ds.ov2.front
Class RSA_squared_card

java.lang.Object
  ds.ov2.front.RSA_squared_card

public class RSA_squared_card
extends Object

Protocol methods for the squared RSA applet. The code here is very similar to RSA_plain_card and RSA_mont_card. There are however enough differences to make a gerneralized unified class a mess. All three applets, the Montgomerizing, the plain RSA and the squaring RSA applet are very similar. For simplicity even all protocol steps are identical (although not all of the data that is transfered during applet personalization is used here in all applets). Most differences between the three applets are just treated by conditionals. Only for this class the differences are too big to cover them all nicely in conditionals.

The squaring RSA applet uses an RSA cipher to compute both powers and products. It does neither need Montgomery correction factors nor Montgomery digits. For the communication with the host, all numbers are in plain, unmontgomerized form.

This class contains the methods that are called from the actions in the protocol steps. Some of the necessary temporary values are defined and allocated here. Most of the necessary data is however in RSA_data. The temporary values defined here do not take part in the communication with the host. Therefore this class does not need to be present in the host driver.

CPP Preprocessing

This class uses the following cpp defines: PACKAGE, PUBLIC, ASSERT, RANDOM, RSA_EXPONENT, JAVACARD_APPLET, MESSAGE_DIGEST, USE_SQUARED_RSA_MULT_4 HOST_TESTFRAME, APPLET_TESTFRAME, CARD_SIGNATURE_ALWAYS_ACCEPT

Execution Environment:

card

Author:

Hendrik Tews

Version:

$Revision: 1.8 $

Last Commit:

$Date: 2010-09-20 20:29:07 $ by $Author: tews $

Field Summary

private Vector	alphas Alphas and quotients.
(package private) Bignat	beta_1 Random beta_1 from the resign protocol and beta from the proof protocoll.
(package private) Bignat	beta_2 Random beta_2 from the resign protocol.
(package private) RSA_data	data Static data and data send and received from the host.
private Bignat	double_small Intermediate value of double small size.
(package private) Front_protocols	front_protocols Registered protocols instance.
(package private) MessageDigest	hash Message digest for computing 160 bit SHA-1.
static PrintWriter	out Debug printer.
(package private) Bignat	ptls_key_times_temp_blinded_a Temporary result RSA_data.ptls_key times the temporary blinded attribute expression.
private RandomData	rand Random number generator of type RANDOM.
(package private) RSA_exponent	rsa_exponent Object for computing single exponents via public RSA encryption.
(package private) Bignat	sig_quotient Qutient d in the signature protocol.
(package private) RSA_exponent	square_exponent Object for computing squares via public RSA encryption in Bignat.squared_rsa_mult_2, Bignat.short_squared_rsa_mult_2, Bignat.squared_rsa_mult_4 and Bignat.short_squared_rsa_mult_4.
private Bignat	temp_2 Temporary.
private Bignat	temp_3 Temporary.
private Bignat	temp_4 Temporary.

Constructor Summary

RSA_squared_card(RSA_data data, Front_protocols front_protocols)
Non-allocating constructor.

Method Summary

void	allocate(short short_bignat_size, short long_bignat_size, short attribute_length, short mont_correction_len) Allocate all data of the applet.
void	finish_signature(APDU_boolean accept) Third step of the resign protocol.
void	initialize() Initialize the squaring RSA applet data structures.
void	make_sig_hash() Second step of the resign protocol.
void	proof_commit() First step of the gate or proof protocol.
void	respond_to_challenge() Second step of the gate or proof protocol.
void	switch_to_new_attributes(APDU_boolean success) Atomically switch to various new values.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

front_protocols

Front_protocols front_protocols

Registered protocols instance. Needed here to update the protocol steps after resigning. (Resinging changes to new attributes, blindings, etc, by atomically switching references, see switch_to_new_attributes.)

data

RSA_data data

Static data and data send and received from the host.

temp_2

private Bignat temp_2

Temporary. Used together with temp_3 and RSA_data.result in various computations.

Long bignat.

temp_3

private Bignat temp_3

Temporary. Used together with temp_2 and RSA_data.result in various computations.

Long bignat.

temp_4

private Bignat temp_4

Temporary. Used for squared multiplication.

Long bignat.

alphas

private Vector alphas

Alphas and quotients. Keeps the alphas in the proof step until the remainders and quotients are computed. At that point the alphas are not needed any more. Therefore, this vector is used immediately afterwards for the quotients. (The remainders go into RSA_data.remainders.)

The last element with index RSA_data.attribute_length is always an alias of either RSA_data.v or RSA_data.gamma_beta_3.

