Title of Invention

"METHOD FOR GENERATING A ROOT KEY IMPLEMENTED BY A SECURE MODULE"

Abstract Method for generating a root key implemented by a secure module (MOD) comprising a central unit (CPU) accessing to a first memory zone (Zl) and at least to a second memory zone (Z2) containing all or part of a user program and data (DTA), the user program accessing only to the second memory zone (Z2), the method comprising the steps of: reading by the central unit (CPU) all or part of the content of the second memory zone (Z2), generating at least one root key (RK) based on all or part of the content of the second memory zone (Z2) previously read and on at least one item of secret information (MK2, RTN) stored in the first memory zone (Zl). Fig. 1
Full Text The present invention relates to method for generating a root key implemented by a secure module.
This invention concerns the domain of security modules including at least one central unit and two memory areas.
These units are used in operations implementing cryptographic systems and are given in monolithic form, they are either produced on the same silicon chip or they are assembled on a support and embedded in a resin or protected by a sheet covering the different elements and acting as a fuse in the case of an attempted intrusion.
These security processors have a first memory zone called a bootstrap zone that is executed during the activation of the processor or at each initialisation. This memory is of the ROM type, namely that it is Read Only Memory.
During the execution of the start-up program, this program verifies the second memory zone that is of the rewritable type, usually of the EEPROM, NVRAM or Flash type.
This verification is important as it serves to ensure that the data in this second zone is valid, namely that it is definitely a program (at least in part).
This verification can be carried out in various ways such as the calculation of an imprint (CRC, Hash) and the comparison of this imprint with a value stored in the same zone.
Once the master program that has been initially started, completes its verification, it switches to the second zone and begins the execution of the user program at a conventional address.
The particularity of this type of processor is that at the time of the execution of the program in the second zone, it does not have free access to the memory of the first zone. This access is either definitively prohibited or is subject to a verification mechanism (password for example).

