Patent Application
20110035588
Encoding method and encoding device for securing a counter reading of a counting unit against subsequent manipulation, and also verification method and verification device for verifying the authenticity of a counter reading of a counting unit
The invention relates to an encoding method in accordance with the preamble of claim 1 and a verification method for verifying the authenticity in accordance with the preamble of claim 10. In addition the invention relates to an encoding device in accordance with the preamble of claim 17 and a verification device in accordance with the preamble of claim 25.
Present-day counting devices, such as the odometer in an automobile or energy consumption meters for example, are susceptible to manipulation of the counter reading. This problem applies equally to mechanical and electronic counters.
In the case of an odometer in an automobile, the value of the automobile is increased by subsequently reducing the kilometer reading. With regard to leasing contracts, the leasing costs are reduced by means of such manipulation. Even though mechanisms capable of detecting such manipulation of the kilometer reading are used in some luxury class modern automobiles, it does nevertheless appear to be possible at the present time to change the kilometer reading on the majority of automobiles in such a manner that a specialist workshop is unable to detect this action.
Protection against manipulation is thus known for example whereby such manipulation is rendered more difficult through storage of the current kilometer reading at different storage locations and/or in a plurality of electronic control units in an automobile. This is because all storage locations need to be known in order to allow manipulation.
A further approach offering protection against manipulation actions can be implemented in that in the case of a write access to a storage area in which the current kilometer reading is to be stored said storage area is protected by an authentication method. In this situation, some secret information, a password or a key for example, is stored inside the vehicle. This approach fails amongst other things due to the fact that there is currently no physically secure storage area present in an automobile for the secure storage of secret information.
The document DE 101 13 317 A1 describes a method for the detection of errors when reading data out of a storage area. To this end, when the data is stored a check sum is generated by summing individual data words from the data and from this check sum a check word is generated by means of a predefined algebraic operation. When the stored data is read, a check sum is formed by summing the data words read and from this check sum a check word is likewise generated by means of the predefined algebraic function. This check word generated during reading is compared with the associated check word generated during storing, whereby an error is detected in the stored data in the event of any discrepancy between the two check words.
The object of the invention is to set down a method for securing a counter reading of a counting unit against subsequent manipulation, which can be implemented in a simple and cost-effective manner.
This object is achieved on the basis of the encoding method in accordance with the preamble of claim 1 by its characterizing features and also on the basis of the verification method in accordance with the preamble of claim 10 by its characterizing features. In addition, this object is achieved on the basis of the encoding device in accordance with the preamble of claim 17 by its characterizing features and also on the basis of the verification device in accordance with claim 25 by its characterizing features.
The invention relates to an encoding method for securing a counter reading of a counting unit against subsequent manipulation consisting, when the counter reading is incremented or decremented by one count unit, in activating the calculation of a new encoded counter reading and determining the new encoded counter reading by applying a forward chained one-way function to an encoded counter reading, whereby a range of the forward chained one-way function is contained in the domain of the forward chained one-way function.
By using the encoding method according to the invention it is possible to detect almost any subsequent manipulation to an earlier value because the encoded counter reading associated with the earlier counter reading needs to be set at the same time. As a result of the forward chained one-way function generation of the new encoded counter reading can be performed in a simple manner but a reversal of this processing step cannot be implemented in practical terms. The encoding method according to the invention thus prevents any subsequent manipulation of the counter reading whilst being simultaneously simple to manage.
By preference, the forward chained one-way function is selected from a set of available forward chained one-way functions. As a result, manipulation of the counter reading is made more difficult and security is thus increased. Furthermore, manipulation is made yet more difficult by the random selection of the forward chained one-way function.
If preferably before the counter reading is incremented or decremented for a first time the counter reading is preset to an initial counter reading and/or the encoded counter reading is preset to an encoded initial counter reading, whereby the encoded initial counter reading is selected from the domain of the forward chained one-way function, then the counter reading is additionally secured against manipulation. This is because as a result of the particularly random selection of the encoded initial counter reading any transfer of counter readings and encoded counter readings for one combined odometer from another combined odometer can be detected as manipulation.
In an extension of the method according to the invention, the encoded initial counter reading is generated as a function of some personalized information. Manipulation is thus made more difficult, for example, because the personalized information for example needs to be known in order to ascertain the encoded initial counter reading.
