WO1999018692A1 - Method for exchanging encrypted data via a communication network, corresponding method for storing and managing the encryption keys used, and module storing these encryption keys - Google Patents

Method for exchanging encrypted data via a communication network, corresponding method for storing and managing the encryption keys used, and module storing these encryption keys Download PDF

Info

Publication number
WO1999018692A1
WO1999018692A1 PCT/EP1998/005906 EP9805906W WO9918692A1 WO 1999018692 A1 WO1999018692 A1 WO 1999018692A1 EP 9805906 W EP9805906 W EP 9805906W WO 9918692 A1 WO9918692 A1 WO 9918692A1
Authority
WO
WIPO (PCT)
Prior art keywords
array
segments
encryption keys
module
value
Prior art date
Application number
PCT/EP1998/005906
Other languages
French (fr)
Inventor
Andreas Martschitsch
Rudolf Ritter
Original Assignee
Swisscom Ag
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Swisscom Ag filed Critical Swisscom Ag
Priority to AU97446/98A priority Critical patent/AU9744698A/en
Publication of WO1999018692A1 publication Critical patent/WO1999018692A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless

Definitions

  • the present invention relates to a method for exchanging encrypted data via a communication network and to a corresponding method for storing and managing the encryption keys used.
  • the present invention relates to a method for exchanging encrypted data between value-added providers and their users via a communication network, such as a cellular radio network, e.g. the GSM-network, and to a corresponding method for storing and managing the encryption keys, used by a value-added provider for the end-to- end encryption of the exchanged data, the value of a particular encryption key being unknown to a key-assignment administrator.
  • GSM Global System for Mobile Communication
  • SIM subscriber identity module
  • GSM 03.20 concerning security-related network functions
  • GSM 03.21 concerning security-related algorithms.
  • GSM further provides for confidentiality of the signaling data and user data, exchanged via the radio path between the mobile station and a base station.
  • the SIM contains a ciphering key generating algorithm, which is used to compute a ciphering key based on a random number, received during the authentication process, and based on an individual subscriber identification key stored in the SIM.
  • the ciphering key is calculated in the SIM and by the GSM network and may be used for encryption and decryption of data exchanged via the radio path.
  • the data is encrypted and decrypted by means of a stream cipher algorithm, which is implemented on the mobile station, outside the SIM.
  • a value-added provider has no guarantee that data exchanged with his users is kept private in the remaining portions of the communication network, for instance, it is kept private from the operator of the communication network.
  • value-added providers using the communication network prefer their own private encryption keys. Consequently, this means that users in the communication network need to be provided with means to decrypt data from numerous value-added providers in the communication network.
  • these objects are achieved according to the invention in that at least one segment of the secret encryption key used to encrypt the exchanged data is stored in a secret array unknown to the value-added providers and their users, and in that a pointer to these segments in this array is concatenated with the encrypted data being exchanged.
  • This is advantageous because an encryption key can be specified via the communication network without transmitting the encryption key itself.
  • compact sets of encryption keys are prepared by a trusted third party filling said array with equally sized segments of said encryption keys, in that at least one encryption key is assigned to a value-added provider by a key- assignment administrator communicating pointers to the trusted third party, each specifying a different set of array elements, and in that the values of the assigned encryption keys are determined by the trusted third party assembling the segments contained in the set of array elements specified by the pointer, so that a different encryption key is assembled for each one of the specified sets of array elements.
  • different sets of encryption keys are prepared in different respective arrays for a plurality of different module manufacturers.
  • the different arrays are transmitted securely to the respective module manufacturers, where they are stored by these module manufacturers in the memory of a plurality of modules. Consequently, a different encryption key is assembled by the trusted third party from the array of each module manufacturer, by assembling the segments from each of the respective arrays according to the specified set of array elements.
  • each of the segments stored in the array is of equal size, and comprises at least two digits of an encryption key, so that with reference to one array element more than one digit of an encryption key can be identified.
  • the array is organized as a two-dimensional array, the number of elements in one of its dimensions being equal to the base of the number system of the digits of the encryption keys.
  • This has the advantage that the full value range of a digit of a pointer of the same number system as the encryption keys can be efficiently used to indicate the positions of elements in that dimension of the array.
  • the pointers each comprise a series of digits, the positions and values of which indicating an element's position in the array.
  • This has the advantage that the value of a digit of the pointer can be used to specify the position of an array element in one direction of the array, and the position of a digit within the pointer can be used to specify the position of the array element in the other direction of the array.
  • the value of each of its digits can be used to specify the positions of multiple elements in the array, the free choice of segments for an encryption key being thereby restricted, however.
  • certain or all array elements are preferably used only once as segments of only one encryption key. In order to increase the number of available encryption keys, certain array elements are preferably used as segments of multiple encryption keys, thus reducing the security of these encryption keys.
  • the arrays are preferably stored in the memory of modules, these modules being insertable in a removable fashion into terminal equipment connected to a communication network.
  • Said modules preferably further comprise processing means to determine the encryption key used by a particular value-added provider to encrypt data transmitted via the communication network, by using the pointer concatenated with the encrypted data being exchanged.
  • Fig. 1 shows a block diagram illustrating the information exchange between a trusted third party, a key-assignment administrator, a module manufacturer, and a value-added provider.
