EP1362461A2 - Secure messaging method - Google Patents
Secure messaging methodInfo
- Publication number
- EP1362461A2 EP1362461A2 EP02706886A EP02706886A EP1362461A2 EP 1362461 A2 EP1362461 A2 EP 1362461A2 EP 02706886 A EP02706886 A EP 02706886A EP 02706886 A EP02706886 A EP 02706886A EP 1362461 A2 EP1362461 A2 EP 1362461A2
- Authority
- EP
- European Patent Office
- Prior art keywords
- user
- server
- key
- message
- channel
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0457—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply dynamic encryption, e.g. stream encryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
Definitions
- the present invention relates to a secure messaging method.
- Secure messaging solutions guarantee confidentiality and optionally the integrity and identity of the message sender.
- such methods make it possible to reduce the risks in terms of security, in particular the interception by an attacker of an electronic message to read the content, the impersonation of a correspondent or even the alteration content by an attacker during the message transport phase.
- US patent US 6154543 The closest state of the art is described in US patent US 6154543.
- This patent relates to a public key cryptosystem allowing a roaming user access to a network to establish secure communications between system users, client machines, and encryption servers.
- the client machine generates and stores an encrypted private key in a server 'encryption.
- a user can then access this encrypted private key from any client machine located on the network and decrypt it using a passphrase, thereby enjoying cross-system access.
- the private key can be used to decrypt and encrypt received messages.
- a user can generate a digital message, encrypt it with the public key of a client's recipient, and transmit it to the encryption server from any client machine on the server.
- the invention relates, in its most general sense, to a secure messaging method, comprising a first step of registering a user, consisting in generating a key pair on the client workstation of said user, using a key generation algorithm [RSA for example], to encrypt the private key by a symmetric algorithm executed on the client computer, the key of this symmetric algorithm being derived by a hash function [SHAl function] of a chain of secret characters [pass phrase] entered by means of a peripheral [keyboard for example], to transmit to the server a file comprising said encrypted value of the private key encrypted with the symmetric key, the public key to a server comprising a database data for recording said information and a unique identifier of said user [for example his email address], and the hash value of the symmetric key [derived from the pass phrase],
- the registration step further comprising an operation of signing said user key pair with the server private key [certification key or key signature], the method comprising an operating step comprising an operation authentication of the user by transmission to the server from any client station of his identifier and said secret character string [his “pass phrase”], and validation of the authenticity of the user by comparison between the value derived from said secret character string transmitted by the user, and the derived value stored in said database, in relation to the identifier of the user considered, and an operation of transmission by the server to the user station of said bi-key, then encrypt and / or sign the message prepared on the client computer with the private keys of the recipients of the message, and / or the public key respectively c of said user, and an operation of transmitting said message between the user's workstation and the server, said operation of transmitting the message being carried out by establishing virtual channels [VPN] for encryption and / or signature, characterized in that the compression and the transmission of the message are carried out "in continuous flow" [streaming] without temporary storage in memory on the client station
- the operation of transmitting that is to say sending-receiving, the message consists in opening a plurality of nested virtual channels, the first channel being a communication channel, encompassed a signature channel, encompassed itself a compression channel, included in an encryption channel, allowing the transmission of messages without size limitation; reception encompassing the channels in reverse (decryption included in decompression, included in verification).
- said virtual channels are in series and include an encryption channel and a signature channel in series.
- the plurality of virtual channels further comprises an input-output (I / O) channel on the peripherals of the client station.
- the message transmission step consists in preparing a
- the method according to the invention comprises an encryption operation distinct from each of the hashes of the message of said stream with the private key of said user, in order to create a digital signature, to allow subsequent verification of the signature of each of said components. separately.
- the invention also relates to an architecture for processing secure messages, comprising a server comprising a memory for the encrypted and signed recording of information relating to the registered users, means of sending and receiving messages and means of connection to a public network, and client workstations comprising a navigation application and means of connection to said network, characterized in that the server comprises means of secure connection with the network and means of verifying files transmitted by a user and signed with a server public key, and for recording, after positive verification, in a memory for recording a table comprising, for each user: the encrypted value ["hash"] of the private key encrypted with the symmetric key, the public key to a server comprising a database for recording said information and a unique identifier of said user [for example his email address], and the hash value of the symmetric key [derived from the pass phrase], the architecture comprising furthermore means for establishing virtual channels [VPN] for encryption and / or signing, compression and transmission of the "streaming" message without temporary storage in memory on the client workstation or on the server, nor on a
- FIG. 1 represents the diagram of a secure messaging architecture according to the invention
- FIG. 2 shows the block diagram of the messaging process.
- the secure messaging system implements a server (1) connected to a telecommunications network, in particular the Internet network.
- the user of the messaging service according to the invention has a workstation (2) also connected to the same telecommunications network.
- the server (1) has a memory space for
- the server also includes an application (4) providing the interface between user requests, sent in the form of HTML forms, and access to the data recorded in the database (3).
- the client station (2) establishes an HTTP link with the server (1).
- the consultation request opens a TCP / IP (HTTP) link which will open a first technical channel (5) encapsulated by two technical channels in series respectively for decryption (6) and for checking the signature (7), these two channels (6, 7) being themselves encapsulated by a technical decompression channel (8), for example in ZIP format.
- HTTP TCP / IP
- the client station (2) opens a series of channels (5 to 8) for the continuous transmission of an encrypted, signed and compressed stream from the file from the client computer to the database (3) of the server (1).