In a variant of the encoding method according to the invention, by applying the forward chained one-way function to the encoded initial counter reading an encoded final counter reading is generated for verifying the authenticity of the counter reading, whereby the forward chained one-way function is applied c times. Manipulation of the counter reading is made more difficult by this means because it is almost impossible to ascertain the encoded initial counter reading from the encoded final counter reading and to use it to generate a new encoded counter reading. Furthermore, the encoded final counter reading can advantageously be stored in unencrypted form. In this way it is possible both to reduce the resource requirement for managing the encoded final counter reading and also to avoid costs for a secure storage module for storing the encoded final counter reading.
If, according to a further embodiment, some authentication information is additionally generated for the encoded final counter reading and/or the encoded initial counter reading by means of a cryptographic authentication method using a first cryptographic key, then a transfer of counter readings and encoded counter readings from one combined odometer to another combined odometer can be detected as manipulation. The security of the encoding method according to the invention is increased as a result.
If, according to a further development of the invention, some personalized information, particularly a chassis number as the personalized information, which can be uniquely assigned to the counting unit, or a device number of the counting unit, is preferably additionally used with regard to the cryptographic authentication method, then a further increase in the security of the encoding method according to the invention is achieved.
By preference, the encoded initial counter reading and/or the encoded final counter reading are encrypted by means of a cryptographic encryption method using a second cryptographic key. Herewith in a simple manner any manipulation can be made more difficult or excluded on account of the complexity of the cryptographic encryption method.
The present invention also relates to a verification method for verifying the authenticity of a counter reading of a counting unit, whereby an encoded counter reading is generated on the basis of a forward chained one-way function, in which a test counter reading is determined on the basis of the counter reading, whereby the test counter reading represents a frequency for incrementing or decrementing the counter reading of the counting unit, the encoded counter reading is analyzed using the test counter reading, a positive status signal is emitted if the analysis yields the result that the encoded counter reading has been generated as a result of the counter reading, or a negative status signal is emitted if the analysis yields the result that the encoded counter reading has not been generated as a result of the counter reading. With the aid of the verification method it is possible in a simple and reliable manner to ascertain the authenticity of the encoded counter reading or of the counter reading. The verification method has a lower level of complexity because only the counter reading and the encoded counter reading need to be taken into consideration in the verification process.
By preference, the test counter reading is generated through the counter reading or by subtracting the initial counter reading from the counter reading or through a sum formed by subtracting the initial counter reading from the counter reading. The verification method according to the invention can thus be used with regard to incrementing or decrementing the counter reading.
In an extension of the verification method according to the invention, whereby the encoded counter reading and the encoded final counter reading are generated on the basis of a forward chained one-way function, a number of tests is generated by subtracting the test counter reading from the number, an encoded test counter reading is generated by applying the forward chained one-way function to the encoded counter reading, whereby the forward chained one-way function is applied with the number of tests t times, and the encoded test counter reading is compared with the encoded final counter reading, whereby in the event that the encoded test counter reading is not equal to the encoded final counter reading a negative status signal is emitted, or in the event that the encoded test counter reading is equal to the encoded final counter reading a positive status signal is emitted.
A verification of the authenticity of the counter reading in a manner which is simple and robust against manipulation is guaranteed by this verification method. Use of the encoded final counter reading means that it is almost impossible for an attacker to deduce the encoded initial counter reading, with the result that the verification result of this verification method exhibits a high level of reliability. Furthermore, this verification method is less complex and can be implemented and executed in a simple manner on a computer unit.
In an alternative variant, by applying the forward chained one-way function to the encoded initial counter reading an encoded test counter reading is preferably generated, whereby the forward chained one-way function is applied with the value of the test counter reading Xt times, the encoded test counter reading is compared with the encoded counter reading, whereby in the event that the encoded test counter reading is not equal to the encoded counter reading a negative status signal is emitted, or in the event that the encoded counter reading is equal to the encoded final counter reading a positive status signal is emitted. This variant of the verification method according to the invention is characterized by a low level of complexity and high level of reliability against manipulation. In this situation, only the encoded initial counter reading needs to be kept secret in order to prevent an attacker from being able to produce a new encoded counter reading on the basis of the encoded initial counter reading.
In one extension, the authenticity of the encoded final counter reading and/or of the encoded initial counter reading is preferably verified by means of a cryptographic authentication verification method using a first cryptographic verification key and some authentication information. With the aid of the authentication information it is possible to detect any manipulation of the encoded final counter reading or of the encoded initial counter reading in a simple and reliable manner. Any manipulation can be easily detected particularly through the use of personalized information because this can be associated solely with one person and/or one device, such as an odometer for example. The reliability of the verification method is thus further increased.