  • Fig. 2 shows an example of an array with examples of segments of encryption keys and corresponding encryption keys and pointers.
  • Fig. 3 shows an example of a data string exchanged between a value-added provider and its users.
  • the reference number 1 in Fig. 1 indicates a trusted third party (TTP) who is responsible for preparing compact sets S A , S B of encryption keys K A ⁇ - K An , respectively K B ⁇ -K Bn , which are used by value-added providers 2 to encrypt/decrypt data exchanged with their users via a communication network, particularly a mobile telephone network, for instance a GSM, a DCS, or a UMTS network.
  • TTP trusted third party
  • the encryption keys K A ,, K Aj , K B illustrated in Fig 2 are typically composed of a series of digits of a certain number system, for instance hexadecimal, and have a predefined length, for instance sixteen hexadecimal digits stored in eight consecutive bytes, b1 -b8, b1 being the first byte and b8 being the last byte They can be created, for instance, by random number generators appropriate for this purpose, which are known to a person skilled in the art
  • a whole encryption key K B can be created as one unit, the segments b1 -b8 of an encryption key K B , can be created one at a time, or a whole array S A can be created at once, as illustrated in Fig 2 and corresponding to the set S A of encryption keys K A ⁇ -K An shown in Fig 1 , filled with segments b1 -b8 of numerous encryption keys K A ⁇ -K An
  • Segments of the encryption keys KA I -KA ⁇ are stored in an array S A , unless of course, they have already been created in this array S A , as described above
  • Storing segments with two digits of an encryption key K A ⁇ -K An in one element of the array S A has the advantage that with a reference to one array element, two digits of an encryption key K A ⁇ -K An can be specified
  • segments of more than two digits of an encryption key K A ⁇ -K An are stored in the elements of an array
  • the array S A is preferably organized as a two dimensional array SA with the number of elements in one of its dimensions, i e the number of rows or the number of columns, being equal to the base of the number system of the encryption keys K A i-K An , in this example an array S A with sixteen rows
  • there are sixteen rows in the array S A corresponding to sixteen possible values of a hexadecimal digit of a pointer K,, K,
  • the number of elements in the second dimension of the two dimensional array S A is chosen based on the length of the encryption keys K A ⁇ -K An , the number of different encryption keys KAI-KA ⁇ to be stored in the array S A , and also the amount of memory space that is available to store the resulting array S A .
  • the number of rows could also be simply a result of choosing an overall size of the array S A , according to criteria set by a person skilled in the art, for instance a size that is practical as a standard record in a file. In our example, illustrated in Fig.
  • an encryption key K AI -K A ⁇ having a key length of eight-bytes, and an array S A , having sixteen rows, sixty-four different segments b1-b8 of one byte can be stored in four columns, or in an array S A of sixty-four bytes.
  • an encryption key K Al illustrated in Fig. 2
  • a corresponding pointer K could be composed in such a fashion that each of its bytes corresponds to a column, the value of each digit in these bytes indicating the row number of an element in the corresponding column.
  • the first byte of K Al with the value 'A1 ', would be represented by the first digit of the first byte of the pointer K, having the value '1 ', thus pointing to the segment 'A1 ' in row r1 of column d .
  • the second byte of K Al with the value 'A2', would be represented by the second digit of the first byte of the pointer K, having the value '2', thus pointing to the segment 'A2' in row r2 of column d .
  • the second byte of the pointer K would refer to elements in column c2
  • the third and fourth bytes of the pointer K would refer to elements in columns c3 and c4, respectively.
  • an encryption key K A of eight-bytes can be represented by a pointer K, with four bytes pointing to eight segments in the array S A .
  • one digit of a pointer could be used to point to multiple array elements.
  • the first digit of the pointer K having the value 'A', points to the elements at rows rA and rB of column d .
  • the second digit of the pointer K j having the value ⁇ ', points to the elements at rows rE and rF of column c2.
  • the third and fourth digits of the pointer K j would refer to elements in columns c3 and c4, respectively.
  • an encryption key K Aj of eight-bytes can be represented by a pointer K j with two bytes pointing to eight segments in the array S A .
  • a pointer of just one byte could point to all the elements in two rows of the array S A .
  • twice as many equal segments b1 -b8 could be stored in an array with sixteen rows and eight columns.
  • an encryption key K B ⁇ with eight segments b1 -b8, with one byte each could be represented by a four byte pointer, each one of its eight digits pointing to a respective element in the row corresponding to the value of the digit and in the column corresponding to the position of the digit within the pointer.
  • a trusted third party (TTP) 1 is responsible for preparing the compact sets S A , S B of encryption keys M-K A ⁇ , respectively K B i-K Bn , which are used by value-added providers (VAP) 2 to encrypt/decrypt data exchanged with their users
  • encryption keys are assigned to a VAP 2 by a key-assignment administrator 5, who is kept unaware of the particular value of the assigned encryption key
  • the key-assignment administrator 5 assigns an encryption key K Al , illustrated in Fig 2, to a VAP 2 by selecting a pointer K, which has not yet been assigned
  • he is preferably provided with a key selection software program which has access to a database 51 where, for instance, assignments of pointers to VAP's 2 are being logged for specific TTP's 1
  • the key selection software program shows for a particular TTP 1 the pointers K,, K, to the array S A that are still unassigned
  • the key selection software program can, for a particular TTP 1 the
  • Respective key selection software programs can be implemented easily by a person skilled in the art
  • the assignment of a pointer K, to a VAP 2 is communicated by the key-assignment administrator 5, as indicated by arrow 9, to the respective TTP 1
  • the TTP 1 prepares compact sets S A , S B of encryption keys KAI-K A ⁇ , respectively K B ⁇ -K Bn , the different sets S A , S B preferably being transmitted securely to different module manufacturers 3 and 4, respectively, as is indicated by the arrows 7 and 8, respectively, where they are stored safely in the corresponding arrays S' A and S'B, respectively.
