WO2009117981A1

WO2009117981A1 - System for the document-based data exchange between at least two data carriers by way of paper or remote data transmission

Info

Publication number: WO2009117981A1
Application number: PCT/DE2009/000322
Authority: WO
Inventors: Robert Niggl
Original assignee: Robert Niggl
Priority date: 2008-03-14
Filing date: 2009-03-06
Publication date: 2009-10-01
Also published as: DE112009001186A5; EP2263349A1; WO2009117981A4; DE102008014187A1

Abstract

The present invention relates to a data transmission system (1), which in a 2-way method enables a document-based data exchange between at least two data carriers by way of paper or remote data transmission, particularly a system for the secure forwarding of individual data to third parties while controlling those involved. For this purpose, the respective output data is represented as ONE-TIME-PAD key cipher pairs, and the pair components or arbitrary derivative variables, which is to say variables by way of which the pair components can be calculated again, are distributed among a central intermediate storage device and a machine-readable supplementary sheet. The correspondence recipients assume the roles of relay stations, but can remain completely anonymous.

Description

SYSTEM FOR DOCUMENT-BASED DATA EXCHANGE BETWEEN AT LEAST TWO DATA CARRIERS OVER PAPER OR DIRECT

The present invention relates to a device and a method for document-based data exchange between at least two data carriers via paper or EDI, in particular with a system for receiving and processing individual data for secure forwarding to predetermined recipients.

Such methods and systems are known in the art. The data thus transported generally have the defect of being broken up and falsified by appropriate means, so that they are not secure enough in the result, in particular not future-proof with regard to future computing systems with appropriate capacity (keyword: quantum computer). For example, WO 2007/109373 A2 has disclosed a method for compressing data volumes in modern encryption methods, to which reference is subsequently made in the respective context.

It is therefore an object of the present invention to provide a system which operates according to a certain method, which is able to securely receive individual data of a carrier system (source system), to process correspondence compatible and secure and via the correspondence recipient to the carrier system of a third party (target system).

This object is achieved with the characterizing features of the main claims.

This elegant solution also proves that the solution can be integrated into existing technical processes. It may therefore also compete with solutions that transmit personal data directly to third parties, i. with the elimination of data subjects (direct solutions).

According to the invention, the method for document-based data exchange between data carrier systems via paper or EDI is characterized in that a first carrier system (source system) any serial output data - correspondence data or object K correspondence represents - via crypto module as ONE-TIME-P AD-key cipher pair represents , then a pair component (P_l) in a central cache (1st control point) retrievable, in particular system deposited with a wide appropriate reference and then the other pair component (P_2) plus P l - reference via a correspondence sheet to a correspondence receiver (2nd control office) directs, which then if necessary at least the supplementary sheet to a third party forwards, so that then this third party by machine acquisition of the supplementary sheet data in a second carrier system (target system) first the component P_2 and the P l reference and then the by Access to the central memory the centrally stored components P l win and so finally via Kryptomodul the correspondence data K can reconstruct. It should be explicitly noted that instead of P l or P_ 2, it is also possible to use arbitrary derivative quantities P l 'or P_ 2', which the target system P 1 or P_ 2 can recalculate, e.g. an encrypted P l or P_2.

In order for the target system to be able to machine the P_l referrals and P_2 or P_2 ', a sheet in paper form must contain these variables in machine-readable form, eg as a barcode or as a barcode suitably formatted text that can be processed via OCR technologies. As a result of this technical embodiment, a supplemental sheet in paper form becomes a process-compliant read-only memory.

The carrier system according to the invention is therefore further characterized in that it is equipped with an OTP crypto module and

(a) as the source system cryptonization arbitrary serial output data (K) in a predetermined form of OTP key cipher pairs (see below); and

(b) reconstructs output data from OTP key cipher pairs as the target system.

OTP data compression, e.g. according to WO 2007/109373 A2, is not required in the present invention.

Thus, the OTP crypto unit of a source system randomly generates a one-time key E which has the same length as K and encrypts K with E via a bit association (cipher K '). As an example, the bit addition is called the bit addition: 0 + 1 = 1 + 0 = 1, 1 + 1 = 0 + 0 = 0. Then K '= K + E and K = K' + E, where each bitwise is added. Note to the mathematical literature: The bit addition has the properties of an "abelian group", so you can, for example, calculate "as with integers". For bit variables x, y, z in particular always applies

• x + 0 = x

• (x + y) + z = x + (y + z)

how to easily check by case distinction. The addition of bits in algebra is also known as "addition in the smallest field (| F_2)." Apparently always

• x + x = 0 For example, the bit addition to encryption can be used because K '+ E = (K + E) + E = K + (E + E) = K + O = K, where O is an O-bit list of the same length as E.

In principle, "long keys" of sufficient randomization quality could be obtained by means of technical methods developed in the context of quantum cryptography.On another point of a previous PCT patent application, a computer-based method is described, which, given a suitable configuration, can generate keys of sufficient randomization quality can deliver, so that the invention could already be used in the mass market.

The processes for secure data transmission are shown in FIGS. 1 and 2.

At the starting point of the technical process is thus the kryptonization of any output data K in the form of an OTP key cipher pair. The transport of the pair components to the respective target system then takes place via a central buffer and a machine-readable supplementary sheet, which is routed via a correspondence receiver.

This technical data flow takes account of a special feature of OTP cryptography. Since K '+ E = E + K', keys and ciphers are indistinguishable because they are the same length, carry no information and are interchangeable.

An extreme example is intended to clarify that a technical data flow description for OTP key cipher pairs in "classic" terms would be misleading.

Suppose the crypto unit of the source system supplies the pair in a randomized way. Then not even the source system would know, by which way the key and on which the cipher is transported. But even if the source system documented what was key and cipher, that identification would be an illusion. For a given key-cipher pair, this assertion would be (mathematically secured) not verifiable and thus technically irrelevant.

Conversely, any technical data flow description that requires certain data elements as a "key" or "cipher" does not conceptually capture OTP key-cipher pairs.

The "loss of identity" of key and cipher seems "paradoxical" at first sight. In fact, there is no loss of information, but rather a characteristic of the present invention safe method.

Based on the main theorem of information theory (Shannon) one could even show that every secure method must have this characteristic.

Thus, it is advantageous that a central buffer is provided, which is characterized in that a carrier system there according to the method by means of remote data transmission OTP key or OTP ciphers or associated derivatives retrievable deposits or retrieves there. As stated, it would be misleading to speak of a "key pool" or a "cipher pool". It is rather an OTP data pool, i. a data pool for components of OPT key cipher pairs or any associated derivatives that allow retroactive accounting.

Furthermore, it is advantageous to provide at least one communication module that communicates with the OTP data pool.

The method according to the invention offers the following advantages:

1. (Security) If the central mass storage is only used as an OTP data pool, then with appropriate reference formation (see suggestions below) no conclusions can be drawn possible on the correspondence data or the correspondence recipient: OTP pair components and suitable derivatives do not carry any information. If the supplementary sheets are designed accordingly (see suggestions below), information will not be transferred in any way, ie neither via the data pool nor via the machine-readable supplement. The paper path would also give the data carrier supplementary sheet maximum transport protection. A frequent or even mass violation of the secrecy of letters is excluded because technically too complicated. In any case, she would quickly notice. The invention provides security even in those countries where it is feared that government agencies may secretly force access to the OTP data pool. Paper compliant paper compliant sheets are therefore ideal read-only memories in terms of safety.

2. (high practicability) The supplement can be sent separately by email. The third party did not even need a scanner.

3. (low integration costs) Existing document-based procedures can easily be extended. Newer printers can usually generate suitable barcodes. Even in the "paper case", there is no "media break" (i.e., the procedural compliant sheet can be machine-processed) without losing the safety advantages (see above).

4. (Counterfeit Security) Even when using an email the data exchange would be forgery-proof if the access to the central memory is secured accordingly.

5. (Data sovereignty) If the correspondence data is data about the correspondence recipient, no data exchange will be possible without the technical cooperation of the data subject. These obvious advantages over the prior art methods and systems also make the present invention future proof. For example, it does not have to worry about the quantum computer. In a strict sense, the invention is thus the "final" correspondence-based 2-way method for data transmission with a correspondence receiver as a relay station.

