WO2002005069A2 - Method for authenticating digital data - Google Patents

Method for authenticating digital data

Info

Publication number
WO2002005069A2
Authority
WO
WIPO (PCT)
Prior art keywords
data
key
authentication
digital data
server
Prior art date
Application number
PCT/EP2001/008050
Other languages
German (de)
English (en)
Other versions
WO2002005069A3 (fr
Inventor
Burkhard Koch
Ulrich Koch
Frank Brinkmann
Harald Eickeler
Original Assignee
Burkhard Koch
Ulrich Koch
Frank Brinkmann
Harald Eickeler
Priority date
Filing date
Publication date
Priority claimed from DE10054298A
Priority claimed from DE10058685A
Application filed by Burkhard Koch, Ulrich Koch, Frank Brinkmann, Harald Eickeler
Priority to AU2001276397A
Publication of WO2002005069A2
Publication of WO2002005069A3

Classifications

    • G: PHYSICS
    • G06: COMPUTING OR CALCULATING; COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/64: Protecting data integrity, e.g. using checksums, certificates or signatures
    • G: PHYSICS
    • G06: COMPUTING OR CALCULATING; COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21: Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2143: Clearing memory, e.g. to prevent the data from being stolen

Definitions

  • the invention relates to a method for authenticating digital data.
  • the invention further relates to a method for mutually exchanging a first digital data object for a second digital data object via a data network, the first data object being transmitted from a first host to a second host and the second data object being transmitted from the second host to the first host.
  • the invention relates to a method for the automated implementation of an exchange for digital data objects and a computer program product for the exchange of authenticated digital data objects.
  • the present invention is based on the object of providing a method for authenticating digital data which makes it possible to clearly identify the digital data as the original.
  • the method should be as difficult as possible to circumvent and should be practical and easy to implement on common computer hardware and software.
  • This object is achieved in a method for authenticating digital data in that the digital data are linked with an object key, the object key being related to a master key assigned to the digital data during the authentication, and wherein, after the authentication, the object key and the master key are invalidated and replaced with updated keys.
  • a unique digital piece is created.
  • authenticating i.e. recognizing this unique item as original
  • the object key linked to the data is checked and the key set is changed.
  • the master key to which the object key is related is used for checking in such a way that it is clearly recognizable whether the object key in question corresponds to the respective master key.
  • the basic idea of the method according to the invention is to renew the relevant keys with each authentication process, so that authentication can be carried out successfully with only one copy of the digital data at a time. Even if a unique digital object provided with an object key is lost, the functionality associated with it can only be carried out exactly once, namely after authentication has taken place.
  • the object key is formed in two parts, the partial keys being combined during authentication to form a reference key, whose correspondence with the master key is checked, and wherein, after authentication has been carried out, at least one of the partial keys and the master key are invalidated and replaced with updated keys.
  • This variant of the method according to the invention provides special protection against loss of the digital data or against unauthorized use of the data by third parties.
  • One of the partial keys can namely be kept separate from the digital data, and authentication is only possible when both partial keys are available.
  • a reference key is generated from the key pair during the authentication process. If there is a match between this reference key and the master key assigned to the digital data, the originality of the digital data is confirmed. After successful authentication, the previous key pair and the master key are declared invalid. Further attempts at authentication with unauthorized copies that are still linked to the old key pair will be rejected.
  • the fact that the key set is updated during each authentication process ensures that only one copy of the digital data in circulation can be recognized as the original.
  • the fact that two subkeys are required for authentication, which must be present at the same time to confirm the originality of the digital data, results in an increased security standard.
  • a particular advantage of the method according to the invention is that the data to be authenticated can be copied as desired (security copy), but a functionality linked to the data, for example, which only becomes effective after successful authentication, can always be carried out with exactly one copy.
  • even if the digital data fall into the hands of unauthorized third parties, the actual value, which is a functionality linked to the digital data, is not changed.
  • One of the partial keys can expediently be added to the digital data.
  • the digital data are usually in the form of a file on a mass storage medium of an electronic data processing system. In addition to the digital data to be authenticated, this file can also contain one of the subkeys. As a result, the assignment of the partial key to the digital data is immediate.
  • the second partial key can be memorized or written down, for example, by a user who is authorized to carry out the functionality linked to the digital data. This ensures that, although the digital data can be copied by unauthorized third parties, authentication according to the invention is only possible for the authorized user. This makes the digital data useless for unauthorized third parties.
  • the partial key kept separate from the digital data can be used to encrypt the digital data. This makes the digital data illegible for unauthorized third parties, and only the authorized user can decrypt the digital data with the partial key only known to him.
  • the master key is generated by a combination of a randomly selected component with an unchangeable and secret key assigned to the digital data record.
  • knowledge of the master key, which changes after each authentication, is more or less useless for an unauthorized third party.
  • a mathematical one-way function (cf. DIN / ISO 10118) can expediently be used to determine the master key from the random component and the immutable, secret key. This ensures that, even if the two partial keys and the master key are known at the same time, the immutable secret key cannot be inferred from them.
  • At least one updated subkey is also generated by the server after authentication, which is linked to the digital data via a data connection. It is conceivable that the digital data together with the associated updated partial keys are transmitted via the data connection, thereby replacing the original data associated with the invalid keys. Frequent authentication of the digital data increases the level of security, since the keys are updated with each authentication process, thus preventing authentication of a copy that has been created in the meantime. It is also conceivable to transmit the two subkeys over separate data connections in order to further improve security.
  • a secure data transmission method known per se for example SSL
  • the authentifiable data together with the associated partial keys can be provided by a server protected against unauthorized access by third parties, on which the secret master key assigned to the digital data is stored.
  • the digital data are then processed on the central server for authentication in accordance with the invention and made available for retrieval via a data connection.
  • a high degree of security is ensured by the fact that the partial keys are generated and the associated master key is stored on the same computer system without security-relevant data being transmitted via interceptable data connections.
  • the above-described method for authenticating digital data makes it possible to clearly authenticate the digital data as the original. This means that digital one-offs are available for provision and distribution via the Internet. Such clearly authenticated digital data are of great advantage when doing business over the Internet (e-commerce). Namely, it is possible to assign a concrete countervalue to authenticatable digital data objects, since an unauthorized copying of the data is impossible. Authenticatable digital data objects with different data contents (pictures, texts, videos, pieces of music etc.) can thus be used as digital objects of value and in particular also as digital collectibles.
  • a disadvantage of the above-mentioned commonly used transmission protocols e.g. FTP
  • the present invention is further based on the object of providing a method with which digital data objects, in particular digital valuables and digital collectibles, are mutually interchangeable between hosts connected to the Internet, with the aim being to ensure that the countervalue linked to the digital data objects reaches the respective recipient.
  • This object is achieved in a method for the mutual exchange of a first digital data object for a second digital data object via a data network, the first data object being transmitted from a first host to a second host and the second data object being transmitted from the second host to the first host, in that the data objects have features on the basis of which they can be authenticated, in particular according to the method described above, the first and the second host communicating via the data network with an authentication server by which the authentication of both data objects is carried out, and wherein the mutual transfer of data objects between the hosts is only carried out after successful authentication of both data objects.
  • the authenticity of the data objects ensures that it can at least be checked whether the respective recipient of a data object is in possession of the authentic original of the data object after transmission.
  • by using an authentication server that is independent of the hosts involved in the mutual exchange of the data objects, and to which a connection is established for authentication via the data network, the trustworthiness of the proof of authenticity is ensured.
  • the fact that the mutual transmission of the data objects is carried out only after the respective authenticity has been successfully established also ensures that the hosts involved receive the desired countervalue when the two data objects are exchanged.
  • both data objects can first be transmitted to the authentication server via the data network, from where, after successful authentication of both data objects, the first data object is transmitted to the second host and the second data object to the first host.
  • the trustworthy authentication server is involved in the exchange process to the extent that both exchange partners can be sure that they will receive the desired authentic original, which in particular prevents the exchange process from remaining incomplete, that is, a merely one-way data transmission without the desired countervalue being transferred in return.
  • a method for the automated implementation of an exchange for digital data objects in which the data objects are offered for exchange by means of an exchange server via a data network, the data objects having features by means of which they can be authenticated, and wherein a mutual transmission of the data objects to the hosts connected to the exchange server via the data network is only carried out after successful authentication of the data objects to be exchanged for one another.
  • an exchange intended for exchanging digital valuables, especially digital collectibles, can be realized on the Internet.
  • Any hosts connected to the data network can connect to the exchange server as exchange partners in order to offer authenticated digital exchange objects for exchange.
  • the exchange server can be, for example, a web server that presents the exchange objects to be exchanged on the Internet.
  • the exchange server can be used to coordinate the exchange offers of different exchange partners, whereupon a mutual transfer of the data objects over the data network is carried out by the exchange server to the corresponding hosts.
  • the fact that the exchange process is linked to the successful authentication of the data objects to be exchanged ensures that each exchange partner receives the desired original of the exchange object.
  • the data objects to be exchanged are each linked to a key which is checked during the authentication process, the key becoming invalid after authentication and being replaced by an updated key. If, according to the invention, there is a mutual exchange of digital data objects linked to keys, it makes sense if the updated key is only transmitted to the destination of the data transmission after authentication. This ensures that only the recipient of a data object is equipped with the key required for authentication after the data transmission.
  • a computer program product with means for transmitting the data objects via the data network and with means for establishing a data connection with an authentication server via the data network is suitable for exchanging authenticatable digital data objects between two hosts connected to a data network, means being provided, by which the authentication process is carried out via the data connection to the authentication server, and means are provided by which the transmission of the data objects is controlled depending on the success of the authentication.
  • Corresponding computer programs can be provided to users on suitable data carriers such as CD-ROMs or floppy disks or can also be downloaded from the Internet.
  • the conventional technologies and protocols customary on the Internet can advantageously be used to implement the means mentioned above.
  • FIG. 1 block diagram of the invention
  • FIG. 2 block diagram of the invention
  • a digital data record 1 is transmitted from a first client 2 to a server 4 via a data connection 3.
  • Data record 1 is stored on server 4.
  • a master key 5 assigned to data record 1 and a partial key 6 are generated, for example as a random number.
  • a partial key 7 is then formed from these two keys. This is done in such a way that the key pair 6, 7 can be clearly assigned to the master key 5.
  • the two keys 6 and 7 then form the two-part key linked to the digital data. Suitable keys are any sequences of numbers or characters or bit sequences of sufficient length.
  • the key 7 is added to the digital data record 1 and transmitted back to the client 2 as a data record 1 'via a data connection 8.
  • the second key 6 is also transferred separately from the digital data record 1 via the data connection 8.
  • a copy of the data record 1' to which the key 7 is attached can now be transmitted via a data connection 9 which exists between the client 2 and a further client 10. If the copy now on the client 10 is to be authenticated as the original, the subkey 6 must also be transmitted to the client 10, for example via a further data connection 11.
  • the digital data record 1' with the attached key 7 and the partial key 6 is then transmitted to the server 4 via a data connection 12. There, the data record 1' is checked to see whether it is identical to the data record 1 stored on the server 4.
  • the transmitted keys 6 and 7 are combined to form a reference key 5 ′′, the correspondence of which is checked with the master key 5 stored on the server 4. If the authentication is successful, the originality of the digital data record 1' is confirmed.
  • the data record 1 is linked with a new partial key 13 and, together with this, is transferred back to the client 10 as a data record 1 ′′ via a data connection 14.
  • the transmission of the likewise updated subkey 15 also takes place via the same data connection 14. Authentication of the digital data record 1 takes place exclusively by means of the updated partial keys 13 and 15.
  • the method according to the invention can be used, for example, for the secure use of so-called chip cards.
  • the authorized user of the chip card receives a partial key, for example as a PIN code. He must remember this or write it down separately from the card.
  • the second partial key is stored on the card chip.
  • authentication is carried out using the stored key together with the PIN code entered by the user. If the authentication is successful, the desired transaction linked to the chip card is carried out.
  • the key stored on the chip card is exchanged for an updated key. In this way it is reliably prevented that transactions linked to the chip card can be carried out by means of unauthorized copies of the card chip.
  • FIG. 2 shows a host 16, a host 17 and an authentication server 18.
  • the two hosts 16, 17 intend to exchange digital data objects 19 and 20 that can be authenticated with one another. These are, for example, image files to which a key 21 or 22 is attached for authentication.
  • Both hosts 16 and 17 transmit the image files 19 and 20 together with the attached keys 21 and 22 to the authentication server 18.
  • the assignment of the keys 21, 22 to the image files 19, 20 and the up-to-dateness of the keys 21, 22 are checked on the authentication server. If it is determined that both data objects 19, 20 are authentic, an updated key 23 is transmitted to the host 16 and an updated key 24 is transmitted to the host 17.
  • the hosts 16 and 17 begin to mutually transmit the data objects 19 and 20.
  • the key 23 received from the authentication server 18 is added to the image file 20 on the host 16; the same thing happens on the host 17. It is then ensured for both exchange partners that an authentic data object 20 or 19 has been received, since the keys required for authenticating the data objects were only transmitted to the destination of the data transmission.
  • the authentication server 18 also functions as a web server on which the automated exchange is carried out.
  • the data objects 19 and 20 are authenticated. If this authentication is successful, the data objects 19 and 20 are presented on a web page 25 of the exchange server 18 and are thus offered for exchange to any exchange partner who has access to the exchange server 18 via the Internet. If a match of exchange offers is found on the exchange server 18, the exchange objects which are provided with updated keys 23 and 24 after the authentication process are transmitted to the hosts 16, 17 concerned. Because authentication takes place on the exchange server 18, it can be guaranteed that each host will have an authenticated original after the exchange process.
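
The key rotation described for FIG. 1 can be sketched as follows. This is an added example, not code from the patent: the class and function names are hypothetical, and two choices are assumptions the text leaves open, namely SHA-256 as the one-way function and XOR as the way the two partial keys combine into the reference key.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # bytes; equals the SHA-256 output size (assumed one-way function)


def _xor(a: bytes, b: bytes) -> bytes:
    # Assumed combination rule: reference key = partial key 6 XOR partial key 7.
    return bytes(x ^ y for x, y in zip(a, b))


class AuthServer:
    """Holds, per data object, its digest, immutable secret and current master key."""

    def __init__(self):
        self._records = {}  # object id -> {"digest", "secret", "master"}

    def _issue(self, rec):
        # Master key: one-way function over the immutable secret and a fresh
        # random component, so a leaked master key does not reveal the secret.
        rec["master"] = hashlib.sha256(
            rec["secret"] + secrets.token_bytes(KEY_LEN)).digest()
        part_a = secrets.token_bytes(KEY_LEN)   # kept apart from the data (key 6)
        part_b = _xor(rec["master"], part_a)    # attached to the data (key 7)
        return part_a, part_b

    def register(self, obj_id: str, data: bytes):
        rec = {"digest": hashlib.sha256(data).digest(),
               "secret": secrets.token_bytes(KEY_LEN)}
        self._records[obj_id] = rec
        return self._issue(rec)

    def authenticate(self, obj_id: str, data: bytes, part_a: bytes, part_b: bytes):
        """Return a fresh (part_a, part_b) pair on success, None on failure."""
        rec = self._records.get(obj_id)
        if rec is None or len(part_a) != KEY_LEN or len(part_b) != KEY_LEN:
            return None
        same_data = hmac.compare_digest(
            hashlib.sha256(data).digest(), rec["digest"])
        same_key = hmac.compare_digest(_xor(part_a, part_b), rec["master"])
        if not (same_data and same_key):
            return None  # a failed attempt leaves the current key set valid
        # Success: the old master key and both partial keys become invalid.
        return self._issue(rec)


def demo():
    server = AuthServer()
    data = b"constructed sample image bytes"  # constructed sample input
    a0, b0 = server.register("obj-1", data)
    first = server.authenticate("obj-1", data, a0, b0)      # original copy
    replay = server.authenticate("obj-1", data, a0, b0)     # stale copy, old keys
    second = server.authenticate("obj-1", data, *first)     # updated key pair
    tampered = server.authenticate("obj-1", data + b"x", *second)
    return (first is not None, replay is None,
            second is not None, tampered is None)


if __name__ == "__main__":
    print(demo())
```

In a concurrent server the check and the rotation have to run as one atomic step per object, otherwise two copies submitted at the same moment could both pass against the same master key.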

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Bioethics (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Collating Specific Patterns (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a method for authenticating digital data, in which the data are linked by means of a two-part key. During the authentication process, the two parts of this key are combined to form a reference key, whose agreement with a master key assigned to the digital data is checked. Once authentication has succeeded, the master key and one or both key parts are declared invalid and new, updated keys are generated. Further authentication of the digital data is then possible only by means of the updated data set. This authentication method is used in particular to implement, in an automated manner, an exchange system on the Internet.
PCT/EP2001/008050 2000-07-12 2001-07-12 Method for authenticating digital data WO2002005069A2 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2001276397A AU2001276397A1 (en) 2000-07-12 2001-07-12 Method for authenticating digital data

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
DE10033854 2000-07-12
DE10033854.2 2000-07-12
DE10054298A DE10054298A1 (de) 2000-07-12 2000-11-02 Method for authenticating digital data
DE10054298.0 2000-11-02
DE10058685.6 2000-11-25
DE10058685A DE10058685A1 (de) 2000-11-25 2000-11-25 Method for exchanging digital data

Publications (2)

Publication Number Publication Date
WO2002005069A2 (fr) 2002-01-17
WO2002005069A3 (fr) 2003-03-13

Family

ID=27213958

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2001/008050 WO2002005069A2 (fr) 2000-07-12 2001-07-12 Method for authenticating digital data

Country Status (2)

Country Link
AU (1) AU2001276397A1 (fr)
WO (1) WO2002005069A2 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3057029A1 (fr) * 2015-02-13 2016-08-17 Thomas Wolf Improved encryption and authentication method and apparatus

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5224163A (en) * 1990-09-28 1993-06-29 Digital Equipment Corporation Method for delegating authorization from one entity to another through the use of session encryption keys
GB9507885D0 (en) * 1995-04-18 1995-05-31 Hewlett Packard Co Methods and apparatus for authenticating an originator of a message
US5872848A (en) * 1997-02-18 1999-02-16 Arcanvs Method and apparatus for witnessed authentication of electronic documents
US7171559B1 (en) * 1998-03-18 2007-01-30 Kent Ridge Digital Labs Method of exchanging digital data
DE19820422A1 (de) * 1998-05-07 1999-11-11 Giesecke & Devrient Gmbh Method for authenticating a chip card within a message transmission network

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3057029A1 (fr) * 2015-02-13 2016-08-17 Thomas Wolf Improved encryption and authentication method and apparatus
US10263780B2 (en) 2015-02-13 2019-04-16 Thomas Wolf Encryption and authentication method and apparatus

Also Published As

Publication number Publication date
WO2002005069A3 (fr) 2003-03-13
AU2001276397A1 (en) 2002-01-21

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP