The invention pertains to a method and device for automatically diagnosing the first reception of an identifier. The invention also relates to a method for detecting a replayed message as well as a recording medium and computer program to implement these methods.
To illustrate the utility of a method for diagnosing the first reception of an identifier, the description shall be situated in a context where a terminal receives enciphered multimedia contents. In such a context, a module generally called a DRM (digital rights management) agent or CAS (conditional access system) is executed in the terminal or in a chip card (or smart card) connected to this terminal. This DRM agent or CAS is entrusted with verifying the conditions of access to the enciphered multimedia content. If the conditions of access are met, it permits the deciphering of the multimedia content. If not, the deciphering is prohibited.
For example, the conditions of access comprise the possession of a valid license or of a valid right of access. To simplify matters, it is assumed here that the conditions of access are a license comprising:
- a key CEK for deciphering the multimedia content,
- a set of rights defining actions permitted on the deciphered multimedia content, such as its viewing, printing, saving etc, and
- constraints limiting the consumption of these rights, such as a maximum totalized duration Tc for the use of the multimedia content or a maximum number Nc of users of the multimedia content.
In these conditions, a malicious user can record the message containing the license and then present it again to the DRM agent or CAS from time to time as if it were a new message. This action of repeatedly presenting a message is called a “message replay”. The attempt to replay messages is called “replay attack”.
When the terminal is able to communicate in two-way mode with the license server which sends out the message containing the license, there exists an efficient solution for combating replay attacks. This solution consists of the insertion of a random number drawn by the terminal in each request for a license sent out by the terminal to the server. The message containing the requested license which has been sent by the server to the terminal contains the same random number retrieved in the request. This means that the DRM agent or CAS can simply diagnose a replay attack by comparing the random number sent out with the one received in response. However, this approach calls for two-way communications between the terminal and the server. Now such two-way communications are not always possible. For example, there are situations in which the messages can be transmitted only from the server to the terminal but not in the other direction.
Should two-way communication be impossible, there are known ways of including a UID identifier in each message that is not to be replayed. The UID identifier provides a unique identification of this message from a set of messages likely to be generated. When this message is received for the first time, the terminal records the UID identifier in an anti-replay memory of the terminal. This anti-play memory is sometimes called an “anti-replay cache”. However, if this message is received for the second time or more than twice, the terminal detects this replay attack in searching for the UID identifier contained in the message among those already contained in the anti-replay memory. If the UID identifier is already in the anti-replay memory, it means that this message has already been received and that it is therefore a replayed message.
The method for diagnosing implemented therefore comprises:
a) searching for a newly received identifier from among those contained in an anti-replay memory to make a diagnosis of whether or not it is the first reception of this newly received identifier, this anti-replay memory being capable of containing M identifiers at most.
The efficiency of this method for diagnosing the first reception of a UID identifier and therefore for detecting a replayed message is limited by the size of the anti-replay memory. Indeed, a memory necessarily has a limited size. The size of the anti-replay memory depends on the terminal used but it can be particularly restricted when the DRM agent or the CAS is in a smart card.
The anti-replay memory can therefore contain only a limited number of UID identifiers. The maximum number of UID identifiers recordable in the anti-replay memory is herein denoted as M. Consequently, after M messages, and hence M UID identifiers, have been received for the first time, it is necessary to erase certain UID identifiers from the anti-replay memory in order to be able to record the new UID identifiers received. It then becomes possible to replay the messages for which the UID identifiers have been erased.
The invention seeks to improve the efficiency of the method for diagnosing the first reception of an identifier.
An object of the invention therefore is a method of this kind comprising:
b) the building of at least one limit as a function of N already received identifiers where N is strictly greater than M, this limit being built so as to demarcate, on one side, a range of identifiers that have not yet been received and, on the other side, a range of identifiers containing the N already received identifiers,
c) comparing the newly received identifier with this limit to determine whether the newly received identifier belongs to a range of identifiers that have not yet been received,
d) if the newly received identifier belongs to the range of identifiers that have not yet been received, diagnosing a first reception of the newly received identifier and newly building the limit as a function of the newly received identifier, and
e) if the newly received identifier belongs to the range of identifiers containing the N already received identifiers, executing the step a).
