EP1428347A1 - Authentication receipt - Google Patents

Authentication receipt

Info

Publication number
EP1428347A1
EP1428347A1 EP02768251A EP02768251A EP1428347A1 EP 1428347 A1 EP1428347 A1 EP 1428347A1 EP 02768251 A EP02768251 A EP 02768251A EP 02768251 A EP02768251 A EP 02768251A EP 1428347 A1 EP1428347 A1 EP 1428347A1
Authority
EP
European Patent Office
Prior art keywords
server
paper look
pen
digital pen
authentication receipt
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP02768251A
Other languages
German (de)
French (fr)
Inventor
Mads Doré HANSEN
Lars Romedahl
Mikael Thuvesholmen
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Anoto AB
Original Assignee
Anoto AB
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Anoto AB filed Critical Anoto AB
Publication of EP1428347A1 publication Critical patent/EP1428347A1/en
Withdrawn legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2115Third party
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2129Authenticate client device independently of the user
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless

Definitions

  • the present invention relates to a method, a system and a computer-readable medium storing computer- executable components for authenticating a digital pen.
  • Computers are to an ever-increasing extent used for management and communication of information.
  • the information is typically input by means of a keyboard and stored in the computer memory, for example on a hard disk.
  • Graphic information such as drawings and images, is normally fed to the computer through a separate device, such as a scanner or the like.
  • the process of feeding such information to the computer is time consuming, lengthy, and often yields unsatisfactory results.
  • the information eventually is located in the computer, it can easily be communicated to others, for example as an e-mail or SMS via an Internet connec- tion, or as a fax via a fax modem.
  • the position code which codes a plurality of positions on the surface, enables electronic recording of information that is being written on the writing surface.
  • the information is written on the surface by means of a digital pen.
  • the pen has a sensor, which detects the position code on the surface.
  • the pen records information by recording the detected position code.
  • the position code is capable of coding coordinates of a large number of positions, much larger than the number of necessary positions on one single product.
  • the position code can be seen as forming a virtual surface, which is defined by all positions that the position code is capable of coding, different positions on the virtual surface being dedicated for different functions and/or actors.
  • the pen communicates with a server with knowledge of the functionality of every position on the virtual surface and any actor associated with each such position.
  • the above concept can be used for a number of different purposes.
  • the combination of pen and position coded product can be used as an input device to a computer, a PDA, a mobile phone or the like. For example, text and sketches written on a position-coded notepad can be transferred via the pen to a computer.
  • the combination of pen and position-coded product allows for global communication, directly from the product via the pen, by the position code on the product being dedicated for such communication.
  • the information registered by the pen can be transformed to a fax message, an e-mail or an SMS, and then be sent from the pen to a recipient.
  • the combination of pen and position-coded product can be used in e-commerce.
  • the digital pen can be used to order an item from a position-coded advertisement, which advertisement is associated with a service handler, in a magazine, by the position code in the advertisement being dedicated for such a service.
  • the information is sent in a secure way, i.e. by using encryption and digital signatures. If the pen sends confidential information to a recipient, the pen encrypts the information and the recipient will, in order to decipher the information, decrypt it.
  • the pen can use both symmetric and asymmetric encryption. Both types of encryption provide confidentiality (the information is kept secret during transmission) and authentication
  • Authentication protects two parties exchanging data from a third party, but it does not protect the two parties from each other. Typi- cally, it should not be possible for any one of the two parties to deny having received or transmitted certain information.
  • digital signatures are preferably used. By employing asymmetric encryption it is possible to assign digital signatures to the information sent, thereby obtaining non-repudiation (neither the sender nor the recipient of information is able to deny the transmission) of received or transmitted information. The integrity (the information has not been altered during the transmission) of the information must also be guaranteed. This is achieved by using hash functions.
  • the same key is used for both encryption and decryption, i.e. the transmitter and receiver shares two copies of the same key.
  • the key is used in conjunction with an algorithm, and different keys will produce different output results from the algorithm.
  • the security of the encryption depends on the secrecy of the key, not the secrecy of the algorithm. This makes it possible to use powerful standard algo- rithms, such as the Triple Data Encryption Standard (3- DES) algorithm, the Advanced Encryption Standard (AES) algorithm or the International Data Encryption Algorithm (IDEA) .
  • the security also depends on the length of the key. The longer the key, the more difficult it is to break the cipher.
  • Asymmetric encryption works in a similar way, but is based on a pair of keys; one secret, private key and one public key. Often four keys are used, one public key and one private key for confidentiality and one public key and one private key for authentication and digital signature.
  • the sender uses the public key of the receiver to encrypt the information and the receiver uses its private key to decrypt the information. Only a receiver with a private key corresponding to the public key can read the information, thus providing confidentiality.
  • the sender uses its private key to encrypt the information and the receiver uses the public key of the sender to decrypt the information. If the receiver is able to decrypt the information, it is ascertained that it was encrypted with the corresponding private key, and thus by the corresponding sender.
  • Commonly used public-key algorithms are, for example, the Diffie-Hellman (DH) algorithm and the Rivest-Shamir-Adleman (RSA) algorithm.
  • Hash functions take variable-length input strings and convert them to fixed-length output strings, so called hash values. The hash value can then be used to indicate whether a candidate input is likely to be the same as the real input.
  • One-way hash functions are functions that easily compute hash values from the input strings, but with which it is computationally hard to generate another input value that hashes to the same value. This way, hash functions can be used when sending information to ensure the receiver the integrity of the information.
  • the hash value of the information is calculated and sent along with the information.
  • the receiver can then simply make a hash value of the received information and compare this to the hash value sent. If these match, the recipient is also guaranteed a match between the information received and the information sent, on condition that the hash value itself, or the information sent along with the hash value, is protected. Protection of the hash value, or the information sent along with the hash value, is necessary because the hash function itself is not considered to be secret.
  • random number data is used for different reasons. One is that random data by its nature is difficult to determine or guess, making random numbers suitable as keys.
  • a problem with the provision of confidentiality, authentication, non-repudiation and integrity is the generation of a relatively great amount of traffic between the different participants.
  • a digital pen that wants to communicate with a service handler must prior to that communication contact a paper look-up server.
  • a problem in connection with the communication between a digital pen and a service handler is that before the service handler can start communicating with the digital pen, the service handler must ask the paper look-up server, or any other means with corresponding authority, to authenticate the digital pen.
  • the service handler must ask the paper look-up server, or any other means with corresponding authority, to authenticate the digital pen.
  • a relatively large number of transactions between a pen and different service handlers occurs, and each service handler usually authenticates the pen.
  • a digital pen will perform a large number of transactions during a short time period.
  • the digital pen user can perform a large number of errands by means of the pen, for example order various products from a service handler, carry out banking transactions via a paper form provided by the bank etc.
  • a problem associated with a large number of trans- actions relating to authentication of digital pens between the paper look-up server and the service handlers is that the load on these will increase.
  • An object of the present invention is therefore to reduce the traffic between the participants during authentication of the digital pen.
  • a method for authenticating a digital pen at a service handler in a system including at least one paper look-up server, at least one digital pen and at least one service handler according to claim 1, a system for authentication according to claim 22 and a computer-readable medium storing computer- executable components in accordance with claim 43.
  • Preferred embodiments are defined by the dependent claims .
  • a method is provided where an authentication receipt is created at a paper look-up server, which authentication receipt is used by a service handler to authenticate a digital pen.
  • a system comprising at least a digital pen, at least a paper look-up server and at least a service handler, wherein an authentication receipt is created at a paper look-up server, which authentication receipt is used by a service handler to authenticate a digital pen.
  • the invention is based on the idea that the paper look-up server issues an authentication receipt used by a service handler to authenticate the digital pen, thus avoiding communication between the service handler and the paper look-up server.
  • Digital pen information data is encrypted, preferably with a symmetric key shared by the digital pen and a paper look-up server, and sent, together with a digital pen identifier, from the digital pen to the paper look-up server.
  • the digital pen information data is encrypted with a symmetric key shared by the digital pen and the paper look-up server to assure the paper look-up server that the digital pen information data actually originates from the digital pen.
  • the digital pen identifier is provided so that the paper look-up server can find the symmetric key corresponding to the correct digital pen when decrypting the digital pen information data.
  • the paper look-up server Based on the digital pen information data from the digital pen, the paper look-up server identifies the service handler the digital pen wants to access and sends a message back to the digital pen including an address to the service handler and an authentication receipt.
