current in the integrated circuit (IC) changes over time: so-called differential power analysis (DPA) and higher-order differential power analysis (Higher Order DPA).

As a protective measure against such attempts to gain unauthorized access to information, so-called "masking or hiding of the exponent" ("Exponent Blinding") was proposed, in which the secret key d is not used directly.

Thus, in particular, this method proposes to use for encryption, instead of the secret key d, the expression $d + r \cdot f$, where r is a random number and f is the Euler function. Specifically for the RSA algorithm (the Rivest-Shamir-Adleman digital signature algorithm) the following applies: $n = p \cdot q$, where p and q are prime numbers, and thus $f = (p-1) \cdot (q-1)$. Applying Euler's theorem gives the following expression: $M^{d} \bmod n = M^{d + r \cdot f} \bmod n$. If a different random number r is used for each calculation, key d cannot be identified even as a result of multiple attempts to analyze the computation.

In another embodiment, the secret key d can be decomposed into an expression of the form $d_1 \cdot d_2 \bmod f$. In this case the following expression is used for encryption: $Y = M^{d_1 \cdot d_2 \bmod f} \bmod n = (M^{d_1})^{d_2} \bmod n$.

However, the drawback of this method of protecting the key is that, for lack of memory, the prime numbers p and q or f are usually not stored in the memory of the chip card.

The secret key d can also be decomposed into the sum of d1 and d2. In this case $d = d_1 + d_2$, and the following expression is used for encryption:

$$Y = M^{d_1 + d_2} \bmod n = M^{d_1} \cdot M^{d_2} \bmod n = (M^{d_1} \bmod n \cdot M^{d_2} \bmod n) \bmod n.$$

To ensure a high degree of data protection when the exponent is decomposed into an expression of the form $d = d_1 + d_2$ or $d = d_1 \cdot d_2 \bmod f$, a new random pair d1/d2 must be used for each calculation. Since generating random numbers is usually a slow process, this method is not suitable for use in chip cards. In addition, it significantly increases the time spent on the calculations associated with modular exponentiation, which also speaks against using this method in chip cards.

Based on the foregoing, the object of the present invention was to develop a way to protect confidential data contained in the chip of a portable data carrier from unauthorized access, while keeping the use of such data as efficient as before.

With respect to the subject matter specified in the preambles of claims 1, 7 and 12, this problem is solved according to the invention by the characterizing features presented in those claims.

The present invention proposes a data carrier with a chip having at least one memory that stores an operating program containing multiple commands, where the execution of each command is accompanied by signals detectable from outside the chip. According to the invention, such a data carrier is designed so that, in order to perform operations important to data protection, it splits confidential data stored in the chip memory or generated by the chip into at least three parts. The data carrier has a processor, i.e. a computing device, for calculating a random number and for dividing the confidential data by this random number. The first part of the data is the integer result of the division, the second part of the data is the remainder of the division, and the third part of the data is the random number itself.

According to one of the preferred embodiments of the invention, the confidential data is a secret key for encrypting messages; this key is preferably used as the exponent in calculations associated with the execution of group operations in asymmetric encryption methods (public key cryptography algorithms, such as algorithms based on elliptic curves, the RSA algorithm, etc.) or with modulo operations.

In accordance with a further embodiment of the invention, the random number is chosen so that the length of this random number together with its Hamming weight is approximately constant for different random numbers. This approach rules out revealing the confidential data by analyzing the time spent on modular exponentiation, which is proportional to the length of the exponent and its Hamming weight.

In the method proposed in the invention, the secret key is divided by a relatively short random number. The result of this division, without the remainder, is the first part of the key, the remainder of this division is the second part of the key, and the random number is the third part.

To encrypt the message M, an expression of the form $Y = M^{d} \bmod n$ is used. The secret key d is divided into d1, d2 and r, where $d_1 = d / r$ (r is a random number), disregarding the remainder of this division. The remainder of this division forms the second part d2 of the key d, so $d_2 = d \bmod r$. Thus the following expression holds for the key d: $d = r \cdot d_1 + d_2$.

As a result of the preceding operations, the encrypted message takes the following form:

$$Y = M^{d} \bmod n = M^{r \cdot d_1 + d_2} \bmod n = (M^{r})^{d_1} \cdot M^{d_2} \bmod n = \left( (M^{r})^{d_1} \bmod n \cdot M^{d_2} \bmod n \right) \bmod n.$$

The process of forming the encrypted message Y is illustrated in the drawing accompanying the description.

First, in step 1 a random number r is generated (RND r). Then, in step 2, the first part d1 of the key is calculated by dividing the secret key d by the random number r generated in the previous step. The second part d2 of the key is formed as d mod r.

The calculation of the ciphertext begins in step 4, which first calculates $M^{r} \bmod n$. In the next step 5 the expression $D_1 = (M^{r})^{d_1} \bmod n$ is evaluated, and then in step 6 the expression $D_2 = M^{d_2} \bmod n$.

Obviously, the order in which the individual computational operations are executed can be partially changed. For example, $M^{d_1} \bmod n$ can be calculated first and then $(M^{d_1})^{r} \bmod n$, since $(M^{r})^{d_1} \bmod n = (M^{d_1})^{r} \bmod n$.

In the last step 7 the intermediate results D1 and D2 are multiplied and the product is reduced modulo n. Thus the following applies: $D_1 \cdot D_2 \bmod n = M^{d} \bmod n = Y$.

The advantage of the proposed invention is that the chip card does not need to store the prime numbers p and q required to form f, and that there is no need to generate a long random number, which takes considerable computing time. In addition, the computing time for the modulo operations can be kept within acceptable limits, so that the proposed solution can be used in a chip card efficiently and with a high degree of reliability. Furthermore, the method described above requires no changes to the data stored in the non-volatile memory of the data carrier, which would otherwise take time and would slow down the non-volatile memory.

Because the time spent on modular exponentiation is proportional to the length of the exponent and its Hamming weight, the level of data protection can be increased further if the random number r is generated by an approach that produces random numbers r of constant length and constant Hamming weight.
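The seven steps of the drawing and the fixed-length, fixed-Hamming-weight choice of r can be followed in code. This Python sketch is an added example, not part of the patent text; the toy key, the 32-bit/weight-16 parameters for r, the function names and the check that r is shorter than d are assumptions of the example.

```python
import secrets

# Constructed toy RSA key (two Mersenne primes; far too small for real use).
# P and Q are used only to build D here; the splitting code never needs
# them or f = (p-1)(q-1).
P, Q = 2**61 - 1, 2**31 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def random_r(bits=32, weight=16):
    """Short random r with fixed bit length and fixed Hamming weight."""
    if not 1 <= weight <= bits:
        raise ValueError("need 1 <= weight <= bits")
    r = 1 << (bits - 1)                 # top bit set: length is always `bits`
    free = list(range(bits - 1))        # remaining bit positions
    for _ in range(weight - 1):
        # pop() removes the chosen position, so no bit is picked twice
        r |= 1 << free.pop(secrets.randbelow(len(free)))
    return r


def split_key(d, r):
    """Steps 2-3: d1 = d // r, d2 = d mod r, so that d = r*d1 + d2."""
    if r <= 0:
        raise ValueError("r must be positive")
    # Check added by this example: if r is not shorter than d the quotient
    # is 0 or 1, and with quotient 0 the remainder d2 is d itself.
    if r.bit_length() >= d.bit_length():
        raise ValueError("r must be shorter than d")
    d1, d2 = divmod(d, r)
    return d1, d2


def split_modexp(m, d, n, r=None, swap_order=False):
    """M^d mod n computed from the three parts (d1, d2, r) only."""
    if r is None:
        r = random_r()                          # step 1: fresh r per call
    d1, d2 = split_key(d, r)                    # steps 2-3
    if swap_order:
        part1 = pow(pow(m, d1, n), r, n)        # (M^d1)^r mod n
    else:
        m_r = pow(m, r, n)                      # step 4: M^r mod n
        part1 = pow(m_r, d1, n)                 # step 5: D1 = (M^r)^d1 mod n
    part2 = pow(m, d2, n)                       # step 6: D2 = M^d2 mod n
    return (part1 * part2) % n                  # step 7: D1 * D2 mod n


def demo(m=123456789, runs=5):
    """Run the split exponentiation several times against the direct one."""
    direct = pow(m, D, N)
    seen = []
    for _ in range(runs):
        r = random_r()
        d1, d2 = split_key(D, r)
        assert r * d1 + d2 == D
        assert split_modexp(m, D, N, r) == direct
        assert split_modexp(m, D, N, r, swap_order=True) == direct
        seen.append((d1, d2, r))
    return direct, seen


if __name__ == "__main__":
    y, parts = demo()
    print("Y =", y)
    for d1, d2, r in parts:
        print(f"r={r:#010x} d1={d1:#x} d2={d2:#x}")
```

Each run prints a different triple (d1, d2, r) for the same Y, and every r has the same bit length and Hamming weight.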

The solution proposed in the invention can be applied in a wide variety of encryption systems. Examples include the RSA algorithm, ElGamal encryption, the DSA algorithm (digital signature algorithm), systems based on elliptic curves, etc.

1. A data carrier with a chip having at least one memory that stores an operating program containing multiple commands, where the execution of each command is accompanied by signals detectable from outside the chip, characterized in that it is designed so that, in order to perform operations important to data protection, it splits confidential data stored in the chip memory or generated by the chip into at least three parts, and has a processor for calculating a random number and for dividing the confidential data by this random number, wherein the first part of the data is the integer result of this division, the second part of the data is the remainder of this division, and the third part of the data is the random number itself.

2. The data carrier according to claim 1, characterized in that the confidential data is a secret key for encrypting messages.

3. The data carrier according to claim 1 or 2, characterized in that the confidential data is used as the exponent in calculations associated with the execution of group operations in asymmetric encryption methods.

4. The data carrier according to any one of claims 1 to 3, characterized in that the confidential data is used as the exponent in calculations associated with modulo operations.

5. The data carrier according to any one of claims 1 to 3, characterized in that the secret key is used as the exponent in calculations associated with modulo operations.

6. The data carrier according to any one of claims 1 to 5, characterized in that the random number is chosen so that the length of this random number together with its Hamming weight is approximately constant for different random numbers.

7. A method for protecting confidential data on a data carrier with a chip having at least one memory that stores an operating program containing multiple commands, where the execution of each command is accompanied by signals detectable from outside the chip, characterized in that, in order to perform operations important to data protection, confidential data stored in the chip memory or generated by the chip is split into at least three parts, a random number first being calculated, wherein the first part of the data is the integer result of dividing the confidential data by this random number, the second part of the data is the remainder of this division, and the third part of the data is the random number itself.

8. The method according to claim 7, characterized in that the confidential data is a secret key for encrypting messages.

9. The method according to claim 7 or 8, characterized in that the confidential data is used as the exponent in calculations associated with the execution of group operations in asymmetric encryption methods.

10. The method according to claim 7 or 8, characterized in that the confidential data is used as the exponent in calculations associated with modulo operations.

11. The method according to claim 7 or 8, characterized in that the secret key is used as the exponent in calculations associated with modulo operations.

12. The method according to any one of claims 7 to 11, characterized in that the random number is chosen so that the length of this random number together with its Hamming weight is approximately constant for different random numbers.

13. A method of forming an encrypted message in a system for authenticating system components or for forming a digital signature, characterized in that a random number r is generated, the first part (d1) of the key is calculated by dividing the secret key d by the generated random number r, the second part (d2) of the key is obtained by the operation d mod r, the formation of the encrypted message is begun, for which $M^{r} \bmod n$ is calculated, then $D_1 = (M^{r})^{d_1} \bmod n$ and $D_2 = M^{d_2} \bmod n$ are calculated, and then the intermediate results D1 and D2 are multiplied and the value modulo n is found.

14. The method according to claim 13, characterized in that, when calculating D1, $M^{d_1} \bmod n$ is calculated first and then $(M^{d_1})^{r} \bmod n$.

 
