Encryption / decryption unit
The encryption/decryption unit with a control unit prevents unauthorized access to decrypted data by isolating it from external buses until re-encryption, addressing security gaps in existing microcontroller operations.
Patent Information
- Authority / Receiving Office
- FR · FR
- Patent Type
- Applications
- Current Assignee / Owner
- STMICROELECTRONICS INT NV
- Filing Date
- 2024-12-23
- Publication Date
- 2026-06-26
AI Technical Summary
Existing encryption and decryption operations in microcontrollers or microprocessors lack sufficient security measures to prevent unauthorized access to decrypted data, particularly during data transfer and storage.
Implementing an encryption/decryption unit with a control unit that prohibits external bus access to memory elements storing decrypted data during decryption and encryption operations, using a block encryption/decryption algorithm and secure memory elements accessible only by the control unit.
Prevents unauthorized access to decrypted data, ensuring secure data handling by isolating decrypted data from external buses until it is re-encrypted, thereby enhancing data security.
Abstract
Description
Title of the invention: Encryption / decryption unit technical field
[0001] This description relates generally to decryption / encryption units and associated operating methods. Previous technique
[0002] Encryption and decryption operations are crucial to ensure data security, such as when downloading updates into microcontrollers or microprocessors. Summary of the invention
[0003] There is a need to improve security during encryption and decryption operations, particularly within microcontrollers or microprocessors.
[0004] An embodiment overcomes all or part of the drawbacks of known decryption / encryption units.
[0005] One embodiment provides for an encryption / decryption unit, implementing a block encryption / decryption algorithm, and comprising a control unit: - dedicated to the encryption / decryption unit; and - configured to prohibit access, for a bus external to the encryption / decryption unit, during data decryption and encryption operations, to the contents of memory elements used to store data decrypted by the encryption / decryption unit.
[0006] Another embodiment provides for a method of operating an encryption / decryption unit implementing a block encryption / decryption algorithm, the method comprising prohibiting access, for a bus external to the encryption / decryption unit, during data decryption and encryption operations, to the contents of memory elements used to store parts of data decrypted by the encryption / decryption unit; the access restriction being implemented, by a control unit dedicated to the encryption / decryption unit.
[0007] According to one embodiment, the control unit is configured to implement a transfer of said decrypted data between a first memory element and a second memory element during said data decryption and encryption operations.
[0008] According to one embodiment, the encryption / decryption unit includes a decryption unit configured to decrypt, with said algorithm, blocks of first data, the decrypted blocks being stored in the first memory element.
[0009] According to one embodiment, said transfer is carried out block by block or set of blocks by set of blocks.
[0010] According to one embodiment, said transfer is carried out using a binary stream.
[0011] According to one embodiment, the encryption / decryption unit comprises a encryption unit configured to encrypt, with said algorithm, all or part of the data contained in the second memory element.
[0012] According to one embodiment: - The decryption unit uses a first encryption and decryption key for decryption; and - the encryption unit uses, for encryption, a second encryption and decryption key, different from the first key.
[0013] According to one embodiment, the decryption unit and the encryption unit are part of the same computing unit configured to be parameterized by the control unit so that, in a first parameterization mode, the computing unit implements the decryption unit, and in a second parameterization mode, the computing unit implements the encryption unit.
[0014] According to one embodiment, the encryption / decryption unit includes a third and a fourth secure memory element, accessible only by the control unit.
[0015] According to one embodiment: - the third memory element includes initial parameters intended to be used by the control unit to configure the processing unit with the first parameterization mode; and - the fourth memory element includes second parameters intended to be used by the control unit to configure the calculation unit with the second parameterization mode.
[0016] According to one embodiment, the control unit is configured to, at each iteration of the block algorithm: - configure the processing unit with the aforementioned first parameters so that parts of the data are deciphered and stored in the first memory element; - then transfer these decrypted data portions from the first memory element to the second memory element; then - update the initial settings; - configure the processing unit with the aforementioned second parameters so that the data portions, decrypted and stored in the second memory element, are encrypted; then - Update the second set of parameters.
[0017] According to one embodiment, said first and second parameters each comprise an identifier of the current turn of the algorithm and a turn key associated with said current turn.
[0018] According to one embodiment, said algorithm is an AES, RSA, ECC type algorithm, a symmetric or asymmetric key algorithm, SM4, GOST R 34.12-2015, or a stream or per-stream encryption algorithm.
[0019] According to one embodiment, the control unit is entirely formed from a hardware circuit.
[0020] According to one embodiment, the control unit is formed from an isolated computing unit and program.
[0021] According to one embodiment, the encryption / decryption unit is secure access.
[0022] According to one embodiment, the control unit is secure access.
[0023] According to one embodiment, the blocks implemented by the algorithm have a size 64 or 128 bits.
[0024] According to one embodiment, the encryption / decryption unit is implemented in a secure area of the ARM® environment.
[0025] According to one embodiment, the first data is stored in non-volatile memory.
[0026] According to one embodiment, the data encrypted by the encryption unit is stored in non-volatile memory.
[0027] According to one embodiment, said bus is connected to a microprocessor, external to the encryption / decryption unit, for example via one or more control registers.
[0028] According to one embodiment, apart from said decryption and encryption operations, access, for said bus, to the content of said memory elements used to store data decrypted by the encryption / decryption unit, is permitted.
[0029] According to one embodiment, the encryption / decryption unit is connected to a microprocessor, external to the encryption / decryption unit and to which said bus is connected.
[0030] According to one embodiment, the encryption / decryption unit is connected to a bus master, external to the encryption / decryption unit and to which said bus is connected.
[0031] According to one embodiment, the encryption / decryption unit is arranged in a microcontroller comprising a microprocessor, external to the encryption / decryption unit and to which said bus is connected.
[0032] According to one embodiment, the encryption / decryption unit is connected to a microprocessor, external to the encryption / decryption unit and to which said bus is connected for example via one or more control registers.
[0033] According to one embodiment, the encryption / decryption unit is arranged in a microprocessor and connected to a bus master, external to the encryption / decryption unit, and to which said bus is connected.
[0034] One embodiment provides a microcontroller comprising the encryption / decryption unit as described above.
[0035] One embodiment provides a microprocessor comprising the encryption / decryption unit as described above. Brief description of the drawings
[0036] These features and advantages, as well as others, will be described in detail in the following description of particular embodiments, given by way of non-limiting example, in relation to the accompanying figures, among which:
[0037] [Fig.1] illustrates in a very schematic way a microcontroller to which the embodiments apply;
[0038] [Fig.2] illustrates in a very schematic way an example of a microcontroller circuit of [Fig.1];
[0039] [Fig.3] illustrates in a very schematic way an example of a microcontroller circuit of [Fig.1] according to one embodiment;
[0040] Figure 4 illustrates in a very schematic way an example of a microcontroller circuit from Figure 1 according to one embodiment; and
[0041] [Fig.5] represents an example of an operating method of the example in [Fig.4], Description of the implementation methods
[0042] The same elements have been designated by the same reference numerals in the different figures. In particular, the structural and / or functional elements common to the different embodiments may have the same reference numerals and may have identical structural, dimensional and material properties.
[0043] For the sake of clarity, only the steps and elements useful for understanding the described embodiments have been represented and are detailed.
[0044] Unless otherwise specified, when referring to two interconnected elements, this means directly connected without intermediate elements other than conductors, and when referring to two connected (in English "coupled") elements between them, this means that these two elements can be connected or linked via one or more other elements.
[0045] In the following description, when reference is made to absolute position qualifiers, such as the terms "front", "back", "top", "bottom", "left", "right", etc., or relative position qualifiers, such as the terms "above", "below", "superior", "inferior", etc., or to orientation qualifiers, such as the terms "horizontal", "vertical", etc., reference is made, unless otherwise specified, to the orientation of the figures.
[0046] Unless otherwise specified, the expressions "approximately", "roughly", and "on the order of" mean to within 10% or 10°, preferably to within 5% or 5°.
[0047] Fig. 1 illustrates in a very schematic way a microcontroller or microprocessor 100 to which the described embodiments apply.
[0048] In the example shown, the microcontroller 100 includes a memory 152 (MEM), for example non-volatile, for example of FLASH or Phase Change Memory (PCM) type, or for example volatile, such as RAM (Random Access Memory) type, capable of communicating, via a communication bus, with a memory interface not shown configured to write or read data into and from the memory 152. In one example, the memory 152 is an unprotected memory.
[0049] The microcontroller 100 further includes, for example, a processing unit 110 (CPU), comprising one or more processors under the control of instructions stored in an instruction memory not shown.
[0050] The processing unit 110 and the instruction memory communicate, for example, via a system bus 140 (data, address, and control). The memory 152 is connected to the system bus 140 or to the processing unit 110, for example, via a memory interface (not shown) and / or via intermediate buses 130. The microcontroller 100 further includes, for example, an input / output interface 108 (FO) connected, for example, to the system bus 140 for external communication.
[0051] The microcontroller 100 can integrate other circuits implementing other functions (for example, one or more volatile and / or non-volatile memories, or other processing units). Among these other circuits, the microcontroller 100 includes, for example, a read-only or static memory 118 (ROM).
