1. Field
The embodiments discussed herein relate to a method for encrypted data exchange between users of a communication system, and a communication system.
2. Description of the Related Art
The embodiments relate to the field of communications technology and in particular the area of contactless communication for identification purposes. Although applicable in principle to any communication systems, the embodiments and the problems which they address will now be explained with reference to so-called RFID communication systems and their applications, RFID standing for “Radio Frequency Identification”. For the general background to this RFID technology, reference is made to the “RFID Handbook” [in German] by Klaus Finkenzeller, Hansa-Verlag, third revised edition, 2002.
In currently known RFID systems, typically an electromagnetic signal sent out from a base station (or reading station or reader) is picked up by a passive transponder (or tag) which obtains therefrom the energy required to power the transponder. In most UHF or microwave based RFID systems, in addition to this unidirectional energy transfer, bidirectional data communication typically also takes place on the basis of a so-called challenge/response procedure wherein the base station continuously sends out challenge (data request) signals which are only answered if an appropriate transponder is in the coverage area of that base station. In this case the transponder in the immediate vicinity of the base station reacts with a response signal. Such RFID transponders are used, for example, to tag objects such as products, documents and the like.
In contrast to conventional wireline data communication, data is transferred between base station and a corresponding transponder virtually autonomously and to a certain extent in the background, without a user having to be present at all. That is to say, data communication is initiated as soon as an authenticated transponder is in the coverage area of the associated base station. Whereas, for example, for reading a data carrier such as a diskette, a USB memory stick or similar, the data carrier must be deliberately brought into contact with a corresponding reading device by the user and in the case of wireline data communication, the data communication must likewise be deliberately initiated by the user, this is not the case with RFID-based wireless data communication.
This has a number of significant advantages, e.g. for identification in the logistics field, in department stores, etc. However, this RFID-based data communications technology also has a number of disadvantages which must be taken into account in many applications.
One such problem relates to the reading of data contained in an RFID transponder by an unauthorized user (attacker), particularly if the data is security-critical data. For this reason an RFID-based data communication system typically also contains a security mechanism which, for example, protects data communication by having the base station modulate a security code onto the transmit signal, which can then be decoded and evaluated by the transponders permitted to communicate data. After successful evaluation, the transponder permitted to communicate data transmits a response signal likewise containing a security code back to the base station, which code can then be evaluated in the base station to authenticate the transponder. By this authentication it is ensured in the base station that no unauthorized user can eavesdrop on the data communication and therefore read security-critical data.
An essential consideration for transponder-based data communication is that it shall take place as simply and quickly as possible between base station and transponder. The reason for this is that, on the one hand, the transponder typically only has minimal resources, i.e. minimal energy resources but also minimal memory and computing resources, so that during authentication typically as little data as possible must be evaluated and authenticated. On the other hand, this authentication must also be carried out as quickly as possible, since particularly in the case of dynamic RFID-based data communication systems, the transponder to be authenticated is very often only present in the coverage area of the particular base station for a short period of time. Within this brief period, a data communication connection must be established and authorized, and the data exchange must then take place.
To secure data communication between base station and transponder, data is communicated in a cryptographically protected manner. The essential feature of the cryptographic encryption methods used for this purpose is that inversion, i.e. determining the private key from the public key, is virtually impossible in finite time using available computing capacities.
It has proved advantageous to use cryptographic encryption algorithms based on elliptic curves, as these provide a high degree of security for short key lengths. Such cryptographic encryption methods based on elliptic curves are very efficient, particularly due to the fact that with these methods, in contrast to known cryptographic methods, there is no known attack method with sub-exponential runtime. In other words, this means that the security gain per bit of the security parameters used in methods based on elliptic curves is higher and therefore much shorter key lengths can be used for practical applications. Cryptographic methods based on elliptic curves therefore provide better performance and require less bandwidth for transmitting the system parameters than other cryptographic methods with a comparable level of achievable security.
The cryptographic methods therefore represent a compromise between the security to be expected and the computational complexity involved in encrypting data. German patent application DE 101 61 138 A1 discloses that it is possible to determine the scalar multiple of a point solely on the basis of the X-coordinate of that point, even without using the Y-coordinate. Corresponding computing rules are likewise described in this document for any fields. This makes it possible to achieve much more efficient point arithmetic implementations for the scalar multiplications, e.g. a Montgomery ladder, with a smaller number of field multiplications for each point addition and a smaller number of registers for the point representation of the intermediate results.
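The X-coordinate-only scalar multiplication described above can be illustrated with the following added example, which is not taken from this document or from DE 101 61 138 A1. It assumes a Montgomery-form curve over a small prime field with constructed toy parameters and uses the widely published projective X/Z ladder formulas (the same shape as in RFC 7748), then checks every result against ordinary addition that uses both coordinates.

```python
# Constructed toy curve y^2 = x^3 + A*x^2 + x over F_P: far too small for real
# use, chosen only so every multiple can be checked by brute force.
P, A = 1009, 6
A24 = (A - 2) * pow(4, -1, P) % P

def x_only_ladder(k, x1):
    """x-coordinate of k*Pt computed from x1 = x(Pt) only; None = infinity."""
    x2, z2, x3, z3 = 1, 0, x1, 1              # R0 = infinity, R1 = Pt
    for bit in bin(k)[2:]:
        if bit == "1":                        # real code: constant-time swap
            x2, z2, x3, z3 = x3, z3, x2, z2
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P   # R0 + R1
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P            # 2 * R0
        if bit == "1":
            x2, z2, x3, z3 = x3, z3, x2, z2
    return x2 * pow(z2, -1, P) % P if z2 else None

def affine_add(p1, p2):
    """Reference addition using both coordinates (None = infinity)."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (xa, ya), (xb, yb) = p1, p2
    if xa == xb and (ya + yb) % P == 0:       # p2 == -p1, or 2-torsion double
        return None
    if p1 == p2:
        lam = (3 * xa * xa + 2 * A * xa + 1) * pow(2 * ya, -1, P) % P
    else:
        lam = (yb - ya) * pow((xb - xa) % P, -1, P) % P
    xc = (lam * lam - A - xa - xb) % P
    return xc, (lam * (xa - xc) - ya) % P

def affine_mul(k, pt):
    acc = None
    for bit in bin(k)[2:]:
        acc = affine_add(acc, acc)
        if bit == "1":
            acc = affine_add(acc, pt)
    return acc

def find_point():
    """First curve point with x >= 2 (x = 0 is excluded as ladder input)."""
    return next((x, y) for x in range(2, P) for y in range(1, P)
                if y * y % P == (x**3 + A * x * x + x) % P)

def ladder_matches_reference(limit=2 * P):
    base = find_point()
    return all(x_only_ladder(k, base[0]) == (affine_mul(k, base) or (None,))[0]
               for k in range(limit))
```

The ladder carries only four field elements and performs one differential addition and one doubling per scalar bit, which is the register and multiplication saving the paragraph refers to.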
Against this background, an aspect of the embodiments is to provide wireless data communication authentication which requires in particular less computational complexity while maintaining a high level of security, and which in particular is also fast.