ds.ov2.front
Class RSA_mont_card

java.lang.Object
  ds.ov2.front.RSA_mont_card

public class RSA_mont_card
extends Object

Protocol methods for the Montgomerizing RSA applet. The code here is very similar to RSA_plain_card and RSA_squared_card. There are however enough differences to make a gerneralized unified class a mess. All three applets, the Montgomerizing, the plain RSA and the squaring RSA applet are very similar. For simplicity even all protocol steps are identical (although not all of the data that is transfered during applet personalization is used in all applets). Most differences between the two applets are just treated by conditionals. Only for this class the differences are too big to cover them all nicely in conditionals.

The Montgomerizing RSA applet computes everything on the JCVM, without using the crypto coprocessor. Everything is done with Montgomery muliplication. To spare some (de)montgomerizations on the card many numbers in the communication with the host are montgomerized. The applet needs no Montgomery correction factors, but it needs 2 Montgomery digits.

This class contains the methods that are called from the actions in the protocol steps. Some of the necessary temporary values are defined and allocated here. Most of the necessary data is however in RSA_data. The temporary values defined here do not take part in the communication with the host. Therefore this class does not need to be present in the host driver.

The applet is always in one of four states, see the explanations in RSA_data.

All computations use solely Montgomery multiplication. Therefore everything (except for the exponents) has to be montgomerized. Data received from and sent to the host is Montgomerized too.

CPP Preprocessing

This class uses the following cpp defines: PACKAGE, PUBLIC, ASSERT, RANDOM, RSA_EXPONENT, JAVACARD_APPLET, MESSAGE_DIGEST, HOST_TESTFRAME, APPLET_TESTFRAME, CARD_SIGNATURE_ALWAYS_ACCEPT

Execution Environment:

card

Author:

Hendrik Tews

Version:

$Revision: 1.8 $

Last Commit:

$Date: 2009-06-18 11:57:39 $ by $Author: tews $

Field Summary

private Vector	alphas Alphas and quotients.
(package private) Bignat	beta_1 Random beta_1 from the resign protocol and beta from the proof protocoll.
(package private) Bignat	beta_2 Random beta_2 from the resign protocol.
(package private) RSA_data	data Static data and data send and received from the host.
private Bignat	double_small Intermediate value of double small size.
(package private) Front_protocols	front_protocols Registered protocols instance.
(package private) MessageDigest	hash Message digest for computing 160 bit SHA-1.
static PrintWriter	out Debug printer.
private RandomData	rand Random number generator of type RANDOM.
(package private) Bignat	sig_quotient Qutient d in the signature protocol.
private Bignat	temp_2 Temporary.
private Bignat	temp_3 Temporary.
private Vector	temp_base_vec Temporary base vector of length 2.
(package private) Bignat	temp_blinded_a Temporary blinded attribute expression.
private Vector	temp_exp_vec Temporary exponent vector of length 2.

Constructor Summary

RSA_mont_card(RSA_data data, Front_protocols front_protocols)
Non-allocating constructor.

Method Summary

void	allocate(short short_bignat_size, short long_bignat_size, short attribute_length, short mont_correction_len) Allocate all data of the applet.
void	finish_signature(APDU_boolean accept) Third step of the resign protocol.
void	initialize() Initialize the plain RSA applet data structures.
void	make_sig_hash() Second step of the resign protocol.
void	proof_commit() First step of the gate or proof protocol.
void	respond_to_challenge() Second step of the gate or proof protocol.
void	switch_to_new_attributes(APDU_boolean success) Atomically switch to various new values.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

front_protocols

Front_protocols front_protocols

Registered protocols instance. Needed here to update the protocol steps after resigning. (Resinging changes to new attributes, blindings, etc, by atomically switching references, see switch_to_new_attributes.)

data

RSA_data data

Static data and data send and received from the host.

temp_2

private Bignat temp_2

Temporary. Used together with temp_3 and RSA_data.result in various computations.

Long bignat.

temp_3

private Bignat temp_3

Temporary. Used together with temp_2 and RSA_data.result in various computations.

Long bignat.

alphas

private Vector alphas

Alphas and quotients. Keeps the alphas in the proof step until the remainders and quotients are computed. At that point the alphas are not needed any more. Therefore, this vector is used immediately afterwards for the quotients. (The remainders go into RSA_data.remainders.)

The last element with index RSA_data.attribute_length is always an alias of either RSA_data.v or RSA_data.gamma_beta_3.

In the resign protocol the vector is not used except for its first entry (at index 0), which aliased under sig_quotient and which stores the quotient there.

Length RSA_data.attribute_length + 1. Filled with short bignats.

double_small

private Bignat double_small

Intermediate value of double small size. This is the only double small bignat, with twice the size of the exponents. It is used in many places for intermediate results, especially where the exponents are manipulated and then a quotient and a remainder is computed. Also used for the attribute updates in the resign protocol.

beta_1

Bignat beta_1

Random beta_1 from the resign protocol and beta from the proof protocoll.

