DE102010001137A1 - Secure renewal of cryptographic keys - Google Patents

Abstract

A method for securely renewing a cryptographic key k with partial keys k1 and k2, which are used for secure communication between subscribers A and B, comprises steps of transmitting a first message from A to B, the first message containing the following: MID, Na, MAC [k1] (MID, Na); transmitting a second message from B to A, the second message including: MID, Nb, MAC [k1] (MID, Na, Nb); where MID is an identification of A, Na is a number generated by A, Nb is a number generated by B and MAC [k1] (...) is the value of a one-way function MAC on the basis of the subkey k1; and determining a renewed key k 'on the basis of both random numbers Na and Nb and the partial key k2 ;.

Description

For the transmission of information to be exchanged for interception, alteration and counterfeiting by third parties between two communication partners, different cryptographic methods are known. For example, vending machines that allow cashless payment through, for example, credit, debit or debit cards, can first cryptographically encrypt information required for a financial transfer, and then transmit it on an unsecured medium to a central location where the transfer continues , An example of such vending machines is a parking ticket machine set up on a parking area, in which the service of parking a motor vehicle on the parking area can be paid for.

Such a vending machine is usually controlled by a microprocessor whose performance is relatively modest. Deployment of an asymmetric encryption method based on a pair of public and secret cryptographic keys usually can not be performed in an acceptable time because of the complexity of the method of such microcomputers. A symmetric encryption method in which both communication partners are in possession of the same key, which is used equally for encryption as well as for decryption, generally has less security against a cryptological attack. The secret key ("shared secret") is therefore usually renewed at intervals.

To install a cryptographic key, extensive policies exist to prevent the key from being compromised before or during installation. The guidelines issued by the Security Standards Council (SSC) of the Payment Card Industry (PCI) require, among other things, complete documentation of the generation, career and whereabouts of the cryptographic key. In addition, the four-eye principle applies, i. h. that a person who is entrusted with the handling of a cryptographic key, at no time in the possession of the full key, but at most a key fragment. In order to renew the cryptographic key, for example in a vending machine, at least two persons are required to install and activate complementary key fragments by means of separate data carriers on site at the vending machine. With a larger number of vending machines, such as full-coverage parking machines, the regular renewal of the cryptographic keys is a logistically and personnel consuming process that is associated with high costs.

The invention is based, to make the renewal of such cryptographic keys more economical task.

The invention solves this problem by a method having the features of claim 1, a computer program product having the features of claim 6 and a system having the features of claim 7. Subclaims give preferred embodiments again.

A method for securely renewing a cryptographic key k with subkeys k1 and k2 used for secure communication between subscribers A and B comprises steps of transmitting a first message from A to B, the first message including: MID, Na, MAC [k1] (MID, Na); transmitting a second message from B to A, the second message including: MID, Nb, MAC [k1] (MID, Na, Nb); and determining a renewed key k 'based on Na and Nb and the subkey k2. Where MID is an identification of A, Na is a number generated by A, Nb is a number generated by B, and MAC [k1] (x) is the value of a one-way function MAC based on subkey k1 with the argument x.

Using the method, only two messages need to be exchanged between A and B to renew the cryptographic key k. The communication can be handled via an unsecured network, which for example includes parts of the Internet or a radio network. A use of local operators is not required for the transmission of the renewed key, which can result in cost advantages.

The communication between the subscribers A and B can be encrypted by means of a symmetric encryption method on the basis of the subkey k2. As a result, all communications between A and B are encrypted, and a potential attacker will have extra trouble with a cryptographic attack detecting a key renewal operation due to eavesdropping messages between A and B.

The method may further comprise determining renewed subkeys k1 'and k2' based on the renewed key k '. The subkeys k1 'and k2' can replace the subkeys k1 and k2, wherein the subkey k1 can be used for encrypting and decrypting the communication between A and B and the subkey k2 for message authentication, such as by means of the MAC function.

The MAC function can be a Keyed Hash Message Authentication (HMAC) based on the partial key k1. In the process, a message authentication code (MAC) for the message is determined on the basis of a key. Without knowledge of the correct subkey, a scatter value of a message can not be checked, and a message carrying a wrong spurious value can be rejected as a forgery or falsification. The HMAC is an effective measure against counterfeiting of messages between A and B.

The renewed key k 'may be determined by means of a One Way Keyed Hash (OWKH) cryptographic function based on the partial key k2. To generate the cryptographic OWKH function, the subkey k2 is additionally required. The cryptographic OWKH function secures the renewed key k 'against a cryptographic attack.

