ds.ov2.front
Class RSA_plain_card

java.lang.Object
  ds.ov2.front.RSA_plain_card

public class RSA_plain_card
extends Object

Protocol methods for the plain RSA applet. The code here is very similar to RSA_mont_card and RSA_squared_card. There are however enough differences to make a gerneralized unified class a mess. All three applets, the Montgomerizing, the plain RSA and the squaring RSA applet are very similar. For simplicity even all protocol steps are identical (although not all of the data that is transfered during applet personalization is used in all applets). Most differences between the three applets are just treated by conditionals. Only for this class the differences are too big to cover them all nicely in conditionals.

The plain RSA applet computes powers with the RSA cipher. Products are computed with Montgomery multiplication. The communication with the host is done in plain, unmontgomerized numbers. The applet needs 2 Montgomery digits and a number of different Montgomery correction factors.

This class contains the methods that are called from the actions in the protocol steps. Some of the necessary temporary values are defined and allocated here. Most of the necessary data is however in RSA_data. The temporary values defined here do not take part in the communication with the host. Therefore this class does not need to be present in the host driver.

The applet is always in one of four states, see the explanations in RSA_data.

Some computations here use Montgomery multiplication. The exponents are computed with an RSA cipher, therefore the bases and the blinding must be in plain, unmontgomerized form. For the remaining multiplications long bignats Montgomery multiplication is used. These computations have a fixed, statically known number of factors. I therefore do not montgomerize every factor but add an additional factor with the right Montgomery correction for the number of factors at hand. It turns out that all numbers of factors from 2 to 6 appear somewhere, therefore we can keep the correction factors in an array, see RSA_data.montgomery_corrections and RSA_data.get_montgomery_correction.

CPP Preprocessing

This class uses the following cpp defines: PACKAGE, PUBLIC, ASSERT, RANDOM, RSA_EXPONENT, JAVACARD_APPLET, MESSAGE_DIGEST, HOST_TESTFRAME, APPLET_TESTFRAME, CARD_SIGNATURE_ALWAYS_ACCEPT

Execution Environment:

card

Author:

Hendrik Tews

Version:

$Revision: 1.9 $

Last Commit:

$Date: 2009-06-18 11:57:39 $ by $Author: tews $

Field Summary

private Vector	alphas Alphas and quotients.
(package private) Bignat	beta_1 Random beta_1 from the resign protocol and beta from the proof protocoll.
(package private) Bignat	beta_2 Random beta_2 from the resign protocol.
(package private) RSA_data	data Static data and data send and received from the host.
private Bignat	double_small Intermediate value of double small size.
(package private) Front_protocols	front_protocols Registered protocols instance.
(package private) MessageDigest	hash Message digest for computing 160 bit SHA-1.
static PrintWriter	out Debug printer.
private RandomData	rand Random number generator of type RANDOM.
(package private) RSA_exponent	rsa_exponent Object for computing single exponents via public RSA encryption.
(package private) Bignat	sig_quotient Qutient d in the signature protocol.
private Bignat	temp_2 Temporary.
private Bignat	temp_3 Temporary.
(package private) Bignat	temp_blinded_a Temporary blinded attribute expression.

Constructor Summary

RSA_plain_card(RSA_data data, Front_protocols front_protocols)
Non-allocating constructor.

Method Summary

void	allocate(short short_bignat_size, short long_bignat_size, short attribute_length, short mont_correction_len) Allocate all data of the applet.
void	finish_signature(APDU_boolean accept) Third step of the resign protocol.
void	initialize() Initialize the plain RSA applet data structures.
void	make_sig_hash() Second step of the resign protocol.
void	proof_commit() First step of the gate or proof protocol.
void	respond_to_challenge() Second step of the gate or proof protocol.
void	switch_to_new_attributes(APDU_boolean success) Atomically switch to various new values.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

front_protocols

Front_protocols front_protocols

Registered protocols instance. Needed here to update the protocol steps after resigning. (Resinging changes to new attributes, blindings, etc, by atomically switching references, see switch_to_new_attributes.)

data

RSA_data data

Static data and data send and received from the host.

temp_2

private Bignat temp_2

Temporary. Used together with temp_3 and RSA_data.result in various computations.

Long bignat.

temp_3

private Bignat temp_3

Temporary. Used together with temp_2 and RSA_data.result in various computations.

Long bignat.

alphas

private Vector alphas

Alphas and quotients. Keeps the alphas in the proof step until the remainders and quotients are computed. At that point the alphas are not needed any more. Therefore, this vector is used immediately afterwards for the quotients. (The remainders go into RSA_data.remainders.)

