Method for authenticating a portable data carrier

US 8,966,275 B2
Filed: 03/07/2011
Issued: 02/24/2015
Est. Priority Date: 03/10/2010
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a portable data carrier to a terminal device, the method comprising:

deriving a public session key (PKSession) and a secret session key (SKSession) in the data carrier, the public session key (PKSession) being derived from a public key (PKi) individual to the data carrier, the public key (PKi) being derived from a public group key (PK), and the secret session key (SKSession) being derived from a secret key (SKi) individual to the data carrier, the secret key (SKi) being derived from a secret group key (SK); and

anonymously authenticating the data carrier to the terminal device using the secret session key (SKSession) in the data carrier and the public session key (PKSession) in the terminal device,wherein the terminal device verifies the public session key (PKSession) by a certificate (CPK) of the public group key (PK), which certificate is stored in the data carrier, by the terminal device checking the certificate (CpK) and reconstructing the derivation of the public session key (PKSession) from the public group key (PK) via the public key (PKi) individual to the data carrier.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for authenticating a portable data carrier (10) to a terminal device by the following steps: In the data carrier (10) a public session key (PK_Session) is derived (S5) from a public key individual to the data carrier (PK_i) which has in its turn been derived (TS32; S1) from a public group key (PK). Further, a secret session key (SK_Session) is derived (S4) from a secret key individual to the data carrier (SK_i) which has in turn been derived (TS31) from a secret group key (SK). Subsequently, a secret communication key (KK) is agreed on (S7) between the data carrier (10) and the terminal device. Finally, the terminal verifies (S8) the public session key (PK_Session) of the data carrier (10).

Citations

16 Claims

1. A method for authenticating a portable data carrier to a terminal device, the method comprising:
- deriving a public session key (PKSession) and a secret session key (SKSession) in the data carrier, the public session key (PKSession) being derived from a public key (PKi) individual to the data carrier, the public key (PKi) being derived from a public group key (PK), and the secret session key (SKSession) being derived from a secret key (SKi) individual to the data carrier, the secret key (SKi) being derived from a secret group key (SK); and
  
  anonymously authenticating the data carrier to the terminal device using the secret session key (SKSession) in the data carrier and the public session key (PKSession) in the terminal device,wherein the terminal device verifies the public session key (PKSession) by a certificate (CPK) of the public group key (PK), which certificate is stored in the data carrier, by the terminal device checking the certificate (CpK) and reconstructing the derivation of the public session key (PKSession) from the public group key (PK) via the public key (PKi) individual to the data carrier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 16)
- - 2. The method according to claim 1, wherein the terminal device verifies the public session key (PKSession) by the certificate (CPK) of the public group key (PK), which certificate is stored in the data carrier, by the terminal device first checking the certificate (CPK) and thereafter reconstructing the derivation of the public session key (PKSession) from the public group key (PK) via the public key (PKi) individual to the data carrier.
  - 3. The method according to claim 1, wherein the public key (PKi) individual to the data carrier and the secret key (SKi) individual to the data carrier are derived from the public group key (PK) and the secret group key (SK), respectively, and stored in the data carrier in a personalization phase of the data carrier.
  - 4. The method according to claim 1, wherein the secret key (SKi) individual to the data carrier is derived from the secret group key (SK) while using a first random number (RNDi).
  - 5. The method according to claim 1, wherein the public session key and the secret session key (SKSession) are derived from the public key (PKi) individual to the data carrier and the secret key (SKi) individual to the data carrier, respectively, while using a second random number (RNDSession).
  - 6. The method according to claim 1, including the steps of agreeing on a communication key (KK) between the data carrier and the terminal device while using the public session key (PKSession) and the secret session key (SKSession) of the data carrier as well as a public terminal key and a secret terminal key of the terminal device;
    - wherein the communication key (KK) is agreed on by a Diffie-Hellman key exchange method which is based on a specified primitive root (g) modulo a specified prime number,the secret key (SKi) individual to the data carrier is derived from the secret group key (SK) by multiplication by the first random number (RNDi), andthe public key (PKi) individual to the data carrier formed (TS32) by exponentiation of the primitive root (g) by the secret key individual to the data carrier (SKi),wherein the public group key (PK) is formed by exponentiation of the primitive root (g) by the secret group key (SK).
  - 7. The method according to claim 1, wherein the secret session key (SKSession) is derived by multiplication of the secret key (SKi) individual to the data carrier by the second random number (RNDSession) and the public session key (PKSession) is derived by exponentiation of the public key (PKi) individual to the data carrier by the second random number (RNDSession).
  - 8. The method according to claim 1, wherein the data carrier sends to the terminal device the public session key (PKSession) the product (RNDi*RNDSession) of the first random number (RNDi) and the second random number (RNDSession) as well as the certificate (CPK) of the public group key (PK).
  - 9. The method according to claim 1, wherein the terminal device, for verifying the public session key (PKSession) forms an exponentiation of the public group key (PK) by the product (RNDi*RNDSession) of the first random number (RNDi) and the second random number (RNDSession).
  - 10. The method according to claim 1, wherein, for deriving public keys (PKi) individual to the data carrier and secret keys (SKi) individual to the data carrier of a plurality of different data carriers, the same public and secret group keys (PK;
    - SK) are respectively used.
  - 16. The method according to claim 1, wherein the data carrier stores the certificate (CPK) of the public group key (PK), the certificate (CPK) of the public group key (PK) being configured to be used by the terminal device in the authentication of the portable data carrier.

