Method of transferring a secret, by the exchange of two certificates between two microcomputers which establish reciprocal authorization
Abstract
According to the invention, the chip card issues a first certificate comprising its letter of credentials (Crc), an exponential (X), an optional message (M), these quantities being signed. The security module verifies the signature and in return issues a second certificate containing its letter of credentials (Crm), an exponential (Y), an optional message (M'), a cryptogram (C), these quantities being signed. A common secret key is constituted between the card and the security module by the exponentials and allows the card to interpret the cryptogram addressed to it and to act in accordance therewith.
16 Claims
1. A method of secured transfer of information S to a first microcomputer belonging to a chip card from a second microcomputer belonging to a security module, the first and second microcomputers establishing reciprocal authentication, this method being characterized in that:
a) a first authority is entitled to issue cards which have previously been provided with a first public key constituted by a first modulus n, a first verification exponent v and a first signature exponent s, each card having been defined by an accreditation Bc obtained by signature of a credential Crc, which signature can be verified with the aid of this first public key,
b) a second authority is entitled to issue security modules which have also previously been provided with a second public key constituted by a second modulus n', a second verification exponent v' and a second signature exponent s', the security module having been defined by an accreditation Bm obtained by signature of a credential Crm, which signature can be verified with the aid of the second public key,
c) finally, the first and second microcomputers have previously publicly agreed to use exponentials in a finite set suitable to establish a common transitory key,
d) this method comprises the following steps:
   A) in a first computational stage, realized by the first microcomputer, calculating an exponential X, an optional message M and a calculated signature from the exponential X and the optional message M, this signature being verifiable with the aid of the first public key,
   B) in a first data transfer, transmitting, from the first microcomputer to the second microcomputer, a first certificate which comprises the credentials of the card Crc, as well as the calculated signature,
   C) in a second computational stage, realized by the second microcomputer,
      i) verifying, with the aid of the first public key, whether the certificate received by the second microcomputer has been properly signed by the card, and,
      ii) if so, calculating the exponential of the exponential X, which constitutes a common transitory key,
      iii) then calculating an optional message M' and the second microcomputer's own exponential Y,
      iv) thereafter working out a cryptogram C from the common transitory key K and from the information S to be transmitted, and
      v) signing the optional message M', the exponential of the second microcomputer Y and the cryptogram C,
   D) in a second data transfer, transmitting, from the second microcomputer to the first microcomputer, a second certificate which comprises the credential of the security module Crm as well as the signed exponential of the second microcomputer Y, optional message M' and cryptogram C,
   E) in a third computational stage, realized by the first microcomputer,
      i) verifying with the aid of the second public key, whether the second certificate received from the second microcomputer has been properly signed by the second microcomputer,
      ii) if so, calculating the exponential of the exponential Y received from the second microcomputer, which gives the common transitory key K; and
      iii) extracting, from the cryptogram C using the common transitory secret K, the information S which is contained in the cryptogram C and which is intended for the first microcomputer,
all of the variables herein representing integers.
Dependent claims: 2, 3, 4, 5, 6, 7, 12, 15
8. A method of secured transfer of information to a first microcomputer belonging to a chip card from a second microcomputer belonging to a security module, the first and second microcomputers establishing reciprocal authentication, this method being characterized in that:
a) a first authority is entitled to issue cards which have previously been provided with a first public key constituted by a first modulus n, a first verification exponent v and a first signature exponent s, each card having been defined by an accreditation Bc obtained by signature of a credential Crc, which signature can be verified with the aid of this first public key,
b) a second authority is entitled to issue security modules which have also previously been provided with a second public key constituted by a second modulus n', a second verification exponent v', and a second signature exponent s', a security module having been defined by an accreditation Bm obtained by signature of a credential Crm, which signature can be verified with the aid of the second public key,
c) the first and second microcomputers have previously publicly agreed to use exponentials in a finite set suitable to establish a common transitory key,
d) this method comprises the following steps:
   A) in the second microcomputer,
      i) retrieving a stored first certificate including credentials of the card Crc and a signature of an exponential X and an optional message M,
      ii) verifying with the aid of the first public key whether the first certificate has been properly signed,
      iii) if so, calculating the exponential of the exponential X to yield a common transitory key K,
      iv) then calculating an optional message M' and the second microcomputer's own exponential Y,
      v) thereafter working out a cryptogram C from the common transitory key K and from the information S to be transmitted, and
      vi) signing the optional message M', the exponential of the second microcomputer Y' and the cryptogram C,
   B) transmitting, from the second microcomputer to the first microcomputer, a second certificate which comprises the credential of the security module Crm as well as the signed exponential of the second microcomputer Y, optional message M', and cryptogram C,
   C) in the first microcomputer,
      i) verifying with the aid of the second public key, whether the second certificate received from the second microcomputer has been properly signed by the second microcomputer,
      ii) if so, calculating the exponential of the exponential Y received from the second microcomputer, to yield the common transitory key K, and
      iii) extracting, from the cryptogram C using the common transitory key K, the information S which is contained in the cryptogram C and which is intended for the first microcomputer,
all of the variables herein representing integers.
Dependent claims: 9, 10, 11, 13, 14, 16
13. The method of claim 8 wherein, in order to store the first certificate in the directory, the second authority performs the following steps:
assigning to each card a rank in a group of cards,
assigning a common exponent x to the group, and
calculating a collective certificate valid for the group, with the aid of an auxiliary microcomputer and based on using the exponent x as the exponent for the whole group.
14. The method of claim 8 wherein
the finite set is a finite field having a first number p as its characteristics and a base which is a primitive element a of the field,
the exponent X satisfies the equation $X = a^{x} \bmod p$, where x is a positive exponent less than p,
step d)A)iv) comprises selecting a positive integer y less than p and calculating the exponential of the second microcomputer according to the equation $Y = a^{y} \bmod p$,
step d)A)iii) comprises calculating the common transitory key according to the equation $K = (a^{x})^{y} \bmod p$, and
step d)C)ii) comprises calculating the common transitory key according to the equation $K = (a^{y})^{x} \bmod p$.
16. A method as claimed in claim 8, characterized in that
in step d)A)v), the second microcomputer calculates the cryptogram C from the common transitory key K and from the information S by an exclusive-OR operation between S and K, in step d)C)iii), the first microcomputer extracts the information S from the cryptogram C by the same exclusive-OR operation between the cryptogram C and the common transitory key K.
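The two-certificate exchange of claim 8, with the exponentials of claim 14 and the exclusive-OR cryptogram of claim 16, as an added example that is not part of the patent text. Assumptions: signatures are modeled with textbook RSA over a SHA-256 digest (the claims fix only n, v and s, and have each device hold an accreditation B issued by its authority, which this model collapses into signing with s directly); all parameters, credential strings and function names are constructed toy values.

```python
import hashlib

# Constructed toy parameters, far too small for real use.
P, A, V = 2**31 - 1, 7, 65537      # field prime p, primitive element a, verification exponent v

def make_key(q1, q2):              # returns (n, v, s) for the stand-in signature scheme
    n = q1 * q2
    return n, V, pow(V, -1, (q1 - 1) * (q2 - 1))

def digest(n, *fields):
    h = hashlib.sha256(repr(fields).encode()).digest()
    return int.from_bytes(h, "big") % n

def sign(key, *fields):
    return pow(digest(key[0], *fields), key[2], key[0])

def verify(pub, sig, *fields):
    return pow(sig, pub[1], pub[0]) == digest(pub[0], *fields)

def card_first_certificate(card_key, crc, x, m=0):
    X = pow(A, x, P)                                   # X = a^x mod p
    return {"Cr": crc, "X": X, "M": m, "sig": sign(card_key, crc, X, m)}

def module_second_certificate(mod_key, card_pub, cert1, crm, y, S, m2=0):
    if not verify(card_pub, cert1["sig"], cert1["Cr"], cert1["X"], cert1["M"]):
        raise ValueError("first certificate rejected")  # no key is derived
    K = pow(cert1["X"], y, P)                          # K = (a^x)^y mod p
    if S.bit_length() > K.bit_length():                # XOR only hides bits that K covers
        raise ValueError("S is longer than K")
    Y, C = pow(A, y, P), S ^ K                         # claim 16: C = S xor K
    return {"Cr": crm, "Y": Y, "M": m2, "C": C, "sig": sign(mod_key, crm, Y, m2, C)}

def card_extract(mod_pub, cert2, x):
    if not verify(mod_pub, cert2["sig"], cert2["Cr"], cert2["Y"], cert2["M"], cert2["C"]):
        raise ValueError("second certificate rejected")
    return cert2["C"] ^ pow(cert2["Y"], x, P)          # K = (a^y)^x mod p, then S = C xor K

def demo():
    card_key, mod_key = make_key(2**61 - 1, 2**89 - 1), make_key(2**61 - 1, 2**107 - 1)
    x, y, S = 123456789, 987654321, 0x2A5F             # fixed here; drawn at random in practice
    c1 = card_first_certificate(card_key, "card-0001", x)
    c2 = module_second_certificate(mod_key, card_key[:2], c1, "module-A", y, S)
    recovered = card_extract(mod_key[:2], c2, x)
    try:
        card_extract(mod_key[:2], dict(c2, C=c2["C"] ^ 1), x)  # one bit flipped in transit
    except ValueError:
        return recovered, True
    return recovered, False

print(demo())
```

Because the cryptogram is a plain exclusive-OR, the signature over C is the only thing that detects modification, and a given K must never encrypt two different values of S.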
Specification