
CN101065924B - Smartcard with cryptographic functionality and method and system for using such cards - Google Patents


Info

Publication number: CN101065924B
Authority: CN (China)
Prior art keywords: smart card, string, secret, key, encryption
Legal status: Expired - Fee Related
Application number: CN200480044471.7A
Other languages: Chinese (zh)
Other versions: CN101065924A
Inventors: 陈利群, K·A·哈里森, M·卡萨萨蒙特
Current assignee: Hewlett Packard Development Co LP
Original assignee: Hewlett Packard Development Co LP

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L 9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L 9/3073 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing
    • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00
    • H04L 2209/12 Details relating to cryptographic hardware or logic circuitry
    • H04L 2209/56 Financial cryptography, e.g. electronic payment or e-cash


Abstract

The present invention provides a smartcard (10A) holding a secret (s_A) associated with the member (A) concerned and arranged to map an input string (str) to a first element (P_A) of an algebraic group according to a known mapping function, to multiply the first element (P_A) by the secret (s_A) to form a second element (R_A) of the algebraic group such that there exists a computable bilinear map for the first and second elements, and to output this second element (R_A). Because it is provided with only this selected, limited functionality, the smartcard (10A) can be brought into play in respect of a variety of cryptographic services, such as encryption, decryption and signing. The smartcard (10A) is thus suitable for use in an organization which requires a plurality of cryptographic services.

Description

Smart card with cryptographic functionality and method and system for using the same
Technical Field
The present invention relates to a smart card having cryptographic functionality and to a method and system for providing cryptographic services in an organization using such cards.
The term "organization" as used herein is intended to cover any formal or informal body such as a business enterprise, interest group, international organization, or country. Also, as used herein, the term "smart card" is intended to include any small-sized object (such as a credit-card-sized object) incorporating processing functionality, typically on a single-chip microcomputer, that is externally accessible through any suitable interface using either physical contact means or non-contact means such as inductive, capacitive, opto-electronic or the like. The processing functionality may be based on a programmed processor or on dedicated circuitry. The smart card may be powered in any suitable manner, such as by an external power source via physical contact, by an on-card power source, by inductive coupling, or by opto-electronic means. As is well known, smart cards typically include both volatile and non-volatile memory. Where a memory is used to store secrets, at least that memory should be tamper resistant.
Background
In many organizations, various cryptographic functions are used to secure the processes operated by the organization, including, for example, authentication, digital signatures, key generation, and the like. These cryptographic functions typically involve the use of a secret associated with a user, who may be acting on behalf of the organization itself or of a particular entity within the organization.
When only a single cryptographic function is required, it is convenient to provide the user's secret, together with the cryptographic function that uses it, on a smart card that the user can carry around. To ensure that the secret never needs to be exported from the card, the cryptographic functionality must be provided on the smart card itself.
Currently, most of the available smart cards are single-function cards, such as smart cards for secure storage, smart cards for entity authentication, smart cards for digital signatures, smart cards for decryption, and the like.
Where a user needs to be involved in a plurality of different cryptographic functions, as is likely the case in a large organisation, it would be inconvenient and expensive to provide a separate smart card for each cryptographic function to be implemented.
It has therefore been proposed to provide a smart card with a plurality of fixed functions, each function operating independently of the others. An example is described in US-A-20020100808 entitled "Smart card multiple controlled electronic sockets", filed on 30.11.2001. This document describes a multifunctional smart card having a wallet with a plurality of pockets capable of registering stored values that are restricted to predetermined purposes.
Using this approach to provide a smart card offering multiple cryptographic functions is too expensive and complex, because it requires the smart card to generate and maintain many different keys, each for a specific purpose.
It is an object of the present invention to provide a smart card which can be used to provide a plurality of cryptographic services and which is less expensive and less complex than the previously proposed solutions.
As will become apparent below, embodiments of the present invention employ cryptographic techniques that use bilinear mappings. Accordingly, a brief description of some of this prior art will now be given.
In the present specification, G_1 and G_2 denote two algebraic groups of large prime order l in which the discrete logarithm problem is believed to be hard, and for which there exists a non-degenerate computable bilinear map p, e.g., the Tate pairing or the Weil pairing. Note that G_1 is the [l]-torsion subgroup of a larger algebraic group G_0: for all P ∈ G_1, [l]P = O, where O is the identity element and l is a large prime such that the number of elements in G_0 is a multiple of l. The group G_2 is a subgroup of the multiplicative group of a finite field.
For the Weil pairing, the bilinear map p is expressed as:
$$p: G_1 \times G_1 \to G_2$$
The Tate pairing may be expressed similarly, although it may be of asymmetric form:
$$p: G_1 \times G_0 \to G_2$$
In general, the elements of the groups G_0 and G_1 are points on an elliptic curve (typically, although not necessarily, a supersingular elliptic curve); however, this is not necessarily the case.
As is well known to those of ordinary skill in the art, for cryptographic purposes a modified form of the Weil or Tate pairing is used to ensure that p(P, P) ≠ 1 for P ∈ G_1; however, for convenience, the pairings are simply referred to below by their general names, without being identified as modified. Further background on the Weil and Tate pairings and their cryptographic uses can be found in the following references:
- G. Frey, M. Müller, and H. Rück. The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems. IEEE Transactions on Information Theory, 45(5):1717-1719, 1999.
- D. Boneh and M. Franklin. Identity based encryption from the Weil pairing. In Advances in Cryptology - CRYPTO 2001, LNCS 2139, pp. 213-229, Springer-Verlag, 2001.
For convenience, the examples given below assume the use of a symmetric bilinear map (p: G_1 × G_1 → G_2), with the elements of G_1 being points on an elliptic curve; these characteristics, however, should not be taken as limiting the scope of the invention.
Because the mapping between G_1 and G_2 is bilinear, exponents and coefficients can be moved around. For example, if a, b, c ∈ Z (where Z is the set of all integers) and P, Q ∈ G_1, then
$$p(aP, bQ)^c = p(aP, cQ)^b = p(bP, cQ)^a = p(bP, aQ)^c = p(cP, aQ)^b = p(cP, bQ)^a$$
$$= p(abP, Q)^c = p(abP, cQ) = p(P, abQ)^c = p(cP, abQ)$$
$$= \dots$$
$$= p(abcP, Q) = p(P, abcQ) = p(P, Q)^{abc}$$
Further, the following cryptographic hash functions are defined:
$$H_1: \{0,1\}^* \to G_1$$
$$H_2: \{0,1\}^* \to \mathbb{Z}_l^*$$
$$H_3: G_2 \to \{0,1\}^*$$
The function H_1() is typically referred to as a Map-to-Point function, its role being to convert a string input to a point on the elliptic curve being used.
A standard public/private key pair may be defined for a trusted authority as:
the private key is s, where s ∈ Z_l, and
the public key is (P, R),
where P and R are public elements, P being the base element and R the derived element, with P ∈ G_1 and R ∈ G_1 and the relationship between P and R being
$$R = sP$$
In addition, an identifier-based public/private key pair may be defined for a party with the cooperation of a trusted authority. As is well known to those of ordinary skill in the art, in "identifier-based" cryptographic methods a public, cryptographically unconstrained string is used in conjunction with the public data of a trusted authority to carry out tasks such as data encryption or signing. The complementary tasks, such as decryption and signature verification, require the involvement of the trusted authority to carry out computations based on the public string and its own private data. In message signing applications, and often also in message encryption applications, the string is used to "identify" a party (the sender in signing applications, the intended recipient in encryption applications); it is this use that has typically given rise to the labels "identifier-based" or "identity-based" for these cryptographic methods. However, in at least some cryptographic applications, the string may serve a purpose other than identifying the intended recipient and, in fact, may be any string that has no purpose other than to form the basis of the cryptographic process. Thus, the use of the term "identifier-based" herein in relation to cryptographic methods and systems is to be understood simply as implying that these methods and systems are based on the use of a cryptographically unconstrained string, regardless of whether the string is used to identify the intended recipient. Also, as used herein, the term "string" simply means an ordered sequence of bits, whether derived from a character string, a serialized image bitmap, a digitized voice signal, or any other data source.
In the present case, the identifier-based public/private key pair defined for a party has a public key Q_ID and a private key S_ID, where Q_ID, S_ID ∈ G_1. The standard public/private key pair (P, R / s) of the trusted authority is linked to the identifier-based public/private key pair by:
$$S_{ID} = s Q_{ID} \quad\text{and}\quad Q_{ID} = H_1(ID)$$
where ID is the identifier string of the party.
Some typical uses of the above-described key pairs will now be given with reference to FIG. 1 of the accompanying drawings, which depicts a trusted authority 1 with public key (P, sP) and private key s. Party A is a general third party and, for the identifier-based cryptographic (IBC) tasks described, party B has the IBC public key Q_ID and IBC private key S_ID, the latter key being generated from the identifier ID of party B by the private key generation function of the trusted authority 1. The trusted authority typically only provides party B with its private key after having checked that party B is entitled to the identifier ID (e.g. by having verified that party B satisfies some condition specified in the identifier, such as an identity condition).
Short signature (see dashed box 2): the holder of the private key s (i.e. the trusted authority 1 or anyone to whom s has been disclosed) can use s to sign a bit string; more particularly, where m represents the message to be signed, the holder of s computes:
$$V = s H_1(m)$$
Verification by party A involves that party checking that the following equation is satisfied:
$$p(P, V) = p(R, H_1(m))$$
As described above, this relies on the bilinearity of the mapping between G_1 and G_2, which allows exponents and coefficients to be moved. That is:
$$p(P, V) = p(P, s H_1(m)) = p(P, H_1(m))^s = p(sP, H_1(m)) = p(R, H_1(m))$$
A further description of this form of short signature can be found in the article "Short signatures from the Weil pairing" by D. Boneh, B. Lynn and H. Shacham, in Advances in Cryptology - ASIACRYPT '01, LNCS 2248, starting at page 514.
Identifier-based encryption (see dashed box 3): identifier-based encryption allows the holder of the private key S_ID of an identifier-based key pair (in this case party B) to decrypt a message sent to them (by party A) that was encrypted using B's public key Q_ID.
More specifically, in order to encrypt a message m, party A first computes:
$$U = rP$$
where r is a random element of Z_l^*. Next, party A computes:
$$V = m \oplus H_3(p(R, r Q_{ID}))$$
Party A now has the ciphertext elements U and V, which are sent to party B.
Party B decrypts the message by computing:
$$V \oplus H_3(p(U, S_{ID})) = V \oplus H_3(p(rP, s Q_{ID})) = V \oplus H_3(p(P, Q_{ID})^{rs}) = V \oplus H_3(p(sP, r Q_{ID})) = V \oplus H_3(p(R, r Q_{ID})) = m$$
The encryption scheme of the above example is the "BasicIdent" scheme described in the above-referenced article by D. Boneh and M. Franklin. As indicated in that article, this basic scheme is not secure against chosen-ciphertext attacks (the scheme is described here only to help understand the principles involved; a fully secure scheme is described in the article, to which the reader should refer for the relevant details).
Identifier-based signature (see dashed box 4): identifier-based signatures can be implemented using pairings. For example:
Party B first computes:
$$r = p(S_{ID}, P)^k$$
where k is a random element of Z_l^*.
Party B then applies the hash function H_2 to m‖r (the concatenation of m and r), giving:
$$h = H_2(m \| r)$$
Thereafter, party B computes:
$$U = (k - h) S_{ID}$$
and outputs U and h as the signature for the message m.
Signature verification by party A can be carried out by computing:
$$r' = p(U, P) \cdot p(Q_{ID}, R)^h$$
and accepting the signature if h = H_2(m‖r').
Disclosure of Invention
According to a first aspect of the present invention there is provided a method of providing cryptographic services in an organisation, the method comprising:
providing members of an organisation with respective smart cards, each smart card holding a secret relating to the member concerned and arranged to map an input string to a first element of an algebraic group according to a known mapping function, multiplying the first element by the secret to form a second element of the algebraic group, whereby there is a computable bilinear mapping for the first and second elements, and outputting the second element;
the members using their smart cards in connection with at least encryption, decryption and signing cryptographic services, the smart card of the member concerned holding the same secret as is required in all these services.
Each smart card therefore only needs to be provided with limited cryptographic functions, the functions provided being chosen such that the stored secret is protected while still being usable in respect of various cryptographic services. In this way, the smart card can remain functionally lightweight, resulting in reduced cost. Most of the processing involved in providing the full cryptographic services is performed off the smart card.
According to a second aspect of the present invention there is provided a system for providing cryptographic services in an organisation, the system comprising:
a plurality of smart cards for use by respective members of the organization, each smart card comprising:
a non-volatile memory for holding a secret associated with the respective member,
an input device for receiving an input string,
a first functional entity for mapping the input string to a first element of an algebraic group according to a known mapping function,
a second functional entity for multiplying the first element by the secret to form a second element of the algebraic group such that there is a computable bilinear mapping for the first and second elements, and
output means for outputting the second element;
a plurality of processing subsystems for carrying out, at least when taken together, at least encryption, decryption and signing cryptographic services involving the use of said smart cards, the smart card of the member concerned holding the same secret as is required in all these services.
According to a third aspect of the present invention, there is provided a smart card comprising:
a non-volatile memory for holding a secret associated with a user of the card,
an input device for receiving an input string,
a first functional entity for mapping the input string to a first element of an algebraic group according to a known mapping function,
a second functional entity for multiplying the first element by the secret to form a second element of the algebraic group such that there is a computable bilinear mapping for the first and second elements, and
output means for outputting the second element.
Brief Description of Drawings
Embodiments of the invention will now be described, by way of non-limiting example, with reference to the accompanying drawings, in which:
FIG. 1 is a schematic diagram showing a prior art encryption process based on elliptic curve encryption using Tate pairing; and
fig. 2 is a schematic diagram illustrating an embodiment of the present invention.
Best mode for carrying out the invention
FIG. 2 depicts members A and B of an organization which includes a finance department 22, a legal department 23 and a security department 24. The members of the organization have respective smart cards, designated 10A and 10B in FIG. 2 for members A and B respectively. Members A and B also have respective computers 20A and 20B, each computer including a smart card interface that allows a smart card to be operatively coupled to the computer.
The various departments of the organization are interconnected by a network 25. The computers 20A and 20B are also connected to the network 25, and the printer 21 is also connected to the network 25. The printer 21 has a smart card interface through which a smart card can be coupled to the printer.
The form of the member smart card will now be described with reference to the smart card 10A of member a, the other smart cards being substantially identical. The smart card 10A comprises an input/output interface block 11 and an encryption function block 14 (shown in dashed outline).
The interface block 11 comprises a data input channel 30, a data output channel 31 and an access security entity 12. The interface block 11 is adapted to allow the smart card to be coupled with a smart card interface provided on a device such as a computer 20A or a printer 21. The access security entity 12 is for example realised to require the entry of a PIN code before allowing use of the smart card, this PIN code being entered by the user via means operatively coupled to the smart card.
The input channel 30 is arranged to receive an input string (generically, a string str), while the output channel 31 is arranged to output a point on an elliptic curve (generically, a point R; R_A for the smart card 10A of member A). The form in which the point R_A is output can be arranged by an entity 19 of the interface block 11, for example as a character string.
The cryptographic block 14 of the smart card 10A contains the following functional entities:
- an entity 15 for generating a random secret s_A;
- a non-volatile memory 16 for holding the secret s_A;
- a Map-to-Point entity 17 for receiving the string str from the input channel 30 and mapping it to a first element P of an algebraic group according to a known one-way mapping function;
- a multiplication entity 18 for multiplying the first element P by the stored secret s_A to form a second element R_A of the same algebraic group as the first element, such that there is a computable bilinear mapping for the first and second elements; R_A is output on the output channel 31.
Preferably, the first and second elements P and R_A are points on the same elliptic curve, and it will be assumed hereinafter that this curve is the same as the one used in the prior art example described above with reference to FIG. 1. Similarly, the hash functions already described above with reference to the example of FIG. 1 will be used in the examples given below; in particular, the Map-to-Point function performed by the entity 17 is the hash function H_1.
If the smart card is manufactured with the secret s_A already installed, or if secure loading of the secret into the memory 16 via the interface 11 is provided for, the secret generator entity 15 may be omitted.
As will be described more fully below, the member smart cards 10A, 10B, etc., with the minimal cryptographic functionality represented by the entities 16-18, allow the organization of which A and B are members to operate a range of cryptographic security processes involving various cryptographic functions such as signing, encryption and decryption.
In the example of FIG. 2, each member smart card is used to generate multiple public keys <P, R_A>, one each for the finance department 22, the legal department 23 and the security department 24, each department maintaining a respective database 32, 33, 34 recording each member and their respective public key. For any given smart card, the department public keys it generates differ from one another because each public key is based on a string provided to the card by the relevant department, which chooses this string to indicate, for example, some characteristic of the relevant member that concerns that department.
Thus, member A may have authority from the finance department to authorize expense requests. Accordingly, the finance department requires member A to provide a public key based on the string "spending authority", which is the first of several possible strings used by the finance department to describe a member's finance-related authority. Member A then uses their smart card (e.g., after operatively coupling it with their computer 20A) to take the string "spending authority" as the input string str and output the corresponding point R_AF (the subscript F indicating that the point relates to the finance department). Thus:
$$P_{F1} = \text{Map-to-Point}(\text{"spending authority"})$$
where the subscript F1 indicates that the point P is derived from the first string, "spending authority", used by the finance department; and
$$R_{AF} = s_A(P_{F1})$$
The public key of member A for the finance department is then <P_F1, R_AF>. The point P_F1 can be arranged to be output by the smart card 10A together with the point R_AF or, preferably, the finance department can compute P_F1 itself, since the Map-to-Point function is public. In fact, the finance department may store only the point R_AF, since the record it maintains for member A will already record A as having spending authority, so the finance department can compute the first part of A's public key whenever needed.
Of course, the finance department needs to be sure that it is indeed receiving a public key generated by A's smart card 10A before storing it in A's record in the database 32. This can be achieved in many ways. For example, the finance department may require A to come in person to the finance department and present A's smart card 10A, which is then coupled to processing means in the department to generate the public key. In practice this is not necessary, since provided the finance department already knows one public key generated by A's smart card, it can check whether a public key purportedly generated by the card from a string supplied by the department is authentic. This check is based on a bilinear map p such as the Weil or Tate pairing, as follows:
compute
$$P_{F1} = \text{Map-to-Point}(\text{"spending authority"})$$
and check that:
$$p(P_{ref}, R_{AF}) = p(P_{F1}, R_{Aref})$$
where <P_ref, R_Aref> is a public key of A that the finance department trusts (however it came to be made available to the department). The left-hand side is expected to equal the right-hand side because:
$$p(P_{F1}, R_{Aref}) = p(P_{F1}, s_A(P_{ref})) = p(P_{F1}, P_{ref})^{s_A} = p(s_A(P_{F1}), P_{ref}) = p(R_{AF}, P_{ref})$$
the department public keys for the legal department and security department for member a are formed in a similar manner. Thus, the public key for the legal department of a is formed from the string "manager", which is a characteristic of a relating to the legal department:
public key for legal department of a:<PL1,RAL>
wherein the subscript L indicates the legal department, PL1Formed by Map-To-Point ("master").
For the security department, the string that is used as the basis for A's associated public key is A's normal working position, here "construct XY", so:
public key for security department of a:<PS1,RAS>
wherein the subscript S indicates the Security department, PS1Formed by Map-To-Point ("construct XY").
Using the smart card 10B and the appropriate input strings provided by each department, member B similarly forms its department public key. The string provided to B by any particular department may be the same as or different from the string provided to a, depending on whether B has characteristics associated with the same department. Thus, B may not have any authorization for financial expenses from the financial department, so the string that underlies B's financial department public key is "no authority", so:
b public key for finance department:<PF2,RBF>
wherein the subscript F indicates the financial department, PF2Formed by Map-To-Point ("no authority").
Having described the application context for the smart card 10A, several example applications will now be given.
1. Assume that member B has incurred an expense and sends an expense reimbursement request to the finance department. Before paying the expense, the finance department sends the request to B's manager, in this case member A, for payment authorization. To authorize payment, member A inserts his smart card 10A into the smart card interface of his computer 20A and enters his PIN to activate the smart card 10A; member A then uses the smart card to compute:
$$R_{Areq} = s_A(\text{Map-to-Point}(\text{request}))$$
and sends this back to the finance department as an authorization signature. The finance department then:
- computes
$$P_{req} = \text{Map-to-Point}(\text{request})$$
- looks up A's public key in the database 32 and checks that:
$$p(P_{F1}, R_{Areq}) = p(P_{req}, R_{AF})$$
which holds if the finance department has indeed received A's authorization signature for the request.
2. The legal department 23 wishes to send a secret to member A. To do this, it takes A's public key <P_L1, R_AL> held in the database 33 as the public data of the IBE trusted authority, and encrypts the document using identity-based encryption with a string, here "date, document reference number", as the encryption key string EKS. Thus, following the prior art IBE encryption method described with reference to FIG. 1, the department 23:
- generates a random secret r,
- computes:
$$U = r P_{L1}$$
$$V = m \oplus H_3(p(R_{AL}, r \cdot \text{Map-to-Point}(EKS)))$$
where m is the document,
- sends <U, V, EKS> to member A.
To decrypt the message, member A inserts his smart card 10A into the smart card interface of his computer, authenticates himself to the smart card by entering his PIN, and uses the smart card to compute the decryption key:
$$R_{Adec} = s_A(\text{Map-to-Point}(EKS))$$
The decryption key is output to A's computer, which then decrypts the document as follows:
$$m = V \oplus H_3(p(U, R_{Adec}))$$
In this example, the encryption key string EKS may change each time, i.e., the EKS and hence the decryption key R_Adec are session keys. However, in some applications the EKS may be reused, so that the corresponding decryption key may be (securely) stored as a long-term key. It will be appreciated that not only departments but any other member may send data secretly to member A using the method described above, A then using his smart card in the decryption of the data.
3. In a variation of the above example application, member A encrypts the data to be printed using an IBE encryption method such as described above using any public key created using A's smart card and any appropriate encryption key string EKS. For the present cryptographic operation, the public key may for example be a public key specifically created using the smart card 10A. The element group < U, V, EKS > is sent to the printer 21, where it is saved until member a arrives at the printer, and the smart card is inserted into the printer's smart card interface. After a has entered his PIN through the user interface of the printer, the smart card 10A is activated to generate the decryption key required to decrypt the data. The printer uses the decryption key to decrypt subsequently printed data.
4. In the application of the two previous examples, the smart card 10A of member a has not really been used in the role of the IBE trusted authority, since the decryption entity is actually member a (in fact, in both examples, the decryption entity is actually a device at least temporarily under member a control). However, it is possible for the smart card of A to be truly used in the role of the IBE trusted authority. For example, a file may be sent encrypted to a member managed by member A, the file being encrypted as in the second example application. To decrypt the file, the recipient member must obtain the decryption key from member a. This gives A the opportunity to exercise their discretion in deciding whether to allow the recipient member to access the file. In this case, the encryption key string advantageously contains information to assist a in making the decision-indeed, the encryption key string may include one or more conditions relating to a having to check the recipient before providing the decryption key.
5. In a further example application, member A sometimes works in the office at weekends, and when A does so he needs to register with the security department (which always has an on-site presence). By arranging for A, on entering the building in which he works, to insert his smart card 10A into the entry smart card interface, this registration may be done automatically. After A has entered his PIN through this interface to activate the smart card, the entry interface feeds the current time string into the smart card and sends the resulting output and the entered time string to the security department (preferably together with member A's identifier, such as a card number electronically read from the card). The security department queries the database 34 for the stored public key <PS1, RAS> of the identified member and uses this public key to verify whether the data received from the entry smart card interface was generated using A's smart card. If the verification succeeds, A is allowed access to the building and this fact is recorded. As an additional security measure, the security department may also issue a challenge to A's smart card based on a nonce (random number) that is provided as input to the card, the output then being verified by the security department in the manner already described.
The above example applications are not exhaustive. For example, the signature process 4 of fig. 1 may also be performed. Furthermore, the smart card may be used to perform processes that involve multiple members. Thus, a file may be IBE-encrypted using public data generated by the smart cards of multiple members (i.e. via multiple trusted authorities), decryption of the encrypted item then requiring a decryption sub-key to be obtained from each smart card. Further information on how multiple trusted authorities are used is given in the following article: L. Chen, K. Harrison, A. Moss, N. P. Smart and D. Soldera, "Certification of Public Keys within an Identity Based System", Proceedings of Information Security Conference 2002, ed. A. H. Chan and V. Gligor, LNCS 2433, pages 322-333, Springer-Verlag, 2002.
It will be appreciated that many variations to the above-described embodiments of the invention are possible. Thus, the access control entity 12 and the output form entity 19 of the smart card interface block 11 may be omitted if desired. Furthermore, whilst in the above the user's interaction with a smart card has been through a device to which the smart card is coupled via the interface 11, it is also possible to provide user interface elements such as a numeric keypad (for data input) and an LCD display (for data output) on the smart card itself. The smart card may contain additional functionality, including (although this is not preferred) other cryptographic functionality.

Claims (22)

1. A method of providing cryptographic services in an organisation, the method comprising:
providing each member of an organisation with a respective smart card, each smart card holding a secret relating to the member concerned and being configured to: mapping the input string str to a first element P of an algebraic group according to a known mapping function, multiplying the first element P by the secret to form a second element R of the algebraic group, such that there is a calculable bilinear mapping of the first element and the second element, and outputting the second element;
the member using a smart card (10A) in the provision of at least encryption, decryption and signature cryptographic services, wherein the secret held by the same smart card of the member is involved as required in all of these services;
wherein each member's smart card is used to generate a respective public key, each said public key containing said first element P and a corresponding second element R.
2. A method according to claim 1, wherein a smart card (10A) of at least one member is used to generate a respective public key for each of a plurality of entities (22, 23, 24) in the organisation, each such public key containing a smart card output generated using a characteristic string provided by the entity concerned as an input string str for the smart card (10A).
3. The method of claim 1, wherein:
said member having the public key < P, R > signs the subject string m using its smart card (10A) by providing the subject string m to the smart card as said input string str and using the resulting output as its signature on the subject string; and
the recipient of the subject string and signature checks the signature by verifying the following:
e(P, signature) = e(R, H1(m))
wherein H1() is the known mapping function and e() is the bilinear mapping of the first and second elements.
4. The method of claim 1, wherein:
the subject string m is encrypted for decryption with a key containing said member with the associated public key < P, R >, the subject string being encrypted by an identifier-based encryption process based on a bilinear mapping and using a second element R as an encryption parameter and a non-secret encryption key string.
5. The method of claim 4, wherein the encrypted subject string m is recovered by inputting a non-secret encryption key string into the member's smart card (10A), and using the resulting output as a decryption key in decrypting the encrypted subject string.
6. The method according to claim 5, wherein the encrypted subject string and the non-secret encryption key string are provided to a processing device (20A) associated with the member and comprising a smart card interface, the member presenting its smart card (10A) to the smart card interface of the processing device (20A) so that the device can use the smart card (10A) to obtain a decryption key, the device subsequently using the decryption key to decrypt the encrypted subject string.
7. The method of claim 5, wherein the encrypted subject string and the non-secret encryption key string are provided to a printer (21) having a smart card interface, the member presenting its smart card (10A) to the printer's smart card interface so that the printer (21) can use the smart card to obtain a decryption key, the printer then using the decryption key to decrypt the encrypted subject string for printing.
8. The method of claim 1, wherein the member acts as a trusted authority with respect to identifier-based cryptographic (IBC) services based on bilinear mapping; after determining that at least one condition specified in an encryption key string has been met, the member provides a secret key for the IBC service, the member using its smart card (10A) to generate the secret key by providing the encryption key string to the smart card as the input string str and using the resulting output as the secret key.
9. The method according to claim 1, wherein the form of the second element R is converted for output from the smart card (10A).
10. The method according to claim 1, wherein the smart card (10A) does not contain cryptographic service functions other than the functions (17, 18) and any usage-security and secret-generation features that may be present, the functions (17, 18) being those for mapping said input string to said first element P and multiplying the first element P by said secret.
11. The method of claim 1, wherein the first element P and the second element R are points on the same elliptic curve.
12. The method of claim 11, wherein the bilinear map is based on Tate or Weil pairings.
13. A system for providing cryptographic services in an organisation, the system comprising:
a plurality of smart cards (10A, 10B) for use by respective members of the organisation, each smart card (10A) comprising:
a non-volatile memory (16) for holding a secret associated with the respective member,
input means (11) for receiving an input string str,
a first functional entity (17) for mapping said input string str to a first element P of an algebraic group according to a known mapping function,
a second functional entity (18) for multiplying the first element P by the secret to form a second element R of the algebraic group, such that there is a computable bilinear mapping of the first and second elements, and
output means (11) for outputting the second element R;
wherein the system further comprises a plurality of processing subsystems (22, 23, 24) for carrying out processes involving, at least when considered together, at least encryption, decryption and signature cryptographic services that make use of the smart cards, wherein the secret held by the same smart card of a member is involved as required in all of these services;
wherein each member's smart card is used to generate a respective public key, each said public key containing said first element P and a corresponding second element R.
14. A system according to claim 13, wherein each subsystem (22, 23, 24) is arranged to store a respective public key generated by the member's smart card (10A), each such public key containing a second element generated from a characteristic string provided by the subsystem concerned and used as the input string for the smart card.
15. A system according to claim 13, wherein at least one of the subsystems (22, 23, 24) is arranged to require the member to sign a subject string m using its smart card by processing the subject string m as the input string and providing the resulting second element as a signature, the at least one subsystem being arranged to check the signature by verifying:
e(P, signature) = e(R, H1(m))
wherein,
- H1() is said known mapping function,
- e() is the bilinear mapping of the first and second elements, and
- < P, R > is a trusted public key associated with the member, P being said first element generated by using the member's smart card, and R being said second element generated by using the member's smart card.
16. The system according to claim 13, wherein at least one of said subsystems (22, 23, 24) is arranged to encrypt a subject string m for decryption with a key containing said member with an associated public key < P, R >, where P is said first element generated by using the member's smart card (10A) and R is said second element generated by using the member's smart card (10A), said at least one subsystem being arranged to encrypt said subject string m by an identifier-based encryption method based on bilinear mapping and using R and a non-secret encryption key string as encryption parameters.
17. The system according to claim 16, wherein said at least one said subsystem (22, 23, 24) is arranged to recover the encrypted subject string m by inputting a non-secret encryption key string into the smart card (10A) of the member and using the resulting output as a decryption key in decrypting the encrypted subject string.
18. The system according to claim 13, wherein at least one of said subsystems (22, 23, 24) is arranged to use said member as a trusted authority with respect to identifier-based cryptographic services based on bilinear mapping; said at least one subsystem being arranged to provide the member with an encryption key string for presentation as said input string to the member's smart card, and to receive back the generated second element as a decryption key.
19. A system according to claim 13, wherein the output means (11) of each smart card (10A) is arranged to change its form before the second element R is output from the smart card.
20. The system according to claim 13, wherein the smart card (10A) does not contain cryptographic service functions other than the functions (17, 18) and any usage-security and secret-generation features that may be present, the functions (17, 18) being those for mapping said input string str to said first element P and multiplying the first element by said secret.
21. The system of claim 13, wherein the first element P and the second element R are points on the same elliptic curve.
22. The system of claim 21, wherein the bilinear map is based on Tate or Weil pairings.
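As an added illustration (not code from the patent), the following Python sketch models the card of claims 1 to 5 together with the printing, trusted-authority and entry-challenge scenarios described above; the elliptic-curve Tate/Weil pairing is replaced by a deliberately insecure toy bilinear map e(a, b) = a*b mod N so that only the algebra of the checks is exercised, and N, the hash choices and the key-stream derivation are assumptions.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Constructed toy modulus (2**127 - 1, a Mersenne prime); not from the page.
N = (1 << 127) - 1

def h1(s: str) -> int:
    """The known mapping function: input string -> group element (an int mod N)."""
    return int.from_bytes(hashlib.sha256(s.encode()).digest(), "big") % N

def pair(a: int, b: int) -> int:
    """Toy bilinear map e(a, b) = a*b mod N; an insecure stand-in for the Tate/Weil pairing."""
    return (a * b) % N

def pair_pow(t: int, r: int) -> int:
    """Toy analogue of e(., .)**r; the target group here is additive, so it is r*t."""
    return (t * r) % N

def kdf(t: int, length: int) -> bytes:
    """Derives a key stream from a target-group element (the IBE H2 step; assumed)."""
    return hashlib.shake_256(t.to_bytes(16, "big")).digest(length)

class SmartCard:
    """Holds one member's secret; its only service is str -> secret * H1(str)."""
    def __init__(self, secret: Optional[int] = None):
        self._secret = secret or (secrets.randbelow(N - 1) + 1)

    def output(self, input_string: str) -> int:
        return (self._secret * h1(input_string)) % N

def make_public_key(card: SmartCard, characteristic: str) -> Tuple[int, int]:
    """Claim 2: an entity's public key <P, R> from its characteristic string."""
    return h1(characteristic), card.output(characteristic)

def sign(card: SmartCard, m: str) -> int:
    return card.output(m)                       # signature = secret * H1(m)

def verify(pub: Tuple[int, int], m: str, sig: int) -> bool:
    """Claim 3 check e(P, sig) == e(R, H1(m)); also the entry-challenge check of example 5."""
    P, R = pub
    return pair(P, sig) == pair(R, h1(m))

def encrypt(pub: Tuple[int, int], eks: str, msg: bytes) -> Tuple[int, bytes, str]:
    """Claim 4: IBE-style encryption under R and the non-secret key string EKS."""
    P, R = pub
    r = secrets.randbelow(N - 1) + 1
    U = (r * P) % N
    stream = kdf(pair_pow(pair(h1(eks), R), r), len(msg))
    V = bytes(x ^ y for x, y in zip(msg, stream))
    return U, V, eks                            # the <U, V, EKS> triple of example 3

def decrypt(card: SmartCard, U: int, V: bytes, eks: str) -> bytes:
    """Claim 5: the card turns EKS into the decryption key secret * H1(EKS)."""
    d = card.output(eks)
    stream = kdf(pair(d, U), len(V))            # e(sQ, rP) == e(Q, R)^r by bilinearity
    return bytes(x ^ y for x, y in zip(V, stream))
```

A card from another member yields a different decryption key for the same EKS, so the printer scenario only succeeds with the card whose secret produced R.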
CN200480044471.7A 2004-11-24 2004-11-24 Smartcard with cryptographic functionality and method and system for using such cards Expired - Fee Related CN101065924B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2004/053081 WO2006056234A1 (en) 2004-11-24 2004-11-24 Smartcard with cryptographic functionality and method and system for using such cards

Publications (2)

Publication Number Publication Date
CN101065924A CN101065924A (en) 2007-10-31
CN101065924B true CN101065924B (en) 2011-06-08

Family

ID=34959769

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200480044471.7A Expired - Fee Related CN101065924B (en) 2004-11-24 2004-11-24 Smartcard with cryptographic functionality and method and system for using such cards

Country Status (2)

Country Link
CN (1) CN101065924B (en)
WO (1) WO2006056234A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008128384A1 (en) * 2007-04-24 2008-10-30 Aigo Research Institute Of Image Computing Co., Ltd A smart card and a method for adding digital watermark to the interior data of the smart card
CN108347440B (en) * 2018-02-07 2020-08-18 飞天诚信科技股份有限公司 Method and device for enabling SCSI equipment to support smart card application
HUP1900254A1 (en) * 2019-07-15 2021-01-28 Xtendr Zrt Cryptographic alias mapper method and computer system, as well as computer program and computer readable medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1280726A (en) * 1997-12-05 2001-01-17 保密信息技术公司 Transformation methods for optimizing elliptic curve cryptographic computations
GB2401014A (en) * 2003-04-23 2004-10-27 Hewlett Packard Development Co Identifier based encryption method using an encrypted condition and a trusted party

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101483523A (en) * 2002-04-15 2009-07-15 株式会社Ntt都科摩 Signature schemes using bilinear mappings

Also Published As

Publication number Publication date
CN101065924A (en) 2007-10-31
WO2006056234A1 (en) 2006-06-01

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110608

Termination date: 20131124