FR2745965A1 - Transmitter authentication method e.g. for IR remote control applications - Google Patents

Abstract

The method involves a transmitter (A) sending a value from a counter and an authentication code (CMPn) which is derived from the counter value to a receiver (B). A secret key can be used to encrypt the counter value to produce the authentication code. The counter value is incremented for each communication before it is transmitted to the receiver. The receiver verifies the authenticity of the code received by checking that the received counter value is greater than the value received for the previous communication.

Description

METHOD FOR AUTHENTICATING A TRANSMITTER DURING A
ONE WAY COMMUNICATION
The present invention relates to a method allowing a circuit B receiving an ORD command from a circuit A, to verify, before executing this ORD command, that the circuit A is authorized to send this command.

 More particularly, the present invention relates to such a method applicable to the case where circuit A and circuit B can only communicate in the direction from A to B.

 Numerous applications are known where communication between two circuits is only possible in one direction. This is the case in particular for remote controls using an infrared beam of light or a radio wave, and certain types of smart card such as audio cards, intended to dial on a telephone line an access number to a reserved service.

 Very often, a degree of security is desirable in order to prevent a fraudster from discovering the particular coding of the ORD order sent by the transmitter A. For example, in the case of an audiocard, a person could put on listen to the telephone line and find out the number to dial to access the reserved service. In the case of a remote control, for example a remote control controlling the opening of the doors of a vehicle, a person could record by means of a sensor the binary code sent by the remote control, in order to reproduce it.

 To avoid this kind of fraud, a means is therefore sought of allowing a receiver B to verify the authenticity of a transmitter A before executing the received ORD order, even if this ORD order is in itself correct in this respect. which concerns its coding.

 We already know so-called rolling code or "rolling code" processes, applicable to one-way communications. According to these methods, the transmitter A authenticates with the receiver B for each new communication by sending it a code Xn of the form Xn = G (Xn1) calculated by means of a mathematical function G and from the code Xn 1 used in the previous communication. Receiver B, which has stored the previous code Xn 1 in memory, checks the validity of the code Xn by means of function G before authorizing the new transaction or executing an order received.

A disadvantage of these methods is that they require perfect synchronization between transmitter A and the receiver
B. Indeed, if at a given time the code Xn sent by the transmitter A is not received by the receiver B, A and B are no longer synchronized, the transmitter A sending the code Xn + while B is waiting for the Xn code. Rolling code processes are therefore inapplicable to remote control systems, where the signal sent by the transmitter is not always received the first time by the receiver.

 In addition, the mathematical function G must be of great complexity to resist possible fraudsters and its calculation requires the intervention of a microprocessor.

However, for low cost applications and large production volume such as remote controls, audio cards, as well as others, it is desired to use wired logic chips, with a cost price much lower than that of microprocessor chips.

 Thus, an objective of the present invention is to provide an authentication method applicable to a one-way communication and not requiring synchronization between the transmitter and the receiver.

 Another objective of the present invention is to provide an authentication method which can be applied both to microprocessor chips and to wired logic chips.

 These objectives are achieved by a method of authenticating a transmitter by a receiver, in which, with each new communication, the transmitter sends to the receiver a value of a counter and an authentication code developed at least from of the value of the counter, modifies the value of the counter according to a predetermined direction of modification, the receiver checks the validity of the authentication code sent by the transmitter and verifies that the value of the counter received is different, according to the direction of modification, of a counter value received during a previous communication.

 The counter value can be always increased with each communication, or always decreased. In the first case, the receiver verifies that the value of the counter received is strictly greater than the value received during the previous communication. In the second case, that the value received is strictly lower than the value received during the previous communication.

 Preferably, the value of the counter is modified by the transmitter before being sent to the receiver.

 Advantageously, the authentication code is developed by means of secret key authentication.

These means used in the prior art for authentication of smart cards can be produced both in the form of software and by wired logic, so that the method of the invention can be implemented with any type of microcircuit, microprocessor or wired logic.

 Advantageously, the counter is organized into lines of increasing weight comprising bits of the same weight, the modification of the value of the counter comprising the step consisting in reading the counter bit by bit from the lines of least weight and changing the value of the first bit encountered whose value is equal to an initial programming value.

These characteristics, advantages as well as others of the present invention will be described in more detail in the following description of the method of the invention and of two examples of application of the method of the invention, in relation to the attached figures among which
FIG. 1 very schematically represents in the form of blocks the functions necessary for implementing the method of the invention,
FIG. 2 represents a first example of application of the method of the invention to a remote control system comprising a wired logic transmitter and a microprocessor receiver,
FIG. 3 represents the content of a memory present in the transmitter of FIG. 2,
FIGS. 4A to 4E represent, at various stages of the method of the invention, the content of a counter present in the transmitter of FIG. 2, and
- Figure 5 shows a second example of application of the method of the invention to an audiocard.

