CA2308474A1 - Methods and apparatus for the secure identification and validation of things and events - Google Patents
Methods and apparatus for the secure identification and validation of things and events Download PDFInfo
- Publication number
- CA2308474A1 CA2308474A1 CA002308474A CA2308474A CA2308474A1 CA 2308474 A1 CA2308474 A1 CA 2308474A1 CA 002308474 A CA002308474 A CA 002308474A CA 2308474 A CA2308474 A CA 2308474A CA 2308474 A1 CA2308474 A1 CA 2308474A1
- Authority
- CA
- Canada
- Prior art keywords
- entity
- identification
- result
- presumed
- arbitrator
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
- Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
Abstract
Methods for non-repudiable, non-trackable, possibly one-way identification and validation of remote entities to identification devices, wherein the identification devices do not require access to databases of remote entity information. An arbitrator entity preferably characterizes and distributes a specific algorithm to each remote entity. An identification device (or system operating an identification device) preferably distributes one reversible algorithm to each remote entity. Each time a remote entity identifies itself to an identification device, it applies its arbitrator provided algorithm to either a time-based variable (one-way identification) or to a challenge provided by the identification device, computing a first result. The remote entity then applies the reversible algorithm to the challenge/time-based variable, to its identification data and to the first computed result, computing a second result which is transmitted to an identification device. The identification device then may apply the reverse algorithm to the second result, computing a presumed challenge/time-based variable, presumed identification data and presumed first result. The identification device then may compare the challenge/time-based variable to the presumed challenge/timebased variable. If they match (within some tolerance for a time-based variable), the identification device transmits the presumed first result, the presumed identification data and the challenge to the arbitrator. The arbitrator then may apply the particular algorithm distributed to that remote entity and apply it to the challenge/time-based variable, thereby computing a valid first result. The arbitrator then may compare the valid first result to the presumed first result. If they match (within a tolerance for time-based variables), the arbitrator may corroborate the authenticity of the identification to the identification device.
Description
METHODS AND APPARATUS FOR THE SECURE IDENTIFICATION
AND VALIDATION OF THINGS AND EVENTS
TECHNICAL FIELD
The present invention generally relates to methods for identification, including remote identification and validation of messages. The methods of the present invention provide security in various transactions by validating and identifying various entities, while avoiding the necessity of conventional authentication procedures or the need to store databases of 1 o information available to an identification device.
BACKGROUND OF THE INVENTION
Various service providers (e.g., Social Securities, Telecoms (PATS), financial 15 institutions, brokers, banks, merchants, etc.) are often involved in transactions requiring the identification and validation of a remote entity (e.g., an individual, organization, smart card, message, account, etc.). These service providers often provide their services to remote entities over various telecommunications media, for example, Internet, phone lines, etc. Naturally, it is important for these providers to ensure during each transaction that the remote entity is not an 2o imposter. Accordingly, they often employ various identification devices to identify and validate remote entities, these devices being referred to herein as Identification Devices. For ease of discussion, a remote entity authorized to engage in transactions, but perhaps not yet identified and/or authenticated by an Identification Device for a particular transaction, is referred to herein as an "Authorized Remote Entity" or "Authorized Entity."
25 One method commonly known in the art and employed by Identification Devices for securely identifying a remote entity is to add "authentication" to an otherwise normal identification process. Authentication is typically accomplished by providing an additional piece of information to an Identification Device, e.g., a secret code, along with identification information. This additional information then may be used to corroborate that the identification 3o is accurate and that the remote entity is not an imposter attempting to impersonate an authorized entity. The additional piece of information is often a secret code or a password (e.g., PIN), but wo ~n~s~6 . prrnB~ms~a also may be a Dynamic Code, preferably computed using a software implemented algorithm.
Alternatively, the additional information may be provided by a token (e.g., Bio-Token) carried by the entity (e.g., individual) to be identified.
Non-variable (i.e., constant or static) information or data (e.g., PIN) can only add limited security to the identification process because a static piece of information eventually may become known to a third party (e.g., potential attacker/impostor/eavesdropper) in which case an authorized entity can easily be impersonated. On the other hand, authentication by means of a variable piece of information (referred to herein as a Dynamic or One Time Code) provides enhanced security.
Currently known methods of authentication which use a Dynamic or One Time Code typically require a prior step of identifying the remote entity to the Identification Device, e.g., by providing a name (e.g., a login name), a serial number, an additional fix code, etc. as part of a message transmitted from a Remote Entity to an Identification Device. This constant part of a message will be referred to herein as an Identification Message. Thus, a method commonly t 5 employed by an Identification Device to securely identify a Remote Entity by authentication typically comprises the three following steps:
l ) Identification: identify who the Remote Entity is supposed to be, by receiving a constant (non-variable, or at least non-constantly-variable) piece of information, referred to herein as an Identification Message;
20 2) Database Search: the Identification Devices searches a database containing the Authorized Entity's secret information or computing keys, to compute a dynamic piece of information (referred to herein as a Valid Dynamic Code) which is associated with and expected from the Authorized Entity at that particular moment; and 25 3) Authentication: the Identification Device compares the Valid Dynamic Code (computed at the Identification Device) with a Dynamic Code received from the Remote Entity (referred to as the Received Dynamic Code} to check if both codes match; if so, the Identification Device corroborates the identification of the Remote Entity as being the Presumed Entity.
3o A variation of the above-described authentication method is referred to as the Challenge and Response method, comprising the following steps:
AND VALIDATION OF THINGS AND EVENTS
TECHNICAL FIELD
The present invention generally relates to methods for identification, including remote identification and validation of messages. The methods of the present invention provide security in various transactions by validating and identifying various entities, while avoiding the necessity of conventional authentication procedures or the need to store databases of 1 o information available to an identification device.
BACKGROUND OF THE INVENTION
Various service providers (e.g., Social Securities, Telecoms (PATS), financial 15 institutions, brokers, banks, merchants, etc.) are often involved in transactions requiring the identification and validation of a remote entity (e.g., an individual, organization, smart card, message, account, etc.). These service providers often provide their services to remote entities over various telecommunications media, for example, Internet, phone lines, etc. Naturally, it is important for these providers to ensure during each transaction that the remote entity is not an 2o imposter. Accordingly, they often employ various identification devices to identify and validate remote entities, these devices being referred to herein as Identification Devices. For ease of discussion, a remote entity authorized to engage in transactions, but perhaps not yet identified and/or authenticated by an Identification Device for a particular transaction, is referred to herein as an "Authorized Remote Entity" or "Authorized Entity."
25 One method commonly known in the art and employed by Identification Devices for securely identifying a remote entity is to add "authentication" to an otherwise normal identification process. Authentication is typically accomplished by providing an additional piece of information to an Identification Device, e.g., a secret code, along with identification information. This additional information then may be used to corroborate that the identification 3o is accurate and that the remote entity is not an imposter attempting to impersonate an authorized entity. The additional piece of information is often a secret code or a password (e.g., PIN), but wo ~n~s~6 . prrnB~ms~a also may be a Dynamic Code, preferably computed using a software implemented algorithm.
Alternatively, the additional information may be provided by a token (e.g., Bio-Token) carried by the entity (e.g., individual) to be identified.
Non-variable (i.e., constant or static) information or data (e.g., PIN) can only add limited security to the identification process because a static piece of information eventually may become known to a third party (e.g., potential attacker/impostor/eavesdropper) in which case an authorized entity can easily be impersonated. On the other hand, authentication by means of a variable piece of information (referred to herein as a Dynamic or One Time Code) provides enhanced security.
Currently known methods of authentication which use a Dynamic or One Time Code typically require a prior step of identifying the remote entity to the Identification Device, e.g., by providing a name (e.g., a login name), a serial number, an additional fix code, etc. as part of a message transmitted from a Remote Entity to an Identification Device. This constant part of a message will be referred to herein as an Identification Message. Thus, a method commonly t 5 employed by an Identification Device to securely identify a Remote Entity by authentication typically comprises the three following steps:
l ) Identification: identify who the Remote Entity is supposed to be, by receiving a constant (non-variable, or at least non-constantly-variable) piece of information, referred to herein as an Identification Message;
20 2) Database Search: the Identification Devices searches a database containing the Authorized Entity's secret information or computing keys, to compute a dynamic piece of information (referred to herein as a Valid Dynamic Code) which is associated with and expected from the Authorized Entity at that particular moment; and 25 3) Authentication: the Identification Device compares the Valid Dynamic Code (computed at the Identification Device) with a Dynamic Code received from the Remote Entity (referred to as the Received Dynamic Code} to check if both codes match; if so, the Identification Device corroborates the identification of the Remote Entity as being the Presumed Entity.
3o A variation of the above-described authentication method is referred to as the Challenge and Response method, comprising the following steps:
WO 99lZ7676 . PCT/IB98/01834 1 ) The Remote Entity is identified (as described in step 1 above);
2) The Remote Entity receives a Challenge generated and sent by the Identification Device and computes a Response, the Response playing the role of a Dynamic Code;
2) The Remote Entity receives a Challenge generated and sent by the Identification Device and computes a Response, the Response playing the role of a Dynamic Code;
3) The Identifcation Device, after identifying the Remote Entity (the Pre-Authentication Identification), requires a database to determine the expected response to the challenge, for that Remote Entity at that moment.
Each of the authentication schemes described above requires the Identification Device to employ a database or look-up table. Naturally, each database must be maintained and updated, which creates problems associated with the management of keys, synchronized database updates, etc. Furthermore, these problems become acute when a service provider utilizing an authentication process has a multitude of Identification Devices disseminated through several countries. Accordingly, methods of authentication are needed which overcome limitations and drawbacks associated with the use of databases in authentication methods currently known in ~ s the art.
Another problem associated with conventional schemes for Remote Identification is the possibility of "repudiation" by an identified and authenticated Remote Entity.
