NL8701069A - Password authentication system for mobile communications - Google Patents

Abstract

When a call is initiated from a subscriber's installation (I), an identification code (ID) is generated (21) and sent with a destination code (AD) selected (22) by the user, to the exchange (II). The data are received (25) and the identity code is verified (26). The exchange then generates (27) a pseudo-random vertification code (VER) which is transmitted to the subscriber. At the subscriber station, the received verification code (VER) is fed to a ROM-controlled password generator (23,24) which sends back a password (LEG). At the exchange, the received password (LEG) is compared (29) with a version (VER') of the verification code. If the password correctly identifies the subscriber, the call is connected.

Description

ί ê ....

* t.

VO 9158 *

Authorization procedure for application in a telecommunication system and telecommunication system in which this procedure is applied.

A. BACKGROUND OF THE INVENTION

1. Field of the invention

The invention relates to an authentication procedure for the authentication of a first device in respect of a second device connectable to this first device via a telecommunication medium. The invention furthermore relates to a telecommunication system in which this authentication procedure can be applied, as well as a first or second device suitable for this authentication procedure. Authentication is here understood to mean identification, i.e. the declaration of the identity by the first device, and verification - consisting of identification 10 and verification - with the aim of determining the reliability of the stated identity.

2. State of the Art

In general, for the authentication of a device which can be connected to a second device by means of a telecommunication medium {e.g. a terminal that "on-line" 8701063 * - 2 - has access to a host computer or a car telephone subscriber that can connect via a switchboard to another (car) telephone subscriber) using code signals that can be entered manually or automatically when initiating be sent from a connection to the appropriate second device. A distinction can be made here between code signals which are intended to indicate the identity of the respective calling first device and code signals which are intended to verify the identity, i.e. to test the reliability (legitimacy) of the relevant calling first device. It is known to use code signals for both identification and verification.

If a second device, eg a computer, is only accessible to a first device or by a group of 15 completely identical first devices, the authentication procedure to be followed includes only verifying the assumed identity (which is the same for all those first devices) of a calling establishment. Verification of the identity of a first device which has sent a call signal to a second device can take place in that the first device, eg at the request of the second device, sends out an identification code to authenticate its identity.

This identification code is received by the second device and tested against a verification code stored in the second device. If the identification code matches the verification code, the connection is maintained and, if necessary, continued; if no agreement is reached, the connection can be broken or an error message is sent to the first device. Thus, authentication serves to test the legitimacy of a calling first device to protect against unwanted, non-legitimate connections.

If a second device (e.g. a host computer or a telecommunications exchange) is accessible to several first devices, which can be distinguished from each other, the 8701069-3 authentication procedure also includes identification - entering the identity - by a calling first device, followed by by verifying the specified identity. The identity can be indicated by an ID code. On the basis of the identity of the calling first establishment, the authority of this establishment may be determined in the second establishment to use the second establishment or parts thereof (eg the authority to which "DATABASES", "WORKSPACES" or "FILES" in a host computer.) In addition, the identity is used for the administration of usage data, in particular usage costs. Authorization and administrative data can be derived from a register present in the second establishment, in which the data are recorded by ID code. After a calling first device has identified itself by means of an ID code - eg a "USERNAME" ~ 15, this identification is usually followed by a verification stroke which, as indicated above, may consist of - at the request of the second device - transmitting a identification code signal - eg a "PASSWORD" - by the first device. compared with an assessment code. The identification code signal will now differ per first device. Likewise, the test code in the second device will now also differ for each first Device. The assessment codes can for instance be derived from the aforementioned register of authorization and administrative data; in this register, the assessment codes are also determined for each ID code.

Authentication procedures in which code signals are exchanged for identification and / or verification have the drawback that these signals can be monitored during a legal connection. In particular, this danger arises when using wireless telecommunication means. Afterwards, an illegal first Device by using the monitored identification and identification code signals may present itself as the 8701069 * 'Λ * - - 4 - relevant Legal First Device.

B. SUMMARY OF THE INVENTION

The invention provides a considerably safer authentication procedure than the known one, in particular with regard to the verification, by n.1. as a means of legitimation, instead of using a specific code signal to be transmitted by the first device, use a credential cipher function specific to the first device concerned. Accordingly, according to the invention, as a test means, instead of a test code, a test cipher function is used. The invention is thus constituted by an authentication procedure of the type indicated under A1, characterized by the following procedure steps: a first procedure step in which the first device transmits a call-15 signal to the second device; a second procedure step in which the second device transmits a verification code to the first device upon receipt of the call signal; a third procedure step in which the first device encrypts the received verification code according to a credential encryption function recorded in the first device and returns the verification code thus encrypted to the second device as identification code; a fourth procedural step in which the second device tests the received identification code against the said verification code and, in dependence on the test result and a test criterion, emits a - first or second - code signal. The verification code is preferably a pseudo-random or a random code. Verification therefore takes place in that the first device to be legitimized encrypts the received verification code in a manner specific to that device (or group of identical devices). The result - the identification code - 8701 06 d -5-.