 FIG. 1 very schematically represents the functional elements to be provided in a circuit A and a circuit B for implementing the method of the invention.

It will be recalled that the purpose of the method of the invention is to allow the verification by circuit B of the authenticity of circuit A, and that this verification must be possible in the case where the data communication between A and B cannot be do that in the direction from A to B,
A being a transmitter and B a receiver.

According to the invention, circuit A is equipped with a counter 1 and an authentication function F represented by a block 2, these elements being able to be hardware or entirely software. Circuit B is also equipped with the authentication function F, represented by a block 3, and with a memory 4. The function
F is a cryptographic function of any known type, making it possible to produce an authentication code CA from an entry code CE, CA can be written
CA = F (CE)
The method according to the invention intervenes with each new communication between A and B, and comprises the following steps
(1) circuit A modifies the value of its counter 1, which will be designated CMPnî. The modification is made according to an invariable direction of modification determined by convention and chosen once and for all. Circuit A can for example always increment counter 1 by one unit at each communication, or always decrement it. The new value of counter 1 is designated CMPn.

(2) circuit A sends to circuit B the content of counter 1, i.e. the value CAMP ,,
(3) the circuit A develops, by means of the function F and an entry code CE comprising at least the value CAMP, of the counter 1, an authentication code CA of the form
CA = F (CMPn) and sends this CA code to circuit B,
(4) circuit B generates, by means of the function F and from the value received CMPn, an authentication code
CA 'of the form
CA '= F (CMPn)
(5) circuit B compares CA to CA ',
(6) circuit B compares the value of the counter received CMPn with the value CAMP, ~ 1 1 received during the previous call, recorded in its memory 4,
(7) finally, circuit B records the new value CMPn of counter 1 in its memory 4, for example in place of CMP1.

According to the invention, circuit A is considered authentic by circuit B at the end of steps (5) and (6)
If - the authentication codes CA and CA 'are identical, and if - the value CMPn of the counter 1 received is different, depending on the direction of modification imposed, from the value CAMP, ~ 1 1 received during the previous communication. In other words, circuit B verifies that the value CMPn is strictly greater than CMPn l in the case where one chooses to increment the counter 1 at each new communication, or strictly less than CMPn l if one chooses decrement counter 1 with each new communication.

 Thus, the security offered by the method of the invention is based on a double mechanism. On the one hand, the verification of the validity of the authentication code CA makes it possible to ensure that the issuer A indeed has the authentication function F. On the other hand, the fact of imposing a CAMP value, without constantly increasing or constantly decreasing as input code CE of the authentication function F makes it possible to guarantee a permanent renewal of the authentication code CA and to avoid any risk of fraud by imitation of the code CA.

The method of the invention also has the advantage of not requiring synchronization between A and B. Indeed, if after one or more missed communications between A and B circuit B has in its memory 3 a CAMP count value , ~ 1 1 having a delay of several increments (or several decrements) relative to the value CMPn present in the counter 1 of circuit A, circuit B can still recognize the authenticity of circuit A since it simply verifies that the value received
CMPn is strictly greater than CMPn 1 (or strictly less, depending on the direction of modification chosen).

However, if this could be of interest in certain applications, one could impose synchronization between A and B by requiring that the difference between two counter values CMP1, CMPn received successively by circuit B is strictly equal to a single increment
(or just one decrement).

 On the other hand, the step (1) of modification of the counter 1 could be carried out after the step (3) of sending the contents of the counter, on the condition of providing for an offset when the system is put into service. at least one increment between the initial value present in memory 4 and the initial value of counter 1, so that A can be recognized by B at the first communication.

 The general characteristics of the process according to the invention having been described, we will now focus on its practical implementation. As indicated in the preamble, it is particularly desired to apply the method of the invention to wired logic microcircuits.

Thus, and this is an aspect of the present invention, it is proposed to produce the authentication code CA by means of a secret key authentication circuit Ks of the type used in the prior art for authenticating cards. with memory. In their classic application, the secret key authentication circuits are integrated into the chips of the memory cards and have the function of transforming a random or random word ALEXT sent by a terminal into an authentication code CA. The operation of authentication circuits with secret key Ks is generally based on successive operations of reading a memory not accessible from the outside, in which a plurality of binary words representing the secret key Ks is stored. This operation can moreover be simulated by software, so that you have the choice between a hardware implementation (wired logic) or a software implementation
(microprocessor) authentication functions FKs with secret key Ks. Examples of embodiments are given in French patents FR 92 13913 and FR 89 09734, as well as in French patent application FR 95 12176 in the name of the applicant an authentication circuit very resistant to fraud is proposed.