In the resign protocol the vector is not used except for its first entry (at index 0), which aliased under sig_quotient and which stores the quotient there.

Length RSA_data.attribute_length + 1. Filled with short bignats.

double_small

private Bignat double_small

Intermediate value of double small size. This is the only double small bignat, with twice the size of the exponents. It is used in many places for intermediate results, especially where the exponents are manipulated and then a quotient and a remainder is computed. Also used for the attribute updates in the resign protocol. In this version twice the size means actually twice the size plus one byte. This comes from the requirements of Bignat.short_squared_rsa_mult_2 and Bignat.short_squared_rsa_mult_4.

beta_1

Bignat beta_1

Random beta_1 from the resign protocol and beta from the proof protocoll.

Long bignat.

beta_2

Bignat beta_2

Random beta_2 from the resign protocol. Not used in the proof protocol.

Long bignat.

ptls_key_times_temp_blinded_a

Bignat ptls_key_times_temp_blinded_a

Temporary result RSA_data.ptls_key times the temporary blinded attribute expression. This is used three times in the resign protocol.

Long bignat.

sig_quotient

Bignat sig_quotient

Qutient d in the signature protocol. (The remainder is in RSA_data.sig_remainder). Alias of alphas[0], which are otherwise not used during resigning.

Short bignat.

rand

private RandomData rand

Random number generator of type RANDOM.

rsa_exponent

RSA_exponent rsa_exponent

Object for computing single exponents via public RSA encryption. Has type RSA_EXPONENT.

square_exponent

RSA_exponent square_exponent

Object for computing squares via public RSA encryption in Bignat.squared_rsa_mult_2, Bignat.short_squared_rsa_mult_2, Bignat.squared_rsa_mult_4 and Bignat.short_squared_rsa_mult_4. Has type RSA_EXPONENT.

hash

MessageDigest hash

Message digest for computing 160 bit SHA-1. Has type MESSAGE_DIGEST.

out

public static PrintWriter out

Debug printer. Used for debug messages in the APPLET_TESTFRAME. Needs to be set from the outside.

Constructor Detail

RSA_squared_card

public RSA_squared_card(RSA_data data,
                        Front_protocols front_protocols)

Non-allocating constructor. Sets the data and front_protocols fields and creates an RSA_EXPONENT for rsa_exponent. Sets the State to UNALLOCTED when finished (see applet state description). Allocation of all the bignats and vectors has to be done explicitely with allocate(short, short, short, short).

Parameters:

data - the data instance

front_protocols - the protocols instance

Method Detail

allocate

public void allocate(short short_bignat_size,
                     short long_bignat_size,
                     short attribute_length,
                     short mont_correction_len)

Allocate all data of the applet. Main method of the only step in the allocate protocol. The object structure of the applet up to RSA_data and this class is allocated during applet installation. Afterwards this method must be called in order to allocate all further data structures (mainly bignats and vectors).

The decision whether to allocate the data in RAM (transient memory) or EEProm is hardwired here and in RSA_data.allocate(short, short, short, short, byte). It works for cards with about 2K of RAM up to 1952 bit keys. If there is too little RAM or the key size is too big strange things will happen.

Asserts that the state is UNALLOCTED. Sets the state to UNINITIALIZED when finished (see applet state description).

Parameters:

short_bignat_size - size in bytes of the short (exponent) bignats

long_bignat_size - size in bytes of the long (base) bignats

attribute_length - number of attributes (without counting the blinding)

mont_correction_len - length of the data.montgomery_corrections array

initialize

public void initialize()

Initialize the squaring RSA applet data structures. This is the only action of the only step of the initialize protocol. It must be run after allocation and before the first resigning.

Before this method is entered the OV-chip protocol layer transfers the following data as arguments of the initialize step into the right place:

• modulus data.n
• data.v (indirectly via RSA_data.current_attributes)
• data.ptls_key
• data.bases
• data.base_factors The base factors are not needed in the squaring applet, but for simplicity all RSA applets share the same protocol description. In this applet the length of the base_factors vector is just 1.
• data.current_attributes
• data.current_blinding (indirectly via RSA_data.bases)
• data.RSA_data.montgomerized_one Montgomerized 1. Not needed in this applet, but for simplicity ...
• data.montgomery_corrections. Not needed in this applet, but for simplicity ...

Asserts that the applet is in state UNINITIALIZED. After completion the state is set to INITIALIZED (see applet state description).

There are no results sent back to the host by the OV-chip protocol layer after this method has finished.

