ds.ov2.front
Class RSA_data

java.lang.Object
  ds.ov2.front.RSA_data

public class RSA_data
extends Object

Data structures for the OV-chip RSA applet. Together with precisely one of RSA_plain_card or RSA_mont_card this class implements the protocols for the RSA applet. With RSA_plain_card it yields the plain RSA applet, with RSA_mont_card it yields the Montgomerizing RSA applet. This class contains the static and some transient data. Some other data and the methods are in RSA_plain_card and RSA_mont_card. The distribution of the data between this class and RSA_plain_card/RSA_mont_card is very simple: All variables that take part in the communication with the host are in this class, the remainder is in RSA_plain_card/RSA_mont_card. Therefore the host driver only has to include this class but not RSA_plain_card or RSA_mont_card.

For the RSA applet there are three sizes of bignats: short ones, double short ones and long ones. The short bignats appear in the exponents, they should be 100-200 bits long. The short bignats are never combined with Montgomery multiplication, they therefore never contain Montgomery digits. The long bignats are the bases, the blinding and the modulus. They should be 1000-2000 bits long. The long bignats are combined with Montgomery multiplication. They must therefore always have two leading zero digits (i.e., two leading zero bytes or shorts), the Montgomery digits. Some computations with the exponent numbers have intermediate results of the double size. For these there is one variable of double short length (200-400 bits).

The applet is always in one of four states, see state:

UNALLOCTED

After applet installation until the allocate protocol (RSA_squared_card.allocate(short, short, short, short)) is run. In this state only the allocate protocol is enabled. All other entries are null in Front_protocols in this state.

UNINITIALIZED

After the allocate protocol (RSA_squared_card.allocate(short, short, short, short)) finished and before the initialize protocol (RSA_squared_card.initialize()) is run. In this state only the initialize protocol is enabled. From this state on all protocols are represented with non-null references in Front_protocols. In this state all other protocols beside initialize are disabled with ASSERT.

INITIALIZED

After the initialize protocol until the first resign protocol. In this state the applet is fully initialized but has a blinding that the host knows. Therefore the applet waits for the first resign protocol run which must be part of the personalization procedure. In this state only the resign protocol is enabled. All the other protocols are disabled with ASSERT.

BLINDED

After the first resign protocol until the applet is deinstalled. In this state only the proof and resign protocols are enabled. The other ones are disabled with ASSERT.

The debug protocols contain a reset protocol that in any state can reset the applet to the UNALLOCTED state. For Java Cards the use of reset will lead to uncollected garbage on the card (the reset protocol has been implemented for the phone).

CPP Preprocessing

This class uses the following cpp defines: PACKAGE, PUBLIC, HOST_TESTFRAME, DIGIT_TYPE, JAVACARD_APPLET

Execution Environment:

host, card

Author:

Hendrik Tews

Version:

$Revision: 1.25 $

Last Commit:

$Date: 2010-02-16 10:26:08 $ by $Author: tews $

Field Summary

(package private) APDU_byte	applet_id Applet identification.
short	attribute_length The number of attributes this card possesses.
Vector	base_factors Base factors needed for Vector.exponent_mod.
Vector	bases Bases.
static short	BLINDED State constant for the state BLINDED, value 3.
Vector	current_attributes Current attributes.
Bignat	current_blinded_a Current blinded attribute expression.
Bignat	current_blinding Current blinding.
Signature	current_signature Current signature on the current blinded attribute expression.
(package private) Bignat	gamma_beta_3 Beta_3 and gamma.
(package private) Bignat	host_alpha Host commitment alpha for the signature protocol.
(package private) Bignat	host_response Host response r for the signature protocol.
static short	INITIALIZED State constant for the state INITIALIZED, value 2.
static byte	INVALID_APPLET_ID Invalid applet identification constant, with value 0.
byte	mod_first_digit_mask Digit mask of the most significant byte of the modulus n.
static byte	MONT_RSA_APPLET Montgomerized RSA Applet identification constant, with value 3.
Bignat	montgomerized_one Montgomerized 1.
(package private) Vector	montgomery_corrections Montgomery correction factors.
Modulus	n The RSA parameter n.
Vector	new_attributes New attributes.
Bignat	new_blinded_a New blinded attribute expression.
Bignat	new_blinding New blinding.
Signature	new_signature New signature on the new blinded attribute expression.
static PrintWriter	out Debug printer.
static byte	PLAIN_RSA_APPLET Plain RSA Applet identification constant, with value 2.
Bignat	ptls_key The public key of service provider.
(package private) Vector	remainders Remainders vector.
(package private) Bignat	result Temporary result.
(package private) Bignat	sig_remainder Remainder c in the signature protocol.
static byte	SQUARED_RSA_APPLET Squaring RSA applet identification constant, with value 4.
static byte	SQUARED4_RSA_APPLET Square 4 RSA applet identification constant, with value 5.
short	state State field.
static short	UNALLOCTED State constant for the state UNALLOCTED, value 0.
static short	UNINITIALIZED State constant for the state UNINITIALIZED, value 1.
Bignat	v The RSA parameter v.
byte	v_first_digit_mask Digit mask of the most significant byte of v.

