DE10250810A1 - Cryptographic computation method for running protected computation in smart cards produces a code with two or more code parameters - Google Patents

Abstract

A code (12) is invoked with code parameters (p,q,pinv,sp,dp,sq,dq). Integrity checks (30,34,40) are run on the code in order to prevent a cryptographic attack, in which conclusions about second code parameters are drawn through tampering with first code parameters. The integrity checks determine whether the value of one code parameter remains in a repeatedly interrupted range of reliable values. Independent claims are also included for the following: (a) A computer program product with program commands to make a processor run the method of the present invention; (b) and for a portable carrier like a chip card or chip module set up to run the method of the present invention.

Description

The invention relates generally the technical field of cryptography and more specifically a procedure to better protect a cryptographic calculation against Attacks. In particular, the invention is intended for use in portable data carriers, e.g. as smart cards in different designs or can be configured as chip modules.

For the exchange of encrypted and / or signed data is e.g. in U.S. Patent 4,405,829 RSA method well known. According to the RSA procedure becomes a public key to encoding or signature verification and a secret private key to decryption or signature generation used. The security of the RSA process is based on the fact that currently none efficient way is known to get the prime factors p and q of a large number n with n = pq to determine. While the so-called modulus n is published as part of the public key will have to the values p and q are kept secret.

The ones required to perform the RSA procedure calculation processes are relatively expensive. So must e.g. when decrypting or Signature generation the data to be processed with parameters of the private key be potentiated. Especially for portable data carriers with their limited Computing power is therefore often a Implementation of the RSA procedure for decryption or signature generation used that the Chinese remainder class sentence (CRT = Chinese remainder theorem) and therefore also referred to as the RSA-CRT method becomes. By using the RSA-CRT method, the required computational effort approximately reduced by a factor of 4.

The RSA-CRT procedure provides instead of a complex power calculation, two considerably simpler ones Carry out exponentiations, the results of which then relate to the decrypted data or the generated Signature can be combined. In the first of these calculations goes only the secret prime factor p, and goes into the second calculation only the secret prime factor q.

Attack scenarios have been proposed where exactly one of the two mentioned RSA-CRT calculation branches disturbed e.g. by targeted exposure to heat or radiation or by electric impulse. If this succeeds, the result of the Overall calculation derive a multiple of that prime factor p, q whose Calculation branch not disturbed has been. In other words, the attack described Conclusions on pull the private key. This has potentially catastrophic consequences because not only that just performed decryption or signature generation, but all using private key executed cryptographic operations are compromised.

The attack just mentioned is known under the names "fault attack" or "Bellcore attack" and e.g. in column 4 of U.S. Patent 5,991,415. Also in the US patent 5,991,415 a method is disclosed in which to protect against it while an additional attack to the cryptographic calculation Factor j is included in the calculation. However, there are, as follows will continue to be shown that the methods not known from US Pat. No. 5,991,415 can be.

The above is particularly critical of attack then when the cryptographic calculation by a processor of a portable data carrier, for example a smart card or a chip module, accomplished becomes. A first reason for that is that such portable disk often for safety-critical applications are used, e.g. in connection with financial transactions, access control or the signature of legally binding documents. Second, there are portable ones disk, while the cryptographic calculation is carried out, typically in Possession of the attacker so that all of them possibilities to influence the calculation and to spy on the calculation results.

The invention has the task of a Technology for particularly good protection of cryptographic calculations against attacks. Such attacks are particularly intended be prevented on similar Principles like the "Bellcore attack" described above are based. In preferred configurations protection according to the invention interact advantageously with other protection methods.

According to the invention, this task is complete or partially solved through a process to protect To run a cryptographic calculation with the features of the claim 1, a method for determining a key for a cryptographic calculation having the features of claim 12, a computer program product according to claim 14 and a portable disk according to claim 15. The dependent Define claims preferred embodiments of the invention. The enumeration order the procedural steps in the claims are not intended to limit the Protected area understood become; Rather, embodiments of the invention are provided in which these process steps in whole or in part in others Sequence or in whole or in part in parallel or in whole or in part be interleaved.

The invention is based on the basic knowledge that an attack similar to the "bellcore attack" described above does not only result from a disturbance in the calculation processes during the cryptogra phic calculation is possible, but also in that the cryptographic calculation is supplied with incorrect parameters. This can be done, for example, by passing an incorrect pointer address to the calculation routine or by changing the content of memory fields in which key parameters are contained from the outside. The inventors have recognized that the result of a cryptographic calculation that is supplied with such falsified parameters can possibly be used to draw conclusions about key parameters to be kept secret.