  • the module manufacturers 3 and 4 embed their arrays S' A and S' B securely into their respective modules, for instance an identification card such as the SIM- card used in mobile equipment, for example in mobile telephones, laptop-, or palmtop computers. This is done in a fashion known to a person skilled in the art, so that the arrays S' A and S' B cannot be read from the modules by their users.
  • the arrays S' A and S'B are loaded into the modules by means of special short messages, such as SMS short messages or as USSD data, transmitted, for instance by the trusted third party 1 , via the communication network to the user's terminal equipment, where it is received and handled by special services implemented in the module according to the SICAP method, described in EP 689 368 B1 , or according to a similar method.
  • special short messages such as SMS short messages or as USSD data
  • SMS short messages or as USSD data transmitted, for instance by the trusted third party 1 , via the communication network to the user's terminal equipment, where it is received and handled by special services implemented in the module according to the SICAP method, described in EP 689 368 B1 , or according to a similar method.
  • This latter variant could be executed at the time of personalization of the module or at the time when a user subscribes to or uses the services of a respective VAP 2 for the first time.
  • the pointer K is used by the TTP 1 , preferably by means of the mentioned key assembly software program, to assemble the corresponding segments b1-b8 stored in the arrays S A and S B , assigned to the respective module manufacturers 3 and 4.
  • the resulting encryption key K Al composed of segments stored in the elements of the array S A corresponding to the pointer K
  • the encryption key K Bl composed of segments stored in the elements of the array S B corresponding to the pointer K
  • the VAP 2 securely stores, for instance in a protected database 21 , the received encryption keys KA, and K Bl , for use with users equipped with modules manufactured by module manufacturer 3 and 4, respectively, together with the pointer K,.
  • End-to-end encryption of user data exchanged between a VAP 2 and its users is achieved in that the communication software installed at the VAP 2, having access to the encryption keys K Al and K B , and the corresponding pointer K, encrypts user data by means of an encryption algorithm, for instance the Digital Encryption Standard (DES) or any other algorithm found suitable by a person skilled in the art, and by using the appropriate encryption keys K A , or K Bl for communicating with users equipped with modules manufactured by the manufacturer 3 or 4, respectively
  • the encrypted user data 104 is concatenated with a field 102, containing the pointer K,, an optional field 103, indicating the length, i e the number of bytes, of the encrypted user data 104, and an optional field 101 , identifying the algorithm used to encrypt the user data and identifying the trusted third party 1 responsible for the encryption keys used
  • the data 10 is received by the respective user's terminal equipment connected to the network, for instance a mobile telephone, a palmtop- or laptop computer Special software in the terminal equipment, either implemented as part of the terminal equipment or as part of a module inserted in a removable fashion in the terminal equipment, for instance an identification card, e g a SIM-card, determines the algorithm used to encrypt the user data, the trusted third party 1 responsible for the encryption keys used, the pointer K, to the particular encryption key used, and the number of bytes of encrypted user data from the values in the separate respective fields 101 , 102, and 103 of the received data 10 Based on the pointer K, the encryption key K Al or K B , IS assembled from the segments b1-b8 stored in the corresponding elements of the array S' A or S' B , which are securely stored in the module manufactured by the module manufacturer 3 or 4, respectively
  • the encrypted user data 104 in the received data 10 is then decrypted, using the assembled encryption key K A , or K Bl , by means
  • data will be encrypted by the terminal equipment, either by an appropriate program in the module or as part of the terminal equipment itself, using the same algorithm and encryption key as used by the VAP 2, and by structuring the data preferably in the same fashion as it was received from the VAP 2.
  • the communication software implemented at the VAP 2 will consequently handle the data received from a user in a similar fashion as described above; however, it will not have to assemble the encryption keys K AI or K Bi as they are stored in the database 21 , accessible to the communication software.
  • the VAP 2 In order for the VAP 2 to select the encryption key K A ⁇ or K Bi , it must be provided with information concerning the identity of the manufacturer of the modules 3 or 4 used in the users terminal equipment. This information can be obtained by polling respective information off the module, inserted in the terminal equipment of the user, by means of special messages via the communication network (for instance according to the SICAP method, described in EP 689 368 B1 , or according to a similar method) or by making a respective inquiry via the communication network to the network operator, or by keeping respective information in a local database accessible to the VAP 2.
  • segments b1-b8 of an encryption key K A ⁇ , K B ⁇ are represented by the pointer exchanged via the communication network, it should be noted that it is thoroughly possible to have only some or one segment of an encryption key represented by the exchanged pointer. In such an approach, the remaining portion of an encryption key could be securely stored in the memory of the module, or it could be exchanged together with the encrypted data. It should also be stated that the segments do not need to be of equal size.
  • the encryption keys used for the encryption of data exchanged during a session between a VAP 2 and a user can be changed during this session. This will be transparent to the receiving end, as there will simply be another pointer in the corresponding field 102 concatenated with the encrypted data 104, based on which the new encryption key, to be used for the decryption of the data 104, can easily be determined as described above.
  • encryption keys can be assigned and communicated to VAP's 2 for a fee, which may depend on the security of the particular key.
  • a VAP 2 may also be provided with multiple keys from one array. In a scenario where multiple arrays are required in the same module, it is possible to distinguish these arrays by means of corresponding array identifiers, which would be communicated to a VAP 2 together with the corresponding encryption key and pointer. Furthermore, these identifiers would be included in the transmitted data, so that at the receiving end the encryption keys could be determined from the corresponding array, as described above.

