Method for protecting the use of software

Abstract

A method for protecting the use of software intended to be executed by an electronic processor of a unit, said electronic processor comprising or having access to at least: - a first register comprising at least one associated item of information, said at least one associated item of information being previously generated and necessary for accessing data used by said software, and / or for encrypting or decrypting communication data intended for said software or resulting from said software with another unit, and - a second register containing at least one file of said software, and / or data necessary for identifying or encrypting files of said software, notably a hash, in which method, upon any modification of said second register or any request to modify said second register, said first register is reinitialized or said at least one associated item of information of said first register is modified in a predetermined manner.

Description

Technical Field

[0001] This invention relates to methods and computer program products for protecting the use of software intended to be executed by an electronic processor of a unit. Background Technology

[0002] The electronic processor executes boot software upon power-up. This boot software resides in read-only memory or permanent memory, but the contents of this memory can be modified. This provides processor suppliers with the possibility of updating the boot software over time, as explained in particular in patent US 5944821. It also allows processor suppliers or retailers to tailor the processor's potential uses by loading different boot software.

[0003] However, this flexibility does open the door to unauthorized software replacements, potentially leading to processor malfunctions or even the theft or corruption of data accessible to the processor. This affects all types of software, especially startup software, but also software specifically designed to check software signatures. Therefore, it is important to distinguish and / or prevent so-called unauthorized installations or modifications that are not legitimate installations corresponding to the first installation of the software, nor modifications to already installed versions of the software or modifications approved by other legitimately installed software.

[0004] These attack risks can sometimes be mitigated by adding another processor associated with the boot process, which checks the legitimacy of the software distributor. This check can also be performed by a protected processor itself, which executes software at boot time to check the distributor of the second boot software, and then executes the second boot software only if the first software allows it, granted after verifying the distributor's identity.

[0005] However, these checks are typically done by examining the signature of the software being checked, which usually includes a secret word or hash of the software that is encrypted so that only a legitimate publisher can decrypt the hash of the software being checked.

[0006] Another method for checking the boot software involves having a register, in addition to the boot software checker, that stores a valid hash, which will be used to check the boot software the next time it is started; this valid hash can be updated, for example, by a function included in the initial boot software.

[0007] However, these techniques can be circumvented if software with the same hash as legitimate software can be designed and created, as disclosed in application US 2010 / 0185845. Unfortunately, this is possible, as known encryption methods MD5 and SHA1 can be forged.

[0008] Furthermore, the advent of quantum computers has made it possible to forge encryption keys, making these software checks even easier to circumvent.

[0009] Unauthorized modifications to software are particularly harmful to electronic processors registered in other units or processors, especially those in networks or installation sites. If the software of an electronic processor is replaced by unauthorized software, its registration will become invalid. Summary of the Invention

[0010] There is a need to improve the security and protection of electronic processors or their use, in order to provide a method that overcomes the shortcomings of known methods. Invention Overview

[0012] method

[0013] The object of this invention is to address this need, and according to one aspect of the invention, this object is achieved by a method for protecting the use of software intended to be executed by an electronic processor of a unit, the electronic processor comprising, or at least having access to:

[0014] - A first register, on which at least one associated information item is stored, said at least one associated information item being previously generated and required to access data used by the software, and / or to encrypt or decrypt communication data intended for use by the software or obtained from the software with another unit, and

[0015] - A second register, which contains at least one file of the software, and / or data, particularly hashes, required to identify or encrypt the files of the software.

[0016] In the method, upon any modification to the second register or any request to modify the second register, the first register is reinitialized or at least one associated information item of the first register is modified in a predetermined manner, such that, in order to access data used by and / or obtained from the software, subsequent modifications to the first register are authorized by instructions from the software that initiated the modification of the second register or by previously determined authorized software after the reinitialization or the first modification.

[0017] Therefore, the use of software is protected by this invention: on the one hand, if the software itself has not initiated any changes or has been authorized by the software, then communications originating from or intended for use with another unit and managed by the software for the electronic processor can no longer be encrypted using the key exchanged with the other unit; on the other hand, if the software itself has not initiated any changes or has been authorized by the software, then communications existing in what is called... Security Register The encrypted data of the associated information item on the first register is no longer accessible to the software; the information has been erased or modified.