Long bignat.

beta_2

Bignat beta_2

Random beta_2 from the resign protocol. Not used in the proof protocol.

Long bignat.

temp_blinded_a

Bignat temp_blinded_a

Temporary blinded attribute expression. In the resign protocol the attribute expression consisting of the new attributes and the old blinding is temporarily needed.

Long bignat.

sig_quotient

Bignat sig_quotient

Qutient d in the signature protocol. (The remainder is in RSA_data.sig_remainder). Alias of alphas[0], which are otherwise not used during resigning.

Short bignat.

rand

private RandomData rand

Random number generator of type RANDOM.

hash

MessageDigest hash

Message digest for computing 160 bit SHA-1. Has type MESSAGE_DIGEST.

temp_base_vec

private Vector temp_base_vec

Temporary base vector of length 2. Used in the resign and proof protocols to compute a multi-exponent of length 2. On the two locations the bases are completely differend and are, in part, temporary numbers. Therefore this base vector is only filled with aliases of other bignats.

Contains precisely two aliases of long bignats.

temp_exp_vec

private Vector temp_exp_vec

Temporary exponent vector of length 2. Used in the resign and proof protocols to compute a multi-exponent of length 2. On the two locations the exponents are completely differend and are, in part, temporary numbers. Therefore this base vector is only filled with aliases of other bignats.

Contains precisely two aliases of short bignats.

out

public static PrintWriter out

Debug printer. Used for debug messages in the APPLET_TESTFRAME. Needs to be set from the outside.

Constructor Detail

RSA_mont_card

public RSA_mont_card(RSA_data data,
                     Front_protocols front_protocols)

Non-allocating constructor. Sets the data and front_protocols fields. Sets the State to UNALLOCTED when finished. Allocation of all the bignats and vectors has to be done explicitely with allocate(short, short, short, short).

Parameters:

data - the data instance

front_protocols - the protocols instance

Method Detail

allocate

public void allocate(short short_bignat_size,
                     short long_bignat_size,
                     short attribute_length,
                     short mont_correction_len)

Allocate all data of the applet. Main method of the only step in the allocate protocol. The object structure of the applet up to RSA_data and this class is allocated during applet installation. Afterwards this method must be called in order to allocate all further data structures (mainly bignats and vectors).

The decision whether to allocate the data in RAM (transient memory) or EEProm is hardwired here and in RSA_data.allocate(short, short, short, short, byte). It works for cards with about 2K of RAM up to 1952 bit keys. If there is too little RAM or the key size is too big strange things will happen.

Asserts that the state is UNALLOCTED. Sets the state to UNINITIALIZED when finished (see applet state description).

Parameters:

short_bignat_size - size in bytes of the short (exponent) bignats

long_bignat_size - size in bytes of the long (base) bignats

attribute_length - number of attributes (without counting the blinding)

mont_correction_len - length of the data.montgomery_corrections array

initialize

public void initialize()

Initialize the plain RSA applet data structures. This is the only action of the only step of the initialize protocol. It must be run after allocation and before the first resigning.

Before this method is entered the OV-chip protocol layer transfers the following data as arguments of the initialize step into the right place:

• modulus data.n
• data.v (indirectly via RSA_data.current_attributes)
• data.ptls_key
• data.bases
• data.base_factors
• data.current_attributes
• data.current_blinding (indirectly via RSA_data.bases)
• data.RSA_data.montgomerized_one
• data.montgomery_corrections

Asserts that the applet is in state UNINITIALIZED. After completion the state is set to INITIALIZED (see applet state description).

The source code of this method is affected by Brand's patents on selective disclosure protocols that are now in the posession of Microsoft. Microsoft lawyers are still pondering our request from January 2009 for making the full source code publically available. The source code of this method is therefore currently not publically available. The detailed operations of this method are:

check state

ASSERT that RSA_data.state contains UNINITIALIZED

initialize digit masks RSA_data.mod_first_digit_mask, RSA_data.v_first_digit_mask

with calling Bignat.get_first_digit_mask, an important subtlety here is that because of the Montgomery digits the index of the first digit of the modulus in data.n.m is 2.

Compute current blinded attribute expression data.current_blinded_a

compute data.bases^data.current_attributes with data.bases.mont_rsa_exponent_mod. Because in this method the result and first temporary is used heavily in the multiplication, it is wise to use data.result as first temporary and copy the result afterwards into data.current_blinded_a. Note that the RSA_data.current_blinding and the RSA_data.v are alias in the bases and current_attributes vector at index RSA_data.attribute_length + 1. Because of the blinding one has to use a montgomery correction factor for data.attribute_length + 1 factors, see data.get_montgomery_correction.

advance the RSA_data.state

by setting it to INITIALIZED

There are no results sent back to the host by the OV-chip protocol layer after this method has finished.

switch_to_new_attributes

public void switch_to_new_attributes(APDU_boolean success)

Atomically switch to various new values. During the resign protocol the applet gets new attributes, chooses a new blinding, and computes the new blinded attribute expression and a new signature on it. To improve fault tolerance all these new data is stored in new_* variables, that are distinct form the current_* ones. At the end of the finish_signature step of the resign protocol the new_* versions are atomically copied into the current_* ones. This is done in this method by swapping references.