ΐ is returned and tested in the second facility against the previously broadcast verification code. A further elaboration of the invention provides two preferred embodiments for this.

According to a first preferred embodiment, the verification code which is sent by the second device to the calling first device is additionally encrypted in the same second device according to a (first) verification encryption function which is related to the specific data stored in the second device. said credential cipher function. After receipt of the identification code - that is, the verification code encrypted in the first device according to the identification encryption function - this identification code is tested against the verification code encrypted in the second device. Preferably, the verification code function is identical to the identification encryption function 15, making the verification criterion very simple: a first code signal ("verification positive") is issued when the identification code is matched to the verification code encrypted in the second device; a second code signal ("test negative") if it is not equal.

According to a second preferred embodiment, the verification code is not encrypted, but the identification code received from the first device is encrypted in the second device in accordance with a second verification encryption function which is related to the aforementioned identification encryption function in a particular setting established in the second device. . Subsequently, this encrypted identification code is tested against the originally transmitted verification code, temporarily recorded in the second device.

Preferably, this second verification digit function is the inverse of the identification digit function. According to this preferred embodiment of the authentication procedure according to the invention, a verification code is therefore sent to the first device after a call from the first device, which is also temporarily stored in the second device. The 8701069 ¥ -6 verification code is then encrypted in the first device according to the identification encryption function and (as an identification code) sent back to the second device, encrypted there again - now according to the verification encryption function - and then tested against the original verification code. Since the verification encryption function is preferably the inverse of the identification encryption function (in other words, the decryption function associated with this encryption function), the test criterion is then whether or not the identification code encrypted in the second device is equal to the original verification code: in the case of equality, the verification is positive. and a first code signal is output; in the event of inequality, the test is negative and a second code signal is issued. If a second device is only accessible to one first device or to a group of first devices that do not have a different identity from one another, then the authentication procedure, as explained under A2, only includes the verification of the identity assumed by the second device. of the first establishment. In this case, the identification cipher function with which the (or an) calling device must identify itself will always be the same and therefore also the verification cipher function with which the identification code is tested. It should be noted that the verification code is of course different every time, i.e. always when verification is deemed necessary, i.e. when establishing a connection and, if desired, periodically during a standing connection. In this case, therefore, one and the same (first and second respectively) test encryption function can be used for all connection calls.

If a second device is accessible to different first devices that can be distinguished from each other, as already explained under A2, the authentication procedure also comprises the identification of a calling first device, prior to the verification. According to a further elaboration of 8701069 - 7 - the invention for this case, the identification takes place in a manner known per se by means of transmitting a call signal which includes or is accompanied by an ID code by a first device. Each of the various first establishments must, after making a call to (and giving its identity to) the second establishment, identify itself by means of its own, specific identification number function. Since the identification digit function per first device is different, the assessment digit function per call will have to be adapted to the respective calling first device, for the call criterion to be the same for each call. For this purpose, the verification encryption function is derived per call from the ID code received from the calling first device. Another possibility is not to set the verification digit function in such a way that the testing criterion always remains the same, but instead to set the testing criterion so that the verification digit function remains the same for every call (every ID code). For this purpose, the assessment criterion is derived per call from the ID code received from the calling first Device.

The second device, together with the verification code, can transmit the ID code of the calling first device (inside or outside the verification code signal), eg - as usual in a car telephone system - to prevent double channel investment in the telecommunication medium. Likewise, the ID code can be transmitted with the identification code transmitted by the first device in the third procedural step. This has the advantage that if it appears that the ID code received in the third procedure step deviates from the ID code received in the first procedure step (e.g. by signal mutilation), the connection is terminated or the verification (the second m the fourth procedure step) can be repeated.

The identification digit function in the first establishment can be completely fixed in 8701 069 - 8 - t, or (in part) by means of parameters are adjustable. For example, such parameters can be sent along with the verification code, whereby the credential encryption function in the first device can be controlled (at least in part) from the second device. Within the second device, these parameters are then used to control the verification encryption function in a corresponding manner. The security of the system is further increased if in the first procedure step the first device sends an address code with the call sign-10 sew, e.g. for indicating a further connection (e.g. with another first device) or access (e.g. to a computer file if the second device is a host computer), this address code or a derivative thereof being used as a parameter for setting the credential and (preferably) the test encryption function.

After all, the chosen address codes will often be different at a time and thus the legitimation encryption function, which makes it more difficult for outsiders to find the encryption logic (in practice impracticable). Such a result is achieved by using a channel code (eg the relevant (radio) channel number) or a derivative thereof as a setting parameter for the said encryption functions.

With the dm.v. setting the address code of the credential function can also be achieved that the cryptographic strength - the inverse of the probability that the credential function can be derived from the exchanged code signals, in this case the verification code and the identification code - of the credential function depends on the address code or a derivative thereof, e.g. length. This measure achieves that, for example, international or other relatively important connections can be established using crypto-graphically relatively strong encryption functions, without however burdening the (majority of) per se less important connections. 8701069 i - 9 with relatively long processing times inherent in cryptographically strong encryption functions. Another (possibly additional) measure with the same purpose is to relate the length of the verification code to the length (or another derivative) of the address code.