According to the invention, protection is provided against such an attack, an integrity check of the one used for the cryptographic calculation key perform. By this measure the attack can be recognized and warded off by e.g. the cryptographic Calculation is canceled without output of a result. The Integrity check can a manipulation of the key parameters usually do not rule out with absolute certainty; she however, should be one for practical purposes, adequate protection against the attack mentioned Offer. This implies that a simple value range monitoring (range check) with a fixed lower limit and a fixed upper limit Limit not as an integrity check in the Would be considered within the meaning of the present invention.

The integrity check is preferably designed in such a way that manipulation, in which a monitored key parameter is falsified in a random manner, with a probability bordering on certainty, for example with a probability greater than ^{1-10 -3} or greater than ^{1-10 -6} or greater than 1 - 10 ^–9 , is recognized. While the integrity check in some configurations only includes individual, particularly critical key parameters, it is preferably provided to monitor all parameters of a key to be kept secret. Different test methods can be carried out for individual parameters or parameter groups in the course of the integrity check.

The procedures used to verify integrity each have the goal of falsifying the monitored Parameters key or the monitored key parameters to recognize. In a preferred embodiment, the integrity check in the Result determines whether there is a key parameter within a permissible, multiple interrupted range of values. This type of examination is usually then before if the key parameter when generating the key that actually for the cryptographic calculation required value and an additional, redundant fuse value was calculated, e.g. for checksum calculations the case is.

While some or all key parameters can be provided individually will check preferably determined during the integrity check, whether at least two key parameters have a predetermined relationship to one another. The integrity check can involve a multiplicative operation, including in the choice of words a multiplication, a division, a Potentiation, a modulo calculation and a divisibility check are understand.

It is preferably checked whether a key parameters or a value derived therefrom by a hedging value is divisible. In this case, the key parameter is key generation preferably by multiplying the actually for the cryptographic Calculation needed Value with the security value. The security value can Part of the key or be fixed.

The method according to the invention is for all cryptographic Suitable calculations in which a cryptographic attack by Adulteration at least of a first key parameter Conclusions on at least one second key parameter allows. In particular, the invention is for securing the decryption or signature generation in an RSA process, preferably in an RSA-CRT method. In these cases, the integrity check affects the RSA private key. It is expected that appropriate ways to attack for further cryptographic calculations can be found, which then also in the manner according to the invention can be secured.

In preferred configurations determined during the integrity check, whether an exponent used in an exponentiation operation is smooth is divisible by a security value. These embodiments The invention can be used particularly advantageously with an exponent concealment method combine as it is from the international patent application WO 01/48974 A1 is known. In further advantageous configurations become - alternatively or additionally to the exponent concealment just mentioned - the prime factors multiplied by an obfuscation parameter in the RSA process, so that Calculation result by means of an equality check modulo of the obfuscation parameter be checked for correctness can.

The computer program product according to the invention has program instructions in order to implement the method according to the invention. Such a computer program product can be a physical medium, for example a semiconductor memory or a floppy disk or a CD-ROM, on which a program for executing a method according to the invention is stored. However, the computer program product can also be a non-body Lich medium, for example a signal transmitted over a computer network. The computer program product can be provided in particular for use in connection with the production and / or initialization and / or personalization of chip cards or other data carriers.

In preferred configurations the computer program product and / or the portable data carrier Characteristics developed, the above and / or in the dependent method claims correspond to the mentioned characteristics.

Other characteristics, advantages and tasks of Invention will emerge from the following detailed description of several embodiments and execution alternatives out. Reference is made to the schematic drawings in show them:

1 1 shows an exemplary flowchart of a method for key calculation with representation of a public and a private key,

2 an exemplary flow diagram of a cryptographic calculation method,

3 an exemplary flow chart of a portion of the method of 2 in a modified form, and

4 an exemplary flow chart of another embodiment of the cryptographic calculation method.

This in 1 The procedure shown is used to calculate a public key 10 and a private key 12 which are designed for use in an RSA process. The dashed arrows indicate which key parameter is generated by which process step. In connection with the use of the key pair 10 . 12 With portable data carriers (eg chip cards), the method can be carried out in a secure environment, for example during the initialization or personalization of the data carrier. The externally calculated key pair is then transferred to the data carrier as part of the initialization or personalization data. Alternatively, it is also possible that the method of 1 by the disk itself to determine the key pair.