  • the use of authentication receipt implies that the paper look-up server must be completely trusted, since the authentication receipt gives a digital pen access to a service handler.
  • a possible scenario is that pirate copies of the digital pens will circulate. It is then important that the paper look-up server does not provide these pens with authentication receipts.
  • a digital pen owner might have a subscription at a specific service handler, paying a fee to access it. It is desirable that an unauthorized digital pen is unable to exploit these services for free.
  • the paper look-up server thus authenticates the digital pen by means of the decryption of digital pen information data and creates an authentication receipt for authentication of the digital pen at the service handler.
  • the paper look-up server sends the authentication receipt and paper look-up server information data, which paper look-up server information data comprises the service handler identity, to the digital pen.
  • the digital pen now knows to which service handler it should send data and sends the authentication receipt to said service handler.
  • the service handler receives the authentication receipt from the digital pen, which receipt comprises such information that the service handler can use it to authenticate the digital pen without having to communi- cate with the paper look-up server.
  • the paper look-up server issues an authentication receipt, it is not necessary for the service handler to contact the paper look-up server to validate the digital pen.
  • authenticating the digital pen at the paper lookup server by means of the decryption of digital pen information data, it is not necessary to, for example, send a digital pen password via the network to achieve access to the server. Neither is it necessary to store passwords at a network server for authentication purposes.
  • the digital pen user need not perform any "manual" operations such as the above mentioned password procedure.
  • the data sent from the digital pen to the paper look-up server is provided with a digital signature, providing not only authentication but also non-repudiation of the digital pen information data.
  • the authentication receipt is, at the paper look-up server, provided with a first digital signature created by the paper look-up server. It is desirable that the authentication receipt can be securely authenticated at the service handler, ensuring the handler that the receipt actually came from the paper look-up server. By means of the first digital signature, non-repudiation of the receipt is further provided.
  • a second digital signature is created at the paper look-up server, which second digital signature is sent to the digital pen.
  • the server Since the server sends information or instructions to the digital pen, in addition to the authentication receipt, such as the address of the service handler or whether the information data transferred from the digital pen to the service handler should be encrypted or not, it is necessary to provide assurance to the digital pen that the authentication receipt actually originates from the paper look-up server.
  • the digital pen authenticates the paper look-up server by means of the second digital signature.
  • digital signatures enable authentication and obstruct repudiation by (i) the recipient that data has been received and (ii) the sender that data has been sent .
  • the concept of digital signatures greatly improves the security of the system.
  • the authentication receipt is provided with a unique receipt identifier.
  • the unique identifier prevents ill-intentioned third parties to produce their own authentication receipts. With the unique identifier, it is possible to keep track of the receipts that are, or have been, in use in the system.
  • the authentication receipt can also be provided with a timestamp. If someone would eavesdrop on the network and capture a copy of the receipt, it would be possible for the eavesdropper to use the receipt for communication with a service handler. With the timestamp, it is possible to have a predetermined limited period of time, a lifetime, during which period of time the receipt is valid.
  • the authentication receipt can further be provided with the digital pen identifier. This identifier is included in the receipt to indicate that the receipt has been issued on behalf of the digital pen.
  • a paper look-up server key identifier could be included in the authentication receipt in order for the service handler to find the public key of the paper look-up server that corre- sponds to the private key of the paper look-up server, when authenticating the receipt .
  • the service handler fetches the public key from a key store database, in which database public keys of the paper look-up server are stored.
  • the unique identifier and/or the timestamp and/or the digital pen identifier can be encrypted, resulting in the fact that confidentiality is provided to such parameters .
  • the encryption can be performed with a symmetric key known by the paper look-up server and the service handler.
  • the paper look-up server can encrypt the authentication receipt.
  • the encryption is preferably performed with a symmetric key known by the paper look-up server and the digital pen.
  • the digital pen can first decrypt the authentication receipt and then encrypt it, preferably with a symmetric key, before sending the encrypted authentication receipt to a service handler.
  • the authentication receipt is provided with confidentiality on its way from the paper look-up server via the digital pen to the service handler. If an eavesdropper captures the receipt, the eavesdropper is unable to use the receipt, since only a party in possession of the symmetric key associated with each encryption can decrypt the receipt. Also, by encryp- ting the receipt with a symmetric key known by the paper look-up server and the digital pen, the digital pen authenticates the paper look-up server by decrypting the receipt .
  • a digital pen is used to execute an e-commerce transaction where the credit card number of the digital pen owner is sent across the network to a service handler, it is of utmost importance that the transfer of the credit card number is secure.
  • graphical e-mails or other non-sensitive information is transferred, it is likely that a very low level of security needs to be employed.
  • the paper look-up server decides the level of security. A number of combinations are possible, the extremes are where no security is employed or where all information data sent between the components in the system is encrypted, including encrypting the authentication receipt.
  • Fig. 1 shows a system for management and communica- tion of information in which the present invention advantageously may be applied;
  • Fig. 2 shows how the present invention can be applied in a system for management and communication of information
  • Fig. 3 is a block diagram showing an embodiment of the present invention when providing authentication, integrity and confidentiality of the pen information data sent to the paper look-up service;
  • Fig. 4 is a block diagram showing an embodiment of the present invention when providing authentication, integrity, non-repudiation and confidentiality of the pen information data sent to the paper look-up service;
  • Fig. 5 is a block diagram showing another embodiment of the present invention when creating an authentication receipt at the paper look-up service
  • Fig. 6 is a block diagram showing yet another embodiment of the present invention when providing authentication, integrity, non-repudiation and confidentiality of the paper look-up service information data and the authentication receipt sent to the pen;
  • Fig. 7 is a block diagram showing further an embodiment of the present invention when providing authentica- tion, integrity, non-repudiation and confidentiality of the pen information data and the authentication receipt sent to the service handler;
  • Fig. 8 is a block diagram showing another embodiment of the present invention when processing the authentication receipt at the service handler.
  • Fig. 9 is a block diagram showing yet another embodiment of the present invention when providing authentication, integrity and confidentiality of the service handler information data sent to the pen.
  • FIG. 1 A system for management and communication of information is shown in Fig. 1. Such a system is further disclosed in the Applicant's international patent applications PCT/SEOO/02640, PCT/SEOO/02641, and PCT/SE00/02659, which applications are incorporated herein by reference.
  • the system of Fig. 1 comprises a plurality of digital pens DP, a plurality of products P with a position code PC, a paper look-up server PLS executing a paper look-up service, and a plurality of service handler units SH.
  • the paper look-up service comprises one or more servers communicating with a database containing the virtual surface formed by the position code and information related thereto.
  • the service handler unit SH is a server unit effecting a service, such as storing or relaying digital information, or initiating transmission of information or items to a recipient.
  • a digital pen is employed, but a digital pen could also be equivalent with, for example, a mobile phone, a PDA or the like provided with the characteristics of a digital pen.
  • these exemplified devices could be merged into one single device.
  • the pen DP When the digital pen DP is operated to mark an activation icon Al on the position-coded product P, the pen DP initiates an operation to forward a message to the paper look-up server PLS (step 1) , for example via short- range radio transmission to a mobile phone MP acting as a modem for connection to the paper look-up server PLS.
  • the message contains a unique pen identifier and at least one position from the digital information that has been recorded electronically on the writing surface of the product P.
  • the paper look-up server PLS Based on the position content of the message, instructs the digital pen DP to contact a specific service handler unit SH (step 2) .
  • the pen DP then sends the message to the service handler unit SH (step 3) , which instructs the pen DP on what data to send, and how to format and tag that data (step 4) .
  • the service handler unit SH After having received the requested data from the pen DP (step 5) , the service handler unit SH returns a verifi- cation thereof to the pen DP (step 6) .
  • the present invention can be applied in the system shown in Fig. 1, as will be described in the following with reference to Fig. 2.
  • the pen DP sends encrypted pen information data and a pen identifier, and possibly also a digital signature created by the pen, to the paper look-up server PLS.
  • the pen information data is advantageously encrypted by a symmetric key known by the pen DP and the paper look-up server PLS (step 1) .
  • the paper look-up server PLS authenticates the pen DP by means of the decryption or, if present, the digital signature created by the pen, and creates an authentication receipt including a unique authentication receipt identifier, a timestamp, and the digital pen identifier. These parameters are encrypted with a symmetric key.
  • the receipt also includes a first digital signature created by the paper look-up server PLS, which first signature is later used by the service handler to authenticate the digital pen.
