Search

US-12621163-B2 - Method and device for controlling access to a resource

US12621163B2US 12621163 B2US12621163 B2US 12621163B2US-12621163-B2

Abstract

A method for controlling access to a resource in an electronic device including a secure element with a permanent memory having an OTP area. The method includes the following steps performed first when the secure element or the electronic device boots: checking presence of at least one of a secret data and an initialization value in the permanent memory and, in a negative event, generating an initialization value and storing it into the OTP area, in a positive event, if the permanent memory includes secret data, decrypting, within the secure element, the secret data by using an algorithm using a cryptographic key and, if the permanent memory further includes an initialization value, the initialization value, and checking the integrity of the secret data by using a signature stored in the permanent memory and, on successful completion, providing access to the resource.

Inventors

  • Luis Ruiz
  • Didier Hunacek

Assignees

  • Nagravision Sàrl

Dates

Publication Date
20260505
Application Date
20211216
Priority Date
20210113

Claims (20)

  1. 1 . A method for controlling access to a resource in an electronic device, said electronic device comprising a secure element linked with a permanent memory having a one-time programmable area, said method comprising, performed first when the secure element or the electronic device boots: checking a presence of at least one of secret data and an initialization value in the permanent memory; in a negative event, generating an initialization value and storing the initialization value into the one-time programmable area; in a positive event, and when the permanent memory includes secret data, decrypting, within the secure element, the secret data by using an algorithm using a cryptographic key and, when the permanent memory further includes an initialization value, decrypting, within the secure element, the initialization value by using the algorithm using the cryptographic key; and checking integrity of the secret data by using a signature stored in the permanent memory and, on successful completion, providing access to the resource.
  2. 2 . The method of claim 1 , wherein at least one of the secret data and the signature is stored in the one-time programmable area.
  3. 3 . The method of claim 1 , wherein the cryptographic key is an obfuscated cryptographic key.
  4. 4 . The method of claim 1 , wherein the cryptographic key is scattered within a source data set or within the algorithm.
  5. 5 . The method of claim 1 , wherein the cryptographic key is a global key integrated into a plurality of electronic devices at a manufacturing stage.
  6. 6 . The method of claim 5 , wherein: the secret data is encrypted using a personal key, and the method further comprises deriving said personal key from the global key and from the initialization value.
  7. 7 . The method of claim 1 , wherein the algorithm is a proprietary or custom algorithm which is kept secret.
  8. 8 . The method of claim 1 , wherein the initialization value is generated in a random way and/or stored in plain text within the one-time programmable area.
  9. 9 . The method of claim 1 , wherein said secret data is stored during a manufacturing stage of the electronic device.
  10. 10 . The method of claim 1 , wherein the checking of the presence is preceded by testing, by a selector, a condition whether the electronic device is for a specific company or market and, when the electronic device is not for a specific company or market, the checking of the presence is executed.
  11. 11 . An electronic device for controlling access to a resource, the electronic device comprising: circuitry including at least a secure element linked with a permanent memory having a one-time programmable area, wherein the secure element hosts an algorithm with a cryptographic key and is configured to: first, when the secure element or the electronic device boots, check a presence of at least one of a secret data and an initialization value in the permanent memory, in a negative event, generate an initialization value and store the initialization value in the one-time programmable area, in a positive event, and when the permanent memory includes secret data, decrypt the secret data by using said algorithm using the cryptographic key and, when the permanent memory further includes an initialization value, decrypt, within the secure element, the initialization value by using the algorithm using the cryptographic key, and check integrity of the secret data by using a signature stored in the permanent memory and, on successful completion, provide access to the resource.
  12. 12 . The electronic device of claim 11 , wherein the electronic device is configured to prevent access to the permanent memory other than by the secure element.
  13. 13 . The electronic device of claim 11 , the circuitry includes a selector configured to determine, before a first-ever boot of the secure element or the electronic device, whether checking the presence of the secret data or of the initialization value and generating and storing the initialization value must be skipped.
  14. 14 . The electronic device of claim 11 , wherein the circuitry constitutes a system on a chip.
  15. 15 . A method for controlling access to a resource in an electronic device, the electronic device comprising a secure element linked with a permanent memory having a one-time programmable area, the method comprising: testing a condition whether the electronic device is for a specific company or market; when the electronic device is for the specific company or the market, skipping checking of a presence of at least one of secret data and an initialization value in the permanent memory; when the electronic device is not for a specific company or market, checking the presence of the at least one of secret data and the initialization value in the permanent memory; in a negative event of the checking, generating an initialization value and storing the initialization value into the one-time programmable area; in a positive event of the checking, and when the permanent memory includes secret data, decrypting, within the secure element, the secret data by using an algorithm using a cryptographic key and, when the permanent memory further includes an initialization value, decrypting, within the secure element, the initialization value by using the algorithm using the cryptographic key; and checking integrity of the secret data by using a signature stored in the permanent memory and, on successful completion, providing access to the resource.
  16. 16 . The method of claim 15 , wherein at least one of the secret data and the signature is stored in the one-time programmable area.
  17. 17 . The method of claim 15 , wherein the cryptographic key is an obfuscated cryptographic key.
  18. 18 . The method of claim 15 , wherein the cryptographic key is scattered within a source data set or within the algorithm.
  19. 19 . The method of claim 15 , wherein the cryptographic key is a global key integrated into a plurality of electronic devices at a manufacturing stage.
  20. 20 . The method of claim 19 , wherein: the secret data is encrypted using a personal key, and the method further comprises deriving the personal key from the global key and from the initialization value.