Constructor Summary

RSA_data()
Nonallocating constructor.

Method Summary

void	allocate(short short_bignat_size, short long_bignat_size, short attribute_length, short mont_correction_len, byte applet_id) Allocate all data and initialize all aliases.
Bignat	get_montgomery_correction(short factors) Return the Montgomery correction factor for factors factors.
void	set_blinding(Bignat beta) Set beta.
void	set_current_blinding() Set current blinding.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

INVALID_APPLET_ID

public static final byte INVALID_APPLET_ID

Invalid applet identification constant, with value 0.

See Also:

Constant Field Values

PLAIN_RSA_APPLET

public static final byte PLAIN_RSA_APPLET

Plain RSA Applet identification constant, with value 2.

See Also:

Constant Field Values

MONT_RSA_APPLET

public static final byte MONT_RSA_APPLET

Montgomerized RSA Applet identification constant, with value 3.

See Also:

Constant Field Values

SQUARED_RSA_APPLET

public static final byte SQUARED_RSA_APPLET

Squaring RSA applet identification constant, with value 4.

See Also:

Constant Field Values

SQUARED4_RSA_APPLET

public static final byte SQUARED4_RSA_APPLET

Square 4 RSA applet identification constant, with value 5.

See Also:

Constant Field Values

applet_id

APDU_byte applet_id

Applet identification. Initialized in allocate(short, short, short, short, byte).

UNALLOCTED

public static final short UNALLOCTED

State constant for the state UNALLOCTED, value 0. See the applet state description.

See Also:

Constant Field Values

UNINITIALIZED

public static final short UNINITIALIZED

State constant for the state UNINITIALIZED, value 1. See the applet state description.

See Also:

Constant Field Values

INITIALIZED

public static final short INITIALIZED

State constant for the state INITIALIZED, value 2. See the applet state description.

See Also:

Constant Field Values

BLINDED

public static final short BLINDED

State constant for the state BLINDED, value 3. See the applet state description.

See Also:

Constant Field Values

state

public short state

State field. Holds one of the state constants. See the applet state description.

n

public Modulus n

The RSA parameter n. Product of two primes and modulus for all the computations. Initialized once during the personalization of the applet.

This modulus contains a long Bignat.

mod_first_digit_mask

public byte mod_first_digit_mask

Digit mask of the most significant byte of the modulus n. For generating random numbers less than n.m we need a mask for the most significant byte in n.m. The mask will mask everything above the most significant bit in n.m. Initialized once during personalization of the applet (in RSA_plain_card.initialize()/RSA_mont_card.initialize()).

Has type DIGIT_TYPE.

v

public Bignat v

The RSA parameter v. Prime and coprime to phi(n), where phi is Eulers phi function. It will always be aliased in current_attributes[attribute_length] and new_attributes[attribute_length].

This is a short Bignat.

v_first_digit_mask

public byte v_first_digit_mask

Digit mask of the most significant byte of v. Needed for generating random numbers less then v. Initialized once during personalization of the applet (in RSA_plain_card.initialize()/RSA_mont_card.initialize()).

Has type DIGIT_TYPE.

ptls_key

public Bignat ptls_key

The public key of service provider. PTLS stands for Public Transport Logistics Services. The key equals x^v, where x is the unknown private key.