  • a second digital signature is optionally created by the PLS and is used by the digital pen to authenticate the PLS.
  • the PLS encrypts PLS information data, which PLS information data instructs the pen DP which service handler SH it should contact, and the authentication receipt with a symmetric key known by the paper look-up server PLS and the pen DP and sends the encrypted data to the pen DP (step 2) .
  • the pen DP receives the encrypted data, decrypts it and authenticates the paper look-up server PLS by means of the second digital signature, if present, created by the PLS.
  • the authentication of the paper look-up server PLS at the pen DP is performed by encrypting the authentication receipt.
  • the pen DP then encrypts the pen information data and the authenti- cation receipt with a symmetric key and sends the symmetrically encrypted data to the service handler SH designated by the paper look-up server PLS (step 3) .
  • the service handler SH decrypts the pen information data and the authentication receipt and authenticates the pen DP by means of the first digital signature included in the authentication receipt and thus a roundtrip of transferring authentication data between the service handler SH and the paper look-up server PLS is avoided.
  • Fig. 3 shows how the pen provides authentication, integrity and confidentiality of the pen information data M DP when transferring data to the paper look-up service (i.e. the service running on the paper look-up server) .
  • E denotes encryption and D decryption.
  • Confidentiality and authentication of the pen information data M D p is provided by encrypting the pen information data M DP with a symmetric key K s shared by the pen and the paper look-up service.
  • the pen information data M DP is concatenated, denoted
  • ID DP ) is calculated and sent along with the encrypted pen information data and the pen identifier ID DP , thus obtaining integrity of the data sent to the paper look-up service .
  • the paper look-up service then fetches the symmetric key K s from a pen key database, which database contains the symmetric key corresponding to each pen in the system. This is possible due to the fact that the pen identifier is transferred along with the pen information data M DP .
  • the paper look-up service decrypts the encrypted pen information data with the symmetric key K s , recreating the pen information data M DP .
  • the pen identifier ID DP is concatenated to the received pen information data M DP on the recipient side.
  • the concatenated data M DP I I ID DP is evaluated in a hash function, which operation produces a hash value H(M DP
  • the hash value is compared to the received hash value H(M DP I I ID DP ) . If neither the pen information data M DP , nor the pen identifier ID DP , or both, have been altered, the comparison will match, thus assuring the integrity of the received data.
  • Fig. 4 shows how the pen provides authentication, integrity, non-repudiation and confidentiality of the pen information data M DP when transferring data to the paper look-up service.
  • a random number R DP is generated and encrypted with the public key KU PLS of the paper look-up service, which encryption provides the confidentiality of the random number.
  • the encrypted random number is then encrypted with the private key KR DP of the pen, which encryption provides the digital signature, thereby obtaining authentication and non-repudiation.
  • Confidentiality of the pen information data M DP is provided by encrypting the pen information data M DP with a symmetric key K s shared by the pen and the paper look-up service.
  • the pen information data M DP is concatenated with the random number R DP and the pen identifier ID DP .
  • ID D P H (M DP
  • the paper look-up service then fetches the symmetric key K s from a pen key database, which database contains the symmetric key corresponding to each pen in the system. This is possible due to the fact that the pen identifier is transferred to the paper look-up service.
  • the paper look-up service decrypts the encrypted pen information data with the symmetric key K s , recreating the pen information data M DP .
  • the paper look-up service uses the public key of the pen KU DP and the private key KR PLS of the paper look-up service to decrypt the random number R DP .
  • the random number R DP is concatenated to the received pen information data M DP and the pen identifier ID DP on the recipient side.
  • R DP I I ID DP is evaluated in a hash function, which operation produces a hash value H (M DP
  • the hash value is compared to the received hash value H(M DP
  • the order of encryption of the random number R DP i.e.
  • Fig. 5 illustrates how the paper look-up service creates an authentication receipt AR.
  • a random number R SHI is generated and encrypted with the public key KU SH of the service handler, thereby providing confidentiality of the random number.
  • the encrypted random number is then encrypted with the private key KR PL s of the paper look-up service, thus obtaining the digital signature of the paper look-up service for authentication at the service handler.
  • the random number is later used for decryption at the service handler.
  • the random number R SH ⁇ is evalu- ated in a hash function and the hash value is used for symmetric encryption of the pen identifier ID DP , the authentication receipt identifier ID AR . and the timestamp TS .
  • the paper look-up service key identifier KeyID PLS is provided in order for the service handler to find the corresponding public key of the paper look-up service in a key store database, which data base contains the public key of the paper look-up service corresponding to the private key of the paper look-up service.
  • R SH ⁇ is then evaluated in a hash function to provide integrity of the authentication receipt AR.
  • the paper look-up service identifier KeyID PLS the encryption of ID AR
  • R SH ⁇ the hash value of KeyID PLS
  • R SH ⁇ the hash value of KeyID PLS
  • the public key of the service handler KU SH is later used for encryption of pen information data sent from the pen to the service handler.
  • the paper look-up service information data M PLS includes a service handler key identifier, later used by the service handler.
  • a random number R P S is generated and encrypted with the public key KU DP of the pen, which encryption provides confidentiality of the random number.
  • the encrypted random number is then encrypted with the private key KR PLS of the paper look-up service, thus providing the digital signature of said paper look-up service to the pen. It should be noted that if it is sufficient to authenticate the paper look-up service at the pen by means of decrypting the authentication receipt, this digital signature is not necessary.
  • This signature is provided if non-repudiation of data sent from the paper look-up service to the pen is desired.
  • AR, Mp L s, KU SH and R PLS are concatenated, and the concatenated data is evaluated in a hash function, thus obtaining integrity of the data sent to the pen.
  • the pen decrypts
  • AR I I M P S and separates them, thereby acquiring the paper look-up service information data M PLS .
  • M PLS is concatenated with the public key KU SH of the service handler and the random number R PLS .
  • KU SH is evaluated in a hash function and compared to the hash value H(AR
  • Fig. 7 shows the pen sending data to the service handler.
  • a random number R SH2 is generated and encrypted with the public key KU SH of the service handler, thus providing confidentiality of the random number.
  • the random number is evaluated in a hash function.
  • the pen information data M D is concatenated with the authentication receipt AR and the hash value of the random number is used as a symmetric key for encrypting the concatena- ted data.
  • the service handler key identifier KeyID S H / which was included in the paper look-up service information data sent to the pen in Fig.
  • the service handler can fetch, from a key store database, the corresponding private key KR SH to the public key KU SH of the service handler used to encrypt the random number R S H2 • AR I I M DP I I R S H2 I I KeyID S H is evaluated in a hash function, thus providing integrity of the data sent to the service handler.
  • the service handler decrypts the encrypted random number and evaluates the random number R SH2 in a hash function.
  • the hash value is used to decrypt the encrypted concatenated data AR
  • the pen information data concatenated with the authentication receipt AR I I M D p is concatenated with the random number R SH2 and the service handler key identifier KeyID SH , resulting in AR I I M DP I I R S H2 I I KeylDsH- AR
  • KeyID SH is evaluated in a hash function, and the hash value is compared to the received H (AR
  • the service handler separates AR
  • Fig. 8 describes the processing of the authentication receipt AR at the service handler.
  • the service handler separates the data included in the authentication receipt into four parts.
  • the paper look-up service key identifier KeyID PLS is provided in order for the service handler to fetch the corresponding public key KU PLS of the paper look-up service from a key store database .
  • the random number R SHI encrypted at the paper look-up service is decrypted with the public key
  • KU PLS of the paper look-up service and the private key KR SH of the service handler thus authenticating the receipt, i.e. making sure the authentication receipt originates from the paper look-up service, and recreating the random number R SH ⁇ .
  • the random number is evaluated in a hash function and the hash value H(R S ⁇ ) is used to decrypt the encrypted authentication receipt identifier ID AR , the timestamp TS and the pen identifier ID DP .
  • the three parameters ID AR , TS and ID DP are then separated and thus recreated.
  • a hash function is employed to evaluate the integrity of the data.
  • FIG. 9 illustrates how the service handler symmetrically encrypts the service handler information data M SH , thus providing confidentiality of the data, with a hash value H(RS H2 ) of the random number R SH 2 received from the pen as described in Fig. 7 and sends the encrypted service handler information data and a hash value of the service handler information data to the pen.
  • the service handler information data M SH contains instructions what data the pen shall send to the service handler, and how the pen shall format and tag that data.
  • the pen decrypts the encrypted service handler information data using the hash value of the random number R S 2/ thus recreating the service handler information data M S .
  • the pen evaluates service handler information data M SH in a hash function and compares the hash value to the received hash value, thus checking integrity.
  • the pen then sends the requested pen information data to the service provider as described in Fig. 7. Note that when sending data this time, the pen does not need to generate a new random number. If, however, it is considered necessary for security reasons, the pen will generate a new random number.
  • the pen again uses the hash value of R SH2 to symmetrically encrypt the pen information data and the authentication receipt.
  • R SH2 is not sent to the service handler, as the service handler already has access to the random number R SH2 necessary to decrypt the pen information data and the authentication receipt. Neither does the pen need to send the service handler key identifier KeyID S this time, since the service handler already has access to it.