[0052] The microcontroller 100 further includes, for example, a volatile memory 122 (VOL MEM), for example of RAM type, connected for example to the bus 140 and / or to the processing unit 110 via an intermediate bus 142.
[0053] The microcontroller 100 further includes an encryption / decryption unit 120 (DECRYPT W / Key 1 + ENCRYPT W / Key 2). The terms “unit of "Encryption / Decryption" refers to a computing or processing unit, or an encryption and decryption engine, capable of implementing data encryption and decryption. For example, the processing unit 110 uses a first encryption key, Key 1, known, for instance, to the microcontroller 100 and the manufacturer. The processing unit 110 also uses, for example, a second encryption key, Key 2, known, for example, only to the microcontroller 100. Keys Key 1 and Key 2 are provisioned, for example, in one or more one-time programmable memories (OTPs), not shown, of the microcontroller 100. These keys are then copied, for example, into volatile memory 122.
[0054] The encryption / decryption unit 120 is, for example, composed of a decryption unit dedicated to decryption and an encryption unit dedicated to encryption. The encryption / decryption unit 120 uses an algorithm to perform data encryption or decryption operations. This algorithm is, for example, a block cipher and decryption algorithm such as AES, RSA, ECC, a symmetric or asymmetric key algorithm, SM4, and GOST R 34.12-2015, or a stream cipher.
[0055] A block cipher / decryption system consists of two matched algorithms, one for encryption and the other for decryption. Both algorithms accept two inputs: an input block of size, for example, n = 128 bits, and a key of size 128, 192, or 256 bits; and both produce an output block of n bits. The decryption algorithm is defined as the inverse function of the encryption algorithm.
[0056] In one example, the block cipher and decryption algorithm used is called a "round cipher" or "turn cipher," or a symmetric round cipher and decryption algorithm. The symmetric round cipher and decryption algorithm generally transforms a message consisting of plaintext data with one of the keys Key 1, Key 2, or a secret key, in order to obtain ciphertext data. Encryption and decryption are performed by blocks, or sets, of bits of the data to be encrypted / decrypted.
[0057] The execution of this encryption and decryption algorithm is, for example, an iterative encryption or processing operation. This iterative processing consists of applying one or more successive mathematical and / or logical operations to the plaintext data and to the key Key 1 (respectively Key 2), over several iterations. For example, these operations are applied over a number N of iterations.
[0058] The encryption and decryption algorithm may, for example, begin with an optional initialization step, allowing the data and key to be prepared for the steps following. For example, the initialization step can be a first step of masking the data to be encrypted.
[0059] At each turn, a subkey, also called a turn key or round key, is first calculated or generated from the secret Key 1 (respectively Key 2) or the subkey of the previous turn. The set of mathematical and / or logical operations applied to the key or subkey at each turn is called the key path. This subkey is then used to transform or encrypt the data.
[0060] To encrypt the data, a set of mathematical and / or logical operations are applied to the data, or to the encrypted data from the previous turn, at each turn, using the key Key 1 (respectively Key 2), or the subkey. The set of mathematical and / or logical operations applied at each turn to the data, or to the encrypted data, is called the data path. The set formed by the key path and the data path is then called the turn function of the encryption and decryption algorithm.
[0061] At the end of each iteration, we thus obtain encrypted data with the subkey. This encrypted data is then reinjected into the processing or encryption process, thereby serving as input data for the next iteration function. Similarly, each new subkey is reinjected at the output of each iteration to generate the subkey for the following iteration.
[0062] After the number N of turns, the numerical data obtained by the last application of the turn function constitutes the final numerical data.
[0063] In other words, the block cipher algorithm or process includes, for example, successively: - an initialization step; - a first round, during which the round function is applied to the data and to the key Key 1 (respectively Key 2); - a certain number of intermediate iterations (N-2 iterations for example), for each of which a new subkey is calculated, and during which the iteration function is applied to the encrypted data and to the subkey resulting from the application of the function in the previous iteration; and - a final round, at the end of which the processing of the last encrypted data, by a final application of the round function, leads to obtaining the final encrypted data.
[0064] The number N of rounds is also called the number of iterations. This number N of rounds generally depends on the encryption algorithm used, and on the size of the secret key Key 1 (respectively Key 2).