For example, a Remote Entity, which has been identified and authenticated as being an Authorized Entity, may later deny the genuineness of a particular communication or event under scrutiny. To illustrate, 2o in the case of a Gambling Service Provider (although identification and authentication techniques may apply to any service provider, Gambling Service Providers are used for this example), Remote Entities (e.g., gamblers) may place bets from remote locations and pay for those bets using Credit Cards. Naturally, before a particular Remote Entity places any bets, the Gambling Service Provider identifies and authenticates that Remote Entity by a procedure 25 similar to those described above. Once the bets have been placed, one of the Remote Entities wins a prize, while all of the remaining Remote Entity gamblers lose. This situation presents an opportunity for any number of losing Remote Entities to repudiate their particular betting transaction, including the identification and authentication process, claiming that they never made the transaction/bet, and that the Gambling Service Provider fabricated the transaction or 3o made a mistake. Because each Remote Entity is authenticated by the Provider's Identification Device, and further because the provider includes a database containing secret information, the wo ~n~6~6 . pc~rns~roi~4 Provider has the capability to compute as many Valid Dynamic Codes as the Gambling Service Provider may desire, and an unscrupulous Gambling Service Provider thereby has the ability to fabricate transactions. Accordingly, when a Remote Entity repudiates a transaction, there is no way to prove whether the Gambling Service Provider fabricated the transaction or the Remote Entity has repudiated a valid transaction. Of course, if all the losing Remote Entities repudiate their transactions, the effect on the Gambling Service Provider may be disastrous.
As illustrated in the example above, present methods of authentication intrinsically are subject to the negative effects of transaction repudiation, due to the fact that the receiving/identifying/authenticating side of each transaction has the capability to compute a 1 o secret Dynamic Code as accurately as the Remote Entity. Accordingly, new methods are needed which avoid Remote Entity repudiation of transactions.
A further drawback of authentication methods known in the art and described above is the fact that a Remote Entity is trackable. In other words, an eavesdropper may follow every transaction made a particular Remote Entity because that Remote Entity transmits the same ~ 5 constant identification information for every transaction. This ability to track a Remote Entity creates a lack of security and privacy for many Remote Entities (e.g., especially government officers, ministers, police officers, etc.). Accordingly, new methods of identification are needed which avoid the trackability of Remote Entity transactions.
2o BRIEF SUMMARY OF THE INVENTION
The present invention discloses methods for secure.identification of entities, whereby no authentication process is necessary. In other words, the present invention comprises various One Ste~/One Way Identification Procedures whereby only a secure identification step is 25 required, without the need of an additional authentication step.
Furthermore, these methods of identification help to avoid the possibility of impersonation because a part of each identification process is variable and valid only one time. Consequently, the identification process cannot be intercepted and re-used, is non-repudiable and is non-trackable. In addition, by utilizing the methods of the present invention, the need for an Identification Device, as described above. to 3o have access to a database of authentication data is alleviated.
Each of the authentication schemes described above requires the Identification Device to employ a database or look-up table. Naturally, each database must be maintained and updated, which creates problems associated with the management of keys, synchronized database updates, etc. Furthermore, these problems become acute when a service provider utilizing an authentication process has a multitude of Identification Devices disseminated through several countries. Accordingly, methods of authentication are needed which overcome limitations and drawbacks associated with the use of databases in authentication methods currently known in ~ s the art.
Another problem associated with conventional schemes for Remote Identification is the possibility of "repudiation" by an identified and authenticated Remote Entity.
For example, a Remote Entity, which has been identified and authenticated as being an Authorized Entity, may later deny the genuineness of a particular communication or event under scrutiny. To illustrate, 2o in the case of a Gambling Service Provider (although identification and authentication techniques may apply to any service provider, Gambling Service Providers are used for this example), Remote Entities (e.g., gamblers) may place bets from remote locations and pay for those bets using Credit Cards. Naturally, before a particular Remote Entity places any bets, the Gambling Service Provider identifies and authenticates that Remote Entity by a procedure 25 similar to those described above. Once the bets have been placed, one of the Remote Entities wins a prize, while all of the remaining Remote Entity gamblers lose. This situation presents an opportunity for any number of losing Remote Entities to repudiate their particular betting transaction, including the identification and authentication process, claiming that they never made the transaction/bet, and that the Gambling Service Provider fabricated the transaction or 3o made a mistake. Because each Remote Entity is authenticated by the Provider's Identification Device, and further because the provider includes a database containing secret information, the wo ~n~6~6 . pc~rns~roi~4 Provider has the capability to compute as many Valid Dynamic Codes as the Gambling Service Provider may desire, and an unscrupulous Gambling Service Provider thereby has the ability to fabricate transactions. Accordingly, when a Remote Entity repudiates a transaction, there is no way to prove whether the Gambling Service Provider fabricated the transaction or the Remote Entity has repudiated a valid transaction. Of course, if all the losing Remote Entities repudiate their transactions, the effect on the Gambling Service Provider may be disastrous.
As illustrated in the example above, present methods of authentication intrinsically are subject to the negative effects of transaction repudiation, due to the fact that the receiving/identifying/authenticating side of each transaction has the capability to compute a 1 o secret Dynamic Code as accurately as the Remote Entity. Accordingly, new methods are needed which avoid Remote Entity repudiation of transactions.
A further drawback of authentication methods known in the art and described above is the fact that a Remote Entity is trackable. In other words, an eavesdropper may follow every transaction made a particular Remote Entity because that Remote Entity transmits the same ~ 5 constant identification information for every transaction. This ability to track a Remote Entity creates a lack of security and privacy for many Remote Entities (e.g., especially government officers, ministers, police officers, etc.). Accordingly, new methods of identification are needed which avoid the trackability of Remote Entity transactions.
2o BRIEF SUMMARY OF THE INVENTION
The present invention discloses methods for secure.identification of entities, whereby no authentication process is necessary. In other words, the present invention comprises various One Ste~/One Way Identification Procedures whereby only a secure identification step is 25 required, without the need of an additional authentication step.
Furthermore, these methods of identification help to avoid the possibility of impersonation because a part of each identification process is variable and valid only one time. Consequently, the identification process cannot be intercepted and re-used, is non-repudiable and is non-trackable. In addition, by utilizing the methods of the present invention, the need for an Identification Device, as described above. to 3o have access to a database of authentication data is alleviated.
wo ~m6~6 _ pcTns9srois~
The invention comprises the use of Reversible Algorithms, as shown below, in accordance with the principles disclosed in US patent 5,524,072 issued to Labaton et al., hereby incorporated by reference.
According to a preferred method of the present invention, reversible algorithms (e.g., mathematical algorithms) may be used in conjunction with a Challenge-Response method similar to that described above, wherein a Identification Device generates a random challenge.
This challenge then may be transmitted to a Remote Entity. The Remote Entity generates a substantially or totally dynamic response (i.e., little or no constant part), and such response constitutes "secure identification information." It is important to emphasize at this point that, according to a preferred embodiment of this invention, an Identification Device does not need to know the identity of any Presumed Entity in order to identify a particular Remote Entity.
Accordingly, an Identification Device is capable of checking the identification of a Remote Entity without the need of a database and without the need to know in advance who the Remote Entity is supposed to be (i.e., without the need to know an Authorized Entity).
I5 This invention further provides methods for non-repudiable identification, which means that the Remote Entity will not be able to claim that a Service Provider fabricated the identification message. This is accomplished by providing three different entities, namely, a Remote Entity, a Service Provider/Identification Device and an Arbitrator, wherein no single entity has access to all of the necessary data.
2o The present invention further provides for systems and methods wherein a Response computation is composed of more than one step, the first step being a computation of the result (Rl) inferred from the Arbitrator Seed number. The result R1 will be one of the arguments of the Reversible Algorithm.
In accordance with a further aspect of the present invention, an anti-repudiation feature 2s comprises the following steps: first, a Service Provider receives an identification message from a Remote Entity; second, the Service Provider applies the reverse of the Reversible Algorithm to the signature, and recuperates the original arguments, including Rl.
Because Rl is computed by the remote entity using the Arbitrator seed number, which is not known to the Service Provider, that means that a correct Rl, validated and corroborated by the Arbitrator, can come 30 only from the Remote Entity, and can not be fabricated by the service provider.
WO 997676 . ~ PCTnBlB/01834 BRIEF DESCRIPTION OF THE DRAWING FIGURES
The subject of the invention will, hereinafter, be described in conjunction with the appended drawing figures, wherein like numerals designate like elements, and:
Figure 1 is a block flow diagram of an exemplary initialization process for an Arbitrator and a System (e.g., a Service Provider which operates an Identification Device, ID
Node, or multitude ID Nodes) according to the methods of the present invention;
Figure 2 is a block flow diagram of an exemplary identification process for a challenge-response type identification according to the methods of the present invention;
1o Figure 3 is a block flow diagram of an exemplary anti-repudiation process;
Figure 4 is a block flow diagram of an exemplary identification process according to the methods of the present invention;
Figure 5 is a block flow diagram of an exemplary time-based identification process, with drift correction, according to the methods of the present invention;
~ 5 Figure 6 is a block flow diagram of a further exemplary time-based identification process, with drift correction, and wherein an Identification Device has access to a database; and Figure 7 is a graphical representation of a preferred FTolerance function.
2o DETAILED DESCRIPTION
The present invention provides methods for secure identification of a Remote Entity by an Identification Device, wherein the Identification Device may not require the use of a dedicated local database. Furthermore, the methods of the present invention may provide for 25 one-way, non-repudiable, non-trackable identification. Typically, an Identification Device is operated by a Service Provider, or any other entity requiring secure identification of Remote Entities, to engage in transactions with those entities (for simplicity, referred to herein as a Service Provider).
In accordance with a first method of the present invention, a reversible algorithm 30 (referred to herein as a Reversible Function) F SYSssn may be selected by a Service Provider out of a family of possible algorithms, preferably by selecting a System Seed Number (or SSN).
wo ~m6~6 . pcTns9srois~
The Service Provider then may distribute the reversible algorithm to any or all of the Remote Entities authorized to engage in transactions with the Service Provider (Authorized Remote Entities). The Service Provider also may provide a specific Remote Entity Identification number (referred to herein as C ID) to each of the Authorized Remote Entities (e.g., a driver's license number).
Each time a Remote Entity is to be identified by a Service Provider (e.g., for a particular transaction between the Service Provider and the Remote Entity), the Service Provider may select a random number (referred to herein as Ch or Challenge) and transmits it to the Remote Entity. The Remote Entity then may apply a function F SYSssn to the parameters C ID and Ch, thereby generating response R2 as follows:
F SYSssn (C ID,Ch) = R2.
The response (R2) then may be transmitted to the Service Provider's Identification Device. At the Identification Device, the reverse of the system function F
SYSssn (referred to herein as F' 1 SYSssn) may be applied to R2, thereby recuperating C ID and a number presumed to be Ch, referred to herein as Ch':
F'I_SYSssn (R2) = C ID, Ch'.
The Identification Device then may compare Ch (sent) to Ch' (received/computed) and determine whether they match. If they match, C ID is a correct and valid identification.