Abstract

The present invention relates to a method, a system and a computer-readable medium storing computer-executable components for authenticating a digital pen. The invention is based on the idea that a paper look-up server issues an authentication receipt used by a service handler to authenticate a digital pen. The authentication receipt comprises such information that the service handler can use it to authenticate the digital pen without having to communicate with the paper look-up server.

Description

AUTHENTICATION RECEIPT
Technical Field of the Invention
The present invention relates to a method, a system and a computer-readable medium storing computer- executable components for authenticating a digital pen.
Background Art
Traditionally, information is written and distributed by means of pen and paper. However, such paper- based information is difficult to manage and communicate in an efficient way.
Computers are to an ever-increasing extent used for management and communication of information. The information is typically input by means of a keyboard and stored in the computer memory, for example on a hard disk. However, it is a slow process to input information with a keyboard, and there is a significant risk of errors occurring in the process. Graphic information, such as drawings and images, is normally fed to the computer through a separate device, such as a scanner or the like. The process of feeding such information to the computer is time consuming, lengthy, and often yields unsatisfactory results. When the information eventually is located in the computer, it can easily be communicated to others, for example as an e-mail or SMS via an Internet connec- tion, or as a fax via a fax modem.
The present Applicant has proposed a remedy to this problem in the international application WO 01/16691, which is incorporated herein by this reference and in which the Applicant envisages the use of a product having a writing surface which is provided with a position code.
The position code, which codes a plurality of positions on the surface, enables electronic recording of information that is being written on the writing surface. The information is written on the surface by means of a digital pen. The pen has a sensor, which detects the position code on the surface. The pen records information by recording the detected position code. The position code is capable of coding coordinates of a large number of positions, much larger than the number of necessary positions on one single product. Thus, the position code can be seen as forming a virtual surface, which is defined by all positions that the position code is capable of coding, different positions on the virtual surface being dedicated for different functions and/or actors. The pen communicates with a server with knowledge of the functionality of every position on the virtual surface and any actor associated with each such position. The above concept can be used for a number of different purposes. The combination of pen and position coded product can be used as an input device to a computer, a PDA, a mobile phone or the like. For example, text and sketches written on a position-coded notepad can be transferred via the pen to a computer. Additionally, the combination of pen and position-coded product allows for global communication, directly from the product via the pen, by the position code on the product being dedicated for such communication. For example, the information registered by the pen can be transformed to a fax message, an e-mail or an SMS, and then be sent from the pen to a recipient. Further, the combination of pen and position-coded product can be used in e-commerce. For example, the digital pen can be used to order an item from a position-coded advertisement, which advertisement is associated with a service handler, in a magazine, by the position code in the advertisement being dedicated for such a service.
In the communication between the different participants in the above concept, it is desirable that the information is sent in a secure way, i.e. by using encryption and digital signatures. If the pen sends confidential information to a recipient, the pen encrypts the information and the recipient will, in order to decipher the information, decrypt it. The pen can use both symmetric and asymmetric encryption. Both types of encryption provide confidentiality (the information is kept secret during transmission) and authentication
(assuring the receiver that the identity of the sender of the information is not false) . Authentication protects two parties exchanging data from a third party, but it does not protect the two parties from each other. Typi- cally, it should not be possible for any one of the two parties to deny having received or transmitted certain information. When there is not complete trust between the receiver and transmitter, digital signatures are preferably used. By employing asymmetric encryption it is possible to assign digital signatures to the information sent, thereby obtaining non-repudiation (neither the sender nor the recipient of information is able to deny the transmission) of received or transmitted information. The integrity (the information has not been altered during the transmission) of the information must also be guaranteed. This is achieved by using hash functions. When using symmetric encryption, the same key is used for both encryption and decryption, i.e. the transmitter and receiver shares two copies of the same key. The key is used in conjunction with an algorithm, and different keys will produce different output results from the algorithm. The security of the encryption depends on the secrecy of the key, not the secrecy of the algorithm. This makes it possible to use powerful standard algo- rithms, such as the Triple Data Encryption Standard (3- DES) algorithm, the Advanced Encryption Standard (AES) algorithm or the International Data Encryption Algorithm (IDEA) . The security also depends on the length of the key. The longer the key, the more difficult it is to break the cipher.
Asymmetric encryption works in a similar way, but is based on a pair of keys; one secret, private key and one public key. Often four keys are used, one public key and one private key for confidentiality and one public key and one private key for authentication and digital signature. The sender uses the public key of the receiver to encrypt the information and the receiver uses its private key to decrypt the information. Only a receiver with a private key corresponding to the public key can read the information, thus providing confidentiality. For authentication and digital signature, the sender uses its private key to encrypt the information and the receiver uses the public key of the sender to decrypt the information. If the receiver is able to decrypt the information, it is ascertained that it was encrypted with the corresponding private key, and thus by the corresponding sender. Commonly used public-key algorithms are, for example, the Diffie-Hellman (DH) algorithm and the Rivest-Shamir-Adleman (RSA) algorithm.
Although the legitimate person has signed the information, it is not possible to know from digital signa- tures alone if the information has been delivered in its entirety. What is needed is a mechanism that delivers some kind of fingerprint of the unique information. Mathematically, these mechanisms are called hash functions. Hash functions take variable-length input strings and convert them to fixed-length output strings, so called hash values. The hash value can then be used to indicate whether a candidate input is likely to be the same as the real input. One-way hash functions are functions that easily compute hash values from the input strings, but with which it is computationally hard to generate another input value that hashes to the same value. This way, hash functions can be used when sending information to ensure the receiver the integrity of the information. The hash value of the information is calculated and sent along with the information. The receiver can then simply make a hash value of the received information and compare this to the hash value sent. If these match, the recipient is also guaranteed a match between the information received and the information sent, on condition that the hash value itself, or the information sent along with the hash value, is protected. Protection of the hash value, or the information sent along with the hash value, is necessary because the hash function itself is not considered to be secret. In many encryption algorithms random number data is used for different reasons. One is that random data by its nature is difficult to determine or guess, making random numbers suitable as keys.
A problem with the provision of confidentiality, authentication, non-repudiation and integrity is the generation of a relatively great amount of traffic between the different participants.
A digital pen that wants to communicate with a service handler must prior to that communication contact a paper look-up server. A problem in connection with the communication between a digital pen and a service handler is that before the service handler can start communicating with the digital pen, the service handler must ask the paper look-up server, or any other means with corresponding authority, to authenticate the digital pen. Normally, in a system comprising the above mentioned participants, a relatively large number of transactions between a pen and different service handlers occurs, and each service handler usually authenticates the pen. Moreover, it is envisaged that a digital pen will perform a large number of transactions during a short time period. The digital pen user can perform a large number of errands by means of the pen, for example order various products from a service handler, carry out banking transactions via a paper form provided by the bank etc. A problem associated with a large number of trans- actions relating to authentication of digital pens between the paper look-up server and the service handlers is that the load on these will increase. Summary of the Invention