[0065] The turn function, applied to each turn, consists, for example, of substitution, row shift, and column shuffle operations followed by a combination (for example, an exclusive OR) with the subkey of the turn in question. This turn function typically aims to obtain an algorithm with confusing properties (i.e., the most complex possible relationship between the secret key and the plaintext message) and diffusive properties (i.e., the dissipation, in the statistics of the ciphertext message, of statistical redundancy in the plaintext message). The algorithm may also include secondary masking operations to add a layer of protection to the data to be encrypted during the application of the turn function.
[0066] The algorithm used is, for example, an AES-type decryption and encryption algorithm (e.g., with GCM, ECB, CTR, CCM, CBC, or other mode), RSA, ECC, a symmetric or asymmetric key algorithm, SM4, GOST R 34.12-2015, or a stream cipher algorithm, or even includes hash-type functions.
[0067] The encryption / decryption unit 120 is for example connected to bus 140.
[0068] In the example shown, the encryption / decryption unit 120 is, for example, connected to the processing unit 110 via one or more control registers 160. In one example, an intermediate bus 162 connects the control register(s) 160 to the encryption / decryption unit 120. In another example, a further intermediate bus 170 connects the control register(s) 160 to the processing unit 110. The contents of the control registers 160 allow, for example, for a SAES (Secure AES) accelerator, the selection of the key source (internal to the microcontroller or provided by the user), the specification of the number of padding bytes for the last block, the selection of the key size, the activation of DMA coupling on the input and / or output, and the selection of the current mode (encryption, decryption, or derivation). key), choose the AES chaining mode (ECB, CBC, GCM, CCM, ...), change the current phase (initialization phase, header phase, payload phase, or final phase). In an example, the encryption / decryption unit 120 is also directly connected to the processing unit 110 by one or more buses 170, 172, 173, 174.
[0069] The processing unit 110 has, for example, access to the control registers 160 as well as to certain registers of the encryption / decryption unit 120 to initiate encryption or decryption phases implemented by the encryption / decryption unit 120. In one example, the processing unit 110 may have access to other registers from the encryption / decryption unit 120 (status, Data in, Data out, Key registers, IV registers, ...).
[0070] In the example shown, the encryption / decryption unit 120 is connected to a memory, for example memory 152 and / or memory 122. More particularly, the encryption / decryption unit 120 is connected to memory locations or elements 153, 154, of memory 152 respectively via buses 128 and 129. Memory location 154, for example, is dedicated to storing encrypted data, such as a program to be downloaded, with the encryption / decryption algorithm and the key Key 1, coming from outside the microcontroller 100. Memory location 153, for example, is dedicated to storing encrypted data, with the encryption / decryption algorithm and the key Key 2, coming from the encryption / decryption unit 120.
[0071] In the example shown, the microcontroller 100 is configured to receive encrypted data, for example for an update download operation, from a memory location 134 (Encrypted data W / Key 1), external to the microcontroller 100, for example located at the manufacturer's premises. The memory location 134 is configured, for example, to store encrypted data obtained after encrypting plaintext data stored in a memory location 132 (CLEAR DATA). The algorithm used to encrypt the data stored in memory location 132 is the same encryption / decryption algorithm as that used by the encryption / decryption unit 120 and uses, for example, Key 1.
[0072] In one example, the encryption / decryption unit 120 is connected to the volatile memory 122, for example with buses 126, 144. The volatile memory 122 allows, for example, the data to be temporarily stored in plaintext, as decrypted by the encryption / decryption unit 120, before being re-encrypted by the encryption / decryption unit 120 with the key Key 2.
[0073] [Fig. 2] illustrates in a very schematic way an example of a circuit of the microcontroller or microprocessor 100 of [Fig. 1]. More particularly, [Fig. 2] illustrates an example of the implementation of the encryption / decryption unit 120.
[0074] In the example shown, the encryption / decryption unit 120 comprises a first memory element 254 (encrypted data W / Key 1 register input) and a second memory element 253 (encrypted data W / Key 2 register output). Memory elements 253 and 254 are, for example, registers or buffers.
[0075] Memory element 254 is configured to receive, for example via bus 129, data encrypted with the encryption / decryption algorithm using the key Key 1, which are initially present in memory element 154. Memory element 253 is, for example, configured to receive encrypted data resulting from the encryption of data with the key Key 2. The data passing through memory element 253 is, for example, then stored in memory location 153, for example via bus 128.
[0076] In the example shown, the encryption / decryption unit 120 includes a decryption unit 204 (Context decryption W / Key 1). The decryption unit 204 is, for example, a computing or processing unit dedicated to decryption, or A computing or processing unit, configured to perform decryption or encryption based on a given set of parameters. For example, decryption unit 204 is configured to perform decryption using a block algorithm and the key Key 1.
