Method and system for securely selecting applications
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- ASSA ABLOY AB
- Filing Date
- 2024-12-17
- Publication Date
- 2026-06-25
Description
[0001] 40179.AAB.P100PC S / Sp / kt
[0002] Description
[0003] Method and System for securely selecting applications
[0004] The disclosure relates to a method and system for securely selecting applications using application identifiers. Additionally, or alternatively, the disclosure relates to a method for securely processing application selection commands. Further a computer program is provided that includes instructions which, when executed by a computer, cause the computer to perform the method at least in part.
[0005] In the field of secure application selection for electronic devices, it is a common practice to use Application Identifiers (AIDs) to identify and select specific applications stored on a recipient device, such as a smartcard or other secure element. Typically, these AIDs are transmitted in plain text within a selection command sent by a sender device. This straightforward approach, however, poses significant security risks, particularly when the transmitted AIDs are intercepted by unauthorized entities. The leakage of such information can compromise the privacy of the application selection process and expose sensitive information about the user or the application itself.
[0006] To address this, existing systems often incorporate static cryptographic keys that encrypt the AIDs before transmission. However, these systems rely on infrastructure-wide static keys, which are shared across multiple devices and stakeholders within the same infrastructure. This design presents a critical vulnerability: if the shared static key is compromised, the security of the entire infrastructure is jeopardized. Additionally, the use of such shared keys complicates the key management process, increasing the risk of operational errors and raising the cost of maintaining secure communication systems.
[0007] Further challenges arise in ensuring the integrity of selection commands and preventing replay attacks, where an attacker intercepts and reuses legitimate commands to gain unauthorized access or disrupt the system. To mitigate such attacks, random numbers, often referred to as cryptographic nonces, are embedded within selection commands to ensure that each command is unique. However, existing solutions frequently lack mechanisms to enforce the uniqueness of these random numbers, resulting in reduced effectiveness against sophisticated attacks.
[0008] Another drawback of current methods lies in their inability to fully protect the privacy of the application selection process. Even when AIDs are encrypted, repeated use of the same encryption key or insufficient diversification of the encryption mechanism can allow adversaries to infer which applications are being selected based on observed patterns.
[0009] From a practical perspective, existing systems often fail to adequately address the tradeoff between security and performance. For instance, the computational overhead introduced by advanced cryptographic operations can lead to significant delays in processing selection commands, particularly on resource-constrained recipient devices such as smartcards.
[0010] Given these limitations, there is a clear need for an improved solution that enhances the security and privacy of application selection processes while minimizing the performance impact and complexity of key management.
[0011] With regard to the outlined prior art, the objective of the present disclosure is to provide a method and / or a system, each of which is suitable for enriching the state of the art.
[0012] This objective is achieved by the features of the independent claims. The further independent claims and the dependent claims respectively contain optional further developments of the disclosure.
[0013] The objective is achieved, according to a first aspect, by a method for securely selecting applications using application identifiers, AIDs. Application-specific static keys are used for encrypting the AIDs.
[0014] The disclosure relates to a method for securely selecting applications using application identifiers (AIDs) that employs application-specific static keys for encryption. Secure selection refers to the process of ensuring the confidentiality and integrity of the applications chosen during communication. Applications, in this context, represent specific software, services, and / or functionalities uniquely identified by AIDs. These AIDs are protected during transmission using application-specific static keys, which are unique to each application and remain constant for a particular application while differing across others. Encryption transforms the plaintext AIDs into a secure format to prevent unauthorized access or tampering.
[0015] The method begins with the reception of a selection command that contains the AIDs and a random number. The selection command acts as an instruction issued by a host device, indicating the application to be selected. The random number, unpredictably generated, adds entropy to the method, ensuring the uniqueness of each transaction and mitigating replay attacks.
[0016] Next, the AIDs are encrypted using their associated application-specific static key. This step secures the identifiers, preventing exposure of sensitive data during transmission and ensuring that the information about the selected application remains confidential. By employing application-specific keys, the scope of potential security breaches is limited to individual applications, enhancing overall system security.
[0017] To ensure uniqueness in the encryption and prevent replay attacks, the random number is embedded in the encryption process. This embedding makes every encryption operation distinct, even when the same AIDs are repeatedly encrypted, thereby actively preventing pattern recognition or duplication by malicious actors. Additionally, the random number ensures that each command remains specific to its context, safeguarding the process against repeated transmissions of intercepted data.
[0018] Further, the encrypted selection command is transmitted to a recipient side for further processing. The recipient side is responsible for decrypting the AIDs. In an embodiment a verification of their authenticity can be performed when providing a MAC. This ensures that only authorized entities can access the information and that the selection command originates from a trusted source. By validating the decrypted data, the recipient can confirm the correctness of the application selection, completing the process with robust protection of data integrity, confidentiality, and authenticity.
[0019] The recipient side is the entity, system, or device that plays a critical role in the secure selection of applications by receiving the encrypted selection command transmitted from the host device or sender. This side is equipped with the necessary cryptographic and processing capabilities to handle the secure communication process. Upon receiving the encrypted selection command, the recipient side utilizes the appropriate application-specific static keys to decrypt the application identifiers (AIDs) contained within the command. This decryption step ensures that the identifiers, which remain encrypted during transmission for security, are accessible only to authorized systems. Further, it is faster to encrypt the AIDs on the recipient side and then compare for equality.
[0020] In addition to decryption, the recipient side is responsible for verifying the integrity and authenticity of the received command. Cryptographic verification methods are employed to ensure that the command originates from a trusted source and has not been tampered with during transmission. By performing these checks, the recipient side ensures that the communication is secure and resistant to malicious activities such as impersonation or data alteration.
[0021] Once the AIDs have been decrypted and authenticated, the recipient side processes them to determine the application to be selected. This involves matching the decrypted AIDs against stored application data to identify the relevant application. Depending on the specific use case, this could result in the activation of an application, the execution of a specific function, or the granting of access to certain system features.
[0022] The recipient side also incorporates mechanisms to prevent replay attacks, which involve the unauthorized retransmission of valid commands. By validating the random numbers embedded in the encryption during the initial transmission, the recipient side ensures that each command is unique and specific to its context. This validation process protects the system from repeated use of intercepted commands, further enhancing security.
[0023] Examples of a recipient side include a smartcard in a payment system that decrypts and processes commands to identify a specific payment application, an access control system that determines user permissions based on received encrypted commands, or an IoT device that selects and activates relevant applications or configurations. In each case, the recipient side facilitates secure, reliable, and efficient communication while maintaining the confidentiality and integrity of the transmitted data.
[0024] By performing these functions, the recipient side ensures that only authorized and verified commands are processed, enabling a secure application selection process. It acts as a safeguard against unauthorized access, data manipulation, and other security threats, while providing a robust mechanism for secure and accurate application activation.
[0025] The method offers a number of benefits. Among other things, the encryption of application identifiers (AIDs) using application-specific static keys ensures that the identifiers remain confidential during transmission, preventing unauthorized access or tampering. The use of application-specific keys also limits the impact of key leakage to individual applications, thereby enhancing the overall security of the system.
[0026] Moreover, the integration of random numbers into the encryption process ensures that each encryption operation is unique, even for identical AIDs, effectively preventing pattern recognition by malicious actors. This randomization also protects against replay attacks, as the unique encryption output cannot be reused to exploit the system.
[0027] The authentication of the selection command involves verifying its integrity and authenticity using cryptographic methods. This ensures that the command originates from a trusted source and has not been altered during transmission. If a Message Authentication Code (MAC) is used, it serves as a cryptographic value generated from the command data and a shared secret key, allowing verification of both the data's integrity and its source. By performing these cryptographic checks, the system provides a robust layer of protection against unauthorized modifications or impersonation attempts.
[0028] Additionally, the method eliminates the need for a separate static key for protecting AIDs by reusing the application-specific static key already present in the system. The application-specific static keys are also required to protect the response of the selection. This simplifies key management, reduces operational complexity, and minimizes the risk associated with distributing additional keys.
[0029] Finally, the transmission of encrypted and authenticated commands to the recipient side enables secure application selection and processing, ensuring that only verified and trusted commands are executed. This comprehensive security approach maintains the confidentiality, integrity, and authenticity of the data throughout the process, making the method highly reliable and secure for practical applications.
[0030] For application cases or application situations that may arise during the executed methods and are not explicitly described herein, it may be provided that, according to the method, an error message and / or a prompt for user feedback is output, and / or a default setting and / or a predetermined initial state is set.
[0031] The methods may involve a computer-implemented method, meaning that one, several, or all steps of the methods can be at least partially performed by a computer or a data processing device, optionally a computing device, in particular the device disclosed herein. Where appropriate, it may be provided to execute the steps in a sequence different from that described.
[0032] The following will explain possible refinements of the above-described aspects of the disclosure in detail. Each of the refinements mentioned below can further develop and specify the above-mentioned method either separately or in combination.
[0033] It may be provided that the method comprises receiving an encrypted response message that includes a diversified random number and information about the selected application. This function may have the technical effect of ensuring the confidentiality and integrity of the response message by embedding a random number, which prevents replay attacks and ensures that each response is unique. The inclusion of information about the selected application allows the recipient side to identify the application securely without revealing sensitive details during transmission. For the purposes of the present disclosure, a diversified random number can refer to a unique, dynamically generated value added to each response to increase entropy and provide protection against pattern recognition and reuse of encrypted messages.
[0034] In another embodiment, the selection command can be authenticated through a cryptographic verification process using a Message Authentication Code. Cryptographic verification confirms the integrity of the selection command, ensuring that it has not been altered during transmission. The MAC, a cryptographically generated tag, verifies the authenticity of the sender and the correctness of the transmitted data, reducing the risk of impersonation or unauthorized modification. Authentication requires an additional independent static key. A MAC for each protected AID can be added.
[0035] In another embodiment, the method may further comprise encrypting the AIDs individually to ensure privacy, preventing any inference about the selected application. This function achieves the following: by encrypting AIDs individually, the system prevents the exposure of plaintext AIDs, eliminating the risk of attackers deducing patterns or identifying the selected application based on transmitted data. This makes it possible to maintain user privacy and secure the communication channel.
[0036] It may also be provided that the method minimizes performance loss during encryption by implementing parallelized cryptographic processes. This implementation results in increased processing efficiency, enabling the system to handle multiple encryption operations simultaneously without significantly affecting response time. By activating this function, the system benefits from improved scalability and the ability to support high-throughput environments.
[0037] In a further embodiment, the random number embedded in the encryption may be dynamically generated for each selection command to ensure unpredictability and prevent static encryption patterns. The inclusion of this function enables the system to produce unique encrypted outputs for each command, preventing attackers from identifying reused encryption patterns. This makes it possible to enhance security by thwarting replay attacks and maintaining unpredictability in the encryption process.
[0038] It may be provided that the application-specific static key used for encrypting the AIDs is derived from an existing key that is originally used for protecting response messages. It is planned that the selection will take place first, followed by protecting the communication using session keys. This function allows the system to avoid the use of additional static keys for the infrastructure, reducing the risk of key management complexity and potential vulnerabilities from shared keys. By using already present keys, the system achieves enhanced security while simplifying the infrastructure's cryptographic architecture.
[0039] In another embodiment, the selection command may include partial or relative Application Identifiers (AIDs), allowing flexibility in identifying applications stored on the recipient side. This function contributes to increased adaptability of the system, as it allows for partial matches or hierarchical identification of stored applications, ensuring compatibility with various application structures and configurations. For the purposes of the present disclosure, partial or relative Application Identifiers (AIDs) can refer to identifiers that represent a subset or a hierarchical relation of a full AID, enabling flexible application selection based on stored data.
[0040] It may further be provided that the selection command includes metadata that specifies the structure of the AIDs to facilitate their decryption and interpretation on the recipient side. This feature may have the technical effect of enabling the recipient to correctly parse and process the AIDs without prior knowledge of their format. By embedding metadata, the system achieves improved interoperability and reduces errors during the decryption and application selection process.
[0041] It may also be provided that the selection command and response message are transmitted using a secure communication protocol compliant with existing standards, including ISO 7816 or NFC communication standards. This makes it possible to ensure compatibility with widely accepted communication standards, allowing seamless integration with existing systems. By utilizing a secure protocol, the system benefits from robust data protection and reduced implementation complexity.
[0042] In another embodiment, the encryption process may use a block cipher algorithm operating in a mode selected from the group consisting of CBC (Cipher Block Chaining) mode and GCM (Galois / Counter Mode). The effect of including this function is the ability to choose a cryptographic mode based on the specific security requirements and operational context, ensuring both data confidentiality and integrity. This flexibility allows the system to address diverse use cases and maintain a high level of cryptographic robustness.
[0043] Up to now, the disclosure has been described with respect to the claimed method. Features, advantages or alternative embodiments herein can be assigned to the other claimed objects (e.g., methods, system, computer program product) and vice versa. In other words, the subject matter which is claimed or described with respect to the claimed method can be improved with features described or claimed in the context of the system and vice versa. In this case, the structural units of the system are embodied by functional features of the method and vice versa, respectively. Generally, in computer science a software implementation and a corresponding hardware implementation are equivalent. Thus, for example, a method step for “storing” data may be performed with a storage unit and respective instructions to write data into the storage. For the sake of avoiding redundancy, although the device may also be used in the alternative embodiments described with reference to the method, these embodiments are not explicitly described again for the device.
[0044] Furthermore, the objective is achieved according to another aspect of the disclosure by a method for securely processing application selection commands, wherein Application Identifiers (AIDs) are protected using cryptographic mechanisms. The method provides a secure framework for processing application selection commands by ensuring the confidentiality, authenticity, and integrity of Application Identifiers (AIDs) through cryptographic mechanisms. Cryptographic protection includes the use of encryption, authentication, and randomization techniques to safeguard AIDs from unauthorized access and manipulation.
[0045] In a first step, a selection command containing encrypted AIDs and a random number is received. This feature establishes the initiation of the secure process by receiving a selection command that includes encrypted AIDs and a random number. The random number ensures uniqueness and unpredictability for each command, enhancing protection against replay attacks. This step allows the system to process requests securely while maintaining the confidentiality of transmitted data.
[0046] In a further step, decrypting of the encrypted AIDs using an application-specific static key takes place. This step involves decrypting the encrypted AIDs with a static key specific to the application, ensuring that only authorized entities can access the identifiers. The implementation of this function results in robust confidentiality, as each application uses a unique static key, preventing unauthorized access to the AIDs.
[0047] An authentication step can confirm the integrity and authenticity of the selection command by verifying a cryptographic Message Authentication Code (MAC). A MAC is a short cryptographic value generated from the command data and a shared secret key, ensuring that any alteration of the data is detectable. This process ensures that the selection command originates from a trusted source and remains unaltered during transmission. The function has the technical effect of preventing impersonation and unauthorized modifications, thereby enhancing the system's resilience against malicious activities. For the purposes of the present disclosure, a Message Authentication Code (MAC) can refer to a cryptographic code used to verify both the authenticity and integrity of a message, generated using a secret key and a cryptographic algorithm.
[0048] The identification of the selected application is achieved by interpreting the decrypted Application Identifiers (AIDs). This step allows the system to accurately determine which application the selection command pertains to. By activating this function, the system benefits from a precise and efficient application determination process, ensuring seamless and reliable interaction with the requesting entity. For the purposes of the present disclosure, Application Identifiers (AIDs) can refer to unique identifiers used to specify and distinguish applications within a system, enabling accurate selection and processing.
[0049] Generating an encrypted response message containing a diversified random number and application information involves the creation of an encrypted response message containing two critical components: a diversified random number and information about the selected application, such as the full AID and associated metadata. The inclusion of the diversified random number ensures that each response message is unique and context-specific, preventing replay attacks by malicious actors. Additionally, the information regarding the selected application provides the sender with the necessary details for subsequent operations, while maintaining confidentiality and integrity. This process ensures secure, reliable, and meaningful communication. For the purposes of the present disclosure, a diversified random number can refer to a dynamically generated, unique value embedded in each response message to ensure its uniqueness and prevent replay attacks.
[0050] Metadata can refer to supplementary data associated with an application, such as configuration parameters, descriptive details, or operational context, that assists in the processing and identification of the application.
[0051] The final step involves transmitting the encrypted response message to the sender side. This ensures that the response is securely delivered and can only be interpreted by the intended recipient. The transmission of the response completes the secure communication cycle, guaranteeing the reliability and integrity of the data exchange process. By securing the communication channel, the system ensures robust protection of sensitive information and maintains the continuity of operations. For the purposes of the present disclosure, the sender side can refer to the originating device, system, or entity that initiated the selection command and receives the encrypted response message for further processing.
[0052] The method ensures the confidentiality and integrity of Application Identifiers (AIDs) by encrypting them with application-specific static keys. The authenticity of the selection command is verified using cryptographic methods, which may include the use of a Message Authentication Code (MAC). A MAC, if implemented, acts as a cryptographic value derived from the command data and a shared secret key, allowing verification of the data’s origin and integrity. The inclusion of dynamically generated diversified random numbers in both the selection command and response messages prevents replay attacks and ensures the uniqueness of each transaction. By embedding metadata and processing decrypted AIDs, the method enables accurate and efficient application identification while maintaining flexibility for different application structures. Secure transmission of encrypted response messages ensures reliable communication, protecting sensitive information from unauthorized access. Overall, the method achieves robust security, seamless application selection, and efficient communication within a cryptographically protected framework.
[0053] The methods may involve a computer-implemented method, meaning that one, several, or all steps of the methods can be at least partially performed by a computer or a data processing device, optionally a computing device, in particular the device disclosed herein. Where appropriate, it may be provided to execute the steps in a sequence different from that described.
[0054] The following will explain possible refinements of the above-described aspects of the disclosure in detail. Each of the refinements mentioned below can further develop and specify the above-mentioned method either separately or in combination.
[0055] The method may include validating the uniqueness of the random number received in the selection command to ensure the integrity of the command. This feature allows the system to detect and prevent replay attacks by confirming that each random number is unique and associated with a specific transaction. The validation process contributes to maintaining the authenticity and security of the command, ensuring that unauthorized or repeated commands are not processed. For the purposes of the present disclosure, a random number can refer to an unpredictable and unique numerical value generated to enhance entropy and protect cryptographic operations against vulnerabilities such as replay attacks.
[0056] The method may include comparing the received encrypted AIDs with its stored applications by re-encrypting its stored AIDs and identifying matches to determine the selected application. This function enables the system to securely identify the selected application by cross-verifying encrypted data, ensuring that only valid and authorized applications are processed. By activating this function, the system benefits from enhanced accuracy and confidentiality in application selection, as plaintext identifiers are never exposed. For the purposes of the present disclosure, stored applications can refer to the list or database of applications maintained on the recipient side, represented by their associated encrypted AIDs for secure comparison.
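The nonce-bound AID protection and the recipient-side re-encrypt-and-compare matching described in [0055] and [0056], as an added Python example that is not taken from the disclosure. An HMAC-SHA-256 keystream stands in for the block cipher, and the 16-byte nonce, the padding layout and all names (`protect_aid`, `build_select`, `Recipient`, the sample AIDs and keys) are assumptions.

```python
import hashlib
import hmac
import secrets
from collections import OrderedDict

NONCE_LEN = 16    # assumed nonce size; the disclosure does not fix one
MAX_AID_LEN = 16  # ISO 7816 AIDs are 5 to 16 bytes long


def protect_aid(app_key: bytes, nonce: bytes, aid: bytes) -> bytes:
    """Encrypt one AID under its application-specific static key.

    Stand-in cipher (assumption): XOR with an HMAC-SHA-256 keystream that
    is bound to the nonce, so the same AID never encrypts the same way twice.
    The AID is length-prefixed and padded so every ciphertext is 17 bytes
    and its length reveals nothing about the application.
    """
    if not 5 <= len(aid) <= MAX_AID_LEN:
        raise ValueError("AID must be 5 to 16 bytes")
    padded = bytes([len(aid)]) + aid.ljust(MAX_AID_LEN, b"\x00")
    keystream = hmac.new(app_key, b"AID-SELECT" + nonce, hashlib.sha256).digest()
    return bytes(p ^ k for p, k in zip(padded, keystream))


def build_select(app_key: bytes, aid: bytes):
    """Sender side: fresh random number per command, then encrypt the AID."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce, protect_aid(app_key, nonce, aid)


class Recipient:
    """Recipient side holding its stored applications as {AID: static key}."""

    def __init__(self, applications, max_nonces=1024):
        self._apps = dict(applications)
        self._seen = OrderedDict()  # nonces of already accepted commands
        self._max = max_nonces

    def select(self, nonce: bytes, protected_aid: bytes):
        """Return the selected AID, or None if nothing matches or on replay."""
        if len(nonce) != NONCE_LEN or nonce in self._seen:
            return None  # malformed command or a replayed random number
        matched = None
        # Re-encrypt every stored AID under its own key and the received
        # nonce, then compare ciphertexts. No received data is decrypted.
        for aid, key in self._apps.items():
            candidate = protect_aid(key, nonce, aid)
            # Constant-time comparison, and no early exit, so timing does
            # not reveal which stored application matched.
            if hmac.compare_digest(candidate, protected_aid):
                matched = aid
        if matched is not None:
            # Only accepted commands consume cache space, so junk commands
            # cannot push valid nonces out. The cache is bounded: a replay
            # older than max_nonces accepted commands is no longer detected.
            self._seen[nonce] = True
            if len(self._seen) > self._max:
                self._seen.popitem(last=False)
        return matched


if __name__ == "__main__":
    # Constructed sample data: two applications with unrelated static keys.
    aid_pay = bytes.fromhex("F0000000010001")
    aid_door = bytes.fromhex("F000000002")
    card = Recipient({aid_pay: secrets.token_bytes(16),
                      aid_door: secrets.token_bytes(16)})
    key_pay = card._apps[aid_pay]
    nonce, blob = build_select(key_pay, aid_pay)
    print("first attempt :", card.select(nonce, blob))
    print("replayed      :", card.select(nonce, blob))
```

A key leaked for one application only lets its holder form commands that match that application's stored AID; the other entries in the recipient's table are encrypted under unrelated keys and never match.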
[0057] The method may include encrypting the response message using an application-specific static key to ensure that the message is protected against unauthorized access during transmission. This function allows the response message to remain confidential and accessible only to the intended recipient. By employing an application-specific static key, the system ensures that the encryption is unique to the application, minimizing the risk of compromise even if one key is leaked. For the purposes of the present disclosure, an application-specific static key can refer to a cryptographic key uniquely associated with a specific application, used for encryption and decryption to maintain data confidentiality and prevent unauthorized access.
[0058] The method may include a diversified random number in the encrypted response message, which serves as a cryptographic nonce to ensure message integrity and prevent replay attacks. This feature ensures that each response message is unique and tamper-proof by embedding a dynamic value that invalidates attempts to reuse or alter previously transmitted messages. The implementation of this feature results in enhanced security for communication between the sender and recipient. For the purposes of the present disclosure, a cryptographic nonce can refer to a single-use, dynamically generated value embedded in cryptographic operations to ensure the uniqueness and integrity of each transaction or communication.
[0059] The method may include verification data in the encrypted response message, enabling the sender side to detect and prevent any unauthorized modifications to the response. This function contributes to the reliability and integrity of the communication process by allowing the sender to verify the authenticity and correctness of the response data. The inclusion of verification data ensures that any attempt to tamper with or alter the response message is detected before further actions are taken. For the purposes of the present disclosure, verification data can refer to cryptographic information, such as a checksum, embedded in the response message to confirm its authenticity and detect unauthorized modifications during transmission.
[0060] In another aspect, the disclosure relates to a system for securely selecting applications. The system includes a sender device that is responsible for initiating secure communication by generating and transmitting selection commands. The sender device ensures the confidentiality and integrity of transmitted data by performing cryptographic operations. It generates random numbers to guarantee the uniqueness of encryption and to prevent replay attacks, ensuring that each transaction is specific to its context. This function contributes to maintaining security by making each encryption operation unpredictable.
[0061] The sender device encrypts Application Identifiers (AIDs) individually using application-specific static keys, which ensures privacy by preventing the plaintext AIDs from being exposed during transmission. This encryption prevents malicious actors from deducing which application is being selected based on the transmitted data. By isolating each application-specific key, the impact of a potential key breach is limited to a single application.
[0062] Finally, the sender device transmits encrypted selection commands, including the AIDs and random numbers, to the recipient device, thereby securely initiating the application selection process.
[0063] In an embodiment of the system, the sender device can also generate a Message Authentication Code (MAC) to confirm the authenticity and integrity of selection commands. The MAC can ensure that any tampering with the selection command during transmission is detectable, providing robust data integrity and preventing unauthorized modifications. In this embodiment, the sender device transmits encrypted selection commands, including the AIDs, random numbers, and MAC to the recipient device, thereby securely initiating the application selection process.
[0064] For the purposes of the present disclosure, a sender device refers to the entity or system responsible for initiating the secure communication process by generating and transmitting selection commands. It can perform cryptographic operations to ensure the confidentiality, integrity, and authenticity of the transmitted data. The sender device generates random numbers, encrypts Application Identifiers (AIDs) using applicationspecific static keys, and creates a Message Authentication Code (MAC) to verify the authenticity and integrity of the selection commands. It then transmits these encrypted commands, including the AIDs, random numbers, and MAC, to the recipient device.
[0065] Practical implementation examples include smartphones or NFC-enabled devices used for accessing secured applications on smartcards, such as mobile payment systems or secure access control systems. Other examples are Point-of-Sale (POS) terminals that select specific payment applications from a multi-application smartcard or a digital wallet, 40179.AAB.P100PC S / Sp / kt as well as loT control hubs that communicate securely with embedded devices or sensors, selecting and configuring specific functionalities.
[0066] The system further includes a recipient device that receives encrypted selection commands from the sender device. The recipient device decrypts the encrypted Al Ds using application-specific static keys. This step ensures that only authorized systems can access the AIDs, maintaining their confidentiality and preventing unauthorized access.
[0067] The recipient device identifies the selected application based on the decrypted AIDs. This function enables precise application determination, ensuring seamless interaction with the sender device. After identifying the selected application, the recipient device generates an encrypted response message containing a diversified random number, the full AID, and associated metadata. The diversified random number acts as a cryptographic nonce, ensuring that each response message is unique and resistant to replay attacks. The full AID and metadata provide detailed information about the selected application for subsequent processing.
[0068] Further, the recipient device transmits the encrypted response message back to the sender device. This ensures a secure and reliable communication loop, maintaining the integrity and confidentiality of the data exchange.
[0069] In an embodiment of the system, the recipient device can verify the MAC included in the selection command to confirm its integrity and authenticity. By authenticating the MAC, the system ensures that the command originates from a trusted source and has not been tampered with during transmission, safeguarding the data against impersonation and modification.
[0070] For the purposes of the present disclosure, a recipient device refers to the entity or system responsible for receiving, decrypting, and processing the encrypted selection commands sent by the sender device. It is equipped to decrypt the encrypted AIDs using application-specific static keys, verify the MAC to authenticate the integrity of the selection command, and identify the selected application based on the decrypted AIDs. The recipient device also generates an encrypted response message containing a diversified random number to prevent replay attacks, the full AID, and associated metadata of the selected application. The response is securely transmitted back to the sender device.
[0071] Practical implementation examples include smartcards or secure elements in banking or access control systems that process encrypted selection commands from external devices and return verified application information. Other examples are access control systems that authenticate user credentials and provide secure responses indicating access status or selected permissions, as well as embedded devices in industrial IoT environments, which process selection commands to activate specific functionalities or configurations and confirm execution securely to the sender device.
[0072] This system enables a robust and secure method for selecting applications while maintaining high levels of confidentiality, integrity, and authenticity in the communication process. By employing cryptographic techniques such as encryption, randomization, and authentication, the system effectively prevents replay attacks, unauthorized access, and data tampering. Its modular design, comprising sender and recipient devices, ensures precise application selection and secure data exchange, making it suitable for various secure communication environments.
[0073] What is described above with reference to the system applies analogously to the methods and vice versa.
[0074] The above can be summarized in other words, and in a possibly more specific embodiment of the disclosure, as described below; the following description is not to be construed as limiting the disclosure.
[0075] An example command-response pair of a selection command can look like this, using ISO 7816 APDU notation. The example uses a 16-byte block size, which allows the use of, e.g., the AES algorithm. The example also uses the CBC crypto mode but does not exclude the use of any other mode, e.g., GCM. The idea is to use the application-specific static selection keys, which are normally only used to protect the responses, for the protection of the AIDs. This leads to individually protected AIDs, each with its own key.
[0076] KSEL is the application-specific static selection key that is normally used to protect the response; an encryption key and a MAC key are derived from it for the calculations.
[0077] The command provides a random number (RndC.IV) to make the IVs of the encrypted AID unpredictable and the encrypted blocks look different for every selection command. ENC IV = ENCECB(KSELx_MAC, RndC.IV)
[0078] Tx and LPIainOIDx provide information about the plain AID, because the AID can also be provided in another form, e.g., partial or relative.
[0079] The response also provides a random number (RndR.IV), which is likewise used to make the IV of the encrypted response unpredictable and the encrypted blocks look different for every selection command.
[0080] The RndC.IV in the response can be used as replay attack protection.
[0081] ENC IV = ENCECB(KSELx_MAC, RndR.IV)
[0082] The encrypted response provides more information about the selected application e.g., full AID, metadata, diversifier.
[0083] The User Device needs to analyze all protected AIDs to find out which AID is sent for the selection.
[0084] This solution does not require an additional static key. It uses keys which are already present on a system and the keys are in control of the application provider.
[0085] Furthermore, a computer program is provided, comprising instructions which, when executed by a computer, cause the computer to perform or partially perform the method described above. The program code of the computer program may be in any code format, particularly in a code suitable for controlling motor vehicles. The above-described with reference to the control device, the motor vehicle, and the method applies analogously to the computer program and vice versa.
[0086] Additionally, a computer-readable medium, particularly a computer-readable storage medium, is provided. The computer-readable medium comprises instructions which, when executed by a computer, cause the computer to perform or partially perform the method described above. This means that a computer-readable medium can be provided which includes the computer program as defined above. The computer-readable medium may be any digital data storage device, such as a USB stick, a hard drive, a CD-ROM, an SD card, or an SSD card (or SSD drive / SSD hard drive).
[0087] The computer program does not necessarily have to be stored on such a computer-readable storage medium to be made available to the motor vehicle; it can also be obtained via the Internet or from other external sources. The above-described with reference to the method, the control device, the computer program, and the motor vehicle applies analogously to the computer-readable medium and vice versa.
[0088] The disclosure also encompasses combinations of the features of the described embodiments. Thus, the disclosure also includes implementations that feature a combination of the characteristics of several described embodiments, provided the embodiments are not described as being mutually exclusive.
[0089] Brief Descriptions of the Drawings
[0090] In the following, the disclosure will further be described with reference to exemplary embodiments illustrated in the figures, in which:
[0091] Fig. 1 schematically shows a system for securely processing application selection commands;
[0092] Fig. 2 schematically shows a flow chart of the method for securely selecting applications using application identifiers;
[0093] Fig. 3 schematically shows a flow chart of the method for securely processing application selection commands, and
[0094] Fig. 4 schematically shows a technical implementation example of a selection command and response provided by an embodiment of the disclosed system.
[0095] Detailed Description
[0096] In the following description, for purposes of explanation and not limitation, specific details are set forth, in order to provide a thorough understanding of the current disclosure. It will be apparent to one skilled in the art that the current disclosure may be practiced in other embodiments that depart from these specific details. For example, the skilled artisan will appreciate that the current disclosure may be practiced with any application for different functionalities or for different computing entities.
[0097] Figure 1 depicts a system 300 for securely selecting applications, designed to protect sensitive information during the application selection process. The system comprises a sender device 10 and a recipient device 20. Both devices are enclosed within the broader context of the system 300.
[0098] The sender device 10 is configured to generate and transmit encrypted selection commands. It performs several critical tasks to ensure secure communication. First, the sender device 10 generates random numbers to ensure encryption uniqueness and to mitigate replay attacks. These random numbers act as initialization vectors (IVs) for encryption processes. The sender device 10 encrypts Application Identifiers (AIDs) individually using application-specific static keys, a crucial measure to preserve privacy by preventing inference about which application is selected. It eliminates the need for additional static keys and minimizes the risk associated with key leakage. To maintain integrity and authenticity, the sender device 10 can generate a Message Authentication Code (MAC) for the selection commands. Once the commands are ready, the sender transmits them to the recipient device 20. These commands include encrypted AIDs, random numbers, and the MAC.
[0099] The recipient device 20 is designed to receive and process the encrypted selection commands. Its primary function is to decrypt the AIDs using the application-specific static keys. Further, it can verify the integrity of the commands by checking the MAC. After decryption, the recipient device 20 identifies the selected application based on the AIDs. Additionally, the recipient device 20 generates an encrypted response message containing a diversified random number to further prevent replay attacks and information about the selected application, including the full AID and associated metadata. This response is then securely transmitted back to the sender device 10.
[0100] The encryption processes within the system 300 use a block cipher algorithm. Depending on the mode selected, such as Cipher Block Chaining (CBC) or Galois / Counter Mode (GCM), the encryption ensures robust protection against unauthorized access. The random numbers embedded in the selection commands are dynamically generated for each transaction, ensuring unpredictability and further strengthening security. These measures collectively address the risks associated with static encryption patterns and replay attacks, as the use of dynamic random numbers creates variability in encrypted data.
[0101] The sender device 10 implements the method 100 as further described with regard to Figure 2 for securely selecting applications. This method 100 includes steps such as receiving selection commands with AIDs and random numbers, encrypting the AIDs with application-specific keys, and authenticating the commands through cryptographic verification. Additionally, the sender embeds random numbers into the encryption process to ensure each encryption is unique. This method 100 also minimizes performance loss by enabling parallelized cryptographic operations. Further, the sender may receive encrypted response messages containing diversified random numbers and information about the selected application.
[0102] On the other side, the recipient device 20 implements the method 200 as further described with regard to Figure 3 for securely processing the selection commands. The recipient device 20 decrypts the AIDs, can verify a MAC if used, and identifies the selected application. This method 200 also involves generating an encrypted response message, which contains critical information about the selected application and a new diversified random number. The response ensures integrity and authenticity through additional cryptographic mechanisms, and the diversified random number serves as a nonce to prevent replay attacks.
[0103] A technical advantage of the system 300 lies in its ability to use application-specific static keys for both the protection of AIDs and response messages. It can eliminate the need for additional static keys, reducing key management complexity and limiting the impact of key leakage. This design also ensures privacy by encrypting AIDs individually, preventing external observers from inferring which application is selected based on encrypted data. Furthermore, the integration of random numbers ensures the encryption outputs are unique for every command, mitigating risks associated with static encryption patterns.
[0104] Another advantage is that the response messages from the recipient device 20 include verification data, which allows the sender device 10 to detect and prevent any unauthorized modifications to the response. The use of secure communication protocols, compliant with standards such as ISO 7816 or NFC, further reinforces the reliability and interoperability of the system.
[0105] Figure 2 shows the method 100 for securely selecting applications using Application Identifiers (AIDs). The method 100 begins with step 110, where a selection command containing AIDs and a random number is received by the sender device 10. The random number included in the selection command is dynamically generated for each transaction to ensure unpredictability and to prevent static encryption patterns. This dynamic generation of random numbers ensures that each selection command appears unique, mitigating the risk of replay attacks.
[0106] In step 120, the AIDs are encrypted using an application-specific static key. This encryption process leverages keys that are derived from existing keys already used for protecting response messages. By reusing application-specific static keys, the method eliminates the need for additional static keys within the infrastructure. This design reduces key management complexity and limits the security risks associated with key leakage. The encryption process employs a block cipher algorithm operating in a mode such as Cipher Block Chaining (CBC) or Galois / Counter Mode (GCM), ensuring robust protection against unauthorized access.
[0107] Step 130 involves authenticating the selection command through cryptographic verification. A Message Authentication Code (MAC) can be used. The MAC ensures the integrity and authenticity of the command, allowing the recipient side to verify that the command has not been tampered with during transmission.
[0108] In step 140, the method embeds the dynamically generated random number into the encryption process. This step not only ensures the uniqueness of the encrypted data but also strengthens the system’s 300 resistance to replay attacks. Embedding the random number within the encryption guarantees that even identical AIDs produce distinct encrypted outputs for each command, further protecting the privacy of the selection process.
[0109] Step 150 concludes the primary sequence of the method by transmitting the selection command to the recipient device 20. The selection command, now fully encrypted and authenticated, is sent using a secure communication protocol compliant with existing standards, such as ISO 7816 or NFC communication standards. These protocols ensure the safe and reliable delivery of sensitive information.
[0110] Further, after the selection command is processed by the recipient device 20, the sender device 10 may receive an encrypted response message. This response message includes a diversified random number to prevent replay attacks, as well as information about the selected application, such as the full AID and associated metadata. The use of diversified random numbers adds an additional layer of security by ensuring that each response is unique and resistant to interception.
[0111] To ensure privacy, the method 100 encrypts AIDs individually, preventing any inference about the selected application. This measure guarantees that even if an observer intercepts the encrypted selection command, they cannot deduce which application is being selected. The method 100 also implements parallelized cryptographic processes to minimize performance loss during encryption, optimizing the system for real-time operation.
[0112] The selection command may include partial or relative AIDs to provide flexibility in identifying applications stored on the recipient side. Metadata accompanying the selection command specifies the structure of these AIDs, facilitating their decryption and interpretation by the recipient. This feature supports compatibility with a wide range of application architectures and enhances the system’s adaptability to different environments.
[0113] Figure 3 illustrates the method 200 for securely processing application selection commands.
[0114] The method begins with step 210, where the recipient device 20 receives a selection command from the sender device 10. This selection command contains encrypted Application Identifiers (AIDs) and a dynamically generated random number. The inclusion of the random number ensures that each command is unique, preventing replay attacks and adding a layer of cryptographic variability. The recipient device 20 validates the uniqueness of the random number as part of the process to guarantee the integrity of the command and to confirm that it has not been tampered with or reused.
[0115] In step 220, the recipient device 20 decrypts the encrypted AIDs using an application-specific static key. This decryption process is critical for interpreting the selection command while maintaining the privacy of the AIDs. The application-specific static key is derived from an existing key infrastructure, ensuring secure decryption without the need for additional static keys. By reusing application-specific keys, the method reduces the complexity of key management and minimizes the risk associated with potential key leaks.
[0116] Next, in step 230, the recipient device authenticates the selection command. A cryptographic Message Authentication Code (MAC) can be verified. The MAC provides assurance that the command has not been altered during transmission, confirming its authenticity and integrity. This step is essential for ensuring trust between the sender and recipient devices 20.
[0117] In step 240, the recipient device 20 identifies the selected application by comparing the decrypted AIDs with stored application identifiers. To optimize this process, the recipient device 20 may re-encrypt its stored AIDs using the same application-specific static key and the received random number, matching the result against the decrypted AIDs from the selection command. This technique ensures that the selection is accurate while maintaining the confidentiality of the stored application identifiers.
[0118] After identifying the selected application, the recipient device 20 generates an encrypted response message in step 250. This response message includes several key components:
[0119] A diversified random number, which serves as a cryptographic nonce to prevent replay attacks. The diversified random number ensures that each response is unique and resistant to interception and reuse by unauthorized parties.
[0120] Information about the selected application, including the full AID and associated metadata. The metadata may include details necessary for further processing, such as structural information or operational parameters associated with the selected application.
[0121] The response message is then encrypted using an application-specific static key. This ensures that the message remains protected against unauthorized access during transmission. Encrypting the response with an application-specific key further enhances privacy and security, as it ties the message's encryption to the specific application being selected.
[0122] The recipient device 20 transmits the encrypted response message back to the sender device 10. To ensure robustness against manipulation, the response message includes verification data. This verification data enables the sender device 10 to detect and prevent unauthorized modifications to the response, safeguarding the integrity of the communication process.
[0123] Further, the use of a diversified random number in the response message enhances security by ensuring that each response remains unique and contextually tied to the originating selection command. This random number also provides a mechanism for the sender device 10 to verify that the response corresponds to the original command, effectively preventing attacks that rely on replaying previously intercepted responses.
[0124] The method also adheres to secure communication standards, such as ISO 7816 or NFC protocols, to ensure compatibility and reliability across different systems. These standards guarantee that the selection command and response message are transmitted securely and efficiently, maintaining the integrity of the entire transaction.
[0125] Figure 4 schematically shows a technical implementation example of a selection command and response provided by an embodiment of the disclosed system 300. Figure 4 illustrates the interaction between the sender device 10 and recipient device 20, focusing on the structure and cryptographic mechanisms of the selection command and the corresponding response.
[0126] In the first line of Figure 4, the selection command is depicted. This command is transmitted from the sender device 10 and includes encrypted Application Identifiers (AIDs) and a random number, denoted as RndC.IV. The random number serves to make the Initialization Vectors (IVs) for encryption unpredictable, ensuring that the encrypted AIDs differ with every command, even when the same plaintext AIDs are used. The encryption process uses an application-specific static selection key (KSEL), which derives both encryption and MAC keys for secure calculations. The encryption of the IV is represented as ENC IV = ENCECB(KSELx_MAC, RndC.IV), where the block size is 16 bytes, enabling the use of cryptographic algorithms such as AES. While the example employs the CBC (Cipher Block Chaining) mode for encryption, other modes like GCM (Galois / Counter Mode) are also feasible.
[0127] Additionally, the command includes Tx and LPIainOIDx, which provide information about the plaintext AID. The system 300 allows flexibility by supporting full, partial, or relative AIDs, ensuring adaptability to various application identification scenarios. The cryptographic protection of AIDs using KSEL not only secures the identifiers but also individualizes the encryption for each application, thereby enhancing security and privacy.
[0128] The second line of Figure 4 represents the response generated by the recipient device 20 and transmitted back to the sender device 10. This response also contains a random number, RndR.IV, which is used to generate a unique IV for the encryption of the response. This ensures that the encrypted blocks in the response are unpredictable and unique, preventing replay attacks. The encryption of the response IV is represented as ENC IV = ENCECB(KSELx_MAC, RndR.IV). The response provides additional information about the selected application, such as the full AID, metadata, and a diversifier, all of which are encrypted for confidentiality.
[0129] RndC.IV included in the response serves as a replay attack protection mechanism, as it allows the sender device 10 to verify that the response corresponds to the original command. The encrypted response must be decrypted and analyzed by the sender device 20 to extract and process the application-specific data.
[0130] This example, using ISO 7816 APDU notation, highlights the use of application-specific static keys (KSEL) to protect both the selection command and response. By reusing these keys for AID protection, the system 300 avoids the need for additional keys while ensuring secure, individualized encryption for each application. The design allows the sender device 10 to analyze all protected AIDs to identify which AID was selected, completing the secure application selection process.
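The Figure 4 exchange and the re-encrypt-and-match step of paragraph [0117], as an added Go example that is not part of the patent text. Assumptions not taken from the disclosure: HMAC-SHA256 stands in for both the key derivation from KSEL and the verification data, padding is ISO/IEC 7816-4, the response body is RndC followed by the full AID (metadata left out), and the names `App`, `Select`, `Open`, `protect` as well as the sample AIDs and keys are made up.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

type App struct{ AID, KSEL []byte } // one application with its own static selection key

// hm is HMAC-SHA256 (assumed stand-in for the unspecified key derivation and MAC).
func hm(key []byte, msg ...[]byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(bytes.Join(msg, nil))
	return h.Sum(nil)
}

func encKey(ksel []byte) []byte       { return hm(ksel, []byte("ENC"))[:16] }
func macKey(ksel []byte) []byte       { return hm(ksel, []byte("MAC"))[:16] }
func tag(ksel, rnd, ct []byte) []byte { return hm(macKey(ksel), rnd, ct)[:8] }

// cbc returns the AES block for the encryption key and ENC_IV = ENC_ECB(KSELx_MAC, rnd).
func cbc(ksel, rnd []byte) (cipher.Block, []byte) {
	macBlk, _ := aes.NewCipher(macKey(ksel)) // 16-byte keys, so NewCipher cannot fail
	encBlk, _ := aes.NewCipher(encKey(ksel))
	iv := make([]byte, 16)
	macBlk.Encrypt(iv, rnd)
	return encBlk, iv
}

// protect pads data (assumed: ISO/IEC 7816-4, 0x80 then zeros) and CBC-encrypts it.
func protect(ksel, rnd, data []byte) []byte {
	out := append(append([]byte{}, data...), 0x80)
	for len(out)%16 != 0 {
		out = append(out, 0)
	}
	blk, iv := cbc(ksel, rnd)
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, out)
	return out
}

func fresh() []byte {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Select is the recipient: it re-encrypts each stored AID under that application's key
// with the received RndC and compares. The response body is RndC || full AID.
func Select(apps []App, rndC, encAID []byte) (rndR, resp []byte, err error) {
	if len(rndC) != 16 {
		return nil, nil, errors.New("RndC must be one block")
	}
	for _, a := range apps {
		if hmac.Equal(protect(a.KSEL, rndC, a.AID), encAID) {
			rndR = fresh()
			ct := protect(a.KSEL, rndR, append(append([]byte{}, rndC...), a.AID...))
			return rndR, append(ct, tag(a.KSEL, rndR, ct)...), nil
		}
	}
	return nil, nil, errors.New("no application matches")
}

// Open is the sender: it checks the tag, decrypts, and requires the echoed RndC to
// equal the one it sent, which rejects a replayed response. It returns the full AID.
func Open(ksel, sentRndC, rndR, resp []byte) ([]byte, error) {
	if len(rndR) != 16 || len(resp) < 40 || (len(resp)-8)%16 != 0 {
		return nil, errors.New("malformed response")
	}
	ct, t := resp[:len(resp)-8], resp[len(resp)-8:]
	if !hmac.Equal(t, tag(ksel, rndR, ct)) {
		return nil, errors.New("verification data mismatch")
	}
	blk, iv := cbc(ksel, rndR)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, ct)
	end := bytes.LastIndexByte(pt, 0x80)
	if end < 16 || !hmac.Equal(pt[:16], sentRndC) {
		return nil, errors.New("response does not echo the RndC that was sent")
	}
	return pt[16:end], nil
}

func main() {
	// Constructed sample data: the AIDs and keys are made up.
	apps := []App{{[]byte{0xA0, 0, 0, 0, 1}, bytes.Repeat([]byte{0x11}, 16)},
		{[]byte{0xA0, 0, 0, 0, 2}, bytes.Repeat([]byte{0x22}, 16)}}
	rndC := fresh()
	rndR, resp, _ := Select(apps, rndC, protect(apps[1].KSEL, rndC, apps[1].AID))
	aid, err := Open(apps[1].KSEL, rndC, rndR, resp)
	fmt.Printf("selected AID %X, err=%v\n", aid, err)
}
```

Because every stored AID is re-encrypted under its own key, the recipient's work grows with the number of installed applications, which is the cost the description addresses with parallelized cryptographic operations.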
[0131] The objective of the invention is to address these shortcomings by introducing a system and method that ensures the confidentiality, authenticity, and integrity of application selection commands, while simultaneously safeguarding the privacy of the selected application and streamlining the cryptographic operations involved.
[0133] Reference Numerals
[0134] 10 sender device
[0135] 20 recipient device
100 method for securely selecting applications
[0136] 110-150 method steps
[0137] 200 method for securely processing application selection commands
[0138] 210-260 method steps
[0139] 300 system
Claims
1. Method (100) for securely selecting applications using application identifiers, AIDs, wherein application-specific static keys are used for encrypting the AIDs, and wherein the method (100) comprises the steps of:
- Receiving (110) a selection command that includes AIDs and a random number;
- Encrypting (120) the AIDs using an application-specific static key;
- Embedding (140) a random number in the encryption to ensure the uniqueness of each encryption and in particular to prevent replay attacks, and
- Transmitting (150) the selection command to a recipient side for further processing by decrypting the AIDs and verifying their authenticity.
2. Method (100) according to the direct preceding claims, wherein the method further comprises:
- Authenticating (130) the selection command through a cryptographic verification using a Message Authentication Code, MAC; and / or
- Receiving an encrypted response message that includes a diversified random number and information about the selected application; and / or
- Ensuring privacy by encrypting the AIDs individually, preventing any inference about the selected application, and / or
- Minimizing performance loss during encryption by implementing parallelized cryptographic processes.
3. Method (100) according to any of the preceding claims, wherein the random number embedded in the encryption is dynamically generated for each selection command to ensure unpredictability and prevent static encryption patterns.
4. Method (100) according to any of the preceding claims, wherein the application-specific static key used for encrypting the AIDs is derived from an existing key that is originally used for protecting response messages, thereby avoiding the use of additional static keys for the infrastructure.
5. Method (100) according to the preceding claims, wherein the selection command includes partial or relative Application Identifiers (AIDs), allowing flexibility in identifying applications stored on the recipient side, and wherein the selection command includes metadata that specifies the structure of the AIDs to facilitate their decryption and interpretation on the recipient side.
6. Method (100) according to the preceding claims, wherein the selection command and response message are transmitted using a secure communication protocol compliant with existing standards, including ISO 7816 or NFC communication standards.
7. Method (100) according to the preceding claims, wherein the encryption process uses a block cipher algorithm operating in a mode selected from the group consisting of CBC (Cipher Block Chaining) mode and GCM (Galois / Counter Mode).
8. Method (200) for securely processing application selection commands, wherein Application Identifiers (AIDs) are protected using cryptographic mechanisms, comprising the steps of:
- Receiving (210) a selection command containing encrypted AIDs and a random number;
- Decrypting (220) the encrypted AIDs using an application-specific static key;
- Identifying (240) the selected application based on the decrypted AIDs;
- Generating (250) an encrypted response message containing:
  - A diversified random number for preventing replay attacks,
  - Information regarding the selected application, including the full AID and associated metadata, and
- Transmitting (260) the encrypted response message to a sender side.
9. Method (200) according to the direct preceding claim, wherein the method (200) includes:
- Authenticating (230) the selection command by verifying a cryptographic Message Authentication Code (MAC); and / or
- Validating a uniqueness of the random number received in the selection command to ensure the integrity of the command.
10. Method (200) according to the direct preceding claim, wherein the method (200) includes:
- Comparing the received encrypted AIDs with its stored applications by re-encrypting its stored AIDs and identifying matches to determine the selected application.
11. Method (200) according to the direct preceding claim, wherein the method (200) includes:
- Encrypting the response message using an application-specific static key to ensure that the message is protected against unauthorized access during transmission.
12. Method (200) according to the preceding claims 7 to 8, wherein the diversified random number included in the encrypted response message serves as a cryptographic nonce to ensure message integrity and prevent replay attacks.
13. Method (200) according to the preceding claims 7-9, wherein the encrypted response message includes verification data enabling the sender side to detect and prevent any unauthorized modifications to the response.
14. System (300) for securely selecting applications, comprising:
- A sender device (10) for generating and transmitting selection commands, configured to:
  - Generate random numbers for ensuring encryption uniqueness and preventing replay attacks;
  - Encrypt Application Identifiers (AIDs) individually using application-specific static keys to ensure privacy and prevent inference about the selected application;
  - Transmit encrypted selection commands, including the AIDs, random numbers, to a recipient device (20);
- The recipient device (20) for receiving and processing selection commands, configured to:
  - Receive encrypted selection commands from the sender device (10);
  - Decrypt the encrypted AIDs using the corresponding application-specific static keys;
  - Identify the selected application based on the decrypted AIDs;
  - Generate an encrypted response message containing:
    - A diversified random number to prevent replay attacks;
    - Information regarding the selected application, including the full AID and associated metadata, and
  - Transmit the encrypted response message back to the sender device (10).
15. Computer program comprising instructions which, when executed by a computer, cause the computer to carry out the method according to any of the preceding method claims.