Control of a Motor Vehicle
20220030426 · 2022-01-27
Inventors
Cpc classification
H04L9/0844
ELECTRICITY
H04L9/3066
ELECTRICITY
International classification
H04L9/08
ELECTRICITY
H04L9/30
ELECTRICITY
H04L9/32
ELECTRICITY
Abstract
A motor vehicle stores a first one-way hash of a password and an encrypted value from a second one-way hash of the password. A method for authenticating a device with respect to the vehicle includes the following: a PACE procedure is carried out so that the device and the motor vehicle determine the same session key; the motor vehicle generates a communication key on the basis of the session key and the encrypted one-way hash; and the device generates the communication key based on the session key and the second one-way hash.
Claims
1.-9. (canceled)
10. A method for authenticating an appliance to a motor vehicle, wherein the motor vehicle stores a first one-way hash of a password, and an encrypted value from a second one-way hash of the password, the method comprising: performing a PACE method in order for the appliance and the motor vehicle to determine a same session key; generating, by the motor vehicle, a communication key based on the session key and the encrypted value; and generating, by the appliance, the communication key based on the session key and the second one-way hash.
11. The method according to claim 10, wherein the second one-way hash is encrypted with respect to a predetermined base point of an encryption system.
12. The method according to claim 10, wherein the appliance is linked to the motor vehicle if encrypted communication based on the communication key is possible.
13. The method according to claim 10, wherein encryption is performed based on elliptic curves.
14. The method according to claim 10, wherein the appliance comprises a mobile appliance.
15. The method according to claim 10, wherein the appliance comprises a personal appliance associated with a predetermined user.
16. A device on board a motor vehicle, wherein the device is configured to: store a first one-way hash of a password and an encrypted value from a second one-way hash of the password; perform a PACE method with an appliance in order to determine a session key; generate a communication key based on the session key and the encrypted value; and conduct communication with the appliance that is encrypted based on the communication key.
17. A motor vehicle, comprising the device according to claim 16.
18. An appliance that is configured to: perform a PACE method with a device on board a motor vehicle in order to determine a session key; and determine a communication key based on the session key and a one-way hash of a password used for the PACE method.
Description
BRIEF DESCRIPTION OF THE DRAWINGS
[0022]
[0023]
DETAILED DESCRIPTION OF THE DRAWINGS
[0024]
[0025] The device 115 and the appliance 110 are designed to communicate with one another via a preferably wireless interface 130, for which purpose the device 115 may in particular use the transmission device 120. The interface 130 may be restricted to transmission in a predetermined short range, for example at a distance of typically around 10 meters between the motor vehicle 105 and the appliance 110. In a further variant, the interface may be designed to communicate with the appliance 110 in an interior of the motor vehicle 105.
[0026] The appliance 110 is preferably associated with a user 135 and may more preferably comprise a mobile appliance that is designed for mobile use, for example in the form of a mobile telephone, smartphone, tablet computer or laptop computer. The user 135 may be associated with the motor vehicle 105, for example as driver, passenger, owner, renter or lessee.
[0027] Communication between the appliance 110 and the device 115 should take place in encrypted form, wherein the encryption should depend on a password that is known to the appliance 110—in particular to the user 135. It is furthermore preferable for information about the password not to be stored in any form in the device 115 from which an attacker could use algorithms to reconstruct the password.
[0028] A method described herein may be used to set up encrypted communication. In one embodiment, the appliance 110 may thereby be authenticated to the device 115, or the user 135 may be authenticated to the motor vehicle 105. The use of a function may be enabled only after successful authentication.
[0029]
[0030] Use is made below of a formula syntax in which a lower-case Latin letter corresponds to a number and an upper-case Latin letter corresponds to a point on an elliptic curve that is used for encryption or decryption. A randomly selected character string for increasing entropy when forming a one-way hash is also referred to as a salt and abbreviated here as s.
[0031] By way of example, the left-hand side of
[0032] A first section 205 of the method 200 relates to the provisioning, that is to say the storage of information that is required for subsequent authentication between the communication partners 110 and 115. A second section 210 relates to the negotiation or creation of an encrypted communication connection between the appliance 110 and the device 115. Both sections 205, 210 may also be understood to be stand-alone methods.
[0033] With reference to the first section 205, in a step 215, it is possible to determine a password p that the user 135 should use subsequently for authentication. The user 135 may select an arbitrary password p or a password p may be proposed and be able to be accepted by the user 135. The password p preferably comprises a string of in particular alphanumeric characters that the user 135 may note and input into the appliance 110 by way of a real or virtual keypad. An operation * represents a multiplication of a number by a point on an elliptic curve, and an operation · represents a multiplication of two numbers. ⊕ denotes an addition and ⊖ denotes a subtraction on elliptic curves.