Abstract

Method for exchanging encrypted data between value-added providers (2) and their uses via a communication network and corresponding method for storing and managing the encryption keys (KAi, KAj, KBi) used to encrypt the exchanged data, segments (b1-b8) of the secret encryption key (KAi, KAj, KBi) being stored in a secret array (S'A, S'B) unkown to the value-added providers (2) and to their users, and a pointer (Ki) to these segments in this array (S'A, S'B) being concatenated with the encrypted data (104) being exchanged. Preparation of compact sets (SA, SB) of encryption keys (KA1-KAn, KB1-KBn) by a trusted third party (1) filling arrays (SA, SB) with segments (b1-b8) of encryption keys, assignment of encryption keys (KAi, KBi) to value-added providers (2) by a key-assignment administrator (5) communicating pointers (Ki) to the trusted third party (1), and assembly of the assigned encryption keys (KAi, KBi) by the trusted third party (1).

Description

Method for Exchanging Encrypted Data Via a Communication Network,
Corresponding Method for Storing and Managing the Encryption Keys
Used, and Module Storing these Encryption Keys
The present invention relates to a method for exchanging encrypted data via a communication network and to a corresponding method for storing and managing the encryption keys used. Specifically, the present invention relates to a method for exchanging encrypted data between value-added providers and their users via a communication network, such as a cellular radio network, e.g. the GSM-network, and to a corresponding method for storing and managing the encryption keys, used by a value-added provider for the end-to- end encryption of the exchanged data, the value of a particular encryption key being unknown to a key-assignment administrator.
Data encryption methods are known for encrypting data to be exchanged via a communication network, particularly, for mobile communication systems where data is transmitted via a radio path. In particular, a variety of security features are known from the Global System for Mobile Communication (GSM) as outlined in the GSM recommendations 02.09, concerning security aspects; GSM 02.17, concerning the subscriber identity module (SIM); GSM 03.20, concerning security-related network functions; and GSM 03.21 , concerning security-related algorithms. Besides providing for authentication and confidentiality of the mobile subscriber identity, GSM further provides for confidentiality of the signaling data and user data, exchanged via the radio path between the mobile station and a base station. For this purpose, the SIM contains a ciphering key generating algorithm, which is used to compute a ciphering key based on a random number, received during the authentication process, and based on an individual subscriber identification key stored in the SIM. The ciphering key is calculated in the SIM and by the GSM network and may be used for encryption and decryption of data exchanged via the radio path. Using the generated ciphering key, the data is encrypted and decrypted by means of a stream cipher algorithm, which is implemented on the mobile station, outside the SIM. Although user data can be kept confidential during its transmission via the radio path, a value-added provider has no guarantee that data exchanged with his users is kept private in the remaining portions of the communication network, for instance, it is kept private from the operator of the communication network. For the purpose of end-to-end encryption of user data, value-added providers using the communication network prefer their own private encryption keys. Consequently, this means that users in the communication network need to be provided with means to decrypt data from numerous value-added providers in the communication network.
It is an object of this invention to propose new and improved methods for exchanging encrypted data and for managing and storing encryption keys, the values of these keys remaining secret and being stored in a compact fashion.
According to the present invention, these objects are achieved particularly through the features of the characterizing portion of the independent claims. In addition, further advantageous embodiments follow from the dependent claims and the description.
In particular, these objects are achieved according to the invention in that at least one segment of the secret encryption key used to encrypt the exchanged data is stored in a secret array unknown to the value-added providers and their users, and in that a pointer to these segments in this array is concatenated with the encrypted data being exchanged. This is advantageous because an encryption key can be specified via the communication network without transmitting the encryption key itself.
Furthermore, these objects are achieved according to the invention in that compact sets of encryption keys are prepared by a trusted third party filling said array with equally sized segments of said encryption keys, in that at least one encryption key is assigned to a value-added provider by a key- assignment administrator communicating pointers to the trusted third party, each specifying a different set of array elements, and in that the values of the assigned encryption keys are determined by the trusted third party assembling the segments contained in the set of array elements specified by the pointer, so that a different encryption key is assembled for each one of the specified sets of array elements.
Preferably, different sets of encryption keys are prepared in different respective arrays for a plurality of different module manufacturers. The different arrays are transmitted securely to the respective module manufacturers, where they are stored by these module manufacturers in the memory of a plurality of modules. Consequently, a different encryption key is assembled by the trusted third party from the array of each module manufacturer, by assembling the segments from each of the respective arrays according to the specified set of array elements.
Preferably, each of the segments stored in the array is of equal size, and comprises at least two digits of an encryption key, so that with reference to one array element more than one digit of an encryption key can be identified.
Preferably, the array is organized as a two-dimensional array, the number of elements in one of its dimensions being equal to the base of the number system of the digits of the encryption keys. This has the advantage that the full value range of a digit of a pointer of the same number system as the encryption keys can be efficiently used to indicate the positions of elements in that dimension of the array.
Preferably, the pointers each comprise a series of digits, the positions and values of which indicating an element's position in the array. This has the advantage that the value of a digit of the pointer can be used to specify the position of an array element in one direction of the array, and the position of a digit within the pointer can be used to specify the position of the array element in the other direction of the array. In order to decrease the number of digits of the pointer even further, the value of each of its digits can be used to specify the positions of multiple elements in the array, the free choice of segments for an encryption key being thereby restricted, however. To increase the security of an encryption key, certain or all array elements are preferably used only once as segments of only one encryption key. In order to increase the number of available encryption keys, certain array elements are preferably used as segments of multiple encryption keys, thus reducing the security of these encryption keys.
The arrays are preferably stored in the memory of modules, these modules being insertable in a removable fashion into terminal equipment connected to a communication network. Said modules preferably further comprise processing means to determine the encryption key used by a particular value-added provider to encrypt data transmitted via the communication network, by using the pointer concatenated with the encrypted data being exchanged.
An embodiment of the present invention is described below by way of example. The embodiment example is illustrated by means of the following appended figures:
Fig. 1 shows a block diagram illustrating the information exchange between a trusted third party, a key-assignment administrator, a module manufacturer, and a value-added provider.
Fig. 2 shows an example of an array with examples of segments of encryption keys and corresponding encryption keys and pointers.
Fig. 3 shows an example of a data string exchanged between a value-added provider and its users.