 FIG. 2 represents an application of the method of the invention to a remote control system comprising a transmitter microcircuit 10 with wired logic and a receiver circuit 20 with microprocessor.

 The microcircuit 10 comprises a counter 11, an authentication circuit 12 with secret key Ks, an infrared light-emitting diode 13 and a control circuit 14 for the diode 13. A wired sequencer 15 controls the operation of the assembly. An external switch 16 actuatable by a user makes it possible to put the microcircuit 10 under tension, the switch 16 being for example connected to an electric battery 17. The authentication circuit 12 is controlled by a clock signal H delivered by the sequencer 15, and has a serial input 12-1 for receiving a CE entry code and a serial output 12-2 for delivering an authentication code CA of the form FKS (CE). Conventionally, the secret key Ks is stored in a memory area 12-3 not accessible from the outside.

 The counter 11 is here a zone 11 of a memory 18 of electrically erasable and programmable EEPROM type.

This memory area 11 has a structure in rows and columns that can be seen in FIGS. 4A to 4E described below, and is accessible bit by bit in read and write mode via a decoder 18-1 of rows and a decoder 18-2 of columns controlled by the sequencer 15.

 The receiver 20 comprises a microprocessor 21, a program memory 22 of ROM type, a non-volatile data memory 23 of saved RAM type or of EEPROM type, an infrared detector 24 and a circuit 25 for shaping the signals received by the detector 24. The program memory 22 contains instructions PGR for operating the microprocessor 21 and a program PFKS for simulating the authentication circuit 12 of the transmitter 10, making it possible to calculate the authentication function FKS.

When the switch 16 is closed, the sequencer 15 performs the tasks for which it has been wired. The sequencer 15 first of all modifies the value
CAMP, ~ 1 l of counter 11, in a manner which will be described in detail below. The new counter value is CMPn.

Then, the sequencer 15 switches the output of the memory 18 to the circuit 14 for controlling the diode 13 as well as to the input 12-1 of the authentication circuit 12, and triggers the bit-by-bit reading of the counter 11 (c that is to say of the memory area 18 used as counter 11), while sending clock signals H to the authentication circuit 12. The content CMPn of counter 11 is therefore sent to receiver 20 in the form of infrared light and simultaneously absorbed by the authentication circuit 12 as the CE entry code. When this operation is finished, the sequencer 15 continues to activate the authentication circuit 12 and switches its output 12-2 to the circuit 14. The authentication circuit 12 delivers an authentication code CA of the form
CA = FKS (CMPfl) which is sent to the receiver 20 in the form of infrared light.

In the receiver 20, the microprocessor 21 reads the value CMPn and the code CA at the output of the circuit 25 and stores them in the memory 23 which already contains the value
CAMP, ~ 1 1 received on the previous call. In accordance with the invention, the microprocessor 21 calculates a code CA 'from CMPn, verifies that the code CA received is identical to
CA 'calculated, and that the value CMPn is higher, or lower, depending on the chosen convention, than CMP1. If the two conditions are met, the microprocessor 20 sends a validation signal VAL which can be used for various purposes, for example for opening the doors of an automobile, turning off or on a power system. alarm, etc.

 In a remote control system of the "door opening" type, it is not necessary to send to the receiver 20 information other than the authentication data (CMP ,, FKs (CMP,)) Indeed, this data alone represent an ORD order insofar as they lead to recognition of the authenticity of the transmitter 10. However, in a multiple order remote control system (for example a remote control of a complex system such as a television) it may be necessary to send to the receiver one (or more) ORDy code chosen from a plurality of possible ORD1, ORD2, ORD3 codes, representing the particular order to be executed. The ORDy code can be sent separately after the authentication data, but it is advantageous to use ORDy as authentication data, so as to increase the complexity of the CA authentication code and make the remote control system even more resistant to fraud.

In practice, this consists of chaining the ORDy code to the CAMP value, at the input of circuit 12 and producing an authentication code CA of the type
CA = FKS (CAMP ,, ORDy)
The data sent being then
(CMP ,, ORDy, CA)
The microprocessor 20 first of all uses the ORDy code as an authentication datum allowing it to verify the received CA code, then when the authentication is complete, "interprets" the ORDy code to carry out the operation requested by the transmitter 10.

