CA2157011C - Method for two-way public key authentication and key agreement for low-cost terminals - Google Patents
Method for two-way public key authentication and key agreement for low-cost terminals
- Publication number
- CA2157011C
- Authority
- CA
- Canada
- Prior art keywords
- server
- terminal
- party
- signature
- certificate
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Lifetime
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/36—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes
- G06Q20/367—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes
- G06Q20/3674—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes involving authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L9/0841—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
- H04L9/0844—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3249—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme
Abstract
A method for achieving mutual authentication and session key agreement between a first party (12) that has minimal computational resources and a second party (18) that has substantial resources uses a modular square root operation for certificate authentication and key distribution and an ElGamal, NIST DSS, or other efficient signature operation for obtaining the signature of a message. The second party (18) is connected to a switching system (23) in a central office (22).
Description
METHOD FOR TWO-WAY PUBLIC KEY AUTHENTICATION AND
KEY AGREEMENT FOR LOW-COST TERMINALS
Field of the Invention
The present invention relates to a method for achieving mutual authentication and session key agreement between a pair of parties using public key cryptography. In particular, the present invention is applicable to a system wherein one of the parties is computationally weak, i.e., has a minimum of computational capability, and one of the parties is computationally strong, i.e., has a much larger computational capability. In a preferred embodiment of the present invention, complete authentication and session key agreement is achieved between two parties without the exchange of any permanent secrets through the use of only three real-time large modular multiplications performed at the computationally weak party. In contrast, prior art methods for achieving mutual authentication and session key agreement with the same level of security require on the order of 200 real-time large modular multiplications at the computationally weak party.
Background of the Invention
In a portable communication system, users carry low power, low cost, portable digital radio telephone terminals from place to place during and between calls.
WO 94/21067 PCT/US94/01968
Some portable terminals employ a Digital Signal Processor to implement the complicated algorithms that are needed to code speech at low bit rate. Other portable terminals utilize a custom chip for the low bit rate encoding of speech and include a low power microcontroller for handling signalling protocols and other miscellaneous tasks. In either case, a portable terminal must operate for long periods of time on small batteries, and a low power implementation of all signal processing operations inside the portable terminal is important. Accordingly, there is a limit on the complexity of any signal processing operation which can take place inside the portable terminal in a short period of time.
In a portable communication system, the portable radio terminals access the local telephone exchange network via a suitably dense matrix of shoebox sized radio ports which are located on utility poles or in buildings. Each port comprises a radio modem. Each port is in turn connected back to the telephone network switching system by way of a server in the form of a port control unit, which may be located in a central office building. A port control unit performs a variety of processing functions, including converting between a format suitable for use on the radio link between the portable terminal and the radio ports and a format suitable for use in the telephone network switching system.
The portable communication system may be described as being computationally asymmetric. By this it is meant that each connection has a computationally weak party in the form of the terminal -- i.e., a party with small computational resources -- and a computationally strong party in the form of the server -- i.e., a party with large computational resources.
Thus algorithms which are used in such an asymmetric system should preferably be computationally asymmetric, i.e., the algorithm should require only a minimum of processing on the computationally weak side while more substantial processing is performed on the computationally strong side.
Because a portable communication system transmits conversations between portable telephone terminals and an array of fixed location ports via radio, the conversations of a portable communication system are more susceptible to eavesdropping than are the conversations of a wireline network.
In addition, unlike wireline telephones, which are tied to a particular wire pair on a particular network, portable telephone terminals roam from place to place and access the network via different ports at different times. The lack of association between user and particular physical location can make a portable communication system vulnerable to attempts at the fraudulent acquisition of services.
The present invention is particularly concerned with message encryption (i.e., the encryption of conversation content), key agreement and distribution (i.e., distribution of the keys required by message encryption techniques) and authentication (i.e., ensuring that a service request is legitimate). In particular, the present invention is concerned with foiling the eavesdropper, i.e., one who utilizes radio equipment to intercept the radio transmissions between the portable terminals and the ports.
Another problem which characterizes portable communication systems is the problem of user traceability. Specifically, if a user transmits identifying information in the clear, it is possible for an eavesdropper to determine the location of the user, so that privacy with respect to a user's location is not maintained. The present invention also relates to maintaining the privacy of a user location.
Eavesdropping can be thwarted through the use of a message encryption technique. A message encryption technique employs an encipherment function which utilizes a number referred to as a session key to encipher data (e.g., conversation content).
Only the portable terminal and the specific port control unit with which the portable terminal is in communication should have knowledge of the session key, so that only the proper portable terminal and the port control unit, as paired on a particular conversation, can encrypt and decrypt digital signals. Two examples of encipherment functions are the National Bureau of Standards Data Encryption Standard (DES) (see, e.g., National Bureau of Standards, "Data Encryption Standard", FIPS PUB 46, 1977) and the more recent Fast Encipherment Algorithm (FEAL) (see, e.g., A. Shimizu and S. Miyaguchi, "FEAL-Fast Data Encipherment Algorithm," Systems and Computers in Japan, Vol. 19, No. 7, 1988 and S. Miyaguchi, "The FEAL Cipher Family", Proceedings of CRYPTO '90, Santa Barbara, CA, August, 1990). One way to use an encipherment function is the electronic codebook technique. In this technique a plain text message m is encrypted to produce the cipher text message c using the encipherment function f by the formula c = f(m, sk), where sk is a session key. The cipher text message c can only be decrypted with knowledge of the session key sk, to obtain the plain text message m = f^-1(c, sk).
One problem with the use of the encipherment functions such as DES and FEAL in a portable communication system is the problem of session key agreement.
In the conventional session key agreement technique, each portable terminal i has a secret key k_i known only to it and a cryptographic database DB. Similarly, each port control unit j has a secret key k_j, known only to it and the cryptographic database DB. At the start of a communication session, the portable terminal i sends a service request and its identity i in the clear to a port control unit j. The port control unit sends the pair (i, j) to the cryptographic database DB. The DB picks a random session key sk and sends to the port control unit j the pair c_i, c_j where c_i = f(k_i, sk) and c_j = f(k_j, sk). The port control unit j deciphers c_j to find sk and sends c_i to the portable terminal i. The portable terminal i deciphers c_i to find sk. Now both the port control unit j and the portable terminal i are in possession of the session key sk. Thus, enciphered messages c = f(m, sk) can be transmitted back and forth between the portable terminal i and the port control unit j.
This approach has several advantages. First, the approach requires minimal power in the portable terminal because it utilizes only conventional cryptography. In particular, the computation power required to evaluate f and f^-1 is quite small.
In addition, the conventional key distribution approach is also self-authenticating because a portable telephone trying to impersonate the portable telephone i must know the ostensibly secret key k_i ahead of time.
On the other hand, the conventional key distribution protocol requires a database of secret cryptographic keys, which is hard to protect and maintain, and adds survivability and reliability problems to the system. A primary weakness is that a potential eavesdropper can obtain the key k_i for the portable telephone i once, and can subsequently intercept all of i's conversations without i knowing about it. This is the worst kind of damage that can occur: undetectable compromise of privacy. Also, the conventional key distribution protocol has a traceability problem. A portable terminal must announce its identity in the clear before a session key can be fetched from the database. Thus, an eavesdropper can determine the location of a particular portable.
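The database scheme just described, simulated as an added example (constructed for this page, not the patent's code), covering the electronic codebook formulas c = f(m, sk) and m = f^-1(c, sk) from the earlier paragraph and both weaknesses named here: the identity i crosses the air in the clear, and a passive listener who obtained k_i once recovers every later session key and conversation without the terminal noticing. DES and FEAL are replaced by a toy 4-round Feistel cipher built on SHA-256; the names feistel, f, call, eavesdrop and demo, the 16-byte keys and the sample conversation lines are this example's own choices.

```python
"""Constructed simulation (not the patent's code) of the database key distribution scheme and of the
two weaknesses the text names: the identity i crosses the air in the clear, and a listener who obtained
k_i once reads every later session. Toy cipher standing in for DES/FEAL; no real network."""
import hashlib
import secrets

def feistel(key, block, decrypt=False):
    """Toy 128-bit block cipher: 4-round Feistel with a SHA-256 round function. A keyed permutation, so
    running the rounds in reverse order is the inverse. Illustration only, not a real cipher."""
    L, R = block[:8], block[8:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        F = hashlib.sha256(key + bytes([i]) + R).digest()[:8]
        L, R = R, bytes(a ^ b for a, b in zip(L, F))
    return R + L

def f(key, data, decrypt=False):
    """Electronic codebook use of the cipher: the text's c = f(m, sk) and m = f^-1(c, sk) (16-byte multiples)."""
    return b"".join(feistel(key, data[k:k + 16], decrypt) for k in range(0, len(data), 16))

def call(db, i, j, conversation, radio):
    """One session. db holds every long-term key k_i / k_j, as the cryptographic database does (the terminal
    and the PCU each know only their own). radio collects what crosses the air interface; the DB <-> PCU leg
    is wireline and is not logged."""
    radio.append(("request", i.encode()))                   # service request: identity i in the clear
    sk = secrets.token_bytes(16)                            # DB picks the session key ...
    c_i, c_j = f(db[i], sk), f(db[j], sk)                   # ... and wraps it for both parties (DB -> PCU j)
    sk_j = f(db[j], c_j, decrypt=True)                      # PCU j unwraps its copy
    radio.append(("c_i", c_i))                              # PCU j -> terminal i
    sk_i = f(db[i], c_i, decrypt=True)                      # terminal i unwraps its copy
    assert sk_i == sk_j == sk
    radio.append(("traffic", f(sk, conversation)))          # enciphered conversation content
    return sk

def eavesdrop(radio, k_i):
    """Passive listener who obtained k_i once: sees who is calling (traceability) and recovers each sk from
    the c_i on the air, hence every conversation, with nothing for the terminal to notice."""
    who = [p.decode() for t, p in radio if t == "request"]
    keys = [f(k_i, p, decrypt=True) for t, p in radio if t == "c_i"]
    traffic = [p for t, p in radio if t == "traffic"]
    plain = [f(sk, ct, decrypt=True) for sk, ct in zip(keys, traffic)]
    return who, plain

def demo():
    """Two calls by terminal i, then the passive attack. Returns what the listener learned and the truth."""
    db = {"i": bytes(range(16)), "j": bytes(range(16, 32))}  # constructed long-term keys k_i, k_j
    msgs = [b"hello from terminal i, 32 bytes!", b"second call, same terminal, 32 b"]
    radio = []
    for m in msgs:
        call(db, "i", "j", m, radio)
    return eavesdrop(radio, db["i"]), msgs
```

demo() returns what the listener learned (the identities it saw and the decrypted conversations) beside the true messages; the only thing keeping k_i secret is the database itself, which is exactly the weakness the text attributes to this scheme.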
Another approach to session key distribution and party authentication in a portable communication system is to use public key cryptographic techniques. In a typical public key cryptographic system, each party i has a public key P_i and a secret key S_i. The public key P_i is known to everyone, but the secret key S_i is known only to party i. A message m to user i is encrypted using a public operation which makes use of the public key known to everyone, i.e., c = P(m, P_i), where c is the encrypted message, m is the clear text message, P_i is the public key and P signifies the public operation. However, this message is decrypted using an operation which makes use of the secret key S_i, i.e., m = S(c, S_i), where S signifies the secret operation. Only the party i which has the secret key S_i can perform the operation to decrypt the encrypted message.
Public key cryptographic techniques can be used for the distribution of session keys to the parties in a portable communication system. Public key cryptographic techniques can also be used for party authentication in a portable communication system.
One way to use public key cryptography for authentication is to use a signature system. If it is true that P(S(m, S_i), P_i) = m, then the owner of the corresponding keys P_i, S_i could sign message m by producing c = S(m, S_i). The verifier, given m and c, will verify m = P(c, P_i). A signature system could be used for verification as follows: if it is well known that party i's public key is P_i and some party claims to be i, challenge the party claiming to be i with message m and ask the party to sign the message m using his secret key S_i; then verify the signature using P_i.
Another aspect of party authentication relates to authentication of a party's public key P_i. A user claiming to be i can provide his public key provided it is certified by a trusted central authority such as a network administrator.
The trusted central authority itself has a well known public key P_u. The certification is a signature of the trusted authority on a linkage between the user's identification i and his public key P_i.
the highest level of security for session key distribution and mutual party authentication based on public key cryptography:
1) avoids the use of an on-line centralized database of secret information,
2) hides the identity of a user from an eavesdropper,
3) achieves mutual authentication and session key agreement between the parties, in such a way that they do not exchange any permanent secrets.
To achieve this highest level of security using RSA, the most well-known public key algorithm (see e.g., R.L. Rivest, A. Shamir, L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", Communications of the ACM, vol. 21, no. 2, pp. 120-126, February 1978), each of the parties must perform on the order of 200 large modular multiplications (where the numbers involved are over 500 bits in length). Using algorithms described in the prior art, this highest level of security requires about 200 modular multiplications.
The problem with these prior art algorithms is that a large amount of computation is required by both parties.
This is not suitable in an asymmetric system wherein one side (e.g., the terminal or portable telephone) has only weak computational resources and the other side (e.g., the server or port control unit) has strong computational resources. The prior art algorithms are not sufficiently asymmetric: they do not allow only a very small amount of computation to be performed on the weak side.
Accordingly, it is an object of the present invention to provide a public key cryptographic method for key distribution and mutual party authentication with a high level of security in an asymmetric system where one of the parties is computationally weak and the other party is computationally strong.
Summary of the Invention
The present invention is directed to a method for achieving mutual authentication and session key distribution for a communication session between two parties where the first party is computationally weak, i.e., has limited computational resources, and the second party is computationally strong, i.e., has substantial computational resources. For example, the first party may be a terminal in the form of a portable telephone and the second party may be a server in the form of a port control unit in a wireless personal communication system.
In accordance with the invention, two highly asymmetric public key cryptographic operations are utilized. A modular square root operation is used for certificate authentication and session key distribution. An ElGamal signature operation (see, e.g., T. ElGamal, "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", IEEE Trans. IT, Vol. IT-31, No. 4, July 1985, pp. 469-472) is used to obtain and verify the signature of the computationally weak party. When these operations are used, the entire mutual authentication and session key distribution method requires only three real-time modular multiplications at the computationally weak party. The modular square root and ElGamal operations are extremely well suited for the asymmetrical system described above. They utilize encryption operations which require little real-time computation power and which can be performed at the computationally weak party, while the inverse decryption operations, which require significant computational power, can be performed at the computationally strong party.
In accordance with a preferred embodiment of the inventive method, in a first phase, a public key of the server (computationally strong side) as well as a certificate of the server is transmitted to the terminal (computationally weak side). The certificate of the server is verified. A random number x = (x_L, x_R), where (x_L, x_R) signifies the concatenation of two numbers x_L and x_R, is chosen at the terminal and encrypted by squaring x using the public key of the server as a modulus (see, e.g., M.O. Rabin, "Digitalized Signatures and Public Key Functions as Intractable as Factorization", MIT Laboratory for Computer Science, TR 212, January 1979). The result is transmitted to the server, which inverts the squaring operation using its secret key. Thus, both sides are in possession of x.
Thus, x or $x_L$ or $x_R$ may be used as the session key. The number $x_L$ or $x_R$ may be transmitted back from the server to the terminal to verify that the server was in fact able to obtain x. In a later phase, a public key of the terminal and a certificate of the terminal are sent to the server encrypted conventionally using the session key. The terminal certificate is verified at the server. An ElGamal signature of a challenge from the network is computed at the terminal, is encrypted conventionally using the session key, and is transmitted to the server. The ElGamal signature operation is inverted at the server using the previously transmitted public key of the terminal to verify the signature. In an alternative embodiment, the National Institute of Standards and Technology (NIST) Digital Signature Standard (DSS) algorithm can be used as the signature scheme instead of an ElGamal scheme. In further alternative embodiments, any signature system which is efficient for the signer could be used in place of the ElGamal scheme. For example, the following systems may be used: Even, Goldreich and Micali (S. Even, O. Goldreich, S. Micali, "On-Line/Off-Line Digital Signature Schemes", in Advances in Cryptology - CRYPTO '89 Proceedings, G. Brassard (ed.), Lecture Notes in Computer Science, Vol. 435, Springer-Verlag, 1990, pp. 263-275), Schnorr (C.P. Schnorr, "Efficient Signature Generation by Smart Cards", Journal of Cryptology, Vol. 4, No. 3, 1991, pp. 161-174), Shamir (A. Shamir, "An Efficient Identification Scheme Based on Permuted Kernels - Extended Abstract", Proceedings of CRYPTO '89, G. Brassard, Ed., LNCS 435, pp. 606-609), or Fiat and Shamir (A. Fiat, A. Shamir, "How to Prove Yourself: Practical Solutions to Identification and Signature Problems", Proceedings of CRYPTO '86, A.M. Odlyzko, Ed., LNCS 263, 1987, pp. 186-194).
In addition to requiring very little computational resources at the weak side party, the inventive method has some other significant advantages. The individual building blocks of the inventive method (modular square root and ElGamal signature in the preferred embodiment) are made inseparable by using the session key obtained in the first phase to encrypt transmissions in the second phase, thereby protecting against the possibility of "cut in the middle" attacks. In addition, in a wireless personal communication system, the inventive method provides security against eavesdroppers and provides privacy of the user's location. No permanent secrets of an individual user are disclosed to the network and no secret information is stored in a vulnerable on-line database.
The invention has mainly been described in connection with a portable communication system and specifically a portable communication system wherein the portable terminals are portable telephones. However, it should be noted that the portable terminals may also be portable computers or portable fax machines or other devices which transmit data to and receive data from a port control unit of a portable communication system.
In general, the invention is applicable to any system wherein a terminal and a server communicate with one another in an environment where there is a need for session key distribution for encryption and mutual party authentication.
The invention is applicable especially where the computational resources of the terminal are much smaller than the computational resources of the server. For example, the terminal (i.e., weak side party) may be a smart card and the server (strong side party) may be a smart card base unit.
Alternatively, the terminal may be an Analog Display Services Interface (ADSI) terminal used for home banking, for example, and the server may be an ADSI cryptoserver. Another application could be a computer client/server system, where many client computers access a single server. It is possible that such clients and servers will have comparable computing power. In this case it may be advantageous to perform the "weak side" computations in the server to balance the computational load.
Brief Description of the Drawing
FIG 1 schematically illustrates a portable communication system.
FIG 2 schematically illustrates a session key distribution and mutual party authentication protocol according to an illustrative embodiment of the present invention.
Detailed Description of the Invention
The detailed description of the invention is divided into the following sections. Section A describes a portable communication system. Section B describes the Rabin modular square root public key operation. Section C describes the ElGamal signature operation. Section D describes public key certificates. Section E describes an illustrative session key distribution and mutual authentication protocol in accordance with an embodiment of the invention.
A. Portable Communication System
A portable communication system 10 is schematically illustrated in FIG 1. The system 10 comprises a plurality of low power, low cost portable digital radio terminals 12. The portable terminals 12 are carried from place to place by their users. Illustratively, the terminals 12 are portable telephones.
The portable terminals 12 communicate with the local exchange telephone system 20. The local exchange telephone system 20 is represented in FIG 1 by the central office 22, the central office 24, and the customer premises equipment 26 and 28 connected by wire lines 27 and 29, respectively, to the central office 22.
As indicated above, some portable telephones employ a Digital Signal Processor (DSP) to implement the complicated algorithms that are needed to code speech at low bit rates.
Other portable telephones utilize a custom chip for the low bit rate coding of speech and include a low power general purpose microcontroller for handling signalling protocols and other miscellaneous tasks. In any case, a portable telephone or other portable terminal must operate for long periods of time on small batteries and low power implementation of all signal processing operations inside the portable terminal is important.
The portable terminals 12 access the local exchange telephone system 20 via the ports 14. A specific portable terminal 12 and a specific port 14 communicate via a radio link, schematically illustrated in FIG 1 by the arrow 16. The ports 14 are typically of shoebox size and are located on utility poles or buildings. Each of the ports 14 comprises a simple radio modem.
The ports 14 connect back to the local exchange telephone system 20 via the lines 17 and the servers or port control units 18. The port control units 18 are generally located in a central office building and perform a variety of signal processing functions. Specifically, a port control unit 18 translates between a format suitable for transmission via the radio link 16 and a format suitable for use in the switching system 23 of the central office 22. Each port control unit 18 also does speech transcoding and performs signal processing necessary for encryption and decryption of messages over the radio link 16.
B. Rabin Modular Square Root Operation
Let p and q be two secret primes, and N = pq. Each user has a pair of secret and public keys, where the public key is a composite number, such as the above N, and the secret is its factorization p and q. To encrypt a message x, intended for the owner of the above keys, one computes
$y \equiv x^2 \bmod N$, (1)
i.e., just one large multiplication. It has been proven that computing x given y and N is as hard as factoring N and is therefore a difficult task unless the secret prime numbers p and q are known.
Given y, p and q it is easy to find x (at a cost equivalent to about 200 large multiplications). Specifically, primes p and q are used such that $p \equiv q \equiv 3 \bmod 4$ to find $x = x_p \bmod p$ and $x = x_q \bmod q$. It is easy to see, using Fermat's little theorem, that if
$x_p \equiv y^{(p+1)/4} \bmod p$, and $x_q \equiv y^{(q+1)/4} \bmod q$, (2)
then
$x_p^2 \equiv y \bmod p$, (3)
$x_q^2 \equiv y \bmod q$, (4)
from which, using Chinese Remaindering, there can be computed
$x \equiv x_p \cdot q \cdot q_i + x_q \cdot p \cdot p_i \bmod pq$, (5)
where $q_i$ and $p_i$ have been chosen so that
$q_i \equiv q^{-1} \bmod p$, and $p_i \equiv p^{-1} \bmod q$. (6)
Note that there is an ambiguity in using this technique for encryption, because if $x_p$ is a solution to (3), then so is $-x_p \bmod p$. Likewise, if $x_q$ is a solution to (4), then so is $-x_q \bmod q$. Thus the congruence (1) usually has four solutions.
To resolve this ambiguity, x is chosen by the sender to contain some previously-agreed-upon pattern. The decrypting party then selects this "colored" solution. For example, if x contains all zeroes in the least significant 30 bits, there is roughly a one in a billion probability that the ambiguity will remain, in which case the protocol can simply be aborted and re-executed.
As used herein, the above procedure for solving Eq. (1) for x given y is denoted as
$x \equiv \sqrt{y} \bmod N$. (7)
This technique can also be used to generate an unforgeable signature. To create a signature on message m, a user with widely-known public key N (which is the product of secret primes p and q) can compute signature s as
$s \equiv \sqrt{m} \bmod N$ (8)
using the secret keys p and q in accordance with the procedure shown above. Any party wishing to verify the signature just checks whether the above congruence is true, i.e., whether $s^2 \equiv m \bmod N$. This verification requires only a single modular multiplication. On the other hand, it is computationally infeasible to forge a signature because the potential forger must know the secret keys p and q, the factors of N. For this signature scheme no coloring is needed for the signature; however, coloring is needed for the message, to prevent the Rabin "paradox" attack (S. Goldwasser, S. Micali, R.L. Rivest, "A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks", SIAM J. on Comput., Vol. 17, No. 2, 1988, pp. 281-308). This attack is feasible whenever the victim is willing to extract modular square roots of any arbitrary integer and expose the result to the attacker.
Also, the victim has to choose one of the possible roots at random, i.e., if the "correct" root is colored, and the victim returns the colored root then the attack will fail. Otherwise, this attack leads to efficient factorization of the victim's modulus. In the inventive protocol this attack is not feasible.
C. ElGamal Signatures
Let $P_a$ and $s_a$ be the public and secret keys of user a, where $P_a \equiv \alpha^{s_a} \bmod N_s$. $N_s$, the ElGamal signature modulus, is either prime or composed of the product of two primes, and $\alpha$ is a generator of the maximal cyclic subgroup of the multiplicative group of integers modulo $N_s$, $Z^*_{N_s}$ (see, e.g., N. Koblitz, "A Course in Number Theory and Cryptography," Springer Verlag, 1987, p. 32). An ElGamal signature (see, e.g., T. ElGamal, "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", IEEE Trans. IT, Vol. IT-31, No. 4, July 1985, pp. 469-472) by user a on message m is an ordered pair (v, w) for which
$P_a^v \cdot v^w \equiv \alpha^m \bmod N_s$. (9)
Thus a recipient of a signature can easily verify it. To create a signature, user a chooses a random number r and computes $v \equiv \alpha^r \bmod N_s$. From (9) it follows that
$s_a \cdot v + r \cdot w \equiv m \bmod \varphi(N_s)$, (10)
where $\varphi(N_s)$ is the Euler totient function. It follows that a, who (is the only one who) knows $s_a$, can compute w, provided $\gcd(r, \varphi(N_s)) = 1$, where gcd means greatest common divisor.
It is believed to be hard for anybody not knowing $s_a$ to forge a signature on a pre-specified message, provided certain precautions are taken.
Since r, v, $r^{-1}$ and $s_a \cdot v$ could be prepared ahead of time (they are independent of the message to be signed), the only significant on-line (i.e., real-time) operation is the multiplication by $r^{-1}$ in
$w = (m - s_a \cdot v) \cdot r^{-1} \bmod \varphi(N_s)$. (11)
It is important to note that the value r, chosen randomly by the signer, must change with every signature. Otherwise the signer's secret $s_a$ can be revealed.
D. Public Key Certificates
Public key certificates are the signature of a trusted authority on the linkage of an identity and the corresponding claimed public key. There is a Central Authority (CA) with a secret key $p_u$ and $q_u$ and public key $N_u = p_u \cdot q_u$. The Central Authority is an off-line trusted entity. When a terminal (e.g., portable communication unit) or network server (e.g., port control unit) is initialized, it is given a unique identity i; it chooses its own secret key, $p_i, q_i$ or $s_i$, and computes the corresponding public key, either $N_i$ in accordance with the Rabin modular square root scheme, or $P_i$ in accordance with the ElGamal scheme.
The CA then provides the terminal or server with its signature on a linkage between i and $N_i$ in the case of a Rabin scheme (or i and $P_i$ in ElGamal). A linkage can be a one-way hashing of the concatenation of the involved items. During a communication session, a terminal with ElGamal public key $P_i$ sends its identity, public key, and certificate to the network server. Once the certificate is verified by the server, a process which requires one squaring modulo $N_u$ and which proves that the CA agreed to the linkage between the identity and public key, the terminal can prove its identity by performing a signature on a random challenge message m using the secret key associated with $P_i$. Similarly, the server can send its identity, public key, and certificate to the terminal. The terminal can square the certificate modulo $N_u$ to confirm the linkage, and send a message to the server, encrypted with the server's verified public key. The server can prove its identity by performing the secret operation (decryption) associated with the public key.
E. Session Key Distribution and Mutual Authentication Protocol
FIG 2 illustrates a session key distribution and mutual authentication protocol in accordance with an embodiment of the invention. The protocol may be used at the start of each communication session between a computationally weak terminal (e.g., portable communication unit, ADSI terminal, smart card) and a computationally strong network server (e.g., port control unit, ADSI network cryptoserver, smart card base unit).
To use the protocol, the terminal and server are assumed to be initialized. When the server is initialized (part (a) of FIG 2), it picks a Rabin secret key $p_j, q_j$ and a corresponding public key $N_j = p_j \cdot q_j$. The public key $N_j$ is transmitted to the central authority u. The central authority picks a unique identity j for the server. The central authority also computes the certificate $c_j$, which is illustratively a Rabin signature (i.e., modular square root) on $h(j, N_j)$, where h represents a hashing of a linkage comprised of j and $N_j$, i.e., $c_j \equiv \sqrt{h(j, N_j)} \bmod N_u$, where $N_u = p_u q_u$ is the modulus of the central authority u. The central authority then transmits j, $c_j$, $\alpha$ (the ElGamal generator), $N_s$ (the ElGamal modulus) and $N_u$ to the server j. The server then stores j, $c_j$, $N_j$, $\alpha$, $N_s$ and $N_u$.
When a terminal (part (b) of FIG 2) is initialized, the central authority picks and transmits a unique identity i to the terminal. The central authority also transmits $\alpha$, $N_s$ and $N_u$ to the terminal. The terminal i chooses a secret key $s_i$ and generates the associated public key $P_i$ in accordance with the ElGamal operation described above. The public key $P_i$ is transmitted to the central authority u. The central authority u provides the terminal i with a certificate in the form of a Rabin signature (i.e., modular square root) on $h(i, P_i)$, i.e., $c_i \equiv \sqrt{h(i, P_i)} \bmod N_u$. The terminal i also stores $N_u$, the public key of the central authority u, together with $c_i$, $s_i$, $P_i$ and $N_s$.
Part (c) of FIG 2 shows the precomputation that is performed once per protocol execution but prior to the actual time of protocol execution. The precomputation is required for the ElGamal signature operation. To perform the precomputation, the terminal i picks a random number r and computes and stores $v \equiv \alpha^r \bmod N_s$, $r^{-1} \bmod \varphi(N_s)$, and $s_i \cdot v \bmod \varphi(N_s)$.
At the start of a communication session, as shown in part (d) of FIG 2, the network server sends its identity j, public key $N_j$ and certificate $c_j$ to the terminal. The terminal verifies the certificate $c_j$ by squaring it modulo the central authority's public key $N_u$. If it is correct, the terminal picks a random number x, considered to be a concatenation of two halves $x_L, x_R$ and a "color" (e.g., k leading or trailing zeros, as indicated by the symbol $0^k$). The terminal then encrypts x.
The encryption involves performing an operation $y = \sigma(x)$ which preferably involves only a single modular multiplication. For example, $y = \sigma(x) \equiv x^2 \bmod N_j$. The terminal then transmits y to the network server. The network server decrypts y by performing the operation $x = \sigma^{-1}(y) \equiv \sqrt{y} \bmod N_j$, chooses the root with the correct "color", and sends $x_L$ back to the terminal to prove it was able to decrypt and is therefore an authentic network server. Note that the Rabin "paradox" attack is infeasible here, because the server does not respond with an arbitrary root, but returns the same root that the terminal chose (and, in fact, only a portion, e.g., $x_L$, of that root). The number $x_R$, which is now known exclusively by both the terminal and the server, serves as a session key.
From this point on the protocol messages (and the ensuing conversation) are encrypted with a conventional cipher function using $x_R$ as the session key, in order to hide the identity of the terminal from an eavesdropper on the communication channel between the terminal and server. This is useful especially in a portable telephone, where customer location information should be hidden from an eavesdropper.
The terminal then sends its identity i, public key $P_i$ and certificate $c_i$ to the server. The server verifies the certificate by squaring it modulo the central authority's public key. The server then sends a random challenge to the terminal in the form of a message m. The terminal proves its identity by returning an ElGamal signature on the random challenge. The signature requires only one real-time modular multiplication in the terminal if the above-specified "pre-computations" are performed ahead of time. The server then verifies the signature.
A variation on this protocol is for each terminal to have its own public ElGamal modulus $N_{s_i}$ with secret prime factors $p_{s_i}$ and $q_{s_i}$ known only to that terminal. In this case, $N_{s_i}$ has to be transmitted to server j in order for the server j to invert the signature operation. Thus, the certificate $c_i$ of terminal i now takes the form $c_i \equiv \sqrt{h(i, P_i, N_{s_i})} \bmod N_u$ instead of $c_i \equiv \sqrt{h(i, P_i)} \bmod N_u$.
In another variation of this protocol, the third transmission of the real-time protocol (the transmission of the message $x_L$) is omitted, and instead the challenge (m) is required to have some agreed-upon pattern or "color". After decryption of the message transmitting m (using the conventional cipher with key $x_R$), party i verifies that the expected pattern is present. Party i aborts the protocol if the expected pattern is not present. This completes the authentication of the network side j by the terminal i. The remainder of the protocol executes as previously stated.
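The mechanics of sections B, C and E in one runnable toy, added here as an example and not part of the patent: Rabin root extraction (eqs. 2-6) with the colored-root selection, the ElGamal signature with its precomputed values (eqs. 9-11), the CA certificate of section D, and the part (d) exchange end to end. Assumed for the example, not stated by the page: Mersenne primes as toy-sized Rabin moduli, $N_s = 1019$, SHA-256 with a retry counter as the linkage hash h (the patent does not say how h is made a quadratic residue), constructed identities, and the conventional cipher layer over $x_R$ is left out.

```python
"""Toy end-to-end run of the protocol of sections B, C and E (added example, not the patent's code)."""
import hashlib
import math
import secrets

# Mersenne primes, all = 3 (mod 4) as section B requires; toy sizes chosen for this example.
P_U, Q_U = 2**89 - 1, 2**107 - 1      # central authority u: Rabin signing key
P_J, Q_J = 2**61 - 1, 2**127 - 1      # server j: Rabin decryption key
N_U, N_J = P_U * Q_U, P_J * Q_J
N_S = 1019                            # ElGamal modulus N_s: safe prime 2*509 + 1 (toy size)
PHI_S = N_S - 1                       # phi(N_s) for a prime modulus
ALPHA = next(g for g in range(2, N_S)  # generator of Z*_{N_s}: its order is neither 2 nor 509
             if pow(g, 2, N_S) != 1 and pow(g, 509, N_S) != 1)
HALF, K = 64, 32                      # bits in each half x_L, x_R and in the zero "color" 0^k

def rabin_roots(y, p, q):
    """All four roots of x^2 = y (mod pq), eqs. (2)-(6): CRT of the +-roots mod p and mod q."""
    xp, xq = pow(y, (p + 1) // 4, p), pow(y, (q + 1) // 4, q)      # eq. (2)
    qi, pi = pow(q, -1, p), pow(p, -1, q)                           # eq. (6)
    return {(a * q * qi + b * p * pi) % (p * q)                     # eq. (5)
            for a in (xp, p - xp) for b in (xq, q - xq)}

def colored_root(y, p, q, k):
    """sigma^-1 of section E: the single root ending in k zero bits, or None (abort, re-run)."""
    cand = [r for r in rabin_roots(y, p, q) if r % (1 << k) == 0]
    return cand[0] if len(cand) == 1 else None

def is_qr(h, p, q):
    """Euler's criterion modulo both primes: h has a square root mod pq."""
    return pow(h, (p - 1) // 2, p) == 1 and pow(h, (q - 1) // 2, q) == 1

def linkage(n, ctr, *items):
    """h(...) of section D: SHA-256 (assumed) of the concatenated items plus a counter, mod N_u."""
    data = b"|".join(str(v).encode() for v in items) + ctr.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def ca_certify(*items):
    """Certificate c = sqrt(h) mod N_u. Assumption: bump a counter until h is a quadratic residue."""
    for ctr in range(1 << 20):
        h = linkage(N_U, ctr, *items)
        if is_qr(h, P_U, Q_U):
            return ctr, min(rabin_roots(h, P_U, Q_U))
    raise RuntimeError("no quadratic residue found")

def cert_ok(cert, *items):
    """Certificate check: one squaring modulo N_u (section D)."""
    ctr, c = cert
    return pow(c, 2, N_U) == linkage(N_U, ctr, *items)

def elgamal_precompute(s):
    """Part (c) of FIG 2: r, v = alpha^r, r^-1 and s*v; none depends on the message."""
    while True:
        r = secrets.randbelow(PHI_S - 1) + 1
        if math.gcd(r, PHI_S) == 1:                 # r^-1 mod phi(N_s) must exist
            v = pow(ALPHA, r, N_S)
            return v, pow(r, -1, PHI_S), (s * v) % PHI_S

def elgamal_sign(m, pre):
    """Eq. (11): w = (m - s*v) * r^-1 mod phi(N_s); the one real-time multiplication."""
    v, r_inv, sv = pre
    return v, ((m - sv) * r_inv) % PHI_S

def elgamal_verify(m, pk, sig):
    """Eq. (9): P^v * v^w = alpha^m (mod N_s)."""
    v, w = sig
    return (pow(pk, v, N_S) * pow(v, w, N_S)) % N_S == pow(ALPHA, m, N_S)

def run_protocol():
    """Parts (a), (b), (d) of FIG 2; returns (server authenticated?, terminal authenticated?, x_R)."""
    j, i = "pcu-07", "handset-42"                         # constructed identities
    cert_j = ca_certify(j, N_J)                           # (a) CA signs h(j, N_j)
    s_i = secrets.randbelow(PHI_S - 1) + 1                # (b) terminal key pair
    p_i = pow(ALPHA, s_i, N_S)
    cert_i = ca_certify(i, p_i)                           #     CA signs h(i, P_i)
    pre = elgamal_precompute(s_i)                         # (c) off-line, ~200 multiplications
    # (d) server -> terminal: j, N_j, c_j; the terminal squares c_j modulo N_u
    if not cert_ok(cert_j, j, N_J):
        return False, False, None
    # terminal -> server: y = x^2 mod N_j with x = x_L || x_R || 0^k
    x_l, x_r = secrets.randbits(HALF), secrets.randbits(HALF)
    x = ((x_l << HALF) | x_r) << K
    y = pow(x, 2, N_J)
    # server -> terminal: x_L, recovered via the colored root (only the server can do this)
    x_srv = colored_root(y, P_J, Q_J, K)
    if x_srv is None:
        return False, False, None                         # ambiguous color: abort and re-run
    server_ok = (x_srv >> (HALF + K)) == x_l
    key = (x_srv >> K) & ((1 << HALF) - 1)                # x_R, the session key on both sides
    # from here on the patent encrypts under x_R (cipher layer omitted); terminal -> server:
    # i, P_i, c_i; server squares c_i modulo N_u and returns a random challenge m
    if not server_ok or not cert_ok(cert_i, i, p_i):
        return server_ok, False, None
    m = secrets.randbelow(PHI_S)
    # terminal -> server: ElGamal signature on m; the server inverts it with P_i
    terminal_ok = elgamal_verify(m, p_i, elgamal_sign(m, pre))
    return server_ok, terminal_ok, key
```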
This protocol achieves full-fledged public key two-way authentication plus session key agreement, which is inseparable from the authentication process. All this is done at a cost of three on-line large multiplications for the computationally weak side (plus a few hundred off-line large multiplications, and potentially around 100 bytes of added memory). In comparison, RSA achieves this level of security at the cost of a few hundred large on-line (real-time) multiplications on both sides. For PCS handsets, this difference is crucial. Even for ADSI terminals, which do not have problems of power or space, this is important, because the complexity of the proposed protocol is low enough to provide good real-time performance without requiring a high-performance processor such as a Digital Signal Processor or special modular exponentiation circuitry in the terminal. Such a processor, which is required for adequate real-time performance with RSA, could increase the cost of a terminal by as much as $100.
For an 8-bit micro-controller, which would be expected to be present in PCS handsets and ADSI terminals, computation of a single modular multiplication takes on the order of 0.1 seconds. Analysis of this protocol shows that the handset or terminal must perform only 3 modular multiplications in real time, requiring around 0.3 seconds of processing time. (Compare this with roughly 20 seconds for RSA.) Processing time on the network side can be assumed negligible because the network is assumed to be computationally strong. Transmission time will add to the protocol execution time, but some messages can be combined to reduce transmission time while retaining the security of the protocol.
Note, however, that a precomputation on the order of 200 modular multiplications (20 seconds on an 8-bit micro) is required in the terminal for each execution of the protocol because the value r must change with every signature. This can be done well in advance, and the results stored for use in future transactions.
CONCLUSION
A protocol which enables session key agreement and mutual authentication between a terminal and a server has been disclosed. The protocol requires only minimal processing on one side. This makes the protocol ideal for PCS handsets, ADSI terminals, and smart cards. The protocol supports location/identity hiding, which is especially important for a PCS.
Finally, the above-described embodiments of the invention are intended to be illustrative only. Numerous alternative embodiments may be devised by those skilled in the art without departing from the scope of the following claims.
To achieve this highest level of security using RSA, the most well-known public key algorithm (see e.g., R.L. Rivest, A. Shamir, L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", Communications of the ACM, vol. 21, no. 2, pp. 120-126, February 1978), each of the parties must perform on the order of 200 large modular multiplications (where the numbers involved are over 500 bits in length). Using algorithms described in the prior art, this highest level of security requires about 200 modular multiplications.
The problem with these prior art algorithms is that a large amount of computation is required by both parties.
This is not suitable in an asymmetric system wherein one side (e.g., the terminal or portable telephone) has only weak computational resources and the other side (e.g., the server or port control unit) has strong computational resources. The prior art algorithms are not sufficiently asymmetric that only a very small amount of computation needs to be performed on the weak side.
Accordingly, it is an object of the present invention to provide a public key cryptographic method for key distribution and mutual party authentication with a high level of security in an asymmetric system where one of the parties is computationally weak and the other party is computationally strong.
Summary of the Invention The present invention is directed to a method for achieving mutual authentication and session key distribution for a communication session between two parties where the first party is computationally weak, i.e., has limited computational ~, ,~1 WO94/21067 215 ~ n 1 1 PCT~S94/01968 resources, and the second party is computationally strong, i.e., has s~bstantial computational resources. For example, the first party may be a terminal in the form of a portable telephone and the second party may be a server in the form of a port control unit in a wireless personal communication system.
In accordance with the invention, two highly asymmetric public key cryptographic operations are utilized. A modular square root operation used for certificate authentication and session key distribution. An ElGamal signature operation (see, e.g., T. ElGamal, "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", IEEE Trans. IT, Vol. IT-31, No. 4, July 1985, pp. 469-472) is used to obtain and verify the signature of the computationally weak party. When these operations are used the entire mutual authentication and session key distribution method requires only three real-time modular multiplications at the computationally weak party. The modular square root and ElGamal operations are extremely well suited for the asymmetrical system described above. They utilize encryption operations which require little real-time computation power and which can be performed at the computationally weak side portion, while the inverse decryption operations which require significant computational power can be performed at the computationally strong side party.
In accordance with a preferred embodiment of the inventive method, in a first phase, a public key of the server (computationally strong side) as well as a certificate of the server is transmitted to the terminal (computationally weak side). The certificate of the server is verified. A random number x=(xL,x~) where (xL~x~) signifies the concatenation of two numbers xL and x~ is chosen at the terminal and encrypted by squaring x using the public key of the server as a modulus (see, e.g., M.O. Rabin, "Digitalized Signatures and Public Key Functions as Intractable as Factorization", MIT Laboratory for Computer Science, TR 212, January 1979). The result is WO94121067 PCT~S94/01968 transmitted to the server which inverts the squaring operation using its secret key. Thus, both sides are in possession of x.
Thus, x or XL or XR may be used as the session key. The number x, or XR may be transmitted back from the server to the terminal to verify that the server was in fact able to obtain x. In a later phase, a public key of the terminal and a certificate of the terminal are sent to server encrypted conventionally using the session key. The terminal certificate is verified at the server. An ElGamal signature of a challenge from the network is computed at the terminal, is encrypted conventionally using the session key, and is transmitted to the server. The ElGamal signature operation is inverted at the server using the previously transmitted public key of the terminal to verify the signature. In an alternative embodiment, the National lS Institute of Standards in Technology (NIST) Digital Signature Standard (DSS) algorithm can be used as the signature scheme instead of using an ElGamal scheme. In further alternative embodiments, any signature system which is efficient for the signer could be used in place of the ElGamal scheme. For example, the following systems may be used: Even Goldreich and Micali (S. Even, O. Goldreich, S. Micali, "On-Line~Off-Line Digital Signature Schemes", in "Advances in Cryptology-CRYPTO
'89 Proceedings," G. Brassard (ed.), Lecture Notes in Computer Science, Vol. 435, Springer-Verlag, 1990,pp. 263-275.), Schnorr (C.P. Schnorr, "Efficient Signature Generation by Smart Cards", "Journal of Cryptology, Vol. 4, No. 3, l9gl, pp. 161-174), Shamir (A. Shamir, "An Efficient Identification Scheme Based on Permuted Kernels-Extended Abstract", Proceedings of CRYPTO '89, G. 8rassard, Ed., LNCS 435,pp. 606-609), or Fiat and Shamir (A.
Fiat, A. Sh~ir, "How to Prove Yourself: Practical Solutions to Identification and Signature Problems", Proceedings of CRYPTO
'86, A.M. Odlyzko, Ed., LNCS 263, 1987, pp. 186-194).
WO94121067 21~ ~ O 11 PCT~S94/01968 In addition to requiring very little computational resources at the weak side party, the inventive method has some other significant advantages.~-The individual buildlng blocks of the inventive method (moduiar square root and ElGamal signature in the preferred) are made inseparable by using the session key obtained in the first phase to encrypt transmissions in the second phase, thereby protecting against the possibility of "cut in the middle" attacks. In addition, in a wireless personal communication system, the inventive method provides security against eavesdroppers and provides privacy of the user's location. No permanent secrets of an individual user are disclosed to the network and no secret information is stored in a vuinerable on-line database.
The invention has mainly been described in connection with a portable communication system and specifically a portable communication system wherein the portable terminals are portable telephones. However, it should be noted that the portable terminals may also be portable computers or portable fax machines or other devices which transmit data to and receive data from a port control unit of a portable communication system.
In general, the invention is applicable to any system wherein a terminal and a server communicate with one another in an environment where there is a need for session key distribution for encryption and mutual party authentication.
The invention is applicable especially where the computational resources of the terminal are much smaller than the computational resources of the server. For example, the terminal (i.e., weak side party) may be a smart card and the server (strong side party) may be a smart card base unit.
Alternatively, the terminal may be an Analog Display Services Interface (ADSI) terminal used for home banking, for example, and the server may be an ADSI cryptoserver. Another application could be a computer client/server system, where WO94/21067 215 7 01 1 PCT~S94/01968 many client computers access a single server. It is possible that such clients and servers wi}l have comparable computing power. In this case it may be advantageous to perform the "weak side" computations in the server to balance the computational load.
Brief Description of the Drawing FIG 1 schematically illustrates a portable communication system.
FIG 2 schematically illustrates a session key distribution and mutual party authentication protocol according to-an illustrative embodiment of the present invention.
Detailed Descri~tion of the Invention The detailed description of the invention is divided into the following sections. Section A describes a portable communication system. Section B describes the Rabin modular square root public Xey operation. Section C describes ElGamal signature operation. Section D describes public key certificates. Section E describes an illustrative session key distribution and mutual authentication protocol in accordance with an embodiment of the invention.
A. Portable Communication Svstem A portable communication system 10 is schematically illustrated in FIG 1. The system 10 comprises a plurality of low power, low cost portable digital radio terminals 12. The portable terminals 12 are carried from place to place by their users. Illustratively, the terminals 12 are portable telephones.
The portable terminals 12 communicate with the local exchange telephone system 20. The local exchange telephone system 20 is represented in FIG 1 by the central office 22, the central office 24, and the customer premises equipment 26 and WO94/21067 21~ 7 011 PCT~S94/01968 28 connected by wire lines 27iand 29, respectively, to the central office 22.
As indicated above, some portable telephones employ a Digital Signal Processor (DSP) to implement the complicated algorithms that are needed to code speech at low bit rates.
Other portable telephones utilize a custom chip for the low bit rate coding of speech and include a low power general purpose microcontroller for handling signalling protocols and other miscellaneous tasks. In any case, a portable telephone or other portable terminal must operate for long periods of time on small batteries and low power implementation of all signal processing operations inside the portable terminal is important.
The portable terminals 12 access the local exchange telephone system 20 via the ports 14. A specific portable terminal 12 and a specific port 14 communicate via a radio link, schematically illustrated in FIG 1 by the arrow 16. The ports 14 are typically of shoebox size and are located on utility poles or buildings. Each of the ports 14 comprises a simple radio modem.
The ports 14 connect back to the local exchange telephone system 20 via the lines 17 and the servers or port control units 18. The port control units 18 are generally located in a central office building and perform a variety of signal processing functions. Specifically, a port control unit 18 translates between a format suitable for transmission via the radio link 16 and a format suitable for use in the switching system 23 of the central office 22. Each port control unit 18 also does speech transcoding and performs signal processing necessary for encryption and decryption of messages over the radio link 16.
B. Rabin Modular Square Root Operation
Let p and q be two secret primes, and $N = pq$. Each user has a pair of secret and public keys, where the public key is a composite number, such as the above N, and the secret is its factorization p and q. To encrypt a message x, intended for the owner of the above keys, one computes
$y \equiv x^2 \pmod N$, (1)
i.e., just one large multiplication. It has been proven that computing x given y and N is as hard as factoring N and is therefore a difficult task unless the secret prime numbers p and q are known.
Given y, p and q it is easy to find x (at a cost equivalent to about 200 large multiplications). Specifically, primes p and q are used such that $p \equiv q \equiv 3 \pmod 4$ to find $x \equiv x_p \pmod p$ and $x \equiv x_q \pmod q$. It is easy to see, using Fermat's little theorem, that if
$x_p \equiv y^{(p+1)/4} \pmod p$ and $x_q \equiv y^{(q+1)/4} \pmod q$, (2)
then
$x_p^2 \equiv y \pmod p$, (3)
$x_q^2 \equiv y \pmod q$, (4)
from which, using Chinese Remaindering, there can be computed
$x \equiv x_p \cdot q \cdot q_i + x_q \cdot p \cdot p_i \pmod{pq}$, (5)
where $q_i$ and $p_i$ have been chosen so that
$q_i \equiv q^{-1} \pmod p$ and $p_i \equiv p^{-1} \pmod q$. (6)
Note that there is an ambiguity in using this technique for encryption, because if $x_p$ is a solution to (3), then so is $-x_p \pmod p$. Likewise, if $x_q$ is a solution to (4), then so is $-x_q \pmod q$. Thus the congruence (1) usually has four solutions.
To resolve this ambiguity, x is chosen by the sender to contain some previously-agreed-upon pattern. The decrypting party then selects this "colored" solution. For example, if x contains all zeroes in the least significant 30 bits, there is roughly a one in a billion probability that the ambiguity will remain, in which case the protocol can simply be aborted and re-executed.
As used herein, the above procedure for solving Eq. (1) for x given y is denoted as
$x \equiv \sqrt{y} \pmod N$. (7)
This technique can also be used to generate an unforgeable signature. To create a signature on message m, a user with widely-known public key N (which is the product of secret primes p and q) can compute signature s as
$s \equiv \sqrt{m} \pmod N$ (8)
using the secret keys p and q in accordance with the procedure shown above. Any party wishing to verify the signature just checks whether the above congruence is true. This verification requires only a single modular multiplication. On the other hand, it is computationally infeasible to forge a signature because the potential forger must know the secret keys p and q, the factors of N. For this signature scheme no coloring is needed for the signature; however, coloring is needed for the message, to prevent the Rabin "paradox" attack (S. Goldwasser, S. Micali, R.L. Rivest, "A Digital Signature Scheme Secured Against Chosen Message Attacks", SIAM J. On Comput., Vol. 17, No. 2, 1988, pp. 281-308). This attack is feasible whenever the victim is willing to extract modular square roots of any arbitrary integer, and expose the result to the attacker.
Also, the victim has to choose one of the possible roots at random, i.e., if the "correct" root is colored, and the victim returns the colored root then the attack will fail. Otherwise, this attack leads to efficient factorization of the victim's modulus. In the inventive protocol this attack is not feasible.
C. ElGamal Signatures
Let $P_a$ and $s_a$ be the public and secret keys of user a, where $P_a \equiv \alpha^{s_a} \pmod{N_s}$. $N_s$, the ElGamal signature modulus, is either prime or composed of the product of two primes, and $\alpha$ is a generator in the maximal cyclic subgroup of the multiplicative group of integers modulo $N_s$, $Z^*_{N_s}$ (see, e.g., N. Koblitz, "A Course in Number Theory and Cryptography," Springer Verlag, 1987, p. 32). An ElGamal signature (see, e.g., T. ElGamal, "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", IEEE Trans. IT, Vol. IT-31, No. 4, July 1985, pp. 469-472) by user a on message m is an ordered pair (v, w) for which
$P_a^{v} \cdot v^{w} \equiv \alpha^{m} \pmod{N_s}$. (9)
Thus a recipient of a signature can easily verify it. To create a signature, user a chooses a random number r and computes $v \equiv \alpha^{r} \pmod{N_s}$. From (9) it follows that
$s_a \cdot v + r \cdot w \equiv m \pmod{\phi(N_s)}$ (10)
where $\phi(N)$ is the Euler totient function. It follows that a, who (is the only one who) knows $s_a$, can compute w, provided $\gcd(r, \phi(N)) = 1$, where gcd means greatest common divisor.
It is believed to be hard for anybody not knowing s, to forge a signature on a pre-specified message, given certain precautions are taken.
Since r, v, $r^{-1}$ and $s_a \cdot v$ could be prepared ahead of time (they are independent of the message to be signed), the only significant on-line (i.e., real-time) operation is the multiplication by $r^{-1}$ in
$w = (m - s_a \cdot v) \cdot r^{-1} \pmod{\phi(N_s)}$. (11)
It is important to note that the value r, chosen randomly by the signer, must change with every signature. Otherwise the signer's secret $s_a$ can be revealed.
D. Public Key Certificates
Public key certificates are the signature of a trusted authority on the linkage of an identity and the corresponding claimed public key. There is a Central Authority (CA) with a secret key $p_u$ and $q_u$ and public key $N_u = p_u \cdot q_u$. The Central Authority is an off-line trusted entity. When a terminal (e.g., portable communication unit) or network server (e.g., port control unit) is initialized, it is given a unique identity i, it chooses its own secret key, $p_i, q_i$ or $s_i$, and computes the corresponding public key, either $N_i$ in accordance with the Rabin modular square root scheme, or $P_i$ in accordance with the ElGamal scheme.
The CA then provides the terminal or server with its signature on a linkage between i and $N_i$ in the case of a Rabin scheme (or i and $P_i$ in ElGamal). A linkage can be a one-way hashing of the concatenation of the involved items. During a communication session, a terminal with ElGamal public key $P_i$ sends its identity, public key, and certificate to the network server. Once the certificate is verified by the server, a process which requires one squaring modulo $N_u$ and which proves that the CA agreed to the linkage between the identity and public key, the terminal can prove its identity by performing a signature on a random challenge message m using the secret key associated with $P_i$. Similarly, the server can send its identity, public key, and certificate to the terminal. The terminal can square the certificate modulo $N_u$ to confirm the linkage, and send a message to the server, encrypted with the server's verified public key. The server can prove its identity by performing the secret operation (decryption) associated with the public key.
E. Session Key Distribution and Mutual Authentication Protocol
FIG 2 illustrates a session key distribution and mutual authentication protocol in accordance with an embodiment of the invention. The protocol may be used at the start of each communication session between a computationally weak terminal (e.g., portable communication unit, ADSI, smart card) and a computationally strong network server (e.g., port control unit, ADSI network cryptoserver, smart card base unit).
To use the protocol, the terminal and server are assumed to be initialized. When the server is initialized (part (a) of FIG 2), it picks a Rabin secret key $p_j, q_j$ and a corresponding public key $N_j = p_j \cdot q_j$. The public key $N_j$ is transmitted to the central authority u. The central authority picks a unique identity j for the server. The central authority also computes the certificate $c_j$, which is illustratively a Rabin signature (i.e., modular square root) on $h(j, N_j)$, where h represents a hashing of a linkage comprised of j and $N_j$, i.e., $c_j \equiv \sqrt{h(j, N_j)} \pmod{N_u}$, where $N_u = p_u q_u$ is the modulus of the central authority u. The central authority then transmits j, $c_j$, $\alpha$ (the ElGamal generator), $N_s$ (the ElGamal modulus) and $N_u$ to the server j. The server then stores j, $c_j$, $N_j$, $\alpha$, $N_s$ and $N_u$.
When a terminal (part (b) of FIG 2) is initialized, the central authority picks and transmits a unique identity i to the terminal. The central authority also transmits $\alpha$, $N_s$ and $N_u$ to the terminal. The terminal i chooses a secret key $s_i$ and generates the associated public key $P_i$ in accordance with the ElGamal operation described above. The public key $P_i$ is transmitted to the central authority u. The central authority u provides the terminal i with a certificate in the form of a Rabin signature (i.e., modular square root) on $h(i, P_i)$, i.e., $c_i \equiv \sqrt{h(i, P_i)} \pmod{N_u}$. The terminal i also stores $N_u$, the public key of the central authority u, together with $c_i$, $s_i$, $P_i$ and $N_s$.
Part (c) of FIG 2 shows the precomputation that is performed once per protocol execution but prior to the actual time of protocol execution. The precomputation is required for the ElGamal signature operation. To perform the precomputation the terminal i picks a random number r and computes and stores $v \equiv \alpha^{r} \pmod{N_s}$, $r^{-1} \pmod{\phi(N_s)}$, and $s_i \cdot v \pmod{\phi(N_s)}$.
At the start of a communication session as shown in part (d) of FIG 2, the network server sends its identity j, public key $N_j$ and certificate $c_j$ to the terminal. The terminal verifies the certificate $c_j$ by squaring it modulo the central authority's public key $N_u$. If it is correct, the terminal picks a random number x, considered to be a concatenation of two halves $x_L, x_R$ and "color" (e.g., k leading or trailing zeros as indicated by the symbol $0^k$). The terminal then encrypts x.
The encryption involves performing an operation $y = \sigma(x)$ which preferably involves only a single modular multiplication. For example, $y = \sigma(x) \equiv x^2 \pmod{N_j}$. The terminal then transmits y to the network server. The network server decrypts y by performing the operation $x = \sigma^{-1}(y) \equiv \sqrt{y} \pmod{N_j}$, chooses the root with the correct "color", and sends $x_L$ back to the terminal to prove it was able to decrypt and is therefore an authentic network server. Note that the Rabin "paradox" attack is infeasible here, because the server does not respond with an arbitrary root, but returns the same root that the terminal chose (and, in fact, only a portion, e.g., $x_L$, of that root). The number $x_R$, which is now known exclusively by both the terminal and the server, serves as a session key.
From this point on the protocol messages (and ensuing conversation) are encrypted with a conventional cipher function using $x_R$ as the session key in order to hide the identity of the terminal from an eavesdropper on the communication channel between the terminal and server. This is useful especially in a portable telephone, where customer location information should be hidden from an eavesdropper.
The terminal then sends its identity i, public key $P_i$ and certificate $c_i$ to the server. The server verifies the certificate by squaring modulo the central authority's public key. The server then sends a random challenge to the terminal in the form of message m. The terminal proves its identity by returning an ElGamal signature on the random challenge. The signature requires only one real-time modular multiplication in the terminal if the above-specified "pre-computations" are performed ahead of time. The server then verifies the signature.
A variation on this protocol is for each terminal to have its own public ElGamal modulus $N_{is}$ with secret prime factors $p_{is}$ and $q_{is}$ known only to terminal i. In this case, $N_{is}$ has to be transmitted to server j in order for the server j to invert the signature operation. Thus, the certificate $c_i$ of terminal i now takes the form $c_i \equiv \sqrt{h(i, P_i, N_{is})} \pmod{N_u}$ instead of $c_i \equiv \sqrt{h(i, P_i)} \pmod{N_u}$.
In another variation of this protocol, the third transmission of the real-time protocol (the transmission of the message $x_L$) is omitted, and instead the challenge (m) is required to have some agreed-upon pattern or "color". After decryption of the message transmitting m (using the conventional cipher with key $x_R$), party i verifies that the expected pattern is present. Party i aborts the protocol if the expected pattern is not present. This completes the authentication of the network side j by the terminal i. The remainder of the protocol executes as previously stated.
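The scheme of sections B through E, run end to end, as an added worked example that is not part of the patent: it builds the Rabin roots of equations (2) to (6), the CA certificates of section D, the ElGamal signature with the off-line precomputation of equation (11), and the session flow of part (d) of FIG 2 with the colored root, the echoed $x_L$, and $x_R$ as the session key. Everything concrete is this example's own assumption: the toy Mersenne primes for the Rabin moduli, the 64-bit prime ElGamal modulus, the identities `server-7` and `terminal-42`, a SHA-256 counter keystream standing in for the "conventional cipher", and a counter `ctr` hashed into each linkage, which the CA bumps until the hash actually has a square root modulo $N_u$ (only one value in four does; the page writes the certificate simply as $\sqrt{h(i, P_i)}$ and does not say how the CA handles the other three).

```python
"""Toy run of the whole scheme: Rabin roots (B), ElGamal with precomputation (C),
CA certificates (D) and the session protocol (E). Constructed example, not secure sizes."""
import hashlib
import math
import secrets

# ---- B. Rabin modular square roots, p = q = 3 (mod 4) -----------------------
def rabin_roots(y, p, q):
    """The four x with x^2 = y (mod pq), built exactly as in eq. (2)-(6)."""
    xp, xq = pow(y, (p + 1) // 4, p), pow(y, (q + 1) // 4, q)   # eq. (2)
    qi, pi = pow(q, -1, p), pow(p, -1, q)                       # eq. (6)
    return {(a * q * qi + b * p * pi) % (p * q)                   # eq. (5)
            for a in (xp, p - xp) for b in (xq, q - xq)}

def is_qr(y, p, q):
    """Euler's criterion on both factors: only 1 in 4 values mod pq has a root at all."""
    return pow(y, (p - 1) // 2, p) == 1 and pow(y, (q - 1) // 2, q) == 1

# ---- D. Certificates: Rabin signature of the CA on a hashed linkage ----------
P_U, Q_U = (1 << 127) - 1, (1 << 521) - 1      # CA secret primes (toy Mersenne primes)
N_U = P_U * Q_U

def linkage_hash(*items):
    return int.from_bytes(hashlib.sha256("|".join(map(str, items)).encode()).digest(), "big")

def ca_certify(*items):
    """c = sqrt(h(items, ctr)) mod N_u. The counter ctr is this example's assumption: the CA
    bumps it until the hash is a square mod N_u; the page writes the certificate as sqrt(h(i,P_i))."""
    ctr = 0
    while not is_qr(linkage_hash(*items, ctr), P_U, Q_U):
        ctr += 1
    return ctr, min(rabin_roots(linkage_hash(*items, ctr), P_U, Q_U))

def cert_ok(cert, *items):
    """Verifier side: one modular squaring, eq. (8) read backwards."""
    ctr, c = cert
    return c * c % N_U == linkage_hash(*items, ctr)

# ---- C. ElGamal signatures over a prime modulus N_s --------------------------
N_S = (1 << 64) - (1 << 32) + 1                # prime; N_S - 1 = 2^32 * 3 * 5 * 17 * 257 * 65537
ALPHA = next(a for a in range(2, 100)          # smallest generator of Z*_{N_s}
             if all(pow(a, (N_S - 1) // f, N_S) != 1 for f in (2, 3, 5, 17, 257, 65537)))

def elgamal_precompute(s):
    """Off-line part (FIG 2 part (c)): fresh r, v = alpha^r, r^-1 and s*v mod phi(N_s)."""
    while True:
        r = secrets.randbelow(N_S - 1)
        if r > 1 and math.gcd(r, N_S - 1) == 1:
            v = pow(ALPHA, r, N_S)
            return v, pow(r, -1, N_S - 1), s * v % (N_S - 1)

def elgamal_sign_online(m, pre):
    """Real-time part, eq. (11): a single modular multiplication. Never reuse `pre`."""
    v, r_inv, sv = pre
    return v, (m - sv) * r_inv % (N_S - 1)

def elgamal_verify(pub, m, sig):
    v, w = sig                                 # eq. (9)
    return pow(pub, v, N_S) * pow(v, w, N_S) % N_S == pow(ALPHA, m, N_S)

# ---- E. Session key distribution and mutual authentication ------------------
L_BITS, R_BITS, K_ZEROS = 64, 96, 32           # x = x_L || x_R || 0^k is 192 bits, below N_j

def stream_xor(key, data):
    """Stand-in for the 'conventional cipher' keyed with x_R (SHA-256 counter keystream)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key.to_bytes(12, "big") + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def run_protocol():
    """Returns 'ok' or an 'abort: ...' string; each abort is a check the page calls for."""
    p_j, q_j = (1 << 89) - 1, (1 << 107) - 1   # (a) server j: Rabin keys + CA certificate
    n_j, j = p_j * q_j, "server-7"
    cert_j = ca_certify(j, n_j)
    s_i, i = secrets.randbelow(N_S - 2) + 1, "terminal-42"   # (b) terminal i: ElGamal keys
    p_i = pow(ALPHA, s_i, N_S)
    cert_i = ca_certify(i, p_i)
    pre = elgamal_precompute(s_i)                            # (c) once per run, off-line
    if not cert_ok(cert_j, j, n_j):                          # (d) terminal squares c_j
        return "abort: server certificate"
    x_l, x_r = secrets.randbits(L_BITS), secrets.randbits(R_BITS)
    x = ((x_l << R_BITS) | x_r) << K_ZEROS                   # colour: k trailing zero bits
    y = x * x % n_j                                          # one modular multiplication
    coloured = [r for r in rabin_roots(y, p_j, q_j) if r % (1 << K_ZEROS) == 0]
    if len(coloured) != 1:                                   # ~2^-32 chance: re-run
        return "abort: ambiguous root"
    x_srv = coloured[0] >> K_ZEROS
    if x_srv >> R_BITS != x_l:                               # terminal checks the echoed x_L
        return "abort: server could not decrypt"
    key = x_srv % (1 << R_BITS)                              # x_R: session key on both sides
    ct = stream_xor(x_r, f"{i}|{p_i}|{cert_i[0]}|{cert_i[1]}".encode())
    i_s, pi_s, ctr_s, c_s = stream_xor(key, ct).decode().split("|")
    if not cert_ok((int(ctr_s), int(c_s)), i_s, int(pi_s)):
        return "abort: terminal certificate"
    m = secrets.randbits(128)                                # server's random challenge
    sig = elgamal_sign_online(m, pre)
    del pre                                                  # r is single-use, see eq. (11)
    v, w = map(int, stream_xor(key, stream_xor(x_r, f"{sig[0]}|{sig[1]}".encode())).decode().split("|"))
    return "ok" if elgamal_verify(int(pi_s), m, (v, w)) else "abort: bad signature"

if __name__ == "__main__":
    print(run_protocol())
```

Running the file prints `ok`. The terminal side does exactly the real-time work the page counts: one squaring to check $c_j$, one squaring to form y, and one multiplication in `elgamal_sign_online`; everything in `elgamal_precompute` is the off-line part that must be redone with a fresh r before the next signature.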
This protocol achieves full-fledged public key two-way authentication plus session key agreement, which is inseparable from the authentication process. All this is done at a cost of three on-line large multiplications for the computationally weak side (plus a few hundred off-line large multiplications, and potentially around 100 bytes of added memory). In comparison RSA achieves this level of security at the cost of a few hundred large on-line (real-time) multiplications on both sides. For PCS handsets, this difference is crucial. Even for ADSI terminals, that do not have problems of power or space, this is important, because the complexity of the proposed protocol is low enough to provide good real-time performance without requiring a high-performance processor such as a Digital Signal Processor or special modular exponentiation circuitry in the terminal. Such a processor, which is required for adequate real-time performance with RSA, could increase the cost of a terminal by as much as $100.
For an 8-bit micro-controller which would be expected to be present in PCS handsets and ADSI terminals, computation of a single modular multiplication takes on the order of 0.1 seconds. Analysis of this protocol shows that the handset or terminal must perform only 3 modular multiplications in real time, requiring around 0.3 seconds processing time. (Compare this with roughly 20 seconds for RSA). Processing time on the network side can be assumed negligible because the network is assumed to be computationally strong. Transmission time will add to the protocol execution time. But some messages can be combined to reduce transmission time while retaining the security of the protocol.
Note, however, that a precomputation on the order of 200 modular multiplications (20 seconds on an 8-bit micro) is required in the terminal for each execution of the protocol because the value r must change with every signature. This can be done well in advance, and the results stored for use in future transactions.
CONCLUSION
A protocol which enables session key agreement and mutual authentication between a terminal and a server has been disclosed. The protocol requires only minimal processing on one side. This makes the protocol ideal for PCS handsets, ADSI terminals, and smart cards. The protocol supports location/identity hiding which is especially important for a PCS.
Finally, the above-described embodiments of the invention are intended to be illustrative only. Numerous alternative embodiments may be devised by those skilled in the art without departing from the scope of the following claims.
Claims (37)
1. A method for achieving mutual identification and session key agreement between a terminal and a server at the start of a communication session comprising the steps of (a) transmitting from the server to the terminal an identity j of the server, a public key $N_j$ of the server and a certificate $c_j$ of the server which if valid is congruent to $\sqrt{h(j, N_j)} \pmod{N_u}$, where $N_j$ is a public key of the server, $N_u$ is a public key of a central authority, and h signifies a one-way hashing function, (b) at the terminal, verifying that the transmitted certificate $c_j$ received at the terminal satisfies $h(j, N_j) \equiv c_j^2 \pmod{N_u}$, (c) at the terminal, choosing a random number $x = (x_L, x_R)$ and obtaining $y \equiv x^2 \pmod{N_j}$ and transmitting y to said server, (d) at said server, performing a modular square root operation to obtain $x = (x_L, x_R) \equiv \sqrt{y} \pmod{N_j}$ by using secret keys of the server $p_j, q_j$, such that $N_j = p_j q_j$, and transmitting $x_L$ back to the terminal, (e) transmitting, from the terminal to the server, an identity i of the terminal, a public key $P_i$ of the terminal, and a certificate $c_i$ of the terminal which certificate $c_i$, if valid, is congruent to $\sqrt{h(i, P_i)} \pmod{N_u}$, wherein the identity i, the public key $P_i$ and the certificate $c_i$ are encrypted using $x_R$ as a session key, (f) at the server, verifying that the transmitted certificate $c_i$ satisfies $h(i, P_i) \equiv c_i^2 \pmod{N_u}$, (g) computing at the terminal a signature S(m) on a challenge m sent by the server by applying an asymmetric signature operation to the message m, and transmitting the signature S(m) to the server in encrypted form using $x_R$ as a session key, and (h) verifying the signature at the server by inverting the signature operation.
2. The method of claim 1 wherein said signature S(m) is given by the ordered pair (v,w) for which:
$P_i^{v} \cdot v^{w} \equiv \alpha^{m} \pmod{N_s}$ where $P_i$ is said public key of the terminal, $N_s$ is a signature modulus which is a prime number or the product of two prime numbers, and $\alpha$ is a generator in the maximal cyclic subgroup of the multiplicative group of integers modulo $N_s$, $Z^*_{N_s}$.
3. The method of claim 2 wherein said step of evaluating a signature S(m) on a message m comprises performing the real time operation $w = (m - s_i \cdot v) \cdot r^{-1} \pmod{\phi(N_s)}$ where r is a predetermined number, $v \equiv \alpha^{r} \pmod{N_s}$, $\phi(N)$ is the Euler totient function, and $\gcd(r, \phi(N)) = 1$.
4. The method of claim 3 wherein the value of r is chosen randomly each time the terminal evaluates a signature.
5. The method of claim 1 wherein said signature operation is an ElGamal signature operation.
6. The method of claim 1 wherein said signature S(m) is computed according to the National Institute of Standards and Technology Digital Signature Standard Algorithm.
7. The method of claim 1 wherein said communication session is aborted if the certificate $c_j$ received at said terminal does not satisfy $c_j^2 \bmod N_u = h(j, N_j)$.
8. The method of claim 1 wherein said communication session is aborted if the certificate $c_i$ received at the server does not satisfy $c_i^2 \bmod N_u = h(i, P_i)$.
9. The method of claim 1 wherein said terminal is a terminal of a portable communications system and said server is a port control unit of said portable communication system.
10. The method of claim 9 wherein said terminal is a portable telephone.
11. The method of claim 1 wherein the terminal is a smart card and the server is a smart card base unit.
12. The method of claim 1 wherein the terminal is an Analog Display Service Interface (ADSI) terminal and said server is an ADSI network cryptoserver.
13. The method of claim 1 wherein said terminal is computationally weak and said server is computationally strong.
14. The method of claim 1 wherein prior to any communication session said server is initialized by selecting for the server its secret key p j, q j, and its public key N j = p j q j transmitting the public key N j to the central authority, forming the certificate c j at the central authority and transmitting the certificate c j to the server, and transmitting said public key N u from said central authority to said server and storing the key N u at said server.
15. The method of claim 14 wherein said initialization step further comprises selecting said secret key S i and generating the corresponding public key P i, forming the certificate c i at the central authority and transmitting the certificate c i to the terminal, and transmitting the public key N u of the central authority to the terminal.
16. The method of claim 1 wherein a terminal i has a separate signature modulus N is and wherein the certificate of the terminal i is of the form c i = mod N u.
17. The method of claim 1 further comprising the step of, at the server, identifying a proper root when computing mod N j by providing said random number with color.
18. A method for achieving mutual authentication and session key agreement between a server and a terminal comprising the steps of (a) transmitting a certificate of said server from said server to said terminal, (b) verifying that said certificate of said server is authentic at said terminal, (c) distributing a session key to said terminal and server by selecting a random number x at said terminal, encrypting said number x at said terminal by performing at said terminal an asymmetric public key operation which can only be inverted with the knowledge of a secret key of said server, (d) transmitting said number x in encrypted form from said terminal to said server and inverting said operation using said secret key of said server to obtain x at said server, (e) transmitting a certificate of said terminal from said terminal to said server encrypted using a session key depending on said number x, (f) verifying said terminal certificate is authentic at said server, (g) evaluating a signature S(m) of a message m at said terminal using an asymmetric signature operation, and (h) transmitting the signature to said server in encrypted form using said session key and inverting the signature operation at said server.
19. The method of claim 18 wherein said step (a) comprises transmitting from said server to said terminal an identity j of said server, a public key $N_j$ of said server and a certificate which if valid is of the form $c_j \equiv \sqrt{h(j, N_j)} \pmod{N_u}$ where $N_u$ is a public key of a central authority.
20. The method of claim 19 wherein said step (b) comprises determining if $h(j, N_j) \equiv c_j^2 \pmod{N_u}$.
21. The method of claim 18 wherein said asymmetric public key operation is $y \equiv x^2 \pmod{N_j}$ where $N_j$ is a public key of the server.
22. The method of claim 21 wherein $x = (x_L, x_R)$, wherein $x_R$ is said session key, and wherein x is provided with color which is used at said server to identify a proper root of $x^2 \bmod N_j$.
23. The method of claim 18 wherein said step (e) comprises transmitting an identity i of said terminal, a public key $P_i$ of said terminal and a certificate $c_i$ of said terminal which if valid is of the form $c_i \equiv \sqrt{h(i, P_i)} \pmod{N_u}$.
24. The method of claim 23 wherein said step (f) comprises determining if $h(i, P_i) \equiv c_i^2 \pmod{N_u}$.
25. The method of claim 18 wherein said signature operation is an ElGamal signature operation.
26. A method for achieving mutual authentication and session key agreement between a first party and a second party at the start of a communication session comprising the steps of (a) distributing a session key between said parties by selecting a random number at said first party, encrypting said random number using an asymmetric public key encryption operation, transmitting the encrypted random number to the second party, and inverting said encryption operation at said second party to obtain said random number, and (b) said first party performing an asymmetric signature operation on a message m to obtain a signature S(m), encrypting said signature S(m) using an encipherment function and a session key which is based on said random number, and transmitting the encrypted signature S(m) to said second party, and at said second party decrypting said signature S(m) and inverting said signature operation.
27. The method of claim 26 wherein said public key encryption operation comprises squaring said random number utilizing only a single modular multiplication at said first party.
28. The method of claim 26 wherein said signature operation is an ElGamal signature operation which utilizes only a single real time modular multiplication at said first party.
29. The method of claim 26 further comprising the step of authenticating a certificate of said second party at said first party by performing only a single modular multiplication at said first party.
30. The method of claim 26 further comprising the step of authenticating a certificate of said first party at said second party.
31. The method of claim 26 wherein said second party has more computational resources than said first party.
32. The method of claim 26 wherein said first party is a terminal of a portable communication system and the second party is a port control unit of the portable communication system.
33. The method of claim 26 wherein the first party is a terminal and the second party is a server.
34. The method of claim 33 wherein said terminal is a smart card and said server is a smart card base unit.
35. The method of claim 33 wherein the terminal is an Analog Display Server Interface (ADSI) and the server is an ADSI network crypto server.
36. The method of claim 26 wherein the first party is a server and the second party is a terminal or workstation.
37. A method for achieving mutual authentication and session key agreement between first and second parties communicating via a communication medium comprising:
(a) transmitting a certificate of said second party from said second party to said first party, (b) verifying that said certificate of said second party is authentic at said first party, (c) distributing a session key to said first and second parties by selecting a random number x at said first party, encrypting said number x at said first party by performing at said first party an asymmetric public key operation which can only be inverted with the knowledge of a secret key of said second party, (d) transmitting said number x in encrypted form from said first party to said second party and inverting said operation using said secret key of said second party to obtain x at said second party, (e) transmitting a certificate of said first party from said first party to said second party encrypted using a session key depending on said number x, (f) verifying that said certificate of said first party is authentic at said second party, (g) evaluating a signature S(m) of a message m at said first party using an asymmetric signature operation, (h) transmitting the signature to said second party in encrypted form using said session key and inverting the signature operation at the second party.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US08/026,673 US5299263A (en) | 1993-03-04 | 1993-03-04 | Two-way public key authentication and key agreement for low-cost terminals |
US026,673 | 1993-03-04 |
Publications (2)
Publication Number | Publication Date |
---|---|
CA2157011A1 CA2157011A1 (en) | 1994-09-15 |
CA2157011C true CA2157011C (en) | 1999-03-30 |
Family
ID=21833192
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA002157011A Expired - Lifetime CA2157011C (en) | 1993-03-04 | 1994-02-25 | Method for two-way public key authentication and key agreement for low-cost terminals |
Country Status (6)
Country | Link |
---|---|
US (2) | US5299263A (en) |
EP (1) | EP0691055B1 (en) |
JP (1) | JPH08507619A (en) |
CA (1) | CA2157011C (en) |
DE (1) | DE69426416T2 (en) |
WO (1) | WO1994021067A1 (en) |
Families Citing this family (236)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7028187B1 (en) * | 1991-11-15 | 2006-04-11 | Citibank, N.A. | Electronic transaction apparatus for electronic commerce |
JPH06223041A (en) * | 1993-01-22 | 1994-08-12 | Fujitsu Ltd | Rarge-area environment user certification system |
US5414772A (en) * | 1993-06-23 | 1995-05-09 | Gemplus Development | System for improving the digital signature algorithm |
US5420910B1 (en) | 1993-06-29 | 1998-02-17 | Airtouch Communications Inc | Method and apparatus for fraud control in cellular telephone systems utilizing rf signature comparison |
US5950121A (en) | 1993-06-29 | 1999-09-07 | Airtouch Communications, Inc. | Method and apparatus for fraud control in cellular telephone systems |
ATE187588T1 (en) * | 1993-08-17 | 1999-12-15 | R3 Security Engineering Ag | PROCEDURE FOR DIGITAL SIGNATURE AND PROCEDURE FOR KEY AGREEMENT |
US5497422A (en) * | 1993-09-30 | 1996-03-05 | Apple Computer, Inc. | Message protection mechanism and graphical user interface therefor |
JP3263878B2 (en) * | 1993-10-06 | 2002-03-11 | 日本電信電話株式会社 | Cryptographic communication system |
US5491749A (en) * | 1993-12-30 | 1996-02-13 | International Business Machines Corporation | Method and apparatus for entity authentication and key distribution secure against off-line adversarial attacks |
US5491750A (en) * | 1993-12-30 | 1996-02-13 | International Business Machines Corporation | Method and apparatus for three-party entity authentication and key distribution using message authentication codes |
US5434919A (en) | 1994-01-11 | 1995-07-18 | Chaum; David | Compact endorsement signature systems |
US5420927B1 (en) * | 1994-02-01 | 1997-02-04 | Silvio Micali | Method for certifying public keys in a digital signature scheme |
US5511121A (en) * | 1994-02-23 | 1996-04-23 | Bell Communications Research, Inc. | Efficient electronic money |
US5493614A (en) * | 1994-05-03 | 1996-02-20 | Chaum; David | Private signature and proof systems |
DE4416253B4 (en) * | 1994-05-07 | 2005-09-22 | Deutsche Telekom Ag | Method for distributing key information in a manner compatible with data protection |
US5504817A (en) * | 1994-05-09 | 1996-04-02 | Yeda Research And Development Co. Ltd. At The Weizmann Institute Of Science | Method and apparatus for memory efficient variants of public key encryption and identification schemes for smart card applications |
US5515441A (en) * | 1994-05-12 | 1996-05-07 | At&T Corp. | Secure communication method and apparatus |
US5577121A (en) * | 1994-06-09 | 1996-11-19 | Electronic Payment Services, Inc. | Transaction system for integrated circuit cards |
US5588060A (en) * | 1994-06-10 | 1996-12-24 | Sun Microsystems, Inc. | Method and apparatus for a key-management scheme for internet protocols |
US6026167A (en) * | 1994-06-10 | 2000-02-15 | Sun Microsystems, Inc. | Method and apparatus for sending secure datagram multicasts |
US5838792A (en) * | 1994-07-18 | 1998-11-17 | Bell Atlantic Network Services, Inc. | Computer system for centralized session key distribution, privacy enhanced messaging and information distribution using a split private key public cryptosystem |
US5557678A (en) * | 1994-07-18 | 1996-09-17 | Bell Atlantic Network Services, Inc. | System and method for centralized session key distribution, privacy enhanced messaging and information distribution using a split private key public cryptosystem |
US5748735A (en) * | 1994-07-18 | 1998-05-05 | Bell Atlantic Network Services, Inc. | Securing E-mail communications and encrypted file storage using yaksha split private key asymmetric cryptography |
US5588061A (en) * | 1994-07-20 | 1996-12-24 | Bell Atlantic Network Services, Inc. | System and method for identity verification, forming joint signatures and session key agreement in an RSA public cryptosystem |
US5905799A (en) * | 1994-07-20 | 1999-05-18 | Bell Atlantic Network Services, Inc. | Programmed computer for identity verification, forming joint signatures and session key agreement in an RSA public cryptosystem |
US5557346A (en) * | 1994-08-11 | 1996-09-17 | Trusted Information Systems, Inc. | System and method for key escrow encryption |
US5557765A (en) * | 1994-08-11 | 1996-09-17 | Trusted Information Systems, Inc. | System and method for data recovery |
US5606609A (en) * | 1994-09-19 | 1997-02-25 | Scientific-Atlanta | Electronic document verification system and method |
US5633930A (en) * | 1994-09-30 | 1997-05-27 | Electronic Payment Services, Inc. | Common cryptographic key verification in a transaction network |
US5559887A (en) * | 1994-09-30 | 1996-09-24 | Electronic Payment Service | Collection of value from stored value systems |
US5737419A (en) * | 1994-11-09 | 1998-04-07 | Bell Atlantic Network Services, Inc. | Computer system for securing communications using split private key asymmetric cryptography |
JPH08263438A (en) * | 1994-11-23 | 1996-10-11 | Xerox Corp | Distribution and use control system of digital work and access control method to digital work |
US7117180B1 (en) | 1994-11-23 | 2006-10-03 | Contentguard Holdings, Inc. | System for controlling the use of digital works using removable content repositories |
US6963859B2 (en) | 1994-11-23 | 2005-11-08 | Contentguard Holdings, Inc. | Content rendering repository |
US20050149450A1 (en) * | 1994-11-23 | 2005-07-07 | Contentguard Holdings, Inc. | System, method, and device for controlling distribution and use of digital works based on a usage rights grammar |
US6272632B1 (en) | 1995-02-21 | 2001-08-07 | Network Associates, Inc. | System and method for controlling access to a user secret using a key recovery field |
US6487661B2 (en) | 1995-04-21 | 2002-11-26 | Certicom Corp. | Key agreement and transport protocol |
US5761305A (en) * | 1995-04-21 | 1998-06-02 | Certicom Corporation | Key agreement and transport protocol with implicit signatures |
US6785813B1 (en) * | 1997-11-07 | 2004-08-31 | Certicom Corp. | Key agreement and transport protocol with implicit signatures |
AU5266596A (en) * | 1995-04-21 | 1996-11-07 | Certicom Corp. | Method for signature and session key generation |
CA2176972C (en) * | 1995-05-17 | 2008-11-25 | Scott A. Vanstone | Key agreement and transport protocol with implicit signatures |
GB9510035D0 (en) | 1995-05-18 | 1995-08-02 | Cryptech Systems Inc | Strengthened public key protocols |
US5778072A (en) * | 1995-07-07 | 1998-07-07 | Sun Microsystems, Inc. | System and method to transparently integrate private key operations from a smart card with host-based encryption services |
US5812669A (en) * | 1995-07-19 | 1998-09-22 | Jenkins; Lew | Method and system for providing secure EDI over an open network |
US5819171A (en) * | 1995-08-31 | 1998-10-06 | Cellular Technical Services Co., Inc. | Automated forced call disruption for use with wireless telephone systems |
US5757924A (en) * | 1995-09-18 | 1998-05-26 | Digital Secured Networks Techolognies, Inc. | Network security device which performs MAC address translation without affecting the IP address |
US7600129B2 (en) | 1995-10-02 | 2009-10-06 | Corestreet, Ltd. | Controlling access using additional data |
US7353396B2 (en) | 1995-10-02 | 2008-04-01 | Corestreet, Ltd. | Physical access control |
US5604804A (en) * | 1996-04-23 | 1997-02-18 | Micali; Silvio | Method for certifying public keys in a digital signature scheme |
US8015597B2 (en) | 1995-10-02 | 2011-09-06 | Corestreet, Ltd. | Disseminating additional data used for controlling access |
US6766450B2 (en) * | 1995-10-24 | 2004-07-20 | Corestreet, Ltd. | Certificate revocation system |
US8732457B2 (en) * | 1995-10-02 | 2014-05-20 | Assa Abloy Ab | Scalable certificate validation and simplified PKI management |
US7822989B2 (en) * | 1995-10-02 | 2010-10-26 | Corestreet, Ltd. | Controlling access to an area |
US7337315B2 (en) | 1995-10-02 | 2008-02-26 | Corestreet, Ltd. | Efficient certificate revocation |
US7716486B2 (en) | 1995-10-02 | 2010-05-11 | Corestreet, Ltd. | Controlling group access to doors |
US5787175A (en) * | 1995-10-23 | 1998-07-28 | Novell, Inc. | Method and apparatus for collaborative document control |
US8261319B2 (en) | 1995-10-24 | 2012-09-04 | Corestreet, Ltd. | Logging access attempts to an area |
US5796832A (en) * | 1995-11-13 | 1998-08-18 | Transaction Technology, Inc. | Wireless transaction and information system |
US5715518A (en) * | 1996-03-06 | 1998-02-03 | Cellular Technical Services Company, Inc. | Adaptive waveform matching for use in transmitter identification |
US5999626A (en) * | 1996-04-16 | 1999-12-07 | Certicom Corp. | Digital signatures on a smartcard |
US5903651A (en) | 1996-05-14 | 1999-05-11 | Valicert, Inc. | Apparatus and method for demonstrating and confirming the status of a digital certificates and other data |
US6901509B1 (en) | 1996-05-14 | 2005-05-31 | Tumbleweed Communications Corp. | Apparatus and method for demonstrating and confirming the status of a digital certificates and other data |
US5638447A (en) * | 1996-05-15 | 1997-06-10 | Micali; Silvio | Compact digital signatures |
US5610982A (en) * | 1996-05-15 | 1997-03-11 | Micali; Silvio | Compact certification with threshold signatures |
US7567669B2 (en) * | 1996-05-17 | 2009-07-28 | Certicom Corp. | Strengthened public key protocol |
US5893031A (en) * | 1996-06-27 | 1999-04-06 | Cellular Technical Services Company, Inc. | System and method for collection of transmission characteristics |
US5940751A (en) * | 1996-06-27 | 1999-08-17 | Cellular Technical Services Company, Inc. | System and method for detection of fraud in a wireless telephone system |
US5956635A (en) * | 1996-07-16 | 1999-09-21 | Cellular Technical Services Company, Inc. | Detection and prevention of channel grabbing in a wireless communications system |
US6272538B1 (en) * | 1996-07-30 | 2001-08-07 | Micron Technology, Inc. | Method and system for establishing a security perimeter in computer networks |
US5841864A (en) * | 1996-08-05 | 1998-11-24 | Motorola Inc. | Apparatus and method for authentication and session key exchange in a communication system |
US5850444A (en) * | 1996-09-09 | 1998-12-15 | Telefonaktienbolaget L/M Ericsson (Publ) | Method and apparatus for encrypting radio traffic in a telecommunications network |
DE19640526A1 (en) * | 1996-10-01 | 1998-04-02 | Deutsche Telekom Ag | Process for the transmission of signals |
JPH10112883A (en) * | 1996-10-07 | 1998-04-28 | Hitachi Ltd | Radio communication exchange system, exchange, public key management device, mobile terminal and mobile terminal recognizing method |
US5924025A (en) * | 1996-10-25 | 1999-07-13 | Cellular Technical Services Company, Inc. | System and method for detection of redial fraud in a cellular telephone system |
US5953420A (en) * | 1996-10-25 | 1999-09-14 | International Business Machines Corporation | Method and apparatus for establishing an authenticated shared secret value between a pair of users |
US6260144B1 (en) * | 1996-11-21 | 2001-07-10 | Pitney Bowes Inc. | Method for verifying the expected postal security device in a postage metering system |
US6397328B1 (en) * | 1996-11-21 | 2002-05-28 | Pitney Bowes Inc. | Method for verifying the expected postage security device and an authorized host system |
CA2221670A1 (en) * | 1996-11-21 | 1998-05-21 | Robert A. Cordery | Method for verifying the expected postage security device in a host system |
US6058301A (en) | 1996-11-27 | 2000-05-02 | Airtouch Communications, Inc. | Cellular fraud prevention using selective roaming |
US6377691B1 (en) * | 1996-12-09 | 2002-04-23 | Microsoft Corporation | Challenge-response authentication and key exchange for a connectionless security protocol |
US5757919A (en) * | 1996-12-12 | 1998-05-26 | Intel Corporation | Cryptographically protected paging subsystem |
US5875394A (en) * | 1996-12-27 | 1999-02-23 | At & T Wireless Services Inc. | Method of mutual authentication for secure wireless service provision |
IL130774A0 (en) * | 1997-01-03 | 2001-01-28 | Fortress Technologies Inc | Improved network security device |
US6154541A (en) * | 1997-01-14 | 2000-11-28 | Zhang; Jinglong F | Method and apparatus for a robust high-speed cryptosystem |
DE19702049C1 (en) * | 1997-01-22 | 1998-05-14 | Ibm | Chipcard cryptographic key certification method |
US6292896B1 (en) | 1997-01-22 | 2001-09-18 | International Business Machines Corporation | Method and apparatus for entity authentication and session key generation |
GB2321741B (en) | 1997-02-03 | 2000-10-04 | Certicom Corp | Data card verification system |
US5915021A (en) * | 1997-02-07 | 1999-06-22 | Nokia Mobile Phones Limited | Method for secure communications in a telecommunications system |
US5878122A (en) * | 1997-02-07 | 1999-03-02 | Northern Telecom Limited | Long distance service bureau |
US5999807A (en) * | 1997-02-28 | 1999-12-07 | Cellular Technical Services Company, Inc. | System and method for the verification of authentic telephone numbers in a wireless telephone system |
US5956634A (en) * | 1997-02-28 | 1999-09-21 | Cellular Technical Services Company, Inc. | System and method for detection of fraud in a wireless telephone system |
US5999806A (en) * | 1997-02-28 | 1999-12-07 | Cellular Technical Services Company, Inc. | Waveform collection for use in wireless telephone identification |
US5970405A (en) * | 1997-02-28 | 1999-10-19 | Cellular Technical Services Co., Inc. | Apparatus and method for preventing fraudulent calls in a wireless telephone system using destination and fingerprint analysis |
US6247129B1 (en) | 1997-03-12 | 2001-06-12 | Visa International Service Association | Secure electronic commerce employing integrated circuit cards |
US6125185A (en) * | 1997-05-27 | 2000-09-26 | Cybercash, Inc. | System and method for encryption key generation |
US6134597A (en) * | 1997-05-28 | 2000-10-17 | International Business Machines Corporation | CRC hash compressed server object identifier |
JP3595109B2 (en) * | 1997-05-28 | 2004-12-02 | 日本ユニシス株式会社 | Authentication device, terminal device, authentication method in those devices, and storage medium |
US6263081B1 (en) | 1997-07-17 | 2001-07-17 | Matsushita Electric Industrial Co., Ltd. | Elliptic curve calculation apparatus capable of calculating multiples at high speed |
US6052466A (en) * | 1997-08-28 | 2000-04-18 | Telefonaktiebolaget L M Ericsson (Publ) | Encryption of data packets using a sequence of private keys generated from a public key exchange |
CZ9703188A3 (en) * | 1997-10-08 | 2002-06-12 | Šárka Mudr. Kutálková | Communication method between external terminal of a bank account user and internal terminal of a banking system by making use of telephone network and apparatus for making the same |
US6073237A (en) * | 1997-11-06 | 2000-06-06 | Cybercash, Inc. | Tamper resistant method and apparatus |
US6151676A (en) * | 1997-12-24 | 2000-11-21 | Philips Electronics North America Corporation | Administration and utilization of secret fresh random numbers in a networked environment |
US6738907B1 (en) | 1998-01-20 | 2004-05-18 | Novell, Inc. | Maintaining a soft-token private key store in a distributed environment |
WO2004075519A1 (en) * | 1998-01-30 | 2004-09-02 | Alain Maillet | Method and unit for interception of telephone calls |
KR100315641B1 (en) | 1999-03-03 | 2001-12-12 | 서평원 | Mutual Authentication Method Of Mobile Station And System For OTAPA |
US6751735B1 (en) | 1998-03-23 | 2004-06-15 | Novell, Inc. | Apparatus for control of cryptography implementations in third party applications |
US6615350B1 (en) | 1998-03-23 | 2003-09-02 | Novell, Inc. | Module authentication and binding library extensions |
US6701433B1 (en) | 1998-03-23 | 2004-03-02 | Novell, Inc. | Method and apparatus for escrowing properties used for accessing executable modules |
US6532451B1 (en) * | 1998-03-23 | 2003-03-11 | Novell, Inc. | Nested strong loader apparatus and method |
DE19820605A1 (en) | 1998-05-08 | 1999-11-11 | Giesecke & Devrient Gmbh | Method for secure distribution of software |
US7215773B1 (en) | 1998-10-14 | 2007-05-08 | Certicom Corp. | Key validation scheme |
US6178506B1 (en) | 1998-10-23 | 2001-01-23 | Qualcomm Inc. | Wireless subscription portability |
CA2255285C (en) * | 1998-12-04 | 2009-10-13 | Certicom Corp. | Enhanced subscriber authentication protocol |
US6526506B1 (en) | 1999-02-25 | 2003-02-25 | Telxon Corporation | Multi-level encryption access point for wireless network |
US6453159B1 (en) * | 1999-02-25 | 2002-09-17 | Telxon Corporation | Multi-level encryption system for wireless network |
US6349338B1 (en) * | 1999-03-02 | 2002-02-19 | International Business Machines Corporation | Trust negotiation in a client/server data processing network using automatic incremental credential disclosure |
US6804778B1 (en) * | 1999-04-15 | 2004-10-12 | Gilian Technologies, Ltd. | Data quality assurance |
US6886095B1 (en) | 1999-05-21 | 2005-04-26 | International Business Machines Corporation | Method and apparatus for efficiently initializing secure communications among wireless devices |
DE60029217T2 (en) * | 1999-05-21 | 2007-05-31 | International Business Machines Corp. | Method and device for initializing secure connections between, and only between, mutually associated cordless devices |
US7409704B1 (en) * | 1999-07-15 | 2008-08-05 | Telefonaktiebolaget L M Ericsson (Publ) | System and method for local policy enforcement for internet service providers |
WO2001013201A2 (en) * | 1999-08-12 | 2001-02-22 | Sarnoff Corporation | Peer-to-peer network user authentication protocol |
WO2001033867A2 (en) * | 1999-11-03 | 2001-05-10 | Motorola Inc. | A method for validating an application for use in a mobile communication device |
KR100619005B1 (en) * | 1999-11-25 | 2006-08-31 | 삼성전자주식회사 | Authentication method for establishing connection between devices |
US20050213758A1 (en) * | 2000-02-07 | 2005-09-29 | Lenstra Arjen K | Efficient and compact subgroup trace representation ("XTR") |
US7076061B1 (en) | 2000-02-07 | 2006-07-11 | Citibank, N.A. | Efficient and compact subgroup trace representation (“XTR”) |
DE10026326B4 (en) * | 2000-05-26 | 2016-02-04 | Ipcom Gmbh & Co. Kg | A method of cryptographically verifying a physical entity in an open wireless telecommunications network |
FR2810139B1 (en) * | 2000-06-08 | 2002-08-23 | Bull Cp8 | Method for securing the pre-initialization phase of an embedded system with an electronic chip, in particular a smart card, and embedded system implementing the method |
US20040073617A1 (en) | 2000-06-19 | 2004-04-15 | Milliken Walter Clark | Hash-based systems and methods for detecting and preventing transmission of unwanted e-mail |
US7017189B1 (en) * | 2000-06-27 | 2006-03-21 | Microsoft Corporation | System and method for activating a rendering device in a multi-level rights-management architecture |
US7765580B2 (en) * | 2000-12-22 | 2010-07-27 | Entrust, Inc. | Method and apparatus for providing user authentication using a back channel |
JP2002198956A (en) * | 2000-12-27 | 2002-07-12 | Toshiba Corp | Communication equipment and its authentication method |
US20020087483A1 (en) * | 2000-12-29 | 2002-07-04 | Shlomi Harif | System, method and program for creating and distributing processes in a heterogeneous network |
US20020087481A1 (en) * | 2000-12-29 | 2002-07-04 | Shlomi Harif | System, method and program for enabling an electronic commerce heterogeneous network |
FR2821225B1 (en) * | 2001-02-20 | 2005-02-04 | Mobileway | REMOTE ELECTRONIC PAYMENT SYSTEM |
US20020162004A1 (en) * | 2001-04-25 | 2002-10-31 | Gunter Carl A. | Method and system for managing access to services |
US20030172299A1 (en) * | 2002-03-05 | 2003-09-11 | Gunter Carl A. | Method and system for maintaining secure access to web server services using permissions |
US20020162002A1 (en) * | 2001-04-25 | 2002-10-31 | Gunter Carl A. | Method and system for controlling access to services |
US6885388B2 (en) * | 2001-04-25 | 2005-04-26 | Probaris Technologies Inc. | Method for automatically generating list of meeting participants and delegation permission |
US20020162019A1 (en) * | 2001-04-25 | 2002-10-31 | Berry Michael C. | Method and system for managing access to services |
US20030236977A1 (en) * | 2001-04-25 | 2003-12-25 | Levas Robert George | Method and system for providing secure access to applications |
US20050210263A1 (en) * | 2001-04-25 | 2005-09-22 | Levas Robert G | Electronic form routing and data capture system and method |
US20030005327A1 (en) * | 2001-06-29 | 2003-01-02 | Julian Durand | System for protecting copyrighted materials |
KR20030008453A (en) * | 2001-07-18 | 2003-01-29 | 주식회사 더블유에스랩 | Method of inter-authentication and security service using user-password in SMS for CDMA network |
US20030200447A1 (en) * | 2001-08-17 | 2003-10-23 | Lotta Almroth | Identification system |
US20030065956A1 (en) * | 2001-09-28 | 2003-04-03 | Abhijit Belapurkar | Challenge-response data communication protocol |
KR100449572B1 (en) * | 2002-05-22 | 2004-09-22 | 주식회사 케이티프리텔 | Method and system for performing mutual authenticating between mobile terminal and server |
JP2003141267A (en) * | 2001-11-05 | 2003-05-16 | Sony Corp | System and method for correspondence education |
US7681034B1 (en) | 2001-12-12 | 2010-03-16 | Chang-Ping Lee | Method and apparatus for securing electronic data |
US6889210B1 (en) * | 2001-12-12 | 2005-05-03 | Pss Systems, Inc. | Method and system for managing security tiers |
US10033700B2 (en) * | 2001-12-12 | 2018-07-24 | Intellectual Ventures I Llc | Dynamic evaluation of access rights |
US7380120B1 (en) | 2001-12-12 | 2008-05-27 | Guardian Data Storage, Llc | Secured data format for access control |
US7783765B2 (en) * | 2001-12-12 | 2010-08-24 | Hildebrand Hal S | System and method for providing distributed access control to secured documents |
US7631184B2 (en) * | 2002-05-14 | 2009-12-08 | Nicholas Ryan | System and method for imposing security on copies of secured items |
US7478418B2 (en) | 2001-12-12 | 2009-01-13 | Guardian Data Storage, Llc | Guaranteed delivery of changes to security policies in a distributed system |
US7921284B1 (en) | 2001-12-12 | 2011-04-05 | Gary Mark Kinghorn | Method and system for protecting electronic data in enterprise environment |
US7562232B2 (en) * | 2001-12-12 | 2009-07-14 | Patrick Zuili | System and method for providing manageability to security information for secured items |
US7930756B1 (en) | 2001-12-12 | 2011-04-19 | Crocker Steven Toye | Multi-level cryptographic transformations for securing digital assets |
US7565683B1 (en) | 2001-12-12 | 2009-07-21 | Weiqing Huang | Method and system for implementing changes to security policies in a distributed security system |
US10360545B2 (en) | 2001-12-12 | 2019-07-23 | Guardian Data Storage, Llc | Method and apparatus for accessing secured electronic data off-line |
USRE41546E1 (en) | 2001-12-12 | 2010-08-17 | Klimenty Vainstein | Method and system for managing security tiers |
US7921288B1 (en) | 2001-12-12 | 2011-04-05 | Hildebrand Hal S | System and method for providing different levels of key security for controlling access to secured items |
US8006280B1 (en) | 2001-12-12 | 2011-08-23 | Hildebrand Hal S | Security system for generating keys from access rules in a decentralized manner and methods therefor |
US7178033B1 (en) | 2001-12-12 | 2007-02-13 | Pss Systems, Inc. | Method and apparatus for securing digital assets |
US7260555B2 (en) | 2001-12-12 | 2007-08-21 | Guardian Data Storage, Llc | Method and architecture for providing pervasive security to digital assets |
US7921450B1 (en) | 2001-12-12 | 2011-04-05 | Klimenty Vainstein | Security system using indirect key generation from access rules and methods therefor |
US8065713B1 (en) | 2001-12-12 | 2011-11-22 | Klimenty Vainstein | System and method for providing multi-location access management to secured items |
US7950066B1 (en) | 2001-12-21 | 2011-05-24 | Guardian Data Storage, Llc | Method and system for restricting use of a clipboard application |
US8176334B2 (en) | 2002-09-30 | 2012-05-08 | Guardian Data Storage, Llc | Document security system that permits external users to gain access to secured files |
US20030182559A1 (en) * | 2002-03-22 | 2003-09-25 | Ian Curry | Secure communication apparatus and method for facilitating recipient and sender activity delegation |
US7748045B2 (en) * | 2004-03-30 | 2010-06-29 | Michael Frederick Kenrich | Method and system for providing cryptographic document retention with off-line access |
US8613102B2 (en) | 2004-03-30 | 2013-12-17 | Intellectual Ventures I Llc | Method and system for providing document retention using cryptography |
US7073068B2 (en) * | 2002-05-24 | 2006-07-04 | Lucent Technologies Inc. | Method and apparatus for distributing shares of a password for use in multi-server password authentication |
US20030233584A1 (en) * | 2002-06-14 | 2003-12-18 | Microsoft Corporation | Method and system using combinable computational puzzles as challenges to network entities for identity check |
KR100456624B1 (en) * | 2002-08-09 | 2004-11-10 | 한국전자통신연구원 | Authentication and key agreement scheme for mobile network |
US20040203868A1 (en) * | 2002-08-14 | 2004-10-14 | Eidson John C. | Measurement authentication |
US7221757B2 (en) * | 2002-08-15 | 2007-05-22 | Opentv, Inc. | Method and system for accelerated data encryption |
KR20040017487A (en) * | 2002-08-21 | 2004-02-27 | 이창우 | Authenticating method using public key cryptosystem |
US7512810B1 (en) | 2002-09-11 | 2009-03-31 | Guardian Data Storage Llc | Method and system for protecting encrypted files transmitted over a network |
US7836310B1 (en) | 2002-11-01 | 2010-11-16 | Yevgeniy Gutnik | Security system that uses indirect password-based encryption |
KR20040042123A (en) * | 2002-11-13 | 2004-05-20 | 주식회사 퓨쳐시스템 | Portable authentication apparatus and authentication method using the same |
US7577838B1 (en) | 2002-12-20 | 2009-08-18 | Alain Rossmann | Hybrid systems for securing digital assets |
US7890990B1 (en) | 2002-12-20 | 2011-02-15 | Klimenty Vainstein | Security system with staging capabilities |
CA2525398C (en) * | 2003-05-13 | 2014-03-11 | Corestreet, Ltd. | Efficient and secure data currentness systems |
US8707034B1 (en) | 2003-05-30 | 2014-04-22 | Intellectual Ventures I Llc | Method and system for using remote headers to secure electronic files |
US20040250073A1 (en) * | 2003-06-03 | 2004-12-09 | Cukier Johnas I. | Protocol for hybrid authenticated key establishment |
AU2004251364B9 (en) * | 2003-06-24 | 2010-09-23 | Assa Abloy Ab | Access control |
US7730543B1 (en) | 2003-06-30 | 2010-06-01 | Satyajit Nath | Method and system for enabling users of a group shared across multiple file security systems to access secured files |
US7555558B1 (en) | 2003-08-15 | 2009-06-30 | Michael Frederick Kenrich | Method and system for fault-tolerant transfer of files across a network |
US8127366B2 (en) | 2003-09-30 | 2012-02-28 | Guardian Data Storage, Llc | Method and apparatus for transitioning between states of security policies used to secure electronic documents |
US7703140B2 (en) | 2003-09-30 | 2010-04-20 | Guardian Data Storage, Llc | Method and system for securing digital assets using process-driven security policies |
US8707030B2 (en) * | 2003-11-19 | 2014-04-22 | Corestreet, Ltd. | Distributed delegated path discovery and validation |
US7702909B2 (en) * | 2003-12-22 | 2010-04-20 | Klimenty Vainstein | Method and system for validating timestamps |
CA2872032A1 (en) | 2004-01-09 | 2005-08-04 | Corestreet, Ltd. | Signature-efficient real time credentials for ocsp and distributed ocsp |
US20050204139A1 (en) * | 2004-03-10 | 2005-09-15 | Helland Patrick J. | Service broker security |
WO2005109734A1 (en) * | 2004-05-10 | 2005-11-17 | Koninklijke Philips Electronics N.V. | Personal communication apparatus capable of recording transactions secured with biometric data |
EP1601153B1 (en) * | 2004-05-28 | 2010-07-28 | Sap Ag | Client authentication using a challenge provider |
EP1601154A1 (en) * | 2004-05-28 | 2005-11-30 | Sap Ag | Client authentication using a challenge provider |
US7707427B1 (en) | 2004-07-19 | 2010-04-27 | Michael Frederick Kenrich | Multi-level file digests |
US7509120B2 (en) | 2004-09-07 | 2009-03-24 | Research In Motion Limited | System and method for updating message trust status |
KR100601703B1 (en) * | 2004-10-04 | 2006-07-18 | 삼성전자주식회사 | Method for authenticating the device using broadcast crptography |
US7545932B2 (en) * | 2004-10-29 | 2009-06-09 | Thomson Licensing | Secure authenticated channel |
US7205882B2 (en) * | 2004-11-10 | 2007-04-17 | Corestreet, Ltd. | Actuating a security system using a wireless device |
US20060271493A1 (en) * | 2005-05-24 | 2006-11-30 | Contentguard Holdings, Inc. | Method and apparatus for executing code in accordance with usage rights |
US8132005B2 (en) * | 2005-07-07 | 2012-03-06 | Nokia Corporation | Establishment of a trusted relationship between unknown communication parties |
US7438078B2 (en) * | 2005-08-05 | 2008-10-21 | Peter Woodruff | Sleeping bag and system |
EP1920324A1 (en) * | 2005-08-19 | 2008-05-14 | Nxp B.V. | Circuit arrangement for and method of performing an inversion operation in a cryptographic calculation |
KR20080035004A (en) * | 2005-08-19 | 2008-04-22 | 엔엑스피 비 브이 | Circuit arrangement and method for rsa key generation |
US8874477B2 (en) | 2005-10-04 | 2014-10-28 | Steven Mark Hoffberg | Multifactorial optimization system and method |
US7664259B2 (en) * | 2006-03-09 | 2010-02-16 | Motorola, Inc. | Encryption and verification using partial public key |
US9277295B2 (en) | 2006-06-16 | 2016-03-01 | Cisco Technology, Inc. | Securing media content using interchangeable encryption key |
US9137480B2 (en) * | 2006-06-30 | 2015-09-15 | Cisco Technology, Inc. | Secure escrow and recovery of media device content keys |
US7760873B2 (en) * | 2006-06-30 | 2010-07-20 | Intel Corporation | Method and a system for a quick verification rabin signature scheme |
GB0613235D0 (en) * | 2006-07-04 | 2006-08-09 | Maidsafe Net Ltd | File system authentication |
US7979054B2 (en) | 2006-10-19 | 2011-07-12 | Qualcomm Incorporated | System and method for authenticating remote server access |
US8090954B2 (en) * | 2007-03-16 | 2012-01-03 | Microsoft Corporation | Prevention of unauthorized forwarding and authentication of signatures |
US8261080B2 (en) * | 2007-04-12 | 2012-09-04 | Xerox Corporation | System and method for managing digital certificates on a remote device |
US8689003B2 (en) | 2007-06-01 | 2014-04-01 | Adobe Systems Incorporated | System and method for secure password-based authentication |
IL185285A0 (en) * | 2007-08-14 | 2008-01-06 | Yeda Res & Dev | A method and apparatus for implementing a novel one-way hash function on highly constrained devices such as rfid tags |
JP2009140231A (en) * | 2007-12-06 | 2009-06-25 | Sony Corp | Communication system and communication terminal apparatus |
US8117447B2 (en) * | 2008-01-10 | 2012-02-14 | Industrial Technology Research Institute | Authentication method employing elliptic curve cryptography |
KR20100008326A (en) * | 2008-07-15 | 2010-01-25 | 엘지전자 주식회사 | Method of supporting location privacy |
WO2010030127A2 (en) * | 2008-09-10 | 2010-03-18 | Lg Electronics Inc. | Method for selectively encrypting control signal |
US20110191129A1 (en) * | 2010-02-04 | 2011-08-04 | Netzer Moriya | Random Number Generator Generating Random Numbers According to an Arbitrary Probability Density Function |
US20110213711A1 (en) * | 2010-03-01 | 2011-09-01 | Entrust, Inc. | Method, system and apparatus for providing transaction verification |
US8990574B1 (en) * | 2010-10-06 | 2015-03-24 | Prima Cinema, Inc. | Secure device authentication protocol |
US8621227B2 (en) | 2010-12-28 | 2013-12-31 | Authernative, Inc. | System and method for cryptographic key exchange using matrices |
US8656484B2 (en) | 2010-12-28 | 2014-02-18 | Authernative, Inc. | System and method for mutually authenticated cryptographic key exchange using matrices |
JP5701792B2 (en) * | 2012-02-27 | 2015-04-15 | 株式会社東芝 | Communication device, communication method, and communication program |
US9603014B2 (en) * | 2014-04-29 | 2017-03-21 | Lsis Co., Ltd. | Power system |
US10205598B2 (en) * | 2015-05-03 | 2019-02-12 | Ronald Francis Sulpizio, JR. | Temporal key generation and PKI gateway |
US9843592B2 (en) | 2015-10-14 | 2017-12-12 | Sony Interactive Entertainment America Llc | Fast multicast messaging encryption and authentication |
EP3371731B1 (en) | 2015-11-04 | 2020-01-08 | Screening Room Media, Inc. | Digital content delivery system |
US10129029B2 (en) * | 2016-06-16 | 2018-11-13 | International Business Machines Corporation | Proofs of plaintext knowledge and group signatures incorporating same |
US9973342B2 (en) * | 2016-06-16 | 2018-05-15 | International Business Machines Corporation | Authentication via group signatures |
US10452819B2 (en) | 2017-03-20 | 2019-10-22 | Screening Room Media, Inc. | Digital credential system |
CN110035071A (en) * | 2019-03-26 | 2019-07-19 | 南瑞集团有限公司 | A kind of long-range double factor mutual authentication method, client and server-side towards industrial control system |
Family Cites Families (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4453074A (en) * | 1981-10-19 | 1984-06-05 | American Express Company | Protection system for intelligent cards |
US4723284A (en) * | 1983-02-14 | 1988-02-02 | Prime Computer, Inc. | Authentication system |
US4759063A (en) * | 1983-08-22 | 1988-07-19 | Chaum David L | Blind signature systems |
US4799258A (en) * | 1984-02-13 | 1989-01-17 | National Research Development Corporation | Apparatus and methods for granting access to computers |
US4885777A (en) * | 1985-09-04 | 1989-12-05 | Hitachi, Ltd. | Electronic transaction system |
DE3782780T2 (en) * | 1986-08-22 | 1993-06-09 | Nec Corp | Key distribution procedure |
US5218637A (en) * | 1987-09-07 | 1993-06-08 | L'etat Francais Represente Par Le Ministre Des Postes, Des Telecommunications Et De L'espace | Method of transferring a secret, by the exchange of two certificates between two microcomputers which establish reciprocal authorization |
CA1321649C (en) * | 1988-05-19 | 1993-08-24 | Jeffrey R. Austin | Method and system for authentication |
US4969189A (en) * | 1988-06-25 | 1990-11-06 | Nippon Telegraph & Telephone Corporation | Authentication system and apparatus therefor |
US5016274A (en) * | 1988-11-08 | 1991-05-14 | Silvio Micali | On-line/off-line digital signing |
US5222140A (en) * | 1991-11-08 | 1993-06-22 | Bell Communications Research, Inc. | Cryptographic method for key agreement and user authentication |
1993
- 1993-03-04 US application US08/026,673: US5299263A, status Expired - Lifetime
- 1993-08-02 US application US08/101,437: US5406628A, status Expired - Lifetime
1994
- 1994-02-25 WO application PCT/US1994/001968: WO1994021067A1, status IP Right Grant
- 1994-02-25 EP application EP94909772A: EP0691055B1, status Expired - Lifetime
- 1994-02-25 JP application JP6520043A: JPH08507619A, status Pending
- 1994-02-25 CA application CA002157011A: CA2157011C, status Expired - Lifetime
- 1994-02-25 DE application DE69426416T: DE69426416T2, status Expired - Lifetime
Also Published As
Publication number | Publication date |
---|---|
EP0691055A4 (en) | 1998-05-06 |
WO1994021067A1 (en) | 1994-09-15 |
EP0691055B1 (en) | 2000-12-13 |
CA2157011A1 (en) | 1994-09-15 |
DE69426416D1 (en) | 2001-01-18 |
US5299263A (en) | 1994-03-29 |
DE69426416T2 (en) | 2001-07-26 |
US5406628A (en) | 1995-04-11 |
EP0691055A1 (en) | 1996-01-10 |
JPH08507619A (en) | 1996-08-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CA2157011C (en) | | Method for two-way public key authentication and key agreement for low-cost terminals |
US5222140A (en) | | Cryptographic method for key agreement and user authentication |
Juang | | Efficient password authenticated key agreement using smart cards |
Fontaine et al. | | A survey of homomorphic encryption for nonspecialists |
Chang et al. | | Remote password authentication with smart cards |
US5150411A (en) | | Cryptographic system allowing encrypted communication between users with a secure mutual cipher key determined without user interaction |
CA2596500C (en) | | Method and structure for challenge-response signatures and high-performance secure diffie-hellman protocols |
US5588061A (en) | | System and method for identity verification, forming joint signatures and session key agreement in an RSA public cryptosystem |
US5796833A (en) | | Public key sterilization |
US7221758B2 (en) | | Practical non-malleable public-key cryptosystem |
NZ535698A (en) | | An cryptosystem involving generating an isogeny that maps points from one elliptic curve onto another elliptic curve and publishing a public key corresponding to the isogeny |
Boyd | | Modern data encryption |
CN110519226B (en) | | Quantum communication server secret communication method and system based on asymmetric key pool and implicit certificate |
CN109104278A (en) | | A kind of encrypting and decrypting method |
Bellare et al. | | Translucent cryptography—an alternative to key escrow, and its implementation via fractional oblivious transfer |
Gobi et al. | | A comparative study on the performance and the security of RSA and ECC algorithm |
Shimbo et al. | | Cryptanalysis of several conference key distribution schemes |
Purevjav et al. | | Email encryption using hybrid cryptosystem based on Android |
Kwon | | Virtual software tokens-a practical way to secure PKI roaming |
Constantinescu | | Authentication protocol based on ellipitc curve cryptography |
Ki et al. | | Privacy-enhanced deniable authentication e-mail service |
Kwon et al. | | A forward-secure e-mail protocol without certificated public keys |
Shim | | Vulnerabilities of generalized MQV key agreement protocol without using one-way hash functions |
Krishna | | A randomized cloud library security environment |
Darwish et al. | | New hybrid cryptosystem for internet applications |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| EEER | Examination request | |
| MKEX | Expiry | Effective date: 20140225 |