In a preferred exemplary implementation of the above-described method, the present 2o invention may utilize a Rabin Algorithm (known in the art). Accordingly, the Service Provider may select two large prime numbers, P 1 and P2, each of them being congruent with 7(mod 8), or alternatively, select a System Seed Number (SSN), from which two such prime numbers may be consequently inferred (See Figure l, blocks 5 and 6): These two prime numbers will determine, as parameters, the Reverse Algorithm, as explained below, but the prime numbers will not be transmitted or communicated to the Remote Entity, and will remain as secret system keys under the supervision of the Service Provider (See Figurel, block 7). The Service Provider then may calculate the product P 1 * P2 = SM (referred to herein as a System Module) and send the System Module (SM) to Remote Entities, not necessarily openly, but preferably embedded in a function F SYSssn _(See Figure l, block 8). The F SYSssn maY be masked on a 3o chip.
WO 99/Z7676 - PCTnB98/01834 A preferred exemplary model for the function F SYSssn may be specified as a function FFM (x) as follows:
FFM (x) = x2 (mod M).
The Remote Entity then may make the following computations:
FFSM (Ch) = L 1 and then FFSM (Ll ) = L2 and then FFSM (L2) = L3 and then FFSM (L3) = L4 and then 1o and so on until q (where q is any natural number), FFSM (Lq-1 ) = Lq.
And then, defining the function LSB(X) as the 'Least Significant (n)Bit(s)' of X (where n is any natural number), the Remote Entity may make the following computations:
FFSM (Lq) = T1 and then LSB(T1 ) = cl FFSM (T1) = T2 and then LSB(T2) = c2 FFSM (T2) = T3 and then LSB(T3) = c3 FFSM (T3) = T4 and then LSB(T4) = c4 and so on until n, where n is the amount of digits of the concatenation Ch o C
ID, FFSM (Tn-1 ) = Tn and then LSB(Tn) = cn.
The Remote Entity then may concatenate cl,...,cn and refer to the concatenation as C as follows:
C=cl oc2oc3~c4oooooooocn (wherein ~ stands for concatenation).
Then, the Remote Entity may bitwise-xor C with the concatenation Ch o C ID as follows (where ''xor" corresponds to the "exclusive or" function):
(cl oc2 o c3o c4~ o o ~ ~ o ~ ~ cn) ~(Ch o C ID ) = V
(wherein ~ stands for bitwise-xor).
WO 99/Z'1676 . PCT/IB98/01834 Then, the Remote Entity may compute Tn+m (m being any natural number) in the following manner:
FFSM (Tn) = Tn+1 and so on until n+m, FFSM (Tn+m-1 ) = Tn+m.
The Remote Entity then may concatenate V and Tn+m as follows, resulting in R2 (referred to herein as a Cipher):
R2 = V o Tn+m i o At this point, a Remote Entity may transmit the Cipher R2 to an Identification Device. Because the Identification Device (or, e.g., Service Provider operating the Identification Device) knows the prime numbers P 1 and P2, it may reverse the algorithm and recover Ch and C ID, as follows:
The Identification Device may use the Euclidean Algorithm in conjunction with P1 and P2, to compute Ll and L2, such that:
L 1 P 1 + L2 p2 = 1 (mod SM).
K1 and K2 may be defined as follows:
K1 = L1P1 and K2 = L2 P2.
Then, the following computations may be made as follows:
2o Y 1 = Tn+m (mod P 1 ) and Y2 = Tn+m (mod P2).
Then, the following computations may be made as follows:
Z1= yl ((PI+1)/4) (mod PI) and, if Z1((pl-1)/2) _ _1 (mod P1) then ZI = P1-Z1.
Then, the following computations may be made as follows:
Z2 = y2 ((p2+1 )/4) (mod P2) and, if Z2((P?-1)/2) _ _1 (mod P2) then Z2 = P2-Z2.
Then, the following computations may be made as follows:
Tn+m-1 = Z 1 K2 + Z2 K 1.
Then, applying the same procedure, compute Tn+m-2, and so on, obtaining all of the Ti until Tp.
The Identification Device then may proceed as follows:
Taking Ti, the following computations may be made as follows:
Ci = LSB(Ti) for I = 1 "n.
The results then may be concatenated as follows:
C = C1 oC2 o C3o C4 0 0 0 0 0 0 0 o Cn.
Then, the Identification Device may XOR C with V as follows:
[V = (cl oc2 ~ c3o c4o 0 o a o 0 0 o cn) ~ (Ch o C ID), sent from the Remote Entity], and then compute as follows:
(cl ~c2 o c3a c4 ~ ~ ~ cn) ~ V =
(cI oc2 o c3o c4 0 0 o cn) ~ (cl oc2 o c3o c4 0 0 o cn) ~ (Ch o C ID) _ (Ch a C ID) Having recuperated the C ID, the identification is complete. Recuperation of the Ch then may be used to authenticate the identification, to the extent that Ch should be exactly the ~ 5 same as the Ch sent to the Remote Entity.
It is worth noting that the example shown represents an extremely secure methodology for identifying a Remote Entity because the sensitive secrets, namely, the knowledge regarding how to factorize the SSN (namely P1 and P2) is only available at the Identification Device and not available to the Remote Entity (e.g., not stored in a token carried by the Remote Entity). Of 2o course, any suitable mathematical (or other) manipulations or operations may be employed in the context of the present invention.
The present invention further provides methods for identifying one or more Remote Entities to a Central Identification Device (e.g., operated by a Service Providei) wherein the identification process is arbitrated by an Independent Arbitrator Entity.
These methods 25 preferably comprise the following steps:
a) The Independent Arbitrator Entity may characterize a specific algorithm (or a plurality of algorithms) for each of the Remote Entities, and then distribute each algorithm to its respective Remote Entity;
b) The Central Identification Device (e.g., operated by a Service Provider) may 3o distribute one (or more) reversible algorithm to each of the Remote Entities;
wo ~m6~6 - rc~rnB~ois34 c) Each time a Remote Entity is to be identified, the Remote Entity may apply the Independent Arbitrator Entity's algorithm to a challenge (Ch) provided by the Central Identification Device, thereby providing a first result R1. The Remote Entity then may apply the Central Identification Device's reversible algorithm to the challenge Ch, to its identification data C ID, and to the said first result R1, thereby computing a second result R2 (the Cipher). The Remote Entity then may transmit the second result R2 to the Central Identification Device. The Central Identification Device then may apply the reverse of the reversible algorithm to the received second result R2, thereby computing a presumed challenge Ch', a C ID, and a presumed first result R1. The Identification to Device then may compare the transmitted challenge Ch to the computed presumed challenge Ch'. If they are identical, the Central Identification Device may transmit the presumed first result RI to an Independent Arbitrator Entity together with the Remote Entity's identification data (which may be C ID or other data, for example a Remote Entity's Serial Number) and the challenge Ch. The Arbitrator Entity then may retrieve is the specific algorithm transmitted from the specific Remote entity and apply the algorithm to the challenge Ch, thereby computing a true first result R1. The Arbitrator Entity then may compare the true first result R1 with the presumed first result Rl and, if they are identical, the arbitrator entity may corroborate the identification to the Central Identification Device. Once the Central Identification Device has received the 2o corroboration from the Arbitrator Entity, it may accept the presumed identification data C ID as being true identification data corresponding to the Remote Entity.
These methods (or other suitable operations) utilizing three entities (Remote Entity, Central Identification Device and Arbitrator Entity), provide for non-repudiable and non-trackable secure identifications methodology. An exemplary implementation of these methods 25 may comprises the following steps:
a) In addition to Remote Entities and Identification Devices, utilize a third independent party, referred to herein, for example, as an Arbitrator Entity;
b) The Arbitrator Entity may select a first algorithm (referred to herein as F ~ 1 ASN) which preferably is selected from a family of algorithms F ARB I, 3o preferably by the means of a seed number (referred to herein as an Arbitrator Seed Number = ASN) (See Figure 1 Block 1 ).
WO 99/Z7676 - rc~rns~ro><s~
An important purpose of this algorithm (F_ARB IASN) is to generate a different pseudo-random number for each Remote Entity (See Figure 1, block 2). This pseudo-random number, referred to herein as REAN (Remote Entity's Arbitrator Number), determines the algorithm (F_ARB2~AN) (see Figure 1, blocks 3 and 4) which may correlate the transaction related number Ch and, optionally C ID, with an arbitrator inferred number R1.
The BEAN is preferably the result of the product of two large prime numbers, p'1 and p'2, both of which may be congruent with 3(mod4). Hence the computed R1 may be different and specific for each transaction.
Accordingly, the algorithm F ARB 1 ASN is suitably applied to a Remote Entity's 1 o openly known number, for example, the Remote Entity's Serial Number or any other publicly known number associated with the Remote Entity, to generate the BEAN (Remote Entity's Arbitrator Number), as follows:
F ARB 1 ASN (Serial Number) = REAN.
The second algorithm selected by the Arbitrator is referred to herein as F
ARB2gE~, which also preferably is selected from a family of algorithms by means of the previously obtained Remote Entity Arbitrator Number REAN (See Figure 1, block 3).
It is worth noting that an Arbitrator only needs to select one number, namely the ASN, which is suitably the same for all the cases belonging to such Arbitrator. In contrast, the REAN
is advantageously different and preferably dedicated for each Remote Entity, and the R1 is 2o different for each transaction and inferred from the ASN to further enhance security.
The Remote Entity may then apply the F ARB2~AN algo~thm to Ch (and, optionally, to C ID), thereby getting a response R1 (see Figure 2, block 11), as follows:
F ARB2~AN CC ID, Ch ) = R1.
At this point, a Remote Entity may apply the F SYSssn algorithm to Ch, C ID
and Rl, thereby retrieving the Cipher R2 (see Figure 2, block 12), as follows:
F SYSssn ( Ch , C ID, R1) = R2 (the Cipher).
The Remote Entity may then transmit Cipher R2 to an Identification Device (e.g., ID
Node or System Administrator) (See Figure 2, block 13).
wo ~m6~6 . rcrns9sro>«
The Identification Device may then receive Cipher R2 (see Figure 2, block 14).
The Identification Device, which knows the values of P 1 and P2, then may non-repudiably identify the Remote Entity, without using any database, by applying the reverse of F
SYSssn to R2.
Accordingly, F-1_SYSssn is applied to R2, thereby retrieving the original arguments, namely, C ID, Ch' and Rl, as follows:
F-1 SYSssnW) - C ID, Ch' ,R1.
If Ch' is sufficiently identical to the Ch transmitted, then the C ID is validated as being authentic, e.g., an authentic Entity Identification Number (See Figure 2, blocks 15 and 16).