According to a preferred embodiment of the invention, the legitimation encryption function depends on the received verification code, such that if the verification code corresponds to the ID code of the relevant first device, the legitimation code corresponds to the verification code (and therefore also to the ID code), while if the received verification code does not match the ID code, the identification code does not match the verification code. With this measure it is achieved that a first device which is suitable for applying the authentication procedure according to the invention, i.e. the first and. third procedure step, is able to initiate a connection with a conventional second device, which is not suitable for the authentication procedure according to the invention, i.e. the second and the fourth procedure step. In particular, this option is applicable if the first device is a car telephone subscriber and the second device is a car telephone exchange. According to the conventional procedure, such a car telephone exchange returns as a verification code a replica of the ID code received from a subscriber's set (instead of a (pseudo) random verification code). According to the present preferred embodiment, upon receipt of this verification code corresponding to the ID code, the first device, i.e. the subscriber device, returns an identification code corresponding to the received verification code (and thus to the ID code). The second device, i.c. the conventional exchange, receives and accepts it according to the conventional procedure. Thus, the first device can present itself as a conventional first device as opposed to a conventional second device.

8701 069 * -lO-

In order to provide the possibility of allowing a conventional first device to connect to a per se for the authentication procedure according to the invention, in this case the second and the fourth procedure step, according to a preferred embodiment the verification code depends on the during the first procedure step received ID code, which - depending on that ID code - either does or does not correspond to that ID code. In this way, a second device can present itself as a conventional second device compared to a conventional first device.

The verification encryption function, which is derived from the received ID code, is hereby set - if the ID code represents a conventional first device - as a unit function. As a result, depending on the above-mentioned first or second preferred embodiment with regard to the test, the verification code, which in the present case corresponds to the ID code, respectively. the identification code of the (conventional) first device, which therefore also corresponds to the ID code, remains unaffected by the verification function. Instead of setting the verification 20 encryption function as a unit function via the received ID code, use can also be made of a verification verification function which, in a corresponding manner as the aforementioned identification encryption function, depends on the received verification code resp. identification code, such that if the verification code resp. ID code corresponds to the ID code of the relevant first device, the verification code resp. identification code is not actually encrypted (i.e. encrypted according to a unit function), while if the verification code resp. identification code, on the other hand, does not correspond to the ID code, the verification 30 code respectively. identification code is actually encrypted. In both cases, the assessment therefore consists of comparing the verification code with the identification code, both of which - provided no signal mutilation occurs - correspond to the ID code.

8701069 »* -11-

As indicated above, it is also possible to derive not the verification encryption function from the ID code, but instead the assessment criterion. When using this, the verification code resp. identification code is indeed encrypted, even if they correspond to the ID code, but the test criterion is adapted to the test encryption function so that the latter remains the same unchanged.

The last two preferred embodiments offer a solution, inter alia, to a problem which arises when converting a conventional telecommunication system into a system suitable for the authentication procedure according to the invention, n.1. the logistical impossibility to convert an existing telecommunication system (e.g. a car telephone system) in its entirety within a short time (i.e. including all relevant devices, i.c.

15 subscriber sets and exchanges). As a result of the above two measures, converted installations can cooperate with (not yet) converted installations. Incidentally, it is hereby noted that the devices which are suitable for using the authentication procedure according to the invention can make connections to conventional devices by the aforementioned measures, but that the degree of security will of course not be higher than that achieved. when applying the known (conventional) authentication procedure.

The present invention also includes a telecommunication system for applying the above-discussed authentication procedure. According to a further elaboration, the first Device hereby comprises an ID code generator for generating and transmitting said ID code, the second device a verification code generator for generating and transmitting said verification code after receipt of the ID code. code of * the first device, the first device a credential code generator for causing said credential code to be sent after reception of the verification code, which credential code generator comprises an encryption device for encrypting the received verification code to the aforementioned code; identification code according to said identification cipher function and the second device verification means for testing the received identification code against the previously broadcast verification code and issuing a code signal in dependence on the assessment result and a test criterion

If the second device can be called up by different, non-identical first devices, the second device comprises an ID code / parameter register in which associated system parameters are stored per ID code. These system parameters may include ID code specific encryption parameters for setting the encryption encryption function as well as a specific status parameter related to the system status of the respective first device and which serves to set the verification code generator to broadcast a verification code that may or may not match that ID code. The encryption parameters can thus be used to adapt the verification encryption function to the identification encryption function in such a way that the assessment criterion is always the same. Instead of encryption parameters, the system parameters may also include testing parameters for setting the testing criterion in the testing means. If the received ID code represents a conventional first device, the test encryption function can be set as unit function by the encryption parameters, as already indicated above. The status parameter relates to whether or not the first device 30 is suitable for applying the authentication procedure according to the invention, i.e. whether a call is made by a conventional or a first device modified according to the invention. Under the control of the status parameter, the second device 8701 06 9 -13- then sends a verification code that does or does not correspond to the received ID code.

