WO1998048389A2 - Method for mutual authentication between two units - Google Patents

Publication number: WO1998048389A2
Authority: WO, WIPO (PCT)
Prior art keywords: unit, key, random number, message, units
Application number: PCT/EP1998/002231
Other languages: German (de), French (fr)
Other versions: WO1998048389A3 (en
Inventors: Hans-Hermann FRÖHLICH, Winfried Gall
Original Assignee: Giesecke & Devrient Gmbh
Application filed by: Giesecke & Devrient Gmbh
Priority to JP54497298A (patent JP2001523407A)
Priority to AU80135/98A (patent AU8013598A)
Priority to EP98928199A (patent EP1010146A2)
Priority to IL13237498A (patent IL132374A0)
Publication of WO1998048389A2
Publication of WO1998048389A3

Classifications

    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07F COIN-FREED OR LIKE APPARATUS
    • G07F7/00 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1008 Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/341 Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/409 Device specific authentication in transaction processing
    • G06Q20/4097 Device specific authentication in transaction processing using mutual authentication between devices and transaction partners
    • G06Q20/40975 Device specific authentication in transaction processing using mutual authentication between devices and transaction partners using encryption therefor
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/16 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms the keys or algorithms being changed during operation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication

Abstract

The invention relates to a method for mutual authentication between two units that communicate with each other. An encrypted message sent from unit A to unit B is transmitted along with a key differing from the one used to encrypt the message from unit A. Unit B then encrypts the message addressed to unit A using the key received from unit A, on the basis of which unit B is authenticated by unit A.

Description

Method for mutual authentication of two units

The invention relates to a method for mutual authentication of two units that communicate with one another. In the international standard ISO/IEC 9798-2, the three-stage authentication takes place, for example, as follows: unit B generates a random number and sends it to unit A. Unit A likewise generates a random number and encrypts it, together with the random number received from unit B, using its secret key. The result of this encryption is then transmitted as a message from unit A to unit B. Unit B decrypts this message with the same secret key and checks whether the random number previously sent to unit A matches the random number obtained from the encrypted message. If it does, unit B knows that unit A also holds the same secret key. Unit A is thus authenticated to unit B. Unit B then swaps the two random numbers and encrypts them with the shared secret key. The message sent by unit B is decrypted by unit A, which compares the random number it previously transmitted to unit B with the random number obtained from the message. If this in turn matches the random number generated by unit A, unit B is also authenticated to unit A. This mutual authentication rests on units A and B using the same secret key to encrypt their messages.

Although in the known method the encrypted messages differ because the random numbers are swapped, it cannot be ruled out that, given the swapping of the random numbers and the resulting change in the message, someone who knows the encryption algorithm can infer the secret key by eavesdropping on the messages. The object of the present invention is therefore to make plaintext attacks more difficult by preventing plaintext and the associated ciphertext from occurring during communication. This object is achieved by the features specified in claim 1.

The basic idea of the invention is that the first message, transmitted in encrypted form from a first unit to a second unit, also carries a key that differs from the key the first unit used to encrypt this message. The second unit then encrypts the second message, intended for the first unit, with the key received from the first unit. On the basis of this message the second unit is then authenticated by the first unit. Because different keys are used to encrypt the messages by which the participants are authenticated, and because the swapping of the two random numbers is dispensed with, spying out the secret keys by eavesdropping on the messages exchanged between the participants is made more difficult. This increases security.

A further advantage of the method according to the invention is that a key exchange is possible during authentication without any administrative effort. After authentication, this key can also be used to encrypt the data exchange between the units. The exchanged key can be dynamic and therefore different for each authentication. Furthermore, the key used to encrypt the key being exchanged can also be individual to the respective unit. This key is preferably derived, according to a previously defined algorithm, from a base key common to the units of the system, taking the respective unit's identifier into account. The second unit then computes, for example, the key used by the first unit to encrypt the message, starting from this base key and using the identifier received from the first unit. To ensure the security of the system, the base key must of course be kept secret. Using a key derived from a base key has the advantage that, if the derived key of a unit has become insecure, another derived key can be used for authenticating the unit according to a defined algorithm, without the base key having to be changed and exchanged between the units in encrypted form.

It is also possible, however, for the unit that authenticates the other unit to select, according to a defined rule and from several secret keys agreed between the units, the key that the unit to be authenticated used to encrypt the message.

The units communicating with one another can be, for example, a chip card and a terminal, as used in electronic payment transactions. The chip card can be assigned to a customer, for example, and the terminal to a merchant or a bank. The method according to the invention is of course not limited to such an application. Rather, it can be used wherever the authenticity of units belonging to a system has to be established. For example, the method could also be used in a mobile radio system.

An embodiment of the invention is explained below with reference to the figure. The figure shows the procedure for authenticating the communicating units A and B according to the invention. Unit B sends a random number Zb that it has generated to unit A. Preferably, but not necessarily, this is initiated by a request Ab from unit A. Unit A likewise generates a random number Za. Unit A also selects a secret key Ks known only to it. In the next step, unit A encrypts the random numbers Za and Zb and the key Ks it has selected with the secret key Kab shared by units A and B. Optionally, a sequence number SN can be included in the encryption. The result of the encryption is then transmitted to unit B as message N1. Unit B decrypts the received message N1 with the key Kab. This yields, as the plaintext N1', the random number Za', the random number Zb', the optional sequence number SN' and the key Ks' selected by unit A. Unit B then compares the random number Zb' obtained by decrypting message N1 with the random number Zb that unit B generated and transmitted to unit A. If they match, unit B recognizes unit A as belonging to the system. If they do not, unit A is not authentic and does not belong to the system. Optionally, unit B can also check the validity of the sequence number SN'.

It is also possible, however, that unit A has used a different secret key Kab', previously agreed with unit B, to encrypt message N1. In this case unit B selects the key Kab', according to a previously defined rule, from a protected list containing several secret keys Kab', Kab'', Kab^n. Message N1 is then decrypted with this key Kab' as described above. By selecting the correct key Kab', unit B is thus still able to authenticate unit A successfully. Because units A and B each hold several previously agreed secret keys, they can change the shared secret key Kab' used for authentication at any time, the change following a rule previously defined between the units.

The selection method described allows units A and B to fall back, without additional administrative effort, on other secret keys agreed between them if one of the keys has become known. It should be emphasized, however, that the mutual authentication of units A and B in the invention can take place independently of the selection of a new shared secret key.

The authentication of unit B by unit A is described below. Unit B uses the key Ks' obtained from message N1 to encrypt the random numbers Za' and Zb'. The result of the encryption is transmitted to unit A as message N2. Unit A decrypts message N2 with the key Ks it previously selected and thus obtains the random numbers Zb'' and Za'' in plaintext as message N2'. The random number Za'' is then compared with the random number Za generated by unit A. In addition, unit A can also compare the random number Zb'' obtained by decrypting message N2 with the random number Zb received from unit B. If both comparisons succeed, unit A recognizes unit B as authentic. It may of course also be sufficient to compare only the random number Za'' with the random number Za in order to authenticate unit B.
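
The exchange described above, written out as an added Python example that is not code from the patent: unit B issues Zb, unit A answers with N1 under a Kab derived from the base key and its identifier, and unit B replies with N2 under the transported key Ks. The HMAC-SHA256 based `seal`/`unseal` stand-in cipher, the key derivation, the field sizes and all class and function names are assumptions, since the patent names no algorithm.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, KEY_LEN, TAG_LEN = 16, 32, 32  # assumed sizes; the patent fixes none


class AuthError(Exception):
    """A message failed decryption or a random-number comparison."""


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_unit_key(base_key: bytes, unit_id: bytes) -> bytes:
    """Kab from the system base key and the unit identifier (assumed KDF)."""
    return _prf(base_key, b"unit-key|" + unit_id)


def _xor_stream(key: bytes, iv: bytes, data: bytes) -> bytes:
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += _prf(key, iv + counter.to_bytes(4, "big"))
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in cipher (assumption): HMAC-SHA256 keystream, encrypt-then-MAC."""
    iv = secrets.token_bytes(NONCE_LEN)
    ct = _xor_stream(_prf(key, b"enc"), iv, plaintext)
    return iv + ct + _prf(_prf(key, b"mac"), iv + ct)


def unseal(key: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise AuthError("message too short")
    iv, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), iv + ct)):
        raise AuthError("wrong key or modified message")
    return _xor_stream(_prf(key, b"enc"), iv, ct)


class UnitA:
    """Unit A (for example the chip card): holds only its own derived Kab."""
    def __init__(self, unit_id: bytes, kab: bytes):
        self.unit_id, self.kab = unit_id, kab
        self.za = self.zb = self.ks = None

    def build_n1(self, zb: bytes) -> bytes:
        self.zb = zb
        self.za = secrets.token_bytes(NONCE_LEN)
        self.ks = secrets.token_bytes(KEY_LEN)  # fresh Ks for every run
        return seal(self.kab, self.za + self.zb + self.ks)  # N1 under Kab

    def verify_n2(self, n2: bytes) -> bytes:
        ks, self.ks = self.ks, None  # one verification attempt per handshake
        if ks is None:
            raise AuthError("no handshake in progress")
        plain = unseal(ks, n2)  # only a unit that recovered Ks can build N2
        if len(plain) != 2 * NONCE_LEN:
            raise AuthError("malformed N2")
        za2, zb2 = plain[:NONCE_LEN], plain[NONCE_LEN:]
        # Za'' must match; the Zb'' comparison is the optional extra check
        if not (hmac.compare_digest(za2, self.za) and hmac.compare_digest(zb2, self.zb)):
            raise AuthError("unit B not authenticated")
        return ks  # usable afterwards as the data-exchange key


class UnitB:
    """Unit B (for example the terminal): holds the base key, derives Kab."""
    def __init__(self, base_key: bytes):
        self.base_key = base_key
        self.zb = self.session_key = None

    def challenge(self) -> bytes:
        self.zb = secrets.token_bytes(NONCE_LEN)
        return self.zb

    def handle_n1(self, unit_id: bytes, n1: bytes) -> bytes:
        zb, self.zb = self.zb, None  # each challenge is answered at most once
        if zb is None:
            raise AuthError("no outstanding challenge")
        plain = unseal(derive_unit_key(self.base_key, unit_id), n1)
        if len(plain) != 2 * NONCE_LEN + KEY_LEN:
            raise AuthError("malformed N1")
        za_, zb_, ks_ = plain[:NONCE_LEN], plain[NONCE_LEN:2 * NONCE_LEN], plain[2 * NONCE_LEN:]
        if not hmac.compare_digest(zb_, zb):
            raise AuthError("unit A not authenticated (stale or foreign N1)")
        self.session_key = ks_
        return seal(ks_, za_ + zb_)  # N2 under Ks', random numbers not swapped


def run_handshake(a: UnitA, b: UnitB) -> bytes:
    n1 = a.build_n1(b.challenge())
    n2 = b.handle_n1(a.unit_id, n1)
    return a.verify_n2(n2)
```

Because N2 is keyed with Ks rather than Kab, an eavesdropper never sees two ciphertexts under Kab whose plaintexts are related by a swap; a replayed N1 fails on the fresh Zb, and a unit without Kab cannot recover Ks to build N2.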

Claims

Patent claims
1. Method for the mutual authentication of two units (A) and (B) communicating with each other, comprising the following steps:
- unit (B) generates a random number (Zb), which is transmitted to unit (A),
- unit (A) selects a secret key (Ks) known only to it,
- unit (A) uses a secret key (Kab) shared by units (A) and (B) to encrypt at least a random number (Za) generated by unit (A), the random number (Zb) received from unit (B), and the secret key (Ks) it has selected,
- unit (A) transmits the result of the encryption to unit (B) as message (N1); unit (B) decrypts the received message (N1) with the shared secret key (Kab'), whereby the random numbers (Za') and (Zb') and the key (Ks') selected by unit (A) are obtained in plain text,
- unit (B) compares at least the random number (Zb') obtained from message (N1) with the random number (Zb) it generated,
- if at least the random numbers (Zb') and (Zb) match, unit (A) is recognized as authentic by unit (B),
- unit (B) then uses the key (Ks') received from unit (A) to encrypt at least the random number (Za') obtained from the received message (N1),
- unit (B) transmits the result of this encryption to unit (A) as message (N2),
- unit (A) decrypts the message (N2) received from unit (B), whereby at least the random number (Za") is obtained in plain text,
- unit (A) compares at least the random number (Za) it generated with the random number (Za") obtained from message (N2), and
- if the random numbers (Za) and (Za") match, unit (B) is recognized as authentic by unit (A).
2. Method according to claim 1, characterized in that the message (N1) transmitted from unit (A) to unit (B) additionally contains a sequence number (SN), which is evaluated by unit (B) in order to authenticate unit (A).
3. Method according to claim 1 or 2, characterized in that unit (A) additionally compares the random number (Zb") obtained in plain text from message (N2) by decryption with the key (Ks) with the random number (Zb) received from unit (B), and, if the random numbers (Zb") and (Zb) match, unit (B) is recognized as authentic by unit (A).
4. Method according to one of the preceding claims, characterized in that the key (Kab) is individually assigned to unit (A), and unit (B) derives the key individually assigned to unit (A) from a secret basic key (K), which is not known to unit (A), according to a specific algorithm as a function of an identifier received from unit (A).
5. Method according to one of the preceding claims, characterized in that units (A) and (B) jointly agree on several secret keys according to a defined rule, and the shared secret key used by units (A) and (B) for authentication can be changed by units (A) and (B) when certain events occur.
PCT/EP1998/002231 1997-04-17 1998-04-16 Method for mutual authentication between two units WO1998048389A2 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
JP54497298A JP2001523407A (en) 1997-04-17 1998-04-16 Mutual authentication method between two entities
AU80135/98A AU8013598A (en) 1997-04-17 1998-04-16 Method for mutual authentication between two units
EP98928199A EP1010146A2 (en) 1997-04-17 1998-04-16 Method for mutual authentication between two units
IL13237498A IL132374A0 (en) 1997-04-17 1998-04-16 Method for mutal authentication between two units

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE19716111.1 1997-04-17
DE19716111A DE19716111A1 (en) 1997-04-17 1997-04-17 Procedure for mutual authentication of two units

Publications (2)

Publication Number Publication Date
WO1998048389A2 true WO1998048389A2 (en) 1998-10-29
WO1998048389A3 WO1998048389A3 (en) 1999-01-28

Family

ID=7826826

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP1998/002231 WO1998048389A2 (en) 1997-04-17 1998-04-16 Method for mutual authentication between two units

Country Status (6)

Country Link
EP (1) EP1010146A2 (en)
JP (1) JP2001523407A (en)
AU (1) AU8013598A (en)
DE (1) DE19716111A1 (en)
IL (1) IL132374A0 (en)
WO (1) WO1998048389A2 (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7702926B2 (en) 1997-07-15 2010-04-20 Silverbrook Research Pty Ltd Decoy device in an integrated circuit
US7249108B1 (en) 1997-07-15 2007-07-24 Silverbrook Research Pty Ltd Validation protocol and system
US6816968B1 (en) 1998-07-10 2004-11-09 Silverbrook Research Pty Ltd Consumable authentication protocol and system
FR2782431B1 (en) * 1998-08-17 2000-09-29 Gemplus Sca SYMMETRIC ALGORITHM AUTHENTICATION METHOD AND DEVICE
DE19953448A1 (en) 1999-11-06 2001-05-10 Volkswagen Ag Bumper
SE518400C2 (en) * 2000-02-04 2002-10-01 Telia Ab Procedure and arrangement for mutual authentication in communication between two persons in a communication system
US7197642B2 (en) 2000-02-15 2007-03-27 Silverbrook Research Pty Ltd Consumable authentication protocol and system
AU2005200945B2 (en) * 2000-02-15 2006-10-05 Silverbrook Research Pty Ltd Integrated Circuit For Authenticating an Object
AU2006252272B2 (en) * 2000-02-15 2007-03-22 Silverbrook Research Pty Ltd An apparatus for validating a device using first and second keys
US7496397B2 (en) 2004-05-06 2009-02-24 Boston Scientific Scimed, Inc. Intravascular antenna
KR100601703B1 (en) * 2004-10-04 2006-07-18 삼성전자주식회사 Method for authenticating the device using broadcast crptography

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2600188A1 (en) * 1986-06-16 1987-12-18 Bull Cp8 Method of accrediting an external environment by a portable object associated with this environment
EP0253722A1 (en) * 1986-07-17 1988-01-20 Bull Cp8 Method for diversifying a basic key and for authenticating a key worked out from a predetermined basic key and system for operation
EP0440800A1 (en) * 1989-06-05 1991-08-14 Ntt Data Communications Systems Corporation Ic card for security attestation and ic card service system using said ic card
FR2681165A1 (en) * 1991-09-05 1993-03-12 Gemplus Card Int Process for transmitting confidential information between two chip cards
EP0548967A2 (en) * 1991-12-24 1993-06-30 GAO Gesellschaft für Automation und Organisation mbH Data exchange system with authentification status check

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AU2004201742B2 (en) * 2000-02-15 2004-06-03 Silverbrook Research Pty Ltd Consumables validation chip
AU2004205292B2 (en) * 2000-02-15 2004-12-09 Silverbrook Research Pty Ltd A system for authenticating an object
EP1223565A1 (en) * 2001-01-12 2002-07-17 Motorola, Inc. Transaction system, portable device, terminal and methods of transaction
JP2002281027A (en) * 2001-03-19 2002-09-27 Toshiba Corp Entity device for authentication system, key updating method and authentication system updating method
US7003111B2 (en) 2001-10-11 2006-02-21 International Business Machines Corporation Method, system, and program, for encoding and decoding input data
US7865440B2 (en) 2001-10-11 2011-01-04 International Business Machines Corporation Method, system, and program for securely providing keys to encode and decode data in a storage cartridge
US9317720B2 (en) 2001-10-11 2016-04-19 International Business Machines Corporation Method, system, and program for securely providing keys to encode and decode data in a storage cartridge
GB2493138A (en) * 2011-07-15 2013-01-30 Flick Mobile Ltd A system for secure payment transactions

Also Published As

Publication number Publication date
EP1010146A2 (en) 2000-06-21
AU8013598A (en) 1998-11-13
WO1998048389A3 (en) 1999-01-28
IL132374A0 (en) 2001-03-19
DE19716111A1 (en) 1998-10-22
JP2001523407A (en) 2001-11-20

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 132374

Country of ref document: IL

AK Designated states

Kind code of ref document: A2

Designated state(s): AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DK EE ES FI GB GE GH GM GW HU ID IL IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG US UZ VN YU ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW SD SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN ML MR NE SN TD TG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
AK Designated states

Kind code of ref document: A3

Designated state(s): AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DK EE ES FI GB GE GH GM GW HU ID IL IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG US UZ VN YU ZW

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): GH GM KE LS MW SD SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
ENP Entry into the national phase

Ref country code: JP

Ref document number: 1998 544972

Kind code of ref document: A

Format of ref document f/p: F

WWE Wipo information: entry into national phase

Ref document number: 1998928199

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 09403087

Country of ref document: US

WWP Wipo information: published in national office

Ref document number: 1998928199

Country of ref document: EP

NENP Non-entry into the national phase

Ref country code: CA

WWR Wipo information: refused in national office

Ref document number: 1998928199

Country of ref document: EP

WWW Wipo information: withdrawn in national office

Ref document number: 1998928199

Country of ref document: EP