R1 then may be preserved to refute repudiations of such transactions. That is, cases 1 o where the Remote Entity denies that he/she/it had a Cipher (e.g., R2), or, in other words, when the Remote Entity claims that a Cipher (e.g., R2) was fabricated by the Identification Device and/or the controller of such a device (See Figure 2, block 17).
Referring now to Figure 3, in. the case of repudiation problems or, alternatively, for each desired case, the Identification Device may provide the Arbitrator with a Remote Entity's Serial 15 Number, the Ch, the Presumed Rl, and, optionally, the C ID (see Figure 3, blocks 19,20 and 21).
The Arbitrator may then apply the F ARB 1 ASN ~gorithm to the Serial Number, thereby obtaining the REAN, as follows:
F ARB 1 ASN (S~~ Number) = REAN (See Figure 3, block 22).
2o The Arbitrator may then apply the F ARB2gEAN algorithm to Ch and, optionally, to C ID, and thereby obtain the true R1 (see Figure 3, block 23) as follows:
F ~B2REAN (C ID,Ch ) = R1, which is the true R1.
The arbitrator may then determine whether the true R1 is identical to the Presumed R1 (see Figure 3, blocks 24 and 25). If R1 and the Presumed R1 are not identical, then R2 may be 25 a fabrication (See Figure3, block 27). On the other hand, if RI matches the presumed R1, it may be concluded that the R2 is coming from an Authorized Remote Entity, because the Identification Device has no means with which to compute (fabricate) a true R1 (see Figure 3, block 26).
According to another preferred exemplary implementation of the methods of the present invention, the Remote Entity may utilize an algorithm F ARB2~AN, ch~cterized by an Arbitrator by means of a BEAN, to compute the transaction specific Rl, using the transaction specific Challenge Ch transmitted by the Identification Device (e.g., ID Node/
System Administrator), as follows:
the Remote Entity may compute:
M 1 = Ch 2 (mod REAN) M2 = M21 (mod REAN) t o and so on, until p (any natural number) S 1 = Mp = M2p_ 1 (mod REAN).
The Remote Entity then may compute:
C' 1 = LSB (S I ).
Accordingly, S2 = S21 (mod REAN) -> C'2 = LSB (S2) and so on, until n:
Sn - S2n-1 (mod REAN) -~ C'n = LSB (Sn).
The result is the following concatenation:
Rl=C'loooaooooC'n.
2o Accordingly, the above-described step F ARB2~AN (Ch ) = Rl thereby may be accomplished.
According to a further preferred implementation of the methods of the present invention, a preferred implementation of the function F SYSssn is now presented. In accordance with this aspect of the present invention, a System Seed Number (SSN), selected by an administrator, may be used to infer a SM (System Module, as discussed above). The Remote Entity may make the following computations:
T1 = R12 (mod SM) ~ C1 = LSB (Tl) T2 = T21 (mod SM) ~ C2 = LSB (T2) wo ~n~6~6 . rcrns9srois~
.... ..................... ~......_...........................
and so on, to:
Tn = T2n-1 (mod SM) ~ Cn = LSB (Tn) Tn+1 = T2n (mod SM) ....... ................
and soon, to:
Tn+m = T2n+m (mod SM).
The C's then may be concatenated as follows:
C=ClooooooooCn.
A Cipher (R2) message then may be computed as follows:
R2 = [(C ID ~ CH)] ~ C] o Tn+m~
Accordingly, the above-mentioned step F SYSssn (Ch ) = R2 thereby may be accomplished.
Obviously, while a C ID is always the same for a particular Remote Entity, the Cipher ~ 5 should be different from any prior Cipher (R2), to the extent that the Ch is different from any prior Ch transmitted to a particular Remote Entity.
The Remote Entity may transmit the Cipher R2 to an Identification Device (e.g., ID
Node/System Administrator) and, because the Identification Device knows the prime numbers P 1 and P2, the Identification Device may reverse the algorithm and recover Ch and C ID.
2o The Identification Device (e.g., ID Node/ System Administrator) may use the Euclidean Algorithm (or other suitable Algorithms) in conjunction with P1 and P2 to compute what is referred to as the reverse algorithm or Reverse Algorithm, F-1 SYSssn~ A
preferred exemplary implementation of this computation is as follows:
a) compute L 1 and L2 such that L 1 P 1 + L2 P2 = 1 (mod SM};
2s b) define Kl = L 1 P 1 and K2 = L2 P2;
c) compute:
Y 1 = Tn+m (mod P 1 ) and YZ = Tn+m (mod P2);
IS
WO 99/27676 . pCrne98~o~s34 d) compute:
Z1 = Y1 ((P1+1)/4) (mod P1) and, if Z 1 ((P 1-1 )/2) _ _ 1 (mod P 1 ) then Z 1 = P 1-Z 1; ~d Z~ = Y2 ((P2+1 )/4) (mod P2) if Z2((P2-1 )/2) _ _1 (mod P2) then Z2 = P2-Z2;
e) compute:
Tn+m-1 = Z1K2 + Z2 K1;
and, applying the same procedure, compute:
Tn+m-2 t o and so on, obtaining all the Ti until Tp is recuperated.
The Identification Device (e.g., ID Node/System Administrator) then may proceed as follows:
a) using Ti, compute: ci = LSB(Ti) and so on for i = n,n-1,...,1 (T1 is also recaptured);
1s clearly, the Reverse algorithm applied to T1 generates the R1, which is stored together with the correspondent Ch for potential repudiation.cases;
b) the ci results are concatenated as follows:
C=cl ~c2~c3oc4oooo~~oocn c) the Identification Device (e.g., ID Node/System Administrator) then may XOR
2o C with V, thereby obtaining:
(c 1 a c2 o c3 o c4 0 0 ~ cn) ~V =
(c 1 ~ c2 o c3 ~ c4 0 0 o cn) ~ (c 1 o c2 o c3~ c4o 0 o cn) ~(Ch o C ID) = (Ch o C ID).
Having recuperated the C ID, the identification may be complete. The recuperation of Ch then may be used to authenticate the identification, to the extent that Ch should be exactly 25 the same as the Ch sent to the Remote Entity.
If a Remote Entity later repudiates the transaction, the Identification Device (e.g., ID
Node/System Administrator) may provide the Arbitrator with the Remote Entity's Serial IG
wo ~m6~6 - rc~rn~~sroia~
Number, the transaction Ch, the presumed Rl and, optionally, the C ID. The Arbitrator then may apply the F ARB I ASN to the Serial number, thereby obtaining the REAN as follows:
F ARB I ASN (Serial Number) = REAN.
The Arbitrator then may apply the F ARB2~AN ~gorithm to Ch and, optionally, to C ID, thereby obtaining the true R1, as follows:
a) the Arbitrator may compute:
M 1 = Ch 2 (mod REAN) M2 = M21 (mod REAN) and so on, until t o S 1 = M40 = M239 (mod REAN), (wherein 39 and 40 are examples only and may differ);
b) the Arbitrator may compute:
C' 1 = LSB (S l );
c) consequently:
S2 = S2I (mod REAN ) ~ C'2 = LSB (S2) and so on, up to Sn = S2n-1 (mod REAN) -~ C'n = LSB (Sn).
Accordingly, the result is the true RI for this specific Remote Entity and for this specific transaction (Ch), wherein:
2o Rl=C'loooo~~~~C'n.
The Arbitrator may then check whether the true R1 is identical to the Presumed RI
claimed by the Identification Device (e.g., ID Node/system administrator). If they do not match, the R2 is a fabrication. On the other hand, if the two numbers match, it is confirmed that the R2 is from the Remote Entity because the Identification Device has no means with which to compute (fabricate) a true Rl.
It is worth noting that the example shown represents an remarkably secure methodology to identify a Remote Entity. The sensitive secrets, e.g., the knowledge on how to factorize the wo ~r~~6~6 . Pc~rnB9sroia3e SSN, is available only to the Identification Device (e.g., ID Node/ System Administrator) and is not available to the Remote Entities (e.g., not in their tokens}.
According to another preferred exemplary implementation of the methods of the present invention, the methods and algorithms described above may be used, but, instead of having the Identification Device send a challenge (Ch} to the Remote Entity, the Remote Entity may use the Cipher's Generation Time. The time of the moment of computing the Cipher, the Generation Time and Date, the GMT and Date, or some other suitable time-based variable having a particular resolution, e.g., of seconds. For simplicity, this type of time-based variable will be referred to herein as Generation Time, or Gtime (see Figure 4, block l Ob).
t o Refernng to Figure 4, a Remote Entity may proceed as in Figure 4, illustrating a non-repudiable, non-trackable, one-way identification method. The Remote Entity may transmit a message, which identifies the Remote Entity, to the Identification Device (e.g., ID Node, or one of various ID Nodes of a particular Service Provider), and this ends the protocol. Accordingly, during the time that the identification is being made on-line, both sides, Remote Entity and Identification Device, know the corresponding GtimelReception Time (see Figure 4, block 14b) and, consequently, the Identification Device may verify the identification (See Figure 4, blocks 1 Sb and 16b). If the Identification is not on-line, the Generation Time used in the computation may be communicated openly to the Identification Device.
With regard to on-line transactions, to overcome possible drift between the time 2o measured by the Remote Entity and the time measured by the Identification Device, two successive identification procedures may be accomplished during the same identification process (see Figure 5). The time elapsed between the two identification procedures also may be determined by the Identification Device (see Figure 5, block 19d), which will signal/ trigger the Remote Entity to send a new Cipher. Because the time elapsed is set by the Identification Device, this process avoids the possibility of an impostor using two pre-recorded Ciphers in an attempt to defraud the system. Hence, measuring the Absolute Value of the drift difference (see Figure 5, block 27d) the Identification Device can overcome the drift problem without compromising security.
Another preferred exemplary implementation of the methods of the present invention 3o comprises a process similar to that described in Figure 5, but instead of using the Gtime a Remote Entity may use a Remote entity's specific function of the Gtime, referred to herein as is wo 99n~6~6 . rcTne9sro><s3e F T RE(Time), which preferably is a linear function. The Identification Device (e.g., ID Node/
System Administrator) will require the knowledge to compute F T RE(Time), and therefore, a database may be necessary.
As an example, a function of Gtime may be utilized wherein F T RE(Time) =
s RE Time = Time + RE cte, and where RE cte is a constant value, and is different for each Remote Entity (see Figure 6). Because, according to this particular implementation, the Identification Device may use a database anyway, it may be convenient to preserve the RE Time and RTime of the previous transaction (referred to herein as RE_Time_pre and RTime-pre) in a database available to the Identification Device. This is in order to update the 1 o drift while the' RE_cte value is being updated, which absorbs the drift as is shown in Figure 6.