On the other hand, it is conceivable that the receiver 20 should respond to different transmitters 10 each having their secret key Ks. This is particularly the case when the receiver 20 is made available to several users in a public place. In this case, the receiver 20 does not know the secret key Ks of the transmitter 10 and determines it from an identification number NI of the transmitter according to the following relationship
Ks = FKp (NI)
FKp being a secret key transformation function Kp installed in the receiver 20. In this case, the identification number NI of the transmitter 10 is stored in the memory 18, as shown in FIG. 3, and is incorporated in the message sent by the transmitter 10 which is of the form
(NI, CMPn, CA}
The authentication code CA can be produced from the value CMPn of the counter 11, as described above, or from an entry code CE formed by chaining of NI and CMP, which makes it possible to increase the interference. . The code
CA is then of the form
CA = FKs (NI, CMPn)
In addition, if a particular ORDy order must be issued, this ORDy order can be chained, as previously proposed, to the other data forming the CE entry code, the authentication code CA then being of the form
CA = FKs (NI, CMPn, ORDy) and the message sent in the form
(NI, CMPn, ORDy, CA}
We will now describe, by way of example, an embodiment of the counter 11. The method of the invention requiring an evolution of the value of the counter 11 with each communication, always in the same direction, it is necessary that the capacity of the counter 11 is sufficient to count communications during the entire lifetime of the transmitter 10. For example, a counter 11 which can count from 0 to 36000 would allow the transmitter to be used 10 times a day for 10 years. However, the counter 11 must be compact.

FIGS. 4A to 4E give an example of management of the area 11 of the memory 18 offering a large capacity for counting from a limited number of bits. The counter 11 comprises 6 lines L1, L2, L3, L4, L5, L6 of increasing weight each comprising 8 bits BO, B1, ... B7 of the same weight. At the start, all the bits B0-B7 of each line L1-L6 are programmed to an initial value, for example to "1" as shown in FIG. 4A. The modification of the value of the counter 11 with each new communication is carried out as follows. Sequencer 15 reads counter 11 bit by bit, starting with the least significant lines
L1, L2, ... until a bit equal to the initial programming value is found, ie here a bit at "1". When this bit is found, the sequencer 15 sets this bit to "0" and resets to "1" all the bits of all the least significant lines. For example, in FIG. 4B, the first bit at "1" encountered is the bit B0 / L2. The sequencer 15 sets this bit to "0" and sets all the bits of line L1 to "1", as shown in FIG. 4C. In FIG. 4D, the first bit at "1" encountered is the bit B3 / L3. The sequencer sets this bit to "O" and sets all the bits of lines L1 and L2 to "1" as shown in FIG. 4E.

 This mode of management of the counter 11 corresponds to a counting in base N + 1, N being the number of bits per line, that is to say a counting in base 9 since each line comprises 8 bits. Thus, in the example shown, 531440 modifications of the counter 11 are possible until all the bits are at "0".

 Other methods of managing the counter 11 can be envisaged. For example, the counting can be done in base 8. This counting consists in putting at "0" the first bit at "1" encountered, as described previously, and at setting at "1" all the bits except the first BO of all the lower weight lines. In this case, one can count up to 299592. Yet another mode of management consists in setting to "1" only the bits of the line of immediately lower weight. In the latter case, not all the possible logical states of the counter are used, but the operation of modifying the value of the counter is simplified.

 It will be noted that the operation of modifying the counter value 11 which has just been described according to several variants can be assimilated to an increment or a decrement according to the chosen convention. If by convention the bits at "0" are taken into account to determine the value of counter 11, the initial configuration of counter 11 shown in FIG. 4A corresponds to a zero value and the operation is an incrementation.

If, on the contrary, the bits at "1" are taken into account to determine the value of the counter 11, the initial configuration of FIG. 4A corresponds to the maximum value of the counter 11 and the operation described is a decrementation.

 In the foregoing, an example of application of the method of the invention to a remote control system has been described. It will be clear to those skilled in the art that the present invention can be the subject of numerous other applications and embodiments.

 By way of example, FIG. 5 illustrates an application of the method of the invention to an audio card of the synchronous type and represents the microcircuit 30 of such an audio card.

 The microcircuit 30 comprises, like the transmitter of FIG. 2, a memory 31 of EEPROM type, an authentication circuit 32 with secret key Ks performing the FKS function, and a wired sequencer 33. The microcircuit 30 here comprises pads of electrical connection, among which there is a block H for receiving a clock signal, a block RST for resetting the microcircuit to zero, a block OUT for sending data, and two blocks for electrical supply Vcc and GND.

