Patent 2363655 Summary

(12) Patent Application: (11) CA 2363655
(54) English Title: METHOD FOR CREATING AND PRESERVING AN IDENTIFIER
(54) French Title: CREATION ET CONSERVATION D'UN IDENTIFICATEUR
Status: Deemed Abandoned and Beyond the Period of Reinstatement - Pending Response to Notice of Disregarded Communication
Bibliographic Data
(51) International Patent Classification (IPC):
  • H04L 9/32 (2006.01)
(72) Inventors :
  • HILTUNEN, MATTI (Finland)
  • LIUKKONEN, JUKKA (Finland)
  • VATANEN, HARRI (United Kingdom)
(73) Owners :
  • SONERA SMARTTRUST OY
(71) Applicants :
  • SONERA SMARTTRUST OY (Finland)
(74) Agent: NORTON ROSE FULBRIGHT CANADA LLP/S.E.N.C.R.L., S.R.L.
(74) Associate agent:
(45) Issued:
(86) PCT Filing Date: 2000-02-17
(87) Open to Public Inspection: 2000-08-24
Availability of licence: N/A
Dedicated to the Public: N/A
(25) Language of filing: English

Patent Cooperation Treaty (PCT): Yes
(86) PCT Filing Number: PCT/FI2000/000124
(87) International Publication Number: WO 2000049767
(85) National Entry: 2001-08-16

(30) Application Priority Data:
Application No. Country/Territory Date
990336 (Finland) 1999-02-17

Abstracts

English Abstract


A method for creating a global unambiguous identifier for predetermined data
structures and for storing identifiers created. In the method, an unambiguous
identifier is created from a key and/or keys associated with an encryption
and/or signing procedure and/or from key holder information and/or other
information. From the identifier, an unambiguous hash code is generated using
e.g. a hash function. The hash codes thus generated are stored in a
centralized place so that each hash code is unambiguously associated with a
given juridical person and a given key pair. The hash code can be used e.g. as
a part of encrypted messages sent by a mobile station in a mobile
communication system so that the user can infer from the identifier how the
message can be decrypted into plain language.


French Abstract

The present invention relates to a method that allows, on the one hand, the creation of a global unambiguous identifier intended for data structures and, on the other hand, the storage of the identifiers created. To create an unambiguous identifier, the method starts from at least one key associated with an encryption and/or signing procedure, and/or from at least one item of information possibly relating to the key holder. To generate an unambiguous hash code, the identifier is submitted to a hash function. The hash code thus generated is then stored in a centralized place so that each hash code is unambiguously associated with a juridical person and a given key pair. In the body of an encrypted message sent by a mobile station of a mobile communication system, this hash code can be used so that the user can infer from the identifier how the message can be decrypted into plain language.

Claims

Note: Claims are shown in the official language in which they were submitted.


CLAIMS
1. Method for creating a unique identifier for predetermined data structures and for storing identifiers created, in which method
a unique identifier is created from initial data including a key and/or keys associated with an encryption and/or signing method, key holder information and/or other information;
a hash code is generated from the identifier which is a reference pointer to the information from which the hash code has been generated; and
the hash codes thus generated are stored in a centralized place so that each hash code is unambiguously associated with a given juridical person, characterized in that the method further comprises the steps of:
keeping a record of the identifiers created by means of a counter,
formatting the counter to a value zero before creating the identifier,
attaching the counter to the initial data of the unique identifier to be created,
checking whether the identifier created is unique, and if the identifier is not unique, then the value of the counter is increased and the identifier is re-created, otherwise
the creation process is stopped.
2. Method as defined in claim 1, characterized in that the method further comprises the steps of:
checking the value of the counter, and
if the value of the counter exceeds the allowed value, the creation of the identifier is started from the beginning.
3. Method as defined in claim 1, characterized in that prior to creating the identifier, the value of the counter is formatted to a first free value.
4. Method as defined in claims 1 - 3, characterized in that the hash code is generated using a hash function.
5. Method as defined in claims 1 - 4, characterized in that a reference pointer consisting of a given part of the hash code is used.
6. Method as defined in claims 1 - 4, characterized in that the last five bytes of the hash code are used as a reference pointer.
7. Method as defined in claims 1 - 6, characterized in that the encryption method used is the public and private key method.
8. Method as defined in claims 1 - 7, characterized in that the hash codes and the public information from which the hash code has been generated are placed in the custody of a trusted third party.

Description

Note: Descriptions are shown in the official language in which they were submitted.


CA 02363655 2001-08-16
WO 00/49767 PCT/FI00/00124
METHOD FOR CREATING AND PRESERVING AN IDENTIFIER
FIELD OF THE INVENTION
The present invention relates to telecommunication. In particular, the present invention concerns a new type of method for creating a global unambiguous identifier for predetermined data structures. Moreover, the invention relates to concentrated and reliable storage of identifiers.
BACKGROUND OF THE INVENTION
The volume of data communication is continuously increasing. The increase entails growing demands on the security and reliability of data communication. Many enterprises have their offices scattered around the world. This is one of the factors requiring the provision of secure data transmission. Various encryption methods have long been used for data protection. One of these methods is the public and private key method.

In the following, reference is made to the public and private key method, but let this be only an example of the method used.

Encryption is used to prevent transmitted information from getting into the wrong hands in a plain language form. The public and private key method is a means used to achieve this end. At present, the public keys of private persons are often only locally known to other people, and finding out the keys requires a considerable amount of work. The availability of public key pairs must be simple and feasible in hardware-independent environments. These factors make it possible for encryption and signature by the public and private key method to meet the objective aimed at: simplicity and efficiency.

The problem at present is the management of key pairs. As queries for keys may have to be made globally in any part of the network, using local databases is difficult or almost impossible. Likewise, the key pair has to be provided with unambiguous data allowing the key pair to be associated with the holder of the key. This is another problem which has not yet been properly solved.

The object of the present invention is to eliminate the drawbacks referred to above or at least to significantly alleviate them.

A specific object of the invention is to disclose a new type of method whereby the management of encryption keys is converted from a distributed system into a centralized one. A further object of the invention is to disclose a method in which an unambiguous hash code is generated from each key comprised in an encryption procedure and from the juridical person associated with the key. This hash code functions as an identifier by means of which the key pair and the key holder are associated with each other.

As for the features characteristic of the present invention, reference is made to the claims.
BRIEF DESCRIPTION OF THE INVENTION
The method of the invention relates to the creation of a global unambiguous identifier for predetermined data structures and to the storage of the identifiers created. In the method, a juridical name is added to encryption keys, preferably to a public encryption and signing key. In addition to the keys and juridical name, other information may also be added to the structure being created to ensure that the structure will be unambiguous, i.e. that a corresponding structure has never been created before.

From the structure thus created, a hash code is generated by a function appropriate for the purpose, e.g. a hash function. One such function is MD5 (MD, Message Digest). The hash function works in a way that makes it impossible to deduce from the result the starting values used to generate the hash code. The hash code created works as a reference pointer pointing to the data from which it has been generated. In other words, if a hash code created from information representing a given person is known, then, based on the hash code, it will be possible to unambiguously determine the public keys in use and the juridical person behind the keys. As the hash code produced by the hash function may be very long, it is possible to use a given part of the hash code, e.g. the last five bytes, to identify a desired party. Five bytes is sufficient to cover over 1000 billion different identifiers.

To make the availability of the key pairs as simple as possible, the hash codes created and the public information from which the hash code has been generated are placed in the custody of a trusted third party (TTP).

The hash code of the present invention can be used e.g. as a part of an encrypted short message in a mobile communication system. This part unambiguously tells the receiver of the message whose public keys are needed to decrypt the message.

The present invention provides the advantage that the authenticity of information received is recognized locally. If the local data is changed, then the identifier changes as well. Further, the invention does not restrict the structure of the pointer record in any way. Another advantage of the invention is that the unambiguous hash code created constitutes a kind of "fist" by means of which the receiver can easily ascertain who is the sender and which keys are needed to decrypt the information received.

LIST OF ILLUSTRATIONS
In the following, the invention will be described in detail by the aid of a few of its embodiments, wherein
Fig. 1 illustrates a preferred method according to the invention for creating an unambiguous identifier, and
Fig. 2 represents the registration of an identifier according to Fig. 1.
Fig. 1 presents an example illustrating the creation of an identifier, e.g. a net identification. In this example, encryption is implemented using the public and private key method. The method illustrated in Fig. 1 is designed to create an unambiguous identifier for associating a key pair with the holder of the keys. In this example, the identifier is created from a public key pair and the juridical name of the holder of the key pair. 'Juridical name' refers to the person who has the right to use the encryption keys.

The procedure of creating an identifier is started by first creating a secret and a public encryption key. The identifiers created are recorded by means of a running counter, which is at first reset to zero (3). The juridical name (4) is associated with the (public) keys created. From the public keys, counter and juridical name, a hash code (5) is generated. The hash code is produced e.g. using the MD5 function (MD, Message Digest). This is a one-way function, which means that the starting values used to generate the hash code cannot be deduced from this function. Part of the hash code, e.g. the last five bytes of the hash code, may be used as a reference to the juridical name.

Next, a check is performed to establish whether the reference number obtained is already in use (6). The counter value is incremented by one if the identifier is already in use (7). Incrementing the counter has the effect that the identifier to be generated next will differ somewhat from the previous identifier attempted. If at this point the counter value exceeds an allowed limit (11), e.g. 2^32, then the creation of the identifier is started again from the beginning.

If the reference number is free, then the reference number just created is reserved in a reference index (8). The reference index is maintained e.g. by a trusted third party. If for some reason the attempt to reserve (9) the reference number failed, then the counter value is incremented by one (7) and action is resumed at step 5 if the counter did not exceed a maximum allowed value. If the maximum value was exceeded (11), then the creation of the identifier is started from the beginning.

The counter value and the public keys are saved to an X5 index (10). X5 index means a database of juridical persons, maintained by a trusted third party. The reference index reference pointer is set to contain a pointer to the juridical person in the X5 index. Thus, the juridical person has now been associated with a given net identification.
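
The Fig. 1 creation loop described above, as an added Python example that is not part of the patent text: it hashes the public keys, counter and juridical name with MD5, keeps the last five bytes as the reference, and retries with an incremented counter when the reference is already taken. The in-memory `ReferenceIndex`, the length-prefixed field encoding, and the sample key bytes and holder name are assumptions; the description does not specify them.

```python
import hashlib

MAX_COUNTER = 2**32   # example limit from the description
REF_LEN = 5           # "last five bytes" of the hash code


class CounterExhausted(Exception):
    """Counter passed the limit (11): restart with a fresh key pair."""


class ReferenceIndex:
    """Assumed in-memory stand-in for the reference index and X5 index."""

    def __init__(self):
        self._records = {}

    def is_free(self, ref):                      # check (6)
        return ref not in self._records

    def reserve(self, ref, record):              # reserve (8); False = failed (9)
        if ref in self._records:
            return False
        self._records[ref] = record
        return True

    def resolve(self, ref):                      # reference pointer -> holder
        return self._records.get(ref)


def _field(data):
    # Assumed encoding: length-prefix each field so that different
    # (keys, counter, name) triples never serialise to the same bytes.
    return len(data).to_bytes(4, "big") + data


def make_reference(public_keys, counter, juridical_name, ref_len=REF_LEN):
    blob = (_field(public_keys) + _field(counter.to_bytes(4, "big"))
            + _field(juridical_name.encode("utf-8")))
    return hashlib.md5(blob).digest()[-ref_len:]  # hash code (5), truncated


def create_identifier(index, public_keys, juridical_name,
                      ref_len=REF_LEN, max_counter=MAX_COUNTER):
    counter = 0                                   # reset counter (3)
    while counter < max_counter:
        ref = make_reference(public_keys, counter, juridical_name, ref_len)
        record = {"name": juridical_name, "keys": public_keys, "counter": counter}
        if index.is_free(ref) and index.reserve(ref, record):
            return ref, counter                   # saved to the index (10)
        counter += 1                              # increment and retry (7)
    raise CounterExhausted(juridical_name)


def demo():
    index = ReferenceIndex()
    keys = b"constructed-public-key-bytes"        # constructed sample input
    first = create_identifier(index, keys, "Example Holder Oy")
    second = create_identifier(index, keys, "Example Holder Oy")  # same input
    return index, first, second


if __name__ == "__main__":
    _, first, second = demo()
    print(first[0].hex(), first[1], second[0].hex(), second[1])
```

A five-byte reference gives 2^40 possible values, so by the birthday bound two unrelated holders are likely to produce the same reference after roughly a million registrations; the reservation check at the trusted third party, not the hash function, is what keeps each reference unambiguous.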
Fig. 2 illustrates a situation where an identifier thus created is to be registered. 'Card issuer' (CI) means e.g. an operator or card manufacturer. In this example, 'card' means a subscriber identity module (SIM) as used in mobile stations. The card issuer (CI) sends a request for the registration of an identifier to a certificate authority (CA) (21). The CA is a so-called trusted third party, which functions as an independent party and is in no way linked with the parties using it. In the custody of or available to the CA is a NIDS (Net ID Server). The CA sends to the NIDS a request for making a reservation (22). The NIDS checks whether the same identifier is already in use. If the identifier is not in use, then the NIDS will send the CA information confirming successful reservation (23). The CA sends a confirmation (24) of successful registration to the card issuer.

The card issuer may also verify himself whether a given identifier is already in use or check whether a given identifier was successfully reserved. To carry out a verification, the CI sends to the NIDS a request to check a given NID (25). As a result, the NIDS sends the card issuer an answer to the inquiry (26).

The invention is not restricted to the examples of its embodiments described above, but many variations are possible within the scope of the inventive idea defined in the claims.

Administrative Status


Event History

Description Date
Inactive: Dead - No reply to Office letter 2003-12-04
Application Not Reinstated by Deadline 2003-12-04
Deemed Abandoned - Failure to Respond to Maintenance Fee Notice 2003-02-17
Inactive: Status info is complete as of Log entry date 2003-01-10
Inactive: Status info is complete as of Log entry date 2003-01-09
Inactive: Adhoc Request Documented 2003-01-09
Inactive: Delete abandonment 2003-01-09
Inactive: Abandoned - No reply to Office letter 2002-12-04
Inactive: Abandoned - No reply to Office letter 2002-11-19
Inactive: Transfer information requested 2002-09-04
Inactive: Correspondence - Transfer 2002-08-07
Inactive: Single transfer 2002-05-06
Inactive: Courtesy letter - Evidence 2002-04-18
Inactive: Single transfer 2002-02-26
Inactive: Courtesy letter - Evidence 2002-01-22
Inactive: Cover page published 2002-01-18
Inactive: Notice - National entry - No RFE 2002-01-15
Inactive: First IPC assigned 2002-01-15
Application Received - PCT 2001-12-28
Application Published (Open to Public Inspection) 2000-08-24

Abandonment History

Abandonment Date Reason Reinstatement Date
2003-02-17

Maintenance Fee

The last payment was received on 2001-08-16


Fee History

Fee Type Anniversary Year Due Date Paid Date
MF (application, 2nd anniv.) - standard 02 2002-02-18 2001-08-16
Basic national fee - standard 2001-08-16
Owners on Record

Note: Records showing the ownership history in alphabetical order.

Current Owners on Record
SONERA SMARTTRUST OY
Past Owners on Record
HARRI VATANEN
JUKKA LIUKKONEN
MATTI HILTUNEN
Past Owners that do not appear in the "Owners on Record" listing will appear in other documentation within the application.
Documents

Document Description / Date (yyyy-mm-dd) / Number of pages / Size of Image (KB)
Representative drawing 2002-01-17 1 7
Claims 2001-08-16 2 73
Abstract 2001-08-16 1 62
Description 2001-08-16 6 248
Drawings 2001-08-16 2 26
Cover Page 2002-01-18 2 45
Notice of National Entry 2002-01-15 1 193
Request for evidence or missing transfer 2002-08-19 1 108
Courtesy - Abandonment Letter (Office letter) 2003-01-08 1 167
Courtesy - Abandonment Letter (Maintenance Fee) 2003-03-17 1 178
PCT 2001-08-16 8 320
Correspondence 2002-01-15 1 30
Correspondence 2002-04-18 1 20
Correspondence 2002-09-04 1 18