PROCEDURE AND DEVICE FOR LOADING INPUT DATA INTO AN ALGORITHM DURING AUTHENTICATION

PROCEDE ET DISPOSITIF POUR CHARGER DES DONNEES D'ENTREE DANS UN ALGORITHME LORS D'UNE PROCEDURE D'AUTHENTIFICATION

English Abstract

2.1 The problem with security in paying with chip cards is the loading of
input data into an
algorithm during authentication.
2.2 Separating the data blocks and switching; an additional feedback after the
post-connected
counters on and off at preselected times (number of clock pulses) helps to
improve the security
of debited and credited data.
2.3 The invention can be used for all authentication procedures where chip
cards are used.

French Abstract

La question de la sécurité des données dans les opérations de paiement à l'aide de cartes à puce est inhérente aux processus intervenant lors du chargement de données d'entrée dans un algorithme pendant la procédure d'authentification. Pour améliorer la sécurité des données de débit et de crédit, il est prévu une répartition des blocs de données et la connexion et la déconnexion d'une rétroaction après les compteurs intercalés à la suite à des périodes (cycles) prédéfinis. Cette invention peut s'utiliser dans toutes les procédures d'utilisation impliquant l'emploi de cartes à puce.

Claims

6
CLAIMS:
1. Process for loading input data into an algorithm
during the authentication between chip cards with purse
function and a security module, in which the card user has
access to a stored credit balance and in which, at each
transaction, the required cash amount or the cash amount
entered by the card user is deducted from the chip card of
the card user with the aid of a security function and the
cash amounts are summated and stored in a summator for cash
amounts of the security module, and in which a linear
feedback shift register is used for the authentication
algorithm, the nonlinear function of said shift register
being cryptographically reinforced in conjunction with
downstream counters, and in which input data, comprising a
random number, a secret key and non-secret card data, are
included in said algorithm, characterized in that the input
data are divided into a plurality of blocks of data and in
that, during the loading of the blocks into the linear
feedback shift register, an additional further feedback
circuit after the downstream counters is introduced into the
shift register and is disconnected after a given number of
clock pulse steps.
2. Process according to claim 1, characterized in
that the card data with the secret key are introduced as a
first block and the random number is introduced as a further
block.
3. Process according to claims 1 and 2, characterized
in that, during the loading phase of the input data,
different counts are used than in the following phase after
loading in of the input data for calculation of the
authentication token.

7
4. Process according to claims 1 and 2, characterized
in that the first downstream counter counts to 1.
5. Process according to claims 1 and 2, characterized
in that the counters and the number of clock pulses to be
executed are selected precisely such that the authentication
token is calculated after a number of clock pulses fixed by
other system conditions.
6. Process according to any one of claims 1 to 5,
characterized in that the output of bits begins after all
the input data have been loaded in.
7. Process according to any one of claims 1 to 6,
characterized in that, between the loading in of the blocks
from claim 1 and with the additional feedback being
maintained, the entire circuit arrangement is clocked a few
steps further without input data being loaded and before
bits are output.
8. Process according to any one of claims 1 to 6,
characterized in that, between the loading in of the blocks
from claim 1 and after the additional feedback has been
disconnected, the entire circuit arrangement is clocked a
certain number of steps further without input data being
loaded and before bits are output.
9. Device for loading input data into an algorithm
during authentication using a cryptographic MAC function,
consisting of a linear feedback shift register with a
nonlinear feed forward function which picks off the shift
register and, via a counter, influences the output of the
shift register which is followed by a further counter,
characterized in that, for use for the authentication
algorithm, the circuit arrangement composed of the linear
feedback shift register with downstream counters is

8
cryptographically reinforced by an additional disconnectable
nonlinear feedback circuit.
10. Device according to claim 9, characterized in that
the additional feedback is picked off after the first
downstream counter before a latch.
11. Device according to claim 9, characterized in that
the additional feedback is picked off from a latch after the
first downstream counter.
12. Device according to claim 9, characterized in that
the additional feedback is picked off after the second
downstream counter.
13. Device according to claim 9, characterized in that
the additional feedback is in the form of an XOR sum of the
pick-offs after the first downstream counter before a latch,
from the latch after the first stream downstream counter and
after the second downstream counter.
14. Device according to claim 9, characterized in that
the counters are divided or reduced in size.

Description

CA 02244126 2005-O1-05
28.030-19
1
Procedure and device used to load input data during
authentication into an algorithm
Description:
The invention relates to a procedure as described
in detail in claim 1, and to a device of the kind defined in
claim 9. Several procedures of this kind are known and are
used for various kinds of electronic cash cards, while the
devices are digital circuits for chips according to
EP 0 616 429 A1.
Procedures of the kind referred to here are, for
example, known from ETSI D/EN/TE 090114, Terminal Equipment
(TE) Requirements for IC cards and terminals for
telecommunication use, Part 4 - Payment methods, version 4,
of 7 February 1992, and from the European patent
application 0 605 070.
In addition to telephone cards with a defined
value (starting credit), which are used for card phones,
there are also electronic cash cards with similar
functionality used for paying small amounts; these cash
cards are of increasing importance. For the "pay with chip
card" event, a card reader module and security module (SM)
for verifying the card and the credit amount are integrated
in the equipment.
EP 0 605 070 A2 also describes a procedure to
transfer (credit and debit) money amounts to and from chip
cards whereby overridable memory locations of a chip card
are divided into at least two memory locations, one of which
is used for debiting amounts (i.e. electronic cash card),
similar to telephone cards, and the other one is used for
crediting amounts, similar to a credit card. With the

