Classifications

• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
  • H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
  • H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
  • H04L9/0841—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
  • H04L9/0844—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
  • H04L2209/80—Wireless
  • H04L2209/805—Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor

Definitions

• the invention relates to a method of choosing one of a multitude of data sets being registered with a device.
• the invention further relates to a device for presenting one of a multitude of data sets being registered with the device, to a remote device as well as a remote device itself.
• Identification products such as smart cards and RFID (“Radio Frequency Identification”) tags are used widely in fields such as transport (ticketing, road tolling, baggage tagging), finance (debit and credit cards, electronic wallet, merchant card), communications (SIM cards for GSM phones), and tracking (access control, inventory management, asset tracking).
• International standard ISO14443A is the industrial standard for contactless smart cards.
• ISOl 4443 A-compliant products such as MIF ARETM provide RF communication technology for transmitting data between a card or a tag and a reader device. For example, in electronic ticketing for public transport, travelers just wave their card over a reader at the turnstiles or entry point, benefiting from improved convenience and speed in the ticketing process.
• NFC Near Field Communication
• WiFi Wireless Ethernet
• a method according to the invention can be characterized in the way defined below, that is: A method of choosing one of a multitude of data sets being registered with a device, wherein after being chosen the one data set is presented to a remote device by the device, and wherein each data set is associated with a specific key, the method comprising the following steps of: a) encrypting exchange information al) in the device using one key of the keys associated with a data set and sending encrypted exchange information to the remote device, or a2) in the remote device using a key stored in the remote device and sending encrypted exchange information to the device, b) decrypting the encrypted exchange information bl) in the remote device using the one key stored in the remote device when following step al), or b2) in the device using one key of the keys associated with a data set when following step a2), c) comparing the exchange information with the exchange information decrypted in accordance with step b), and d) presenting
• a remote device according to the invention can be characterized in the way defined below, that is:
• a remote device provided for communication with a device, which device is arranged for presenting one of a multitude of data sets being registered with the device to said remote device, comprising means for generating exchange information, means for transmitting the exchange information to the device, means for receiving encrypted data from said device, means for decrypting said encrypted information with a key stored in the remote device, means for comparing the exchange information with the decrypted exchange information, and means for sending the result of the comparing means to the device.
• a remote device provided for communication with a device, which device is arranged for presenting one of a multitude of data sets being registered with the device to said remote device, comprising means for encrypting exchange information with a key stored in the remote device, means for transmitting encrypted exchange information to the device, means for receiving decrypted exchange information from said device, means for comparing the exchange information with the decrypted exchange information, and means for sending the result of the comparing means to the device.
• the characteristic features according to the invention provide the advantage that it is no longer necessary for a user to have to choose the application on the device manually since due to the proposed communication between the device and the remote device the device automatically determines which application or which data corresponding to a certain application have to be presented to the remote device.
• step b2 presenting a data set to the remote device if the result of the comparison is true or, if said comparison is false, restarting with the generating or decrypting step using a key associated with a further data set in step b2).
• This embodiment of the invention provides the further advantage that the communication between the device and the remote device (sending the exchange information by the device and sending encrypted information by the remote device) has to take place only once, as the subsequent decryption with different keys takes place only in the device.
• the different data sets according to specific applications are "registered” with the device.
• the term “registered” means that the data sets have not necessarily to be stored directly in the device but can also be stored for example in a (further) remote device such as a remote server from where the necessary data set is retrieved after being chosen. Furthermore, it is also imaginable that the keys associated with the data sets are not stored in the device but downloaded when they are required.
• the multitude of data sets and/or the associated keys are stored in the device.
