RU2738585C1 - Method of uncorrected information recording - Google Patents

Abstract

FIELD: information security.

SUBSTANCE: invention relates to information security components and methods of uncorrectable information recording. Recording system comprises main memory (ROM), a general-purpose processor (CPU) and a trusted (secure) microcontroller with cryptographic functional (SCF) and protected memory, cryptographic key carriers (KC) of initiating information exchange, chain record technology during information recording and interactive formation of common signature of registration device and one or more subjects. Uncorrectable registration of information with subsequent confirmation of authenticity of registration device and information exchange subjects, as well as with guarantee of non-repudiation is provided by the fact that registration device sends registered information

in SCF; SCF calculates the footprint

based on the transmitted data and the value

stored in its memory and stores the obtained value; SCF and KC of information exchange subjects jointly and interactively calculate signature

, which is stored in main memory of registration device together with identifiers or public keys

of current subjects, information

and its imprint

.

EFFECT: technical result is providing integrity of registered information.

1 cl, 2 dwg

Description

Technology area

The invention relates to information security components and methods for uncorrected registration of information. More specifically, the present invention describes the use of a chain-writing cryptographic technology for non-correctable registration of information (data, events) in a registration system using a registration means, including a main (generally unprotected) non-volatile memory and a trusted (protected) cryptographic microcontroller, with additional confirmation of the integrity and reliability (authenticity) of the registered data with the cryptographic keys of the registration facility and one or more subjects initiating information exchange.

State of the art

Under the uncorrected registration of information (see the Extract from "Requirements for cryptographic protection of information, designed to ensure the uncorrected registration of information that does not contain information constituting a state secret" for the customers of these tools) means such a method of processing information by the registration tool, the results of which provide:

- registration of information in accordance with the established list;

- identity of the registered information with information intended for registration (formation and (or) recording), storage and (or) transmission;

- Continuity of registration (protection against violation of the sequence of registration of information blocks);

- the possibility of guaranteed detection of the facts of its correction or falsification based on the results of the audit, including the facts of violation of the sequence of registered events (continuous registration);

- the possibility of guaranteed authentication of the registration tool.

Requirements for uncorrected registration of information are imposed, in particular, on tachographic control devices and cash registers. Similar methods can be relevant in the development of medical equipment and in various other systems for recording information (data, events, etc.).

The navigation-cryptographic module (patent RU119193U1) solves, among other things, the technical problem of providing long-term non-correctable non-volatile data storage of hardware systems.

The tachograph (patent RU157697U1) provides continuous, uncorrected registration of information about the speed and route of vehicles, about the mode of work and rest of vehicle drivers. The functionality is provided by a navigation-cryptographic unit, which includes a secure storage device for storing information in an uncorrected form.

Known patent RU162376U1 for a tachograph, which also uses a navigation-cryptographic module for registering information in an uncorrected form

In a digital electronic tachograph (patent RU2567700C1), the registration of information in an uncorrected form is provided by software and hardware (cryptographic) means, called the "SKZI block". The SKZI block stores the so-called "archive of the tachograph SKZI block". The tachograph ensures the integrity and reliability of the information recorded in the tachograph memory in an uncorrected form, based on the use of a qualified electronic signature, as well as the possibility of guaranteed detection of its correction or falsification based on the results of checking the information registered in the tachograph memory. A similar uncorrectable registration of information is described in patent RU2591647C1.

A significant difference and advantage of the proposed invention consists in dividing the memory of the information recording means into the main (in the general case, unprotected) non-volatile memory and the protected memory of a cryptographic microcontroller (hereinafter referred to as ZKM, a protected cryptographic microcontroller) for storing cryptographic keys and sensitive data, while in all In the considered cases, a secure microcircuit is used to store information in an uncorrected form, which imposes significant restrictions on the amount of recorded information or leads to a significant increase in the cost of the device. In addition, the description of these utility models and inventions does not imply the possibility of guaranteed authentication of the registration medium.