The public key 10 has a modulus n and a public exponent e as key parameters. The private key 12 is intended for RSA calculations using the Chinese residual class theorem, which are also referred to here as RSA-CRT calculations (CRT = Chinese remainder theorem). The private key is the key parameter 12 a first and a second prime factor p, q, a CRT coefficient pinv, a first and a second fuse value sp, sq as well as a secured first and a secured second CRT exponent dp, dq.

This in 1 The method shown begins in a known manner in step 14 with the random selection of two prime numbers with a length of, for example, 1024 or 2048 bits each, which are the first and second prime factors p, q in the private key 12 get saved. In the subsequent step 16, the modulus n of the public key 10 calculated as the product of the two prime factors p, q. The public exponent e is determined in step 18 as a random number that is prime to the value (p - 1) · (q - 1). Since in the present exemplary embodiment the private key 12 is tailored to RSA-CRT calculations, the modular inverse of p modulo q is calculated in step 20 and as the CRT coefficient pinv in the private key 12 added.

In step 22, the value d is calculated as the modular inverse of the public exponent e modulo (p-1) · (q-1). In RSA processes that do not use the Chinese residual class theorem, d as the private exponent would be the main component of the private key. In known RSA-CRT methods, the two CRT exponents d mod (p - 1) and d mod (q - 1) would be used instead of d. In the present exemplary embodiment, the private key contains 12 on the other hand, values derived from the above-mentioned CRT exponents d mod (p - 1) and d mod (q - 1) by an additional safety measure. This security measure is, for example, the multiplication with one security value each. Manipulation of the saved values can then be determined by a divisibility check. In alternative embodiments, other security measures are provided, for example creating a checksum or the multiple transfer of at least the important transfer parameters.

In step 24, two random numbers with a length of, for example, 64 bits (8 bytes) are generated as security values sp, sq. The secured first CRT exponent dp is calculated in step 26 according to dp: = (d mod (p - 1)) · sp. Correspondingly, the secured second CRT exponent dq is determined in step 28 by the calculation dq: = (d mod (q-1)) · sq. The values mentioned are all used as parameters of the private key 12 stored. This is the determination of a private key that is protected against manipulation 12 completed.

In the present exemplary embodiment, the private key is located 12 essentially in the form of a data structure RSAPrivateCRTKey according to the conventions of the Java Card application programming interface. These conventions are currently available in the document "Java Card ^TM 2.1.1 Application Programming Interface", Revision 1.0, May 18, 2000, issued by Sun Microsystems, Inc., USA, at http://java.sun.com/ products / javacard / javacard21.html. The data structure provided there has fields DP1 and DQ1 for the unsecured CRT exponents d mod (p - 1) and d mod (q - 1). To the private key 12 According to the present exemplary embodiment, to accommodate such a data structure, the present exemplary embodiment provides that the values sp and dp are stored together in the field DP1 of the RSAPrivateCRTKey, and that the values sq and dq are accordingly stored together in the field DQ1. In 1 this is indicated by dotted lines. In execution variants, the values sq and dq can also be stored in other fields of the RSAPrivateCRTKey or outside of this data structure.

The exemplary embodiments described here deviate slightly from the above-mentioned Java card specification, in the present case the modular inverse of p modulo q as CRT coefficient pinv in the private key 12 is included. In contrast, according to the Java Card specification, a CRT coefficient PQ is used, which is the modular inverse of q modulo p. Modifications to the methods described here are provided in which the CRT coefficient PQ is part of the private key in accordance with the Java Card specification 12 is. The ideas according to the invention can also be used for such configurations without significant changes.

2 shows a first embodiment of a secured RSA-CRT method, which is used for decryption or signature generation. The method is intended to be carried out by a processor of a portable data carrier, in particular a chip card (smart card) or a chip module. For this purpose, the method is implemented in the form of program instructions for this processor, which are stored in a ROM or EEPROM of the data carrier. The private key required for decryption or signature generation 12 is also stored in the EEPROM of the data carrier.

When the procedure is called, a pointer to the private key is displayed 12 passed to the called decryption or signature generation routine. The inventors have recognized that a cryptographic attack can be carried out by using individual parameters of the private key 12 manipulated before decryption or signature creation begins. This can be done, for example, through targeted action on the private key 12 contain EEPROM or by passing an incorrect address to the RSA-CRT routine. Such an attack would have the extremely disadvantageous consequence that the calculation result - z. B. the decrypted data or the generated signature - draw conclusions about the values of the secret key parameters. This would be the key pair 10 . 12 compromised for all previous and future calculations.

In order to prevent such a cryptographic attack, the method of 2 a private key integrity check 12 provided that includes a sequence of several partial exams. In 2 the dashed arrows indicate which key parameters are included in the respective partial tests.

The process begins in step 30 with the partial check whether the in the private key 12 contained CRT coefficient pinv actually represents the modular inverse of the first prime factor p modulo of the second prime factor q. In other words, it is checked whether the predetermined relationship p · pinv = 1 mod q is fulfilled. If this is not the case, an error jump occurs and the process is terminated. If the check is successful, it can be assumed that the key parameters p, q and pinv have not been manipulated and the process is continued.

In the following calculation module 32 a first auxiliary value y1 is determined as a result of the first of the two CRT calculation branches. The data to be decrypted or signed, the first prime factor p and the first CRT exponent d mod p - 1 are included in this calculation, the latter value not being directly available, but from the secured first CRT exponent dp and the first security value sp must be derived.

To check whether one of the two values sp, dp has been manipulated, a divisibility check is first carried out in step 34. If the secured first CRT exponent dp is not smooth through the If the first fuse value sp is divisible, an error jump occurs again and process termination. If, on the other hand, the division merges without remainder, can be accepted with almost certain probability be that at least no accidental falsification one of the two key parameters sp and dp has taken place. This divisibility check represents only a minor one additional Computational effort because the backup value sp is only a relatively low one bit length having. A deliberate manipulation of the two parameters sp and dp with knowledge of the proposed security mechanism could by the method described here is of course not discovered; but it is present unimaginable how an attacker could do such a targeted enrollment manage new values in individual EEPROM cells of the data carrier could.

If the integrity check with regard to the parameters sp and dp was successful in step 34, the actual calculation of the first auxiliary value y1 according to y1: = (x mod p) ^ (dp / sp) is carried out in step 36. With regard to the exponent dp / sp, the division result already calculated in step 34 can of course generally be used. Since the backup method in the present exemplary embodiment simply consisted of a multiplication by the first backup value sp - see step 26 in 1 -, dp / sp = d mod (p - 1) and therefore y1 = (x mod p) ^ (d mod (p - 1)). this is that desired result of the first CRT calculation branch.

A second calculation module 38 corresponds to the second CRT calculation branch. The procedure is the same as in the first calculation module 32 from, however, the second prime factor q, the second security value sq and the secured second CRT exponent dq are used. In step 40 the integrity check with regard to the key parameters sq and dq follows, and in step 42 the second auxiliary value y2 is calculated according to the formula y2: = (x mod q) ^ (dq / sq).

n the calculation step concluding the method 44 the overall result y, that is to say the decrypted data or the calculated signature, is determined in a manner known per se by combining the two CRT auxiliary values y1 and y2. The calculation performed here can be expressed as y: = (((y2 - y1) · pinv) mod q) · p + y1. Different evaluation sequences can of course be selected for the calculation steps carried out by the processor of the data carrier. In general, different variants of the RSA-CRT calculations of steps 36, 42 and 44 are known from the literature, which differ in particular in the way in which intermediate results are reduced to the respective modulo ranges. The inventive idea of the integrity check and the multiplicative securing of the CRT exponents dp and dq proposed in the present exemplary embodiment can be combined with all of these variants.

The integrity check according to the present invention is aimed particularly against a cryptographic attack, the time before the RSA calculations - at the latest during the parameter transfer to the RSA routine - is executed. The exam when passing parameters can also be done in a simple manner by in addition to the transfer parameters also related redundant information, for example in the form of checksums is saved, and after the parameter transfer a saved one checksum with a new over the handed over Parameters calculated checksum is compared. Alternatively, at least important transfer parameters handed over several times and after handover on identity checked become.

There are other types of attacks known to be spying on of the individual calculation steps to draw conclusions about key parameters to be kept secret to enable. In particular, the exponent formation in steps 36 and 42 is exposed to such attacks because in common implementations of Exponentiation operation the processor activity during the calculation process depends significantly on the bit sequence of the exponent. This processor activity can be caused by Measurement of power consumption (SPA = simple power analysis or DPA = differential power analysis) or other signals such as electrical field strengths spied become.

To protect against such attacks is in the international patent publication WO 01/48974 A1 been suggested to exponent with remainder by a random number to share and three separate exponentiations instead of a single exponentiation operation undertake as the exponent the integer quotient, the Random number and the remainder determined during the division become. This method is described in detail in the cited patent publication described, the content of which is hereby fully included in this document is recorded.

It is a particular advantage of the Security procedure according to the present Invention that itself this easily with the also called "exponent blinding " Veiling process according to WO 01/48974 A1 can be combined, whereby especially those for the disguise procedure anyway required division also for the security procedure according to the present Can use invention. The inventive method can be implemented with very little additional effort.

3 shows the process steps of a calculation module 32 ' that compared to the calculation module 32 of 2 is modified in such a way that it additionally uses the technique of exponent concealment known from WO 01/48974 A1. For this purpose, a random number r with a length of, for example, 64 bits (8 bytes) is first selected in step 46. In step 48, a division with the remainder is carried out in order to divide the saved CRT exponent dp into the factors dp1 and rsp and the remainder dp2; dp = dp1rsp + dp2. In contrast to the method known from WO 01/48974 A1, it is not the random number r but the value r · sp that is used as the divisor in step 48.

In steps 50 and 52, the first two potentiation operations are now carried out, in that the base value x mod p is first potentiated with the random number r and the intermediate result y11 thus obtained is then potentiated with the integer quotient dp1. For the result y12, y12 = ((x mod p) ^ r) ^ dp1 = (x mod p) ^ (rdp1). The security value sp was not included in steps 50 and 52, since the multiplication used to secure the CRT exponent dp is already in connection with the division 48 was undone.

In step 54 - in analogy to step 34 in FIG 2 - a divisibility check to ensure the integrity of the key parameters sp and dp. In contrast to step 34 in 2 however, it is not the secured CRT exponent dp, but the division remainder dp2 that is divided by sp. Since dp2 differs from dp only by a multiple of r · sp - and thus by a multiple of sp -, the two checks are equivalent. The one through the However, due to the considerably shorter dividend dp2, the execution of calculation step 54 is considerably less than when calculating step 34 in 2 , In addition, the integer division result dp2 / sp is required in the following step 56. The division and divisibility check in step 54 represents the only additional computational effort compared to the known method according to WO 01/48974 A1.

If dp2 is not a smooth multiple of sp, the method is terminated in step 54 with an error exit. Otherwise, a further intermediate value y13 is calculated in step 56 according to y13: = (x mod p) ^ (dp2 / sp). As a result y1 of the calculation module 32 ' the product y12 · y13 is determined in step 58. This result is identical to the first auxiliary value y1 according to step 36 of FIG 2 because: y1 = y12y13 = ((x mod p) ^ (rdp1)) ((x mod p) ^ (dp2 / sp)) = (x mod p) ^ ((rdp1) + (dp2 / sp)) = (x mod p) ^ (dp / sp)

The entire RSA-CRT method in the particularly protected embodiment variant described here begins with an integrity check of the parameters p, q and pinv by the in 2 Step 30 shown. This is followed by the steps of the calculation module as the first CRT calculation branch 32 ' according to 3 to determine the first auxiliary value y1. To calculate the second auxiliary value y2, the in 3 shown methods used, of course, the key parameters p, sp and dp are replaced by q, sq and dq. The random number r can either be from the first run of the calculation module 32 ' be adopted or redetermined. The final result y is finally obtained by a combination of the two auxiliary values y1 and y2 as in step 44 of 2 calculated.

This in 4 The method shown provides an additional checking step in which a further obfuscation parameter j is used. A first calculation block 60 corresponds approximately to step 30 in 2 , In step 62, the obfuscation parameter j is selected as a random prime number with a length of, for example, 32 bits (4 bytes). The prime factors p and q are multiplied by the obfuscation parameter j in steps 64 and 66 to obtain obscured prime factors p 'and q', respectively. A test is performed in step 68 to check the integrity of the key parameters p, q and pinv. If p '· pinv = j mod q' holds, the process continues; otherwise an error jump occurs.

In a second calculation block 70 a first auxiliary value y1 is determined according to the formula y1: = (x ^ (dp / sp)) mod p '. The first auxiliary value y1 essentially corresponds to the first auxiliary value of the exemplary embodiments of 2 and 3 , whereby however p 'instead of p is used for the modulo calculation. In detail, the calculation is carried out in different versions either as in the calculation module 32 of 2 or as in the calculation module 32 ' of 3 , In both cases, a divisibility check is carried out to ensure the integrity of the key parameters sp and dp.