[0018] the term" Previously determined licensed software "This should be understood as referring to the authorized software recognized by the electronic processor and / or the unit."

[0019] In a preferred embodiment of the invention, the method uses electronic circuitry incorporated into or connected to the electronic processor, the electronic circuitry being configured to at least detect pairs referred to as... Executable Register Any modification to the second register, or any request to modify the second register, and after such detection, reinitializing the first register or modifying at least one associated information item of the first register in a predetermined manner.

[0020] In one variant, the method according to the invention is executed automatically by code instructions executed by one or more processors.

[0021] Preferably, the first register is reset to zero whenever any modification is made to the second register or any request is made to modify the second register. In a variant, the first register is reset to a predetermined value other than zero.

[0022] In particular, when updating or installing the software, at least one associated information item in the first register can be deleted and / or regenerated.

[0023] The at least one associated information item in the first register can be modified by a value known or generated by the electronic processor of the unit, or by a value transmitted to the unit, or by a value previously known and / or transmitted to a server or to another unit in a network in which the unit moves.

[0024] Software to be protected

[0025] In the following text, the term " software However, this invention can also be applied to applications intended to be executed by an electronic processor.

[0026] The software is preferably the startup software of an electronic processor.

[0027] The processor's boot software can be stored in permanent memory within registers. (Term "...") Permanent storage "This should be understood as meaning that, unlike random access or read-only memory, the register is modifiable, but retains information even when it is no longer powered by electricity."

[0028] In variations or combinations, the software is management software that ensures the management of one or more other third-party software suites, and is specifically configured to list these suites in the unit, replace them with new versions, protect their communication with other units, or sign or encrypt documents. In this case, if the management software is modified in other ways, the confidential data required for these operations is removed.

[0029] The electronic processor of the unit then includes, or advantageously has access to, a switching register that, for each of these other third-party software families, contains at least an identifier for a first register, referred to as a security register, and a second register, referred to as an executable register, for each of these software families. The license management software is advantageously configured to check the version of the software to be installed, and / or to update to modify the second register, referred to as the executable register, associated with the software to be updated, then update the first register, referred to as the security register, and update the switching register after verifying the accuracy of the security register and executable register associated with the updated software.

[0030] If the updated software includes the ability to securely communicate with external electronic devices, the new key for the installed version is preferably transmitted by the software performing the update, and thus may be transmitted by so-called management software before or during the update; this secret data is advantageously transmitted when the new version is installed.

[0031] The software, intended to be executed by the unit's electronic processor, can initiate its own update, thereby making another version of itself available to the unit. In this case, the software preferably checks the validity of the other version, for example, by checking the electronic signature of the software stored, for example, in a first register (the so-called secure register), if it knows the software's true key, or by checking the validity using a random hash method, the hash mixture and the encryption key being, for example, a one-time key entered into the first register before it is updated. These checks can be performed by installing dedicated electronic circuitry on the microprocessor without transmitting the associated secret information contained in the secure register, especially the one-time key used in the random hashing process, and the mixture, to the processor or other parts of the processor.

[0032] Related information

[0033] The at least one associated information item in the first register may include at least one or more encryption keys, particularly symmetric keys, asymmetric keys, public keys, private keys, one-time keys, or a series of one-time keys. In a variant, the at least one associated information item may include at least one or more randomly generated numbers, particularly random numbers referred to as "mixed numbers" as described in random hash patents.

[0034] Among other things, this associated information is used to protect communications with other units, or to encrypt, decrypt, or verify the authenticity of data used by the software.

[0035] The associated information may include other information, particularly the date and time of modification or archiving of the software file on the unit, and / or identifiers that enable identification of new and old versions of the file, the creation date of the new and old versions of the file, the name of the new and old versions of the file, the publisher of the new and old versions of the file, the hash of the new and old versions of the file and the signature issued by its publisher, and the publisher's public key used for the signature.

[0036] One or more associated information items are preferably protected so that they cannot be modified outside of the update and archiving process of the software files associated with them.

