WO2000028493A1 - A method of encryption and apparatus therefor

Info

Publication number: WO2000028493A1
Authority: WO (WIPO, PCT)
Application number: PCT/SG1998/000088
Inventor: Teow Hin Ngair
Original assignee: Kent Ridge Digital Labs
Other languages: French (fr)
Other versions: WO2000028493A8 (en)
Related family publications: AU1184499A, EP1129436A1, WO2000028493A8
Prior art keywords: token, signature, user data, symmetric key, data

Classifications

    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1008Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/341Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4014Identity check for transactions
    • G06Q20/40145Biometric identity checks
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/409Device specific authentication in transaction processing
    • G06Q20/4097Device specific authentication in transaction processing using mutual authentication between devices and transaction partners
    • G06Q20/40975Device specific authentication in transaction processing using mutual authentication between devices and transaction partners using encryption therefor
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means

Definitions

  • The bank computer 60 then performs a public key operation using the document transaction signature, the user's public key, the smartcard signature and the document, to verify the document transaction signature.
  • The bank then generates the hash function fingerprint h(D) of the document.
  • The smartcard signature S(R), card serial number CSN and the hash function fingerprint h(D) are then sent to the SAM 70, which performs the symmetric encryption operation on h(D) using the symmetric key it holds and CR (CR') from the card signature, and compares the result with S (S') from the card signature to determine if the signature came from the card identified by the card serial number. If so, an indication is given to the bank computer 60, thus providing a verification that the transaction was conducted with the physical presence of the card 10.
  • h(D) is longer than the 8-byte number R needed for generating the smart card signature.
  • h(D) can be split into 8-byte blocks h(D)_1, ..., h(D)_m (discarding any incomplete trailing block), with each block being processed independently. These processed blocks are then concatenated so that the transaction signature is modified to p(h(D || S(h(D)_1) || ... || S(h(D)_m))).
  • Each block can be processed to form a concatenated signature S' as discussed above.
  • The loop count 2a-2f above for each S' can be correspondingly reduced to balance between security and data length.
  • A variation of the method using the following steps can prevent such an attack, by providing a means for the smartcard to encrypt an input related to the signature with the card's session key:
  • A cryptogram can be generated from the MPCOS card that assures that the digital transaction signature is generated during the same session as the last SELFK command used to create the smartcard signature, using the following steps:
  • The value read in step 5 is added to the digital transaction signature.
  • The SAM 70 then checks the encrypted value m as part of the smartcard signature verification routine. With this enhancement, a positive verification by the SAM 70 securely indicates that the public key signature was indeed generated during one single smart card session.
  • The embodiment described is not to be construed as limitative.
  • The invention is applicable to kinds of tokens other than smartcards, such as a PCMCIA token.
  • The token signature generating method can be used on its own or with other encryption or digital signing techniques, not limited to public/private key operations for digital transaction signature generation as described.

Abstract

A method of encryption for creating token bound output data from user data using a symmetric key capable token is disclosed, said method comprising the steps of providing the user data or a representation thereof as an input to a symmetric key operation supported by the token, retrieving the output of the symmetric key operation as the token signature; and combining the token signature with the user data to generate the token bound output data. Preferably the output data is used as an input parameter to a private key signature generation operation, to form a private key signature for the user data.

Description

A METHOD OF ENCRYPTION AND APPARATUS THEREFOR
BACKGROUND AND FIELD OF THE INVENTION
This invention relates to a method of encryption and apparatus therefor, particularly for use with a token such as a smart card.
Smart cards, which contain onboard memory and computer processing ability, are known. One application for such smart cards is for use as tokens for electronic transactions, particularly in the banking sector. The card is used to "sign" a transaction digitally so that the instructed party (a bank in a funds transfer operation, for example) knows that the transaction is instructed by the holder of the card.
Such a transaction begins with the holder inserting the card into a suitable reader connected to a computer terminal in communication with the bank via a telephone line or the internet. The use of a PIN known only to the holder grants initial access by the holder to the functions provided by the bank to the card holder. The holder can then instruct a transaction and the transaction is authenticated by a public/private key operation using the card. The card provides this by holding a private key of the holder and digitally signing the data. Subsequent verification by the bank using the holder's public key will identify that the digitally signed instruction came from the holder's card unambiguously.
A disadvantage of transactions such as this is that current smart cards only have limited onboard processing power and since a private key operation requires high computational power, it is not feasible to provide the private key operation for the transaction in the card itself. Instead, this is performed by the terminal to which the card reader is connected. This requires that the private key be provided by the card to the terminal so that the operation may be performed. Once the private key has left the card, however, the security provided by the card will be at risk since the private key may be intercepted or copied. Once this has occurred, it is possible for the holder to be impersonated, since the private key relied upon for authentication of the transaction has been compromised.
It is an object of the invention to alleviate this disadvantage of the prior art.
SUMMARY OF THE INVENTION
According to the invention in a first aspect, there is provided a method of encryption for creating token bound output data from user data using a symmetric key capable token, said method comprising the steps of a. providing the user data or a representation thereof as an input to a symmetric key operation supported by the token, b. retrieving the output of the symmetric key operation as a token signature; and c. combining the token signature with the user data or representation to generate the token bound output data.
Preferably said representation is a fingerprint of the user data, most preferably generated using a hash function.
The method may further comprise the step of generating a session key for each symmetric key operation, and the session key may be generated by modifying a symmetric key stored in the token with a random number.
If a session key is employed, steps (a) and (b) may be conducted recursively and the respective token signatures combined as a single combined token signature, and/or the method may further comprise the steps of: (i) processing the output data to generate a further input related to the output data; (ii) applying steps (a) and (b) to the further input to create a session bound output; (iii) combining the session bound output with the token bound output.
The user data or representation may also be split into a plurality of blocks and separate token signatures are generated for each block, the token signatures being all combined with the user data or representation to generate the token bound output data.
Preferably the output data is used as an input parameter to a private/public key signature generation operation, to form a private/public key signature for the user data.
The invention further provides a method of verifying token bound output data created by the above method by regenerating the token signature using the symmetric key to verify the token, the symmetric key preferably being held by a secure access module at a remote location.
According to the invention in a second aspect, there is provided a method of generating a private key signature in respect of user data using a token, the token having stored therein a private key and a symmetric key, the method comprising the steps of: a. providing the user data or a representation thereof as an input to a symmetric key operation supported by the token; b. retrieving the output of the symmetric key operation as a token signature; c. combining the token signature with the user data to generate token bound output data; and d. providing the output data as an input parameter to a private key signature generation operation, to form a private key signature for the user data.
The method of the second aspect may further comprise the steps of using a signature verification operation to verify the token bound output data and re-generating the token signature using the symmetric key to verify the token.
The invention extends to apparatus for performing the above methods.
According to the invention in a third aspect, there is provided a token for an electronic transaction, the token supporting a symmetric key operation to generate a token signature from input data. Preferably, the token further stores a private key for a digital transaction signature operation and is embodied as a smartcard.
In the described embodiment, on-line symmetric key authentication of the smart card by a Secure Access Module is employed on top of a private/public key system. The former binds the transaction to the physical smart card that the user is holding. Thus, a two-layer security system is provided in which basic transaction-related operations are protected by the private/public key system and the symmetric key encryption binds these operations with the user's smart card. Hence, as long as at least one of these two security schemes is not compromised, the resulting signature operation remains secure.
BRIEF DESCRIPTION OF THE DRAWING
An embodiment of the invention will now be described, by way of example, with reference to accompanying Figure 1 which is a schematic diagram of the main structural elements involved in an electronic transaction using the embodiment of the invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
In the following detailed description, reference is made to a specific application of the invention using a Gemplus MPCOS (Multi Payment Card Operating System) smartcard and to use of existing features of this card to provide enhanced cryptographic security. It will be appreciated, however, that the invention is equally applicable for use with other smartcards and tokens generally.
With reference to Figure 1, a Gemplus MPCOS smartcard 10 is shown. The smartcard includes an onboard processor and memory chip 20 connected to data input/output terminals 30. The smartcard 10 is insertable in a reader 40 which includes contacts (not shown) which engage the terminals 30 thus allowing the card to communicate through the reader 40. The reader 40 is connected to a computer terminal 50 which is in turn connectable via a direct dial-in connection or via the internet to an entity to be instructed, for example an on-line computer 60 at a bank.
The bank's computer 60 is further connectable to a Secure Access Module (SAM) 70 which stores at least one symmetric key also held by the card 10 as described hereinafter. The SAM 70 may be present in the Bank itself or may be held by a trusted third party.
The smartcard 10 of the embodiment of the invention stores not only a private key for electronic transaction use but also a symmetric key, such as a triple DES key, for a symmetric encryption operation. The symmetric key is used in the embodiment of the invention to encrypt transaction dependent information which then forms part of the public/private key operation described with reference to the prior art. Since symmetric encryption requires relatively less computational power, this encryption can be conducted by the card processor, so that the symmetric key need never leave the card and thus its security is not compromised.
Using this technique, cryptographic binding of the smartcard to the private key stored therein can be achieved by injecting a smartcard "signature" into the transaction, based on the symmetric key held by the card. One method of creating such a smartcard signature for a MPCOS Smartcard is via the SELFK command using a card specific key K. More information on this secure messaging command may be found in the Gemplus "MPCOS-3DES Reference Manual".
A generic smartcard signature generation operation using SELFK command has the following steps:
1. The terminal software generates an 8-byte number R, which is essentially random, such as a hash value of user data.
2. The terminal sends the command SELFK (R, Kindex) to the MPCOS card to generate a card signature, where Kindex indicates the secret symmetric key K held by the card to be used for encryption (the card may have several keys, each having a different Kindex) .
3. Upon receipt of the instruction, the MPCOS card generates an 8-byte random number CR. The MPCOS card then computes a session key TK = 3DES(CR, K), by applying a triple DES operation to CR using K, and generates an encrypted output signature S = 3DES(R, TK), by applying a triple DES operation to R using the session key TK.
4. The terminal retrieves both the smartcard signature S and card random number CR. To verify the signature S based on R and CR, the bank sends these values together with the card serial number (CSN) and Kindex to the SAM 70 which securely holds the symmetric keys associated with the card to re-compute the value of S. If the two S values do match, the bank can be sure that the MPCOS card with the CSN serial number is indeed present. To prevent misuse, the comparison of the S values should only be done in the SAM 70 itself. The comparison result is then output to the bank computer 60.
To achieve this verification, the SAM 70 needs to store the card specific key K. Since many keys for different cards 10 will need to be stored, the SAM 70 may hold a master key, from which all the specific keys K can be derived. The SAM 70, however, needs to be held in a secure environment, for example in the data centre of the bank or other secure premises and guarded with a sound and secure policy.
In actual implementation, the MPCOS card only outputs the 4 least significant bytes of S as a security measure. Therefore, only the 4 least significant bytes are sent by the terminal 50 and compared by the SAM 70. However, 4 bytes of signature S may not provide sufficient security strength to prevent an exhaustive search attack. The signature algorithm is preferably, therefore, extended as follows:
1. The terminal software generates the number R.
2. Loop for j from 1 to n, do 2a-2f.
2a. The terminal sends the command SELFK (R, Kindex) to the MPCOS card.
2b. The MPCOS card generates an 8-byte random number CR.
2c. The MPCOS card computes TK = 3DES(CR, K) and outputs S = 3DES(R, TK).
2d. The terminal retrieves both the 4-byte output value S and the 8-byte card random number CR.
2e. The terminal concatenates S to an initially empty buffer S', and similarly concatenates CR to an initially empty buffer CR'.
2f. Loop back to 2a with R now set to the hash-function-derived value H(R || S || CR), where || represents concatenation.
Using the above algorithm, the cryptogram S' has a length of 4n bytes, chosen through the number of iterations n, and can be used as the MPCOS card signature of the input value R. The signature S' is notionally divided into n four-byte elements, with n corresponding eight-byte elements of the random number CR'.
To provide the required verification, the SAM 70 repeats the algorithm using the initial input R, the elements of CR' and the hash function H to regenerate and check each element of S'. For commercial grade security, S' should preferably have a length of at least 128 bits; this is achieved by setting the loop count n in step 2 to 4 (4 × 4 bytes). For the hash function H used in step 2f, the implementation may make use of the latest advances in hash function technology. In particular, use could be made of the HMAC algorithm (Internet RFC 2085, 2104 and 2202) or of the simultaneous use of both MD5 and SHA in the Secure Sockets Layer protocol (SSL v3). (MD5 and SHA-1 are no longer considered collision resistant; a current implementation would use a SHA-2 or later hash function.)
For convenience the smart card signature (S, CR) or (S' , CR' ) generated by the smart card using the above method will hereinafter be referred to as S(R) where R is the input value.
The smartcard signature is applied to a transaction as follows:
In an electronic transaction, a digital transaction signature is required to verify the user requesting the transaction. The digital transaction signature usually consists of applying a private key operation p to the hash value h(D) of a document D (h(D) being the input value R referred to above), such a signature being denoted p(h(D)). To make sure that p is applied in the presence of the appropriate smart card, the transaction signature is modified to p(h(D || S(h(D)))) or p(h(D || S'(h(D)))). That is, instead of applying the private key operation to the fingerprint of the document directly, it is applied to the hash function fingerprint of the concatenation of the document and the smart card signature of the document. As in the prior art, the smartcard does not have sufficient computing power to perform the private key operation. The private key is therefore output from the card to the terminal 50, which computes the private key operation to generate the digital transaction signature and sends it to the bank computer 60 together with the document, the token signature, the card serial number (CSN) and Kindex.
The bank computer 60 then performs a public key operation using the transaction signature, the user's public key, the smartcard signature and the document to verify the transaction signature. The bank then generates the hash function fingerprint h(D) of the document. The smartcard signature S(R), the card serial number CSN and the fingerprint h(D) are sent to the SAM 70, which performs the symmetric encryption operation on h(D) using the symmetric key it holds and CR (or CR') from the card signature, and compares the result with S (or S') from the card signature to determine whether the signature came from the card identified by the CSN. If so, an indication is given to the bank computer 60, providing verification that the transaction was conducted with the physical presence of the card 10.
Usually, the length of h(D) is longer than the 8-byte number R needed for generating the smart card signature. To use the whole of h(D) and further increase the security strength of the smart card signature, h(D) can be split into 8-byte blocks h(D)_1, ..., h(D)_m (discarding any incomplete trailing block), with each block being processed independently. The processed blocks are then concatenated so that the transaction signature becomes p(h(D || S(h(D)_1) || ... || S(h(D)_m))).
Each block can be processed to form a concatenated signature S' as discussed above. The loop count 2a-2f above for each S' can be correspondingly reduced to balance between security and data length.
To verify a digital signature generated as above it is necessary to transmit the additional values S and CR (or S' and CR') for each element S(h(D)_1) to S(h(D)_m) of the smart card signature. The verification application of the bank computer 60 then checks each S(h(D)_i) (i = 1 to m) against the pair h(D)_i and CR_i, using the SAM 70 to compute each S value.
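The card signature loop of steps 2a to 2f, the SAM-side regeneration, and the block-split transaction signature p(h(D || S(h(D)_1) || ... || S(h(D)_m))) described above, as an added Python example that is not part of the patent. It assumes: the card's 8-byte keyed primitive is modelled by HMAC-SHA256 truncated to 8 bytes in place of 3DES; H and h are SHA-256, with H's output cut to the 8-byte challenge the card accepts; the card-specific key K is derived from a SAM master key with HMAC over the CSN; and the private key operation p is textbook RSA on toy Mersenne-prime parameters, which is not a secure signature scheme and only exercises the binding structure. Names such as MpcosCard, card_signature, sam_verify, terminal_sign and bank_verify are the example's own.

```python
import hashlib
import hmac
import os

BLOCK = 8   # R and CR are 8-byte values on the card
TRUNC = 4   # only the 4 least significant bytes of S leave the card

def E(key, block):
    """Stand-in for 3DES(block, key): HMAC-SHA256 cut to 8 bytes (assumption)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def H(data):
    """Hash function h / H of the text (SHA-256 assumed)."""
    return hashlib.sha256(data).digest()

def derive_card_key(master_key, csn):
    """SAM side: card-specific K diversified from the master key by CSN."""
    return hmac.new(master_key, csn, hashlib.sha256).digest()

class MpcosCard:
    """Minimal card model holding K and answering SELFK (steps 2b, 2c)."""
    def __init__(self, K):
        self._K = K

    def selfk(self, R):
        CR = os.urandom(BLOCK)           # 2b: fresh card random number
        TK = E(self._K, CR)              # 2c: session key TK = 3DES(CR, K)
        return E(TK, R)[:TRUNC], CR      # 2c: S = 3DES(R, TK), truncated

def card_signature(card, R, n):
    """Terminal loop 2a-2f: n chained SELFK rounds -> (S', CR')."""
    S_acc, CR_acc = b"", b""
    for _ in range(n):
        S, CR = card.selfk(R)                    # 2a, 2d
        S_acc, CR_acc = S_acc + S, CR_acc + CR   # 2e
        R = H(R + S + CR)[:BLOCK]                # 2f: next challenge, 8 bytes
    return S_acc, CR_acc

def sam_verify(master_key, csn, R, S_acc, CR_acc):
    """SAM: re-derive K, replay the chain from R and CR', compare inside."""
    K = derive_card_key(master_key, csn)
    n, rem = divmod(len(CR_acc), BLOCK)
    if rem or len(S_acc) != TRUNC * n:
        return False
    expected = b""
    for j in range(n):
        CR = CR_acc[j * BLOCK:(j + 1) * BLOCK]
        S = E(E(K, CR), R)[:TRUNC]
        expected += S
        R = H(R + S + CR)[:BLOCK]
    return hmac.compare_digest(expected, S_acc)

# Toy RSA for the private-key operation p (Mersenne primes, NOT secure):
# it only exercises the binding structure p(h(D || S(h(D)))).
_P, _Q = (1 << 127) - 1, (1 << 107) - 1
RSA_N, RSA_E = _P * _Q, 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))
_FP = 28  # fingerprint bytes used, so the integer stays below RSA_N

def p_sign(fingerprint):
    return pow(int.from_bytes(fingerprint[:_FP], "big"), RSA_D, RSA_N)

def p_verify(sig, fingerprint):
    return pow(sig, RSA_E, RSA_N) == int.from_bytes(fingerprint[:_FP], "big")

def split_blocks(digest):
    """h(D) as whole 8-byte blocks h(D)_1..h(D)_m; incomplete tail dropped."""
    whole = len(digest) - len(digest) % BLOCK
    return [digest[i:i + BLOCK] for i in range(0, whole, BLOCK)]

def terminal_sign(card, D, rounds=1):
    """Terminal: S'(h(D)_i) per block, then p(h(D || S'_1 || ... || S'_m))."""
    token_sig = [card_signature(card, blk, rounds) for blk in split_blocks(H(D))]
    bound = D + b"".join(S for S, _ in token_sig)
    return {"D": D, "sig": p_sign(H(bound)), "token_sig": token_sig}

def bank_verify(msg, master_key, csn):
    """Bank: public-key check of the bound fingerprint, then the SAM checks
    each block's card signature against h(D)_i and CR'_i."""
    D, token_sig = msg["D"], msg["token_sig"]
    bound = D + b"".join(S for S, _ in token_sig)
    if not p_verify(msg["sig"], H(bound)):
        return False
    blocks = split_blocks(H(D))
    return len(blocks) == len(token_sig) and all(
        sam_verify(master_key, csn, blk, S, CR)
        for blk, (S, CR) in zip(blocks, token_sig))

if __name__ == "__main__":
    master, csn = b"bank-master-key (constructed)", b"CSN-00000001"
    card = MpcosCard(derive_card_key(master, csn))
    msg = terminal_sign(card, b"transfer 100.00 to account 42 (constructed)")
    print("bank accepts:", bank_verify(msg, master, csn))
```

With a 32-byte h(D) and one SELFK round per block, the card signature is four 4-byte S values (128 bits in total) plus four 8-byte CR values, which is the trade-off between security and data length that the text describes; the SAM's comparison uses a constant-time compare and never releases the expected S, matching the requirement that the match be decided inside the SAM.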
One potential weakness of the above method is that, even though a security mechanism is included to ensure that the digital signature is generated with prior access to the appropriate smartcard, the bank cannot tell whether the smartcard signature was generated during the same session as the digital transaction signature. For example, whenever the smartcard is inserted into a compromised computer, an attacker could generate many smart card signatures over different documents and store them. If the attacker later discovers the user's private key, correct digital transaction signatures can then be generated without access to the smart card.
A variation of the method using the following steps can prevent such an attack, by providing a means for the smartcard to encrypt an input related to the signature with the card's session key:
1. Create a file in the smartcard memory.
2. Create a PIN to protect access to the file.
3. Set the file update permission to allow any application to write to the file in plain text.
4. Set the file read permission to allow MPCOS secure messaging [i.e. encrypted messaging] only.
With such a smart card file, a cryptogram can be generated from the MPCOS card that assures that the digital transaction signature is generated during the same session as the last SELFK command used to create the smartcard signature using the following steps:
1. Do not reset the card after the last SELFK command that generates the value of S(h(D)).
2. After the p signing operation, generate a hash m of the digital transaction signature.
3. Present the PIN to unlock the smart card file.
4. Write m into the smart card file using the MPCOS UPDBIN (update binary file) command without secure messaging.
5. Read back the value of m using the MPCOS RDBIN (read binary file) command with secure messaging, that is, the card returns m encrypted under the session key TK.
The value read in step 5 is added to the digital transaction signature. The SAM 70 then checks the encrypted value of m as part of the smartcard signature verification routine, since it can regenerate TK from the card key and CR. With this enhancement, a positive verification by the SAM 70 indicates that the public key signature was indeed generated within a single smart card session.
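The session-binding steps 1 to 5 above, with the attack of the preceding paragraph run against them, as an added Python example that is not from the patent. It assumes the same 8-byte HMAC-SHA256 stand-in for 3DES as the earlier example, models secure messaging as encrypting the file content block by block under TK, and reduces the PIN, file, UPDBIN and RDBIN behaviour to a simplified model of the MPCOS file permissions described; class and function names are the example's own.

```python
import hashlib
import hmac
import os

BLOCK = 8

def E(key, block):
    """Stand-in for 3DES(block, key): HMAC-SHA256 cut to 8 bytes (assumption)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def secure_messaging(TK, data):
    """Model of MPCOS secure messaging: every 8-byte block of the file
    content is encrypted under the session key TK (assumption)."""
    return b"".join(E(TK, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

class MpcosCardSession:
    """Card model with the PIN-protected file of steps 1-4 above. The
    session key TK exists only between SELFK and the next reset (step 1)."""
    def __init__(self, K, pin):
        self._K, self._pin = K, pin
        self._TK, self._pin_ok, self._file = None, False, b""

    def selfk(self, R):
        CR = os.urandom(BLOCK)
        self._TK = E(self._K, CR)              # session key TK = 3DES(CR, K)
        return E(self._TK, R)[:4], CR

    def reset(self):
        self._TK, self._pin_ok = None, False   # session key is lost

    def verify_pin(self, pin):
        self._pin_ok = hmac.compare_digest(pin, self._pin)
        return self._pin_ok

    def updbin(self, data):
        """Update permission: any application, plain text (step 3)."""
        self._file = data

    def rdbin(self):
        """Read permission: secure messaging only, after the PIN (step 4)."""
        if self._TK is None:
            raise RuntimeError("no session key: card was reset after SELFK")
        if not self._pin_ok:
            raise PermissionError("PIN not presented")
        return secure_messaging(self._TK, self._file)

def terminal_session_bound(card, pin, R, tx_signature):
    """Steps 1-5: last SELFK, hash the p-signature, write m in clear,
    read it back encrypted under TK. Returns what goes to the bank."""
    S, CR = card.selfk(R)                          # last SELFK, no reset
    m = hashlib.sha256(tx_signature).digest()      # step 2
    if not card.verify_pin(pin):                   # step 3
        raise PermissionError("wrong PIN")
    card.updbin(m)                                 # step 4: UPDBIN, plain
    return S, CR, card.rdbin()                     # step 5: RDBIN, encrypted

def sam_check(K, R, S, CR, tx_signature, enc_m):
    """SAM: regenerate TK from K and CR, check S, then check that the
    encrypted m matches the hash of the signature actually presented."""
    TK = E(K, CR)
    if not hmac.compare_digest(E(TK, R)[:4], S):
        return False
    m = hashlib.sha256(tx_signature).digest()
    return hmac.compare_digest(secure_messaging(TK, m), enc_m)

if __name__ == "__main__":
    K, R = b"card-key (constructed)", b"\x07" * 8
    card = MpcosCardSession(K, b"1234")
    S, CR, enc_m = terminal_session_bound(card, b"1234", R, b"p-signature A")
    print("same session:", sam_check(K, R, S, CR, b"p-signature A", enc_m))
    # attacker stored (S, CR, enc_m) and later forges a new p-signature
    # offline with the leaked private key: the stored enc_m no longer fits
    print("replayed later:", sam_check(K, R, S, CR, b"p-signature B", enc_m))
```

The stored card values still satisfy the plain S check, so only the encrypted m ties the public key signature to the session in which the last SELFK was run; once the card is reset, RDBIN can no longer be answered because TK is gone, which is why step 1 forbids the reset.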
The embodiment described is not to be construed as limitative. For example, the invention is applicable to other kinds of tokens other than smartcards such as a PCMCIA token. The token signature generating method can be used on its own or with other encryption or digital signing techniques, not limited to public/private key operations for digital transaction signature generation as described.

Claims

1. A method of encryption for creating token bound output data from user data using a symmetric key capable token, said method comprising the steps of:
a. providing the user data or a representation thereof as an input to a symmetric key operation supported by the token;
b. retrieving the output of the symmetric key operation as the token signature; and
c. combining the token signature with the user data or representation to generate the token bound output data.
2. A method as claimed in claim 1 wherein said representation is a fingerprint of the user data.
3. A method as claimed in claim 2 wherein the representation is generated using a hash function.
4. A method as claimed in any one of claims 1 to 3 further comprising the step of generating a session key for each symmetric key operation.
5. A method as claimed in claim 4 wherein the session key is generated by modifying a symmetric key stored in the token with a random number.
6. A method as claimed in claim 4 or 5 wherein steps (a) and (b) are conducted recursively and the respective token signatures combined as a single combined token signature.
7. A method as claimed in any one of claims 4 to 6 further comprising the steps of:
(i) processing the output data to generate a further input related to the output data;
(ii) applying steps (a) and (b) to the further input to create a session bound output;
(iii) combining the session bound output with the token bound output.
8. A method as claimed in any one of the preceding claims wherein the user data or representation is split into a plurality of blocks and separate token signatures are generated for each block, the token signatures being all combined with the user data or representation to generate the token bound output data.
9. A method as claimed in any one of the preceding claims wherein the output data is used as an input parameter to a private key signature generation operation, to form a private key signature for the user data.
10. A method of verifying token bound output data created by the method of any one of the preceding claims by regenerating the token signature using the key employed to encrypt the data and matching it with that in the token bound output.
11. A method as claimed in claim 10 wherein the symmetric key is held by a secure access module at a remote location.
12. A method of generating a private key signature in respect of user data using a token, the token having stored therein a private key and a symmetric key, the method comprising the steps of:
a. providing the user data or a representation thereof as an input to a symmetric key operation supported by the token;
b. retrieving the output of the symmetric key operation as a token signature;
c. combining the token signature with the user data to generate token bound output data; and
d. providing the output data as an input parameter to a private key signature generation operation, to form a private key signature for the user data.
13. A method of verifying a private key signature generated by the method of claim 12 comprising the steps of using a signature verification operation to verify the token bound output data and re-generating the token signature using the symmetric key to verify the token.
14. A method as claimed in claim 13 wherein the token signature is verified at a secure location at which the symmetric key is stored.
15. A method as claimed in claim 14 wherein the location is a secure access module.
16. Apparatus for performing the method of any one of claims 1 to 9 or 12.
17. Apparatus for performing the method of any one of claims 10, 11, 13 or 14.
18. A token for an electronic transaction, the token supporting a symmetric key operation to generate a token signature from input data.
19. A token as claimed in claim 18 wherein the token further stores a private key for a digital transaction signature operation.
20. A token as claimed in claim 18 or claim 19 being a smartcard.
PCT/SG1998/000088 1998-11-10 1998-11-10 A method of encryption and apparatus therefor WO2000028493A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
AU11844/99A AU1184499A (en) 1998-11-10 1998-11-10 A method of encryption and apparatus therefor
PCT/SG1998/000088 WO2000028493A1 (en) 1998-11-10 1998-11-10 A method of encryption and apparatus therefor
EP98954915A EP1129436A1 (en) 1998-11-10 1998-11-10 A method of encryption and apparatus therefor

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/SG1998/000088 WO2000028493A1 (en) 1998-11-10 1998-11-10 A method of encryption and apparatus therefor

Publications (2)

Publication Number Publication Date
WO2000028493A1 true WO2000028493A1 (en) 2000-05-18
WO2000028493A8 WO2000028493A8 (en) 2001-02-01

Family

ID=20429886

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SG1998/000088 WO2000028493A1 (en) 1998-11-10 1998-11-10 A method of encryption and apparatus therefor

Country Status (3)

Country Link
EP (1) EP1129436A1 (en)
AU (1) AU1184499A (en)
WO (1) WO2000028493A1 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002080122A1 (en) * 2001-03-30 2002-10-10 Harexinfotech Inc. Method and system for settling financial transaction with mobile communications portable terminal containing financial information
EP1316171A1 (en) * 2000-08-04 2003-06-04 First Data Corporation Person-centric account-based digital signature system
EP1365363A2 (en) 2002-05-02 2003-11-26 Giesecke & Devrient GmbH Method for carrying out a data transaction by means of a transaction device which consists of a main- and a separable auxiliary component
US20130132281A1 (en) * 2011-11-22 2013-05-23 Xerox Corporation Computer-implemented method for capturing data using provided instructions
CN104579677A (en) * 2014-11-18 2015-04-29 飞天诚信科技股份有限公司 Secure and rapid data signature method
CN113067701A (en) * 2021-03-29 2021-07-02 武汉天喻信息产业股份有限公司 Method and device for updating binding relationship

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3806704A (en) * 1971-08-02 1974-04-23 T Shinal Identification system
US5280527A (en) * 1992-04-14 1994-01-18 Kamahira Safe Co., Inc. Biometric token for authorizing access to a host system
EP0624014A2 (en) * 1993-05-05 1994-11-09 Addison M. Fischer Personal date/time notary device
EP0735720A2 (en) * 1995-03-31 1996-10-02 Pitney Bowes, Inc. Method for key distribution and verification in a key management system
EP0837383A2 (en) * 1996-10-21 1998-04-22 Fuji Xerox Co., Ltd. Method and apparatus for data verification
WO1998022914A2 (en) * 1996-11-20 1998-05-28 Tecsec, Incorporated Cryptographic medium

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1316171A1 (en) * 2000-08-04 2003-06-04 First Data Corporation Person-centric account-based digital signature system
EP1316171A4 (en) * 2000-08-04 2006-05-03 First Data Corp Person-centric account-based digital signature system
US7784106B2 (en) 2000-08-04 2010-08-24 First Data Corporation Manufacturing unique devices that generate digital signatures
WO2002080122A1 (en) * 2001-03-30 2002-10-10 Harexinfotech Inc. Method and system for settling financial transaction with mobile communications portable terminal containing financial information
EP1365363A2 (en) 2002-05-02 2003-11-26 Giesecke & Devrient GmbH Method for carrying out a data transaction by means of a transaction device which consists of a main- and a separable auxiliary component
EP1365363A3 (en) * 2002-05-02 2004-08-25 Giesecke & Devrient GmbH Method for carrying out a data transaction by means of a transaction device which consists of a main- and a separable auxiliary component
US20130132281A1 (en) * 2011-11-22 2013-05-23 Xerox Corporation Computer-implemented method for capturing data using provided instructions
CN104579677A (en) * 2014-11-18 2015-04-29 飞天诚信科技股份有限公司 Secure and rapid data signature method
CN104579677B (en) * 2014-11-18 2017-12-19 飞天诚信科技股份有限公司 A kind of data signature method safely and fast
CN113067701A (en) * 2021-03-29 2021-07-02 武汉天喻信息产业股份有限公司 Method and device for updating binding relationship
CN113067701B (en) * 2021-03-29 2022-09-02 武汉天喻信息产业股份有限公司 Method and device for updating binding relationship

Also Published As

Publication number Publication date
AU1184499A (en) 2000-05-29
WO2000028493A8 (en) 2001-02-01
EP1129436A1 (en) 2001-09-05

Similar Documents

Publication Publication Date Title
US5602918A (en) Application level security system and method
US9640012B2 (en) Transaction verification protocol for smart cards
US8559639B2 (en) Method and apparatus for secure cryptographic key generation, certification and use
US6385723B1 (en) Key transformation unit for an IC card
US7254706B2 (en) System and method for downloading of files to a secure terminal
JP4559679B2 (en) Implementing cryptographic primitives using basic register operations
EP1873960A1 (en) Method for session key derivation in a IC card
US20020144117A1 (en) System and method for securely copying a cryptographic key
CN115225268A (en) Using elliptic curve cryptography for personal device security to share secrets
JPH113033A (en) Method for identifying client for client-server electronic transaction, smart card and server relating to the same, and method and system for deciding approval for co-operation by user and verifier
US20070168291A1 (en) Electronic negotiable documents
US8046584B2 (en) Message authentication device
KR20030095341A (en) Ic card and authentication method in electronic ticket distribution system
KR102277060B1 (en) System and method for encryption
JP3980145B2 (en) Cryptographic key authentication method and certificate for chip card
EP2179533B1 (en) Method and system for secure remote transfer of master key for automated teller banking machine
JP2007522739A (en) One-way authentication
EP3702991A1 (en) Mobile payments using multiple cryptographic protocols
JP2003501698A (en) Generating parameters using basic register operations
JP2003044436A (en) Authentication processing method, information processor, and computer program
JP3925975B2 (en) IC card processing method in network system
KR20220086135A (en) Block chain-based power transaction operation system
WO2000028493A1 (en) A method of encryption and apparatus therefor
WO1996024997A1 (en) Electronic negotiable documents
WO2008113302A2 (en) Method for generation of the authorized electronic signature of the authorized person and the device to perform the method

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GE GH GM HR HU ID IL IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG US UZ VN YU ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW SD SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
AK Designated states

Kind code of ref document: C1

Designated state(s): AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GE GH GM HR HU ID IL IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG US UZ VN YU ZW

AL Designated countries for regional patents

Kind code of ref document: C1

Designated state(s): GH GM KE LS MW SD SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

CFP Corrected version of a pamphlet front page
CR1 Correction of entry in section i
WWE Wipo information: entry into national phase

Ref document number: 1998954915

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 09831491

Country of ref document: US

WWP Wipo information: published in national office

Ref document number: 1998954915

Country of ref document: EP

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

WA Withdrawal of international application
XX Miscellaneous:

Free format text: IN PCT GAZETTE NO. 39/2002, PAGE 19180, UNDER "ANNOUNCEMENT OF THE WITHDRAWAL OF INTERNATIONAL APPLICATIONS AFTER INTERNATIONAL PUBLICATION", THE ANNOUNCEMENT RELATING TO "PCT/SG98/00088 - WO00/028493" SHOULD BE CONSIDERED NULL AND VOID.

WWW Wipo information: withdrawn in national office

Ref document number: 1998954915

Country of ref document: EP