This is a long Bignat.

attribute_length

public short attribute_length

The number of attributes this card possesses. Many arrays have size attribute_length + 1 to accomodate for the blinding. But there are also exceptions: remainders has only size attribute_length.

bases

public Vector bases

Bases. The bases g_1 .. g_n are stored in bases[0] to bases[n-1], where n is the number of attributes (see attribute_length). bases[attribute_length] is always an alias to either the current blinding current_blinding or the current beta. There is no guarantee on what is contained in bases[attribute_length], so always set it before use with either set_current_blinding() or set_blinding.

bases has length attribute_length + 1. It is filled with long Bignats.

base_factors

public Vector base_factors

Base factors needed for Vector.exponent_mod. The array contains the products of all possible combinations of the bases in montgomerized form with one exception: the empty product is not contained. See also Host_vector.make_montgomerized_factors.

These factors are only needed in the Montgomerizing applet, therefore, the length of this array is 1 on the plain applet (zero-length vectors do not exists, see the Bignat_array constructor). On the Montgomerizing applet the length is 2^attribute_length -1. The array contains long bignats.

current_attributes

public Vector current_attributes

Current attributes. Index attribute_length is always an alias of v.

At the end of the resign protocol the current_attributes and the new_attributes are atomically swapped. This is done by exchanging the two references in a transaction, see RSA_plain_card.switch_to_new_attributes and RSA_mont_card.switch_to_new_attributes.

Length attribute_length + 1. Filled with short bignats.

new_attributes

public Vector new_attributes

New attributes. The new attributes are obtained at the beginning of the resign protocol. Because the resign step can fail we have to build up the new attributes in a different place.

Index attribute_length is always an alias of v.

At the end of the resign protocol the new_attributes and the current_attributes are atomically swapped. This is done by exchanging the two references in a transaction, see RSA_plain_card.switch_to_new_attributes and RSA_mont_card.switch_to_new_attributes.

Length attribute_length + 1. Filled with short bignats.

current_blinding

public Bignat current_blinding

Current blinding. Sometimes aliased in bases[attribute_length].

At the end of the resign protocol the current_blinding and the new_blinding are atomically swapped. This is done by exchanging the two references in a transaction, see RSA_plain_card.switch_to_new_attributes and RSA_mont_card.switch_to_new_attributes.

Long Bignat.

new_blinding

public Bignat new_blinding

New blinding. Chosen in the beginning of the resign protocol when it is still unclear whether resigning will succeed. Sometimes aliased in bases[attribute_length].

At the end of the resign protocol the new_blinding and the current_blinding are atomically swapped. This is done by exchanging the two references in a transaction, see RSA_plain_card.switch_to_new_attributes and RSA_mont_card.switch_to_new_attributes.

Long Bignat.

current_blinded_a

public Bignat current_blinded_a

Current blinded attribute expression. Equals bases^current_attributes, where the current_blinding has been set in bases.

At the end of the resign protocol current_blinded_a and the new_blinded_a are atomically swapped. This is done by exchanging the two references in a transaction, see RSA_plain_card.switch_to_new_attributes and RSA_mont_card.switch_to_new_attributes.

Long Bignat.

new_blinded_a

public Bignat new_blinded_a

New blinded attribute expression. Computed during the resign protocol when it is not yet clear whether the resigning will succeed. Equals bases^new_attributes, where the new_blinding has been set in bases.

At the end of the resign protocol new_blinded_a and the current_blinded_a are atomically swapped. This is done by exchanging the two references in a transaction, see RSA_plain_card.switch_to_new_attributes and RSA_mont_card.switch_to_new_attributes.

Long Bignat.

current_signature

public Signature current_signature

Current signature on the current blinded attribute expression.

At the end of the resign protocol the current_signature and the new_signature are atomically swapped. This is done by exchanging the two references in a transaction, see RSA_plain_card.switch_to_new_attributes and RSA_mont_card.switch_to_new_attributes.

new_signature

public Signature new_signature

New signature on the new blinded attribute expression. Computed during the resign protocol.

