* * *

Field of application

The present invention refers to a method to detect a message compatible with the OTA standard (Over The Air) and affected by an error. The invention also refers to a system implementing said method.

In particular, the invention refers to a method of the type above mentioned to improve security in wireless transmissions that involve secure electronic devices, as the integrated circuit cards (IC Cards) .

Prior art

Are known methods to detect a message compatible with the OTA standard (Over The Air) and affected by an error.

One of these methods, known as checksum, consists in summing up all the bits of a message and in storing the resultant value in the same message, before of its transmission. After the receiving, the same sum calculation is implemented and the resultant value is compared with the stored value in the message. If the two values don't correspond, an error is detected.

In the presence of a wrong checksum, a receiving device may return a generic error to a sender device or asking for the retransmission of the message. The error is generic because the checksum doesn't allow returning to the cause which has determined the different value of the sum before and after the transmission .

The known methods aren't able to detect if the OTA message is affected by a specific error, and in particular by a cryptographic error. On the contrary, the response given by the receiving device to an OTA message affected by a cryptographic error may supply information that compromises its security.

For this reason, the sender device may be a hacker which intentionally sends an OTA message affected by wrong cryptography, i.e. using a wrong cryptographic key, for analyzing the generic error response of the receiving device and gleaning information .

In particular, in the field of telecommunication applications (GSM, UMTS, 3GPP2, LTE, etc.), a way to attack an integrated circuit card (IC Card, SIM, USIM, UICC, R-UIM) , consists exactly in sending to the card an OTA message using a false cryptographic key. The information sent to the card in response to said OTA message may be used to return to the cryptographic key of card.

To understand better what above mentioned, it' s worthwhile observing that, according to the OTA protocol, some information can be encrypted in the message to send through a symmetric key cryptographic algorithm, as algorithms DES, 3DES, AES .

Once received and deciphered the OTA message, the receiving device can verify the authenticity, the correctness and the integrity of the received data. For this purpose, always according to the OTA standard, three control modes are considered, mutually exclusive, based on variable size field within the OTA packet. They are known as Cryptographic Checksum, Digital Signature and Redundancy Check.

However, even if said methods certainly represent a valid solution in the integrity and authenticity control of the received data, they are not able to distinguish the event wherein the OTA message received has been ciphered with wrong key (for example in case of a hacker attack) from the event wherein casual errors have occurred, as the ones due to interferences .

Moreover, exactly according to the OTA standard, usage of said control modes is nonobligatory. Indeed, the transmission of OTA messages without Cryptographic Checksum, Digital Signature and Redundancy Check is common practice, because it accelerates the communication, even if it prevents from implementing said controls.

In other words, the ciphering error is not adequately processed by the receiving device that works according to the OTA standard, which may answer sending considerable information, that could allow a hacker to detect the ciphering key of the receiving device.

The technical problem at the base of the present invention is that of think up a method to detect a message compatible with the OTA standard (Over The Air) and affected specifically by a wrong cryptography, both in the case the OTA message comprises the optional values of Cryptographic Checksum or Digital Signature or Redundancy Check, and in the case wherein said values are omitted, as optional, allowing therefore the receiving device to implement a countermeasure to a possible attack based on an intentional wrong cryptography and riding out the limitations which even now afflict the known methods.

Summary of the invention

Scope of the present invention is therefore implementing an effective and efficient method to detect messages affected by wrong ciphering, in order to make more secure the communication between a secure electronic device and any other electronic sender device and to defend said secure electronic device by a possible hacker attack.

Other scope of the invention is that of realizing a particular state message, that doesn't contain considerable information or from which it may be possible go back to the ciphering key of the secure electronic device, and that inform the sender device about the presence of messages affected by wrong ciphering.

Said technical problem is resolved by a method according to the present invention, comprising the steps of receiving a ciphered OTA message, deciphering the OTA message received and reading a counter field (PCNTR) of padding bytes and the corresponding padding bytes in the message deciphered; the ciphering error is identified by detecting a value of the counter field (PCNTR) or a value in the padding bytes incongruent with the OTA standard or incongruent with a cryptographic algorithm used for the deciphering.