The closest to the present invention is a useful model of the cryptographic fiscal drive RU191278U1, which solves the technical problem of long-term uncorrected storage of data in non-volatile memory using an array of individual cryptographic protection means formed for each document, called the fiscal attribute of the document (FDF). The FPD is formed by a cryptographic coprocessor using a cryptographic transformation algorithm and is applied to the data of the cash document, the current time and the end-to-end incremental number of the current package.

A significant difference of the proposed invention is the use of chain recording technology instead of taking into account the end-to-end incremental packet number, which ensures the consistency of the sequence of records (that is, even if the attacker managed to successfully “forge” the cryptogram of one of the records, the error will affect all subsequent records).

In addition, the disadvantage of all the described utility models and patents is the exclusion of the subject of information exchange (in the case of a tachograph, the driver of a vehicle) from the process of registering events (information). Thus, there is no explicit binding of the registered events to the subject (or subjects) that initiated the information exchange. This can complicate the analysis of conflict situations and complicates the assignment of legal significance to the registered information.

A significant difference and significant advantage of the present invention is the interactive participation in the registration process of subjects of information exchange, the authenticity of which is also confirmed in the process of the subsequent verification of the incorrigibility. The formation of authenticating cryptograms (common signature) takes place with the direct participation of both the registration means and the key carriers of the subjects - which guarantees their activity at the time of registration of the event.

The method of using a cryptographic key in the present invention is based on mechanisms similar to those described in patent RU2417410C2. A significant difference of the present invention is that initially there is no common key of the system participants, and the signature generation / verification key is generated dynamically and can change depending on the subjects initiating information exchange in the registration system.

The objectives of the present invention are:

- an increase in the amount of information recorded and stored in an uncorrected form;

- increasing information security and stability of the system through the use of cryptographic keys of the registration means and subjects of information exchange;

- increasing the cryptographic strength, and therefore confidence in the information integrity control system through the use of the chain recording mechanism;

- the possibility of giving legal significance to the registered information;

the ability to authenticate the registration tool;

- the ability to authenticate subjects who initiated information exchange (information registration process);

- non-repudiation for subjects of information exchange from the fact of participation in the process of registration of information.

Disclosure of invention

The main technical result to be achieved by the claimed invention is to guarantee the integrity of the registered information, unambiguous detection of the facts of modification of the registered information (deletion, addition, change, violation of the registration sequence, etc.), the possibility of authentication of the registration means and subjects that initiated the information exchange, a guarantee of the impossibility of registering information without the direct participation of the subjects of information exchange and, as a result, non-repudiation and the possibility of giving legal significance to the registered information.

The claimed technical result is achieved due to the use in the registering system of a registration tool (see Fig. 1) containing main memory (ROM), a general-purpose processor (CPU) and a trusted (protected) microcontroller with cryptographic functionality (ZKM) and protected memory, cryptographic key carriers (hereinafter referred to as CC) of subjects initiating information exchange, chain recording technologies when registering information and interactively generating a common signature of the registration facility and one or more subjects.

Note that in the general case, a registration system can include more than one registration means, and subjects of information exchange can initiate registration of information with different registration means. In addition, both a single device and a system of components can be a means of registration: for example, a remote server can be used as a ROM.

For a specific implementation, it is required to select a keyless fingerprint algorithm (for example, a hashing algorithm) and an electronic signature algorithm that allows for joint interactive signature generation by several participants. Examples of such an electronic signature algorithm are the well-known elliptic curve signature algorithms (ECDSA, GOST R 34.10-2012 and others). The specific implementation will be discussed below.

We will call the main memory of the recording means its unprotected non-volatile memory (ROM, read-only memory), and the protected memory is the memory of the ZKM.

In specific implementations, the division into main and protected memory may be logical rather than physical. That is, the ROM can be a protected memory, and also the memory of the same trusted microcontroller that is used as the ZKM can be used as a ROM.