The source code of this method is affected by Brand's patents on selective disclosure protocols that are now in the posession of Microsoft. Microsoft lawyers are still pondering our request from January 2009 for making the full source code publically available. The source code of this method is therefore currently not publically available. The detailed operations of this method are:

check state

ASSERT that data.state contains UNINITIALIZED

initialize digit masks data.mod_first_digit_mask, data.v_first_digit_mask

with calling Bignat.get_first_digit_mask. An important subtlety here is that the index of the first digit of the modulus is always 0 because there are no montgomery digits used for this applet.

finish rsa_exponent initialization

install the modulus data.n.m with RSA_exponent_interface.set_modulus.

finish square_exponent initialization

install the modulus also in square_exponent. Further initialize some temporary to 2 (Bignat.two()) and set this as exponent with RSA_exponent_interface.set_exponent (all temporaries can be used for this purpose here; the offset is zero, because there are no Montgomery digits in this applet).

Compute current blinded attribute expression data.current_blinded_a

compute data.bases^data.current_attributes with data.bases.squared_rsa_exponent_mod. It is wise to use all four temporaries (RSA_data.result, temp_2, temp_3, temp_4) here, let the result be stored in one of them and copy (Bignat.copy) it later to data.current_blinded_a. Note that the RSA_data.current_blinding and the RSA_data.v are alias in the bases and current_attributes vector at index RSA_data.attribute_length + 1.

advance the RSA_data.state

by setting it to INITIALIZED

switch_to_new_attributes

public void switch_to_new_attributes(APDU_boolean success)

Atomically switch to various new values. During the resign protocol the applet gets new attributes, chooses a new blinding, and computes the new blinded attribute expression and a new signature on it. To improve fault tolerance all these new data is stored in new_* variables, that are distinct form the current_* ones. At the end of the finish_signature step of the resign protocol the new_* versions are atomically copied into the current_* ones. This is done in this method by swapping references.

Swapping the references introduces a little problem in the protocol layer: The layer also has aliases for instance of RSA_data.current_blinded_a and of RSA_data.current_signature. After swapping references, these aliases suddenly alias invalid data. Therefore one has to uptate the step data structure with front_protocols.update_steps.

The source code of this method is affected by Brand's patents on selective disclosure protocols that are now in the posession of Microsoft. Microsoft lawyers are still pondering our request from January 2009 for making the full source code publically available. The source code of this method is therefore currently not publically available. The detailed operations of this method are:

Create temporaries

Create 4 temporary references and initialize them to data.current_attributes, data.current_blinding, data.current_blinded_a and data.current_signature, respectively.

Check side conditions

ASSERT that the argument success is still false and that data.new_attributes aliases data.v at index data.attribute_length.

Start a transaction

with Misc.begin_transaction() in order to be compatible with the HOST_TESTFRAME

finish attribute swapping

by writing the new_* references into the current_* variables and then by assigning the temporary references to the new_* variables.

update protocol step aliases

with front_protocols.update_steps

set state, mark success and commit

set the state data.RSA_data.state to BLINDED if it was INITIALIZED, set success to true and commit the transaction with Misc.commit_transaction()

Parameters:

success - alias of RSA_card_protocol_description.signature_accepted, initially false, set to true when the atomic swapping succeeds

make_sig_hash

public void make_sig_hash()

Second step of the resign protocol. (In the first step no method is executed on the card, only data.applet_id, data.current_blinded_a and data.current_signature are sent to the host in the first step.)

Prior to calling this method the protocol layer receives

• the host commitment data.host_alpha
• the attribute updates in data.remainders; these updates are in modulo format: to subract x from an attribute, the host sends data.v- x.

After this method the protocol layer sends the remainder c in data.sig_remainder.

Asserts that the applet is in state INITIALIZED or BLINDED (see applet state description).

The source code of this method is affected by Brand's patents on selective disclosure protocols that are now in the posession of Microsoft. Microsoft lawyers are still pondering our request from January 2009 for making the full source code publically available. The source code of this method is therefore currently not publically available. The detailed operations of this method are:

check state

ASSERT that the state data.RSA_data.state is either INITIALIZED or BLINDED.

compute new attributes and store them in data.new_attributes

The addition of the current attribute value with the update might overflow, because of the modulo representation of the updates. Therefore, each attribute must be copied into double_small, where the update from data.remainders is added and the remainder modulo data.v is taken. Finally the remainder in double_small is copied to the new attributes in data.new_attributes. The alias to data.v at index data.attribute_length in data.new_attributes and data.current_attributes must not be touched.

Step 1-3: Generate random betas

beta_1, beta_2 and data.gamma_beta_3 must be filled with random values using Bignat.rand_mod. The first two are long bignats modulo the RSA modulus that contain no Montgomery digits. For the first two one has therefore to use the modulus data.n.m, the first digit index 0, and the mask data.mod_first_digit_mask. For the third beta one has to use the modulus data.v, the first digit index 0, and the mask data.v_first_digit_mask. XXXXXXXXXXXXXXXXXXXXXXXX The remaining detailed description is not up to date.

