Electrical computers and digital processing systems: support – Data processing protection using cryptography – Tamper resistant
Reexamination Certificate
1997-08-29
2001-05-15
Hayes, Gail (Department: 2131)
C713S193000, C713S185000
active
06233685
ABSTRACT:
FIELD OF THE INVENTION
The present invention is directed to the field of security. It is more specifically directed to the security of data in a device.
BACKGROUND OF THE INVENTION
Scientists continue to strive to find ways to monitor and/or maintain the security level of a process, processor, coprocessor or processing element. It is recognized that heretofore, a computational device was considered to be secure if it was armored with physical packaging to prevent any access to the internal data and circuits, except via the official interface. The technology and effectiveness of this physical armor varies considerably. All secure devices, by definition, purport to have passive tamper-resistance. Some use more advanced techniques in order to also attempt to be tamper-responsive. A device is said to be tamper-responsive if it is provided with a means for actively detecting tampering or penetration, and has the capability of responding by zeroizing and/or erasing the sensitive data it contains before that data can be observed. An example of a low-end secure device is a simple smart card. The smart card offers limited computational ability and limited, passive physical security. An example of a high-end secure device is a cryptographic server adapter with active tamper response.
Generally, applications that require secure devices depend on the physical security of these devices. If they did not, the additional expense of physical security would usually not be justifiable. Physical security is necessary if someone with potential direct access to the device might be motivated to attack it. Such potential adversaries include anyone with physical access. This includes personnel at the factory, along the shipping channel, at retailers and warehouses, and at the often overlooked user site.
For example, consider a simple electronic wallet. In this situation, cash is simply a value in a register in the coprocessor resident in the electronic wallet. If a user manages to run their wallet program on hardware which is susceptible to tampering by that user, then that user has effectively created a bottomless wallet. This compromises the security of the entire distributed application.
A bona fide, untampered secure device needs a method by which it can prove that it is untampered and in a state of continued integrity; this is referred to herein as an untampered state method. This method has some primary constraints and/or requirements. To begin with, it needs to be computational, not physical. It is realized that a tampered device might look just like an untampered one. With current commercially viable physical security technology, physical inspection of a device does not suffice to determine whether the device has been tampered with by an attacker with at least moderate skills. Without such an untampered state method, a tampered device can appear to carry out its application identically to an untampered one.
As used herein, the term device includes a processor, a coprocessor, a processing element and/or a computational apparatus. The terms erase and/or zeroize as used herein represent any means of disabling the readability and/or retrieval of the secrets contained in the device. The terms integrity and untampered state are used interchangeably herein.
A useful untampered state assuredness method, or untampered state method, should employ a technology that provides physical security that also shields a device's internal data, programs, and circuits from any direct examination by the user. Otherwise, an adversary who is able to tamper with a device that performs cryptographic functions can modify the key generation algorithms. The device thus tampered with appears to work normally, while the adversary learns and makes use of each key.
In many applications, the program running on such an untamperable device needs to computationally build on this provable untampered state. For example, the electronic wallet program cited above not only needs to run on an untampered device, but also needs to be able to convince remote agents that it is indeed running on such a device. Thus, an untampered state assuredness method must enable an untampered authentic device to distinguish itself from a device that has been modified (say, to install a backdoor or to disable tamper response), and to distinguish itself from a software/hardware clone that may have been constructed after destructive analysis of several real devices.
Some chip-card techniques used heretofore employ the idea of installing a permanent key pair in a device that is merely tamper-resistant. However, these techniques do not address the problem of providing the provable untampered state to third parties in potentially hostile user environments and in an application-available way. Furthermore, tamper-responsive hardware standards do not adequately address this problem.
SUMMARY OF THE INVENTION
The present invention provides a method and apparatus to fully address the suite of problems related to provable untampered state assuredness in secure devices. It includes using active tamper response, generating authentication secrets inside the device via real hardware randomness to minimize risk of compromised factory machines, activating tamper response at a point of trust (certifying authority) to protect against attacks, and/or continually certifying the untampered state of the device along shipping channels and at user sites, and/or allowing for all keys to be regenerated so that in accordance with sound cryptographic practice there is no need to depend on permanent keys.
One aspect of the present invention provides a device having a certifying authority trusted by a user family which includes the device. The certifying authority (often the device manufacturer) has an authority private key. The device comprises a memory and a tamper circuit responsive to a tampering phenomenon and capable of being enabled by the certifying authority to respond to a tamper condition. A key pair generator 103 generates a key pair for the device. The key pair includes a device private key and a device public key. The key pair generator 103 is capable of exporting the device public key to the certifying authority such that the certifying authority performs a verification that the device public key emerged from the device, and signs a first certificate with the authority private key. The first certificate includes the device public key and at least one identifying property of the device. The authority issues the first certificate, which becomes available to a third party for use in establishing that the device is in an untampered state. In an embodiment, the device further comprises a zeroizing circuit capable of erasing a portion of the memory upon the tamper circuit detecting an occurrence of the tampering phenomenon, and/or the memory includes all non-volatile memory in the device, and/or the key pair is generated using an internal source of non-deterministic randomness.
Another aspect of the invention is a device having a memory which includes data required to be erased upon a tampering attempt. The device includes a tamper responsive circuit having an enabling capability, a certifying authority, an initialization circuit wherein the certifying authority enables the tamper responsive circuit using the enabling capability, a first key pair generator for generating a public key made available to a plurality of third party users and for generating a private key retained in the memory, and a certification circuit for exporting the public key to the certifying authority via the ordinary outgoing communication channel. This is such as to enable the certifying authority to verify the public key, certify that the public key emerged from the device, and certify that the device is untampered. In some embodiments, the device further includes a key pair regenerator for forming a new key pair upon an occurrence of a predetermined event, and/or a recertifier for exporting the new public key to the certifying authority such as to enable the certifying authority to verify the new public key and certify that the new public key e
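The certification flow summarized above, written out as an added example (not code from the patent or its assignee): the device generates its key pair internally, the certifying authority checks that the exported public key emerged from the device, enables tamper response, and signs a certificate, and a third party later checks that certificate and challenges the device under the certified key; tampering zeroizes the private key, and a regenerated key pair is not covered until recertified. The signature scheme is a constructed toy Schnorr variant over a 127-bit prime field (insecure, for illustration only), and the names `Device`, `certify`, `third_party_accepts` and the serial-number certificate body are assumptions.

```python
import hashlib
import secrets
# Toy Schnorr-style signature over Z_p*, p = 2**127 - 1 (Mersenne prime); illustration only, not secure.
P, G = 2**127 - 1, 3
def _h(r, msg):
    return int.from_bytes(hashlib.sha256(str(r).encode() + b"|" + msg).digest(), "big") % (P - 1)
def generate_key_pair():
    x = secrets.randbelow(P - 2) + 1  # OS CSPRNG stands in for the device's hardware randomness
    return x, pow(G, x, P)  # (private key, public key)
def sign(x, msg):
    k = secrets.randbelow(P - 2) + 1
    r = pow(G, k, P)
    return r, (k - x * _h(r, msg)) % (P - 1)
def verify(y, msg, sig):
    r, s = sig
    return pow(G, s, P) * pow(y, _h(r, msg), P) % P == r

class Device:
    """Constructed model: key pair generated inside the device; private key zeroized on tamper once enabled."""
    def __init__(self, serial):
        self.serial, self.tamper_response_enabled = serial, False
        self.priv, self.pub = generate_key_pair()
    def on_tamper(self):
        if self.tamper_response_enabled:
            self.priv = None  # zeroize: the secret can no longer be retrieved or used
    def prove_possession(self, challenge):
        if self.priv is None:
            raise RuntimeError("device zeroized")
        return sign(self.priv, challenge)
    def regenerate_key_pair(self):  # e.g. on a predetermined event; needs recertification
        self.priv, self.pub = generate_key_pair()

def certify(ca_priv, device):
    """Certifying authority: confirm the exported public key emerged from the device,
    then enable tamper response at this point of trust and sign (serial, public key)."""
    nonce = secrets.token_bytes(16)
    if not verify(device.pub, nonce, device.prove_possession(nonce)):
        raise ValueError("public key did not emerge from the device")
    device.tamper_response_enabled = True
    return device.serial, device.pub, sign(ca_priv, f"{device.serial}:{device.pub}".encode())

def third_party_accepts(ca_pub, cert, device):
    """Relying party: check the authority's certificate, then challenge the device."""
    serial, pub, ca_sig = cert
    if serial != device.serial or not verify(ca_pub, f"{serial}:{pub}".encode(), ca_sig):
        return False
    challenge = secrets.token_bytes(16)
    try:
        return verify(pub, challenge, device.prove_possession(challenge))
    except RuntimeError:  # a zeroized device cannot prove it holds the certified key
        return False
```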
Smith Sean William
Weingart Steve Harris
Hayes Gail
Herzberg Louis P.
Latham Bryan