An object of the present invention is therefore to reduce the traffic between the participants during authentication of the digital pen.
This object is achieved by a method for authenticating a digital pen at a service handler in a system including at least one paper look-up server, at least one digital pen and at least one service handler according to claim 1, a system for authentication according to claim 22 and a computer-readable medium storing computer- executable components in accordance with claim 43. Preferred embodiments are defined by the dependent claims . According to a first aspect of the invention, a method is provided where an authentication receipt is created at a paper look-up server, which authentication receipt is used by a service handler to authenticate a digital pen. According to a second aspect of the invention, a system is provided comprising at least a digital pen, at least a paper look-up server and at least a service handler, wherein an authentication receipt is created at a paper look-up server, which authentication receipt is used by a service handler to authenticate a digital pen. The invention is based on the idea that the paper look-up server issues an authentication receipt used by a service handler to authenticate the digital pen, thus avoiding communication between the service handler and the paper look-up server.
Digital pen information data is encrypted, preferably with a symmetric key shared by the digital pen and a paper look-up server, and sent, together with a digital pen identifier, from the digital pen to the paper look-up server. The digital pen information data is encrypted with a symmetric key shared by the digital pen and the paper look-up server to assure the paper look-up server that the digital pen information data actually originates from the digital pen. The digital pen identifier is provided so that the paper look-up server can find the symmetric key corresponding to the correct digital pen when decrypting the digital pen information data. Based on the digital pen information data from the digital pen, the paper look-up server identifies the service handler the digital pen wants to access and sends a message back to the digital pen including an address to the service handler and an authentication receipt. The use of authentication receipt implies that the paper look-up server must be completely trusted, since the authentication receipt gives a digital pen access to a service handler. A possible scenario is that pirate copies of the digital pens will circulate. It is then important that the paper look-up server does not provide these pens with authentication receipts. A digital pen owner might have a subscription at a specific service handler, paying a fee to access it. It is desirable that an unauthorized digital pen is unable to exploit these services for free.
The paper look-up server thus authenticates the digital pen by means of the decryption of digital pen information data and creates an authentication receipt for authentication of the digital pen at the service handler. The paper look-up server sends the authentication receipt and paper look-up server information data, which paper look-up server information data comprises the service handler identity, to the digital pen. The digital pen now knows to which service handler it should send data and sends the authentication receipt to said service handler. The service handler receives the authentication receipt from the digital pen, which receipt comprises such information that the service handler can use it to authenticate the digital pen without having to communi- cate with the paper look-up server. Due to the fact that the paper look-up server issues an authentication receipt, it is not necessary for the service handler to contact the paper look-up server to validate the digital pen. By authenticating the digital pen at the paper lookup server by means of the decryption of digital pen information data, it is not necessary to, for example, send a digital pen password via the network to achieve access to the server. Neither is it necessary to store passwords at a network server for authentication purposes. By employing the encryption approach, the digital pen user need not perform any "manual" operations such as the above mentioned password procedure.
According to an embodiment of the invention, the data sent from the digital pen to the paper look-up server is provided with a digital signature, providing not only authentication but also non-repudiation of the digital pen information data.
According to a further embodiment of the invention, the authentication receipt is, at the paper look-up server, provided with a first digital signature created by the paper look-up server. It is desirable that the authentication receipt can be securely authenticated at the service handler, ensuring the handler that the receipt actually came from the paper look-up server. By means of the first digital signature, non-repudiation of the receipt is further provided. According to another embodiment of the invention, a second digital signature is created at the paper look-up server, which second digital signature is sent to the digital pen. Since the server sends information or instructions to the digital pen, in addition to the authentication receipt, such as the address of the service handler or whether the information data transferred from the digital pen to the service handler should be encrypted or not, it is necessary to provide assurance to the digital pen that the authentication receipt actually originates from the paper look-up server. The digital pen authenticates the paper look-up server by means of the second digital signature. As mentioned earlier, digital signatures enable authentication and obstruct repudiation by (i) the recipient that data has been received and (ii) the sender that data has been sent . The concept of digital signatures greatly improves the security of the system.
According to yet another embodiment of the invention, the authentication receipt is provided with a unique receipt identifier. The unique identifier prevents ill-intentioned third parties to produce their own authentication receipts. With the unique identifier, it is possible to keep track of the receipts that are, or have been, in use in the system. The authentication receipt can also be provided with a timestamp. If someone would eavesdrop on the network and capture a copy of the receipt, it would be possible for the eavesdropper to use the receipt for communication with a service handler. With the timestamp, it is possible to have a predetermined limited period of time, a lifetime, during which period of time the receipt is valid. If this lifetime is short enough, it is not likely that an eavesdropper manages to use the receipt within the limited time period, even if the eavesdropper would capture the receipt. The authentication receipt can further be provided with the digital pen identifier. This identifier is included in the receipt to indicate that the receipt has been issued on behalf of the digital pen. A paper look-up server key identifier could be included in the authentication receipt in order for the service handler to find the public key of the paper look-up server that corre- sponds to the private key of the paper look-up server, when authenticating the receipt . The service handler fetches the public key from a key store database, in which database public keys of the paper look-up server are stored. According to further embodiments of the invention, to hamper eavesdroppers, the unique identifier and/or the timestamp and/or the digital pen identifier can be encrypted, resulting in the fact that confidentiality is provided to such parameters . The encryption can be performed with a symmetric key known by the paper look-up server and the service handler. According to yet a further embodiment of the invention, to further hamper eavesdroppers, the paper look-up server can encrypt the authentication receipt. The encryption is preferably performed with a symmetric key known by the paper look-up server and the digital pen. The digital pen can first decrypt the authentication receipt and then encrypt it, preferably with a symmetric key, before sending the encrypted authentication receipt to a service handler. Thus, the authentication receipt is provided with confidentiality on its way from the paper look-up server via the digital pen to the service handler. If an eavesdropper captures the receipt, the eavesdropper is unable to use the receipt, since only a party in possession of the symmetric key associated with each encryption can decrypt the receipt. Also, by encryp- ting the receipt with a symmetric key known by the paper look-up server and the digital pen, the digital pen authenticates the paper look-up server by decrypting the receipt .
It is important to understand that the system allows different levels of security. If, for example, a digital pen is used to execute an e-commerce transaction where the credit card number of the digital pen owner is sent across the network to a service handler, it is of utmost importance that the transfer of the credit card number is secure. On the other hand, if graphical e-mails or other non-sensitive information is transferred, it is likely that a very low level of security needs to be employed. It is not desirable to force the digital pen and the paper look-up server to perform computationally demanding operations in terms of processing power, such as providing data with digital signatures and encrypting data, in cases where it is not necessary. The paper look-up server decides the level of security. A number of combinations are possible, the extremes are where no security is employed or where all information data sent between the components in the system is encrypted, including encrypting the authentication receipt.
