1. Field of the Invention
The present invention relates to a secure system for processing data comprising a first device and at least one second device, the devices comprising command and communication means and the command and communication means of the first device being secure. It also relates to the corresponding devices, an operating method of the system and an associated computer programme.
2. Description of the Related Art
When an electronic system including various peripherals, such as a VDU, a keyboard, a disc, . . . is responsible for a security processing operation, such as authentication of a user, a commercial transaction, an electronic signature, a vote, or providing protected multimedia contents, and when this processing operation requires the use of one or more of those peripherals, the system must check the security status of those peripherals at the time at which they are required for this security processing operation.
Establishing the security status of a peripheral is all the more difficult because the peripheral may be removable, that is to say, physically detachable from the core of the system, and because it does not necessarily share its resources (memory space, registers, caches, etc.) with those which must verify the integrity thereof. Typically, a large number of systems are nowadays constituted by a core and “attached” peripherals which are associated with the core by means of, for example, USB connections or wireless connections. Besides the authentication of the peripherals when they become associated with the system, the core of the system must obtain guarantees relating to the effective security status of those “attached” components when they become involved in a sensitive processing operation. Typically, the core of the system may need to check, at the desired time, that a specific peripheral has been initialised by following a confidence procedure, that the code of that peripheral is always secure, that those data are always uninfected and that that peripheral is in a specific operating mode, which is clearly defined and controlled.
In order to solve this problem, a first solution has been proposed for the core of the system, by providing a logical partitioning mechanism, and optionally a physical partitioning mechanism, ensuring that the sensitive elements of this core are isolated from the non-sensitive elements of the system, and that they are accessible from the non-sensitive elements of the system by way of a secure communication channel via the partitioning mechanism. The partitioning mechanism further allows execution of the sensitive elements in a privileged mode, affording them access to facilities and resources of the system which are not accessible to the non-sensitive elements.
In addition, the core and the peripherals may carry out pairing methods which are typically based on sharing a secret key, those methods allowing authentication of the two portions and the embedding or the encryption of their exchanges.
However, those solutions do not overcome the problem of the knowledge by the core of the system, at a given time during its execution, of the security status of one of its peripherals when the core in question does not directly have access to the memory resources and other internal elements of that peripheral which would allow it to obtain directly guarantees concerning the effective security status of the peripheral to be monitored.