This limitation offers important security because the verification means, as well as the start-up data, are not accessible to the user program. All the data contained in the first zone is thus protected from any intrusion.
It is possible that this first bootstrap zone, in addition to having a part in read-only memory (ROM), includes a rewritable part of memory that is subjected to the same security conditions.
When the first zone is of a very limited size, the execution of the verification program can be carried out from the second zone. The latter is divided into a verification part and a user part.
Therefore, the verification of the user program is carried out on the basis of the data of the first zone, namely on the basis of a first key that is generally stored in said first zone and which allows the verification of the data imprint of the second zone.
The second zone contains data constituting the program and a signature that is encrypted by this first key.
The verification program that can either be in the first zone, or in a verification part of the second zone, calculates a unique imprint (Hash, CRC) on the data to be verified.
To verify that the data is correctly validated, the second zone contains the imprint encrypted by a key that is initially stored in the first zone. This key is used to decrypt the encrypted imprint and the result obtained is compared with the calculated imprint.
This key can be in the first zone either in a definitive form (ROM) or in the programmed form (EEPROM or Flash). In this second case, programming is carried out during the manufacture step or in an authorized centre, the program of the first zone accepts this writing as long as no other key is already found in this memory location.
This key can be of the symmetrical type and thus secret or it can be of the asymmetrical type. In this second variant, this key can be found in a memory zone other than the first zone because even if a third party discovered this key, said third party would not be able to identify a modified data set because he must have the corresponding private key to identify said data. Obviously, this key is kept secret by the management centre that is responsible for preparing the updating of the data.
The data of the second memory zone can represent either one or several programs, either important data such as rights or decryption keys, or a combination of both.
One of the known types of attacks used to discover the contents of the second zone is to search a security defect such as a memory overflow that allows control to be taken on the processor. Once control has successfully been taken, a third party transfers the contents of the second zone towards the exterior and is able to analyse the security mechanism and the keys used.
Using the knowledge of the contents of the second memory zone, said third party has the keys serving to manage the different rights and access to services that control this processor.
Therefore, if a change of keys takes place, managed by the management centre, this change command will be encrypted by a key present in the second memory zone. The third party, who has knowledge of this key, can decrypt this message and also update the contents of this new key.
Therefore, it is apparent that while a secure mechanism has been used to verify the contents of the program zone (second zone), once security has been violated, none of the changes initiated by the management centre have an effect on security because the changing means (new transmission key for example) use keys that the third party already has in his possession. He can thus decipher
the updating message and also change its transmission key. The breach cannot be stopped even if the security breach has been corrected in the application.
The object of this invention is to propose a method to restore the security of this type of security set once the contents of the second memory zone have been read by a third party.
This aim is achieved using a method for generating a security key carried out by a security module comprising a central unit, a first conditional access memory zone and at least one second memory zone containing all or part of the user program, wherein it includes the following steps:
- reading all or part of the second memory zone,
- generating at least one root key based on all or part of the data of the second
zone and at least of some secret information stored in the first memory zone.
Therefore, thanks to the generation of this new root key, it will be possible to secure the replacement of the transmission key and in the same way, of all the keys transmitted subsequently.
It is important that this root key is never constant and must for that reason be different from any key stored in the first memory zone such as the factory key. For this reason said root key is generated as a variable using the new data transmitted by the management centre.
In a first version, this new key is generated without the data of the second zone necessarily being verified. If this data has been modified, the root key will simply be false and the future decryption of a transmission key with this key will not give the correct result.
This root key thus depends on one hand on the downloading or contents of the second memory (or data) and on the other hand on a key stored in a location inaccessible to a third party.
According to another embodiment, the factory key is replaced by a secret program stored in the first zone that calculates, according to a secret algorithm, an imprint on all or part of the second zone data. The manipulation of the data (combination, multiplication, division, EXOR etc..) of the second zone according to a particular algorithm allows the root key to be determined.
The invention will be better understood thanks to the following detailed description and which refers to the enclosed drawings that are given as a non-limitative example, namely:
- Figure 1 describes the organization of a secure processor set,
Figure 2 shows a division of the second zone,
- Figure 3 describes the mechanism for generating the root key.
In Figure 1, the module MOD is a secure processor module. For this reason, it disposes of at least two memory areas namely the first zone Z1 and the second zone Z2. The first zone is made up of all or part ROM memory and is thus not rewritable. It is possible for a part to comprise of memories in RAM or EEPROM for variables among other things. This is called conditional access due to the fact that it is not freely accessible, in particular during the execution of a program in the second zone.
The second zone Z2 contains the processing program and the data. This zone is made up of a non-volatile memory but with the possibility of writing such the EEPROM. Zone Z2 can also contain a volatile memory such as the RAM. In fact, this zone is not generally homogeneous and can comprise several memories of the ROM, RAM, EEPROM, NVRAM and FLASH type.
In our example, a first part of zone 2 called a work zone Z2A is taken into consideration that serves to carry out operations related to the generation of the root key.
User area Z2B is a schematic view of the part containing the processing program(s). According to the implementation method, it is possible to include variables such as security keys for example.
The processor CPU is automatically routed in the first zone Z1 during initialisation or resetting. It is at this point that the first security operations are carried out.
These operations use the first memory zone, but also the work zone Z2A if necessary. Due to the limited area of the first zone, messages are sent to the work zone to carry out the calculation of the imprint for example. The routine that allows the calculation of this imprint can be found in the second zone. Nothing impedes this routine forming part of the data that will be verified. This program is called the system program
The initialisation program launched at the start, calculates an imprint on the conventional part of the data to be verified. This part is defined by pointers contained in the second memory zone. An illustration of the portion mechanism of the user zone Z2B is contained in Figure 2.
The taking into account of data forming the imprint can be made on all or on a part of the user zone. In practice, this imprint will preferably be calculated on the program part and not on the data part (visualization rights for example) since the latter are susceptible to modification during the use of the user program. The identification program of the imprint initialised at the boot of the system, calculates said imprint on the predetermined part of the data to be verified. This part is defined by pointers contained in the second memory zone, in particular in the portion DBS in Figure 2.