The reference number 1 in Fig. 1 indicates a trusted third party (TTP) who is responsible for preparing compact sets SA, SB of encryption keys KAι- KAn, respectively KBι-KBn, which are used by value-added providers 2 to encrypt/decrypt data exchanged with their users via a communication network, particularly a mobile telephone network, for instance a GSM, a DCS, or a UMTS network. The encryption keys KA,, KAj, KB illustrated in Fig 2, are typically composed of a series of digits of a certain number system, for instance hexadecimal, and have a predefined length, for instance sixteen hexadecimal digits stored in eight consecutive bytes, b1 -b8, b1 being the first byte and b8 being the last byte They can be created, for instance, by random number generators appropriate for this purpose, which are known to a person skilled in the art A whole encryption key KB, can be created as one unit, the segments b1 -b8 of an encryption key KB, can be created one at a time, or a whole array SA can be created at once, as illustrated in Fig 2 and corresponding to the set SA of encryption keys KAι-KAn shown in Fig 1 , filled with segments b1 -b8 of numerous encryption keys KAι-KAn
Segments of the encryption keys KAI-KAΠ, for instance a segment b1 with one byte comprising two hexadecimal digits, are stored in an array SA, unless of course, they have already been created in this array SA, as described above Storing segments with two digits of an encryption key KAι-KAn in one element of the array SA has the advantage that with a reference to one array element, two digits of an encryption key KAι-KAn can be specified In a variant, segments of more than two digits of an encryption key KAι-KAn are stored in the elements of an array
As illustrated in Fig 2, the array SA is preferably organized as a two dimensional array SA with the number of elements in one of its dimensions, i e the number of rows or the number of columns, being equal to the base of the number system of the encryption keys KAi-KAn, in this example an array SA with sixteen rows This has the advantage that the full value range of a digit of a pointer K,, K,, of the same number system as the encryption keys KAI-KAΠ, can be efficiently used to indicate the positions of elements in that dimension of the array SA In our example, there are sixteen rows in the array SA corresponding to sixteen possible values of a hexadecimal digit of a pointer K,, K,
The number of elements in the second dimension of the two dimensional array SA, ι e the number of columns, is chosen based on the length of the encryption keys KAι-KAn, the number of different encryption keys KAI-KAΠ to be stored in the array SA, and also the amount of memory space that is available to store the resulting array SA. Obviously, the number of rows could also be simply a result of choosing an overall size of the array SA, according to criteria set by a person skilled in the art, for instance a size that is practical as a standard record in a file. In our example, illustrated in Fig. 2, an encryption key KAI-K, having a key length of eight-bytes, and an array SA, having sixteen rows, sixty-four different segments b1-b8 of one byte can be stored in four columns, or in an array SA of sixty-four bytes.
Without limiting the selection of specific elements from a sixty-four byte array as segments for an encryption key, it is possible to select 4,426,165,368 different encryption keys; obviously, many of these keys would share the same segments.
There are numerous ways of referencing individual segments stored in the array elements. For instance, if an encryption key KAl, illustrated in Fig. 2, comprises eight-bytes, each byte being represented by a segment stored in an element of array SA, a corresponding pointer K, could be composed in such a fashion that each of its bytes corresponds to a column, the value of each digit in these bytes indicating the row number of an element in the corresponding column. For instance, the first byte of KAl, with the value 'A1 ', would be represented by the first digit of the first byte of the pointer K, having the value '1 ', thus pointing to the segment 'A1 ' in row r1 of column d . In the same way, the second byte of KAl, with the value 'A2', would be represented by the second digit of the first byte of the pointer K, having the value '2', thus pointing to the segment 'A2' in row r2 of column d . By selecting two segments from each column, the second byte of the pointer K, would refer to elements in column c2, and the third and fourth bytes of the pointer K, would refer to elements in columns c3 and c4, respectively. Thus an encryption key KA, of eight-bytes can be represented by a pointer K, with four bytes pointing to eight segments in the array SA.
Other approaches resulting in even shorter pointers are also possible. For instance, one digit of a pointer could be used to point to multiple array elements. For example, the first digit of the pointer K,, having the value 'A', points to the elements at rows rA and rB of column d . In the same way, the second digit of the pointer Kj, having the value Ε', points to the elements at rows rE and rF of column c2. By selecting two segments from each column in consecutive rows, the third and fourth digits of the pointer Kj would refer to elements in columns c3 and c4, respectively. Thus an encryption key KAj of eight-bytes can be represented by a pointer Kj with two bytes pointing to eight segments in the array SA. In another variant, not illustrated, a pointer of just one byte could point to all the elements in two rows of the array SA.
It should be noted that the values of the segments in these examples are completely arbitrary, and could have any other value depending only on the method by which they are created, as described above.
With the limitation that two segments are selected from each column of the sixteen-by-four array SA, it is possible to select (16*15)4=3,317,760,000 different encryption keys. With the limitation that two consecutive segments are selected from each column of the sixteen-by-four array SA (assuming row rF and rO are considered consecutive), it is possible to select 16 =65,536 different encryption keys. Obviously, many of these keys would share the same segments, as there are only eight unique eight-byte encryption keys in an array SA with sixty-four bytes. Handling of this limitation will be discussed in more detail later in this description.
In another example, not illustrated, twice as many equal segments b1 -b8 could be stored in an array with sixteen rows and eight columns. In such an array, an encryption key KBι with eight segments b1 -b8, with one byte each, could be represented by a four byte pointer, each one of its eight digits pointing to a respective element in the row corresponding to the value of the digit and in the column corresponding to the position of the digit within the pointer. Such an array, assuming encryption keys with one segment per column, would provide the possibility of 168=4,294,967,296 different encryption keys, of which only sixteen are unique keys, not sharing any segments with other keys.
As was described above, a trusted third party (TTP) 1 is responsible for preparing the compact sets SA, SB of encryption keys M-K, respectively KBi-KBn, which are used by value-added providers (VAP) 2 to encrypt/decrypt data exchanged with their users Preferably, encryption keys are assigned to a VAP 2 by a key-assignment administrator 5, who is kept unaware of the particular value of the assigned encryption key The key-assignment administrator 5 assigns an encryption key KAl, illustrated in Fig 2, to a VAP 2 by selecting a pointer K, which has not yet been assigned For that purpose, he is preferably provided with a key selection software program which has access to a database 51 where, for instance, assignments of pointers to VAP's 2 are being logged for specific TTP's 1 For instance, the key selection software program shows for a particular TTP 1 the pointers K,, K, to the array SA that are still unassigned Furthermore, the key selection software program can, for example, also indicate how many segments b1-b8 an encryption key KAl, KBl, corresponding to a particular pointer K,, is sharing with encryption keys that have already been assigned, so that different rates can be charged for encryption keys with different security levels, i e different numbers of shared segments Preferably, certain segments of the array, for example rows rO to r7 of array SA, are reserved for use as highly secure and/or fully independent encryption keys, while other segments can be freely shared among encryption keys In our example with a sixteen-by-four array SA, encryption keys with eight-bytes, and two of eight segments stored in each column, four fully independent encryption keys, not sharing any segments with any other encryption keys, could be selected from the reserved rows rO to r7, while (8*7)4=9,834,496 different encryption keys could be selected from the remaining rows