According to an aspect of the invention, the method detects at least one bit 1 in at least one of the padding bytes of the deciphered OTA message come indicative value of the wrong ciphering.

According to an other aspect, the method detect a counter field that does not belong to a preset interval of the cryptographic algorithm, as indicative value of the wrong ciphering. In one embodiment, the cryptographic algorithm is the DES algorithm or AES and the interval is, respectively, [0..7] or [0..15].

According to another aspect of the invention, the ciphered OTA message is received by a secure electronic device, comprising a ciphering key for deciphering the OTA message.

In the prosecution of the description, the expression secure electronic device or receiving device are used as synonymous to indicate the device of which is wanted for protecting the cryptographic key, i.e. the device that implements the method according to the present invention. The secure electronic device comprises an integrated circuit card (IC Card), for example SIM, USIM, UICC or R-UIM.

According to one embodiment of the present invention, the secure electronic device doesn' t send any message or error code in response to the OTA message affected by wrong ciphering, to not supply any useful information to a sender device of the OTA message .

According to another embodiment, the secure electronic device sends a message or error code in response to the OTA message affected by wrong ciphering, but said message or error code is different from others messages of error, for example from messages of wrong checksum.

The ciphered OTA message is received by a secure electronic device as an integrated circuit card (IC Card) comprising receiving and deciphering means of the ciphered OTA message, reading means of the counter field of padding bytes and of the corresponding padding bytes, and detecting means of a value of the counter field (PCNTR) or of a value in the padding bytes incongruent with the OTA standard or incongruent with a cryptographic algorithm used for the deciphering.

The said technical problem is also solved by the OTA (Over The Air) communication protocol modified to allow the detecting of a message potentially affected by a wrong ciphering. The protocol modified is characterized by the fact of allowing the reading a counter field (PCNTR) of padding bytes in an OTA message already deciphered and the reading of a number of padding bytes in the OTA message already deciphered corresponding to the counter field; and the detecting of a value of the counter field (PCNTR) or of a value in the padding bytes incongruent with the OTA standard or incongruent with a cryptographic algorithm used for the deciphering. The incongruent value is indicative of the wrong ciphering.

These and other features of the present invention will appear clear through the following description, shown by way of example and not limitative, in reference to the attached drawings.

Brief description of the drawings

Figure 1: it schematically represents a message or OTA Command Packet, according to the prior art.

Figure 2: it is a block diagram representative of the method according to the present invention.

Detailed description

Is now described a method to detect a wrong ciphering in a message compatible with the OTA standard, according to the present invention.

The method comprises the step of receiving an OTA message in a receiving device, also indicated as secure electronic device. The OTA message is sent, for example, by an OTA server as sender device, for the updating of an operating system or of an application stored in the secure electronic device. The latter comprises for example an integrated circuit card (IC Card) .

The OTA message is a Command Packet with a plurality of fields, among which a counter field of padding bytes (PCNTR) and a secured data field with padding. The counter field stores a value equal to the number of padding bytes present in the secured data field with padding. The latters, according to the OTA standard, have all the bits with value equal to zero.

The OTA server ciphers the OTA message to send using a cryptographic key equal to the one of the secure electronic device. It's also possible that the sender device is a hacking device, in that case the cryptographic key of the sender device is different from the one of the receiving device, and the OTA message is sent in the attempt of recovering from the receiving device valuable information, useful for obtaining its cryptographic key.

Both the electronic devices (sender and receiving) exploit a cryptographic algorithm for the encryption and decryption of the messages, for example the DES algorithm (Data Encryption Standard) or AES (Advanced Encryption Standard) .

The interval of possible values of the padding bytes counter depends on the used algorithm. In particular, in the DES algorithm, the secure data field with padding includes a number of bytes multiple of 8, whereas, in the AES algorithm, the number of bytes is multiple of 16. Therefore, the padding bytes counter is included between 0 and 7 for the DES algorithm and is included between 0 and 15 for the AES algorithm.