Within the scope of the invention, this imprint is carried out by a unidirectional operation which is a mathematical operation H of a source set towards a destination set, in which each element x of the source set is attributed with an image H(x). These functions are particularly useful when they are so-called Hash
functions, such as that which is defined in page 27 of the work RSA Laboratories' Frequently Asked Questions About Today's s Cryptography, v4.0. Element x can be of any length but H(x) is always a fixed length of characters, namely a fixed-size string. This type of function is difficult to invert, that is to say that the knowledge of H(x) does not in general allow the discovery of x. Furthermore, it is collision free since it is an injective function, that is to say that H(y)=H(x) necessarily leads to y=x, similarly H(y) ^H(x) necessarily leads to y ^x.
It is considered impossible to reproduce the same control information H as soon as a single value of the set x has been modified even if other values are modified with the aim of invalidating the modification generated by the first modification.
In Figure 2, the user zone Z2B in Figure 1 is divided into several portions PA, PB and PC. These portions are not adjacent in this example and are separated by portions PI that do not affect the calculation of the imprint. The information describing these different portions is contained in portion DES that also forms part of the user zone Z2B. It contains the indications of memory locations involved in the calculation of the control information. These indications can be either in the form of a "start pointer" and "length" or "start pointer" and "end pointer".
Furthermore, it is possible to have not just one but several items of control information, each item of information H1, H2, Hn is applied on a portion PA, PB or Pn. This allows the generation of not only one root key but several keys.
In Figure 1 the I/O block illustrates the means of communication towards the exterior of the module MOD, indispensable means for using the cryptographic functions and the rights stored in the memory Z2B. It is also in this way that the data is accidentally extracted from the zone Z2 by a defect such as that described previously.
In Figure 3, the generation of the root key is schematised. The data DTA that, according to the example in Figure 2, is made up of portions PA, PB and PC,
serves to calculate with the processor the imprint that is in our case control information Hash. To calculate the root key RK, this control information H and a factory key MK2 are used to obtain said root key RK by the intermediary of an encryption module ENC, This secret key will be of the symmetrical type (or used symmetrically by the managing centre) since in the contrary case it would not be the same resultant root key in the managing centre and in the module MOD.
It should be noted that if the contents of the user part Z2B already have an established imprint when the conformity of the program stored is verified, it is possible to use said imprint in place of the control information H. The important factor in this operation is the use of data that represents all or part of the data DTA. In a variant, it is possible to select one from three octets, for example, to identify the data that will be encrypted by the factory key MK2.
According to another embodiment, the factory key is replaced by a secret algorithm (RTN) that is stored in the first zone Z1. Said algorithm can be copied from this first zone towards the work zone Z2A during the initialisation phase if necessary.
According to a particular method this algorithm combines all or part of the data DTA in order to obtain a unique result depending on said data. This combination can implement different arithmetical operations such as multiplication, Exor etc.
Once this root key has been calculated, it is stored in a memory zone of the second zone Z2.
The location of the execution of these method steps is not identified. The program in the bootstrap zone can simply copy the factory key in a temporary memory zone and the root key generation program, called the system program, can be contained in the work zone Z2A. The important factor is the storage of this factory key in the first zone Z1 in order to render it inaccessible during the normal execution of the user program.
Once the root key has been generated, the factory key is eliminated from the temporary memory.
According to one of the practical applications, the management centre that is responsible for security, prepares new software in order to avoid a known defect such as an attack by a counterfeiter aiming to extract the data of the zone Z2. This new software is signed, that is to say that the Hash function is calculated on the data and the result is encrypted with the private key MK1.
All is then encrypted by transmission keys and transmitted in the form of messages to security modules MOD.
The program existing in the user zone Z2B processes the incoming data and decrypts the messages by means of one or several system transmission keys. The data is then stored in locations provided for that purpose. Once this downloading has been completed the processor activates a re-start function. This allows all the newly stored data to be verified.
This verification in general refers to the set of stored programs and said verification is carried out according to the steps described above. If the hypothesis of a third party with an insecure module MOD is considered, the first memory zone Z1 does not exist (or is blank) and the processor immediately starts in the second zone 22. The new program received from the management centre is decrypted by the third party and the user zone is therefore identical to that of a secure processor with double memory zones.
During the start-up of the secure processor, the root key is generated and is used to decrypt the new transmission key. The fictitious module does not have this root key and cannot decrypt the transmission key. At this point, the messages exchanged between the management centre and the security module are no longer accessible to the fictitious module. If the latter attempts to rediscover the root key by means of an attack of the type that would allow it to obtain the contents of the second zone, this attack would no longer work since the aim of
this new software is precisely to avoid this type of fraud. The secure module rediscovers the security level preceding the attack that had allowed the data extraction.
Therefore, this method allows a security defect to be rectified remotely and the original security to be reset without having to exchange all the modules as was often the case.
As indicated above, access to the first zone Z1 is carried out at the start-up of the microprocessor or after a verification mechanism. During the scenario described above, it is possible not to activate the resetting of the microprocessor and request access to the first zone by means of a gateway. Once the entrance has taken place by means of this requested gateway (by the introduction of a password for example), the execution of the program is no longer visible since the second zone is thus unknown to a third party having recopied this zone. The program initiated in this way starts the generation of the root key.
The conditional access memory zone Z1 cannot supply the necessary secret data to form the root key. In this configuration, the program of the user zone Z2, only has access to the first zone Z1 to read the data for the calculation of the root key. During these operations, the visibility duration of the first zone will be limited to the time necessary for reading, this zone will then be made inaccessible.
According to one embodiment, the factory key makes a set of keys. At each generation of a root key, a factory key is deactivated. The selection of the key to be used can be carried out in different ways, namely:
- on the command of the management centre, that is to say by a descriptor in the
definition data DES,
- by using the n last bits of the imprint (for example 3 bits) that allows said bits to
choose from among the keys (for example 8 keys) stored.













