Yiannis Hatzopoulos, Scientific Engineering Services
A USB CardJava Dongle offering
• Anti-Piracy protection
• Digital Rights Management
• eCommerce security
• Secure conditional access to local and remote computational resources
• Complex licensing schemes support
CER 2005 - Brussels
Recipient of the eGateOpen 2004 Jury Award, sponsored by Sun Micro, ST, Axalto
eSmartLock USB CardJava Dongle
Anti-Piracy module
Secure eCommerce Token
ERP/CRM connectivity
TimeStamp authenticator
Lease / Pay-as-you-use
Digital Rights Management support
Crypto web access
Secure CD / DVD access
Secure local Save/Load operation support
Multi-User Concurrency Licensing administrator
eSignature generator and authenticator
Key Distribution Server on LANs and WANs
eSmartLock API service delivery
eSmartLock Functional Components
Certificate
AntiPiracy Protection
ERP/CRM eBilling Server
eSignature Validation
Protected CD/DVD access
Internet Crypto Access
Soft Product Key / Credits / DRM
eSessioning
Encrypted Storage on Hard Disk
Trusted Third Party – VPN service
eSmartLock mutual authentication patterns
PC to Card authentication: eGate, K(R)
Card to PC authentication: eGate, K(R)
Card to Card authentication: eGate to eGate, K(R)
eSmartLock Ticket Key generation
Client / Server
R, R, R, Renv
Envelope Key generation
Card RSA Public Key
Renv(TicketKey)
Ticket Key (3DES), Renv
Ticket key Encrypted Channel
Soft Product Key
MS CryptoAPI / RSAREF2 API
Challenge
CardID | Soft Product Key Data | MAC
It only decodes on a specific card
Credit Update Operation
Soft Product Key Data: Credit, Credit Update Data, New Authenticated TimeStamp
eSmartLock Soft Product Key Processing pattern
Vendor’s Order Processing dept compiles DRM request from Customer
Generic DRM Command Set
Soft Product Key Data
PC based DRM parser (option sets / keysets / commands etc): On PC Parser
On Card Parser
DRM Command
Persistent Storage on Card
eSmartLock Digital Rights Management
Business rules
Card controlled Individualization
Rights revocation
Rights renewal
Secure delivery path
Trial
Leasing
Pay-per-use
Rights Transfer
Conventional licencing
Flexible Multi-User Licensing
eSmartLock eSessioning
Produces RSA encrypted PK [CardID, eSession Key, K(eSessionKey), K(TimeStamp)]
eSession Request: Encrypts K[Random pad, CardID, eSession parameters]
Performs RSA Private Key decryption, authenticates with K => eSessionKey, TimeStamp
Internet Secure Channel
eSessionKey, TimeStamp
eSmartLock
eSmartLock Client – Server Trusted Third Party Service
Content Access Server / ERP
eGate, eGate, eGate
Object of Interest
eSmartLock Public Keys
eSmartLock Client i
Access Control List
Authenticate Identity - Submit PK
Authorized Services
eSmartLock Server: CA - KDC
eSmartLock Client A
Client PK Registration
eGate
eSmartLock Client B
B’s Public Key, A’s Public Key
VPN
eSignature Checks
Key Distribution Center function
Store PK safely
eSmartLock concurrency licensing
Extranet
N Max Active Concurrent Licenses allowed
eSmartLock Server
eSmartLock Clients
Dynamic License ID storage
eSmartLock
K User Population
eSmartLock eSignature support
eSignature Creation: Source data => Secure Hash Algorithm => Encrypt with RSA Private Key => Signature
eSignature Verification: Source data => Secure Hash Algorithm; Signature => Decrypt with RSA Public Key; Comparison
The RSA Public key is imported from an eSmartLock KDC
eSmartLock antiPiracy functionality
• Mutual authentication pattern PC-Card
• PC – Card Communication based on Tickets
• onCard attack detector
• Secure access onCard parameter file
• Byte buffer unlocker on PC memory
• Executable code on-Card repository: exe and java based
• Debugger detection – interrupt vector redirection
• Time-trapping to detect tracing attacks
• Runtime code decryption layers
• Use of dumb threads
• External code calls on Card