According to a further aspect, a computer program product comprises program code means for carrying out the method described above, wherein the computer program product can run on a computer or be stored on a computer-readable data carrier.

In another aspect, a secure communication system includes a terminal for interacting with a user and a transaction site, wherein the transaction site and the terminal communicate with each other via an unsecured communication link, and the transaction site and the terminal are configured to perform the method described above. The communication may include a communication step of the method.

In particular, in a system comprising a plurality of terminals spatially spaced apart, maintenance and servicing costs of the terminals may be reduced by use of the described method.

The terminal may be a vending machine and the communication may include a financial transfer. Based on the described method, the system may be configured to meet policies for handling cryptographic keys, such as an institution performing or further handling the money transfer, although to renew the key, physical presence of operators on the terminal is not required is.

The terminal may already be equipped with a cryptographic key u for its first communication with the transaction site prior to its commissioning. The cryptographic key u can be installed, for example, cost-saving in the production, delivery or commissioning of the terminal. In particular, it is possible to equip a plurality of terminals with the same key u. After start-up, each terminal can as quickly as possible carry out the above-described method for renewing the cryptographic key, whereby a cryptological vulnerability of each terminal can be kept small.

Further, the system may include a keystore for storing individual keys for each terminal. Individual cryptographic keys used for communicating the transaction site with the individual terminals can thus be managed in a centralized manner and protected accordingly.

The invention will now be explained in more detail with reference to the accompanying figures, in which:

1 a system with encrypted communication between a transaction site and a plurality of terminals;

2 a method of operating the system 1 ;

3 a method for renewing the cryptographic key for communication in the system 1 ; and

4 an alternative method for renewing the cryptographic key for communication in the system 1
represent.

1 shows a system 100 , which is a transaction office 110 , several devices 120 , a key store 130 and an administration facility 140 includes. By means of a network 150 is each of the terminals 120 with the transaction control 110 connected. The network 150 may be unsecured in whole or in part. In particular, the network can 150 include a portion of the internet. The terminals 120 can, as in 1 shown to be car park terminals; In other embodiments, any type of vending machine may be used as the terminal 120 be implemented.

The transaction control 110 and the administration facility 140 are each with the keystore 130 connected. In the key store 130 are, for example in the form of a database, keys for communication with each of the terminals 120 stored. By means of the administration device 140 can, among other things, be new Key generated and existing keys are viewed, changed and deleted.

Administration forces W1 and W2 retain volumes C1 and C2, respectively, by means of which a cryptographic key to the terminals 120 can be spent.

The transaction control 110 , the key store 130 and the administration facility 140 can each be implemented by a computer. In particular, several of said elements can be implemented by a common computer. In a further embodiment, the transaction control 110 , the key store 130 and / or the administration facility 140 be executed repeatedly for failover and / or load distribution.

In one embodiment, the transaction control is 110 associated with other facilities that allow processing of a monetary transaction. These further devices may include, for example, a secure network, which is connected to a transaction computer of a credit card company or other organization for processing cashless payment transactions.

2 shows a method 200 to operate the system 100 out 1 , The procedure 200 includes the commissioning and operation of one of the terminals 120 out 1 with regard to a cryptographic key k.

In a first step 210 the cryptographic key k is generated, which is used for communication of the terminal to be set up 120 with the transaction control 110 over the network 150 should be used. The cryptographic key k is used by the administration device 140 generated and stored in the keystore 130 deposited.

In a following step 220 are generated from the generated cryptographic key k two key fragments f1 and f2, in a subsequent step 230 be written to the two volumes C1 and C2. In order to obtain the key k or a subkey k1, k2, it is necessary to know all the key fragments f1, f2. In an alternative embodiment, it is also possible to use more than two data carriers C1, C2 for transporting correspondingly many key fragments f1, f2 of the key k by correspondingly many administration forces W1, W2. In yet an alternative embodiment, one of the key fragments f1, f2 may already be during the production of the terminal 120 be introduced into this.