Step 4: compute the new blinding

First multiply the current blinding with the montgomery correction for two factors (see data.get_montgomery_correction) in one of the temporaries. Multiply this temporary then with beta_1 in another temporary. Finally copy the last temporary into data.new_blinding.

Step 5: Compute the temporary attribute expression with the new attribute values and the old blinding

First alias the current blinding in the bases vector with data.set_current_blinding. Compute then the exponent data.bases^data.new_attributes with the method Vector.mont_rsa_exponent_mod and a montgomery correction for data.attribute_length + 1 factors. Use data.result as temporary for the result.

Step 6: Compute the new blinded attribute expression

First compute the power beta_1^data.v using rsa_exponent.power and store the result the temporary temp_2. Then multiply temp_2 with the Montgomery correction for 2 factors and store the result in temp_3. Then multiply temp_3 with data.result and store the result in temp_2. Finally copy temp_2 into data.new_blinded_a.

Step 7: Compute the second input for the hash

First compute ???^data.gamma_beta_3 and store the result in data.result. Then multiply data.result with the Montgomery correction for 4 factors and store the result in temp_3. Then compute the exponent data.ptls_key^data.gamma_beta_3 and store the result in temp_2. Then multiply temp_2 and temp_3 and store the result in data.result. Then compute beta_2^data.v and store the result in temp_3. Then multiply temp_3 with data.result and store the result in temp_2. Finally multiply data.host_alpha with temp_2 and store the result in data.result.

Step 8: Compute the hash

First feed data.new_blinded_a into the hash by using hash.update with offset 2 (Montgomery digits) and length data.new_blinded_a.size() - 2. The necessary byte array can be obtained with Bignat.get_digit_array. Then finish the hash by feeding data.result with offset 2 and size() - 2 into MessageDigest doFinal. Use data.new_signature.hash_output_buf with offset 0 as output array. Then finalize the hash computation with data.new_signature.commit_hash. Finally copy (Signature.hash_into_bignat) the hash value into double_small.

Step 9: Compute the modulus c and the remainder d

First add data.gamma_beta_3 to double_small. Then divide (Bignat.remainder_divide) double_small by data.v, storing the quotient in sig_quotient. Finally copy double_small into data.sig_remainder.

finish_signature

public void finish_signature(APDU_boolean accept)

Third step of the resign protocol. Prior to calling this method the protocol layer receives the host response r in data.host_response. After this method the protocol layer sends the boolean result of this method in RSA_card_protocol_description.signature_accepted.

Sets the state of the applet to BLINDED if it was INITIALIZED (see applet state description).

If the host response passes the acceptance check this method computes the final signature and starts a transaction to switch to the new attributes and the new signature. If all this goes through the result value in accept is set to true. Otherwise it remains false when this method finishes.

The source code of this method is affected by Brand's patents on selective disclosure protocols that are now in the posession of Microsoft. Microsoft lawyers are still pondering our request from January 2009 for making the full source code publically available. The source code of this method is therefore currently not publically available.

Parameters:

accept - reference to the accept result of this method, equal to RSA_card_protocol_description.signature_accepted, will be true when returning from this method precisely if the applet accepts the new signature and the transaction for changing to the new attributes and the new signature succeeded.

proof_commit

public void proof_commit()

First step of the gate or proof protocol. Prior to calling this method no arguments are received. After this method the protocol layer sends the following data to the host:

• the applet identifier data.applet_id to let the host distinguish between the plain and the Montgomerizing applet,
• the current blinded attribute expression data.current_blinded_a,
• the current signature data.current_signature, and
• the applet commitment w in data.result

Asserts that the applet is in the state BLINDED (see applet state description).

The source code of this method is affected by Brand's patents on selective disclosure protocols that are now in the posession of Microsoft. Microsoft lawyers are still pondering our request from January 2009 for making the full source code publically available. The source code of this method is therefore currently not publically available.

respond_to_challenge

public void respond_to_challenge()

Second step of the gate or proof protocol. Prior to calling this method the protocol layer receives the host challenge gamma in data.gamma_beta_3. After this method the protocol layer sends the following data to the host:

• the remainders r_i in data.remainders
• the applet response s in data.result

The source code of this method is affected by Brand's patents on selective disclosure protocols that are now in the posession of Microsoft. Microsoft lawyers are still pondering our request from January 2009 for making the full source code publically available. The source code of this method is therefore currently not publically available.