WO2007043015A2 - Improved proximity detection method - Google Patents

Improved proximity detection method

Info

Publication number
WO2007043015A2
Authority
WO
WIPO (PCT)
Prior art keywords
protected
query
response
computed
cpu
Prior art date
Application number
PCT/IB2006/053732
Other languages
English (en)
Other versions
WO2007043015A3 (fr)
Inventor
Michael Epstein
Marc Vauclair
Ventzislav Nikov
Original Assignee
Koninklijke Philips Electronics N.V.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Koninklijke Philips Electronics N.V.
Publication of WO2007043015A2
Publication of WO2007043015A3

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0492 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload by using a location-limited connection, e.g. near-field communication or limited proximity of entities
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/101 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying security measures for digital rights management
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/445 Program or device authentication by mutual authentication, e.g. between devices or programs
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2111 Location-sensitive, e.g. geographical location, GPS

Definitions

  • DRM Digital Rights Management
  • One way of protecting content in the form of digital data is to ensure that content will only be transferred from a transmitting device (source device, e.g. a digital video recorder, DVR) to a receiving device (sink device, e.g. a television display device) if the receiving device has been authenticated as being a compliant device and if the user of the content has the right to transfer (move, copy) that content to another device. If transfer of content is allowed, this will typically be performed in an encrypted way to make sure that the content cannot be captured in an unprotected, high-quality digital format.
  • source device e.g. a digital video recorder, DVR
  • sink device e.g. a television display device
  • SAC secure authenticated channel
  • AKE Authentication and Key Exchange
  • Standards such as International Standard ISO/IEC 11770-3 and ISO/IEC 9796-2, and public key algorithms such as RSA and hash algorithms like SHA-1 are often used.
  • Each device typically contains a unique encryption key that is used in a challenge/response protocol with another device to calculate a temporary, mutually shared key. The two devices subsequently use this shared key to protect the exchanged content and usage rights information.
  • A remaining issue is that a SAC may be set up between devices that are, physically or network-wise, far away from each other. To limit this possibility, various proposals have been made for some form of distance measurement that is to be performed when the SAC is set up. If the source and sink devices are too far away from each other, the SAC should not be set up or content exchange should be refused or limited.
  • Distance measurement involves a challenge-response protocol where the time between sending the challenge and receiving the response is measured and used to estimate the distance between source and sink devices.
  • Distance measurement can be combined with the authentication protocol of the SAC setup, as is taught for example in international patent application WO 2004/014037 (attorney docket PHNL020681).
  • A problem with distance measurement protocols is that the time between sending the challenge and receiving the response also includes the time needed by the remote party (typically the sink device) to compute the response. This may introduce inaccuracies in the determined distance.
  • A personal computer with a fast processor can compute a response very quickly, even when (complex and hence slow) public key cryptography operations are used.
  • A small portable device such as a PDA will take a much longer time to perform the same computations. It is now hard to tell the difference between such a fast PC that is far away and such a slow portable device that is closer.
  • This object is achieved according to the invention in a method comprising, in a precomputing phase, at both devices (200, 220), computing for a query a_i a protected query ma_i and for a response b_i a protected response mb_i, and in an interactive phase,
  • The protocol interactions are minimized.
  • The only complex operations are during the precomputing phase.
  • The protocol is also very suitable for slow devices such as the above-mentioned PDAs.
  • The present invention is suitable for use in any connection between two devices where there is a need to determine the physical proximity of the connected devices. There is a clear separation from any other protocol, such as the establishment of a secure authenticated channel.
  • The most important feature of the present invention is that the time difference that is measured at the end of the interactive phase relates only to the travel time of the protected query and response between the devices and not to the processing power of the devices. This is due to the precomputation phase which is executed before the interactive phase. Any time spent on computing the protected versions of queries and responses is not counted in the time between sending the protected query and receiving the protected response, because these computations occurred before the interactive phase.
  • The time between query and reply comprises both the time for communicating the query and its reply and the time needed for computing the reply.
  • The document further suggests to subtract the processing time from the measured time between sending the query and receiving the reply. However, this requires that the processing time is known with a sufficient degree of accuracy.
  • The queries and responses are computed by applying a cryptographic hash function to a given seed R.
  • A cryptographic hash function is an easy and fast way to compute these queries and responses.
  • The SAC setup protocol may produce as one of its outputs a number that may serve as the seed R. This number will be hard to predict for an outside attacker. This embodiment thus improves security of the system.
  • The protected version ma_i of a query a_i, and the protected version mb_i of a response b_i, are computed using a Message Authentication Code (MAC) function.
  • MAC Message Authentication Code
  • The protected query ma_i and the protected response mb_i are sent accompanied by the number i. This ensures that the recipient knows which computed query and response to compare against the received query and response, respectively. As a result it is more likely that the parties will remain synchronized throughout the protocol.
  • The invention further provides a system that operates according to the invention, and a first device and a second device for use in this system.
  • Fig. 1 schematically shows a system comprising devices interconnected via a network
  • Fig. 2 schematically illustrates a source device and a sink device; and Fig. 3 shows an embodiment of the inventive proximity detection protocol.
  • Fig. 1 schematically shows a system 100 comprising devices 101-105 interconnected via a network 110.
  • A typical digital home network includes a number of devices, e.g. a radio receiver, a tuner/decoder, a CD player, a pair of speakers, a television, a VCR, a digital recorder, a mobile phone, a tape deck, a personal computer, a personal digital assistant, a portable display unit, a car entertainment system, and so on.
  • These devices are usually interconnected to allow one device, e.g. the television, to control another, e.g. the VCR.
  • One device, such as e.g. the tuner/decoder or a set top box (STB), is usually the central device, providing central control over the others.
  • STB set top box
  • Content, which typically comprises things like music, songs, movies, animations, speeches, videoclips for music, TV programs, pictures, games, ringtones, spoken books and the like, but which also may include interactive services, is received through a residential gateway or set top box 101.
  • Content could also enter the home via other sources, such as storage media like discs or using portable devices.
  • The source could be a connection to a broadband cable network, an Internet connection, a satellite downlink and so on.
  • The content can then be transferred over the network 110 to a sink for rendering.
  • A sink can be, for instance, the television display 102, the portable display device 103, the mobile phone 104 and/or the audio playback device 105.
  • The exact way in which a content item is rendered depends on the type of device and the type of content.
  • Rendering comprises generating audio signals and feeding them to loudspeakers.
  • Rendering generally comprises generating audio and video signals and feeding those to a display screen and loudspeakers.
  • Rendering may also include operations such as decrypting or descrambling a received signal, synchronizing audio and video signals and so on.
  • The set top box 101 may comprise a storage medium S1 such as a suitably large hard disk, allowing the recording and later playback of received content.
  • The storage medium S1 could be a Personal Digital Recorder (PDR) of some kind, for example a DVD+RW recorder, to which the set top box 101 is connected.
  • Content can also enter the system 100 stored on a carrier 120 such as a Compact Disc (CD) or Digital Versatile Disc (DVD).
  • CD Compact Disc
  • DVD Digital Versatile Disc
  • The portable display device 103 and the mobile phone 104 are connected wirelessly to the network 110 using a base station 111, for example using Bluetooth or IEEE 802.11b.
  • The other devices are connected using a conventional wired connection.
  • One well-known standard is the Universal Plug and Play (http://www.upnp.org) standard.
  • The devices 101-105 are provided with a data protection system for a digital display interface.
  • This data protection system ensures that only authorized and protected content transfers can occur from a first device, hereafter referred to as source device or just source, to a second device, hereafter referred to as sink device or just sink.
  • Fig. 2 schematically illustrates a source device 200 and sink device 220. Both devices comprise a digital interface IF, a processor CPU and a storage component MEM.
  • The source device 200 is a device that holds content which is to be streamed (or otherwise transmitted) to the sink device 220.
  • The sink device 220 then typically is a device that receives this streamed content and renders it, e.g. on a display screen. Any of the devices 101-105 mentioned above may operate as the source device 200 and/or as the sink device 220. It is worth noting that a device may operate as source device relative to one other device, and as sink device relative to a further device. This may even occur simultaneously.
  • An example of a source device 200 and a sink device 220 is a digital video recorder (DVR) connected to a television display. The digital audiovisual content recorded by the DVR is streamed to the display so the user can watch the content.
  • The source may also be a (laptop or desktop) computer, where the sink is its display screen.
  • The interface between source device 200 and sink device 220 comprises a high-speed unidirectional main link 211 and a relatively low-speed bidirectional auxiliary channel 212.
  • The main link 211 can carry up to 10 Gigabits per second and the auxiliary channel 212 has a 1 Megabit per second transfer rate.
  • The main link 211 is used to carry compressed or uncompressed digital data such as video and/or audio data.
  • Technology to perform device authentication and encrypted content transfer is available and is called a secure authenticated channel (SAC).
  • A SAC 210 is assumed to have been set up as shown in Fig. 2 to protect the data transferred over the main link 211 and auxiliary link 212.
  • Only the main link 211 or only the auxiliary link 212 may be protected by the SAC 210.
  • The SAC may for some message transfers be bypassed, for example for already-encrypted messages or for messages that can safely be sent without protection.
  • Public key cryptography and digital certificates may be used for mutual authentication between the source and sink devices.
  • The data is transferred over the main link in encrypted form.
  • the proximity detection protocol consists of a pre-computation phase and an interactive phase. During the precomputation phase, the devices compute the information they will use during the interactive phase. Each phase of the protocol is now described in turn.
  • Both devices obtain at least one query and at least one corresponding response.
  • Both devices compute a sequence of queries, hereafter referred to as the sequence a, and a sequence of responses, hereafter referred to as the sequence b, using the above-mentioned seed R and a public algorithm.
  • Elements of the sequences are referred to as a_i and b_i respectively, where i is an integer ranging from 0 to a certain (sufficiently large) maximum N.
  • The queries and responses can simply be binary sequences.
  • Sequences a and b may be computed in many ways.
  • The cryptographic hash function preferably is the well-known SHA function. In this embodiment the sequences are unknown to third parties.
  • The protected versions are generated using a Message Authentication Code (MAC) function using a MAC such as AES in XCBC mode as follows:
  • MAC Message Authentication Code
  • An HMAC using a cryptographic hash function such as SHA
  • SHA cryptographic hash function
  • The use of the MD5 hash function is theoretically possible, but this function has been shown to be insecure.
  • Using a keyed MAC or a digital signature algorithm, it is possible to publish the sequences a and b and still have a secure protocol.
  • Both devices further have a counter to keep track of the current query and response. This counter is denoted by i.
  • The precomputing phase may occur at any time prior to the interactive phase. If the common secret authentication key K and the seed R (or one of these values) are established during the SAC setup, then of course the precomputing phase should occur after setting up the SAC. If however the inputs needed for the precomputing phase are not established during the SAC setup, then the precomputing phase may occur at any time. By performing these computations prior to the interactive phase, it is ensured that any time spent on these computations does not affect the time measured in the actual distance measurement protocol. This way the time measured is the most accurate.
  • The second phase is interactive and illustrated in Fig. 3. Initially, both devices have stored respective copies of a_i, b_i, ma_i, mb_i and i which were computed in the first phase.
  • Source device 200 records the current time, hereafter referred to as t0.
  • In step 302 source device 200 sends ma_i to sink device 220, which receives it in step 303.
  • Sink device 220 verifies that the received value ma_i is equal to the stored value ma_i. As this involves only a comparison between two numbers, this can be done very efficiently. If the received value does not match the stored value, the sink aborts the protocol in step 320.
  • Sink device 220 responds by sending the value mb_i back to the source device 200.
  • The source device 200 receives this value mb_i in step 306 and verifies in step 307 that the received value mb_i is equal to the stored value mb_i.
  • Both devices 200, 220 subsequently increase their counters i by one in steps 308, 309.
  • The counters ensure that both devices use the same values ma_i and mb_i in the protocol. It may happen that the respective counters of the devices 200, 220 have different values. For example, a device may crash after completing the message exchange but before the counter could be updated. If the other device does update the counter, then subsequent distance measurements will fail because the comparison of the received ma_i or mb_i and the stored ma_i or mb_i will reveal they are not identical.
  • One solution is for the device performing the check to compare the received protected value, say ma_i, not only against the stored ma_i but also against the previous and next items in the sequence, ma_{i-1} and ma_{i+1}. If the received value matches ma_{i+1} or ma_{i-1}, the device can adjust its counter appropriately.
  • An alternative solution to this problem is to send the counter i along with the value ma_i (or mb_i). This way the recipient immediately knows against which stored value the received value is to be compared.
  • Source device 200 in step 310 again records the current time, hereafter referred to as t1.
  • The source device 200 computes the time difference t1 - t0. This time difference is used in the final step 312 to determine if the sink device 220 is sufficiently close to the source device 200. This is preferably done by determining if the time difference is less than a predetermined limit.
  • This determination can be used to decide whether the sink device 220 is to be authenticated or not, or whether particular content is allowed to be transferred to the sink device 220. For instance, a requirement could be that any query is to be answered within 7 milliseconds. This is sufficiently short to know with reasonable certainty that the sink device 220 must be close to the source device 200. The choice depends on many parameters, such as the expected travel time of data over the network. In the above-mentioned network where the auxiliary channel 212 has a 1 Megabit per second transfer rate, the inventors prefer a value of 500 µs. At regular intervals during data transfer the proximity detection may be repeated to verify whether the source device 200 and the sink device 220 are still in the required proximity of each other.
  • The proximity protocol according to the invention does not need to be carried out over this secure authenticated channel 210. It may be carried out over the auxiliary channel 212 without protecting the messages.
  • Any reference signs placed between parentheses shall not be construed as limiting the claim.
  • The word "comprising" does not exclude the presence of elements or steps other than those listed in a claim.
  • The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements.
  • The invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the device claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
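The two phases described above (precomputation of ma_i and mb_i from the seed R and key K, then the timed exchange with counter resynchronisation against the neighbouring items ma_{i-1} and ma_{i+1}), as an added example that is not the patent's own code or protocol specification. Everything concrete here is an assumption: SHA-256 stands in for "the SHA function", HMAC-SHA256 for the MAC, the derivation SHA-256(R || label || i) for the unspecified "public algorithm", and the Device and measure names and the seed and key values are constructed for the example.

```python
import hashlib
import hmac
import time


def precompute(seed: bytes, key: bytes, n: int):
    """Pre-computation phase, run identically on both devices.

    Derives queries a_i and responses b_i from the seed R (assumption: SHA-256
    over seed || label || i) and protects each with a keyed MAC under the common
    authentication key K (assumption: HMAC-SHA256). Returns the lists ma[0..n-1]
    and mb[0..n-1]; the interactive phase only ever compares these values."""
    ma, mb = [], []
    for i in range(n):
        idx = i.to_bytes(4, "big")
        a_i = hashlib.sha256(seed + b"query" + idx).digest()
        b_i = hashlib.sha256(seed + b"response" + idx).digest()
        ma.append(hmac.new(key, a_i, hashlib.sha256).digest())
        mb.append(hmac.new(key, b_i, hashlib.sha256).digest())
    return ma, mb


class Device:
    """A source or sink holding its precomputed ma_i, mb_i and the counter i."""

    def __init__(self, name: str, seed: bytes, key: bytes, n: int):
        self.name = name
        self.ma, self.mb = precompute(seed, key, n)
        self.i = 0

    def match_with_resync(self, seq, received: bytes) -> bool:
        """Compare `received` with stored item i, and with i+1 and i-1, so a
        counter that drifted by one (e.g. a crash before step 308/309) is
        corrected instead of failing every later measurement."""
        for j in (self.i, self.i + 1, self.i - 1):
            if 0 <= j < len(seq) and hmac.compare_digest(seq[j], received):
                self.i = j
                return True
        return False

    def on_query(self, received_ma: bytes):
        """Sink side (steps 303-305, 309): check ma_i, answer mb_i or abort."""
        if not self.match_with_resync(self.ma, received_ma):
            return None  # step 320: abort, no response is sent
        reply = self.mb[self.i]
        self.i += 1  # step 309
        return reply


def measure(source: Device, sink: Device, limit_s: float):
    """Source side (steps 301-312). Only the round trip between sending ma_i
    and receiving mb_i is timed; all MAC work already happened in precompute().
    Returns (in_proximity, elapsed_seconds)."""
    query = source.ma[source.i]
    t0 = time.perf_counter()          # step 301
    reply = sink.on_query(query)      # steps 302-305, in-process stand-in for the link
    t1 = time.perf_counter()          # step 310
    elapsed = t1 - t0
    if reply is None or not source.match_with_resync(source.mb, reply):
        return False, elapsed         # step 307: mismatch or no reply
    source.i += 1                     # step 308
    return elapsed < limit_s, elapsed # step 312: compare against the limit


if __name__ == "__main__":
    R = b"seed R output by the SAC setup (constructed)"
    K = b"common authentication key K (constructed)"
    src, snk = Device("source", R, K, 16), Device("sink", R, K, 16)
    ok, dt = measure(src, snk, limit_s=500e-6)  # the 500 us limit from the text
    print(f"in proximity: {ok}, round trip {dt * 1e6:.1f} us, counters {src.i}/{snk.i}")
```

Two points worth noticing when running it: a device that does not hold K cannot produce an accepted ma_i or mb_i, so the check fails without the source's counter moving, and a sink whose counter is one behind still answers correctly because the comparison window covers i-1 and i+1. The elapsed time is a wall-clock measurement, so the 500 µs limit only makes sense with a real link; the stand-alone run merely shows that the precomputation is outside the timed window.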

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Radar Systems Or Details Thereof (AREA)

Abstract

The present invention relates to a method for determining a distance between a first device (200) and a second device (220). During a precomputation phase, both devices (200, 220) compute, for a query a_i, a protected query ma_i and, for a response b_i, a protected response mb_i. During an interactive phase, the first device (200) sends the protected query ma_i to the second device (220). The second device (220) compares the received protected query ma_i with the computed protected query ma_i and sends the protected response mb_i to the first device (200). The first device (200) compares the received protected response mb_i with the computed protected response mb_i. The distance is determined on the basis of a measurement of the time elapsed between sending the protected query ma_i to the second device (220) and receiving the protected response mb_i from the second device (220).
PCT/IB2006/053732 2005-10-13 2006-10-11 Improved proximity detection method WO2007043015A2 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP05109517.2 2005-10-13
EP05109517 2005-10-13

Publications (2)

Publication Number Publication Date
WO2007043015A2 true WO2007043015A2 (fr) 2007-04-19
WO2007043015A3 WO2007043015A3 (fr) 2007-09-07

Family

ID=37943201

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2006/053732 WO2007043015A2 (fr) 2005-10-13 2006-10-11 Improved proximity detection method

Country Status (1)

Country Link
WO (1) WO2007043015A2 (fr)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2090998A1 (fr) * 2005-10-18 2009-08-19 Intertrust Technologies Corporation Digital rights management engine systems and methods
US8234387B2 (en) 2003-06-05 2012-07-31 Intertrust Technologies Corp. Interoperable systems and methods for peer-to-peer service orchestration
US9298955B2 (en) 2011-11-04 2016-03-29 Nxp B.V. Proximity assurance for short-range communication channels
US9589110B2 (en) 2011-04-11 2017-03-07 Intertrust Technologies Corporation Information security systems and methods
US9626667B2 (en) 2005-10-18 2017-04-18 Intertrust Technologies Corporation Digital rights management engine systems and methods

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004014037A1 (fr) * 2002-07-26 2004-02-12 Koninklijke Philips Electronics N.V. Secure authenticated distance measurement

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004014037A1 (fr) * 2002-07-26 2004-02-12 Koninklijke Philips Electronics N.V. Secure authenticated distance measurement

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8234387B2 (en) 2003-06-05 2012-07-31 Intertrust Technologies Corp. Interoperable systems and methods for peer-to-peer service orchestration
US9317843B2 (en) 2003-06-05 2016-04-19 Intertrust Technologies Corporation Interoperable systems and methods for peer-to-peer service orchestration
US9466054B1 (en) 2003-06-05 2016-10-11 Intertrust Technologies Corporation Interoperable systems and methods for peer-to-peer service orchestration
EP2090998A1 (fr) * 2005-10-18 2009-08-19 Intertrust Technologies Corporation Digital rights management engine systems and methods
US8688583B2 (en) 2005-10-18 2014-04-01 Intertrust Technologies Corporation Digital rights management engine systems and methods
US8776216B2 (en) 2005-10-18 2014-07-08 Intertrust Technologies Corporation Digital rights management engine systems and methods
US9626667B2 (en) 2005-10-18 2017-04-18 Intertrust Technologies Corporation Digital rights management engine systems and methods
US9589110B2 (en) 2011-04-11 2017-03-07 Intertrust Technologies Corporation Information security systems and methods
US10009384B2 (en) 2011-04-11 2018-06-26 Intertrust Technologies Corporation Information security systems and methods
US9298955B2 (en) 2011-11-04 2016-03-29 Nxp B.V. Proximity assurance for short-range communication channels

Also Published As

Publication number Publication date
WO2007043015A3 (fr) 2007-09-07

Similar Documents

Publication Publication Date Title
US10091186B2 (en) Secure authenticated distance measurement
RU2295202C2 (ru) Device configured for data exchange, and authentication method
US8468350B2 (en) Content transmission apparatus, content reception apparatus and content transmission method
US8561210B2 (en) Access to domain
CN102687483B (zh) Temporary registration of a device
US20080133918A1 (en) Method and apparatus for transmitting data using authentication
US20100106960A1 (en) Content transmitting device, content receiving device and content transmitting method
KR20070009983A (ko) Method of authenticating access to content
US20070169203A1 (en) Method and apparatus for transmitting content to device which does not join domain
JP2010021875A (ja) Data transmission device, data reception device, data transmission method and data reception method
JP3801559B2 (ja) Communication device and method, recording medium, and program
WO2007043015A2 (fr) Improved proximity detection method
US8312166B2 (en) Proximity detection method
WO2007043014A1 (fr) Encrypted communication method using a key stream
JP4069458B2 (ja) Data communication system and data communication method, data transmission device and data transmission method, data reception device and data reception method, and program
WO2007042996A1 (fr) Improved security system
MXPA06008255A (en) Method of authorizing access to content

Legal Events

Date Code Title Description
NENP Non-entry into the national phase in:

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06809569

Country of ref document: EP

Kind code of ref document: A2