A WIRELESS DISTRIBUTED AUTHENTICATION SYSTEM
Field of the Invention
The present invention relates to authentication systems, and in particular to a wireless distributed system and method for entity authentication.
Background of the Invention
Authentication refers to techniques that allow one party (the verifier) to gain assurance that the identity of another (the claimant) is as declared, thereby preventing impersonation. The most common authentication technique is for the verifier to check the correctness of a message (possibly in response to an earlier message) which demonstrates that the claimant is in possession of a secret associated by design with the genuine party. This is the basis of the password systems that pervade most computer and restricted-entry systems. Unfortunately, these systems do not provide robust security, because freely chosen passwords are easily guessed, and imposed passwords are usually written down (and therefore easily stolen) because they are not easily remembered.
A token-based identification system uses something possessed by the claimant such as a small card containing a magnetic strip, a smartcard, or a password generating card which provides time-variant passwords. However, token-based systems are notoriously weak because the token is easily stolen. The risk of theft is exacerbated by the obviousness of the target. If the loss of the token is not noticed immediately, the token can be used by a third party masquerading as the claimant. Alternatively, the token can be reverse engineered to determine internal secrets or the operational mechanism.
Biometric authentication systems and methods have been developed because of the weaknesses of alternative methods such as those discussed above. The advent of low-cost fingerprint scanners has made these methods particularly attractive in recent years. However, even these methods have significant drawbacks. For example, biometric data, once stolen, compromises the claimant's biometric credential for the rest of his or her life, since it cannot be revoked or replaced. Furthermore, biometric authentication can only be used with organic life forms, and not with other physical entities.
The above limitations pose a challenge for authentication systems. It is desired, therefore, to provide a robust method and system for authentication which does not suffer from the above difficulties, or which at least provides a useful alternative.
Summary of the Invention
In accordance with the present invention there is provided an entity authentication system, including: at least two wireless communications devices in the possession of an entity, at least one of the devices having first partial authentication data and at least one other of the devices having second partial authentication data; and an authentication device for authenticating said entity based on authentication data generated from at least said first and second partial authentication data.
The present invention also provides an entity authentication method, including: transmitting, from at least one wireless communications device in the possession of an entity, partial authentication data; receiving said partial authentication data at another wireless communications device in the possession of said entity having other partial authentication data; and generating authentication data from said partial authentication data and said other partial authentication data.
In accordance with the present invention there is provided an entity authentication method, including: transmitting, from at least two wireless communications devices of an entity, partial authentication data; receiving said partial authentication data at an authentication device and using said partial authentication data to generate authentication data; and authenticating said entity on the basis of said authentication data.
The present invention also provides an authentication system having components for executing the steps of any one of the above methods.
Brief Description of the Drawings
Preferred embodiments of the present invention are hereinafter described, by way of example only, with reference to the accompanying drawings, wherein: Figure 1 is a block diagram of a preferred embodiment of a distributed authentication system;
Figures 2 to 6 are schematic diagrams of the steps executed during an authentication session using the distributed authentication system; and
Figure 7 is a block diagram of a micro-fragment of the system.
Detailed Description of Preferred Embodiments of the Invention
A distributed authentication system, as shown in the Figures, comprises a cooperative wireless communications network formed by a number of microelectronic devices 2 to 8 referred to below as micro-fragments and a verification terminal 9 which includes a computing device 12 with a wireless communications transmitter/receiver 10, as shown in Figure 1. The micro-fragments 2 to 8 are possessed by the claimant, and the verification terminal 9 is possessed by the verifier.
The micro-fragments 2 to 8 are small enough to be secreted within items of clothing or jewellery. The micro-fragments 2 to 8 each include, as shown in Figure 7, a radio frequency (RF) transmitter 50 and receiver 52, sufficient computing power in a microprocessor 54 to enable data scrambling and unscrambling, and local memory 56 to store security keys and other data. Because the micro-fragments 2 to 8 are located very close to each other (e.g., within a 2 meter diameter) they can communicate by weak RF signals.
The micro-fragments 2 to 8 are attached to different parts of the claimant. For example, if the claimant is a person, they may be attached to the person's finger (in the form of a ring), clothes (in the form of buttons), glasses (as part of the frames), belt, and wristwatch, as shown in Figure 2. The person may also choose to place one of the micro-fragments in his wallet, and another one in his handbag.
One of the micro-fragments is a micro-gateway 8 which acts as the claimant's interface with the verification terminal 9 possessed by the verifier. The micro-gateway 8 communicates with the verification terminal 9 via weak RF signals. In one embodiment for authenticating persons, it includes a button that allows the claimant to authorise communications between the micro-fragments 2 to 8 and the verification terminal 9, ensuring that the claimant is aware of the fact that an authentication session is taking place. Technology and circuitry for the micro-fragments and terminal 9 is available from standard devices, such as smart cards, and RF transponders and base stations used for vehicle security and entry systems. For example, the devices 2 to 8 and terminal 9 can be made using available Bluetooth technology and products, discussed at http://www.bluetooth.com. The devices 2 to 8 and terminal 9 can then be configured and/or coded to execute the authentication processes described herein.
The distributed authentication system operates by storing portions of cryptographic keys and other personal information in the micro-fragments 2 to 8. The micro-fragments 2 to 8 are secreted on the claimant in a distributed fashion, as described above and illustrated in Figure 2. The micro-fragments communicate by sending and receiving RF signals which effectively define an authentication zone 20 around the claimant. Matching information for the particular claimant is stored by the verification terminal 9. Once the authentication data has been stored in the terminal 9 and the micro-fragments 2 to 8, the claimant can be authenticated by the distributed authentication system. The continued validity of the authentication zone 20 may be confirmed by occasionally polling the micro-fragments 2 to 8. This allows the claimant to be alerted to potential or actual failure of the authentication zone 20 if one or more micro-fragments is lost.
While in the idle state, the verification terminal 9 continually polls the surrounding space for nearby devices by broadcasting a generic device identification query over its RF transmitter and listening for responses. The authentication process begins when the claimant approaches the verification terminal 9 and the gateway device 8 comes within communications range. The gateway device 8 receives the query from the verification terminal 9, as shown in Figure 3. In one embodiment for authenticating persons, the gateway device 8 signals an alarm to alert the claimant that a valid terminal has issued a query to the claimant, asking the claimant if he or she wishes to be authenticated with this particular terminal 9. The user responds by pushing a "yes" button on the gateway device 8. This step is omitted if the entity to be authenticated is not a person. The gateway device 8 then responds with a unique identifier, as shown in Figure 4. If the identifier corresponds to a valid authentication claimant known to the verification terminal 9, then the verification terminal 9 transmits a validation certificate and a challenge to the gateway device 8, as shown in Figure 3. The challenge is a query which possesses random attributes, but is also related to the particular characteristics of the claimant.
The gateway device 8 verifies the certificate of the verification terminal 9. The information that the gateway 8 requires in order to respond to the verification terminal 9's challenge is distributed amongst subsets of the micro-fragments 2-7, with some micro-fragments containing redundant data. The gateway device 8 broadcasts an authentication data query to the micro-fragments 2-7, as shown in Figure 5. The micro-fragments 2-7 receive the query and respond by transmitting their part of the claimant's authentication data. The gateway 8 processes responses from each micro-fragment until it has sufficient data to generate a claimant authentication response. For example, the responses from micro-fragments 2, 3, and 4 might be sufficient for the gateway device 8 to generate the response, as shown in Figure 6. In this example, these three devices are said to have formed a quorum of authentication devices. The gateway device 8 generates the authentication data and transmits it to the verification terminal 9, as shown in Figure 4. The verification terminal 9 checks the validity of the response, and so acts as the authentication device. If the response is correct, the verification terminal now knows the identity of the claimant with a high degree of certainty.
The authentication thus established may be extended over a period of time to provide an authenticated session. After the initial authentication has taken place, the claimant and verification terminal create a shared secret that is used for continual identification. As this authentication relies on the claimant's authentication zone 20 remaining within RF communications range, the sessional authentication is also based on proximity. Once the claimant leaves the immediate area, the shared secret generated for the session is invalidated, and the authentication process must begin again if the claimant wishes to be re-authenticated.
The RF communications between the micro-fragments 2-7, the gateway 8 and the verification terminal 9 are encrypted and authenticated for additional security.
Unlike conventional token-based systems, the authentication process requires a number of the micro-fragments in addition to the gateway device. Thus the micro-fragments are not easily stolen, or even identified, since they are extremely small and distributed across a number of locations on the claimant's person, usually in clothing or jewellery. Moreover, if one or more micro-fragments are lost, the claimant can still be authenticated to the system provided that a quorum of micro-fragments remains present. Micro-fragments may be dynamically added to or removed from the authentication zone 20 (with the claimant's permission).
In an alternative embodiment, the interaction of multiple authentication zones belonging to different people could be used to define a special level of access that is unavailable to any smaller combination or single party on their own.
The process of key generation, sharing and reconstruction is described below. A number of alternative embodiments have been developed which determine how the data fragments are generated and shared between the devices, and how the authentication data is generated from these fragments.
In one of the simplest embodiments, $m$ micro-fragments are given to the claimant. In the initialisation phase, a unique authentication key $k$ for the claimant is generated. A copy of the authentication key is given to the verifier. This authentication key $k$ is then 'split' into $m$ pieces referred to as "shadows", by the use of a $t$-out-of-$m$ secret sharing method, where $t$ is an integer not greater than $m$. Each micro-fragment is then given one of the shadows. In addition, each micro-fragment is also given a secret key $s$ which is used by all the micro-fragments to securely communicate within the distributed authentication system.
At a later stage, when the verifier asks the claimant to prove his identity, the verification terminal 9 generates and forwards to the claimant's micro-gateway 8 a random number $x$ as a challenge. The verification terminal also computes $y = e_k(x)$, where $e_k$ is the encryption algorithm of a cryptosystem such as the Data Encryption Standard (DES) using key $k$, and stores it for later use. (DES is named only as an example; any block cipher or keyed message authentication code of adequate strength serves the same purpose.)
To answer the challenge, the micro-gateway 8 requests the micro-fragments to provide their shadows. Communications between micro-fragments and the micro-gateway 8 can be carried in a secure and efficient way by the use of a secret key cipher under $s$. The micro-gateway 8 then reconstructs the authentication key $k$ from any $t$ of the shadows received. With the authentication key $k$, the micro-gateway 8 responds to the challenge $x$ by sending back to the verification terminal 9 a value $z = e_k(x)$. On receiving $z$ from the micro-gateway 8, the verification terminal 9 checks whether $z$ is identical to the value $y$ that was computed and stored earlier. The authentication is deemed successful only when these two values are indeed identical. Note that in this embodiment the whole key $k$ is momentarily present in the micro-gateway 8, so the gateway must erase it after use.
An alternative embodiment is more secure than the above embodiment, but requires the micro-fragments to have more processing power. In this embodiment a Shamir secret sharing method, as described in A. Shamir, How to share a secret, Communications of the ACM, 1979, 22: pp. 612-613, is used to distribute the secret needed for the Schnorr identification protocol, as described in C. Schnorr, Efficient signature generation by smart cards, Journal of Cryptology, 1991, 4: pp. 161-174. The claimant C proves his/her identity to the verification terminal V in a five-pass protocol, as described below.
1. Initialisation (and selection of system parameters)
(a) A suitable prime $p$ is selected such that $p - 1$ is divisible by another prime $q$. Discrete logarithms modulo $p$ are computationally infeasible.
(b) An element $\beta$ is chosen, $1 < \beta \le p - 1$, having multiplicative order $q$.
(c) Both the claimant and the verification terminal obtain an authentic copy of the system parameters $(p, q, \beta)$ and the verification function (public key) of a mutually trusted Certification Authority (CA), allowing verification of the CA's signatures $S_T(m)$ on messages $m$. $S_T$ involves a suitable known hash function prior to signing, and may be any signature mechanism.
(d) A parameter $t$ (e.g., $t \ge 40$), with $2^t < q$, is chosen (defining a security level of $2^t$).
2. Selection of per-user parameters
(a) The claimant C securely generates and distributes a secret key $k_{\text{AURA-COM}}$ to the gateway and all the micro-fragments (for communication purposes).
(b) The claimant C creates a string $I_C$ representing their identity.
(c) C chooses at random a private key $a$, $1 \le a \le q - 1$, and computes $v = \beta^{-a} \bmod p$.
(d) C identifies him/herself in a conventional manner (e.g., passport) to the CA, transfers $v$ to the CA with integrity, and obtains a certificate $\mathrm{cert}_C = (I_C, v, S_T(I_C, v))$ from the CA binding $I_C$ with $v$.
3. C splits the private key $a$ using a $(\tau, n)$ secret-sharing method, where $n$ is the number of micro-fragments, and $\tau$ is the number of them required to reconstruct $a$.
(a) C chooses a new prime $p_N > \max(a, n)$, and defines $b_0 = a$.
(b) C selects $\tau - 1$ random, independent coefficients $b_1, \ldots, b_{\tau-1}$, $0 \le b_j \le p_N - 1$, defining the random polynomial over $\mathbb{Z}_{p_N}$,
$f(x) = \sum_{j=0}^{\tau-1} b_j x^j$.
(c) C computes $a_i = f(i) \bmod p_N$, $1 \le i \le n$ (or for any $n$ distinct points $i$, $1 \le i \le p_N - 1$), and securely transfers each share $a_i$ to one of the micro-fragments, along with the public index $i$.
4. Protocol messages (after C agrees to authentication), where GW is the gateway 8, VT is the verification terminal 9, and MFs are the micro-fragments 2-7:
GW → VT : $\mathrm{cert}_C,\; x = \beta^r \bmod p$ (1)
GW ← VT : $e$ [where $1 \le e \le 2^t < q$] (2)
GW → MFs : $e_{k_{\text{AURA-COM}}}(\text{request for shadow})$ (3)
GW ← MFs : $e_{k_{\text{AURA-COM}}}(i, a_i)$ (4)
GW → VT : $y = ae + r \bmod q$ (5)
5. Protocol actions
(a) The gateway chooses a random $r$ (the commitment), $1 \le r \le q - 1$, computes the witness $x = \beta^r \bmod p$ and sends (1) to the verification terminal.
(b) The verification terminal authenticates the gateway's public key $v$ by verifying the CA's signature on $\mathrm{cert}_C$, then sends to the gateway a (never previously used) random $e$ (the challenge), $1 \le e \le 2^t$.
(c) The gateway checks that $1 \le e \le 2^t$, and broadcasts an encrypted request to all micro-fragments to divulge their shadows.
(d) If the micro-fragments recognise the request (i.e., it decrypts to something sensible), they wait a random amount of time (to avoid collisions if broadcasting on the same frequency) and send their encrypted shadows.
(e) After the gateway receives $\tau$ shadows, it computes
$a = \sum_{i=1}^{\tau} c_i a_i \bmod p_N$, where $c_i = \prod_{1 \le j \le \tau,\, j \ne i} \frac{x_j}{x_j - x_i} \bmod p_N$
and $x_i$ denotes the public index of the $i$-th received share (not to be confused with the witness $x$). It then computes $y = ae + r \bmod q$ and sends $y$ to the verification terminal. The gateway 8 then securely removes $a$ from its memory.
(f) The verification terminal 9 computes $z = \beta^y v^e \bmod p$ and accepts the claimant's identity provided $z = x$ (since $\beta^{ae + r} \beta^{-ae} = \beta^r$).
This protocol is not computationally demanding: once the challenge $e$ arrives, the gateway 8 needs only modular multiplications and additions (the interpolation of $a$ and $y = ae + r \bmod q$); the single modular exponentiation for the witness $x = \beta^r \bmod p$ can be performed before the session begins. If slightly more complicated certificates and public-key operations are used, then this protocol can be extended to set up a shared secret between the verification terminal 9 and the gateway 8 such that it is possible to maintain a session. In the case where the verification terminal has a key pair $(y_V, a_V)$ with $y_V = \beta^{a_V} \bmod p$, the shared key can be readily obtained by calculating $k = y_V^{\,r} \bmod p$ on the micro-gateway and $k = x^{a_V} \bmod p$ on the verification terminal; both equal $\beta^{r a_V} \bmod p$, and the witness $x$ has already been authenticated by the identification run.
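The two key-reconstruction embodiments described above (the $t$-out-of-$m$ shared key $k$ answering a challenge with $e_k(x)$, and the Schnorr identification with the private key $a$ shared among the micro-fragments), together with the session-key derivation, as an added worked example in Python. This is not code from the patent. It assumes a toy-sized Schnorr group ($p = 1019$, $q = 509$, $\beta = 4$, $t = 8$) so that it runs instantly, uses $p_N = q$ for the shares of $a$ (which satisfies $p_N > \max(a, n)$), and substitutes HMAC-SHA256 for the DES encryption $e_k$; the function names are the example's own. The micro-fragment transport encryption under $k_{\text{AURA-COM}}$ is omitted, since the shadows are passed directly to the gateway function.

```python
"""Threshold-reconstructed keys for both authentication embodiments.

Added example, not from the patent. Toy-sized group (p = 1019) so the run is
instant; a real deployment needs p of 2048+ bits with a matching prime q.
HMAC-SHA256 is an assumed stand-in for the DES encryption e_k() of the
simple embodiment.
"""
import hashlib
import hmac
import secrets

# ---- (tau, n) Shamir sharing over Z_pN, pN prime > max(secret, n) ----------
def split_secret(secret, tau, n, pN):
    """Shares (i, f(i) mod pN) of a random degree-(tau-1) polynomial f with
    f(0) = secret; any tau shares reconstruct it, fewer reveal nothing."""
    assert 1 <= tau <= n < pN and 0 <= secret < pN
    coeffs = [secret] + [secrets.randbelow(pN) for _ in range(tau - 1)]
    def f(x):
        return sum(b * pow(x, j, pN) for j, b in enumerate(coeffs)) % pN
    return [(i, f(i)) for i in range(1, n + 1)]

def reconstruct_secret(shares, pN):
    """Lagrange interpolation at 0: a = sum_i c_i a_i (mod pN) with
    c_i = prod_{j != i} x_j / (x_j - x_i) (mod pN), x_i the public index."""
    total = 0
    for i, (xi, ai) in enumerate(shares):
        c = 1
        for j, (xj, _) in enumerate(shares):
            if j != i:
                c = c * xj * pow(xj - xi, -1, pN) % pN
        total = (total + c * ai) % pN
    return total

# ---- Simple embodiment: shared key k, response z = e_k(x) ------------------
PN_SIMPLE = 2**127 - 1  # Mersenne prime; shares of k live in Z_PN_SIMPLE

def e_k(k, x):
    """Keyed function standing in for DES (assumption): HMAC-SHA256."""
    return hmac.new(k.to_bytes(32, "big"), x, hashlib.sha256).digest()

def simple_embodiment(tau, n, quorum):
    """True iff the quorum (0-based indices into the shadow list) lets the
    gateway reproduce the verifier's stored y = e_k(x)."""
    k = secrets.randbelow(PN_SIMPLE)                 # initialisation: key k
    shadows = split_secret(k, tau, n, PN_SIMPLE)     # one shadow per fragment
    x = secrets.token_bytes(16)                      # verifier: challenge x
    y = e_k(k, x)                                    # verifier: stores y
    k_gw = reconstruct_secret([shadows[i] for i in quorum], PN_SIMPLE)
    z = e_k(k_gw, x)                                 # gateway: response z
    return hmac.compare_digest(y, z)                 # verifier: z == y ?

# ---- Schnorr embodiment: private key a shared, never stored whole ----------
P, Q, BETA, T = 1019, 509, 4, 8   # p = 2q + 1; beta = 2^2 has order q; 2^T < q

def schnorr_setup(tau, n):
    """Per-user parameters: a, v = beta^-a mod p, and (tau, n) shares of a
    over Z_q (pN = q > max(a, n) because a <= q - 1)."""
    a = secrets.randbelow(Q - 1) + 1
    v = pow(BETA, -a, P)
    return v, split_secret(a, tau, n, Q)

def schnorr_identify(v, quorum_shares, t=T):
    """Messages (1), (2) and (5); (3)/(4) are the shadow fetch, modelled by
    handing the quorum's shares in directly. Returns (accepted, r, x)."""
    r = secrets.randbelow(Q - 1) + 1            # (a) GW: commitment r
    x = pow(BETA, r, P)                         #     GW -> VT: witness x
    e = secrets.randbelow(2**t) + 1             # (b) VT -> GW: fresh challenge
    if not 1 <= e <= 2**t:                      # (c) GW: range check
        raise ValueError("challenge out of range")
    a = reconstruct_secret(quorum_shares, Q)    # (e) GW: tau shadows -> a
    y = (a * e + r) % Q                         #     GW -> VT: y
    del a                                       #     GW wipes a
    z = pow(BETA, y, P) * pow(v, e, P) % P      # (f) VT: beta^y v^e mod p
    return z == x, r, x

def session_key(r, x, a_V):
    """Both sides derive beta^(r a_V): GW from y_V^r, VT from x^a_V."""
    y_V = pow(BETA, a_V, P)
    return pow(y_V, r, P), pow(x, a_V, P)

if __name__ == "__main__":
    print("simple, 3-of-6 quorum:", simple_embodiment(3, 6, [0, 2, 5]))
    v, shares = schnorr_setup(3, 6)
    ok, r, x = schnorr_identify(v, [shares[1], shares[3], shares[4]])
    print("schnorr, 3-of-6 quorum:", ok)
    k_gw, k_vt = session_key(r, x, secrets.randbelow(Q - 1) + 1)
    print("session keys agree:", k_gw == k_vt)
```

A single altered shadow changes the interpolated $a$ (its Lagrange coefficient is non-zero), so the terminal's check $z = x$ fails deterministically; fewer than $\tau$ shadows yield an unrelated value, which is why the lost-fragment tolerance in the description is exactly $n - \tau$.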
Alternatively, a session could be maintained by rerunning the protocol at specific time intervals from step (5a) onwards. The session would end when this protocol failed to complete.
As a final embodiment, the secret sharing method described above can be replaced with the more sophisticated (but more computationally intensive) threshold-signature process described in R. Gennaro, S. Jarecki, H. Krawczyk, T. Rabin, Robust Threshold DSS Signatures, in Advances in Cryptology - Eurocrypt '96, 1996, Springer-Verlag. This process does not require the reconstruction of the secret at the gateway 8, so the gateway is no longer a single point at which the whole private key can be captured, and it allows for proactive update of the shares in the secret.
Many modifications will be apparent to those skilled in the art without departing from the scope of the present invention as herein described with reference to the accompanying drawings. For example, the gateway could be combined with the verification terminal to make a combined authentication device.