Respective key selection software programs can be implemented easily by a person skilled in the art The assignment of a pointer K, to a VAP 2 is communicated by the key-assignment administrator 5, as indicated by arrow 9, to the respective TTP 1 This can preferably be accomplished in that the above-mentioned key selection software communicates directly to another key assembly software program of the TTP 1 , possibly running on the same computer or on a computer connected through a communication network, in which case the communication is preferably performed in a secure fashion, or in that an electronic or paper message is automatically or manually sent to the TTP 1 , where it is handled by entering the received relevant information, preferably into a key assembly software program of the TTP 1 As is illustrated in Fig. 1 , the TTP 1 prepares compact sets SA, SB of encryption keys KAI-K, respectively KBι-KBn, the different sets SA, SB preferably being transmitted securely to different module manufacturers 3 and 4, respectively, as is indicated by the arrows 7 and 8, respectively, where they are stored safely in the corresponding arrays S'A and S'B, respectively. The module manufacturers 3 and 4 embed their arrays S'A and S'B securely into their respective modules, for instance an identification card such as the SIM- card used in mobile equipment, for example in mobile telephones, laptop-, or palmtop computers. This is done in a fashion known to a person skilled in the art, so that the arrays S'A and S'B cannot be read from the modules by their users. In a variant, the arrays S'A and S'B are loaded into the modules by means of special short messages, such as SMS short messages or as USSD data, transmitted, for instance by the trusted third party 1 , via the communication network to the user's terminal equipment, where it is received and handled by special services implemented in the module according to the SICAP method, described in EP 689 368 B1 , or according to a similar method. This latter variant could be executed at the time of personalization of the module or at the time when a user subscribes to or uses the services of a respective VAP 2 for the first time.
The pointer K,, assigned to a VAP 2 and communicated by the key- assignment administrator 5 to the respective TTP 1 , as described above, is used by the TTP 1 , preferably by means of the mentioned key assembly software program, to assemble the corresponding segments b1-b8 stored in the arrays SA and SB, assigned to the respective module manufacturers 3 and 4. The resulting encryption key KAl, composed of segments stored in the elements of the array SA corresponding to the pointer K,, and the encryption key KBl, composed of segments stored in the elements of the array SB corresponding to the pointer K,, are transmitted securely (for instance, by using TTP- or PTP- services or by normal mail), as indicated by arrow 6, to the VAP 2, together with the pointer K,- The VAP 2 securely stores, for instance in a protected database 21 , the received encryption keys KA, and KBl, for use with users equipped with modules manufactured by module manufacturer 3 and 4, respectively, together with the pointer K,. End-to-end encryption of user data exchanged between a VAP 2 and its users is achieved in that the communication software installed at the VAP 2, having access to the encryption keys KAl and KB, and the corresponding pointer K,, encrypts user data by means of an encryption algorithm, for instance the Digital Encryption Standard (DES) or any other algorithm found suitable by a person skilled in the art, and by using the appropriate encryption keys KA, or KBl for communicating with users equipped with modules manufactured by the manufacturer 3 or 4, respectively As is illustrated in Fig 3, the encrypted user data 104 is concatenated with a field 102, containing the pointer K,, an optional field 103, indicating the length, i e the number of bytes, of the encrypted user data 104, and an optional field 101 , identifying the algorithm used to encrypt the user data and identifying the trusted third party 1 responsible for the encryption keys used It should be noted that the order of the fields given in this example could be altered if this was desired for practical reasons by a person skilled in the art The encrypted and concatenated data 10 is subsequently transmitted via a communication network, for example a mobile telephone network, such as a GSM, a DCS, or a UMTS network, for instance by means of SMS short messages or as USSD data
At the receiving end, the data 10 is received by the respective user's terminal equipment connected to the network, for instance a mobile telephone, a palmtop- or laptop computer Special software in the terminal equipment, either implemented as part of the terminal equipment or as part of a module inserted in a removable fashion in the terminal equipment, for instance an identification card, e g a SIM-card, determines the algorithm used to encrypt the user data, the trusted third party 1 responsible for the encryption keys used, the pointer K, to the particular encryption key used, and the number of bytes of encrypted user data from the values in the separate respective fields 101 , 102, and 103 of the received data 10 Based on the pointer K,, the encryption key KAl or KB, IS assembled from the segments b1-b8 stored in the corresponding elements of the array S'A or S'B, which are securely stored in the module manufactured by the module manufacturer 3 or 4, respectively The encrypted user data 104 in the received data 10 is then decrypted, using the assembled encryption key KA, or KBl, by means of the appropriate specified decryption algorithm, which can be implemented in the module or in the terminal equipment itself.
In a response to the VAP 2, data will be encrypted by the terminal equipment, either by an appropriate program in the module or as part of the terminal equipment itself, using the same algorithm and encryption key as used by the VAP 2, and by structuring the data preferably in the same fashion as it was received from the VAP 2. The communication software implemented at the VAP 2 will consequently handle the data received from a user in a similar fashion as described above; however, it will not have to assemble the encryption keys KAI or KBi as they are stored in the database 21 , accessible to the communication software.
In order for the VAP 2 to select the encryption key KAι or KBi, it must be provided with information concerning the identity of the manufacturer of the modules 3 or 4 used in the users terminal equipment. This information can be obtained by polling respective information off the module, inserted in the terminal equipment of the user, by means of special messages via the communication network (for instance according to the SICAP method, described in EP 689 368 B1 , or according to a similar method) or by making a respective inquiry via the communication network to the network operator, or by keeping respective information in a local database accessible to the VAP 2.
Although in the description above all segments b1-b8 of an encryption key KAι, KBι are represented by the pointer exchanged via the communication network, it should be noted that it is thoroughly possible to have only some or one segment of an encryption key represented by the exchanged pointer. In such an approach, the remaining portion of an encryption key could be securely stored in the memory of the module, or it could be exchanged together with the encrypted data. It should also be stated that the segments do not need to be of equal size.
In a variant of the present invention, the encryption keys used for the encryption of data exchanged during a session between a VAP 2 and a user can be changed during this session. This will be transparent to the receiving end, as there will simply be another pointer in the corresponding field 102 concatenated with the encrypted data 104, based on which the new encryption key, to be used for the decryption of the data 104, can easily be determined as described above.
As indicated earlier, encryption keys can be assigned and communicated to VAP's 2 for a fee, which may depend on the security of the particular key. A VAP 2 may also be provided with multiple keys from one array. In a scenario where multiple arrays are required in the same module, it is possible to distinguish these arrays by means of corresponding array identifiers, which would be communicated to a VAP 2 together with the corresponding encryption key and pointer. Furthermore, these identifiers would be included in the transmitted data, so that at the receiving end the encryption keys could be determined from the corresponding array, as described above.