In the above method, given that the limit is computed as a function of a number of already received identifiers greater than that of the M identifiers contained in the anti-replay memory, this limit intrinsically preserves the trace of a number of identifiers strictly greater than the number M. This means that, at least when the newly received identifier belongs to the range of identifiers that have not yet been received, the degree of certainty on the diagnosis made is greater than that obtained at the end of the step a). The efficiency of this method is therefore improved.
The embodiments of this method for diagnosing may include one or more of the following characteristics:
the method comprises:
the building of said limit for different classes of identifiers, for each class of identifiers the limit associated with this class being built as a function of the N identifiers already received and belonging to this class of identifiers,
the identification of the class of identifiers to which the newly received identifier belongs among the existing classes of identifiers, and
the step c) consists in comparing the newly received identifier with the limit associated with the identified class and in not comparing the newly received identifier with the limits associated with the classes to which it does not belong;
the method comprises:
identifying, through a predetermined law of distribution of the different identifiers receivable in different sections of the anti-replay memory, the section of the anti-replay memory in which the newly received identifier is recordable from among several existing sections, and
at the step a), searching for the newly received identifier only among the identifiers contained in the identified section of the anti-replay memory and not among the identifiers contained +in the sections of the anti-replay memory in which the newly received identifier is not recordable;
the method comprises:
counting the number of identifiers newly received during a time slot,
comparing this number with a predetermined threshold, and
if and only if the predetermined threshold is crossed, detecting a replay attack;
the method comprises:
counting the number of identifiers during a time slot for which it is diagnosed that they are not being received for the first time,
comparing this number with a predetermined threshold, and
if and only if this threshold is crossed, detecting a replay attack;
if the step d) is executed, the step a) is not executed for this newly received identifier;
building the limit comprises determining a minorant or a majorant of the N already received identifiers.
These embodiments of the method for diagnosing furthermore have the following advantages:
- the fact of distributing the identifiers into classes of identifiers and having a limit for each class of identifiers increases the efficiency of the method by increasing the number of cases in which the step a) has not been executed,
- the fact of searching for the newly received identifier only among the identifiers contained in a particular section of the anti-replay memory enables faster diagnosis of the first reception of an identifier,
- counting the number of newly received identifiers and comparing this number with the threshold enables the detection of the replay attacks,
- counting the number of identifiers that are not being received for the first time and comparing this number with the threshold also enables detection of replay attacks,
- not executing the step a) when the step d) is executed gives a gain in execution time because it is possible to diagnose the first reception of an identifier without having to search for this newly received identifier among the identifiers contained in the anti-replay memory.
An object of the invention is also a method for detecting a replayed message, each message containing an identifier used to distinguish it from other messages, this method comprising an automatic diagnosis of the first reception of the identifier to establish whether a received message is being replayed, in compliance with the above method for diagnosing.
An object of the invention is also an information-recording medium and a computer program comprising instructions for executing one of the above methods when these instructions are executed by an electronic computer.
Finally, an object of the invention is also a device for automatically diagnosing the first reception of an identifier, this device comprising:
a module for searching for a newly received identifier from among those contained in an anti-replay memory,
this anti-replay memory being capable of containing at most M identifiers with which the newly received identifier can be compared,
a builder of at least one limit as a function of N already received identifiers where N is strictly greater than M, this limit being built so as to demarcate, on one side, a range of identifiers that have not yet been received and, on the other side, a range of identifiers containing the N already received identifiers,
a comparator of the newly received identifier with this limit to determine whether the newly received identifier belongs to a range of identifiers that have not yet been received, this comparator being capable of:,
diagnosing a first reception of the newly received identifier if this new identifier belongs to the range of identifiers that have not yet been received and activating the builder to launch a new building of the limit as a function of the newly received identifier, and
activating the search module to launch a search for a newly received identifier from among those contained in the anti-replay memory if the newly received identifier belongs to the range of identifiers containing the N already received identifiers.
