CN1981475A - Method of choosing one of a multitude of data sets being registered with a device and corresponding device - Google Patents
- Publication number
- CN1981475A
- Authority
- CN
- China
- Prior art keywords
- dev
- key
- encrypted
- exchange information
- remote device
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Landscapes
- Storage Device Security (AREA)
- Mobile Radio Communication Systems (AREA)
Description
Technical field
The invention relates to a method of choosing one of a plurality of data sets registered with a device.
The invention further relates to a device for presenting one of a plurality of data sets registered with the device to a remote device, and to the remote device itself.
Background art
Identification products such as smart cards and RFID ("Radio Frequency Identification") tags are widely used in many fields, such as transport (ticketing, road tolling, baggage tagging), finance (debit and credit cards, electronic purses, merchant cards), communications (SIM cards for GSM phones) and tracking (access control, inventory management, asset tracking). The international standard ISO 14443A is the industry standard for contactless smart cards. ISO 14443A-compliant products such as MIFARE™ provide RF communication technology for transferring data between a card or tag and a reader device. For example, in electronic ticketing for public transport, travellers simply wave their card over a reader at the turnstile or entry point, benefiting from improved convenience and speed in the ticketing process. Such products are set to be the key to individual mobility in the future, supporting multiple applications including road tolling, airline tickets, access control and many more.
Near Field Communication (NFC), which evolved from a combination of contactless identification and networking technologies, is a very short-range wireless technology, with distances measured in centimetres, and is optimized for intuitive, easy and secure communication between various devices without user configuration. To make two devices communicate, the user brings them close together or even makes them touch. The devices' NFC interfaces automatically connect and configure themselves to form a peer-to-peer network. NFC can also bootstrap other protocols such as Bluetooth™ or wireless Ethernet (WiFi) by exchanging configuration and session data. NFC is compatible with contactless smart card platforms. This enables NFC devices to read information from these cards, making contactless smart cards the ideal solution for bringing information and credentials into the NFC world. NFC interfaces are now widely used in mobile phones and other mobile devices.
It is known from WO 01/93212 and WO 04/57890 that such devices can also emulate several smart cards. When a particular application needs to be used, for example subway ticketing, the device can present that application to the corresponding reader. A mobile phone, for example, can thus be used to replace all of a user's contactless smart cards, turning the phone into a universal key and wallet. However, to select an application, the user has to choose on the device which card is to be emulated. This is not user-friendly and is seen as a major obstacle to the acceptance of devices capable of emulating several smart cards.
Summary of the invention
It is an object of the invention to provide a method of the type defined in the opening paragraph, and a device and a remote device of the type defined in the second paragraph, which allow an application to be presented automatically to a remote device such as a reader without user intervention.
To achieve the object defined above, characteristic features are provided with the method according to the invention, so that the method according to the invention can be characterized in the way defined below, that is:
A method of choosing one of a plurality of data sets registered with a device, wherein, after selection, said one data set is presented by the device to a remote device, and wherein each data set is associated with a specific key,
the method comprising the following steps:
a) encrypting exchange information
a1) in said device, using one of the plurality of keys associated with the data sets, and sending the encrypted exchange information to the remote device, or
a2) in said remote device, using a key stored in the remote device, and sending the encrypted exchange information to said device,
b) decrypting the encrypted exchange information
b1) after step a1), in said remote device, using a key stored in the remote device, or
b2) after step a2), in said device, using one of the plurality of keys associated with the data sets,
c) comparing the exchange information with the exchange information decrypted according to step b), and
d) if the result of the comparison is true, presenting the data set to the remote device by said device, or, if the comparison is false, carrying out steps a)-d) using the key associated with another data set in step a1) or step b2).
To achieve the object defined above, characteristic features are provided with the device according to the invention, so that the device according to the invention can be characterized in the way defined below, that is:
A device for presenting one of a plurality of data sets registered with the device to a remote device, wherein each data set is associated with a specific key, and wherein the device comprises: means for encrypting exchange information with one of the keys associated with the data sets; means for transmitting the encrypted exchange information to the remote device; means for receiving decrypted exchange information from said remote device; means for comparing the exchange information with the decrypted exchange information; and means interacting with the comparing means for selecting one data set.
Furthermore, to achieve the object defined above, characteristic features are provided with the device according to the invention, so that the device according to the invention can be characterized in the way defined below, that is:
A device for presenting one of a plurality of data sets registered with the device to a remote device, wherein each data set is associated with a specific key, and wherein the device comprises: means for generating exchange information; means for transmitting the exchange information to the remote device; means for receiving encrypted data from said remote device; means for decrypting said encrypted information with one of the keys associated with the data sets; means for comparing the exchange information with the decrypted exchange information; and means interacting with the comparing means for selecting one data set.
To achieve the object defined above, characteristic features are provided with the remote device according to the invention, so that the remote device according to the invention can be characterized in the way defined below, that is:
A remote device provided for communicating with a device that is arranged to present one of a plurality of data sets registered with the device to said remote device, comprising: means for generating exchange information; means for transmitting the exchange information to said device; means for receiving encrypted data from said device; means for decrypting said encrypted information with a key stored in the remote device; means for comparing the exchange information with the decrypted exchange information; and means for sending the result of the comparing means to said device.
Furthermore, to achieve the object defined above, characteristic features are provided with the remote device according to the invention, so that the remote device according to the invention can be characterized in the way defined below, that is:
A remote device provided for communicating with a device that is arranged to present one of a plurality of data sets registered with the device to said remote device, comprising: means for encrypting exchange information with a key stored in the remote device; means for transmitting the encrypted exchange information to said device; means for receiving decrypted exchange information from said device; means for comparing the exchange information with the decrypted exchange information; and means for sending the result of the comparing means to said device.
The characteristic features according to the invention provide the advantage that the user no longer has to select an application on the device manually, because the proposed communication between the device and the remote device lets the device determine automatically which application, or which data corresponding to a certain application, must be presented to the remote device.
An important advantage of the proposed method and devices is that the keys never appear in the wireless communication, which could in theory be eavesdropped.
In a first embodiment of the method according to the invention, the following steps are carried out by the device:
- generating the exchange information;
- encrypting said exchange information according to step a1);
- receiving the decrypted exchange information from said remote device;
- comparing the exchange information according to step c); and
- if the result of the comparison is true, presenting the data set to the remote device; or, if the comparison is false, restarting from the step of generating or of encrypting, using the key associated with another data set in step a1).
These measures provide the advantage that, because the exchange information is generated in the device, communication between the device and the remote device can be reduced, which helps to save time and to increase security. It should be noted, however, that creating the exchange information in the remote device is possible in principle.
In an even more advantageous embodiment of the method according to the invention, the following steps are carried out by the device:
- generating the exchange information and transmitting it to the remote device;
- receiving the encrypted exchange information from said remote device;
- decrypting said encrypted exchange information according to step b2);
- comparing the exchange information according to step c); and
- if the result of the comparison is true, presenting the data set to the remote device; or, if the comparison is false, restarting from the step of generating or of decrypting, using the key associated with another data set in step b2).
This embodiment of the invention provides the further advantage that the communication between the device and the remote device (the device sending the exchange information and the remote device sending the encrypted information) has to take place only once, because the subsequent decryptions with different keys take place solely in the device.
The security of the communication between the device and the remote device can be improved when the exchange information is a random number. Using a random number as the exchange information provides the advantage of making so-called "replay attacks" impossible.
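The two embodiments above can be compared in a short simulation. The following Python sketch is an added example, not code from the patent: the class names, the sample keys and the 4-round Feistel cipher built on HMAC-SHA256 are assumptions chosen so that it runs with the standard library only, and it assumes the symmetric case in which the reader's key equals one of the device's keys. It counts the messages the reader has to handle in each embodiment.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # bytes; the exchange information R is one cipher block


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function (stand-in cipher, assumption of this example).
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


class Reader:
    """Remote device RD holding a single key Krd; the key never leaves it."""

    def __init__(self, krd: bytes):
        self._krd = krd
        self.messages = 0  # number of requests received over the air

    def decrypt_challenge(self, renc: bytes) -> bytes:  # step b1)
        self.messages += 1
        return decrypt(self._krd, renc)

    def encrypt_challenge(self, r: bytes) -> bytes:  # step a2)
        self.messages += 1
        return encrypt(self._krd, r)


class Device:
    """Device DEV with data sets registered as (name, key) pairs."""

    def __init__(self, registered):
        self._registered = list(registered)

    def select_first(self, reader: Reader):
        # First embodiment: a1) encrypt with Kx, b1) reader decrypts, c) compare.
        for name, kx in self._registered:
            r = secrets.token_bytes(BLOCK)  # fresh random R for every attempt
            rrd = reader.decrypt_challenge(encrypt(kx, r))
            if hmac.compare_digest(r, rrd):
                return name  # step d): present this data set
        return None

    def select_second(self, reader: Reader):
        # Second embodiment: a2) reader encrypts R once, b2) device tries each Kx.
        r = secrets.token_bytes(BLOCK)
        renc = reader.encrypt_challenge(r)
        for name, kx in self._registered:
            if hmac.compare_digest(r, decrypt(kx, renc)):
                return name
        return None


# Constructed sample keys K1..K3 (illustrative values, not from the patent).
REGISTERED = [(n, hashlib.sha256(n.encode()).digest()[:BLOCK])
              for n in ("public-transport", "cinema", "company-id")]

if __name__ == "__main__":
    dev = Device(REGISTERED)
    for method in ("select_first", "select_second"):
        rd = Reader(REGISTERED[2][1])  # reader belongs to the third application
        print(method, getattr(dev, method)(rd), "reader messages:", rd.messages)
```

With the matching key in third position, the first embodiment needs three exchanges with the reader and the second needs one; a reader whose key matches no registered data set yields no selection in either case.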
Different data sets, each belonging to a specific application, are "registered" with the device. The term "registered" means that the data sets do not have to be stored directly in the device, but can also be stored, for example, in a (further) remote device such as a remote server, from which the required data set is retrieved after it has been selected. It is furthermore conceivable that the keys associated with the data sets are not stored in the device but are downloaded when needed.
In an advantageous embodiment of the invention, however, the plurality of data sets and/or the associated keys are stored in the device.
These measures achieve the advantage that the proposed interaction between the device and the remote device can start immediately when the two devices come into contact. Establishing a possibly slow and unstable connection to a remote server is then unnecessary. It should also be noted that in some situations (subway, aeroplane, etc.) it may be impossible to establish a connection to the remote server because no network is available. It is therefore particularly advantageous when the data sets and the corresponding keys are stored in the device.
As stated above, an advantage of the proposed method and devices is that the keys never appear in the wireless communication with the remote device, which could in theory be eavesdropped. To improve security further, however, it is advantageous to store the data in the device in a secure way, for example to prevent unauthorized access to the data by the user or by others.
In particular the measures of a specific solution, namely that the data sets are stored in encrypted form in a first memory of the device, that the encrypted data set selected according to step d) is decrypted with the associated key, and that the decrypted data set is stored in a more tamper-resistant second memory of the device, provide the advantage that, on the one hand, a large, cheap first memory can be used to store the encrypted data permanently and, on the other hand, a small, expensive second memory can be used to store the decrypted data temporarily while it is in use. This second memory can be shared by several applications, which reduces technical effort and cost.
According to the invention, the encrypted data representing a smart card application is now decrypted and advantageously loaded into the second memory.
Asymmetric encryption can be used for the encryption process described above, which means that a private key and a public key have to be used. The exchange information can thus be encrypted with the private key and decrypted with the public key, or vice versa. Symmetric encryption is also applicable.
However, the measure that the key stored in the remote device is identical to one of the keys stored in the device provides the advantage that the well-known communication between a reader and a tag can be used for the purposes of the invention, which means that fewer changes have to be implemented than in the asymmetric case and that prior-art readers can generally be used for the purposes of the invention.
It is advantageous if said second memory and/or said decryption means are part of an NFC interface. As stated above, NFC technology evolved from a combination of contactless identification (that is, RFID technology) and interconnection technologies. NFC operates in the 13.56 MHz frequency range over a distance of typically a few centimetres, but engineers are also developing systems that work over greater distances of up to 1 m. NFC technology is standardized in ISO 18092, ECMA 340 and ETSI TS 102 190. NFC is also compatible with the widely established contactless smart card infrastructure based on ISO 14443. An NFC interface usually already includes tamper-resistant memory as well as an encryption/decryption module. It is therefore advantageous to use these modules for the invention.
It is further advantageous if the first memory is additionally arranged to store functions for operating the device. A device usually includes a non-secure main memory for storing the device's operating system. In this embodiment, the encrypted data as well as the functions of the operating system are stored in the first memory, so the first memory is used synergistically.
Finally, it is advantageous if said second memory is arranged to store said keys. For some applications it is beneficial to store the key used to decrypt the encrypted data in the device itself. In that case, the key should be stored in the tamper-resistant second memory to prevent misuse of the encrypted data.
Brief description of the drawings
The aspects defined above and further aspects of the invention are apparent from the examples of embodiment described hereinafter and are explained with reference to these examples. The invention is now explained in more detail with the aid of drawings showing advantageous embodiments of the invention. Note that these examples are not intended to narrow the broad scope of the invention.
Figure 1 shows service initialization and the use of encrypted data.
Figure 2 shows an alternative embodiment for setting up a service.
Figure 3 shows a first embodiment of the method according to the invention of choosing one of a plurality of encrypted data sets.
Figure 4 shows a second embodiment of the method according to the invention of choosing one of a plurality of encrypted data sets.
Figure 5 shows the standard identification procedure between an RFID tag and a reader.
Figure 6 shows the second embodiment of the method of Figure 4 again, based on the standard identification of an RFID tag according to Figure 5.
Figures 7-10 show an overview of different variants of the method according to the invention.
Detailed description
Figures 1 and 2 show a device and a method by which encrypted data DATenc stored in a device DEV can be used in decrypted form without giving the owner of the device DEV access to the decrypted data DAT. Such a device DEV can advantageously be used with the invention. In particular, Figure 1 shows an arrangement comprising the device DEV and two remote devices, namely a server SER and a reader RD. In this example the device DEV is a mobile phone or a PDA, and comprises a first memory MEM1, a more tamper-resistant second memory MEM2 and an encryption/decryption module ENC/DEC. The first memory MEM1 is assumed here to be the memory for the operating system and other data needed to use the device DEV. Since there are usually no, or only minor, measures protecting the main memory of the device DEV against misuse, it is usually very easy to alter data stored in such a memory. Sensitive data, for example the IMSI (International Mobile Subscriber Identity) in the case of a mobile phone, is therefore stored in tamper-resistant memory, for example in the SIM (Subscriber Identity Module). Another example is smart cards, which are increasingly becoming part of mobile phones or are emulated by them. In this context, mention must also be made of an interface operating according to the standard for Near Field Communication (NFC). This interface enables short-range communication with the reader RD and usually also includes tamper-resistant memory and means for encryption and decryption. This example therefore assumes that the second memory MEM2 and the encryption/decryption module ENC/DEC are part of the NFC interface INT.
The arrangement functions as follows. In a first step, the reader RD, which is also able to communicate according to the NFC standard, sends encrypted data DATenc to the device DEV (solid line). In the present case, the encrypted data DATenc represents an application for ticketing in public transport, which has to be installed in the device DEV before it can be used. Once received, the encrypted data DATenc is stored in the first memory MEM1.
Alternatively, the server SER can provide the encrypted data DATenc. This is indicated in the figure by the dashed line from the server SER to the device DEV. In this case it is assumed that the server SER is part of the Internet and holds the above-mentioned application. On request, the encrypted data DATenc can be downloaded over a comparatively fast (and non-secure) Internet connection. The request can be sent by the device DEV to the server SER either directly or via the reader RD.
In principle, the device DEV is now ready for use. Thus, when the device DEV is in the vicinity of the reader RD, in a second step the key K is sent from the reader RD to the device DEV (solid line). In a third step, the encrypted data DATenc is read from the first memory MEM1 and decrypted by means of the encryption/decryption module ENC/DEC and the key K received from the reader RD. In a fourth step, the result of this decryption, that is, the data DAT, is stored in the second memory MEM2. Communication between the device DEV and the reader RD can now take place as known from prior-art systems. The data DAT can also include variables and code.
In an alternative embodiment, the key K is stored in the device DEV during service initialization, that is, when the encrypted data DATenc is received from the reader RD or the server SER. The encrypted data DATenc can be sent over a non-secure communication channel as described above. The only restriction is that the key K be kept secret. The small key K is therefore sent via slow but secure near field communication (dash-dotted line) and stored in the second memory MEM2.
In principle, the device DEV is now again ready for use, and the process can, for example, be started manually rather than remotely by the reader RD. Furthermore, in contrast to the method described above, the key K is not received from the reader RD but is passed from the second memory MEM2 to the encryption/decryption module ENC/DEC. The encrypted data DATenc is again decrypted, and the result of this decryption, the data DAT, is stored in the second memory MEM2. Communication between the device DEV and the reader RD can then take place as described before.
The communication channel between the device DEV and the reader RD is assumed to be secure. Moreover, the second memory MEM2 is tamper-resistant, as stated above. It is therefore not possible to misuse the key K to alter the encrypted data DATenc abusively and, for example, to buy tickets without paying. The advantage of this method is that applications, which usually take up a large amount of memory, can be stored in cheap standard memory and loaded only temporarily into the expensive tamper-resistant second memory MEM2. As explained in more detail later, the second memory MEM2 can in this way be shared between several services.
Figure 2 shows an alternative embodiment of the inventive device DEV. The device DEV is again shown in combination with two remote devices, namely a server SER and a reader RD. In addition to what is shown in Figure 1, the device DEV comprises a random number generator RAND, which is part of the NFC interface INT.
The arrangement of Figure 2 functions as follows. First, unencrypted data DAT is sent from the reader RD to the device DEV via short-range communication and stored there in the second memory MEM2 (solid line). In a second step, a random key K is generated by the random number generator RAND, stored in the second memory MEM2 and passed to the encryption/decryption module ENC/DEC. In a third step, the data DAT is encrypted with said key K by means of the encryption/decryption module ENC/DEC. Finally, in a fourth step, the result of this step, that is, the encrypted data DATenc, is stored in the first memory MEM1.
The data DAT can also be sent by the server SER (dashed line). In contrast to the embodiment of Figure 1, a secure communication channel should exist here between the server SER and the device DEV, because the data DAT is not encrypted. It is also conceivable that the data DAT is sent from the server SER to the reader RD over a tamper-resistant communication channel (for example a company-internal network; dash-dotted line) and then to the device DEV over the short-range wireless link.
Figures 3-10 below describe different embodiments of the method of presenting to the reader RD one of a plurality of applications that have been registered with, and in particular stored in, the device DEV.
Figures 1 and 2 show a device DEV that can be used for the method of presenting one of a plurality of applications to the reader RD. Figures 1 and 2 also explain how encrypted data DATenc can be stored in decrypted form in such a device DEV without giving the owner of the device DEV (or anyone else) access to the decrypted data DAT. For this reason it is advantageous to use such an inventive device DEV for the method according to the invention as claimed and as described hereinafter (Figures 3-6).
It should be noted, however, that the method according to the invention as described hereinafter is in principle also applicable with a device that does not comprise a first memory MEM1 and a second memory MEM2 (as the device DEV described above with reference to Figures 1 and 2 does).
Furthermore, it is in principle not necessary to use encrypted data DATenc or encrypted data sets DS1enc...DSnenc as described hereinafter; the method according to the invention is also applicable to unencrypted data (sets) stored in the device DEV. However, for the reasons given above concerning the secure storage of the encrypted data DATenc, it is advantageous for the data (sets) used by the method to be in encrypted form. The method according to the invention as claimed is therefore described hereinafter using encrypted data DATenc. The scope of the invention is, however, not limited to the use of encrypted data sets DS1enc...DSnenc.
Figure 3 shows a first implementation of the method according to the invention, i.e. how a certain application can be presented to a remote device (here in the form of a reader RD). For this example it is assumed that the encrypted data DATenc is divided into several encrypted data sets DS1enc...DSnenc, which represent different smart card applications: one for public transport, one for cinema ticketing, one for a company identity card, and so on. These encrypted data sets DS1enc...DSnenc have been stored beforehand during the initialization routine shown in Figure 1 or Figure 2. It is also possible to store the applications in a different way, for example directly by the supplier of the device DEV (e.g. a mobile phone). Each encrypted data set DS1enc...DSnenc has an associated key K1...Kn stored in the second memory MEM2. In contrast to Figure 2, the device DEV additionally comprises a comparator COMP, and the reader RD additionally comprises an encryption/decryption module ENC/DEC'.
The arrangement of Figure 3 functions as follows: when the device DEV is in the vicinity of the reader RD, it has to determine which of the applications represented by the encrypted data sets DS1enc...DSnenc must be selected.
In a first step, exchange information is generated by the device DEV. It is advantageous if the exchange information is a random number R generated by the random number generator RAND.
In a second step, the device DEV encrypts the random number R with one key Kx of the plurality of keys K1...Kn. The key Kx is also used to decrypt the associated encrypted data set DSx. Next, in a third step, the encrypted random number Renc is sent to the reader RD. In a fourth step, the encrypted random number Renc is decrypted with the reader key Krd by means of the encryption/decryption module ENC/DEC' of the reader RD. The result of this operation, the reader random number Rrd, is then sent back to the device DEV and, in a fifth step, compared with the original random number R by means of the comparator COMP.
If the result of the comparison is true, meaning that the random number R and the reader random number Rrd are identical, the correct key Kx has been found (assuming correct operation of the symmetric encryption). Then, in a sixth step, the encrypted data set DSxenc associated with the key Kx is decrypted with the key Kx by means of the encryption/decryption module ENC/DEC. In a seventh step, the result of the decryption, the data DSx, is stored in the second memory MEM2 (dashed line). The device DEV is now ready for use, for example for public transport.
If the comparison of the random numbers is true, the key Kx that is associated with the encrypted data set DSxenc in the device DEV and was used to encrypt the random number R, and the key Krd used on the reader RD to decrypt the encrypted random number R, are identical, i.e. Kx = Krd. This means that the correct application or data set DSxenc has been found.
If the result of the comparison is false, i.e. if the random number R and the reader random number Rrd are not identical, the key Kx used on the device DEV and the key Krd used on the reader RD are not identical, which means that the correct data set or application has not yet been found. A new cycle starts, in which either a newly generated random number or the same random number R as generated in the first cycle is encrypted with a new key on the device DEV. This encrypted random number is sent to the remote reader RD, and so on. The cycle is executed recursively until the result of the above comparison is true.
Figure 4 shows another implementation of the method according to the invention, i.e. how a certain application can be presented to the reader RD. It is again assumed that the encrypted data DATenc is divided into several encrypted data sets DS1enc...DSnenc, which represent different smart card applications: one for public transport, one for cinema ticketing, one for a company identity card, and so on. These encrypted data sets DS1enc...DSnenc have been stored beforehand during the initialization routine shown in Figure 1 or Figure 2. It is also possible to store the applications in a different way, for example, as mentioned above, directly by the supplier of the device DEV (e.g. a mobile phone).
Again, each encrypted data set DS1enc...DSnenc has an associated key K1...Kn stored in the second memory MEM2. In contrast to Figure 2, the device DEV additionally comprises a comparator COMP, and the reader RD additionally comprises an encryption/decryption module ENC/DEC'.
The arrangement of Figure 4 functions as follows: when the device DEV is in the vicinity of the reader RD, it has to determine which of the applications represented by the encrypted data sets DS1enc...DSnenc must be selected.
In a first step, exchange information is generated by the device DEV. It is again advantageous if the exchange information is a random number R generated by the random number generator RAND. In a second step, the device DEV transmits the random number R to the reader RD. In a third step, the reader RD encrypts the random number R with the key Krd stored in the reader RD. In a fourth step, the reader RD sends the encrypted random number Renc' back to the device DEV. In a fifth step, the encrypted random number Renc' is decrypted by means of the encryption/decryption module ENC/DEC of the device DEV with one key Kx of the keys K1...Kn stored in the device DEV, and in a sixth step the resulting random number R' is compared with the original random number R in the comparator COMP.
If the result of the comparison is true, i.e. the original random number R and the random number R' obtained by decrypting the encrypted random number Renc' are identical, the key Kx used for decryption in the device DEV and the key Krd used for encryption in the reader RD are identical. This means that the correct application or data set DSxenc to be presented to the reader RD has been found. Then, in a seventh step, the encrypted data set DSxenc associated with the key Kx is decrypted with the key Kx in the device DEV by means of the encryption/decryption module ENC/DEC. In an eighth step, the result of the decryption, the data DSx, is stored in the second memory MEM2 (dashed line). The device DEV is now ready for use, for example for public transport.
As already mentioned above, if the comparison of the random numbers is true, the key Kx used in the device DEV to decrypt the encrypted random number Renc' and the key Krd used in the reader RD to encrypt the original random number R are identical, i.e. Kx = Krd. This means that the correct application or encrypted data set DSxenc has been found.
If the result of the comparison is false, i.e. the random numbers R and R' are not identical, the key Kx used in the device DEV and the key Krd used on the reader RD are not identical, which means that the correct data set or application has not yet been found. In this case, another key stored in the device DEV is used to decrypt the encrypted random number Renc', and the resulting random number is compared with the original random number R. This process is repeated until the random numbers R and R' are identical and the correct application has been found.
The method described in connection with Figure 4 has the following advantage: the encryption of the random number R into the encrypted random number Renc' and the communication between the device DEV and the reader RD (sending the random number R and the encrypted random number Renc') have to take place only once, because the subsequent decryptions with different keys take place only in the device DEV. In contrast, the method described with reference to Figure 3 requires the two-way communication between the device DEV and the reader RD to be repeated whenever the correct application is not found in the first cycle.
The method described with reference to Figure 4 is explained further with reference to Figures 5 and 6. Figure 5 shows the well-known communication between a transponder, for example an RFID tag TRA (which stores the data for one application and a corresponding key K), and a reader RD. Usually, an RFID tag requires authentication before any communication can take place. Figure 5 shows this interaction. The mutual authentication procedure starts with the reader RD sending a GET_CHALLENGE command to the tag TRA. A random number R is then generated in the tag TRA and sent back to the reader RD. The reader RD uses its secret key Krd, stored in the reader RD, and a common algorithm to calculate an encrypted data block TK1 containing the encrypted random number Renc' and additional control data, and sends it back to the tag TRA. The received encrypted data block TK1 is decrypted in the tag TRA, and the random number R' contained in the data block TK1 is compared with the previously transmitted random number R. If the two match, the tag TRA has detected that the same key K = Krd is in use. The tag TRA then encrypts the control data sent by the reader RD and returns it in a second encrypted data block TK2, which allows the reader RD to verify in a similar way that the same key K = Krd is in use. Assuming that the reader RD also detects that the same key K = Krd is in use, the data exchange between the tag TRA and the reader RD can finally take place.
This authentication procedure between the reader RD and the tag TRA is also used for the method according to the invention as described with reference to Figure 4. In Figure 6, the tag TRA of Figure 5 is replaced by a device DEV as described for Figure 4, such as a mobile phone or a PDA. Different tags, for example a subway ticket, a cinema ticket and so on, are registered in the device DEV. The registration comprises the encrypted data sets DS1enc...DSnenc and the keys K1...Kn used for authentication. The encrypted data sets DS1enc...DSnenc are stored in the database CDB of the secure memory MEM1, as described above for Figure 4. The keys K1...Kn are stored in a key database KDB in the secure, more tamper-resistant memory MEM2 of the device DEV.
When the device DEV is presented to the reader device RD, the basic interaction described with reference to Figure 5 is used initially. After the encrypted data block TK1 has been received, the interaction branches into the scheme shown in Figure 6.
As soon as the reader RD has responded with the encrypted data block TK1 as shown in Figure 5, the device DEV retrieves a key Kx from the key database KDB and uses it to decrypt the encrypted data block TK1. The device DEV tries one key after another until the correct key is found, and the device DEV then presents the correct data set DSxenc (DSx) to the reader, as described in more detail for Figure 4.
In the description of Figures 3-6 it was assumed that the different applications, i.e. the encrypted data sets DS1enc...DSnenc and the corresponding keys K1...Kn, are already stored in the device DEV. However, it may also be the case that an application is merely registered in the device DEV. In this case the (encrypted) data sets DS1enc...DSnenc are not stored directly in the device DEV but, for example, in a server SER, from which one of the encrypted data sets DS1enc...DSnenc can be downloaded when the device DEV needs it, for example as described for Figures 1 and 2. After the download, the downloaded data set DSxenc is stored in the device DEV and then presented by the device DEV to the remote device RD.
If the device DEV is a (mobile) phone, the device DEV may retrieve the data set associated with a specific application from a remote database CDB of registered applications (tags). This data set is then loaded into the working memory of the NFC hardware. The interaction can now continue in the standard mode of operation, because the device DEV is emulating just one tag TRA.
It is not necessary to try the keys K1...Kn in the order in which they are stored in the second memory MEM2. The keys K1...Kn may also have different weights, depending on how often they are used, which reduces the search time. In that case the search starts with the key Kx that is most likely to be the correct key.
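The following added example (not part of the patent) simulates the key search of Figure 3 and of Figure 4 side by side and applies the usage weighting described in the preceding paragraph, counting the device/reader exchanges each variant needs. The Feistel construction over HMAC-SHA256 is a stand-in for the symmetric cipher, which the text does not specify; the class and function names, the 16-byte challenge and the sample keys are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # challenge length in bytes (assumed; the text does not fix one)


def _f(key, i, half):
    # Round function of the stand-in cipher: truncated HMAC-SHA256.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, block):
    """4-round Feistel permutation standing in for the symmetric cipher."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        left, right = right, _xor(left, _f(key, i, right))
    return left + right


def decrypt(key, block):
    """Inverse of encrypt(): undo the rounds in reverse order."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        left, right = _xor(right, _f(key, i, left)), left
    return left + right


class Reader:
    """Reader RD holding one key Krd; counts request/response exchanges."""

    def __init__(self, krd):
        self._krd = krd
        self.exchanges = 0

    def decrypt_challenge(self, renc):   # Fig. 3: returns Rrd
        self.exchanges += 1
        return decrypt(self._krd, renc)

    def encrypt_challenge(self, r):      # Fig. 4: returns Renc'
        self.exchanges += 1
        return encrypt(self._krd, r)


class Device:
    """Device DEV with keys K1..Kn (name -> key) and per-key usage counts."""

    def __init__(self, keys):
        self.keys = dict(keys)
        self.uses = {name: 0 for name in keys}

    def _candidates(self):
        # Most frequently matched key first; ties keep registration order.
        return sorted(self.keys, key=lambda name: -self.uses[name])

    def _hit(self, name):
        self.uses[name] += 1
        return name

    def select_fig3(self, reader):
        """One exchange per candidate key: send Enc_Kx(R), compare Rrd with R."""
        r = secrets.token_bytes(BLOCK)
        for name in self._candidates():
            rrd = reader.decrypt_challenge(encrypt(self.keys[name], r))
            if hmac.compare_digest(rrd, r):
                return self._hit(name)
        return None  # the reader belongs to no registered application

    def select_fig4(self, reader):
        """One exchange in total: obtain Renc' once, try the keys locally."""
        r = secrets.token_bytes(BLOCK)
        renc = reader.encrypt_challenge(r)
        for name in self._candidates():
            if hmac.compare_digest(decrypt(self.keys[name], renc), r):
                return self._hit(name)
        return None


def sample_keys():
    # Constructed keys for three registered applications.
    return {n: hashlib.sha256(n.encode()).digest()[:16]
            for n in ("transit", "cinema", "badge")}


if __name__ == "__main__":
    dev, rd = Device(sample_keys()), Reader(sample_keys()["badge"])
    print(dev.select_fig3(rd), rd.exchanges)
```

A wrong key decrypts to a value that equals R only by chance, so the challenge has to be long enough for such false matches to be negligible. The comparison uses `hmac.compare_digest` so that its duration does not depend on how many bytes match.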
It is also conceivable that a key different from the key Kx used to decrypt the associated encrypted data set DSx is used to select the appropriate application. Each encrypted data set DSx is then associated with two keys: one for decryption, and one that is identical to the reader key Krd.
Nor is it necessary to use symmetric encryption. Asymmetric encryption with public and private keys is also conceivable.
It should be noted that the encryption/decryption module ENC/DEC, the random number generator RAND and the comparator COMP are not necessarily part of the NFC interface INT. However, the arrangement shown is preferred, because the NFC interface INF as a whole is considered to be tamper-resistant, or at least more tamper-resistant than the rest of the device DEV.
It should further be mentioned that the invention is not limited to smart card applications. Rather, any device in which encrypted data must be decrypted is suitable, in particular an adapted PC with a secure second memory. Nor is it necessary for the device DEV to communicate with a reader RD. Communication between two similar devices DEV (for example two NFC-compatible mobile phones) is conceivable. One application could be the exchange of (digital) money between two phones, each of which has an encrypted account.
The method described with reference to Figures 4 and 6 is the most advantageous variant of the method according to the invention, because it uses the standard authentication procedure for RFID tags described with reference to Figure 5. Furthermore, as already described, this embodiment requires only a small amount of communication between the remote device RD and the device DEV, so that this variant of the inventive method is fast and reliable.
However, as already described with reference to Figure 3, other embodiments of the invention are in principle also possible and may be advantageous in certain specific cases.
A short overview of possible embodiments of the method according to the invention is given below.
Figure 7 schematically depicts the method already shown in Figure 3: the device DEV generates a random number R, encrypts it with one key Kx of the keys K1...Kn stored in the device DEV, and sends the encrypted random number Renc to the reader RD. The reader RD decrypts the number Renc with the reader key Krd stored in the reader RD (the reader key Krd is identical to one of the keys K1...Kn stored in the device DEV). The decrypted reader number Rrd is sent back to the device DEV, where the original random number R and the reader number Rrd are compared in order to identify the correct application.
Figure 8 schematically shows the method of Figures 4 and 6, in which the random number R generated by the device DEV is sent to the reader RD. The reader RD encrypts the random number R with the reader key Krd into the encrypted reader number Renc' and sends this number Renc' back to the device DEV. The device DEV decrypts the encrypted number Renc' with one key Kx of the keys K1...Kn stored in the device DEV and compares the resulting number R' with the original random number R. This process of decrypting the encrypted number Renc' with the keys K1...Kn stored in the device DEV is repeated until the correct application is found.
In another embodiment according to Figure 9, the exchange information, i.e. usually a random number R, is generated by the reader RD. The random number R is sent to the device DEV, where it is encrypted with one key Kx of the keys K1...Kn into an encrypted number Renc. This number Renc is sent back to the reader RD, where it is decrypted by means of the reader key Krd. The resulting number R' is compared with the original random number R. If the original random number R and the decrypted random number R' are identical, the correct key and thus the correct application has been found. If the comparison is not true, the device DEV encrypts the random number R with another key and sends it to the reader RD, and so on. In this case, the reader RD can send the random number R to the device DEV so that the device DEV can detect that another encryption is necessary, or it can send some specific information to the device DEV.
As described, the comparison takes place in the reader RD. In principle, however, it is also possible to send the number Rrd from the reader RD to the device DEV, which then compares the two random numbers R and Rrd.
Another embodiment is shown in Figure 10. Here, the reader RD generates a random number R, encrypts it with the reader key Krd, and sends the encrypted number Renc' to the device DEV. The device DEV decrypts the encrypted number Renc' by means of one key Kx of the keys K1...Kn.
The resulting random number R' is compared with the original random number R, preferably, as shown, in the reader RD. However, it is also possible for the reader RD additionally to send the original random number R to the device DEV, so that the comparison can take place in the device DEV.
Finally, it should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design many alternative embodiments without departing from the scope of the invention as defined in the appended claims. Note in particular that, although the selection of a data set in the claims and figures mainly concerns encrypted data sets, this is not to be regarded as mandatory for the invention. Rather, the invention also relates to selecting one of a plurality of unencrypted data sets. In the claims, any reference signs placed in parentheses shall not be construed as limiting the claim. The words "comprising" and "comprises" and the like do not exclude the presence of elements or steps other than those listed in a claim or in the description as a whole. The singular reference of an element does not exclude the plural reference of such elements, and vice versa. In a device claim enumerating several means, several of these means may be embodied by one and the same item of hardware or software. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
Claims (13)
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| GB0414648.6 | 2004-06-30 | ||
| GB0414648A GB0414648D0 (en) | 2004-06-30 | 2004-06-30 | Multi-application communication device |
| EP04106893.3 | 2004-12-22 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN1981475A (en) | 2007-06-13 |
Family
ID=32843314
Family Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200580022218 Pending CN1981475A (en) | 2004-06-30 | 2005-06-23 | Method of choosing one of a multitude of data sets being registered with a device and corresponding device |
| CN 200580022349 Pending CN1981474A (en) | 2004-06-30 | 2005-06-23 | Device for using encrypted data and method thereto |
Family Applications After (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200580022349 Pending CN1981474A (en) | 2004-06-30 | 2005-06-23 | Device for using encrypted data and method thereto |
Country Status (2)
| Country | Link |
|---|---|
| CN (2) | CN1981475A (en) |
| GB (1) | GB0414648D0 (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103973869A (en) * | 2013-01-29 | 2014-08-06 | 上海易销电子商务有限公司 | Program installing and data updating terminal of mobile equipment |
2004
- 2004-06-30 GB GB0414648A patent/GB0414648D0/en not_active Ceased
2005
- 2005-06-23 CN CN 200580022218 patent/CN1981475A/en active Pending
- 2005-06-23 CN CN 200580022349 patent/CN1981474A/en active Pending
Also Published As
| Publication number | Publication date |
|---|---|
| GB0414648D0 (en) | 2004-08-04 |
| CN1981474A (en) | 2007-06-13 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
| WD01 | Invention patent application deemed withdrawn after publication |