The data carriers C1 and C2 can be any data carriers, in particular magnetic stripe cards, chip cards, semiconductor memories or magnetic memories. Preferably, the key fragments f1, f2 are secured individually on the data carriers C1 and C2 by means of personal identification codes (PIN). For reading out or using the key fragment f1, f2 from the data carrier C1, C2, the PIN must be known, which can be given for example in the form of a four or more digit number. In one step 240 the volumes C1 and C2 are output to the administration forces W1 and W2. In one embodiment, the administration forces W1 and W2 can select the identification codes (PINs) which secure the key fragments f1, f2 on the data carriers C1 and C2, respectively. The delivery of the data carriers C1 and C2 to the administration forces W1 and W2 is logged in order to later produce a complete audit trail of the history of the generated key k or of the key fragments f1, f2 generated on its basis. In one step 250 becomes the terminal 120 and the administration forces W1 and W2 in each case use the data carriers C1 and C2 to enter the key fragments f1, f2 entrusted to them into the terminal 120 one. For this process they use their personal identification codes (PINs). Setting up the terminal 120 and the import of the cryptographic key k or the key fragments f1, f2 is also logged. In the terminal 120 the key fragments f1, f2 are reassembled to the key k.

The inputting of the two key fragments f1, f2 may occur after the terminal has been set up 120 be carried out directly on site. In another embodiment, the loading of one of the key fragments f1, f2 can already take place before the terminal 120 is spent at its place of use. In any case, the four-eyes principle is maintained by executing the generation and uploading of the key k such that at no time is a single person in possession of the complete key k.

In one step 260 becomes the terminal 120 put into operation. In a subsequent step 270 becomes the terminal 120 operated, causing a communication of the terminal 120 with the transaction control 110 over the network 150 wherein the communication is secured on the basis of the cryptographic key k or a part thereof with a symmetric encryption method.

Under certain conditions, for example, regularly after expiration of a predetermined time or event-driven, such as when there is a suspicion, the cryptographic key k used could be compromised, the cryptographic key k in a following step 280 renewed. Usually, renewal requires performing essential elements of the steps 210 to 260 , in particular the physical transport of data carriers with key fragments to the terminal 120 , The operation of the terminal 120 in step 270 can be suspended until a renewed cryptographic key is recorded. After renewing the key, the terminal may 120 in step 270 continue to operate.

3 shows a method 300 for renewing the cryptographic key k for communication in the system 1 , The procedure 300 can both during the commissioning of the terminal 120 in step 260 as well as in the context of the step 280 of the procedure 200 in 2 be performed. Main purpose of the procedure 300 it is to renew the cryptographic key k by means of communication over a connection, which is secured by means of a cryptographic key k, without a potential attacker, who can intercept and / or influence the communication, coming into possession of the renewed cryptographic key.

For simplicity, the procedure 300 described below using communication partners A and B. For the system 100 in 1 it is irrelevant, in which way the roles A and B, for example, the terminal 120 and the transaction office 110 be assigned to. In 3 Steps shown on the left are performed by A, steps shown on the right are performed by B. Procedural steps, which are shown in the middle, concern a message transmission between A and B in the direction indicated in each case.

The key k used initially is available to both communication partners A and B and is divisible into two subkeys k1 and k2, whereby k1 is used for generating message authentication codes (MAC) and k2 for encrypting messages. The division of the key k into subkeys k1, k2 can take place, for example, by bit operations with a constant, so that individual bits of the key k are assigned to the subkeys k1 or k2. In the course of the procedure 200 the entire key k is renewed by a key k ', which can be divided into subkeys k1' and k2 'in an analogous manner as described above.

Related to one of the terminals 120 out 1 can by using the method 300 the steps 220 to 250 in the procedure 200 to 2 essentially eliminated. In one embodiment, the terminal may 120 already be equipped with a subkey prior to its installation, as part of its commissioning in step 260 renewed.

In a first step 305 A generates a number Na. This number is preferably a random number ("nonce"). The safety of the procedure 300 is greatest when the number Na generated by A appears random, that is, can not be deducted at reasonable cost from an earlier generated number or an indication of it. The generation of Na may include a random number generator or pseudo-random number generator implemented in hardware and / or software.

In a following step 310 creates A based on Na following first message:
<genkey, MID, Na, MAC [k1] (genkey, MID, Na)>

Where genkey is the request or command to perform a key renewal. MID is an identification of the terminal 120 , The communication partner B can keep a list in the identification numbers MID of terminals 120 are registered, from which requests for key renewal are accepted. Furthermore, the first message contains the number Na generated by A. The last element of the first message is the value of a function MAC, which is executed on the basis of the subkey k1 on the already mentioned fields of the first message as an argument. There may also be additional fields of the first message arguments of the MAC function.

The MAC function ("Message Authentication Code") is a one-way function for generating a characteristic string for a given argument. The hash function (hash) used for this purpose is generated on the basis of the subkey k1, and is thus a one-way keyed hash cryptographic function (OWKH). A one-way function is easy to calculate for a given argument; However, the inference from any result to the corresponding argument is complicated.