[0034] In a step 220, on the basis of the password, a first one-way hash x=H(s,p) may be determined by way of a first one-way hash function H and a second one-way hash y=G(s,p) may be determined by way of a second one-way hash function G. The second one-way hash y is preferably encrypted by way of a selected generator or base point G: V=y*G. These operations may be performed by the appliance 110 or by an external entity that is preferably not located on board the motor vehicle 105. In a step 225, x and V, the salt s, and an identification I of the user 135 are preferably stored in the device 115.
[0035] With reference to the second section 210, a PACE (Password Authenticated Connection Establishment) method, known per se, is first of all performed in steps 230 to 260 and comprises an authentication and a secure key exchange in order to set up a cryptographically secure communication connection. The PACE method is described in more detail in technical guideline TR-03110 of the German Federal Office for Information Security (BSI). PACE belongs to the family of Password Authenticated Key Exchange (PAKE) protocols. The subsequent steps 265 to 275 of the second section 210 give rise overall to an enhanced (augmented) PAKE method, which is also referred to herein as PACE+.
[0036] Considered in more detail, in a step 230, the appliance 110 may select and encrypt a random number a: A=a*G. The encrypted random number A is preferably transmitted, together with a salt s, to the device 115. In the opposite direction, the device 115 may select and encrypt a random number b: B=b*G. The encrypted random number B is preferably transmitted, together with a salt s, to the appliance 110. The received information on both sides may be mapped to a generator of the mathematical group that is used: T=a*B=(a·b)*G=(b·a)*G=b*A.
[0037] In a step 250, the actual key exchange preferably takes place. To this end, the user 135 may enter the password p into the appliance 110 and the one-way hash x=H(s,p) may be determined. A selected random number c may be encrypted on the basis of x: C=Enc_x(c). The encrypted random number C may then be transmitted to the device 115 on board the motor vehicle 105.
[0038] The device 115 may decrypt the received random number: c=Dec_x(C). In this case, use is made of a decryption Dec_x that corresponds to the encryption Enc_x and is based on the one-way hash x. The device 115 and the appliance 110 may then each determine a temporary generator point D: D=c*G⊕T. On the basis of D, it is then possible to come to a Diffie-Hellman agreement.
[0039] The appliance 110 may determine a further random number e that is able to be encrypted with D: E=e*D. The device 115 may determine a further random number f that is able to be encrypted with D: F=f*D. The determined encrypted random numbers E and F are then preferably transmitted to the respective other communication partner, that is to say E is transmitted from the appliance 110 to the device 115 and F is transmitted from the device 115 to the appliance 110. The device 115 may then determine a first communication key K_H=e*F=(e·f)*D and the appliance 110 may determine a second communication key K_U=f*E=(f·e)*D. It holds true in this case that: K=K_U=K_H.
[0040] Should it not be possible at the receiver to decrypt a message encrypted by way of K and transmitted between the communication partners 110, 115, then the second section 210 of the method 200 is generally considered to have failed and may be terminated or restarted.
[0041] Following the PACE method of steps 230 to 260, in a step 265, the device 115 may form a communication key sk=H(x,T,D,K,b*V). This is possible because, in the first section 205, b and V were stored in the device 115. The appliance 110 may form a communication key sk=H(x,T,D,K,y*B). To this end, the appliance 110 may use the encrypted random number B from the Diffie-Hellman key exchange.
[0042] The two communication keys sk that are formed are identical, since it holds true that: y*B=y*(b*G)=(y·b)*G=(b·y)*G=b*(y*G)=b*V.
[0043] These additional operations convert the known PACE method into an enhanced PAKE protocol, since the device 115 uses only V, while the appliance 110 requires the unencrypted value y that has to be formed on the basis of the key p.
[0044] In a following step 275, communication may be performed between the device 115 and the appliance 110 on the basis of the communication key sk. If this is not possible, then the second section 210 of the method 200 may be considered to have failed. The communication may comprise setting up a connection, which is also referred to as session, wherein the process of connecting may also be referred to as pairing.
[0045] The complexity of the proposed second section 210 of the method 200 is negligible. The device 115 needs to perform six scalar multiplications or four scalar multiplications and one bilinear scalar multiplication in order to determine the communication key sk. The outlay for the appliance 110 is the same.
REFERENCE SIGNS
[0046] 100 system
[0047] 105 motor vehicle
[0048] 110 appliance, mobile appliance
[0049] 115 device
[0050] 120 transmission device
[0051] 125 processing device
[0052] 130 interface
[0053] 200 method
[0054] 205 first section
[0055] 210 second section
[0056] 215 determine password
[0057] 220 determine hashes
[0058] 225 store hashes
[0059] 230 determine, encrypt and transmit nonce
[0060] 235 decrypt
[0061] 240 map nonce to generator
[0062] 245 map nonce to generator
[0063] 250 Diffie-Hellman key exchange
[0064] 255 derive session key
[0065] 260 derive session key
[0066] 265 derive communication key
[0067] 270 derive communication key
[0068] 275 communication/pairing