A third calculation block 72 corresponds to the second calculation block 70 with the difference that instead of dp, sp and p 'the values dq, sq and q' are used to calculate a second auxiliary value y2. Again, the third calculation block 72 either like the calculation module 38 in 2 or analogous to the representation of 3 be designed. Through a divisibility test in the third calculation block 72 the integrity of the key parameters sq and dq is checked.

Step 74 relates to the calculation of an intermediate result y 'using the formula y': = [((y2 - y1) · pinv) mod q '] · p + y1. This corresponds approximately to step 44 in 2 , In step 76 there is a further test which relates the previous calculations to one another and detects faulty calculation processes. It is checked whether the following equality relationship modulo j applies: y 'mod j = [((x ^ (dq / sq)) mod j - (x ^ (dp / sp)) mod j) pinvp + (x ^ (dp / sp)) mod j] mod j

If this equation is not met, the error is aborted. Otherwise, the method is completed in step 78 with the calculation of the end result y according to y: = y 'mod n, where n is the modulus with n = p * q. By further checking the course of the calculation in step 76, the method according to FIG 4 Protection against cryptographic attacks has been further improved.

Claims (15)

Method for the secure execution of a cryptographic calculation, in which a key ( 12 ) with at least two key parameters (p, q, pinv, sp, dp, sq, dq), characterized in that an integrity check ( 30 . 34 . 40 . 54 ) of the key ( 12 ) is carried out in order to prevent a cryptographic attack in which, by falsifying at least one first key parameter (p, q, pinv, sp, dp, sq, dq), conclusions about at least one second key parameter (p, q, pinv, sp, dp, sq, dq). Method according to claim 1, characterized in that during the integrity check ( 30 . 34 . 40 . 54 ) it is determined whether the value of at least one key parameter (p, q, pinv, sp, dp, sq, dq) is in a range of permissible values that is interrupted several times. Method according to claim 1 or claim 2, characterized in that during the integrity check ( 30 . 34 . 40 . 54 ) it is determined whether at least two key parameters (p, q, pinv, sp, dp, sq, dq) are in a predetermined relationship to one another. Method according to one of claims 1 to 3, characterized in that the integrity check ( 30 . 34 . 40 . 54 ) includes a multiplicative operation, in particular a divisibility check. Method according to one of claims 1 to 4, characterized in that during the integrity check ( 30 . 34 . 40 . 54 ) it is checked whether a key parameter (p, q, pinv, sp, dp, sq, dq) or a value that differs from the key parameter (p, q, pinv, sp, dp, sq, dq) by a multiple of one Fuse value (sp, sq) differs, is evenly divisible by the fuse value (sp, sq). Method according to one of claims 1 to 5, characterized in that that at the integrity check one with the key parameters (p, q, pinv, sp, dp, sq, dq) stored checksum with one after the transfer the key parameter (p, q, pinv, sp, dp, sq, dq) newly calculated checksum is compared. Method according to one of claims 1 to 6, characterized in that that for exam of integrity important transfer parameters handed over several times and after handover on identity checked become. Method according to one of claims 1 to 7, characterized in that that the cryptographic calculation a decryption or signature generation with an RSA method, in particular an RSA-CRT method. Method according to Claim 8, characterized in that at least one exponentiation operation is carried out in the cryptographic calculation, and in that in the integrity check ( 30 . 34 . 40 . 54 ) it is checked whether the exponent used in the exponentiation operation is evenly divisible by a saving value (sp, sq). A method according to claim 9, characterized in that at an exponent obfuscation method in the cryptographic calculation for spying protection is applied. Method according to one of claims 8 to 10, characterized in that that the Prime factors (p, q) of the RSA method with a concealment parameter (j) are multiplied, and that the accuracy of the calculation history through an equality check modulo of the obfuscation parameter (j) is checked. Method for determining a key for a cryptographic Calculation with at least two key parameters (p, q, pinv, sp, dp, sq, dq) which is for use in a method according to a of claims 1 to 9 is provided. A method according to claim 12, characterized in that at least a key parameter (p, q, pinv, sp, dp, sq, dq) by multiplying one for the cryptographic Calculation needed Value with a backup value (sp, sq) is obtained. Computer program product having program instructions, to induce a processor, a method with the features one of the claims Execute 1 to 13. Portable data carrier, in particular chip card or chip module that is used for execution of a method with the features of one of claims 1 to 13 is set up.