WO2009004508A1 - Method for cryptographic authentication - Google Patents

Method for cryptographic authentication Download PDF

Info

Publication number
WO2009004508A1
WO2009004508A1 PCT/IB2008/051978 IB2008051978W WO2009004508A1 WO 2009004508 A1 WO2009004508 A1 WO 2009004508A1 IB 2008051978 W IB2008051978 W IB 2008051978W WO 2009004508 A1 WO2009004508 A1 WO 2009004508A1
Authority
WO
WIPO (PCT)
Prior art keywords
counter value
authentication
counter
eeprom
value
Prior art date
Application number
PCT/IB2008/051978
Other languages
French (fr)
Inventor
Frank Boeh
Jürgen Nowottnick
Original Assignee
Nxp B.V.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nxp B.V. filed Critical Nxp B.V.
Publication of WO2009004508A1 publication Critical patent/WO2009004508A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • G06F21/445Program or device authentication by mutual authentication, e.g. between devices or programs
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Definitions

  • the invention relates to a method for cryptographic authentication comprising a mutual authentication protocol between a base station and a transponder.
  • the advantage of the invention is that the data exchange for authentication is reduced to a minimum and thus the authentication time is accelerated.
  • the authentication time can be reduced by 40 to 50% whilst simultaneously ensuring a high resistance to attack.
  • a further advantage of the invention can be seen in that there is no need to use special hardware for reliable production of a changing code which is frequently easy to attack and in addition, is more expensive than an EEPROM based solution.
  • An advantageous embodiment of the invention provides that at least one current value of a variable component, in particular of a counter value, is included in a calcula- tion of the cryptographic signatures.
  • the current value of the variable component which is included in the calculation of the cryptographic signatures can already be notified to the transponder and the base station before the authentication.
  • the current value of the variable component i.e. for example, of a counter value (transponder sequence increment) can thereby be notified to the base station by a first standard authentication.
  • variable component in particular the counter value
  • the variable component is incremented directly after an authentication has been made in an EEPROM of the base station. In this way, it is ensured that the current session cannot be repeated.
  • variable component is incremented after an authentication in the transponder and in the base station.
  • variable components can comprise a counter value.
  • the form of the incrementation thematised in the following has also already been reflected in EP 06 114 665 Al .
  • variable component is present in the form of a counter value and after every incrementation in the transponder, the current counter value is only updated in an EEPROM segment of a non- volatile memory (EEPROM), wherein a subsequent access to the EEPROM is only made in the event of a successful incrementing of an EEPROM-based counter.
  • EEPROM non- volatile memory
  • an algorithm is provided which is particularly useful for cryptographic authentication in transponders.
  • This therefore does not comprise a software-hardware solution in which special hardware is always used.
  • this also saves EEPROM accesses based on the storage of redundant information.
  • Each of the EEPROM segments is exclusively used for storing counter data. In many cases, this makes it possible to have a write access to the EEPROM segments optimised for counter data for further increasing the permitted number of write cycles.
  • only one small computing expenditure is required for implementation. Since a new counter value is updated in only one EEPROM segment after every implementation, the number of permitted program cycles can be tripled compared to the methods known from the prior art, wherein additionally at the same time attacks on the security system are made more difficult.
  • an advantageous embodiment of the invention provides that the incrementa- tion comprises the following steps: a) searching for an invalid counter value in one of three EEPROM segments; b) finding a maximum valid counter value from the remaining valid counter values if an invalid counter value exists; c) overwriting the invalid counter value with a valid counter value; d) finding a smallest valid counter value from the three valid counter values, wherein if an invalid counter value is not present, step d) follows step a): e) finding a maximum valid counter value from the three valid counter values; f) overwriting the smallest valid counter value with a valid maximum counter value.
  • the invalid counter state is determined by means of a calculation of the difference from the two remaining counter states, wherein the invalid counter state has the largest differences from the remaining counter states.
  • threshold values are defined for the differences from which a counter state is recognised as invalid. If the threshold value is exceeded, it can be assumed that the relevant memory segment contains an invalid memory value. If the counting rhythm is known, it is also known which are the maximum differences which the memory values of the memory segments should exhibit with respect to one another. If higher differences, which therefore exceed the threshold value, occur for a memory value of a memory segment, it can be assumed that this memory value is invalid.
  • a further advantageous embodiment of the invention provides that the nonvolatile memory-based counter value or a value derived therefrom forms a varying initialisation value for a suitable crypto-algorithm which is used for authentication and/or encryption of the communication with a transponder.