[0077] Unit 204 and unit 207 are configured with parameters (“context” in English) comprising elements that need to be saved or restored to restart the encryption or decryption process stopped in a later step.
[0078] In an example where the algorithm is of type AES, these parameters each include an identifier of the current iteration of the algorithm and a key associated with said current iteration. In an example where the algorithm is of type AES GCM, the first and second parameters also include parameters "IV", "count", or the result of the calculation of the last preceding block called "GF2Mul".
[0079] The decryption unit 204 is connected to the memory element 254 (encrypted data W / Key 1 register input). The data encrypted with Key 1, for example by the manufacturer, is received by the microcontroller 100 via the memory element 154, for example with an update protocol, and stored in the memory element 254. The encrypted data contained in the memory element 254 is then decrypted, for example block by block, for example following instructions from the processing unit 110 and / or the configuration of the control registers 160, by the decryption unit 204 and stored in a memory element 206 (Decrypted data block output) of the encryption / decryption unit 120. The memory element 206 is, for example, a register or a buffer.
[0080] Memory element 206 is connected for example to memory 122 via bus 126. The decrypted data, i.e. in plain text, is temporarily stored in memory 122.
[0081] The encryption / decryption unit 120 further includes another memory element 208 (Decrypted data block input), for example a register or a buffer, which is connected to memory 122 via an intermediate bus 144, for example. The plaintext data is transferred from memory 122 to the memory element 208 before being erased from memory 122.
[0082] The encryption unit 207 (Context2 encryption W / Key 2) which is connected to the memory element 208. The encryption unit 207 is, for example, a processing unit, or a calculation engine, dedicated to encryption. The encryption unit 207 is, for example, configured to perform encryption using the block cipher and decryption algorithm used by the decryption unit 204, but this time with the second secret key Key 2.
[0083] The encryption unit 207 is for example linked to the memory element 253 (Encrypted data W / Key 2 register output) in which the data encrypted by the encryption unit 207 are stored.
[0084] Memory element 254 is for example connected to the processing unit 110 and / or to the control registers 160 via the intermediate bus 170.
[0085] Memory element 253 is for example connected to the processing unit 110 and / or to the control registers 160 via the intermediate bus 173.
[0086] Memory element 206 is for example connected to the processing unit 110 and / or to the control registers 160 via the intermediate bus 172.
[0087] The memory element 208 is for example connected to the processing unit 110 and / or to the control registers 160 via the intermediate bus 174.
[0088] In one example, data transfers between memory element 254 and decryption unit 204, as well as between encryption unit 207 and memory element 253, are performed block by block, for example, of the size of the blocks used in the encryption / decryption algorithm. Other types of transfer may be implemented, such as a bit stream.
[0089] Not illustrated, other bus master circuits, such as Direct Memory Access (DMA) circuits, can be connected to memory 122 or to memory elements 254, 206, 208 and 253.
[0090] The fact that, in the example of [Fig.2], the decrypted data is momentarily stored in plain text in memory 122, gives potential access by the processing unit 110, or by other bus master circuits, to this sensitive data.
[0091] Even if memory 122 is protected by complex access processes, such as those implemented in the ARM© Trustzone architecture, it is not possible to ensure that no attack will eventually compromise the data stored in clear text, even momentarily, in memory 122.
[0092] In order to overcome these problems, the described embodiments implement an encryption / decryption unit, using a block encryption / decryption algorithm, and comprising a control unit: - dedicated to the encryption / decryption unit; and - configured to prohibit access, for a bus external to the encryption / decryption unit, during data decryption and encryption operations, to the contents of memory elements used to store data decrypted by the encryption / decryption unit.
[0093] The decrypted data is therefore no longer stored in volatile memory 122, which prevents a potential attack to steal sensitive data in plaintext.
[0094] The decrypted data is thus no longer accessible until it is re-encrypted. Memory elements 206, 208 are thus completely isolated from the unit of processing 110, and more generally of any bus master, when the data is in plain text, in other words when the decryption / encryption process is in progress ("chained" in English).
[0095] Figure 3 schematically illustrates an example of a microcontroller circuit of Figure 1 according to one embodiment. More particularly, Figure 3 illustrates one embodiment of the encryption / decryption unit 120.
[0096] The example in [Fig.3] is similar to that in [Fig.2] except that the data decrypted by the decryption unit 204, and present in the memory element 206 during the decryption / encryption process, are no longer stored, even momentarily, in memory 122. The memory elements 206 and 208 of [Fig.3] are thus not connected to memory 122 by buses 126 and 144.
