Patent abstract:
The invention relates to a method for establishing end-to-end secure communication between a user terminal (210), resp. a context intermediation server (240), and an object (261) connected to the IP infrastructure via a gateway (250). The method implements an access authorization server (220) and a production server (230). It makes it possible to generate a pair of private and public access keys (KF, QF) within the connected object itself, in particular by means of an elliptic curve cryptosystem with small implicit certificates, these access keys then being used to secure the end-to-end communication.
Publication number: FR3044499A1
Application number: FR1561408
Filing date: 2015-11-26
Publication date: 2017-06-02
Inventor: Christine Hennebert
Applicant: Commissariat a lEnergie Atomique CEA; Commissariat a lEnergie Atomique et aux Energies Alternatives CEA;
IPC main class:
Patent description:

METHOD OF ESTABLISHING SECURE END-TO-END COMMUNICATION BETWEEN A USER TERMINAL AND A CONNECTED OBJECT
DESCRIPTION
TECHNICAL FIELD The object of the present invention relates to the security of networks and more particularly that of the Internet of Things (IoT).
STATE OF THE PRIOR ART The advent of low-speed, pervasive radio technologies adapted to stand-alone objects with low energy consumption has recently led to the development of the Internet of Things (IoT). The IoT allows a user to access information, also called resources, from sensors or actuators that are often remote and have little autonomy. The current scheme is to virtualize these resources in a gateway or server connected to the Internet or the infrastructure. End-to-end security, that is, from the user to the resource, is actually provided only between the user and the element virtualizing the resource. This implies that the element storing the virtual resources is a trusted element.
Fig. 1 represents a classic scenario of access by a user to a resource associated with an object. The user has a "machine", 110 (in the M2M sense), usually a smartphone, a tablet or a computer, and connects to the Internet, 150. Via an application located on a server 120 in the Cloud, the user can access remote resources provided by connected objects 190, which are constrained in memory, computing power and energy. These objects communicate with gateways 180 over low-energy radio links using communication standards such as IEEE 802.15.4, Bluetooth, Zigbee, etc.
The gateways 180 ensure the interoperability between the aforementioned communication standards and those used by the gateways for their connection to the Internet (e.g. Wifi, Ethernet, GPRS). On the other hand, the gateways 180 are not capable of ensuring the interoperability of the security protocols between the connected objects and the Internet. For this reason, they store information from the different connected objects, which implies that they must be trusted.
It is known in such an architecture to secure the communication between the user and the virtualization gateway by means of encryption. The principles of security by design require that the cryptographic material (encryption keys, tokens, seeds of pseudo-random generators) be passed through a path different from that used by the data. In this case, the user first identifies himself by means of a login / password with a security server 130. If successful, the security server distributes the same access token to the user and to the gateway 180. This access token indicates that the user has a right of access to the resource via a given application (the application server). Cryptographic material, including symmetric encryption keys, is also distributed to the user and the gateway over a secure channel (SSL / TLS or IPsec). The user and the element storing the virtual resource can then communicate confidentially.
Various solutions exist to provide end-to-end communication security between the user's machine and the connected object.
A first solution is to equip the connected object with a secure element such as a SIM card. However, in the context of connected objects with very low autonomy, this solution is excluded in practice.
A second solution is to push the access token and the cryptographic material from the security server to the connected object. The access token and possibly the associated cryptographic material then pass through a gateway that must be trusted, because it has clear access to this information during the protocol conversion. The concept of end-to-end security is then interrupted at the gateway.
A third solution is to generate or insert the cryptographic material into the connected object before it is deployed and to use an out-of-band channel to transmit it to the authorization server. For example, the user can first bring his smartphone close to the connected object and recover by optical means (light signal, scan of a QR code on the object) information describing numerically the secret value of the symmetric key stored in the object during its deployment. The smartphone then connects to the infrastructure and transmits the symmetric key information to the security server via a secure channel. In this case, the smartphone acts as a trusted gateway. The symmetric key is then stored in the user's profile at the security server for establishing secure communication with the connected object. The security server can then push the cryptographic material (a secret key) and an access token to the connected object. The user has the same information via its secure link with the security server and can therefore establish a secure communication with the connected object.
This third solution is however not satisfactory insofar as it requires, on the one hand, an out-of-band channel and, on the other hand, a trusted gateway, the smartphone in this case. The object of the present invention is therefore to propose a method for establishing a secure end-to-end communication between the terminal of a user and a connected object, in particular a connected object constrained in terms of energy, memory and computing capacity, which does not present the disadvantages of the state of the art. In particular, the method of establishing the secure communication with the connected object will make it possible to dispense with a secure element integrated in this connected object as well as with an auxiliary communication channel for passing the cryptographic material. Last but not least, it must allow direct access to the resource provided by the connected object without requiring virtualization or a trusted gateway.
STATEMENT OF THE INVENTION
The present invention is defined by a method of establishing an end-to-end secure communication between the terminal of a user, resp. a context intermediation server, and a connected object, said method implementing a first server, called access authorization server, and a second server, called production server, the terminal of the user communicating with the access authorization server by a first secure communication and the production server communicating with the access authorization server by a second secure communication, the access authorization server hosting a first database containing information for authenticating the different users and managing their access rights to different connected objects, the production server hosting a second database containing identifiers of connected objects and having an initial private and public key pair (Kinit, Qinit), said method comprising the following steps: (a) on a request from the user containing the identifier of the connected object (SN), the access authorization server requests the production server to verify that this identifier is valid; (b) on initialization of the connected object, identification and authentication of the connected object with the production server, by means of a first message (M1) containing the identifier of the connected object and this same identifier encrypted by the initial public key (Qinit); (c) in the event of successful authentication of the connected object, generation by the access authorization server of a second message (M2) containing the parameters of a cryptosystem, the second message being previously signed by the production server, the message as well as its signature (sgn(M2)) being transmitted to the connected object; (d) generation by the connected object of a pair of private and public access keys (KF, QF), from the parameters of the cryptosystem, for establishing a third secure communication (225) between the access authorization server and the connected object;
(e) establishing secure communication between the user's terminal, resp. the context intermediation server, and the connected object by means of a symmetric key, distributed by the access authorization server, on the one hand to the user terminal via the first secure communication, resp. to the intermediation server via a fourth secure communication, and on the other hand to the connected object via the third secure communication. In step (a), the production server advantageously timestamps the identifier of the connected object and stores the timestamp in the second database in relation to said identifier.
When or after it is initialized in step (b), the connected object generates a session token (TK) in the form of a first random number (RN1), as well as a second random number (RN2).
The first message (M1) advantageously comprises a first part in clear comprising the identifier of the connected object (SN), and a second part encrypted by means of the initial public key (Qinit), the second part comprising this same identifier, the session token, as well as, if applicable, a certificate (CQinit) of the initial public key. In step (b), the production server identifies the connected object if its identifier is present in the second database.
In addition, in step (b), the production server authenticates the connected object by decrypting the second part of the first message using the initial private key and comparing the result of the decryption with the first part.
Preferably, in step (b), the production server declares the connected object authenticated only if, on the date of authentication, the timestamp has not expired.
The production server can then transmit to the access authorization server the result of the authentication (ACK, NACK), accompanied by the identification number of the connected object and, if applicable, the certificate of the initial public key (CQinit).
In case of authentication success in step (b), the access authorization server stores in the first database the session token in relation to the connected object identifier.
Advantageously, in step (c), the second message (M2) comprises the connected object identifier (SN), the session token (TK), the public key of the access authorization server (Qauth) and the parameters of a cryptosystem.
Preferably, the cryptosystem is a cryptosystem on an elliptical curve.
The production server signs the second message using the initial private key and returns the resulting signature (sgn(M2)) to the access authorization server.
The access authorization server then transmits the second message (M2) and its signature (sgn(M2)) to the connected object.
According to a first variant, in step (d), the connected object generates a temporary public key from the second random number and a generator point (G) on the elliptic curve. The connected object can then generate a third message (M3) containing, in a first clear part, its identifier and, in a second part encrypted by means of the public key of the access authorization server (Qauth), this same identifier, the certificate of the initial public key (CQinit), the session token (TK) and the temporary public key (Qtemp).
The access authorization server advantageously generates an implicit certificate of the public access key (CertF) and a signature of this certificate (SignF) from the temporary public key (Qtemp), a third random number (k), the session token (TK), the private key of the access authorization server (Kauth) and the parameters of the elliptic curve cryptosystem.
The access authorization server then generates a fourth message (M4) comprising the implicit certificate of the public access key (CertF) as well as its signature (SignF), this message and its signature (Sgn(M4)), obtained by means of the private key of the access authorization server, being transmitted to the connected object. The connected object, after verifying the integrity of the fourth message by means of the public key of the access authorization server, advantageously generates said pair of private and public access keys (KF, QF) from the implicit certificate of the public access key (CertF) and its signature (SignF), the session token (TK), the public key of the access authorization server (Qauth) and the parameters of the elliptic curve cryptosystem.
According to a second variant, the connected object generates the private access key (KF) from the second random number (RN2) and the public access key (QF) from the latter and the parameters of the elliptic curve cryptosystem.
In this case, the connected object advantageously generates a third message (M3) containing, in a first clear part, its identifier and, in a second part encrypted by means of the public key of the access authorization server (Qauth), this same identifier, the initial key certificate CQinit, the session token (TK) and the public access key (QF).
The access authorization server then generates an X.509 certificate (CertX.509) of the public access key (QF), from the identifier of the connected object and the public access key, by means of its private access authorization key (Kauth).
The access authorization server may also generate a fourth message (M4) including the certificate of the public access key (CertX.509) as well as its signature (Signauth(M4)) computed by means of the private key of the access authorization server, this message as well as its signature (Signauth(M4)) being transmitted to the connected object.
After verifying the integrity of the fourth message by means of the public key of the access authorization server, the connected object advantageously stores in its memory the certificate of the public access key (CertX.509).
BRIEF DESCRIPTION OF THE DRAWINGS Other features and advantages of the invention will appear on reading a preferred embodiment of the invention, with reference to the appended figures among which:
Fig. 1 schematically represents a scenario of access by a user to a resource associated with a connected object as known from the state of the art;
Fig. 2 schematically shows the architecture of a system for establishing a secure communication between the terminal of a user and a connected object;
Fig. 3 schematically shows a flowchart of a method for establishing a secure communication between the terminal of a user and a connected object, according to one embodiment of the invention;
Figs. 4A and 4B represent a first part of the exchanges between the elements of the system of FIG. 2 when implementing the method of establishing a secure communication according to the embodiment of the invention shown in FIG. 3;
Fig. 5A represents a second part of the exchanges between the elements of the system of FIG. 2 when implementing the method of establishing a secure communication according to a first variant of the embodiment of the invention shown in FIG. 3;
Fig. 5B represents a second part of the exchanges between the elements of the system of FIG. 2 when implementing the method of establishing a secure communication according to a second variant of the embodiment of the invention shown in FIG. 3.
DETAILED PRESENTATION OF PARTICULAR EMBODIMENTS
In the following, a connected object is understood to mean an object that is connected, usually by means of a single wireless communication standard (IEEE 802.15.4, Bluetooth, Zigbee, etc.), but that has only very limited resources (CPU, RAM, flash memory size, energy). For example, such objects may have only a few tens of bytes of RAM and a few hundred bytes or at most a few kilobytes of flash memory. These connected objects may in particular be sensors organized in the form of a wireless sensor network (WSN).
Fig. 2 schematically shows the architecture of a system for establishing secure communication between the terminal of a user and a connected object.
The system, 200, comprises the terminal of a user, also called simply user, 210, a first server, called access authorization server, 220, and a second server, called production server, 230. The terminal of the user can be a smartphone, a tablet or a computer. The user connects to the access authorization server over the Internet using a secure communication with a protocol such as HTTPS (HyperText Transfer Protocol Secured) or SSH (Secure SHell).
The access authorization server 220 hosts a first database, 221, containing information that makes it possible to authenticate the various users, to manage their access rights to the various connected objects and thus to authorize the users' access to these objects. To do this, it manages the profiles of the different users or groups of users. For example, each user (or group of users) is associated with a list of connected objects, determined by their respective identifiers. Thus, the authorization server can determine whether a given user may access a given resource of a connected object, if necessary distinguishing whether that access is through a virtualization gateway or through a secure end-to-end communication.
The production server 230 is connected to the authorization server by means of secure communication 235, for example by means of a protocol such as HTTPS (HyperText Transfer Protocol Secured) or SSH (Secure SHell).
The production server hosts a second database, 231, containing in particular the identifiers (for example the serial numbers) of the various connected objects as well as the initial cryptographic material that was used when flashing their EEPROM (or stored in an internal memory). The initial cryptographic material may comprise a pair of initial private and public keys (Kinit, Qinit) of an asymmetric encryption system and the certificate CQinit associated with the public key, for example an X.509 certificate. Preferably, however, the encryption used is an elliptic curve encryption using implicit certificates, whose principle is recalled below. In this case, the certificate CQinit of the initial public key consists of the implicit certificate Certinit and the signature of this certificate, Signinit, by the production server.
As noted above, the production server can use elliptic curve encryption with implicit certificates. It is assumed that the production server has an identifier IDprod and a private and public key pair (Kprod, Qprod) of an asymmetric system.
The implicit certificate Certinit is first constructed from two random numbers λ and μ:

$\mathrm{Cert}_{init} = \lambda G + \mu G \bmod n$ (1)

where G is a generator point of order n of the elliptic curve cryptosystem. The implicit certificate is therefore a point of the elliptic curve (a multiple of G). The initial signature is obtained by means of:

(2)

where $h_{init} = H(\mathrm{Cert}_{init} \,|\, \mathrm{ID}_{prod})$, H is a hash function such as SHA and | is the concatenation symbol. The initial public key Qinit is deduced directly from the implicit certificate:

(3)

and the associated initial private key is obtained by:

(4)
The connected objects 261, possibly organized in the form of a network 260, do not have the communication resources to connect directly to the Internet. They use a gateway 250 which provides the interface between the wireless communication standard used by the connected objects (IEEE 802.15.4, Bluetooth, Zigbee, etc.) and the IP infrastructure of the Internet.
Each connected object has a serial number (SN) that is physically associated with it (for example, printed on the object in question). In addition, each connected object contains in its EEPROM:
- the URL of the production server, URLprod, which was used to flash the EEPROM;
- the public elements of the initial cryptographic material, namely the initial public key, Qinit, as well as its certificate CQinit.
The URL of the production server, URLprod, as well as the public elements of the initial cryptographic material are advantageously stored in a secure (encrypted) portion of the memory (EEPROM) of the connected object.
The different connected objects produced during a given production interval may all contain the same elements of cryptographic material, Qinit and CQinit. However, the production server may have several precompiled images of the software to be installed in the EEPROMs of the connected objects, these precompiled images corresponding to separate cryptographic materials (different key pairs (Kinit, Qinit) and different certificates CQinit). During production, the precompiled images are then used to flash the EEPROMs of the connected objects at random.
Once the secure communication has been established end-to-end, i.e. from the user's terminal to the connected object, by the access authorization server 220, the user can communicate directly and securely with the connected object.
Alternatively, the access authorization server, 220, may make it possible to establish a secure communication, 245, between a context intermediary server, 240, and the connected object. Recall that a contextual intermediator has the function of contextualizing the data provided by different connected objects, for example measurements made by different sensors, for example by geolocating and / or time stamping them. The user can then consult the contextualized data by means of secure communication.
Fig. 3 schematically shows a flowchart of a method for establishing a secure communication between the terminal of a user and a connected object, according to one embodiment of the invention. In a prior step 310, the user 210 registers a connected object 261 with the access authorization server. More precisely, the user transmits to the access authorization server a registration request having as arguments the serial number SN of the connected object in question and the URL, URLprod, of the production server. The access authorization server stores the serial number SN under the user's profile, together with the address URLprod associated with the connected object.
In a first step, 320, on the request of the user containing the identifier of the connected object (SN), the access authorization server asks the production server whether this identifier is valid.
Upon receipt of this verification request, the production server can timestamp the serial number SN and record the timestamp (or timestamp value) obtained, TS(SN), in the second database 231, in relation to the serial number.
In a second step, 330, independent of the first, the connected object is initialized. Following this initialization, the production server authenticates the connected object. To do this, the connected object transmits a first message (M1) containing the identifier of the connected object and this same identifier encrypted by the initial public key (Qinit).
More precisely, during its initialization, the connected object generates a first random number (RN1), which will serve as the session token TK (TK = RN1), and a second random number (RN2), which will be used later to generate the private key of the connected object. The random numbers are generated, for example, from a series of physical measurements. The connected object then transmits a logon request to the production server 230. For this purpose, the connected object transmits to the production server a first message, M1, comprising in a clear part the serial number of the connected object and, in a part encrypted by the initial public key Qinit, the session token, the serial number SN, as well as the certificate of the initial public key, CQinit.
The production server 230 checks whether the serial number is valid, that is to say whether it is listed in the database 231. It also authenticates the connected object. To do this, the production server decrypts the encrypted part of the first message using the initial private key Kinit and determines whether the serial number contained in the encrypted part is the same as the serial number SN contained in the clear part of the first message.
Optionally, the production server verifies that the timestamp value TS(SN) of the serial number SN is recent, i.e. that it is not earlier than t − Δ, where t is the check date and Δ is the expiry duration. Where this expiry check is set up, the authentication is considered successful only if the timestamp has not expired.
In a third step, 340, in case of successful authentication, the access authorization server generates a second message (M2) containing the parameters of a cryptosystem, this second message being previously signed by the production server, the message as well as its signature being transmitted to the connected object.
More precisely, in the event of successful authentication, the production server records in its database 231 the session token, TK, in relation with the serial number SN. It also transmits to the access authorization server the result of the authentication (ACK), along with the session token, TK, and the certificate, CQinit, of the initial public key.
If authentication fails, the end-to-end secure call setup procedure is aborted.
The authorization server is thus informed of the identification and authentication of the object connected by the production server.
The access authorization server then transmits to the connected object a second message, M2, containing all the information necessary for the creation of a secure channel between the access authorization server and the connected object. However, since the access authorization server is unknown to the connected object at this stage, it first has the message M2 signed by the production server by means of the key Kinit. The access authorization server sends the message M2, accompanied by the signature Signprod(M2) thus obtained, to the connected object. It should be noted that the information contained in the message M2 is public. Preferably, the message M2 will contain (in clear) the serial number SN, the session token TK, the public key of the access authorization server, Qauth, as well as the parameters of a cryptosystem for generating a pair of private and public keys. For example, if the chosen cryptosystem is based on elliptic curves, that is to say an ECC (Elliptic Curve Cryptography) cryptosystem, the transmitted parameters are the standard parameters describing the elliptic curve (size of the domain, parameters of the curve, generator point, order of the curve and cofactor).
In step 350, the connected object and the access authorization server can establish a secure communication using the private and public key pair (Kauth, Qauth). The connected object and the access authorization server exchange, by means of this secure communication, the information necessary to generate a pair of private and public keys (KF, QF) as well as a certificate CertF of the public key QF. More precisely, during this exchange, the connected object generates the key pair (KF, QF) and the access authorization server generates the certificate CertF. Note that the most computationally intensive operation, namely the generation of the certificate, is performed by the access authorization server.
At the end of step 350, the access authorization server has on the one hand a first secure channel, 215, with the user and on the other hand a second secure channel, 225, with the connected object (by means of the key pair (KF, QF)). Note that, unlike the state of the art, the secret key KF was generated by the connected object itself. In step 360, the access authorization server can then distribute to both parties (user and connected object) a symmetric key via the secure channels 215 and 225, to establish a secure end-to-end communication between them.
Alternatively, the access authorization server may distribute to the connected object and the context intermediary server, 240, a symmetric key via the secure channels 215 and 245 to establish a secure communication between them.
In addition, the access authorization server can transmit via these same secure channels an access token to both parties (the connected object, on the one hand, and the user terminal on the other, or the connected object on the one hand and the context intermediary server, on the other hand). The access token notably makes it possible to access particular resources or services provided by the intermediary server.
Figs. 4A and 4B represent a first part of the exchanges between the various elements of the system of FIG. 2 during the implementation of the method of establishing a secure communication according to the embodiment of the invention described above. This first part is common to a first and a second variant of this embodiment.
The various elements of the system are represented in the time diagram, namely the user terminal 210, the production server 230, the access authorization server 220, the gateway 250 and the connected object 261. In step 410, the user transmits to the access authorization server a registration request having as arguments the identifier (for example the serial number SN) of the connected object in question and the URL, URLprod, of the production server. This request is transmitted on the secure channel 215 (HTTPS or SSH).
The access authorization server then transmits in 420, via the secure channel 235, a verification request to the production server whose argument is the identifier of the connected object. The production server then determines whether the identifier is in the second database 231. If so, it proceeds in 421 to timestamp the request and stores the timestamp TS(SN) in the second database 231, in connection with the identifier. It then confirms in 422 to the authorization server that the connected object is properly identified. In step 430, the user initializes the connected object. During its initialization or following it, the connected object generates a first random number (RN1), which will serve as the session token TK (TK = RN1), and a second random number (RN2), which will be used later to generate the private key of the connected object. It then transmits at 431 to the production server a first message M1 including a clear part and a second part encrypted by the initial public key, Qinit. The first part contains the identifier (SN) and the second part contains the session token, the identifier and the certificate of the initial public key, CQinit. When the encryption is an elliptic curve encryption using implicit certificates, the certificate CQinit consists of the implicit certificate Certinit and its signature, Signinit, by the production server.
The production server retrieves the timestamp from the second database, using the identifier of the connected object. In 432, if the timestamp value is before t − Δ, where t is the check date and Δ is an expiry time, the declaration of the connected object is considered out of date (which requires a renewal of its declaration by the user) and authentication fails. The production server then decrypts the second part of the message and compares at 433 the value of the identifier in the decrypted second part with that in the first part. When these two values coincide, the production server considers that the connected object is authenticated. Otherwise, authentication fails. In any event, at 434, the production server transmits to the access authorization server, via the secure channel 215, an authentication message. This includes the identifier of the connected object (SN), the session token, TK, the certificate of the initial public key CQinit, as well as the authentication result (ACK or NACK).
The access authorization server is thus notified that the connected object has been identified and authenticated. It then records in 435, in the first database, the session token in relation to the identifier of the object in question.
The access authorization server constructs a second message, M2, containing all the information necessary for the creation of a secure channel between the access authorization server and the connected object, and sends it in 440 to the production server. The message M2 contains (in clear) the identifier SN, the session token TK, the public key of the access authorization server, as well as the parameters of a cryptosystem (Cryptosystem) used to generate a pair of private and public keys.
The production server signs in 441 the message M2 by means of the initial private key, Kinit, and returns in 442 the signature thus obtained, Signprod(M2), to the access authorization server. The latter transmits in 443 the message M2, accompanied by the signature Signprod(M2) thus obtained, to the connected object.
In 444, the connected object verifies by means of the initial public key, Qinit, that the message M2 is indeed intact and, if so, stores in its memory the public key Qauth as well as the parameters of the cryptosystem (Cryptosystem).
The continuation of the exchanges between the elements of the system depends on the considered variant.
Fig. 5A represents a second part of the exchanges between the elements of the system of FIG. 2 during the implementation of the method of establishing a secure communication according to a first variant of the embodiment. This second part follows the first part previously described in relation with FIGS. 4A and 4B.
This first variant uses a cryptosystem on elliptic curves with implicit certificates. In this case, the parameters of the cryptosystem (Cryptosystem) in the message M2 are p, the characteristic of the field, a and b, the parameters of the elliptic curve, G, a generator point belonging to the elliptic curve, and n, the order of G. In step 450, the connected object generates a temporary public key Qtemp from a private key Ktemp taken equal to the second random number RN2. In 451, the connected object transmits a third message, M3, comprising a first portion in clear and a second portion encrypted using the public key, Qauth, that it obtained in the previous step. The first part contains the identifier of the connected object. The second part also contains this identifier, the certificate of the initial key, CQinit, the session token, and the temporary public key, Qtemp. The presence in the message M3 of the initial key certificate, CQinit, makes it possible to authenticate the connected object with the access authorization server and consequently to avoid "man-in-the-middle" type attacks.
In 452, the access authorization server authenticates the connected object by means of the initial key certificate, CQinit. After authenticating the connected object, it generates a third random number RN3 (denoted k below) and calculates an implicit certificate:
CertF = Qtemp + k.G (5)
It then obtains a hash value from the certificate and the session token, i.e.: hF = h(CertF | TK) (6) where h is a hash function and CertF | TK represents the implicit certificate concatenated with the session token.
The access authorization server then signs the certificate by means of its private key Kauth (here playing the role of master key), to provide the signature of the certificate:
SignF = hF.k + Kauth (7)
Finally, the access authorization server forms in 460 a fourth message, M4, comprising the certificate (CertF, SignF) and transmits it to the connected object. It also transmits the signature of the message M4, Signauth(M4), obtained by means of the private key Kauth.
In 461, the object verifies the integrity of the fourth message using the public key Qauth. If the message is intact, it calculates a pair of private key KF and public key QF by: KF = h(CertF | TK).RN2 + SignF mod n (8)
QF = h(CertF | TK).CertF + Qauth (9)
At the end of step 461, the connected object and the access authorization server each have an asymmetric key set, respectively (KF, QF) and (Kauth, Qauth), which allows them to establish a secure communication, 225, between them.
The access authorization server can then transmit a symmetric key to both the terminal of the user and the connected object, or to the context intermediary server and the connected object. These two elements can then directly establish between them a secure link without the need to qualify the gateway as a trusted gateway.
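The implicit-certificate derivation of equations (5) to (9), worked through as an added example (not code from the patent): the connected object's step 450, the server's step 452 and the object's step 461 are separate functions, and a last function shows that QF can be rebuilt from (CertF, TK, Qauth) alone. The curve (secp256k1), the use of SHA-256 for h and the point encoding fed to h are assumptions, since the patent only names generic parameters (p, a, b, G, n) and a hash function h.

```python
import hashlib
import secrets

# secp256k1 domain parameters (p, a, b, G, n): an assumption, the patent names no curve
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7   # curve y^2 = x^3 + A*x + B over GF(P)
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def ec_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 + (-p1)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k.pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def h_cert(cert_f, tk):
    """hF = h(CertF | TK), eq. (6); h is SHA-256 here (assumption), reduced mod n."""
    data = cert_f[0].to_bytes(32, "big") + cert_f[1].to_bytes(32, "big") + tk
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def object_temp_key(rn2):
    """Step 450 on the connected object: Qtemp = Ktemp.G with Ktemp = RN2."""
    return ec_mul(rn2, G)

def server_certify(q_temp, tk, k_auth, rn3):
    """Step 452 on the server, k = RN3: CertF = Qtemp + k.G (5), SignF = hF.k + Kauth mod n (7)."""
    cert_f = ec_add(q_temp, ec_mul(rn3, G))
    sign_f = (h_cert(cert_f, tk) * rn3 + k_auth) % N
    return cert_f, sign_f

def object_derive_keys(cert_f, sign_f, tk, rn2, q_auth):
    """Step 461 on the object: KF = hF.RN2 + SignF mod n (8), QF = hF.CertF + Qauth (9)."""
    h_f = h_cert(cert_f, tk)
    k_f = (h_f * rn2 + sign_f) % N
    q_f = ec_add(ec_mul(h_f, cert_f), q_auth)
    return k_f, q_f

def public_key_from_certificate(cert_f, tk, q_auth):
    """Eq. (9) alone: anyone holding (CertF, TK, Qauth) rebuilds QF, which is why the
    certificate is implicit and no separately signed public key has to be stored."""
    return ec_add(ec_mul(h_cert(cert_f, tk), cert_f), q_auth)

def run_exchange(rn2=None, rn3=None, k_auth=None, tk=None):
    # Whole flow; fresh random values are drawn unless fixed ones are supplied.
    rn2 = rn2 or secrets.randbelow(N - 1) + 1        # object's second random number RN2
    rn3 = rn3 or secrets.randbelow(N - 1) + 1        # server's third random number k
    k_auth = k_auth or secrets.randbelow(N - 1) + 1  # server's master private key Kauth
    tk = tk or secrets.token_bytes(16)               # session token TK (= RN1)
    q_auth = ec_mul(k_auth, G)
    q_temp = object_temp_key(rn2)
    cert_f, sign_f = server_certify(q_temp, tk, k_auth, rn3)
    k_f, q_f = object_derive_keys(cert_f, sign_f, tk, rn2, q_auth)
    return k_f, q_f, cert_f, tk, q_auth
```

The check a practitioner wants is that KF.G equals QF, i.e. that the server never learns KF yet the object ends up with a key pair that the server's own Qauth binds to CertF and TK.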
Fig. 5B represents a second part of the exchanges between the elements of the system of FIG. 2 during the implementation of the method of establishing a secure communication according to a second variant of the embodiment. This second part likewise follows the first part previously described in relation to FIGS. 4A and 4B. Unlike the first variant, in step 450 the connected object does not generate a temporary key but directly the private key, KF, and public key, QF, from the second random number RN2 and the cryptosystem parameters received in the previous step. In the case where a cryptosystem on elliptic curves of parameters (p, a, b, G, n) is used, the private key KF is none other than KF = RN2 and the public key QF is obtained by:
QF = KF.G (10) The connected object then requests a certification of its public key from the access authorization server. For this purpose, the connected object transmits in 451 a third message, M3, comprising a first portion in clear and a second portion encrypted using the public key, Qauth, that it obtained in the previous step. The first part contains the identifier of the connected object. The second part also contains the identifier, the initial key certificate, CQinit, and the public key, QF, generated in 450. As in the first variant, the initial key certificate, CQinit, makes it possible to authenticate the connected object to the access authorization server and therefore to avoid "man-in-the-middle" attacks.
In 452, the access authorization server checks the integrity of the message M3 by means of its private key Kauth and authenticates the connected object by means of the initial key certificate, CQinit. It then generates a public key certificate, CertX509, in X.509 format from the identifier SN and the public key QF. The certificate is signed using its private key Kauth. It should be noted that the certificate is here self-signed insofar as the access authorization server also plays the role of certification authority.
In 461, the access authorization server transmits to the connected object a fourth message M4 and its signature Signauth(M4) obtained by means of the private key Kauth. The connected object checks the integrity of the message M4 by means of the public key Qauth. When the message is intact, the connected object stores in its memory the X.509 certificate, CertX509.
This second variant however requires a larger memory capacity than in the first variant because of the size of the X.509 certificate.
As in the first variant, the access authorization server can transmit a symmetric key to both the user's terminal and the connected object, (alternatively to the context intermediary server and to the connected object) to establish a secure communication between these two elements. In both cases, the gateway 250 providing the interface between the wireless communication standard used by the connected object and the Internet IP infrastructure does not need to be trusted.
Claims (23)
1. A method of establishing end-to-end secure communication between a user's terminal (210) / context intermediation server (240) and a connected object (261), characterized in that it implements a first server, called access authorization server (220), and a second server, called production server (230), the terminal of the user communicating with the access authorization server by a first secure communication (215) and the production server communicating with the access authorization server by a second secure communication (235), the access authorization server hosting a first database (221) containing information permitting to authenticate the different users and to manage their access rights to the different connected objects, the production server hosting a second database (231) containing identifiers of connected objects and having a pair of initial private and public keys (Kinit, Qinit), characterized in that it comprises the following steps: (a) on a request from the user containing the identifier of the connected object (SN), verification request by the access authorization server to the production server that this identifier is valid; (b) on initialization of the connected object, identification and authentication of the connected object with the production server, by means of a first message (M1) containing the identifier of the connected object and this same identifier encrypted by the initial public key (Qinit); (c) in the event of successful authentication of the connected object, generation by the access authorization server of a second message (M2) containing the parameters of a cryptosystem, the second message being previously signed by the production server, the message as well as its signature (sgn(M2)) being transmitted to the connected object; (d) generation by the connected object of a pair of private and public access keys (KF, QF), from the parameters of the cryptosystem, for establishing a third secure communication (225) between the access authorization server and the connected object; (e) establishing secure communication between the user's terminal, resp. the context intermediation server, and the connected object by means of a symmetric key, distributed by the access authorization server, on the one hand to the user terminal via the first secure communication, resp. to the intermediation server via a fourth secure communication, and on the other hand to the connected object via the third secure communication.
2. Method for establishing a secure end-to-end communication according to claim 1, characterized in that in step (a), the production server performs a timestamp of the identifier of the connected object and stores the timestamp in the second database in relation to said identifier.
3. Method for establishing an end-to-end secure communication according to claim 1 or 2, characterized in that during or following its initialization in step (b), the connected object generates a session token (TK) in the form of a first random number (RN1), as well as a second random number (RN2).
4. Method for establishing an end-to-end secure communication according to claim 3, characterized in that the first message (M1) comprises a first part in clear comprising the identifier of the connected object (SN), and a second portion encrypted by means of the initial public key (Qinit), the second part comprising the same identifier, the session token, and, where appropriate, a certificate (CQinit) of the initial public key.
5. Method of establishing an end-to-end secure communication according to claim 4, characterized in that in step (b), the production server identifies the connected object if its identifier is present in the second database.
6. Method for establishing an end-to-end secure communication according to claim 5, characterized in that in step (b), the production server authenticates the connected object by deciphering the second part of the first message using the initial private key and comparing the result of the decryption with the first part.
7. Method for establishing an end-to-end secure communication according to claims 2 and 6, characterized in that in step (b), the production server only declares the connected object if, at the date of authentication, the timestamp is not out of date.
8. Method of establishing a secure end-to-end communication according to claim 6 or 7, characterized in that at the end of step (b), the production server transmits to the access authorization server the result of the authentication (ACK, NACK) accompanied by the identifier of the connected object and, if applicable, the certificate of the initial public key (CQinit).
9. The method of establishing an end-to-end secure communication according to claim 8, characterized in that in case of authentication success in step (b), the access authorization server stores in the first database the session token in relation to the connected object identifier.
10. Method for establishing a secure end-to-end communication according to one of the preceding claims, characterized in that in step (c), the second message (M2) comprises the connected object identifier (SN), the session token (TK), the public key of the access authorization server (Qauth) and the parameters of a cryptosystem.
11. Method for establishing an end-to-end secure communication according to claim 10, characterized in that the cryptosystem is a cryptosystem on an elliptic curve.
12. The method for establishing an end-to-end secure communication according to claim 11, characterized in that in step (c) the production server signs the second message by means of the initial private key and returns the signature thus obtained (sgn(M2)) to the access authorization server.
13. The method of establishing an end-to-end secure communication according to claim 12, characterized in that the access authorization server transmits the second message (M2) and its signature (sgn(M2)) to the connected object.
14. The method of establishing an end-to-end secure communication as claimed in claim 13, wherein in step (d) the connected object generates a temporary public key from the second random number and a generator point (G) on the elliptic curve.
15. Method for establishing an end-to-end secure communication according to claim 14, characterized in that the connected object generates a third message (M3) containing, in a first clear part, its identifier and, in a second part encrypted using the public key of the access authorization server (Qauth), the same identifier, the certificate of the initial public key (CQinit), the access token and the temporary public key (Qtemp).
16. Method for establishing an end-to-end secure communication according to claim 15, characterized in that the access authorization server generates an implicit certificate of a public access key (CertF) as well as a signature of this certificate (SignF) from the temporary public key (Qtemp), a third random number (k), the session token (TK), the private key of the authorization server (Kauth) and the cryptosystem parameters on the elliptic curve.
17. The method of establishing an end-to-end secure communication according to claim 16, characterized in that the access authorization server generates a fourth message (M4) comprising the implicit certificate of the public access key (CertF) as well as its signature (SignF), this message and its signature (Sgn(M4)) obtained by means of the private key of the access authorization server being transmitted to the connected object.
18. A method for establishing an end-to-end secure communication according to claim 17, characterized in that the connected object, after checking the integrity of the fourth message by means of the public key of the access authorization server, generates said pair of private and public access keys (KF, QF) from the implicit certificate of the public access key (CertF) and its signature (SignF), the session token (TK), the public access authorization key (Qauth) and the cryptosystem parameters on the elliptic curve.
19. The method of establishing an end-to-end secure communication according to claim 13, characterized in that the connected object generates the private access key (KF) from the second random number (RN2) and the public access key (QF) from the latter and the cryptosystem parameters on the elliptic curve.
20. A method for establishing an end-to-end secure communication according to claim 19, characterized in that the connected object generates a third message (M3) containing, in a first clear part, its identifier and, in a second part encrypted using the public key of the access authorization server (Qauth), the same identifier, the initial key certificate (CQinit), the access token, and the public access key (QF).
21. Method for establishing an end-to-end secure communication according to claim 20, characterized in that the access authorization server generates an X.509 certificate (CertX509) of the public access key (QF), from the identifier of the connected object and the public access key, using its private access authorization key (Kauth).
22. A method for establishing an end-to-end secure communication according to claim 21, characterized in that the access authorization server generates a fourth message (M4) comprising the certificate of the public access key (CertX509) as well as its signature (Signauth(M4)) obtained by means of the private key of the access authorization server, this message as well as its signature (Signauth(M4)) being transmitted to the connected object.
23. The method for establishing an end-to-end secure communication according to claim 21, characterized in that, after verifying the integrity of the fourth message by means of the public key of the access authorization server, the connected object stores in its memory the certificate of the public access key (CertX509).
Patent family:
Publication number | Publication date
EP3174241A1 | 2017-05-31
US20170155647A1 | 2017-06-01
US10158636B2 | 2018-12-18
FR3044499B1 | 2017-12-15
EP3174241B1 | 2018-01-03
Legal status:
2016-11-30 | PLFP | Fee payment | Year of fee payment: 2
2017-06-02 | PLSC | Publication of the preliminary search report | Effective date: 20170602
2017-11-30 | PLFP | Fee payment | Year of fee payment: 3
Priority:
Application number | Publication number | Priority date | Filing date | Patent title
FR1561408A | FR3044499B1 | 2015-11-26 | 2015-11-26 | METHOD OF ESTABLISHING SECURE END-TO-END COMMUNICATION BETWEEN A USER TERMINAL AND A CONNECTED OBJECT
US15/358,423 | US10158636B2 | 2015-11-26 | 2016-11-22 | Method for setting up a secure end-to-end communication between a user terminal and a connected object
EP16200383.4A | EP3174241B1 | 2015-11-26 | 2016-11-24 | Method for establishing secure end-to-end communication between a user terminal and a connected object