  • a varying value which is synchronously incremented in the base station and also in the transponder is incremented for calculating the two cryptographic signatures (MAC (message authentication) and response). It can thereby be ensured that a crypto session cannot be implemented many times and thus forms of replay attacks can be avoided.
  • access to the user EEPROM is only given in the event of a successful implementation of the INCREMENT command. Each authentication sequence with subsequent EEPROM access can always only be recorded once since a different counter value is used to produce the crypto data for the next session.
  • a practicable variant of the invention provides that the counter states for the incrementing originate from a forward or backward counter.
  • FIG. 1 shows a sequence of a method for accelerated mutual cryptographic authentication
  • Fig. 2 shows a sequence of an implementation of a counter.
  • Figure 1 shows a sequence of a method for accelerated mutual cryptographic authentication.
  • Figure 1 illustrates the sequence of the accelerated authentication which now transmits no random numbers or counter states during the running time of the authentication but substantially only exchanges and verifies the cryptographic signatures (MAC (message authentication) and response).
  • the cryptographic authentication is initiated by the command Authent 15 and transmitted to the transponder.
  • the IDEs or IDS 16 of the transponder can be used and transmitted.
  • the following MAC (message authentication) is then calculated from the sequence increment data which are supplied and incremented in the base station as well as finally also by secret keys.
  • further information can also be used for cryptographic authentication.
  • the MAC 17 received by the transponder is now checked by the transponder which then calculates a response 18 and transmits this back to the base station.
  • the base station again checks the response 18, whereby the cryptic authentication is completed by this exchange and comparison as well as successful verification of MAC 17 and response 18.
  • the current value of the counter value which is included in the calculation of the cryptographic signatures 17, 18 (MAC and RESPONSE) is already known to the transponder 12 and the base station 13 before the authentication 14. This value can be notified, for example, by a first standard authentication to the base station 13.
  • the counter value is incremented after every accelerated authentication 14 in the transponder 12 and in the base station 13.
  • the counter value stored in the EEPROM of the base station 13 is already incremented directly after an authentication 14 has been made. In this way, it is ensured that a current session cannot be repeated. Furthermore, after every confirmed authentication 14 the counter value must be incremented in the transponder 12 without costing authentication time and stored in the EEPROM 10 of the transponder 12 so that the same counter value can be used during the next authentication process.
  • the method 100 uses the three EEPROM segments Z 1 , Z 2 and Z3 for secure storage of successive counter values.
  • the method 100 thereby implies a sequence for secured counting and storage in an EEPROM 10 of the transponder 12 within the scope of an incrementation 11 , wherein the incrementation 11 must proceed successfully in the application in order to subsequently achieve a state in which an access (read, write) to the EEPROM 10 can be allowed, i.e., an access i.e. write and read, can only be released in the event of the command INCREMENT being successfully implemented.
  • a) the search for an invalid counter value Z mval id takes place in one of three EEPROM segments, i.e.
  • the counter can in principle be a forward or backward counter. In this exemplary embodiment, it is assumed that this is a forward counter of step width 1.
  • the invalid counter value in step a) is thereby determined by calculating the difference from the two remaining counter values, wherein an invalid counter value exhibits the largest differences from the remaining numerical values.
  • step c The memory value of a memory segment is thus identified as invalid and is overwritten with the new maximum counter value in step c).
  • This invalid counter value has thus been eliminated from one of the EEPROM memory segments of the EEPROM 10 and has been overwritten by a new valid counter value.
  • step d) the smallest valid counter value from the three valid counter values is detected, wherein if an invalid counter value is not present, process step d) immediately fol- lows process step a).
  • step e) the largest valid counter value is now found from the now three valid counter values so that in the following step f) the smallest valid counter value can be overwritten with a valid maximum counter value.
  • the sequence for secured counting and storage in an EEPROM 10 presented here loads the memory segments of the EEPROM 10 only slightly since each new counter value can only be stored in one of the memory segments of the EEPROM 10 and therefore the EEPROM 10 is only slightly loaded with memory processes.
  • a check of the memory value by checks of the differences generally takes place so that in general the operating security is increased.
  • the EEPROM based counter value or a value derived therefrom forms a varying initialisation value for a suitable cryptoalgorithm which is used to authenticate and/or encrypt the communication with a transponder 12.
  • the method according to the invention is thus a pure software solution which can be used for systems which require a high degree of cryptographic security.
  • a standard authentication would use the respectively transmitted variable values (challenge and counter value) as input parameters for calculating the cryptographic signatures (MAC and RESPONSE).