If furthermore in the case of the cryptographic authentication verification method some personalized information, particularly a chassis number as the personalized information, which can be uniquely assigned to the counting unit, or a device number of the counting unit, is additionally used, then a further increase in the security of the verification method according to the invention is achieved.
In an alternative extension, an encrypted encoded initial counter reading and/or an encrypted encoded final counter reading are decrypted using a second cryptographic verification key into the encoded initial counter reading or the encoded final counter reading respectively prior to executing the verification method. In this way, relevant counter readings are only available to an attacker in encrypted form. Any manipulation is thereby made more difficult and the security of the verification method according to the invention is thus significantly increased.
The invention furthermore relates to an encoding device for executing an encoding method for securing a counter reading of a counting unit against any subsequent manipulation, comprising a cryptographic counting unit for calculating a new encoded counter reading when the counter reading is incremented or decremented by one count unit by applying a forward chained one-way function to an encoded counter reading, whereby a range of the forward chained one-way function is contained in the domain of the forward chained one-way function. By this means, the encoding method according to the invention can be executed in a simple and cost-effective manner.
If by preference a processing module with a storage element is used for storing the encoded counter reading and an activation element for activating the calculation of the new encoded counter reading, and a function module with a forward chained one-way function for calculating the new encoded counter reading from the encoded counter reading, then the encoding method according to the invention can be implemented cost-effectively with a small number of elements. Furthermore, costs can be reduced if standard elements are used for the storage element and the forward chained one-way function.
In an alternative extension, the encoded counter reading is preset to an encoded initial counter reading by the processing module, with the result that any manipulation of the encoded counter can be detected more easily.
Furthermore, the encoding device includes a determination module for generating an encoded final counter reading by applying the forward chained one-way function to an encoded initial counter reading, whereby the forward chained one-way function is applied c times. The encoded final counter reading can be created in a simple manner as a result.
The encoding device preferably includes an authentication module for creating authentication information for the encoded final counter reading and/or the encoded initial counter reading using a first cryptographic key. With the aid of the authentication information any manipulation can be more easily detected.
The authentication module is preferably configured such that in the case of the cryptographic authentication method some personalized information, particularly a chassis number as the personalized information, which can be uniquely assigned to the counting unit, or a device number of the counting unit, is additionally used. Any manipulation can thus be made more difficult and the reliability of the encoding device thereby additionally increased.
In an extension of the encoding device according to the invention, this includes an encryption module for encrypting the encoded final counter reading and/or the encoded initial counter reading using a second cryptographic key into an encrypted encoded final counter reading or an encrypted encoded initial counter reading respectively. The risk of manipulation of the counter reading can thereby be further reduced, whereby the encryption module can in particular be implemented by means of a cost-effective standard module.
In a further development of the invention, the encoding device is used in an odometer device, particularly in an automobile, and/or in a consumption metering facility, particularly for registering electricity, gas or water consumption. By this means, manipulative actions are prevented in sectors in which any manipulation may cause considerable economic damage.
In addition, the invention relates to a verification device for executing a verification method for verifying the authenticity of a counter reading of a counting unit, comprising a verification module for analyzing the encoded counter reading on the basis of a test counter reading and for emitting a positive status signal if the analysis yields the result that the encoded counter reading has been generated as a result of the counter reading, or for emitting a negative status signal if the analysis yields the result that the encoded counter reading has not been produced as a result of the counter reading, whereby the test counter reading represents a frequency for incrementing or decrementing the counter reading of the counting unit. The verification method according to the invention can hereby be implemented in a simple manner.
The verification device preferably comprises a subtraction module for generating a number of tests by subtracting the test counter reading from a number, a generation module for generating an encoded test counter reading by applying the forward chained one-way function to the encoded counter reading, whereby the forward chained one-way function is applied with the number of tests t times, a comparison module for comparing the encoded test counter reading with the encoded final counter reading, whereby in the event that the encoded test counter reading is not equal to the encoded final counter reading a negative status signal is emitted, otherwise a positive status signal is emitted. By this means the verification method according to the invention can be implemented in such a manner as to achieve a high level of reliability when verifying the authenticity of the counter reading.
In an alternative development, the verification device includes a generation module for generating an encoded test counter reading by applying the forward chained one-way function to the encoded initial counter reading, whereby the forward chained one-way function is applied with the value of the test counter reading Xt times, a comparison module (VM) for comparing the encoded test counter reading with the encoded counter reading, whereby in the event that the encoded test counter reading is not equal to the encoded counter reading a negative status signal is emitted, otherwise a positive status signal is emitted. This alternative development is characterized by its cost-effective implementation because only a small number of modules need to be used. Furthermore, a high level of reliability against manipulation attacks is achieved.