• the advantage is achieved that the proposed interaction between the device and a remote device can immediately start when both devices are brought into contact. It is not necessary then to establish a possibly slow and unstable connection to a remote server. Furthermore, it should be noted that under certain circumstances (subway, aircraft, etc.) it may happen that a connection to a remote server cannot be established since a network is not available. Therefore, it is especially of advantage when both the data sets and the corresponding keys are stored in the device.
• the measures of a specific solution namely that the data sets are stored in encrypted form in a first memory in the device, the chosen encrypted data set according to step d) being decrypted with the associated key, the decrypted data set being stored in a more tamper-resistant second memory in the device, provide the advantage that on the one hand it is possible to use a large cheap first memory for permanently storing encrypted data and to use a small expensive second memory for temporarily storing decrypted data when it is to be used.
• This second memory can be shared by several applications which decreases technical effort and costs.
• encrypted data which represents a smart card application is now decrypted and advantageously loaded into the second memory.
• asymmetric ciphering can be used, meaning that private and public keys have to be used.
• the exchange information can be encrypted with a private key and decrypted with the public key and vice versa.
• Symmetric ciphering is applicable as well.
• the measures that the key being stored in the remote device is identical to one of the keys being stored in the device provides the advantage that the well known communication between a reader and a tag may be used for the purposes of the invention meaning that only fewer changes have to be implemented than in the case of asymmetric ciphering, and that usually state-of-the art readers may be used for the purpose of the invention.
• NFC non-contactless identification
• RFID ultrasonic identification
• interconnection technologies namely the RFID technology, and interconnection technologies.
• NFC operates in the 13.56 MHz frequency range, over a distance of typically a few centimeters, but engineers also work on a system which operates with greater distances of up to Im.
• NFC technology is standardized in ISO 18092, ECMA 340 and ETSI TS 102 190.
• NFC is also compatible to the broadly established contactless smart card infrastructure based on ISO 14443.
• NFC interfaces usually already comprises a tamper-resistant memory and an encrypt/decrypt module as well. Hence it is favorable to use these modules for the invention.
• the first memory is additionally arranged for storing functions for operating said device.
• Devices usually comprise an unsecured main memory for storing the operating system of the device.
• encrypted data as well as functions for the operating system are stored in the first memory. Therefore, the first memory is used in a synergetic way.
• said second memory is arranged for storing said key.
• said key for decrypting encrypted data is stored in the device itself.
• said key should be stored in the tamper-resistant second memory to avoid abusive use of encrypted data.
• Figure 1 shows service initialization as well as usage of encrypted data.
• Figure 2 shows an alternative embodiment for setting up a service.
• Figure 3 shows a first embodiment of a method of choosing one of a multitude of encrypted data sets according to the invention.
• Figure 4 shows a second embodiment of a method of choosing one of a multitude of encrypted data sets according to the invention.
• Figure 5 shows the standard authentication procedure between an RFID tag and a reader.
• Figure 6 shows again the second embodiment of a method as shown in Figure 4 based on a standard authentication for an RFID tag according to Figure 5.
• FIGS 7 -10 show an overview of the different variants of a method according to the invention.
• FIGS. 1 and 2 show a device and a method wherein encrypted data DATenc stored in a device DEV can be used in decrypted format without providing access to said decrypted data DAT to the owner of the device DEV.
• a device DEV may be used with advantage for the invention described.
• Figure 1 shows an arrangement comprising a device DEV as well as two remote devices formed by a server SER and a reader RD.
• Said device DEV which is a mobile phone or a PDA for this example comprises a first memory MEMl and a more tamper-resistant second memory MEM2 as well as an encrypt/decrypt module ENC/DEC.
• Said first memory MEMl in this example is assumed to be the memory for the operating system and other data necessary for the use of the device DEV. Since there are usually no or only minor procedures to secure the main memory of a device DEV against abusive use it is normally quite easy to change data stored in such a memory. Hence sensitive data, for example the IMSI (International Mobile Subscriber
• SIM Subscriber Identification Module
• a further example is smart cards which more and more are part of mobile phones or emulated by mobile phones respectively.
• NFC Near Field Communication
• This interface accomplishes the short range communication with a reader RD and normally comprises also a tamper-resistant memory as well as means for encrypting and decrypting.
• second memory MEM2 and the encrypt/decrypt module ENC/DEC are part of an NFC (Near Field Communication) interface INT.
• the reader RD which is also capable of communicating according to the NFC standard transmits encrypted data DATenc to the device DEV (solid line).
• the encrypted data DATenc represents an application for ticketing in public transport which is to be installed in the device DEV before it can be used.
• the encrypted data DATenc said encrypted data DATenc is therefore stored in first memory MEMl .
• the encrypted data DATenc can be provided by a server SER as well. This is indicated by a dashed line from the server SER to the device DEV in the figure. In this case it is assumed that the server SER is part of the internet and holds the aforesaid application.
• the encrypted data DATenc can be downloaded via a comparably fast (and unsecured) internet connection. Said request can be sent to the server SER by the device DEV directly or by the reader RD.
• the device DEV is ready to be used now.
• the key K is sent from the reader RD to the device DEV in a second step (solid line).
• the encrypted data DATenc is read from the first memory MEMl and is decrypted by means of the encrypt/decrypt module ENC/DEC and the key K received from the reader RD.
• the result of this decryption namely the data DAT is stored in the second memory MEM2.
• the data DAT can include variables and code as well.
• the key K is stored in the device DEV during initialization of a service, that means, when the encrypted data DATAenc is received from the reader RD or the server SER.
• the encrypted data DATAenc can be transmitted via an unsecured communication channel as shown above.
• the only restriction is that the key K is kept secret.
• the small key K is transmitted via a slow but secure near field communication (dash-and-dot line) and stored in the second memory MEM2.
• the device DEV is ready to be used now again wherein the procedure can be started manually for example instead of remotely by the reader RD.
• the key K is not received from the reader RD but transmitted from the second memory MEM2 to the encrypt/decrypt module ENC/DEC.
• the encrypted data DATenc is decrypted and the result of this decryption, the data DAT, is stored in the second memory MEM2.
• the communication between the device DEV and the reader RD can take place as indicated before.
• the communication channel between the device DEV and the reader RD is assumed to be secure.
• the second memory MEM2 is tamper resistant as stated before. Hence it is not possible to misuse the key K for abusively changing of the encrypted data DATAenc and to buy tickets without paying for instance.
• the advantage of this method is, that applications which generally use large memory spaces can be stored in a cheap standard memory and are temporarily loaded into an expensive tamper-resistant second memory MEM2 which in this way can be shared between several services as explained later in more detail.
• FIG 2 shows an alternative embodiment of the inventive device DEV.
• the device DEV is again shown in combination with two remote devices formed by a server SER and a reader RD.
• the device DEV comprises a random number generator RAND which is part of the NFC interface INT.
• the function of the arrangement of Figure 2 is as follows: First of all the unencrypted data DAT is transmitted from the reader RD to the device DEV via a short range communication and stored there in the second memory MEM2 (solid line). In a second step a random key K is generated by the random number generator RAND and is stored in the second memory MEM2 as well as sent to the encrypt/decrypt module ENC/DEC. In a third step the data DAT is encrypted with said key K by means of the encrypt/decrypt module ENC/DEC. Finally, as a result of this step, namely the encrypted data DATenc is stored in the first memory MEMl in a fourth step.
• the data DAT can also be transmitted by the server SER (dashed line).
• a secure communication channel should exist between the server SER and the device DEV since the data DAT is not encrypted. It is also imaginable that the data DAT is transmitted via a tamper-resistant communication channel (for example by means of a company internal network) from the server SER to the reader RD (dash-and-dot line) and is then transmitted to the device DEV via a short-range radio communication link.
• FIGS 3 - 10 describe different embodiments of a method of presenting to a reader RD one of a multitude of applications being registered, especially being stored in a device DEV.
• the Figures 1 and 2 show such a device DEV which can be used for a method to present one of a multitude of applications to a reader RD.
• Figures 1 and 2 explain how encrypted data DATenc can be stored in such a device DEV in decrypted format without providing access to said decrypted data DAT to the owner (or other persons) of the device DEV.
• the use of such an inventive device DEV for a method according to this invention as claimed and as described in the following ( Figures 3 - 6) is of advantage.
• Figure 3 shows a first realization of a method according to the invention how a certain application can be presented to a remote device, here in the form of a reader RD.
• the encrypted data DATenc is divided into several encrypted data sets DSlenc.DSnenc which represent different smart card applications, one for public transport, one for cinema ticketing, one for a company identification card, etc.
• These encrypted data sets DSlenc.DSnenc have been stored before during initialization routines shown in Figure 1 or 2. It is also possible that the applications have been stored in a different way, for example directly by the provider of the device DEV (e.g. mobile phone).
• Each encrypted data set DSlenc.DSnenc has an associated key Kl..Kn which is stored in the second memory MEM2.
• the device DEV additionally comprises a comparator COMP and the reader RD additionally comprises an encrypt/decrypt module ENC/DEC.
• this random number R is encrypted by the device DEV with one key Kx out of the multitude of keys Kl ...Kn. Said key Kx is also for decrypting an associated encrypted data set DSx. Subsequently, the encrypted random number Rene is transmitted to the reader RD in a third step. In a fourth step the encrypted random number Rene is decrypted with a reader key Krd by means of the encrypt/decrypt module ENC/DEC of the reader RD. The result of this operation, the reader random number Rrd is then sent back to the device DEV and is compared with the original random number R by means of the comparator COMP in a fifth step.