In the following, the invention will be described in more detail with reference to drawings. It shows

Fig. 1: a schematic overview of the relationships of the various modules in the data carrier system according to the invention

(I);

2a shows a partial block diagram (source system) of the data carrier system (1) with the associated various technical devices;

FIG. 2b shows a partial block diagram (target system) of the data carrier system (1) with the associated various technical devices; FIG.

Fig. 3: a method for computer-assisted randomized generation long

Key.

1 shows a block diagram of the relationships between the various modules in the data transmission system 1 according to the invention. Starting from (IT) systems which store any personal data K, an integration system is presented which provides the secure, in particular forgery-proof, Exchange of this data between a source and a destination system so that the correspondence recipient retains the ultimate control over the data exchange. The owners of the initial systems are referred to below as carriers, their IT systems as carrier systems.

The owners of the personal data are referred to as affected persons.

One possible area of application for the invention is the health service (keyword: electronic health card / egk). Possible scenarios would be the exchange of treatment data doctor-to-doctor or the billing data exchange doctor-to-payment office - each under the control of the patient (affected).

Compared to the egk solution, no "data center" (central patient record) is required, yet the data is technically elegantly and authentically delivered to its destination if the recipient of the correspondence is technically involved as a relay station.

This proves that there is no technical reason to eliminate those affected by direct solutions (see above). The security generated by technology - "Affected as a relay station" - is apparently always higher than a direct solution, which is legally supplemented by a consent scheme.

We assume in the following that each carrier or each carrier system is suitably identified throughout the system. It makes sense to keep the identification persistent over time, e.g. by generally consecutive numbering, so that a number is awarded only once over time.

Since the invention requires a system-wide unique reference for the correspondence data K, the identification of the carrier systems or the carrier (ensemble identification) and thus the demarcation of the entire system is in fact always given or possible. It is a particular advantage of the invention that a registration / identification of those affected is not required (anonymous relay stations: see also embodiment below).

The new overall system is created by expanding an ensemble of carrier systems to include centralized storage and machine-processable side-plates (read-only memory), as well as logic that links all storage units together.

The technical connection between a source system of the correspondence publisher and the target system of a third party is made in total via

A central memory (hereinafter called OTP or correspondence register) with Internet interface or analog interfaces for remote data access, on the appropriate protocols such. https accessed in authorized form; solutions are also included which provide for a plurality of central OTP registers from the point of view of the carrier systems; in this case we assume that these are identifiable by unique register numbers.

A correspondence sheet that must be machine-processable to the minimum extent of the process-specific data (process-compliant read-only memory).

The linking of these technical elements of the overall system 1 - carrier systems, central storage, machine-readable supplements, scanners (if paper-based supplements are created) is integrated via a logic, e.g. can be realized via software components and are referred to below as modules.

The logic is described functionally via appropriate function groups. The group formation is obvious, but not mandatory. In this sense, the control unit, which represents the logic on a carrier system, based on further functional units, hereinafter referred to as integration module.

The integration module in FIGS. 2 a and 2b is based on the following further functional groups:

The communication module communicates with the central OTP register The crypto module contains the encryption technology incl. Random generator The packaging module serializes data on correspondence data

- The barcode module or ORC module translates texts in image files or image files into texts

- The unpacking module deserializes correspondence data into the respective target format.

The implementation of a system according to the invention described below captures an example scenario in which billing data is passed in paper form from a biller to a paying agent via a bill recipient. For a given bill R, the source system of the biller prepares the data exchange with the paying agent as follows (hereinafter called correspondence preparation):

1. (Packaging) R is converted into a correspondence object K, ie in particular serialized.

2. (Numbering) The integration module assigns a consecutive number or alternatively another anonymizing number (referred to below as correspondence number) for the correspondence object, so that the tuple (correspondence number, biller number, OTP register number) - subsequently extended correspondence number - system-wide K clearly identified.

3. (Encryption) The crypto module represents K as an OTP key cipher pair (P l, P_2), where P l = key and P 2 = cipher. If derivatives are used, the crypto unit also generates the respective derivatives P 1 'or P_ 2' (for example an additionally encrypted P_ 2, so that only a specific target system can reconstruct the correspondence data K).