[0037] One or more associated information items are preferably protected so that they can be used only by the software or management software associated with the register.

[0038] One or more associated information items are preferably protected so that they are used only by electronic circuitry that allows encryption, decryption, and signature verification, without revealing the contents of the security register to the rest of the electronic circuitry or other electronic circuitry.

[0039] With a private encryption key, one or more associated information items can be generated by the software itself using its older version before it updates itself.

[0040] In the case of public keys or one-time encryption keys, these keys may originate from remote electronic devices with which the unit communicated using the software prior to the software update, or they may be created by the unit itself to communicate with them. However, other information items may be accessed upon request by the unit or its associated software. Finally, other information, such as the modification date of publicly accessible files, is preferably entered as associated information into the executable register.

[0041] Modification or writing to the second register may cause or necessitate the zeroing or modification of the associated information input to the first register.

[0042] The device preferably includes a generator for generating symmetric, asymmetric, and one-time encryption keys, enabling the storage of these keys in a secure register. Preferably, the private key of a pair of asymmetric keys is not transmitted to the rest of the processor or any other electronic circuitry (as applicable) in any other way, but only in an encrypted manner and by using a key that exists in a secure register associated with an existing version of the same software or with management software, in particular symmetric and one-time encryption keys.

[0043] register

[0044] In one embodiment of the invention, the second register contains at least one file of software.

[0045] In one variant, the software file is stored in encrypted form on a third register, and the second register includes at least one or more encryption keys, particularly symmetric or asymmetric keys, for decrypting and / or checking the signature of the encrypted file.

[0046] Preferably, only management software or software whose files are contained in the second register or whose signature is entered into the second register can be authorized to modify or be able to modify the second register.

[0047] In one variant, only management software or software that performs its own updates is authorized to modify the switching register, and preferably, when the executable register is inspected, writes to the executable register can be prevented until the switching register corresponding to the software has been updated.

[0048] In one variant, the software file is stored in a third register. The first register includes at least one encryption key and a random secret number that has been mixed or concatenated with the software file stored in the third register. The second register also includes at least one hash of the file generated by the mixing or concatenation, called a "hash," which is encrypted using the encryption key contained in the first register. This provides a very high level of security for verifying whether software whose file is in the third register and which has generated the data in the second register is indeed the original submission, especially if the number of decryption tests is limited in time and the only solution is to try to forge the file using all possible random numbers.

[0049] Preferably, each software family executes on a processor or a separate virtual processor.

[0050] Identification within the network

[0051] The at least one associated information item in the first register may be required to identify the processor in a network of cell movements.

[0052] The at least one associated information item in the first register may be required for communication with one or more servers and / or one or more other units of the network.

[0053] In cases where the software is modified and the second register is modified or must be modified, resulting in a modification of the first register, the unit can only be identified from other units in the network if, during the last use of the software before the modification, the unit was able to transmit information to other units in the network, where these units move within the network, and this information will allow other units to communicate with the modified software upon the unit's restart. The unit can then be identified using the most recently modified first register; the first register is required for using the software and for identifying the unit.

[0054] The first register can be modified based on a first modification to the second register, such a modification rendering critical functions of the software, particularly those involving the network or one or more servers, ineffective. Therefore, after the first register will cease to be modified by writes to the second register, but before a restart, the unit will, if necessary, refill the first register and notify the server or other units, or other functions of the unit with which it can communicate.

[0055] equipment

[0056] Furthermore, the subject of this invention is an apparatus for protecting the use of software intended to be executed by an electronic processor of a unit, particularly an apparatus for implementing a method according to the invention, the apparatus being incorporated into or having access to the electronic processor, and including or having access to at least a first register and a second register, wherein at least one associated information item exists on the first register, the at least one associated information item being previously generated and required for accessing data used by the software, and / or encrypting or decrypting communication data intended for use with or obtained from the software and from another unit, the second register containing a file of the software, and / or data required to identify or encrypt the file of the software, particularly a hash, the apparatus including at least one electronic circuit configured to reinitialize the first register or modify the at least one associated information item of the first register in a predetermined manner upon any modification to the second register or any request for modification of the second register, such that, in order to access data used by and / or obtained from the software, subsequent modifications to the first register are authorized by instructions from the software that has initiated the modification of the second register after the reinitialization or the first modification.

