WO2002021766A1 - A wireless distributed authentication system - Google Patents

A wireless distributed authentication system Download PDF

Info

Publication number
WO2002021766A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
entity
authentication data
partial
gateway
Prior art date
Application number
PCT/AU2001/001109
Other languages
French (fr)
Inventor
Timothy David Ebringer
Peter George Thorne
Yuliang Zheng
Original Assignee
The University Of Melbourne
Monash University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by The University Of Melbourne, Monash University
Priority to AU2001285591A
Publication of WO2002021766A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/30 Security of mobile devices; Security of mobile applications
    • H04W 12/33 Security of mobile devices; Security of mobile applications using wearable devices, e.g. using a smartwatch or smart-glasses
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00
    • H04L 2209/80 Wireless
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00
    • H04L 2463/081 Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00 applying self-generating credentials, e.g. instead of receiving credentials from an authority or from another peer, the credentials are generated at the entity itself
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/80 Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication

Definitions

  • the present invention relates to authentication systems, and in particular to a wireless distributed system and method for entity authentication.
  • Authentication refers to techniques that allow one party (the verifier) to gain assurances that the identity of another (the claimant) is as declared, thereby preventing impersonation.
  • the most common authentication technique is for the verifier to check the correctness of a message (possibly in response to an earlier message) which demonstrates that the claimant is in possession of a secret associated by design with the genuine party.
  • This is the basis of the password systems that pervade most computer and restricted entry systems. Unfortunately, these systems do not provide robust security, because freely chosen passwords are easily guessed, and imposed passwords are usually written down (and therefore easily stolen) because they are not easily remembered.
  • a token-based identification system uses something possessed by the claimant such as a small card containing a magnetic strip, a smartcard, or a password generating card which provides time-variant passwords.
  • token-based systems are notoriously weak because the token is easily stolen. The risk of theft is exacerbated by the obviousness of the target. If the loss of the token is not noticed immediately, the token can be used by a third party masquerading as the claimant. Alternatively, the token can be reverse engineered to determine internal secrets or the operational mechanism.
  • Biometric authentication systems and methods have been developed due to the weakness of alternative methods such as those discussed above.
  • the advent of low cost fingerprint scanners has made these methods particularly attractive in recent years.
  • biometric authentication can only be used with organic life forms, and not with other physical entities.
  • an entity authentication system including: at least two wireless communications devices in the possession of an entity, at least one of the devices having first partial authentication data and at least one other of the devices having second partial authentication data; and an authentication device for authenticating said entity based on authentication data generated from at least said first and second partial authentication data.
  • the present invention also provides an entity authentication method, including: transmitting, from at least one wireless communications device in the possession of an entity, partial authentication data; receiving said partial authentication data at another wireless communications device in the possession of said entity having other partial authentication data; and generating authentication data from said partial authentication data and said other partial authentication data.
  • an entity authentication method including the steps of: transmitting, from at least two wireless communications devices of an entity, partial authentication data; receiving said partial authentication data at an authentication device and using said partial authentication data to generate authentication data; and authenticating said entity on the basis of said authentication data.
  • the present invention also provides an authentication system having components for executing the steps of any one of the above methods.
  • Figure 1 is a block diagram of a preferred embodiment of a distributed authentication system
  • FIGS. 2 to 6 are schematic diagrams of the steps executed during an authentication session using the distributed authentication system.
  • Figure 7 is a block diagram of a micro-fragment of the system.
  • a distributed authentication system comprises a cooperative wireless communications network formed by a number of microelectronic devices 2 to 8 referred to below as micro-fragments and a verification terminal 9 which includes a computing device 12 with a wireless communications transmitter/receiver 10, as shown in Figure 1.
  • the micro-fragments 2 to 8 are possessed by the claimant, and the verification terminal 9 is possessed by the verifier.
  • the micro-fragments 2 to 8 are small enough to be secreted within items of clothing or jewellery.
  • the micro-fragments 2 to 8 each include, as shown in Figure 7, a radio frequency (RF) transmitter 50 and receiver 52, sufficient computing power in a microprocessor 54 to enable data scrambling and unscrambling, and local memory 56 to store security keys and other data. Because the micro-fragments 2 to 8 are located very close to each other (e.g., within a 2 meter diameter) they can communicate by weak RF signals.
  • the micro-fragments 2 to 8 are attached to different parts of the claimant.
  • the claimant is a person
  • they may be attached to the person's finger (in the form of a ring), clothes (in the form of buttons), glasses (as part of the frames), belt, and wristwatch, as shown in Figure 2.
  • the person may also choose to place one of the micro-fragments in his wallet, and another one in his handbag.
  • one of the micro-fragments is a micro-gateway 8 which acts as the claimant's interface with the verification terminal 9 possessed by the verifier.
  • the micro-gateway 8 communicates with the verification terminal 9 via weak RF signals.
  • it includes a button that allows the claimant to authorise communications between the micro-fragments 2 to 8 and the verification terminal 9, ensuring that the claimant is aware of the fact that an authentication session is taking place.
  • Technology and circuitry for the micro-fragments and terminal 9 is available from standard devices, such as smart cards, and RF transponders and base stations used for vehicle security and entry systems.
  • the devices 2 to 8 and terminal 9 can be made using available Bluetooth technology and products, discussed at http://www.bluetooth.com.
  • the devices 2 to 8 and terminal 9 can then be configured and/or coded to execute the authentication processes described herein.
  • the distributed authentication system operates by storing portions of cryptographic keys and other personal information in the micro-fragments 2 to 8.
  • the micro-fragments 2 to 8 are secreted on the claimant in a distributed fashion, as described above and illustrated in Figure 2.
  • the micro-fragments communicate by sending and receiving RF signals which effectively define an authentication zone 20 around the claimant.
  • Matching information for the particular claimant is stored by the verification terminal 9.
  • once the authentication data has been stored in the terminal 9 and the micro-fragments 2 to 8, the claimant can be authenticated by the distributed authentication system.
  • the continued validity of the authentication zone 20 may be confirmed by occasionally polling the micro-fragments 2 to 8. This allows the claimant to be alerted to potential or actual failure of the authentication zone 20 if one or more micro-fragments is lost.
  • while in the idle state, the verification terminal 9 continually polls the surrounding space for nearby devices by broadcasting a generic device identification query over its RF transmitter and listening for responses.
  • the authentication process begins when the claimant approaches the verification terminal 9 and the gateway device 8 comes within communications range.
  • the gateway device 8 receives the query from the verification terminal 9, as shown in Figure 3.
  • the gateway device 8 signals an alarm to alert the claimant that a valid terminal has issued a query to the claimant, asking the claimant if he or she wishes to be authenticated with this particular terminal 9.
  • the user responds by pushing a "yes" button on the gateway device 8. This step is omitted if the entity to be authenticated is not a person.
  • the gateway device 8 then responds with a unique identifier, as shown in Figure 4.
  • the verification terminal 9 transmits a validation certificate and a challenge to the gateway device 8, as shown in Figure 3.
  • the challenge is a query which possesses random attributes, but is also related to the particular characteristics of the claimant.
  • the gateway device 8 verifies the certificate of the verification terminal 9.
  • the information that the gateway 8 requires in order to respond to the verification terminal 9's challenge is distributed amongst subsets of the micro-fragments 2-7, with some micro-fragments containing redundant data.
  • the gateway device 8 broadcasts an authentication data query to the micro-fragments 2-7, as shown in Figure 5.
  • the micro-fragments 2-7 receive the query and respond by transmitting their part of the claimant's authentication data.
  • the gateway 8 processes responses from each micro-fragment until it has sufficient data to generate a claimant authentication response. For example, the responses from micro-fragments 2, 3, and 4 might be sufficient for the gateway device 8 to generate the response, as shown in Figure 6. In this example, these three devices are said to have formed a quorum of authentication devices.
  • the gateway device 8 generates the authentication data and transmits it to the verification terminal 9, as shown in Figure 4.
  • the verification terminal 9 checks the validity of the response, and acts as an authentication device. If correct, the verification terminal now knows the identity of the claimant with a high degree of certainty.
  • the authentication thus established may be extended over a period of time to provide an authenticated session.
  • the claimant and verification terminal create a shared secret that is used for continual identification. As this authentication relies on the claimant's authentication zone 20 remaining within RF communications range, the sessional authentication is also based on proximity. Once the claimant leaves the immediate area, the shared secret generated for the session is invalidated, and the authentication process must begin again if the claimant wishes to be re-authenticated.
  • the RF communications between the micro-fragments 2-7, the gateway 8 and the verification terminal 9 are encrypted and authenticated for additional security.
  • the authentication process requires a number of the micro-fragments in addition to the gateway device.
  • the micro-fragments are not easily stolen or even identified, since they are extremely small and distributed across a number of locations on the claimant's person, usually in a person's clothing or jewellery.
  • the claimant can still be authenticated to the system provided that a quorum of micro-fragments remains present.
  • micro-fragments may be dynamically added to or removed from the authentication zone 20 (with the claimant's permission).
  • the interaction of multiple authentication zones belonging to different people could be used to define a special level of access that is unavailable to any smaller combination or single party on their own.
  • m micro-fragments are given to the claimant.
  • a unique authentication key k for the claimant is generated.
  • a copy of the authentication key is given to the verifier.
  • This authentication key k is then 'split' into m pieces referred to as "shadows", by the use of a t-out-of-m secret sharing method, where t is an integer not greater than m .
  • Each micro-fragment is then given one of the shadows.
  • each micro-fragment is also given a secret key s which is used by all the micro-fragments to securely communicate within the distributed authentication system.
  • when the verifier asks the claimant to prove his identity, the verification terminal 9 generates and forwards to the claimant's micro-gateway 8 a random number x as a challenge.
  • DES: Data Encryption Standard
  • the micro-gateway 8 requests the micro-fragments to provide their shadows. Communications between micro-fragments and the micro-gateway 8 can be carried in a secure and efficient way by the use of a secret key cipher.
  • the verification terminal 9 checks whether z is identical to the value y that was computed and stored earlier. The authentication is deemed successful only when these two values are indeed identical.
  • An alternative embodiment is more secure than the above embodiment, but requires the micro-fragments to have more processing power.
  • a Shamir secret sharing method as described in A. Shamir, How to share a secret, Communications of the ACM, 1979 22: p612-613, is used to distribute the secret needed for the Schnorr identification protocol, as described in C. Schnorr, Efficient signature generation by smart cards, Journal of Cryptology, 1991 4: p161-174.
  • the claimant C proves his/her identity to the verification terminal V in a five pass protocol, as described below.
  • Both the claimant and the verification terminal obtain an authentic copy of the system parameters (p, q, α) and the verification function (public key) of a mutually trusted Certification Authority (CA), allowing verification of the CA's signatures S_CA(m) on messages m.
  • S_CA involves a suitable known hash function prior to signing, and may be any signature mechanism.
  • a parameter t (e.g., t ≥ 40) with 2^t < q is chosen (defining a security level of 2^t).
  • the claimant C securely generates and distributes a secret key k_AURA_COM to the gateway and all the micro-fragments (for communication purposes).
  • C splits the private key a using a threshold secret-sharing method over the n micro-fragments, where n is the number of micro-fragments and the threshold is the number of them required to reconstruct a.
  • Protocol messages (after C agrees to authentication), where GW is the gateway 8, NT is the verification terminal 9, and MFs are the micro-fragments 2-7:
  • the verification terminal authenticates the gateway's public key v by verifying the CA's signature on cert_C, then sends to the gateway a (never previously used) random e (the challenge), 1 ≤ e ≤ 2^t.
  • the gateway checks that 1 ≤ e ≤ 2^t, and broadcasts an encrypted request to all micro-fragments to divulge their shadows.
  • the gateway 8 then securely removes a from its memory.
  • This protocol is not computationally demanding: during the process of identification, the gateway 8 must only compute modular multiplications. If slightly more complicated certificates and public-key operations are used, then this protocol can be extended to setup a shared secret between the verification terminal 9 and the gateway 8 such that it is possible to maintain a session.
  • a session could be maintained by rerunning the protocol at specific time intervals from step (5a) onwards. The session would end when this protocol failed to complete.
  • the secret sharing method described above can be replaced with the more sophisticated (but more computationally intensive) threshold-signature process described in R. Gennaro, S. Jarecki, H. Krawczyk, T. Rabin, Robust Threshold DSS Signatures, in Advances in Cryptology - Eurocrypt '96, 1996, Springer-Verlag. This process does not require the reconstruction of the secret at the gateway 8, and allows for proactive update of the shares in the secret.
  • the gateway could be combined with the verification terminal to make a combined authentication device.

Abstract

An entity authentication system, including at least two wireless communications devices (2 to 8) in the possession of an entity, at least one of the devices having first partial authentication data and at least one other of the devices having second partial authentication data and an authentication device (9) for authenticating the entity based on authentication data generated from at least the first and second partial authentication data. The devices are wearable by the entity and the partial authentication data is distributed amongst the wireless devices using a secret sharing method where n is the number of wireless devices, t is the number of the wireless devices required to generate the authentication data from the partial authentication data and n ≥ t.

Description

A WIRELESS DISTRIBUTED AUTHENTICATION SYSTEM
Field of the Invention
The present invention relates to authentication systems, and in particular to a wireless distributed system and method for entity authentication.
Background of the Invention
Authentication refers to techniques that allow one party (the verifier) to gain assurances that the identity of another (the claimant) is as declared, thereby preventing impersonation. The most common authentication technique is for the verifier to check the correctness of a message (possibly in response to an earlier message) which demonstrates that the claimant is in possession of a secret associated by design with the genuine party. This is the basis of the password systems that pervade most computer and restricted entry systems. Unfortunately, these systems do not provide robust security, because freely chosen passwords are easily guessed, and imposed passwords are usually written down (and therefore easily stolen) because they are not easily remembered.
A token-based identification system uses something possessed by the claimant such as a small card containing a magnetic strip, a smartcard, or a password generating card which provides time-variant passwords. However, token-based systems are notoriously weak because the token is easily stolen. The risk of theft is exacerbated by the obviousness of the target. If the loss of the token is not noticed immediately, the token can be used by a third party masquerading as the claimant. Alternatively, the token can be reverse engineered to determine internal secrets or the operational mechanism.
Biometric authentication systems and methods have been developed due to the weakness of alternative methods such as those discussed above. The advent of low cost fingerprint scanners has made these methods particularly attractive in recent years. However, even these methods have significant drawbacks. For example, stolen biometric data will compromise the claimant's biometric data for the rest of his or her life. Furthermore, biometric authentication can only be used with organic life forms, and not with other physical entities.
The above limitations pose a challenge for authentication systems. It is desired, therefore, to provide a robust method and system for authentication which does not suffer from the above difficulties, or which at least provides a useful alternative.
Summary of the Invention
In accordance with the present invention there is provided an entity authentication system, including: at least two wireless communications devices in the possession of an entity, at least one of the devices having first partial authentication data and at least one other of the devices having second partial authentication data; and an authentication device for authenticating said entity based on authentication data generated from at least said first and second partial authentication data.
The present invention also provides an entity authentication method, including: transmitting, from at least one wireless communications device in the possession of an entity, partial authentication data; receiving said partial authentication data at another wireless communications device in the possession of said entity having other partial authentication data; and generating authentication data from said partial authentication data and said other partial authentication data.
In accordance with the present invention there is provided an entity authentication method, including the steps of: transmitting, from at least two wireless communications devices of an entity, partial authentication data; receiving said partial authentication data at an authentication device and using said partial authentication data to generate authentication data; and authenticating said entity on the basis of said authentication data.
The present invention also provides an authentication system having components for executing the steps of any one of the above methods.
Brief Description of the Drawings
Preferred embodiments of the present invention are hereinafter described, by way of example only, with reference to the accompanying drawings, wherein: Figure 1 is a block diagram of a preferred embodiment of a distributed authentication system;
Figures 2 to 6 are schematic diagrams of the steps executed during an authentication session using the distributed authentication system; and
Figure 7 is a block diagram of a micro-fragment of the system.
Detailed Description of Preferred Embodiments of the Invention
A distributed authentication system, as shown in the Figures, comprises a cooperative wireless communications network formed by a number of microelectronic devices 2 to 8 referred to below as micro-fragments and a verification terminal 9 which includes a computing device 12 with a wireless communications transmitter/receiver 10, as shown in Figure 1. The micro-fragments 2 to 8 are possessed by the claimant, and the verification terminal 9 is possessed by the verifier.
The micro-fragments 2 to 8 are small enough to be secreted within items of clothing or jewellery. The micro-fragments 2 to 8 each include, as shown in Figure 7, a radio frequency (RF) transmitter 50 and receiver 52, sufficient computing power in a microprocessor 54 to enable data scrambling and unscrambling, and local memory 56 to store security keys and other data. Because the micro-fragments 2 to 8 are located very close to each other (e.g., within a 2 meter diameter) they can communicate by weak RF signals. The micro-fragments 2 to 8 are attached to different parts of the claimant. For example, if the claimant is a person, they may be attached to the person's finger (in the form of a ring), clothes (in the form of buttons), glasses (as part of the frames), belt, and wristwatch, as shown in Figure 2. The person may also choose to place one of the micro-fragments in his wallet, and another one in his handbag.
One of the micro-fragments is a micro-gateway 8 which acts as the claimant's interface with the verification terminal 9 possessed by the verifier. The micro-gateway 8 communicates with the verification terminal 9 via weak RF signals. In one embodiment for authenticating persons, it includes a button that allows the claimant to authorise communications between the micro-fragments 2 to 8 and the verification terminal 9, ensuring that the claimant is aware of the fact that an authentication session is taking place. Technology and circuitry for the micro-fragments and terminal 9 is available from standard devices, such as smart cards, and RF transponders and base stations used for vehicle security and entry systems. For example, the devices 2 to 8 and terminal 9 can be made using available Bluetooth technology and products, discussed at http://www.bluetooth.com. The devices 2 to 8 and terminal 9 can then be configured and/or coded to execute the authentication processes described herein.
The distributed authentication system operates by storing portions of cryptographic keys and other personal information in the micro-fragments 2 to 8. The micro-fragments 2 to 8 are secreted on the claimant in a distributed fashion, as described above and illustrated in Figure 2. The micro-fragments communicate by sending and receiving RF signals which effectively define an authentication zone 20 around the claimant. Matching information for the particular claimant is stored by the verification terminal 9. Once the authentication data has been stored in the terminal 9 and the micro-fragments 2 to 8, the claimant can be authenticated by the distributed authentication system. The continued validity of the authentication zone 20 may be confirmed by occasionally polling the micro-fragments 2 to 8. This allows the claimant to be alerted to potential or actual failure of the authentication zone 20 if one or more micro-fragments is lost.
While in the idle state, the verification terminal 9 continually polls the surrounding space for nearby devices by broadcasting a generic device identification query over its RF transmitter and listening for responses. The authentication process begins when the claimant approaches the verification terminal 9 and the gateway device 8 comes within communications range. The gateway device 8 receives the query from the verification terminal 9, as shown in Figure 3. In one embodiment for authenticating persons, the gateway device 8 signals an alarm to alert the claimant that a valid terminal has issued a query to the claimant, asking the claimant if he or she wishes to be authenticated with this particular terminal 9. The user responds by pushing a "yes" button on the gateway device 8. This step is omitted if the entity to be authenticated is not a person. The gateway device 8 then responds with a unique identifier, as shown in Figure 4.
If the identifier corresponds to a valid authentication claimant known to the verification terminal 9, then the verification terminal 9 transmits a validation certificate and a challenge to the gateway device 8, as shown in Figure 3. The challenge is a query which possesses random attributes, but is also related to the particular characteristics of the claimant.
The gateway device 8 verifies the certificate of the verification terminal 9. The information that the gateway 8 requires in order to respond to the verification terminal 9's challenge is distributed amongst subsets of the micro-fragments 2-7, with some micro-fragments containing redundant data. The gateway device 8 broadcasts an authentication data query to the micro-fragments 2-7, as shown in Figure 5. The micro-fragments 2-7 receive the query and respond by transmitting their part of the claimant's authentication data. The gateway 8 processes responses from each micro-fragment until it has sufficient data to generate a claimant authentication response. For example, the responses from micro-fragments 2, 3, and 4 might be sufficient for the gateway device 8 to generate the response, as shown in Figure 6. In this example, these three devices are said to have formed a quorum of authentication devices.
The gateway device 8 generates the authentication data and transmits it to the verification terminal 9, as shown in Figure 4. The verification terminal 9 checks the validity of the response, and acts as an authentication device. If correct, the verification terminal now knows the identity of the claimant with a high degree of certainty. The authentication thus established may be extended over a period of time to provide an authenticated session. After the initial authentication has taken place, the claimant and verification terminal create a shared secret that is used for continual identification. As this authentication relies on the claimant's authentication zone 20 remaining within RF communications range, the sessional authentication is also based on proximity. Once the claimant leaves the immediate area, the shared secret generated for the session is invalidated, and the authentication process must begin again if the claimant wishes to be re-authenticated.
The RF communications between the micro-fragments 2-7, the gateway 8 and the verification terminal 9 are encrypted and authenticated for additional security.
Unlike conventional token-based systems, the authentication process requires a number of the micro-fragments in addition to the gateway device. Thus the micro-fragments are not easily stolen or even identified, since they are extremely small and distributed across a number of locations on the claimant's person, usually in a person's clothing or jewellery. Moreover, if one or more micro-fragments are lost, the claimant can still be authenticated to the system provided that a quorum of micro-fragments remains present. Micro-fragments may be dynamically removed from or added to the authentication zone 20 (with the claimant's permission).
In an alternative embodiment, the interaction of multiple authentication zones belonging to different people could be used to define a special level of access that is unavailable to any smaller combination or single party on their own.
The process of key generation, sharing and reconstruction is described below. A number of alternative embodiments have been developed which determine how the data fragments are generated and shared between the devices, and how the authentication data is generated from these fragments. In one of the simplest embodiments, m micro-fragments are given to the claimant. In the initialisation phase, a unique authentication key k for the claimant is generated. A copy of the authentication key is given to the verifier. This authentication key k is then 'split' into m pieces referred to as "shadows", by the use of a t-out-of-m secret sharing method, where t is an integer not greater than m . Each micro-fragment is then given one of the shadows. In addition, each micro-fragment is also given a secret key s which is used by all the micro-fragments to securely communicate within the distributed authentication system.
At a later stage, when the verifier asks the claimant to prove his identity, the verification terminal 9 generates and forwards to the claimant's micro-gateway 8 a random number $x$ as a challenge. The verification terminal also computes $y = e_k(x)$, where $e_k$ is the encryption algorithm of a cryptosystem such as the Data Encryption Standard (DES) using key $k$, and stores it for later use.
To answer the challenge, the micro-gateway 8 requests the micro-fragments to provide their shadows. Communications between micro-fragments and the micro-gateway 8 can be carried in a secure and efficient way by the use of a secret key cipher. The micro-gateway 8 then computes the authentication key $k$ from the shadows received. With the authentication key $k$, the micro-gateway 8 responds to the challenge $x$ by sending back to the verification terminal 9 a value $z = e_k(x)$. On receiving $z$ from the micro-gateway 8, the verification terminal 9 checks whether $z$ is identical to the value $y$ that was computed and stored earlier. The authentication is deemed successful only when these two values are indeed identical.
An alternative embodiment is more secure than the above embodiment, but requires the micro-fragments to have more processing power. In this embodiment a Shamir secret sharing method, as described in A. Shamir, How to share a secret, Communications of the ACM, 1979 22: p612-613, is used to distribute the secret needed for the Schnorr identification protocol, as described in C. Schnorr, Efficient signature generation by smart cards, Journal of Cryptology, 1991 4: p161-174. The claimant C proves his/her identity to the verification terminal V in a five pass protocol, as described below.
1. Initialisation (and selection of system parameters) (a) A suitable prime $p$ is selected such that $p - 1$ is divisible by another prime $q$. Discrete logarithms modulo $p$ are computationally infeasible.
(b) An element $\beta$ is chosen, $1 < \beta \le p - 1$, having multiplicative order $q$.
(c) Both the claimant and the verification terminal obtain an authentic copy of the system parameters $(p, q, \beta)$ and the verification function (public key) of a mutually trusted Certification Authority (CA), allowing verification of the CA's signatures $S_T(m)$ on messages $m$. $S_T$ involves a suitable known hash function prior to signing, and may be any signature mechanism.
(d) A parameter $t$ (e.g., $t \ge 40$), $2^t < q$, is chosen (defining a security level $2^t$).
2. Selection of per-user parameters (a) The claimant C securely generates and distributes a secret key $k_{AURA\text{-}COM}$ to the gateway and all the micro-fragments (for communication purposes).
(b) The claimant C creates a string representing their identity $I_C$.
(c) C chooses at random a private key $a$, $1 \le a \le q - 1$, and computes $v = \beta^{-a} \bmod p$. (d) C identifies him/herself by a conventional manner (eg, passport) to the CA, transfers $v$ to the CA with integrity, and obtains a certificate $\mathrm{cert}_C = (I_C, v, S_T(I_C, v))$ from the CA binding $I_C$ with $v$.
3. C splits the private key $a$ using a $(\tau, n)$ secret-sharing method, where $n$ is the number of micro-fragments, and $\tau$ is the number of them required to reconstruct $a$.
(a) C chooses a new prime $p_N > \max(a, n)$, and defines $b_0 = a$. (b) C selects $\tau - 1$ random, independent coefficients $b_1, \ldots, b_{\tau-1}$, $0 \le b_j \le p_N - 1$, defining the random polynomial over $\mathbb{Z}_{p_N}$,
$$f(x) = \sum_{j=0}^{\tau-1} b_j x^j.$$
(c) C computes $a_i = f(i) \bmod p_N$, $1 \le i \le n$ (or for any $n$ distinct points $i$, $1 \le i \le p_N - 1$), and securely transfers each share $a_i$ to one of the micro-fragments, along with the public index $i$.
4. Protocol messages (after C agrees to authentication), where GW is the gateway 8, NT is the verification terminal 9, and MFs are the micro-fragments 2-7:
GW → VT : $\mathrm{cert}_C,\ x = \beta^r \bmod p$ (1)
GW ← VT : $e$ [where $1 \le e \le 2^t < q$] (2)
GW → MFs : $e_{k_{AURA\text{-}COM}}(\text{request for shadow})$ (3)
GW ← MFs : $e_{k_{AURA\text{-}COM}}(i, a_i)$ (4)
GW → VT : $y = ae + r \bmod q$ (5)
5. Protocol actions
(a) The gateway chooses a random $r$ (the commitment), $1 \le r \le q - 1$, computes (the witness) $x = \beta^r \bmod p$ and sends (1) to the verification terminal.
(b) The verification terminal authenticates the gateway's public key $v$ by verifying the CA's signature on $\mathrm{cert}_C$, then sends to the gateway a (never previously used) random $e$ (the challenge), $1 \le e \le 2^t$.
(c) The gateway checks that $1 \le e \le 2^t$, and broadcasts an encrypted request to all micro-fragments to divulge their shadows.
(d) If the micro-fragments recognise the request (if it decrypts to something sensible), then they wait a random amount of time (if broadcasting on the same frequency, to avoid collisions), and send their encrypted fragment.
(e) After the gateway receives $\tau$ shadows, it computes (over $\mathbb{Z}_{p_N}$)
$$a = \sum_{i=1}^{\tau} c_i a_i, \quad \text{where } c_i = \prod_{1 \le j \le \tau,\ j \ne i} \frac{j}{j - i},$$
then computes $y = ae + r \bmod q$ and sends $y$ to the verification terminal. The gateway 8 then securely removes $a$ from its memory. (f) The verification terminal 9 computes $z = \beta^y v^e \bmod p$ and accepts the claimant's identity provided $z = x$.
This protocol is not computationally demanding: during the process of identification, the gateway 8 must only compute modular multiplications. If slightly more complicated certificates and public-key operations are used, then this protocol can be extended to set up a shared secret between the verification terminal 9 and the gateway 8 such that it is possible to maintain a session. In the case where the verification terminal has a pair of public and private keys $(y_V, v_V)$ where $y_V$ is defined by $y_V = \beta^{v_V} \bmod p$, the shared key can be readily obtained by calculating $k = y_V^{\,r} \bmod p$ on the micro-gateway, and $k = x^{v_V} \bmod p$ on the verification terminal.
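The share generation of step 3, the five-pass identification of steps 4 and 5, and the optional session key are worked through below as an added example; it is illustrative code, not the patent's own, and the parameters p = 1019, q = 509, β = 4, p_N = 521 and t = 8 are small constructed toy values (the text requires t ≥ 40 in practice). The same split also covers the t-out-of-m splitting used in the simpler DES embodiment above.

```python
# Added example (not the patent's code): Shamir-split Schnorr identification
# with small constructed parameters. q prime, p = 2q + 1 prime, BETA of order q.
import secrets

P, Q, BETA = 1019, 509, 4   # 4 = 2^2 is a quadratic residue mod p, so its order is q
P_N = 521                   # prime for the share field, > max(a, n) as in step 3(a)
T = 8                       # toy security parameter t; 2^t = 256 < q


def split_private_key(a, tau, n, rng=secrets.randbelow):
    """Step 3: shares a_i = f(i) mod p_N of a random degree tau-1 polynomial, f(0) = a."""
    assert P_N > max(a, n) and 1 <= tau <= n
    coeffs = [a] + [rng(P_N) for _ in range(tau - 1)]        # b_0 = a, b_1..b_{tau-1} random

    def f(x):
        return sum(b * pow(x, j, P_N) for j, b in enumerate(coeffs)) % P_N

    return {i: f(i) for i in range(1, n + 1)}                  # public index i -> share a_i


def reconstruct(shares):
    """Step 5(e): a = sum_i c_i a_i with c_i = prod_{j != i} j / (j - i), all mod p_N."""
    a = 0
    for i, a_i in shares.items():
        num = den = 1
        for j in shares:
            if j != i:
                num, den = num * j % P_N, den * (j - i) % P_N
        a = (a + num * pow(den, -1, P_N) * a_i) % P_N
    return a


def gateway_commit(rng=secrets.randbelow):
    """Step 5(a): commitment r, 1 <= r <= q-1, and witness x = beta^r mod p (message 1)."""
    r = rng(Q - 1) + 1
    return r, pow(BETA, r, P)


def verifier_challenge(rng=secrets.randbelow):
    """Step 5(b): fresh random challenge e, 1 <= e <= 2^t (message 2)."""
    return rng(2 ** T) + 1


def gateway_respond(shares, e, r, tau):
    """Steps 5(c)-(e): check e, reconstruct a from a quorum of tau shadows, y = ae + r mod q."""
    if not 1 <= e <= 2 ** T or len(shares) < tau:
        return None                                   # bad challenge or no quorum: refuse
    a = reconstruct(dict(list(shares.items())[:tau]))  # first tau shadows to arrive
    y = (a * e + r) % Q
    del a                                             # gateway discards a (best effort in Python)
    return y


def verifier_accept(x, y, e, v):
    """Step 5(f): accept iff beta^y * v^e == x (mod p), v = beta^{-a} being the public key."""
    return y is not None and pow(BETA, y, P) * pow(v, e, P) % P == x


def identify(a, v, tau, n, present):
    """One protocol run: split a over n fragments, answer with only the fragments in `present`."""
    shares = split_private_key(a, tau, n)
    r, x = gateway_commit()
    e = verifier_challenge()
    y = gateway_respond({i: shares[i] for i in present}, e, r, tau)
    return verifier_accept(x, y, e, v)


def session_keys(r, x, v_v):
    """Session extension: gateway computes y_V^r, terminal computes x^{v_V}; both are beta^{r v_V}."""
    y_v = pow(BETA, v_v, P)
    return pow(y_v, r, P), pow(x, v_v, P)
```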
Alternatively, a session could be maintained by rerunning the protocol at specific time intervals from step (5a) onwards. The session would end when this protocol failed to complete.
As a final embodiment, the secret sharing method described above can be replaced with the more sophisticated (but more computationally intensive) threshold-signature process described in R. Gennaro, S. Jarecki, H. Krawczyk, T. Rabin, Robust Threshold DSS Signatures, in Advances in Cryptology - Eurocrypt '96, 1996, Springer-Verlag. This process does not require the reconstruction of the secret at the gateway 8, and allows for proactive update of the shares in the secret.
Many modifications will be apparent to those skilled in the art without departing from the scope of the present invention as herein described with reference to the accompanying drawings. For example, the gateway could be combined with the verification terminal to make a combined authentication device.

Claims

CLAIMS:
1. An entity authentication system, including: at least two wireless communications devices in the possession of an entity, at least one of the devices having first partial authentication data and at least one other of the devices having second partial authentication data; and an authentication device for authenticating said entity based on authentication data generated from at least said first and second partial authentication data.
2. An entity authentication system as claimed in claim 1, having a gateway for generating said authentication data for transmission to said authentication device.
3. An entity authentication system as claimed in claim 2, wherein said gateway accesses said partial authentication data and generates said authentication data in response to a signal from said authentication device.
4. An entity authentication system as claimed in claim 2, wherein said gateway is one of said wireless communications devices.
5. An entity authentication system as claimed in claim 1, wherein said partial authentication data is distributed amongst said wireless devices using a secret sharing method where n is the number of wireless devices, t is the number of said wireless devices required to generate said authentication data from said partial authentication data and n ≥ t .
6. An entity authentication system as claimed in claim 1, wherein said wireless devices are wearable by said entity.
7. An entity authentication system as claimed in claim 1, wherein said wireless devices communicate with one another and said authentication device using short range RF encrypted communication signals.
8. An entity authentication system as claimed in claim 4, wherein said gateway is triggered by said signal when said gateway is within a predetermined distance from said authentication device.
9. An entity authentication method, including: transmitting, from at least one wireless communications device in the possession of an entity, partial authentication data; receiving said partial authentication data at another wireless communications device in the possession of said entity having other partial authentication data; and generating authentication data from said partial authentication data and said other partial authentication data.
10. An entity authentication method as claimed in claim 9, including transmitting said authentication data to an authentication device.
11. An entity authentication method as claimed in claim 9 or 10, wherein said receiving step includes receiving external partial authentication data from an external wireless device, and said generating step includes generating said authentication data from said partial authentication data, said other partial authentication data and said external partial authentication data.
12. An entity authentication method, including: transmitting, from at least two wireless communications devices of an entity, partial authentication data; receiving said partial authentication data at an authentication device and using said partial authentication data to generate authentication data; and authenticating said entity on the basis of said authentication data.
13. An entity authentication method as claimed in claim 10, wherein said transmitting step is executed by a gateway to said authentication device.
14. An entity authentication method as claimed in claim 13, wherein said gateway accesses said partial authentication data and generates said authentication data in response to a signal from said authentication device.
15. An entity authentication method as claimed in claim 13, wherein said gateway is one of said wireless devices.
16. An entity authentication system as claimed in claim 9 or 12, wherein said partial authentication data is distributed amongst said wireless devices using a secret sharing method where n is the number of wireless devices, t is the number of said wireless devices required to generate said authentication data from said partial authentication data and n ≥ t .
17. An entity authentication method as claimed in claim 9 or 12, wherein said wireless devices are wearable by said entity.
18. An entity authentication method as claimed in claim 9 or 12, wherein said wireless devices communicate using short range RF encrypted communication signals.
19. An entity authentication system as claimed in claim 15, wherein said gateway is triggered by said signal when said gateway is within a predetermined distance from said authentication device.
20. An entity authentication system having components for executing the steps of a method as claimed in any one of claims 9, 10, 12 to 15 and 19.
PCT/AU2001/001109 2000-09-04 2001-09-04 A wireless distributed authentication system WO2002021766A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2001285591A AU2001285591A1 (en) 2000-09-04 2001-09-04 A wireless distributed authentication system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
AUPQ9871 2000-09-04
AUPQ9871A AUPQ987100A0 (en) 2000-09-04 2000-09-04 A wireless distributed authentication system

Publications (1)

Publication Number Publication Date
WO2002021766A1 true WO2002021766A1 (en) 2002-03-14

Family

ID=3823925

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/AU2001/001109 WO2002021766A1 (en) 2000-09-04 2001-09-04 A wireless distributed authentication system

Country Status (2)

Country Link
AU (1) AUPQ987100A0 (en)
WO (1) WO2002021766A1 (en)

Also Published As

Publication number Publication date
AUPQ987100A0 (en) 2000-09-28