11. A portable data carrier, comprising:
- a processor, a memory, a data communication interface, and an authentication device,wherein the data communication interface is configured to provide data communication with a terminal device, andwherein the authentication device is configured toderive a public session key (PKSession) from a public key (PKi) individual to the data carrier that is stored in the memory, the public key (PKi) being derived from a public group key (PK),derive a secret session key (PKSession) from a secret key (SKi) individual to the data carrier that is stored in the memory, the secret key (SKi) being derived from a secret group key (SK), andanonymously authenticate the data carrier to the terminal device using the secret session key (SKSession) within the framework of an authentication to the terminal device, andwherein the data carrier stores a certificate (CPK) of the public group key (PK), the certificate (CPK) of the public group key (PK) being configured to be used by the terminal device in the authentication of the portable data carrier for verifying the public session key (PKSession), by checking the certificate (CPK) and reconstructing the derivation of the public session key (PKSession) from the public group key (PK) via the public key (PKi) individual to the data carrier.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The data carrier according to claim 11, wherein the data carrier is configured to authenticate itself to a terminal device by:
    - deriving a public session key (PKSession) and a secret session key (SKSession) in the data carrier, the public session key (PKSession) being derived from a public key (PKi) individual to the data carrier, the public key (PKi) being derived from a public group key (PK), and the secret session key (SKSession) being derived from a secret key (SKi) individual to the data carrier, the secret key (SKi) being derived from a secret group key (SK); and
      
      anonymously authenticating the data carrier to the terminal device using the secret session key (SKSession) in the data carrier or the public session key (PKSession) in the terminal device.
  - 13. A terminal device for data communication with the portable data carrier recited in claim 11, wherein the terminal device is arranged, using a public terminal key and a secret terminal key, to agree on a communication key (KK) with the portable data carrier and to verify a public session key (PKSession) of the data carrier which has been derived from a public group key (PK) via a public key (PK) individual to the data carrier.
  - 14. The terminal device according to claim 13, wherein the terminal device is arranged to verify the public session key (PKSession) of the data carrier by the certificate (CPK) of the public group key (PK), said certificate being stored in the data carrier, by the terminal device first checking the certificate (CPK) and thereafter reconstructing the derivation of the public session key (PKSession) from the public group key (PK) via the public key (PKi) individual to the data carrier.
  - 15. A system comprising the portable data carrier recited in claim 12 and a terminal device for data communication with the portable data carrier,wherein the terminal device is arranged, using a public terminal key and a secret terminal key, to agree on a communication key (KK) with the portable data carrier and to verify a public session key (PKSession) of the data carrier which has been derived from a public group key (PK) via a public key (PK) individual to the data carrier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Giesecke + Devrient Mobile Security GmBH (Giesecke & Devrient GmbH)
Original Assignee
Giesecke & Devrient GmbH
Inventors
Eichholz, Jan, Meister, Gisela
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Nipa, Wasika

Application Number

US13/582,107
Publication Number

US 20120331302A1
Time in Patent Office

1,450 Days
Field of Search

None
US Class Current

713/182
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 2221/2103   Challenge-response

H04L 9/0844   with user authentication or...

H04L 9/0877   using additional device, e....

Method for authenticating a portable data carrier

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method for authenticating a portable data carrier

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links