Two-way public key authentication and key agreement for low-cost terminals
Abstract
A method for achieving mutual authentication and session key agreement between a first party 12 which has minimal computational resources and a second party 18 which has substantial computational resources utilizes a modular square root operation for certificate authentication and key distribution and an ElGamal, NIST DSS, or other efficient signature operation for obtaining the signature of a message. These operations are highly advantageous in a system with asymmetric resources because the computation power required to perform these operations is far less than the computation power required to invert these operations. The entire mutual authentication and session key agreement method can be carried out using only three modular multiplications on the weak computational side.
-
37 Claims
-
1. A method for achieving mutual identification and session key agreement between a terminal and a server at the start of a communication session, comprising the steps of
(a) transmitting from the server to the terminal an identity j of the server, a public key Nj of the server, and a certificate cj of the server which, if valid, is congruent to √h(j, Nj) mod Nu, where Nj is the public key of the server, Nu is the public key of a central authority, and h() signifies a one-way hashing function,
(b) at the terminal, verifying that the received certificate cj satisfies h(j, Nj) ≡ cj² mod Nu,
(c) at the terminal, choosing a random number x = (xL, xR), obtaining y ≡ x² mod Nj, and transmitting y to said server,
(d) at said server, performing the modular square root operation to obtain x = (xL, xR) ≡ √y mod Nj by using the secret keys pj, qj of the server, where Nj = pj·qj, and transmitting xL back to the terminal,
(e) transmitting from the terminal to the server an identity i of the terminal, a public key Pi of the terminal, and a certificate ci of the terminal which, if valid, is congruent to √h(i, Pi) mod Nu, wherein the identity i, the public key Pi and the certificate ci are encrypted using xR as a session key,
(f) at the server, verifying that the received certificate ci satisfies h(i, Pi) ≡ ci² mod Nu,
(g) computing at the terminal a signature S(m) on a challenge message m sent by the server by applying an asymmetric signature operation to said challenge message m, and transmitting the signature to the server in encrypted form using xR as a session key, and
(h) verifying the signature at the server.
Dependent claims: 2 to 17.
-
4. The method of claim 3 wherein the value of r is chosen randomly each time the terminal evaluates a signature.
-
5. The method of claim 3 wherein a terminal i has a separate signature modulus NiS and wherein the certificate of the terminal i is of the form ci = √h(i, Pi, NiS) mod Nu.
-
6. The method of claim 1 wherein said signature operation is an ElGamal signature operation.
-
7. The method of claim 1 wherein said signature S(m) is computed according to the National Institute of Standards and Technology Digital Signature Standard Algorithm.
-
8. The method of claim 1 wherein said communication session is aborted if the certificate cj received at said terminal does not satisfy cj² mod Nu = h(j, Nj).
-
9. The method of claim 1 wherein said communication session is aborted if the certificate ci received at the server does not satisfy ci² mod Nu = h(i, Pi).
-
10. The method of claim 1 wherein said terminal is a terminal of a portable communications system and said server is a port control unit of said portable communication system.
-
11. The method of claim 10 wherein said terminal is a portable telephone.
-
12. The method of claim 1 wherein the terminal is a smart card and the server is a smart card base unit.
-
13. The method of claim 1 wherein the terminal is an Analog Display Service Interface (ADSI) terminal and said server is an ADSI network cryptoserver.
-
14. The method of claim 1 wherein said terminal is computationally weaker than said server.
-
15. The method of claim 13 wherein said initialization step further comprises selecting said secret key si and generating the corresponding public key Pi, forming the certificate ci at the central authority and transmitting the certificate ci to the terminal, and transmitting the public key Nu of the central authority to the terminal.
-
16. The method of claim 1 wherein, prior to any communication session, said server is initialized by selecting for the server its secret keys pj, qj and its public key Nj = pj·qj, transmitting the public key Nj to the central authority, forming the certificate cj at the central authority and transmitting the certificate cj to the server, and transmitting said public key Nu from said central authority to said server and storing the key Nu at said server.
-
17. The method of claim 1 further comprising the step of, at the server, identifying the proper root when computing √y mod Nj by providing said random number with color.
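Worked example (added here; it is not the patent's own code or text): a Python run of the exchange of claim 1, which is also the protocol that claims 18, 26 and 37 state in general terms, with both the terminal side and the server side. Everything the claims leave open is an assumption of this example: SHA-256 as h(); an XOR keystream derived from xR as the encipherment function; a fixed 32-bit tag in the low bits of x as the "color" of claim 17 that lets the server pick the right one of the four square roots; a counter k folded into the certificate hash so that the hashed value is a quadratic residue mod Nu; and ElGamal (claim 6) with small, unvetted parameters for the signature. The names CentralAuthority, Server, Terminal, run_session and COLOR are this example's own.

```python
# Added worked example of the claim-1 exchange; not code from the patent.
# Assumed here (the claims leave them open): SHA-256 as h(), a SHA-256 counter
# keystream as the encipherment function, a fixed 32-bit tag in the low bits of x
# as the "color" of claim 17, a counter k in the certificate hash so that the
# hashed value is a quadratic residue mod Nu, and ElGamal with toy parameters.
import hashlib, json, random
from math import gcd

rng = random.Random(7)     # seeded so the run is reproducible; use secrets/os.urandom for real keys
COLOR = 0xC0C0C0DE         # redundancy the server uses to tell the terminal's root from the other three


def is_probable_prime(n, rounds=24):
    """Miller-Rabin; fine for an example, not a vetted prime generator."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def blum_prime(bits):
    """Random prime p = 3 (mod 4): then a^((p+1)/4) mod p is a square root of any residue a."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 3
        if is_probable_prime(p):
            return p


def h(*parts):
    """One-way hash h(): SHA-256 over length-prefixed fields, returned as an integer."""
    m = hashlib.sha256()
    for x in parts:
        b = x if isinstance(x, bytes) else str(x).encode()
        m.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(m.digest(), "big")


def sqrt_mod(a, p, q):
    """All four square roots of a residue a mod N = p*q, combined by CRT (needs p and q)."""
    rp, rq, n = pow(a, (p + 1) // 4, p), pow(a, (q + 1) // 4, q), p * q
    return [(sp * q * pow(q, -1, p) + sq * p * pow(p, -1, q)) % n
            for sp in (rp, p - rp) for sq in (rq, q - rq)]


def encipher(key, data):
    """Stand-in encipherment: XOR with SHA-256(key || counter); XOR is its own inverse."""
    kb = key.to_bytes(32, "big")
    ks = b"".join(hashlib.sha256(kb + c.to_bytes(4, "big")).digest() for c in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


class CentralAuthority:
    def __init__(self, bits):
        self.pu, self.qu = blum_prime(bits), blum_prime(bits)
        self.Nu = self.pu * self.qu                      # public; only the CA can take roots mod Nu

    def certify(self, *ident):
        """Certificate (k, c) with c^2 = h(ident, k) mod Nu; k is bumped until the hash is a
        quadratic residue mod both primes (about one try in four succeeds)."""
        for k in range(1 << 16):
            a = h(*ident, k) % self.Nu
            if all(pow(a, (r - 1) // 2, r) == 1 for r in (self.pu, self.qu)):
                return k, sqrt_mod(a, self.pu, self.qu)[0]
        raise RuntimeError("no quadratic residue found")


def cert_ok(Nu, cert, *ident):
    """Steps (b)/(f): a single modular squaring checks a certificate against Nu."""
    k, c = cert
    return pow(c, 2, Nu) == h(*ident, k) % Nu


class Server:
    def __init__(self, j, ca, bits):
        self.j, self.Nu = j, ca.Nu
        self.pj, self.qj = blum_prime(bits), blum_prime(bits)   # secret keys
        self.Nj = self.pj * self.qj                              # public key
        self.cert = ca.certify(j, self.Nj)                       # claim 16 initialisation

    def recover_x(self, y):
        """Step (d): invert y = x^2 mod Nj; the colour tag singles out the terminal's root."""
        roots = [r for r in sqrt_mod(y, self.pj, self.qj) if r & 0xFFFFFFFF == COLOR]
        if len(roots) != 1:
            raise ValueError("no unique coloured root")
        return roots[0]


class Terminal:
    def __init__(self, i, ca, bits):
        self.i, self.Nu = i, ca.Nu
        p, g = blum_prime(bits), 2              # ElGamal group: example values only; a real
        self.si = rng.randrange(2, p - 2)       # deployment needs a vetted prime and generator
        self.Pi = (p, g, pow(g, self.si, p))    # public key Pi
        self.cert = ca.certify(i, *self.Pi)     # claim 15 initialisation

    def sign(self, m):
        """ElGamal signature (r, s) on h(m) with a fresh nonce per signature (claim 4)."""
        p, g, _ = self.Pi
        while True:
            k = rng.randrange(2, p - 1)
            if gcd(k, p - 1) == 1:
                break
        r = pow(g, k, p)
        return r, (h(m) - self.si * r) * pow(k, -1, p - 1) % (p - 1)


def elgamal_verify(Pi, m, sig):
    p, g, y = Pi
    r, s = sig
    return 0 < r < p and pow(g, h(m), p) == pow(y, r, p) * pow(r, s, p) % p


def run_session(term, srv, challenge=b"server-challenge-m"):
    """Steps (a) to (h) of claim 1; returns the agreed xR, or None on any abort."""
    if not cert_ok(term.Nu, srv.cert, srv.j, srv.Nj):               # (a),(b); abort of claim 8
        return None
    x = (rng.getrandbits(srv.Nj.bit_length() - 40) << 32) | COLOR  # (c): x < Nj, coloured
    y = pow(x, 2, srv.Nj)                                            # one modular multiplication
    half = srv.Nj.bit_length() // 2
    split = lambda v: (v >> half, v & ((1 << half) - 1))            # x = (xL, xR)
    xL, xR = split(x)
    xL_srv, xR_srv = split(srv.recover_x(y))                         # (d): needs pj, qj
    if xL_srv != xL:                                                 # echo of xL proves the server inverted y
        return None
    blob = encipher(xR, json.dumps([term.i, term.Pi, term.cert]).encode())   # (e) under xR
    ti, tPi, tci = json.loads(encipher(xR_srv, blob))
    if not cert_ok(srv.Nu, tci, ti, *tPi):                           # (f); abort of claim 9
        return None
    sig = json.loads(encipher(xR_srv, encipher(xR, json.dumps(term.sign(challenge)).encode())))  # (g)
    return xR_srv if elgamal_verify(tPi, challenge, sig) else None   # (h)


if __name__ == "__main__":
    ca = CentralAuthority(256)
    print("agreed xR:", run_session(Terminal("handset-42", ca, 256), Server("pcu-7", ca, 256)))
```

Running it prints the agreed xR. The terminal does exactly the light work the abstract describes: one squaring to check cj, one squaring to form y, and the ElGamal signature, whose r = g^k part does not depend on m and can be prepared before the session; the two square-root extractions, which need pj and qj, fall on the server. Two caveats worth keeping in mind: xR inherits the 32-bit colour tag, so its entropy is 32 bits less than its width, and the XOR keystream gives no integrity, so a deployment would wrap steps (e) and (g) in an authenticated cipher.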
-
18. A method for achieving mutual authentication and session key agreement between a server and a terminal comprising the steps of
(a) transmitting a certificate of said server from said server to said terminal,
(b) verifying the authenticity of said certificate of said server at said terminal,
(c) distributing a session key to said terminal and server by selecting a random number x at said terminal and encrypting said number x at said terminal by performing at said terminal an asymmetric public key operation which can only be inverted with knowledge of a secret key of said server,
(d) transmitting said number x in encrypted form from said terminal to said server and inverting said operation using said secret key of said server to obtain x at said server,
(e) transmitting a certificate of said terminal from said terminal to said server encrypted using a session key, wherein said session key is based on said number x,
(f) verifying the authenticity of said terminal certificate at said server,
(g) evaluating a signature S(m) of a message m at said terminal using an asymmetric signature operation, and
(h) transmitting the signature to said server in encrypted form using said session key and inverting the signature operation at said server.
-
26. A method for achieving mutual authentication and session key agreement between a first party and a second party at the start of a communication session comprising the steps of
(a) distributing a session key between said parties by selecting a random number at said first party, encrypting said random number using an asymmetric public key encryption operation, transmitting the encrypted random number to the second party, and inverting said encryption operation at said second party to obtain said random number, and
(b) at said first party, performing an asymmetric signature operation on a message m to obtain a signature S(m), encrypting said signature S(m) using an encipherment function and a session key which is based on said random number, and transmitting the encrypted signature S(m) to said second party, and at said second party, decrypting said signature S(m) and inverting said signature operation.
-
37. A method for achieving mutual authentication and session key agreement between first and second parties communicating via a communication medium comprising:
(a) transmitting a certificate of said second party from said second party to said first party,
(b) verifying the authenticity of said certificate of said second party at said first party,
(c) distributing a session key to said first and second parties by selecting a random number x at said first party and encrypting said number x at said first party by performing at said first party an asymmetric public key operation which can only be inverted with knowledge of a secret key of said second party,
(d) transmitting said number x in encrypted form from said first party to said second party and inverting said operation using said secret key of said second party,
(e) transmitting a certificate of said first party from said first party to said second party encrypted using a session key based on said number x,
(f) verifying the authenticity of said certificate of said first party at said second party,
(g) evaluating a signature S(m) of a message m at said first party using an asymmetric signature operation, and
(h) transmitting the signature to said second party in encrypted form using said session key and inverting the signature operation at the second party.
-