According to a preferred embodiment, the second device comprises, for testing the identification code against the previously broadcast verification code, a verification encryption device, or for encrypting the verification code transmitted to both the first device and presented to this verification encryption device, according to the said first verification encryption function, wherein the credential code received from the first device is presented to a verifier and is thereby tested against the verification code encrypted by the verifying encryption device, or for encrypting the identification code received by the second device in accordance with the said second verifying encryption function, wherein the code passed by this verification digit-encrypted identification code is presented to said verification body and thereby tests against the verification code; depending on the test result, the verifier issues a code signal, eg a first code signal if the test result does correspond to the fixed relationship between the identification digit function and the test digit function, or a second code signal if, on the other hand, the test result does not correspond to this.

In particular, the invention can be applied in a telecommunication system in which the first device is a subscriber telephone, eg a radiotelephone subscriber, and the second device is an exchange, i.e. a radiotelephone exchange.

According to a preferred embodiment of a first Device, ie subscriber device according to the invention, the ID code generator and the authentication encryption device are formed at least in part by a simple means of temporarily interacting with the device, at least comprising memory means, wherein said ID code, as well as said credential encryption function, at least at least specific parameters thereof, are stored in said memory means. The authentication device can either contain only memory means and be constituted by eg a plug-in ROM, a "memory card" or a magnetic card, or, in addition to the memory means, additionally contain signal processing means and eg be constituted by a "smart card" , ie a card with both memory means and a microprocessor. In the latter case, the microprocessor together with the memory means can take over, for example, the entire function of the ID code generator and / or the identification code element. This preferred embodiment offers users the possibility to provide any first device, i.e. subscriber device, with desired authentication parameters in a simple manner and temporarily (e.g. for the duration of a connection).

15 C. REFERENCES None.

D. BRIEF FIGURE DESCRIPTION

Figures 1 and 2 schematically show the course of the authentication procedure according to the invention, wherein a first device 20 calls a second device by means of a call signal; figure 1 according to a first, figure 2 according to a second further elaboration with regard to the testing procedure '.

Figures 3 and 4 schematically show the course of the authentication procedure according to the invention, wherein a first device 25 calls a second device by means of an ID code signal; figure 3 according to a first, figure 4 according to a second further elaboration with regard to the testing procedure.

Figures 5 and 6 schematically show an exemplary embodiment of a telecommunication system for performing the procedure 30 according to the invention; figure 5 according to the further elaborated procedure indicated in figure 3, figure 6 according to the further elaborated procedure indicated in figure 4.

8701069 * - 15 -

Figures 7a and 7b show a special embodiment of the first device, each a variant thereof.

E. FIGURE DESCRIPTION AND EMBODIMENTS

In figure 1 it is schematically indicated that a first device I wishing to connect to a second device II, for this purpose, starts by transmitting (1) a call signal CALL, which is received (via a connection medium whose operation per se falls outside the scope of the present description) by the second device II. For the time being, it is assumed that the second device II knows the identity of the first device I (e.g. because the two devices are intended to communicate exclusively with each other). After reception (2) of the call signal, a verification code VER is sent to the first device I (4), eg a pseudo-random (digital) code signal of a certain length. Within the second device II, this same code signal is encrypted (5) according to a verification encryption function which is the same as a credential encryption function with which the transmitted code signal VER in the first device I is to be encrypted for verification of its identity. These encryption functions are in the first resp. second establishment established.

In the first device I, the verification code VER is received (6) and then encrypted (7) according to the credential verification function specific to that device I. The verification code thus encrypted is now converted as the legitimation code LEG

broadcast (8) to the second device II, where this ID code LEG is received (9). In order to test the received identification code LEG for correct encryption, it is compared (11) with the verification code VER (5) already encrypted in the second device II. If the two signals LEG and VER 'appear to be equal to each other, the encryption of the verification code in the first and the second device has apparently taken place according to the same encryption function, with which the calling first device is expected to have identified itself. ; in that case a first code signal C1 is output. If the two compared signals LEG and VER 'are unequal, a second code signal C2 is output. The above-mentioned code signals C1 and C2 can, for example, continue forwarding or to disconnect the connection to the first device I.

Figure 2 deviates from figure 1 with regard to the assessment procedure. After the reception (9) of the legitimation code LEG from the first device I, the legitimation code LEG (the verification code VER (7) encrypted in the first device) is encrypted (10) according to an encryption function which is the inverse of the encryption function of the first device I. The identification code RES 'thus deciphered is compared (11) with the verification code (not encrypted) VER. In case of equality, a first code signal

C1, in the event of unevenness, a second code signal C2 is issued, e.g. disconnection of the connection.

Figure 3 schematically shows the course of the procedure if 20 more first devices can connect to a second device. The second device can be, for example, a telecommunications exchange for voice or data connections or a network server of a data network. The first device may, for example, be a telephone subscriber, a data terminal or a personal computer. A calling device sends (1) a call signal containing its ID code. Upon receipt (2) in the second device II, this ID code is passed on to an ID code / parameter register from which specific parameters associated with the ID code are derived (3), such as an access parameter (eg "allow-30 authorized "or" temporarily no access due to default ") or billing parameters (eg booking number of connection charges). Furthermore, the ID code / parameter register per ID code contains a status parameter that indicates whether or not the corresponding calling 8701 06 9 • * - 17 - device is suitable for applying the authentication procedure according to the invention and with which is set whether the verification code whether or not it must match the corresponding ID code. It also contains ID code / parameter register-5 ter encryption parameters for setting the verification digit function that either verifies the verification code VER (the former verification procedure) previously transmitted to the first device I or the validation code received from the first device (back). LEG (the latter review procedure) is ciphered. If the access parameter and the status parameter allow this, a (pseudo) random verification code VER is transmitted (4) which is encrypted both in the second device II (5) and after reception (6) in the first device I. After being encrypted in the first device I (7), the verification code is sent as legitimation code LEG (8), received by the second device II (9) and compared (11) with the encrypted (in the second device II). 5) verification code. If the resp. codes, a first code signal C1, in the event of unevenness, a second code signal C2 is issued, eg resulting in further forwarding or disconnection of the connection.

The procedure shown schematically in Figure 4 differs from that in Figure 3 only with regard to the assessment procedure. This almost corresponds to that of figure 2 and consists in that the identification code LEG is encrypted (10) after receipt (9) by the second device II (10) according to a verification digit function which is derived (3) from the ID code (by means of said ID code / parameter register) and which is the inverse of the encryption function of the respective first device; in other words, the identification code is deciphered the test encryption function. Depending on the result of the equation (11), a first or a second code signal C1 resp. C2 issued.

With regard to the verification procedure, it is also noted that it is also possible to use a verification function 8701 069 - 18 - digit function that is not equal to the identification digit function, respectively. its inverse, but which is in a different relationship to that credential digit function. After testing the identification code LEG against the verification code VER 'encoded (according to the verification encryption function) 5, respectively. the legitimation code LEG 'encrypted (according to the verification verification function) to the previously transmitted verification code VER, the first code signal C1 is output if the verification result does correspond to the relationship between the identification encryption function and the verification-10 encryption function, or the second code signal C2 if the comparison - comparison result does not correspond to that relationship. The test criterion therefore corresponds to the latter relationship.

Instead of the encryption parameters for encrypting (10) 15 the verification code VER resp. the ID code LEG, test parameters can be derived from the ID code / parameter register. The test criterion that is applied during the test (11) is then set by these parameters and adapted to the relationship between the credential digit function and the (fixed-20) test digit function. In this case, interaction takes place between activities 3 (deriving parameters from the ID code / parameter register) and 11 (testing LEG against VER 'or from LEG' against VER) instead of between activities 3 and 5 (encryption of VER according to the first test digit function 25 to VER ') in Figure 3, respectively. activities 3 and 10 (encryption of LEG according to the second test encryption function to LEG ') in figure 4.

Figure 5 shows part of a (wireless) telecommunication system, in this case a car telephone system, suitable for carrying out the procedure indicated in Figure 3. In this figure 5, as a first device, a subscriber device I is indicated, which comprises a first control device 20 (incl. Transmitter and receiver device), an ID code generator 21, an address code device 22 (hereinafter referred to as AD coder 8701069-19) and an identification code 23. , including a credentialing means 24. In this identification numeral 24, (in e.g. a ROM), a identification figure function is determined which is specific to that subscriber set I. As a second device, a central II is indicated which comprises a second control element 25 (incl. Transmitter and receiver) and an ID code. / parameter register 26. In this ID code / parameter register the encryption parameters for setting the verification encryption functions are set per ID code. Furthermore, the ID code / parameter reference yesterday 26 comprises the relevant aforementioned access parameter and status parameter, which indicate whether or not a calling subscriber is authorized to access the exchange II and II respectively. whether or not a calling subscriber is suitable for applying the present authentication procedure. Furthermore, the exchange II 15 comprises a verification code generator 27, a verification encryption device 28 and a verification device 29.

If the subscriber set I wishes to make a connection to the exchange II (and via the exchange e.g. to a second subscriber set), the subscriber set I sends out a call signal containing its ID code generated by the ID code person - rator, as well as an address code AD, entered (keyed in) by the relevant subscriber in the AD coder 22. Via the control member 20 and the connection medium, in this case a radio channel to be invested by known means for the duration of the connection, the ID code and the address code AD sent to the exchange II where they are received by the second controller 25, which supplies the ID code to the ID code / parameter register 26. This register 26 is assigned an access parameter associated with the ID code. as well as a status parameter. If this access parameter allows ("positive") and if the status parameter indicates that the calling extension device is suitable for performing the present authentication procedure, the verification code generator 27 will go through a pseudo-code 8701 069-20. - voluntary verification code VER 'sent to the calling subscriber terminal I; if the status parameter indicates that the subscriber device is not suitable for encryption of the verification code, a verification code corresponding to the received ID code is transmitted, according to the usual conventional procedure. This verification code VER is also presented to the verification encryptor 28, which encrypts the verification code VER according to an encryption function derived from the ID code / parameter register 26 and which is (e.g.) 1d identical to the credential encryption function of the calling subscriber 1. The the first controller 20 of verification code VER received from the subscriber set I is meanwhile presented to the credential generator 23 and encrypted by the credential scrambler 24 in accordance with the subscriber set 13 specific credential encryption function. Thus, the verification code VER is encrypted both in the subscriber set I and in the exchange II, and in this case - if the Authentication encryption function of the calling subscriber I is the same as the verification encryption function - in an identical manner. The encrypted verification code is presented by the subscriber device I as identification code LEO, via the first controller 20, the connection medium and the second controller 25 of the exchange II, to the verification device 29, where this identification code is tested against the verification code 28 encrypted verification-25 code VER '. If the resp. encryption results (i.e. the ID code lEG and the encrypted verification code VER ') appear to be the same and the verification is therefore positive, by means of outputting a code signal C1 to the second controller 25 causes the link to be forwarded to the appropriate second subscriber indicated by the AD code; if the authentication code LEG is not the same as the verification code VER enciphered in the central II, a code signal C2 is output to the second controller 8701069-21 which effects the disconnection of the connection.

In order to considerably increase the Chance of secrecy of the credential encryption function, this encryption function is determined by fixed parameters, specific to the subscriber-set concerned and by variable parameters, e.g. derived from the relevant AD code or the channel code of the radio channel of which is being used. Of course it is also necessary. to vary the test numerical function (or test criterion) identically with the relevant variable parameters. By setting the credential encryption function by fixed, subscriber set-specific and variable, non-subscriber-specific parameters, the specific fixed (and secret) parameters of the encryption function from the exchanged signals (VER or LEG) are impossible in practice to distract.

The processing times of the encryption means are proportional to the length of the verification code VER and to the cryptographic strength of the encryption functions. it may be advantageous to influence both of these factors, e.g. using the length or value of the ID code or of the AD code as (variable) parameter 20 for just setting the encryption functions (i.e. their complexity). This can ensure that relatively expensive and / or important connections are additionally secured (at the expense of longer processing times) without burdening all connections.

Figure b corresponds to figure 5, with the exception of the means for testing the identification code RES. According to this exemplary embodiment, the Legitimation Code LEG is tested in accordance with the procedure of Figure 4 using a verification encryption device 30. According to the embodiment shown in this figure, the verification code VER which is issued by the verification code generator 27 is, besides transmitted via the control device 25, additionally (unencrypted) presented to the testing device 29.

8701069 - 22 -

The verification code encrypted by the subscriber set I, the legitimation code LEG, is presented for verification to the verification device 2b »upon receipt by the control unit 25 from the exchange II, however, via the verification encryption device 30, where the 5 legitimation code LEG is encrypted according to the inverse identification number associated with the relevant ID code. Testing the decrypted ID code LEG 'and the verification code VER in the tester 29 will result in equality of these codes VER and LEG'; in that case, a code signal C1 is output to the controller 25, which causes the connection to be forwarded to the relevant second subscriber device indicated by the AD code. However, if it is found that the encrypted ID code LEG 'is not equal to the verification code VER, the comparator 15 outputs a second code signal C2 to the controller 25.

Thus, for example, the connection is broken; if necessary, the verification procedure is carried out again, after which, depending on the result, the connection is still forwarded or switched off.

If an existing conventional telecommunication system with a large number of first devices, ic subscribers, and several second devices, ic exchanges, is to be converted into a system in which the present authentication procedure is implemented, this poses the problem that it is 2b logistically impossible in particular, all subscriber sets can be modified at the same time, the more so since this must be done without any significant interruption of business operations.

To solve the above-mentioned problem, as mentioned above, according to a preferred embodiment of the invention, use is made of a credential encryption function which depends on

of the (value of the) verification code VER and such that if the verification code VER corresponds to the ID code of the relevant first device I, this verification code VER

8701069 * ï - 23 - is converted into a corresponding ID code LEG (= VER = ID code), while if the received verification code VER does not match the relevant ID code, this verification code VER is converted into a non-corresponding identification code LEG 5 (^ VER ^ ID code). Due to this dependence - e.g. software-created by means of a conditional sub-function such as: IF VER-ID THEN LEG-VER ELSE LEG-F (VER) - it is thus achieved that a subscriber set (provided with an ID) that after transmitting its ID code, as verification code a 10 with its ID code receives the corresponding code, this verification code is sent back unchanged (according to a unit function "encrypted") as identification code LEG to the exchange II. The subscriber set I thus pretends to act as a conventional subscriber set in this way and can therefore cooperate with a 15 as if with a (still) unconverted exchange II, which, in accordance with the usual conventional procedure, returns the relevant ID code after receiving a call signal (provided with an ID code and an AD code) and after receiving it the ID code retransmitted by the subscriber set I forwards the connection to a second subscriber set indicated by the AD code.

Just as a subscriber set I according to the invention can pretend to be a conventional subscriber set, a exchange II according to the invention can also pretend to be a conventional center, so that conventional subscribers (not yet converted) can use this exchange. . The operation is as follows (see figure 5 or 6): after receiving a calling ID code signal, the relevant system parameters are derived from the ID code / parameter register 26, including 30 the corresponding status parameter relating to the status ( "suitable or not for authentication procedure according to the invention") of the calling subscriber, as well as the specific encryption parameters for the verification encryption function.

8701069 h - 24 -

If the status parameter indicates that the subscriber device in question is not (yet) suitable for application of the present new authentication procedure, under the control of the controller 25 the verification code generator 27 does not issue a pseudo-random verification code VER, but instead a verification code VER corresponding to the ID code, which is transmitted via the control device 25 to the subscriber set I. The (conventional) subscriber terminal then transmits again its ID code (according to the usual conventional procedure) 10 and this ID code is tested in the tester 29 against the verification code VER - which corresponds to the ID code - transmitted in advance by the exchange II. The reviewing digit 28 (FIG. 5) and. 30 (figure 6) hereby transmits the code signals presented (in this case the verification code VER or the identification code 15 LEG, both corresponding to the ID code), unaffected, n.1.

in that the verification encryption function corresponds to the aforementioned identification encryption function, which after all has an ID code-dependent character as indicated above. As has already been stated above, it is also possible to use the verification numeral function 20 by means of to set the digit parameters derived from the ID code / parameter register 26 as a unit function, so that the input signals (VER or LEG) are converted unaffected (in fact, not digitized) into output signals (VER 'or LEG') . The first device, in this case the subscriber set I, can be designed in such a way that the ID code generator 24 and the scrambler 24 or parts thereof can easily be temporarily (eg always for the duration of a connection) with the subscriber set I. connected. Figures 7a and 7b both show an exemplary embodiment of such a subscriber set I, which is provided with a receiver 31 for receiving an external authenticator 32. In Figure 7a, the authenticator 32 only contains a memory in which an ID code and a credential encryption function or parameters thereof, eg the 8701069 a * - 25 - encryption key, which are used for the authentication of the subscriber device I. The relevant ID code and identification encryption function form a matching pair and are successively to be used for different subscriber sets 5 I. In fact, this embodiment does not use authentication parameters (ic ID code and credential encryption function) that are specific to the subscriber set in a strict sense, but authentication parameters that are specific to the relevant user (subscriber). Naturally, the corresponding ID code with the associated encryption parameters of the verification encryption function must be included in the central II per user in the said ID code / parameter register 26. The ID code and the associated encryption function which are stored in the authentication device 32 are recorded via the recording device 31 by the ID code generator 21, respectively. the legitimacy digit 24 is read, after which further processing thereof takes place in these organs. For example, the authenticator 32 may be an insertable Read Only Memory ("Insert ROM"). In Fig. 7b, in addition to a memory, the authentication device 32 also contains a microprocessor which completely assumes the function of the ID generator 21 and the encryption device 24.

The authentication element 32 can be formed, for example, by a so-called "smart card".

With the exemplary embodiments according to Figs. 7a and 7b discussed above, a large degree of flexibility is obtained with regard to the use of subscriber sets. This also opens up the possibility of making subscriber sets available for public use (eg in public telephone booths) where the authentication proceeds according to the authentication procedure according to the invention and in which the costs of a connection in the exchange II are invoiced, which means heretofore, it has only been reserved for users of non-public subscriber sets.

8701069 - 26 -

Finally, it is noted that the present authentication procedure - i.e. in particular the last three procedure steps - can be used not only during connection initiation, but also during an already established connection.

For example, this procedure can be performed at regular intervals to periodically verify the connection. This can prevent that if a connection between a legal first device and a second device, after having been terminated by the legal first device, can be taken over by an illegal first device without the second device noticing this.

8701069

Claims (30)