Method for generating a root key implemented by a secure module (MOD) comprising a central unit (CPU) accessing to a first memory zone (Zl) and at least to a second memory zone (Z2) containing all or part of a processing instructions and data (DTA), the processing instructions accessing only to the second memory zone (Z2), the method comprising the steps of: reading by the central unit (CPU) all or part of the content of the second memory zone (Z2), generating at least one root key (RK) based on all or part of the content of the second memory zone (Z2) previously read and on at least one item of secret information (MK2, RTN) stored in the first memory zone (Zl).
Fig. 1






WE CLAIM:
1. Method for generating a root key implemented by a secure module
(MOD) comprising a central unit (CPU) accessing to a first memory zone (Zl)
and at least to a second memory zone (Z2) containing all or part of a
processing instructions and data (DTA), the processing instructions
accessing only to the second memory zone (Z2), the method comprising the
steps of:
- reading by the central unit (CPU) all or part of the content of the second memory zone (Z2),
- generating at least one root key (RK) based on all or part of the content of the second memory zone (Z2) previously read and on at least one item of secret information (MK2, RTN) stored in the first memory zone (Zl).

2. Method as claimed in claim 1, wherein the secret information is a factory key (MK2).
3. Method as claimed in claim 1, wherein it consists in determining at least one item of control information (H) representative of all or part of the data (DTA) of the second zone (Z2), this control information (H) being used for the generation of the root key (RK).
4. Method as claimed in claim 3, wherein the control information (H) is the result of a function (Hash) called unidirectional and without collision, executed on all or part of the data of the second memory zone (Z2).

