Method for Exchanging Encrypted Data Via a Communication Network,
Corresponding Method for Storing and Managing the Encryption Keys
Used, and Module Storing these Encryption Keys
The present invention relates to a method for exchanging encrypted data via a communication network and to a corresponding method for storing and managing the encryption keys used. Specifically, the present invention relates to a method for exchanging encrypted data between value-added providers and their users via a communication network, such as a cellular radio network, e.g. the GSM-network, and to a corresponding method for storing and managing the encryption keys, used by a value-added provider for the end-to-end encryption of the exchanged data, the value of a particular encryption key being unknown to a key-assignment administrator.
Data encryption methods are known for encrypting data to be exchanged via a communication network, particularly, for mobile communication systems where data is transmitted via a radio path. In particular, a variety of security features are known from the Global System for Mobile Communication (GSM) as outlined in the GSM recommendations 02.09, concerning security aspects; GSM 02.17, concerning the subscriber identity module (SIM); GSM 03.20, concerning security-related network functions; and GSM 03.21, concerning security-related algorithms. Besides providing for authentication and confidentiality of the mobile subscriber identity, GSM further provides for confidentiality of the signaling data and user data, exchanged via the radio path between the mobile station and a base station. For this purpose, the SIM contains a ciphering key generating algorithm, which is used to compute a ciphering key based on a random number, received during the authentication process, and based on an individual subscriber identification key stored in the SIM. The ciphering key is calculated in the SIM and by the GSM network and may be used for encryption and decryption of data exchanged via the radio path. Using the generated ciphering key, the data is encrypted and decrypted by means of a stream cipher algorithm, which is implemented on the mobile station, outside the SIM.
Although user data can be kept confidential during its transmission via the radio path, a value-added provider has no guarantee that data exchanged with his users is kept private in the remaining portions of the communication network, for instance, it is kept private from the operator of the communication network. For the purpose of end-to-end encryption of user data, value-added providers using the communication network prefer their own private encryption keys. Consequently, this means that users in the communication network need to be provided with means to decrypt data from numerous value-added providers in the communication network.
It is an object of this invention to propose new and improved methods for exchanging encrypted data and for managing and storing encryption keys, the values of these keys remaining secret and being stored in a compact fashion.
According to the present invention, these objects are achieved particularly through the features of the characterizing portion of the independent claims. In addition, further advantageous embodiments follow from the dependent claims and the description.
In particular, these objects are achieved according to the invention in that at least one segment of the secret encryption key used to encrypt the exchanged data is stored in a secret array unknown to the value-added providers and their users, and in that a pointer to these segments in this array is concatenated with the encrypted data being exchanged. This is advantageous because an encryption key can be specified via the communication network without transmitting the encryption key itself.
Furthermore, these objects are achieved according to the invention in that compact sets of encryption keys are prepared by a trusted third party filling said array with equally sized segments of said encryption keys, in that at least one encryption key is assigned to a value-added provider by a key-assignment administrator communicating pointers to the trusted third party, each specifying a different set of array elements, and in that the values of the assigned encryption keys are determined by the trusted third party assembling the segments contained in the set of array elements specified by the pointer, so that a different encryption key is assembled for each one of the specified sets of array elements.
Preferably, different sets of encryption keys are prepared in different respective arrays for a plurality of different module manufacturers. The different arrays are transmitted securely to the respective module manufacturers, where they are stored by these module manufacturers in the memory of a plurality of modules. Consequently, a different encryption key is assembled by the trusted third party from the array of each module manufacturer, by assembling the segments from each of the respective arrays according to the specified set of array elements.
Preferably, each of the segments stored in the array is of equal size, and comprises at least two digits of an encryption key, so that with reference to one array element more than one digit of an encryption key can be identified.
Preferably, the array is organized as a two-dimensional array, the number of elements in one of its dimensions being equal to the base of the number system of the digits of the encryption keys. This has the advantage that the full value range of a digit of a pointer of the same number system as the encryption keys can be efficiently used to indicate the positions of elements in that dimension of the array.
Preferably, the pointers each comprise a series of digits, the positions and values of which indicate an element's position in the array. This has the advantage that the value of a digit of the pointer can be used to specify the position of an array element in one direction of the array, and the position of a digit within the pointer can be used to specify the position of the array element in the other direction of the array. In order to decrease the number of digits of the pointer even further, the value of each of its digits can be used to specify the positions of multiple elements in the array, the free choice of segments for an encryption key being thereby restricted, however.
To increase the security of an encryption key, certain or all array elements are preferably used only once as segments of only one encryption key. In order to increase the number of available encryption keys, certain array elements are preferably used as segments of multiple encryption keys, thus reducing the security of these encryption keys.
The arrays are preferably stored in the memory of modules, these modules being insertable in a removable fashion into terminal equipment connected to a communication network. Said modules preferably further comprise processing means to determine the encryption key used by a particular value-added provider to encrypt data transmitted via the communication network, by using the pointer concatenated with the encrypted data being exchanged.
An embodiment of the present invention is described below by way of example. The embodiment example is illustrated by means of the following appended figures:
Fig. 1 shows a block diagram illustrating the information exchange between a trusted third party, a key-assignment administrator, a module manufacturer, and a value-added provider.
Fig. 2 shows an example of an array with examples of segments of encryption keys and corresponding encryption keys and pointers.
Fig. 3 shows an example of a data string exchanged between a value-added provider and its users.
The reference number 1 in Fig. 1 indicates a trusted third party (TTP) who is responsible for preparing compact sets SA, SB of encryption keys KA1-KAn, respectively KB1-KBn, which are used by value-added providers 2 to encrypt/decrypt data exchanged with their users via a communication network, particularly a mobile telephone network, for instance a GSM, a DCS, or a UMTS network.
The encryption keys KAi, KAj, KBi illustrated in Fig. 2 are typically composed of a series of digits of a certain number system, for instance hexadecimal, and have a predefined length, for instance sixteen hexadecimal digits stored in eight consecutive bytes, b1-b8, b1 being the first byte and b8 being the last byte. They can be created, for instance, by random number generators appropriate for this purpose, which are known to a person skilled in the art. A whole encryption key KBi can be created as one unit, the segments b1-b8 of an encryption key KBi can be created one at a time, or a whole array SA can be created at once, as illustrated in Fig. 2 and corresponding to the set SA of encryption keys KA1-KAn shown in Fig. 1, filled with segments b1-b8 of numerous encryption keys KA1-KAn.
Segments of the encryption keys KA1-KAn, for instance a segment b1 with one byte comprising two hexadecimal digits, are stored in an array SA, unless of course, they have already been created in this array SA, as described above. Storing segments with two digits of an encryption key KA1-KAn in one element of the array SA has the advantage that with a reference to one array element, two digits of an encryption key KA1-KAn can be specified. In a variant, segments of more than two digits of an encryption key KA1-KAn are stored in the elements of an array.
As illustrated in Fig. 2, the array SA is preferably organized as a two-dimensional array SA with the number of elements in one of its dimensions, i.e. the number of rows or the number of columns, being equal to the base of the number system of the encryption keys KA1-KAn, in this example an array SA with sixteen rows. This has the advantage that the full value range of a digit of a pointer Ki, Kj, of the same number system as the encryption keys KA1-KAn, can be efficiently used to indicate the positions of elements in that dimension of the array SA. In our example, there are sixteen rows in the array SA corresponding to sixteen possible values of a hexadecimal digit of a pointer Ki, Kj.
The number of elements in the second dimension of the two-dimensional array SA, i.e. the number of columns, is chosen based on the length of the encryption keys KA1-KAn, the number of different encryption keys KA1-KAn to be stored in the array SA, and also the amount of memory space that is available to store the resulting array SA. Obviously, the number of rows could also be simply a result of choosing an overall size of the array SA, according to criteria set by a person skilled in the art, for instance a size that is practical as a standard record in a file. In our example, illustrated in Fig. 2, with encryption keys KA1-KAn having a key length of eight bytes and an array SA having sixteen rows, sixty-four different segments b1-b8 of one byte can be stored in four columns, or in an array SA of sixty-four bytes.
Without limiting the selection of specific elements from a sixty-four byte array as segments for an encryption key, it is possible to select 4,426,165,368 different encryption keys; obviously, many of these keys would share the same segments.
There are numerous ways of referencing individual segments stored in the array elements. For instance, if an encryption key KAi, illustrated in Fig. 2, comprises eight bytes, each byte being represented by a segment stored in an element of array SA, a corresponding pointer Ki could be composed in such a fashion that each of its bytes corresponds to a column, the value of each digit in these bytes indicating the row number of an element in the corresponding column. For instance, the first byte of KAi, with the value 'A1', would be represented by the first digit of the first byte of the pointer Ki having the value '1', thus pointing to the segment 'A1' in row r1 of column c1. In the same way, the second byte of KAi, with the value 'A2', would be represented by the second digit of the first byte of the pointer Ki having the value '2', thus pointing to the segment 'A2' in row r2 of column c1. By selecting two segments from each column, the second byte of the pointer Ki would refer to elements in column c2, and the third and fourth bytes of the pointer Ki would refer to elements in columns c3 and c4, respectively. Thus an encryption key KAi of eight bytes can be represented by a pointer Ki with four bytes pointing to eight segments in the array SA.
Other approaches resulting in even shorter pointers are also possible. For instance, one digit of a pointer could be used to point to multiple array elements. For example, the first digit of the pointer Kj, having the value 'A', points to the elements at rows rA and rB of column c1. In the same way, the second digit of the pointer Kj, having the value 'E', points to the elements at rows rE and rF of column c2. By selecting two segments from each column in consecutive rows, the third and fourth digits of the pointer Kj would refer to elements in columns c3 and c4, respectively. Thus an encryption key KAj of eight bytes can be represented by a pointer Kj with two bytes pointing to eight segments in the array SA. In another variant, not illustrated, a pointer of just one byte could point to all the elements in two rows of the array SA.
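The two pointer schemes described above can be worked through in code. The following is an added example, not part of the original specification: the array contents are constructed for illustration (only the segments 'A1' and 'A2' in rows r1 and r2 of column c1 follow the text), and all function names are hypothetical.

```python
# Added example: values are constructed, except 0xA1/0xA2 quoted in the text.
ROWS, COLS = 16, 4  # sixteen rows r0..rF, four columns c1..c4 (64 bytes)


def make_array():
    """Constructed stand-in for array SA (Fig. 2 itself is not reproduced)."""
    array = [[(17 * (r * COLS + c) + 3) % 256 for c in range(COLS)]
             for r in range(ROWS)]
    array[0x1][0] = 0xA1  # segment 'A1' in row r1 of column c1
    array[0x2][0] = 0xA2  # segment 'A2' in row r2 of column c1
    return array


def positions_full(pointer: bytes):
    """Four-byte pointer: byte k addresses column k, each digit is a row."""
    if len(pointer) != COLS:
        raise ValueError("full pointer must be four bytes")
    return [(int(d, 16), i // 2) for i, d in enumerate(pointer.hex())]


def positions_compact(pointer: bytes):
    """Two-byte pointer: digit k selects rows d and d+1 of column k.

    Row rF wraps around to r0, as the text assumes for its key count.
    """
    if len(pointer) * 2 != COLS:
        raise ValueError("compact pointer must be two bytes")
    out = []
    for col, d in enumerate(pointer.hex()):
        row = int(d, 16)
        out += [(row, col), ((row + 1) % ROWS, col)]
    return out


def assemble(array, positions) -> bytes:
    """Concatenate the one-byte segments found at the given (row, column)s."""
    return bytes(array[row][col] for row, col in positions)


def expand_compact(pointer: bytes) -> bytes:
    """Full four-byte pointer selecting the same elements as a compact one."""
    digits = "".join(f"{row:x}" for row, _ in positions_compact(pointer))
    return bytes.fromhex(digits)


if __name__ == "__main__":
    sa = make_array()
    k_i = bytes.fromhex("12345678")   # constructed full pointer Ki
    print("KAi =", assemble(sa, positions_full(k_i)).hex())
    k_j = bytes.fromhex("AE07")       # constructed compact pointer Kj
    print("Kj expands to", expand_compact(k_j).hex())
    print("KAj =", assemble(sa, positions_compact(k_j)).hex())
```

Every compact pointer has an equivalent full pointer, so a module that supports both schemes needs only one assembly routine.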
It should be noted that the values of the segments in these examples are completely arbitrary, and could have any other value depending only on the method by which they are created, as described above.
With the limitation that two segments are selected from each column of the sixteen-by-four array SA, it is possible to select (16*15)^4 = 3,317,760,000 different encryption keys. With the limitation that two consecutive segments are selected from each column of the sixteen-by-four array SA (assuming row rF and r0 are considered consecutive), it is possible to select 16^4 = 65,536 different encryption keys. Obviously, many of these keys would share the same segments, as there are only eight unique eight-byte encryption keys in an array SA with sixty-four bytes. Handling of this limitation will be discussed in more detail later in this description.
In another example, not illustrated, twice as many equal segments b1-b8 could be stored in an array with sixteen rows and eight columns. In such an array, an encryption key KBi with eight segments b1-b8, with one byte each, could be represented by a four-byte pointer, each one of its eight digits pointing to a respective element in the row corresponding to the value of the digit and in the column corresponding to the position of the digit within the pointer. Such an array, assuming encryption keys with one segment per column, would provide the possibility of 16^8 = 4,294,967,296 different encryption keys, of which only sixteen are unique keys, not sharing any segments with other keys.
As was described above, a trusted third party (TTP) 1 is responsible for preparing the compact sets SA, SB of encryption keys KA1-KAn, respectively KB1-KBn, which are used by value-added providers (VAP) 2 to encrypt/decrypt data exchanged with their users. Preferably, encryption keys are assigned to a VAP 2 by a key-assignment administrator 5, who is kept unaware of the particular value of the assigned encryption key. The key-assignment administrator 5 assigns an encryption key KAi, illustrated in Fig. 2, to a VAP 2 by selecting a pointer Ki which has not yet been assigned. For that purpose, he is preferably provided with a key selection software program which has access to a database 51 where, for instance, assignments of pointers to VAP's 2 are being logged for specific TTP's 1. For instance, the key selection software program shows for a particular TTP 1 the pointers Ki, Kj to the array SA that are still unassigned. Furthermore, the key selection software program can, for example, also indicate how many segments b1-b8 an encryption key KAi, KBi, corresponding to a particular pointer Ki, is sharing with encryption keys that have already been assigned, so that different rates can be charged for encryption keys with different security levels, i.e. different numbers of shared segments. Preferably, certain segments of the array, for example rows r0 to r7 of array SA, are reserved for use as highly secure and/or fully independent encryption keys, while other segments can be freely shared among encryption keys. In our example with a sixteen-by-four array SA, encryption keys with eight bytes, and two of eight segments stored in each column, four fully independent encryption keys, not sharing any segments with any other encryption keys, could be selected from the reserved rows r0 to r7, while (8*7)^4 = 9,834,496 different encryption keys could be selected from the remaining rows.
Respective key selection software programs can be implemented easily by a person skilled in the art. The assignment of a pointer Ki to a VAP 2 is communicated by the key-assignment administrator 5, as indicated by arrow 9, to the respective TTP 1. This can preferably be accomplished in that the above-mentioned key selection software communicates directly to another key assembly software program of the TTP 1, possibly running on the same computer or on a computer connected through a communication network, in which case the communication is preferably performed in a secure fashion, or in that an electronic or paper message is automatically or manually sent to the TTP 1, where it is handled by entering the received relevant information, preferably into a key assembly software program of the TTP 1.
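A sketch of how such a key selection program could operate on pointers alone, without ever seeing the array contents, is given here as an added example that is not part of the original specification. The class and function names are hypothetical, the pointers are written as eight hexadecimal digits, and the rules that a pointer may not select the same element twice and that reserved segments are never shared are assumptions derived from the counts and the reserved-row scheme stated above.

```python
from itertools import permutations

COLS = 4
RESERVED_ROWS = range(0x0, 0x8)  # rows r0..r7, reserved per the text


def elements(pointer: str):
    """Map an 8-digit hex pointer to the (row, column) elements it selects.

    Digit pair k addresses column k. Selecting one element twice is refused,
    matching the text's count of 16*15 ordered row pairs per column.
    """
    if len(pointer) != 2 * COLS:
        raise ValueError("pointer must have eight hex digits")
    elems = [(int(d, 16), i // 2) for i, d in enumerate(pointer)]
    if len(set(elems)) != len(elems):
        raise ValueError("pointer selects the same element twice")
    return elems


class AssignmentLog:
    """Hypothetical stand-in for database 51: pointer -> VAP, no key values."""

    def __init__(self):
        self.assigned = {}

    def shared(self, pointer: str):
        """Elements of `pointer` already used by an assigned key."""
        used = {e for p in self.assigned for e in elements(p)}
        return [e for e in elements(pointer) if e in used]

    def assign(self, pointer: str, vap: str) -> int:
        """Log the assignment; return the number of shared segments."""
        pointer = pointer.upper()
        if pointer in self.assigned:
            raise ValueError("pointer already assigned")
        shared = self.shared(pointer)
        if any(row in RESERVED_ROWS for row, _ in shared):
            raise ValueError("reserved segment already belongs to a key")
        self.assigned[pointer] = vap
        return len(shared)


def keys_outside_reserved_rows() -> int:
    """Pointers that stay in rows r8..rF: ordered row pairs per column ** 4."""
    pairs = len(list(permutations(range(0x8, 0x10), 2)))  # 8 * 7 = 56
    return pairs ** COLS


if __name__ == "__main__":
    log = AssignmentLog()
    for p in ("01010101", "23232323", "45454545", "67676767"):
        print(p, "shares", log.assign(p, "VAP (constructed)"), "segments")
    print("89898989 shares", log.assign("89898989", "VAP (constructed)"))
    print("8A8A8A8A shares", log.assign("8A8A8A8A", "VAP (constructed)"))
    print(keys_outside_reserved_rows(), "keys outside the reserved rows")
```

The number returned by `assign` is the shared-segment count that the text proposes as the basis for different rates.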
As is illustrated in Fig. 1, the TTP 1 prepares compact sets SA, SB of encryption keys KA1-KAn, respectively KB1-KBn, the different sets SA, SB preferably being transmitted securely to different module manufacturers 3 and 4, respectively, as is indicated by the arrows 7 and 8, respectively, where they are stored safely in the corresponding arrays S'A and S'B, respectively. The module manufacturers 3 and 4 embed their arrays S'A and S'B securely into their respective modules, for instance an identification card such as the SIM-card used in mobile equipment, for example in mobile telephones, laptop or palmtop computers. This is done in a fashion known to a person skilled in the art, so that the arrays S'A and S'B cannot be read from the modules by their users. In a variant, the arrays S'A and S'B are loaded into the modules by means of special short messages, such as SMS short messages or as USSD data, transmitted, for instance by the trusted third party 1, via the communication network to the user's terminal equipment, where it is received and handled by special services implemented in the module according to the SICAP method, described in EP 689 368 B1, or according to a similar method. This latter variant could be executed at the time of personalization of the module or at the time when a user subscribes to or uses the services of a respective VAP 2 for the first time.
The pointer Ki, assigned to a VAP 2 and communicated by the key-assignment administrator 5 to the respective TTP 1, as described above, is used by the TTP 1, preferably by means of the mentioned key assembly software program, to assemble the corresponding segments b1-b8 stored in the arrays SA and SB, assigned to the respective module manufacturers 3 and 4. The resulting encryption key KAi, composed of segments stored in the elements of the array SA corresponding to the pointer Ki, and the encryption key KBi, composed of segments stored in the elements of the array SB corresponding to the pointer Ki, are transmitted securely (for instance, by using TTP- or PTP-services or by normal mail), as indicated by arrow 6, to the VAP 2, together with the pointer Ki. The VAP 2 securely stores, for instance in a protected database 21, the received encryption keys KAi and KBi, for use with users equipped with modules manufactured by module manufacturer 3 and 4, respectively, together with the pointer Ki.
End-to-end encryption of user data exchanged between a VAP 2 and its users is achieved in that the communication software installed at the VAP 2, having access to the encryption keys KAi and KBi and the corresponding pointer Ki, encrypts user data by means of an encryption algorithm, for instance the Digital Encryption Standard (DES) or any other algorithm found suitable by a person skilled in the art, and by using the appropriate encryption keys KAi or KBi for communicating with users equipped with modules manufactured by the manufacturer 3 or 4, respectively. As is illustrated in Fig. 3, the encrypted user data 104 is concatenated with a field 102, containing the pointer Ki, an optional field 103, indicating the length, i.e. the number of bytes, of the encrypted user data 104, and an optional field 101, identifying the algorithm used to encrypt the user data and identifying the trusted third party 1 responsible for the encryption keys used. It should be noted that the order of the fields given in this example could be altered if this was desired for practical reasons by a person skilled in the art. The encrypted and concatenated data 10 is subsequently transmitted via a communication network, for example a mobile telephone network, such as a GSM, a DCS, or a UMTS network, for instance by means of SMS short messages or as USSD data.
At the receiving end, the data 10 is received by the respective user's terminal equipment connected to the network, for instance a mobile telephone, a palmtop or laptop computer. Special software in the terminal equipment, either implemented as part of the terminal equipment or as part of a module inserted in a removable fashion in the terminal equipment, for instance an identification card, e.g. a SIM-card, determines the algorithm used to encrypt the user data, the trusted third party 1 responsible for the encryption keys used, the pointer Ki to the particular encryption key used, and the number of bytes of encrypted user data from the values in the separate respective fields 101, 102, and 103 of the received data 10. Based on the pointer Ki, the encryption key KAi or KBi is assembled from the segments b1-b8 stored in the corresponding elements of the array S'A or S'B, which are securely stored in the module manufactured by the module manufacturer 3 or 4, respectively. The encrypted user data 104 in the received data 10 is then decrypted, using the assembled encryption key KAi or KBi, by means of the appropriate specified decryption algorithm, which can be implemented in the module or in the terminal equipment itself.
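The exchange of the data string 10 between the VAP and the module can be illustrated as follows. This is an added example, not part of the original specification: the field widths (two bytes for field 101, four for field 102, one for field 103), the identifier values, the array contents and all function names are assumptions, and a SHA-256 based XOR keystream stands in for DES purely so that the example runs with the standard library.

```python
import hashlib

ALG_STANDIN = 0x01      # assumed algorithm identifier (field 101)
TTP_ID = 0x01           # assumed trusted-third-party identifier (field 101)
HEADER_LEN = 2 + 4 + 1  # fields 101 (2 bytes), 102 (4 bytes), 103 (1 byte)


def make_array(label: bytes):
    """Constructed 16x4 array of one-byte segments (stand-in for S'A)."""
    raw = (hashlib.sha256(label + b"/1").digest()
           + hashlib.sha256(label + b"/2").digest())
    return [list(raw[r * 4:r * 4 + 4]) for r in range(16)]


def assemble(array, pointer: bytes) -> bytes:
    """Digit pair k of the pointer addresses column k; each digit is a row."""
    return bytes(array[int(d, 16)][i // 2] for i, d in enumerate(pointer.hex()))


def standin_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 keystream. Stand-in for DES, demonstration only."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def vap_send(key: bytes, pointer: bytes, user_data: bytes) -> bytes:
    """VAP side: uses its stored key; only the pointer goes on the wire."""
    if len(pointer) != 4 or len(user_data) > 255:
        raise ValueError("pointer must be 4 bytes, data at most 255 bytes")
    encrypted = standin_cipher(key, user_data)
    header = bytes([ALG_STANDIN, TTP_ID]) + pointer + bytes([len(encrypted)])
    return header + encrypted


def module_receive(frame: bytes, array) -> bytes:
    """Module side: parse fields 101-104, assemble the key, decrypt."""
    if len(frame) < HEADER_LEN:
        raise ValueError("frame shorter than its header")
    algorithm, ttp = frame[0], frame[1]
    pointer, length = frame[2:6], frame[6]
    encrypted = frame[HEADER_LEN:]
    if (algorithm, ttp) != (ALG_STANDIN, TTP_ID):
        raise ValueError("unknown algorithm or trusted third party")
    if length != len(encrypted):
        raise ValueError("length field does not match the encrypted data")
    return standin_cipher(assemble(array, pointer), encrypted)


if __name__ == "__main__":
    s_a = make_array(b"constructed array SA")  # held by TTP and module only
    k_i = bytes.fromhex("12345678")            # constructed pointer Ki
    ka_i = assemble(s_a, k_i)                  # assembled by the TTP for the VAP
    frame = vap_send(ka_i, k_i, b"constructed user data")
    print(frame.hex())
    print(module_receive(frame, s_a))
```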
In a response to the VAP 2, data will be encrypted by the terminal equipment, either by an appropriate program in the module or as part of the terminal equipment itself, using the same algorithm and encryption key as used by the VAP 2, and by structuring the data preferably in the same fashion as it was received from the VAP 2. The communication software implemented at the VAP 2 will consequently handle the data received from a user in a similar fashion as described above; however, it will not have to assemble the encryption keys KAi or KBi as they are stored in the database 21, accessible to the communication software.
In order for the VAP 2 to select the encryption key KAi or KBi, it must be provided with information concerning the identity of the manufacturer of the modules 3 or 4 used in the user's terminal equipment. This information can be obtained by polling respective information off the module, inserted in the terminal equipment of the user, by means of special messages via the communication network (for instance according to the SICAP method, described in EP 689 368 B1, or according to a similar method) or by making a respective inquiry via the communication network to the network operator, or by keeping respective information in a local database accessible to the VAP 2.
Although in the description above all segments b1-b8 of an encryption key KAi, KBi are represented by the pointer exchanged via the communication network, it should be noted that it is thoroughly possible to have only some or one segment of an encryption key represented by the exchanged pointer. In such an approach, the remaining portion of an encryption key could be securely stored in the memory of the module, or it could be exchanged together with the encrypted data. It should also be stated that the segments do not need to be of equal size.
In a variant of the present invention, the encryption keys used for the encryption of data exchanged during a session between a VAP 2 and a user can be changed during this session. This will be transparent to the receiving end, as there will simply be another pointer in the corresponding field 102 concatenated with the encrypted data 104, based on which the new encryption key, to be used for the decryption of the data 104, can easily be determined as described above.
As indicated earlier, encryption keys can be assigned and communicated to VAP's 2 for a fee, which may depend on the security of the particular key. A VAP 2 may also be provided with multiple keys from one array. In a scenario where multiple arrays are required in the same module, it is possible to distinguish these arrays by means of corresponding array identifiers, which would be communicated to a VAP 2 together with the corresponding encryption key and pointer. Furthermore, these identifiers would be included in the transmitted data, so that at the receiving end the encryption keys could be determined from the corresponding array, as described above.