The last element with index RSA_data.attribute_length is always an alias of either RSA_data.v or RSA_data.gamma_beta_3.

In the resign protocol the vector is not used except for its first entry (at index 0), which aliased under sig_quotient and which stores the quotient there.

Length RSA_data.attribute_length + 1. Filled with short bignats.

double_small

private Bignat double_small

Intermediate value of double small size. This is the only double small bignat, with twice the size of the exponents. It is used in many places for intermediate results, especially where the exponents are manipulated and then a quotient and a remainder is computed. Also used for the attribute updates in the resign protocol.

beta_1

Bignat beta_1

Random beta_1 from the resign protocol and beta from the proof protocoll.

Long bignat.

beta_2

Bignat beta_2

Random beta_2 from the resign protocol. Not used in the proof protocol.

Long bignat.

temp_blinded_a

Bignat temp_blinded_a

Temporary blinded attribute expression. In the resign protocol the attribute expression consisting of the new attributes and the old blinding is temporarily needed.

Long bignat.

sig_quotient

Bignat sig_quotient

Qutient d in the signature protocol. (The remainder is in RSA_data.sig_remainder). Alias of alphas[0], which are otherwise not used during resigning.

Short bignat.

rand

private RandomData rand

Random number generator of type RANDOM.

rsa_exponent

RSA_exponent rsa_exponent

Object for computing single exponents via public RSA encryption. Has type RSA_EXPONENT.

hash

MessageDigest hash

Message digest for computing 160 bit SHA-1. Has type MESSAGE_DIGEST.

out

public static PrintWriter out

Debug printer. Used for debug messages in the APPLET_TESTFRAME. Needs to be set from the outside.

Constructor Detail

RSA_plain_card

public RSA_plain_card(RSA_data data,
                      Front_protocols front_protocols)

Non-allocating constructor. Sets the data and front_protocols fields and creates an RSA_EXPONENT for rsa_exponent. Sets the State to UNALLOCTED when finished (see applet state description). Allocation of all the bignats and vectors has to be done explicitely with allocate(short, short, short, short).

Parameters:

data - the data instance

front_protocols - the protocols instance

Method Detail

allocate

public void allocate(short short_bignat_size,
                     short long_bignat_size,
                     short attribute_length,
                     short mont_correction_len)

Allocate all data of the applet. Main method of the only step in the allocate protocol. The object structure of the applet up to RSA_data and this class is allocated during applet installation. Afterwards this method must be called in order to allocate all further data structures (mainly bignats and vectors).

The decision whether to allocate the data in RAM (transient memory) or EEProm is hardwired here and in RSA_data.allocate(short, short, short, short, byte). It works for cards with about 2K of RAM up to 1952 bit keys. If there is too little RAM or the key size is too big strange things will happen.

Asserts that the state is UNALLOCTED. Sets the state to UNINITIALIZED when finished (see applet state description).

Parameters:

short_bignat_size - size in bytes of the short (exponent) bignats

long_bignat_size - size in bytes of the long (base) bignats

attribute_length - number of attributes (without counting the blinding)

mont_correction_len - length of the data.montgomery_corrections array

initialize

public void initialize()

Initialize the plain RSA applet data structures. This is the only action of the only step of the initialize protocol. It must be run after allocation and before the first resigning.

Before this method is entered the OV-chip protocol layer transfers the following data as arguments of the initialize step into the right place:

• modulus data.n
• data.v (indirectly via RSA_data.current_attributes)
• data.ptls_key
• data.bases
• data.base_factors The base factors are not needed in the plain applet, but for simplicity the Montgomerizing and the plain applet share the same protocol description. In this applet the length of the base_factors vector is just 1.
• data.current_attributes
• data.current_blinding (indirectly via RSA_data.bases)
• data.RSA_data.montgomerized_one Montgomerized 1. Not needed in this applet, but for simplicity ...
• data.montgomery_corrections

There are no results sent back to the host by the OV-chip protocol layer after this method has finished.

Asserts that the applet is in state UNINITIALIZED. After completion the state is set to INITIALIZED (see applet state description).