The sender electronic device produces a data packet of generic length and, depending on the cryptographic algorithm used, adds a number of padding bytes to the secure data field with padding, to make it multiple of 8 (in case of DES) or 16 (in case of AES) . At this point, the sender electronic device encrypts the message with its cryptographic key and sends it.

Once received the OTA message, the secure electronic device deciphers the messages received with its own cryptographic key and reads the content. In particular, said device accesses to the counter field (PCNTR) , reads the value and controls the congruence with the padding bytes present in the secure data field with padding.

A congruence check consists in verifying that the number of padding bytes in the secure data field with padding, i.e. the number of bytes having all the bits set to 0, corresponds to the number indicated in the padding bytes counter PCNTR. Therefore, if the bits of each padding bytes are set to zero, the integrity and the authenticity of the sender device are verified.

Differently, the OTA message is affected by a cryptographic error of a potential hacker that uses a wrong key, i.e. different from the one of the receiving device, for ciphering the OTA message.

Another coherence check consists in controlling that the number indicated in the padding bytes counter PCNTR is in a preconceived interval, in conformity with the cryptographic algorithm used. For example, in the case of DES algorithm, a padding bytes counter PCNTR with value out of the interval [0..7] is being indicative of a cryptographic error. Therefore, the OTA message is affected by a cryptographic error generated by a potential hacker that uses a wrong cryptographic key different from the one of the receiving device.

At the end of the above mentioned check, the secure electronic device may implement a security procedure, for example sending to the sender device a cryptographic error message, being indicative the wrong ciphering and without including in said message useful information to return to the correct ciphering key, for example generic error messages.

In order to render everything even clearer, an example of embodiment of the present invention is given hereunder, with reference to the figure 2.

The sender electronic device 10 produces an OTA data message comprising a data packet 11 of length 3 bytes (n bytes); using, for example, the cryptographic DES algorithm, the sender device adds 5 bytes (8-n bytes) of padding 12 with all the bits set to 0, as expected from the OTA standard, for completing the secured data field with padding 16 of the OTA message 13 and sets to 5 (8-n) the counter field of padding PCNTR 15.

Later, the sender device encrypts the fields of the Command Packet 14 with its cryptographic key 17 and sends the message. The cryptographic key of the sender device, in the example of figure 2, is different from that of the receiving device, for example a wrong key.

Once received the OTA message, the secure electronic device 20 decrypts the ciphered fields of the Command Packet 21. Using its own cryptographic key 22 for the decryption, the secure electronic device obtains numerical results different from those of the sender electronic device, being the two keys different.

According to the example, the value in the counter field PCNTR 22 of the deciphered OTA message is no more 5 (8-n), but 4 (x) ; the secure electronic device reads the content of the secure data field with padding 23, and check the presence of some bits set to 1 in the 4 (x) padding bytes 24. The presence of said bits set ad 1 allows the receiving device for detecting the message affected by wrong ciphering and handling the event in an appropriate way, producing an error message 25 for the sender electronic device 10. It is also possible that, due to the different keys used by the sender device and the receiving device, a value y of the padding bytes counter doesn't belong to the interval [0..7], after the deciphering of the OTA message among the receiving device; for example the value of the counter field after the deciphering may be 11, in case of DES algorithm or 23 in case of AES algorithm. Also in this case, the receiving device may detect the message affected by wrong ciphering and implement a security procedure, for example producing an error message 25 for the sender electronic device 10 or ignoring the OTA message received. Profitably, according to the method of the present invention, it is possible to recognize a cryptographic error in an OTA message from errors of different character, for example from transmission error of the message.

Profitably, a response of the receiving device in case of wrong cryptography may be differentiated from a response in case of error of different or generic character, as in the error of checksum. In particular, the receiving device may be programmed to send no information in response to an OTA message affected by a cryptographic error, to not supply any useful information to a possible sender device of hacking .

Profitably, the device may be programmed to answer with specific information of wrong cryptography, through which the potential sender device of hacking could not return to any considerable information of the sender device.