Abstract

The invention relates to a method (100) for cryptographic authentication (14) comprising a mutual authentication protocol between a base station (13) and a transponder (12). In order to provide a method (100) which offers the possibility of considerably reducing the authentication time whilst simultaneously ensuring a high resistance to attack, the inven¬ tion proposes that during a running time of the authentication (14), cryptographic signatures (17, 18) for the authentication are exchanged and verified.

Description

METHOD FOR CRYPTOGRAPHIC AUTHENTICATION
FIELD OF THE INVENTION
The invention relates to a method for cryptographic authentication comprising a mutual authentication protocol between a base station and a transponder.
BACKGROUND OF THE INVENTION
In access security systems in automobile technology, according to the present state of the art, so-called mutual authentication protocols are used in which, along with secret keys, cryptographic signatures are calculated on the basis of variable random numbers which are exclusively supplied by a base station. In this case, in transponders for automobile applications only the vehicle base station provides the uniquely variable component for calculation of the cryptographic signatures.
In the chip card sector, random number generators are presently also used on the card, these frequently being based on special RC oscillators. Such realisations in access security systems are difficult to achieve for automobile applications, inter alia for cost reasons.
The advantage of a solution in which the card or the transponder likewise provides a number which changes from time to time is the increased resistance to attack against so-called "replay attack". In this attack and its derivatives a non-authorised base station (attacker) could attempt to read out protected information from the transponder or modify information in the transponder EEPROM memory by using recorded valid communication sequences.
In order to prevent attacks on transponder systems, in the recent past improved protocols have been developed for mutual authentication.
A disadvantage with these protocols however is the communication time which is not short, which substantially determines the necessary authentication time. In the aforesaid systems the time available for an authentication is limited.
OBJECT AND SUMMARY OF THE INVENTION
It is therefore the object of the present invention to provide a method for cryptographic authentication which opens up the possibility of considerably reducing the authentication time whilst simultaneously securing a high resistance to attack.
This object is achieved by the features of claim 1. According to the invention, in a method for cryptographic authentication in which a mutual authentication protocol is transmitted between a base station and a transponder, during the running time of the authentication substantially cryptographic signatures for the authentication are exchanged and verified. The basic idea of the invention is not to transmit random numbers or counter states for an authentication during the running time of the authentication. Rather, essentially the cryptographic signatures (MAC (message authentication) and RESPONSE) are exchanged and verified for an accelerated authentication.
The advantage of the invention is that the data exchange for authentication is reduced to a minimum and thus the authentication time is accelerated. Depending on the implementation, the authentication time can be reduced by 40 to 50% whilst simultaneously ensuring a high resistance to attack.
A further advantage of the invention can be seen in that there is no need to use special hardware for reliable production of a changing code which is frequently easy to attack and in addition, is more expensive than an EEPROM based solution.
At the same time, effective protection against replay attacks is ensured according to the invention.
An advantageous embodiment of the invention provides that at least one current value of a variable component, in particular of a counter value, is included in a calcula- tion of the cryptographic signatures.
Within the scope of the invention, the current value of the variable component which is included in the calculation of the cryptographic signatures, i.e., the MAC and the RESPONSE, can already be notified to the transponder and the base station before the authentication. The current value of the variable component, i.e. for example, of a counter value (transponder sequence increment) can thereby be notified to the base station by a first standard authentication.
Another further development of the invention provides that for security reasons, the variable component, in particular the counter value, is incremented directly after an authentication has been made in an EEPROM of the base station. In this way, it is ensured that the current session cannot be repeated.
It is advantageous if the variable component is incremented after an authentication in the transponder and in the base station. Here also, for example, the variable components can comprise a counter value. The form of the incrementation thematised in the following has also already been reflected in EP 06 114 665 Al .