5. Method as claimed in claim 4, wherein the second zone (Z2) includes furthermore a description part (DES) comprising the location of the memory zone(s) determining the formation of the control information (H).
6. Method as claimed in claim 5, wherein this description part (DES) includes a plurality of location information for each part (PA, PB, PC) of the user memory zone (Z2B) corresponding to partial control information (HI, H2 H2... Hn).
7. Method as claimed in claim 2, wherein the factory key (MK2) is of the symmetrical type.
8. Method as claimed in claim 1, wherein the second zone (Z2) includes a verification zone (Z2A) and a user zone (Z2B), the programs contained in the verification zone (Z2A) are in charge of the verification of the data in the user zone (Z2B), the central unit (CPU) transferring the necessary data from the first zone towards the verification zone (Z2A).
9. Method as claimed in claim 8, wherein the factory key (MK2) is copied from the first zone (Zl) towards the verification zone (Z2A) by the central unit (CPU).
10. Method as claimed in claim 9, wherein the factory key is eliminated when the root key is generated.
11. Method as claimed in claim 1, wherein the root key (RK) is used as the transmission key to decrypt the messages originating from a management centre.

Documents:

5321-DELNP-2005-Abstract-(03-11-2008).pdf

5321-DELNP-2005-Abstract-(16-02-2009).pdf

5321-DELNP-2005-Abstract-(18-12-2008).pdf

5321-delnp-2005-abstract.pdf

5321-DELNP-2005-Claims-(03-11-2008).pdf

5321-DELNP-2005-Claims-(16-02-2009).pdf

5321-DELNP-2005-Claims-(18-12-2008).pdf

5321-delnp-2005-claims.pdf

5321-DELNP-2005-Correspondence-Others-(03-11-2008).pdf

5321-DELNP-2005-Correspondence-Others-(16-02-2009).pdf

5321-DELNP-2005-Correspondence-Others-(18-12-2008).pdf

5321-DELNP-2005-Correspondence-Others-(20-02-2009).pdf

5321-delnp-2005-correspondence-others.pdf

5321-DELNP-2005-Description (Complete)-(03-11-2008).pdf

5321-delnp-2005-description (complete).pdf

5321-DELNP-2005-Drawings-(03-11-2008).pdf

5321-delnp-2005-drawings.pdf

5321-DELNP-2005-Form-1-(03-11-2008).pdf

5321-delnp-2005-form-1.pdf

5321-delnp-2005-form-18.pdf

5321-DELNP-2005-Form-2-(03-11-2008).pdf

5321-DELNP-2005-Form-2-(16-02-2009).pdf

5321-delnp-2005-form-2.pdf

5321-DELNP-2005-Form-3-(03-11-2008).pdf

5321-delnp-2005-form-3.pdf

5321-delnp-2005-form-5.pdf

5321-DELNP-2005-GPA-(03-11-2008).pdf

5321-delnp-2005-gpa.pdf

5321-delnp-2005-pct-210.pdf

5321-DELNP-2005-Petition-137-(03-11-2008).pdf

5321-DELNP-2005-Petition-138-(03-11-2008).pdf


Patent Number 231526
Indian Patent Application Number 5321/DELNP/2005
PG Journal Number 13/2009
Publication Date 27-Mar-2009
Grant Date 05-Mar-2009
Date of Filing 21-Nov-2005
Name of Patentee NAGRACARD SA.,
Applicant Address ROUTE DE GENEVE 22, CH-1033 CHESEAUX-SUR-LUASANNE, SWITZERLAND,
Inventors:
# Inventor's Name Inventor's Address
1 HENRY KUDELSKI CHEMIN DE SOUS-GOURZE, 1, CH-1091 GRANDVAUX, SWITZERLAND
2 SERGE GAUMAN RUE DE COLLEGE 11, CH-1400 YVERDON, SWITZERLAND
PCT International Classification Number G07F 7/10
PCT International Application Number PCT/IB2004/050794
PCT International Filing date 2004-05-27
PCT Conventions:
# PCT Application Number Date of Convention Priority Country
1 0953/03 2003-05-28 Switzerland