HK1151877B - Transponder, reader and method for masking applications supported by the same

Info

Publication number: HK1151877B
Authority: HK (Hong Kong)
Prior art keywords: transponder, reader, application, response, supported
Application number: HK11105992.4A
Other languages: Chinese (zh)
Other versions: HK1151877A1 (en)
Inventors: 苏珊‧斯顿, 保罗‧胡伯默尔, 彼得‧蒂林格, 布鲁斯‧默里, 海克‧诺伊曼, 汉斯‧德容
Original assignee: Nxp股份有限公司
Application filed by Nxp股份有限公司
Priority claimed from PCT/IB2008/054665 (WO2009144535A1)
Publication of HK1151877A1
Publication of HK1151877B

Description

Transponder, reader and method of masking applications supported by the same
Technical Field
The present invention relates to a transponder storing a plurality of different applications; a reader designed to decrypt data received from the transponder; and a method for masking applications supported by a reader and/or a transponder. Furthermore, the invention relates to a program element. The invention also relates to a computer readable medium.
Background
The information transmitted between a reader and a transponder, in particular a smart card or an RFID tag, is encrypted so that an attacker cannot obtain the data and use it for criminal purposes. The need for such encryption is quite obvious for personal data, account data, credit card numbers, etc. Since newer smart cards can emulate several smart cards, i.e. support a number of different applications, the set of supported applications should be obscured as well; the need for this is not evident a priori. However, consider a card that supports applications from "Visa", "American Express", "walma" and "New York subway": the need becomes clearer, since such a card very likely belongs to an American citizen, and using this "feature" its holder can easily be targeted by terrorists.
Some other considerations related to conventional communication systems are described below.
Privacy may relate to an individual or to a group of people (e.g. American citizens) who share certain attributes. Protecting such privacy may be advantageous.
Privacy may be compromised in various ways. Conventionally, the UID (unique identifier) of the card used in anti-collision is readable in the clear. Thus, individual users may be tracked at a variety of locations.
One conventionally available scheme is to use a random ID (RID). However, trusted applications in the reader still need to know which card they are communicating with, and therefore still need a unique card logical ID (UCID).
This appears harmless when the card reveals only its type, brand, etc. However, the knowledge that type X cards from manufacturer Y are not purchased by many cities other than New York for its subway shows that the holder of such a card is very likely a New Yorker.
It would be advantageous if compromising the key of one application did not compromise the privacy of the other applications.
Further, WO 2006/003562 discloses a method for selecting one of a plurality of data sets registered with a device, wherein each data set is associated with a specified key, wherein exchanged information is encrypted in the device using one of the keys; sending the encrypted exchange information to the remote device; decrypting, in the remote device, the exchanged information using the one key stored in the remote device; the decrypted exchange information is then sent back to the device. Subsequently, the exchange information is compared with the decrypted exchange information. If the two are equal, the correct data set is found, otherwise the loop starts again with another key. The roles of the device and the remote device may change so that a cycle may be initiated in the remote device. WO 2006/003562 also relates to a device for presenting one of a plurality of data sets registered with the device to a remote device.
However, this method uses rather time-consuming trial authentications. Furthermore, it does not support multi-application readers.
Disclosure of Invention
It is therefore an object of the present invention to provide a reader and/or transponder which is capable of operating in a manner which protects privacy.
The object of the invention is achieved by a transponder, a reader, a method, a program element and a computer-readable medium according to the independent claims. According to an example embodiment, there is provided a transponder comprising: a storage unit storing a plurality of different applications; a processing unit adapted to generate, based on a request of the reader, a response that can be interpreted using an encryption scheme known to both the transponder and the reader, such that the reader can analyze the response using the encryption scheme to determine whether the transponder supports the application; and a transmitting unit adapted to transmit the response to the reader.
More specifically, according to an exemplary embodiment, a transponder (which may be communicatively coupled to a reader) is provided, which stores a plurality of different applications (e.g. one or more applications supported by the transponder), which extends the name of an application using a random number (e.g. a true random number or a pseudo random number, which may be generated by a random number generator of the transponder or which may be stored in a memory unit of the transponder) upon request of the reader (e.g. a request by a communication message sent from the reader to the transponder); encrypting or MAC processing the extension number (i.e. generating a message authentication code MAC) using a key associated with the application (which the reader may also know); and sending the encrypted number to the reader. According to another example embodiment, there is provided a reader including: a transmitting unit adapted to transmit a request to the transponder indicating a plurality of applications supported by the reader; an analysis unit adapted to analyze the response received from the transponder using an encryption scheme known to both the transponder and the reader; and a determining unit adapted to determine whether the transponder supports the application by analyzing the response using the encryption scheme.
According to another exemplary embodiment, a reader (which may be communicatively coupled with a transponder) is provided which is designed to decrypt data received from the transponder using a key (which the transponder may also know) associated with an application (e.g. one or more applications supported by the transponder); and determining whether the decrypted number contains the name of the application. According to another example embodiment, there is provided a method of obscuring applications supported by a reader and/or transponder, the method comprising:
the reader sends a reading request to the transponder;
the transponder producing a response that can be interpreted using an encryption scheme known to both the transponder and the reader and that indicates whether the application is supported by the transponder;
the transponder sending the response to the reader; and
the reader analyzes the response by using the encryption scheme to determine whether the transponder supports the application.
More specifically, according to another example embodiment, a method for obscuring applications supported by a reader and/or transponder is disclosed, the method comprising:
the reader sends a request command to the transponder;
the transponder extends the name of an application supported by the transponder using a random number;
the transponder encrypts or MAC-processes the extended number using a key associated with the application;
the transponder sends the encrypted or MAC processed extension number to the reader;
the reader decrypts the encrypted extension number or verifies the MAC on the encrypted extension number; and
the reader determines whether the decrypted, verified extension number includes the name of the application.
According to another exemplary embodiment of the invention, a program element (for example a software routine in source code or in executable code) is provided, which, when being executed by a processor, is adapted to control or carry out a data processing method having the above mentioned features.
According to another exemplary embodiment of the invention, a computer-readable medium (for example a CD, a DVD, a USB stick, a floppy disk or a hard disk) is provided, in which a computer program is stored which, when being executed by a processor, is adapted to control or carry out a data processing method having the above mentioned features.
The data processing that can be performed according to embodiments of the invention can be realized by a computer program, i.e. by software, or by using one or more special electronic optimization circuits, i.e. in hardware, or in hybrid form, i.e. by means of software components and hardware components.
The term "transponder" may particularly denote an RFID tag or a (e.g. contactless) smart card. More specifically, the transponder may be a device (e.g. comprising a chip) that automatically transmits specific (e.g. encoded) data when activated by a special signal from an interrogator such as the reader.
The term "reader" may particularly denote a base station adapted to transmit a beam of electromagnetic radiation for reading out a transponder and to detect reflected or transmitted signals. The reader device may be adapted as one of the group consisting of: reading and/or writing devices, RFID readers, contactless chip card readers, passive transponders and near field communication devices.
The term "application" may particularly denote a service within a communication system formed by a reader and a transponder, which may contribute to the service. The provision of such contributions may involve the ability of the transponder to provide stored or calculated data, to provide processing power, etc. Examples of such services are: the user of the transponder pays for the use of public transportation, the wireless payment system pays for the purchase price of the item, credit card services, etc.
The term "name of an application" may particularly denote an identifier or code indicating an application, or allow a specified application to be explicitly acquired based on the identifier. Such a name may be embodied as any alphanumeric code, such as a sequence of letters, a sequence of numbers, or a combination of letters and numbers.
The term "encryption scheme" may particularly denote any scheme, routine or algorithm applied to encode a data block underlying a communication message, such that interpreting the content of the encrypted data block requires knowledge of the encryption scheme, e.g. one or more keys used for encryption. The types of encryption encompassed by this term include symmetric encryption (where the communicating parties use the same key on both sides) and public-key encryption (where the communicating parties use a public key and a private key). Specifically, forming a MAC (message authentication code), or forming a CRC (cyclic redundancy check) which is subsequently encrypted, can be considered a form of encryption based on an encryption scheme.
The term "message authentication code" (MAC) may particularly denote a short message used for authenticating a message. The MAC algorithm may accept as input a secret key and a message of arbitrary length to be authenticated, and may output a MAC. The MAC value may protect the data integrity of the message and its authenticity by allowing an authenticating party (also in possession of the secret key or corresponding public key).
The term "cyclic redundancy check" (CRC) may particularly denote the type of function (or its output) that takes a data stream of any length as input and produces as output a value of a certain space, for example an integer of a certain number of bits. The CRC may be used as a checksum to detect data changes during transmission.
Embodiments of the invention may provide the following advantages: applications supported by the transponder may be obscured during transmission of communication messages between the reader and the transponder. Accordingly, the attacker cannot get any information about which or how many applications the transponder supports, thereby protecting the privacy of the communication partners.
In an embodiment, data from the reader may also be masked so that an attacker also does not get information about which or how many applications the reader supports.
Some example aspects of embodiments of the invention are set forth below:
the reader may send a set of applications that it supports, the transponder may respond to the reader if it supports one or more of these applications, and may optionally communicate the transponder identification to the reader.
Such communication may be done in a manner that preserves confidentiality (so that an attacker cannot learn whether the transponder supports the application), integrity (so that the reader can determine that the transponder supports the application) and freshness (so that the reader can determine that the transponder supports the application at this time).
The reader can then select an application by sending a message to the transponder that the transponder can decode, but the attacker cannot draw conclusions about the support from this.
Confidentiality means that an attacker cannot determine which applications the transponder supports: neither by observing a single communication in which, for example, the application name is transmitted (this is the reason for encrypting the communication), nor by observing multiple messages and noticing that, although encrypted, they carry the same content (this is the reason for including the random number).
Integrity may mean that the reader may determine from the response that the response was generated by the application-enabled transponder. In particular, this may be done by one of the following example embodiments, wherein many alternatives are possible:
- A MAC calculated over RND || ApplName. This conveys support for the application, but not the identity of the transponder. Here RND is a random number and ApplName is the identifier of the application.
- A CRC calculated over some information, e.g. RND || ucid, followed by encryption of the whole (RND || ucid || CRC). Here ucid is the identifier of the transponder. The CRC provides integrity.
- A MAC calculated over some cryptographic information, e.g. over Enc(K, RND || ucid). The MAC provides integrity. Here Enc is an encryption function and K is a key.
Freshness can be handled in the following way: the reader may send the random number along with a list of applications that the reader supports. The transponder may include the random number based on a calculation of the CRC or MAC. This may prevent re-execution of a previous response of the transponder.
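The integrity and freshness construction described above, as an added example that is not part of the patent text or of any NXP implementation: the reader sends its application list together with a random number RNDr, and the transponder answers every listed application with a fixed-size field, MAC(K_app, RNDr || RNDc || ApplName) when it supports the application and random bytes of the same length when it does not. The reader recomputes the MAC with its own copy of each application key; because RNDr is bound into the MAC, a response captured from an earlier session verifies against nothing. HMAC-SHA256 as the MAC, the application names and the demo keys are my assumptions, not the patent's.

```python
import hashlib
import hmac
import secrets

MAC_LEN = 32  # HMAC-SHA256 output length; filler fields use the same length

# Per-application keys shared by reader and transponder (constructed demo values).
APP_KEYS = {
    b"VISA":    hashlib.sha256(b"demo-key-visa").digest(),
    b"TRANSIT": hashlib.sha256(b"demo-key-transit").digest(),
    b"LOYALTY": hashlib.sha256(b"demo-key-loyalty").digest(),
}


def support_proof(key, rnd_r, rnd_c, appl_name):
    """MAC(K_app, RNDr || RNDc || ApplName): conveys support for ApplName to a
    holder of K_app; the name itself never appears on the air."""
    return hmac.new(key, rnd_r + rnd_c + appl_name, hashlib.sha256).digest()


def reader_request(reader_apps):
    """Reader step: its application list plus a fresh RNDr (freshness)."""
    return {"rnd_r": secrets.token_bytes(16), "apps": list(reader_apps)}


def transponder_respond(card_keys, request):
    """Transponder step: one fixed-length field per requested application.
    Supported -> proof; unsupported -> random filler of identical length, so the
    response length is independent of how many applications the card has."""
    rnd_c = secrets.token_bytes(16)
    fields = []
    for name in request["apps"]:
        if name in card_keys:
            fields.append(support_proof(card_keys[name], request["rnd_r"], rnd_c, name))
        else:
            fields.append(secrets.token_bytes(MAC_LEN))
    return {"rnd_c": rnd_c, "fields": fields}


def reader_verify(reader_keys, request, response):
    """Reader step: recompute each proof with its own key. A match means the card
    supports that application for this RNDr. Returns the set of matching names."""
    if len(response["fields"]) != len(request["apps"]):
        raise ValueError("response length must match the request")
    supported = set()
    for name, field in zip(request["apps"], response["fields"]):
        expected = support_proof(reader_keys[name], request["rnd_r"], response["rnd_c"], name)
        if hmac.compare_digest(expected, field):
            supported.add(name)
    return supported


def demo():
    """Reader supports all three demo applications; the card lacks LOYALTY."""
    reader_keys = APP_KEYS
    card_keys = {k: APP_KEYS[k] for k in (b"VISA", b"TRANSIT")}
    req = reader_request(list(reader_keys))
    resp = transponder_respond(card_keys, req)
    live = reader_verify(reader_keys, req, resp)
    # Replay: the same response against a later request with a new RNDr proves nothing.
    req2 = reader_request(list(reader_keys))
    replayed = reader_verify(reader_keys, req2, resp)
    return live, replayed


if __name__ == "__main__":
    print(demo())
```

An observer of the air interface sees RNDr, the reader's list, RNDc and three 32-byte fields; without the application keys the proof fields and the filler are indistinguishable, and the reader's per-field verification is constant-time.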
Application selection may likewise be made with confidentiality (thus encrypted and including a random number), integrity (so that the transponder can determine that the message is authentic) and freshness (by including in the selection message the random information that the transponder provided to the reader in the earlier flow).
In an embodiment, the reader may send the applications it supports, and the transponder responds in a manner that lets the reader, but not the attacker, determine actual support.
Further exemplary embodiments of the transponder are explained below. However, these embodiments also apply for the reader, for the method, for the program element and for the computer-readable medium.
The processing unit of the transponder (e.g. an integrated circuit of the transponder with processing capabilities) may be adapted to: upon receiving a request from a reader indicating applications supported by the reader, evaluating which one or more of the one or more applications supported by the reader are also supported by the transponder; and performing the expansion and encryption for the reader-supported and transponder-supported applications. Thus, the transponder can react to the reader's request by generating a list of applications that the transponder supports and that the reader also supports. Thus, an agreement on the applications supported by the two entities may be implemented between the transponder and the reader.
The processing unit may be adapted to extend the name of the application using the random number and the checksum prior to encryption. Any of the application name, the random number, the checksum and the key may be any sequence of numeric characters, an alphabetic sequence, or any alphanumeric code. Although particular embodiments may allow for simple addition of an application name to a random number, the system may become even more secure and less prone to failure when a checksum is added to a data block in addition to the application name and random number before the data block is encrypted for subsequent secure transmission.
In an embodiment, the processing unit of the transponder may be adapted to generate random numbers also for applications not supported by the transponder. The transmitting unit of the transponder, such as an antenna, may be adapted to transmit the generated random number to the reader. By adding data blocks to the communication message also for applications not supported by the transponder, the length of the communication message can be made independent of the number of applications supported by the transponder. Therefore, an attacker cannot derive the number of supported applications merely by analyzing the length of the communication message. The random number generated for an unsupported application may carry no indication of the name of that application. Alternatively, it may be accompanied by an indication of the name of the unsupported application together with an indication that the application is not supported.
The advantage that merely analyzing the length of the communication message sent from the transponder to the reader does not allow to determine the number of applications supported by the transponder holds in particular when the processing unit is adapted to generate a random number for an application not supported by the transponder having a length identical to the length of the encryption number for the application supported by the transponder. By taking this measure, an attacker is simply unable to distinguish whether one of the communicating parties supports or does not support a given application based on the length of the transmitted data portion. This may further improve data security and privacy when operating the communication system.
The random number may be a pseudo-random number. Unlike pseudo-random numbers, true random numbers are generated independently of any generation rule. For cryptographic purposes, a number based on a physical measurement may be considered random. A pseudo-random number is a number that has as few detectable patterns as possible but is not truly random. A computer program produces pseudo-random numbers, since a deterministic program cannot produce true random numbers. The random number generator may be part of the transponder.
The processing unit of the transponder may be adapted to include in the response an identifier indicating the identity of the transponder. In other words, the transponder may include, for example, a unique identifier (UID) or a unique card logical identifier (UCID) in the communication message, to indicate unambiguously to the reader which transponder sent the reply.
The processing unit may be adapted to select one of a plurality of applications supported by the reader and may include the selected application in the response. In scenarios where both the reader and transponder support multiple identical applications, the transponder may have the ability to select one of these possible applications for subsequent use. This may be indicated simply by the transponder answering the response with the name of the application that should then be used for subsequent communication. Thus, the transponder can decide which application to present to the reader.
The processing unit may be adapted to include in the response a plurality or all of the applications supported by the transponder as a basis for subsequent selection by the reader of one of the supported applications. In such an embodiment, the reader may be an entity that decides which of a plurality of applications supported by both communication partner devices can be subsequently used. Thus, after the reader receives a response from the transponder including information of which application or applications the transponder supports, the reader may select a specific one of the supported applications, e.g. preferred according to a specified decision criterion. This selected application can then be used subsequently for further cooperation between the reader and the transponder.
The processing unit of the transponder may be adapted to generate a response that includes a message authentication code (MAC). This MAC is an example of how an encryption scheme is used between the transponder and the reader to mask the name of an application that both support. There are many possibilities to form a MAC that meets this criterion. One possibility is to form the MAC over a random number using a key associated with the application. An alternative is to apply it to the combination of a name and a random number. Another alternative is to apply it to the combination of a name, a random number and an identifier indicating the identity of the transponder. Such a MAC may allow the reader to determine unambiguously whether the transponder supports an application.
As an alternative to sending the message authentication code as a response, embodiments of the invention may use a Cyclic Redundancy Check (CRC) as a response, or as part thereof, and then encrypt. Such an encrypted CRC can be considered as an example of how to apply an encryption scheme. Such a CRC may be based on a random number and an identifier indicating the identity of the transponder. The unique identifier and the combination of the random number and the CRC may also be encrypted.
The processing unit may be adapted to generate the response to include any other data block that carries a checksum or does not carry an application name but includes information that allows the reader to determine, by analyzing the checksum, whether the transponder supports the application. For example, the reader does not have to include all supported applications in a single communication message. In an alternative embodiment, the reader may send a plurality of communication messages to the transponder, each asking whether a specified application is supported. In reply to each of these messages, the transponder may indicate whether the application named in the preceding request is supported, without stating the application name. This may be indicated using a MAC that allows the reader to derive unambiguously the association between an application and its supported or unsupported status.
Other exemplary embodiments of the reader are explained next. However, these embodiments also apply for the transponder, for the method, for the program element and for the computer-readable medium.
The reader may include: the evaluation unit, which may be part of the processor of the reader, may be adapted to evaluate which transponder or transponders are currently within radio range of the reader. In such an embodiment, the reader may first detect a plurality of transponders (e.g., RFID tags or smart cards) located within a spatial range around the reader within which the reader is able to communicate with the transponders.
After performing such an evaluation, a selection unit of the reader, which may be part of the processor of the reader, may select one of the transponders that has previously been detected to be within radio range for further communication. This selection process may be performed in the context of an anti-collision process to ensure that the reader communicates with only one of the transponders at a time, thereby preventing cross-talk. For example, the reader may switch the other transponders (other than the selected one) within its radio range to a silent state.
The reader may further include: a sending unit adapted to send a request to the transponder, the request indicating one or more applications supported by the reader. Such a transmitting unit may be a communication antenna. Using such a request, the reader can issue instructions to the communicatively coupled transponders to indicate which applications are supported by the reader. Using this information, the communication system can then proceed with further communication in a more meaningful way, for example avoiding communication relating to applications that the communication partner device (i.e. transponder and/or reader) cannot support.
In alternative embodiments, such a request may also be sent in clear text, for example in a scenario where the applications indicated by the reader are not security-relevant, or in a scenario where the reader merely interrogates the transponder for information about the applications the transponder supports.
The processing unit and/or the transmitting unit of the reader may be adapted to send the request with a constant length independent of the number of applications supported by the reader. In general, including each application supported by the reader in the request requires a certain data length, so that a data block consisting of a simple list of supported applications depends on the number of supported applications. Thus, if only this data block is sent to the transponder, an attacker can derive the number of supported applications simply by analyzing the length of the communication message. However, if the request is always sent with a constant length and the possibly blank data portion is filled with, for example, a random number, the number of applications supported by the reader may be masked.
The processing unit and/or the transmitting unit of the reader may be adapted to send a "blank" request to the transponder, asking the transponder to indicate the applications it supports. In this context, the term "blank" may denote a message that includes neither an indication of which applications are supported by the reader nor a list of applications about which the reader queries the transponder. In such an embodiment, the request may carry no indication of supported applications at all, but may include an indication that lets the transponder recognize that the information requested by the reader is the number of applications supported by the transponder.
The determining unit of the reader may be adapted to deduce, upon determining that the decrypted extension number does not contain the name of the application, that the application is not supported by the transponder. In other words, the absence of a known application name in a communication message sent from the transponder to the reader may allow the reader to deduce that, in the given embodiment, the transponder does not provide the corresponding application.
The determining unit of the reader may be adapted to: the identity of the transponder is determined by retrieving from the response an identifier indicative of the identity of the transponder. Thus, the reader may also derive information from replies to the request by the transponders, according to the agreed data ordering scheme. This allows the system to be operated also in the environment of one reader and a plurality of transponders.
The determining unit of the reader may be adapted to: based on the response, it is determined that the reader supports and selects one application for subsequent use. Such an embodiment corresponds to a scenario in which the transponder decides on the application to be used.
Alternatively, the reader may decide on the application to be used for subsequent communication between the reader and the transponder. In such a scenario, the determining unit of the reader may be adapted to select one of the plurality of applications supported by the transponder for subsequent use and to send the selected application to the transponder. For example, the reader may ask which of 10 applications the transponder supports. The transponder may answer that it supports 6 of these 10 applications. The reader may then select one of the 6 commonly supported applications for further operation of the reader-transponder system, and may notify the transponder accordingly.
To allow the reader to operate in accordance with the transponder described above and generate a CRC and/or MAC in response (or generate a CRC and/or MAC as a response), a corresponding configuration may be made in the reader to interpret such a CRC and/or MAC.
The determining unit of the reader may further be adapted to determine the application supported by the transponder by analyzing a MAC, or another data block included in the response, that does not carry an application name. In scenarios where the reader queries support for one specified application per communication message, thereby sending multiple requests to a transponder in succession, the reply to each request may allow the reader to determine, by analyzing the MAC, whether the transponder indicates support for the application specified in that request.
Example embodiments of the present invention may provide privacy properties with respect to the selected application identity. An architecture according to an example embodiment may accommodate a multi-application reader. Such an architecture may also work without trial authentication: instead of trial authentication, embodiments may use a single capability response from the transponder, which itself may depend on the interrogation by the reader (i.e. the transponder only responds for applications supported by the reader). Accordingly, example embodiments of the present invention can provide a precise privacy property together with fast performance.
These and other aspects of the invention are apparent from and will be elucidated with reference to the embodiments described hereinafter.
Drawings
The invention will be described in more detail hereinafter, by way of non-limiting examples, with reference to the embodiments shown in the drawings.
Fig. 1 illustrates a message flow between a reader and a smart card according to an exemplary embodiment of the present invention.
Fig. 2 shows a communication system according to an example embodiment of the present invention.
Fig. 3 to 5 illustrate message flows between a reader and a transponder according to an exemplary embodiment of the present invention.
Detailed Description
The depiction in the figures is schematic. In different figures, similar or identical elements are provided with the same reference signs.
Fig. 1 shows a message flow between a reader 102 and a smart card 104 forming a communication system 100 according to an example embodiment of the present invention.
As explained in further detail below, during communication between reader 102 and smart card 104, a plurality of communication messages are exchanged.
At step 1 of the communication scheme of fig. 1 (see reference numeral 120), reader 102 evaluates which smart cards are within its radio range and finally selects one of them in an anti-collision procedure (which is known per se). The selected one of the smart cards is the transponder 104.
At step 2 (see reference numeral 130), reader 102 sends a command to smart card 104 containing information about the applications supported by reader 102. In this example, reader 102 supports applications A, B and C.
In step 3, smart card 104 evaluates which of the applications supported by reader 102 it also supports. For each such application, card 104 extends the application name with a random number and a checksum, and the resulting extension number is encrypted and/or MAC-processed using the key associated with that application; the result is sent back to the reader (see reference numeral 140). In this example, card 104 supports applications A, B, D, X and Z, but not application C. Thus the name of application A is extended with a random number and a checksum and then encrypted and/or MAC-processed with the key associated with application A, and the name of application B is processed in the same way. Since application C is not supported, only a random number is generated and transmitted to reader 102 in its place. It should be noted that this random number has the same length as the numbers obtained for applications A and B.
At step 4, reader 102 decrypts the received data and/or checks the MACs using the keys for applications A, B and C, i.e. the same keys smart card 104 uses (strictly speaking, card 104 uses only the keys for A and B). After decryption, the application names A and B appear in plaintext, or the MAC computed over application name A or B matches the received MAC. Reader 102 thus learns that smart card 104 supports applications A and B but not application C (for C, only a random number appears after decryption). Reader 102 then selects one of these applications and informs smart card 104 which application is to be used for further processing.
In this example, the name of application A is extended with a random number and a checksum. The resulting number is then encrypted using the key associated with application A and sent to the smart card 104 (see reference numeral 150). In the smart card 104, the received data is decrypted so that the name of application A appears in plaintext. Both reader 102 and smart card 104 now know which application is to be used. Alternatively, the smart card 104 calculates the MAC and verifies that it is the same as the received MAC.
The above process may include the following advantages:
The names of the applications supported by the transponder are never sent in clear text, so that an attacker is prevented from obtaining unauthorized information about the applications provided in the communication system.
Since the encrypted names contain random parts, the encrypted values are never the same, which makes attacks even more difficult.
The length of the card's reply is always the same regardless of the number of applications supported by the communication partner. This also obscures the number of supported applications.
Accordingly, an attacker cannot determine which applications, or how many applications, the smart card supports.
In an alternative embodiment, in step 2 of fig. 1, the application name is sent in clear, since the primary target to be protected is the smart card 104. However, communications from reader 102 to smart card 104 may also be encrypted. In another embodiment, there is no information at all about the applications supported by reader 102, so that only a blank command is sent to card 104 in step 2.
If the application names in the command of step 2 are sent in clear, an attacker can still determine from the length of the command how many applications the reader supports. Thus, in another embodiment, the command of step 2 has a predetermined default length of, for example, 10 application slots, and slots not used for an application are filled with random numbers. An attacker can then determine neither which applications nor how many applications are supported by reader 102, and likewise neither which nor how many applications are supported by smart card 104.
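The exchange of fig. 1 (fixed-length request with random filler, per-application reply slots of constant length, random dummy slots for unsupported applications, and a select message the card verifies) together with the MAC-based integrity blocks and the optional freshness value RndQ of fig. 3, as an added example in Python; this is not code from the patent or from NXP. HMAC-SHA256 truncated to 8 bytes stands in for the card's MAC, the field widths, the 10-slot request, the application names and keys, and the b"SEL" label that separates the select MAC from a capability MAC are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Field widths are assumptions for this example; the patent fixes none of them.
NAME_LEN = 4   # application name field (e.g. b"APPA")
RND_LEN = 8    # RndQ (reader) and RndD / RndF / RndH (card)
MAC_LEN = 8    # truncated integrity block (310 in fig. 3)
SLOTS = 10     # fixed request length, "for example, 10 applications"
SLOT_LEN = RND_LEN + MAC_LEN


def mac(key: bytes, *parts: bytes) -> bytes:
    """Integrity block: HMAC-SHA256 truncated to MAC_LEN, standing in for the card's MAC."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:MAC_LEN]


def build_request(reader_apps: List[bytes]) -> bytes:
    """Step 2 / message 302: RndQ followed by SLOTS name fields; unused fields carry
    random filler, so the length reveals neither which nor how many applications the reader has."""
    if len(reader_apps) > SLOTS or any(len(n) != NAME_LEN for n in reader_apps):
        raise ValueError("bad application list")
    filler = os.urandom((SLOTS - len(reader_apps)) * NAME_LEN)
    return os.urandom(RND_LEN) + b"".join(reader_apps) + filler


class Card:
    def __init__(self, keys: Dict[bytes, bytes]) -> None:
        self.keys = keys                       # application name -> application key
        self.issued: Dict[bytes, bytes] = {}   # name -> random number sent in the last reply

    def reply(self, request: bytes) -> bytes:
        """Step 3 / message 304: one slot per name field. Supported: Rnd || MAC_K(name, Rnd, RndQ).
        Unsupported (a random filler field counts as unsupported): Rnd || random bytes, same length."""
        if len(request) != RND_LEN + SLOTS * NAME_LEN:
            raise ValueError("bad request length")
        rnd_q, names = request[:RND_LEN], request[RND_LEN:]
        self.issued = {}
        out = bytearray()
        for i in range(SLOTS):
            name = names[i * NAME_LEN:(i + 1) * NAME_LEN]
            rnd = os.urandom(RND_LEN)
            if name in self.keys:
                self.issued[name] = rnd
                out += rnd + mac(self.keys[name], name, rnd, rnd_q)
            else:
                out += rnd + os.urandom(MAC_LEN)
        return bytes(out)

    def accept_select(self, select_msg: bytes) -> Optional[bytes]:
        """Step 5 / message 320: the selected name is never on the air; the card recovers it by
        recomputing the select MAC with each of its keys over that application's own Rnd."""
        for name, rnd in self.issued.items():
            if hmac.compare_digest(select_msg, mac(self.keys[name], b"SEL", name, rnd)):
                return name
        return None


class Reader:
    def __init__(self, keys: Dict[bytes, bytes]) -> None:
        self.keys = keys
        self.apps = list(keys)
        self.request = b""

    def ask(self) -> bytes:
        self.request = build_request(self.apps)
        return self.request

    def evaluate(self, reply: bytes) -> Tuple[List[bytes], Dict[bytes, bytes]]:
        """Step 4: a slot counts as supported only if its MAC verifies under that application's
        key with the RndQ this reader sent; dummy slots and replayed replies fail the check."""
        if len(reply) != SLOTS * SLOT_LEN:
            raise ValueError("bad reply length")
        rnd_q = self.request[:RND_LEN]
        supported, rnds = [], {}
        for i, name in enumerate(self.apps):
            slot = reply[i * SLOT_LEN:(i + 1) * SLOT_LEN]
            rnd, tag = slot[:RND_LEN], slot[RND_LEN:]
            if hmac.compare_digest(tag, mac(self.keys[name], name, rnd, rnd_q)):
                supported.append(name)
                rnds[name] = rnd
        return supported, rnds

    def select(self, name: bytes, rnd: bytes) -> bytes:
        """Select MAC under the chosen key; the b"SEL" label (an addition) separates it from a reply MAC."""
        return mac(self.keys[name], b"SEL", name, rnd)


def run_exchange() -> Tuple[List[bytes], Optional[bytes], int, int]:
    """Constructed scenario of fig. 1: reader supports A, B, C; card supports A, B, D."""
    ka, kb, kc, kd = (os.urandom(16) for _ in range(4))
    reader = Reader({b"APPA": ka, b"APPB": kb, b"APPC": kc})
    card = Card({b"APPA": ka, b"APPB": kb, b"APPD": kd})
    request = reader.ask()
    reply = card.reply(request)
    supported, rnds = reader.evaluate(reply)
    chosen = supported[0]
    agreed = card.accept_select(reader.select(chosen, rnds[chosen]))
    return supported, agreed, len(request), len(reply)


if __name__ == "__main__":
    print(run_exchange())
```

Two properties of the text are visible in the code: the request and the reply have the same length for any combination of supported applications, and an eavesdropper who sees the reply cannot tell a dummy slot from a real one without the application key. Binding the card's MAC to the reader's RndQ additionally stops a recorded reply from being replayed to a later request.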
Privacy plays an important role for individuals as well as for groups of people sharing certain attributes, and it may be compromised in various ways. With conventional card communication systems, the identifier used for anti-collision is readable in clear text, so that an individual user can be scanned and recognized at a variety of locations. Even when random identifiers are used for anti-collision, a trusted application in the reader still needs to know which card it is communicating with, and therefore still needs a card logical unique identifier (CLUID). Furthermore, it is not harmless when the card reveals the applications it supports: an attacker may be able to track individuals based on the incidental information derivable from the set of supported applications.
Nor is it always harmless when the card reveals its type, brand, etc. For example, if type X cards from manufacturer Y are known to have been purchased by the New York subway but by few other cities, the holder of such a card is very likely a New Yorker.
With these considerations in mind, privacy is the ultimate goal. It is advantageous if the communication system reveals no information about the card owner, the card applications, the card identification, the card manufacturer, the card type, etc. to any entity that is not a trusted user of an application supported by that specific card instance. Privacy should thus not be lost through the protocol, the data, the behaviour, or the emulated behavioural attributes of the card.
The extent to which a communication system achieves this goal depends on the available cost, time, compatibility with the installed base, and the like. Breaking the key of one application should not break the privacy of the other applications.
Even in the ultimate privacy scenario, however, a residual privacy risk remains: if an application key is broken, the privacy of all users of that application is compromised, because the CLUID can then be read out and used to track those users.
A communication system 100 capable of maintaining privacy according to an exemplary embodiment of the present invention is explained below with reference to fig. 2.
Communication system 100 may be similar to the communication system shown in fig. 1 and includes a reader 102 and a transponder 104 coupled for wireless communication with each other.
Reader 102 includes a processor 112 (e.g., a microprocessor or central processing unit) coupled to a transmitter antenna 114 and a receiver antenna 116. The transmitter antenna 114 is capable of sending a communication message 118 to the transponder 104. The receiver antenna 116 is capable of receiving a communication message 122 from the transponder 104. Although transmitter antenna 114 and receiver antenna 116 are illustrated in fig. 2 as two distinct antennas, alternative embodiments may use a single common shared transceiver antenna. Communication messages 118, 122 may be exchanged wirelessly between the entities 102, 104.
The antennas 114, 116 are electrically coupled to the processor 112 such that data may be transmitted from the processor 112 to the transmit antenna 114 for transmission as a communication message 118; the processor 112 may also analyze and process communication messages 122 received by the receiver antenna 116.
A memory unit 124, such as a semiconductor memory, is coupled to the processor 112 for bi-directional data transfer to store data accessible by the processor 112. Further, an input/output unit 126 is shown, the input/output unit 126 allowing a user to operate and control the reader device 102.
As can also be seen in fig. 2, the transponder 104 comprises: a transmitting and receiving antenna 110; a processor 108 (e.g., a microprocessor); and a memory 106. In an embodiment, the memory 106 and the processor 108 may be monolithically integrated in an Integrated Circuit (IC), which may be connected to the antenna 110 and attached to a support 128 (for example, the card body).
During operation, processor 112 of reader 102 may serve as an evaluation unit for evaluating which transponders 104 are within radio range of reader 102. In this scenario, transponder 104 can only communicate reliably with reader 102 when it is within that radio range. Where multiple transponders are within radio range of reader 102, processor 112 may serve as a selection unit for selecting one of them (here transponder 104) for subsequent communication, during an anti-collision procedure.
Reader 102 may also send a request, such as communication message 118, to transponder 104 via transmitting antenna 114 indicating the applications supported by reader 102. Such a request may be sent in an encrypted manner or in the clear. In another embodiment, request 118 may not have any indication of applications supported by reader 102.
However, in a preferred embodiment, the transmit antenna 114 transmits a request 118, the request 118 having a constant length independent of the number of applications supported by the reader 102, but indicating the supported applications in an encrypted manner. This prevents an attacker from identifying the information provided by reader 102 by analyzing the length of communication message 118. The blank portion in the corresponding data packet may be filled with a random number to mask the number of supported applications from an attacker.
The transponder 104 may store in its memory unit 106 data required to support a plurality of different applications supported by the transponder 104. Upon receiving request 118 from reader 102, processing unit 108 may generate communication message 122 to notify reader 102 of applications supported by transponder 104. To this end, the application name schematically indicated with reference numeral 202 in fig. 2 may be extended with a random number 204 and a checksum 206. The random number may be generated by the processor 108. The checksum 206 and the application name 202 may be stored in the memory 106. In addition, the data packets 202, 206, 204 may be encrypted using a key 208 that may also be stored in the memory 106. The key 208 may be associated with or assigned to the application indicated by the name 202. Transmitting antenna 110 may then transmit a corresponding encrypted data message 210 to reader device 102, as illustrated by communication message 122 in fig. 2.
If transponder 104 does not support an application, transponder 104 may simply send a communication message consisting of a random number to reader 102. The message may be of the same length as communication message 210 to make it difficult for an attacker to derive information about the number of applications supported by transponder 104.
Upon receipt of communication message 122 by receiver antenna 116, processor 112 operates as a decryption unit, decrypting the received data using the key 208 associated with the application supported by transponder 104. With this measure, the processor 112 derives the decrypted number, i.e. the data packets 202, 206, 204. From these, the processor 112 can identify the application name 202, which allows the reader device 102 to determine that the transponder 104 supports the corresponding application. For further communication between reader device 102 and transponder 104, both entities then know that they both provide the application indicated by application name 202, while privacy is maintained.
It should be noted by the person skilled in the art that the inventive transponder, the inventive reader and the inventive method, as well as the inventive software, are not limited to contactless data transmission, but are in principle also applicable to wired communication.
Referring now to fig. 3, a communication scheme 300 between reader 102 and transponder 104 according to an exemplary embodiment of the present invention is explained.
In the depicted embodiment, communication message 302 is sent from reader 102 to transponder 104, communication message 302 including a plurality of application names 202(A, B, C), for which application names 202 reader 102 wishes to know whether transponder 104 supports the applications.
In response to the request 302, the transponder 104 generates a communication message 304 which includes, among other things, a calculated MAC 306 formed over the application name 202 (i.e., the supported application A) in combination with the random number 204 that obscures the name of supported application A. In this context it should be noted that field 310 provides cryptographic integrity.
The communication message 302 and the response 304 may each include another random number 308, denoted RndQ, the other random number 308 being optional and may be used to determine freshness.
The communication message 304 includes not only the blocks 204, 202, 308 associated with application A but also, where appropriate, corresponding blocks indicating support for applications B and C. Corresponding random numbers are generated for applications B and C, indicated by reference numerals 204' and 204'', and integrity blocks are computed for them, indicated by reference numerals 310' and 310''. Integrity blocks 310' and 310'' are computed in the same way as block 310 for application A, namely as a MAC over RndF or RndH, the application name and RndQ, but using key KB or KC instead of key KA.
Analysis of message 304 on the reader 102 side, after sending reply 304 from transponder 104 to reader 102, allows reader 102 to extract information about which application(s) transponder 104 supports.
Since transponder 104 supports the three applications A, B, C in this embodiment, reader 102 may perform the selection process indicated by reference numeral 320. To this end, reader 102 calculates MAC 322 using key KA, KB or KC depending on whether application A, B or C is selected. MAC 322 is computed over random number 308, block 324 indicating application A, B or C, and the corresponding random number RndD 204, RndF 204' or RndH 204''.
Upon receipt of the communication message 320, the transponder may send a message 330 back.
Alternatively, the transponder 104 may return only a single response for one of applications A, B or C, namely when the transponder 104 itself selects which supported application is to be used for subsequent operations. In that case the select command 320 is not needed, because the transponder 104 has already made the selection.
The embodiment of fig. 3 does not include an identifier (CLUID) of the transponder 104 in the MAC 306.
In the embodiment of fig. 4, which illustrates a communication sequence 400, a MAC 412 is generated that includes such a unique identifier.
In the embodiment of fig. 4, the transponder 104 generates a reply 410 after receiving the request 302. Reply 410 includes a calculated MAC 412 formed over a payload block 414 and a block 416 indicating the application name. The payload block 414 is computed as a function of the key KA associated with application A and may include other data; a random number RndD may also be used for this purpose. The payload block 414 includes a sub-block 418 indicating the identity of the transponder 104 and a random number block 420. As shown in fig. 4, corresponding blocks may also be generated for applications B and C, where appropriate.
The formation of reply 410 in fig. 4 relates to the situation where transponder 104 actually supports applications A, B, C. In the alternative scenario where an application is not supported, transponder 104 does not send the corresponding part of communication message 410 but simply sends a random number to reader 102. This obscures the presence or absence of support for any application.
The payload block 430 is associated with application A, while payload block 430' is associated with application B and payload block 430'' with application C. In a similar manner, integrity blocks 310' and 310'' corresponding to block 310 are formed for applications B and C. The payload blocks 430' and 430'' are calculated by encrypting the unique identifier CLUID and the random number RndX in the same way as payload field 430 for application A, but using key KB or KC instead of KA.
Again, in scenarios where reader 102 selects one of supported applications A, B, C for subsequent use, reader 102 may generate selection message 440. To this end, MAC 442 may be computed by reader device 102 and includes a random number 444, a block 446 indicating a transponder identification, and includes fields 324 and 308.
The example of fig. 4 relates to a scenario in which reader 102 supports applications A, B and C. Regarding MAC 442, if reader 102 does not select application A, B or C, then random number RndY may be sent. The key used to compute the MAC 442 is KA, KB, or KC, depending on which of the applications A, B, C is selected.
As in fig. 3, RndQ 308 is optional. Either a response is given for each application, or the transponder 104 returns only a single response for one of A, B or C, in which case the select command 440 is not required.
In the embodiment of fig. 5, communication messages 302 and 330 are the same as in figs. 3 and 4.
However, to form communication message 510, the payload block 512 may be calculated as the encryption (E), under the key KA associated with application A, of further data; a random number RndD may also be used in calculating block 512. As can be seen in fig. 5, block 512 includes the identity 418 of the transponder, the random number RndX 420, the name 202 of application A, the optional random number RndQ 308, and a cyclic redundancy check (CRC) 514. The CRC 514 lets the receiver check the integrity of the decrypted plaintext, and thereby whether decryption with the key it tried succeeded. The respective blocks for applications B and C are calculated accordingly, see reference numerals 512' and 512''. For example, field 512' is calculated in the same manner as for application A, encrypting CLUID, RndX, RndQ and CRC, but using key KB instead of KA.
For select message 550, a MAC 552 may be computed. If reader 102 does not select application A, B or C, RndY may be sent instead. The key used to calculate MAC 552 is KA, KB or KC, depending on which of the applications A, B or C is selected.
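The encrypted payload block of fig. 5, as an added example in Python (not code from the patent or from NXP): the card encrypts CLUID, RndX, application name, RndQ and a CRC under the application key, a random RndD sent in the clear seeds the cipher, unsupported applications get a random slot of identical length, and the reader tries each application key and accepts a slot only if the CRC and the echoed RndQ check out. HMAC-SHA256 in counter mode stands in for the card's block cipher E because the standard library has no AES; field widths, names, keys and the CLUID value are constructed assumptions. The last function shows the caveat a practitioner would want here: a CRC under a stream-type cipher only tells the reader which key decrypted correctly, it is not protection against an active attacker, because CRC-32 is linear and ciphertext bits can be flipped and the checksum repaired without any key. Integrity against tampering comes from the keyed MACs of figs. 3 and 4 and from select MAC 552, not from the CRC.

```python
import hashlib
import hmac
import os
import zlib
from typing import Dict, List, Optional, Tuple

# Field widths are assumptions; plaintext of block 512 is CLUID || RndX || name || RndQ || CRC.
CLUID_LEN, RND_LEN, NAME_LEN, CRC_LEN = 7, 8, 4, 4
PT_LEN = CLUID_LEN + RND_LEN + NAME_LEN + RND_LEN + CRC_LEN
NONCE_LEN = 8   # RndD, sent in the clear in front of the ciphertext


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the card's cipher E: HMAC-SHA256 in counter mode used as a PRF keystream.
    A real card would use AES; the example only needs a length-preserving keyed cipher."""
    stream = bytearray()
    ctr = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def crc(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "big")


def card_slot(key: bytes, cluid: bytes, name: bytes, rnd_q: bytes) -> bytes:
    """Block 512: RndD || E_K(CLUID || RndX || name || RndQ || CRC)."""
    body = cluid + os.urandom(RND_LEN) + name + rnd_q
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, body + crc(body))


def dummy_slot() -> bytes:
    """Unsupported application: random bytes of exactly the length of a real slot."""
    return os.urandom(NONCE_LEN + PT_LEN)


def reader_decode(key: bytes, slot: bytes, rnd_q: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Decrypt under one application key; accept only if CRC and echoed RndQ check out."""
    nonce, ct = slot[:NONCE_LEN], slot[NONCE_LEN:]
    pt = keystream_xor(key, nonce, ct)
    body, tag = pt[:-CRC_LEN], pt[-CRC_LEN:]
    if tag != crc(body):
        return None                      # wrong key, dummy slot or garbage
    cluid = body[:CLUID_LEN]
    name = body[CLUID_LEN + RND_LEN:CLUID_LEN + RND_LEN + NAME_LEN]
    if body[CLUID_LEN + RND_LEN + NAME_LEN:] != rnd_q:
        return None                      # stale or replayed slot
    return cluid, name


def reader_scan(keys: Dict[bytes, bytes], slots: List[bytes], rnd_q: bytes) -> List[bytes]:
    """Message 510: one slot per requested application, each tried with that application's key."""
    found = []
    for name, slot in zip(keys, slots):
        res = reader_decode(keys[name], slot, rnd_q)
        if res is not None and res[1] == name:
            found.append(name)
    return found


def flip_name_bit(slot: bytes) -> bytes:
    """Attacker with no key: flip one bit of the encrypted name and repair the CRC.
    CRC-32 is affine, so crc(x ^ d) == crc(x) ^ crc(d) ^ crc(zeros); no plaintext is needed."""
    delta = bytearray(PT_LEN)
    delta[CLUID_LEN + RND_LEN] ^= 0x01                  # first byte of the name field
    body_delta = bytes(delta[:-CRC_LEN])
    crc_fix = zlib.crc32(body_delta) ^ zlib.crc32(bytes(len(body_delta)))
    delta[-CRC_LEN:] = crc_fix.to_bytes(4, "big")
    ct = bytes(c ^ d for c, d in zip(slot[NONCE_LEN:], delta))
    return slot[:NONCE_LEN] + ct
```

Run against a slot for application A, reader_decode returns the CLUID and name for key KA and None for any other key or for a dummy slot, which is exactly the "CRC without application name" determination of claim 13. The tampered slot still decodes cleanly but carries a different name, which is why the page's MAC variants, not the CRC, are what a deployment should rely on for integrity.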
According to an exemplary embodiment of the invention, the entire functionality of the reader and transponder may be reversed such that the protocol flow proceeds in the other direction. This is an equivalent solution to the explicitly disclosed system and is also covered by the scope of the claims. For example, the reader application name may be protected by reversing the reader and transponder sides.
Finally, it should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design many alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" and "comprises", and the like, does not exclude the presence of elements or steps other than those listed in any claim or the specification as a whole. The singular reference of an element does not exclude the plural reference of such elements and vice-versa. In the device claim enumerating several means, several of these means may be embodied by one and the same item of software or hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.

Claims (24)

1. A transponder (104) comprising:
a storage unit (106) that stores a plurality of different applications;
a processing unit (108) adapted to generate, based on a request of the reader (102), a response that can be interpreted using an encryption scheme known to both the transponder (104) and the reader (102), such that the reader (102) can analyze the response using the encryption scheme, thereby determining whether the transponder (104) supports the application; and
a transmitting unit (110) adapted to transmit the response to the reader (102); wherein the processing unit (108) is adapted to: the name of an application supported by the transponder (104) is extended with a random number to obtain an extension number, and the extension number is encrypted with a key associated with the application to generate the response.
2. The transponder (104) of claim 1, wherein the processing unit (108) is adapted to: upon receiving a request from a reader (102) indicating applications supported by the reader (102), evaluating which of the applications supported by the reader (102) are also supported by a transponder (104); and performing the expansion and encryption for applications supported by the reader (102) and supported by the transponder (104).
3. The transponder (104) of claim 1, wherein the processing unit (108) is adapted to: the checksum is also used to extend the name of the application before encryption.
4. The transponder (104) of claim 1,
wherein the processing unit (108) is adapted to: generating a random number for an application not supported by the transponder (104);
wherein the transmitting unit (110) is adapted to: transmitting the generated random number to the reader (102).
5. The transponder (104) of claim 4, wherein the processing unit (108) is adapted to: for applications not supported by the transponder (104), a random number is generated having the same length as the length of a number encrypted for an application supported by the transponder (104).
6. The transponder (104) of claim 1, wherein the processing unit (108) is adapted to: an identifier (418) indicative of the identity of the transponder (104) is included in the response.
7. The transponder (104) of claim 1, wherein the processing unit (108) is adapted to: one of a plurality of applications supported by the reader (102) is selected and the selected application is included in the response.
8. The transponder (104) of claim 1, wherein the processing unit (108) is adapted to: include in the response a plurality or all of the applications supported by the transponder (104) as a basis for subsequent selection by the reader (102) of one of the supported applications.
9. The transponder (104) of claim 1, wherein the processing unit (108) is adapted to: generating the response to include a message authentication code MAC (306, 412).
10. The transponder (104) of claim 9, wherein the processing unit (108) is adapted to: generate a response comprising a message authentication code MAC (306, 412) based on one of the following combinations: a key associated with the application and a random number; the name of the application and a random number; the name of the application, a random number and an identifier indicating the identity of the transponder (104).
11. The transponder (104) of claim 1, wherein the processing unit (108) is adapted to: the response is generated to include a cyclic redundancy check (514).
12. The transponder (104) of claim 11, wherein the processing unit (108) is adapted to: a response is generated that includes a cyclic redundancy check (514) based on the random number and an identifier indicative of the identity of the transponder (104).
13. The transponder (104) of claim 1, wherein the processing unit (108) is adapted to: generate the response to include an encrypted checksum without the application name, such that the reader (102) can determine, based on the checksum, whether the transponder (104) supports the application.
14. A reader (102), comprising:
a sending unit (114) adapted to send a request to the transponder (104) indicating a plurality of applications supported by the reader (102);
an analyzing unit (112) adapted to analyze the response received from the transponder (104) using an encryption scheme known to both the transponder (104) and the reader (102) to determine whether the transponder (104) supports the application,
wherein the analyzing unit (112) is a decrypting unit (112) adapted to decrypt the response received from the transponder (104) using a key associated with the application, thereby deriving a decrypted extension number, wherein the extension number is derived by the transponder (104) using a random number to extend a name of the application supported by the transponder (104); and
wherein the analyzing unit (112) is adapted to determine whether the decrypted extension number contains the name of the application.
15. The reader (102) according to claim 14, wherein the transmitting unit (114) is adapted to: send the request in an encrypted manner or in the clear.
16. The reader (102) according to claim 14, wherein the transmitting unit (114) is adapted to: the request is sent at a constant length independent of the number of applications supported by the reader (102).
17. The reader (102) according to claim 14, wherein the analyzing unit (112) is adapted to: upon determining that the decrypted number does not contain the name of the application, it is deduced that the application is not supported by the transponder (104).
18. The reader (102) according to claim 14, wherein the analyzing unit (112) is adapted to: the identity of the transponder (104) is determined by retrieving from the response an identifier (418) indicative of the identity of the transponder (104).
19. The reader (102) according to claim 14, wherein the analyzing unit (112) is adapted to: determine, based on the response, an application that the reader (102) also supports, and select it for subsequent use.
20. The reader (102) according to claim 14, wherein the analyzing unit (112) is adapted to: select one of a plurality of applications supported by the transponder (104) for subsequent use, and send the selected application to the transponder (104).
21. The reader (102) according to claim 14, wherein the analyzing unit (112) is adapted to: determining applications supported by the transponder (104) by analyzing a message authentication code included in the response.
22. The reader (102) according to claim 14, wherein the analyzing unit (112) is adapted to: determining applications supported by the transponder (104) by analyzing a cyclic redundancy check included in the response.
23. The reader (102) according to claim 14, wherein the analyzing unit (112) is adapted to: determining applications supported by the transponder (104) by analyzing a checksum included in the response, the checksum not having an application name.
24. A method of obscuring applications supported by a reader (102) and/or transponder (104), the method comprising:
the reader (102) sends a request command to the transponder (104);
the transponder (104) using the random number to extend a name of an application supported by the transponder (104) to an extension number and using a key associated with the application to encrypt the extension number to produce a response, the response being interpretable using an encryption scheme known to both the transponder (104) and the reader (102), and the response indicating whether the transponder (104) supports the application;
the transponder (104) sends the response to the reader (102); and
the reader (102) analyzes the response using the encryption scheme to determine whether the transponder (104) supports the application.
Application Number | Priority Date | Filing Date | Title
HK11105992.4A | 2008-05-26 | 2008-11-07 | Transponder, reader and a method for its application supported obscured (HK1151877B, en)

Applications Claiming Priority (3)

Application Number | Priority Date | Filing Date | Title
EP08104090.9 | 2008-05-26 | |
EP08104090 | 2008-05-26 | |
PCT/IB2008/054665 (WO2009144535A1) | 2008-05-26 | 2008-11-07 | Reader and transponder for obscuring the applications supported by a reader and/or a transponder and method thereof

Publications (2)

Publication Number | Publication Date
HK1151877A1 | 2012-02-10
HK1151877B | 2015-02-27