[0057] The electronic circuit is advantageously configured to detect the application of a first predetermined voltage indicating a modification or modification request to the second register at a predetermined point in the electronic circuit, and after the detection, to apply a second predetermined voltage at another predetermined point in the electronic circuit, the application of the second predetermined voltage triggering a re-initialization of the first register or modifying at least one associated information item of the first register in a predetermined manner.

[0058] The electronic circuit is preferably configured such that modification of the second register is permitted only when all bits of the first register are equal to zero. This condition is demonstrated by first reading the first register and recording the maximum value of the bits read, particularly in a third register included in or accessible by the device. If the value recorded after reading the first register is equal to 1, modification of the second register is prevented.

[0059] The device according to the present invention includes:

[0060] The first memory register, referred to as the security register, and the second memory register, referred to as the executable register, as previously described, and preferably:

[0061] Ensure that the memory registers of each software series protected are secure.

[0062] And preferably,

[0063] Additional executable registers and additional security registers, as well as registers called switching registers, allow input and inspection before being designated as available.

[0064] Modules configured to generate random numbers, symmetric keys, and one-time keys, and / or

[0065] Modules configured to generate pairs of asymmetric keys, and / or

[0066] The module configured to calculate hashes.

[0067] Modules configured to compute and / or inspect digital signatures, particularly those using symmetric, asymmetric keys, or random hashes.

[0068] Modules configured to perform encryption and decryption using symmetric, one-time, or asymmetric keys, and

[0069] A module configured to check the physical integrity of circuits and electronic components.

[0070] Advantageously, faults or software or hardware errors are encoded in memory that may cause damage to one of the executable file, the executable register, or the security register, as well as at least one software suite protected by the unit and its associated security register, particularly at least one software suite capable of installing other software and its associated information. This memory is preferably non-erasable, particularly of ROM type, and preferably inaccessible to the processor, but copyable to one of the executable register and the security register. Therefore, this allows a secure connection to a server to be established, which can then command software updates and the possible installation of other software.

[0071] The device according to the invention also preferably includes a physical protection device for making the contents of some memory registers of the cell, especially the first register (the so-called security register), unobservable even with sophisticated observation equipment (e.g., an electron microscope) or through a short circuit in some electronic circuit, without requiring the access rights required for such action to trigger the erasure of the register.

[0072] To prevent one or more processors and the memory they use from being replaced by other processors and memories, and to prevent access to the security register, the security register and one or more processors linked to the unit and the memory used by the processor are preferably arranged such that any physical modification to the processor or any physical modification to the memory, or any electrical interference, is detected and results in the erasure of a first register referred to as the security register.

[0073] The device according to the invention can circulate current in microcircuits surrounding the processor and memory registers (and preferably when the microcircuits are energized), and measures the intensity of the current and / or the inductance of each of these circuits and / or the capacitance between each or some of these circuits, and / or the time taken for an electrical signal to flow through one or more circuits. Any change in one of these measurements or any change relative to a reference state can indicate a physical modification, possibly for accessing the circuitry of the processor or memory. The device may also include a battery or coin cell configured to perform these checks when the circuitry is not energized.

[0074] Advantageously, when implementing the method according to the invention in the case of transmitting messages, the device can input the identity of the software, in particular its name, publisher, and version, especially if such information is input into the second register; this input can be accomplished by adding a header to the transmitted message, which advantageously forms part of the message related to encryption or electronic signature.

[0075] The features described above for the method also apply to the device, and vice versa.

[0076] Computer program products

[0077] Furthermore, one aspect of the present invention is a computer program product for protecting the use of software intended to be executed by an electronic processor, the electronic processor including, or preferably having access to, encryption and / or decryption and / or verification of an electronic signature requiring a digital key stored in a first register called a security register, the first register being erased upon any modification to a second register called an executable register, wherein the code of the protected software is entered into the second register, or the authenticity of the software is checked before or during execution using a hash or random hash (possibly encrypted) present in the second register called the executable register.

