WO1998007249A1 - Controlled access system and method - Google Patents

Publication number
WO1998007249A1
WO1998007249A1 PCT/US1997/012840 US9712840W WO9807249A1 WO 1998007249 A1 WO1998007249 A1 WO 1998007249A1 US 9712840 W US9712840 W US 9712840W WO 9807249 A1 WO9807249 A1 WO 9807249A1
Authority
WO
WIPO (PCT)
Application number
PCT/US1997/012840
Inventor
A. Michael Cheponis
H. Paul Rubin
Original Assignee
California Wireless, Inc.
Application filed by California Wireless, Inc.


Definitions

  • the host sends the number n to the cryptographic key.
  • the host then replaces AC in its database with R and replaces n with n-1.
  • n reaches zero, the user must re-enroll in the system with a new K.
  • This approach has the advantage that the host does not need to store secret keys. Each new secret key it receives is used once, then discarded.
  • DSA digital signature algorithm
  • the cryptographic key contains a secret key KS and a corresponding public key KP, which is also a cryptographic variable.
  • the host also stores the public key. As illustrated in Figure 6, the host generates a random number or challenge string R and transmits it to the cryptographic key.
  • That key then generates a random "salt" string S and concatenates that string with the random number R, producing a new string R' which consists of the contents of the random number R followed by the contents of the salt string S. It also computes the digital signature DSA(R') using its secret key KS. The cryptographic key then transmits the digital signature DSA(R') to the host, along with the salt string S. The host then verifies the signature on the string R' using the public key KP.
  • This technique is advantageous in that the cryptographic key needs to hold only one secret key, which can be used with as many hosts as desired. There is no need for concern about hosts revealing the public keys since those keys are already public. Even if the host is totally compromised, the secret component rests entirely in the cryptographic key and is still secure.
  • the salt string prevents a potentially malicious host from gathering legitimate signatures on arbitrary strings of its own choosing.
  • the secret/public keys can be generated within the cryptographic key by use of a random number generator, or they can be downloaded from a secure host.
  • Generation within the cryptographic key has the advantage that the secret key never leaves the cryptographic key, and there is no need to worry about security of a generating host.
  • the cryptographic key can authenticate a user either by the inputting of an identifying code (e.g., a PIN) through a keypad or by other means such as a biometric sensor to scan a unique feature of the body (e.g., a fingerprint or a retinal scan). If desired, the infrared transceiver in the key can be utilized to perform the scan as well as to communicate with the host. In addition to authenticating users, the cryptographic key can also transmit a stored secret key to the host. This mode makes it convenient to access encrypted files on the host without the user having to remember or type a long password. There are several ways in which the secret key can be transmitted to the host.
  • the protocol for the simple approach is that the host requests the secret key from the cryptographic key, and the cryptographic key sends the secret key to the host.
  • Another approach is to transmit the secret key in encrypted form, using a public key protocol such as Diffie-Hellman key exchange or the Hughes key transmission protocol.
  • Diffie-Hellman key exchange is described in detail in U.S. Patent 4,200,770, the disclosure of which is incorporated herein by reference. However, its use might require the payment of license fees until the patent expires.
  • the transaction proceeds as follows.
  • the host and the cryptographic key share a common prime modulus P and generator G, similar to those used in Diffie-Hellman key exchange.
  • the modulus P is typically between 512 and 1024 bits.
  • the host requests a secret key transfer from the cryptographic key and sends Y' as part of the request.
  • the cryptographic key can now use K to encrypt a stored secret.
  • a few calculations could be saved by letting K be the secret key needed by the host. In this case, X would be reused in different sessions, so there would be no need for the cryptographic key to compute G mod P every time.
  • the cryptographic key can be provided with a keypad (not shown) for entry of a PIN or other identifying data which is known only to the user. That data can be combined with data stored in the nonvolatile memory of the key to provide the secret key which is used in the various protocols.
  • the requirement for the user to enter a PIN prevents unauthorized users from accessing the host with a stolen cryptographic key.
  • the cryptographic key can be programmed to erase the data stored in its internal non-volatile memory if too many incorrect PINs are entered, or if hardware tampering is detected. Entering the PIN through the cryptographic key rather than through the host avoids sending secret information over networks which may not be secure.
  • the transmitted message can be authenticated with digital signatures, or other means, if desired.
  • the cryptographic key can also be used for authenticating hosts to a user using the techniques discussed above. This assures a user accessing a remote host through a network that no intruder has tampered with the network and substituted his own computer for the real host. A visual indication as to the success or failure of the authentication protocol is provided by the LED in the cryptographic key.

Abstract

The system includes a cryptographic key (17) that transmits a signal to a wireless transceiver (26). The wireless transceiver (26) is connected to a microprocessor (18), a keyboard (23), a drive (22), a monitor (24), a ROM (21), and a RAM (19). A wireless cryptographic signal is sent between the cryptographic key (17) and the host (16) to request authorization to use the host (16). The signal is decrypted and processed after being received to determine if access is to be granted.

Description

CONTROLLED ACCESS SYSTEM AND METHOD
This invention pertains generally to systems to which access is limited and, more particularly, to a system and method for controlling access to such systems.
Examples of systems to which access is limited include computers, files stored in computers, automated teller machines, and entrances to buildings. For convenience, the system to be accessed is sometimes referred to generically as the host system, or simply the host, with the understanding that it can be any type of system to which access is limited and not just the systems enumerated above.
The traditional methods of distinguishing an authorized user from an unauthorized user or imposter are by "something you have", "something you are" or "something you know". Each of these methods has its own advantages and disadvantages, and two or more of the methods can be combined.
A password is a common example of "something you know". Biometric measurement devices are one way of verifying "something you are", and physical tokens such as ordinary door keys, magnetic cards and cryptographic access devices are examples of "something you have". Each of these devices has certain limitations and disadvantages. Mechanical keys are inexpensive and reliable, but they are also easy to copy. Biometric measurement devices require elaborate specialized equipment if they are to provide high security. Cryptographic devices such as the Security Dynamics "Secure ID" card system can require a special server, and magnetic cards require a special reader and can be copied by a "hacked" reader.
It is in general an object of the invention to provide a new and improved system and method for controlling access to a system to which access is limited.
Another object of the invention is to provide a system and method of the above character which overcome the limitations and disadvantages of techniques heretofore employed.
These and other objects are achieved in accordance with the invention by storing an encryption code in a small cryptographic key which can be carried by a person desiring access to the host, bringing the key into proximity with a wireless transceiver connected to the host, transmitting information over a wireless communication link between the host and the key, encrypting information transmitted from the key to the host in accordance with the encryption code in the key, decrypting the information received by the host, and processing the decrypted information to determine whether access to the host is authorized.
Figure 1 is a block diagram of one embodiment of a controlled access system according to the invention.
Figure 2 is a block diagram of the cryptographic key in the embodiment of Figure 1.
Figure 3 is an isometric view of the cryptographic key in the embodiment of Figure 1, with the cover open and the components visible on a circuit board within the housing or case.
Figures 4-7 are flow charts illustrating operation of the system with different authentication and cryptographic protocols.
As illustrated in Figure 1, the system includes a host 16 and a cryptographic key 17. The host is illustrated as a computer having a microprocessor 18 with a random access memory (RAM) 19 for temporarily storing data and operating variables, a read-only memory (ROM) 21 for storing system software, a drive unit 22 for more permanent storage of software and data, a keyboard 23 and a monitor 24.
The host also includes a transceiver 26 for transferring data and other information over a wireless communications link between the computer and the cryptographic key. That link can utilize any suitable form of communication such as infrared, visible light, radio frequency or inductive coupling, and in one presently preferred embodiment, an infrared transceiver is employed. A number of computers today have infrared transceivers or ports built into them for transferring data to printers and other peripheral devices. By using a standard form of communication such as the Infrared Data Association (IrDA) Standards with those ports, secure access can be provided to existing computers without requiring any additional hardware to be added to them. The transceiver can either be an integral part of the host or it can be located remotely of the host, possibly even being connected to the host through an insecure network. In either case, the key is brought into proximity with the transceiver and actuated to exchange information with the host.
In the embodiment illustrated, the cryptographic key has a generally rectangular housing or case 28 of a size which fits easily in the hand or pocket. In one present embodiment, it has a width on the order of 1-1/4 inches, a length on the order of 2 inches, and a thickness on the order of 1/2 inch. In the embodiment illustrated, it is attached to a keychain 29.
As illustrated in Figure 2, the cryptographic key includes a central processing unit (CPU) 31, a random number generator 32, RAM 33, ROM 34, non-volatile memory 36, input switches 37, and a transceiver 38. The transceiver is chosen to match the one in the host, and in the presently preferred embodiment is an IrDA-compatible infrared transceiver.
The components of the key are mounted on a circuit board 39 inside the housing or case. Those components include a microcontroller 41 which contains the microprocessor, memory and registers, a battery 42, switches 37, transceiver 38, and a light emitting diode (LED) 43 which indicates the status of the key. The infrared light source and sensor in the transceiver communicate with the host through an infrared transparent window 44 in the end wall of the housing opposite the keychain.
One relatively simple cryptographic protocol which can be employed in the invention is authentication of the user by a cryptographic variable or secret key which is shared between the cryptographic key and the host. The secret key can, for example, be a large number (e.g., 128 bits) which cannot be guessed by an attacker without an unfeasibly large, exhaustive search.
The host has a database of authorized users, which contains a user ID and a secret key for each user. As illustrated in Figure 4, the host generates a random number or cipher block R and sends that number as a challenge. The key encrypts the number R using the secret key K and sends the encrypted number CR back to the host. It also sends its user ID so that the host will know which secret key to use. The host then encrypts the number R using the secret key K and compares its result with the encrypted number CR received from the key. If the results match, the user is authenticated (i.e., determined to be authorized to have access to the host), and access is permitted. If not, access is denied.
Another authentication protocol which can be utilized is hash-based authentication of the user. According to this protocol, the cryptographic key and the host both implement a secure hash function H(x) such as the NIST Secure Hash Algorithm designed for use with the Digital Signature Standard (FIPS PUB 186). Numerous authentication techniques can be based on such functions.
One such technique is the S/key protocol which was designed at AT&T Bell Laboratories and is in widespread use on various computer systems. It is illustrated in Figure 5. Let HN(n,x) denote the iterated hash function, i.e., the function H iterated n times. For example, HN(4,x) is the same as H(H(H(H(x)))). When a user enrolls in the system, his cryptographic key generates or is assigned a secret key K. The host stores an iterated hash of K in its database. The number of iterations is a parameter of the implementation. For 100 iterations, for example, the host initially stores HN(100,K) as the user's authentication challenge AC. It also records the number n (in this case, 100) in the database.
To authenticate a user, the host sends the number n to the cryptographic key. The cryptographic key computes the response R = HN(n-1,K) and sends that result back to the host. The host verifies that R hashes to the stored authentication challenge, i.e., that H(R) = AC. The host then replaces AC in its database with R and replaces n with n-1. When n reaches zero, the user must re-enroll in the system with a new K.
This approach has the advantage that the host does not need to store secret keys. Each new secret key it receives is used once, then discarded.
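The enrollment and login steps of the S/Key scheme described above can be traced in a short added example, which is not part of the patent text. It assumes SHA-256 as the hash H(x); the `Token`, `Host` and `demo` names and the user ID are hypothetical.

```python
import hashlib
import hmac
import secrets

def H(x: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the page's secure hash function H(x).
    return hashlib.sha256(x).digest()

def HN(n: int, x: bytes) -> bytes:
    # H iterated n times; HN(0, x) is x itself.
    for _ in range(n):
        x = H(x)
    return x

class Token:
    """The hand-held cryptographic key: the only holder of K."""
    def __init__(self):
        self._k = secrets.token_bytes(16)   # 128-bit secret key K

    def enrollment_value(self, n: int) -> bytes:
        return HN(n, self._k)               # initial AC = HN(n, K)

    def respond(self, n: int) -> bytes:
        return HN(n - 1, self._k)           # R = HN(n-1, K)

class Host:
    """Stores only (n, AC) per user, never K at enrollment."""
    def __init__(self):
        self.db = {}

    def enroll(self, user_id: str, n: int, ac: bytes) -> None:
        self.db[user_id] = (n, ac)

    def challenge(self, user_id: str) -> int:
        n, _ = self.db[user_id]
        if n == 0:
            raise RuntimeError("chain exhausted: user must re-enroll with a new K")
        return n

    def verify(self, user_id: str, r: bytes) -> bool:
        n, ac = self.db[user_id]
        if n == 0 or not hmac.compare_digest(H(r), ac):
            return False                    # wrong or replayed response
        self.db[user_id] = (n - 1, r)       # AC <- R, n <- n-1
        return True

def demo(n: int = 3):
    token, host = Token(), Host()
    host.enroll("alice", n, token.enrollment_value(n))
    r = token.respond(host.challenge("alice"))
    first = host.verify("alice", r)
    replay = host.verify("alice", r)        # captured response sent again
    rest = [host.verify("alice", token.respond(host.challenge("alice")))
            for _ in range(n - 1)]
    return first, replay, rest, host.db["alice"][0]

if __name__ == "__main__":
    print(demo())
```

A replayed response fails because the host has already advanced AC to that response, so the next valid value is its preimage, which only the key can compute.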
Another protocol which can be employed to authenticate the user is a digital signature algorithm (DSA), such as the NIST Digital Signature Algorithm described in U.S. Patent 5,231,668 and in FIPS PUB 186, the disclosures of which are incorporated herein by reference. According to that algorithm, the cryptographic key contains a secret key KS and a corresponding public key KP, which is also a cryptographic variable. The host also stores the public key. As illustrated in Figure 6, the host generates a random number or challenge string R and transmits it to the cryptographic key. That key then generates a random "salt" string S and concatenates that string with the random number R, producing a new string R' which consists of the contents of the random number R followed by the contents of the salt string S. It also computes the digital signature DSA(R') using its secret key KS. The cryptographic key then transmits the digital signature DSA(R') to the host, along with the salt string S. The host then verifies the signature on the string R' using the public key KP.
This technique is advantageous in that the cryptographic key needs to hold only one secret key, which can be used with as many hosts as desired. There is no need for concern about hosts revealing the public keys since those keys are already public. Even if the host is totally compromised, the secret component rests entirely in the cryptographic key and is still secure. The salt string prevents a potentially malicious host from gathering legitimate signatures on arbitrary strings of its own choosing.
The secret/public keys can be generated within the cryptographic key by use of a random number generator, or they can be downloaded from a secure host. Generation within the cryptographic key has the advantage that the secret key never leaves the cryptographic key, and there is no need to worry about security of a generating host.
The cryptographic key can authenticate a user either by the inputting of an identifying code (e.g., a PIN) through a keypad or by other means such as a biometric sensor to scan a unique feature of the body (e.g., a fingerprint or a retinal scan). If desired, the infrared transceiver in the key can be utilized to perform the scan as well as to communicate with the host. In addition to authenticating users, the cryptographic key can also transmit a stored secret key to the host. This mode makes it convenient to access encrypted files on the host without the user having to remember or type a long password. There are several ways in which the secret key can be transmitted to the host.
One simple approach is to transmit the secret key in unencrypted form. The problem with this approach is possible interception of the transmission and capture of the secret key by eavesdroppers. With infrared systems, where the range of transmission is limited, this technique can be used in low-to-medium security applications in typical environments. However, it is probably not suitable for use in systems such as RF where the range of transmission is greater.
The protocol for the simple approach is that the host requests the secret key from the cryptographic key, and the cryptographic key sends the secret key to the host.
Another approach is to transmit the secret key in encrypted form, using a public key protocol such as Diffie-Hellman key exchange or the Hughes key transmission protocol. This avoids the security problems of the simple approach but requires a more powerful microprocessor in the cryptographic key. Diffie-Hellman key exchange is described in detail in U.S. Patent 4,200,770, the disclosure of which is incorporated herein by reference. However, its use might require the payment of license fees until the patent expires.
Using the Hughes protocol, the transaction proceeds as follows. The host and the cryptographic key share a common prime modulus P and generator G, similar to those used in Diffie-Hellman key exchange. The modulus P is typically between 512 and 1024 bits. The host generates a random number Y and computes Y' = G^Y mod P. The host then requests a secret key transfer from the cryptographic key and sends Y' as part of the request. The host also calculates a multiplicative inverse Y^-1 so that Y*Y^-1 = 1 mod P.
The cryptographic key generates a secret random number X and sends Z = (Y')^X mod P to the host. Since Y' = G^Y mod P, this means that Z = (Y')^X mod P = G^(XY) mod P. The cryptographic key also computes K = G^X mod P, but does not send it.
The host then computes Z^(Y^-1) mod P. That is the same as K = G^X mod P, and K is now a secret key shared between the cryptographic key and the host. The cryptographic key can now use K to encrypt a stored secret. Alternatively, a few calculations could be saved by letting K be the secret key needed by the host. In this case, X would be reused in different sessions, so there would be no need for the cryptographic key to compute G^X mod P every time.
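The Hughes exchange above, carried through with small numbers as an added example that is not part of the patent text. The 127-bit prime, the base G = 3, the class and function names, and the SHA-256 XOR wrap are all assumptions made for illustration; the code takes the inverse of Y modulo P-1, the modulus under which exponents of G reduce, which is what lets the host's last step recover G^X.

```python
import hashlib
import math
import secrets

# Toy parameters (assumptions): the page calls for a 512- to 1024-bit prime P.
P = 2**127 - 1      # a Mersenne prime, far too small for real use
G = 3               # assumed base shared by host and key

def _rand_exponent() -> int:
    return secrets.randbelow(P - 3) + 2     # uniform in [2, P-2]

class HughesHost:
    def request(self) -> int:
        # Y must be invertible as an exponent, i.e. coprime to P-1.
        while True:
            y = _rand_exponent()
            if math.gcd(y, P - 1) == 1:
                break
        self._y_inv = pow(y, -1, P - 1)     # Y * Y^-1 = 1 (mod P-1)
        return pow(G, y, P)                 # Y' = G^Y mod P

    def recover(self, z: int) -> int:
        return pow(z, self._y_inv, P)       # Z^(Y^-1) mod P = G^X mod P = K

class HughesKey:
    def __init__(self):
        self._x = _rand_exponent()          # secret X, kept inside the key

    def respond(self, y_prime: int) -> int:
        return pow(y_prime, self._x, P)     # Z = (Y')^X mod P

    def k(self) -> int:
        return pow(G, self._x, P)           # K = G^X mod P, never transmitted

def wrap(k: int, data: bytes) -> bytes:
    # Stand-in for "use K to encrypt a stored secret": XOR with SHA-256(K).
    # A real design would use an authenticated cipher keyed from K.
    if len(data) > 32:
        raise ValueError("this sketch wraps at most 32 bytes")
    pad = hashlib.sha256(k.to_bytes(16, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

def transfer(key: HughesKey, host: HughesHost, stored_secret: bytes) -> bytes:
    z = key.respond(host.request())         # only Y' and Z cross the link
    ciphertext = wrap(key.k(), stored_secret)
    return wrap(host.recover(z), ciphertext)  # host unwraps with its own K

if __name__ == "__main__":
    secret = b"constructed-key!"            # constructed sample secret
    print(transfer(HughesKey(), HughesHost(), secret) == secret)
```

Because K depends only on X, a key that keeps the same X yields the same K to every host session regardless of the host's Y, which is the reuse mode the last paragraph describes.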
Another suitable technique is the RSA public key cipher described in U.S. Patent 4,405,829, the disclosure of which is incorporated herein by reference.
That approach is desirable in that it would require fewer computations by the cryptographic key, assuming a low public exponent. However, its use might require the payment of license fees until the patent expires.
For high security applications, the cryptographic key can be provided with a keypad (not shown) for entry of a PIN or other identifying data which is known only to the user. That data can be combined with data stored in the non-volatile memory of the key to provide the secret key which is used in the various protocols. The requirement for the user to enter a PIN prevents unauthorized users from accessing the host with a stolen cryptographic key. For even greater security, the cryptographic key can be programmed to erase the data stored in its internal non-volatile memory if too many incorrect PINs are entered, or if hardware tampering is detected. Entering the PIN through the cryptographic key rather than through the host avoids sending secret information over networks which may not be secure.
For all of the cryptographic variable or key transmission techniques discussed above, the transmitted message can be authenticated with digital signatures, or other means, if desired.
In addition to authenticating users to a host, the cryptographic key can also be used for authenticating hosts to a user using the techniques discussed above. This assures a user accessing a remote host through a network that no intruder has tampered with the network and substituted his own computer for the real host. A visual indication as to the success or failure of the authentication protocol is provided by the LED in the cryptographic key.
It is apparent from the foregoing that a new and improved system and method have been provided for controlling access to a system to which access is limited. While only certain presently preferred embodiments have been described in detail, as will be apparent to those familiar with the art, certain changes and modifications can be made without departing from the scope of the invention as defined by the following claims.

Claims

1. In a system for controlling access to a host: a cryptographic key adapted to be carried by a person seeking access to the host, wireless communication means for transmitting information between the key and the host when the key is held in proximity with a transceiver connected to the host, means included in the key for encrypting information for transmission to the host, and means included in the host for decrypting the information from the key and processing the decrypted information to determine whether access to the host is authorized.
2. The system of Claim 1 wherein the wireless communication means comprises infrared transceivers included in the host and in the key.
3. The system of Claim 1 wherein the means for encrypting information includes a microprocessor.
4. The system of Claim 1 wherein the means for encrypting information includes a private encryption code in the cryptographic key.
5. The system of Claim 1 wherein the host comprises a computer, and the means for decrypting the information and processing the decrypted information comprises a microprocessor within the computer.
6. In a method of verifying authorization to access a host, the steps of: storing an encryption code in a cryptographic key which can be carried by a person desiring access to the host, bringing the key into proximity with a wireless transceiver connected to the host, transmitting information over a wireless communication link between the transceiver and the key, encrypting information transmitted from the key to the transceiver in accordance with the encryption code in the key, decrypting the information received by the host, and processing the decrypted information to determine whether access to the host is authorized.
7. A cryptographic key for obtaining access to a host to which access is limited, comprising a body of a size suitable for attachment to a conventional key chain, a microprocessor within the body, means within the body for storing a cryptographic code, means programming the microprocessor to encrypt information in accordance with the stored code, and transceiver means carried by the body for transmitting encrypted information from the key to the host over a wireless communication link.
PCT/US1997/012840 1996-08-09 1997-08-01 Controlled access system and method WO1998007249A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US69481496A 1996-08-09 1996-08-09
US08/694,814 1996-08-09

Publications (1)

Publication Number Publication Date
WO1998007249A1 true WO1998007249A1 (en) 1998-02-19

Family

ID=24790380

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US1997/012840 WO1998007249A1 (en) 1996-08-09 1997-08-01 Controlled access system and method

Country Status (1)

Country Link
WO (1) WO1998007249A1 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2341061A (en) * 1998-06-16 2000-03-01 Nec Corp Portable data communication terminal with separate user authenticating security device in radio communication with the terminal
GB2360610A (en) * 2000-03-22 2001-09-26 Newmark Technology Group Plc Computer access control and security system
WO2002031778A1 (en) * 2000-10-13 2002-04-18 Nokia Corporation Wireless lock system
EP1460508A1 (en) * 2003-03-08 2004-09-22 c.a.r.u.s. Information Technology AG User authentication by wireless device carried with user, user proximity checks
EP1016947A3 (en) * 1998-12-31 2006-04-26 Texas Instruments Incorporated Portable electronic equipment key
GB2513669A (en) * 2013-06-21 2014-11-05 Visa Europe Ltd Enabling access to data

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4800590A (en) * 1985-01-14 1989-01-24 Willis E. Higgins Computer key and computer lock system
US5377269A (en) * 1992-10-29 1994-12-27 Intelligent Security Systems, Inc. Security access and monitoring system for personal computer
US5402492A (en) * 1993-06-18 1995-03-28 Ast Research, Inc. Security system for a stand-alone computer

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2341061B (en) * 1998-06-16 2001-03-14 Nec Corp Method and system for authenticating a user
GB2341061A (en) * 1998-06-16 2000-03-01 Nec Corp Portable data communication terminal with separate user authenticating security device in radio communication with the terminal
US6515575B1 (en) 1998-06-16 2003-02-04 Nec Corporation Method of authenticating user and system for authenticating user
EP1016947A3 (en) * 1998-12-31 2006-04-26 Texas Instruments Incorporated Portable electronic equipment key
GB2360610A (en) * 2000-03-22 2001-09-26 Newmark Technology Group Plc Computer access control and security system
WO2002031778A1 (en) * 2000-10-13 2002-04-18 Nokia Corporation Wireless lock system
US7624280B2 (en) 2000-10-13 2009-11-24 Nokia Corporation Wireless lock system
EP1460508A1 (en) * 2003-03-08 2004-09-22 c.a.r.u.s. Information Technology AG User authentication by wireless device carried with user, user proximity checks
GB2513669A (en) * 2013-06-21 2014-11-05 Visa Europe Ltd Enabling access to data
GB2513669B (en) * 2013-06-21 2016-07-20 Visa Europe Ltd Enabling access to data
US10445484B2 (en) 2013-06-21 2019-10-15 Visa Europe Limited Enabling access to data
US11275821B2 (en) 2013-06-21 2022-03-15 Visa Europe Limited Enabling access to data
US11868169B2 (en) 2013-06-21 2024-01-09 Visa Europe Limited Enabling access to data

Similar Documents

Publication Publication Date Title
US7624280B2 (en) Wireless lock system
US7979716B2 (en) Method of generating access keys
US8559639B2 (en) Method and apparatus for secure cryptographic key generation, certification and use
KR101198120B1 (en) Iris information based 3-factor user authentication method for otp generation and secure two way authentication system of wireless communication device authentication using otp
US7669236B2 (en) Determining whether to grant access to a passcode protected system
JP3222111B2 (en) Remote identity verification method and apparatus using personal identification device
US5491752A (en) System for increasing the difficulty of password guessing attacks in a distributed authentication scheme employing authentication tokens
US6956950B2 (en) Computer readable medium having a private key encryption program
US7178025B2 (en) Access system utilizing multiple factor identification and authentication
US7707622B2 (en) API for a system having a passcode authenticator
US7886155B2 (en) System for generating requests to a passcode protected entity
US7178034B2 (en) Method and apparatus for strong authentication and proximity-based access retention
EP1844567B1 (en) Passcodes
US20060107312A1 (en) System for handing requests for access to a passcode protected entity
US20060107063A1 (en) Generating requests for access to a passcode protected entity
JPH0652518B2 (en) Security system and its management method
US20010054147A1 (en) Electronic identifier
JP2005512204A (en) Portable device and method for accessing a data key activated device
WO1999024895A1 (en) Tamper resistant method and apparatus
US7702911B2 (en) Interfacing with a system that includes a passcode authenticator
EP1472816A2 (en) Access system utilizing multiple factor identification and authentication
WO2001013201A2 (en) Peer-to-peer network user authentication protocol
KR20030033863A (en) The method and system of multistage user certification using active user-certifiable card of USB module type
WO1998007249A1 (en) Controlled access system and method
JP2002530930A (en) Method and apparatus for securely distributing authentication credentials to roaming users

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): BR CA CN JP KR MX PL TR

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): AT BE CH DE DK ES FI FR GB GR IE IT LU MC NL PT SE

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: JP

Ref document number: 98509728

Format of ref document f/p: F

NENP Non-entry into the national phase

Ref country code: CA

122 Ep: pct application non-entry in european phase