' The Identification Device, after receiving the RE Time embedded in the Cipher and registering the RTime (Reception Time), will compare the difference:
RE Time - RTime with the previous difference (last recorded transaction):
~ 5 RE Time - RTime which will be referred to herein as:
RE Time-pre - RTime-pre.
This difference should be less than a tolerance value. The tolerance value may be a function (FTolerance) of the absolute value of the difference between RTime and Rtime-pre, as follows:
2o FTolerance(RTime - RTime~re).
A preferred specification of FTolerance is shown in Figure 7.
Although the invention has been described herein using specific examples of the various methods encompassed by the present invention, variations or alterations of the methods presented herein do not represent a departure from the spirit of the invention as set forth in the 25 specification and claims. For example, the methods of the present invention may include the addition of encryption steps. Furthermore, the addition of DES to the cipher or permutations of it; the addition of transaction data to the cipher, whether such transaction data is encrypted or not; and/or the addition of Error Correction algorithms. Moreover, the sequential order of the steps or sub-steps illustrated herein are used only to explain the methodology presented, and do 3o not limit or define the scope of the invention. Accordingly, slight variations in the implementation and/or sequential order the method steps described herein do not represent a departure from the spirit and scope of the invention.
Although the invention has been described herein using a general method for identification, many possible implementations of the methods presented by the invention are possible and remain within the scope of the invention. For example, these methods may be implemented in part wherein the Remote Entities are tokens or other portable devices (e.g., smart cards), or are the carriers of such devices. Moreover, the Identification Devices described herein may be in the form of PC's, ATMs, kiosks, or the like. Furthermore, the above-described methods may be masked or otherwise embedded into chips, and would not represent a 1 o departure from the spirit of the present invention.
Although the invention has been described herein in conjunction with the appended drawing figures and specific functions, those skilled in the art will appreciate that the scope of the invention is not so limited. Various modifications in the selection and arrangement of the various components, method and steps discussed herein may be made without departing from ~ s the spirit of the invention as set forth above.
The invention comprises the use of Reversible Algorithms, as shown below, in accordance with the principles disclosed in US patent 5,524,072 issued to Labaton et al., hereby incorporated by reference.
According to a preferred method of the present invention, reversible algorithms (e.g., mathematical algorithms) may be used in conjunction with a Challenge-Response method similar to that described above, wherein a Identification Device generates a random challenge.
This challenge then may be transmitted to a Remote Entity. The Remote Entity generates a substantially or totally dynamic response (i.e., little or no constant part), and such response constitutes "secure identification information." It is important to emphasize at this point that, according to a preferred embodiment of this invention, an Identification Device does not need to know the identity of any Presumed Entity in order to identify a particular Remote Entity.
Accordingly, an Identification Device is capable of checking the identification of a Remote Entity without the need of a database and without the need to know in advance who the Remote Entity is supposed to be (i.e., without the need to know an Authorized Entity).
I5 This invention further provides methods for non-repudiable identification, which means that the Remote Entity will not be able to claim that a Service Provider fabricated the identification message. This is accomplished by providing three different entities, namely, a Remote Entity, a Service Provider/Identification Device and an Arbitrator, wherein no single entity has access to all of the necessary data.
2o The present invention further provides for systems and methods wherein a Response computation is composed of more than one step, the first step being a computation of the result (Rl) inferred from the Arbitrator Seed number. The result R1 will be one of the arguments of the Reversible Algorithm.
In accordance with a further aspect of the present invention, an anti-repudiation feature 2s comprises the following steps: first, a Service Provider receives an identification message from a Remote Entity; second, the Service Provider applies the reverse of the Reversible Algorithm to the signature, and recuperates the original arguments, including Rl.
Because Rl is computed by the remote entity using the Arbitrator seed number, which is not known to the Service Provider, that means that a correct Rl, validated and corroborated by the Arbitrator, can come 30 only from the Remote Entity, and can not be fabricated by the service provider.
WO 997676 . ~ PCTnBlB/01834 BRIEF DESCRIPTION OF THE DRAWING FIGURES
The subject of the invention will, hereinafter, be described in conjunction with the appended drawing figures, wherein like numerals designate like elements, and:
Figure 1 is a block flow diagram of an exemplary initialization process for an Arbitrator and a System (e.g., a Service Provider which operates an Identification Device, ID
Node, or multitude ID Nodes) according to the methods of the present invention;
Figure 2 is a block flow diagram of an exemplary identification process for a challenge-response type identification according to the methods of the present invention;
1o Figure 3 is a block flow diagram of an exemplary anti-repudiation process;
Figure 4 is a block flow diagram of an exemplary identification process according to the methods of the present invention;
Figure 5 is a block flow diagram of an exemplary time-based identification process, with drift correction, according to the methods of the present invention;
~ 5 Figure 6 is a block flow diagram of a further exemplary time-based identification process, with drift correction, and wherein an Identification Device has access to a database; and Figure 7 is a graphical representation of a preferred FTolerance function.
2o DETAILED DESCRIPTION
The present invention provides methods for secure identification of a Remote Entity by an Identification Device, wherein the Identification Device may not require the use of a dedicated local database. Furthermore, the methods of the present invention may provide for 25 one-way, non-repudiable, non-trackable identification. Typically, an Identification Device is operated by a Service Provider, or any other entity requiring secure identification of Remote Entities, to engage in transactions with those entities (for simplicity, referred to herein as a Service Provider).
In accordance with a first method of the present invention, a reversible algorithm 30 (referred to herein as a Reversible Function) F SYSssn may be selected by a Service Provider out of a family of possible algorithms, preferably by selecting a System Seed Number (or SSN).
wo ~m6~6 . pcTns9srois~
The Service Provider then may distribute the reversible algorithm to any or all of the Remote Entities authorized to engage in transactions with the Service Provider (Authorized Remote Entities). The Service Provider also may provide a specific Remote Entity Identification number (referred to herein as C ID) to each of the Authorized Remote Entities (e.g., a driver's license number).
Each time a Remote Entity is to be identified by a Service Provider (e.g., for a particular transaction between the Service Provider and the Remote Entity), the Service Provider may select a random number (referred to herein as Ch or Challenge) and transmits it to the Remote Entity. The Remote Entity then may apply a function F SYSssn to the parameters C ID and Ch, thereby generating response R2 as follows:
F SYSssn (C ID,Ch) = R2.
The response (R2) then may be transmitted to the Service Provider's Identification Device. At the Identification Device, the reverse of the system function F
SYSssn (referred to herein as F' 1 SYSssn) may be applied to R2, thereby recuperating C ID and a number presumed to be Ch, referred to herein as Ch':
F'I_SYSssn (R2) = C ID, Ch'.
The Identification Device then may compare Ch (sent) to Ch' (received/computed) and determine whether they match. If they match, C ID is a correct and valid identification.
In a preferred exemplary implementation of the above-described method, the present 2o invention may utilize a Rabin Algorithm (known in the art). Accordingly, the Service Provider may select two large prime numbers, P 1 and P2, each of them being congruent with 7(mod 8), or alternatively, select a System Seed Number (SSN), from which two such prime numbers may be consequently inferred (See Figure l, blocks 5 and 6): These two prime numbers will determine, as parameters, the Reverse Algorithm, as explained below, but the prime numbers will not be transmitted or communicated to the Remote Entity, and will remain as secret system keys under the supervision of the Service Provider (See Figurel, block 7). The Service Provider then may calculate the product P 1 * P2 = SM (referred to herein as a System Module) and send the System Module (SM) to Remote Entities, not necessarily openly, but preferably embedded in a function F SYSssn _(See Figure l, block 8). The F SYSssn maY be masked on a 3o chip.
WO 99/Z7676 - PCTnB98/01834 A preferred exemplary model for the function F SYSssn may be specified as a function FFM (x) as follows:
FFM (x) = x2 (mod M).
The Remote Entity then may make the following computations:
FFSM (Ch) = L 1 and then FFSM (Ll ) = L2 and then FFSM (L2) = L3 and then FFSM (L3) = L4 and then 1o and so on until q (where q is any natural number), FFSM (Lq-1 ) = Lq.
And then, defining the function LSB(X) as the 'Least Significant (n)Bit(s)' of X (where n is any natural number), the Remote Entity may make the following computations:
FFSM (Lq) = T1 and then LSB(T1 ) = cl FFSM (T1) = T2 and then LSB(T2) = c2 FFSM (T2) = T3 and then LSB(T3) = c3 FFSM (T3) = T4 and then LSB(T4) = c4 and so on until n, where n is the amount of digits of the concatenation Ch o C
ID, FFSM (Tn-1 ) = Tn and then LSB(Tn) = cn.
The Remote Entity then may concatenate cl,...,cn and refer to the concatenation as C as follows:
C=cl oc2oc3~c4oooooooocn (wherein ~ stands for concatenation).
Then, the Remote Entity may bitwise-xor C with the concatenation Ch o C ID as follows (where ''xor" corresponds to the "exclusive or" function):
(cl oc2 o c3o c4~ o o ~ ~ o ~ ~ cn) ~(Ch o C ID ) = V
(wherein ~ stands for bitwise-xor).
WO 99/Z'1676 . PCT/IB98/01834 Then, the Remote Entity may compute Tn+m (m being any natural number) in the following manner:
FFSM (Tn) = Tn+1 and so on until n+m, FFSM (Tn+m-1 ) = Tn+m.
The Remote Entity then may concatenate V and Tn+m as follows, resulting in R2 (referred to herein as a Cipher):
R2 = V o Tn+m i o At this point, a Remote Entity may transmit the Cipher R2 to an Identification Device. Because the Identification Device (or, e.g., Service Provider operating the Identification Device) knows the prime numbers P 1 and P2, it may reverse the algorithm and recover Ch and C ID, as follows:
The Identification Device may use the Euclidean Algorithm in conjunction with P1 and P2, to compute Ll and L2, such that:
L 1 P 1 + L2 p2 = 1 (mod SM).
K1 and K2 may be defined as follows:
K1 = L1P1 and K2 = L2 P2.
Then, the following computations may be made as follows:
2o Y 1 = Tn+m (mod P 1 ) and Y2 = Tn+m (mod P2).
Then, the following computations may be made as follows:
Z1= yl ((PI+1)/4) (mod PI) and, if Z1((pl-1)/2) _ _1 (mod P1) then ZI = P1-Z1.