[0078] Furthermore, one subject of the present invention is a computer program product for implementing a method according to the invention for protecting the use of software intended to be executed by an electronic processor of a unit, the electronic processor including, or at least having access to, a first register and a second register, wherein at least one associated information item exists in the first register, the at least one associated information item being previously generated and required for accessing data used by the software, and / or encrypting or decrypting communication data intended for use with or obtained from the software and from another unit; the second register contains at least one file of the software, and / or data required for identifying or encrypting the file of the software, particularly hashes.

[0079] The computer program product includes a medium and processor-readable instructions stored on the medium, such that when the processor-readable instructions are executed, upon any modification to the second register or any request to modify the second register, the first register is reinitialized or at least one associated information item of the first register is modified in a predetermined manner, such that, in order to access data used by and / or obtained from the software, subsequent modifications to the first register are authorized by instructions from the software that has initiated the modification of the second register or by previously determined authorized software after the reinitialization or the first modification.

[0080] The features described above for methods and devices also apply to computer program products.

[0081] The present invention also relates to a computer-readable information medium, including instructions for a computer program product that enables the implementation of the above-described functions.

[0082] Units and applications of the present invention

[0083] The unit can be any electronic unit that includes at least one electronic processor.

[0084] Preferably, all software executed by the unit is launched using the method according to the invention. If the software is authorized to execute without being launched according to the method, such software with access to the security device is preferably installed in a virtual portion of the processor, which is protected in both memory read and write modes from possible actions of software not launched by the security device.

[0085] Identifiers of other software executed by the unit, especially identifiers of such software initiated by the unit, are also advantageously transmitted via any communication, possibly along with their hash or random hash; thus, the remote device can check, if necessary, whether all such software has been checked to ensure that it does not pose any security problem.

[0086] This device can be used in particular for:

[0087] Protect information exchange with remote data servers.

[0088] It transmits data and exchanges data with other similar units connected to the same server or connected to other servers.

[0089] Measurements are taken and then transmitted to a remote server; these measurements can be, for example:

[0090] ○ Physical measurements of pressure, temperature, heat, dimensions, etc.

[0091] ○ Measurements, such as atmospheric temperature, wind speed and direction, rainfall, or wave height.

[0092] ○ Measurement of consumption, such as the amount of electricity passing through the cable, the heat in the heating element, or the amount of water in the water pipe.

[0093] ○ Measurement of the use of parts within the machine or the machine itself.

[0094] ○ Geographical location measurement,

[0095] ○ Kinematic measurements, such as vehicle speed or acceleration and direction.

[0096] Protect data transmission to and from the server.

[0097] Retransmit the video or audio to the server.

[0098] The identity of the RFID chip that passed through its "field of vision" is retransmitted to the server, or

[0099] The door or window locks can be controlled from the server or another object connected to the server.

[0100] Protect the firmware of your network router.

[0101] Firmware for protecting the chip card

[0102] Protect the firmware of chip card readers or multiple readers, whether or not they are in contact. Attached Figure Description

[0103] The invention will be better understood by reading the following detailed description of exemplary, non-limiting implementations of the invention and by studying the accompanying drawings, in which:

[0104] Figure 1 This illustrates an example of a device for protecting the use of software according to the present invention.

[0105] Figure 2 This refers to a variant device according to the present invention for protecting the use of software.

[0106] Figure 3 An example showing the contents of the switching register according to the present invention,

[0107] Figure 4 An example illustrating the steps of using the device according to the invention, and

[0108] Figure 5 Another example illustrating the steps of using the device according to the invention. Detailed Implementation

[0109] Figure 1 An example of a device according to the invention is shown, which is used to protect software updates intended to be performed by the electronic processor P of a unit.

[0110] In this example, the software is the boot software of processor P, and the software file, its signature, and the encryption key used to decrypt the software file stored in encrypted form are stored in a second register (the so-called executable register) R2 accessible to electronic processor P. Electronic processor P can also access a cryptographic module MC, which can read a first register (the so-called security register) R1 containing at least one associated information item. This associated information item is previously generated and is necessary for accessing data used by the software and / or encrypting or decrypting communication data intended for use with or obtained from the software and from another unit. Processor P can also access the security register in write mode, but not in read mode.