The invention will be understood more clearly from the following description given purely as a non-exhaustive example and made with reference to the drawings of which:
- Figure 1 is a schematic illustration of the architecture of a system for transmitting information equipped with a device for diagnosing the first reception of an identifier
- Figure 2 is a schematic illustration of a portion of a message transmitted in the system of figure 1,
- Figure 3 is a flowchart of a method for detecting a replayed message using the device for diagnosing of the system of figure 1.
In these figures, the same references are used to designate the same elements.
Here below in this description, the characteristics and functions well known to those skilled in the art shall not be described in detail.
Figure 1 represents a system 2 for transmitting information. By way of an illustration, this system is a system for transmitting enciphered multimedia content. It contains a server 4 of licenses connected to a multitude of terminals by means of an information transmission network 6. For example, the network 6 is a network for transmitting information by satellite.
To simply figure 1, only one terminal 8 has been represented.
The server 4 sends out messages to terminals. These messages contain licenses enabling each terminal to decipher a previously received multimedia content. To this end, the server 4 comprises a generator 10 of UID identifiers. For each message sent out by the server 4, this generator 10 generates a UID identifier which identifies this message uniquely from among the set of messages sent. For example, the UID identifier is obtained by making a watermark of the license by the use of functions such as a hashing function. The UID identifier can also be obtained by drawing a random number.
The required size of the UID depends on the number of terminals to which messages must be transmitted as well as the number of messages transmitted to each terminal. Here, the number of messages transmitted to each terminal corresponds to the number of licenses purchased from this terminal. Typically, the UID is encoded on 16 bytes.
The terminal 8 receives the messages transmitted by the server 4. For example, this terminal 8 is a decoder capable of receiving a license and the enciphered multimedia content and then, using the key contained in the license, deciphering the multimedia content so that it can be viewed in unencrypted form on a screen 10.
The terminal 8 has a device 12 for automatically diagnosing the first reception of a UID identifier. To simplify the illustrations, the device 12 is represented outside the terminal 8. However, in practice, this device 12 is integrated into the terminal 8 or laid out in a safety processor connected to the terminal 8. For example, the safety processor is a smart card. Typically, the device 12 is part of a DRM agent or CAS.
The device 12 has an anti-replay memory 14. Here, this memory 14 is divided into several sections SEi. The intersection of any two unspecified sections SEi is null.
The device 12 also has an electronic computer 16 capable of diagnosing the first reception of a UID identifier. To this end, the computer 16 comprises:
- a module 20 for searching for UID identifiers among those contained in the memory 14,
- a comparator 22 for comparing the newly received identifier with limits,
- a builder 24 of the limits used by the comparator 22,
- a counter 26 of UID identifiers received, and
- a counter 28 of replayed messages.
These elements are connected to one another as well as to the memory 14 and to a memory 30 by a communications bus.
Here, the domain of the values of the UID identifiers is sub-divided into different classes Cj. Each UID identifier is therefore classified in a class Cj. To this end, a predetermined classification function fc is used. For each UID identifier, this function fc returns the index j of the class to which it belongs. Here, the function fc is such that the union of the set of classes Cj corresponds to the set of UID identifiers which may be generated in the system 2. Preferably, the two-by-two intersection of the classes Cj is empty. Thus, a given UID identifier can belong to only one class Cj. Each class Cj brings together several possible UID identifiers.
Preferably, this function fc is a secret function. For example, the function fc is the function that returns the result of the integer division of the newly received UID identifier by 2m-8 where m is the maximum number of bits that can be used to encode a UID identifier in the system 2. Thus, a function fc of this kind divides all the UID identifiers that can be generated in 28 classes. The result of this function is used to identify the class to which the newly received UID identifier belongs.