The source code of this method is affected by Brand's patents on selective disclosure protocols that are now in the posession of Microsoft. Microsoft lawyers are still pondering our request from January 2009 for making the full source code publically available. The source code of this method is therefore currently not publically available. The detailed operations of this method are:

check state

ASSERT that RSA_data.state contains UNINITIALIZED

initialize digit masks RSA_data.mod_first_digit_mask, RSA_data.v_first_digit_mask

with calling Bignat.get_first_digit_mask, an important subtlety here is that because of the Montgomery digits the index of the first digit of the modulus in data.n.m is 2.

finish rsa_exponent initialization

install the modulus with RSA_exponent_interface.set_modulus

Compute current blinded attribute expression data.current_blinded_a

compute data.bases^data.current_attributes with data.bases.mont_rsa_exponent_mod. Because in this method the result and first temporary is used heavily in the multiplication, it is wise to use data.result as first temporary and copy the result afterwards into data.current_blinded_a. Note that the RSA_data.current_blinding and the RSA_data.v are alias in the bases and current_attributes vector at index RSA_data.attribute_length + 1. Because of the blinding one has to use a montgomery correction factor for data.attribute_length + 1 factors, see data.get_montgomery_correction.

advance the RSA_data.state

by setting it to INITIALIZED

switch_to_new_attributes

public void switch_to_new_attributes(APDU_boolean success)

Atomically switch to various new values. During the resign protocol the applet gets new attributes, chooses a new blinding, and computes the new blinded attribute expression and a new signature on it. To improve fault tolerance all these new data is stored in new_* variables, that are distinct form the current_* ones. At the end of the finish_signature step of the resign protocol the new_* versions are atomically copied into the current_* ones. This is done in this method by swapping references.

Swapping the references introduces a little problem in the protocol layer: The layer also has aliases for instance of RSA_data.current_blinded_a and of RSA_data.current_signature. After swapping references, these aliases suddenly alias invalid data. Therefore one has to uptate the step data structure with front_protocols.update_steps.

The source code of this method is affected by Brand's patents on selective disclosure protocols that are now in the posession of Microsoft. Microsoft lawyers are still pondering our request from January 2009 for making the full source code publically available. The source code of this method is therefore currently not publically available. The detailed operations of this method are:

Create temporaries

Create 4 temporary references and initialize them to data.current_attributes, data.current_blinding, data.current_blinded_a and data.current_signature, respectively.

Check side conditions

ASSERT that the argument success is still false and that data.new_attributes aliases data.v at index data.attribute_length.

Start a transaction

with Misc.begin_transaction() in order to be compatible with the HOST_TESTFRAME

finish attribute swapping

by writing the new_* references into the current_* variables and then by assigning the temporary references to the new_* variables.

update protocol step aliases

with Front_protocols.update_steps()

set state, mark success and commit

set the state to BLINDED if it was INITIALIZED, set success to true and commit the transaction with Misc.commit_transaction()

Parameters:

success - alias of RSA_card_protocol_description.signature_accepted, initially false, set to true when the atomic swapping succeeds

make_sig_hash

public void make_sig_hash()

Second step of the resign protocol. (In the first step no method is executed on the card, only RSA_data.applet_id, RSA_data.current_blinded_a and RSA_data.current_signature are sent to the host in the first step.)

Prior to calling this method the protocol layer receives

• the host commitment RSA_data.host_alpha
• the attribute updates in RSA_data.remainders; these updates are in modulo format: to subract x from an attribute, the host sends RSA_data.v- x.

After this method the protocol layer sends the remainder c in RSA_data.sig_remainder.

Asserts that the applet is in state INITIALIZED or BLINDED (see applet state description).

The source code of this method is affected by Brand's patents on selective disclosure protocols that are now in the posession of Microsoft. Microsoft lawyers are still pondering our request from January 2009 for making the full source code publically available. The source code of this method is therefore currently not publically available. The detailed operations of this method are:

check state

ASSERT that the state is either INITIALIZED or BLINDED.

compute new attributes and store them in RSA_data.new_attributes

The addition of the current attribute value with the update might overflow, because of the modulo representation of the updates. Therefore, each attribute must be copied into double_small, where the update is added and the remainder modulo data.v is taken. Finally the remainder in double_small is copied into the data.new_attributes. The alias to data.v at index data.attribute_length in data.new_attributes and RSA_data.current_attributes must not be touched.

Step 1-3: Generate random betas

beta_1, beta_2 and RSA_data.gamma_beta_3 must be filled with random values using the Bignat.rand_mod. The first two are long bignats modulo the RSA modulus that must contain two leading Montgomery digits. For the first two one has therefore to use the modulus data.n.m, the first digit index 2, and the mask data.mod_first_digit_mask. For the third beta one has to use the modulus data.v, the first digit index 0, and the mask data.v_first_digit_mask.

