A trusted device is a secure device incorporated in a personal computer, mobile equipment, or any other data processing entity to provide built-in security mechanisms that depend as little as possible on a user or administrator to keep the entity and its peripheral devices secure. Trusted personal computing devices have been developed to maximize the security of individual computers through hardware- and operating-system-based mechanisms rather than through add-in programs and policies. To that end, security mechanisms may be implemented in chips, chipsets, systems on chip and motherboards, among other modules, since it is well known to a person skilled in the art that hardware-based mechanisms are inherently more trustworthy than those created in software.
In order to assure the authenticity of data transmitted by a trusted device, digital signatures may be applied to the data. The trusted device therefore needs access to a key pair comprising a private key and a public key. In practice, when several trusted devices send data to the same entity, the key pair on the trusted devices is global, so that the receiving entity does not have to hold a separate public key for each device in order to authenticate the data. From a security point of view, if the private key is compromised on one device, the whole system is broken, because a hacker could then forge data that would be accepted as authentic. This creates a single point of failure, which is catastrophic in a security system.
The hacker can use several types of non-invasive or invasive attacks to retrieve the global private key, such as software attacks, opening the device to try to read the key directly inside the device, Differential Power Analysis (DPA) or Simple Power Analysis (SPA) attacks, fault injection attacks, etc.
A secure device may be attacked in several ways in order to recover the global private key. Some attacks are known as non-invasive attacks, since they only observe the power consumption, the electromagnetic emanation or the processing time of the device. Other attacks are referred to as invasive attacks, since they involve modifying the device, in particular its behavior during a short lapse of time. In this last category, Differential Fault Analysis (DFA) is known as a serious threat against any encryption/decryption system. DFA is based on the observation and comparison of the outputs provided by a cryptographic device in two different states. One of these states corresponds to the normal operation of the device, whereas the other is obtained by voluntarily injecting a fault that alters one or several bits by switching them from 0 to 1 or vice versa. Such a physical bit inversion can be carried out, for example, by sweeping the surface of an integrated circuit with a laser beam. Once sensitive areas within the cryptographic device have been located, laser shots disrupt the behavior of the device in an accurate and easy manner, since they can be applied under the control of a computer with very good spatial and temporal resolution. When several faults are injected during the processing of a cryptographic algorithm, the analysis of the erroneous outputs allows the global private key to be determined by observing how the faults propagate within the algorithm.
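DFA, as described above, needs a correct output and a faulted output of the same computation to compare. The usual defensive answer is to make sure a faulted output never leaves the device. The following Python block is an added example, not code from the original document: it wraps a toy RSA-style signature (a constructed, textbook-sized key pair; the names `raw_sign`, `verify` and `SigningDevice` are this example's own) with a verify-before-release check and a lock-out after repeated failures.

```python
"""Verify-before-release fault check around an RSA-style signature.

Constructed example (not part of the original document): a signing 'device'
holds the global private key.  Before any signature leaves the device it is
re-checked with the public key, so an output corrupted by an injected fault
is withheld rather than handed out for comparison against the correct output,
which is the raw material of differential fault analysis.
"""

# Toy key pair, constructed for illustration only (textbook-sized numbers;
# real deployments use moduli of 2048 bits or more).
P, Q = 61, 53
N = P * Q                   # 3233, public modulus
E = 17                      # public exponent
PHI = (P - 1) * (Q - 1)     # 3120
D = pow(E, -1, PHI)         # 2753, the private exponent (the global private key)


def raw_sign(message: int, fault_mask: int = 0) -> int:
    """Unprotected signing: s = m^d mod n.

    `fault_mask` simulates a fault-induced bit inversion on the result
    register (0 = no fault).  The XOR only stands in for the 0->1 / 1->0
    flips described in the text; it is not a model of any real attack.
    The toy keeps the faulted value below n.
    """
    s = pow(message, D, N)
    return s ^ fault_mask


def verify(message: int, signature: int) -> bool:
    """Public-key check: s^e mod n must reproduce the message."""
    return pow(signature, E, N) == message % N


class SigningDevice:
    """Signing device with a fault-detection countermeasure.

    Every signature is re-verified with the public key before release.
    Because x -> x^e mod n is a bijection on the residues mod n when
    gcd(e, phi(n)) = 1 and n is square-free, any alteration of the correct
    signature fails this check, so a faulty output is never emitted.
    Repeated failures trip a tamper response and the device stops signing.
    """

    def __init__(self, max_faults: int = 3):
        self.max_faults = max_faults
        self.fault_events = 0
        self.locked = False

    def sign(self, message: int, fault_mask: int = 0):
        """Return the signature, or None if the device refuses to sign."""
        if self.locked:
            return None
        s = raw_sign(message, fault_mask)
        if not verify(message, s):
            # Withhold the faulty output and record the event.
            self.fault_events += 1
            if self.fault_events >= self.max_faults:
                self.locked = True
            return None
        return s


if __name__ == "__main__":
    device = SigningDevice(max_faults=2)
    print("clean signature:", device.sign(2790))            # 65
    print("faulted signature:", device.sign(2790, 0b1000))  # None
    print("faulted again:", device.sign(2790, 0b0001))      # None, device now locked
    print("locked:", device.locked)                          # True
```

Since exponentiation by `e` permutes the residues modulo `n`, every altered signature fails the public-key check, which is why the simulated fault is always caught regardless of which bit is flipped. Counting the failures, as `SigningDevice` does, turns repeated fault events into tamper evidence and stops the device before an attacker can collect enough faulted outputs to analyse.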
Different techniques for protecting the integrity of programs, cryptographic keys, or the parameters used to produce them are known in the prior art, for example:
Document US2011/225409A1 discloses a chipset comprising a one-time-programmable (OTP) memory storing a software boot identification (CCID), wherein the CCID comprises a multi-bit value having two or more CCID customer identifications (CIDs) contained at customer-specific index positions within the multi-bit value. The chipset further comprises one or more processing circuits configured to obtain a certificate and a certificate index value from a customer certificate; read an OTP CID from the CCID by indexing into the CCID according to the certificate index value; determine whether the customer certificate has or has not been revoked based on evaluating the OTP CID against the certificate; and disallow software booting of the chipset if the customer certificate is determined to have been revoked. The OTP CID values are programmed in OTP memory so that individual bits may be changed from 0 to 1, but not back to 0. In this case, bits set to 1 are locked and bits set to 0 are unlocked. The OTP CID values for each customer may be managed by the chipset manufacturer.
Document EP2506176A1 discloses methods and systems related to producing chips with the uniqueness property. A random bit vector is generated using a hardware random number generator on the chip or "on the fly" as a hardware component is being produced. The generated random bit vector is stored in a one-time-programmable memory of the chip. A value is derived in the chip from the random bit vector programmed in the one-time-programmable memory of the chip. The derived value is exported to an external receiving module communicably connected to the chip, to enable a security application provider to encrypt a message that can be decrypted by the chip using a key based on the random bit vector programmed in the one-time-programmable memory of the chip. The random bit vector is programmed in a PROM (Programmable Read-Only Memory) in which all bits are locked, so that the entire programmed bit string of the vector cannot be modified by a processor. The only way to modify values stored in a PROM is to physically replace the PROM by another one containing the updated values.
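The two OTP schemes just described rest on the same property: a programmed bit cannot be returned to 0, and a whole region may additionally be sealed against any further programming. The following Python block is an added example, not code from either cited document: it simulates such a memory, uses it as a per-customer revocation counter checked at boot in the spirit of US2011/225409A1, and burns and seals a random bit vector in the spirit of EP2506176A1. The CCID layout, the 8-bit unary CID encoding, the customer names and the region offsets are assumptions of this example; the documents do not specify them.

```python
"""Simulated one-time-programmable (OTP) memory with the locking semantics
described above, plus a certificate-revocation check built on it.

Constructed example, not code from either cited document.  Assumptions:
- bits start at 0 and can only ever be programmed to 1 (a 1 bit is 'locked');
- a region can additionally be sealed as a whole, refusing even 0->1 writes
  (the fully locked PROM holding the random bit vector);
- each customer's CID field is an 8-bit unary counter of revocations: the
  manufacturer revokes the current certificate generation by burning one
  more 1 bit, and a certificate is accepted only for the generation the
  chip has reached.  The real CID encoding is not specified and is assumed.
"""
import secrets

CID_WIDTH = 8
CUSTOMER_INDEX = {"customer_a": 0, "customer_b": 8, "customer_c": 16}  # assumed layout
RBV_INDEX, RBV_WIDTH = 64, 128   # assumed location of the random bit vector


class OTPMemory:
    def __init__(self, size_bits: int):
        self.bits = [0] * size_bits
        self.region_locked = [False] * size_bits

    def read(self, index: int, width: int) -> int:
        """Read `width` bits at `index`, least-significant bit first."""
        return sum(self.bits[index + i] << i for i in range(width))

    def program(self, index: int, value: int, width: int) -> bool:
        """Burn the 1 bits of `value` into the field.  The whole request is
        refused (returns False, memory untouched) if it would clear a 1 bit
        or burn into a sealed region; a 1 bit can never go back to 0."""
        to_burn = []
        for i in range(width):
            want, have = (value >> i) & 1, self.bits[index + i]
            if want == 0 and have == 1:
                return False          # would need a 1 -> 0 transition
            if want == 1 and have == 0:
                if self.region_locked[index + i]:
                    return False      # region is sealed
                to_burn.append(index + i)
        for pos in to_burn:
            self.bits[pos] = 1
        return True

    def lock_region(self, index: int, width: int) -> None:
        for i in range(width):
            self.region_locked[index + i] = True


# --- Customer certificate revocation (assumed unary-counter encoding) ---
def revocations(otp: OTPMemory, customer: str) -> int:
    return bin(otp.read(CUSTOMER_INDEX[customer], CID_WIDTH)).count("1")

def revoke_current_generation(otp: OTPMemory, customer: str) -> bool:
    count = revocations(otp, customer)
    if count >= CID_WIDTH:
        return False                  # no revocation bits left in this field
    return otp.program(CUSTOMER_INDEX[customer], 1 << count, CID_WIDTH)

def boot_allowed(otp: OTPMemory, certificate: dict) -> bool:
    """The certificate carries its CID index and generation; booting is
    allowed only if the chip's OTP counter for that customer matches it."""
    burned = bin(otp.read(certificate["cid_index"], CID_WIDTH)).count("1")
    return certificate["generation"] == burned


# --- Chip uniqueness: random bit vector burned once and sealed ---
def provision_random_bit_vector(otp: OTPMemory) -> int:
    rbv = secrets.randbits(RBV_WIDTH)          # hardware RNG stand-in
    otp.program(RBV_INDEX, rbv, RBV_WIDTH)
    otp.lock_region(RBV_INDEX, RBV_WIDTH)      # nothing on the chip can alter it now
    return rbv


def scenario() -> dict:
    """Run the whole story on a fresh 256-bit OTP and report what happened."""
    otp = OTPMemory(256)
    gen0 = {"cid_index": CUSTOMER_INDEX["customer_a"], "generation": 0}
    gen1 = {"cid_index": CUSTOMER_INDEX["customer_a"], "generation": 1}
    out = {"gen0_before": boot_allowed(otp, gen0)}
    revoke_current_generation(otp, "customer_a")
    out["gen0_after"] = boot_allowed(otp, gen0)
    out["gen1_after"] = boot_allowed(otp, gen1)
    out["clear_refused"] = not otp.program(0, 0, CID_WIDTH)   # cannot un-revoke
    rbv = provision_random_bit_vector(otp)
    out["rbv_intact"] = otp.read(RBV_INDEX, RBV_WIDTH) == rbv
    complement = rbv ^ ((1 << RBV_WIDTH) - 1)
    out["rbv_write_refused"] = not otp.program(RBV_INDEX, complement, RBV_WIDTH)
    return out


if __name__ == "__main__":
    print(scenario())
```

The unary counter is the natural encoding for a memory that only moves from 0 to 1: revocation is a single irreversible burn, and there is no write the chip could perform to reinstate a revoked generation. Sealing the random-bit-vector region models the fully locked PROM of the second document; the only remaining way to change it is to replace the part.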
Document US2010/166182A1 discloses a method for providing secure packetized voice transmissions. A public key corresponding to a destination device is retrieved. An input signal is digitized for transmission over a packetized voice connection to the destination device. The digitized signal is encrypted using the public key of the destination device. When received at the destination device, this encrypted input signal is decrypted using a secure private key held at the destination device. According to an embodiment, the call device may be associated with an analog terminal adapter provided with a USB connector for inserting a flash storage device, which can contain the private key of an asymmetric public/private key pair and a pointer to where the public key is located. Then, during session initiation at the start of the call, the encryptor/decryptor of the destination call device can retrieve the public key of the source call device and use it to encrypt data being sent to the source call device. The private key may be stored in a fixed memory of the call device or in a removable flash memory, where all bits of the private key bit string may be modified from 0 to 1 and back without any restriction.
Document WO2008/057156A2 discloses an improved secure programming technique that reduces the number of bits programmed in on-chip secret non-volatile memory while still enabling the typical secure applications supported by secure devices. The technique decouples chip manufacture from the later process of connecting to ticket servers to obtain tickets. A method according to the technique may involve sending a (manufacturing) server-signed certificate from the device prior to any communication to receive tickets. A device according to the technique may include chip-internal non-volatile memory in which the certificate is stored along with the private key during the manufacturing process. The system comprises a secure processor, an operating system, ticket services, a calling application, and a protected memory. The operating system includes a security kernel, which in turn includes a key store, an encryption/decryption engine, and a security application.
Accordingly, there is a need for an efficient solution that prevents hackers from determining a private key through differential fault analysis or, more generally, from guessing such a key from information extracted by any kind of analysis.