The present invention relates to the protectedly reading out of an enciphered, stored cryptographic key.
At present, for various telecommunication services a secret key Ksec is stored, enciphered, on the hard disc of a user's computer. The secret key Ksec is then stored in the so-called key store. For opening the key store or, in other words, deciphering the secret key Ksec, another key Kkey is used. In practice, said other key Kkey is derived from a password entered by the user. The secret key Ksec is thus protected by way of the password, in other words, by something the user knows. The object of the present invention is to enhance the safety of the secret key Ksec.
European patent application 0 225 010 discloses a terminal for a system with which users may communicate with another party, e.g., a bank, in a protected manner. Said system ensures that the user can identify himself in a protected manner. For this purpose, the user enters his Personal Identification Number (PIN) at the terminal. In addition, the user lets the terminal read out his chip card. From the chip card, the terminal reads out a chip-card key. The PIN is encoded with said chip-card key, as well as with a terminal key. The PIN encoded in this manner is transmitted to the bank. Further protection is realised by calculating, over the total message to be transmitted, a Message Authentication Code or MAC. In that document, the MAC is used as a cryptographic check sum of the message, and is generated using the chip-card key and the terminal key. In this prior-art system, therefore, a message is transmitted using a terminal key stored on the terminal. In the prior-art system, the chip card is not used to additionally protect the access to the terminal key. Nor is any use made of the data-processing capacity of the chip card.
European patent application 0 246 823 relates to a system in which a user can communicate, by way of a terminal, with, e.g., a bank computer. In this system, each user has at his disposal a personal calculation unit, e.g., a hand-held generator for generating a dynamic password, better known as a "token". The method disclosed in that document comprises the following steps. Over a message to be transmitted by the terminal, a MAC is calculated using a first cryptographic key stored in the terminal. The result of the MAC is shown to the user on a display. The result is a number, which is manually entered by the user on his personal calculation unit. From the MAC entered, the personal calculation unit calculates a new value using a second key. The second key is stored in the memory of the personal calculation unit, and is accessible only after the entry of a PIN by the user on his personal calculation unit. The personal calculation unit then shows the number calculated by it to the user on a display. The user enters said new number on the terminal. Subsequently, the computer of the terminal calculates a new MAC on the message to be transmitted, using the new number entered by the user. Said final MAC is transmitted, together with the message, to the computer of the bank. The final MAC thus functions as a digital signature on the message transmitted. In this known system, the first key, which is stored on the terminal, is not additionally protected: it may be directly read out for calculating the former MAC.
The former object, i.e., enhancing the safety of the secret key, according to the invention is achieved by way of a method for protectedly reading out an enciphered, cryptographic key stored in a first memory of a first communication apparatus, comprising the following steps:
a. making available a first predetermined number by the first communication apparatus to a second communication apparatus;
b. receiving the first predetermined number by the second communication apparatus;
c. calculating a Message Authentication Code by the second communication apparatus on a second predetermined number, using the first predetermined number and with the aid of a predetermined key;
d. making available the Message Authentication Code by the second communication apparatus to the first communication apparatus;
e. receiving the Message Authentication Code by the first communication apparatus;
f. deciphering the cryptographic key by the first communication apparatus, using the Message Authentication Code as a deciphering key.
Due to the method according to the invention, the cryptographic key stored in enciphered form in the first memory of the first communication apparatus can be read out only by using a MAC calculated by the second communication apparatus. In this respect, the access to the cryptographic key is further protected, since use has to be made of the computation capacity of the second communication apparatus.
In a first embodiment of the method according to the invention, the second communication apparatus is a chip card provided with contact pads, the first communication apparatus is provided with a card reader, and making available and receiving the first predetermined number, as well as making available and receiving the Message Authentication Code, take place by way of a physical communication link between the card reader and the contact pads of the chip card. The advantage of said first embodiment is that it is easy to implement, since more and more people carry a chip card with them. In addition, in said first embodiment no mistakes can be made, since the communication between the chip card and the first communication apparatus takes place fully automatically.
In an alternative embodiment of the method according to the invention, the second communication apparatus is a calculation unit provided with an input device for receiving the first predetermined number by the second communication apparatus, and the second communication apparatus is additionally provided with a monitor for making available the Message Authentication Code.
In the second embodiment, therefore, the second communication apparatus is not a chip card but a "token", which is available in a small size and therefore easy to take along. As compared to a chip card, however, the drawback is that said token must be taken along separately, while most people already have a chip card with them.
In the method defined above, in step a. a first predetermined number is made available by the first communication apparatus. In an embodiment according to the invention, said first predetermined number is equal to a first personal password, which is entered by the user into the first communication apparatus. In such an embodiment, therefore, the access to the cryptographic key is further protected by the first personal password of the user.
In an embodiment according to the invention, the aforementioned step c. takes place only after the user has entered a second personal password at the second communication apparatus. Said further step may take place both in the variant in which the user has entered a first personal password into the first communication apparatus, and in the main variant according to the invention, in which no use is made of a first personal password.
The method according to the invention may be advantageously used when affixing digital signatures. That is why the invention also relates to the use of any of the methods defined above, the cryptographic key deciphered in this manner being used, after step f., for affixing a digital signature. Of course, the cryptographic key read out in this manner may also be used for other purposes.
For carrying out the method according to the invention, the invention provides for a communication apparatus provided with a memory having stored therein at least an enciphered, cryptographic key, a processor connected to the memory, and means for making available information, the processor being designed for carrying out the following steps:
a. making available a first predetermined number;
b. receiving a Message Authentication Code, which has been calculated by a second communication apparatus on a second predetermined number, using the first predetermined number, and with the aid of a predetermined key;
c. deciphering the cryptographic key, using the Message Authentication Code received as a deciphering key.
Such a communication apparatus may be, e.g., a personal computer of a user.
For the purpose of carrying out the method defined above, the communication apparatus defined above must be capable of communicating with a further communication apparatus which in addition is part of the present invention. That is why the present invention also relates to a communication apparatus provided with a memory, a processor connected to the memory, and means for receiving information, the processor being designed for carrying out the following steps:
a. receiving a first predetermined number;
b. calculating a Message Authentication Code on a second predetermined number, using the first predetermined number, and with the aid of a predetermined key;
c. making available the Message Authentication Code.
Said further communication apparatus is, e.g., a chip card, but may also be a token.
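The following is an added example, not part of the patent text, that simulates steps a. to f. of the method with both apparatuses defined above: the first apparatus (the user's computer) holds only the enciphered key and makes the first predetermined number available, the second apparatus (chip card or token) calculates the MAC after the optional second personal password, and the first apparatus uses the returned MAC as the deciphering key. The patent fixes no algorithms, so the following are assumptions of this example: HMAC-SHA256 as the MAC, a keystream derived from the MAC via HMAC-SHA256 in counter mode as the cipher for the key store, and an integrity tag over the enciphered key so that a wrong MAC is rejected rather than yielding a wrong Ksec. Every key, number and password below is a constructed sample value.

```python
import hashlib
import hmac

SHA = hashlib.sha256

# Constructed sample values (hypothetical; nothing here comes from the patent).
KSEC = bytes.fromhex("00112233445566778899aabbccddeeff0123456789abcdef0123456789abcdef")
PREDETERMINED_KEY = b"constructed-card-key-0001"   # secret held only by the card/token
SECOND_NUMBER = b"\x00\x00\x00\x2a"                 # second predetermined number on the card
FIRST_PASSWORD = "correct horse"                    # first personal password, entered on the PC
SECOND_PIN = "1234"                                 # second personal password, entered on the card


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stands in for a block cipher (assumption)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), SHA).digest()
        counter += 1
    return out[:length]


def _subkeys(mac: bytes):
    """Derive a separate enciphering key and tag key from the received MAC."""
    return (hmac.new(mac, b"enc", SHA).digest(), hmac.new(mac, b"tag", SHA).digest())


class SecondApparatus:
    """Chip card or token: holds the predetermined key and the second number."""

    def __init__(self, predetermined_key: bytes, second_number: bytes, pin: str):
        self._key = predetermined_key
        self._second_number = second_number
        self._pin = pin.encode()

    def calculate_mac(self, first_number: bytes, pin: str) -> bytes:
        # Optional gate from the embodiment: step c. runs only after the second
        # personal password has been entered on this apparatus.
        if not hmac.compare_digest(self._pin, pin.encode()):
            raise PermissionError("second personal password rejected")
        # Step c.: MAC on the second predetermined number, using the first
        # predetermined number, with the aid of the predetermined key.
        return hmac.new(self._key, first_number + self._second_number, SHA).digest()


class FirstApparatus:
    """The user's computer: stores only the enciphered Ksec and an integrity tag."""

    def __init__(self, enciphered_key: bytes, tag: bytes):
        self._enciphered_key = enciphered_key
        self._tag = tag

    @staticmethod
    def create_key_store(ksec: bytes, mac: bytes) -> "FirstApparatus":
        # Done once at enrolment: encipher Ksec under the MAC, then tag it.
        enc_key, tag_key = _subkeys(mac)
        enc = bytes(a ^ b for a, b in zip(ksec, _keystream(enc_key, len(ksec))))
        return FirstApparatus(enc, hmac.new(tag_key, enc, SHA).digest())

    def decipher_key(self, mac: bytes) -> bytes:
        # Step f.: the received MAC is the deciphering key. The tag is checked
        # first, so a wrong password or PIN yields an error, not a wrong key.
        enc_key, tag_key = _subkeys(mac)
        expected = hmac.new(tag_key, self._enciphered_key, SHA).digest()
        if not hmac.compare_digest(expected, self._tag):
            raise ValueError("Message Authentication Code does not open the key store")
        stream = _keystream(enc_key, len(self._enciphered_key))
        return bytes(a ^ b for a, b in zip(self._enciphered_key, stream))


def read_out(pc: FirstApparatus, card: SecondApparatus, first_password: str, second_pin: str) -> bytes:
    """Steps a. to f.: the PC makes the first number available (here equal to the
    first personal password), the card returns the MAC, the PC deciphers Ksec."""
    first_number = first_password.encode()              # steps a. and b.
    mac = card.calculate_mac(first_number, second_pin)  # steps c., d. and e.
    return pc.decipher_key(mac)                         # step f.


def build_demo():
    """Enrol the constructed Ksec: the card computes the MAC once, the PC enciphers under it."""
    card = SecondApparatus(PREDETERMINED_KEY, SECOND_NUMBER, SECOND_PIN)
    mac = card.calculate_mac(FIRST_PASSWORD.encode(), SECOND_PIN)
    return FirstApparatus.create_key_store(KSEC, mac), card


def try_read_out(pc, card, first_password: str, second_pin: str) -> str:
    """Outcome of one read-out attempt as a label, for checking the failure modes."""
    try:
        return "ok" if read_out(pc, card, first_password, second_pin) == KSEC else "wrong-key"
    except PermissionError:
        return "pin-rejected"
    except ValueError:
        return "mac-rejected"


if __name__ == "__main__":
    pc, card = build_demo()
    print("correct password and PIN:", try_read_out(pc, card, FIRST_PASSWORD, SECOND_PIN))
    print("wrong first password:    ", try_read_out(pc, card, "wrong", SECOND_PIN))
    print("wrong second PIN:        ", try_read_out(pc, card, FIRST_PASSWORD, "0000"))
```

Two points the simulation makes visible: the computer never stores the predetermined key or the second predetermined number, so the key store cannot be opened from the disc contents alone, and the integrity tag turns a wrong password or PIN into a detectable failure instead of a silently wrong Ksec. A production implementation would replace the HMAC keystream with an authenticated cipher such as AES-GCM, with the MAC fed through a key-derivation function.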