Described below is a method for authentication of at least one token using a challenge-response protocol and for protection of the integrity of data stored on the token, using a symmetrical key. Also described is a system having a verifying entity for authentication of at least one token, making use of a challenge-response protocol and for protecting the data integrity of data stored on the token, making use of a symmetrical key.
Using RFID (radio frequency identification), it is possible to equip labels or tags with a chip which can be read contactlessly. RFID tags are used, above all, for marking goods. Furthermore, identification documents for access control and cards for payment systems can be equipped with RFID tags. A distinction is drawn between active and passive RFID tags. Active RFID tags possess a dedicated power supply, whereas passive RFID tags have no dedicated power supply. Passive RFID tags are supplied with energy by an electromagnetic field emitted from an RFID reading device. Usually, an RFID tag has a memory with a plurality of addressable memory units. The RFID reading device for reading out the data stored on the RFID tag has a pre-determined standard instruction set for access to the memory units of the RFID tag. Using the two commands “Read” and “Write”, data on the memory RFID tag can be read therefrom or data can be written thereto. Using these known RFID tags, it is only possible to write data into a data store of the RFID tag or out of the data store. Increasingly, however, sensitive data is held ready on an RFID tag, for example, in electronic passports, access control cards or in applications for plagiarism protection. Unauthorized reading of the data from an RFID tag of this type absolutely must be prevented for data protection and safety reasons. By contrast with data carriers having contact-dependent interfaces, with RFID tags, the data is transmitted wirelessly, so that there is a danger of unnoticed reading of data.
A measure for protecting against unauthorized reading is two-sided authentication of RFID tag and reading device in order to prevent an unauthorized user (or hacker) tapping into the data communication unnoticed and thus being able to read out data that is critical to security. It can also thereby be ensured that the data being read out originates from a non-manipulated RFID tag. In some applications such as, for example, plagiarism protection, one-sided authentication of the RFID tag, wherein only the genuineness of the RFID tag is tested by the reading device, is sufficient.
For authenticity checking, an authentication function, for example, by a challenge-response method, is implemented. In a challenge-response method, for authentication of the RFID tag by the RFID reading device, a random challenge is generated and sent to the RFID tag. The RFID tag calculates the response belonging to the challenge by a secret key and sends this response back to the RFID reading device. The RFID reading device then checks the response received by the RFID tag for correctness. The challenge-response protocol is designed such that only the RFID tag which possesses the right secret key is able to calculate the correct response. It is not possible for a hacker, by knowledge of pairs of associated challenge and response, to determine the secret key.
Known, for example, is the Origa chip from Infineon (www.infineon.com/origa), which converts the challenge-response protocol with asymmetric cryptography. For this purpose, the Origa chip uses a private cryptographic key to calculate the associated response message after receiving a challenge message. The validity of the response message is checked by the reading device using an associated public key.
There is also a need to transmit data stored on a token of this type with manipulation protection. However, it is an essential framework condition in RFID-based data communication that the simplest and fastest possible data communication takes place between the RFID reading device and the transponder. This is due firstly thereto that the transponder typically has little resources, that is, both little energy resources and little resources for storage and calculation, so that given a corresponding protocol, the smallest possible data quantities should be evaluated and the smallest possible data traffic should take place. Secondly, a protocol of this type should also be carried out as rapidly as possible, since very often, particularly in the case of dynamic RFID-based data communication systems, the transponder lies within the range of action of the respective RFID reading device for only a short time. Within this short time, a data communication connection must be established and authenticated and the manipulation-protected data exchange must take place. However, the previously known solutions require the RFID tag to have relatively complex hardware, due to the calculation-intensive encryption and the complex key-agreement protocol.