[0097] The encryption / decryption unit 120 of [Fig. 3] further comprises a control unit 350. The control unit 350 is connected, for example, to the memory elements 206 and 208, for example via respective intermediate buses 321 and 322. In one example, buses 321 and 322 are dedicated to the control unit 350 and the memory elements 206 and 208. In other words, buses 321 and 322 are not accessible to bus masters external to the encryption / decryption unit 120.
[0098] In one example, the control unit 350 is dedicated to the encryption / decryption unit 120. In other words, the control unit 350 is, for example, not accessible by a bus master outside the encryption / decryption unit 120, or at least not accessible by bus masters during decryption and encryption operations.
[0099] The control unit 350 is configured for example to prohibit access (dotted lines between the control unit 350 and buses 172 and 174), to buses, or equivalently to their bus masters, for example buses 162, 170, outside the encryption / decryption unit 120, during decryption and encryption operations, to the contents of memory elements 206, 208.
[0100] In other words, once the decryption operations by unit 204 have been initiated, control unit 350 blocks access to memory elements 206 and 208. In other words, when units 204 and / or 207 are running, that is, when they are in chained mode, control unit 350 blocks access to memory elements 206 and 208 until the decryption and encryption processes are complete. For example, in the case of an AES GCM-type algorithm, a tag is provided to indicate authentication.
[0101] Apart from the decryption and encryption operations implemented by the encryption / decryption unit 120, bus masters, for example via the buses 162, 170, 172, 173, 174 can have access to one or more of the memory elements 206, 208, 253 and 254.
[0102] In one example, the control register(s) 160 remain accessible to the processing unit 110, for example, or to bus masters, including during the decryption and encryption operations implemented by the encryption / decryption unit 120.
[0103] In the example shown, memory elements 206, 208, 253 and 254 can be registers capable of containing a word, or a block, of data or a buffer circuit capable of containing several words, or several blocks, of data.
[0104] In one example, the control unit 350 is configured to implement a transfer of decrypted data contained in memory element 206 to memory element 208, for example, during data decryption and encryption operations. This transfer is performed, for example, block by block, word by word, or according to a bit stream. The transfer can also be initiated when one of the memory elements 206 or 208 is full or when it reaches a predetermined or programmable threshold. In another example, the transfer is initiated when a timer expires to signify that the bit stream is complete.
[0105] In one example, the transfer also includes the transfer of blocks or bitstream from unit 204 to unit 207 via memory element 206 and memory element 208.
[0106] In another example, the transfer also includes the transfer of blocks or bitstream from memory element 208 to unit 207.
[0107] In one example, the control unit 350 is entirely formed of a hardware circuit.
[0108] In another example, the control unit 350 consists of a computing unit and a program, isolated in the sense of the ARM® environment for example.
[0109] In one example, the control unit 350 is secure access.
[0110] In one example, the encryption / decryption unit 120 of [Fig.3] is put into works in a secure area of an ARM® environment.
[0111] The example in [Fig.3] prevents sensitive data in plaintext from being found outside the encryption / decryption unit 120 before being encrypted with the key Key 2.
[0112] Figure 4 schematically illustrates an example of a microcontroller circuit of Figure 1 according to one embodiment. More particularly, the example in Figure 3 illustrates one embodiment of the encryption / decryption unit 120.
[0113] The example shown is similar to that of [Fig. 3] except that the encryption / decryption unit 120 is this time composed of a single calculation unit 410 which, depending on a parameter applied by the control unit 350, acts either as the encryption unit 204 or as the decryption unit 207.
[0114] In other words, in the example of [Fig.4], the decryption unit 204 and the encryption unit 207 are part of a single computing unit 410 that can be parameterized by the control unit 350 so that, in a first parameterization mode, the computing unit 410 implements an operation similar or identical to that of the decryption unit 204 of [Fig.3], and that in a second parameterization mode, the computing unit 410 implements an operation similar or identical to that of the encryption unit 207.
[0115] In the example of [Fig.4], the encryption / decryption unit 120 includes two other memory elements 404, 406, which are, for example, secured and accessible only by the control unit 350. The memory elements 404, 406 are, for example, buffers, or registers, or protected memory spaces.
[0116] In the example in [Fig. 4], memory element 404 is configured to store first parameters to be used by control unit 350 to configure calculation unit 410 with the first parameterization mode. Memory element 406 contains second parameters to be used by control unit 350 to configure calculation unit 410 with the second parameterization mode.
[0117] In one example, the first and second parameters include elements that need to be saved or restored to restart the encryption or decryption process stopped in a later step.
[0118] In one example, the first and second parameters are updated at each algorithm round, whether in encryption or decryption.