Further features of, and advantages with, the present invention will become apparent when studying the appended claims and the following description.
Brief Description of the Drawings
Exemplifying embodiments of the invention will be described in greater detail with reference to the accompanying drawings, in which:
Fig. 1 shows a system for management and communica- tion of information in which the present invention advantageously may be applied;
Fig. 2 shows how the present invention can be applied in a system for management and communication of information; Fig. 3 is a block diagram showing an embodiment of the present invention when providing authentication, integrity and confidentiality of the pen information data sent to the paper look-up service;
Fig. 4 is a block diagram showing an embodiment of the present invention when providing authentication, integrity, non-repudiation and confidentiality of the pen information data sent to the paper look-up service;
Fig. 5 is a block diagram showing another embodiment of the present invention when creating an authentication receipt at the paper look-up service;
Fig. 6 is a block diagram showing yet another embodiment of the present invention when providing authentication, integrity, non-repudiation and confidentiality of the paper look-up service information data and the authentication receipt sent to the pen;
Fig. 7 is a block diagram showing further an embodiment of the present invention when providing authentica- tion, integrity, non-repudiation and confidentiality of the pen information data and the authentication receipt sent to the service handler;
Fig. 8 is a block diagram showing another embodiment of the present invention when processing the authentication receipt at the service handler; and
Fig. 9 is a block diagram showing yet another embodiment of the present invention when providing authentication, integrity and confidentiality of the service handler information data sent to the pen.
Description of Preferred Embodiments of the Invention
A system for management and communication of information is shown in Fig. 1. Such a system is further disclosed in the Applicant's international patent applications PCT/SEOO/02640, PCT/SEOO/02641, and PCT/SE00/02659, which applications are incorporated herein by reference. The system of Fig. 1 comprises a plurality of digital pens DP, a plurality of products P with a position code PC, a paper look-up server PLS executing a paper look-up service, and a plurality of service handler units SH. The paper look-up service comprises one or more servers communicating with a database containing the virtual surface formed by the position code and information related thereto. This virtual surface contains all positions that the position code is capable of coding and the functionality of every position on the virtual surface and the actor associated with each such position. The service handler unit SH is a server unit effecting a service, such as storing or relaying digital information, or initiating transmission of information or items to a recipient. In the example hereinabove, a digital pen is employed, but a digital pen could also be equivalent with, for example, a mobile phone, a PDA or the like provided with the characteristics of a digital pen. Furthermore, it is understood that these exemplified devices could be merged into one single device.
When the digital pen DP is operated to mark an activation icon Al on the position-coded product P, the pen DP initiates an operation to forward a message to the paper look-up server PLS (step 1) , for example via short- range radio transmission to a mobile phone MP acting as a modem for connection to the paper look-up server PLS. The message contains a unique pen identifier and at least one position from the digital information that has been recorded electronically on the writing surface of the product P. Based on the position content of the message, the paper look-up server PLS instructs the digital pen DP to contact a specific service handler unit SH (step 2) . The pen DP then sends the message to the service handler unit SH (step 3) , which instructs the pen DP on what data to send, and how to format and tag that data (step 4) . After having received the requested data from the pen DP (step 5) , the service handler unit SH returns a verifi- cation thereof to the pen DP (step 6) .
The present invention can be applied in the system shown in Fig. 1, as will be described in the following with reference to Fig. 2. The pen DP sends encrypted pen information data and a pen identifier, and possibly also a digital signature created by the pen, to the paper look-up server PLS. The pen information data is advantageously encrypted by a symmetric key known by the pen DP and the paper look-up server PLS (step 1) . The paper look-up server PLS authenticates the pen DP by means of the decryption or, if present, the digital signature created by the pen, and creates an authentication receipt including a unique authentication receipt identifier, a timestamp, and the digital pen identifier. These parameters are encrypted with a symmetric key. The receipt also includes a first digital signature created by the paper look-up server PLS, which first signature is later used by the service handler to authenticate the digital pen. A second digital signature is optionally created by the PLS and is used by the digital pen to authenticate the PLS. The PLS encrypts PLS information data, which PLS information data instructs the pen DP which service handler SH it should contact, and the authentication receipt with a symmetric key known by the paper look-up server PLS and the pen DP and sends the encrypted data to the pen DP (step 2) . The pen DP receives the encrypted data, decrypts it and authenticates the paper look-up server PLS by means of the second digital signature, if present, created by the PLS. Normally, the authentication of the paper look-up server PLS at the pen DP is performed by encrypting the authentication receipt. The pen DP then encrypts the pen information data and the authenti- cation receipt with a symmetric key and sends the symmetrically encrypted data to the service handler SH designated by the paper look-up server PLS (step 3) . The service handler SH decrypts the pen information data and the authentication receipt and authenticates the pen DP by means of the first digital signature included in the authentication receipt and thus a roundtrip of transferring authentication data between the service handler SH and the paper look-up server PLS is avoided. The present invention will be described in greater detail in the following figures.
As is clearly understood by those of ordinary skills in the art, the different steps described with reference to Fig. 2 is performed by a microprocessor MP arranged in the pen DP, the paper look-up server PLS and the service handler SH, respectively.
It should be noted that those skilled in the art will realize that a number of different implementations are possible when encrypting data. The encryption can be performed with symmetric keys or asymmetric keys, digital signatures can be provided, encryption can be omitted for certain data etc. It is understood that the different embodiments, and features thereof, can be combined to create new embodiments not shown in this application.
Fig. 3 shows how the pen provides authentication, integrity and confidentiality of the pen information data MDP when transferring data to the paper look-up service (i.e. the service running on the paper look-up server) . In the figure, E denotes encryption and D decryption. Confidentiality and authentication of the pen information data MDp is provided by encrypting the pen information data MDP with a symmetric key Ks shared by the pen and the paper look-up service. The pen information data MDP is concatenated, denoted | | , with the pen identifier IDDP. The hash value of MDP | | IDDP, H (MDP | | IDDP) , is calculated and sent along with the encrypted pen information data and the pen identifier IDDP, thus obtaining integrity of the data sent to the paper look-up service .
The paper look-up service then fetches the symmetric key Ks from a pen key database, which database contains the symmetric key corresponding to each pen in the system. This is possible due to the fact that the pen identifier is transferred along with the pen information data MDP. The paper look-up service decrypts the encrypted pen information data with the symmetric key Ks, recreating the pen information data MDP. The pen identifier IDDP is concatenated to the received pen information data MDP on the recipient side. The concatenated data MDP I I IDDP is evaluated in a hash function, which operation produces a hash value H(MDP | | IDDP) . The hash value is compared to the received hash value H(MDP I I IDDP) . If neither the pen information data MDP, nor the pen identifier IDDP, or both, have been altered, the comparison will match, thus assuring the integrity of the received data.
Fig. 4 shows how the pen provides authentication, integrity, non-repudiation and confidentiality of the pen information data MDP when transferring data to the paper look-up service. A random number RDP is generated and encrypted with the public key KUPLS of the paper look-up service, which encryption provides the confidentiality of the random number. The encrypted random number is then encrypted with the private key KRDP of the pen, which encryption provides the digital signature, thereby obtaining authentication and non-repudiation. Confidentiality of the pen information data MDP is provided by encrypting the pen information data MDP with a symmetric key Ks shared by the pen and the paper look-up service. The pen information data MDP is concatenated with the random number RDP and the pen identifier IDDP. The hash value of MDP | | RDP | | IDDP H (MDP | | RDP | | IDDP) , is calculated and sent along with the encrypted and signed random number, the encrypted pen information data and the pen identifier IDDP, thus obtaining integrity of the data sent to the paper look-up service.
The paper look-up service then fetches the symmetric key Ks from a pen key database, which database contains the symmetric key corresponding to each pen in the system. This is possible due to the fact that the pen identifier is transferred to the paper look-up service. The paper look-up service decrypts the encrypted pen information data with the symmetric key Ks, recreating the pen information data MDP. The paper look-up service uses the public key of the pen KUDP and the private key KRPLS of the paper look-up service to decrypt the random number RDP. The random number RDP is concatenated to the received pen information data MDP and the pen identifier IDDP on the recipient side. The concatenated data MDP | | RDP I I IDDP is evaluated in a hash function, which operation produces a hash value H (MDP | | RDP | | IDDP) . The hash value is compared to the received hash value H(MDP | | RDP I I IDDP) . If neither the pen information data MDP, nor the random number RDP, the pen identifier IDDP, or all three parameters, have been altered, the comparison will match, thus assuring the integrity of the received data. The order of encryption of the random number RDP, i.e. to first encrypt with the public key KUpLS of the paper look-up service and then encrypt with the private key KRDp of the pen, is employed because it should not be possible to save the signed random number for later use. Clearly, it is possible to first encrypt with the private key KRDp of the pen and then encrypt with the public key KUpLs of the paper look-up service. This will, however, result in a lower level of security. Fig. 5 illustrates how the paper look-up service creates an authentication receipt AR. A random number RSHI is generated and encrypted with the public key KUSH of the service handler, thereby providing confidentiality of the random number. The encrypted random number is then encrypted with the private key KRPLs of the paper look-up service, thus obtaining the digital signature of the paper look-up service for authentication at the service handler. The random number is later used for decryption at the service handler. The random number RSHι is evalu- ated in a hash function and the hash value is used for symmetric encryption of the pen identifier IDDP, the authentication receipt identifier IDAR. and the timestamp TS . The paper look-up service key identifier KeyIDPLS is provided in order for the service handler to find the corresponding public key of the paper look-up service in a key store database, which data base contains the public key of the paper look-up service corresponding to the private key of the paper look-up service. The concatenated data KeyIDPLS | | IDAR | | TS | | IDDP | | RSHι is then evaluated in a hash function to provide integrity of the authentication receipt AR. The paper look-up service identifier KeyIDPLS, the encryption of IDAR | | TS | | IDDP, the signed and encrypted random number RSHI, and the hash value of KeyIDPLS | | IDAR | | TS | | IDDP | | RSHι are then concatenated, thus forming the authentication receipt AR. Fig. 6 demonstrates the operation of sending data from the paper look-up service to the pen. The authenti- cation receipt AR and the paper look-up service information data MPLS, which paper look-up service information data comprises the service handler identity, is encrypted using a symmetric key Ks shared by the pen and the paper look-up service, which encryption provides confidentiality and authentication of AR and MPLS. The public key of the service handler KUSH is later used for encryption of pen information data sent from the pen to the service handler. The paper look-up service information data MPLS includes a service handler key identifier, later used by the service handler. A random number RP S is generated and encrypted with the public key KUDP of the pen, which encryption provides confidentiality of the random number. The encrypted random number is then encrypted with the private key KRPLS of the paper look-up service, thus providing the digital signature of said paper look-up service to the pen. It should be noted that if it is sufficient to authenticate the paper look-up service at the pen by means of decrypting the authentication receipt, this digital signature is not necessary. This signature is provided if non-repudiation of data sent from the paper look-up service to the pen is desired. AR, MpLs, KUSH and RPLS are concatenated, and the concatenated data is evaluated in a hash function, thus obtaining integrity of the data sent to the pen. The pen decrypts
AR I I MP S and separates them, thereby acquiring the paper look-up service information data MPLS. AR | | MPLS is concatenated with the public key KUSH of the service handler and the random number RPLS . AR | | MPLS | | RPLS | | KUSH is evaluated in a hash function and compared to the hash value H(AR | | MPLS | | RPLS | | KUSH) received from the paper look-up service, thus checking the integrity of the received data.
Fig. 7 shows the pen sending data to the service handler. A random number RSH2 is generated and encrypted with the public key KUSH of the service handler, thus providing confidentiality of the random number. The random number is evaluated in a hash function. The pen information data MD is concatenated with the authentication receipt AR and the hash value of the random number is used as a symmetric key for encrypting the concatena- ted data. The service handler key identifier KeyIDSH/ which was included in the paper look-up service information data sent to the pen in Fig. 6, is provided so that the service handler can fetch, from a key store database, the corresponding private key KRSH to the public key KUSH of the service handler used to encrypt the random number RSH2 • AR I I MDP I I RSH2 I I KeyIDSH is evaluated in a hash function, thus providing integrity of the data sent to the service handler. The service handler decrypts the encrypted random number and evaluates the random number RSH2 in a hash function. The hash value is used to decrypt the encrypted concatenated data AR | | MDP. The pen information data concatenated with the authentication receipt AR I I MDp is concatenated with the random number RSH2 and the service handler key identifier KeyIDSH, resulting in AR I I MDP I I RSH2 I I KeylDsH- AR | | MDP | | RSH2 | | KeyIDSH is evaluated in a hash function, and the hash value is compared to the received H (AR | | MDP | | RSH2 | | KeyIDSH) , thereby checking the integrity of the received data. The service handler separates AR | | MDP, thereby acquiring the pen information data MDP and the authentication receipt AR.
Fig. 8 describes the processing of the authentication receipt AR at the service handler. The service handler separates the data included in the authentication receipt into four parts. As mentioned earlier, the paper look-up service key identifier KeyIDPLS is provided in order for the service handler to fetch the corresponding public key KUPLS of the paper look-up service from a key store database . The random number RSHI encrypted at the paper look-up service is decrypted with the public key
KUPLS of the paper look-up service and the private key KRSH of the service handler, thus authenticating the receipt, i.e. making sure the authentication receipt originates from the paper look-up service, and recreating the random number RSHι . The random number is evaluated in a hash function and the hash value H(RSι) is used to decrypt the encrypted authentication receipt identifier IDAR, the timestamp TS and the pen identifier IDDP. The three parameters IDAR, TS and IDDP are then separated and thus recreated. As described earlier, a hash function is employed to evaluate the integrity of the data. Fig. 9 illustrates how the service handler symmetrically encrypts the service handler information data MSH, thus providing confidentiality of the data, with a hash value H(RSH2) of the random number RSH2 received from the pen as described in Fig. 7 and sends the encrypted service handler information data and a hash value of the service handler information data to the pen. The service handler information data MSH contains instructions what data the pen shall send to the service handler, and how the pen shall format and tag that data. The pen decrypts the encrypted service handler information data using the hash value of the random number RS2/ thus recreating the service handler information data MS . The pen evaluates service handler information data MSH in a hash function and compares the hash value to the received hash value, thus checking integrity. The pen then sends the requested pen information data to the service provider as described in Fig. 7. Note that when sending data this time, the pen does not need to generate a new random number. If, however, it is considered necessary for security reasons, the pen will generate a new random number. The pen again uses the hash value of RSH2 to symmetrically encrypt the pen information data and the authentication receipt. RSH2 is not sent to the service handler, as the service handler already has access to the random number RSH2 necessary to decrypt the pen information data and the authentication receipt. Neither does the pen need to send the service handler key identifier KeyIDS this time, since the service handler already has access to it.
Even though the invention has been described with reference to specific exemplifying embodiments thereof, many different alterations, modifications and the like will become apparent for those skilled in the art. The described embodiments are therefore not intended to limit the scope of the invention, as defined by the appended claims .