In one extension, the verification device according to the invention includes an authentication verification module MAD for verifying the authenticity of the encoded final counter reading and/or of the encoded initial counter reading using a first cryptographic verification key and some authentication information. By this means a risk of manipulation is reduced, whereby a cost-effective implementation can be achieved by using standardized authentication verification modules.
By preference, the authentication verification module MAD is configured such that in the case of the cryptographic authentication verification method some personalized information, particularly a chassis number as the personalized information, which can be uniquely assigned to the counting unit, or a device number of the counting unit, is additionally used. Manipulation can thereby be made more difficult and the level of reliability of the verification device can thus be additionally increased.
If, in a further development, the verification device includes a decryption module for decrypting an encrypted encoded initial counter reading and/or an encrypted encoded final counter reading using a second cryptographic verification key into the encoded initial counter reading or the encoded final counter reading respectively prior to execution of the verification method, then the reliability achieved during verification of the authenticity of the counter reading can be further increased in a cost-effective manner whilst simultaneously maintaining a low level of complexity.
Furthermore, the verification device according to the invention is used in an odometer device, particularly in an automobile, and/or in a consumption metering facility, particularly for registering electricity, gas or water consumption. By this means, manipulative actions are prevented in sectors in which any manipulation can cause considerable economic damage.
Further details and also advantages of the invention will be described in detail with reference to
Elements having the same function and mode of operation are identified by the same reference characters in
The encoding method according to the invention will be described in detail in the following with reference to
The odometer WEG shows for example a counter reading X in kilometers in addition to the current driving speed. When the combined odometer KOW is supplied, the counter reading X of the odometer WEG and an encoded counter reading of the cryptographic odometer KWG can each be preset to a specific initial value. The initial counter reading Xo is Xo=“0000000”, in other words X=Xo=“000000”, and the encoded counter reading Y is equal to an encoded initial counter reading Yo, in other words Y=Yo. When performing the presetting with the encoded initial counter reading Yo it is not possible to use any desired value, but the encoded initial counter reading Yo must be selected from the domain of a forward chained one-way function F. This domain and the forward chained one-way function F will be described in more detail later. The encoded counter reading Y can be stored in a storage element S of a processing module VM. In
If the counter reading X of the odometer WEG is incremented by one count unit, for example from X=“0000000” to X=“0000001”, see query in step S14 in
One-way functions are known for example from [1] pp. 8-9. In general these one-way functions exhibit the characteristic whereby a calculation of a new value from an old value can be performed in a simple manner from the computing standpoint, whereas the determination of an old value from a new value is extremely complex and this complexity increases greatly as a function of the word length of the value. At a word length of 128 bits or greater it is almost impossible from the computing standpoint to perform the determination of an old value from a new value. The one-way functions also have the characteristic that the range of the one-way function is contained in the domain of the one-way function. A known field of application for one-way functions is payment protocols, whereby these only use backward chained one-way functions. This is described in detail in the document [1] on pp. 396-397. In contrast, the forward chained one-way function F is used in the present invention.
In accordance with
Subsequently, the pulse IP is stimulated Xt times in accordance with the test counter reading Xt. This pulse IP is received by an activation element AM of the processing module VM, whereby the activation element AM generates an encoded test counter reading Yt through Xt times application of the forward chained one-way function F to the encoded initial counter reading Yo. The forward chained one-way function F is situated in a function module FM and is executed by the latter. This relationship can be represented by the following equation:
The forward chained one-way function F and the storage element S are accommodated for example in a generator module GXE. Subsequently, the encoded test counter reading Yt is compared with the encoded counter reading Y of the cryptographic odometer KWG from
When using the encoded initial counter reading Yo the encoded initial counter reading Yo must remain secret. Otherwise a subsequent manipulation can be performed in such a manner that a counter reading X can be chosen as desired and by applying the forward chained one-way function F X times to the encoded initial counter reading Yo a manipulated encoded counter reading Y is generated. It is more secure to allocate each combined odometer KOW a separate, in particular randomly generated, encoded initial counter value Yo. This variant too requires that the relevant encoded initial counter values Yo be securely managed to protect against unauthorized access.
The coding and verification method according to the invention can also be used in the event of a decrementation of the counter reading X. If the initial counter reading is Xo=100 and the counter reading is X=80, then the test counter reading Xt can be generated by means of the following equation:
X
t
=|X−Xo|=|80−100|=20 (2)
The remainder of the procedure for the verification method is analogous to the situation in which the counter reading X of the counting unit is incremented.
