Vol.3 No.1 2010
Research paper: Secure implementation of cryptographic modules (A. Satoh et al.), p. 87, Synthesiology - English edition Vol.3 No.1 (2010)

Cryptographic algorithms and cryptanalysis techniques made dramatic advances, particularly in wartime. Cryptography seen in mystery novels and suspense films mostly uses a secret algorithm that only the involved parties know, so it seems to be a puzzle-solving game different from the one in information security. Third parties, however, can decipher such cryptography once they discover the algorithm or the secret of the puzzle.

On the contrary, in today’s cryptography, the key of the secret lies in the cryptographic key. Even the same message is enciphered into different ciphertext by using a different key. Therefore, if a third party obtains one key, the communicators can keep the confidentiality of messages with another key. Likewise, the Enigma machine, a mechanical cipher machine the German army used during World War II, separates the initial device setting, treated as a cipher key, from the algorithm of the machine. However, since the algorithm still involves an important hint for cryptanalysis, secure management of not only the key but also the machine itself is essential.

After the war, bank businesses and governmental operations began using cryptography for securing information, motivated by DES (Data Encryption Standard)[1] that the National Institute of Standards and Technology (NIST) established as a U.S. Federal standard in 1977. Most previous cryptographic schemes did not clearly separate the algorithms and keys like the Enigma machine. In addition, their algorithms were not willingly made public because of their specific purposes. In those regards, disclosing the algorithm of DES was epoch-making. In the same year, Rivest, Shamir, and Adleman at the Massachusetts Institute of Technology (MIT) devised the RSA[2] (named after the inventors’ surnames) scheme, which is suitable for digital signatures as well as encryption.
DES is categorized as symmetric-key cryptography since, with the DES algorithm, encryption and decryption both use the same key. On the other hand, RSA is classified as public-key cryptography, as it uses an encryption key and a decryption key that are different from each other, and making the encryption key public does not affect confidentiality.

While cryptography had been considered equivalent to military technology, and its use, import, and export were severely restricted until the late 90’s, the restrictions have gradually been relaxed since around 2000. Subsequently, more and more consumer products have begun using various cryptographic algorithms for different purposes. Meanwhile, the remarkable advancements in cryptanalysis techniques and computer performance made the cryptographic strength of DES questionable. Thus, NIST called worldwide for stronger cryptographic algorithms for AES (Advanced Encryption Standard)[3]. Cryptographers and other specialists discussed the security issues and evaluated the performance of the implementations for AES algorithm proposals at three public standardization conferences[4]. Since NIST determined one as a new U.S. federal standard in 2001, several international standards have adopted AES.

The AES project triggered various evaluation and standardization works such as CRYPTREC (Cryptography Research and Evaluation Committees)[5], the security evaluation project for Japanese e-government recommended ciphers, the European Union’s NESSIE project (New European Schemes for Signatures, Integrity and Encryption)[6], and ISO/IEC 18033[7]. Once it was thought that keeping the cryptographic algorithm secret provided attackers with fewer clues for cryptanalysis. However, there have been many incidents compromising proprietary algorithms that leaked through some channel or were reverse-engineered.
Therefore, standard cryptographic algorithms such as AES are typically published so that many researchers and engineers can pursue various analyses for security verification of the algorithms throughout the world.

2.2 Security evaluation for cryptographic implementation

Enthusiastic security verification for standard cryptographic algorithms performed by a number of specialists ensures that there is little worry of a potential sudden exposure of a security flaw in the algorithm. Nevertheless, even with presumably secure algorithms, cryptographic key leakage may still occur due to a flaw in the software or hardware implementation of the algorithm. Unfortunately, it is hard for users to verify whether the implementation is secure or not. Thus, international standards were established for public institutes to perform security evaluation on security and cryptographic products for users’ convenience, such as ISO/IEC 15408 (Common Criteria)[8][9] and ISO/IEC 19790[10].

ISO/IEC 15408 provides an evaluation framework for general information security products, including cryptographic modules, so that evaluators can verify the sound implementation of such products based on a Security Target (ST) determined by the developers. It also specifies Evaluation Assurance Level (EAL) in seven grades that express evaluation depths. The levels are roughly classified into two groups, which are EAL 1 to 4 for commercial use and EAL 5 to 7 for military and governmental secret agencies. Note that the EALs do not express the security strength of the product but indicate that the implementation of the security functions was properly conducted based on the specified ST. The security evaluation described in ISO/IEC 15408 mainly deals with logical functions, but physical security functions or hardware issues are not sufficiently mentioned. Under certain conditions, hardware security may be considered properly managed.
However, this premise is not true when the attacker possesses the cryptographic hardware module such as a smart card. To address this issue,