US-12625694-B2 - Authentication scheme for providing software updates to an update agent
Abstract
A method, an update agent and an off-card entity are provided for implementing an authentication scheme for providing a software image to a secure element. An installation package includes a package binding function for linking the installation package to the secure element, a manifest, a manifest signature generated using a block-cipher algorithm, and a software image is received at an update agent within the secure element. The update agent implements an authentication and integrity scheme by verifying various signatures contained within the installation package and installing the software image in case of successful authentication and integrity verification.
Inventors
- Clara GIFRE
- David PATINO
- Federico RUAU
Assignees
- GIESECKE+DEVRIENT MOBILE SECURITY GERMANY GMBH
Dates
- Publication Date
- 20260512
- Application Date
- 20220629
- Priority Date
- 20210630
Claims (10)
- 1 . A method performed by an off-card entity for generating an installation package, comprising a header part and a payload part, for providing a software image to a secure element, the method comprising: combining the software image with a manifest and a manifest signature, to obtain the payload part of the installation package; and providing a package binding function within the header part to link the installation package to the secure element; wherein the manifest signature is a first signature generated using a block cipher algorithm; wherein the manifest signature is generated using a Message Authentication Code (MAC) algorithm based on a symmetric key block cipher; wherein the method further comprises generating a second signature for protecting the payload part and inserting the second signature in the manifest; wherein the package binding function comprises an initialize secure channel function for opening a communication session with the secure element and a pair of image protection keys for software image encryption; the method further comprising generating a third signature as a package binding signature to protect the initialize secure channel function and the pair of image protection keys and inserting the third signature into the header of the installation package; wherein the manifest signature protects the entire manifest.
- 2 . The method according to claim 1 , wherein generating the second signature comprises calculating a checksum over the payload part.
- 3 . The method of claim 2 , wherein the second signature is a SHA-256 digest.
- 4 . The method according to claim 1 , wherein the third signature is a cipher-based Message Authentication Code (MAC) generated using a MAC algorithm based on a symmetric key block cipher.
- 5 . The method according to claim 1 , wherein one or more of the first signature and the third signature has a length of 16 bytes.
- 6 . The method according to claim 1 , wherein the initialize secure channel function comprises at least a host cryptogram for verifying the communication session established between the off-card entity and the secure element.
- 7 . A non-transitory computer-readable medium storing instructions for an update agent which, when executed by a secure element, installs a software image on the secure element, the update agent being configured to: receive through a communication session established with an off-card entity an installation package according to claim 1 , comprising an initialize secure channel function, a manifest, a manifest signature and a software image; authenticate the communication session by verifying a host cryptogram within the initialize secure channel function; and verify integrity of the software image if the communication session has been authenticated or return an error message otherwise.
- 8 . The non-transitory computer-readable medium according to claim 7 , wherein the update agent is further configured to verify integrity of the software image by: unwrapping the manifest; verifying the manifest signature; and rejecting the software image in case of signature mismatch, otherwise accepting the software image to be installed on the secure element.
- 9 . The non-transitory computer-readable medium according to claim 8 , wherein the update agent is further configured to calculate a checksum over the received software image, to compare the calculated checksum with the second signature extracted from the manifest, and to reject the software image in case of signature mismatch, otherwise to accept the software image to be installed on the secure element.
- 10 . A server configured to provide protected software updates to a secure element through an installation package, the server comprising at least one processor and a non-transitory memory storing instructions that, when executed by the at least one processor, configure the server to generate the installation package from a software image by: combining the software image with a manifest and a manifest signature, to obtain a payload part of the installation package, wherein the manifest signature is generated using a block cipher algorithm; providing a package binding function within a header part to link the installation package to the secure element; wherein the package binding function comprises an initialize secure channel function for opening a communication session with the secure element and a pair of image protection keys for software image encryption; and transmitting the installation package to an update agent on the secure element; generating a second signature for protecting the payload part and inserting the second signature in the manifest; generating a third signature as a package binding signature to protect the initialize secure channel function and the pair of image protection keys, and inserting the third signature into the header of the installation package; wherein the manifest signature is a first signature generated using a block cipher algorithm; wherein the manifest signature protects the entire manifest.
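The following is a constructed worked model of the package layout and of the update agent's checks described in claims 1 to 10, added here as an illustration; it is not code from the patent or from Giesecke+Devrient. It assumes three pre-shared symmetric keys (session, binding, manifest), models the host cryptogram as a MAC over a card challenge and a host challenge (a simplification of SCP03-style session authentication), carries the image protection key pair as placeholder values without modelling image encryption, and uses AES-CMAC from the `cryptography` package as the block-cipher MAC, with a labelled truncated-HMAC substitute if that package is not installed. The off-card side builds header and payload; the agent side authenticates the session, checks the package binding signature, verifies the manifest signature, and recomputes the SHA-256 checksum over the received image before accepting it.

```python
import hashlib
import hmac
import json
import os

try:
    # Preferred primitive: AES-CMAC, a MAC based on a symmetric-key block cipher (claims 1, 4).
    from cryptography.hazmat.primitives import cmac
    from cryptography.hazmat.primitives.ciphers import algorithms

    def mac16(key: bytes, data: bytes) -> bytes:
        c = cmac.CMAC(algorithms.AES(key))
        c.update(data)
        return c.finalize()  # 16-byte tag, the length named in claim 5
except ImportError:
    # Assumption, for portability only: without 'cryptography', substitute a 16-byte
    # truncated HMAC-SHA256. Same interface, but NOT a block-cipher MAC.
    def mac16(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()[:16]

# Constructed shared secrets (assumption): provisioned into the secure element at
# production and held by the off-card entity.
KEY_SESSION = bytes.fromhex("0f" * 16)   # authenticates the communication session
KEY_BINDING = bytes.fromhex("a5" * 16)   # third signature over the header binding data
KEY_MANIFEST = bytes.fromhex("3c" * 16)  # first signature over the manifest


def _enc(obj) -> bytes:
    """Canonical byte encoding for everything that gets MACed."""
    return json.dumps(obj, sort_keys=True).encode()


def build_package(image: bytes, card_challenge: bytes, host_challenge: bytes) -> dict:
    """Off-card entity (claims 1 and 10): produce the header part and the payload part."""
    # Second signature: SHA-256 digest over the image, carried inside the manifest (claims 2-3).
    manifest = {"image_len": len(image), "image_sha256": hashlib.sha256(image).hexdigest()}
    manifest_bytes = _enc(manifest)
    # Initialize-secure-channel function carrying the host cryptogram (claim 6).
    isc = {"host_challenge": host_challenge.hex(),
           "host_cryptogram": mac16(KEY_SESSION, card_challenge + host_challenge).hex()}
    # Pair of image protection keys (claim 1): random placeholders, encryption not modelled.
    keys = {"enc": os.urandom(16).hex(), "mac": os.urandom(16).hex()}
    header = {"isc": isc, "image_protection_keys": keys,
              # Third signature: package binding signature over ISC + key pair.
              "binding_signature": mac16(KEY_BINDING, _enc(isc) + _enc(keys)).hex()}
    payload = {"manifest": manifest_bytes.hex(),
               # First signature: protects the entire manifest.
               "manifest_signature": mac16(KEY_MANIFEST, manifest_bytes).hex(),
               "image": image.hex()}
    return {"header": header, "payload": payload}


def update_agent_install(pkg: dict, card_challenge: bytes) -> str:
    """Update agent on the secure element (claims 7-9): 'installed' or an error message."""
    h, p = pkg["header"], pkg["payload"]
    isc = h["isc"]
    # 1. Authenticate the session through the host cryptogram (claim 7).
    expected = mac16(KEY_SESSION, card_challenge + bytes.fromhex(isc["host_challenge"]))
    if not hmac.compare_digest(expected, bytes.fromhex(isc["host_cryptogram"])):
        return "error: session not authenticated"
    # 2. Check the package binding signature over ISC + image protection keys (claim 1).
    binding = mac16(KEY_BINDING, _enc(isc) + _enc(h["image_protection_keys"]))
    if not hmac.compare_digest(binding, bytes.fromhex(h["binding_signature"])):
        return "error: package binding signature mismatch"
    # 3. Unwrap the manifest and verify the manifest signature (claim 8).
    manifest_bytes = bytes.fromhex(p["manifest"])
    if not hmac.compare_digest(mac16(KEY_MANIFEST, manifest_bytes),
                               bytes.fromhex(p["manifest_signature"])):
        return "error: manifest signature mismatch"
    manifest = json.loads(manifest_bytes)
    # 4. Recompute the checksum over the received image and compare (claim 9).
    image = bytes.fromhex(p["image"])
    if len(image) != manifest["image_len"] or not hmac.compare_digest(
            hashlib.sha256(image).hexdigest(), manifest["image_sha256"]):
        return "error: image checksum mismatch"
    return "installed"


def demo() -> dict:
    """A valid package plus tampered variants; returns the agent's verdict for each."""
    card, host = b"\x11" * 8, b"\x22" * 8
    image = b"OS-IMAGE-v2" * 64                      # constructed stand-in for a software image
    good = build_package(image, card, host)
    bad_image = json.loads(json.dumps(good))
    bad_image["payload"]["image"] = (b"X" + image[1:]).hex()        # first byte flipped
    bad_manifest = json.loads(json.dumps(good))
    m = json.loads(bytes.fromhex(bad_manifest["payload"]["manifest"]))
    m["image_sha256"] = hashlib.sha256(b"other").hexdigest()
    bad_manifest["payload"]["manifest"] = _enc(m).hex()             # manifest MAC now stale
    bad_keys = json.loads(json.dumps(good))
    bad_keys["header"]["image_protection_keys"]["enc"] = "00" * 16  # breaks binding signature
    return {"valid": update_agent_install(good, card),
            "tampered_image": update_agent_install(bad_image, card),
            "tampered_manifest": update_agent_install(bad_manifest, card),
            "tampered_keys": update_agent_install(bad_keys, card),
            "wrong_session": update_agent_install(good, b"\x99" * 8)}


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18} -> {verdict}")
```

The order of checks mirrors the claims: the session is authenticated first, so a package from an unauthenticated sender is rejected before any payload is parsed; the manifest signature is checked before the digest it contains is trusted, so an attacker who can alter both image and digest still fails at the MAC. `hmac.compare_digest` is used for every comparison so that tag verification does not leak timing information.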
Description
The present invention relates to updating a piece of software, such as an operating system, on a secure element, and more particularly, to a method, an update agent and an off-card entity for implementing an authentication scheme for providing a software image to a secure element.
BACKGROUND OF THE INVENTION
Recently, mobile devices configured to employ electronic subscriber profiles for communicating on mobile networks have emerged. Such mobile devices are typically equipped with smart cards containing electronic/embedded Secure Elements (SE), such as electronic/embedded universal integrated circuit cards (eUICCs), smartSD, or smart microSD, to name a few. A secure element is a tamper resistant element (TRE) that provides a secure memory and execution environment within a smart card/device in which application code and application data can be securely stored and administered. The secure element ensures that access to the data stored on the card is granted only when authorized.
A secure element designed to be used in telecommunication products, such as mobile devices, is configured to store one or more electronic subscriber profiles, in particular electronic subscriber identification module (eSIM) profiles, that allow mobile devices to connect to one or more mobile networks. A subscriber profile (e.g., an eSIM profile) may be generated by a mobile network operator (MNO) and may be downloaded to a mobile device. The subscriber profile may then be installed on the secure element of the mobile device and used by the device for communication over the corresponding mobile network.
Historically, a secure element's software does not change once it has passed the production phase. This means that if any problem related to the software within it is found (new attacks or vulnerabilities, updates to sector specifications, the expected life cycle of the devices using it), the only possible action is to replace the whole secure element.
This makes it particularly difficult to keep up with market needs in terms of production (software updates after production being impossible), especially when production is bound to be executed within a certified environment in the factory.
The GSMA remote provisioning architecture (cf. SGP.22 RSP Technical Specification, Version 2.0, issued by the GSM Association, referred to in the following as GSMA RSP 22) provides a platform for implementing a procedure to load software onto a secure element (SE) or Tamper Resistant Element (TRE). The GSMA platform allows a change in the profiles stored in the secure element to be implemented by providing the secure element with a Bound Profile Package containing profile updates. To ensure integrity of the Bound Profile Package, the GSMA remote provisioning architecture implements an authentication and encryption scheme based on the SCP03t algorithm. The scheme requires several exchanges between the TRE and the server before the server can prepare a Bound Profile Package containing the profiles used for the load, which might not be optimal for a broadcast deployment of a new piece of software. Furthermore, the GSMA platform does not allow for a change in the basic software present in the SE/TRE, such as a change of operating system, as the security scheme provided lacks the extra layers of protection that may be required for the deployment of critical data such as a new operating system.
Some uses of the download/update security schemes may need to be as fast as possible, for several reasons: for example, the update has to be applied to several targets on a production line, or a time constraint arises because this process is allocated inside another one, such as the secure element being updated as part of a device update, with the device manufacturer setting such a restriction.
Recently, remote provisioning capabilities for supporting operating system updates onto secure elements during field deployment have been put forward. Such solutions, however, require a large footprint on the secure element side for implementing the update process, which makes them difficult to adopt within small chip architectures. It is therefore desirable to provide a solution for secure remote software provisioning that is efficient in terms of performance and memory consumption and can be implemented with a small hardware footprint.
SUMMARY OF THE INVENTION
The present invention addresses the above object by the subject-matter covered by the independent claims. Preferred embodiments of the invention are defined in the dependent claims. According to a first aspect of the present invention, there is provided a method performed by an off-card entity for generating an installation package, comprising a header part and a payload part, for providing a software image to a secure element. The method comprises combining the software image with a manifest and a manifest signature, as a first