The present invention relates to an instrument for making messages secure, each message having a sender, a receiver, and a content, security being obtained by implementing means, on sending, that enable an encoded indication to be associated with the message to guarantee the authentic nature of the message relative to certain sensitive parameters thereof, and to guarantee the identities of its sender and of its addressee, and on reception, that verify or monitor said encoded indication of the message by using decoding means that match the encoding means used for generating the coded indication.
The coded indication may accompany the content of the message which is readable "in the clear"; in which case the indication can be called a "seal" and the encoding involved is referred to below as "sealing". In other cases, it is the content of the message itself that is encoded, in which case the encoding is called "encrypting", with the information content not being readable in the clear.
It is recalled that sealing or encrypting are known and that they use an algorithm to encode one or more sensitive data items of the message, or the entire message, by means of an encoding key which is personal to the sender.
The seal is checked or decrypted by using an appropriate algorithm and a key which may differ from the encoding key (in which case the algorithm is said to be "asymmetrical"), or which may be the same (in which case the algorithm is said to be "symmetrical").
When the key for checking or decrypting is different from the key for sealing or encrypting, security problems are smaller than in the second case. In this context, it is recalled that security in this field means that it is not possible to counterfeit a sealed transaction message or to read an encrypted message. The degree of security depends essentially on the ease of access to the encoding key. An asymmetrical or irreversible encoding algorithm is more reliable than a symmetrical or reversible algorithm since the encoding key is not disclosed to other actors acting to check or receive the message. Nevertheless, such an algorithm is very inconvenient to implement since it requires lengthy keys to be used and it requires lengthy cryptograms, thereby requiring large amounts of computer power. For a seal, it is generally the practice to add the seal to a message at the time the message is sent. When the message is on a paper medium, decoding requires the message to be keyed in for processing purposes and that is a major source of error and of wrong operation, even when using automatic reader devices.
That is why presently-preferred instruments for making data exchanges secure use symmetrical algorithms (e.g. the data encryption standard or "DES") which require means that are less powerful and therefore less expensive, and which enable relatively short seals and relatively short sealing keys to be used. The drawback of such symmetrical algorithms lies in the same sealing key being possessed by at least two actors, which means that a seal cannot legally be deemed to be a signature since a plurality of actors share the secret and can therefore "seal" or "sign" a message.
There are also risks of fraud when secret keys are transferred or transported, and these risks can be reduced only at the cost of technology that is expensive and complex. This is particularly unsuitable for use when exchanging data that corresponds, for example, to property that is not in material form, and this is a field that is expanding very quickly and where it is necessary to supply an increasing number of users with instruments for making exchanges secure.
The present invention seeks to decrease the risk of fraud as far as possible by proposing an instrument for making secure that is capable of generating encoding/decoding keys that are unknown to the operators who themselves exchange keys that are public, regardless of the role of the operator (sender, receiver, certifier, . . . ).
To this end, the invention thus provides an instrument for making secure by encoding/decoding messages exchanged between each of the actors of a network having a plurality of actors, each being capable of acting as a sender or as an addressee of a message that is encoded or sealed, which instrument comprises, for each actor, a respective device including an integrated circuit with memory zones and a microprocessor capable of executing at least one algorithm and of controlling access to said zones as a function of the nature of the operation requested thereof by the operator holding the device, the operations being selected from the following:
encoding;
calculating a key to be communicated; and
decoding;
the memory zones containing two types of base key that are masked, including a base key of a first type which is specific to each device, and at least one base key of a second type which is common to all of the devices.
The first advantage of the instrument of the invention results from this technological feature (i.e. base key values that are masked, with access thereto being via the microprocessor and being selective as a function of the operation allocated thereto). This disposition makes it possible for each microprocessor to implement algorithms that are symmetrical, and therefore fast, while nevertheless creating an overall encoding/decoding (sealing/checking or encrypting/decrypting) system that is asymmetrical, and therefore provides a very high degree of security.
In order to better understand the fundamental mechanisms for processing the various keys as implemented by the invention, the invention is explained with reference to the following application by way of example. The messages to be processed are messages addressed by a sender to receivers. A certain amount of security concerning the authenticity of the message on sending is usually provided by performing the sealing technique. The sender proceeds by encoding certain characteristic data items of the message using a cryptographic algorithm and a key that is specific to the sender. The result of this operation is known as the "seal". The receiver of the message (or the checker) proceeds with seal verification by means of the same key which is applied to the same data that is already known. Using the means of the invention, the sender and the addressees proceed with sealing or with seal verification in entirely conventional manner.
The sender has a device of the invention (e.g. an integrated circuit card) in which a microprocessor possesses two operating modes: a first mode known as "calculate public key" mode where the public key is the key to be communicated, and a second mode known as "calculate seal" mode. The integrated circuit also has memory zones which contain two addresses each containing a masked value (known as a "base" key) that is unknown not only to the bearer of the device but also to the manufacturer. These addresses are accessible by the microprocessor but only when performing particular functions that are to be executed. More precisely, one of the values (first base key T) is accessible by the microprocessor only when executing the "calculate seal" function which is an encoding function, while the other value (second base key U) is accessible only when executing the "calculate public key" function which implements a decoding algorithm.
The actors constituting receivers or addressees of the sealed message also have their own copies of the same device (integrated circuit card) with a microprocessor and memory zones. In a version of the invention that is simplified for explanatory purposes, these memory zones contain, at one address to which access is controlled by the microprocessor, a value that is identical to the second base key U included in the card of the sender, and the microprocessor possesses only a "seal verification" function which is a decoding function. The second base key is naturally unknown to the holder of the card and also to its manufacturer.
In conventional manner, the sender must initially send a key to the receivers to enable them to verify the seals that the sender will put on the messages. For this purpose, the sender selects a key of arbitrary value S which is specific to the sender and which becomes the sender's signature. The sender supplies this signature to the device of the invention in its "calculate public key" mode. The function executed by the microprocessor then consists in encoding said key S by an algorithm A while using the first base key T, and in re-encoding the result obtained by the algorithm 1/A that is the inverse of the algorithm A while using the second base key U. The resulting value constitutes the public key V, which key is to be communicated to each of the receivers.
This can be written algebraically as follows:
V=[S(A)T](1/A)U
where:
(A)T means that the key S is encoded by the algorithm A while using the key T; and
(1/A)U means that the result is encoded by the inverse of the algorithm A while using the key U (which is a decoding operation).
The key V as calculated in this way is transmitted to the receivers.
To seal a message, the sender selects the "calculate seal" function of the microprocessor. The sender inputs the message M that is to be sealed to the device together with the selected signature key S. The microprocessor proceeds to encode the key S by the algorithm A while using the first base key T to obtain the sealing key K. This is written:
K=S(A)T
which is not accessible to the sender and is used to calculate the seal associated with the message M (written below Sc(M/S)).
The receiver has the device of the invention available and in that device the microprocessor possesses a "verify seal" operating mode and a memory zone that is accessible by the microprocessor only while executing said function, which zone contains the same value U as the second base key of the sender's device.
The receiver, possessing the key V, receives the message (in the clear) and proceeds with verification of the seal associated with the message by selecting the "verify seal" function which is a decoding function that can be executed by the microprocessor of the device held by the receiver. This decoding is performed using the key K which is calculated by the microprocessor while executing seal verification, and this is done on each verification operation without it being possible for the receiver to have any access thereto.
Thus, to obtain the key K, the microprocessor proceeds by encoding the key V by means of the second base key U and the algorithm A. Specifically:
K=V(A)U=[S(A)T](1/A)U(A)U=S(A)T
The microprocessor of the receiver uses this key to calculate the seal and it gives the receiver the result of a comparison between the value of the seal that it has just calculated and the value of the seal that it has received from the sender.
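The key flow described above (V=[S(A)T](1/A)U on the sender's card, K=V(A)U on the receiver's card) can be followed in a short software model, added here as an illustration and not taken from the patent. Assumptions: algorithm A is replaced by a small 4-round Feistel construction built on HMAC-SHA256, the seal is an HMAC-SHA256 of the message under K, keys are 16 bytes, and the Device class with its method names is hypothetical; Python attribute hiding only stands in for the hardware masking of T and U.

```python
import hashlib, hmac, secrets

BLOCK = 16  # bytes: S, V and K are each one block (assumed size)

def _f(key, i, half):
    # Round function of the stand-in cipher (not the patent's algorithm A).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def _feistel(key, block, rounds):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in rounds:
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(key, i, r)))
    return r + l  # final swap: the same loop with reversed rounds inverts it

def A(key, x):      # "x(A)key": encode x with algorithm A under key
    return _feistel(key, x, range(4))

def A_inv(key, x):  # "x(1/A)key": the inverse (decoding) operation
    return _feistel(key, x, reversed(range(4)))

class Device:
    """Card model: base keys are held privately; only the modes are exposed."""
    def __init__(self, U, T=None):
        self.__U, self.__T = U, T  # T is absent on a verify-only receiver card

    def calculate_public_key(self, S):
        return A_inv(self.__U, A(self.__T, S))       # V = [S(A)T](1/A)U

    def calculate_seal(self, M, S):
        K = A(self.__T, S)                           # K = S(A)T, never returned
        return hmac.new(K, M, hashlib.sha256).digest()

    def verify_seal(self, M, seal, V):
        K = A(self.__U, V)                           # K = V(A)U = S(A)T
        return hmac.compare_digest(hmac.new(K, M, hashlib.sha256).digest(), seal)

def demo():
    U, T = secrets.token_bytes(BLOCK), secrets.token_bytes(BLOCK)  # constructed keys
    sender, receiver = Device(U, T), Device(U)
    S, M = b"sender-secret-16", b"PAY 100 EUR TO ACCOUNT 42"       # constructed
    V = sender.calculate_public_key(S)
    seal = sender.calculate_seal(M, S)
    genuine = receiver.verify_seal(M, seal, V)
    altered = receiver.verify_seal(M + b"0", seal, V)
    # A card with a different first base key cannot produce a seal that checks under V.
    other = Device(U, secrets.token_bytes(BLOCK)).calculate_seal(M, S)
    return genuine, altered, receiver.verify_seal(M, other, V)

if __name__ == "__main__":
    print(demo())
```

The model also makes the trust assumption visible: K is derived from the published V using only U, and U is common to all devices, so the asymmetry holds only as long as U stays masked inside every card.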
The above explanation of the various means of the invention and how they are implemented in a basic application illustrate the degree of security obtained in the transaction between a sender and a receiver by means of two masked keys T and U which are accessible only to a microprocessor and even then only in a manner that is selective depending on the function that is being executed by the microprocessor. The masking and this selective accessibility are implemented specifically during manufacture of the memory card and of the integrated circuit so there is no possibility of access being gained by means of any dishonest operation, e.g. by applying software. The device of the invention gives an exchange security of the same degree as an asymmetrical encoding algorithm but with the advantages of a symmetrical algorithm.
In reality, this basic application described above for explanatory purposes gives no more than a glimpse of the possibilities offered by the device of the invention. Thus, other characteristics and advantages appear from the following description of implementations given by way of indication.