[0111] The voltage applied to the write terminal B1 that allows writing to the executable register R2 results in a voltage being applied to the erase terminal B2 of the security register R1.

[0112] Software loaded into the processor and communicating with the server can perform its own updates in order to:

[0113] Download the new version and its signature;

[0114] The new version is checked by copying it into the password module, in order to target the new version:

[0115] ○ The signature is decrypted using the issuer's public key entered into the security register.

[0116] ○ Hash calculation software

[0117] ○ Compare the hashed and decrypted signatures.

[0118] Download the new encryption key used to communicate with the server after the update, as well as the software publisher's possible new public key;

[0119] Check for a new version of the encryption key by copying it into the cryptographic module.

[0120] ○ The signature is decrypted using the server's public key entered into the security register.

[0121] ○ Calculate the hash of the encryption key.

[0122] ○ Compare the hashed and decrypted signatures.

[0123] Copy the downloaded software to the executable register R2;

[0124] If necessary, copy the new signature to security register R1;

[0125] Copy the new encryption key used to communicate with the server into the security register R1;

[0126] Initiate a processor restart.

[0127] Processor startup

[0128] Processor P starts by loading the software that exists in the executable register R2.

[0129] Communicating with the server

[0130] In order to send protected data to the server, processor P sends unprotected data to the cryptographic module, which returns protected (i.e., encrypted and signed) data to processor P, and then the processor sends the protected data to the server via a data network such as the Internet.

[0131] In order to receive protected data from the server, the processor sends the protected data it receives via a data network such as the Internet to a cryptographic module, which checks the possible signatures of the data and then returns the decrypted data to the processor.

[0132] exist Figure 2 In the second example shown, to prevent the unit from becoming inoperable when the erasure and modification of valid data in the first register (security register) R1 ceases, the device according to the invention can also access a third register R3, called the "executable A" register, on which the software file or a key that enables decryption and / or verification of its signature can be stored; a fourth register R4, called the "security A" register, whose associated information is modified during any update of the second register R2; and a trigger and switching register R5, which indicates whether to select the executable register R2 or R3 and the security register R1 or R4, i.e., which register the information should originate from, to start the software accordingly or to notify the cryptographic module of the cryptographic key and other values ​​held in the security register.

[0133] The processor can choose to switch flip-flops to read registers R1 and R4 or registers R2 and R3. The switching of these flip-flops is invariant; that is, even if the processor stops or the circuit is powered off, the selection of one or the other pair of registers will not change. Only instructions from the processor can change this selection. Preferably, the flip-flops can also inform the processor which selection they are positioned on.

[0134] Processor startup

[0135] The processor starts by reading code provided by a trigger, which originates from one of the two executable registers.

[0136] Processor update:

[0137] processor:

[0138] Download the new version of the software, along with its digital signature and new key, to communicate with the server after the update.

[0139] The new software and digital signature are passed to the encryption module.

[0140] The encryption module uses a symmetric key and a public key to decrypt the software and the new encryption key and its signature, respectively. The symmetric key and public key are issued by the software issuer for the software and by the server for the encrypted data, and exist in a secure register that allows the trigger to communicate with it.

[0141] The decryption module returns the decrypted and verified software signed by the publisher with the public key in the security register, as well as the encrypted data whose origin has also been decrypted and verified.

[0142] Then, the processor enters the new version of the software, along with new encrypted data and hashes for the new version of the software, into the unused executable registers and unused security registers.

[0143] The processor checks whether the input from the previous step does not include any write errors.

[0144] Processor-actuated trigger.

[0145] The processor restarted.

[0146] Processor communicates with server:

[0147] In order to send protected data to the server, the processor returns unprotected data to the cryptographic module, which returns protected (i.e., encrypted and signed) data, and then the processor sends the protected data to the server via a data network such as the Internet.

[0148] In order to receive protected data from the server, the processor sends the protected data it receives via a data network such as the Internet to a cryptographic module, which returns decrypted data after checking the possible signatures of the data.