• the correct key Kx is found (for correct operation symmetrical encryption is assumed). Then, in a sixth step the encrypted data set Dsxenc, which is associated with said key Kx, is decrypted by means of the encrypt/decrypt module ENC/DEC with key Kx. In a seventh step the result of the decryption, namely the data DSx, is stored in the second memory MEM2 (dashed line). Now the device DEV is ready to be used for public transport for example.
• the result of said comparison is false, i.e. if the random number R and the reader random number Rrd are not identical, the key Kx used on the device DEV and the key Krd used on the reader RD are not identical, which means that the correct data set/the correct application has not yet been found.
• a new cycle starts, with a new random number being generated or the same random number R as already generated in the first cycle is used, the random number R being encrypted with a new key on the device DEV.
• the encrypted random number is sent to the remote reader RD etc. Said cycle is recursively performed until the result of the aforesaid comparison is true.
• FIG 4 shows a further realization of a method according to the invention how a certain application can be presented to a reader RD.
• encrypted data DATenc is divided into several encrypted data sets DSlenc.DSnenc which represent different smart card applications, one for public transport, one for cinema ticketing, one for a company identification card, etc.
• These encrypted data sets DSlenc.DSnenc have been stored before during initialization routines shown in Figure 1 or 2. It is also possible that applications have been stored in a different way, for example directly by the provider of device DEV (e.g. mobile phone), as already mentioned above.
• DEV e.g. mobile phone
• each encrypted data set DSlenc.DSnenc has an associated key Kl..Kn which are stored in the second memory MEM2.
• the device DEV additionally comprises a comparator COMP and the reader RD additionally comprises an encrypt/decrypt module ENC/DEC.
• exchange information is generated by the device DEV. Again it is of advantage when the exchange information is a random number R which is generated by the random number generator RAND. In a second step this random number R is transmitted by the device DEV to the reader RD. In a third step this random number R is encrypted by the reader RD with the key Krd stored in the reader RD. The encrypted random number Rene' is transmitted back to the device DEV by the reader RD in a fourth step.
• This encrypted random number Rene' is decrypted with one key Kx of the keys Kl ...Kn stored in the device DEV in a fifth step by means of the encrypt/decrypt module ENC/DEC of the device DEV and the resulting random number R' is compared in the comparator COMP with ' the original random number R in a sixth step.
• the key Kx for decryption in the device DEV and the key Krd for encryption in the reader RD are identical. This means that the correct application or data set DSxenc to be presented to the reader RD is found.
• the encrypted data set DSxenc which is associated with said key Kx is decrypted by means of the encrypt/decrypt module ENC/DEC with the key Kx in the device DEV.
• the result of the decryption namely the data DSx is stored in the second memory MEM2 (dashed line). Now the device DEV is ready to be used for public transport for example.
• the key Kx used in the device DEV and the key Krd used on the reader RD are not identical, which means that the correct data set/the correct application has not yet been found.
• another key stored in the device DEV is used to decrypt the encrypted random number Rene' and the resulting random number is compared with the original random number R. This procedure is repeated until the random numbers R and R' are identical and the correct application is found.
• the method as described in connection with Figure 4 offers the advantage that the encryption of the random number R to an encrypted random number Rene' and the communication between the device DEV and the reader RD (sending the random number R and the encrypted number Rene') have to take place only once, as the subsequent decryption with different keys takes place only in the device DEV.
• the method as described in Figure 3 makes it necessary - if the correct application cannot be found in the first cycle - that again a communication between the device DEV and the reader RD in both directions has to take place.
• Figure 5 shows the well-known communication between a transponder, for example an RFID tag TRA, which has stored the data for one application and the corresponding key K, and a reader RD.
• RFID tags require authentication before any communication can occur.
• Figure 5 shows this interaction.
• the mutual authentication procedure begins with the reader RD sending a GET_CHALLENGE command to the tag TRA.
• a random number R is then generated in the tag TRA and sent back to the reader RD.
• the reader RD uses its secret key Krd which is stored in the reader RD and a common algorithm to calculate an encrypted data block TKl, which contains the encrypted random number Rene' and additional control data and sends it back to the tag TRA.
• This process of authentication between a reader RD an a tag TRA is also used in a method according to the invention as described in Figure 4.
• the tag TRA of Figure 5 is replaced by a device DEV such as, for example, a mobile phone or a PDA as described in Figure 4.
• Different tags e.g. Underground Ticket, Cinema Ticket, etc.