[0119] In an example where the algorithm is of type AES, the first and second parameters each include an identifier of the current iteration of the algorithm and a key associated with said current iteration. In an example where the algorithm is of type AES GCM, the first and second parameters also include parameters "IV", "count", or the result of the calculation of the last preceding block called "GF2Mul".
[0120] In the example of [Fig.4], the control unit 350 is connected to the calculation unit 410 via a bus 408 for parameterizing the calculation unit.
[0121] The example in [Fig. 4] reduces by half the chip size required for encryption and decryption compared to the example in [Fig. 3], which uses two units, each dedicated to a specific task: decryption for unit 204 and encryption for unit 207. Thus, in the example in [Fig. 4], unit 410 is, for a first block or first bitstream, in a decryption mode, Once this first block is decrypted, unit 410 is configured to be in encryption mode. This cycle repeats until all blocks have been processed.
[0122] Figure 5 represents an example of an operating method for the example of the [Fig.4]
[0123] In a step 502 (Configure context 1 and context 2), during the initialization of unit 410, in order to process a first block, the parameters necessary for the configuration of unit 410 are stored respectively in memory elements 404 and 406.
[0124] In a step 504 (Restore context 1), subsequent to step 502, the parameters from memory element 404 are used by the control unit 350 to parameterize unit 410 in the first parameterization mode, i.e. in decryption mode.
[0125] In a step 505 (Decrypt), for example subsequent to step 504, the block present in memory element 254 is decrypted by unit 410 parameterized in the first parameterization mode and with the key Key 1.
[0126] In step 506 (Update context 1), for example after step 505, the parameters stored in memory element 404 are updated. For example, an indicator of the algorithm's round number or iteration, as well as the round key, are incremented or modified. This update is performed, for example, by control unit 350. If the block being processed is the last, then step 506 is not performed after step 505, but the process proceeds directly to step 507 (Restore context 2).
[0127] In step 507, for example later than step 506, the parameters stored in memory element 406 are used by the control unit 350 to parameterize unit 410 in the second parameterization mode, i.e. in encryption mode.
[0128] In a step 508 (Encrypt), for example subsequent to step 507, the block present in memory element 208 is encrypted by unit 410 parameterized in the second parameterization mode and with the key Key 2. In the case where the block processed is the last, then a step 512 (return output) is carried out, otherwise a step 510 (Update context 2) is implemented.
[0129] In step 510, the parameters stored in memory element 406 are updated. For example, an indicator of the round number or the algorithm's round, as well as the round key, are incremented or modified. This update is performed, for example, by the control unit 350. If the block being processed is not the last, then the next step implemented is step 504, and steps 505, 506, 507, 508, and 510 are chained together until the last block is processed. In the case of the last block processed, step 507 directly follows step 505 and step 512 directly follows step 508.
[0130] In step 512, when the last block has been encrypted in step 508, then an authentication indicator is returned (called a "tag" when the algorithm is AES GCM).
[0131] In one example, a Computation Completion Flag (CCF) is a bit from an Interrupt Status Register (ISR) that is set to 1 when an encryption or decryption operation is complete. This bit can serve as an indicator of the end of encryption or decryption.
[0132] Various embodiments and variations have been described. Those skilled in the art will understand that certain features of these various embodiments and variations could be combined, and other variations will become apparent to those skilled in the art. In particular, the described methods can be applied to the installation or updating of encrypted programs or any action or program requiring decryption followed by encryption.
[0133] Finally, the practical implementation of the described embodiments and variants is within the reach of a person skilled in the art, based on the functional specifications given above. In particular, a person skilled in the art will be able to implement any architecture that prevents access, for a bus external to the encryption / decryption unit 120, during data decryption and encryption operations, to the contents of the memory elements 206, 208 used to store data decrypted by the encryption / decryption unit 120.
Claims
Demands
1. Encryption / decryption unit (120), implementing a block encryption / decryption algorithm, and comprising a control unit (350): - dedicated to the encryption / decryption unit; and - configured to prohibit access, for a bus (162, 170, 172, 174) outside the encryption / decryption unit, during data encryption and decryption operations, to the contents of memory elements (206, 208) used to store data decrypted by the encryption / decryption unit (120).
2. Encryption / decryption unit according to claim 1, wherein the control unit (350) is configured to implement a transfer of said decrypted data between a first memory element (206) and a second memory element (208) during said data decryption and encryption operations.
3. Encryption / decryption unit according to claim 1 or 2, wherein the encryption / decryption unit (120) comprises a decryption unit (204) configured to decrypt, with said algorithm, blocks of first data, the decrypted blocks being stored in the first memory element (206).