Let B = H (k) denote the function that calculates the footprint for some row k. To increase the cryptographic strength of the system, the important properties of this function should be the complexity of searching for preimages and resistance to collisions. However, in a number of applied cases, these properties can be abandoned. Moreover, in some cases it is even possible to use the trivial function H (k) = k.

Let f (E, B) denote a function on the set of strings. In some cases, it is permissible to use the function f (E, B) = f (E), that is, with a dependence only on the first argument.

Let S (a, K _u , K _{s (1)} , K _{s (2)} , ..., K _{s (m)} ) be the joint signature of the registration facility and subjects of information exchange under row a, where K _u is the key (key pair) registration means stored in the ZKM, K _{s (1)} , K _{s (2) ...} , K _{s (m)} - keys (key pairs) of subjects of information exchange, stored in their CN.

At the moment of initialization (before the start of operation) or reinitialization (with archiving of the previous data) of the registration facility, the byte-string B _{0 is} written to its main memory, as well as to the protected memory of the ZKM. This value may depend on the device parameters (for example, B ₀ = H (N _r || N _k ), where N _r is the serial number of the registration tool, and N _k is the serial number of the ZKM, || - here and below means concatenation, then there is a sequential write of byte-lines) or set randomly.

Let E ₁ ,…, E _n be a sequence of string descriptions of the registered information (events, data, etc.).

Then B ₁ = H (f (E ₁ , B ₀ )),…, B _{i + 1} = H (f (E _{i + 1} , B _i )),…, B _n = H (f (E _n , B _n-1 )). That is, B ₀ , B ₁ , ..., B _n is a chain recording of fingerprints of the registered information. The last value of B _n is stored in the protected memory, and the initial value of B ₀ must be stored in the main memory, and both all and part of B _i can be stored, depending on the limitations on the volume of the main memory. If the value of B _{0 is} unambiguously calculated from some known parameters of the registration tool or is stored in an external database available for further verification, then its explicit storage is not necessary.

Uncorrected registration of information with subsequent confirmation of the authenticity of the registration facility and subjects of information exchange, as well as with a guarantee of non-repudiation, is ensured by the fact that the registration facility submits the registered information E _n to the ZKM; ZKM calculates the fingerprint B _n = H (f (E _n , B _n-1 )) based on the transmitted data and the value of B _n-1 stored in its memory, and stores the received value; ZKM and KN of subjects of information exchange together and interactively calculate the signature S _n = S (B _n, K _u , K _{s (1)} ⁿ , K _{s (2)} ⁿ , ..., K _{s (m)} ⁿ ), which is stored in the main memory of the registration facility together with the public keys of current subjects K _{s (j)} ⁿ , information E _n and its fingerprint B _n .

Additionally, you can save the values of K _{s (i)} ⁿ and S _n in the ZKM, overwriting them in subsequent calculations.

For ease of description, but without limiting the generality, consider a specific example for one subject of information exchange (Fig. 2).

In a preferred embodiment, string concatenation (f (E, B) = E || B) is used as the function f, the hashing algorithm GOST R 34.11-2012, 256 bits (hereinafter referred to as G3411) is used to calculate the fingerprints, and the algorithm is used to calculate the signature electronic signature GOST R 34.10-2012, 256 bit.

Let (d _u , Q _u ) be a key pair of registration means. The private key d _u is stored in the ZKM, and the key Q _u is known to the system participants.

Let (d _s ⁱ , Q _s ⁱ ) be the key pair of the subject that initiates the information exchange and registration of events at the i-th step. The private key d _s ⁱ is stored on the CN of the subject, and the key Q _s ⁱ is not a secret.

Let (p, q, P) be the parameters of the GOST R 34.10-2012 algorithm.

The following protocol is used for uncorrected registration of E _n .

1. The registration tool transmits E _n to the ZKM.

2. ZKM calculates and stores B _n = G3411 (E _n || B _n-1 ).

3. ZKM chooses a random number k _u satisfying the inequality 0 <k _u <q, then calculates the point of the elliptic curve R _u = k _u P.