Claims

1. A method for authenticating a digital pen at a service handler in a system including at least one paper look-up server, at least one digital pen and at least one service handler, the method including the steps of: sending encrypted data and a digital pen identifier from said digital pen to said paper look-up server; authenticating said digital pen and creating an authentication receipt at said paper look-up server; sending said authentication receipt from said paper look-up server to said digital pen; sending said authentication receipt from said digital pen to said service handler; and authenticating said digital pen at said service handler based on the received authentication receipt.
2. The method according to claim 1, wherein the encryption of data is performed with a symmetric key at said digital pen.
3. The method according to claim 1 or 2 , wherein said encrypted data includes a digital signature created by said digital pen.
4. The method according to claim 1-3, including providing, at the paper look-up server, the authentication receipt with a first digital signature created by the paper look-up server.
5. The method according to claim 4, wherein the step of authenticating said digital pen at said service handler includes authenticating said authentication receipt by means of said first digital signature created by the paper look-up server.
6. The method according to claim 4 or 5 , including creating a second digital signature at the paper look-up server.
7. The method according to claim 6, wherein the step of sending said authentication receipt from said paper look-up server to said digital pen includes sending said second digital signature.
8. The method according to claim 7, including authenticating said paper look-up server at said digital pen by means of said second digital signature before sending the authentication receipt to the service handler.
9. The method according to any of the preceding claims, including providing, at the paper look-up server, the authentication receipt with a unique identifier.
10. The method according to claim 9, including encrypting said unique identifier.
11. The method according to any of the preceding claims, including providing, at the paper look-up server, the authentication receipt with a timestamp.
12. The method according to claim 11, including providing, at the paper look-up server, the timestamp with a predetermined lifetime.
13. The method according to claim 11 or 12, including encrypting said timestamp.
14. The method according to any of the preceding claims, including providing, at the paper look-up server, the authentication receipt with the digital pen identifier.
15. The method according to claim 14, including encrypting said digital pen identifier.
16. The method according to any of the preceding claims, including providing, at the paper look-up server, the authentication receipt with a paper look-up server key identifier.
17. The method according to claim 10, 13 or 15, wherein said encryption is performed with a symmetric key.
18. The method according to any of the preceding claims including encrypting said authentication receipt at said paper look-up server.
19. The method according to claim 18, wherein said encryption of said authentication receipt is performed with a symmetric key.
20. The method according to claim 18 or 19, including the steps of : decrypting said authentication receipt at the digital pen; and encrypting the decrypted authentication receipt at the digital pen.
21. The method according to claim 20, wherein said encryption of said authentication receipt is performed with a symmetric key.
22. A system for authentication including: at least one digital pen; at least one paper look-up server; and at least one service handler, wherein said digital pen is arranged to send encrypted data and a digital pen identifier to said paper look-up server, receive an authentication receipt from said paper look-up server and send said authentication receipt to said service handler; said paper look-up server is arranged to authenti- cate said digital pen, create said authentication receipt and send said authentication receipt to said digital pen; and said service handler is arranged to authenticate said digital pen based on the received authentication receipt.
23. The system according to claim 22, wherein said digital pen is arranged to perform the encryption of data with a symmetric key.
24. The system according to claim 22 or 23, wherein said digital pen is arranged to create a digital signature and include said digital signature in the encrypted data.
25. The system according to claims 22-24, wherein said paper look-up server is arranged to provide the authentication receipt with a first digital signature created by the paper look-up server.
26. The system according to claim 25, wherein said service handler is arranged to authenticate said digital pen by authenticating said authentication receipt by means of said first digital signature created by the paper look-up server.
27. The system according to claim 25 or 26, wherein said paper look-up server is arranged to create a second digital signature.
28. The system according to claim 27, wherein said paper look-up server is arranged to send said second digital signature to the digital pen.
29. The system according to claim 28, wherein said digital pen is arranged to authenticate said paper lookup server by means of said second digital signature before sending said authentication receipt to said service handler.
30. The system according to claims 22-29, wherein the paper look-up server is arranged to provide the authentication receipt with a unique identifier.
31. The system according to claim 30, wherein the paper look-up server is arranged to encrypt said unique identifier.
32. The system according to claims 22-31, wherein the paper look-up server is arranged to provide the authentication receipt with a timestamp.
33. The system according to claim 32, wherein the paper look-up server is arranged to provide the timestamp with a predetermined lifetime.
34. The system according to claim 32 or 33, wherein the paper look-up server is arranged to encrypt said timestamp .
35. The system according to claims 22-34, wherein the paper look-up server is arranged to provide the authentication receipt with the digital pen identifier.
36. The system according to claim 35, wherein the paper look-up server is arranged to encrypt said digital pen identifier.
37. The system according to claims 22-36, wherein the paper look-up server is arranged to provide the authentication receipt with a paper look-up server key identifier.
38. The system according to claim 31, 34 or 36, wherein the paper look-up server is arranged to perform said encryption with a symmetric key.
39. The system according to claims 22-38, wherein said paper look-up server is arranged to encrypt said authentication receipt .
40. The system according to claim 39, wherein said paper look-up server is arranged to encrypt said authentication receipt with a symmetric key.
41. The system according to claim 39 or 40, wherein said digital pen is arranged to decrypt said authentication receipt; and said digital pen is arranged to encrypt the decrypted authentication receipt.
42. The system according to claim 41, wherein said digital pen is arranged to encrypt said authentication receipt with a symmetric key.
43. A computer-readable medium storing computer- executable components for causing a unit to perform the steps recited in any one of claims 1-21 when the computer-executable components are run on microprocessor included by the unit .
EP02768251A 2001-09-07 2002-09-06 Authentication receipt Withdrawn EP1428347A1 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
SE0102965A SE0102965L (en) 2001-09-07 2001-09-07 Autenticeringskvitto
SE0102965 2001-09-07
PCT/SE2002/001601 WO2003024019A1 (en) 2001-09-07 2002-09-06 Authentication receipt

Publications (1)

Publication Number Publication Date
EP1428347A1 true EP1428347A1 (en) 2004-06-16

Family

ID=20285249

Family Applications (1)

Application Number Title Priority Date Filing Date
EP02768251A Withdrawn EP1428347A1 (en) 2001-09-07 2002-09-06 Authentication receipt

Country Status (4)

Country Link
EP (1) EP1428347A1 (en)
CN (1) CN100369405C (en)
SE (1) SE0102965L (en)
WO (1) WO2003024019A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006062468A1 (en) * 2004-12-07 2006-06-15 Anoto Ab Methods and apparatuses for routing information to an application service
KR101892266B1 (en) 2011-10-06 2018-08-28 삼성전자주식회사 Method and apparatus for determining input
CN108667610B (en) * 2017-04-02 2021-05-25 北京拓思德科技有限公司 Equipment authentication method

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5661506A (en) 1994-11-10 1997-08-26 Sia Technology Corporation Pen and paper information recording system using an imaging pen
US5852434A (en) 1992-04-03 1998-12-22 Sekendur; Oral F. Absolute optical position determination

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6085321A (en) * 1998-08-14 2000-07-04 Omnipoint Corporation Unique digital signature
WO2001016691A1 (en) * 1999-08-30 2001-03-08 Anoto Ab Notepad

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5852434A (en) 1992-04-03 1998-12-22 Sekendur; Oral F. Absolute optical position determination
US5661506A (en) 1994-11-10 1997-08-26 Sia Technology Corporation Pen and paper information recording system using an imaging pen

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
DYMETMAN M; COPPERMAN M: "Intelligent paper", LECTURE NOTES IN COMPUTER SCIENCE, vol. 1375, March 1998 (1998-03-01), pages 392 - 406, XP002328425
See also references of WO03024019A1

Also Published As

Publication number Publication date
SE0102965L (en) 2003-03-08
WO2003024019A1 (en) 2003-03-20
CN100369405C (en) 2008-02-13
CN1557065A (en) 2004-12-22
SE0102965D0 (en) 2001-09-07

Similar Documents

Publication Publication Date Title
US7353393B2 (en) Authentication receipt
US7249256B2 (en) Encryption protocol
US6918042B1 (en) Secure configuration of a digital certificate for a printer or other network device
US5539828A (en) Apparatus and method for providing secured communications
US6292892B1 (en) Apparatus and method for providing secured communications
JP5295479B2 (en) Method and system for preventing unauthorized delivery and use of electronic keys with key seeds
US7215771B1 (en) Secure disk drive comprising a secure drive key and a drive ID for implementing secure communication over a public network
US7095859B2 (en) Managing private keys in a free seating environment
US20060195402A1 (en) Secure data transmission using undiscoverable or black data
WO2002023798A1 (en) System for protecting objects distributed over a network
CN114175580B (en) Enhanced secure encryption and decryption system
US20020021804A1 (en) System and method for data encryption
JP3690237B2 (en) Authentication method, recording medium, authentication system, terminal device, and authentication recording medium creation device
US20020001388A1 (en) High speed copy protection method
JP2003110544A (en) Device and method for enciphering and deciphering
JP4140617B2 (en) Authentication system using authentication recording medium and method of creating authentication recording medium
EP1428347A1 (en) Authentication receipt
JP2002247021A (en) Method and device for displaying access limited contents
CN108985079B (en) Data verification method and verification system
EP1421548B1 (en) Encryption protocol
EP0784256A1 (en) Method and apparatus for public-key cryptography using a secure semiconductor device
JP4604523B2 (en) Data transfer method and data storage device
JP4289552B2 (en) How to prevent leakage of confidential data
US20070076880A1 (en) Secure digital transmission
林椿芳 et al. Research and Implementation of ID-based Encryption Scheme Based on Symmetric-Key Technique with a Trusted Device

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20040407

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LI LU MC NL PT SE SK TR

AX Request for extension of the european patent

Extension state: AL LT LV MK RO SI

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: ANOTO IP LIC HB

111L Licence recorded

Free format text: 0100 LEAPFROG ENTERPRISES INC.

Effective date: 20050530

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: ANOTO AB

TPAC Observations filed by third parties

Free format text: ORIGINAL CODE: EPIDOSNTIPA

17Q First examination report despatched

Effective date: 20090323

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: ANOTO AB

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20091003