4. (correspondence) A pair component (P_l) or a derivative (P l ') is now together with the K reference via communication module to the central OTP register acc. Transfer OTP register number.

5. (Barcode Creation) Via barcode module, corresponding image files are generated which contain the K-reference and the other pair component P_2 or a derivative P_2 '.

6. (Document creation) The text system of the source system generates the invoice document with attached sheet (ready to print). The printing system then generates the associated pressure pieces, esp. The machine-readable lead sheet.

Result: The correspondence data K are thus "virtualized", that is to say the correspondence data K kryptonized as an OTP pair (P_l, P_2) are stored outside the source system in accordance with the method and usable by the machine.

The extended invoice document will now be sent as usual to the debtor by post. The recipient of the correspondence can only decide whether to forward the invoice document and / or supplementary sheet to the paying agent (insurance, health insurance, assistance). If the correspondence data and the supplementary sheet were appropriately designed, it would be sufficient to forward only the supplementary sheet.

The copy of the supplement could now be sent by post or electronically - by fax, e-mail or analogue technical channels. If electronic forwarding is intended in the example scenario, it would be advisable to anonymise the sender, for example, public-key-based in that the sender number is encrypted with the public key of the paying agent.

If the debtor forwards the supplementary sheet by post to the paying agent, the procedure of the third-party target system will be reversed:

1. (Scanning) The sheet is scanned at the post office of the third party (or a service provider); The result is an image file with the appropriate resolution.

2. (Read) The image file is analyzed (bar code module, OCR method, etc.) and thus the K reference and P_2 or a derivative value P_2 'won.

3. (Register request) With the K reference, the OTP register is accessed via EDI and the stored pair component P l or a derivative P l 'is called up.

4. (Decryption) If derivative quantities P l 'or P_ 2' were used, first the pair components P l or P_ 2 are determined (for example by decryption of P_ 2 'via crypto module). Finally, the correspondence data K is reconstructed via the crypto module with the OTP pair components P 1 and P_ 2.

5. (Unpack) Via the unpacking module K is transferred to the target system.

Figures 2a and 2b also depict a graphical representation of the functional groups and their relationships / interfaces.

In the illustrated scenario, registering is done directly, i. by the biller. Of course, the biller could also use service providers for this. The extended correspondence number would simply have to be extended by a corresponding service provider number to obtain a reference (i.e. system-wide unique) for K according to the invention.

The working example illustrates a significant advantage of the invention:

1. The invention requires a system far unique reference for the respective correspondence data K. By this requirement, the ensemble is virtually always identifiable; the implementation of the invention is even simplified by explicit ensemble identification.

2. An identification / registration of the correspondence recipients is not required: Rather, by appropriate reference formation (see recommendations above) this identification can even be excluded.

For the application of the invention, this means that those concerned can remain system-aided completely anonymous (anonymous relay stations). By the appropriate access protection for the central memory yet any misuse is excluded, ie the data transfer is also forgery-proof. For the sake of completeness, the bit addition has also been carried out briefly and the characteristics relevant for the enciphering have been proven. A program-oriented notation is used. Instead of the + sign, the ^Λ character is used for the corresponding bit operator, which is available in many programming languages.

Definition: Let! 0 = 1,! l = 0 (negation)

It obviously applies! ! x = x

Definition: Let 0 ^Λ 0 = l ^Λ l = 0 and 0 ^Λ l = l ^Λ 0 = l (bit addtion or XOR linkage)

Then always applies

• x ^Λ x = 0 (clear)

• x ^Λ ! X = 1 (clear)

• x ^A 0 = x (because 1 ^Λ 0 = 1, 0 ^A 0 = 1)

• x ^Λ l =! X (because l ^Λ l = 0, 0 ^Λ l = l)

Furthermore, for two bit variables x, y, the following always holds:

• x ^A y = y ^Λ x (clear)

We now consider arbitrary bit variables x, y, z and show:

• x ^Λ (y ^Λ z) = (x ^Λ y) ^Λ z Assumption: y = z.