4. ZKM transfers R _u and B _n to the registration facility (to the CPU).

5. The registration tool transfers B _{n to the} subject of information exchange (in his CN).

6. The CN of the subject chooses a random number k _s satisfying the inequality 0 <k _s <q, then calculates R _s = k _s P (mod q) and transmits R _s to the registration facility.

7. The registration means calculates using the CPU R = R _u + R _s .

8. The value r = x _G (R) (the first coordinate of the point R) is transmitted to the ZKM and KN.

9. ZKM and KN independently calculate the values s _u = rd _u + k _u B _n (mod q) and s _s = rd _s ⁿ + k _s B _n (mod q) and transmit them to the CPU of the registration means.

10. The logger CPU computes s = s _u + s _s (mod q).

Further, the registration means stores together with E _{n the} obtained signature S _n = (r, s) and the key Q _s ⁿ or the subject identifier.

The pair (r, s) is the signature of GOST R 34.10-2012 to the message (E _n || B _n-1 ) on the key (d _u + d _s ⁿ , Q _u + Q _s ⁿ ) - that is, it is not required to check it knowledge of no secret data, only the public keys of the registration facility and the subject of information exchange. In this case, to calculate the signature, either knowledge of both values of the private keys or their sum is required.

In addition, the registration tool and the subject of information exchange interactively participate in the signature generation protocol, therefore, delayed generation of such a signature is impossible (with time-spaced receipt of parts of the signature from the registration tool and the subject of information exchange).

To check the uncorrected sequence E ₁ , ..., E _{n of the} registered information, the following are required:

- initial value B ₀ ;

- signature S _n under B _n - the last fingerprint of the chain of events (information);

- public key of the registration facility Q _u ;

- identifier or public key Q _s ^{n of the} subject who initiated the last information exchange.

The system for checking the registration incorrigibility (hereinafter - SPN) sequentially calculates the chain of fingerprints B ₁ , ..., B _n , and then verifies the signature S _n under the value B _n on the public key Q = Q _u + Q _s ⁿ . Additionally, the SPN can check the coincidence of the calculated value B _n with the value stored in the PCS. Storing only the subject's identifier is possible if the SPN independently stores the public key database.

A successful check means that the recorded sequence of events is incorrect. If the value of B _n , calculated by the SPN, did not coincide with the value in the ZKM memory, then this indicates a violation of the integrity of the registered events. If the check B _n was successful, and the signature was not correct, then this indicates a violation of the authenticity.

In the case of participation in the information exchange of several subjects, the registration tool conducts similar exchanges in parallel with each of the subjects (sequential transmission is technically possible, but from the point of view of logical processing, this does not matter), and at step 7, R = R _u + R _{s (1 )} +… + R _{s (n)} , and at step 10 s = s _u + s _{s (1)} +… + s _{s (n)} (mod q) is calculated. Accordingly, simultaneously with the signature, it is necessary to store the identifiers or public keys of all subjects participating in the signing, or the common public key Q = Q _u + Q _{s (1)} ⁿ + ... + Q _{s (m)} ⁿ .

Note that this type of verification does not make it possible to unambiguously determine at what moment the failure occurred and which event was incorrectly registered.

For a more accurate diagnosis and simplification of the analysis of conflict situations, it is necessary to store intermediate signatures S _i and the corresponding public keys of subjects Q _{s (j)} ⁱ - either for all i from 1 to n, or only a part of them (the choice depends on the balance required in the information system between the accuracy when parsing conflict situations and restrictions on the amount of used non-volatile memory). At the same time, it is reasonable to store intermediate values of S _i in the main memory of the recording means, and the last (at the current moment) value can be additionally duplicated in the memory of the PCS. As in the general case, the last value of the fingerprint B _n is stored in the protected memory, and the initial value of the fingerprint B ₀ (or data for calculating it) must be stored in the main memory, and both all or some of the fingerprints B _i can be stored, depending on restrictions on the amount of main memory.