[0149] The cryptographic module queries the security register it is linked to via a trigger to find out the keys and other parameters to be used for encryption, decryption, and authentication operations.

[0150] exist Figure 3 In the illustrated embodiment, the independent processor P0 manages the input / output of the security device, while the cryptographic modules P1, P2, ..., Pi allocate various cryptographic tasks and ensure the management of the executable register and the security register. The device has multiple cryptographic modules that can operate simultaneously, such as... Figure 5 As shown.

[0151] Specifically, the device includes three registers Ra, Rb, and Rc organized in a table format. Registers Ra and Rb are permanent, and register Rc is permanent if cryptographic processing has been performed on either side of a power outage.

[0152] Register Ra is associated with the software, both in relation to the line number of its executable and security registers in register Rb, and in relation to a list of cryptographic modules that process data for the software. Register Rc lists the currently ongoing cryptographic processing tasks and, for each task, the number of the cryptographic module performing the computation. Therefore, the cross-referencing between tables Ra and Rc allows for the retrieval of the identifier of the software that has initiated each cryptographic task.

[0153] Figure 4 An example is shown where the processor manages the executable registers and security registers, and the processor is entrusted by an external host processor to store the software in the device.

[0154] In step 101, the system checks whether the requested software is indeed one of a series of software launched from one of the executable registers in tables Ra and Rb, which are generated and transferred to the software at startup, by requesting the decryption of a random number using a key stored in processor P0; this is because the software has the right to input new software or modify its stored version in the device. The software stored in the first executable register may, for example, be the only software authorized to modify or install other software. In step 102, the device searches for free rows in Rb. In step 103, the device writes the software's code and security data to a free row in register Rb. In step 104, this information is again sent to register Rb for verification. In step 105, the row number of the used register is entered into column Nob of register Ra to correspond to the record of the software, or, if the software is not already listed there, the row number is entered into a free row in register Ra, and the software's identifier is also entered into that free row. If the updated software is executed during this update process, the software is restarted. Alternatively, this final step, including updating register Ra, is performed only if the software being updated is not currently being executed, and then the update of register Ra is performed only if the software is shut down.

[0155] If only the software signature or hash, or a software hash mixed with a secret number, rather than the software file, is input into the executable register, then preferably the suitability of the signature or hash stored in the executable register is systematically checked before the software starts. The publisher's public key for the software signature may already be stored in a secure register when the software is updated and the software file is placed into the executable register; the secret mixed number may also be stored if necessary. To prevent the processor from repeatedly attempting to circumvent the checks by using random numbers, the number of check tests is preferably limited in time.

[0156] Figure 5The method represents the steps by which a device responds to requests from software protected by the device by performing cryptographic operations.

Claims

1. A method for protecting the use of software intended to be executed by an electronic processor of a unit, said electronic processor comprising or at least having access to: - A first register, on which at least one associated information item is stored, said at least one associated information item being previously generated and required to access data used by the software, and / or to encrypt or decrypt communication data intended for use by the software or obtained from the software with another unit, and - A second register, which contains at least one file of the software, and / or data required to identify or encrypt the file of the software. In the method, upon any modification to the second register or any request to modify the second register, the first register is reinitialized or at least one associated information item of the first register is modified in a predetermined manner, such that, in order to access data used by and / or obtained from the software, after the reinitialization or any modification to the second register, subsequent modifications to the first register are authorized by instructions from the software that initiated the modification of the second register or by previously determined authorized software. The method uses electronic circuitry incorporated into or connected to the electronic processor, the electronic circuitry being configured to at least detect any modification to the second register or any request to modify the second register, and after the detection, to reinitialize the first register or modify at least one associated information item of the first register in a predetermined manner.

2. The method of claim 1, wherein, When any modification is made to the second register or any request is made to modify the second register, the first register is reset to zero.

3. The method according to claim 1 or 2, wherein, The at least one associated information item in the first register is modified by a value known or generated by the electronic processor of the unit, or by a value transmitted to the unit, or by a value previously known and / or transmitted to a server or to another unit in a network in which the unit moves.

4. The method according to claim 1 or 2, wherein, The first register includes at least one or more associated information items, or at least one or more randomly generated numbers.

5. The method according to claim 4, wherein, The encryption key is a symmetric key, an asymmetric key, a public key, a private key, or a series of one-time keys.

6. The method according to claim 1 or 2, wherein, The software is the startup software of the electronic processor.

7. The method according to claim 1 or 2, wherein, The software files are stored in encrypted form on a third register, which includes at least one or more encryption keys for decrypting and / or checking the signature of the encrypted files.

8. The method according to claim 7, wherein, The encryption key is either a symmetric key or an asymmetric key.

9. The method according to claim 1 or 2, wherein, Only software that manages the software or files contained in the second or third register is authorized to modify or is able to modify the second register.

10. The method according to claim 1 or 2, wherein, Only software whose file is contained in the second register or whose signature is entered into the second register is authorized to modify or able to modify the second register.

11. The method according to claim 1 or 2, wherein, The software file is stored in a third register. The first register includes at least one encryption key and a random secret number, the random secret number being mixed or concatenated with the software file stored in the third register. The second register also includes at least one hash of the file generated by the mixing or concatenation, the hash being encrypted with the encryption key contained in the first register.

12. The method according to claim 1 or 2, wherein, The software is management software that ensures management of one or more other third-party software families. The electronic processor of the unit includes or is able to access a switching register, which for each of these other third-party software families contains at least the identifiers of the first register and the second register of each of these software families.

13. The method according to claim 1 or 2, wherein, The first register contains at least one associated information item for identifying the electronic processor in the network in which the unit moves.

14. The method according to claim 1, wherein, The data required to identify or encrypt the software files is a hash.

15. An apparatus for protecting the use of software intended to be executed by an electronic processor of a unit, the apparatus being used to implement the method according to any one of claims 1 to 14, the apparatus being incorporated into or having access to the electronic processor, and comprising or at least having access to a first register and a second register, wherein at least one associated information item is present in the first register, the at least one associated information item being previously generated and required for accessing data used by the software, and / or encrypting or decrypting communication data intended for use with or obtained from the software with another unit, the second register containing files of the software, and / or data required for identifying or encrypting files of the software. The device includes at least one electronic circuit configured to reinitialize the first register or modify at least one associated information item of the first register in a predetermined manner upon any modification to the second register or any request to modify the second register, such that, in order to access data used by and / or obtained from the software, after the reinitialization or any modification to the second register, subsequent modifications to the first register are authorized by instructions from the software that initiated the modification of the second register or by previously determined authorized software. The electronic circuitry is incorporated into or connected to the electronic processor and is configured to at least detect any modification to the second register, or any request to modify the second register, and after the detection, to reinitialize the first register or modify at least one associated information item of the first register in a predetermined manner.

16. The device according to claim 15, wherein, The electronic circuit is configured to detect the application of a first predetermined voltage at a predetermined point in the electronic circuit indicative of a modification or modification request to the second register, and, after such detection, to apply a second predetermined voltage at another predetermined point in the electronic circuit, the application of the second predetermined voltage triggering a re-initialization of the first register or modifying at least one associated information item of the first register in a predetermined manner.

17. A computer program product for implementing a method for protecting the use of software intended to be executed by an electronic processor of a unit according to any one of claims 1 to 14, the electronic processor including or at least capable of accessing a first register and a second register, wherein at least one associated information item exists on the first register, the at least one associated information item being previously generated and required for accessing data used by the software, and / or encrypting or decrypting communication data intended for use with or obtained from the software with another unit, the second register containing at least one file of the software, and / or data required for identifying or encrypting the file of the software. The computer program product includes a medium and processor-readable instructions stored on the medium, such that when the processor-readable instructions are executed, upon any modification to the second register or any request to modify the second register, the first register is reinitialized or at least one associated information item of the first register is modified in a predetermined manner, such that, in order to access data used by and / or obtained from the software, after the reinitialization or any modification to the second register, subsequent modifications to the first register are authorized by instructions from the software that initiated the modification to the second register or by previously determined authorized software.

Images