Any variation in the argument thus results in a change in the function value of the MAC function. By using the subkey k1 for the MAC function, it is not possible to determine the functional value of the MAC function without knowledge of the subkey k1. Accordingly, an attacker can not provide a generated or intercepted and corrupted first message with a correct MAC value even if the attacker does not know the subkey k1. Moreover, the correctness of the function value of the MAC function for a given character string can only be confirmed or refuted if the subkey k1 is known.

Examples of the MAC feature include Cipher Block Chaining MAC (CBC-MAC), MAA, RIPE-MAC, MD4, MD5, SHA, and Whirlpool.

Then A sends the created first message in one step 315 B. B receives the first message from A in one step 320 ,

In a following step 325 B checks the integrity of the message received by A. For this, B determines the value of the MAC function based on the partial key k1 with the first three fields of the message as an argument. If the function value of the MAC function generated by B coincides with the function value that B finds in the message of A, the integrity of the received message is unbroken. Otherwise, there is an indication of corruption or corruption of the message between A and B. This may, for example, have been due to a transmission error or a third-party manipulation of the first message. If B can not ensure the integrity of the first message, B will not proceed with the procedure 300 continued. Instead, B may, for example, re-run the method 300 initiate or instruct A, the procedure 300 to start afresh. Additionally or alternatively, A and / or B may log the failed communication and / or trigger an alarm to initiate further security measures.

Then B checks in one step 330 the identity of A. B may result in a list of communication partners A, of which B accepts a message requesting the renewal of a cryptographic key. If B is off in the system 1 for example, the transaction control 110 so B can get a list of terminals 120 therefore, B is accepting a message requesting the renewal of the cryptographic key. The list can be made by means of the administration device 140 to get managed.

Preferably, there is the largest possible space of possible identification numbers MID, which is relatively sparse, that is, with random choice of an identification number from the supply of possible identification numbers, the probability is low to select an identification number, which already to a terminal 120 is forgiven. For example, the identification number can be numeric or alphanumeric and comprise four to eight digits more than to name all existing terminals 120 is required.

In the next step 335 B generates a number Nb, as above with reference to step 305 is described. In a subsequent step 340 B creates a second message based on Nb:
<ack, MID, Nb, MAC [k1] (ack, MID, Na, Nb)>

The field "ack" (acknowledge) stands for confirmation of the request "genkey" from that of A in step 310 created first message. Is B continuing the process 300 disagree, he answers with a negative affirmation, for example, "nak" (no acknowledge). MID is again the identification of A. Nb is the number generated by B and MAC [k1] (...) is the function value of the MAC function on the basis of the subkey k1, which takes as arguments the first three fields of the second message as well the one from A in step 305 generated number Na includes. In one embodiment, additional fields of the second message may be arguments of the MAC function. The MAC function is executed on the basis of the same subkey k1, which is also A in step 310 used in determining the functional value of the MAC function for the first message.

The second message B creates in one step 345 sent to A. A receives the second message in one step 350 and verifies the correctness of the second message using the MAC function value, as above with respect to the step 325 is executed.

After completing the step 350 Both on the side of A and B, the numbers Na and Nb are present, those of A and B, respectively, in the steps 305 and 335 were generated. Now the following steps 355 and 360 correspond to each other in pairs and are carried out respectively on the side of A and B respectively. In the steps 355 respectively. 360 On the basis of the subkey k2, a new key k 'is determined by means of a one-way keyed hash cryptographic function G (OWKH):
k '= G [k2] (Na, Nb)

Examples of such functions include MD5, SHH1, MDC1, MDC4 and RIPE-MD. The key k 'can be used either directly for the symmetric encryption of communication data between A and B or divided into two subkeys k1' and k2 ', where k1' is used to generate the MAC function values and k2 'is used to encrypt subsequent messages between A and B. In final steps 365 and 370 the subkey k1 used hitherto is replaced by k1 'and the subkey k2 by k2'. This is the procedure 300 terminated and a subsequent communication between A and B can be encrypted or decrypted with the renewed subkey k1 and authenticated with the renewed subkey k2 by means of the MAC function.

The communication between A and B in steps 315 . 320 . 345 and 350 of the procedure 300 may be encrypted in one embodiment by means of a symmetric encryption method, such as DES, 3DES or AES128, on the basis of the subkey k2. The safety of the procedure 300 is not based on the security of the symmetric encryption method.