Swapping the references introduces a little problem in the protocol layer: The layer also has aliases for instance of RSA_data.current_blinded_a and of RSA_data.current_signature. After swapping references, these aliases suddenly alias invalid data. Therefore one has to uptate the step data structure with front_protocols.update_steps.

The source code of this method is affected by Brand's patents on selective disclosure protocols that are now in the posession of Microsoft. Microsoft lawyers are still pondering our request from January 2009 for making the full source code publically available. The source code of this method is therefore currently not publically available. The detailed operations of this method are:

Create temporaries

Create 4 temporary references and initialize them to data.current_attributes, data.current_blinding, data.current_blinded_a and data.current_signature, respectively.

Check side conditions

ASSERT that the argument success is still false and that data.new_attributes aliases data.v at index data.attribute_length.

Start a transaction

with Misc.begin_transaction() in order to be compatible with the HOST_TESTFRAME

finish attribute swapping

by writing the new_* references into the current_* variables and then by assigning the temporary references to the new_* variables.

update protocol step aliases

with Front_protocols.update_steps()

set state, mark success and commit

set the state to BLINDED if it was INITIALIZED, set success to true and commit the transaction with Misc.commit_transaction()

Parameters:

success - alias of RSA_card_protocol_description.signature_accepted, initially false, set to true when the atomic swapping succeeds

make_sig_hash

public void make_sig_hash()

Second step of the resign protocol. (In the first step no method is executed on the card, only RSA_data.applet_id, RSA_data.current_blinded_a and RSA_data.current_signature are sent to the host in the first step.)

Prior to calling this method the protocol layer receives

• the host commitment RSA_data.host_alpha
• the attribute updates in RSA_data.remainders; these updates are in modulo format: to subract x from an attribute, the host sends RSA_data.v- x.

After this method the protocol layer sends the remainder c in RSA_data.sig_remainder.

Asserts that the applet is in state INITIALIZED or BLINDED (see applet state description).

The source code of this method is affected by Brand's patents on selective disclosure protocols that are now in the posession of Microsoft. Microsoft lawyers are still pondering our request from January 2009 for making the full source code publically available. The source code of this method is therefore currently not publically available. The detailed operations of this method are:

check state

ASSERT that the state is either INITIALIZED or BLINDED.

compute new attributes and store them in RSA_data.new_attributes

The addition of the current attribute value with the update might overflow, because of the modulo representation of the updates. Therefore, each attribute must be copied into double_small, where the update is added and the remainder modulo data.v is taken. Finally the remainder in double_small is copied into the data.new_attributes. The alias to data.v at index data.attribute_length in data.new_attributes must not be touched.

XXXXXXXXXXXXXXXXXXX

finish_signature

public void finish_signature(APDU_boolean accept)

Third step of the resign protocol. Prior to calling this method the protocol layer receives the host response r in data.host_response. After this method the protocol layer sends the boolean result of this method in RSA_card_protocol_description.signature_accepted.

Sets the state of the applet to BLINDED if it was INITIALIZED (see applet state description).

If the host response passes the acceptance check this method computes the final signature and starts a transaction to switch to the new attributes and the new signature. If all this goes through the result value in accept is set to true. Otherwise it remains false when this method finishes.

The source code of this method is affected by Brand's patents on selective disclosure protocols that are now in the posession of Microsoft. Microsoft lawyers are still pondering our request from January 2009 for making the full source code publically available. The source code of this method is therefore currently not publically available.

Parameters:

accept - reference to the accept result of this method, equal to RSA_card_protocol_description.signature_accepted, will be true when returning from this method precisely if the applet accepts the new signature and the transaction for changing to the new attributes and the new signature succeeded.

proof_commit

public void proof_commit()

First step of the gate or proof protocol. Prior to calling this method no arguments are received. After this method the protocol layer sends the following data to the host:

• the applet identifier data.applet_id to let the host distinguish between the plain and the Montgomerizing applet,
• the current blinded attribute expression data.current_blinded_a,
• the current signature data.current_signature, and
• the applet commitment w in data.result

Asserts that the applet is in the state BLINDED (see applet state description).

The source code of this method is affected by Brand's patents on selective disclosure protocols that are now in the posession of Microsoft. Microsoft lawyers are still pondering our request from January 2009 for making the full source code publically available. The source code of this method is therefore currently not publically available.

respond_to_challenge

public void respond_to_challenge()

Second step of the gate or proof protocol. Prior to calling this method the protocol layer receives the host challenge gamma in data.gamma_beta_3. After this method the protocol layer sends the following data to the host:

• the remainders r_i in data.remainders
• the applet response s in data.result

The source code of this method is affected by Brand's patents on selective disclosure protocols that are now in the posession of Microsoft. Microsoft lawyers are still pondering our request from January 2009 for making the full source code publically available. The source code of this method is therefore currently not publically available.