The memory 30 comprises especially an associative table 32. With each class Cj of identifiers, this table 32 associates a limit Sminj and a limit Smaxj built by the builder 24. The limit Sminj constitutes a minorant of the UID identifiers already received and belonging to the class Cj. Conversely, the limit Smaxj is the majorant for the same already received UID identifiers. Thus, these boundaries demarcate a range [ Sminj; Smaxj] containing all the already received UID identifiers and belonging to the class Cj. These boundaries also demarcate two ranges ]-2m-1 ; Sminj[ and ]Smaxj ; +2m-1 ] of UID identifiers which have not yet been received where m is the maximum number of bits that can be used to encode a UID identifier in the system 2. Here, M is equal to 128.
The counters 26 and 28 are connected to a reliable clock 34.
The computer 16 is for example a programmable computer capable of executing instructions recorded in an information recording medium. To this end, the computer 16 is connected to a memory 36 containing a program formed by instructions for executing the method of figure 3.
Figure 2 represents a portion of a message transmitted from the server 4 to the terminal 8. This message contains a license L. The license L contains a new UID identifier, a cryptographic key CEK, operating rights DE, constraints CT and a signature MAC used to verify the integrity of the license. The signature MAC is computed by the set of contents of the license in taking account especially of the UID identifier.
The operating rights as well as the constraints on these operating rights have been defined in the introduction to the present description.
The working of the system 2 shall now be described in greater detail with reference to the method of figure 3.
Initially, in a step 50, the terminal 8 receives a new message transmitted by the server 4 through the network 6.
In a step 52, the terminal extracts the UID identifier contained in the message and transmits it to the device 12. More specifically, the UID identifier extracted is contained in the license L. The identifier thus transmitted to the device 12 is the newly received UID identifier.
During a step 54, the device 12 identifies the class Cj to which the newly received UID identifier belongs. To this end, the function fc is applied to the newly received UID identifier.
Then, in a step 56, the device 12 makes a search in the table 32 to find out which are the limits Sminj and Smaxj associated with the class Cj identified in the step 54. The limits thus found are then used for all the steps described here below.
In a step 58, the comparator 22 compares the newly received UID identifier with the limits Sminj and Smaxj found at the step 56. If the newly received UID identifier belongs to the range ]- 2m-1 ; Sminj[ or ]Smaxj ; +2m-1 [, then, the operation carries out a step 60. If not, a step 62 is carried out.
At the step 60, a diagnosis is made without any comparison of the newly received UID identifier with those contained in the memory 14, that this identifier is received for the first time. Consequently, the received message is not identified as a replayed message. For example, this information is sent to the terminal 8 which accepts the received message and processes it. The processing consists for example in extracting the key CEK from the license and then in using this extracted key to decipher the multimedia content so as to be able to view it on the screen 10.
At the step 60, the case where the UID is strictly greater than the limit Smaxj is distinguished from the case where the UID is strictly smaller than the limit Sminj
If the UID identifier is strictly greater than the limit Smaxj, then at a step 64 a new value of the limit Smaxj is built as a function of the newly received UID identifier. Indeed, the current value of the limit Smaxj is no longer a majorant of the UID identifiers already received and belonging to the class Cj. For example, the building of the new value of the limit Smaxj consists in replacing its current value by the value of the newly received UID identifier.
Once the new value of the limit Smaxj has been built, in a step 66, this new value is recorded in the table 32 instead of the former value.
Should the newly received UID identifier be strictly smaller than the limit Sminj, at a step 68, a new value of the limit Sminj is built from the newly received UID identifier value. Indeed, in this case, the current value of the limit Sminj is no longer a minorant of the already received UID identifiers belonging to the class Cj. For example, the building of the new value of the limit Sminj consists in replacing its current value by the value of the newly received UID identifier.
