AGREEMENT OF EXCHANGE KEYS ON THE BASIS OF TWO STATIC ASYMMETRIC KEY PAIRS
20180375649 · 2018-12-27
Assignee
Inventors
- Gabriel Goller (Augsburg, DE)
- Sven BAUER (Vaterstetten, DE)
- Jürgen Pulkus (München, DE)
- Lars HOFFMANN (München, DE)
Cpc classification
- H04L2209/76
- H04L9/0844
- H04L63/062
- H04W12/35
- H04W12/04
- H04L63/0853
- H04L63/0442
International classification
- H04L9/08
- H04W12/04
Abstract
A method for setting up a subscriber identity module for agreeing one or several exchange keys between a subscriber identity module and a provisioning server includes generating the exchange keys on a production server from keys of the provisioning server and of the subscriber identity module, transmitting them into the subscriber identity module and storing them there, so that the subscriber identity module is put into a state as though it had generated the exchange keys itself. In a method for agreeing one or several exchange keys between a subscriber identity module and a provisioning server, the subscriber identity module sends its public key to the provisioning server, which subsequently generates the exchange keys.
Claims
1.-12. (canceled)
13. A method for setting up a subscriber identity module for the agreement of one or several exchange keys, between a subscriber identity module and a provisioning server, proceeding from asymmetric key data, the asymmetric key data comprising an individual static asymmetric key pair of the subscriber identity module, comprising a private key and a public key, and a static asymmetric key pair of the provisioning server, comprising a private key and a public key, the method comprising the steps of: a) generating the asymmetric key pair individual for the subscriber identity module, comprising the public key and the private key; b) generating the asymmetric key pair of the provisioning server, comprising the public key and the private key; c) generating said one or several exchange keys employing the private key of the subscriber identity module and the public key of the provisioning server; wherein step a) and step c) are performed on a production server, and the method comprises the further step of: d) transmitting and storing the one or several exchange keys generated in step c) on the production server into the subscriber identity module, so that the subscriber identity module is particularly put into a state as though it had generated the exchange keys itself.
14. The method according to claim 13, wherein step c) comprises the partial steps of: c1) generating a secret employing the private key of the subscriber identity module and the public key of the provisioning server; c2) optionally generating or supplying a random nonce; c3) generating the exchange keys proceeding from the secret and the nonce, where applicable.
15. The method according to claim 13, wherein step b) is performed either on the production server, and wherein at least the private key generated in step b) is supplied to the provisioning server, or is performed on the provisioning server, and wherein at least the public key generated in step b) is supplied to the production server.
16. The method according to claim 13, wherein step d) further comprises: transmitting and storing the public key of the subscriber identity module into the subscriber identity module.
17. The method according to claim 16, wherein step d) comprises: transmitting and storing the public key by directly transmitting and storing the public key, and optionally transmitting and storing additional authentication information which permits an authentication of the public key stored in the subscriber identity module.
18. The method according to claim 16, further comprising the step of: generating a certificate over the public key of the subscriber identity module by signing the public key of the subscriber identity module; wherein step d) comprises: transmitting and storing the public key by transmitting and storing the certificate.
19. The method according to claim 16, wherein for the agreement of one or several exchange keys, between a subscriber identity module and a provisioning server, proceeding from asymmetric key data, the method comprising the steps of: e) supplying a subscriber identity module set up and establishing a communication connection between the subscriber identity module and the provisioning server; f) transferring the public key of the subscriber identity module from the subscriber identity module to the provisioning server; g) in the provisioning server receiving the public key of the subscriber identity module and identifying the subscriber identity module by means of the received public key; h) in the provisioning server supplying the private key of the provisioning server; i) in the provisioning server generating the one or several exchange keys employing the public key of the subscriber identity module and the private key of the provisioning server.
20. The method according to claim 19, wherein step c) comprises the partial steps of: c1) generating a secret employing the private key of the subscriber identity module and the public key of the provisioning server; c2) optionally generating or supplying a random nonce; c3) generating the exchange keys proceeding from the secret and the nonce, where applicable; wherein if a nonce is used, step f) further comprises: transferring said nonce from the subscriber identity module to the provisioning server; and step i) comprises the partial steps of: i1) generating the secret employing the public key of the subscriber identity module and the private key of the provisioning server; i2) generating the exchange key proceeding from the secret and the nonce, where applicable.
21. The method according to claim 13, wherein the asymmetric key data are destroyed, in particular deleted, after generating the one or several exchange keys.
22. The method according to claim 14, wherein the secret is destroyed, in particular deleted, after generating the one or several exchange keys.
23. A transmission method, wherein data are encrypted with exchange keys and the encrypted data are transmitted between a subscriber identity module and a provisioning server, wherein the exchange keys have been generated with a method according to claim 13.
24. The method according to claim 13, wherein Diffie-Hellman key pairs are provided as asymmetric key pairs, in particular a Diffie-Hellman key pair of the subscriber identity module and a Diffie-Hellman key pair of the provisioning server.
Description
BRIEF DESCRIPTION OF THE DRAWINGS
[0045] In the following the invention will be explained in more detail on the basis of embodiment examples and with reference to the drawing, in which there is shown:
DETAILED DESCRIPTION OF EMBODIMENT EXAMPLES
[0048] The production server ProdS is located at a manufacturer of subscriber identity modules and personalizes them, for example by programming into the respective subscriber identity module SIM its individual International Mobile Subscriber Identity (IMSI), its individual authentication key Ki and data of this kind. The invention assumes that the production server ProdS currently has the task of programming one specific subscriber identity module SIM; for several subscriber identity modules SIM, the method would in principle be repeated for each of them.
[0049] According to the invention, additional production steps are performed within the scope of the production of the subscriber identity module SIM which are not performed in conventional production. Here, the subscriber identity module SIM is programmed with additional data which, later, when the subscriber identity module SIM is in the field and logs into a communication network (mobile communication network), will give the subscriber identity module SIM the appearance of being set up for performing computations in accordance with an asymmetric crypto-algorithm, for example a Diffie-Hellman key agreement method.
[0050] In a step 0 an asymmetric, for example Diffie-Hellman, key pair is generated by the provisioning server OTA S which is intended to send encrypted data to the subscriber identity module SIM later on, when the subscriber identity module SIM is in the field, said asymmetric key pair comprising a public key PubK(OTA) and a private key PrivK(OTA).
[0051] In a step 1, the provisioning server OTA S supplies the public key PubK(OTA) to the production server ProdS, or the production server ProdS retrieves the key PubK(OTA) from the provisioning server OTA S (pseudo command GET).
[0052] In a step 2 the production server ProdS generates (CREATE) an individual asymmetric, for example Diffie-Hellman, key pair for the subscriber identity module SIM, said asymmetric key pair comprising an individual public key PubK(SIM) and an individual private key PrivK(SIM), which are individual for the subscriber identity module SIM. Further, the production server ProdS generates (CREATE) a random nonce N.
[0053] In a step 3 the production server ProdS generates (CREATE) a secret Z, which is likewise individual for the subscriber identity module SIM, from the public key PubK(OTA) of the provisioning server OTA S and the private key PrivK(SIM) of the subscriber identity module SIM. The secret Z is computed for example according to the C(0e, 2s) key agreement scheme, as described in document [1] NIST SP 800-56Ar2, chap. 6.3.
[0054] In a step 4 the production server ProdS generates (CREATE) the exchange keys K for the subscriber identity module SIM, which are likewise individual for the subscriber identity module SIM, from the secret Z and the nonce N. Further, by signing the public key of the subscriber identity module SIM, the production server ProdS generates a certificate Cert(PubK(SIM)), or briefly Cert(...). By means of the certificate Cert(...) the provisioning server OTA S can verify later whether the exchange keys K of the subscriber identity module SIM actually come from a permissible production site and have not been generated by an attacker himself. Optionally, the production server ProdS also generates at this point a symmetric key k for the encrypted exchange of other data, for example accompanying data. The symmetric key k is mentioned for the sake of completeness and is not essential to the invention.
[0055] In a step 5, the necessary data are transmitted from the production server ProdS to the subscriber identity module SIM. In particular, the exchange keys K, the nonce N and the certificate Cert(PubK(SIM)) are transmitted. By transmitting the certificate, the public key PubK(SIM) is transmitted implicitly to the subscriber identity module SIM. Optionally, the public key PubK(SIM) can be transmitted explicitly in addition. Optionally, the symmetric key k is transmitted as well, where applicable.
[0056] In a step 6, the following data are stored in the subscriber identity module SIM: the exchange keys K, the nonce N, the public key PubK(SIM) (now explicitly, i.e. outside of the certificate, for which purpose the public key PubK(SIM) has previously been extracted from the certificate Cert(...), where applicable), and the certificate Cert(...). Optionally, the symmetric key k is stored in the subscriber identity module SIM, where applicable. The data stated are stored in a persistent, non-volatile memory of the subscriber identity module SIM. In the production server ProdS, the public key PubK(SIM) and the private key PrivK(SIM) of the asymmetric key pair of the subscriber identity module SIM, as well as the public key PubK(OTA) of the provisioning server OTA S, are deleted at any desired time after the generation of the secret Z.
[0057] In step 7, the subscriber identity module SIM is put into the field. For this purpose, the subscriber identity module SIM is passed to a merchant or end user, for example. It is irrelevant whether the subscriber identity module SIM is put into the field as a plug-in module, i.e. SIM card or USIM card, etc., or as a firmly implemented, embedded eUICC or integrated iUICC, already together with a terminal. In the case of a plug-in module, the subscriber identity module SIM is inserted in a terminal (e.g. smart phone) in addition.
[0058] In a step 8, by means of the terminal in which it is operated, the subscriber identity module SIM contacts the provisioning server OTA S to retrieve data. In this case, the subscriber identity module SIM sends to the provisioning server OTA S, in unencrypted plain text form (PLAIN), its public asymmetric key PubK(SIM), the certificate Cert(...) over its public asymmetric key PubK(SIM) and the nonce N.
[0059] In a step 9, the provisioning server OTA S verifies the certificate Cert(...) received from the subscriber identity module SIM and thereby verifies the public asymmetric key PubK(SIM) of the subscriber identity module SIM. If the verification fails, the method of key agreement ends here, and can be restarted, where applicable. If the verification of the asymmetric key PubK(SIM) of the subscriber identity module SIM is successful, the method of key agreement is continued with step 10.
[0060] In step 10, the provisioning server OTA S generates the secret Z from the public asymmetric key PubK(SIM) received from the subscriber identity module SIM and its own private asymmetric key PrivK(OTA). From the self-generated secret Z and the nonce N received from the subscriber identity module SIM, the provisioning server OTA S generates (CREATE) the exchange keys K. Now the provisioning server OTA S has the exchange keys K for encrypted data exchange with the subscriber identity module SIM, as if the subscriber identity module SIM itself had performed a key agreement method such as Diffie-Hellman.
[0061] In a step 11, the provisioning server OTA S sends to the subscriber identity module SIM encrypted provisioning data PrDat that are encrypted with an encryption key from the exchange keys K. If necessary, authentications are performed with authentication keys from the exchange keys K. If necessary, the subscriber identity module SIM sends to the provisioning server OTA S encrypted data which are likewise encrypted with an encryption key from the exchange keys K.
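The flow of steps 0 to 10, as an added example that is not from the patent: a toy 127-bit finite-field Diffie-Hellman group stands in for the real group, a SHA-256 counter-mode KDF for the derivation of K from Z and N, and an HMAC under a production-site key that OTA S also holds stands in for the signature-based certificate Cert(PubK(SIM)); these substitutions and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (constructed for the example, not from the patent):
# a 127-bit Mersenne prime so the code runs offline with the standard library.
# Far too small for real use; a deployment would use a standardized group.
P = (1 << 127) - 1
G = 3

def dh_keypair():
    """Generate a static asymmetric (Diffie-Hellman) key pair (priv, pub)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def derive_exchange_keys(z, nonce):
    """Step 4 / step i2: exchange keys K = (encryption key, authentication key)
    from the secret Z and nonce N, via a SHA-256 counter-mode KDF (assumption)."""
    z_bytes = z.to_bytes(16, "big")
    enc_key = hashlib.sha256(b"\x00\x00\x00\x01" + z_bytes + nonce).digest()
    auth_key = hashlib.sha256(b"\x00\x00\x00\x02" + z_bytes + nonce).digest()
    return enc_key, auth_key

def production_personalize(pub_ota, site_key):
    """Steps 2 to 6 on ProdS: create the SIM key pair and nonce N, compute Z by
    static-static DH (C(0e, 2s)), derive K, issue Cert, and return only what
    the SIM stores. PrivK(SIM) and Z never leave this function."""
    priv_sim, pub_sim = dh_keypair()
    nonce = secrets.token_bytes(16)
    z = pow(pub_ota, priv_sim, P)
    keys = derive_exchange_keys(z, nonce)
    # Stand-in for the certificate over PubK(SIM): HMAC under the site key.
    cert = hmac.new(site_key, pub_sim.to_bytes(16, "big"), hashlib.sha256).digest()
    del priv_sim, z  # step 6: asymmetric key data and Z deleted on ProdS
    return {"K": keys, "N": nonce, "PubK_SIM": pub_sim, "Cert": cert}

def ota_key_agreement(plain_msg, priv_ota, site_key):
    """Steps 9 and 10 on OTA S: verify Cert over the received PubK(SIM); on
    failure end here (None), otherwise recompute Z with PrivK(OTA) and K."""
    pub_sim, cert, nonce = plain_msg
    expected = hmac.new(site_key, pub_sim.to_bytes(16, "big"), hashlib.sha256).digest()
    if not hmac.compare_digest(cert, expected):
        return None
    z = pow(pub_sim, priv_ota, P)
    return derive_exchange_keys(z, nonce)

def run_protocol(site_key=b"constructed production-site key"):
    """Run both sides and return (K held by the SIM, K derived by OTA S)."""
    priv_ota, pub_ota = dh_keypair()                    # step 0 on OTA S
    sim = production_personalize(pub_ota, site_key)     # step 1: PubK(OTA) to ProdS; steps 2-6
    plain = (sim["PubK_SIM"], sim["Cert"], sim["N"])    # step 8: sent as PLAIN
    return sim["K"], ota_key_agreement(plain, priv_ota, site_key)
```

In the field the SIM holds only K, N, PubK(SIM) and Cert, so it performs no asymmetric computation, and an attacker who reads these values from the module still cannot derive K without PrivK(OTA).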
CITED PRIOR ART
[0062] [1] NIST SP 800-56Ar2, NIST Special Publication 800-56A Revision 2, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography
[0063] [2] WO 2015/124371 A1