At the end of the resign protocol the current_signature and the new_signature are atomically swapped. This is done by exchanging the two references in a transaction, see RSA_plain_card.switch_to_new_attributes and RSA_mont_card.switch_to_new_attributes.

montgomerized_one

public Bignat montgomerized_one

Montgomerized 1. Needed in the Montgomerizing applet for Vector.exponent_mod.

Long Bignat.

montgomery_corrections

Vector montgomery_corrections

Montgomery correction factors. The correction factor for 2 factors is stored at index 0, for 3 factors at index 1, and so on. The plain RSA applet needs all correction factors for up to 6 factors. See get_montgomery_correction for additional explanations.

Length is determined by the mont_correction_len argument of allocate. For the plain RSA applet the length must be at least 5. Filled with long bignats.

host_alpha

Bignat host_alpha

Host commitment alpha for the signature protocol. Not used during the proof protocol.

Long bignat.

host_response

Bignat host_response

Host response r for the signature protocol. Not used during the proof protocol.

Long bignat.

remainders

Vector remainders

Remainders vector. Stores the remainders during the proof protocol. In the RSA_plain_card.make_sig_hash()/RSA_mont_card.make_sig_hash() step of the resign protocol it first carries the attribute updates. Later in that step the remainder c of the resign protocol is stored in index 0 via the sig_remainder alias.

There is no blinding in the remainders. The length is therefore just attribute_length. Filled with short Bignats.

sig_remainder

Bignat sig_remainder

Remainder c in the signature protocol. This is an alias to remainders[0], because the remainders array is not used when c is needed.

Short bignat.

result

Bignat result

Temporary result. Used to sent results back to the host in the two steps of the proof protocol. Further used as temporary in many computations together with RSA_plain_card.temp_2/RSA_mont_card.temp_2 and RSA_plain_card.temp_3/RSA_mont_card.temp_2.

Long bignat.

gamma_beta_3

Bignat gamma_beta_3

Beta_3 and gamma. Holds beta_3 during the resing protocol and gamma during the proof protocol.

Short bignat.

out

public static PrintWriter out

Debug printer. Used for debug messages in the APPLET_TESTFRAME. Needs to be set from the outside.

Constructor Detail

RSA_data

public RSA_data()

Nonallocating constructor. Allocation must be done explicitely with allocate.

Method Detail

set_current_blinding

public void set_current_blinding()

Set current blinding. Alias bases[attribute_length] to current_blinding.

set_blinding

public void set_blinding(Bignat beta)

Set beta. Alias bases[attribute_length] to beta.

get_montgomery_correction

public Bignat get_montgomery_correction(short factors)

Return the Montgomery correction factor for factors factors. In the plain RSA applet non of the numbers is montgomerized. For most computations, however, Montgomery multiplication is used. Therefore all computations contain an additional Montgomery correction factor. To muliply A and B do C x A x B, where x denotes Montgomery multiplication and C == get_montgomery_correction(2).

Note that for counting the number of factors the Montgomery correction factor is not counted. Therefore the smallest number of factors is 2.

Parameters:

factors - number of factors (not counting the Montgomery correction factor)

Returns:

the correction factor for factors factors

Throws:

ArrayIndexOutOfBoundsException - if factors is larger than the maximal correction factor contained in montgomery_corrections.

allocate

public void allocate(short short_bignat_size,
                     short long_bignat_size,
                     short attribute_length,
                     short mont_correction_len,
                     byte applet_id)

Allocate all data and initialize all aliases. The decision whether to allocate the data in RAM (transient memory) or EEProm is hardwired here. It works for cards with about 2K of RAM up to 1952 bit keys. If there is too little RAM or the key size is too big strange things will happen.

This allocate here is always called twice! In the normal case, where the host application is talking to a java card one object of this class exists both on the card and in the host application. Both must execute allocate, of course.

In the host testframe, where applet code and host code are linked in one application there is only one RSA_data object. Then allocate here is called twice on the same object. Once from the action of the allocate step and once directly from the host driver in host_side_init. There are special provisions to make sure this second call does not reallocate everything.

Parameters:

short_bignat_size - size in bytes of the short (exponent) bignats

long_bignat_size - size in bytes of the long (base) bignats

attribute_length - number of attributes (without counting the blinding)

mont_correction_len - length of the montgomery_corrections array

applet_id - applet identification