• (1) Die Wahrscheinlichkeit, dass B eine genkey-Nachricht akzeptiert, die anscheinend von A gesendet wurde, jedoch nicht von A stammt, ist vernachlässigbar;
• (2) Die Wahrscheinlichkeit, dass A eine ack-Nachricht akzeptiert, die anscheinend von B gesendet wurde, jedoch nicht von B stammt, ist vernachlässigbar; und (3) E kann nicht zwischen dem Schlüssel k und einer zufälligen Bitfolge der gleichen Länge unterscheiden.

Can be assumed that an attacker E, the unencrypted communication between A and B in the process 300 can not hear, k1 and k2 does not know and that MAC and G are pseudo-random function families, it can be proved that the following properties are fulfilled:

• (1) The likelihood that B accepts a genkey message that seems to have been sent from A but does not come from A is negligible;
• (2) The probability that A accepts an ack message that seems to have been sent from B but is not from B is negligible; and (3) E can not distinguish between the key k and a random bit string of the same length.

This is the procedure 300 secure against any attacker E who can intercept the traffic between A and B and inject manipulated messages, but does not know subkeys k1 and k2.

4 shows an alternative method 400 for renewing the cryptographic key k for communication in the system 100 out 1 , As above with respect to 3 is described in 4 Steps of A shown on the left and steps B on the right are performed. The steps shown in the middle are messages between A and B.

In one step 410 A generates a new key, for example on the basis of the function G described above with two numbers N1, Nb generated by A as argument. The generated key k 'encodes A in one step 420 with the applicable communication key k1.

In one step 430 A creates a message containing a key renewal request and the encrypted new key k '. Furthermore, the message includes the function value of the MAC function described above with the remaining elements of the message as arguments. The created message will be in one step 440 transmitted from A to B.

In one step 450 B examines the message received from A, where B follows the steps described above 320 to 330 going on. The remaining steps 460 and 470 respectively. 470 and 490 correspond to the steps described above 355 and 365 respectively. 360 and 370 , The procedure 400 is easier than the procedure 300 out 3 to implement, but provides only lower security against an attacker E.

Claims (10)

Procedure ( 300 for securely renewing a cryptographic key k with subkeys k1 and k2 used for secure communication between subscribers A and B, the method ( 300 ) Comprises: - submitting ( 315 ) of a first message from A to B, the first message containing: MID, Na, MAC [k1] (MID, Na); - To transfer ( 345 ) of a second message from B to A, the second message comprising: MID, Nb, MAC [k1] (MID, Na, Nb); Where MID is an identification of A, Na is a number generated by A, Nb is a number generated by B, and MAC [k1] (...) is the value of a one-way function MAC based on subkey k1; - Determine ( 355 . 360 ) of a renewed key k 'on the basis of both numbers Na and Nb and the subkey k2. Procedure ( 300 ) according to claim 1, wherein the communication between the subscribers A and B by means of a symmetric encryption method on the basis of the subkey ( 42 ) is encrypted. Procedure ( 300 ) according to claim 1 or 2, wherein the method ( 300 ) further determining ( 365 . 370 ) renewed subkey k1 'and k2' based on the renewed key k '. Procedure ( 300 ) according to one of the preceding claims, wherein the function MAC is a cryptographic lending function on the basis of the subkey ( 41 ). Procedure ( 300 ) according to one of the preceding claims, wherein the renewed key k 'is determined by means of a one-way cryptographic scattering function on the basis of k2. Computer program product with program code means for carrying out a method ( 300 ) according to one of claims 1 to 5, when it runs on a computer or stored on a computer-readable medium. System ( 100 ) for secure communication, comprising: - a terminal ( 120 ) for interaction with a user; and - a transaction office ( 110 ); - where the transaction office ( 110 ) and the terminal ( 120 ) by means of an unsecured communication connection ( 150 ) communicate with each other; and - where the transaction office ( 110 ) and the terminal ( 120 ) for carrying out the process ( 300 ) are arranged according to one of claims 1 to 5. System ( 100 ) according to claim 7, characterized in that the terminal ( 120 ) is a selling device and the communication involves a financial transfer. System ( 100 ) according to claim 7 or 8, characterized in that the terminal ( 120 ) prior to its commissioning with a cryptographic key u for its first communication with the transaction office ( 110 ) Is provided. System ( 100 ) according to claim 9, characterized in that the key u by means of several data carriers (C1, C2) stored parts in the terminal ( 120 ) is spent.

Images