1. Field of the Invention
This invention is directed to a method for the transmission of data messages between two stations A and B, which stations may each belong to a group of equally authorized stations, each message being transmitted after encipherment by using a message ciphering key. The invention is also directed to a transmission system for carrying out the method, and to a station for use in such system.
The invention will be described as applied to a so-called EFT-system (Electronic Fund Transfer system) or a bank terminal system and to problems appearing in such systems. However, the method and devices according to the invention are generally applicable in data transmission systems of various types and intended for various purposes.
2. Description of the Prior Art
A bank terminal system or a system for transmission of data or text comprises a number of terminal stations having data input and data output means. Each terminal station may be connected to a central computer for the exchange of information in both directions. A terminal station may also comprise a so-called cash dispenser apparatus, from which a customer may obtain cash by using a personal data carrier, which is temporarily connected to the system. Security of the system is obtained in that a customer is obliged to identify himself to the system before any transaction is allowed. At a human-operated terminal station this may mean that the customer will have to present an acceptable identification document. At an unsupervised terminal station such as a cash dispenser, said identification may comprise the step that the customer supplies a secret personal code, a so-called PIN-code, via a keyboard, the corresponding PIN-code then being accessible in the system for comparison with the code which is supplied. The trend is towards an increased number of unsupervised terminal stations which may offer an increased number of different services. Personal data carriers are today shaped as cards according to an accepted ISO-standard and comprise magnetizable carriers for data storage.
A bank terminal system is subject to security risks of different types, or threats. Said threats may be directed to information transmitted in the system, or to the hardware comprised in the system, such as transmission lines, terminal stations, or personal data carriers. The threats directed to the actual information mean that it could be possible by active or passive tapping to derive, modify or distort the information content. As countermeasures, on the one hand the transmission lines and further system elements in question may be protected physically. In bank terminal systems the usual type of transmission means that a terminal station communicates with the central computer via a public or general data network. To physically protect a network of this type would, if possible at all, demand high costs. As a consequence the practicable solution means enciphering of the information.
Alternatively, unauthorized hardware may appear. Accordingly, an unauthorized cash dispenser apparatus may appear in a bank system. In a so-called POS-system (Point of Sales system) a customer could then pay for goods at a place of purchase by using his personal data carrier in an unauthorized terminal station. A different threat is that unauthorized personal data carriers may appear. For the time being the use of unauthorized data carriers is prevented by the fact that the customer is obliged to supply his secret personal code in order to obtain access to the system. However, this procedure provides no protection against an unauthorized terminal.
The problem of unauthorized terminals and unauthorized data carriers may be illustrated by the so-called "wardrobe case". According to this case a customer may meet an unauthorized terminal which to the customer appears as a genuine one. This unauthorized terminal is connected to the so-called "wardrobe", in which is housed equipment for tapping the information signals supplied by the data carrier and the key set of the terminal station, and also equipment for correctly forwarding information between the unauthorized terminal and the central computer of the system. By this tapping the entered secret personal code, and further information from the data carrier, is obtained. Said information may then be used for the provision of an unauthorized data carrier.
Thus the transmission of unprotected information on physically accessible lines would mean a grave risk. Furthermore, this case also illustrates the necessity not only of identifying the user and his data carrier to the terminal as being authorized in the system, but also of identifying the terminal to the user as being a genuine one. This mutual identification may be obtained by giving the personal data carrier of the user the shape of an active card, on which the identification information supplied by the terminal may be evaluated. The card will comprise semiconductor memory and signal processing capability, and will function as a station communicating with a terminal.
By a mutual identification of active stations and ciphering of the information which is transmitted, many threats may be eliminated. The obtained security will depend on the choice of identification procedure and ciphering method. Ciphering of a traditional type means that authorized stations of a system have access to a ciphering algorithm and a deciphering algorithm and also a ciphering key operating as a parameter in said algorithms. If an unciphered or clear-text message is designated by x, the ciphered version thereof or "cipher" is designated by y, the ciphering key is designated as k, the ciphering algorithm is designated E and the deciphering algorithm is designated D, this may be expressed according to the following:

y = E(x, k) and x = D(y, k)
in which expression D is the inverse function of E for all possible values of k. In a ciphering system of this type it is not necessary to keep the algorithms secret, while the key k shall be known to authorized stations only. The ciphering security depends on the difficulty of finding the key k. Accordingly, with a knowledge of x and y it should be difficult to find the value of k for which y = E(x, k) holds. In the art this is expressed by saying that the finding of k should be "computationally impracticable", which means imposing practically unacceptable requirements on data processing capacity and/or time of operation. The weak point of a ciphering method of this type is the fact that the one same ciphering key must be distributed to all authorized stations and from that time be kept secret. In a larger organization the distribution of keys becomes a great problem. If transmission between the stations is effected via an unprotected channel, and no additional measures are taken, no key may be transmitted along this channel. This problem has led to systems in which the key or part thereof is distributed in a modified form to authorized stations in order to be restored at a respective station by the use of secret information. Accordingly, in this case too a system is obtained which uses information common to the stations, and this endangers the data security.
The problem of enciphering key distribution is made even worse if the aim is a frequent change of ciphering keys. The desirable situation is to use a fresh enciphering key for every single case of transmission. Such a key is named a "session key". Depending on the actual application, a "session" may comprise the transmission of a given amount of data on one single occasion or of different amounts of data on different occasions within a defined time span, for example one day.
European patent application No. 0002580 describes a method for verification of the cipherment keys used at two cooperating stations. To this end a random number is sent in a ciphered form from one station to the other, which station operates on the ciphered number using its own key. The result which is obtained is sent back to said one station, at which it is checked against the ciphered number which was sent from the beginning. If the check does not fail, it is thereby verified that both stations have identical ciphering keys. No mutual identification of the participating stations is obtained according to this method, and furthermore the stations make use of identical, secret key information.
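The key-verification exchange described above, written out as an added example that is not part of the patent text. A constructed toy cipher (XOR with a key-derived keystream) stands in for the E and D of the preceding paragraphs, and the `Station` and `verify_keys` helpers are assumptions; the example also shows the drawback noted here and in the summary below: any holder of the same key passes the check, so it proves key equality, not the identity of the responding station.

```python
import hashlib
import os

# Constructed toy cipher standing in for the page's E and D, with y = E(x, k)
# and x = D(y, k) for every key k. It is an illustration only, not a real cipher.
def E(x: bytes, k: bytes) -> bytes:
    stream = hashlib.sha256(b"toy-keystream|" + k).digest()
    assert len(x) <= len(stream), "toy cipher handles at most 32 bytes"
    return bytes(a ^ b for a, b in zip(x, stream))

def D(y: bytes, k: bytes) -> bytes:
    # XOR with the same keystream is its own inverse, so D(E(x, k), k) == x.
    return E(y, k)

def check_roundtrip(x: bytes, k: bytes) -> bool:
    """D is the inverse of E for this key."""
    return D(E(x, k), k) == x

class Station:
    """A station holding one secret ciphering key (identical at all stations
    in the prior-art scheme). Names are assumed for the illustration."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def respond(self, y: bytes) -> bytes:
        # Responder side of the EP 0002580 method: operate on the received
        # ciphered number using its own key and return the result.
        return D(y, self.key)

def verify_keys(initiator: Station, responder: Station) -> bool:
    """Initiator side: send a ciphered random number, get the responder's
    result back, and check it against the cipher that was sent."""
    r = os.urandom(16)                  # random number chosen by the initiator
    y = E(r, initiator.key)             # travels over the channel in ciphered form
    z = responder.respond(y)            # responder's result, sent back
    # Passes exactly when both stations hold the same key; nothing here
    # identifies which station answered, only that it holds k.
    return E(z, initiator.key) == y

if __name__ == "__main__":
    k = b"key shared by all authorized stations"
    a, b = Station("A", k), Station("B", k)
    c = Station("C (unauthorized copy of k)", k)
    d = Station("D", b"some other key")
    for peer in (b, c, d):
        print(f"A verifies {peer.name}: {verify_keys(a, peer)}")
```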
U.S. Pat. No. 4,227,253 describes a system operating with several "levels" of keys. According to the specification, a session key may be established between a host system in one domain and a host system in another domain for performing cryptographic operations between the same. To this end a specific, mutually agreed upon, common cross-domain key is used, whereby each host system may avoid revealing its own master key to other systems. Apart from the fact that a complicated arrangement of different keys for different purposes is used, it is also evident that the participating host systems have common, secret key information.
The prior art systems described above all have the drawback that all operating parties make use of common key information which must be kept secret by each party, which means that if said key information is revealed by one party this will damage the overall system. A further disadvantage is that no real "hand-shaking" operation is performed between operating parties in order to safeguard that all of the communicating parties are authorized.