The right side then delivers

• x ^Λ (y ^A z) = x ^Λ 0 = x

For the left side two cases are possible:

• (x ^Λ x) ^Λ x = 0 ^Λ x = x

• (x ^Λ ! X) ^Λ ! X = l ^A ! X = !! x = x

Assumption: y ≠ z.

The following cases are possible for the left side:

• x ^A (x ^Λ ! X) = x ^Λ l =! X

• x ^Λ (! X ^Λ x) = x ^Λ l =! X The following cases are possible for the right side:

• (x ^Λ! X) ^Λ x = l ^Λ x =! X

• (x ^A x) ^Λ ! X = 0 ^Λ ! X =! X

Consequently, the equation holds in all cases.

So let K be a bit-list as before, E an equal-length one-time-key, and let the cipher K 'be defined as K' = S ^Λ E, adding on a component-by-component basis. If O is an equal bit list with all zeroes, then K ' ^A E = (K ^Λ E) ^Λ E = K ^Λ (E ^Λ E) = K ^Λ O = K.

Finally, the randomization method according to FIG. 3 is described in its essential aspects.

A long bitlist is generated "piece by piece" with a standard random generator, with the random number generator being reinitialized with safely encrypted stock values after each step, and the length of the piece and the selection of stock values are randomized.The pieces are "short enough" and is the The value store is large enough and unpredictable enough, then a result of independent random experiments is simulated. Safely encrypted values are evidently ideal reinitialization values, so that independence is inherited "step by step." Under these conditions, the method provides high-quality randomized bitlists.Supportable values can be obtained with computer-aided value The amount of possible results is so great that it would not be possible to simulate it externally.

1. Summary

This document describes a method for generating randomly randomized bit lists based on random number generators for bit lists with a limited number of bits.

The strategy is to construct a corresponding vector B = (Bi, ..., B _n ) of sufficiently short sublists B ₁ , obtained by independent reinitialization, such that the reinitialization process has a variable number of times Parameters (called stocks) is controlled.

It is shown that under certain conditions - in particular with regard to the number and the collection of the stock values - the overall list is sufficiently well randomized.

2 basic terms, notations

Definition 1. An (elementary) random generator Z is described below as a tuple (/. G. M) with

• / is an initialization function

• g is a production function that delivers m bits

For a random number generator Z = (/, <?. m)

• Inιt (Z): = / (read: initialization function of Z)

• Prod (Z): = g (read: production function of Z)

• bill (Z): = m (read: number of bits of Z)

• Inιts (Z): = number of parameters of Init (Z)

Definition 2. If Z is a random number generator, byte (Z) is the following function: • Input: A number h

Output: h bytes generated by repeatedly calling Prod (Z), i. Prod (Z) is called x times, bit number (Z) * x> h * 8, sequentially concatenated, the bits generated and then output (the first) h bytes.

Definition 3. For a list α = (αi, - - -, α _m ) let | α | : = m the list length. Are α =

(I, ..., a _m ), b = (bi, ..., fe _n ) Lists, let us start with: = (oi, α _TO , δi, ..., 6 _n ) the list which is given by linking α with δ. If X - (X ₁ , X _M ) is ^a list of lists, list (X) is the concatenation of all elements:

• List (X): = X ₁ for M = 1

• List (X): = Lwrfe ((J_ ^" i, ..., X _M -I)) XM for M> 1

Definition 4. For a data object x, let dim (x) be the memory requirement of x in bytes.

3 task

With a random number generator Z, a byte list of (minimum) length M is to be generated.

4 solution

4.1 Overview

There is a stepwise vector B - [B _x,. , , , B _n ), n> 0, generated by Bytelisten B ₁ , the total result in a sufficiently long total list, ie

• \ {list {(B _u ..., ß "_i)) | <M <\ List (B) \

where before each step the initialization function of Z is called:

• The first step (i = 1) uses classic initialization values (for example, current timestamps).

• In each step i, the reinitialization parameters for the next step ( ^'' + 1) are determined in such a way that a corresponding selection of values V _{1 is} randomized from a value store V - (V ₁ , ..., V _H ) and these parameters then one-time-pad-encrypted, the keys are each newly generated via byte (Z).