Then, the following computations may be made as follows:
Z2 = y2 ((p2+1 )/4) (mod P2) and, if Z2((P?-1)/2) _ _1 (mod P2) then Z2 = P2-Z2.
Then, the following computations may be made as follows:
Tn+m-1 = Z 1 K2 + Z2 K 1.
Then, applying the same procedure, compute Tn+m-2, and so on, obtaining all of the Ti until Tp.
The Identification Device then may proceed as follows:
Taking Ti, the following computations may be made as follows:
Ci = LSB(Ti) for I = 1 "n.
The results then may be concatenated as follows:
C = C1 oC2 o C3o C4 0 0 0 0 0 0 0 o Cn.
Then, the Identification Device may XOR C with V as follows:
[V = (cl oc2 ~ c3o c4o 0 o a o 0 0 o cn) ~ (Ch o C ID), sent from the Remote Entity], and then compute as follows:
(cl ~c2 o c3a c4 ~ ~ ~ cn) ~ V =
(cI oc2 o c3o c4 0 0 o cn) ~ (cl oc2 o c3o c4 0 0 o cn) ~ (Ch o C ID) _ (Ch a C ID) Having recuperated the C ID, the identification is complete. Recuperation of the Ch then may be used to authenticate the identification, to the extent that Ch should be exactly the ~ 5 same as the Ch sent to the Remote Entity.
It is worth noting that the example shown represents an extremely secure methodology for identifying a Remote Entity because the sensitive secrets, namely, the knowledge regarding how to factorize the SSN (namely P1 and P2) is only available at the Identification Device and not available to the Remote Entity (e.g., not stored in a token carried by the Remote Entity). Of 2o course, any suitable mathematical (or other) manipulations or operations may be employed in the context of the present invention.
The present invention further provides methods for identifying one or more Remote Entities to a Central Identification Device (e.g., operated by a Service Providei) wherein the identification process is arbitrated by an Independent Arbitrator Entity.
These methods 25 preferably comprise the following steps:
a) The Independent Arbitrator Entity may characterize a specific algorithm (or a plurality of algorithms) for each of the Remote Entities, and then distribute each algorithm to its respective Remote Entity;
b) The Central Identification Device (e.g., operated by a Service Provider) may 3o distribute one (or more) reversible algorithm to each of the Remote Entities;
wo ~m6~6 - rc~rnB~ois34 c) Each time a Remote Entity is to be identified, the Remote Entity may apply the Independent Arbitrator Entity's algorithm to a challenge (Ch) provided by the Central Identification Device, thereby providing a first result R1. The Remote Entity then may apply the Central Identification Device's reversible algorithm to the challenge Ch, to its identification data C ID, and to the said first result R1, thereby computing a second result R2 (the Cipher). The Remote Entity then may transmit the second result R2 to the Central Identification Device. The Central Identification Device then may apply the reverse of the reversible algorithm to the received second result R2, thereby computing a presumed challenge Ch', a C ID, and a presumed first result R1. The Identification to Device then may compare the transmitted challenge Ch to the computed presumed challenge Ch'. If they are identical, the Central Identification Device may transmit the presumed first result RI to an Independent Arbitrator Entity together with the Remote Entity's identification data (which may be C ID or other data, for example a Remote Entity's Serial Number) and the challenge Ch. The Arbitrator Entity then may retrieve is the specific algorithm transmitted from the specific Remote entity and apply the algorithm to the challenge Ch, thereby computing a true first result R1. The Arbitrator Entity then may compare the true first result R1 with the presumed first result Rl and, if they are identical, the arbitrator entity may corroborate the identification to the Central Identification Device. Once the Central Identification Device has received the 2o corroboration from the Arbitrator Entity, it may accept the presumed identification data C ID as being true identification data corresponding to the Remote Entity.
These methods (or other suitable operations) utilizing three entities (Remote Entity, Central Identification Device and Arbitrator Entity), provide for non-repudiable and non-trackable secure identifications methodology. An exemplary implementation of these methods 25 may comprises the following steps:
a) In addition to Remote Entities and Identification Devices, utilize a third independent party, referred to herein, for example, as an Arbitrator Entity;
b) The Arbitrator Entity may select a first algorithm (referred to herein as F ~ 1 ASN) which preferably is selected from a family of algorithms F ARB I, 3o preferably by the means of a seed number (referred to herein as an Arbitrator Seed Number = ASN) (See Figure 1 Block 1 ).
WO 99/Z7676 - rc~rns~ro><s~
An important purpose of this algorithm (F_ARB IASN) is to generate a different pseudo-random number for each Remote Entity (See Figure 1, block 2). This pseudo-random number, referred to herein as REAN (Remote Entity's Arbitrator Number), determines the algorithm (F_ARB2~AN) (see Figure 1, blocks 3 and 4) which may correlate the transaction related number Ch and, optionally C ID, with an arbitrator inferred number R1.
The BEAN is preferably the result of the product of two large prime numbers, p'1 and p'2, both of which may be congruent with 3(mod4). Hence the computed R1 may be different and specific for each transaction.
Accordingly, the algorithm F ARB 1 ASN is suitably applied to a Remote Entity's 1 o openly known number, for example, the Remote Entity's Serial Number or any other publicly known number associated with the Remote Entity, to generate the BEAN (Remote Entity's Arbitrator Number), as follows:
F ARB 1 ASN (Serial Number) = REAN.
The second algorithm selected by the Arbitrator is referred to herein as F
ARB2gE~, which also preferably is selected from a family of algorithms by means of the previously obtained Remote Entity Arbitrator Number REAN (See Figure 1, block 3).
It is worth noting that an Arbitrator only needs to select one number, namely the ASN, which is suitably the same for all the cases belonging to such Arbitrator. In contrast, the REAN
is advantageously different and preferably dedicated for each Remote Entity, and the R1 is 2o different for each transaction and inferred from the ASN to further enhance security.
The Remote Entity may then apply the F ARB2~AN algo~thm to Ch (and, optionally, to C ID), thereby getting a response R1 (see Figure 2, block 11), as follows:
F ARB2~AN CC ID, Ch ) = R1.
At this point, a Remote Entity may apply the F SYSssn algorithm to Ch, C ID
and Rl, thereby retrieving the Cipher R2 (see Figure 2, block 12), as follows:
F SYSssn ( Ch , C ID, R1) = R2 (the Cipher).
The Remote Entity may then transmit Cipher R2 to an Identification Device (e.g., ID
Node or System Administrator) (See Figure 2, block 13).
wo ~m6~6 . rcrns9sro>«
The Identification Device may then receive Cipher R2 (see Figure 2, block 14).
The Identification Device, which knows the values of P 1 and P2, then may non-repudiably identify the Remote Entity, without using any database, by applying the reverse of F
SYSssn to R2.
Accordingly, F-1_SYSssn is applied to R2, thereby retrieving the original arguments, namely, C ID, Ch' and Rl, as follows:
F-1 SYSssnW) - C ID, Ch' ,R1.
If Ch' is sufficiently identical to the Ch transmitted, then the C ID is validated as being authentic, e.g., an authentic Entity Identification Number (See Figure 2, blocks 15 and 16).
R1 then may be preserved to refute repudiations of such transactions. That is, cases 1 o where the Remote Entity denies that he/she/it had a Cipher (e.g., R2), or, in other words, when the Remote Entity claims that a Cipher (e.g., R2) was fabricated by the Identification Device and/or the controller of such a device (See Figure 2, block 17).
Referring now to Figure 3, in. the case of repudiation problems or, alternatively, for each desired case, the Identification Device may provide the Arbitrator with a Remote Entity's Serial 15 Number, the Ch, the Presumed Rl, and, optionally, the C ID (see Figure 3, blocks 19,20 and 21).
The Arbitrator may then apply the F ARB 1 ASN ~gorithm to the Serial Number, thereby obtaining the REAN, as follows:
F ARB 1 ASN (S~~ Number) = REAN (See Figure 3, block 22).
2o The Arbitrator may then apply the F ARB2gEAN algorithm to Ch and, optionally, to C ID, and thereby obtain the true R1 (see Figure 3, block 23) as follows:
F ~B2REAN (C ID,Ch ) = R1, which is the true R1.
The arbitrator may then determine whether the true R1 is identical to the Presumed R1 (see Figure 3, blocks 24 and 25). If R1 and the Presumed R1 are not identical, then R2 may be 25 a fabrication (See Figure3, block 27). On the other hand, if RI matches the presumed R1, it may be concluded that the R2 is coming from an Authorized Remote Entity, because the Identification Device has no means with which to compute (fabricate) a true R1 (see Figure 3, block 26).
According to another preferred exemplary implementation of the methods of the present invention, the Remote Entity may utilize an algorithm F ARB2~AN, ch~cterized by an Arbitrator by means of a BEAN, to compute the transaction specific Rl, using the transaction specific Challenge Ch transmitted by the Identification Device (e.g., ID Node/
System Administrator), as follows:
the Remote Entity may compute:
M 1 = Ch 2 (mod REAN) M2 = M21 (mod REAN) t o and so on, until p (any natural number) S 1 = Mp = M2p_ 1 (mod REAN).
The Remote Entity then may compute:
C' 1 = LSB (S I ).
Accordingly, S2 = S21 (mod REAN) -> C'2 = LSB (S2) and so on, until n:
Sn - S2n-1 (mod REAN) -~ C'n = LSB (Sn).
The result is the following concatenation:
Rl=C'loooaooooC'n.
2o Accordingly, the above-described step F ARB2~AN (Ch ) = Rl thereby may be accomplished.
According to a further preferred implementation of the methods of the present invention, a preferred implementation of the function F SYSssn is now presented. In accordance with this aspect of the present invention, a System Seed Number (SSN), selected by an administrator, may be used to infer a SM (System Module, as discussed above). The Remote Entity may make the following computations:
T1 = R12 (mod SM) ~ C1 = LSB (Tl) T2 = T21 (mod SM) ~ C2 = LSB (T2) wo ~n~6~6 . rcrns9srois~
.... ..................... ~......_...........................
and so on, to:
Tn = T2n-1 (mod SM) ~ Cn = LSB (Tn) Tn+1 = T2n (mod SM) ....... ................
and soon, to:
Tn+m = T2n+m (mod SM).
The C's then may be concatenated as follows:
C=ClooooooooCn.
A Cipher (R2) message then may be computed as follows:
R2 = [(C ID ~ CH)] ~ C] o Tn+m~
Accordingly, the above-mentioned step F SYSssn (Ch ) = R2 thereby may be accomplished.