4. Encryption / decryption unit according to claim 3 in its dependence on claim 2, wherein said transfer is carried out block by block or set of blocks by set of blocks.
5. Encryption / decryption unit according to claim 3 in its dependence on claim 2, wherein said transfer is carried out using a bitstream.
6. Encryption / decryption unit according to any one of claims 3 to 5, wherein the encryption / decryption unit (120) comprises an encryption unit (207) configured to encrypt, with said algorithm, all or part of the data contained in the second memory element (208).
7. Encryption / decryption unit according to claim 6, wherein: - the decryption unit (204) uses, for decryption, a first encryption and decryption key; and - the encryption unit (207) uses, for encryption, a second encryption and decryption key, different from the first key.
8. Encryption / decryption unit (120) according to any one of claims 6 or 7 in its dependence on claim 6, wherein the decryption unit (204) and the encryption unit (207) are part of the same computing unit (410) configured to be parameterized by the control unit (350) such that, in a first parameterization mode, the computing unit (410) implements the decryption unit (204), and in a second parameterization mode, the computing unit (410) implements the encryption unit (207).
9. Encryption / decryption unit (120) according to the preceding claim, wherein the encryption / decryption unit (120) comprises a third and fourth secure memory elements (404, 406), accessible only by the control unit (350).
10. Encryption / decryption unit (120) according to the preceding claim, wherein: - the third memory element (404) includes first parameters intended to be used by the control unit (350) to configure the calculation unit (410) with the first configuration mode; and - the fourth memory element (406) includes second parameters intended to be used by the control unit (350) to configure the calculation unit (410) with the second configuration mode.
11. Encryption / decryption unit (120) according to claim 10, wherein the control unit (350) is configured to, at each iteration of the block algorithm: - set the arithmetic unit (410) with said first parameters so that portions of data are decrypted and stored in the first memory element (206); - then transfer these decrypted portions of data from the first memory element (206) to the second memory element (208); then - update the first parameters; - set the arithmetic unit (410) with said second parameters so that the decrypted and stored in the second memory element (208), are encrypted; then - Update the second set of parameters.
12. Encryption / decryption unit (120) according to claim 11, wherein said first and second parameters each comprise an identifier of the current round of the algorithm and a round key associated with said current round.
13. Encryption / decryption unit (120) according to any one of claims 1 to 12, wherein: - said algorithm is an AES, RSA, ECC type algorithm, a symmetric or asymmetric key algorithm, SM4, GOST R 34.12-2015, or a stream cipher algorithm; or - the control unit (350) is entirely formed of a hardware circuit; or - the control unit (350) consists of an isolated computing unit and program; or - the encryption / decryption unit (120) is secure access; or - the control unit (350) is secure access; or - the blocks implemented by the algorithm have a size of 64 or 128 bits; or - the encryption / decryption unit (120) is implemented in a secure area of the ARM® environment; or - the initial data is stored in non-volatile memory; or - the data encrypted by the encryption unit (207) is stored in non-volatile memory (253); or - said bus is connected to a microprocessor (CPU), external to the encryption / decryption unit, for example via one or more control registers (160); or - apart from the said decryption and encryption operations, access, for the said bus, to the content of the said memory elements (206, 208) used to store data decrypted by the encryption / decryption unit (120), is authorized; Or - the encryption / decryption unit (120) is connected to a microprocessor (CPU), external to the encryption / decryption unit and to which said bus is connected; or - the encryption / decryption unit (120) is connected to a bus master (CPU), external to the encryption / decryption unit and to which said bus is connected; - the encryption / decryption unit (120) is arranged in a microcontroller (100) comprising a microprocessor (CPU), external to the encryption / decryption unit and to which said bus is connected; - the encryption / decryption unit (120) is connected to a microprocessor (CPU), external to the encryption / decryption unit and to which said bus is connected, for example, via one or more control registers (160); or - the encryption / decryption unit (120) is arranged in a microprocessor and connected to a bus master (CPU), external to the encryption / decryption unit, and to which said bus is connected.
14. Method of operating an encryption / decryption unit (120) according to any one of claims 1 to 13, the method comprising prohibiting access, for a bus (162, 170, 172, 174) external to the encryption / decryption unit (120), during data decryption and encryption operations, to the contents of memory elements (206, 208) used to store parts of data decrypted by the encryption / decryption unit; the access prohibition being implemented by a control unit (350) dedicated to the encryption / decryption unit (120).
15. Microcontroller (100) comprising the encryption / decryption unit (120) according to any one of claims 1 to 13; or microprocessor (100) comprising the encryption / decryption unit (120) according to any one of claims 1 to 13.