Title:
AUTHENTICATION METHOD
Document Type and Number:
WIPO Patent Application WO/2003/088564
Kind Code:
A1
Abstract:
The authentication method based on a challenge-response procedure between at least two cryptographic instances A and B of a communication system. The method is used to generate a session key for safe communication between the two instances. Instances A and B can be a CAM and a Smart Card in a conditional access environment.

Inventors:
FROEHLICH HANS-HERMANN (DE)
TUECKE PETER (DE)
Application Number:
PCT/EP2003/003783
Publication Date:
October 23, 2003
Filing Date:
April 11, 2003
Assignee:
SCM MICROSYSTEMS GMBH (DE)
FROEHLICH HANS-HERMANN (DE)
TUECKE PETER (DE)
International Classes:
H04L9/08; H04L9/32; H04N7/16; H04N7/173; (IPC1-7): H04L9/32; H04L9/08; H04N7/167
Domestic Patent References:
WO2001059728A1 2001-08-16
WO1997038530A1 1997-10-16
Foreign References:
US6178507B1 2001-01-23
EP0492692A2 1992-07-01
Other References:
TAEKYOUNG KWON ET AL: "Security and efficiency in authentication protocols resistant to password guessing attacks", LOCAL COMPUTER NETWORKS, 1997. PROCEEDINGS., 22ND ANNUAL CONFERENCE ON MINNEAPOLIS, MN, USA 2-5 NOV. 1997, LOS ALAMITOS, CA, USA,IEEE COMPUT. SOC, US, PAGE(S) 245-252, USA, ISBN: 0-8186-8141-1, XP010252430
Attorney, Agent or Firm:
Degwert, Hartmut (Manzingerweg 7, München, DE)
Claims:
1. An authentication method based on a challenge-response procedure between at least two cryptographic instances A and B of a communication system, wherein the first instance A generates at least a first random number Rnonce, the first instance A reads a serial number Ser from the second instance B, the first instance A generates a challenge s by encrypting a concatenate of at least the first random number Rnonce and the serial number Ser with a public key of an asymmetric key pair, the first instance A sends the challenge s to the second instance B, the second instance B decrypts to s' the challenge s with the private key of the key pair, the second instance B retrieves the serial number Ser' from the decrypted challenge s', the second instance B compares its serial number Ser with the retrieved serial number Ser', the second instance B retrieves the first random number Rnonce' from the decrypted challenge s', the second instance B sends the retrieved first random number Rnonce' to the first instance A, the first instance A compares the first random number Rnonce with the retrieved first random number Rnonce'.
2. The method of claim 1, wherein the concatenate includes a constant known to both instances A and B and the second instance B retrieves and checks also the constant from the decrypted challenge s'.
3. The method of claim 2, wherein the constant is a byte string.
4. The method of any of claims 1 to 3, wherein the first instance A also generates a second random number Rseed which is included in the concatenate, the second instance B retrieves the second random number Rseed' from the decrypted challenge s', and both instances A and B use the second random number Rseed and Rseed', respectively, to generate a common session key S.
5. The method of claim 4, wherein the common session key S is generated by encrypting the serial number Ser with a symmetric encryption algorithm using the second random number Rseed as encryption key.
6. An authentication method based on a challenge-response procedure between at least two cryptographic instances A and B of a communication system, wherein the first instance A generates at least a first random number Rnonce, the first instance A generates a challenge s by encrypting a first concatenate C1 of at a constant known to both instances A and B and at least the first random number Rnonce with a public key of an asymmetric key pair, the first instance A sends the challenge s to the second instance B, the second instance B decrypts to s' the challenge s with the private key of the key pair, the second instance B retrieves the first random number Rnonce' and the constant from the decrypted challenge s', the second instance B verifies the retrieved constant, the second instance B generates a second random number Rseed (SC), the second instance B sends in the clear to the first instance A a second concatenate C2 of the retrieved first random number Rnonce', the second random number Rseed (SC) and an individual characteristic Ser (B) of the second instance B, the first instance A extracts and verifies the retrieved first random number Rnonce' and the individual characteristic Ser (B).
7. The method of claim 6, wherein the first concatenate C1 includes a further random number Rseed (CAM) generated by the first instance, the second instance B retrieves from the decrypted challenge s' the further random number Rseed (CAM), the second concatenate C2 contains the retrieved further random number Rseed (CAM), the first instance A extracts from the second concatenate C2 the second random number Rseed (SC), both instances A and B generate a common session key S by encrypting the individual characteristic Ser (B) with a symmetric encryption algorithm involving both of the second random number Rseed (SC) and the further random number Rseed (CAM) as symmetric encryption keys.
8. The method of claim 7, wherein the individual characteristic Ser (B) is repeatedly encrypted with different ones of the symmetric encryption keys.
9. The method of claim 7 or claim 8, wherein the individual characteristic Ser (B) is the serial number of the second instance.
10. The method of any of the preceding claims, wherein both instances A and B are part of a conditional access system.
11. The method of claim 10, wherein the first instance A is a conditional access module "CAM" and the second instance B is a Smart Card "SC".
12. The method of claim 10, wherein one of the first and second instances A and B is a conditional access module "CAM" and the other is a Set-Top-Box.
13. The method of claim 11, wherein the session key is used for encrypting data exchanged between the CAM and the SC.
14. The method of claim 13, wherein the session key is used for encrypting data exchanged between the CAM and the Set-Top-Box.
Description:
Authentication method

The present invention relates to an authentication method.

1. Conceptual Formulation

In every operational system with an exchange of confidential and secret information between operational components Ai, the problem of mutual authentication of the involved cryptographic entities will arise. When information is transmitted from an instance B of the overall system to an instance A of the overall system, A has to have the opportunity to verify the authenticity of B (and vice versa). Usually the unilateral or mutual authentication is based on the verification of confidential information according to a so-called Challenge-Response-Procedure. In this case instance A sends a sequence of information with a specifically defined syntax ("Challenge") to instance B. Instance B authenticates itself (viewed by A) by reacting to the received information in accordance with the protocol ("Response"). The communication between A and B will possibly be encrypted with a common key known only to A and B. ISO 9798 1-4 describes different prevalent procedures.

Subject of this invention, as defined in the appended claims, is an extended Challenge-Response-Procedure between a Conditional Access Module (hereinafter referred to as CAM) and a deployed Smartcard (hereinafter referred to as SC). The cryptographic system here stands for the system "Conditional Access Module (CAM) and Smartcard", while the instances A and B individually stand for CAM resp. SC (instead of the CAM, a Set-Top-Box with embedded CAM may also be used).

Description of the Conceptual Formulation

The Challenge-Response-Procedure should contain at least the following functions:

- Unilateral authentication of the SC through the CAM
- Common generation and arrangement of a session key S, which is necessary for further transmission of information and supports the exchange of keys (control word) between SC and CAM. This is supposed to establish a secure connection between the respective Smartcard and the CAM.

If possible, a desirable aspect would also be:

- Authentication of the CAM through the Smartcard

2. Formal description of the procedure

Notation: A = CAM, B = SC.

PKA (public key algorithm) is an arbitrary (asymmetric) encryption algorithm with the keys epKF (A; B), dpKF (A; B) (here: epKF (A; B) is the public key, dpKF (A; B) is the associated private key). Furthermore, SKA (Symmetric Key Algorithm) is a symmetric encryption algorithm which is present on A as well as on B.

In the following: e = epKF (A; B), d = dpKF (A; B).

First Embodiment

With reference to Fig. 1 of the appended drawings, a first embodiment of the invention will be disclosed in more detail.

Protocol steps:

Step 1: A creates two (individual) random numbers Rseed (CAM) and Rnonce of sufficient length. Rseed (CAM) will be used as a basic value (seed) for the subsequent derivation; Rnonce acts as a nonce (a number used once) and guarantees the freshness of the communication (enforcement of the temporal binding).

Step 2: A generates a challenge of the form

s = PKA_e (const || Rseed (CAM) || Rnonce)

and sends s to B. Here, "const" is a fixed byte string, which supports the authentication (of the CAM) with regard to the Smartcard. The symbol || denotes the concatenation of character strings. The string (which has to be encrypted with PKA) will possibly be filled up (padded) with zeros.

Step 3: B decrypts s with the secret key d, verifies the prefixed constant const and extracts the components Rseed (CAM) and Rnonce.

Step 4: B creates a random number Rseed (SC) and sends the concatenation Rnonce || Rseed (SC) || Ser (SC) to A. Here: Ser (SC) is the serial number of the card.

Step 5: A checks Rnonce and Ser (SC) (authentication of the SC) and extracts Rseed (SC).

Step 6: Common creation of the session key S: A and B calculate

S = SKA_KSC (SKA_KCAM (Ser (SC))).

Here: SKA = symmetric encryption algorithm which has been implemented on A and B; KSC = Rseed (SC), KCAM = Rseed (CAM).

3a. Illustration of the procedure

The key exchange procedure according to Diffie-Hellman is a popular procedure for the common creation and exchange of keys. Two instances A and B create a common key K (rA; rB) by using commutative encryption operations from individually created random numbers rA and rB. The key has the abstract structure

K (rA; rB) = E (E (s; rA); rB) = E (E (s; rB); rA)

where s is information common to A and B. Unfortunately only a few (symmetric) encryption procedures and mathematical operations have the necessary commutative property E (E (s; rA); rB) = E (E (s; rB); rA). This limits the applicability of the classic Diffie-Hellman procedure to only a few methods such as modular exponentiation and the respective alternative for elliptic curves. Furthermore, those require a high computational effort that cannot be afforded with limited resources.

Step 6, described in section 2, restricts the key agreement method according to Diffie-Hellman to a symmetric encryption algorithm SKA and can therefore be executed in an environment with limited resources. The use of the card's serial number Ser (SC) (which can be read by the CAM with a special command) causes a strong mutual binding between the CAM and the card. Although in step 4 Rseed (CAM) will be transmitted in plaintext, it will not be possible for the attacker to create a valid session key because he is not aware of the short-lived key Rseed (CAM).

The authentication mechanism contains a redundant component. This is because the CAM verifies the nonce Rnonce and also checks the serial number, comparing it with the serial number sent by the card. This complicates the use of piracy cards.

Various options and refinements of the procedure are possible. These could be:

- Instead of the serial number, another card-specific characteristic can be used for the calculation of the session key.
- The Challenge can, in addition to the nonce Rnonce, also be furnished with a time stamp on the part of the CAM.
- Furthermore, this procedure could be used in an iterated way, while previous sequences of the CAM resp. the SC could be logged (by calculating hash values over past (old) data).
- Another aspect is to sign the serial number and have the valid signature verified by the CAM.
- Finally, the transmittal of the data described in step 4 can also occur in an encrypted way.
- Exchange of the common key S after the usage through a mutually acquainted function, e.g. depending on time factors or on the number of usages.

4a. Advantages of the procedure and comparison with conventional solutions

The procedure combines an authentication mechanism with a key-creation/key-exchange mechanism, whereby two cryptographic instances create a common key. The key generation is based on the application of a symmetric encryption algorithm that is applied serially with two different key parts, which are generated independently by the SC and the CAM. This is the main difference between the proposal and similar Challenge-Response-Procedures. The patent WO 97/38530 "Method for Providing a Secure Communication Between Two Devices and Application of this Method" to DigCo BV also describes a combined authentication/key-generation mechanism.

However, in this case only instance A (here: CAM) contributes to the key generation; instance B is passive. With incidental knowledge of the key dpKF (A; B), any desired instance could, from the point of view of the CAM, give an accurate answer (in accordance with the protocol) and establish a communication with the CAM. The procedure pursuant to the invention contains an additional component, which is the link to the card. Moreover, the key will be bilaterally calculated through a one-way function, while according to the above-mentioned patent it directly corresponds to a random number originated on the part of the CAM. This improves the protection against replay attacks. For the calculation of the key only symmetric algorithms are used, which usually require less computational effort. Therefore the Challenge-Response-Procedure can also be realized in an environment that offers only limited calculation power.

5a. System Components

In order to realize the protocol, any desired tools with cryptographic function (Smartcard, Terminal) can be useful. More generally, this could also mean different software-system or network interfaces. Besides the two encryption algorithms SKA/PKA, mainly a mechanism for the creation of random numbers of sufficiently good quality will be necessary. This has to be effective for both sides but also needs to be differently implemented (hardware-based or as a software solution).

Second Embodiment

With reference to Fig. 2, a second embodiment of the invention will be disclosed in detail.

Protocol steps:

Step 1: A creates 2 (individual) random numbers Rseed (CAM) and Rnonce of sufficient length. Rseed (CAM) will be used as a basic value (seed) for the subsequent derivation; Rnonce acts as a nonce (a number used once) and guarantees the freshness of the communication (enforcement of the temporal binding).

Step 2: A reads the serial number Ser (SC) from B, generates a Challenge

s = PKA_e (const || Ser (SC) || Rseed (CAM) || Rnonce)

and sends it to B. Here, const is a fixed byte string, which supports the authentication (of the CAM) with regard to the Smartcard. The symbol || denotes the concatenation of character strings. The string (which has to be encrypted with PKA) will possibly be filled up with zeros.

Step 3: B decrypts s with the secret key d, verifies the prefixed constant const and/or the serial number Ser (SC) and extracts the components Rseed (CAM) and Rnonce.

Step 4: B sends the (unencrypted) random number Rnonce to A.

Step 5: A verifies Rnonce (authentication of the SC).

Step 6: Common creation of the session key S: A and B calculate

S = SKA_KCAM (Ser (SC))

Here: SKA = symmetric encryption algorithm which has been implemented on A and B, KCAM = Rseed (CAM).
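The six steps of the second embodiment, run end to end with both sides' checks; this is an added example, not code from the patent. Assumptions: a toy RSA key built from two Mersenne primes stands in for PKA, HMAC-SHA256 stands in for SKA, and the constant, serial numbers and field lengths are constructed values.

```python
import hashlib, hmac, secrets

# Constructed toy RSA key from two Mersenne primes: stands in for PKA, demo only.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key e, held by A (CAM)
D = pow(E, -1, (P - 1) * (Q - 1))        # private key d, held by B (SC)
NBYTES = (N.bit_length() + 7) // 8
CONST = b"CAM-SC01"                      # assumed value of the shared constant
SER_LEN, RND_LEN = 8, 16                 # assumed field lengths in bytes

def ska(key: bytes, data: bytes) -> bytes:
    """Stand-in for SKA_key(data): HMAC-SHA256 replaces the symmetric cipher."""
    return hmac.new(key, data, hashlib.sha256).digest()

class SmartCard:                         # instance B
    def __init__(self, ser: bytes):
        self.ser, self.session_key = ser, None

    def read_serial(self) -> bytes:
        return self.ser

    def respond(self, s: int):
        """Steps 3, 4 and 6: decrypt, check const and Ser', return Rnonce'."""
        plain = pow(s, D, N).to_bytes(NBYTES, "big")       # zero-filled on the left
        body = plain[-(len(CONST) + SER_LEN + 2 * RND_LEN):]
        const, body = body[:len(CONST)], body[len(CONST):]
        ser, rseed, rnonce = body[:SER_LEN], body[SER_LEN:-RND_LEN], body[-RND_LEN:]
        if not (hmac.compare_digest(const, CONST) and hmac.compare_digest(ser, self.ser)):
            return None                  # challenge was not built for this card
        self.session_key = ska(rseed, self.ser)            # S = SKA_KCAM(Ser(SC))
        return rnonce

class CAM:                               # instance A
    def challenge(self, card: SmartCard) -> int:
        """Steps 1 and 2: s = PKA_e(const || Ser(SC) || Rseed(CAM) || Rnonce)."""
        self.ser = card.read_serial()
        self.rseed = secrets.token_bytes(RND_LEN)
        self.rnonce = secrets.token_bytes(RND_LEN)
        msg = CONST + self.ser + self.rseed + self.rnonce
        return pow(int.from_bytes(msg, "big"), E, N)

    def verify(self, response):
        """Steps 5 and 6: compare Rnonce' with Rnonce, then derive S."""
        if response is None or not hmac.compare_digest(response, self.rnonce):
            return None
        return ska(self.rseed, self.ser)

def authenticate(cam: CAM, card: SmartCard):
    """Full run; returns the CAM's session key, or None if authentication fails."""
    return cam.verify(card.respond(cam.challenge(card)))

if __name__ == "__main__":
    cam, card = CAM(), SmartCard(b"SER00001")              # constructed serials
    key = authenticate(cam, card)
    print("keys match:", key is not None and key == card.session_key)
    s = cam.challenge(card)                                # challenge bound to SER00001
    print("other card accepts it:", SmartCard(b"SER00002").respond(s) is not None)
```

A deployment would replace the zero fill with a randomized padding such as RSA-OAEP and the HMAC stand-in with the SKA that both devices actually implement.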

3b. Illustration of the procedure

The procedure combines a unilateral authentication of the SC with the mechanism for the creation of a session key between two instances A and B (here SC and CAM) based on the common information shared by A and B. The characteristic shared by A and B is here the serial number of the card, which will be used together with the random number Rseed (CAM) generated by A for the derivation of the common key S. The use of the card's serial number usually always enables an implemented authentication against the SC, because the SC has the possibility to verify its own serial number after decrypting the Challenge in Step 1.

This makes it harder to create fresh valid Challenges (see Step 1) by simply copying one-off Challenges (i.e. Challenges which also come from "authentic" cards). The use of the card's serial number Ser (SC) therefore causes a strong mutual binding between the CAM and the card.

Various options and refinements of the procedure are possible. These are outlined in the following:

- Instead of the serial number, another card-specific characteristic can be used for the calculation of the session key.
- The Challenge can, in addition to the nonce Rnonce, also be furnished with a time stamp on the part of the CAM.
- Furthermore, this procedure could be used in an iterated way, while previous sequences of the CAM and/or the SC could be logged (by calculating hash values over past/old data and/or preceding sequences of the protocol). Thereby, the CAM has the possibility to register an exchange of the Smartcard (possibly as a method against the application of piracy cards).
- Another aspect is to sign the serial number and have the valid signature verified by the CAM.
- Finally, the transmittal of the data described in step 4 can occur in an encrypted way.
- Exchange of the common key S after the usage through a mutually acquainted function, e.g. depending on time factors or on the number of usages.

4b. Advantages of the procedure and comparison with familiar solutions

The patent WO 97/38530 "Method for Providing a Secure Communication Between Two Devices and Application of this Method" to DigCo BV also describes a combined authentication/key-production mechanism. Through the retrieval of the card's serial number and/or the verification of the serial number on the part of the SC, this invention-specific procedure also contains an additional authentication mechanism. Moreover, the key will be bilaterally calculated through a one-way function (coming from the SC), while according to the above-mentioned patent it directly corresponds to a random number originated on the part of the CAM. This improves the protection against replay attacks. For the calculation of the key only symmetric algorithms are used, which usually require less computational effort. Therefore the Challenge-Response-Procedure can also be realized in an environment that offers only limited calculation power.

5b. System Components

In order to realize the protocol, any desired tools with cryptographic function (Smartcard, Terminal) can be useful. More generally, this could also mean different software-system or network interfaces. Besides the two encryption algorithms SKA/PKA, mainly a mechanism (on instance A, here CAM) for the creation of random numbers of sufficiently good quality will be necessary.