Information technology systems are subject to various threats. For example, information in transit can be monitored and altered by an unauthorized third party. A further threat to communication between two communication partners is that a third party assumes the identity of one of the partners (impersonation).
These and other threats are countered by various security mechanisms intended to protect the information technology system. One such mechanism is the encryption of the transmitted data. Before the data on a communication link between two partners can be encrypted, preparatory steps must be taken ahead of the transmission of the actual data: the two partners must, for example, use the same encryption algorithm, and a common secret code (that is, a key) may have to be agreed.
Encryption is gaining particular importance in mobile radio systems, since in these systems the transmitted data can be monitored by any third party without special additional outlay.
This leads to the requirement to select known security mechanisms, to combine them in a suitable manner and to specify communication protocols such that the security of the information technology system is ensured.
Various asymmetric methods are known for the computer-aided interchange of cryptographic codes. Asymmetric methods suitable for mobile radio systems are described in (A. Aziz, W. Diffie, "Privacy and Authentication for Wireless Local Area Networks", IEEE Personal Communications, 1994, pages 25 to 31) and (M. Beller, "Proposed Authentication and Key Agreement Protocol for PCS", Joint Experts Meeting on Privacy and Authentication for Personal Communications, P&A JEM 1993, 1993, pages 1 to 11).
The method described in (A. Aziz, W. Diffie, "Privacy and Authentication for Wireless Local Area Networks", IEEE Personal Communications, 1994, pages 25 to 31) relates expressly to local area networks and places more stringent computing-performance requirements on the computer units of the communication partners during the code interchange. In addition, it requires more transmission capacity than the method according to the invention, since its messages are longer.
The method described in (M. Beller, "Proposed Authentication and Key Agreement Protocol for PCS", Joint Experts Meeting on Privacy and Authentication for Personal Communications, P&A JEM 1993, 1993, pages 1 to 11) does not achieve a number of basic security aims. Explicit authentication of the network by the user is not achieved. Furthermore, a code transmitted by the user to the network is not confirmed to the user by the network, and no assurance is provided regarding the freshness (current validity) of the code for the network. A further disadvantage is the restriction to the Rabin method for the implicit authentication of the code by the user, which limits the flexibility of the method.
Furthermore, no security mechanism ensures that transmitted data cannot be disputed (non-repudiation). This is a considerable disadvantage, particularly when incontestable charge invoices are to be produced for a mobile radio system. The restriction of the method to the Digital Signature Standard of the National Institute of Standards and Technology (NIST DSS) as the signature function also limits its general applicability.
A method for secure data interchange between a large number of subscribers, involving a certificate, has been disclosed (U.S. Pat. No. 5,214,700). The protocol used in this method employs a random number, an identity statement, a public code and a session code. However, this method does not implement basic security aims.
Furthermore, a method has been disclosed for PC-to-PC communication with the involvement of a trust center (DE brochure: Telesec. Telekom, Produktentwicklung Telesec beim Fernmeldeamt Siegen [Telesec product development at the Siegen Telecommunications Authority], pages 12-13 and FIG. 16).
U.S. Pat. No. 5,222,140 discloses a method in which a session code is produced from a public code, a secret code and a random number. This session code is linked to a public code.
Furthermore, U.S. Pat. No. 5,153,919 describes a method in which a user unit identifies itself to a network unit, after which an authentication process using a hash function takes place between the user unit and the network unit.
Other secure communication protocols are known, but do not implement essential basic security aims (M. Beller et al., "Privacy and Authentication on a Portable Communication System", IEEE Journal on Selected Areas in Communications, Vol. 11, No. 6, pages 821-829, 1993).
The problem to which the invention relates is to specify a simplified method for computer-aided interchange of cryptographic codes.
A first value is formed in the first computer unit from a first random number with the aid of a generating element of a finite group, and a first message is transmitted from the first computer unit to the second computer unit, the first message having at least the first value. A session code is formed in the second computer unit with the aid of a first hash function, a first input variable of the first hash function having at least one first term which is formed by exponentiation of the first value with a secret network code. The session code is formed in the first computer unit with the aid of the first hash function, a second input variable of the first hash function having at least one second term which is formed by exponentiation of a public network code using the first random number. Furthermore, a fourth input variable is formed in the first computer unit with the aid of a second hash function or of the first hash function, a third input variable for the first hash function or for the second hash function having at least the session code in order to form the fourth input variable. Then, a signature term is formed in the first computer unit from at least the fourth input variable, using a first signature function. A third message is transmitted from the first computer unit to the second computer unit, the third message having at least the signature term of the first computer unit. The signature term is verified in the second computer unit.
The advantages achieved by the method according to the invention are primarily a considerable reduction in the length of the transmitted messages and the implementation of further security aims.
The method according to the invention achieves the following security aims:
mutual explicit authentication by the user and the network, that is to say mutual verification of the asserted identity,
code agreement between the user and the network with mutual implicit authentication, that is to say that after completion of the procedure a common, secret session code is available, and each party knows that only the authentic opposite number can also be in possession of it,
assurance of the freshness (current validity) of the session code for the user,
mutual confirmation of the session code by the user and the network, that is to say the confirmation that the opposite number is actually in possession of the agreed secret session code.
The following advantageous developments of the method also relate to these security aims.
The first message also has an identity statement of a certifying computer unit, which supplies a network certificate which can be verified by the first computer unit. A second message is transmitted from the second computer unit to the first computer unit, the second message having at least the network certificate. The network certificate is verified in the first computer unit.
In this development of the method, a trustworthy public user code of the first computer unit, for example in the form of a user certificate, is additionally made available in the first computer unit, and a trustworthy public network code of the second computer unit, for example in the form of a network certificate, is made available in the second computer unit. In this development, the public network code need not be available in the first computer unit.
A third message is transmitted from the first computer unit to the second computer unit, the third message also having a user certificate. The user certificate is verified in the second computer unit.
As a result of this development of the method, it is not necessary for the public user code to be available in the second computer unit.
The first message also has an identity variable of the first computer unit and an identity statement of a certifying computer unit, which supplies to the first computer unit a network certificate which can be verified by the first computer unit. A fourth message is transmitted from the second computer unit to the certifying computer unit, the fourth message having at least a first signed term: a third hash function is applied to an input variable which has at least the public network code, the first value and the identity variable of the first computer unit, and its output variable is signed using a second signature function. The first signed term is verified in the certifying computer unit. A third term is formed in the certifying computer unit, which third term has at least the first value, the public network code and an identity statement of the second computer unit. A hash value of the third term is formed in the certifying computer unit using a fourth hash function. The hash value of the third term is signed in the certifying computer unit using a third signature function with a secret certifying code. A network certificate is formed in the certifying computer unit, which network certificate has at least the third term and the signed hash value of the third term. The fourth hash function is applied in the certifying computer unit to a fifth term, which has at least the identity statement of the second computer unit and a user certificate. The hash value of the fifth term is signed using the third signature function with the secret certifying code, and the result represents the second signed term. A fifth message, which has at least the network certificate, the fifth term and the second signed term, is transmitted from the certifying computer unit to the second computer unit. The network certificate and the second signed term are verified in the second computer unit.
A fourth term, which has at least the public network code and the signed hash value of the third term, is formed in the second computer unit. A second message is transmitted from the second computer unit to the first computer unit, the second message having at least the fourth term. The network certificate is verified in the first computer unit.
In this development of the method, there is no need for a trustworthy public network code of the second computer unit to be present in the first computer unit. A trustworthy public certifying code of the certifying computer unit is available in the first computer unit. This means that the first computer unit has to be "supplied" with the trustworthy public network code in the form of a network certificate from a certifying computer unit. In the same way, the second computer unit needs the trustworthy public user code in the form of a user certificate from the certifying computer unit.
An intermediate code is formed in the first computer unit before the formation of the first message, in that a public certifying code is raised to the power of the first random number. A second encrypted term is formed in the first computer unit before the formation of the first message from the identity variable of the first computer unit, in that the identity variable is encrypted with the intermediate code using an encryption function. The first message has the second encrypted term instead of the identity variable of the first computer unit. The fourth message has the second encrypted term instead of the identity variable of the first computer unit. The second encrypted term is decrypted in the certifying computer unit once the fourth message has been received.
Furthermore, at least one of the variables identity statement of the second computer unit, identity variable of the first computer unit, public network code or user certificate is checked against a revocation list in the certifying computer unit.
Further developments of the method achieve the security aim of user anonymity, that is to say the confidentiality of the identity of the user with respect to third parties.
The first message also has at least one old temporary identity variable of the first computer unit. A new temporary identity variable is formed for the first computer unit, in the second computer unit, once the first message has been received and before the second message is formed. A fourth encrypted term is formed from the new temporary identity variable of the first computer unit, in which the new temporary identity variable of the first computer unit is encrypted with the session code, using the encryption function. The second message additionally has at least the fourth encrypted term. The fourth encrypted term is decrypted in the first computer unit, once the second message has been received and before the fourth input variable is formed. The third input variable for the first hash function or for the second hash function, in order to form the fourth input variable, also has at least the new temporary identity variable of the first computer unit. The third message does not have the identity variable of the first computer unit.
This development of the method makes it possible to use temporary user identities.
A response, which contains information relating to the session code, is formed in the second computer unit. A second message is transmitted from the second computer unit to the first computer unit, the second message having at least the response. The session code is checked in the first computer unit, using the response.
This development of the method primarily ensures additional authentication of the second computer unit with respect to the first computer unit.
In the second computer unit, the first input variable of the first hash function also has at least one second random number. The second message also has the second random number. In the first computer unit, the second input variable of the first hash function also has at least the second random number.
This development achieves the security aim of assurance of freshness (current validity) of the session code for the network.
A third encrypted term is formed in the first computer unit before the formation of the third message, in that an optional second data field is encrypted with the session code, using the encryption function. The third message also has at least the third encrypted term. The third encrypted term is decrypted in the second computer unit, once the third message has been received.
This development of the method additionally achieves the security aim that the data transmitted from the user to the network cannot be disputed (non-repudiation).
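The basic three-message exchange described above, combined with the developments of a network response for code confirmation, a second random number for freshness towards the network, and an encrypted optional data field in the third message, as an added worked example in Python. This is illustration written for this page, not code from the patent. Because the text fixes no concrete algorithms, every primitive here is an assumption: a freshly generated safe-prime group as the finite group, SHA-256 for the hash functions, HMAC for the response, a Schnorr signature as the signature function, and a toy hash-keystream XOR as the encryption function; the message field names, the function names and the constructed inputs (`b"user-1"`, `b"invoice 42"`) are likewise assumptions.

```python
import hashlib
import hmac
import secrets

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test; used only to pick demo group parameters."""
    if n < 4:
        return n in (2, 3)
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits: int = 96):
    """Finite group for the exchange (assumed): safe prime p = 2q + 1, generator g of order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            break
    g = pow(2 + secrets.randbelow(p - 3), 2, p)  # a non-trivial square has order q
    return p, q, g

def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts; stands in for every hash function of the text."""
    return hashlib.sha256(b"".join(len(x).to_bytes(4, "big") + x for x in parts)).digest()

def ib(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")

def keygen(p, q, g):
    x = 1 + secrets.randbelow(q - 1)
    return x, pow(g, x, p)  # (secret code, public code = g^x)

def sign(p, q, g, x, msg: bytes):
    """Schnorr signature; an arbitrary choice, since the text fixes no signature function."""
    k = 1 + secrets.randbelow(q - 1)
    R = pow(g, k, p)
    e = int.from_bytes(H(ib(R), msg), "big") % q
    return R, (k + e * x) % q

def verify(p, q, g, y, msg: bytes, sig) -> bool:
    R, s = sig
    e = int.from_bytes(H(ib(R), msg), "big") % q
    return pow(g, s, p) == (R * pow(y, e, p)) % p

def enc(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy keystream XOR standing in for the 'encryption function'; enc is its own inverse."""
    stream = b"".join(H(key, label, ib(i)) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def run_protocol(group, user_keys, net_keys, user_id: bytes, payload: bytes):
    """Runs the three-message exchange; returns (session codes agree?, decrypted payload)."""
    p, q, g = group
    x_u, y_u = user_keys  # user's signing key pair; y_u is the trusted public user code
    s_n, y_n = net_keys   # secret network code s_n and public network code y_n = g^s_n
    # first computer unit (user): first value = g^(first random number)
    r = 1 + secrets.randbelow(q - 1)
    first_value = pow(g, r, p)
    msg1 = {"first_value": first_value}
    # second computer unit (network): first term = first value ^ s_n, hashed with a
    # second random number into the session code; the response confirms that code
    nonce = secrets.token_bytes(16)
    k_net = H(b"session", ib(pow(msg1["first_value"], s_n, p)), nonce)
    response = hmac.new(k_net, b"resp" + ib(msg1["first_value"]), "sha256").digest()
    msg2 = {"nonce": nonce, "response": response}
    # user: second term = y_n ^ r yields the same session code; check the response first
    k_user = H(b"session", ib(pow(y_n, r, p)), msg2["nonce"])
    expected = hmac.new(k_user, b"resp" + ib(first_value), "sha256").digest()
    if not hmac.compare_digest(expected, msg2["response"]):
        raise ValueError("network failed key confirmation")
    enc_data = enc(k_user, b"data", payload)  # third encrypted term (optional data field)
    # fourth input variable: hash over the session code and everything bound to it
    fourth_input = H(b"confirm", k_user, user_id, ib(first_value), msg2["nonce"], enc_data)
    msg3 = {"user_id": user_id, "enc_data": enc_data,
            "signature": sign(p, q, g, x_u, fourth_input)}
    # network: recompute the signed hash from its own session code, then verify
    check = H(b"confirm", k_net, msg3["user_id"], ib(msg1["first_value"]), nonce, msg3["enc_data"])
    if not verify(p, q, g, y_u, check, msg3["signature"]):
        raise ValueError("user signature invalid")
    return k_user == k_net, enc(k_net, b"data", msg3["enc_data"])

if __name__ == "__main__":
    grp = make_group()
    print(run_protocol(grp, keygen(*grp), keygen(*grp), b"user-1", b"invoice 42"))
```

Two points the code makes concrete: the user only proceeds to the third message after the HMAC response has shown that the other side knows the session code, which is what authenticates the network and confirms the code to the user; and because the signed hash covers the session code, the first value, the second random number and the ciphertext, the signature ties the transmitted data to this run of the exchange, which is the basis for the non-repudiation aim. A deployment would replace the hash-keystream cipher with an authenticated cipher and the ad-hoc group with standardized parameters.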
The method according to the invention can also very easily be adapted to different requirements since it is not limited to specific algorithms for signature formation and encryption.