A method is possible that includes an additional check (for each registration action, periodic or selective, on conditions determined by a specific information system) of the previous signature by the subjects of information exchange before the formation of a common signature. That is, before the start of signature generation, the registration means transfers to the subject (s) of information exchange the previous value of the fingerprint B _n-1 , the signature S _n-1 under it and the public key Q = Q _u + Q _{s (1)} ^n-1 + ... + Q _{s (m)} ^n-1 . The subject (subjects) of information exchange verifies the signature, and only after that participates in the process of forming the next signature. Thus, each subsequent subject confirms the authenticity of the previous one, which makes it possible to give legal significance to the registered information.

Also, such a check can be performed by the ZKM or even the CPU of the registration tool.

As mentioned above, such a check can be performed either every time a general signature is formed, or periodically (once for a certain, fixed, number of general signatures), or selectively on conditions determined by a specific information system. The condition can be the registration of an event of a given type. For example, when registering events that are assessed as critical within a specific implementation, such an additional check enhances the information security of the system due to additional control of the integrity of previously recorded data. Another approach is also possible: when registering critical events, this check is skipped to reduce the system response time, and during subsequent operations the check is performed.

In addition, it is possible to independently calculate B _{n by the} subjects of information exchange - that is, at step 5, the registration means transfers E _n and B _{n-1 to the} subjects of information exchange, after which the cryptographic devices of the subjects calculate B _n = G3411 (E _n || B _n-1 ) and put their signature under it.

Note that various methods for selecting the initial value B ₀ , modifying the method for calculating B _n , the frequency and conditions for generating a signature when registering information, the frequency and conditions for adding verification of the previous signature by subjects of information exchange and / or registration means, the possibility of storing additional data in the ZKM, adding format-logical control of information E _n or previously registered information, the use of various versions of the ROM of the registration means, the choice of certain software / hardware / software and hardware means of information protection as the ZKM and / or KN, as well as the choice of those or other, different from the mentioned, cryptographic transformations do not change the essence of the invention.

A person skilled in the art will appreciate that as technology advances, the basic idea of the invention can be implemented in various ways. Therefore, the invention and its embodiments are not limited to the aforementioned examples, but they may vary within the scope defined by the claims.

Implementation of the invention

This invention can be implemented using as a means of registration - a computer program that implements cryptographic algorithms, for example, using the open source library OpenSSL, and as a protected microcontroller and key carrier of the subject of information exchange - microprocessor devices (smart cards, sim cards, usb tokens, etc.). At the same time, as shown above, the Russian standard GOST R 34.10-2012 can be used as an electronic digital signature algorithm, and GOST R 34.11-2012 can be used as a hashing algorithm to implement the chain recording mechanism.

Brief Description of Drawings

FIG. 1. General diagram of the registration system components

FIG. 2. Protocol for interactive calculation of the total signature of the registration facility and the subject of information exchange

Claims (2)

1. A method of uncorrected registration of information, characterized in that: the non-volatile memory of the registration means is divided into the main memory of the device and the protected memory of the cryptographic microcontroller; cryptographic keys of registration means and subjects, one or more, initiating information exchange are used; the integrity of information is ensured by a chain recording mechanism with the storage of intermediate information prints in protected memory; the authenticity of information, registration means and subjects of information exchange is confirmed by an electronic digital signature generated jointly and interactively by a cryptographic microcontroller of the registration tool and cryptographic devices of subjects of information exchange; the main memory is used for storing the registered information, in which all or part of the intermediate fingerprints of the chain recording and signatures can also be stored; the protected memory stores cryptographic keys, sensitive data, the last fingerprint value of the chain record, and, if necessary, the last signature value. 2. The method according to claim 1, characterized in that before the formation of the common signature, the registration means and / or subjects of information exchange, all or part of them, additionally check the previous stored signature, and the check can be performed for each common signature or selectively on the conditions defined by a specific information system.

Images