WO2009004508A1 - Method for cryptographic authentication - Google Patents

Method for cryptographic authentication

Info

Publication number
WO2009004508A1
Authority
WO
WIPO (PCT)
Prior art keywords
counter value
authentication
counter
eeprom
value
Prior art date
Application number
PCT/IB2008/051978
Other languages
English (en)
Inventor
Frank Boeh
Jürgen Nowottnick
Original Assignee
Nxp B.V.
Priority date
2007-06-29
Filing date
2008-05-20
Publication date
2009-01-08
Application filed by Nxp B.V.
Publication of WO2009004508A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/445 Program or device authentication by mutual authentication, e.g. between devices or programs
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Definitions

  • the invention relates to a method for cryptographic authentication comprising a mutual authentication protocol between a base station and a transponder.
  • the advantage of the invention is that the data exchange for authentication is reduced to a minimum and thus the authentication time is accelerated.
  • the authentication time can be reduced by 40 to 50% whilst simultaneously ensuring a high resistance to attack.
  • a further advantage of the invention can be seen in that there is no need to use special hardware for reliable production of a changing code which is frequently easy to attack and in addition, is more expensive than an EEPROM based solution.
  • An advantageous embodiment of the invention provides that at least one current value of a variable component, in particular of a counter value, is included in a calculation of the cryptographic signatures.
  • the current value of the variable component which is included in the calculation of the cryptographic signatures can already be notified to the transponder and the base station before the authentication.
  • the current value of the variable component i.e. for example, of a counter value (transponder sequence increment) can thereby be notified to the base station by a first standard authentication.
  • the variable component is incremented directly after an authentication has been made in an EEPROM of the base station. In this way, it is ensured that the current session cannot be repeated.
  • variable component is incremented after an authentication in the transponder and in the base station.
  • variable components can comprise a counter value.
  • the form of the incrementation discussed in the following has also already been reflected in EP 06 114 665 A1.
  • the variable component is present in the form of a counter value and after every incrementation in the transponder, the current counter value is only updated in one EEPROM segment of a non-volatile memory (EEPROM), wherein a subsequent access to the EEPROM is only made in the event of a successful incrementing of an EEPROM-based counter.
  • an algorithm is provided which is particularly useful for cryptographic authentication in transponders.
  • This therefore does not comprise a software-hardware solution in which special hardware is always used.
  • this also saves EEPROM accesses based on the storage of redundant information.
  • Each of the EEPROM segments is exclusively used for storing counter data. In many cases, this makes it possible to have a write access to the EEPROM segments optimised for counter data for further increasing the permitted number of write cycles.
  • only one small computing expenditure is required for implementation. Since a new counter value is updated in only one EEPROM segment after every implementation, the number of permitted program cycles can be tripled compared to the methods known from the prior art, wherein additionally at the same time attacks on the security system are made more difficult.
  • an advantageous embodiment of the invention provides that the incrementation comprises the following steps: a) searching for an invalid counter value in one of three EEPROM segments; b) if an invalid counter value exists, finding the maximum valid counter value among the remaining valid counter values; c) overwriting the invalid counter value with a valid counter value; d) finding the smallest valid counter value among the three valid counter values, wherein if no invalid counter value is present, step d) follows step a) directly; e) finding the maximum valid counter value among the three valid counter values; f) overwriting the smallest valid counter value with the valid maximum counter value.
  • the invalid counter state is determined by means of a calculation of the difference from the two remaining counter states, wherein the invalid counter state has the largest differences from the remaining counter states.
  • threshold values are defined for the differences from which a counter state is recognised as invalid. If the threshold value is exceeded, it can be assumed that the relevant memory segment contains an invalid memory value. If the counting rhythm is known, it is also known which are the maximum differences which the memory values of the memory segments should exhibit with respect to one another. If higher differences, which therefore exceed the threshold value, occur for a memory value of a memory segment, it can be assumed that this memory value is invalid.
  • a further advantageous embodiment of the invention provides that the nonvolatile memory-based counter value or a value derived therefrom forms a varying initialisation value for a suitable crypto-algorithm which is used for authentication and/or encryption of the communication with a transponder.
  • a varying value which is synchronously incremented in the base station and in the transponder is used for calculating the two cryptographic signatures (MAC (message authentication) and response). It can thereby be ensured that a crypto session cannot be run many times and thus forms of replay attacks can be avoided.
  • access to the user EEPROM is only given in the event of a successful implementation of the INCREMENT command. Each authentication sequence with subsequent EEPROM access can always only be recorded once since a different counter value is used to produce the crypto data for the next session.
  • a practicable variant of the invention provides that the counter states for the incrementing originate from a forward or backward counter.
  • FIG. 1 shows a sequence of a method for accelerated mutual cryptographic authentication
  • Fig. 2 shows a sequence of an implementation of a counter.
  • Figure 1 illustrates the sequence of the accelerated authentication which now transmits no random numbers or counter states during the running time of the authentication but substantially only exchanges and verifies the cryptographic signatures (MAC (message authentication) and response).
  • the cryptographic authentication is initiated by the command Authent 15 and transmitted to the transponder.
  • the IDEs or IDS 16 of the transponder can be used and transmitted.
  • the following MAC (message authentication) is then calculated from the sequence increment data which are supplied and incremented in the base station, as well as, finally, from secret keys.
  • further information can also be used for cryptographic authentication.
  • the MAC 17 received by the transponder is now checked by the transponder which then calculates a response 18 and transmits this back to the base station.
  • the base station again checks the response 18, whereby the cryptographic authentication is completed by this exchange and comparison as well as successful verification of MAC 17 and response 18.
  • the current value of the counter value which is included in the calculation of the cryptographic signatures 17, 18 (MAC and RESPONSE) is already known to the transponder 12 and the base station 13 before the authentication 14. This value can be notified, for example, by a first standard authentication to the base station 13.
  • the counter value is incremented after every accelerated authentication 14 in the transponder 12 and in the base station 13.
  • the counter value stored in the EEPROM of the base station 13 is already incremented directly after an authentication 14 has been made. In this way, it is ensured that a current session cannot be repeated. Furthermore, after every confirmed authentication 14 the counter value must be incremented in the transponder 12 without costing authentication time and stored in the EEPROM 10 of the transponder 12 so that the same counter value can be used during the next authentication process.
  • the method 100 uses the three EEPROM segments Z1, Z2 and Z3 for secure storage of successive counter values.
  • the method 100 thereby implies a sequence for secured counting and storage in an EEPROM 10 of the transponder 12 within the scope of an incrementation 11, wherein the incrementation 11 must proceed successfully in the application in order to subsequently reach a state in which access (read, write) to the EEPROM 10 can be allowed, i.e. access for writing and reading can only be released in the event of the command INCREMENT being successfully implemented.
  • a) the search for an invalid counter value Zinvalid takes place in one of the three EEPROM segments.
  • the counter can in principle be a forward or backward counter. In this exemplary embodiment, it is assumed that this is a forward counter of step width 1.
  • the invalid counter value in step a) is thereby determined by calculating the difference from the two remaining counter values, wherein an invalid counter value exhibits the largest differences from the remaining numerical values.
  • The memory value of a memory segment is thus identified as invalid and is overwritten with the new maximum counter value in step c).
  • This invalid counter value has thus been eliminated from one of the EEPROM memory segments of the EEPROM 10 and has been overwritten by a new valid counter value.
  • in step d) the smallest valid counter value from the three valid counter values is detected, wherein if an invalid counter value is not present, process step d) immediately follows process step a).
  • in step e) the largest valid counter value is now found from the three (now all valid) counter values, so that in the following step f) the smallest valid counter value can be overwritten with a valid maximum counter value.
  • the sequence for secured counting and storage in an EEPROM 10 presented here loads the memory segments of the EEPROM 10 only slightly, since each new counter value is stored in only one of the memory segments of the EEPROM 10 and therefore the EEPROM 10 is only lightly loaded with memory operations.
  • a check of the memory value by checks of the differences generally takes place so that in general the operating security is increased.
  • the EEPROM based counter value or a value derived therefrom forms a varying initialisation value for a suitable cryptoalgorithm which is used to authenticate and/or encrypt the communication with a transponder 12.
  • the method according to the invention is thus a pure software solution which can be used for systems which require a high degree of cryptographic security.
  • a standard authentication would use the respectively transmitted variable values (challenge and counter value) as input parameters for calculating the cryptographic signatures (MAC and RESPONSE).
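The three-segment counter (steps a) to f) above) together with the counter-bound MAC/response exchange of Figure 1, as an added Python example that is not part of the patent or of any NXP code. It assumes HMAC-SHA256 as the crypto-algorithm (the patent names none), a 32-bit forward counter of step width 1 with a difference threshold of 2 for recognising an invalid segment, and constructed key and transponder-ID values; the names SegmentCounter, Party, accelerated_authentication and mac_override are illustrative.

```python
import hashlib
import hmac

# Assumed (not from the patent): with step width 1 a genuine segment value is never
# more than 2 away from every other segment; a larger spread to both others marks
# the segment as invalid (an interrupted or garbled EEPROM write).
INVALID_THRESHOLD = 2


class SegmentCounter:
    """Counter kept redundantly in three EEPROM segments Z1, Z2, Z3 (a list here).
    Each increment writes one segment only; at most one corrupted segment is assumed."""

    def __init__(self, segments=(0, 0, 0)):
        self.z = list(segments)

    def find_invalid(self):
        """Steps a)/b): index of the segment whose differences to both others
        exceed the threshold, or None if all three values are plausible."""
        for i in range(3):
            others = [self.z[j] for j in range(3) if j != i]
            if all(abs(self.z[i] - o) > INVALID_THRESHOLD for o in others):
                return i
        return None

    @property
    def value(self):
        """Current counter value: the maximum over the valid segments."""
        bad = self.find_invalid()
        return max(v for i, v in enumerate(self.z) if i != bad)

    def increment(self):
        """One INCREMENT command: step c) if a segment is invalid, else steps d)-f)."""
        bad = self.find_invalid()
        if bad is not None:
            # c) the invalid segment receives the new maximum counter value
            valid = [self.z[j] for j in range(3) if j != bad]
            self.z[bad] = max(valid) + 1
        else:
            # d)-f) the smallest valid value is overwritten with the new maximum
            self.z[self.z.index(min(self.z))] = max(self.z) + 1
        return self.value


def _signature(key, label, ids, counter):
    # Assumed algorithm: HMAC-SHA256 over a domain label, the transponder ID and
    # the current counter value (the varying initialisation value), cut to 64 bits.
    msg = label + ids + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def mac_for(key, ids, counter):
    """MAC 17, produced by the base station."""
    return _signature(key, b"MAC", ids, counter)


def response_for(key, ids, counter):
    """Response 18, produced by the transponder."""
    return _signature(key, b"RSP", ids, counter)


class Party:
    # Base station or transponder: shared secret key, transponder ID, own counter.
    def __init__(self, key, ids, counter):
        self.key, self.ids, self.ctr = key, ids, counter


def accelerated_authentication(base, tag, mac_override=None):
    """Authent -> IDS -> MAC 17 -> response 18, with no random number on the air.
    mac_override feeds a previously captured MAC instead of a fresh one (replay check).
    Returns True only if both signatures verify; both counters then run INCREMENT."""
    mac = mac_override if mac_override is not None else mac_for(base.key, tag.ids, base.ctr.value)
    # Transponder side: the MAC must match its own counter value, so a MAC captured
    # from an earlier session fails here and no EEPROM access is granted.
    if not hmac.compare_digest(mac, mac_for(tag.key, tag.ids, tag.ctr.value)):
        return False
    resp = response_for(tag.key, tag.ids, tag.ctr.value)
    # Base station side: verify the response, then both sides increment.
    if not hmac.compare_digest(resp, response_for(base.key, tag.ids, base.ctr.value)):
        return False
    base.ctr.increment()
    tag.ctr.increment()
    return True


def demo():
    """Constructed scenario: one good session, a replayed MAC, a corrupted segment."""
    key = bytes(range(16))                            # constructed shared secret
    ids = b"\x12\x34\x56\x78"                         # constructed transponder ID
    base = Party(key, ids, SegmentCounter((7, 8, 9)))
    tag = Party(key, ids, SegmentCounter((9, 7, 8)))  # same value 9, other segment order
    captured = mac_for(key, ids, base.ctr.value)      # MAC as seen on the air
    first = accelerated_authentication(base, tag)     # True; both counters move to 10
    replay = accelerated_authentication(base, tag, mac_override=captured)  # False
    tag.ctr.z[2] = 0xFFFFFFFF    # constructed: an older segment left corrupted
    recovered = tag.ctr.value    # still 10; the corrupted segment is ignored
    second = accelerated_authentication(base, tag)    # True; segment repaired by INCREMENT
    return first, replay, recovered, second, tag.ctr.z
```

Calling demo() exercises the three cases the description relies on: a fresh session verifies, the same MAC presented again is rejected by the transponder because its counter has moved on, and a corrupted older segment is skipped when the current value is derived and then overwritten on the next INCREMENT. If the most recently written segment is the corrupted one, the derived value is the previous counter value, which treats the interrupted increment as never having completed; that is why the patent only opens the user EEPROM after INCREMENT has succeeded.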

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a method (100) for cryptographic authentication (14) comprising a mutual authentication protocol between a base station (13) and a transponder (12). In order to provide a method (100) that makes it possible to reduce the authentication time considerably while simultaneously ensuring a high resistance to attack, the invention proposes that during the execution time of the authentication (14), cryptographic signatures (17, 18) for the authentication are exchanged and verified.
PCT/IB2008/051978 2007-06-29 2008-05-20 Method for cryptographic authentication WO2009004508A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP07111378.1 2007-06-29
EP07111378 2007-06-29

Publications (1)

Publication Number Publication Date
WO2009004508A1 true WO2009004508A1 (fr) 2009-01-08

Family

ID=39735361

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2008/051978 WO2009004508A1 (fr) 2007-06-29 2008-05-20 Method for cryptographic authentication

Country Status (1)

Country Link
WO (1) WO2009004508A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104142803A (zh) * 2013-05-08 2014-11-12 Vorwerk & Co. Interholding GmbH Method for copy-protected storage of information on a data carrier
CN104142803B (zh) * 2013-05-08 2019-12-24 Vorwerk & Co. Interholding GmbH Method for copy-protected storage of information on a data carrier

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4601011A (en) * 1981-12-30 1986-07-15 Avigdor Grynberg User authorization verification apparatus for computer systems including a central device and a plurality of pocket sized remote units
EP0998095A2 (fr) * 1998-07-31 2000-05-03 Lucent Technologies Inc. Method for authentication and agreement between two correspondents
WO2002014974A2 (fr) * 2000-08-14 2002-02-21 Comsense Technologies, Ltd. Multi-server authentication
US20060046690A1 (en) * 2004-09-02 2006-03-02 Rose Gregory G Pseudo-secret key generation in a communications system
US20070005972A1 (en) * 2005-06-30 2007-01-04 Mizikovsky Semyon B Method for refreshing a pairwise master key



Similar Documents

Publication Publication Date Title
US10243732B1 (en) Cryptographic key management for end-to-end communication security
Yang et al. Mutual authentication protocol for low-cost RFID
US7596704B2 (en) Partition and recovery of a verifiable digital secret
Cai et al. Attacks and improvements to an RIFD mutual authentication protocol and its extensions
CN106411505B (zh) Mutual authentication method for mobile radio frequency identification and mobile radio frequency identification system
JP5355685B2 (ja) Method for authenticating a wireless tag by a radio wave reader
CN111723383A (zh) Data storage and verification method and apparatus
US20100153731A1 (en) Lightweight Authentication Method, System, and Key Exchange Protocol For Low-Cost Electronic Devices
CN1466710A (zh) System for protecting static and dynamic data against unauthorized manipulation
Safkhani et al. Cryptanalysis of the Cho et al. protocol: a hash-based RFID tag mutual authentication protocol
CN110147666B (zh) Lightweight NFC identity authentication method in Internet-of-Things scenarios, and Internet-of-Things communication platform
Bilal et al. Security analysis of ultra-lightweight cryptographic protocol for low-cost RFID tags: Gossamer protocol
Zuo Changing hands together: a secure group ownership transfer protocol for RFID tags
Tillich et al. Security analysis of an open car immobilizer protocol stack
KR100737181B1 (ko) Mutual authentication apparatus with low load and resynchronisation characteristics for a secure RFID system, and method therefor
Yang et al. Security and privacy on authentication protocol for low-cost rfid
CN108566385B (zh) Cloud-based efficient privacy-preserving mutual authentication method
US9559838B2 (en) Method of processing data protected against fault injection attacks and associated device
CN106936571B (zh) Method for wirelessly generating a single-tag key using word synthesis operations
JP6188633B2 (ja) Computer system, computer, semiconductor device, information processing method, and computer program
US20090034717A1 (en) Method of processing data protected against attacks by generating errors and associated device
Parameswarath et al. A puf-based lightweight and secure mutual authentication mechanism for remote keyless entry systems
Chien The study of RFID authentication protocols and security of some popular RFID tags
KR100680272B1 (ko) RFID authentication system and method therefor
Chabbi et al. RFID and NFC authentication protocol for securing a payment transaction

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08751259

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08751259

Country of ref document: EP

Kind code of ref document: A1