CA 02244126 2005-O1-05
28.030-19
2
normal security conditions applied, it is planned to
transfer amounts between these two areas in order to refill
the electronic cash card.
In order to avoid that unauthorized persons access
a card reader and its built-in security module, and that
specially protected, and consequently expensive (for the
operator) dedicated lines have to be installed, a procedure
(P95114) has been suggested whereby the operator of the card
reader inserts a security module with chip card function
into the card reader before any pay event. Tnlhen a
cardholder inserts his or her electronic cash card into the
card reader, data areas of the chip card are read out so
that the card can be verified and the remaining credit
amount be checked. Next, authentication with the security
module, and one or several acceptance checks are carried
out. Finally, the due amount or entered amount is debited
to the cardholder's chip card using a security function, and
added to the sum counter for money amounts in the security
module. After such pay events, the counter setting of the
security module is transmitted to a billing center.
The purpose of the invention is to increase the
security of card readers for electronic cash cards with
regard to manipulation and defects.
In accordance with one aspect of this invention,
there is provided a process for loading input data into an
algorithm during the authentication between chip cards with
purse function and a security module, in which the card user
has access to a stored credit balance and in which, at each
transaction, the required cash amount or the cash amount
entered by the card user is deducted from the chip card of

CA 02244126 2005-O1-05
28030-19
3
the card user with the aid of a security function and the
cash amounts are summated and stored in a summator for cash
amounts of the security module, and in which a linear
feedback shift register is used for the authentication
algorithm, the nonlinear function of said shift register
being cryptographically reinforced in conjunction with
downstream counters, and in which input data, comprising a
random number, a secret key and non-secret card data, are
included in said algorithm, characterized in that the input
data are divided into a plurality of blocks of data and in
that, during the loading of the blocks into the linear
feedback shift register, an additional further feedback
circuit after the downstream counters is introduced into the
shift register and is disconnected after a given number of
clock pulse steps.
In accordance with another aspect of this
invention, there is provided a device for loading input data
into an algorithm during authentication using a
cryptographic MAC function, consisting of a linear feedback
shift register with a nonlinear feed forward function which
picks off the shift register and, via a counter, influences
the output of the shift register which is followed by a
further counter, characterized in that, for use for the
authentication algorithm, the circuit arrangement composed
of the linear feedback shift register with downstream
counters is cryptographically reinforced by an additional
disconnectable nonlinear feedback circuit.
The invention, including its effects, advantages
and fields of application, is described in detail by the
following examples.
Authentication algorithms are typically used for
identification security. In authentication procedures,

CA 02244126 2005-O1-05
28030-19
4
however, other data plays a role in addition to the identity
of chip cards and persons and possibly a security module
(SM); the correctness of this other data must be ensured.
An authentication procedure can be used, for example, with
non-secret card data (D) with a secret key (K) and a random
number (R). For electronic cash cards, separate security
functions are used for debits and credits, each of which is
checked with a cryptographic checksum.
The invented procedure can be used to carry out
debit and credit transactions using a cryptographic token,
provided that authentication and cryptographic checksum are
carried out via the counter setting and using a
challenge/response procedure. In this case, a single
challenge/response procedure, whereby only one random number
is provided by the security module (SM) and only one
response is calculated by the chip card, can prove both the
identity (authentication) and the internal counter setting
to the security module.
To achieve this, the variable input data, such as
the counter setting and the random number, are initially
processed internally with "keyed hash functions" - MAC
functions, whereby the card-specific secret key of the chip
card is used as key. The tokens resulting from counter
setting and random number can then be associated, for
example, (in a perhaps cryptographically unsecure way) by
XOR or a linear-feedback shift register, and subsequently be
output, with protected data integrity, with a sufficient
cryptographic function.
This procedure is of practical use insofar as the
keyed hash functions, which are only used internally, do not
have to meet particularly high requirements with regard to

CA 02244126 2005-O1-05
28030-19
their security; also, relatively simple functions can be
used since the results of these functions do not "leave" the
chip card. Data manipulation, however, is effectively
prevented.
5 The example for the invention assumes that a
linear-feedback shift register (LFSR) with additional
nonlinear function and post-connected counters is used:
0. Additional feedback circuits are applied after the post-
connected counters in the LFSR.
1. Input data, consisting of the non-secret card data (D)
and the secret key (K) is read into the LFSR while both the
feedback of the LFSR and the additional feedback(s) are
active.
2. A certain number of clock pulses occurs without input
data being read in.
3. Input data consisting of the random number (R) is read
in while both the feedback of the LFSR and the additional
feedback(s) are active.
4. The additional feedback circuits are switched off, and
the counters are reset, if necessary.
5. A certain number of clock pulses occurs, and during
these pulses, output bits are generated according to the
current counter settings.