A practicable variant of the invention provides that the variable component is present in the form of a counter value and after every incrementation in the transponder, the current counter value is only updated in an EEPROM segment of a non- volatile memory (EEPROM), wherein a subsequent access to the EEPROM is only made in the event of a successful incrementing of an EEPROM-based counter.
In this way, an algorithm is provided which is particularly useful for cryptographic authentication in transponders. This therefore does not comprise a software-hardware solution in which special hardware is always used. Compared to other methods, this also saves EEPROM accesses based on the storage of redundant information. Each of the EEPROM segments is exclusively used for storing counter data. In many cases, this makes it possible to have a write access to the EEPROM segments optimised for counter data for further increasing the permitted number of write cycles. In addition, only one small computing expenditure is required for implementation. Since a new counter value is updated in only one EEPROM segment after every implementation, the number of permitted program cycles can be tripled compared to the methods known from the prior art, wherein additionally at the same time attacks on the security system are made more difficult.
An advantageous embodiment of the invention provides that the incrementa- tion comprises the following steps: a) searching for an invalid counter value in one of three EEPROM segments; b) finding a maximum valid counter value from the remaining valid counter values if an invalid counter value exists; c) overwriting the invalid counter value with a valid counter value; d) finding a smallest valid counter value from the three valid counter values, wherein if an invalid counter value is not present, step d) follows step a): e) finding a maximum valid counter value from the three valid counter values; f) overwriting the smallest valid counter value with a valid maximum counter value. The advantage of such an incrementation can be seen in that any redundant storage is avoided and it is nevertheless achieved that if an invalid memory content of a memory segment occurs, the counting rhythm is not disturbed since that memory segment which recognises an invalid content is re-written and therefore valid counter values are again stored subsequently in all three memory segments from which further counting can be started. In addition, since the memory segments are exclusively used for storing counter values, these processes can be optimised and can thus be achieved with an increase in the number of permitted write cycles.
Advantageously, as described in detail in DE 102 01 554 Al, in step a) the invalid counter state is determined by means of a calculation of the difference from the two remaining counter states, wherein the invalid counter state has the largest differences from the remaining counter states.
It is advantageous if threshold values are defined for the differences from which a counter state is recognised as invalid. If the threshold value is exceeded, it can be assumed that the relevant memory segment contains an invalid memory value. If the counting rhythm is known, it is also known which are the maximum differences which the memory values of the memory segments should exhibit with respect to one another. If higher differences, which therefore exceed the threshold value, occur for a memory value of a memory segment, it can be assumed that this memory value is invalid. A further advantageous embodiment of the invention provides that the nonvolatile memory-based counter value or a value derived therefrom forms a varying initialisation value for a suitable crypto-algorithm which is used for authentication and/or encryption of the communication with a transponder.
Within the scope of the invention it is also provided that a varying value which is synchronously incremented in the base station and also in the transponder is incremented for calculating the two cryptographic signatures (MAC (message authentication) and response). It can thereby be ensured that a crypto session cannot be implemented many times and thus forms of replay attacks can be avoided. In addition, it should be noted within the framework of the invention that access to the user EEPROM is only given in the event of a successful implementation of the INCREMENT command. Each authentication sequence with subsequent EEPROM access can always only be recorded once since a different counter value is used to produce the crypto data for the next session.
A practicable variant of the invention provides that the counter states for the incrementing originate from a forward or backward counter.
BRIEF DESCRIPTION OF THE DRAWINGS
The invention is explained in detail subsequently with reference to the drawings. In the figures in schematic view Fig. 1 shows a sequence of a method for accelerated mutual cryptographic authentication and
Fig. 2 shows a sequence of an implementation of a counter.
DESCRIPTION OF EMBODIMENTS