In a step 70, the new value of the limit Sminj is recorded in the table 32 instead of its former value.
At the end of the step 66 or the step 70, a step 71 is performed for identifying the section SEi in which the former value of the limit Smaxj or Sminj must be recorded. Indeed, the former value of the limit is that of a UID identifier received for the first time but which has not yet been recorded in the memory 14. It is therefore processed like a UID identifier received for the first time. Thus, here below in these explanations, this former value of the limit is called the “newly received UID identifier”. To this end, a predetermined distribution function fd is used. For each UID identifier, this function fd returns the index i of the section in which it must be recorded. Here, the function fd is surjective. Furthermore, with each UID identifier that can be generated, it associates only one index i. Thus, a given UID identifier cannot be recorded except in only one section SEi. Each section SEi enables the recording of several UID identifiers. However, the size of each section SEi cannot contain all the UID identifiers likely to be generated in the system 2 which are recordable in this section.
For example, the function fd is identical to the function fc. In this case, it is possible to use the result of the step 54. Another example of a function fd is a function which returns the remainder of the UID identifier modulo 1024 which in this case can be used to group the identifiers together in 1024 sections.
Then, in a step 72, the newly received UID identifier is recorded in the identical section at the step 71. If this section is not full, the newly received UID identifier is recorded in addition to the UID identifiers already contained in the same section. However, if the section SEi of the memory 14 is already full, the UID identifier is recorded instead of another UID identifier contained in the same section. This other UID identifier may for example be chosen at random or according to the “first-in-first-out principle.
At the end of the step 72, the procedure returns to the step 50.
The step 62 is a step for determining the section SEi in which the newly received UID identifier must be recorded. This step is identical to the step 71.
Then, in a step 73, the newly received UID identifier is sought solely among the identifiers recorded in the section identified at the step 62. It can therefore be understood that the distribution of the UID identifiers in the different sections of the memory using the section fd enables this comparison to be accelerated since only one part of the identifiers recorded in the memory 14 must be compared with the newly received UID identifier.
If the newly received UID identifier is identical to one of those recorded in the memory 14, then in a step 74 the device 12 diagnoses the fact that this is not the first reception of this identifier. Consequently, the message containing this identifier is replayed. This information is communicated to the terminal 8.
This identification of a replayed message activates corrective or coercive measures in the terminal 8. For example, the replayed message may be rejected so that the key CEK is not extracted from the license, making the deciphering of the multimedia content impossible.
Should the newly received UID identifier not be in the section identified at the step 62 then, in a step 76, the device 12 diagnoses the fact that this UID identifier is beingd for the first time. This piece of information is communicated to the terminal 8 which reacts accordingly. For example, the terminal 8 accepts the received message, extracts the license from it and especially the key CEK which authorizes the deciphering of the multimedia content by means of the extracted key.
Then, in a step 78, the newly received UID identifier is recorded in the section identified at the step 62. This step is identical to the step 72.
At the end of the step 74 or 78, the method returns to the step 50.
Here, the value of the limit Smaxj is built by recurrence on the basis of the former value of the limit Smaxj and the newly received identifier. As a consequence, the value of the limit Smaxj is a function of the N identifiers already received and belonging to the same class Cj. The value of the limit Smaxj is not reset. Thus, swiftly, this number N exceeds the number M of identifiers recordable in the memory 14 with which the newly received identifier can be compared. Should the memory 14 be divided into several sections, the number N corresponds to the maximum number of UID identifiers recordable in the section SEi. Indeed, here, the newly received identifier is sought solely from those contained in the section SEi in which it should be recorded. The same is true for the building of the limit Sminj.
At the same time as the step 50 to 78, the device 12 goes to a phase 84 for identifying a massive replay attack.
Initially, at a step 86, the current instant t0 given by the clock 34 is recorded by the counter 26. At the same time, a counter Nm-c is set at zero.