• This registration contains the encrypted data sets DSlenc... DSnec as well as the keys Kl ...Kn used for authentication.
• the encrypted data sets DSlenc... DSnec are stored in a database CDB in secure memory MEMl as described above in Figure 4.
• the keys Kl.. Kn are stored in a key database KDB in the device DEV in a secure, more tamper-resistant memory MEM2.
• the device DEV retrieves a key Kx from the key database KDB and uses this to decrypt the encrypted data block TKl.
• the device DEV tries one key after the other until the correct key is found, and the device DEV presents the correct data set DSxenc (DSx) to the reader RD as described in more detail in Figure 4.
• the downloaded data set DSxenc is stored in the device DEV and can then be presented by the device DEV to a remote device RD.
• the device DEV is a (mobile) phone it is then possible that the device DEV retrieves a data set associated with a specific application from the remote database CDB of the registered applications (tags). The data set is then loaded into the operation memory of the NFC Hardware. Now the interaction can continue in the standard mode of operation, since the device DEV is emulating just one tag TRA.
• each encrypted data set DSx is associated with two keys. One for decryption and one which is identical with a reader key Krd.
• the encrypt/decrypt module ENC/DEC, the random number generator RAND as well as the comparator COMP are not necessarily part of the NFC interface INT. However, the arrangement shown is preferred since the NFC interface INT as a whole is assumed to be tamper resistant or at least more tamper resistant than the remaining part of the device DEV.
• the invention is not limited to smart card applications. Rather any device where encrypted data has to be decrypted is suitable, in particular adapted PCs having a secure second memory. It is not necessary either for the device DEV to communicate with a reader RD. It is imaginable that communication takes place between two similar devices DEV (e.g. two NFC compatible mobile phones). One application could be the exchange of (digital) money between two phones each with an encrypted account.
• Figure 7 depicts schematically the method as already shown in Figure 3:
• the device DEV creates a random number R, encrypts this random number R with one key Kx of the keys Kl.. Kn stored in the device DEV and sends the encrypted random number Rene to the reader RD.
• the reader RD decrypts the number Rene with the reader key Krd stored in the reader RD (the reader key Krd is identical to one of the keys Kl.. Kn stored in the device DEV). This decrypted reader number Rrd is sent back to the device DEV, where the original random number R and the reader number Rrd are compared to identify the correct application.
• Figure 8 shows schematically the method of Figures 4 and 6, where the random number R generated by the device DEV is sent to the reader RD.
• the reader RD encrypts the random number R with the reader key Krd to an encrypted reader number Rene' and sends this number Rene' back to the device DEV.
• the device DEV decrypts this encrypted number Rene' with one key Kx of the keys Kl..Kn stored in the device DEV and compares the resulting number R' with the original random number R. This process of decrypting the encrypted number Rene' with keys Kl..Kn stored in the device DEV is repeated until the correct application is found.
• the exchange information i.e. usually a random number R, is generated by the reader RD.
• the random number R is sent to the device DEV, where it is encrypted with one key Kx of the keys Kl.. Kn to an encrypted number Rene. This number Rene is sent back to the reader RD where it is decrypted by means of a reader key Krd.
• the resulting number R' is compared with the original random number R. If the original random number R and the decrypted number R' are identical, the correct key/the correct application is found. If the comparison is not true, the device DEV encrypts the random number R with another key and sends it to the reader RD etc. In this case the reader RD can send the random number R to the device DEV so that the device DEV can detect that a further encryption is necessary, or certain specific information is sent to the device DEV.
• FIG. 10 A further embodiment is shown in Figure 10.
• the reader RD generates a random number R, encrypts the random number R with the reader key Krd and sends the encrypted number Rene' to the device DEV.
• the device DEV decrypts the encrypted number Rene' by means of one key Kx of the keys Kl.. Kn.
• the resulting number R' is compared with the original random number R, preferably as depicted in the reader RD.
• the reader RD further sends the original random number R to the device DEV, so that the comparison may take place in the device DEV.

Landscapes

• Engineering & Computer Science (AREA)
• Computer Security & Cryptography (AREA)
• Computer Networks & Wireless Communication (AREA)
• Signal Processing (AREA)
• Storage Device Security (AREA)
• Mobile Radio Communication Systems (AREA)
• Telephone Function (AREA)

Priority Applications (1)

Applications Claiming Priority (4)

Publications (1)

Family

ID=34971136

Family Applications (1)

Country Status (4)

Families Citing this family (9)

Family Cites Families (4)

• 2005
  • 2005-06-23 WO PCT/IB2005/052066 patent/WO2006003562A1/en not_active Application Discontinuation
  • 2005-06-23 EP EP05752103A patent/EP1763936A1/de not_active Withdrawn
  • 2005-06-23 JP JP2007518758A patent/JP2008504788A/ja active Pending
  • 2005-06-23 KR KR1020067027399A patent/KR20070030231A/ko not_active Application Discontinuation

Non-Patent Citations (1)

Also Published As

Similar Documents

Legal Events