Figure 1 shows a sequence of a method for accelerated mutual cryptographic authentication. Figure 1 illustrates the sequence of the accelerated authentication which now transmits no random numbers or counter states during the running time of the authentication but substantially only exchanges and verifies the cryptographic signatures (MAC (message authentication) and response). The cryptographic authentication is initiated by the command Authent 15 and transmitted to the transponder. In addition to this command, the IDEs or IDS 16 of the transponder can be used and transmitted. The following MAC (message authentication) is then calculated from the sequence increment data which are supplied and incremented in the base station as well as finally also by secret keys. Optionally, further information can also be used for cryptographic authentication. The MAC 17 received by the transponder is now checked by the transponder which then calculates a response 18 and transmits this back to the base station. The base station again checks the response 18, whereby the cryptic authentication is completed by this exchange and comparison as well as successful verification of MAC 17 and response 18. It can be deduced from Figure 2 that the current value of the counter value which is included in the calculation of the cryptographic signatures 17, 18 (MAC and RESPONSE) is already known to the transponder 12 and the base station 13 before the authentication 14. This value can be notified, for example, by a first standard authentication to the base station 13. The counter value is incremented after every accelerated authentication 14 in the transponder 12 and in the base station 13. For security reasons, the counter value stored in the EEPROM of the base station 13 is already incremented directly after an authentication 14 has been made. In this way, it is ensured that a current session cannot be repeated. Furthermore, after every confirmed authentication 14 the counter value must be incremented in the transponder 12 without costing authentication time and stored in the EEPROM 10 of the transponder 12 so that the same counter value can be used during the next authentication process.
The method 100 uses the three EEPROM segments Z1, Z2 and Z3 for secure storage of successive counter values. The method 100 according to the invention thereby implies a sequence for secured counting and storage in an EEPROM 10 of the transponder 12 within the scope of an incrementation 11 , wherein the incrementation 11 must proceed successfully in the application in order to subsequently achieve a state in which an access (read, write) to the EEPROM 10 can be allowed, i.e., an access i.e. write and read, can only be released in the event of the command INCREMENT being successfully implemented. In a first step a) the search for an invalid counter value Zmvalid takes place in one of three EEPROM segments, i.e. it is questioned whether an invalid counter value Zmvalid exists among the counter values Z1, Z2 and Z3. If such an invalid counter value Zmvalid exists, in a further step b) a maximum valid counter value is found from the remaining counter values Z1 and Zj (i, j = 1, 2, 3) as long as the existence of an invalid counter value is present. The counter can in principle be a forward or backward counter. In this exemplary embodiment, it is assumed that this is a forward counter of step width 1. The invalid counter value in step a) is thereby determined by calculating the difference from the two remaining counter values, wherein an invalid counter value exhibits the largest differences from the remaining numerical values. The memory value of a memory segment is thus identified as invalid and is overwritten with the new maximum counter value in step c). This invalid counter value has thus been eliminated from one of the EEPROM memory segments of the EEPROM 10 and has been overwritten by a new valid counter value. Should it now be found that no invalid counter value now exists, in step d) the smallest valid counter value from the three valid counter values is detected, wherein if an invalid counter value is not present, process step d) immediately fol- lows process step a). Finally, in step e) the largest valid counter value is now found from the now three valid counter values so that in the following step f) the smallest valid counter value can be overwritten with a valid maximum counter value.
The sequence for secured counting and storage in an EEPROM 10 presented here loads the memory segments of the EEPROM 10 only slightly since each new counter value can only be stored in one of the memory segments of the EEPROM 10 and therefore the EEPROM 10 is only slightly loaded with memory processes. In addition, a check of the memory value by checks of the differences generally takes place so that in general the operating security is increased. As a result of the sequence presented here, the EEPROM based counter value or a value derived therefrom forms a varying initialisation value for a suitable cryptoalgorithm which is used to authenticate and/or encrypt the communication with a transponder 12. The method according to the invention is thus a pure software solution which can be used for systems which require a high degree of cryptographic security.
In the event of an EEPROM hardware defect, either on the side of the base station 13 or the transponder 12, the accelerated authentication 14 would fail. In this case, a standard authentication would use the respectively transmitted variable values (challenge and counter value) as input parameters for calculating the cryptographic signatures (MAC and RESPONSE).
REFERENCE LIST
100 Method
10 EEPROM
11 Incrementation
12 Transponder
13 Base station
14 Authentication
15 Command Authent
16 IDE or IDS
17 MAC (message authentication)
18 Response

Claims

1. A method (100) for cryptographic authentication (14) comprising a mutual authentication protocol between a base station (13) and a transponder (12), characterised in that during a running time of the authentication (14), cryptographic signatures
(17, 18) for the authentication are exchanged and verified.
2. The method according to claim 1, characterised in that at least one current value of a variable component, in particular of a counter value, is included in a calculation of the cryptographic signatures (17, 18).
3. The method according to claim 1 or 2, characterised in that the current value of the variable component is notified to the transponder (12) and the base station (13) before the authentication (14).
4. The method according to claim 2 or 3, characterised in that the variable component is incremented after an authentication (14) in the transponder (12) and in the base station (13).
5. The method according to claim 4, characterised in that the variable component is present in the form of a counter value and after every incrementing (11) in the transponder (12) the counter value is only updated in an EEPROM segment of a non- volatile memory (EEPROM) (10), wherein a subsequent access to the EEPROM (10) is only made in the event of a successful incrementing (11) of an EEPROM-based counter.
6. The method according to claim 5, characterised in that the incrementing (11) comprises the following steps: a) searching for an invalid counter value in one of three EEPROM segments; b) finding the maximum valid counter value from the remaining valid counter values if an invalid counter value exists; c) overwriting the invalid counter value with a valid counter value; d) finding the smallest valid counter value from the three valid counter values, wherein if an invalid counter value is not present, step d) follows step a): e) finding a maximum valid counter value from the three valid counter values; f) overwriting the smallest valid counter value with a valid maximum counter value.
7. The method according to claim 6, characterised in that in step a) the invalid counter value is determined by means of a calculation of the differences from the two remaining counter values, wherein the invalid counter value has the largest differences from the remaining counter values.
8. The method according to claim 7, characterised in that threshold values are defined for the differences from which a counter value is recognised as invalid.
9. The method according to any one of the preceding claims, characterised in that the EEPROM-based counter value or a value derived therefrom forms a varying initialisation value for a suitable crypto-algorithm which is used for authentication (14) and/or encryption of the communication with the transponder (12).
10. The method according to any one of the preceding claims, characterised in that the counter values for the incrementing (11) originate from a forward or backward counter.
11. The method according to any one of the preceding claims, characterised in that the variable component, in particular the counter value which is stored in an EEPROM of the base station (13), is already incremented directly after the authentication (14) has been made.
PCT/IB2008/051978 2007-06-29 2008-05-20 Method for cryptographic authentication WO2009004508A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP07111378.1 2007-06-29
EP07111378 2007-06-29

Publications (1)

Publication Number Publication Date
WO2009004508A1 true WO2009004508A1 (en) 2009-01-08

Family

ID=39735361

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2008/051978 WO2009004508A1 (en) 2007-06-29 2008-05-20 Method for cryptographic authentication

Country Status (1)

Country Link
WO (1) WO2009004508A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104142803A (en) * 2013-05-08 2014-11-12 德国福维克控股公司 Method for copy-protected storage of information on a data carrier

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4601011A (en) * 1981-12-30 1986-07-15 Avigdor Grynberg User authorization verification apparatus for computer systems including a central device and a plurality of pocket sized remote units
EP0998095A2 (en) * 1998-07-31 2000-05-03 Lucent Technologies Inc. Method for two party authentication and key agreement
WO2002014974A2 (en) * 2000-08-14 2002-02-21 Comsense Technologies, Ltd. Multi-server authentication
US20060046690A1 (en) * 2004-09-02 2006-03-02 Rose Gregory G Pseudo-secret key generation in a communications system
US20070005972A1 (en) * 2005-06-30 2007-01-04 Mizikovsky Semyon B Method for refreshing a pairwise master key

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4601011A (en) * 1981-12-30 1986-07-15 Avigdor Grynberg User authorization verification apparatus for computer systems including a central device and a plurality of pocket sized remote units
EP0998095A2 (en) * 1998-07-31 2000-05-03 Lucent Technologies Inc. Method for two party authentication and key agreement
WO2002014974A2 (en) * 2000-08-14 2002-02-21 Comsense Technologies, Ltd. Multi-server authentication
US20060046690A1 (en) * 2004-09-02 2006-03-02 Rose Gregory G Pseudo-secret key generation in a communications system
US20070005972A1 (en) * 2005-06-30 2007-01-04 Mizikovsky Semyon B Method for refreshing a pairwise master key

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104142803A (en) * 2013-05-08 2014-11-12 德国福维克控股公司 Method for copy-protected storage of information on a data carrier
CN104142803B (en) * 2013-05-08 2019-12-24 德国福维克控股公司 Method for the copy-protected storage of information on a data carrier

Similar Documents

Publication Publication Date Title
Yang et al. Mutual authentication protocol for low-cost RFID
US7596704B2 (en) Partition and recovery of a verifiable digital secret
Cai et al. Attacks and improvements to an RIFD mutual authentication protocol and its extensions
CN106411505B (en) A kind of mutual authentication method and Mobile RFID system of Mobile RFID
JP5355685B2 (en) Wireless tag authentication method using radio wave reader
US20100153731A1 (en) Lightweight Authentication Method, System, and Key Exchange Protocol For Low-Cost Electronic Devices
CN1466710A (en) Method of securing and exposing a logotype in an electronic device
CN111723383A (en) Data storage and verification method and device
Safkhani et al. Cryptanalysis of the Cho et al. protocol: a hash-based RFID tag mutual authentication protocol
Bilal et al. Security analysis of ultra-lightweight cryptographic protocol for low-cost RFID tags: Gossamer protocol
CN110147666B (en) Lightweight NFC identity authentication method in scene of Internet of things and Internet of things communication platform
Zuo Changing hands together: a secure group ownership transfer protocol for RFID tags
KR100737181B1 (en) Apparatus and method for lightweight and resynchronous mutual authentication protocol for secure rfid system
Tillich et al. Security analysis of an open car immobilizer protocol stack
Yang et al. Security and privacy on authentication protocol for low-cost rfid
CN108566385B (en) Bidirectional authentication method based on cloud efficient privacy protection
US9559838B2 (en) Method of processing data protected against fault injection attacks and associated device
CN106936571B (en) Method for realizing wireless generation of single-label secret key by utilizing word synthesis operation
JP6188633B2 (en) Computer system, computer, semiconductor device, information processing method, and computer program
US20090034717A1 (en) Method of processing data protected against attacks by generating errors and associated device
CN106027237B (en) Cipher key matrix safety certifying method based on group in a kind of RFID system
Chien The study of RFID authentication protocols and security of some popular RFID tags
KR100680272B1 (en) Rfid authentication system and its method
Parameswarath et al. A puf-based lightweight and secure mutual authentication mechanism for remote keyless entry systems
CN103701785A (en) Ownership transfer and key array-based RFID (radio frequency identification) security authentication method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08751259

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08751259

Country of ref document: EP

Kind code of ref document: A1