Then, in a step 88, for each newly received UID identifier, the counter Nm-c is incremented by one. Then, at a step 90, the counter Nm-c is compared with a predetermined threshold Nm-s. This threshold Nm-s is for example set by the operator. For example, its value is 40.
If the counter Nm-c has not reached the value of the threshold Nm-s, then the method returns to the step 88.
If the counter Nm-c reaches the value of the threshold Nm-s, then the current instant t1 is recorded by the counter 26.
Then, at a step 92, the time slot ?tc between the instants t0 and t1 is compared with a predetermined time threshold Ts. This threshold Ts is set by the operator. For example, this threshold is equal to six hours.
If the interval ?tc is smaller than the threshold Ts then, at a step 94, the device 12 detects a massive replay attack. Indeed, a massive replay attack takes the form of the sending of an abnormally large number of UID identifiers over a short period of time. If not, no replay attack is detected. If a replay attack is detected, this piece of information is communicated to the terminal 8. In response, the terminal 8 triggers corrective or coercive measures.
The phase 84 is repeated from time to time.
At the same time as the phase 84, another phase 100 for detecting a massive replay attack is executed..
Initially, at a step 102, the counter 28 records the current instant t0 and sets a counter Nm-r at the value zero.
Then, at a step 104, the counter Nm-r is incremented by one whenever a UID identifier is diagnosed as having been received. Then, at a step 106, the counter Nm-r is compared with a threshold Nm-r-s. The value of this threshold Nm-r-s is for example ten.
So long as the counter Nm-r is smaller than this threshold Nm-r-s, the step 104 is reiterated.
However, if the contrary is the case, the counter 28 records the current instant t1. Then, at a step 108, the interval ?tr obtained by computing the difference between the instants t0 and t1 is compared with the threshold Tr. The value of this threshold Tr is for example equal to 5. If the interval ?tr is below the threshold Tr, then it means that a large number of UID identifiers have not been received for the first time over a predetermined period of time. Such a situation represents a massive replay attack. Thus, at a step 110, the counter 26 detects the existence of a massive replay attack. This piece of information is transmitted to the terminal 8 which processes it similarly to what was described with reference to the step 94.
After the step 110 or if the interval ?tr is greater than the threshold Tr, the method returns to the step 102.
Thus, the phases 84 and 100 are used to detect replay attacks and hence take the corresponding corrective or coercive measures. These corrective or coercive measures can be a direct sanction such as the prohibition of any deciphering by means of the terminal 8. These sanctions may also be gradual sanctions which increase as and when there is an increase in the number of replay attacks detected. Finally, the corrective or coercive measure can also entail an increase in the monitoring of the replay attacks to confirm the reality of such attacks. The monitoring can be increased by increasing the frequency at which the phases 84 and 100 are executed.
Many other embodiments are possible. For example, when a server needs to detect whether the identifiers are received for the first time, the device for diagnosing the first reception of an identifier described herein can be implemented on the server side. For example, in this case, it is the requests transmitted from the terminals to the server that will each have UID identifiers.
The terminal 8 is not necessarily a decoder. It may be a mobile terminal of a computer, a chip card (or smart card) or any other electronic terminal in which the first reception of an identifier needs to be identified.
The memory 14 may be a file such as for example a file recorded on a hard disk drive.
In the memory 14, the UID identifiers may be associated with time stamps TS. These time stamps indicate the order in which the UID identifiers were recorded in the memory 14 or the instant of recording of each of these identifiers. These time stamps are used to place the oldest UID identifier contained in a section or in the entire memory 14 by the newly received identifier, when the memory is full. When the time stamps are used, the clock 34 can also be omitted. For example, to implement the phases 84 and 100, the time stamp associated with each UID identifier is used rather than a measuring of the instant of reception of this UID identifier by means of the clock 34.
The values of the limits Sminj and Smaxj associated with each class can be reset from time to time.
