Cryptographic device having reduced vulnerability to...

Cryptography – Particular algorithmic function encoding

Reexamination Certificate


Details

C380S042000, C380S045000, C380S277000, C705S060000

active

06724894

ABSTRACT:

BACKGROUND OF THE INVENTION
The present invention relates generally to cryptographic devices and, more particularly, to cryptographic devices having reduced vulnerability to side-channel attack and methods for operating such devices to reduce such vulnerability. Still more particularly it relates to such devices and methods incorporated into postage metering systems employing cryptographic processes for evidencing postage payment.
Side-channel attacks pose a significant threat to cryptographic systems. Such attacks analyze related signals emitted while an encrypted message is being produced, to obtain information which simplifies analysis of the cryptographic system under attack. One recently published technique of side-channel attack is differential power analysis (DPA). This technique involves observation and analysis of fluctuations on the power line of a cryptographic device to determine the cryptographic secrets, i.e., the crypto keys, used by the device.
DPA attacks allow an attacker to extract secret protected information from a supposedly secure cryptographic device by measuring variations in power consumption over time, and then applying sophisticated analysis to this information. Any type of secure cryptographic device where such power variations are accessible is potentially susceptible to the attack. Such devices include smart cards, PC (PCMCIA) cards and printed circuit boards, including devices that are housed within a protected enclosure.
The attack is based on the principle that as the cryptographic processor performs its cryptographic functions, such as encryption or signing, the transistors comprising the processor switch on and off, which changes the amount of current drawn from the source supplying power to the processor. The attacker can correlate the current changes with the data being processed and the crypto keys (hereinafter sometimes "keys") being used. The significance of the attack is as follows.
Secure information systems are based on an assumption that the secret information, i.e., the crypto keys, stored within a secure cryptographic device is protected against disclosure to any attacker. It is well known to use tamper-resistant or tamper-proof physical security to prevent such disclosure. With such physical security in effect, it has been assumed that an attacker without "cribs", i.e., information of some sort to simplify the analysis, could only obtain crypto keys either by trying all the possible crypto keys associated with the algorithm being used (symmetric algorithms) or by carrying out a complex mathematical search (asymmetric algorithms). For accepted cryptographic algorithms, this search is prohibitive, e.g., obtaining a 1024-bit RSA key requires 230 years of 300 MHz PC computing. However, the DPA attack makes this assumption false. If the cryptographic device is subject to DPA attack, then the crypto key can be obtained in a matter of days or weeks using DPA. Thus it is imperative that the security community at large find means either to defeat this attack or to at least greatly lengthen the time and expertise needed to successfully carry it out.
Many of the proposed countermeasures to the DPA attack involve the introduction of signal noise or filters on the power line, random timing and delays during cryptographic processing, and the introduction of extraneous operations. These countermeasures make the attack much more difficult by decreasing the amount of information obtained from each sampling of the power line signal. However, an attacker can overcome them by obtaining more samples of power line fluctuations and applying more sophisticated analytical techniques. Thus if a key is used sufficiently often it can be compromised by such attacks. Thus it would be advantageous to limit the amount of use of each particular key and ideally to use a different key for each message encrypted. However, this approach of substantially reducing usage creates great difficulty in the management of key distribution and is generally not useful outside of military or similar applications where the number of parties using a key is small.
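The argument of the paragraph above, that added noise only raises the number of samples needed and so each key must see limited use, shown as an added simulation that is not part of the patent text. The one-bit leakage model, the amplitude delta, the noise levels and the detection threshold are assumptions chosen for illustration.

```python
import math
import random

def simulate(n, sigma, delta=1.0, seed=1):
    """Constructed traces: one power sample per operation, leaking one data bit."""
    rng = random.Random(seed)
    bits = [rng.getrandbits(1) for _ in range(n)]
    samples = [delta * b + rng.gauss(0.0, sigma) for b in bits]
    return bits, samples

def _mean_var(xs):
    m = math.fsum(xs) / len(xs)
    return m, math.fsum((x - m) ** 2 for x in xs) / (len(xs) - 1)

def z_score(bits, samples):
    """Difference of the two group means, in units of its standard error."""
    ones = [s for b, s in zip(bits, samples) if b]
    zeros = [s for b, s in zip(bits, samples) if not b]
    if len(ones) < 2 or len(zeros) < 2:
        return 0.0
    m1, v1 = _mean_var(ones)
    m0, v0 = _mean_var(zeros)
    return (m1 - m0) / math.sqrt(v1 / len(ones) + v0 / len(zeros))

def traces_needed(sigma, threshold=5.0, max_traces=1 << 16, seed=1):
    """Smallest power-of-two number of key uses at which the leak is evident."""
    bits, samples = simulate(max_traces, sigma, seed=seed)
    n = 32
    while n <= max_traces:
        if z_score(bits[:n], samples[:n]) >= threshold:
            return n
        n *= 2
    return None  # leak not evident within max_traces

def key_use_budget(sigma, delta=1.0, threshold=5.0):
    """Analytic estimate: z ~ delta*sqrt(N)/(2*sigma), so N ~ (2*threshold*sigma/delta)^2."""
    return math.ceil((2 * threshold * sigma / delta) ** 2)

if __name__ == "__main__":
    # Noise multiplies the required sample count by sigma^2; it never makes it infinite.
    for sigma in (1.0, 2.0, 4.0, 8.0):
        print(f"sigma={sigma}: simulated={traces_needed(sigma)} "
              f"estimate={key_use_budget(sigma)}")
```

Read from the defender's side, the estimate is a ceiling on how often one key may be used at a given noise level before the noise countermeasure alone no longer hides the leak.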
One application of cryptographic processes where it is anticipated that protection against side-channel attacks will be important is in postage metering systems. The vast majority of the Posts around the world require prepayment for postal services provided by the Posts. This allows the Posts to avoid the substantial time and cost associated with a post-payment system that requires processing billing data and collecting and processing remittance. Prepayment, however, necessitates that individual mailpieces carry verifiable evidence of paid postage. The traditional postage stamp is a prime example of such evidence. Postage meters which securely couple mechanical printing of postal indicia and accounting functions to assure that unpaid indicia are not printed are another well-known means for evidencing postage payment. Postal revenue security in such postage meters depends on two features: 1) physical security of the printing process, i.e., printing of postage evidence cannot occur without appropriate accounting, and 2) forensic detectability, i.e., fraudulent postal indicia can be distinguished from legitimate indicia.
Coupling the printing and accounting mechanism within a secure tamper-evident enclosure provides physical security of printing. Inspection of the device normally reveals tampering. Effective forensic detectability of fraudulent postal indicia depends on non-availability of alternative mechanisms suitable for forging indicia. Before the proliferation of inexpensive, high print quality computer printers, serious attempts to generate fraudulent indicia using an alternate printing mechanism were detectable.
Today, the availability of inexpensive computer-driven printers provides opportunities for customer convenience and cost advantages for printing postage evidence. However, the use of such printers requires a new way of securing postage which was first suggested in U.S. Pat. Nos. 4,641,347, 4,641,346, 4,757,537, and 4,775,246. At that time, it was realized that the security of postage evidencing depends on the security of the information printed in the indicium, including message authentication and integrity.
U.S. Pat. Nos. 4,831,555 and 4,725,718 extended this idea to unsecured printing of postage, disclosing the necessity that at least some of the information in the indicium must appear random to a party not in possession of some secret. Such random-looking information is commonly referred to as a digital token.
The basis of postal revenue security in the digital world is two new requirements: 1) security of the digital token generating process, i.e., digital tokens cannot be generated without appropriate accounting, and 2) automatic detectability, i.e., fraudulent digital tokens can be detected by automatic means.
Encryption of selected data on the mailpiece with a secret key is one method for producing a digital token. The data may include postage value, date, postal code of the geographical deposit area, recipient address information, meter data, and piece count. Such data is commonly referred to as postal data. The secret key used to generate the digital token is generally held within the accounting device. A verifier, with access to a verifying key corresponding to the accounting device key, validates the digital token. Several cryptographic algorithms and protocols have been considered for this purpose. U.S. Pat. No. 4,853,961 describes critical aspects of public-key cryptography for mailing applications. See: José Pastor, "CRYPTOPOST: A Universal Information-Based Franking System for Automated Mail Processing", Proceedings of the Fourth Advanced Technology Conference of the U.S. Postal Service, Vol. I, pp. 429-442, Nov. 1990. See also José Pastor, "CRYPTOPOST: A Cryptographic Application to Mail Processing", Journal of Cryptology, 3 (2), pp. 137-146, Nov. 1990.
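A digital token of the kind described above, generated by the accounting device and checked by a verifier, as an added example that is not taken from the patent. It assumes a symmetric scheme in which the verifying key equals the meter key, substitutes a truncated HMAC-SHA256 for the "encryption with a secret key" the text mentions, and uses hypothetical field names and constructed sample values.

```python
import hashlib
import hmac
import struct

TOKEN_LEN = 8  # bytes of the MAC carried in the indicium (assumed truncation)
FIELDS = ("meter_id", "piece_count", "postage_cents", "date", "deposit_zip")

def encode_postal_data(data):
    """Fixed-order, length-prefixed encoding so field boundaries cannot be shifted."""
    out = b""
    for name in FIELDS:
        raw = str(data[name]).encode("utf-8")
        out += struct.pack(">H", len(raw)) + raw
    return out

def make_token(meter_key, postal_data):
    """Run inside the accounting device: token = truncated MAC over the postal data."""
    mac = hmac.new(meter_key, encode_postal_data(postal_data), hashlib.sha256)
    return mac.digest()[:TOKEN_LEN]

def verify_indicium(verifying_key, postal_data, token):
    """Run by the postal verifier: recompute and compare in constant time."""
    expected = make_token(verifying_key, postal_data)
    return hmac.compare_digest(expected, token)

# Constructed sample values, not real meter data or keys.
METER_KEY = bytes(range(32))
SAMPLE = {
    "meter_id": "METER-0001",
    "piece_count": 4711,
    "postage_cents": 33,
    "date": "1999-11-05",
    "deposit_zip": "06484",
}

def demo():
    token = make_token(METER_KEY, SAMPLE)
    genuine = verify_indicium(METER_KEY, SAMPLE, token)
    # Same token printed beside a higher postage value: must be rejected.
    altered = verify_indicium(METER_KEY, dict(SAMPLE, postage_cents=330), token)
    # Verifier holding a key that does not correspond to this meter.
    wrong_key = verify_indicium(b"\x00" * 32, SAMPLE, token)
    return genuine, altered, wrong_key

if __name__ == "__main__":
    print(demo())
```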
Two methods of presenting a postal verifier with fraudulent evidence of payment are a counterfeited indicium and a copied indici