According to the invention, the memory 31 includes data
TY, DA, NI and CPMn. TY data identifies the type of card, DA data represents the telephone number of an SVR telephone service to which the card provides access, NI data represents the identification number (or serial number) of the microcircuit 30, and finally CAMP, represents the value of the counter 11 already described.

When the audiocard is inserted into a terminal 40, the terminal 40 applies the clock signal H to the sequencer 33 and reads the TY data from the pad OUT. These data allow it to know that it is in the presence of an audiocard, and will determine its operation during the following sequences (it is assumed here that the terminal is versatile and can accept various types of cards)
Then, the terminal 40 again applies the clock signal H to read the DA data from the memory 31, from which it dials on a telephone line 41 the number of the remote service SVR to be called.

When the SVR service is reached, the terminal 40 closes a switch 42 so as to connect the output
OUT of microcircuit 30 to telephone line 41 and applies the clock signal to sequencer 33 until counter 11 is incremented and the following authentication data sent on line 41
(NI, CMPn, CA}
The CA authentication code can be developed from
CMPn or, better still, NI and CAMP, in order to increase the interference:
CA = FKS (NI, CMPn)
A variant making it possible to further increase the complexity of the authentication code CA consists in injecting into the circuit 32 all the data that may be in the memory 31, CA then being of the form
CA = FKS (TY, DA, NI, CMPn)
In this case, TY and DA should be incorporated into the authentication data sent on line 41
(TY, DA, NI, CMPn, CA}
At the other end of line 41, the authentication data is received by a control circuit 50 which blocks access to the SVR service.

In accordance with the method of the invention, the circuit 50 firstly determines the secret key Ks of the microcircuit 30 by means of the identification number NI received and its own secret key Kp, in the manner already described. Then, the circuit 50 checks the validity of the authentication code CA received, and finally ensures that the value
CMPn of the counter 11 sent by the microcircuit 30 is strictly different, depending on the direction of modification of the counter 11 chosen by convention, from the value CMPn-1 received on the previous communication. If these conditions are met, the circuit 50 closes a switch 51 which releases access to the SVR service.

Claims (10)

 1. Method of authenticating a transmitter  (A, 10.30) by a receiver (B, 20.50), characterized in that, with each new communication,  the transmitter (A, 10.30): - sends the value (CMPn) of a counter to the receiver  (1,11) and an authentication code (CA) developed at least from the value (CMPn) of said counter (1,11), - modifies the value (CMPn 1, CMPn) of the counter (1,11) according to a predetermined direction of modification,  the receiver (B, 20.50) - checks the validity of the authentication code (CA) sent by the transmitter and - checks that the value (CMPn) of the counter received is different, according to said direction of modification, from a value (CMPn 1) of the counter received during a previous communication.  2. Method according to claim 1, characterized in that the value of the counter (1.11) is always increased with each communication, the receiver (B, 20.50) verifying that the value (CMPn) of the received counter is strictly greater to the value (CMPn 1) received during the previous communication.  3. Method according to claim 1, characterized in that the value of the counter (1.11) is always reduced with each communication, the receiver (B, 20.50) verifying that the value (CMPn) of the received counter is strictly lower to the value (CMPn 1) received during the previous communication.  4. Method according to one of claims 1 to 3, characterized in that the value (CMPn 1) of the counter (1,11) is modified by the transmitter (A, 10,30) before being sent to the receiver (B, 20.50).  5. Method according to one of claims 1 to 4, characterized in that said authentication code (CA) is developed by means (12, 32) of authentication  (FKS) with secret key (Ks).  6. Method according to one of claims 1 to 5, characterized in that said counter (11) is organized in lines (L1-L6) of increasing weight comprising bits  (B0-B7) of the same weight, the modification of the value of the counter (11) comprising the step consisting in reading the counter (11) bit by bit from the lines (L1) of lower weight and changing the value of the first bit encountered (B0 / L2, B3 / L3) whose value is equal to an initial programming value ("1").  7. Method according to claim 6, characterized in that the modification of the value of the counter (11) further comprises the step of programming at said initial programming value ("1") the bits of at least one line less significant than the line comprising said first bit.  8. Method according to claim 6, characterized in that the modification of the value of the counter (11) further comprises the step of programming at the initial programming value ("1") the bits (B1-B7) except the first (B0) of all the least significant lines than the line comprising said first bit.  9. Remote control system comprising a transmitter (10) and a receiver (20) implementing the method according to one of claims 1 to 8.  10. Telephone communication system comprising an audiocard (30) and a circuit (50) for controlling access to a reserved service implementing the method according to one of claims 1 to 8.