The values of the limits Sminj and Smaxj are not necessarily set at zero. For example, the limits Sminj and Smaxj can be set at non-zero values obtained on the basis of knowledge possessed on the UID identifiers already used in the system 2.
Other functions fc are possible. Another example of a function fc is the function which returns the rest of the UID identifier modulo 127 which in this case enables 127 classes to be defined.
The function fd can be different from the function fc. In this case, it is necessary to apply this function fd to the value of the newly received UID identifier received at the step 71 to determine which is the section in which this newly received UID identifier should be recorded.
The functions fc and fd are made public or, on the contrary, they are kept secret.
The function fc or fd may for example be chosen from the cyclic redundancy codes CRC8 or CRC16 to respectively define 256 sections or 65535 sections.
In one alternative embodiment, the function fd may be selected dynamically according to the class of the newly received UID identifier, this identifier being determined by fc,.In this case, the function fd applied could be noted as fcd or fd(fc, ).
The messages containing the UID identifiers are not necessarily received by means of a telecommunications network. For example, these messages may be conveyed from the server 4 up to the terminal 8 by means of a recording medium such as a CD-ROM or a USB (universal serial bus) key.
The associative table 32 can be replaced by other similar mechanisms. For example, the limits Sminj and Smaxj can be stored in the section of the memory 14 corresponding to the class with which they are associated.
At the step 58, it is also possible by means of a monotonic function g to convert the newly received UID identifier into a UID’ identifier. Then, it is this UID’ identifier that is compared with the limits Sminj’ and Smaxj’. In this variant, the limits Sminj’ and Smaxj’ are built as described with reference to the steps 64 and 68 except that the building of the new value of the limits Sminj’ and Smaxj’ is done by using the UID’ identifier instead of the UID identifier. These limits Sminj’ and Smaxj’ are therefore built as a function of N already received UID identifiers. Furthermore, the function g is a monotonically increasing or decreasing function. Thus, the comparison of the UID’ identifier with the limits Sminj’ and Smaxj’ is the functional equivalent of a comparison of the UID identifier with the limits Sminj and Smaxj. Thus, this comparison of the UID’ identifier with the limit Sminj’ or Smaxj’ is also qualified as a step of “comparison of the newly received identifier with the limit Sminj or Smaxj”.
Preferably, the limits Sminj and Smaxj are used simultaneously. However, this description applies also if one of these limits Sminj or Smaxj is used alone.
In one simplified embodiment, the UID identifiers are not distributed among different classes. In this case, there is only one limit Smin and only one limit Smax associated with the set of identifiers liable to be generated. Similarly, in a simplified embodiment, the memory 14 is not divided into several sections. This prevents the need to resort to a distribution function.
The threshold used at the phases 84 and 100 can be fixed as a function of a chronology of exchanges of messages between the terminal 8 and the server 4 or as a function of a user profile.
In another embodiment, the observation period ?tc or ?tr is fixed.
In another simplified embodiment, the counters 26 and 28 are omitted and the phases 84 and 100 are omitted too. Thus, in these embodiments, the replay attacks are not detected as a function of the number of UID identifiers received or as a function of the number of times when a UID identifier is diagnosed as not being received for the first time.

We claim:
1. Method for automatically diagnosing the first reception of an identifier, this method comprising:
a) searching (73) for a newly received identifier among those contained in an anti-replay memory, this anti-replay memory being capable of containing at most M identifiers with which the newly received identifier can be compared,
characterized in that the method comprises:
b) building (64, 68) at least one limit as a function of N already received identifiers where N is strictly greater than M, this limit being built so as to demarcate, on one side, a range of identifiers that have not yet been received and, on the other side, a range of identifiers containing the N already received identifiers,
c) comparing (58) the newly received identifier with this limit to determine whether the newly received identifier belongs to a range of identifiers that have not yet been received,
d) if the newly received identifier belongs to the range of identifiers that have not yet been received, diagnosing (60) a first reception of the newly received identifier and newly building (64, 68) the limit as a function of the newly received identifier, and
e) if the newly received identifier belongs to the range of identifiers containing the N already received identifiers, executing the step a).

