Patent abstract:
The present invention relates to a method (100) of safeguarding a secret of a user which comprises:
- determining (13) a set of mandatory custodians, each having a public key, this set possibly being empty,
- determining (14) a set of non-mandatory custodians, each having a public key, this set possibly being empty,
- selection (15) by the user of a predetermined limit value of the number of partitions necessary to restore the secret, said predetermined limit value being greater than or equal to the number of mandatory custodians,
- if the set of non-mandatory custodians determined is empty: creation (16) of a number of main partitions equal to the number of mandatory custodians, each including a part of the secret and corresponding to a mandatory custodian;
- if the set of non-mandatory custodians determined is not empty: creation (16) of a number of main partitions equal to the number of mandatory custodians plus one, each including a part of the secret and each partition except one corresponding to a mandatory custodian, and developing (17) a number of secondary partitions comprising the content of the remaining main partition, shared by a secret sharing method, each corresponding to a non-mandatory custodian;
- encrypting (18) each partition by means of the public key of the corresponding custodian and
- recording (19) each encrypted partition on a server.
The present invention also relates to a method of restoring a secret of a user.
Publication number: FR3024002A1
Application number: FR1457016
Filing date: 2014-07-21
Publication date: 2016-01-22
Inventors: H Martin Balc; Julien Kowalski; Eric Laubacher; Renaud Lehoux
Applicant: Ercom Engineering Reseaux Communications SAS
IPC main class:
Patent description:

[0001] BACKGROUND OF THE INVENTION The present invention is directed to a method of safeguarding a secret of a user, a method of restoring a secret of a user, a device for safeguarding a secret of a user and a device for restoring a secret of a user. The invention applies in particular to the field of cryptography.
[0002] The present invention applies to the safeguarding and restoration of secrets, more particularly in the field of "cloud" type storage means, in which the secret to be backed up is a keystore. STATE OF THE ART Currently, the safeguarding of secrets, such as passwords for example, can be carried out in several ways. First, there are ways to back up secrets protected by a password, such as the Keeper application or the iTunes application marketed by Apple Corporation, which allows the data contained in a device to be backed up and restored by means of a password. This technique requires the user to remember a different password depending on the nature of the secret. In addition, the security of a secret protected by a password depends on the complexity of the password, which is inversely proportional to the ease with which the user can memorise or type the password. The user must therefore make a compromise between the security and the ergonomics of the system. The article "Using a high-performance programmable secure coprocessor" by Sean W. Smith et al., published in February 1998 for the 2nd International Conference on Financial Cryptography, gives a second example of safeguarding secrets: the backup of secrets protected by an encryption key managed by trusted hardware. The use of trusted hardware solves the problem of compromise of a password-protected secret backup. However, the user must have the trusted hardware at hand in all circumstances. Another secret backup technique is a backup protected by an encryption key managed by a trusted third party, such as the "server side encryption" service of Amazon S3 (registered trademark). The "server side encryption" service is used to encrypt data backed up to Amazon S3 cloud storage, with encryption managed by Amazon.
Similarly, there are also key escrow methods that allow an escrow authority to access said keys even though the user has forgotten the secrets giving access to them. Key escrow methods are explained in the NIST report "Requirements for Key Recovery Products" published in November 1998. Encrypted backup solutions in which the encryption key is managed by a third party solve the problems raised by the first two techniques. Indeed, this technique requires neither a password nor trusted hardware, but the user must trust the third party managing the encryption key, who has access to the data saved by the user. Finally, various secret sharing methods exist, which consist in sharing the secret elements to be safeguarded between several third parties. Secret sharing methods are described in "Safeguarding Cryptographic Keys" by Blakley, G. R., published in June 1979 in "Proceedings of the 1979 AFIPS National Computer Conference, Volume 48", and in "How to share a secret" by Shamir, Adi, published in November 1979 in "Magazine Communications of the ACM, Volume 22 Issue 11". Secret sharing methods provide mathematical sharing schemes, which are not designed to be ergonomic. U.S. Patent No. US 7,916,871 describes a method for backing up keys of sensitive material by secret sharing. The method described in US Patent No. US 7,916,871 is such that the custodians of the parts of a secret perform the backup and restoration actions in a concerted manner. A user who wants to initiate the backup or restoration of the secret cannot use the described method. In addition, the method described in US Pat. No. 7,916,871 has low resistance to long-run attacks. OBJECT OF THE INVENTION The present invention aims to remedy all or part of these disadvantages.
For this purpose, according to a first aspect, the present invention aims at a method of safeguarding a secret of a user which comprises the following steps:
- determination of a set of custodians called "mandatory custodians", each custodian having a public key, this set possibly being empty,
- determination of a set of custodians called "non-mandatory custodians", each custodian having a public key, this set possibly being empty,
- selection by the user of a predetermined limit value of the number of partitions necessary to restore the secret, said predetermined limit value being greater than or equal to the number of mandatory custodians,
- if the set of non-mandatory custodians determined is empty: creation of a number of partitions called "main partitions" equal to the number of mandatory custodians, each partition containing at least a part of the secret and corresponding to a mandatory custodian;
- if the set of non-mandatory custodians determined is not empty: creation of a number of partitions called "main partitions" equal to the number of mandatory custodians plus one, each partition comprising at least a part of the secret and each partition except one corresponding to a mandatory custodian, and development of a number of partitions called "secondary partitions" comprising the content of the remaining main partition, shared by a secret sharing method, each corresponding to a non-mandatory custodian;
- encryption of each main partition and each secondary partition by means of the public key of the corresponding custodian and
- recording of each encrypted partition on a server.
[0003] It is recalled here that a public key is one of the keys of a key pair (also called "biclef") of a public key infrastructure (PKI). These embodiments have the advantage of increased security of the saved secret, since the confidentiality and integrity of the saved secret are independent of the quality of a password. In addition, the security of the saved secret does not depend on the user's trust in a single third party. In addition, the user does not need to memorise an item such as a password or to have trusted hardware. These embodiments also make it possible to obtain improved ergonomics and integrity. Indeed, the backup of the secret is fully automated once the user has selected each custodian of the secret. In embodiments, at least one custodian is a server.
[0004] Having a server as a custodian makes it possible to have a partition of the backup corresponding to a server. During a restoration of the secret, the restoration procedure is simplified for the user and its duration is reduced. In addition, the server is available at any time.
[0005] In embodiments, at least one custodian is a user. These embodiments have the advantage of making it possible to authenticate a custodian by voice or visually, for example, and to detect the author of a disclosure of a partition of the secret. Indeed, certain problems of compromise of a server are avoided, and the user can evaluate the level of trust that he places in a custodian user. In addition, in the embodiments in which the user selects at least one custodian server and at least one custodian user, the backup and eventual restoration of the secret are not purely computer-based. The user of the device can therefore have an assurance of confidentiality in case of an attack on the server.
[0006] According to a second aspect, the present invention aims at a method of restoring a secret of a user which comprises the following steps:
- establishment of a secure channel between the user and at least a predetermined limit value of custodians of a partition of the secret, said predetermined limit value corresponding to the number of partitions of the secret necessary to restore the secret, the user authenticating each custodian and each custodian authenticating the user,
- request for restoration of the secret by the user to a server,
- decryption of at least the predetermined limit value of partitions, each partition being decrypted by means of a private key of the corresponding custodian,
- transmission to the user, by each custodian, of the corresponding decrypted partition, by means of the established secure channel and
- reconstruction of the secret by the user from each decrypted partition.
The advantage of these embodiments is to distribute the secret so as to make restoration possible from a part of the partitions of the secret. In addition, each custodian is independent of the others, and the corresponding partition of the secret discloses neither the number of custodians nor the contents of the other partitions. In addition, the established secure channel ensures the confidentiality and integrity of the data passing through it, and its establishment is independent of any storage of a secret by a user.
[0007] In embodiments, the method for restoring a secret that is the subject of the present invention further comprises the following steps:
- sending of an authentication challenge to the user by the server,
- transmission by the user to the server of the response to the challenge, authenticating the user to the server.
[0008] The advantage of this embodiment is to allow the server to authenticate the user requesting the restoration of the secret, or to authenticate a custodian user accepting the restoration of a partition of the secret. In embodiments, the method of restoring a secret that is the subject of the present invention further comprises a step of establishing a secure channel between the user and a custodian user, which comprises the following steps:
- determination of a password by the user,
- sending by the user of a Diffie-Hellman exchange, called "user Diffie-Hellman exchange", encrypted by said password, to a custodian user by means of the server,
- determination of a password, called "custodian password", by the custodian user,
- sending by said custodian user of a Diffie-Hellman exchange, called "custodian Diffie-Hellman exchange", encrypted by said custodian password, to the user by means of the server,
- mutual authentication of the user and said custodian user by a third-party channel,
- exchange of each password between the user and said custodian user by means of said third-party channel,
- decryption of the custodian Diffie-Hellman exchange by means of the custodian password by the user and
- decryption of the user Diffie-Hellman exchange by means of the password by said custodian user.
It is recalled here that the Diffie-Hellman exchange, in cryptography, is a key exchange method by which two people can agree on a number (which they can use as a key to encrypt the following conversation) without a third person being able to discover the number, even having listened to all their exchanges. The user Diffie-Hellman exchange is the part of the exchange performed by the user, and the custodian Diffie-Hellman exchange is the part of the exchange performed by the custodian. These embodiments have the advantage of involving an interaction, preferably by telephone, between the user and a custodian user to ensure the identity of the user.
In these embodiments, the custodian and the user authenticate themselves to the server and to each other, so the security of the backup is increased. In addition, the use of Diffie-Hellman exchanges provides increased robustness.
[0009] In embodiments, the step of requesting restoration of the secret includes a step of notifying the custodian of a restoration request.
[0010] The advantage of these embodiments is to inform the custodian that an intervention of said custodian in an operation of restoring the secret is requested.
[0011] In embodiments, at least one partition corresponds to a server and at least one partition corresponds to a user, and the step of decrypting each partition corresponding to each server is performed after the authentication of the user by each custodian user. These embodiments have the advantage of enhanced security, the server decrypting and disclosing its partition only after a multi-factor authentication comprising a challenge response and an authentication of the user by each custodian user. In embodiments, each step of transmission, by each custodian, of the decrypted partition corresponding to said custodian is performed after each secure channel between the user and each custodian has been established. The advantage of these embodiments is to wait until all the steps of establishing secure connections are completed before transferring the decrypted partitions. According to a third aspect, the present invention aims at a device for safeguarding a secret, which comprises:
- a memory storing a program and
- a central unit which comprises at least one server and which, by executing instructions of the program, carries out the steps of the backup method that is the subject of the present invention.
These embodiments have the advantage of having a program stored in a memory for implementing the method of safeguarding a secret. According to a fourth aspect, the present invention aims at a device for restoring a secret, which comprises:
- a memory storing a program and
- a central unit which comprises at least one server and which, by executing instructions of the program, carries out the steps of the restoration method that is the subject of the present invention.
The advantage of these embodiments is to implement a method of restoring a secret by means of a program stored in a memory.
BRIEF DESCRIPTION OF THE FIGURES Other advantages, aims and features of the invention will emerge from the following non-limiting description of at least one particular embodiment of a method for safeguarding a secret of a user, a method of restoring a secret of a user, a device for safeguarding a secret of a user and a device for restoring a secret of a user, in which:
- FIG. 1 represents, in the form of a logic diagram, the steps of a particular embodiment of a backup method that is the subject of the present invention;
- FIG. 2 represents, in the form of a logic diagram, the steps of a first particular embodiment of a restoration method that is the subject of the present invention;
- FIG. 3 represents, in the form of a logic diagram, the steps of a second particular embodiment of a restoration method that is the subject of the present invention;
- FIG. 4 represents, in the form of a logic diagram, the steps of a third particular embodiment of a restoration method that is the subject of the present invention;
- FIG. 5 represents, in the form of a logic diagram, the steps of a fourth particular embodiment of a restoration method that is the subject of the present invention and
- FIG. 6 shows, schematically, a device for safeguarding a secret and/or restoring a secret that is the subject of the present invention.
[0012] Description of Exemplary Embodiments of the Invention It is noted from the outset that the figures are not to scale.
[0013] From now on, a secret is defined as being an element of authentication of the user to various services, such as a signature private key or a password for example, and/or an encrypted document. A custodian is defined as a user, a server or a storage means that can be authenticated by the user and to which a partition of the secret corresponds. The custodian holds a partition of the secret, but does not have access to the contents of this partition. In the case where a single server holds a partition of the secret and manages the steps of a method of safeguarding a secret that is the subject of the present invention and/or the steps of a method of restoring a secret that is the subject of the present invention, said server has access to the contents of the partition corresponding to said server. An application is defined as a computer program installed on a computer or on a communicating portable terminal such as a mobile phone, preferably of the smartphone type, a digital tablet or a laptop, for example. In the embodiments described below, each connection of a user to a server is protected in confidentiality and integrity, and said server is authenticated by said user. The connection of a user to a server is performed using a TLS ("Transport Layer Security") connection, for example. A server is defined as a hardware or software computing device. A server can manage the steps of a method of safeguarding a secret that is the subject of the present invention. A server can manage the steps of a method of restoring a secret that is the subject of the present invention.
[0014] Preferably, the same server manages the steps of the method of safeguarding a secret and of the method of restoring a secret. A server can also be a custodian of the secret. The server managing the steps of the method of safeguarding a secret and/or of the method of restoring a secret can be a custodian of a partition of the secret.
[0015] FIG. 1 shows the steps of a particular embodiment 100 of a backup method that is the subject of the present invention. The method 100 comprises the following steps:
- connection 11 of a user to a server,
- authentication 12 of the user,
- determination 13 of a set of custodians called "mandatory custodians", each custodian having a public key, this set possibly being empty,
- determination 14 of a set of custodians called "non-mandatory custodians", each custodian having a public key, this set possibly being empty,
- selection 15 by the user of a predetermined limit value of the number of partitions necessary to restore the secret, said predetermined limit value being greater than or equal to the number of mandatory custodians,
- if the set of non-mandatory custodians determined is empty: creation 16 of a number of partitions called "main partitions" equal to the number of mandatory custodians, each partition containing at least a part of the secret and corresponding to a mandatory custodian;
- if the set of non-mandatory custodians determined is not empty: creation 16 of a number of partitions called "main partitions" equal to the number of mandatory custodians plus one, each partition comprising at least a part of the secret and each partition except one corresponding to a mandatory custodian, and development 17 of a number of partitions called "secondary partitions" comprising the content of the remaining main partition, shared by a secret sharing method, each corresponding to a non-mandatory custodian;
- encryption 18 of each main partition and each secondary partition by means of the public key of the corresponding custodian and
- recording 19 of each encrypted partition on the server.
[0016] The step 11 of connecting a user to the server is performed by means of an application. The connection to the server is preferably a TLS connection. The connection step 11 is followed by a step 12 of authentication of the user. The authentication step 12 can be an authentication by:
- password,
- PIN code ("Personal Identification Number"),
- passphrase,
- magnetic card,
- RFID ("Radio Frequency Identification"),
- USB key ("Universal Serial Bus"),
- smart card,
- communicating mobile terminal, of the smartphone type for example,
- fingerprint,
- retinal print,
- a biometric element,
- voice recognition,
- or any other form of authentication.
The authentication step 12 may be a strong authentication. It is recalled here that, in information systems security, strong authentication is an identification procedure that requires the combination of at least two authentication factors.
[0017] After authentication of the user, the user proceeds to the step 13 of determining a set of mandatory custodians, the set possibly being empty. A mandatory custodian is a custodian whose partition is necessary for the restoration process. Preferably, at least one user, called "contact", who may be a custodian user, is registered in the user's application. At least one server, called "contact server", which can be a custodian server, is presented to the user by means of the user's application. The determination of the set of mandatory custodians is a selection by the user of at least one registered contact and/or a presented contact server. Upon selection, the user may designate each selected custodian as a mandatory custodian or a non-mandatory custodian. Once each mandatory custodian has been designated, the user performs the step 14 of determining a set of non-mandatory custodians, the set possibly being empty. A non-mandatory custodian is a custodian corresponding to a secondary partition. Preferably, the determination of the set of non-mandatory custodians is a selection by the user of at least one registered contact and/or a presented contact server, designated as a non-mandatory custodian.
[0018] The set of non-mandatory custodians is empty if the user has not selected any contact or contact server as a non-mandatory custodian of a partition of the secret. Each custodian has a public key. A custodian may be another user, called a "custodian user", or a server. In step 15, the user determines a number n of non-mandatory custodians and a number p of mandatory custodians. The step 15 of selection by the user of a predetermined limit value of the number of partitions necessary to restore the secret, said predetermined limit value being greater than or equal to the number p of mandatory custodians, is then carried out by means of the user's application. The predetermined limit value may be equal to the number p of mandatory custodians plus at least one non-mandatory custodian, for example. The predetermined limit value is stored on the server. The partitions needed to restore the secret are at least each partition corresponding to each mandatory custodian. Preferably, the user's application proposes to the user a number n of non-mandatory custodians such that the predetermined limit value selected by the user is equal to n + p, where n is a positive integer, each non-mandatory custodian having been designated as such by the user at the step 14 of determining a set of non-mandatory custodians. During the step 15 of selecting the predetermined limit value, the application records on the server the identifier of each custodian and the predetermined limit value selected by the user. In step 15, the user's application also records each custodian corresponding to a partition necessary for the restoration of the secret.
[0019] A partition of the secret is preferably such that, for a number n of non-mandatory custodians and a number p of mandatory custodians, p being a positive integer and n being a positive integer, a secret K is shared into:
- a number p + 1 of partitions Kq, called "main partitions", preferably random, with q a number between 1 and p + 1, such that K = K1 XOR ... XOR Kp+1 (Kp+1 denoting the (p + 1)-th main partition), and
- the main partition Kp+1 is divided into n distinct values, called "secondary partitions", according to a secret sharing method.
If the set of non-mandatory custodians determined is empty, the process proceeds to the step 16 of creating a number p of partitions called "main partitions" equal to the number of mandatory custodians, each partition comprising at least part of the secret and corresponding to a mandatory custodian. The development step 17 is not performed. If the set of non-mandatory custodians is not empty, the backup process proceeds to the creation step 16 of a number of main partitions equal to the number p of mandatory custodians plus one, each comprising at least part of the secret, the p main partitions each corresponding to a distinct mandatory custodian and the remaining partition being shared into secondary partitions according to a secret sharing method.
[0020] The step 16 of creating the partitions is such that a number p + 1 of random main partitions Kq is created, with q a number between 1 and p + 1, such that K = K1 XOR ... XOR Kp+1. Each partition Kq for q between 1 and p is assigned to a mandatory custodian. A secret sharing method is selected depending on the type of secret to be saved.
[0021] The development step 17 consists in producing a number n of secondary partitions comprising the contents of the remaining partition Kp+1 of the secret. The partition Kp+1 is shared into n distinct values according to a secret sharing method, and each secondary partition corresponds to a non-mandatory custodian. The secret sharing method is the method described in the article "How to share a secret" by Shamir, Adi, published in November 1979 in "Magazine Communications of the ACM, Volume 22 Issue 11".
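As an added worked example (not code from the patent or from its applicant), the splitting and reconstruction rules of steps 16 and 17 in Python: K is XOR-split into p + 1 random main partitions, the remaining partition Kp+1 is Shamir-shared into n secondary partitions, and the predetermined limit value fixes how many of those n are needed, namely limit - p. Per-custodian public-key encryption (step 18) is left out; the Shamir field is the Mersenne prime 2^521 - 1, an assumption of this example that limits secrets to 64 bytes.

```python
import secrets
from dataclasses import dataclass

# Field for Shamir sharing: the Mersenne prime 2^521 - 1 (an assumption of this
# example). Any secret of at most 64 bytes is a smaller integer than PRIME.
PRIME = (1 << 521) - 1
MAX_SECRET_LEN = 64


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _eval_poly(coeffs: list, x: int) -> int:
    """Horner evaluation of a polynomial over GF(PRIME); coeffs[0] is the constant term."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def shamir_split(value: int, n: int, t: int) -> list:
    """Shamir (t, n) sharing: value is the constant term of a random degree t-1 polynomial."""
    coeffs = [value] + [secrets.randbelow(PRIME) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def shamir_recover(shares: list) -> int:
    """Lagrange interpolation at x = 0; correct only with at least t distinct shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


@dataclass
class Backup:
    length: int        # byte length of K, needed to turn the recovered integer back into Kp+1
    threshold: int     # number of secondary partitions needed: limit - p (0 when n == 0)
    main: list         # main partitions K1..Kp, one per mandatory custodian
    secondary: list    # Shamir shares of Kp+1, one per non-mandatory custodian


def split_secret(secret: bytes, p: int, n: int, limit: int) -> Backup:
    """Steps 16 and 17: p mandatory custodians, n non-mandatory, limit >= p partitions to restore."""
    if not 0 < len(secret) <= MAX_SECRET_LEN:
        raise ValueError("secret must be 1..64 bytes")
    if p + n == 0 or limit < p:
        raise ValueError("limit value must be >= p and at least one custodian is needed")
    t = limit - p
    if n == 0 and t != 0:
        raise ValueError("with no non-mandatory custodians the limit value must equal p")
    if n > 0 and not 1 <= t <= n:
        raise ValueError("need 1 <= limit - p <= n")
    # Random main partitions; the last one is fixed so that K = K1 XOR ... XOR K_last.
    # With n == 0 that last one is itself a mandatory partition, otherwise it is Kp+1.
    randoms = [secrets.token_bytes(len(secret)) for _ in range(p - 1 if n == 0 else p)]
    last = secret
    for r in randoms:
        last = _xor(last, r)
    if n == 0:
        return Backup(len(secret), 0, randoms + [last], [])
    shares = shamir_split(int.from_bytes(last, "big"), n, t)
    return Backup(len(secret), t, randoms, shares)


def restore_secret(main: list, secondary: list, length: int, threshold: int) -> bytes:
    """Rebuild K from every mandatory partition plus at least `threshold` secondary shares."""
    if len(secondary) < threshold:
        raise ValueError("not enough non-mandatory custodians answered")
    acc = bytes(length)
    for part in main:
        acc = _xor(acc, part)
    if threshold:
        kp1 = shamir_recover(secondary[:threshold]).to_bytes(length, "big")
        acc = _xor(acc, kp1)
    return acc


if __name__ == "__main__":
    # Constructed sample secret: a 32-byte keystore master key.
    K = bytes.fromhex("00112233445566778899aabbccddeeff0123456789abcdef0123456789abcdef")
    b = split_secret(K, p=2, n=3, limit=4)  # both mandatory custodians + any 2 of 3 optional
    print(restore_secret(b.main, b.secondary[1:], b.length, b.threshold) == K)  # True
    print(restore_secret(b.main[1:], b.secondary, b.length, b.threshold) == K)  # False
```

A missing mandatory partition leaves the XOR masked by a random value, while a missing optional share below the threshold is caught before interpolation; this is the asymmetry the patent's two custodian classes are built on.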
[0022] Once the n + p partitions have been produced, each partition is encrypted during the encryption step 18 by means of the public key of the corresponding custodian. The recording step 19 of each encrypted partition on the server is then carried out. During the recording step 19, the server records the correspondence between each partition and each custodian and logs this step. FIG. 2 shows the steps of a particular embodiment of a restoration method 200 that is the subject of the present invention. The method 200 is an embodiment in which a custodian is a server. The method 200 details the steps leading to the transmission to the user of the decrypted partition corresponding to a custodian server. The method 200 comprises the following steps:
- establishment 21 of a secure channel between the user and a custodian server, the user authenticating the custodian server,
- request 22 by the user to the server for restoration of the secret,
- sending 23 of an authentication challenge to the user by the server,
- transmission 24 by the user to the server of the response to the challenge, authenticating the user to the server,
- decryption 25 of the partition corresponding to the custodian server, the partition being decrypted by means of a private key of said authenticated custodian server and
- transmission 26 of the partition decrypted by the server to the user by means of the established secure channel.
The establishment 21 of a secure channel between the user and a custodian server, the user authenticating the custodian server, is performed by means of an application of the user. The establishment 21 of the secure channel is preferably a TLS connection. The user then proceeds to the step 22 of requesting restoration of the secret. Preferably, the request for restoration of the secret comprises a means of identifying the secret to be restored. The request is logged by the server, which accepts the request.
[0023] The request is preferably made by means of an application of the user. The user's application has a graphical interface element, called "restore its secrets" or "I lost my secrets" for example, triggering the request. The graphical interface element is placed on the identification page of the user's application, for example. The method of restoring the partition entrusted to the server comprises a step 23 of sending an authentication challenge to the user by the server. The challenge is preferably a URI ("Uniform Resource Identifier") sent by email to the user. The challenge can be sent by SMS ("Short Message Service") or MMS ("Multimedia Messaging Service"). The challenge can be supplied by the user's application.
[0024] Step 23 is followed by a step 24 of transmission by the user to the server of a response to the authentication challenge. The transmission 24 of the response is preferably carried out using the TLS protocol. The sending 23 and transmission 24 steps implicitly authenticate the user to the server as being the legitimate user of the means of receiving the challenge, the receiving means being an application for example. Following the authentication of the user to the server, the server accepts the restoration request. Once the authentication has been validated, the server proceeds to the decryption 25 of the partition of which the custodian server is the custodian, by means of the private key of said custodian server. The transmission step 26 of the partition decrypted by the server to the user by means of the secure channel is carried out after decryption of the partition by the custodian server. The transmission is preferably carried out using the TLS protocol. Steps 25 and 26 together form a step 27 of retrieval by the user of a decrypted partition. FIG. 3 shows the steps of a particular embodiment of a method for restoring a secret that is the subject of the present invention.
[0025] The method 300 is an embodiment in which a custodian is a user, called "custodian user". The method 300 details the steps leading to the transmission to the user of the decrypted partition of the secret corresponding to a custodian user.
[0026] The method 300 comprises the following steps:
- establishment 21 of a secure channel between the user and a server, the user authenticating the server,
- request 22 by the user to the server for restoration of the secret,
- sending 23 of an authentication challenge to the user by the server,
- transmission 24 by the user to the server of the response to the challenge, authenticating the user to the server,
- determination of a password by the user,
- sending by the user of a Diffie-Hellman exchange, called "user Diffie-Hellman exchange", encrypted by said password, to a custodian user by means of the server,
- determination of a password, called "custodian password", by the custodian user,
- sending by said custodian user of a Diffie-Hellman exchange, called "custodian Diffie-Hellman exchange", encrypted by said custodian password, to the user by means of the server,
- reciprocal authentication of the user and of said custodian user by a third-party channel, which cannot be modified on the fly,
- exchange of each password between the user and said custodian user by means of said third-party channel,
- decryption of the custodian Diffie-Hellman exchange by means of the custodian password by the user,
- decryption 42 of the user Diffie-Hellman exchange by means of the password by said custodian user,
- calculation 43, by the user and by said custodian user, of a shared key by means of each Diffie-Hellman exchange,
- constitution 44 of a verification key, called "user verification key", derived from the shared key calculated by the user, and of a confidentiality key, called "user confidentiality key", derived from the shared key calculated by the user,
- sending 45 to the server of said user verification key,
- constitution 46 of a verification key, called "custodian verification key", derived from the shared key calculated by said custodian user, and of a confidentiality key, called "custodian confidentiality key", derived from the shared key calculated by the custodian user,
- sending 47 to the server of said custodian verification key,
- verification 48 by the server of each verification key,
- transfer 49 by the server of the encrypted custodian partition to the custodian user,
- decryption 50 of the partition corresponding to said custodian user, the partition being decrypted by means of a private key of said authenticated corresponding custodian user,
- re-encryption 51 of the partition corresponding to said custodian user, by said custodian user, by means of the custodian confidentiality key,
- transmission 52 by the custodian user to the user of the partition encrypted by the custodian confidentiality key,
- decryption 53 by the user of the partition transmitted by the custodian user, by means of the user confidentiality key.
The establishment 21 of a secure channel between the user and a server, the user authenticating the server, is performed by means of an application. The establishment 21 of the secure channel is preferably a TLS connection. The user then proceeds to the step 22 of requesting restoration of the secret. The request is logged by the server, which accepts the request. The request is preferably made by means of a user application.
[0027] The method of restoring the partition entrusted to the server comprises a step 23 of sending an authentication challenge to the user from the server. The challenge is preferably a URI sent by email to the user. The challenge can be sent via SMS or MMS. The challenge can be provided by the user's application.
[0028] Step 23 is followed by a step of transmission 24 by the user of a response to the authentication challenge to the server. The transmission 24 of the response is preferably carried out using the TLS protocol. The sending 23 and transmission 24 steps implicitly authenticate the user to the server as being the owner of the means by which the challenge is received. Following the authentication of the user to the server, the server accepts the restore request. If the response to the authentication challenge sent by the user to the server is incorrect, the server terminates the secret restoration process.
[0029] Once the user has been authenticated by the server and the server authenticated by the user, the method proceeds to a step of determining a password by the user. The password is determined by means of a user application. The password is preferably a short code of the PIN type. Preferably, the password comprises four digits.
[0030] The sending step 36 by the user of a Diffie-Hellman exchange called "user Diffie-Hellman exchange", encrypted by said password, to the custodian user by means of the server is performed immediately after the determination 35 of the password. The method proceeds to a step 37 of determining a depository password. The depository password is determined by means of a depository user application. The depository password is preferably a short code of the PIN type. The depository password is preferably of the same format as the password determined in step 35. The sending step 38 by said custodian user of a Diffie-Hellman exchange called "depository Diffie-Hellman exchange", encrypted by said depository password, to the user by means of the server is carried out immediately after the determination 37 of the depository password. The steps 35 and 37 for determining each password can be performed in parallel. The sending steps 36 and 38 of each Diffie-Hellman exchange can be performed in parallel. Once the encrypted Diffie-Hellman exchanges have been transmitted through the server, the user and the custodian user enter into communication, preferably by telephone, and proceed to the reciprocal authentication step 39 of the user and said custodian user by a third-party channel. Preferably, the third-party channel cannot be modified on the fly. Authentication is preferably oral. Once the authentication 39 has been performed, the user and the custodian user proceed to the exchange step 40 of each password by means of said third-party channel. The custodian user transmits the depository password to the user and the user transmits the password to the custodian user by means of said third-party channel. The third-party channel is a means of communication such as, for example, a secure telephone call. The decryption 41 of the depository Diffie-Hellman exchange is performed by the user by means of the depository password. Similarly, the custodian user performs the decryption 42 of the user Diffie-Hellman exchange by means of the password.
Steps 41 and 42 may be performed in parallel. Steps 35 to 42 constitute a step of establishing a secure channel between the user and the custodian user. The step of establishing a secure channel between the user and the custodian user preferably requires no prior shared secret. In embodiments, steps 35 to 42 may be replaced by establishing a secure channel using the ZRTP protocol.
[0031] The ZRTP protocol is configured to establish a shared key. The calculation 43 by the user and said custodian user of a shared key is performed by means of each decrypted Diffie-Hellman exchange. The user application constitutes 44 a verification key called "user verification key", derived from the shared key calculated by the user, and a confidentiality key called "user confidentiality key", derived from the shared key calculated by the user. The user verification key and the user confidentiality key are obtained in a similar manner. The user application sends 45 said user verification key to the server. The depository application constitutes 46 a verification key called "depository verification key", derived from the shared key calculated by said custodian user, and a confidentiality key called "depository confidentiality key", derived from the shared key calculated by the custodian user. The depository verification key and the depository confidentiality key are obtained in a similar way. The depository application sends 47 said depository verification key to the server. The server proceeds to the verification 48 of each verification key. If the verification keys are incorrect, the server interrupts the secret restoration procedure.
[0032] Once each verification key has been verified by the server, the server transfers 49 the encrypted depository partition to the custodian user. The custodian user decrypts 50 the partition corresponding to said custodian user, the partition being decrypted by means of the private key of said authenticated custodian user corresponding to the partition. Then the custodian user proceeds to the re-encryption 51 of the partition corresponding to said custodian user by means of the depository confidentiality key calculated in step 46. The custodian user proceeds to the transmission 52 of the partition to the user by means of the server, said partition being encrypted by the depository confidentiality key. The user then proceeds to the decryption 53 of the partition transmitted by the custodian user by means of the user confidentiality key constituted in step 46.
[0033] Steps 35 to 52 together constitute a step 54 of recovery by the user of a decrypted partition. FIG. 4 shows the steps of a third embodiment 400 of a restoration method that is the subject of the present invention.
[0034] The method 400 is an embodiment in which s depositories are servers, with s a positive integer, and u depositories are custodian users, with u a positive integer. The method 400 details the steps leading to the reconstruction of the secret from at least each decrypted partition, corresponding to each depository, necessary for the restoration of the secret.
[0035] The method 400 comprises the following steps:
- establishment 21 of a secure channel between the user and a server, the user authenticating the server,
- request 22 for restoration of the secret by the user to the server,
- sending 23 of an authentication challenge to the user by the server,
- transmission 24 by the user to the server of the challenge response, authenticating the user to the server,
- recovery 27-1 to 27-s and 54-1 to 54-u by the user of each of the s + u decrypted partitions, s corresponding to a number of depository servers, u corresponding to a number of custodian users, and s + u corresponding to at least the number of partitions needed to restore the secret, and
- reconstruction 401 of the secret from each decrypted partition.
Steps 21 to 24 are identical to steps 21 to 24 detailed for method 200 for a depository server, or to the steps detailed in method 300 that correspond to steps 21 to 24 of method 200, for a custodian user. Steps 27-1 to 27-s are identical to step 27 of method 200 for the depository servers. Steps 54-1 to 54-u are identical to step 54 of method 300 for a custodian user. Steps 27-1 to 27-s and 54-1 to 54-u are performed in parallel or sequentially. Each partition decrypted in steps 27-1 to 27-s and 54-1 to 54-u is transmitted by each depository, by means of the secure channel established for that depository, during a step of transmission by each depository of the decrypted partition corresponding to said depository. Each partition of the secret is sent to the user's application using the established secure channel. This secure channel is the channel established between the user and each depository in step 21 of method 200 for each depository server, or in steps 35 to 42 of method 300 for each custodian user. The secret reconstruction step 401 from each decrypted partition is implemented by a user application once each partition necessary to restore the secret has been decrypted and received by the user's application.
The partitions necessary to restore the secret are at least each partition called "main partition" corresponding to each mandatory depository, the correspondence being defined during the process of backing up the secret. If, during the secret backup process, at least one non-mandatory depository has been determined, a complement of secondary partitions, taken among the secondary partitions each corresponding to a non-mandatory depository, may be necessary to restore the secret. Said complement is such that the sum of the number of mandatory depository partitions and the complement of non-mandatory depository partitions is equal to the predetermined limit value determined during the backup of the secret.
[0036] A partition called "secondary partition" is a partition corresponding to a non-mandatory depository. In embodiments, a server is a mandatory depository. In embodiments, a single custodian user is a mandatory depository. In embodiments, each step of transmission, by each depository, of the decrypted partition corresponding to said depository is performed after each secure channel between the user and each depository has been established.
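As an added worked example (not code from the patent or from the applicant), the partition layout of steps 13 to 17 and the reconstruction 401 in Python. It assumes additive sharing for the main partitions and Shamir sharing over the prime field GF(2^127 - 1) as the "method of sharing a secret"; the per-depository public-key encryption and recording on the server (steps 18 and 19) are left out.

```python
"""Constructed example: main/secondary partitions (steps 13-17) and
reconstruction (step 401).  Assumptions: main partitions are additive shares
of the secret modulo P, and the remaining main partition is Shamir-shared
among the non-mandatory depositories with threshold limit - len(mandatory).
P = 2**127 - 1 is a Mersenne prime used only to keep the arithmetic simple."""
import secrets

P = 2**127 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial with coefficients in GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def shamir_split(value, n, k):
    """n shares {index: y} of value; any k of them reconstruct it."""
    coeffs = [value % P] + [secrets.randbelow(P) for _ in range(k - 1)]
    return {i: _eval_poly(coeffs, i) for i in range(1, n + 1)}


def shamir_combine(shares):
    """Lagrange interpolation at x = 0 over GF(P)."""
    total = 0
    for i, y_i in shares.items():
        num, den = 1, 1
        for j in shares:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + y_i * num * pow(den, P - 2, P)) % P
    return total


def backup(secret, mandatory, non_mandatory, limit):
    """Steps 13-17: returns {depository: partition}.
    A main partition is ("main", value); a secondary one is
    ("secondary", share_index, share_value)."""
    m = len(mandatory)
    if limit < m:
        raise ValueError("limit must be >= number of mandatory depositories")
    if not non_mandatory and limit != m:
        raise ValueError("without non-mandatory depositories every main "
                         "partition is needed, so limit must equal m")
    n_main = m if not non_mandatory else m + 1
    mains = [secrets.randbelow(P) for _ in range(n_main - 1)]
    mains.append((secret - sum(mains)) % P)   # secret == sum(mains) mod P
    partitions = {dep: ("main", mains[i]) for i, dep in enumerate(mandatory)}
    if non_mandatory:
        threshold = limit - m                  # the "complement" of step 401
        if not 1 <= threshold <= len(non_mandatory):
            raise ValueError("limit - m must lie in 1..len(non_mandatory)")
        shares = shamir_split(mains[-1], len(non_mandatory), threshold)
        for idx, dep in enumerate(non_mandatory, start=1):
            partitions[dep] = ("secondary", idx, shares[idx])
    return partitions


def restore(received, mandatory, limit):
    """Step 401: every mandatory (main) partition plus limit - m secondary
    partitions must be present; otherwise the secret cannot be rebuilt."""
    m = len(mandatory)
    mains = []
    for dep in mandatory:
        part = received.get(dep)
        if part is None or part[0] != "main":
            raise ValueError(f"main partition of mandatory depository {dep} missing")
        mains.append(part[1])
    secondary = {p[1]: p[2] for p in received.values() if p[0] == "secondary"}
    threshold = limit - m
    if threshold > 0:
        if len(secondary) < threshold:
            raise ValueError("not enough secondary partitions")
        chosen = dict(list(secondary.items())[:threshold])
        mains.append(shamir_combine(chosen))
    return sum(mains) % P


if __name__ == "__main__":
    SECRET = 0x1234_5678_9ABC_DEF0_1122_3344_5566_7788 % P   # constructed value
    parts = backup(SECRET, ["server", "alice"], ["bob", "carol", "dave"], 4)
    got = restore({k: parts[k] for k in ("server", "alice", "bob", "dave")},
                  ["server", "alice"], 4)
    print("restored" if got == SECRET else "mismatch")
```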
[0037] FIG. 5 shows the steps of a particular embodiment of a method 500 for restoring a secret, object of the present invention. The method 500 is an embodiment in which the user has determined two depositories. Both depositories are mandatory depositories and no non-mandatory depository is determined. One depository is a user called "custodian user"; the second depository is a server. The method 500 details the steps leading to the decryption of each partition of the secret. In addition, the recovery steps of the partition corresponding to the depository server and of the partition corresponding to the custodian user are scheduled so as to increase the security and ergonomics of the restoration process. The steps of the method 500 are performed by: a user 501, an application 505 of said user 501, a server 510 on which each partition of the secret is recorded, a custodian user 520 and an application 515 of said custodian user 520, called "depository application". Each action of the server 510 is recorded for auditing purposes.
[0038] The user 501 communicates to the application 505 a restore request 525. The application 505 makes a connection 530 to the server 510. The connection 530 to the server 510 is preferably a TLS connection. After the connection 530 of the application 505 to the server 510, the application 505 communicates to the server 510 a request 535 to restore the partition of the secret corresponding to the custodian user 520. The request 535 is logged by the server 510. Once the request 535 has been made by the application 505, the server 510 sends 540 an authentication challenge to the user. The challenge is preferably a URI. The challenge is sent to the user by e-mail if the user has entered an e-mail address. The challenge can be sent via SMS or MMS. The user 501 indicates 545 the challenge response to the application 505, and the application 505 relays 550 this response to the server 510.
[0039] The server 510 performs a verification 555 of the challenge response. The server 510 may reject the request 535 if the challenge is not verified. If the challenge is verified, the server 510 communicates 560 to the application 505 that the procedure is accepted. The check 555 is logged by the server 510. The application 505 determines 565 a short code and uses it to encrypt a challenge. The short code is a password, for example. Preferably, the short code is a PIN code. Preferably, said encrypted challenge is a Diffie-Hellman exchange. The application 505 transmits 570 to the server 510 a value X*, the result of the encryption performed by the application 505.
[0040] The custodian user 520 connects 575 to the server 510 through the depository application 515. The custodian user 520 then authenticates itself to the server 510 via the depository application 515. As long as the custodian user 520 is not authenticated with the server 510, the method 500 is put on hold.
[0041] Then, the server 510 notifies 585 the depository application 515 of the restore request of the user 501. The server 510 transfers 590 the value X*, result of the encryption, to the depository application 515. The notification 585 of the restore request is signaled by the depository application 515 to the custodian user 520. The custodian user 520 may accept 600 the restore request by means of the depository application 515. Once the restore request has been accepted by the custodian user 520, the depository application 515 determines 605 a short code called "custodian short code" and uses it to encrypt a challenge. The short code is a password, for example. Preferably, the custodian short code is a PIN code. Preferably, said encrypted challenge is a Diffie-Hellman exchange. The application 515 transmits to the server 510 a value Y*, the result of the encryption performed by the application 515.
[0042] Then, the server 510 notifies the application 505 of the acceptance of the restore request by the custodian user 520 and transfers to the application 505 the value Y*, result of the custodian's challenge encryption. At the same time, the application 505 displays 630 the short code and the depository application 515 displays 635 the custodian short code. A communication 640 between the user 501 and the custodian user 520 is established by the user 501 or by the custodian user 520. The user 501 and the custodian user 520 identify each other. The user 501 and the custodian user 520 exchange the short code and the custodian short code. Preferably, the communication 640 is a telephone call. In embodiments, the communication 640 is an oral communication, or a communication by email, SMS or MMS.
[0043] Once the short codes have been exchanged, the user 501 enters 645 the custodian short code by means of the application 505. The application 505 calculates 650 a common secret and a common verification key by means of the value x (a Diffie-Hellman secret such that X = g^x) and of the value Y, result of the decryption of the challenge Y*. The common verification key is transmitted 655 by the application 505 to the server 510. The transmission step 655 includes a step of confirmation to the server 510, by the user 501, of the establishment of a verification key. Once the short codes have been exchanged, the custodian user 520 enters 660 the short code by means of the application 515. The application 515 calculates 665 a common secret and a common verification key by means of the value y (a Diffie-Hellman secret such that Y = g^y) and of the value X, result of the decryption of the challenge X*. The common verification key is transmitted 670 by the application 515 to the server 510. The transmission step 670 comprises a step of confirmation to the server 510, by the custodian user 520, of the establishment of a verification key. The common secret and the common verification key must be identical for the calculation 650 performed by the application 505 and the calculation 665 performed by the application 515. The steps 660, 665 and 670 can be performed in parallel with the steps 645, 650 and 655. After receiving the common verification keys and verifying that they are identical, the server 510 sends to the depository application 515 the partition corresponding to said custodian user 520, encrypted by the public key of the custodian user 520. The depository application 515 decrypts 680 the partition corresponding to said custodian user 520 by means of the private key of said custodian user 520, then, in the same step, re-encrypts the partition corresponding to said custodian user 520 by means of the common secret. The re-encrypted partition is transferred 685 to the server 510.
The server 510 decrypts the partition of which it is depository, and transmits 690 the decrypted partition of which said server is depository and the re-encrypted partition of the custodian user to the application 505. Finally, the application 505 decrypts 695 the re-encrypted partition by means of the common verification key, and reconstitutes the user's secret by means of the two received partitions. FIG. 6 shows a device 60 for backing up a secret, object of the present invention, and/or for restoring a secret, object of the present invention. The device 60 comprises a memory 61 of a program and a central unit 62 which comprises at least one server and which, by executing instructions of the program, performs the steps of a backup method that is the subject of the present invention and/or of a restoration method that is the subject of the present invention. The steps performed by the program are preferably steps included in the particular detailed embodiments of the methods 100, 200, 300, 400 and/or 500. The central unit 62 is connected to the memory 61 and accesses the program 63 stored on the memory 61. The central unit 62 executes, by means of the server, the instructions of the program stored on the memory 61.
[0044] Preferably, the server records each action performed for auditing purposes.
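As an added example (not code from the patent or from the applicant), the PIN-masked Diffie-Hellman channel of steps 35 to 53 of method 300 (the exchanges 565 to 695 of method 500) in Python, with the server's verification-key check and the custodian's re-encryption of the partition. Its assumptions, none of which the patent fixes: a toy DH group P = 2^127 - 1 with generator 5, an additive mask derived from the PIN with PBKDF2 as the "encryption by the password", HMAC-SHA256 to derive the two keys, and an HMAC-based stream cipher plus tag in place of a real AEAD for the re-encryption.

```python
"""Constructed example: the PIN-masked Diffie-Hellman channel of steps
35-53 (applications 505/515 in method 500).  Assumptions not in the patent:
a toy DH group P = 2**127 - 1, G = 5 (a deployment would use a standard
group); the "encryption by the password" is an additive mask derived from
the PIN with PBKDF2; the two keys come from HMAC-SHA256; re-encryption uses
an HMAC-based stream cipher plus tag as a stand-in for a real AEAD."""
import hashlib
import hmac
import secrets

P = 2**127 - 1
G = 5


def pin_pad(pin, salt):
    """Mask in [0, P) derived from a 4-digit PIN.  Every candidate PIN
    decrypts X* to some plausible group element, so the relaying server
    cannot test PIN guesses against X* or Y* alone."""
    d = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000, dklen=32)
    return int.from_bytes(d, "big") % P


def kdf(label, shared):
    """Steps 44/46: verification and confidentiality keys from the shared key.
    The server only ever sees the verification key, so the confidentiality
    key must not be derivable from it: distinct labels, same HMAC."""
    return hmac.new(shared, label, hashlib.sha256).digest()


def _stream(key, nonce, length):
    blocks = (hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, data):
    """Step 51: re-encryption of the partition under the confidentiality key."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Step 53: decryption by the user; a bad tag means a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("partition ciphertext rejected")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))


class Party:
    """Either the user (application 505) or the custodian user (application 515)."""

    def __init__(self):
        self.pin = f"{secrets.randbelow(10_000):04d}"   # step 35/37: 4-digit PIN
        self.salt = secrets.token_bytes(16)
        self.x = secrets.randbelow(P - 2) + 1           # DH secret x (or y)
        self.pub = pow(G, self.x, P)                     # X = g^x (or Y = g^y)

    def encrypted_exchange(self):
        """Step 36/38: X* (or Y*), the DH value masked with the party's own PIN."""
        return (self.pub + pin_pad(self.pin, self.salt)) % P, self.salt

    def derive_keys(self, peer_star, peer_salt, peer_pin):
        """Steps 41-46: unmask the peer's value with the PIN heard over the
        third-party channel, compute the shared key, derive both keys."""
        peer_pub = (peer_star - pin_pad(peer_pin, peer_salt)) % P
        shared = pow(peer_pub, self.x, P).to_bytes(16, "big")
        self.verification_key = kdf(b"verification", shared)
        self.confidentiality_key = kdf(b"confidentiality", shared)
        return self.verification_key


def restore_custodian_partition(partition, misheard_pin=False):
    """Runs steps 35-53 for one custodian user.  `partition` is the custodian's
    partition already decrypted with the custodian's private key (step 50 is
    outside this example).  Returns the partition as recovered by the user, or
    None when the server interrupts the restoration at step 48."""
    user, custodian = Party(), Party()
    x_star, x_salt = user.encrypted_exchange()       # relayed by the server
    y_star, y_salt = custodian.encrypted_exchange()  # relayed by the server
    # Step 40: PINs travel over the voice channel, never through the server.
    pin_heard_by_user = custodian.pin
    pin_heard_by_custodian = user.pin
    if misheard_pin:                                  # simulate a wrong PIN
        pin_heard_by_custodian = f"{(int(user.pin) + 1) % 10_000:04d}"
    vk_user = user.derive_keys(y_star, y_salt, pin_heard_by_user)                 # 45
    vk_custodian = custodian.derive_keys(x_star, x_salt, pin_heard_by_custodian)  # 47
    # Step 48: constant-time comparison of the two verification keys.
    if not hmac.compare_digest(vk_user, vk_custodian):
        return None
    blob = seal(custodian.confidentiality_key, partition)   # steps 51-52
    return unseal(user.confidentiality_key, blob)           # step 53
```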
Claims:
Claims (11)
1. A method (100) for safeguarding a secret of a user, characterized in that it comprises the following steps:
- determination (13) of a set of depositories called "mandatory depositories", each depository having a public key, this set being possibly empty,
- determination (14) of a set of depositories called "non-mandatory depositories", each depository having a public key, this set being possibly empty,
- selection (15) by the user of a predetermined limit value of the number of partitions necessary to restore the secret, said predetermined limit value being greater than or equal to the number of mandatory depositories,
if the set of non-mandatory depositories determined is empty:
- creation (16) of a number of partitions called "main partitions" equal to the number of mandatory depositories, each partition containing at least part of the secret and corresponding to a mandatory depository;
if the set of non-mandatory depositories determined is not empty:
- creation (16) of a number of partitions called "main partitions" equal to the number of mandatory depositories plus one, each partition comprising at least a part of the secret and each partition except one corresponding to a mandatory depository, and
- development (17) of a number of partitions called "secondary partitions" comprising the content of the remaining main partition shared by a method of sharing a secret, each corresponding to a non-mandatory depository;
- encryption (18) of each main partition and each secondary partition by means of the public key of the corresponding depository, and
- recording (19) of each encrypted partition on a server.
2. The method (10) of claim 1, wherein at least one depository is a server.
3. Method (10) according to one of claims 1 or 2, wherein at least one depository is a user.
4. A method (200, 300, 400) for restoring a secret of a user, characterized in that it comprises the following steps:
- establishment (21) of a secure channel between the user and at least a predetermined limit value of depositories of a partition of the secret, said predetermined limit value corresponding to a number of partitions of the secret necessary to restore the secret, the user authenticating each depository and each depository authenticating the user,
- restoration request (22) of the secret by the user to a server,
- decryption (25 or 50) of at least the predetermined limit value of partitions, each partition being decrypted by means of a private key of the corresponding depository,
- transmission (26 or 52) to the user, by each depository, of the decrypted partition corresponding to said depository, by means of the established secure channel, and
- reconstruction (401) by the user of the secret from each decrypted partition.
5. Method (200, 300 or 400) according to claim 4, further comprising the following steps:
- sending (23) of an authentication challenge to the user by the server,
- transmission (24) by the user to the server of the response to the authentication challenge, authenticating the user to the server.
6. Method (300) according to one of claims 4 or 5, further comprising a step of establishing a secure channel between the user and a custodian user, which comprises the following steps:
- determination (35) of a password by the user,
- sending (36) by the user of a Diffie-Hellman exchange called "user Diffie-Hellman exchange", encrypted by said password, to a custodian user by means of the server,
- determination (37) of a password called "depository password" by the custodian user,
- sending (38) by said custodian user of a Diffie-Hellman exchange called "depository Diffie-Hellman exchange", encrypted by said depository password, to the user by means of the server,
- reciprocal authentication (39) of the user and said custodian user by a third-party channel,
- exchange (40) of each password between the user and said custodian user through said third-party channel,
- decryption (41) of the depository Diffie-Hellman exchange by the user by means of the depository password, and
- decryption (42) of the user Diffie-Hellman exchange by said custodian user by means of the password.
7. The method (200, 300, 400, 500) according to one of claims 4 to 6, wherein the step of requesting (22) restoration of the secret comprises a step of notifying (585) the depository of a restore request.
8. Method (200, 300, 400) according to one of claims 4 to 7, wherein at least one partition corresponds to a server and at least one partition corresponds to a user, and wherein the decryption step (25 or 50) of each partition corresponding to each server is performed after the authentication of the user by each custodian user.
9. Method (500) according to one of claims 4 to 8, wherein each step of transmission (685), by each depository, of the decrypted partition corresponding to said depository is performed after each secure channel between the user and each depository has been established.
10. Device (60) for safeguarding a secret, characterized in that it comprises:
- a memory (61) of a program, and
- a central unit (62) which comprises at least one server and which, by executing instructions of the program, performs the steps of the backup method according to one of claims 1 to 3.
11. Device (60) for restoring a secret, characterized in that it comprises:
- a memory (61) of a program, and
- a central unit (62) which comprises at least one server and which, by executing instructions of the program, performs the steps of the restoration method according to one of claims 4 to 9.
Family patents:
Publication number | Publication date
EP3340531B1 | 2021-10-13
EP2978161A2 | 2016-01-27
EP3340531A1 | 2018-06-27
FR3024002B1 | 2018-04-27
EP2978161A3 | 2016-04-20
US20160021101A1 | 2016-01-21
Legal status:
2015-07-27 | PLFP | Fee payment | Year of fee payment: 2
2016-01-22 | PLSC | Publication of the preliminary search report | Effective date: 20160122
2016-08-01 | PLFP | Fee payment | Year of fee payment: 3
2017-07-31 | PLFP | Fee payment | Year of fee payment: 4
2018-07-30 | PLFP | Fee payment | Year of fee payment: 5
2019-07-29 | PLFP | Fee payment | Year of fee payment: 6
2020-07-31 | PLFP | Fee payment | Year of fee payment: 7
2021-07-30 | PLFP | Fee payment | Year of fee payment: 8
Priority:
Application number | Publication number | Priority date | Filing date | Title
FR1457016A | FR3024002B1 | 2014-07-21 | 2014-07-21 | METHOD FOR SECURING A SECRET OF A USER AND METHOD FOR RESTORING A SECRET OF A USER
EP15177194.6A | EP2978161A3 | 2014-07-21 | 2015-07-17 | METHOD FOR SAVING A USER'S SECRET AND METHOD FOR RESTORING A USER'S SECRET
EP18156896.5A | EP3340531B1 | 2014-07-21 | 2015-07-17 | Method for restoring a user's secret
US14/803,092 | US20160021101A1 | 2014-07-21 | 2015-07-19 | Method for backing up a user secret and method for recovering a user secret