An extension of the method according to the invention is presented in the following which requires no secure safekeeping of the encoded initial counter reading Yo. Firstly, before the counter reading X is incremented or decremented for the first time a random encoded initial counter reading Yo is generated. This encoded initial counter reading Yo is written to the storage element S. In addition, in step S12 of
In order to verify the authenticity of the counter reading X the verification method according to the invention is used which is illustrated in detail in
Finally, in step S43 the encoded test counter reading Yt is compared with the encoded final counter reading Ye; see comparison module VM. If this yields the result that the encoded test counter reading Yt is not equal to the encoded final counter reading Ye, in other words Ye≠Yt, then the counter reading X has been manipulated; see step S44. In this situation, the negative status signal NEIN can be emitted. Otherwise, step S45 yields the result that the counter reading X has not been manipulated, in other words Ye=Yt. This can be indicated by emitting the positive status signal JA.
This extension of the method according to the invention is characterized particularly in that neither the encoded final counter reading Ye nor the number c needs to be kept secret. Since it is as good as impossible to ascertain the encoded initial counter value Yo from the encoded final counter reading Ye on account of the characteristics of the forward chained one-way function F, no secrecy is required.
The described extension requires that the counter reading X does not exceed the number c. Therefore, when selecting the number c, the service life of the odometer WEG should be taken into consideration. Today's automobiles have an average service life of 150,000 km to 300,000 km for example. A maximum value for the counter reading X of 500,000 km and thus the number c=“500,000” should therefore suffice. In the case of commercial road vehicles, however, a significantly higher value does need to be set for the number c.
In a further embodiment of the encoding method according to the invention, the encoded final counter reading Ye and/or the encoded initial counter reading Yo can be encrypted by means of a cryptographic mechanism. To this end, an encrypted encoded final counter reading Y*e or an encrypted encoded initial counter reading Y*o is generated with the aid of a second cryptographic key ES2; see steps S17 and S18 from
In a further variant, in accordance with
AI=MAU(Ye,ES1,PI)
In this situation the reference character MAU describes an authentication module MAU for generating the authentication information AI. This step is illustrated in S13 in
With regard to this variant according to the invention, in order to verify the authenticity of the counter reading X verification information is for example obtained in accordance with
In the event of failure to verify authenticity, step S44 follows which indicates that the counter reading X or the encoded final counter reading Ye has been manipulated. In this situation, the negative status signal NEIN can be emitted. Otherwise, the method continues with step S41. This step is identified in
The authenticity verification performed for the encoded final counter reading Ye can also be carried out for the encoded initial counter reading Yo.
In a further variant of the invention, selection of the encoded initial counter reading Yo can be made as a function of personalized information PI.
In an extension of the encoding and verification method according to the invention a separate, in particular randomly selected, forward chained one-way function F can be used for each combined odometer KOW. In this situation, it is necessary to take into consideration the fact that when the verification method is executed for verifying the authenticity of the counter reading X the relevant forward chained one-way function F associated with the combined odometer KOW is used.
In a variant of the method according to the invention the combined odometer KOW comprises solely the cryptographic odometer KWG (this is not illustrated graphically). The odometer WEG is not required in this situation because the counter reading X can be ascertained from the encoded counter reading Y. In order to obtain the currently valid counter reading X, the forward chained one-way function F is applied to the encoded counter reading Y as often as required until the encoded counter reading Y matches the encoded final counter reading Ye. In this situation, a repeat number W counts how often the forward chained one-way function F has been applied during this process. The current counter reading X is yielded as a result of subtracting the repeat number W from the number c, in other words X=c−W. With regard to this variant, however, it is necessary to ensure that the encoded counter reading Y valid prior to determination of the current counter reading X is retained. Otherwise, the encoded counter reading Y matches the final counter reading Ye and this variant would thus result in an incorrect mode of operation for the combined odometer KOW.
The inventive encoding method, verification method and the inventive encoding device and verification device have been represented with reference to an odometer for an automobile. The invention is not however restricted to only this field of application and any counting unit can be protected by the invention against manipulation. Further examples of fields of application are consumption measuring devices such as those for electricity, gas or gaming machines for example.
| Number | Date | Country | Kind |
|---|---|---|---|
| 10 2005 030 657.8 | Jun 2005 | DE | national |
| Filing Document | Filing Date | Country | Kind | 371c Date |
|---|---|---|---|---|
| PCT/EP2006/063446 | 6/22/2006 | WO | 00 | 9/23/2008 |