2. Method for automatically diagnosing the first reception of an identifier, this method comprising:
a) searching (73) for a newly received identifier among those contained in an anti-replay memory, this anti-replay memory being capable of containing at most M identifiers with which the newly received identifier can be compared,
characterized in that the method comprises:
f) building (64, 68) at least one limit as a function of N already received identifiers where N is strictly greater than M, this limit being built so as to demarcate, on one side, a range of identifiers that have not yet been received and, on the other side, a range of identifiers containing the N already received identifiers,
g) comparing (58) the newly received identifier with this limit to determine whether the newly received identifier belongs to a range of identifiers that have not yet been received,
h) if the newly received identifier belongs to the range of identifiers that have not yet been received, diagnosing (60) a first reception of the newly received identifier and newly building (64, 68) the limit as a function of the newly received identifier, and
i) if the newly received identifier belongs to the range of identifiers containing the N already received identifiers, executing the step a).

3. Method according to any one of the above claims, wherein the method comprises:
identifying (62, 71), through a predetermined law of distribution of the different identifiers receivable in different sections of the anti-replay memory, the section of the anti-replay memory in which the newly received identifier is recordable from among several existing sections, and
at the step a), searching (73) for the newly received identifier only among the identifiers contained in the identified section of the anti-replay memory and not among the identifiers contained in the sections of the anti-replay memory in which the newly received identifier is not recordable.

4. Method according to any one of the above claims, wherein the method comprises:
counting (88) the number of identifiers newly received during a time slot,
comparing (90) this number with a predetermined threshold, and
if and only if the predetermined threshold is crossed, detecting a replay attack (94).

5. Method according to any one of the above claims, wherein the method comprises:
counting (104) the number of identifiers, during a time slot, for which it is diagnosed that they are not being received for the first time,
comparing (106) this number with a predetermined threshold, and
if and only if this threshold is crossed, detecting a replay attack (110).

6. Method according to any one of the above claims, if the step d) is executed, the step a) is not executed for this newly received identifier.

7. Method according to any one of the above claims, wherein building the limit comprises determining a minorant or a majorant of the N already received identifiers.

8. Method for detecting the replay of a message, each message containing an identifier used to distinguish it from other messages, this method comprising:
an automatic diagnosis of the first reception of the identifier to establish whether a received message is being replayed,
characterized in that the diagnosis is done in compliance with any one of the above claims.

9. Information recording medium (36) characterized in that it comprises instructions for executing a method according to any one of the above claims when these instructions are executed by an electronic computer.

10. Computer program characterized in that it comprises instructions for executing a method according to any one of the claims 1 to 8, when these instructions are executed by an electronic computer

11. Device for automatically diagnosing the first reception of an identifier, this device comprising:
a module for searching (20) for a newly received identifier from among those contained in an anti-replay memory,
the anti-replay memory (14), this memory being capable of containing at most M identifiers with which the newly received identifier can be compared,
a builder (24) of at least one limit as a function of N already received identifiers where N is strictly greater than M, this limit being built so as to demarcate, on one side, a range of identifiers that have not yet been received and, on the other side, a range of identifiers containing the N already received identifiers,
a comparator (22) of the newly received identifier with this limit to determine whether the newly received identifier belongs to the range of identifiers that have not yet been received, this comparator being capable of:
diagnosing a first reception of the newly received identifier if this new identifier belongs to the range of identifiers that have not yet been received and activating the builder to launch a new building of the limit as a function of the newly received identifier, and
activating the search module to launch a search for a newly received identifier from among those contained in the anti-replay memory if the newly received identifier belongs to the range of identifiers containing the N already received identifiers.