1. Field of the Invention
The present invention generally relates to the ciphering or encryption of data, of programs, or more generally of digital codes to be stored in one or several memories, external to an integrated processor in charge of exploiting these codes.
2. Discussion of the Related Art
An example of application of the present invention relates to the ciphering of executable programs downloaded by a device (computer, video or audio data reader, device provided with a microprocessor for executing downloadable programs, etc.) in which these programs are to be stored. The downloading may, for example, use the Internet. More specifically, the present invention relates to programs or data for which it is desired to prevent an unauthorized user from accessing and exploiting them.
Reference will be made hereafter to the term “data” to designate any digital code, be it executable programs or data processed by these programs.
“External to the integrated processor” means, according to the present invention, external to a so-called secure area within which is located a central processing unit communicating with the outside of this secure area over one or several buses. The memory is then connected to this or these bus(es) and is thus external to the integrated processor.
FIG. 1 illustrates, partially and very schematically, the structure of a system with a microprocessor and an external memory to which the present invention applies. A so-called secure area 1 within which is located a CPU 2 communicating via one or several buses 3 with an external memory 4 (EXT MEM) is defined. Memory 4 generally is a non-sequential (random or not) access memory. Area 1 is, for example, the microprocessor or, more generally, one or several integrated data processing circuits defining an area within which it is considered that the processed data are not likely to be pirated. In practice, secure area 1 is most often formed of a single integrated circuit chip, external memory 4 being another chip. Processor 2 is associated, in the secure area, with an internal memory 5 (INT MEM) also considered as being secure and exploits a cache memory 6 (CACHE) used as an input-output interface with bus 3.
The ciphering to which the present invention applies involves that of any data transiting on bus(es) 3, between memory 4 and central unit 2 or more generally area 1. This ciphering consists of coding the data stored by means of a key known by the integrated processor. Generally, this key is transmitted thereto by an asymmetrical ciphering process from a distant system providing the program, so that the processor stores it in a protected internal area (for example, memory 5) and uses it both to decrypt the downloaded program and/or to cipher the data in the external memory.
The present invention more specifically relates to the case of data which, when stored in the external memory, are ciphered by means of a key which depends on the integrated circuit and which is different from one chip to another, possibly after personalization. However, the ciphering is independent from the actual data in that it is not necessary to know the data preceding or following those under ciphering to be capable of performing this ciphering.
An example of a known solution to cipher the content of a memory external to a processor is described in U.S. patent application No. US-A-2003-0198344. This solution consists of dividing the data into blocks and of stream-ciphering each data block by means of a sequence combining a key specific to the integrated circuit and an initialization vector changing for each data block.
FIG. 2 very schematically illustrates such a solution in the form of blocks. This solution is based on the use of a pseudo-random generator 10 (SEGEN) providing a sequence SE of ciphering of a data block P by means of an XOR-type gate 11. Gate 11 provides a ciphered result C, that is, a block P ciphered by means of sequence SE. Sequence SE provided by generator 10 is based on an internal key K corresponding to a key specific to the microprocessor and on an initialization vector IV provided by a generator 12 (IVGEN). Generator 10 is pseudo-random in that, for a given key K, it always provides the same sequence SE for a same initialization vector IV. Magnitudes K and IV are exploited by a pseudo-random number generation algorithm (block 10) and are binary words having their sizes depending on the desired security in terms of numbers of possible combinations. Sequence SE is a binary word having its size depending on the size of the blocks to be ciphered. The flow of data blocks C is stored in memory 4 (MEM). Initialization vector IV generated by generator 12 is stored in memory 4 at the same time as encrypted block C (CRYPT DATA) coming from gate 11, to be able to associate, with each stored block, an initialization vector specific thereto. What has been described hereabove corresponds to a phase of writing (high portion of FIG. 2, WRITE) into memory 4 (MEM).
To decipher (low portion of FIG. 2, READ) data read from memory 4, the same pseudo-random generator 10 of sequences SE and the same XOR gate 11 are used. Generator 10 receives on the one hand key K internal to the integrated circuit (processor) and on the other hand the initialization vector IV corresponding to block C to be deciphered, read from memory 4.
A solution such as illustrated in FIG. 2 corresponds to a solution described in the above-mentioned U.S. patent and enables the ciphered data to be ciphered by a key specific to the integrated circuit chip processing them.
A first problem of conventional solutions of the type described in this patent application is linked to the need for storage of the initialization vectors. Such a storage is space-consuming (be it external or internal to circuit 1).
Another problem is linked to the so-called risk of collision with the method used to generate initialization vectors IV of sequence generator SE. Indeed, the probability to be in the presence of two identical initialization vectors is a function of the size of word IV generated by generator 12. However, increasing the length of the random sequence increases the circuit cost. In fact, for a same ciphering algorithm (block 10), the security of the ciphering is then dependent on the size of the initialization vector.