EP1763936A1 - Method of choosing one of a multitude of data sets being registered with a device and corresponding device - Google Patents

Method of choosing one of a multitude of data sets being registered with a device and corresponding device

Info

Publication number
EP1763936A1
EP1763936A1 EP05752103A EP05752103A EP1763936A1 EP 1763936 A1 EP1763936 A1 EP 1763936A1 EP 05752103 A EP05752103 A EP 05752103A EP 05752103 A EP05752103 A EP 05752103A EP 1763936 A1 EP1763936 A1 EP 1763936A1
Authority
EP
European Patent Office
Prior art keywords
dev
exchange information
key
encrypted
remote device
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP05752103A
Other languages
German (de)
French (fr)
Inventor
Robert Blake
Henning Maass
Francesco Gallo
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Koninklijke Philips NV
Original Assignee
Koninklijke Philips Electronics NV
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from GB0414648A (GB0414648D0)
Application filed by Koninklijke Philips Electronics NV
Priority to EP05752103A
Publication of EP1763936A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H04L9/0844 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless
    • H04L2209/805 Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor

Definitions

  • the invention relates to a method of choosing one of a multitude of data sets being registered with a device.
  • the invention further relates to a device for presenting one of a multitude of data sets being registered with the device, to a remote device as well as a remote device itself.
  • Identification products such as smart cards and RFID (“Radio Frequency Identification”) tags are used widely in fields such as transport (ticketing, road tolling, baggage tagging), finance (debit and credit cards, electronic wallet, merchant card), communications (SIM cards for GSM phones), and tracking (access control, inventory management, asset tracking).
  • International standard ISO14443A is the industrial standard for contactless smart cards.
  • ISO14443A-compliant products such as MIFARE™ provide RF communication technology for transmitting data between a card or a tag and a reader device. For example, in electronic ticketing for public transport, travelers just wave their card over a reader at the turnstiles or entry point, benefiting from improved convenience and speed in the ticketing process.
  • NFC Near Field Communication
  • WiFi Wireless Ethernet
  • a method according to the invention can be characterized in the way defined below, that is: A method of choosing one of a multitude of data sets being registered with a device, wherein after being chosen the one data set is presented to a remote device by the device, and wherein each data set is associated with a specific key, the method comprising the following steps of: a) encrypting exchange information a1) in the device using one key of the keys associated with a data set and sending encrypted exchange information to the remote device, or a2) in the remote device using a key stored in the remote device and sending encrypted exchange information to the device, b) decrypting the encrypted exchange information b1) in the remote device using the one key stored in the remote device when following step a1), or b2) in the device using one key of the keys associated with a data set when following step a2), c) comparing the exchange information with the exchange information decrypted in accordance with step b), and d) presenting
  • a remote device according to the invention can be characterized in the way defined below, that is:
  • a remote device provided for communication with a device, which device is arranged for presenting one of a multitude of data sets being registered with the device to said remote device, comprising means for generating exchange information, means for transmitting the exchange information to the device, means for receiving encrypted data from said device, means for decrypting said encrypted information with a key stored in the remote device, means for comparing the exchange information with the decrypted exchange information, and means for sending the result of the comparing means to the device.
  • a remote device provided for communication with a device, which device is arranged for presenting one of a multitude of data sets being registered with the device to said remote device, comprising means for encrypting exchange information with a key stored in the remote device, means for transmitting encrypted exchange information to the device, means for receiving decrypted exchange information from said device, means for comparing the exchange information with the decrypted exchange information, and means for sending the result of the comparing means to the device.
  • the characteristic features according to the invention provide the advantage that it is no longer necessary for a user to have to choose the application on the device manually since due to the proposed communication between the device and the remote device the device automatically determines which application or which data corresponding to a certain application have to be presented to the remote device.
  • step b2 presenting a data set to the remote device if the result of the comparison is true or, if said comparison is false, restarting with the generating or decrypting step using a key associated with a further data set in step b2).
  • This embodiment of the invention provides the further advantage that the communication between the device and the remote device (sending the exchange information by the device and sending encrypted information by the remote device) has to take place only once, as the subsequent decryption with different keys takes place only in the device.
  • the different data sets according to specific applications are "registered” with the device.
  • the term “registered” means that the data sets have not necessarily to be stored directly in the device but can also be stored for example in a (further) remote device such as a remote server from where the necessary data set is retrieved after being chosen. Furthermore, it is also imaginable that the keys associated with the data sets are not stored in the device but downloaded when they are required.
  • the multitude of data sets and/or the associated keys are stored in the device.
  • the advantage is achieved that the proposed interaction between the device and a remote device can immediately start when both devices are brought into contact. It is not necessary then to establish a possibly slow and unstable connection to a remote server. Furthermore, it should be noted that under certain circumstances (subway, aircraft, etc.) it may happen that a connection to a remote server cannot be established since a network is not available. Therefore, it is especially of advantage when both the data sets and the corresponding keys are stored in the device.
  • the measures of a specific solution namely that the data sets are stored in encrypted form in a first memory in the device, the chosen encrypted data set according to step d) being decrypted with the associated key, the decrypted data set being stored in a more tamper-resistant second memory in the device, provide the advantage that on the one hand it is possible to use a large cheap first memory for permanently storing encrypted data and to use a small expensive second memory for temporarily storing decrypted data when it is to be used.
  • This second memory can be shared by several applications which decreases technical effort and costs.
  • encrypted data which represents a smart card application is now decrypted and advantageously loaded into the second memory.
  • asymmetric ciphering can be used, meaning that private and public keys have to be used.
  • the exchange information can be encrypted with a private key and decrypted with the public key and vice versa.
  • Symmetric ciphering is applicable as well.
  • the measures that the key being stored in the remote device is identical to one of the keys being stored in the device provides the advantage that the well known communication between a reader and a tag may be used for the purposes of the invention meaning that only fewer changes have to be implemented than in the case of asymmetric ciphering, and that usually state-of-the art readers may be used for the purpose of the invention.
  • NFC operates in the 13.56 MHz frequency range, over a distance of typically a few centimeters, but engineers also work on a system which operates with greater distances of up to 1 m.
  • NFC technology is standardized in ISO 18092, ECMA 340 and ETSI TS 102 190.
  • NFC is also compatible with the broadly established contactless smart card infrastructure based on ISO 14443.
  • NFC interfaces usually already comprise a tamper-resistant memory and an encrypt/decrypt module as well. Hence it is favorable to use these modules for the invention.
  • the first memory is additionally arranged for storing functions for operating said device.
  • Devices usually comprise an unsecured main memory for storing the operating system of the device.
  • encrypted data as well as functions for the operating system are stored in the first memory. Therefore, the first memory is used in a synergetic way.
  • said second memory is arranged for storing said key.
  • said key for decrypting encrypted data is stored in the device itself.
  • said key should be stored in the tamper-resistant second memory to avoid abusive use of encrypted data.
  • Figure 1 shows service initialization as well as usage of encrypted data.
  • Figure 2 shows an alternative embodiment for setting up a service.
  • Figure 3 shows a first embodiment of a method of choosing one of a multitude of encrypted data sets according to the invention.
  • Figure 4 shows a second embodiment of a method of choosing one of a multitude of encrypted data sets according to the invention.
  • Figure 5 shows the standard authentication procedure between an RFID tag and a reader.
  • Figure 6 shows again the second embodiment of a method as shown in Figure 4 based on a standard authentication for an RFID tag according to Figure 5.
  • Figures 7-10 show an overview of the different variants of a method according to the invention.
  • FIGS. 1 and 2 show a device and a method wherein encrypted data DATenc stored in a device DEV can be used in decrypted format without providing access to said decrypted data DAT to the owner of the device DEV.
  • a device DEV may be used with advantage for the invention described.
  • Figure 1 shows an arrangement comprising a device DEV as well as two remote devices formed by a server SER and a reader RD.
  • Said device DEV, which is a mobile phone or a PDA for this example, comprises a first memory MEM1 and a more tamper-resistant second memory MEM2 as well as an encrypt/decrypt module ENC/DEC.
  • Said first memory MEM1 in this example is assumed to be the memory for the operating system and other data necessary for the use of the device DEV. Since there are usually no or only minor procedures to secure the main memory of a device DEV against abusive use it is normally quite easy to change data stored in such a memory. Hence sensitive data, for example the IMSI (International Mobile Subscriber
  • SIM Subscriber Identification Module
  • a further example is smart cards which more and more are part of mobile phones or emulated by mobile phones respectively.
  • This interface accomplishes the short range communication with a reader RD and normally comprises also a tamper-resistant memory as well as means for encrypting and decrypting.
  • second memory MEM2 and the encrypt/decrypt module ENC/DEC are part of an NFC (Near Field Communication) interface INT.
  • the reader RD which is also capable of communicating according to the NFC standard transmits encrypted data DATenc to the device DEV (solid line).
  • the encrypted data DATenc represents an application for ticketing in public transport which is to be installed in the device DEV before it can be used.
  • said encrypted data DATenc is therefore stored in the first memory MEM1.
  • the encrypted data DATenc can be provided by a server SER as well. This is indicated by a dashed line from the server SER to the device DEV in the figure. In this case it is assumed that the server SER is part of the internet and holds the aforesaid application.
  • the encrypted data DATenc can be downloaded via a comparably fast (and unsecured) internet connection. Said request can be sent to the server SER by the device DEV directly or by the reader RD.
  • the device DEV is ready to be used now.
  • the key K is sent from the reader RD to the device DEV in a second step (solid line).
  • the encrypted data DATenc is read from the first memory MEM1 and is decrypted by means of the encrypt/decrypt module ENC/DEC and the key K received from the reader RD.
  • the result of this decryption namely the data DAT is stored in the second memory MEM2.
  • the data DAT can include variables and code as well.
  • the key K is stored in the device DEV during initialization of a service, that means, when the encrypted data DATenc is received from the reader RD or the server SER.
  • the encrypted data DATenc can be transmitted via an unsecured communication channel as shown above.
  • the only restriction is that the key K is kept secret.
  • the small key K is transmitted via a slow but secure near field communication (dash-and-dot line) and stored in the second memory MEM2.
  • the device DEV is ready to be used now again wherein the procedure can be started manually for example instead of remotely by the reader RD.
  • the key K is not received from the reader RD but transmitted from the second memory MEM2 to the encrypt/decrypt module ENC/DEC.
  • the encrypted data DATenc is decrypted and the result of this decryption, the data DAT, is stored in the second memory MEM2.
  • the communication between the device DEV and the reader RD can take place as indicated before.
  • the communication channel between the device DEV and the reader RD is assumed to be secure.
  • the second memory MEM2 is tamper resistant as stated before. Hence it is not possible to misuse the key K to abusively change the encrypted data DATenc and, for instance, to buy tickets without paying.
  • the advantage of this method is, that applications which generally use large memory spaces can be stored in a cheap standard memory and are temporarily loaded into an expensive tamper-resistant second memory MEM2 which in this way can be shared between several services as explained later in more detail.
  • FIG 2 shows an alternative embodiment of the inventive device DEV.
  • the device DEV is again shown in combination with two remote devices formed by a server SER and a reader RD.
  • the device DEV comprises a random number generator RAND which is part of the NFC interface INT.
  • the function of the arrangement of Figure 2 is as follows: First of all the unencrypted data DAT is transmitted from the reader RD to the device DEV via a short range communication and stored there in the second memory MEM2 (solid line). In a second step a random key K is generated by the random number generator RAND and is stored in the second memory MEM2 as well as sent to the encrypt/decrypt module ENC/DEC. In a third step the data DAT is encrypted with said key K by means of the encrypt/decrypt module ENC/DEC. Finally, the result of this step, namely the encrypted data DATenc, is stored in the first memory MEM1 in a fourth step.
  • the data DAT can also be transmitted by the server SER (dashed line).
  • a secure communication channel should exist between the server SER and the device DEV since the data DAT is not encrypted. It is also imaginable that the data DAT is transmitted via a tamper-resistant communication channel (for example by means of a company internal network) from the server SER to the reader RD (dash-and-dot line) and is then transmitted to the device DEV via a short-range radio communication link.
  • FIGS 3 - 10 describe different embodiments of a method of presenting to a reader RD one of a multitude of applications being registered, especially being stored in a device DEV.
  • the Figures 1 and 2 show such a device DEV which can be used for a method to present one of a multitude of applications to a reader RD.
  • Figures 1 and 2 explain how encrypted data DATenc can be stored in such a device DEV in decrypted format without providing access to said decrypted data DAT to the owner (or other persons) of the device DEV.
  • the use of such an inventive device DEV for a method according to this invention as claimed and as described in the following ( Figures 3 - 6) is of advantage.
  • Figure 3 shows a first realization of a method according to the invention how a certain application can be presented to a remote device, here in the form of a reader RD.
  • the encrypted data DATenc is divided into several encrypted data sets DS1enc..DSnenc which represent different smart card applications, one for public transport, one for cinema ticketing, one for a company identification card, etc.
  • These encrypted data sets DS1enc..DSnenc have been stored before during initialization routines shown in Figure 1 or 2. It is also possible that the applications have been stored in a different way, for example directly by the provider of the device DEV (e.g. mobile phone).
  • Each encrypted data set DS1enc..DSnenc has an associated key K1..Kn which is stored in the second memory MEM2.
  • the device DEV additionally comprises a comparator COMP and the reader RD additionally comprises an encrypt/decrypt module ENC/DEC.
  • this random number R is encrypted by the device DEV with one key Kx out of the multitude of keys K1..Kn. Said key Kx is also used for decrypting an associated encrypted data set DSx. Subsequently, the encrypted random number Renc is transmitted to the reader RD in a third step. In a fourth step the encrypted random number Renc is decrypted with a reader key Krd by means of the encrypt/decrypt module ENC/DEC of the reader RD. The result of this operation, the reader random number Rrd, is then sent back to the device DEV and is compared with the original random number R by means of the comparator COMP in a fifth step.
  • the correct key Kx is found (for correct operation symmetrical encryption is assumed). Then, in a sixth step the encrypted data set DSxenc, which is associated with said key Kx, is decrypted by means of the encrypt/decrypt module ENC/DEC with key Kx. In a seventh step the result of the decryption, namely the data DSx, is stored in the second memory MEM2 (dashed line). Now the device DEV is ready to be used for public transport for example.
  • the result of said comparison is false, i.e. if the random number R and the reader random number Rrd are not identical, the key Kx used on the device DEV and the key Krd used on the reader RD are not identical, which means that the correct data set/the correct application has not yet been found.
  • a new cycle starts, with a new random number being generated or the same random number R as already generated in the first cycle is used, the random number R being encrypted with a new key on the device DEV.
  • the encrypted random number is sent to the remote reader RD etc. Said cycle is recursively performed until the result of the aforesaid comparison is true.
  • FIG 4 shows a further realization of a method according to the invention how a certain application can be presented to a reader RD.
  • encrypted data DATenc is divided into several encrypted data sets DS1enc..DSnenc which represent different smart card applications, one for public transport, one for cinema ticketing, one for a company identification card, etc.
  • These encrypted data sets DS1enc..DSnenc have been stored before during initialization routines shown in Figure 1 or 2. It is also possible that applications have been stored in a different way, for example directly by the provider of device DEV (e.g. mobile phone), as already mentioned above.
  • each encrypted data set DS1enc..DSnenc has an associated key K1..Kn which is stored in the second memory MEM2.
  • the device DEV additionally comprises a comparator COMP and the reader RD additionally comprises an encrypt/decrypt module ENC/DEC.
  • exchange information is generated by the device DEV. Again it is of advantage when the exchange information is a random number R which is generated by the random number generator RAND. In a second step this random number R is transmitted by the device DEV to the reader RD. In a third step this random number R is encrypted by the reader RD with the key Krd stored in the reader RD. The encrypted random number Renc' is transmitted back to the device DEV by the reader RD in a fourth step.
  • This encrypted random number Renc' is decrypted with one key Kx of the keys K1..Kn stored in the device DEV in a fifth step by means of the encrypt/decrypt module ENC/DEC of the device DEV and the resulting random number R' is compared in the comparator COMP with the original random number R in a sixth step.
  • the key Kx for decryption in the device DEV and the key Krd for encryption in the reader RD are identical. This means that the correct application or data set DSxenc to be presented to the reader RD is found.
  • the encrypted data set DSxenc which is associated with said key Kx is decrypted by means of the encrypt/decrypt module ENC/DEC with the key Kx in the device DEV.
  • the result of the decryption namely the data DSx is stored in the second memory MEM2 (dashed line). Now the device DEV is ready to be used for public transport for example.
  • the key Kx used in the device DEV and the key Krd used on the reader RD are not identical, which means that the correct data set/the correct application has not yet been found.
  • another key stored in the device DEV is used to decrypt the encrypted random number Renc' and the resulting random number is compared with the original random number R. This procedure is repeated until the random numbers R and R' are identical and the correct application is found.
  • the method as described in connection with Figure 4 offers the advantage that the encryption of the random number R to an encrypted random number Renc' and the communication between the device DEV and the reader RD (sending the random number R and the encrypted number Renc') have to take place only once, as the subsequent decryption with different keys takes place only in the device DEV.
  • the method as described in Figure 3 makes it necessary - if the correct application cannot be found in the first cycle - that again a communication between the device DEV and the reader RD in both directions has to take place.
  • Figure 5 shows the well-known communication between a transponder, for example an RFID tag TRA, which has stored the data for one application and the corresponding key K, and a reader RD.
  • RFID tags require authentication before any communication can occur.
  • Figure 5 shows this interaction.
  • the mutual authentication procedure begins with the reader RD sending a GET_CHALLENGE command to the tag TRA.
  • a random number R is then generated in the tag TRA and sent back to the reader RD.
  • the reader RD uses its secret key Krd which is stored in the reader RD and a common algorithm to calculate an encrypted data block TK1, which contains the encrypted random number Renc' and additional control data and sends it back to the tag TRA.
  • This process of authentication between a reader RD and a tag TRA is also used in a method according to the invention as described in Figure 4.
  • the tag TRA of Figure 5 is replaced by a device DEV such as, for example, a mobile phone or a PDA as described in Figure 4.
  • Different tags e.g. Underground Ticket, Cinema Ticket, etc.
  • This registration contains the encrypted data sets DS1enc..DSnenc as well as the keys K1..Kn used for authentication.
  • the encrypted data sets DS1enc..DSnenc are stored in a database CDB in secure memory MEM1 as described above in Figure 4.
  • the keys K1..Kn are stored in a key database KDB in the device DEV in a secure, more tamper-resistant memory MEM2.
  • the device DEV retrieves a key Kx from the key database KDB and uses this to decrypt the encrypted data block TK1.
  • the device DEV tries one key after the other until the correct key is found, and the device DEV presents the correct data set DSxenc (DSx) to the reader RD as described in more detail in Figure 4.
  • the downloaded data set DSxenc is stored in the device DEV and can then be presented by the device DEV to a remote device RD.
  • the device DEV is a (mobile) phone it is then possible that the device DEV retrieves a data set associated with a specific application from the remote database CDB of the registered applications (tags). The data set is then loaded into the operation memory of the NFC Hardware. Now the interaction can continue in the standard mode of operation, since the device DEV is emulating just one tag TRA.
  • each encrypted data set DSx is associated with two keys. One for decryption and one which is identical with a reader key Krd.
  • the encrypt/decrypt module ENC/DEC, the random number generator RAND as well as the comparator COMP are not necessarily part of the NFC interface INT. However, the arrangement shown is preferred since the NFC interface INT as a whole is assumed to be tamper resistant or at least more tamper resistant than the remaining part of the device DEV.
  • the invention is not limited to smart card applications. Rather any device where encrypted data has to be decrypted is suitable, in particular adapted PCs having a secure second memory. It is not necessary either for the device DEV to communicate with a reader RD. It is imaginable that communication takes place between two similar devices DEV (e.g. two NFC compatible mobile phones). One application could be the exchange of (digital) money between two phones each with an encrypted account.
  • Figure 7 depicts schematically the method as already shown in Figure 3:
  • the device DEV creates a random number R, encrypts this random number R with one key Kx of the keys K1..Kn stored in the device DEV and sends the encrypted random number Renc to the reader RD.
  • the reader RD decrypts the number Renc with the reader key Krd stored in the reader RD (the reader key Krd is identical to one of the keys K1..Kn stored in the device DEV). This decrypted reader number Rrd is sent back to the device DEV, where the original random number R and the reader number Rrd are compared to identify the correct application.
  • Figure 8 shows schematically the method of Figures 4 and 6, where the random number R generated by the device DEV is sent to the reader RD.
  • the reader RD encrypts the random number R with the reader key Krd to an encrypted reader number Renc' and sends this number Renc' back to the device DEV.
  • the device DEV decrypts this encrypted number Renc' with one key Kx of the keys K1..Kn stored in the device DEV and compares the resulting number R' with the original random number R. This process of decrypting the encrypted number Renc' with keys K1..Kn stored in the device DEV is repeated until the correct application is found.
  • the exchange information i.e. usually a random number R, is generated by the reader RD.
  • the random number R is sent to the device DEV, where it is encrypted with one key Kx of the keys K1..Kn to an encrypted number Renc. This number Renc is sent back to the reader RD where it is decrypted by means of a reader key Krd.
  • the resulting number R' is compared with the original random number R. If the original random number R and the decrypted number R' are identical, the correct key/the correct application is found. If the comparison is not true, the device DEV encrypts the random number R with another key and sends it to the reader RD etc. In this case the reader RD can send the random number R to the device DEV so that the device DEV can detect that a further encryption is necessary, or certain specific information is sent to the device DEV.
  • A further embodiment is shown in Figure 10.
  • the reader RD generates a random number R, encrypts the random number R with the reader key Krd and sends the encrypted number Renc' to the device DEV.
  • the device DEV decrypts the encrypted number Renc' by means of one key Kx of the keys K1..Kn.
  • the resulting number R' is compared with the original random number R, preferably as depicted in the reader RD.
  • the reader RD further sends the original random number R to the device DEV, so that the comparison may take place in the device DEV.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephone Function (AREA)

Abstract

A method of choosing one of a multitude of data sets (DS1enc..DSnenc) being registered with a device (DEV), wherein each data set (DS1enc..DSnenc) is associated with a specific key (K1..Kn), wherein exchange information (R) is encrypted in the device (DEV) using one key (Kx) of the keys (K1..Kn), encrypted exchange information (Renc) is sent to the remote device (RD), decrypted there using the one key (Krd) stored in the remote device (RD), and decrypted exchange information (Rrd) is then sent back to device (DEV). Subsequently, the exchange information (R) is compared with the decrypted exchange information (Rrd). If the two are equal, the right data set (DSx) is found, otherwise the cycle starts again with another key. Roles of device (DEV) and remote device (RD) may change so that the cycle may be initiated in remote device (RD). The invention also relates to a device for presenting one of a multitude of data sets being registered with the device to a remote device.

Description

Method of choosing one of a multitude of data sets being registered with a device and corresponding device
FIELD OF THE INVENTION
The invention relates to a method of choosing one of a multitude of data sets being registered with a device.
The invention further relates to a device for presenting one of a multitude of data sets being registered with the device, to a remote device as well as a remote device itself.
BACKGROUND OF THE INVENTION
Identification products such as smart cards and RFID ("Radio Frequency Identification") tags are used widely in fields such as transport (ticketing, road tolling, baggage tagging), finance (debit and credit cards, electronic wallet, merchant card), communications (SIM cards for GSM phones), and tracking (access control, inventory management, asset tracking). International standard ISO 14443A is the industrial standard for contactless smart cards. ISO 14443A-compliant products such as MIFARE™ provide RF communication technology for transmitting data between a card or a tag and a reader device. For example, in electronic ticketing for public transport, travelers just wave their card over a reader at the turnstiles or entry point, benefiting from improved convenience and speed in the ticketing process. Such products are set to be the key to individual mobility in the future, supporting multiple applications including road tolling, airline tickets, access control and many more.
Evolving from a combination of contactless identification and networking technologies, Near Field Communication (NFC) is a very short-range wireless technology, for distances measured in centimeters, and is optimized for intuitive, easy and secure communications between various devices without user configuration. In order to make two devices communicate, users bring them close together or even make them touch. The devices' NFC interfaces will automatically connect and configure themselves to form a peer-to-peer network. NFC can also bootstrap other protocols like Bluetooth™ or Wireless Ethernet (WiFi) by exchanging the configuration and session data. NFC is compatible with contactless smart card platforms. This enables NFC devices to read information from these cards, making contactless smart cards the ideal solution for bringing information and vouchers into the NFC world. NFC interfaces are nowadays widely used in mobile phones and other mobile devices.
From WO 01/93212 and WO 04/57890 such devices are known which are also capable of emulating several smart cards. When a particular application needs to be used, for example Underground Ticketing, this application can be presented by the device to the corresponding reader. So, for example, mobile phones can be used by consumers to replace all their contactless smart cards, turning the mobile phone into a universal key and wallet.
However, for choosing the application the user of the device has to select on the device which card has to be emulated. This is not user friendly and is seen to be a major barrier in the acceptance of devices which are capable of emulating several smart cards.
OBJECT AND SUMMARY OF THE INVENTION
It is an object of the invention to provide a method of the type defined in the opening paragraph and a device as well as a remote device of the type defined in the second paragraph, which allow to automatically present the application to a remote device such as a reader without the need of user intervention.
In order to achieve the object defined above, with a method according to the invention characteristic features are provided so that a method according to the invention can be characterized in the way defined below, that is:
A method of choosing one of a multitude of data sets being registered with a device, wherein after being chosen the one data set is presented to a remote device by the device, and wherein each data set is associated with a specific key, the method comprising the following steps of:
a) encrypting exchange information
a1) in the device using one key of the keys associated with a data set and sending encrypted exchange information to the remote device, or
a2) in the remote device using a key stored in the remote device and sending encrypted exchange information to the device,
b) decrypting the encrypted exchange information
b1) in the remote device using the one key stored in the remote device when following step a1), or
b2) in the device using one key of the keys associated with a data set when following step a2),
c) comparing the exchange information with the exchange information decrypted in accordance with step b), and
d) presenting a data set to the remote device by the device if the result of the comparison is true or, if said comparison is false, performing steps a) to d) using a key associated with a further data set in step a1) or in step b2).
In order to achieve the object defined above, with a device according to the invention characteristic features are provided so that a device according to the invention can be characterized in the way defined below, that is:
A device for presenting one of a multitude of data sets being registered with the device to a remote device, wherein each data set is associated with a specific key, and wherein the device comprises means for encrypting exchange information with one of the keys associated with a data set, means for transmitting encrypted exchange information to a remote device, means for receiving decrypted exchange information from said remote device, means for comparing the exchange information with the decrypted exchange information, and means for choosing the one data set interacting with the comparing means. Furthermore, in order to achieve the object defined above, with a device according to the invention characteristic features are provided, so that a device according to the invention can be characterized in the way defined below, that is:
A device for presenting one of a multitude of data sets being registered with the device to a remote device, wherein each data set is associated with a specific key, and wherein the device comprises means for generating exchange information, means for transmitting the exchange information to the remote device, means for receiving encrypted data from said remote device, means for decrypting said encrypted information with one of the keys associated with a data set, means for comparing the exchange information with the decrypted exchange information, and means for choosing the one data set interacting with the comparing means.
In order to achieve the object defined above, with a remote device according to the invention characteristic features are provided so that a remote device according to the invention can be characterized in the way defined below, that is:
A remote device provided for communication with a device, which device is arranged for presenting one of a multitude of data sets being registered with the device to said remote device, comprising means for generating exchange information, means for transmitting the exchange information to the device, means for receiving encrypted data from said device, means for decrypting said encrypted information with a key stored in the remote device, means for comparing the exchange information with the decrypted exchange information, and means for sending the result of the comparing means to the device.
Furthermore, in order to achieve the object defined above, with a remote device according to the invention characteristic features are provided so that a remote device according to the invention can be characterized in the way defined below, that is:
A remote device provided for communication with a device, which device is arranged for presenting one of a multitude of data sets being registered with the device to said remote device, comprising means for encrypting exchange information with a key stored in the remote device, means for transmitting encrypted exchange information to the device, means for receiving decrypted exchange information from said device, means for comparing the exchange information with the decrypted exchange information, and means for sending the result of the comparing means to the device.
The characteristic features according to the invention provide the advantage that it is no longer necessary for a user to have to choose the application on the device manually since due to the proposed communication between the device and the remote device the device automatically determines which application or which data corresponding to a certain application have to be presented to the remote device.
An important advantage of the proposed method as well as of the device is that a key never appears in the radio communication which otherwise could theoretically be spied out.
In a first embodiment of the method according to the invention it is provided that the following steps are performed by the device:
- generating exchange information,
- encrypting said exchange information according to step a1),
- receiving decrypted exchange information from said remote device,
- comparing the exchange information according to step c), and
- presenting a data set to the remote device if the result of the comparison is true or, if said comparison is false, restarting with the generating or encrypting step using a key associated with a further data set in step a1).
These measures provide the advantage that due to the fact that the exchange information is generated in the device, the communication between the device and the remote device can be reduced, which helps to save time and increase security. However, it should be noted that in principle it is possible for the exchange information to be created on the remote device.
In an even more favorable embodiment of a method according to the invention it is provided that the following steps are performed by the device:
- generating exchange information and transmitting it to the remote device,
- receiving encrypted exchange information from said remote device,
- decrypting said encrypted exchange information according to step b2),
- comparing the exchange information according to step c), and
- presenting a data set to the remote device if the result of the comparison is true or, if said comparison is false, restarting with the generating or decrypting step using a key associated with a further data set in step b2).
This embodiment of the invention provides the further advantage that the communication between the device and the remote device (sending the exchange information by the device and sending encrypted information by the remote device) has to take place only once, as the subsequent decryption with different keys takes place only in the device.
Security of the communication between the device and the remote device can be improved when the exchange information is a random number. Using a random number as exchange information provides the advantage that so-called "replay-attacks" are not possible. The different data sets according to specific applications are "registered" with the device. The term "registered" means that the data sets have not necessarily to be stored directly in the device but can also be stored for example in a (further) remote device such as a remote server from where the necessary data set is retrieved after being chosen. Furthermore, it is also imaginable that the keys associated with the data sets are not stored in the device but downloaded when they are required.
However, in an advantageous embodiment of the invention it is provided that the multitude of data sets and/or the associated keys are stored in the device.
With these measures the advantage is achieved that the proposed interaction between the device and a remote device can immediately start when both devices are brought into contact. It is not necessary then to establish a possibly slow and unstable connection to a remote server. Furthermore, it should be noted that under certain circumstances (subway, aircraft, etc.) it may happen that a connection to a remote server cannot be established since a network is not available. Therefore, it is especially of advantage when both the data sets and the corresponding keys are stored in the device.
As already mentioned above it is an advantage of the proposed method as well as of the device that a key never appears in the radio communication with the remote device, which otherwise could theoretically be spied out. However, to further improve security it is of advantage that the data are stored in the device in a secure manner, for example to prevent unauthorized access to the data by the user or another person.
Especially the measures of a specific solution, namely that the data sets are stored in encrypted form in a first memory in the device, the chosen encrypted data set according to step d) being decrypted with the associated key, the decrypted data set being stored in a more tamper-resistant second memory in the device, provide the advantage that on the one hand it is possible to use a large cheap first memory for permanently storing encrypted data and to use a small expensive second memory for temporarily storing decrypted data when it is to be used. This second memory can be shared by several applications which decreases technical effort and costs. According to the invention encrypted data which represents a smart card application is now decrypted and advantageously loaded into the second memory.
For the ciphering process described above asymmetric ciphering can be used, meaning that private and public keys have to be used. Hence the exchange information can be encrypted with a private key and decrypted with the public key and vice versa. Symmetric ciphering is applicable as well.
However, the measure that the key being stored in the remote device is identical to one of the keys being stored in the device provides the advantage that the well known communication between a reader and a tag may be used for the purposes of the invention, meaning that fewer changes have to be implemented than in the case of asymmetric ciphering, and that usually state-of-the-art readers may be used for the purpose of the invention.
It is advantageous when the above mentioned second memory and/or said decrypting means are part of an NFC interface. As already described above the NFC technology evolved from a combination of contactless identification, namely the RFID technology, and interconnection technologies. NFC operates in the 13.56 MHz frequency range, over a distance of typically a few centimeters, but engineers also work on a system which operates with greater distances of up to 1 m. NFC technology is standardized in ISO 18092, ECMA 340 and ETSI TS 102 190. NFC is also compatible with the broadly established contactless smart card infrastructure based on ISO 14443. NFC interfaces usually already comprise a tamper-resistant memory and an encrypt/decrypt module as well. Hence it is favorable to use these modules for the invention.
It is further advantageous, when the first memory is additionally arranged for storing functions for operating said device. Devices usually comprise an unsecured main memory for storing the operating system of the device. In this embodiment encrypted data as well as functions for the operating system are stored in the first memory. Therefore, the first memory is used in a synergetic way.
Finally, it is advantageous when said second memory is arranged for storing said key. For some applications it is beneficial when the key for decrypting encrypted data is stored in the device itself. In this case said key should be stored in the tamper-resistant second memory to avoid abusive use of encrypted data.
BRIEF DESCRIPTION OF THE DRAWINGS
The aspects defined above and further aspects of the invention are apparent from the examples of embodiment to be described hereinafter and are explained with reference to these examples of embodiment. The invention is now explained in more detail by means of figures which show advantageous embodiments of the invention. It is noted that the examples may not serve to narrow the broad scope of the invention.
Figure 1 shows service initialization as well as usage of encrypted data.
Figure 2 shows an alternative embodiment for setting up a service.
Figure 3 shows a first embodiment of a method of choosing one of a multitude of encrypted data sets according to the invention.
Figure 4 shows a second embodiment of a method of choosing one of a multitude of encrypted data sets according to the invention.
Figure 5 shows the standard authentication procedure between an RFID tag and a reader.
Figure 6 shows again the second embodiment of a method as shown in Figure 4 based on a standard authentication for an RFID tag according to Figure 5.
Figures 7 - 10 show an overview of the different variants of a method according to the invention.
DESCRIPTION OF EMBODIMENTS
The figures 1 and 2 show a device and a method wherein encrypted data DATenc stored in a device DEV can be used in decrypted format without providing access to said decrypted data DAT to the owner of the device DEV. Such a device DEV may be used with advantage for the invention described. In particular Figure 1 shows an arrangement comprising a device DEV as well as two remote devices formed by a server SER and a reader RD. Said device DEV which is a mobile phone or a PDA for this example comprises a first memory MEM1 and a more tamper-resistant second memory MEM2 as well as an encrypt/decrypt module ENC/DEC. Said first memory MEM1 in this example is assumed to be the memory for the operating system and other data necessary for the use of the device DEV. Since there are usually no or only minor procedures to secure the main memory of a device DEV against abusive use it is normally quite easy to change data stored in such a memory. Hence sensitive data, for example the IMSI (International Mobile Subscriber Identity) in case of a mobile phone, is stored in a tamper-resistant memory, for example in a SIM (Subscriber Identification Module). A further example is smart cards which more and more are part of mobile phones or emulated by mobile phones respectively. In this context also an interface operating according to the standard for Near Field Communication (NFC) has to be mentioned. This interface accomplishes the short range communication with a reader RD and normally comprises also a tamper-resistant memory as well as means for encrypting and decrypting. Hence it is assumed for this example that second memory MEM2 and the encrypt/decrypt module ENC/DEC are part of an NFC (Near Field Communication) interface INT.
The function of the arrangement is as follows: In a first step the reader RD which is also capable of communicating according to the NFC standard transmits encrypted data DATenc to the device DEV (solid line). In the present case the encrypted data DATenc represents an application for ticketing in public transport which is to be installed in the device DEV before it can be used. Upon reception, said encrypted data DATenc is therefore stored in first memory MEM1.
Alternatively, the encrypted data DATenc can be provided by a server SER as well. This is indicated by a dashed line from the server SER to the device DEV in the figure. In this case it is assumed that the server SER is part of the internet and holds the aforesaid application. On request the encrypted data DATenc can be downloaded via a comparably fast (and unsecured) internet connection. Said request can be sent to the server SER by the device DEV directly or by the reader RD.
In principle, the device DEV is ready to be used now. Hence, when the device DEV is in the vicinity of the reader RD, the key K is sent from the reader RD to the device DEV in a second step (solid line). In a third step the encrypted data DATenc is read from the first memory MEM1 and is decrypted by means of the encrypt/decrypt module ENC/DEC and the key K received from the reader RD. In a fourth step the result of this decryption, namely the data DAT is stored in the second memory MEM2. Now communication between the device DEV and the reader RD can take place as it is known from prior art systems. The data DAT can include variables and code as well.
In an alternative embodiment the key K is stored in the device DEV during initialization of a service, that means, when the encrypted data DATenc is received from the reader RD or the server SER. The encrypted data DATenc can be transmitted via an unsecured communication channel as shown above. The only restriction is that the key K is kept secret. Hence the small key K is transmitted via a slow but secure near field communication (dash-and-dot line) and stored in the second memory MEM2.
In principle the device DEV is ready to be used now again wherein the procedure can be started manually for example instead of remotely by the reader RD. Additionally, in contrast to the method indicated above, the key K is not received from the reader RD but transmitted from the second memory MEM2 to the encrypt/decrypt module ENC/DEC. Again the encrypted data DATenc is decrypted and the result of this decryption, the data DAT, is stored in the second memory MEM2. The communication between the device DEV and the reader RD can take place as indicated before.
The communication channel between the device DEV and the reader RD is assumed to be secure. Also the second memory MEM2 is tamper resistant as stated before. Hence it is not possible to misuse the key K for abusively changing the encrypted data DATenc and to buy tickets without paying for instance. The advantage of this method is that applications which generally use large memory spaces can be stored in a cheap standard memory and are temporarily loaded into an expensive tamper-resistant second memory MEM2 which in this way can be shared between several services as explained later in more detail.
Figure 2 shows an alternative embodiment of the inventive device DEV. The device DEV is again shown in combination with two remote devices formed by a server SER and a reader RD. In addition to Figure 1 the device DEV comprises a random number generator RAND which is part of the NFC interface INT.
The function of the arrangement of Figure 2 is as follows: First of all the unencrypted data DAT is transmitted from the reader RD to the device DEV via a short range communication and stored there in the second memory MEM2 (solid line). In a second step a random key K is generated by the random number generator RAND and is stored in the second memory MEM2 as well as sent to the encrypt/decrypt module ENC/DEC. In a third step the data DAT is encrypted with said key K by means of the encrypt/decrypt module ENC/DEC. Finally, the result of this step, namely the encrypted data DATenc, is stored in the first memory MEM1 in a fourth step.
Again the data DAT can also be transmitted by the server SER (dashed line). In contrast to the embodiment of Figure 1 here a secure communication channel should exist between the server SER and the device DEV since the data DAT is not encrypted. It is also imaginable that the data DAT is transmitted via a tamper-resistant communication channel (for example by means of a company internal network) from the server SER to the reader RD (dash-and-dot line) and is then transmitted to the device DEV via a short-range radio communication link.
The following Figures 3 - 10 describe different embodiments of a method of presenting to a reader RD one of a multitude of applications being registered, especially being stored in a device DEV. The Figures 1 and 2 show such a device DEV which can be used for a method to present one of a multitude of applications to a reader RD. Furthermore, Figures 1 and 2 explain how encrypted data DATenc can be stored in such a device DEV in decrypted format without providing access to said decrypted data DAT to the owner (or other persons) of the device DEV. For this reason, the use of such an inventive device DEV for a method according to this invention as claimed and as described in the following (Figures 3 - 6) is of advantage.
However, it should be noted that in principle the method according to the invention as described in the following is also applicable using a device that does not comprise a first and a second memory MEM1 and MEM2 like the device DEV as described above in the Figures 1 and 2.
Furthermore, in principle it is not necessary to use encrypted data DATenc or data sets DS1enc..DSnenc as described in the following and the method according to the invention is also applicable to data (sets) which are stored in a device DEV without encryption. However, due to the reasons described above concerning the secure storage of encrypted data DATenc it is of advantage when the data (sets) used for the method are in encrypted form. The method according to the invention as claimed in the claims will therefore be described in the following using encrypted data DATenc. However, the scope of the invention is not restricted to the use of encrypted data sets DS1enc..DSnenc.
Figure 3 shows a first realization of a method according to the invention how a certain application can be presented to a remote device, here in the form of a reader RD. For this example it is assumed that the encrypted data DATenc is divided into several encrypted data sets DS1enc..DSnenc which represent different smart card applications, one for public transport, one for cinema ticketing, one for a company identification card, etc. These encrypted data sets DS1enc..DSnenc have been stored before during initialization routines shown in Figure 1 or 2. It is also possible that the applications have been stored in a different way, for example directly by the provider of the device DEV (e.g. mobile phone). Each encrypted data set DS1enc..DSnenc has an associated key K1..Kn which is stored in the second memory MEM2. In contrast to Figure 2 the device DEV additionally comprises a comparator COMP and the reader RD additionally comprises an encrypt/decrypt module ENC/DEC.
The function of the arrangement of Figure 3 is as follows: When the device DEV is in the proximity of a reader RD it has to be determined which of the applications represented by encrypted data sets DS1enc..DSnenc has to be chosen. In a first step exchange information is generated by the device DEV. It is of advantage when the exchange information is a random number R which is generated by the random number generator RAND.
In a second step this random number R is encrypted by the device DEV with one key Kx out of the multitude of keys K1..Kn. Said key Kx is also used for decrypting an associated encrypted data set DSx. Subsequently, the encrypted random number Renc is transmitted to the reader RD in a third step. In a fourth step the encrypted random number Renc is decrypted with a reader key Krd by means of the encrypt/decrypt module ENC/DEC of the reader RD. The result of this operation, the reader random number Rrd, is then sent back to the device DEV and is compared with the original random number R by means of the comparator COMP in a fifth step.
If the result of said comparison is true, meaning that the random number R and reader random number Rrd are identical, the correct key Kx is found (for correct operation symmetrical encryption is assumed). Then, in a sixth step the encrypted data set DSxenc, which is associated with said key Kx, is decrypted by means of the encrypt/decrypt module ENC/DEC with key Kx. In a seventh step the result of the decryption, namely the data DSx, is stored in the second memory MEM2 (dashed line). Now the device DEV is ready to be used for public transport for example.
In the case where the comparison of the random numbers is true, the key Kx associated with the encrypted data set DSxenc and used in the device DEV to encrypt the random number R and the key Krd used on the reader RD to decrypt the encrypted random number R are identical, Kx = Krd. This means that the correct application or data set DSxenc is found.
If the result of said comparison is false, i.e. if the random number R and the reader random number Rrd are not identical, the key Kx used on the device DEV and the key Krd used on the reader RD are not identical, which means that the correct data set/the correct application has not yet been found. A new cycle starts, with a new random number being generated or the same random number R as already generated in the first cycle is used, the random number R being encrypted with a new key on the device DEV. The encrypted random number is sent to the remote reader RD etc. Said cycle is recursively performed until the result of the aforesaid comparison is true.
Figure 4 shows a further realization of a method according to the invention how a certain application can be presented to a reader RD. Again it is assumed that encrypted data DATenc is divided into several encrypted data sets DS1enc..DSnenc which represent different smart card applications, one for public transport, one for cinema ticketing, one for a company identification card, etc. These encrypted data sets DS1enc..DSnenc have been stored before during initialization routines shown in Figure 1 or 2. It is also possible that applications have been stored in a different way, for example directly by the provider of device DEV (e.g. mobile phone), as already mentioned above.
Again each encrypted data set DS1enc..DSnenc has an associated key K1..Kn which is stored in the second memory MEM2. In contrast to Figure 2 the device DEV additionally comprises a comparator COMP and the reader RD additionally comprises an encrypt/decrypt module ENC/DEC.
The function of the arrangement of Figure 4 is as follows: When the device DEV is in the proximity of a reader RD it has to be determined which of the applications represented by the encrypted data sets DS1enc..DSnenc has to be chosen.
In a first step exchange information is generated by the device DEV. Again it is of advantage when the exchange information is a random number R which is generated by the random number generator RAND. In a second step this random number R is transmitted by the device DEV to the reader RD. In a third step this random number R is encrypted by the reader RD with the key Krd stored in the reader RD. The encrypted random number Renc' is transmitted back to the device DEV by the reader RD in a fourth step. This encrypted random number Renc' is decrypted with one key Kx of the keys K1..Kn stored in the device DEV in a fifth step by means of the encrypt/decrypt module ENC/DEC of the device DEV and the resulting random number R' is compared in the comparator COMP with the original random number R in a sixth step.
If the result of said comparison is true, i.e., the original random number R and the random number R' received by the decryption of the encrypted random number Renc' are identical, the key Kx for decryption in the device DEV and the key Krd for encryption in the reader RD are identical. This means that the correct application or data set DSxenc to be presented to the reader RD is found. Then in a seventh step the encrypted data set DSxenc which is associated with said key Kx is decrypted by means of the encrypt/decrypt module ENC/DEC with the key Kx in the device DEV. In an eighth step the result of the decryption, namely the data DSx is stored in the second memory MEM2 (dashed line). Now the device DEV is ready to be used for public transport for example.
As already mentioned above, in the case where the comparison of the random numbers is true, the key Kx used in the device DEV to decrypt the encrypted random number Renc' and the key Krd used in the reader RD to encrypt the original random number R are identical, Kx = Krd. This means that the correct application or encrypted data set DSxenc is found.
If the result of said comparison is false, i.e. the random numbers R and R' are not identical, the key Kx used in the device DEV and the key Krd used on the reader RD are not identical, which means that the correct data set/the correct application has not yet been found. In this case another key stored in the device DEV is used to decrypt the encrypted random number Renc' and the resulting random number is compared with the original random number R. This procedure is repeated until the random numbers R and R' are identical and the correct application is found.
The method as described in connection with Figure 4 offers the advantage that the encryption of the random number R to an encrypted random number Renc' and the communication between the device DEV and the reader RD (sending the random number R and the encrypted number Renc') have to take place only once, as the subsequent decryption with different keys takes place only in the device DEV. In contrast to this, the method as described in Figure 3 makes it necessary - if the correct application cannot be found in the first cycle - that again a communication between the device DEV and the reader RD in both directions has to take place.
The method as described in Figure 4 will be described further with reference to Figures 5 and 6. Figure 5 shows the well-known communication between a transponder, for example an RFID tag TRA, which has stored the data for one application and the corresponding key K, and a reader RD. In general, RFID tags require authentication before any communication can occur. Figure 5 shows this interaction. The mutual authentication procedure begins with the reader RD sending a GET_CHALLENGE command to the tag TRA. A random number R is then generated in the tag TRA and sent back to the reader RD. The reader RD uses its secret key Krd which is stored in the reader RD and a common algorithm to calculate an encrypted data block TK1, which contains the encrypted random number Renc' and additional control data, and sends it back to the tag TRA. The received encrypted data block TK1 is decrypted in the tag TRA and the random number R' contained in the data block TK1 is compared to the previously transmitted number R. If the two correspond, then the tag TRA has detected that the same key K=Krd is in use. The tag TRA then encrypts the control data transmitted by the reader RD and sends this back with a second encrypted data block TK2, allowing the reader RD to also verify that the same key K=Krd is in use in a similar way. Assuming that the reader RD also detects that the same key K=Krd is in use, finally data exchange between tag TRA and reader RD can take place.
This process of authentication between a reader RD and a tag TRA is also used in a method according to the invention as described in Figure 4. In Figure 6 the tag TRA of Figure 5 is replaced by a device DEV such as, for example, a mobile phone or a PDA as described in Figure 4. Different tags, e.g. Underground Ticket, Cinema Ticket, etc., are registered with the device DEV. This registration contains the encrypted data sets DS1enc..DSnenc as well as the keys K1..Kn used for authentication. The encrypted data sets DS1enc..DSnenc are stored in a database CDB in secure memory MEM1 as described above in Figure 4. The keys K1..Kn are stored in a key database KDB in the device DEV in a secure, more tamper-resistant memory MEM2.
When the device DEV is presented to a reader RD, the basic interaction as described with reference to Figure 5 is used initially. After receiving the encrypted data block TK1 the interaction branches into the scheme as described in Figure 6.
Once the reader RD has responded with the encrypted data block TK1 as depicted in Figure 5, the device DEV retrieves a key Kx from the key database KDB and uses this to decrypt the encrypted data block TK1. The device DEV tries one key after the other until the correct key is found, and the device DEV presents the correct data set DSxenc (DSx) to the reader RD as described in more detail in Figure 4.
In the description of the Figures 3 - 6 it is assumed that the different applications, i.e. the encrypted data sets DS1enc..DSnenc and the corresponding keys K1..Kn, are already stored in the device DEV. However, it may also occur that the applications are only registered with the device DEV. In that case the (encrypted) data sets DS1enc..DSnenc are not stored directly in the device DEV, but are for example stored in a server SER, from where one of the encrypted data sets DS1enc..DSnenc can be downloaded as described for example in Figures 1 and 2 if it is needed by the device DEV. After being downloaded the downloaded data set DSxenc is stored in the device DEV and can then be presented by the device DEV to a remote device RD. In the case where the device DEV is a (mobile) phone it is then possible that the device DEV retrieves a data set associated with a specific application from the remote database CDB of the registered applications (tags). The data set is then loaded into the operation memory of the NFC Hardware. Now the interaction can continue in the standard mode of operation, since the device DEV is emulating just one tag TRA.
It is not essential that the keys K1..Kn are tried in the order in which they are stored in the second memory MEM2. It is also possible that the keys K1..Kn have different weights depending on how often they are used, thereby reducing the search time. Here the search is started with the key Kx that has the biggest chance of being the right one. It is also imaginable that a key different from a key Kx for decrypting an associated encrypted data set DSx is used for choosing the proper application. So each encrypted data set DSx is associated with two keys: one for decryption and one which is identical with a reader key Krd.
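The Figure 4 selection loop together with the usage-weighted key order described above, as an added example that is not part of the patent text. The patent names no cipher, so a 4-round Feistel permutation built from HMAC-SHA256 stands in for ENC/DEC here; the class names, application names and keys are constructed for illustration.

```python
import hashlib
import hmac
import secrets

BLOCK = 16          # size of the exchange information R in bytes
HALF = BLOCK // 2


def _prf(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: HMAC-SHA256 truncated to half a block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for ENC: 4-round Feistel permutation on one 16-byte block."""
    left, right = block[:HALF], block[HALF:]
    for rnd in range(4):
        left, right = right, _xor(left, _prf(key, rnd, right))
    return left + right


def decrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for DEC: the same rounds undone in reverse order."""
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _prf(key, rnd, left)), left
    return left + right


class Reader:
    """Remote device RD holding a single key Krd."""

    def __init__(self, krd: bytes):
        self._krd = krd

    def respond(self, r: bytes) -> bytes:
        return encrypt(self._krd, r)            # steps 3 and 4: Renc'


class Device:
    """Device DEV with a key database (K1..Kn) and per-key usage weights."""

    def __init__(self, keys: dict):
        self._keys = dict(keys)                 # application name -> Kx
        self.uses = {name: 0 for name in keys}  # weight = successful selections

    def select(self, reader: Reader):
        """Return (application name, keys tried), or (None, n) if no key fits."""
        r = secrets.token_bytes(BLOCK)          # step 1: random number R
        r_enc = reader.respond(r)               # step 2 and the reader's reply
        # Most-used key first; sorted() is stable, so ties keep stored order.
        order = sorted(self._keys, key=lambda name: -self.uses[name])
        for tried, name in enumerate(order, start=1):
            r_prime = decrypt(self._keys[name], r_enc)      # step 5
            if hmac.compare_digest(r_prime, r):             # step 6, constant time
                self.uses[name] += 1
                return name, tried
        return None, len(order)


def demo():
    # Constructed keys and application names, for illustration only.
    keys = {name: secrets.token_bytes(16)
            for name in ("transport", "cinema", "company-id")}
    dev = Device(keys)
    cinema = Reader(keys["cinema"])
    first = dev.select(cinema)                  # found on the second key tried
    second = dev.select(cinema)                 # its weight now puts it first
    unknown = dev.select(Reader(secrets.token_bytes(16)))
    return first, second, unknown


if __name__ == "__main__":
    print(demo())
```

Each call to `select` involves exactly one R and one Renc' on the air interface; every further key trial is local to the device, which is the advantage the description claims for this variant.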
It is further not necessary for symmetrical encryption to be used. It is also imaginable that asymmetric encryption using a public and a private key is used.
It should also be noted that the encrypt/decrypt module ENC/DEC, the random number generator RAND as well as the comparator COMP are not necessarily part of the NFC interface INT. However, the arrangement shown is preferred since the NFC interface INT as a whole is assumed to be tamper resistant or at least more tamper resistant than the remaining part of the device DEV.
It should further be mentioned that the invention is not limited to smart card applications. Rather any device where encrypted data has to be decrypted is suitable, in particular adapted PCs having a secure second memory. It is not necessary either for the device DEV to communicate with a reader RD. It is imaginable that communication takes place between two similar devices DEV (e.g. two NFC compatible mobile phones). One application could be the exchange of (digital) money between two phones each with an encrypted account.
The method as described with reference to Figures 4 and 6 is the most advantageous variant of a method according to the invention, since it uses the standard authentication procedure for RFID tags as described in Figure 5. Furthermore, as already described, this embodiment needs only little communication between the remote device RD and the device DEV, so that said variant of the inventive method is fast and reliable.
However, as already described with reference to Figure 3, in principle other embodiments of the invention are also possible and may be of advantage in certain specific situations.
In the following a short overview of the possible embodiments of the method according to the invention is given:
Figure 7 depicts schematically the method as already shown in Figure 3: The device DEV creates a random number R, encrypts this random number R with one key Kx of the keys K1..Kn stored in the device DEV and sends the encrypted random number Renc to the reader RD. The reader RD decrypts the number Renc with the reader key Krd stored in the reader RD (the reader key Krd is identical to one of the keys K1..Kn stored in the device DEV). This decrypted reader number Rrd is sent back to the device DEV, where the original random number R and the reader number Rrd are compared to identify the correct application.
Figure 8 shows schematically the method of Figures 4 and 6, where the random number R generated by the device DEV is sent to the reader RD. The reader RD encrypts the random number R with the reader key Krd to an encrypted reader number Renc' and sends this number Renc' back to the device DEV. The device DEV decrypts this encrypted number Renc' with one key Kx of the keys K1..Kn stored in the device DEV and compares the resulting number R' with the original random number R. This process of decrypting the encrypted number Renc' with keys K1..Kn stored in the device DEV is repeated until the correct application is found.
In a further embodiment according to Figure 9 the exchange information, i.e. usually a random number R, is generated by the reader RD. The random number R is sent to the device DEV, where it is encrypted with one key Kx of the keys K1..Kn to an encrypted number Renc. This number Renc is sent back to the reader RD where it is decrypted by means of a reader key Krd. The resulting number R' is compared with the original random number R. If the original random number R and the decrypted number R' are identical, the correct key/the correct application is found. If the comparison is not true, the device DEV encrypts the random number R with another key and sends it to the reader RD etc. In this case the reader RD can send the random number R to the device DEV so that the device DEV can detect that a further encryption is necessary, or certain specific information is sent to the device DEV.
As described the comparison will take place in the reader RD. However, in principle it could also be possible to transmit the number Rrd from the reader RD to the device DEV, which then compares the two random numbers R, Rrd.
A further embodiment is shown in Figure 10. Here the reader RD generates a random number R, encrypts the random number R with the reader key Krd and sends the encrypted number Renc' to the device DEV. The device DEV decrypts the encrypted number Renc' by means of one key Kx of the keys K1..Kn.
The resulting number R' is compared with the original random number R, preferably as depicted in the reader RD. However, it is also possible that the reader RD further sends the original random number R to the device DEV, so that the comparison may take place in the device DEV.
Finally, it should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be capable of designing many alternative embodiments without departing from the scope of the invention as defined by the appended claims. In particular it is noted that although choosing a data set is primarily related to encrypted data sets in the claims and figures this is not regarded as mandatory for the invention. Rather the invention is also related to choosing one of a multitude of unencrypted data sets. In the claims, any reference signs placed in parentheses shall not be construed as limiting the claims. The words "comprising" and "comprises", and the like, do not exclude the presence of elements or steps other than those listed in any claim or the specification as a whole. The singular reference of an element does not exclude the plural reference of such elements and vice versa. In a device claim enumerating several means, several of these means may be embodied by one and the same item of hardware or software. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.

Claims

1. A method of choosing one of a multitude of data sets (DS1enc..DSnenc) being registered with a device (DEV), wherein after being chosen the one data set (DSxenc) is presented to a remote device (RD) by the device (DEV), and wherein each data set (DS1enc..DSnenc) is associated with a specific key (K1..Kn), the method comprising the following steps of:
a) encrypting exchange information (R)
a1) in the device (DEV) using one key (Kx) of the keys (K1..Kn) associated with a data set (DS1enc..DSnenc) and sending encrypted exchange information (Renc) to the remote device (RD), or
a2) in the remote device (RD) using a key (Krd) stored in the remote device (RD) and sending encrypted exchange information (Renc') to the device (DEV),
b) decrypting the encrypted exchange information (Renc, Renc')
b1) in the remote device (RD) using the one key (Krd) stored in the remote device (RD) when following step a1), or
b2) in the device (DEV) using one key (Kx) of the keys (K1..Kn) associated with a data set (DS1enc..DSnenc) when following step a2),
c) comparing the exchange information (R) with the exchange information (Rrd, R') decrypted in accordance with step b), and
d) presenting a data set (DSxenc) to the remote device (RD) by the device (DEV) if the result of the comparison is true or, if said comparison is false, performing steps a) - d) using a key associated with a further data set in step a1) or in step b2).
2. A method as claimed in claim 1, wherein the following steps are performed by the device (DEV):
- generating exchange information (R),
- encrypting said exchange information (R) according to step a1),
- receiving decrypted exchange information (Rrd) from said remote device (RD),
- comparing the exchange information (R) according to step c), and
- presenting a data set (DSxenc) to the remote device (RD) if the result of the comparison is true or, if said comparison is false, restarting with the generating or encrypting step using a key associated with a further data set in step a1).
3. A method as claimed in claim 1, wherein the following steps are performed by the device (DEV):
- generating exchange information (R) and transmitting it to the remote device (RD),
- receiving encrypted exchange information (Renc') from said remote device (RD),
- decrypting said encrypted exchange information (Renc') according to step b2),
- comparing the exchange information (R) according to step c), and
- presenting a data set (DSxenc) to the remote device (RD) if the result of the comparison is true or, if said comparison is false, restarting with the generating or decrypting step using a key associated with a further data set in step b2).
4. A method as claimed in one of the claims 1 to 3, wherein the exchange information (R) is a random number (R).
5. A method as claimed in claim 1, wherein the data sets (DS1enc..DSnenc) are stored in encrypted form in a first memory (MEM1) in the device (DEV), the chosen encrypted data set (DSxenc) according to step d) being decrypted with the associated key (Kx), the decrypted data set (DSx) being stored in a more tamper-resistant second memory (MEM2) in the device (DEV).
6. A device (DEV) for presenting one of a multitude of data sets (DS1enc..DSnenc) being registered with the device (DEV) to a remote device (RD), wherein each data set (DS1enc..DSnenc) is associated with a specific key (K1..Kn), and wherein the device (DEV) comprises means for encrypting exchange information (R) with one key (Kx) of the keys (K1..Kn) associated with a data set (DS1enc..DSnenc), means for transmitting encrypted exchange information (Renc) to a remote device (RD), means for receiving decrypted exchange information (Rrd) from said remote device (RD), means for comparing the exchange information (R) with the decrypted exchange information (Rrd), and means for choosing the one data set (DSx) interacting with the comparing means.
7. A device (DEV) for presenting one of a multitude of data sets (DS1enc..DSnenc) being registered with the device (DEV) to a remote device (RD), wherein each data set (DS1enc..DSnenc) is associated with a specific key (K1..Kn), and wherein the device (DEV) comprises means for generating exchange information (R), means for transmitting the exchange information (R) to the remote device (RD), means for receiving encrypted data (Renc') from said remote device (RD), means for decrypting said encrypted information (Rrd) with one key (Kx) of the keys (K1..Kn) associated with a data set (DS1enc..DSnenc), means for comparing the exchange information (R) with the decrypted exchange information (R'), and means for choosing the one data set (DSx) interacting with the comparing means.
8. A device (DEV) as claimed in claim 6 or 7, wherein the device (DEV) comprises:
- a first memory (MEM1),
- a more tamper-resistant second memory (MEM2),
- means for reading encrypted data (DATenc; DS1enc..DSnenc) from the first memory (MEM1),
- means for decrypting (ENC/DEC) encrypted data (DATenc; DS1enc..DSnenc) with an associated key (K; K1..Kn), and
- means for storing decrypted data (DAT; D1..Dn) in the second memory (MEM2).
9. A device (DEV) as claimed in claim 8, wherein said second memory (MEM2) and/or said decrypting means (ENC/DEC) are part of an NFC interface (INT).
10. A device (DEV) as claimed in claim 8, wherein the first memory (MEM1) is additionally arranged for storing functions for operating said device (DEV).
11. A device (DEV) as claimed in claim 8, wherein said second memory (MEM2) is arranged for storing said key (K).
12. A remote device (RD) provided for communication with a device (DEV), which device (DEV) is arranged for presenting one of a multitude of data sets (DS1enc..DSnenc) being registered with the device (DEV) to said remote device (RD), comprising means for generating exchange information (R), means for transmitting the exchange information (R) to the device (DEV), means for receiving encrypted data (Renc) from said device (DEV), means for decrypting said encrypted information (Renc) with a key (Krd) stored in the remote device (RD), means for comparing the exchange information (R) with the decrypted exchange information (Rrd), and means for sending the result of the comparing means to the device (DEV).
13. A remote device (RD) provided for communication with a device (DEV), which device (DEV) is arranged for presenting one of a multitude of data sets (DS1enc..DSnenc) being registered with the device (DEV) to said remote device (RD), comprising means for encrypting exchange information (R) with a key (Krd) stored in the remote device (RD), means for transmitting encrypted exchange information (Renc') to the device (DEV), means for receiving decrypted exchange information (R') from said device (DEV), means for comparing the exchange information (R) with the decrypted exchange information (R'), and means for sending the result of the comparing means to the device (DEV).
EP05752103A 2004-06-30 2005-06-23 Method of choosing one of a multitude of data sets being registered with a device and corresponding device Withdrawn EP1763936A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP05752103A EP1763936A1 (en) 2004-06-30 2005-06-23 Method of choosing one of a multitude of data sets being registered with a device and corresponding device

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
GB0414648A GB0414648D0 (en) 2004-06-30 2004-06-30 Multi-application communication device
EP04106893 2004-12-22
EP05752103A EP1763936A1 (en) 2004-06-30 2005-06-23 Method of choosing one of a multitude of data sets being registered with a device and corresponding device
PCT/IB2005/052066 WO2006003562A1 (en) 2004-06-30 2005-06-23 Method of choosing one of a multitude of data sets being registered with a device and corresponding device

Publications (1)

Publication Number Publication Date
EP1763936A1 (en) 2007-03-21

Family

ID=34971136

Family Applications (1)

Application Number Title Priority Date Filing Date
EP05752103A Withdrawn EP1763936A1 (en) 2004-06-30 2005-06-23 Method of choosing one of a multitude of data sets being registered with a device and corresponding device

Country Status (4)

Country Link
EP (1) EP1763936A1 (en)
JP (1) JP2008504788A (en)
KR (1) KR20070030231A (en)
WO (1) WO2006003562A1 (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102006037473A1 (en) * 2006-08-10 2008-02-14 Giesecke & Devrient Gmbh Initialization process for security token function involves creating virtual security token in secure region of host system
DE102007006384A1 (en) * 2007-02-08 2008-08-14 Smartmachine International Holding Gmbh A method and apparatus for storing secure information required for near field communication on a communication device
JP5289460B2 (en) 2007-11-30 2013-09-11 サムスン エレクトロニクス カンパニー リミテッド System and method for secure communication in a near field communication network
ES2400934T3 (en) 2008-05-26 2013-04-15 Nxp B.V. Reader and transponder to hide applications supported by a reader and / or transponder, and corresponding procedure
US20100153721A1 (en) * 2008-12-12 2010-06-17 Anders Mellqvist Portable Electronic Devices, Systems, Methods and Computer Program Products for Accessing Remote Secure Elements
CA2761889A1 (en) * 2009-05-13 2010-11-18 Eric Myron Smith System and method for securely identifying and authenticating devices in a symmetric encryption system
JP2013179453A (en) * 2012-02-28 2013-09-09 Nippon Telegr & Teleph Corp <Ntt> Computer system and computing method
WO2013138867A1 (en) * 2012-03-22 2013-09-26 Secure Nfc Pty. Ltd. Secure nfc apparatus and method
CN104217230B (en) * 2014-08-29 2017-03-15 公安部交通管理科学研究所 The safety certifying method of hiding ultrahigh frequency electronic tag identifier

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19838628A1 (en) * 1998-08-26 2000-03-02 Ibm Extended smart card communication architecture and method for communication between smart card application and data carrier
TW545023B (en) * 1999-12-10 2003-08-01 Koninkl Philips Electronics Nv Synchronization of session keys
US6832314B1 (en) * 1999-12-15 2004-12-14 Ericsson, Inc. Methods and apparatus for selective encryption and decryption of point to multi-point messages
WO2001093212A2 (en) * 2000-05-30 2001-12-06 Pointsec Mobile Technologies, Inc. Apparatus and methods for using a virtual smart card

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO2006003562A1 *

Also Published As

Publication number Publication date
JP2008504788A (en) 2008-02-14
KR20070030231A (en) 2007-03-15
WO2006003562A1 (en) 2006-01-12

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20070130

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU MC NL PL PT RO SE SI SK TR

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN WITHDRAWN

18W Application withdrawn

Effective date: 20070328