Claims

Claims
1. Method for exchanging encrypted data (104) between value- added providers (2) and their users via a communication network, at least certain users being provided with a module for receiving said data (104), wherein said data (104) is encrypted with a secret encryption key (KAl, KBl), characterized in that at least one segment (b1 -b8) of said encryption key (KA., KBl) is stored in a secret array (SΑ, S'B) and in that a pointer (K,) to said segments (b1 -b8) in said array (SΑ, S'B) is concatenated with said encrypted data (104) being exchanged.
2. Method according to the preceding claim, characterized in that said secret array (SΑ, S'B) is unknown to said value-added provider (2) and to said users.
3. Method according to one of the preceding claims, characterized in that one different encryption key (KAl, KAj, KBl), comprising different key segments (b1 -b8), is assigned in the same array (SΑ, S'B) to different value- added providers (2).
4. Method according to one of the preceding claims, characterized in that the encryption keys (KAl, KAj, KBl) used for encrypting said data (104) are determined by said module assembling equally sized segments (b1 -b8) of said array (S'A, S'B) as indicated by said pointer (K,, K,).
5. Method according to one of the preceding claims, characterized in that the encryption keys (KA,, KA), KBl) are prepared and communicated to the value-added providers (2) by a trusted third party (1 ), and embedded in said module by a module manufacturer (3, 4).
6. Method according to one of the preceding claims, characterized in that the pointers (K,, K,) are assigned to the value-added providers (2) by a key- assignment administrator (5).
7. Method according to one of the preceding claims, characterized in that a tag (101 ), indicating the trusted service provider (1 ) responsible for preparing said encryption keys (KAl, KA), KBl) and indicating an algorithm used to encrypt said data (104), is concatenated with said data (104).
8. Method according to one of the preceding claims, characterized in that a number, indicating the length (103) of the encrypted data (104), is concatenated with said data (104).
9. Method for storing and managing secret encryption keys (KA╬╣-KAn, KB1-KBn) which comprise a series of digits of a certain number system, and which are used for end-to-end encryption of data exchanged between value- added providers (2) and their users via a communication network, using terminal equipment, at least certain of which being provided with a removable module, the value of a particular said encryption key (KA╬╣, KAj, KB,) used by a said value-added provider (2) being unknown to a key-assignment administrator (5), characterized in that it comprises the following steps:
- preparation of a compact set (SA, SB) of encryption keys (K -KAΠ, KB1-KBn) by a trusted third party (1 ) filling an array (SA, SB) with segments (b1- b8) of said encryption keys (KAι-KAn, KBrKBn);
- assignment of at least one encryption key (KA╬╣, KB|) to at least one of said value-added providers (2) by said key-assignment administrator (5) communicating pointers ( ) to the said trusted third party (1 ), each specifying a different set of array elements for a said value-added provider (2); and
- determination of the values of the assigned encryption keys (KAi, KBl) by the trusted third party (1 ) assembling the segments contained in the set of array elements specified by the pointer (K,), a different encryption key (KAl, KB╬╣) being assembled for each one of the specified sets of array elements.
10. Method according to the preceding claim, characterized in that it further comprises the following steps: - preparation of different sets (SA, SB) of encryption keys (KAι-KAn, KBI-KBΠ) in different respective arrays (SA, SB) for a plurality of different module manufacturers (3, 4),
- secure transmission of the different arrays (SΑ, S'B) to the respective module manufacturers (3, 4) and storage of the received arrays (S'A, S'B) by said module manufacturers (3, 4) in the memory of a plurality of modules, and
- assembly of a different encryption key (KAl, KBl) from the array (SA, SB) of each module manufacturer (3, 4) by the trusted third party (1 ) assembling the segments (b1 -b8) from each of the respective arrays (SA, SB) according to the specified set of array elements (K,)-
1 1. Method according to one of the claims 9 to 10, characterized in that it further comprises the following step:
- secure transmission of the assembled encryption keys (KAl, KB|) to the respective value-added providers (2) by the trusted third party (1 ).
12. Method according to one of the claims 9 to 1 1 , characterized in that each of the said segments (b1 -b8) is of equal size and comprises at least two of said digits of an encryption key (KA╬╣-KAn, KB1-KBn)
13. Method according to one of the claims 9 to 12, characterized in that the said pointer (K,) comprises a series of digits, the positions and values of which indicating an element's position in the array (SA, SB, S'A, S'B).
14. Method according to one of the claims 9 to 13, characterized in that said pointer (K,) comprises a series of digits, the value of each of which indicating the positions of multiple elements in the array (SA, SB, SΑ, S'B).
15. Method according to one of the claims 9 to 14, characterized in that at least certain elements in said array (SA, SB) are used as segments (b1 - b8) of only one encryption key (KAi-KAn, KB1-KBn).
16. Method according to the preceding claim, characterized in that each element in said array (SA, SB) is used only once as a segment (b1-b8) of only one encryption key (KA╬╣-KAn, KB1-KBn).
17. Method according to one of the claims 9 to 15, characterized in that some elements in said array (SA, SB) are used as segments (b1-b8) of multiple encryption keys (K -KAΠ, KBι-KBn).
18. Method according to one of the claims 9 to 17, characterized in that said array (SA) is organized as a two-dimensional array, the number of elements in one of its dimensions being equal to the base of said certain number system.
19. Method according to one of the claims 9 to 18, characterized in that said certain number system is hexadecimal.
20. Module for use in terminal equipment connected to a communication network by inserting said module in a removable fashion into said terminal equipment, said module comprising a memory, characterized in that said memory contains an array (S'A) with a plurality of segments (b1-b8) of a plurality of encryption keys (KAi-KAn) used for end-to-end encryption of data exchanged with at least one value-added provider (2) via said communication network, each encryption key (KAi-KAn) comprising a series of digits of a certain number system, at least one of said segments being part of a particular said encryption key (KA,), said at least one of said segments being specified by a pointer ( ).
21. Module according to the preceding claim, characterized in that it further comprises processing means to determine the encryption key (KAι) used by a said value-added provider (2) to encrypt data transmitted via said communication network, by using a said pointer (K,) contained in a field (102) of the said transmitted data (10), said pointer (K,) specifying elements of the said array (SΑ) containing the said segments (b1-b8) of the said encryption key (KAι), and by assembling these said segments (b1-b8).
22. Module according to one of the claims 20 to 21 , characterized in that each of the said segments (b1-b8) is of equal size and comprises at least two digits of a said encryption key (KA╬╣-KAn).
23. Module according to one of the claims 20 to 22, characterized in that it contains additional said arrays (S'A) prepared by at least one other trusted third party (1 ).
24. Module according to one of the claims 20 to 23, characterized in that it further comprises means to determine the array (S'A) containing the set of encryption keys (KA╬╣-KAn) prepared by the trusted third party (1 ) indicated in a field (101 ) of the received data (10).
25. Module according to one of the claims 20 to 24, characterized in that it further comprises means to receive said arrays (S'A) from said trusted third parties (1 ) in special messages transmitted via said communication network, and to store the received arrays (SΑ) in said memory.
26. Module according to one of the claims 20 to 25, characterized in that the said pointer ( ) comprises a series of digits, the positions and values of which indicate an element's position in the array (S'A).
27. Module according to one of the claims 20 to 26, characterized in that said pointer (Kj) comprises a series of digits, the value of each of which indicates the positions of multiple elements in the array (S'A).
28. Module according to one of the claims 20 to 27, characterized in that at least certain elements in said array (S'A) are used as segments (b1 -b8) of only one encryption key (KAI-KAΠ).
29. Module according to the preceding claim, characterized in that each element in said array (S'A) is used only once as a segment (b1-b8) of only one encryption key ( M-KAΠ)-
30. Module according to one of the claims 20 to 28, characterized in that some elements in said array (S'A) are used as segments (b1-b8) of multiple encryption keys (KA╬╣-KAn)-
31. Module according to one of the claims 20 to 30, characterized in that said array (S'A) is organized as a two-dimensional array, the number of elements in one of its dimensions being equal to the base of said certain number system.
32. Module according to one of the claims 20 to 31 , characterized in that said certain number system is hexadecimal.
PCT/EP1998/005906 1997-10-07 1998-09-16 Method for exchanging encrypted data via a communication network, corresponding method for storing and managing the encryption keys used, and module storing these encryption keys WO1999018692A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU97446/98A AU9744698A (en) 1997-10-07 1998-09-16 Method for exchanging encrypted data via a communication network, corresponding method for storing and managing the encryption keys used, and module storing these encryption keys