1. Authentication procedure for the authentication of. a first ; device in front of a second device connectable to the first device via a telecommunication medium, characterized by the following procedural steps: - a first procedure step in which the first device (I) sends a call signal (CALL) to the second device (II); - a second procedure step in which the second device sends a verification code (VER) to the first device after receiving the call signal; - a third procedure step in which the first device encrypts the received verification code according to a legitimation encryption function recorded in the first device and returns the verification code thus encrypted to the second device as an identification code (LEG); - a fourth procedural step in which the second device tests the received identification code against said verification code and, in dependence on the test result and a test criterion, emits a code signal (C1 / C2). Authentication procedure according to claim 1, characterized in that the second Device (II) encrypts said verification code (VER) according to a first verification encryption function that is related to said credential encryption function in a particular relationship established in the second device and that the second 25, in the fourth procedure step, tests the received identification code (LEG) against the verification code (VER1) encrypted according to this verification encryption function. Authentication procedure according to claim 2, characterized in that the first verification encryption function is the same as the authentication encryption function and that the verification criterion consists of whether or not the identification code (LEG) is encrypted in the second device (II). verification code (VER '). Authentication procedure according to claim 1, characterized in that, in the fourth procedure step, the second device (II) encrypts the received identification code (LEG) according to a second verification encryption function which is stored in a particular device established in the second device. is related to said more credential digit function and this encrypted credential code (LEG ') then tests against said credential code (VER). Authentication procedure according to claim 4, characterized in that the second verification encryption function is the inverse of the identification encryption function and that the verification criterion consists of whether or not the encrypted identification code (LEG ') is the same as the verification code (VER). Authentication procedure according to claim 2 or 4, wherein an ID code (ID) is transmitted with the call signal, characterized in that the resp. test encryption function is derived from the received ID code. Authentication procedure according to claim 2 or 4, wherein at 15 the call signal an ID code (ID) is transmitted, characterized in that said verification criterion is derived from the received ID code. Authentication procedure according to claim 1, characterized in that the verification code is a random or a pseudo-random code. Authentication procedure according to claim 1, wherein an ID code (ID) is transmitted with the call signal, characterized in that in the second procedure step the relevant ID code (ID) is transmitted with the verification code (VER). Authentication procedure according to claim 1, wherein an ID code is transmitted with the call signal, characterized in that in the second procedure step the relevant ID code (ID) is transmitted with the identification code (LEG). Authentication procedure according to claim 1, characterized in that one or more parameters for setting the credential encryption function are transmitted with the verification code (VER). Authentication procedure according to claim 1, wherein in the first procedure step 8701 069-29, the first device also transmits an address code, characterized in that this address code (AD) or a derivative thereof is used as a parameter for setting the authentication encryption function. Authentication procedure according to claim 1, wherein the first device and the second device can connect to each other via one of several connection channels, characterized in that a channel code designating the relevant connection channel or a derivative thereof is used as a parameter for setting of the legitimacy digit function. Authentication procedure according to claim 1, wherein in the first procedure step the first device also transmits an address code, characterized in that the length of the verification code (VER) depends on the address code (AD) or a derivative thereof. Authentication procedure according to claim 1, wherein an ID code (ID) is transmitted with the call signal, characterized in that the authentication encryption function depends on the received verification code (VER) such that either - if the authentication code corresponds to the ID. code (ID) - the identification code corresponds to the verification code or - if the received verification code does not correspond to the ID code (ID) - the identification code does not correspond to the verification code. Authentication procedure according to claim 6 or 7, characterized in that the verification code (VER) broadcast in the second procedure step depends on whether or not the ID code (ID) received corresponds to this ID code (ID). Telecommunication system for carrying out the identification procedure according to one of the preceding claims. Telecommunication system according to claim 17, characterized in that the first device (I) comprises an ID code generator (21) for generating and transmitting said ID code (ID), the second device (II) a verification code generator ( 27) includes 8701 069-30 - for generating and transmitting said verification code (VER) upon receipt of the ID code (ID) from the first device, the first device (I) includes an ID code generator (23) for transmitting said identification code 5 (LEG) upon receipt of the verification code, which identification code generator comprises an identification encryption means (24) for encrypting the received verification code into said identification code according to said identification encryption function and that the second device (II) test means includes for testing the received identification code against the pre-transmitted verification code and for depending on the testing result and of a test criterion issuing a code signal (C1 / C2). Telecommunication system according to claim 18, characterized in that the second device (II) comprises an ID code / parameter register (26) in which associated system parameters are stored per ID code (ID). 20. Telecommunication system according to claim 19, characterized in that the system parameters per ID code comprise specific encryption parameters for setting the verification encryption function. Telecommunication system according to claim 19, characterized in that the system parameters per ID code (ID) comprise a specific status parameter for setting the verification code generator to broadcast a verification code which either corresponds or does not correspond to the ID code (ID). Telecommunication system according to claim 19, characterized in that the system parameters for each ID code (ID) comprise specific test parameters for setting the test means. Telecommunication system according to claim 18, characterized in that the verification means comprise a first verification encryption device (28) for encrypting the verification code (VER) according to said first 8701069 - both sent to the first device (I) and presented to this verification encryption device. * -31- verification encryption function, in which the identification code (LEG) received from the first device is presented to a verification body (29) and is thereby tested against the verification code (VER ') encrypted by the verification encryption device, which 5 evaluation device, depending on the testing result. code signal (C1 / C2). Telecommunication system according to claim 18, characterized in that verification means comprise a second verification encryption means (30) for encrypting the received identification code 10 (LEG) according to said second verification encryption function, wherein the identification code (LEG ') encrypted by this verification encryption element is assigned to a verification element. (29) is presented and this is used to test against the verification code (VER), which tester outputs a code signal (C1 / C2) depending on the test result. Device for use as a first device (I) in a telecommunication system according to claim 18. Device according to claim 25, characterized in that said ID code generator (21) and said credential identifier (24) are formed at least in part by temporarily interacting with the device (I) in a simple manner bring, at least comprising memory means, authentication means, wherein said ID code (ID), as well as said identification encryption function, at least at least its specific encryption parameters, are stored in said memory means. Device according to claim 26, characterized in that said authentication element comprises signal processing means. « 28. Device for use as a second device (II) in a telecommunication system according to claim 18. A telecommunications system according to claim 18, wherein the first device (I) is constituted by a subscriber set and the second device (II) by a telecommunications exchange, the subscriber set being one of more subscribers accessing said telecommunications exchange 8701069 can have. Subscriber device for use in a telecommunication system according to claim 25 or 26. 870ί069