Method of generating a public key for an electronic device and electronic device

09832018 · 2017-11-28

Abstract

A method for generating a public key for an electronic device is provided, wherein the method comprises generating a public key 103 based on a private key and a unique identifier associated with the electronic device 200.

Claims

1. A method for generating a public key for an electronic device, the method comprising: receiving a unique serial number from the electronic device, wherein a private key is chosen for the unique serial number; generating a public key based on both the private key and the received serial number, wherein the received serial number diversifies a primary base point; storing the generated public key, the unique serial number, and a certificate in a memory in the electronic device; and authenticating the electronic device by sending the stored public key, the stored serial number, and the stored certificate to a reader, wherein the reader is configured to verify the certificate.

2. The method according to claim 1, further comprising: generating a secondary base point based on both the primary base point and the unique serial number.

3. The method according to claim 1, wherein the primary base point is a base point over a prime field or elliptic curves.

4. The method according to claim 1, further comprising: calculating a secondary base point g′ according to $g' = g^{ID}$, wherein ID denotes the unique serial number, and g denotes the primary base point; and calculating the public key y according to $y = (g')^{x}$, wherein y denotes the public key and x denotes the private key.

5. The method according to claim 1, further comprising: authenticating the electronic device by using an asymmetric proof algorithm.

6. The method according to claim 5, wherein the asymmetric proof algorithm is a Zero Knowledge Proof of Knowledge algorithm.

7. The method according to claim 6, wherein the Zero Knowledge Proof of Knowledge algorithm is an ElGamal type encryption scheme.

8. The method of claim 1, wherein the primary base point is defined by a manufacturer.

9. The method of claim 1, further comprising: determining whether $(g')^{resp}$ matches $(g')^{r} \cdot y^{c}$.

10. The method of claim 9, further comprising: when $(g')^{resp}$ matches $(g')^{r} \cdot y^{c}$, authenticating the electronic device.

11. The method of claim 1, wherein the electronic device is a security token.

12. The method of claim 11, wherein the security token is a smart card.

13. The method of claim 11, wherein the security token is a USB security token.

14. A non-transitory computer-readable medium, in which a computer program is stored which, when being executed by a processor, authenticates an electronic device, the non-transitory computer readable medium comprising: instructions for receiving a unique serial number from the electronic device, wherein a private key is chosen for the unique serial number; instructions for generating a public key based on both the private key and the received serial number, wherein the received serial number diversifies a primary base point; instructions for storing the generated public key, the unique serial number, and a certificate in a memory in the electronic device; and instructions for authenticating the electronic device by sending the stored public key, the stored serial number, and the stored certificate to a reader, wherein the reader is configured to verify the certificate.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) The invention will be described in more detail hereinafter with reference to examples of embodiment, to which the invention is, however, not limited.

(2) FIG. 1 schematically illustrates a flow chart of an authentication method according to an exemplary embodiment.

(3) FIG. 2 schematically illustrates a security token.

DESCRIPTION OF EMBODIMENTS

(4) The illustration in the drawing is schematic. In different drawings, similar or identical elements are provided with the same reference signs.

(5) In the following an authentication method 100 based on a Zero Knowledge Proof of Knowledge protocol according to an exemplary embodiment will be described in more detail with reference to the flow chart of FIG. 1.

(6) In a first step 101 a manufacturer defines a primary base point g of a mathematical group G, e.g. on an elliptic curve. In a next step 102 a private key x is chosen for every security token A having a serial number ID. Afterwards a public key y is calculated 103 according to $g' = g^{ID}$ and $y = (g')^{x}$, wherein g′ represents a secondary base point which is unique for every security token, since ID is unique for every security token. Then the serial number ID, the public key y and a certificate for y are stored on the security token 104. The certificate may be issued for example by the security token's manufacturer or any other trusted third party in the authentication system.

(7) For authentication the security token A sends its serial number ID, its public key y and the certificate to a reader B 105. The reader B verifies the certificate 106 and in case of a valid certificate B computes $g' = g^{ID}$ 107 as the base point for the following protocol. In case the certificate is not valid the authentication method aborts 113. Furthermore, A chooses a number r, computes $(g')^{r}$ and sends the result to the reader B 108. After receiving the result of $(g')^{r}$, B randomly chooses a challenge c and sends the challenge c to the security token A 109. Then A computes

$$resp = (r + c \cdot ID \cdot x) \bmod n,$$

(8) wherein n is the order of the mathematical group G, and sends resp to B 110. In a next step B verifies the response resp by checking whether $(g')^{resp}$ equals $(g')^{r} \cdot y^{c}$ 111. In case the verification is positive the security token A is authentic 112. In case the verification is not positive the security token A is not authentic 113.
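The protocol of FIG. 1 over a diversified base point, as an added Python example that is not part of the patent text; class and function names are hypothetical. It assumes a constructed toy prime-field group (p = 2039, n = 1019, g = 4, far too small for real use), leaves out the certificate check of step 106, and computes the response as (r + c·x) mod n, the form for which the check $(g')^{resp} = (g')^{r} \cdot y^{c}$ holds when $y = (g')^{x}$; the formula above carries an additional factor ID.

```python
import secrets

# Constructed toy group, NOT a secure size: p = 2q + 1, g = 4 has prime order n = q.
P, Q, G = 2039, 1019, 4

def diversify(serial: int) -> int:
    """Secondary base point g' = g^ID (steps 103 and 107)."""
    e = serial % Q
    if e == 0:  # g' would be the identity element of the group
        raise ValueError("serial number maps to the identity element")
    return pow(G, e, P)

class Token:
    """Holds ID, y and the private key x; names are hypothetical."""
    def __init__(self, serial: int, x: int, y: int):
        self.serial, self.y, self._x, self._r = serial, y, x, None

    def commit(self) -> int:  # step 108: choose r, send g'^r
        self._r = secrets.randbelow(Q - 1) + 1
        return pow(diversify(self.serial), self._r, P)

    def respond(self, c: int) -> int:  # step 110
        if self._r is None:
            raise RuntimeError("no fresh commitment: r must never be reused")
        r, self._r = self._r, None
        return (r + c * self._x) % Q  # assumed form, see lead-in

def personalise(serial: int) -> Token:
    """Manufacturer side (steps 102-104): choose x, compute y = g'^x."""
    x = secrets.randbelow(Q - 1) + 1
    return Token(serial, x, pow(diversify(serial), x, P))

def run_protocol(token: Token) -> bool:
    """Reader side (steps 105-112); certificate check 106 is assumed done."""
    serial, y = token.serial, token.y
    if not (1 < y < P and pow(y, Q, P) == 1):  # y must lie in the order-n subgroup
        return False
    g_prime = diversify(serial)              # step 107
    t = token.commit()                       # step 108
    c = secrets.randbelow(Q - 1) + 1         # step 109: fresh nonzero challenge
    resp = token.respond(c)                  # step 110
    return pow(g_prime, resp, P) == (t * pow(y, c, P)) % P  # step 111

if __name__ == "__main__":
    genuine = personalise(0x1234)            # constructed serial number
    print("genuine token accepted:", run_protocol(genuine))
```

A token that presents a copied ID and y but holds a different x fails step 111 for every nonzero challenge, which is why the reader must draw c fresh for each run.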

(9) An algorithm according to an exemplary embodiment may be used in every system where a serial number infrastructure exists and a strong cryptographic proof of authenticity is needed. Assuming a token reader system where every security token is equipped with a unique 8 byte serial number, an actual implementation may have the following steps:

(10) A manufacturer of the security tokens defines a cryptographic system based on elliptic curves, i.e. the manufacturer publishes the parameters of an elliptic curve, a base point g and its public key for certificate verification. To have a reasonable level of security, parameters of 160 bits may be chosen. Elliptic curve cryptography using 160 bits is typically considered to be even good enough for qualified digital signatures. Thus, it may be possible to choose even shorter values than 160 bits, since the security level may not need to be so high. In both security tokens and readers, an algorithm to perform point multiplication on elliptic curves may be implemented.

(11) For every security token the manufacturer may generate a Unique Identification (UID) and a secret key x, may compute or generate a public key $y = g^{UID \cdot x}$ and may issue a certificate for y, i.e. the manufacturer signs y with his own private key. Assuming 8 bytes for the UID and a very high security level of 160 bits, the secret key may have 96 bits and the corresponding key may have 160 bits.

(12) Whenever an entity wants to prove the originality of the security token, the entity performs the protocol described with reference to the flow chart shown in FIG. 1. If the security token passes the test, it is original; if it fails, then it is not. The protocol is correct since an attacker who can properly reply to every challenge c “knows” the private exponent.

(13) FIG. 2 schematically illustrates a security token. Such a security token may be a smart card or a USB security token. In particular, FIG. 2 schematically shows a USB security token 200. The USB security token 200 comprises an interface portion 201 adapted to be plugged into a USB port of a reading device and a body 202 forming a housing for integrated circuits being part of the security token 200. In particular, a memory 203 is schematically depicted in FIG. 2 in which a private key, a base point for an authentication algorithm, a public key, a certificate for the public key, a serial number UID, and further data may be stored.

(14) Finally, it should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be capable of designing many alternative embodiments without departing from the scope of the invention as defined by the appended claims. In the claims, any reference signs placed in parentheses shall not be construed as limiting the claims. The words “comprising” and “comprises”, and the like, do not exclude the presence of elements or steps other than those listed in any claim or the specification as a whole. The singular reference of an element does not exclude the plural reference of such elements and vice-versa. In a device claim enumerating several means, several of these means may be embodied by one and the same item of software or hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.