Step 4: compute the new blinding

First multiply the current blinding with the montgomery correction for two factors (see data.get_montgomery_correction) in one of the temporaries. Multiply this temporary then with beta_1 in another temporary. Finally copy the last temporary into data.new_blinding.

Step 5: Compute the temporary attribute expression with the new attribute values and the old blinding

First alias the current blinding in the bases vector with data.set_current_blinding. Compute then the exponent data.bases^data.new_attributes with the method Vector.mont_rsa_exponent_mod and a montgomery correction for data.attribute_length + 1 factors. Use data.result as temporary for the result and copy it into temp_blinded_a.

Step 6: Compute the new blinded attribute expression

First compute the power beta_1^data.v using rsa_exponent.power and store the result the temporary temp_2. Then multiply temp_2 with the Montgomery correction for 2 factors and store the result in temp_3. Then multiply temp_3 with data.result and store the result in temp_2. Finally copy temp_2 into data.new_blinded_a.

Step 7: Compute the second input for the hash

First compute temp_blinded_a^data.gamma_beta_3 and store the result in data.result. Then multiply data.result with the Montgomery correction for 4 factors and store the result in temp_3. Then compute the exponent data.ptls_key^data.gamma_beta_3 and store the result in temp_2. Then multiply temp_2 and temp_3 and store the result in data.result. Then compute beta_2^data.v and store the result in temp_3. Then multiply temp_3 with data.result and store the result in temp_2. Finally multiply data.host_alpha with temp_2 and store the result in data.result.

Step 8: Compute the hash

First feed data.new_blinded_a into the hash by using hash.update with offset 2 (Montgomery digits) and length data.new_blinded_a.size() - 2. The necessary byte array can be obtained with Bignat.get_digit_array. Then finish the hash by feeding data.result with offset 2 and size() - 2 into MessageDigest doFinal. Use data.new_signature.hash_output_buf with offset 0 as output array. Then finalize the hash computation with data.new_signature.commit_hash. Finally copy (Signature.hash_into_bignat) the hash value into double_small.

Step 9: Compute the modulus c and the remainder d

First add data.gamma_beta_3 to double_small. Then divide (Bignat.remainder_divide) double_small by data.v, storing the quotient in sig_quotient. Finally copy double_small into data.sig_remainder.

finish_signature

public void finish_signature(APDU_boolean accept)

Third step of the resign protocol. Prior to calling this method the protocol layer receives the host response r in data.host_response. After this method the protocol layer sends the boolean result of this method in RSA_card_protocol_description.signature_accepted.

Sets the state of the applet to BLINDED if it was INITIALIZED (see applet state description).

If the host response passes the acceptance check this method computes the final signature and starts a transaction to switch to the new attributes and the new signature. If all this goes through the result value in accept is set to true. Otherwise it remains false when this method finishes.

The source code of this method is affected by Brand's patents on selective disclosure protocols that are now in the posession of Microsoft. Microsoft lawyers are still pondering our request from January 2009 for making the full source code publically available. The source code of this method is therefore currently not publically available. The detailed operations of this method are:

XXXXXXXXXXXXXXX

Parameters:

accept - reference to the accept result of this method, equal to RSA_card_protocol_description.signature_accepted, will be true when returning from this method precisely if the applet accepts the new signature and the transaction for changing to the new attributes and the new signature succeeded.

proof_commit

public void proof_commit()

First step of the gate or proof protocol. Prior to calling this method no arguments are received. After this method the protocol layer sends the following data to the host:

• the applet identifier data.applet_id to let the host distinguish between the plain and the Montgomerizing applet,
• the current blinded attribute expression data.current_blinded_a,
• the current signature data.current_signature, and
• the applet commitment w in data.result

Asserts that the applet is in the state BLINDED (see applet state description).

The source code of this method is affected by Brand's patents on selective disclosure protocols that are now in the posession of Microsoft. Microsoft lawyers are still pondering our request from January 2009 for making the full source code publically available. The source code of this method is therefore currently not publically available. The detailed operations of this method are:

XXXXXXXXXXXXXXXXX

respond_to_challenge

public void respond_to_challenge()

Second step of the gate or proof protocol. Prior to calling this method the protocol layer receives the host challenge gamma in data.gamma_beta_3. After this method the protocol layer sends the following data to the host:

• the remainders r_i in data.remainders
• the applet response s in data.result

The source code of this method is affected by Brand's patents on selective disclosure protocols that are now in the posession of Microsoft. Microsoft lawyers are still pondering our request from January 2009 for making the full source code publically available. The source code of this method is therefore currently not publically available. The detailed operations of this method are:

XXXXXXXXXXXXXX