Obviously, while a C ID is always the same for a particular Remote Entity, the Cipher ~ 5 should be different from any prior Cipher (R2), to the extent that the Ch is different from any prior Ch transmitted to a particular Remote Entity.
The Remote Entity may transmit the Cipher R2 to an Identification Device (e.g., ID
Node/System Administrator) and, because the Identification Device knows the prime numbers P 1 and P2, the Identification Device may reverse the algorithm and recover Ch and C ID.
2o The Identification Device (e.g., ID Node/ System Administrator) may use the Euclidean Algorithm (or other suitable Algorithms) in conjunction with P1 and P2 to compute what is referred to as the reverse algorithm or Reverse Algorithm, F-1 SYSssn~ A
preferred exemplary implementation of this computation is as follows:
a) compute L 1 and L2 such that L 1 P 1 + L2 P2 = 1 (mod SM};
2s b) define Kl = L 1 P 1 and K2 = L2 P2;
c) compute:
Y 1 = Tn+m (mod P 1 ) and YZ = Tn+m (mod P2);
IS
WO 99/27676 . pCrne98~o~s34 d) compute:
Z1 = Y1 ((P1+1)/4) (mod P1) and, if Z 1 ((P 1-1 )/2) _ _ 1 (mod P 1 ) then Z 1 = P 1-Z 1; ~d Z~ = Y2 ((P2+1 )/4) (mod P2) if Z2((P2-1 )/2) _ _1 (mod P2) then Z2 = P2-Z2;
e) compute:
Tn+m-1 = Z1K2 + Z2 K1;
and, applying the same procedure, compute:
Tn+m-2 t o and so on, obtaining all the Ti until Tp is recuperated.
The Identification Device (e.g., ID Node/System Administrator) then may proceed as follows:
a) using Ti, compute: ci = LSB(Ti) and so on for i = n,n-1,...,1 (T1 is also recaptured);
1s clearly, the Reverse algorithm applied to T1 generates the R1, which is stored together with the correspondent Ch for potential repudiation.cases;
b) the ci results are concatenated as follows:
C=cl ~c2~c3oc4oooo~~oocn c) the Identification Device (e.g., ID Node/System Administrator) then may XOR
2o C with V, thereby obtaining:
(c 1 a c2 o c3 o c4 0 0 ~ cn) ~V =
(c 1 ~ c2 o c3 ~ c4 0 0 o cn) ~ (c 1 o c2 o c3~ c4o 0 o cn) ~(Ch o C ID) = (Ch o C ID).
Having recuperated the C ID, the identification may be complete. The recuperation of Ch then may be used to authenticate the identification, to the extent that Ch should be exactly 25 the same as the Ch sent to the Remote Entity.
If a Remote Entity later repudiates the transaction, the Identification Device (e.g., ID
Node/System Administrator) may provide the Arbitrator with the Remote Entity's Serial IG
wo ~m6~6 - rc~rn~~sroia~
Number, the transaction Ch, the presumed Rl and, optionally, the C ID. The Arbitrator then may apply the F ARB I ASN to the Serial number, thereby obtaining the REAN as follows:
F ARB I ASN (Serial Number) = REAN.
The Arbitrator then may apply the F ARB2~AN ~gorithm to Ch and, optionally, to C ID, thereby obtaining the true R1, as follows:
a) the Arbitrator may compute:
M 1 = Ch 2 (mod REAN) M2 = M21 (mod REAN) and so on, until t o S 1 = M40 = M239 (mod REAN), (wherein 39 and 40 are examples only and may differ);
b) the Arbitrator may compute:
C' 1 = LSB (S l );
c) consequently:
S2 = S2I (mod REAN ) ~ C'2 = LSB (S2) and so on, up to Sn = S2n-1 (mod REAN) -~ C'n = LSB (Sn).
Accordingly, the result is the true RI for this specific Remote Entity and for this specific transaction (Ch), wherein:
2o Rl=C'loooo~~~~C'n.
The Arbitrator may then check whether the true R1 is identical to the Presumed RI
claimed by the Identification Device (e.g., ID Node/system administrator). If they do not match, the R2 is a fabrication. On the other hand, if the two numbers match, it is confirmed that the R2 is from the Remote Entity because the Identification Device has no means with which to compute (fabricate) a true Rl.
It is worth noting that the example shown represents an remarkably secure methodology to identify a Remote Entity. The sensitive secrets, e.g., the knowledge on how to factorize the wo ~r~~6~6 . Pc~rnB9sroia3e SSN, is available only to the Identification Device (e.g., ID Node/ System Administrator) and is not available to the Remote Entities (e.g., not in their tokens}.
According to another preferred exemplary implementation of the methods of the present invention, the methods and algorithms described above may be used, but, instead of having the Identification Device send a challenge (Ch} to the Remote Entity, the Remote Entity may use the Cipher's Generation Time. The time of the moment of computing the Cipher, the Generation Time and Date, the GMT and Date, or some other suitable time-based variable having a particular resolution, e.g., of seconds. For simplicity, this type of time-based variable will be referred to herein as Generation Time, or Gtime (see Figure 4, block l Ob).
t o Refernng to Figure 4, a Remote Entity may proceed as in Figure 4, illustrating a non-repudiable, non-trackable, one-way identification method. The Remote Entity may transmit a message, which identifies the Remote Entity, to the Identification Device (e.g., ID Node, or one of various ID Nodes of a particular Service Provider), and this ends the protocol. Accordingly, during the time that the identification is being made on-line, both sides, Remote Entity and Identification Device, know the corresponding GtimelReception Time (see Figure 4, block 14b) and, consequently, the Identification Device may verify the identification (See Figure 4, blocks 1 Sb and 16b). If the Identification is not on-line, the Generation Time used in the computation may be communicated openly to the Identification Device.
With regard to on-line transactions, to overcome possible drift between the time 2o measured by the Remote Entity and the time measured by the Identification Device, two successive identification procedures may be accomplished during the same identification process (see Figure 5). The time elapsed between the two identification procedures also may be determined by the Identification Device (see Figure 5, block 19d), which will signal/ trigger the Remote Entity to send a new Cipher. Because the time elapsed is set by the Identification Device, this process avoids the possibility of an impostor using two pre-recorded Ciphers in an attempt to defraud the system. Hence, measuring the Absolute Value of the drift difference (see Figure 5, block 27d) the Identification Device can overcome the drift problem without compromising security.
Another preferred exemplary implementation of the methods of the present invention 3o comprises a process similar to that described in Figure 5, but instead of using the Gtime a Remote Entity may use a Remote entity's specific function of the Gtime, referred to herein as is wo 99n~6~6 . rcTne9sro><s3e F T RE(Time), which preferably is a linear function. The Identification Device (e.g., ID Node/
System Administrator) will require the knowledge to compute F T RE(Time), and therefore, a database may be necessary.
As an example, a function of Gtime may be utilized wherein F T RE(Time) =
s RE Time = Time + RE cte, and where RE cte is a constant value, and is different for each Remote Entity (see Figure 6). Because, according to this particular implementation, the Identification Device may use a database anyway, it may be convenient to preserve the RE Time and RTime of the previous transaction (referred to herein as RE_Time_pre and RTime-pre) in a database available to the Identification Device. This is in order to update the 1 o drift while the' RE_cte value is being updated, which absorbs the drift as is shown in Figure 6.
' The Identification Device, after receiving the RE Time embedded in the Cipher and registering the RTime (Reception Time), will compare the difference:
RE Time - RTime with the previous difference (last recorded transaction):
~ 5 RE Time - RTime which will be referred to herein as:
RE Time-pre - RTime-pre.
This difference should be less than a tolerance value. The tolerance value may be a function (FTolerance) of the absolute value of the difference between RTime and Rtime-pre, as follows:
2o FTolerance(RTime - RTime~re).
A preferred specification of FTolerance is shown in Figure 7.
Although the invention has been described herein using specific examples of the various methods encompassed by the present invention, variations or alterations of the methods presented herein do not represent a departure from the spirit of the invention as set forth in the 25 specification and claims. For example, the methods of the present invention may include the addition of encryption steps. Furthermore, the addition of DES to the cipher or permutations of it; the addition of transaction data to the cipher, whether such transaction data is encrypted or not; and/or the addition of Error Correction algorithms. Moreover, the sequential order of the steps or sub-steps illustrated herein are used only to explain the methodology presented, and do 3o not limit or define the scope of the invention. Accordingly, slight variations in the implementation and/or sequential order the method steps described herein do not represent a departure from the spirit and scope of the invention.
Although the invention has been described herein using a general method for identification, many possible implementations of the methods presented by the invention are possible and remain within the scope of the invention. For example, these methods may be implemented in part wherein the Remote Entities are tokens or other portable devices (e.g., smart cards), or are the carriers of such devices. Moreover, the Identification Devices described herein may be in the form of PC's, ATMs, kiosks, or the like. Furthermore, the above-described methods may be masked or otherwise embedded into chips, and would not represent a 1 o departure from the spirit of the present invention.
Although the invention has been described herein in conjunction with the appended drawing figures and specific functions, those skilled in the art will appreciate that the scope of the invention is not so limited. Various modifications in the selection and arrangement of the various components, method and steps discussed herein may be made without departing from ~ s the spirit of the invention as set forth above.