• Furthermore, the length of B ₁ in step i is randomized within adjustable limits - a minimum length (L) or maximum length (L ') - determined. 4.2 Algorithm

1: procedure RANDOMIZE (Z, B, M, L, L ', V)

2: // Compute B with \ List (B) \> M via Z under the following conditions:

3: // M> 0

4: // 0 <L <L '

3: // \ V \> 0

6: // instructions x: = byte (Z) (dim (x)) assume an x-type in the following.

7: // which can be allocated with arbitrary bits (for example, unsigned int)

8: B initialize // now: B - [B ₁ , ..., B _n ), ra = 0 so \ B \ = 0, \ list {B) \ = 0

9: Auxiliary vector W, \ W \ - Inits (Z), with default initialization values

10: for \ list (B) \ <M do // step: B = (Bi,..., B _n ) to extend an element

11: Call InIt (Z) with W // Initialize Z

12: for k = l.Jnits (Z) do // W _k for reinitialization

13: r: = byte (Z) (dim (r)) // Determine random number r.

14: h: - mod (r, \ V \) // determine the precedence index h

15; S: = Byte (Z) (dim (V _h )) // Determine key 5

16: W _k : = XOR (V _h , S) Il V _h OTP-Encrypt

17: r: = byte (z) (dim (r)) // determine further random number r

18: d: = max (L, mod (r, V)) // set length d of the new element

19: b: = byte (Z) (d) // compute byte list b of length d

20: B: = (B ₁ , ..., B _n , b) Expand Il B by b ^'

21: // now: | ß | > 0, \ List (B) \> M

4.3 rating

assumptions:

1. The partial lists are short enough (to be controlled via L. LI).

2. The number of stock values is large enough (e.g., | V | = 10000).

3. The stock values are generated on the computer system-technically conditioned and without connection with any technical data so that they are not externally foreseeable.

Under this assumption B is then randomized sufficiently well:

• The first partial list is won by classical initialization, so it is sufficiently well randomized.

• In each subsequent step, the random number generator is reinitialized with values that are sufficiently well-randomized, so each sub-list of a subsequent step is randomly and randomly randomized, because:

If the selected stock values are securely encrypted in step i, the selected stock values are encrypted securely and independently in step ϊ + 1 as well. • It is virtually impossible to simulate the set of possible outcomes over the set of possible input values.

5 stock determination

implements:

• Collect addresses of allocated objects in a vector.

• When the maximum vector length is reached, the oldest entries are overwritten, i. A writing position is maintained, which is reset to 0 after reaching the maximum length.

Claims

File number: PCT login Our sign: RN 8002 int.PATENTANSPRÜCHE

1. Method for document-based data exchange between data carrier systems via

Paper or DUN characterized in that a first carrier system (source system) arbitrary serial output data - called correspondence data K - via crypto module as a ONE-TIME-P AD-key cipher pair - wherein the pair components are not identified as a key or cipher then a pair component (P_l) is retrievably stored in a central cache (1st control location), particularly with system-wide appropriate reference, and then the other pair component (P_2) plus P l reference via a correspondence sheet to a correspondence recipient (second inspection body), who then forwards at least the supplementary sheet to a third party, then this third party by machine acquisition of the supplementary sheet data in a second carrier system (target system) first the component P_2 and the P l reference and thereafter which gain access to the central memory centrally deposited components P l and so finally via Kry ptomodul can reconstruct the correspondence data K, which is explicitly also recorded that instead of P l or P_2 also any derivative quantities P l 'or P_2' are used, via which the target system P l or P_2 can recalculate.

2. carrier system (1) for the controlled exchange of data between data carrier systems, characterized in that it is equipped with a crypto module and (a) as source system arbitrary serial output data (K) in the form of OTP key cipher pairs kryptonisiert and possibly related derivatives calculated or (b) as Target system from OTP key cipher pairs Reconstructs output data and, if necessary, backs-up related derivatives.

3. Central cache according to one of the preceding claims, characterized in that a carrier system there according to the method stored by dial-up OTP key or OTP ciphers or related derivatives retrievable or retrieves.

4. Supplementary sheet according to one of the preceding claims, characterized in that a carrier system there according to the method OTP key or OTP ciphers or associated derivatives stores or reads.