TW447206B - Security protocols for end-to-end mobile users with double authentication - Google Patents

Publication number
TW447206B
Authority
TW
Taiwan
Prior art keywords
user
communication
key
password
authentication
Prior art date
Application number
TW88112414A
Other languages
Chinese (zh)
Inventor
Jen-Cheng Jang
Ming-Shiang Huang
Guo-Luen Chen
Original Assignee
Jang Jen Cheng
Huang Ming Shiang
Chen Guo Luen
Priority date
Filing date
Publication date
Application filed by Jang Jen Cheng, Huang Ming Shiang, Chen Guo Luen
Priority to TW88112414A
Application granted
Publication of TW447206B

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

In most of the protocols proposed so far, it has been assumed that the person using the mobile station is the registrant of the SIM card; in fact, the previous protocol for authentication and session key distribution is built upon this assumption. As a result, a mobile user can only verify the identity of the owner of the SIM card. That is, the mobile user learns only who registered the SIM card with which he is communicating. To make sure that the speaker at the other end is the rightful owner of the SIM card, the concept of a session password is introduced to construct an end-to-end security authentication protocol. In the proposed protocol, each mobile user can choose a session password. When two mobile users want to communicate with each other, either user can request a double authentication process. Only when both end users input the correct session passwords can the correct common session key be established.

Description

Background of the invention

With the rapid development of wireless communication, the issues surrounding it have been hotly discussed. To ensure that every user is charged fairly, and that resources and equipment cannot be misappropriated by intruders, the verification of user identity must be carried out reliably. Because of the nature of wireless communication, messages travel over the air, so ensuring that they cannot be captured by eavesdroppers is also an important issue. Encrypting a message before it is transmitted is the best option. Present-day cryptosystems fall into two classes: symmetric-key systems (also called secret-key systems) and asymmetric-key systems (also called public-key systems). Secret-key systems are simpler and more convenient to apply, but public-key systems offer higher security.

In GSM, the most widespread wireless communication system today, both identity authentication and data encryption use a secret-key system in order to reduce computational complexity. With advances in hardware, however, it has become feasible to use a public-key system for user authentication and for establishing the session key. In other words, user authentication and session key establishment are both based on a public-key system, while the secret communication between users is carried out under a secret-key system using the established session key.

Earlier research focused on the security of communication between the user and the base station. Because messages are transmitted over the air, they are easily captured by intruders. However, even if communication between the user and the base station is secured, communication between the two base stations is still insecure. Suppose user A is within range of base station A and user B is within range of base station B. If user A wants to send a message to user B, the message is encrypted by user A and sent to base station A; base station A decrypts it and sends it, unencrypted, to base station B, which encrypts it and sends it to user B. The message is therefore not protected while it travels between the two base stations.

To achieve end-to-end secure communication, Park proposed a security protocol in 1997. Its idea is to establish a common session key between the two users and to encrypt and decrypt the transmitted messages with that key. In the security protocols proposed so far, all the communication and authentication information a user needs is stored in the SIM card. For example, the user's public key and secret key, the public key of the certification authority, the certificate issued by the certification authority and the user's name (identity) are all stored in the SIM card. It is therefore generally assumed that the person using a SIM card is the user who registered it or someone that user has authorized to use it.

This is where the problem arises. If a SIM card is stolen, the thief can use it to impersonate the registered user and communicate with anyone. It is worth noting that a person's voice can be imitated. When the owner of the SIM card holds great power, for example a head of state, a company president or the commander of a military base, the damage caused can be very serious. By stealing the SIM card, a wrongdoer can impersonate its registrant, communicate freely with anyone and even issue orders to be carried out. Relying only on the information stored in the SIM card to authenticate the caller is therefore not enough.

The simplest way to ensure that a SIM card cannot be used by anyone other than its registrant is to add a password function to the SIM card. Before using the mobile phone, the user must enter a password, and the phone can be used only when the password is correct. However, intrusion into or damage to the hardware may disable the password function. Moreover, whether the password function is enabled is usually left to the user. The user at one end cannot require the user at the other end to enter a password in order to verify the caller's identity.

To verify the caller's identity effectively, we propose a new protocol. By building the concept of a session password into the protocol, the user at either end can require both parties to the call to perform double mutual authentication. When the content of the call is not important, the protocol operates like other protocols: each user confirms the caller's identity, as a first step, through the certificate issued by the certification authority. When the user at either end considers it necessary to confirm the identity of the caller at the other end further, that user can require both parties to carry out the double authentication procedure. In this procedure both users are asked to enter their session passwords. When the session passwords entered by both parties are correct, a new session key is generated for secret communication. When either party enters an incorrect password, the new session key cannot be generated.

Adding the session password to the protocol thus provides a further level of user authentication. The certificate issued by the certification authority and stored in the SIM card can be regarded as the first level of authentication of the user's identity, and the requirement to enter the session password as the second level.

Object of the invention

The main object of the invention is to provide a wireless communication security protocol with a double authentication function that effectively verifies the identity of the caller. It does so by incorporating a session password into the protocol that establishes the session key. Because the session password is known only to the registrant of the SIM card, that is, the legitimate user, a third party cannot learn it. Because the session password is not stored in the SIM card and is only memorized by the user, a third party who steals the user's SIM card still cannot imitate the user's voice and communicate with others under the user's identity.

Another main object of the invention is to provide a wireless communication security protocol with a double authentication function in which the user at either end can require both parties to carry out the double authentication procedure; that is, the procedure can be initiated by either end of the call. In the double authentication procedure, the callers at both ends must enter their correct session passwords before a new, correct session key can be established for secret communication.

Detailed description of the invention

Before formally presenting the proposed method, we first describe how certificates issued by a certification authority are used to authenticate users. In the protocol proposed in 1993 by Beller, Chang and Yacobi, a trusted certification authority (CA) exists in the system. The certification authority provides every participant in the system, including wireless users and base stations, with the certificate it needs. As part of its public-key certification service, the certification authority signs each user's certificate with its secret key, and any user can verify a certificate with the certification authority's public key. In simplified form, a certificate can be written as $Cert = (C, [h(C)]_s)$, where $h()$ is a one-way hash function and $[\ldots]_s$ denotes signing $[\ldots]$ with the certification authority's secret key. In most protocols, $C$ is a combination of several pieces of information about the user. For example, when a certificate is generated for a user, $C$ can contain the user's public key, the user's name and a timestamp, so that $C = (ID_{MS}, y_{MS}, date_{MS})$. To verify a certificate, the value of $C$ under the hash function is compared with the value obtained by verifying $[h(C)]_s$ with the certification authority's public key.

Many public-key digital signature schemes can be applied here, for example the Digital Signature Standard (DSS) published by the US National Bureau of Standards, or the signature scheme proposed by ElGamal. In short, many of the public-key signature schemes proposed to date can be used, and the system designer can choose the most suitable one according to need. The main purpose is to convince a user who receives another party's certificate, by verifying it with the certification authority's public key, that the information recorded in $C$ about the owner of the certificate is correct.

Taking the certificate-based authentication above as the first level of authentication, we propose a protocol with a second level of authentication. The wireless user has a secret key and a corresponding public key $y_{MS}$, computed modulo $N$. In the same way, the base station has a secret key and a public key $y_{BS}$, computed modulo $N$, and the certification authority has its own secret key and public key. When a wireless user registers a personal SIM card for communicating with others, the system asks the user to choose a session password for later use in double authentication. The chosen password need not be long; it is enough that the user can remember it. The certificates issued by the certification authority to the user and to the base station, $Cert_{MS}$ and $Cert_{BS}$, can therefore be written as:

$Cert_{MS} = (ID_{MS}, y_{MS}, y'_{MS}, date_{MS}, [h(ID_{MS}, y_{MS}, y'_{MS}, date_{MS})]_s)$

$Cert_{BS} = (ID_{BS}, y_{BS}, date_{BS}, [h(ID_{BS}, y_{BS}, date_{BS})]_s)$

Some of the parameters involved have the following properties. SPWD is the session password chosen by the user when registering the SIM card. Let $L = E(SPWD)$, where $E()$ is an expansion function that makes the length of $L$ equal to the length of the user's secret key. The bit-by-bit XOR (exclusive-OR) of $L$ with the user's secret key gives a second value, which can be regarded as the secret key used in double authentication; its corresponding public key is $y'_{MS}$, computed modulo $N$. Note that this second secret key is not stored in the SIM card; its value is computed on the fly when it is needed. The SIM card therefore stores only one secret key.

A certificate issued by the certification authority can be verified with the certification authority's public key. If verification shows the certificate to be legitimate, the information about the user recorded in it is correct. Building on the certificate verification described above, and similarly to the protocol proposed by Park, the following protocol can be established:

[Protocol 1]

1. The base station sends the user the message:

The user side can then compute the session key (mod N). The computation involves a random parameter chosen by the base station and a random parameter chosen by the user side. The base station's public key can be taken from the certificate $Cert_{BS}$ sent by the base station. The user side can also verify the certificate $Cert_{BS}$ supplied by the base station with the certification authority's public key.

2. The user side sends the base station the message:

Here $f(K, [ID_{MS}, ID_{BS}])$ denotes encrypting $[ID_{MS}, ID_{BS}]$ with $K$ as the encryption key. Its purpose is that once the base station has computed the session key, it can decrypt this value with the computed key and compare the result with the known user name $ID_{MS}$ and base station name $ID_{BS}$, to verify that the computed session key is correct. On receiving the message, the base station can verify the certificate supplied by the user and can also compute the session key (mod N).

3. The base station sends the user side the message: $f(K, [ID_{BS}, ID_{MS}])$

The purpose of this message is to let the user side, like the base station, verify that the session key it has computed is correct.

Through [Protocol 1], the base station and the user side can authenticate each other, and a common session key can be established. For anyone who tries to derive the secret keys from the messages exchanged between the base station and the user, the difficulty is equivalent to solving the discrete logarithm problem.

When a wireless user wishes to carry out the double authentication procedure, another protocol is needed as the basis for building an end-to-end secure communication protocol.

[Protocol 2]

1. The base station sends the user side the message:

The user side can then obtain a value (mod N). The base station's public key can be obtained from the certificate $Cert_{BS}$ sent by the base station, and the user side can also verify the legitimacy of that certificate with the certification authority's public key. At this point the user side is asked to enter its session password (SPWD) for the double authentication procedure. Once SPWD has been entered, the user side can compute $L = E(SPWD)$ and the second secret key, where the length of $L$ equals the length of the user's secret key.

2. The user side sends the base station the message:

Once the base station receives the user side's message requesting the double authentication procedure, it computes the session key (mod N). That is, the base station uses $y'_{MS}$ as the user's public key in the computation that yields the session key. The base station can also verify the certificate $Cert_{MS}$ presented by the user side with the certification authority's public key.

3. The base station sends the user side the message: $f(K, [ID_{BS}, ID_{MS}])$

The difference between [Protocol 1] and [Protocol 2] is that in [Protocol 2], when the base station receives the signal announcing the double authentication procedure, Double-Auth SIGNAL, it selects $y'_{MS}$ as the user's public key rather than $y_{MS}$. Only after the user has entered the session password correctly can the correct session key be established. The Double-Auth SIGNAL can be issued by the user at either end. So when a user wants to carry out the double authentication procedure, sending a signal that requests it notifies the user at the other end and the base stations between the two users.

With [Protocol 1] and [Protocol 2] as building blocks, a new end-to-end security protocol with double authentication can be established. To explain how it operates, we consider three cases separately. In the first case, the communication between the two users is ordinary conversation and the double authentication function does not need to be executed; the protocol then operates almost exactly like the one proposed by Park. In the second case, the content of the conversation is very important and the user at the calling end requests the double authentication procedure. In the third case, the user at the called end requests the double authentication procedure. In the double authentication procedure, the users at both ends are asked to enter their own session passwords (SPWD) to establish a new session key. If the session password entered by the user at either end is incorrect, the session key cannot be generated correctly. The operation of the proposed protocol in the three cases is as follows:

[General communication]

In this case the proposed protocol operates just as Park's does.

1. Authenticate user A: by executing [Protocol 1] between user A and base station A, user A and base station A can successfully authenticate each other. Base station A can also obtain the information needed to establish the session key.

2. Communication request: user A requests to communicate with user B. The certificate belonging to user A and the key-establishment information are then passed from base station A to base station B.

3. Call and authenticate user B: after base station B calls user B, base station B and user B authenticate each other according to [Protocol 1]. The information needed to establish the session key (mod N) can likewise be obtained by base station B.

4. Key exchange 1: base station B passes the certificate belonging to user A and the information needed to establish the session key to user B. From this information, user B can compute the session key (mod N), as well as the value $RES_B$ needed to verify that the session key is correct.

5. Key exchange 2: user B passes its message to base station B; base station B passes it, together with the certificate belonging to user B, to base station A. Base station A then forwards everything it has received to user A.

6. Key exchange 3: on receiving the message, user A can compute the session key (mod N) and verify it using $RES_B$. User A then computes $RES_A$ and passes it to user B, so that user B can likewise verify the session key it has obtained.

After the above procedure, a common session key can be used by user A and user B as the key for encrypting and decrypting the messages they exchange. Here $RES_A$ is the ciphertext obtained when user A encrypts the two users' IDs with the session key it has derived. In $RES_A$, user A's name is placed first and user B's name second, and the whole string is then encrypted. Its purpose is that when user B receives $RES_A$, user B can decrypt it with the session key that user B has computed. If the session keys obtained by user A and user B are the same, user B obtains the two users' names after decryption; comparing them with the user names already known tells user B whether the session key it has obtained is the same as the one obtained by user A.

$RES_B$ serves the same function. The only differences are that it is computed by user B, to let user A check whether the session key user A has obtained is the same as user B's, and that the encrypted content has user B's name first and user A's name second.

[Calling party requests the double authentication procedure]

In this part, the calling party requires both parties to the call to carry out the double authentication procedure.

1. Authenticate user A: by executing [Protocol 2] between user A and base station A, user A and base station A can successfully authenticate each other.

When base station A receives the Double_Auth SIGNAL sent by user A requesting the double authentication procedure, base station A can obtain the information required to establish the communication key, D//'尸容㈣+Ι;Λ| (mod N).

2. Communication request: User A requests to communicate with user B. The certificate belonging to user A and the Double_Auth SIGNAL are then passed from base station A to base station B.

3. Call and authenticate user B: After base station B calls user B, base station B and user B authenticate each other according to [Protocol 2]. At the same time, the information required to establish the communication key, (mod N), can also be obtained by base station B.

4. Key exchange_1: Base station B passes the certificate belonging to user A, the Double_Auth SIGNAL and the information required to establish the communication key to user B. On receiving the Double_Auth SIGNAL, user B can, from the information obtained, compute the communication key 严·(mod N) =(mod N), as well as the value required to verify the correctness of the communication key, RESB=f(Jc:t[ID叫,id。).

5. Key exchange_2: User B passes this to base station B; base station B then passes it, together with the certificate belonging to user B, to base station A. Base station A then passes all the received messages to user A.

6. Key exchange_3: After receiving the message, user A can compute the communication key 叫+心*产(mod N)=〆叫% (mod N), and uses RES_B to verify the communication key obtained. User A then computes RES_A (〃^^(^’【^^,仍^^) and passes it to user B, so that user B can likewise verify the communication key it obtained.

Following these steps, the common communication key is generated and used as the encryption and decryption key for the messages exchanged.

[Double authentication procedure requested by the called party]

To be certain of the other party's identity, the user at the called end should also have the right to require both parties to perform double authentication, especially when the caller chooses not to perform it. For example, when user A calls user B, user B may also want to confirm that the speaker really is the user recorded in the certificate held by user A. In this case, the protocol operates as follows:

1. Authenticate user A: By executing [Protocol 1] between user A and base station A, user A and base station A can successfully authenticate each other. At the same time, base station A can also obtain the information required to establish the communication key, … (mod N).

2. Communication request: User A requests to communicate with user B. The certificate belonging to user A and the accompanying information are then passed from base station A to base station B.

3. Call and authenticate user B: After base station B calls user B, base station B and user B authenticate each other according to [Protocol 2]. Once base station B receives the Double_Auth SIGNAL message sent by user B requesting double authentication, the information required to establish the communication key, = (mod N), can also be obtained by base station B.

4. Double authentication_1: In this step, base station B forwards user B's request for double authentication to base station A. Base station B passes the certificate held by user B, the information required to establish the communication key and the Double_Auth SIGNAL to base station A.

5. In this step, base station A notifies user A that user B has requested the double authentication procedure. Once base station A receives the signal requesting double authentication, it passes the certificate held by user B, the information required to establish the communication key and the Double_Auth SIGNAL to user A. After user A receives the double authentication signal, [Protocol 2] is executed between base station A and user A. User A is asked to enter his communication password, and the information required to establish the communication key, (mod N), can then also be obtained.

6. Key exchange_1: From the information received from base station A, user A can compute the communication key 产+Ά (mod N)=产% (mod N), as well as the RES_A required to verify the correctness of the communication key (財I = /況,).

7. Key exchange_2: User A passes this to base station B; base station B then passes it, together with the information required to establish the communication key, to user B.

8. Key exchange_3: After receiving the message, user B can compute the communication key (mod N)=产% (mod N), and uses the received value to verify the communication key obtained. User B then computes RES_B (Λ£5β=/(*:,⑽Ms,/Dws 】)) and passes it to user A, so that user A can likewise verify the communication key it obtained.

In the third step, if user B requests the double authentication procedure, the information originally computed by base station A (/>义) is discarded. After the third step, the protocol proceeds just like the procedure in which the caller requests double authentication; user B is simply regarded as the caller and user A as the called party.

With the operating procedures for the three situations described, the new end-to-end secure communication protocol is complete. In fact, the double authentication procedure can be initiated by the user at either end. Once it is initiated, [Protocol 2] is executed at each end, and a new communication key is established after the users at both ends have entered the correct communication passwords.

<Security analysis>

1. The certificates held by mobile users and base stations cannot be forged. Every participant's certificate contains a digital signature issued by the certification center. Without knowledge of the certification center's secret key, a certificate cannot be forged, and anyone who tries to derive that secret key from the certification center's public key must solve a problem as hard as the discrete logarithm problem.

2. Given the public key of a user or a base station, the corresponding secret key can be derived only by solving the discrete logarithm problem. Even if an intruder captures the information required to establish the communication key, such as /)//Α, the discrete logarithm problem must still be solved to obtain the secret value hidden in it.

3. Knowing the information required to establish the communication key that the two parties transmit, an intruder can combine it with the public keys of user A and user B to obtain the values 〆叫 and gw. The communication key g、% still cannot be obtained, however, unless the value of r心 or r% is known. In other words, unless the discrete logarithm problem can be solved efficiently, only their owners, user A and user B, can know the correct values of 〜 and rws.

4. According to the protocol presented earlier, the communication key is obtained from the formula <«‘产〜严=(>^产〜)%. If the communication password entered by user A is incorrect, the correct & cannot be computed. This means that when user B tries to derive the communication key from the formula using the public key corresponding to user A, the correct communication key < = cannot be obtained, because if the value obtained is incorrect, then KC^U (mod N). Likewise, when the communication password entered by user B is incorrect, the correct ‘, cannot be obtained, and when user A tries to compute the communication key using the public key corresponding to user B, the correct communication key cannot be produced.

Because only the legitimate owner of the SIM card knows the correct communication password, and the password is entered in real time when the call is made, a user can trust, once the communication key has been established correctly, that the party at the other end is the legitimate user recorded in the certificate.

The value of ^^ is computed in real time, after the user enters the communication password, together with the secret key stored in the SIM card. Therefore, to impersonate a user, an attacker must not only steal the SIM card the user owns but also force the user to reveal the communication password and imitate the user's voice before being able to talk to others in the user's name. Because the communication password is known only to the user, an attacker cannot impersonate the user without being noticed.

Claims (1)

1. An end-to-end secure communication protocol technique with a double authentication function, comprising the entry of a communication password and a method of establishing the corresponding new communication key, and involving three kinds of participants: users, base stations and a trusted certification center; characterized in that:

when registering the SIM card, a user may freely choose his own communication password, which is used in later double authentication procedures;

in the case of ordinary communication: the user needs only the information stored in the SIM card to perform the first level of identity authentication, and can then establish the communication key needed for the call, to serve as the encryption and decryption key for the messages exchanged;

in the case where the calling party requests the double authentication procedure: the signal sent by the calling party requesting the double authentication procedure notifies the user at the other end, that is, the called party, and the base stations between the two ends to carry out the double authentication procedure; the users at both ends are asked to enter the communication passwords they hold; only when the communication passwords of both parties are correct can the correct new communication key be generated;

in the case where the called party requests the double authentication procedure: even if the user at the calling end does not request the double authentication procedure, once the called end requests it, the users at both ends must still both enter the correct communication passwords before the correct new communication key can be established.

2. The end-to-end secure communication protocol technique with a double authentication function according to claim 1, which mainly uses the communication password SPWD chosen by the user, together with the secret key ;^ that the system selects, assigns to the user and records in the SIM card, to compute in real time another secret key 心., for use in double authentication; the other end can use the corresponding public key :^ = (mod N) to derive the communication key for the call; wherein only two public keys, —=dmod wf(mod w, and one secret key ^ are stored in the SIM card, and the other secret key is obtained by real-time computation.

3. The end-to-end secure communication protocol technique with a double authentication function according to claim 2, wherein the secret key recorded in the SIM card is combined with the communication password entered by the user to derive another secret key by real-time computation, as follows: the communication password SPWD entered by the user is first passed through an expansion function E, which expands the password to the same length as the secret key, L=E(SPWD); the expanded function value is then combined with the secret key by a bit-by-bit Exclusive-OR (XOR) operation, that is, χ^=Ζ㊉.
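The password-bound key derivation of claims 2 and 3 and the wrong-password failure described in item 4 of the security analysis can be modelled as follows. This is an added example, not code from the patent: it is a simplified model that leaves out the base-station relay and the certificates. Its assumptions are SHAKE-256 as the expansion function E, HMAC-SHA256 in place of the encrypted name pair used for key confirmation, a toy modulus and generator, constructed secrets and passwords, and a direct Diffie-Hellman-style key formula.

```python
import hashlib
import hmac

# Toy public parameters, assumed for illustration (the page only writes g and "mod N").
N = 2**127 - 1                      # Mersenne prime; far too small for real use
G = 3
KEY_LEN = 16                        # byte length of the SIM-resident secret key

# Constructed registration data: SIM secrets and the passwords chosen at sign-up.
SIM_SECRET = {"A": bytes.fromhex("3a91c05e77d2481fb6e0294c5d13a8f7"),
              "B": bytes.fromhex("c4076be1982f53ad01d97e6a4b30f52c")}
REGISTERED_SPWD = {"A": "tiger-42", "B": "maple-7"}


def expand_password(spwd, length=KEY_LEN):
    """L = E(SPWD): stretch the password to the secret key's length.
    The page does not define E; SHAKE-256 is this example's stand-in."""
    return hashlib.shake_256(spwd.encode("utf-8")).digest(length)


def session_secret(sim_secret, spwd):
    """Second secret key = E(SPWD) XOR SIM secret; computed on the fly, never stored."""
    expanded = expand_password(spwd, len(sim_secret))
    return int.from_bytes(bytes(a ^ b for a, b in zip(expanded, sim_secret)), "big")


def session_public(user):
    """Public key matching the password-derived secret, fixed at registration."""
    return pow(G, session_secret(SIM_SECRET[user], REGISTERED_SPWD[user]), N)


def communication_key(user, typed_spwd, peer):
    """Key this side derives from the password typed now and the peer's public key."""
    secret = session_secret(SIM_SECRET[user], typed_spwd)
    return pow(session_public(peer), secret, N).to_bytes(KEY_LEN, "big")


def confirmation(key, first_id, second_id):
    """RES over the ordered name pair; HMAC-SHA256 stands in for the page's f."""
    return hmac.new(key, f"{first_id}|{second_id}".encode(), hashlib.sha256).digest()


def run_call(typed_by_a, typed_by_b):
    """Return (A accepts RES_B, B accepts RES_A) for one double-authenticated call."""
    key_a = communication_key("A", typed_by_a, "B")
    key_b = communication_key("B", typed_by_b, "A")
    res_b = confirmation(key_b, "B", "A")     # B's name first
    res_a = confirmation(key_a, "A", "B")     # A's name first
    a_accepts = hmac.compare_digest(res_b, confirmation(key_a, "B", "A"))
    b_accepts = hmac.compare_digest(res_a, confirmation(key_b, "A", "B"))
    return a_accepts, b_accepts


if __name__ == "__main__":
    print(run_call("tiger-42", "maple-7"))    # both passwords correct
    print(run_call("tiger-42", "guess"))      # B's handset held by someone else
```

A holder of the SIM card who types the wrong password derives a different key, so neither confirmation value verifies and the mismatch is visible to both ends.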
TW88112414A 1999-07-19 1999-07-19 Security protocols for end-to-end mobile users with double authentication TW447206B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW88112414A TW447206B (en) 1999-07-19 1999-07-19 Security protocols for end-to-end mobile users with double authentication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW88112414A TW447206B (en) 1999-07-19 1999-07-19 Security protocols for end-to-end mobile users with double authentication

Publications (1)

Publication Number Publication Date
TW447206B true TW447206B (en) 2001-07-21

Family

ID=21641598

Family Applications (1)

Application Number Title Priority Date Filing Date
TW88112414A TW447206B (en) 1999-07-19 1999-07-19 Security protocols for end-to-end mobile users with double authentication

Country Status (1)

Country Link
TW (1) TW447206B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI385550B (en) * 2007-12-27 2013-02-11 Intel Corp Interconnect architectural state coverage measurement methodology

Similar Documents

Publication Publication Date Title
US20190306164A1 (en) Ad hoc one-time pairing of remote devices using online audio fingerprinting
CN106164922B (en) Self-organizing one-time pairing of remote devices using online audio fingerprinting
EP1128597B1 (en) Method and arrangement in a communication network
US20070157026A1 (en) Method and system for key management in voice over internet protocol
US7764945B2 (en) Method and apparatus for token distribution in session for future polling or subscription
CN100574511C (en) The method and system of opposite end identity validation in a kind of mobile terminal communication
JP6145806B2 (en) Immediate communication method and system
US20020129236A1 (en) VoIP terminal security module, SIP stack with security manager, system and security methods
US20080137859A1 (en) Public key passing
CN108400867A (en) A kind of authentication method based on public encryption system
CN106301767B (en) Encrypted call processing method, device, terminal and KMC
CN102572817A (en) Method and intelligent memory card for realizing mobile communication confidentiality
CN103795966B (en) A kind of security video call implementing method and system based on digital certificate
CN111756726A (en) SIP security authentication method supporting State cipher algorithm
WO2016082401A1 (en) Conversation method and apparatus, user terminal and computer storage medium
CN114362946B (en) Key agreement method and system
CN107294968B (en) Audio and video data monitoring method and system
CN106027560A (en) Intelligent terminal oriented security transmission method and system
KR20090067041A (en) Method and apparatus for sip registering and establishing sip session with enhanced security
CN108809656B (en) Key exchange protocol construction method based on double authentication protection signatures
CN107395552A (en) A kind of data transmission method and device
TW447206B (en) Security protocols for end-to-end mobile users with double authentication
WO2012075761A1 (en) Method and system for encrypting multimedia message service
KR20120087550A (en) Encrypted Communication Method and Encrypted Communication System Using the Same
US8924706B2 (en) Systems and methods using one time pads during the exchange of cryptographic material

Legal Events

Date Code Title Description
GD4A Issue of patent certificate for granted invention patent
MM4A Annulment or lapse of patent due to non-payment of fees