1. Field of the Invention
The invention relates to the security of the processing of digitized information elements and, more specifically, it relates to a new method enabling the authentication of binary data elements contained in a file.
The expression "method of authentication" is understood herein as a signal-processing operation by which it is ascertained that a set of data sought at a certain place really is the expected set of data. If this is the case, an authorization is issued (for the execution of other operations). If it is not the case, a prohibition is issued.
Methods of electronic authentication are becoming ever more necessary with the increasing use of electronics in everyday life. Electronic authentication may be used to enable an authorized person to gain access to confidential information or to reserved premises, or to enable transactions directly having a fiduciary value, using a personal account etc.
In particular, electronic chip cards are being increasingly used to provide services. Authentication procedures are necessary to ascertain that the card is truly vested with the power to provide such and such a service and that the holder of the card is truly entitled to use this card. The invention shall be described here below with reference to a chip card so that it can be understood more easily, but the invention is not restricted to this example.
2. Description of the Prior Art
The exemplary methods of authentication that shall be given here below are described as examples to show the variety of possible situations in which the invention, which will be explained thereafter, can be applied.
In the case of a chip card, for example, the following authentication scheme is frequently used: in an internal non-volatile memory, the card contains a confidential code that is specific to the holder of the card and is known to him alone. The card is inserted into a reader that is coupled to a keyboard for the introduction of data elements. The holder of the card introduces his confidential code through the keyboard. This code is transmitted to the card. A comparison is made in the card, and the subsequent operation is permitted only if the code introduced corresponds to the confidential code in memory.
This is a first level of authentication: the verification of the entitlement of the holder.
A second level may consist in ascertaining that the card is truly entitled to carry out the transaction which the reader will carry out with it. The card then contains, in another non-volatile memory zone, a secret key K1 of an encryption algorithm C(D, K) where C is a function of a piece of data D and of a key K. Unlike the personal confidential code which the holder needs to know, the key K is not known to the holder.
The card reader sends any piece of data D1 to the card. The card contains the encryption program C(D, K) in its memory. It encrypts the data D1 by means of the secret key K1, i.e. it performs the function C(D1, K1); and it sends the result R1 to the reader which, in the meantime, has encrypted the same data D1 with the same encryption algorithm C(D,K) and with a key K2 which it has in its memory and which should, in principle, correspond to K1. The results R1 and R2 of the encryption operations are compared. If there is correspondence, it means that the right key K1 is present in the chip card. If not, the operation is not authorized. The correspondence may be an identity of R1 and R2, but it may also be a predetermined relationship that is not an identity.
In another method of authentication, given by way of an example, the algorithm C(D, K) used in the card to obtain the result R1 is not the same as that used in the reader to obtain the result R2. For example, the algorithm of the card is an encryption algorithm C(D1,K1) leading to a result R1. The algorithm contained in the reader is a decryption algorithm that can be used to recover D1 from R1, referenced D(R,K). It is possible to use a known type of algorithm (RSA) that has the following property: a single key K2, different from K1, is capable of decrypting the result R1 encrypted with the key K1. This means that, for each key K1, a single key K2 is such that if C(D1, K1)=R1, then D(R1, K2)=D1. The electronic processing is then as follows: the reader sends a piece of data D1 to the card. The card encrypts this data with the algorithm C(D, K), using its internal key K1. It sends the result R1 to the reader. The reader carries out the decryption algorithm D(R1, K2) on this result. The result is compared with the data D1 initially sent by the reader. If there is no identity, it means that the key contained in the card was not the right one. In this case, what is verified therefore is not the identity of two encryption keys but the correspondence between an encryption key K1 and the only decryption key K2 that corresponds to it. High security is obtained with this system, especially in the case of the use of the algorithm RSA which is such that the knowledge of the encryption key cannot be used to compute the reverse decryption key and vice versa, so that it is possible for one of the two keys to be unprotected.
To increase the security attached to these methods, the data D1 sent by the reader is a random data element, so that it is not possible to draw conclusions from a succession of fruitless attempts at authentication.
The above paragraphs refer to the authentication of a card by the presence of a secret key that resides in the card. However, it is possible to envisage a case where a part of the contents of the memory of the card has to be authenticated without there being authorization for the contents to travel in clear form on the link between the card and the card reader. In this case, it is possible to envisage, for example, the execution of an encryption algorithm with secret key C(D,K) by using, as a secret key K, a key contained in the card and, as data D, a piece of information contained in the card rather than (or in addition to) a piece of data sent by the card reader.
In this case it is necessary, naturally, for the program that is contained in the card and that carries out the algorithm to know the location of the information to be authenticated. This location is designated either by a physical address or by a logic address in a file.
It has therefore been proposed to authenticate the information by means of an encryption algorithm using, as a key, a secret key contained in the card and, as data, several data elements which are notably the contents of the expected information, the physical or logic address at which it should be located and, as the case may be, the data (for example a random data element) sent by the card reader.
In a practical way, the information elements that are thus certified are data elements of constant length, for example one four-byte word for the information to be certified, one word for the address and one word for the random data element.
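The secret-key challenge-response described above, and its extension to certifying a word of card memory together with its address, can be sketched as follows. This is an added example, not part of the patent text: HMAC-SHA256 stands in for the unspecified algorithm C(D, K), and the class names, addresses, key and memory contents are constructed for illustration.

```python
import hashlib, hmac, secrets
WORD = 4  # constant word length in bytes, as in the text

def C(data, key):
    # Stand-in for the unspecified keyed algorithm C(D, K): HMAC-SHA256 (assumption).
    return hmac.new(key, data, hashlib.sha256).digest()

class Card:
    def __init__(self, key, memory):
        self._k1 = key        # secret key K1, never leaves the card
        self._mem = memory    # address -> one 4-byte word

    def respond(self, d1):
        return C(d1, self._k1)   # card authentication: R1 = C(D1, K1)

    def certify(self, address, d1):
        # Content authentication: R1 = C(info || address || D1, K1); info is never sent
        return C(self._mem[address] + address.to_bytes(WORD, "big") + d1, self._k1)

class Reader:
    def __init__(self, key):
        self._k2 = key        # K2, expected to correspond to K1

    def challenge(self):
        return secrets.token_bytes(WORD)   # random D1, fresh per attempt
    def check_card(self, d1, r1):
        return hmac.compare_digest(r1, C(d1, self._k2))

    def check_content(self, expected, address, d1, r1):
        r2 = C(expected + address.to_bytes(WORD, "big") + d1, self._k2)
        return hmac.compare_digest(r1, r2)

def demo():
    key, word = bytes(range(16)), b"\x00\x00\x01\xf4"   # constructed sample values
    card = Card(key, {0x10: word, 0x14: word})          # same word at two addresses
    reader = Reader(key)
    d1 = reader.challenge()
    d2 = bytes(b ^ 0xFF for b in d1)                    # a later, different challenge
    r1 = card.certify(0x10, d1)
    return {
        "card_ok": reader.check_card(d1, card.respond(d1)),
        "wrong_key": Reader(b"\x00" * 16).check_card(d1, card.respond(d1)),
        "content_ok": reader.check_content(word, 0x10, d1, r1),
        "moved_word": reader.check_content(word, 0x10, d1, card.certify(0x14, d1)),
        "altered_word": reader.check_content(b"\x00\x00\x27\x10", 0x10, d1, r1),
        "replayed": reader.check_content(word, 0x10, d2, r1),
    }
if __name__ == "__main__":
    print(demo())
```

The `moved_word` case certifies the identical word at a different address and is rejected, which is the effect of including the address in the data; `replayed` shows why the reader's data element is random.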