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US6131397P 1997-10-07 1997-10-07
US60/061,313 1997-10-07
EP98810398 1998-05-04
EP98810398.2 1998-05-04

Publications (1)

Publication Number Publication Date
WO1999018692A1 true WO1999018692A1 (en) 1999-04-15

Family

ID=26151917

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP1998/005906 WO1999018692A1 (en) 1997-10-07 1998-09-16 Method for exchanging encrypted data via a communication network, corresponding method for storing and managing the encryption keys used, and module storing these encryption keys

Country Status (2)

Country Link
AU (1) AU9744698A (en)
WO (1) WO1999018692A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007121587A1 (en) * 2006-04-25 2007-11-01 Stephen Laurence Boren Dynamic distributed key system and method for identity management, authentication servers, data security and preventing man-in-the-middle attacks

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2681165A1 (en) * 1991-09-05 1993-03-12 Gemplus Card Int Process for transmitting confidential information between two chip cards
US5574785A (en) * 1994-05-31 1996-11-12 Fujitsu Limited Enciphered communication system
WO1997016902A2 (en) * 1995-11-02 1997-05-09 Tri-Strata Security, Inc. Unified end-to-end security methods and systems for operating on insecure networks
WO1997024831A1 (en) * 1995-12-29 1997-07-10 Mci Communications Corporation Multiple cryptographic key distribution
WO1998020645A2 (en) * 1996-11-05 1998-05-14 Tri-Strata Security, Inc. Improved tri-signature security architecture systems and methods

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2681165A1 (en) * 1991-09-05 1993-03-12 Gemplus Card Int Process for transmitting confidential information between two chip cards
US5574785A (en) * 1994-05-31 1996-11-12 Fujitsu Limited Enciphered communication system
WO1997016902A2 (en) * 1995-11-02 1997-05-09 Tri-Strata Security, Inc. Unified end-to-end security methods and systems for operating on insecure networks
WO1997024831A1 (en) * 1995-12-29 1997-07-10 Mci Communications Corporation Multiple cryptographic key distribution
WO1998020645A2 (en) * 1996-11-05 1998-05-14 Tri-Strata Security, Inc. Improved tri-signature security architecture systems and methods

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
TSUROMU MATSUMOTO: "INCIDENCE STRUCTURES FOR KEY SHARING - EXTENDED ABSTRACTS -", ADVANCES IN CRYPTOLOGY - ASIACRYPT '94, 4TH. INTERNATIONAL CONFERENCE ON THE THEORY AND APPLICATIONS OF CRYPTOLOGY, WOLLONGONG, AUSTRALIA, NOV. 28 - DEC. 1, 1994 PROCEEDINGS, no. CONF. 4, 28 November 1994 (1994-11-28), PIEPRZYK J;SAFAVI-NAINI R (EDS ), pages 342 - 353, XP000527602 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007121587A1 (en) * 2006-04-25 2007-11-01 Stephen Laurence Boren Dynamic distributed key system and method for identity management, authentication servers, data security and preventing man-in-the-middle attacks
US9166782B2 (en) 2006-04-25 2015-10-20 Stephen Laurence Boren Dynamic distributed key system and method for identity management, authentication servers, data security and preventing man-in-the-middle attacks

Also Published As

Publication number Publication date
AU9744698A (en) 1999-04-27

Similar Documents

Publication Publication Date Title
US5402490A (en) Process for improving public key authentication
KR102241255B1 (en) Method for managing communication between server and user equipment
CN101035146B (en) Wireless communication device, MAC address management system, wireless communication method, and program
US5249230A (en) Authentication system
EP1452027B1 (en) Access to encrypted broadcast content
US4484025A (en) System for enciphering and deciphering data
US5889861A (en) Identity confidentiality method in radio communication system
US8265282B2 (en) Method of and system for secure management of data stored on electronic tags
US20040030906A1 (en) System and method for SMS authentication
US8254570B2 (en) Method and system for encryption of data
EP1048181B1 (en) Procedure and system for the processing of messages in a telecommunication system
EP1495409B1 (en) Method and system for distribution of encrypted data in a mobile network
US20120002810A1 (en) Short message service cipher
WO2006034399A2 (en) Secure software execution such as for use with a cell phone or mobile device
IL140367A (en) Device, system and method for secure communication and access control
EP1040630A1 (en) Data communications
EP0781427B1 (en) Secure computer network
US6611194B1 (en) Method for inserting a service key in a terminal and devices for implementing said method
CN101223798B (en) Retrospective implementation of SIM capabilities in a security module
CN102369686A (en) Key information management method, content transmission method, key information management apparatus, license management apparatus, content transmission system, and terminal apparatus
WO1996008756A9 (en) Secure computer network
CN1826810B (en) Procedure for monitoring the usage of a broadcasted content
US11128455B2 (en) Data encryption method and system using device authentication key
CN113228720A (en) Method and apparatus for ensuring secure attachment in a size-constrained authentication protocol
KR20180000220A (en) Method providing secure message service and apparatus therefor

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AL AM AT AT AU AZ BA BB BG BR BY CA CH CN CU CZ CZ DE DE DK DK EE EE ES FI FI GB GE GH GM HR HU ID IL IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SK SL TJ TM TR TT UA UG US UZ VN YU ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW SD SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: KR

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: CA