Claims (3)
1. An identification method for a multitude of to-be-identified-entities against a central identification entity, the said identification arbitrated by an independent arbitrator entity comprising the steps of:
the independent arbitrator entity characterizing specific algorithms for each, and distributing the said algorithms to each of the to-be- identified entities;
the central identification entity distributing one reversible algorithm for all and to all of the to-be-identified-entities;
and for each identification operation, the to-be-identified-entity:
applies the independent arbitrator entity's algorithm to a challenge selected by the central identification entity for such identification operation computing a first result, and then applies the central identification entity's reversible algorithm to the said challenge, to its identification data, and to the said first result computing a second result (cipher), and the to-be-identified-entity transmits the said second result to the central identification entity;
whereas the central identif cation entity applies the reverse of the reversible algorithm to the received second result, computing a presumed challenge, a presumed to-be-identified entity's identification data, and a presumed first result;
and whereas the central identification entity compares the challenge previously send to the said presumed challenge, and if they are identical, the central identification entity sends to the independent arbitrator entity the presumed first result, together with the to-be-identified presumed entity identification data or other identification data of such entity, and the said challenge, and whereas the arbitrator entity retrieves the specific algorithm sent by him to the said to-be-identified entity and applies the said specific algorithm to the challenge computing the true first result, and compares such true first result with the presumed first result, and, if eventually are identical, the arbitrator entity corroborates the veracity of the identification to the central identification entity;
and whereas the central entity, having received the corroboration from the arbitrator entity, accepts the presumed identification data as true identification data corresponding to the to-be-identified-entity.
the independent arbitrator entity characterizing specific algorithms for each, and distributing the said algorithms to each of the to-be- identified entities;
the central identification entity distributing one reversible algorithm for all and to all of the to-be-identified-entities;
and for each identification operation, the to-be-identified-entity:
applies the independent arbitrator entity's algorithm to a challenge selected by the central identification entity for such identification operation computing a first result, and then applies the central identification entity's reversible algorithm to the said challenge, to its identification data, and to the said first result computing a second result (cipher), and the to-be-identified-entity transmits the said second result to the central identification entity;
whereas the central identif cation entity applies the reverse of the reversible algorithm to the received second result, computing a presumed challenge, a presumed to-be-identified entity's identification data, and a presumed first result;
and whereas the central identification entity compares the challenge previously send to the said presumed challenge, and if they are identical, the central identification entity sends to the independent arbitrator entity the presumed first result, together with the to-be-identified presumed entity identification data or other identification data of such entity, and the said challenge, and whereas the arbitrator entity retrieves the specific algorithm sent by him to the said to-be-identified entity and applies the said specific algorithm to the challenge computing the true first result, and compares such true first result with the presumed first result, and, if eventually are identical, the arbitrator entity corroborates the veracity of the identification to the central identification entity;
and whereas the central entity, having received the corroboration from the arbitrator entity, accepts the presumed identification data as true identification data corresponding to the to-be-identified-entity.
2. An identification method for a multitude of to-be-identified-entities against a central identification entity, the said identification arbitrated by an independent arbitrator entity, as in claim 1, but instead of receiving a challenge from the central identification entity, the to-be-identified-entity computes the time and date of the moment, applies the independent arbitrator entity's algorithm to the said time and date computing a first result, and then applies the central identification entity's reversible algorithm to the said time and date, to its identification data, and to the said first result computing a second result (cipher), and the to-be-identified-entity send the said second result to the central identification entity;
and whereas the central identification entity:
records the reception time of the cipher sent by the to-be-identified entity the central identification entity applies the reverse of the reversible algorithm to the received second result, computing a presumed time and date, a presumed to-be-identified entity's identification data, and a presumed first result;
and whereas the central identification entity compares the said reception time to the said presumed time and date, and if they are alike according to a pre-established tolerance, the central identification entity sends to the independent arbitrator entity the presumed first result, together with the to-be-identified entity identification data or other identification data of such entity, and the said presumed time and date, and whereas the arbitrator entity retrieves the specific algorithm sent by him to the said to-be-identified entity and applies the said specific algorithm to the said presumed time and date received from the central identification entity, computing the true first result, and compares such true first result with the presumed first result, and, if eventually are identical, the arbitrator entity corroborates the veracity of the identification to the central identification, entity;
and whereas the central entity, having received the corroboration from the arbitrator entity, accepts the presumed identification data as true identification data corresponding to the to-be-identified-entity.
and whereas the central identification entity:
records the reception time of the cipher sent by the to-be-identified entity the central identification entity applies the reverse of the reversible algorithm to the received second result, computing a presumed time and date, a presumed to-be-identified entity's identification data, and a presumed first result;
and whereas the central identification entity compares the said reception time to the said presumed time and date, and if they are alike according to a pre-established tolerance, the central identification entity sends to the independent arbitrator entity the presumed first result, together with the to-be-identified entity identification data or other identification data of such entity, and the said presumed time and date, and whereas the arbitrator entity retrieves the specific algorithm sent by him to the said to-be-identified entity and applies the said specific algorithm to the said presumed time and date received from the central identification entity, computing the true first result, and compares such true first result with the presumed first result, and, if eventually are identical, the arbitrator entity corroborates the veracity of the identification to the central identification, entity;
and whereas the central entity, having received the corroboration from the arbitrator entity, accepts the presumed identification data as true identification data corresponding to the to-be-identified-entity.
3. A system for secure identification comprising:
an arbitrator configured to store and provide a different algorithm for each of a plurality of remote entities, comprising a first processor having access to a first memory; and an identification device configured to provide a reversible algorithm to each of said remote entities, comprising a second processor having access to a second memory;
wherein each of said remote entities comprises a remote entity memory and a remote entity processor, and is configured to store one of said arbitrator algorithms, said reversible algorithm and remote entity identity information; and wherein said first processor cannot access said second memory and said second processor cannot access said first memory.
an arbitrator configured to store and provide a different algorithm for each of a plurality of remote entities, comprising a first processor having access to a first memory; and an identification device configured to provide a reversible algorithm to each of said remote entities, comprising a second processor having access to a second memory;
wherein each of said remote entities comprises a remote entity memory and a remote entity processor, and is configured to store one of said arbitrator algorithms, said reversible algorithm and remote entity identity information; and wherein said first processor cannot access said second memory and said second processor cannot access said first memory.
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| IL122106A IL122106A (en) | 1997-11-04 | 1997-11-04 | Method and algorithms for identification and validation |
| IL122106 | 1997-11-04 | ||
| PCT/IB1998/001834 WO1999027676A2 (en) | 1997-11-04 | 1998-11-04 | Methods and apparatus for the secure identification and validation of things and events |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CA2308474A1 true CA2308474A1 (en) | 1999-06-03 |
Family
ID=11070814
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA002308474A Abandoned CA2308474A1 (en) | 1997-11-04 | 1998-11-04 | Methods and apparatus for the secure identification and validation of things and events |
Country Status (5)
| Country | Link |
|---|---|
| EP (1) | EP1031260A4 (en) |
| AU (1) | AU9757898A (en) |
| CA (1) | CA2308474A1 (en) |
| IL (1) | IL122106A (en) |
| WO (1) | WO1999027676A2 (en) |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7013393B1 (en) | 1999-12-21 | 2006-03-14 | Pierre Stevens | Universal intelligent card for secure access to system functions |
| EP1668448A2 (en) | 2003-09-12 | 2006-06-14 | RSA Security Inc. | System and method providing disconnected authentication |
| GB0514492D0 (en) | 2005-07-14 | 2005-08-17 | Ntnu Technology Transfer As | Secure media streaming |
| US10075452B2 (en) | 2016-02-18 | 2018-09-11 | Comcast Cable Communications, Llc | Distributed content uploading and validation |
Family Cites Families (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US4326098A (en) * | 1980-07-02 | 1982-04-20 | International Business Machines Corporation | High security system for electronic signature verification |
| GB2146815A (en) * | 1983-09-17 | 1985-04-24 | Ibm | Electronic fund transfer systems |
| US5010571A (en) * | 1986-09-10 | 1991-04-23 | Titan Linkabit Corporation | Metering retrieval of encrypted data stored in customer data retrieval terminal |
| JP2671649B2 (en) * | 1991-07-08 | 1997-10-29 | 三菱電機株式会社 | Authentication method |
| US5422953A (en) * | 1993-05-05 | 1995-06-06 | Fischer; Addison M. | Personal date/time notary device |
| US5349643A (en) * | 1993-05-10 | 1994-09-20 | International Business Machines Corporation | System and method for secure initial program load for diskless workstations |
| DE69312328T2 (en) * | 1993-09-20 | 1998-01-08 | Ibm | SYSTEM AND METHOD FOR CHANGING THE KEY OR PASSWORD IN A COMMUNICATION NETWORK WITH KEY DISTRIBUTION |
| JP3263878B2 (en) * | 1993-10-06 | 2002-03-11 | 日本電信電話株式会社 | Cryptographic communication system |
| US5491750A (en) * | 1993-12-30 | 1996-02-13 | International Business Machines Corporation | Method and apparatus for three-party entity authentication and key distribution using message authentication codes |
| US5790667A (en) * | 1995-01-20 | 1998-08-04 | Matsushita Electric Industrial Co., Ltd. | Personal authentication method |
| JPH0950465A (en) * | 1995-08-04 | 1997-02-18 | Hitachi Ltd | Electronic shopping method, electronic shopping system and document authentication method |
-
1997
- 1997-11-04 IL IL122106A patent/IL122106A/en not_active IP Right Cessation
-
1998
- 1998-11-04 CA CA002308474A patent/CA2308474A1/en not_active Abandoned
- 1998-11-04 WO PCT/IB1998/001834 patent/WO1999027676A2/en not_active Application Discontinuation
- 1998-11-04 AU AU97578/98A patent/AU9757898A/en not_active Abandoned
- 1998-11-04 EP EP98951640A patent/EP1031260A4/en not_active Withdrawn
Also Published As
| Publication number | Publication date |
|---|---|
| IL122106A0 (en) | 1998-12-06 |
| EP1031260A2 (en) | 2000-08-30 |
| WO1999027676A3 (en) | 1999-09-02 |
| IL122106A (en) | 2010-11-30 |
| AU9757898A (en) | 1999-06-15 |
| WO1999027676A2 (en) | 1999-06-03 |
| EP1031260A4 (en) | 2001-03-28 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11100743B1 (en) | Blockchain-based election system | |
| US6957185B1 (en) | Method and apparatus for the secure identification of the owner of a portable device | |
| EP1769419B1 (en) | Transaction & payment system securing remote authentication/validation of transactions from a transaction provider | |
| EP0824814B1 (en) | Methods and apparatus for authenticating an originator of a message | |
| US8315948B2 (en) | Method and device for generating a single-use financial account number | |
| EP0500749B1 (en) | Method for personal identification using proofs of legitimacy | |
| US7844550B2 (en) | Method and device for generating a single-use financial account number | |
| JP2777060B2 (en) | Authentication method of portable object by offline terminal and corresponding terminal | |
| US4797920A (en) | Electronic funds transfer system with means for verifying a personal identification number without pre-established secret keys | |
| US5832089A (en) | Off-line compatible electronic cash method and system | |
| US7568616B2 (en) | Authentication methods and apparatus for vehicle rentals and other applications | |
| US5245657A (en) | Verification method and apparatus | |
| US6430690B1 (en) | Secure one-way authentication communication system | |
| JP2000357156A (en) | System and method for authentication sheet distribution | |
| CA2308474A1 (en) | Methods and apparatus for the secure identification and validation of things and events | |
| EP0886248B1 (en) | Method and apparatus for registration of information with plural institutions and recording medium with registration program stored thereon | |
| WO1996041316A2 (en) | Off-line compatible electronic cash method and system | |
| JP2005252349A (en) | Certifying simulated zero-knowledge method of |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| FZDE | Discontinued |