Efficient Downloading and Updating Application on Smart Cards

Yongsu Park, Junyoung Heo, Yookun Cho

School of Computer Science and Engineering

Seoul National University

Download of applications on Smart Cards 2 types of the smart card

Applications are loaded onto the ROM at the time of fabrication These cards should be used for some specific purpose.

Applications are downloaded onto the FLASH memory when they are required.

This provides flexibility and wide utilities. Small communication bandwidth, small size of he card’s RAM

=> Usually, application is divided into blocks, each of which is downloaded into the smart card.

Threats and Security Requirements Threats for downloading the applications

Downloaded application can be a malicious program. Downloaded application may be infected by a virus. Malicious program can illegally modify the files containing e-cash.

Security Requirements Source authentication of the downloaded blocks Data integrity of the downloaded blocks

Naive approach – Signing each block Computationally inefficient large communication overhead

Previous work CASCADE with hashes

Requires a large amount of FLASH memory and RAM

CASCADE without hashes Has a long verification delay of each block

OTA (Ordered Tree Authentication) Requires a large amount of FLASH memory

(e.g., If a block size is 256 bytes and SHA-1 is used, OTA requires 15.6 % overhead)

Proposed Scheme Proposed scheme

Based on hash-chaining technique

Parameterized scheme Provides a trade-off between the required FLASH memory size and the verification

delay of updating the application.

Two phases Authentication information generation phase Transmission phase

Sig(H1)

M1 M2 M3 M4

H(M4||M5)

H1 H2 H3 H4

H(M3||H4)H(M2||H3)H(M1||H2) M5

Downloading the application Authentication information generation phase

1. An application consists of blocks, M1, …, Mn.

2. A parameter k, k|n.

3. For every n/k chunks, AP computes a hash-chain (without a Sig()).

4. For S1, …, Sk, AP computes a hash chain.

H1 H4

M1

M2

M4

M5

H(M1||H1)

H(M2||M3) H(M5||M6)

H(M4||H4)

S1 S2 S3 S4

M3 M6

H7 H10

M7

M8

M10

M11

H(M7||H7)

H(M8||M9) H(M11||M12)

H(M11||H11)

M9 M12

An example (n=12, k=4)

SigAP(I1)

S1 S2 S3

S4H(S3||I4)H(S2||I3)H(S1||I2)

I1 I2 I3

Downloading the application (Cont’d) Transmission phase

1. AP transmits SigAP(I1), I1, (S1, I2), (S2, I3), …, (Sk-2, Ik-1), (Sk-1, Sk-2)

2. The card verifies Si and then stores SigAP(I1), S1, S2, …, Sk in the FLASH memory.

3. AP transmits each hash chain that corresponds to Si

4. The card verifies Mi and then stores it in the FLASH memory.

H1 H4

M1

M2

M4

M5

H(M1||H1)

H(M2||M3) H(M5||M6)

H(M4||H4)

S1 S2 S3 S4

M3 M6

H7 H10

M7

M8

M10

M11

H(M7||H7)

H(M8||M9) H(M11||M12)

H(M11||H11)

M9 M12

SigAP(I1)

S1 S2 S3

S4H(S3||I4)H(S2||I3)H(S1||I2)

I1 I2 I3

Updating the application Consider the case when a single block Mt is to be updated.

Authentication information generation phase1. AP recalculates all the hash-chains.

Transmission phase1. AP transmits SigAP(I1), I1, (S1, I2), (S2, I3), …, (Sk-2, Ik-1), (Sk-1, Sk-2)

2. The card verifies Si and then stores SigAP(I1), S1, S2, …, Sk in the FLASH memory.

3. AP transmits a single hash chain that corresponds to Si which contains Mt.

4. The card verifies data blocks and then stores them in the FLASH memory.

Analysis Amount of required RAM and FLASH memory

Required RAM size: O(1) FLASH memory overhead: O(k)

Verification Delay Verification delay of Mi: # of hashes to be downloaded for

verification after Mi is downloaded. Downloading the application: O(k). By the method in Section 4.2,

this can be reduced to O(1). Updating the application: O(k+n/k)

Comparison

Conclusion This paper presents an efficient method for authentication

of the application that is to be downloaded/updated into the smart card.

The proposed scheme is based on hash chain technique and provide a trade-off between the FLASH memory requirement (O(k)) and verification delay of updating the application (O(n/k))

Moreover, the the required RAM size and verification delay of downloading the application are O(1).