CN1323478A - Method and device for authenticating with symmetrical algorithm - Google Patents


Info

Publication number: CN1323478A
Authority: CN (China)
Prior art keywords: xor, key, value, alg, sub
Legal status: Pending
Application number: CN99812286.6A
Other languages: Chinese (zh)
Inventor: L·鲁索
Current Assignee: Gemplus SA
Original Assignee: Gemplus SA
Priority date: 1998-08-17
Filing date: 1999-08-16
Publication date: 2001-11-21
Application filed by Gemplus SA

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32: ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3271: ... using challenge-response
    • H04L 9/3273: ... using challenge-response for mutual authentication

Abstract

The invention concerns a method and a system for authenticating with a symmetrical algorithm, essentially characterised in that, for each mutual authentication of two parties, a cryptographic computation with a variable key, referred to as K', is carried out. The main steps of the method are as follows: a) party A, possessing the secret key K, sends a random number R1 to party B, the latter also possessing the same secret key K; b) party B selects a random number R2 and computes the number K', which is also a secret key, from the formula K' = R2 xor K, xor denoting the exclusive-or mathematical operation; c) B then, using a symmetrical encryption algorithm ALG, computes a result r from the formula r = ALG[K'](R1); d) party B then sends r and R2 to party A; e) party A, using the same symmetrical encryption algorithm ALG, computes K' and r' from the formulae K' = R2 xor K and r' = ALG[K'](R1); f) if r is equal to r', then party B is authenticated by party A.

Description

Method and apparatus for authentication with a symmetric algorithm
The present invention relates to a method of authentication with a symmetric algorithm, whose principal characteristic is that, for each mutual authentication of two parties, usually referred to as A and B, a cryptographic computation is carried out with a variable key, referred to as K'.
More precisely, the invention relates to the cryptographic computation mentioned above when two parties A and B, exchanging data, authenticate one another independently. This may take place between a PC and a server, between a reader and a server, or between a chip card and a chip card reader; for instance, in the case of an ATM used with a chip card, the cash dispenser is referred to as A and the user who wishes to withdraw cash at the dispenser is referred to as B.
More particularly, the two parties A and/or B may be taken to be a chip card and/or a reader.
Those skilled in the art know that security is of great concern for the proper operation of devices of the cash dispenser and chip card type. These concerns are the subject of continuing and ever more effective protective measures, so that such attacks become increasingly difficult to carry out.
To explain the situation, in the technical field of cryptography the two interacting parties are, as is well known, called A and B.
In more technical and scientific terms, the known method consists of the following steps.
Specifically, A, who holds a secret key K, selects a random value R, or random number, also referred to as a message.
A sends this random value R to B, who also holds the same secret key K.
B uses the symmetric encryption algorithm ALG to compute a result, referred to as r, from the following formula:
r = ALG[K](R).
r is the result of encrypting the message R with the algorithm ALG and the secret key K. The algorithm called ALG is a symmetric encryption algorithm; it may be DES (Data Encryption Standard), triple DES, IDEA, etc.
This computation can be performed because the secret key is known to both parties A and B, and to A and B only.
B then sends the result r to A. A then computes the result r' from the following formula:
r' = ALG[K](R).
If the result r equals r', then B is authenticated.
In this way B is authenticated by A.
However, this operation is insufficient, because it is vulnerable to current measurement and hence to attack by a possible attacker.
An attacker measures the current consumption of the chip. From the curve obtained, he can infer information about the data used by the processor during the operation. To obtain an accurate measurement, the attacker must take many measurements and filter them.
More precisely, the problem is the computation of r, that is to say the formula:
r = ALG[K](R).
This is because current measurement is easy to carry out at this level, so that data can be learned through the computation, particularly because the key K is a constant.
To obtain a relevant measurement, the attacker must carry out many measurements and filter them in order to extract relevant information. Since the same constant key K is used, the same key K is used in all measurements, so the result of the filtering is specific to the key K.
The present invention proposes a first characteristic, which consists of a simple modification carried out in the formula for computing r' of the authentication protocol that is the object of the invention.
Party A, who holds the secret key K, sends a random value or randomly chosen number R1 to party B. The latter also holds the same secret key K.
B selects a random number R2 and then computes the number K', which is also a secret key, from the following formula:
K' = R2 xor K, where xor denotes the mathematical exclusive-or operation.
B then computes a result r from the following formula:
r = ALG[K'](R1).
B then sends r and R2 to A.
The latter, using the same symmetric encryption algorithm ALG, computes K' and r' from the following formulae:
K' = R2 xor K
and
r' = ALG[K'](R1).
If r equals r', then B is authenticated by A.
The attack is now made impossible by the following fact: because K' changes at each authentication, the current consumption of the computation of r and r' is different each time an authentication is performed.
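The exchange described above, written out with both parties' messages, as an added example that is not part of the patent and not Gemplus's own code. It assumes 16-byte values for K, R1 and R2, uses HMAC-SHA256 as a stand-in for the symmetric algorithm ALG (the patent names DES or triple DES; any shared keyed primitive fits the protocol the same way), and the class and function names (`PartyA`, `PartyB`, `authenticate`, `replayed_response_is_rejected`) are my own. Running the same exchange with the roles swapped authenticates A to B, which is what makes the scheme mutual.

```python
"""Challenge-response with a per-authentication key K' = R2 xor K."""
import hashlib
import hmac
import secrets

KEY_LEN = 16  # length in bytes of K, R1 and R2 (constructed choice for the example)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise exclusive-or of two equal-length byte strings (the patent's xor)."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def alg(key: bytes, message: bytes) -> bytes:
    """Stand-in for the patent's symmetric algorithm ALG[key](message).

    Assumption: HMAC-SHA256 replaces a block cipher such as DES so that the
    example runs with the standard library only."""
    return hmac.new(key, message, hashlib.sha256).digest()


class PartyA:
    """The verifier (e.g. the reader or cash dispenser)."""

    def __init__(self, k: bytes) -> None:
        self.k = k
        self.r1 = None

    def challenge(self) -> bytes:
        # Step a: choose a fresh random R1 and send it to B.
        self.r1 = secrets.token_bytes(KEY_LEN)
        return self.r1

    def verify(self, r: bytes, r2: bytes) -> bool:
        # Step e: recompute K' = R2 xor K and r' = ALG[K'](R1).
        k_prime = xor_bytes(r2, self.k)
        r_prime = alg(k_prime, self.r1)
        # Step f: B is authenticated iff r == r' (constant-time comparison).
        return hmac.compare_digest(r, r_prime)


class PartyB:
    """The prover (e.g. the chip card)."""

    def __init__(self, k: bytes) -> None:
        self.k = k

    def respond(self, r1: bytes) -> tuple:
        # Step b: pick R2 and derive the one-time key K' = R2 xor K.
        r2 = secrets.token_bytes(KEY_LEN)
        k_prime = xor_bytes(r2, self.k)
        # Steps c and d: r = ALG[K'](R1); send r together with R2.
        return alg(k_prime, r1), r2


def authenticate(key_a: bytes, key_b: bytes) -> bool:
    """Run one authentication of B by A; True iff A accepts."""
    a, b = PartyA(key_a), PartyB(key_b)
    r1 = a.challenge()        # A -> B : R1
    r, r2 = b.respond(r1)     # B -> A : r, R2
    return a.verify(r, r2)


def replayed_response_is_rejected(key: bytes) -> bool:
    """A transcript (r, R2) captured from one run fails against a fresh R1."""
    a, b = PartyA(key), PartyB(key)
    r, r2 = b.respond(a.challenge())
    accepted_once = a.verify(r, r2)
    a.challenge()             # A issues a new challenge R1
    return accepted_once and not a.verify(r, r2)


if __name__ == "__main__":
    shared = secrets.token_bytes(KEY_LEN)
    print("same key  :", authenticate(shared, shared))
    print("wrong key :", authenticate(shared, secrets.token_bytes(KEY_LEN)))
    print("replay    :", replayed_response_is_rejected(shared))
```

Note that only R1 is a challenge in the usual sense; R2 is chosen by the prover and transmitted in clear, so its role is to vary the key under which ALG runs, not to add secrecy. The verifier's comparison uses `hmac.compare_digest` so that the final check does not itself leak through timing.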
However, the computation of K' itself remains vulnerable to attack, since it too involves current consumption. The present invention therefore proposes a second characteristic, independent of the first characteristic described above and concerning only the computation of K'.
This is because the present invention uses an encryption system that is independent of and/or associated with the authentication system described above.
It consists of the computation of K', in which K' is produced in a random manner.
For this purpose, the secret key K is decomposed, according to the formula below, into a set of n sub-keys k_i, where i is the index of the sub-key:
K = k_1 xor k_2 xor ... xor k_n.
The computation of K' can therefore be expressed by another formula:
K' = R2 xor k_1 xor ... xor k_n.
Because the operator xor is commutative, the order of the computation can be changed, so that a different computation is obtained at each authentication.
To establish the relationship between K and K', the algorithm used comprises an initialisation phase and a set of loops.
The initialisation of the algorithm is first explained in general, then by way of a specific case, and finally transposed back to the general situation.
Initialisation is explained in the following statements.
In general, a first table k (referred to below as k[]) is used; this table contains the values of the n sub-keys k_i.
A second table, referred to as to-do (below, to-do[]), contains n Booleans. Each Boolean initially holds the true value, referred to below and in Fig. 2 as "True" or "T". The tables k[] and to-do[] contain the same number n of elements, representing the n sub-keys k_i and the n Booleans.
The value R2 is assigned to K', i.e. K' = R2.
The loop of the algorithm is described below and shown in Fig. 1:
The first step, step a, consists of the following: as long as the table to-do[] still contains an element whose value is "T", a random number i between 1 and n is selected.
The next step, step b, tests whether element i of the table to-do[] is identical to the value referred to as "T" in the figure.
If the identity test is true, two operations are performed:
- first, step c assigns to the variable K' the result of the exclusive-or between K' and the i-th element of the table k[], which is in fact the computation of the formula:
K' = K' xor k[i]
- second, step d assigns the value "False", referred to as "F" in the figure, to the element of index i of the table to-do[]: to-do[i] = "F".
If the identity test of step b is false, the computing system returns to the first step, step a.
This algorithm is not constant-time, because more loops may be performed than there are sub-keys k_i.
The present invention also relates to an authentication system with a symmetric encryption algorithm between two entities or parties A and B holding the same secret key K, which implements the method described above.
The present invention will now be described with the embodiment of a specific example, shown in Fig. 2, which describes only two loops: the case where the number n of sub-keys equals 2, n = 2.
Initialisation is the same as in the general case described above; in Fig. 2 it is shown with reference A or 10.
The loop of the algorithm proceeds as follows:
Two computations of the algorithm are possible.
Either the following computation is performed:
K' = R2 xor k_1 xor k_2
or the following computation is performed:
K' = R2 xor k_2 xor k_1.
Therefore the attacker does not know at the outset which computation will be performed, and therefore cannot use repeated measurements and filtering.
The probability that a single loop, or a single attempt, fills both elements is zero; or, more clearly and visibly (see Fig. 2), the probability of entering the value "F" into both elements of the table to-do[] in a single attempt is zero. Therefore the two identical values "F", "F" cannot be obtained in one loop.
Next, the probability of entering "F" into both elements of the table to-do[] in two loops, or two attempts, equals one half, or 1/2.
This is because in the first loop the random number i equals 1 (20) or 2 (21), i = 1 or 2 being selected; the value "F" is then entered into one of the two elements of the table to-do[]; this first loop is denoted B in Fig. 2.
In the second loop (see Fig. 2), the random number i again equals 1 or 2, i = 1 or 2 being selected; the value "F" is then entered, according to the random number selected, into one of the two elements of the table to-do[]; this second loop is denoted C in Fig. 2.
There are therefore two terminated cases (31, 32), that is to say the two elements hold the two values "F", and two non-terminated cases (30, 33), in which the computation of K' has not terminated. The probability of obtaining this result is one half.
Further, the probability of filling both elements in the third loop, or third attempt, equals one quarter, or 1/4 (not shown in Fig. 2).
This is because the random number i equals 1 or 2 is selected, and the value "F" is entered either into the first element of the table to-do[] or into the second.
Therefore, as at the second loop, there are two terminated cases, that is to say the two elements hold the two values "F", and two non-terminated cases in which the computation of K' has not terminated.
More generally, the probability of filling both elements in the k-th loop equals 1/2^(k-1).
It is useful to know the mean number S of loops that must be performed for each of the two elements to hold the value "F".
For this purpose the mathematical expectation is computed and formulated as follows:
S = \sum_{i=2}^{\infty} i \times \frac{1}{2^{i-1}} = 3
This mathematical expectation is the probability-weighted sum of the loop counts.
As computed, it equals three (the full series \sum_{i \geq 1} i / 2^{i-1} sums to 4, and the i = 1 term, which has probability zero here, contributes 1).
The conclusion is therefore: S = 3.
The computation of K' is completed on average in three loops.
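The Fig. 1 loop and the expectation S above, as added example code that is not from the patent and not Gemplus's implementation. It assumes K is split into sub-keys by drawing n-1 random shares and fixing the last so that their xor equals K (the patent does not say how the split is made), uses 0-based indices where the patent uses 1..n, and the function names (`split_key`, `compute_k_prime`, `expected_loops_series`, `expected_loops_exact`, `simulate_mean_loops`) are my own. `expected_loops_exact` goes beyond the n = 2 case in the text: the loop is a coupon-collector process, so the mean is n(1 + 1/2 + ... + 1/n), which gives 3 for n = 2.

```python
"""Randomised-order computation of K' = R2 xor k_1 xor ... xor k_n."""
import random
import secrets
from fractions import Fraction


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise exclusive-or of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n: int) -> list:
    """Decompose K into n sub-keys with K = k_1 xor ... xor k_n (claim 2).

    Constructed choice: the first n-1 sub-keys are random and the last is
    chosen so that the xor of all n equals K."""
    subkeys = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for s in subkeys:
        last = xor_bytes(last, s)
    subkeys.append(last)
    return subkeys


def compute_k_prime(r2: bytes, subkeys: list, rng=None) -> tuple:
    """The Fig. 1 loop: returns (K', number of loops executed).

    rng needs randrange(); on a device use secrets.SystemRandom() (the default
    here) and a seeded random.Random() only for reproducible experiments."""
    rng = rng or secrets.SystemRandom()
    n = len(subkeys)
    k_prime = r2                 # initialisation: K' = R2
    todo = [True] * n            # to-do[] holds n Booleans, all "T"
    loops = 0
    while any(todo):             # step a: some element is still "T" ...
        i = rng.randrange(n)     # ... so pick a random index
        loops += 1
        if todo[i]:              # step b: is to-do[i] still "T"?
            k_prime = xor_bytes(k_prime, subkeys[i])   # step c: K' = K' xor k[i]
            todo[i] = False                            # step d: to-do[i] = "F"
        # otherwise fall through and return to step a
    return k_prime, loops


def expected_loops_series(terms: int = 60) -> float:
    """Partial sum of the patent's S = sum_{i>=2} i / 2^(i-1) for n = 2.

    Sixty terms already agree with the limit 3 to double precision."""
    return sum(i / 2 ** (i - 1) for i in range(2, 2 + terms))


def expected_loops_exact(n: int) -> Fraction:
    """Mean loop count for general n (generalisation not stated in the patent).

    After j sub-keys are done, a loop makes progress with probability (n-j)/n,
    so the mean is n * (1 + 1/2 + ... + 1/n); n = 2 gives 3."""
    return n * sum(Fraction(1, j) for j in range(1, n + 1))


def simulate_mean_loops(n: int, trials: int, seed: int = 1234) -> float:
    """Monte-Carlo estimate of the mean loop count (the key value is irrelevant)."""
    rng = random.Random(seed)
    subkeys = split_key(bytes(1), n)
    total = 0
    for _ in range(trials):
        total += compute_k_prime(bytes(1), subkeys, rng)[1]
    return total / trials


if __name__ == "__main__":
    k = secrets.token_bytes(16)
    r2 = secrets.token_bytes(16)
    subs = split_key(k, 2)
    kp, loops = compute_k_prime(r2, subs)
    print("K' equals R2 xor K:", kp == xor_bytes(r2, k), "after", loops, "loops")
    print("series S      :", expected_loops_series())
    print("exact S (n=2) :", expected_loops_exact(2))
    print("simulated S   :", simulate_mean_loops(2, 20000))
```

Whatever order the loop visits the sub-keys, the returned K' equals R2 xor K, which is what lets the verifier recompute it directly from R2 and K while the prover's power trace varies from run to run. The non-constant loop count the description notes is visible in `simulate_mean_loops`: the mean is 3 for n = 2, but individual runs can take many more loops.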

Claims (8)

  1. A method of authentication with a symmetric encryption algorithm between two entities or parties A and B holding the same secret key K, characterised in that it carries out the following authentication steps:
    a) party A, holding the secret key K, sends a random value or randomly chosen number R1 to party B, the latter also holding the same secret key K;
    b) party B selects a random number R2 and computes the number K', which is also a secret key, from the following formula:
    K' = R2 xor K, where xor denotes the mathematical exclusive-or operation;
    c) then B, using the symmetric encryption algorithm ALG, computes a result r from the following formula:
    r = ALG[K'](R1)
    d) said party B then sends r and R2 to said party A;
    e) said party A, using the same symmetric encryption algorithm ALG, computes K' and r' from the following formulae:
    K' = R2 xor K
    and
    r' = ALG[K'](R1);
    f) if r equals r', then said party B is authenticated by said party A.
  2. The method according to claim 1, characterised in that the key K is decomposed, according to the formula below, into a set of n sub-keys k_i, i being the index of the sub-key:
    K = k_1 xor k_2 xor ... xor k_n.
  3. The method according to claim 1 or 2, characterised in that it comprises a system for computing K' with the following formula, the order in which the sub-keys k_i are used being random, i being the sub-key index:
    K' = R2 xor k_1 xor ... xor k_n.
  4. The method according to claim 3, characterised in that the secret key K' is computed using an algorithm comprising an initialisation phase and a set of loops.
  5. The method according to claim 4, characterised in that the initialisation phase comprises:
    - a first table k, or k[], containing the n sub-keys k_i, and
    - a second table, referred to as to-do, or to-do[], containing n Booleans, each Boolean holding the true value called "True" or "T",
    and characterised in that the tables k[] and to-do[] contain the same number n of elements, representing the n sub-keys k_i and the n Booleans.
  6. The method according to claim 4, characterised in that the loop of the algorithm comprises the following steps:
    a) a first step consisting of the following: as long as the table to-do[] still contains an element whose value is "T", a random number i between 1 and n is selected;
    b) a second step comprising testing whether element i of the table to-do[] has the value "T";
    c) if the result of the second step is true, a third step comprising two operations:
    - first, assigning to the variable K' the result of the exclusive-or between K' and the i-th element of the table k[], computed as follows:
    K' = K' xor k[i]
    - second, assigning the value "False", referred to below and in the figure as "F", to the element of index i of the table to-do[]: to-do[i] = "F".
  7. The method according to claim 4, characterised in that the loop of the algorithm consists of the following steps:
    a) a first step consisting of the following: as long as the table to-do[] still contains an element whose value is "T", a random number i between 1 and n is selected;
    b) a second step comprising testing whether element i of the table to-do[] has the value "T";
    c) if the result of the second step is false, the computing system returns to the first step.
  8. An authentication system with a symmetric encryption algorithm between two entities or parties A and B holding the same secret key K, characterised in that it implements the authentication method according to any one of claims 1 to 7.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR98/10591 1998-08-17
FR9810591A FR2782431B1 (en) 1998-08-17 1998-08-17 SYMMETRIC ALGORITHM AUTHENTICATION METHOD AND DEVICE

Publications (1)

Publication Number Publication Date
CN1323478A true CN1323478A (en) 2001-11-21

Family

ID=9529804

Family Applications (1)

Application Number Title Priority Date Filing Date
CN99812286.6A Pending CN1323478A (en) 1998-08-17 1999-08-16 Method and device for authenticating with symmetrical algorithm

Country Status (7)

Country Link
EP (1) EP1104607A1 (en)
JP (1) JP2002523923A (en)
CN (1) CN1323478A (en)
AU (1) AU5173199A (en)
FR (1) FR2782431B1 (en)
MX (1) MXPA01001783A (en)
WO (1) WO2000010287A1 (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100405395C (en) * 2005-03-22 2008-07-23 刘普合 Commodity composite anti-fake code and symmetric test anit-fake method
CN1684411B (en) * 2004-04-13 2010-04-28 华为技术有限公司 Method for verifying user's legitimate of mobile terminal
CN101997880A (en) * 2010-12-01 2011-03-30 湖南智源信息网络技术开发有限公司 Method and device for verifying security of network page or interface
CN102014136A (en) * 2010-12-13 2011-04-13 南京邮电大学 Peer to peer (P2P) network secure communication method based on random handshake
CN1863042B (en) * 2005-12-13 2011-05-04 华为技术有限公司 Method for information encryption and decryption
CN102411692A (en) * 2010-09-25 2012-04-11 中国移动通信有限公司 Method, system and equipment for running terminal
CN1682479B (en) * 2002-07-24 2013-07-17 高通股份有限公司 Method and device for efficient encryption and authentication for data processing systems

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2804524B1 (en) * 2000-01-31 2002-04-19 Oberthur Card Systems Sas METHOD FOR EXECUTING A CRYPTOGRAPHIC PROTOCOL BETWEEN TWO ELECTRONIC ENTITIES
FR2819079B1 (en) * 2000-12-29 2003-02-14 Gemplus Card Int METHOD OF PROTECTION AGAINST ATTACKS BY MEASURING CURRENT OR ELECTROMAGNETIC RADIATION
FR2819078B1 (en) * 2000-12-29 2003-02-14 Gemplus Card Int METHOD OF PROTECTION AGAINST ATTACKS BY MEASURING CURRENT OR BY MEASURING ELECTROMAGNETIC RADIATION
CN100364262C (en) * 2004-08-04 2008-01-23 中国联合通信有限公司 Access discrimination method and device for EV-DO network
US7401222B2 (en) * 2004-12-16 2008-07-15 Xerox Corporation Method of authentication of memory device and device therefor
FR2974694B1 (en) * 2011-04-27 2013-05-31 Peugeot Citroen Automobiles Sa METHOD OF SECURELY EXCHANGING SYMMETRICALLY ENCRYPTED MESSAGES
CZ2022127A3 (en) * 2022-03-17 2023-05-17 Jan Topol A method of municipal wastewater treatment and equipment for performing the method

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2530053B1 (en) * 1982-07-08 1986-04-25 Bull Sa METHOD FOR CERTIFYING THE SOURCE OF AT LEAST ONE INFORMATION RECORDED IN A MEMORY OF A FIRST ELECTRONIC DEVICE AND TRANSMITTED TO A SECOND ELECTRONIC DEVICE, AND SYSTEM FOR IMPLEMENTING SUCH A METHOD
FR2612315A1 (en) * 1987-03-13 1988-09-16 Trt Telecom Radio Electr METHOD FOR SIMULTANEOUSLY READING AND CERTIFYING INFORMATION PRESENT IN A MEMORY OF AN ELECTRONIC MEDIUM
JP2531354B2 (en) * 1993-06-29 1996-09-04 日本電気株式会社 Authentication method
FR2738972B1 (en) * 1995-09-15 1997-11-28 Thomson Multimedia Sa DATA PAGING METHOD FOR A SECURE DATA EXCHANGE PROTOCOL
DE19716111A1 (en) * 1997-04-17 1998-10-22 Giesecke & Devrient Gmbh Procedure for mutual authentication of two units

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1682479B (en) * 2002-07-24 2013-07-17 高通股份有限公司 Method and device for efficient encryption and authentication for data processing systems
CN1684411B (en) * 2004-04-13 2010-04-28 华为技术有限公司 Method for verifying user's legitimate of mobile terminal
CN100405395C (en) * 2005-03-22 2008-07-23 刘普合 Commodity composite anti-fake code and symmetric test anit-fake method
CN1863042B (en) * 2005-12-13 2011-05-04 华为技术有限公司 Method for information encryption and decryption
CN102411692A (en) * 2010-09-25 2012-04-11 中国移动通信有限公司 Method, system and equipment for running terminal
CN102411692B (en) * 2010-09-25 2015-07-01 中国移动通信有限公司 Method, system and equipment for running terminal
CN101997880A (en) * 2010-12-01 2011-03-30 湖南智源信息网络技术开发有限公司 Method and device for verifying security of network page or interface
CN102014136A (en) * 2010-12-13 2011-04-13 南京邮电大学 Peer to peer (P2P) network secure communication method based on random handshake
CN102014136B (en) * 2010-12-13 2013-03-06 南京邮电大学 Peer to peer (P2P) network secure communication method based on random handshake

Also Published As

Publication number Publication date
WO2000010287A1 (en) 2000-02-24
FR2782431B1 (en) 2000-09-29
EP1104607A1 (en) 2001-06-06
AU5173199A (en) 2000-03-06
FR2782431A1 (en) 2000-02-18
MXPA01001783A (en) 2002-07-22
JP2002523923A (en) 2002-07-30

Similar Documents

Publication Publication Date Title
US7356696B1 (en) Proofs of work and bread pudding protocols
CN1323478A (en) Method and device for authenticating with symmetrical algorithm
CN1314277C (en) Method and device for testing first communication side truth and reliability in communication network
CN104811300B (en) The key updating method of cloud storage and the implementation method of cloud data accountability system
CN107749836B (en) Mobile sensing system and mobile sensing method for user privacy protection and data reliability
US6940976B1 (en) Generating user-dependent RSA keys
CN101032117A (en) Method of authentication based on polynomials
CN1846397A (en) Two-factor authenticated key exchange method and authentication method using the same, and recording medium storing program including the same
CN1281608A (en) Cryptographic key generation using biometric data
CN1889432A (en) Long-distance password identifying method based on smart card, smart card, server and system
CN1413320A (en) Method of authenticating anonymous users while reducing potential for
CN1922845A (en) Token authentication system and method
CN1902853A (en) Method and apparatus for verifiable generation of public keys
CN101030859A (en) Method and system for verifying distributed network
CN1193538C (en) Electronic cipher formation and checking method
CN1763760A (en) Be used to use digital ticket that the method and apparatus of the ecommerce of anonymity is provided
CN1855810A (en) Dynamic code verificating system, method and use
US9973514B2 (en) Method and apparatus for assuring location data integrity with minimum location disclosure
CN101034985A (en) Method and system for the anti-counterfeit of the mobile phone with the dynamic code
CN1925398A (en) Cipher card dynamic identification method and system based on pre-computation
CN101075869A (en) Method for realizing network certification
CN108337092A (en) Method and system for executing collective's certification in a communication network
US8051097B2 (en) System and method for authentication using a shared table and sorting exponentiation
CN110932865B (en) Linkable ring signature generation method based on SM2 digital signature algorithm
CN112487253A (en) User invitation code generation method, verification method, device, equipment and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication