Offline PIN validation with DES

US 4,661,658 A
Filed: 02/12/1985
Issued: 04/28/1987
Est. Priority Date: 02/12/1985
Status: Expired due to Fees

First Claim

Patent Images

1. In a multi-terminal system, a method of offline personal authentication using an authentication tree with an authentication tree function comprising a one-way function, said method employing memory cards issued to users of the system and each user being issued a personal identification number, each of said memory cards having stored thereon a personal key and an index position number representing the tree path for the user to which the card is issued, said method comprising the steps of:

calculating an authentication parameter as a function of a personal key read from a user'"'"'s card, a personal identification number entered by a user at a terminal being used, and a global secret key stored in the terminal being used, said global secret key being a common secret key stored at every terminal said calculating an authentication parameter step further comprising the steps of;

calculating an encrypted personal identification number (PIN), denoted EPIN, by the equation
space="preserve" listing-type="equation">EPIN=E.sub.KGb1 (E.sub.PIN (ID)), where KGb1 is a global secret key stored in each terminal and ID is a user identifier, andcalculating an authentication parameter AP by the equation
space="preserve" listing-type="equation">AP=RightN[E.sub.KP⊕

EPIN (ID)⊕

ID], where the symbol ⊕

is the Exclusive OR operation and "RightN" is a function that extracts the rightmost N bits in the binary variable denoted by the argument of the function, wherein said binary variable is greater than N bitsmapping the calculated authentication parameter to a verification value using said index position number in said one-way function to the root of said authentication tree,comparing the verification value obtained by mapping the calculated authentication parameter with a global verification value of reference stored at the terminal, said global verification value being a common verification value stored at every terminal andenabling said system if the comparison of the versification value obtained by mapping with the global verification value of reference is favorable.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of offline personal authentication in a multi-terminal system uses a secret user PIN, a secret key and other nonsecret data stored on a customer memory card and a nonsecret validation value stored in each terminal connected in a network. The technique of "tree authentication" is used which employs an authentication tree with an authentication tree function comprising a one-way function. An authentication parameter is calculated as a function of a personal key and a user identifier read from the user'"'"'s card and the PIN entered by the user. The calculated authentication parameter is mapped to a verification value using the one-way function to the root of the authentication tree. The verification value obtained by mapping the calculated authentication parameter is then compared with a global verification value stored at the terminal. If the comparison is favorable, the system is enabled for the user; otherwise, the user is rejected.

Citations

8 Claims

1. In a multi-terminal system, a method of offline personal authentication using an authentication tree with an authentication tree function comprising a one-way function, said method employing memory cards issued to users of the system and each user being issued a personal identification number, each of said memory cards having stored thereon a personal key and an index position number representing the tree path for the user to which the card is issued, said method comprising the steps of:
- calculating an authentication parameter as a function of a personal key read from a user'"'"'s card, a personal identification number entered by a user at a terminal being used, and a global secret key stored in the terminal being used, said global secret key being a common secret key stored at every terminal said calculating an authentication parameter step further comprising the steps of;
  calculating an encrypted personal identification number (PIN), denoted EPIN, by the equation
  space="preserve" listing-type="equation">EPIN=E.sub.KGb1 (E.sub.PIN (ID)),
  where KGb1 is a global secret key stored in each terminal and ID is a user identifier, and
  calculating an authentication parameter AP by the equation
  space="preserve" listing-type="equation">AP=RightN[E.sub.KP⊕
  
  EPIN (ID)⊕
  
  ID],
  where the symbol ⊕
  
  is the Exclusive OR operation and "RightN" is a function that extracts the rightmost N bits in the binary variable denoted by the argument of the function, wherein said binary variable is greater than N bitsmapping the calculated authentication parameter to a verification value using said index position number in said one-way function to the root of said authentication tree,comparing the verification value obtained by mapping the calculated authentication parameter with a global verification value of reference stored at the terminal, said global verification value being a common verification value stored at every terminal andenabling said system if the comparison of the versification value obtained by mapping with the global verification value of reference is favorable.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method according to claim 1 wherein N equals 56.
  - 3. The method of offline personal authentication as recited in claim 1 wherein the step of mapping is performed by first calculating a different codeword for each node of said authentication tree and then using the different codewords at the iteration of each node.
  - 4. The method of offline personal authentication as recited in claim 2 further comprising the step of storing in each terminal values of Q, an m-bit constant, and KA and KB, two nonsecret cryptographic keys, the calculation of a different codeword for each node being a function of Q, KA and KB and said index position number stored on the user'"'"'s card.
  - 5. The method of offline personal authentication as recited in claim 1 wherein there is further stored on the card m values Y₁, Y₂, . . . , Y_m to be authenticated and the step of mapping is performed by the step of calculating said verification value V from AP, said m values and said tree function by the equation
    
    space="preserve" listing-type="equation">Right56[Y.sub.left ⊕
    
    E.sub.Right56[Ci] (Y.sub.left)]=U
    
    space="preserve" listing-type="equation">Right56[Y.sub.right ⊕
    
    E.sub.U (Y.sub.right)]=Y.sub.new, where Y_left and Y_right are two values in said tree path and C_i are different values of said codeword calculated for each iteration at each node of the tree function and the last Y_new in the iteration is said verification value V.
- 6. The method of offline personal authentication as recited in claim 5 wherein the values of Ci are calculated by the equation
  
  space="preserve" listing-type="equation">C.sub.i =E.sub.Ki E.sub.Ki-1 . . . E.sub.K1 (Q) for i=1,2, . . . ,m
  where K_i =KA if X_i =0 and K_i =KB if X_i =1 and X₁, X₂, X₃, . . . , X_m denote binary bits stored on the user'"'"'s card which represent said index position number.
7. The method of offline personal authentication as recited in claim 1 wherein said user identifier ID is additionally stored on the user'"'"'s card, said method further comprising the step of checking the user identifier ID read from the user'"'"'s card against a list to determine if the ID is invalid, and if it is, rejecting the user.
8. The method of offline personal authentication as recited in claim 7 wherein after calculating the authentication parameter AP, performing the steps of checking a list to determine if the authentication parameter is invalid and, if it is, rejecting the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Matyas, Stephen M.
Primary Examiner(s)
Cangialosi, Salvatore
Assistant Examiner(s)
Lewis, Aaron J.

Application Number

US06/700,897
Time in Patent Office

805 Days
Field of Search

178/22.08, 178/22.09, 178/22.11, 178/22.10, 235/380, 235/382, 235/379
US Class Current

713/185
CPC Class Codes

G06Q 20/4012   Verifying personal identifi...

G07F 7/1016   Devices or methods for secu...

H04L 9/3226   using a predetermined code,...

H04L 9/3236   using cryptographic hash fu...

Offline PIN validation with DES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

Offline PIN validation with DES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links