Description

TECHNICAL FIELD The present disclosure relates to the field of secure access provided by electronic devices for hardware or software resources. Such accesses are typically linked to sensitive or conditional services, such as those provided in the Pay-TV (television) field for example. The present disclosure is more specifically applicable to chips or chipsets provided with programmable secrets, such as chipsets with programming key slots. In such a context, a method based on secret data for controlling access to a resource and an electronic device for implementing this method is disclosed hereafter. BACKGROUND When a chipset must be programmed with secret data, it is generally done at a wafer level, i.e. at the level of the thin slice of the semiconductor or its substrate. Such an operation takes times and is costly. Chipsets made by manufacturers for specific devices, such as decoders in the Pay-TV field, are provided with secret data stored e.g. in a one-time-programmable area (OTP area) which is a memory area that may be specifically reserved for this purpose. However, some manufacturers do not program such secret data, either through negligence or to offer the same chipsets to interested third parties for integration into parallel solutions. Indeed, it is common for the same chipset to be used by more than one company that develops conditional access systems. Accordingly, the same chipset may be used for several companies but it will generally be configured differently from one company to another. Secret data typically refers to decryption keys or key files required for getting access to some products or services proposed to customers or client devices dependent on conditional access solutions. Within chipsets manufacturers, these secrets are usually stored in plain text (i.e., in an unencrypted form) inside so-called black-boxes which are kinds of slightly protected servers. Since they have to be loaded in the related programming key slots during the manufacturing process, these secrets are necessarily known by the manufacturers. Therefore, there is a risk that unprogrammed chipsets, having an untouched OTP area, are recovered for fraudulent purposes. For instance, a malicious person within the chipset manufacturer may have access to unprogrammed chipsets with untouched OTP area, as well as to secret data issued from a black-box. Therefore, such a person will have everything needed to make a clone of the original chipset programmed with those secret data. According to another scenario, unprogrammed chipsets with untouched OTP areas could be acquired via a fraudulent market since some manufacturers legally provide some of their clients with such chipsets. Hackers could undertake physical attacks onto authentic chipsets programmed with secret data. In case of successful attacks, such hackers could copy the secret data into unprogrammed chipsets in order to clone the authentic chipsets. Accordingly, there is still a risk for a company that develops conditional access systems on basis of such chipsets to be copied by scammers using illegal approaches. To overcome such issues, one solution may consist of preventing external access to the OTP area designed to receive secret data. Indeed, if a chipset does not need to be loaded with secret data, e.g. because it is designed to be used for purposes other than conditional accesses, the access to the OTP area from outside the chipset could be prevented by burning a component acting as a fuse for example. However, some manufacturers refrain from burning the programming key slots because some of their clients prefer to load secret data themselves or do it through another channel. Besides, the fact that the OTP area of chipsets remains accessible, i.e. is kept in a dormant state, even when it is not programmed, remains interesting for a company making conditional access solutions. Indeed, such a company may have an interest to legally recover these chipsets from a third company, for example in the event of a company takeover or merger. However, if the recovered chipsets comprise burned empty key slots or burned OTP areas, it should be aware that no subsequent programming is then possible. In this case, there is no interest for such a company to recover unprogrammed chipsets into which it is no longer possible to load secret data. Accordingly, there is a need for an efficient and reliable solution to at least partially overcome the aforementioned issues and drawbacks. More specifically, such a solution preferably must be able to avoid having to burn untouched OTP areas designed to store secret data if the latter have not been loaded into the chipset, and prevent that such areas can be subsequently loaded with secret data after the chipset manufacturing process. Therefore, this solution should be able to efficiently prevent hackers getting replications of chipsets provided with valuable secret data from unprogrammed chipsets provided with a virgin OTP area. SUMMARY OF