Abstract
The invention relates to a secure messaging method comprising an operation step consisting of an operation to authenticate the user and to validate the user's authenticity by comparing the value derived from a pass phrase sent by the user and a derived value that is stored in a database, together with the identifier of the user in question. Said method also comprises an operation whereby said key pair is sent to the user post by the server and the message prepared on the client post is subsequently enciphered and/or signed with the message recipients'private keys and/or said user's private key respectively. The message transmission operation is performed through the establishment of virtual channels [VPN] for the enciphering and/or signing. The message is compressed and transmitted by means of streaming without being temporarily stored in the memory on the client post, the server or a peripheral post.
Description
PROCEDE DE MESSAGERIE SECURISEE SECURE MESSAGING PROCESS
La présente invention concerne un procédé de messagerie sécurisée. Les solutions de messagerie sécurisée permettent de garantir la confidentialité et optionnellement l'intégrité et l'identité de l'émetteur du message. De façon générale, de tels procédés permettent de réduire les risques en terme de sécurité, notamment l'interception par un attaquant d'un message électronique pour en lire le contenu, l'usurpation d'identité d'un correspondant ou encore l'altération du contenu par un attaquant pendant la phase de transport du message.The present invention relates to a secure messaging method. Secure messaging solutions guarantee confidentiality and optionally the integrity and identity of the message sender. In general, such methods make it possible to reduce the risks in terms of security, in particular the interception by an attacker of an electronic message to read the content, the impersonation of a correspondent or even the alteration content by an attacker during the message transport phase.
Il est connu dans l'art antérieur de procéder à la sécurisation de l'envoi de message par le recours à des solutions basées sur la cryptographie, notamment par le recours à des solutions à clé publique et clé privée.It is known in the prior art to secure the sending of messages by the use of solutions based on cryptography, in particular by the use of solutions with public key and private key.
L'état de la technique le plus proche est décrit par le brevet américain US6154543. Ce brevet concerne un cryptosystème à clé publique permettant à un utilisateur itinérant l'accès à un réseau pour établir des communications sûres entre les utilisateurs du système, les machines clientes, et les serveurs de chiffrement. Selon cette solution de l'art antérieur, la machine cliente génère et mémorise une clé privée chiffrée dans un serveur de ' chiffrement. Un utilisateur peut alors accéder à cette clé privée chiffrée depuis n'importe quelle machine cliente située dans le réseau et la déchiffrer en utilisant une phrase passe, jouissant ainsi de l'accès intersystème. La clé privée peut être utilisée pour déchiffrer et chiffrer les messages reçus. Un utilisateur peut générer un message numérique, le chiffrer avec la clé publique du destinataire d'un client, et le transmettre au serveur de chiffrement depuis n'importe quelle machine cliente du serveur.
Cette solution de l'état de la technique est certes acceptable pour des messages électroniques de quelques kilo-octets. Par contre, pour l'utilisation pour des envois plus importants, notamment de fichiers correspondant à des données multimédias, une telle solution nécessite des ressources informatiques très importantes, notamment en terme de mémoire vive. En effet, dans ce système, le serveur est toujours utilisé pour un stockage temporaire des données à transmettre au poste client (cf. colonne 4-5, lignes 58-7). Le but de la présente invention est de remédier à cet inconvénient en proposant un procédé permettant de sécuriser l'envoi de messages quel que soit leur volume, avec des postes clients ne nécessitant pas de ressources informatiques importantes. A cet effet, l'invention concerne selon son acception la plus générale un procédé de messagerie sécurisée, comportant une première étape d'inscription d'un utilisateur, consistant à générer une bi-clé sur le poste client dudit utilisateur, à l'aide d'un algorithme de génération de clés [RSA par exemple], à chiffrer la clé privée par un algorithme symétrique exécuté sur le poste client, la clé de cet algorithme symétrique étant dérivée par une fonction de hachage [fonction SHAl ] d'une chaîne de caractères secrète [pass phrase] saisie au moyen d'un périphérique [clavier par exemple], à transmettre au serveur un fichier comprenant ladite valeur cryptée de la clé privée cryptée avec la clé symétrique, la clé publique à un serveur comportant une base de données pour l'enregistrement desdites informations et d'un identifiant unique dudit utilisateur [par exemple son adresse de courrier électronique], et
la valeur de hachage de la clé symétrique [dérivée de la pass phrase],The closest state of the art is described in US patent US 6154543. This patent relates to a public key cryptosystem allowing a roaming user access to a network to establish secure communications between system users, client machines, and encryption servers. According to this solution of the prior art, the client machine generates and stores an encrypted private key in a server 'encryption. A user can then access this encrypted private key from any client machine located on the network and decrypt it using a passphrase, thereby enjoying cross-system access. The private key can be used to decrypt and encrypt received messages. A user can generate a digital message, encrypt it with the public key of a client's recipient, and transmit it to the encryption server from any client machine on the server. This state-of-the-art solution is certainly acceptable for electronic messages of a few kilobytes. On the other hand, for the use for larger shipments, in particular of files corresponding to multimedia data, such a solution requires very significant IT resources, in particular in terms of RAM. In fact, in this system, the server is always used for temporary storage of the data to be transmitted to the client computer (see column 4-5, lines 58-7). The object of the present invention is to remedy this drawback by proposing a method making it possible to secure the sending of messages regardless of their volume, with client workstations not requiring significant IT resources. To this end, the invention relates, in its most general sense, to a secure messaging method, comprising a first step of registering a user, consisting in generating a key pair on the client workstation of said user, using a key generation algorithm [RSA for example], to encrypt the private key by a symmetric algorithm executed on the client computer, the key of this symmetric algorithm being derived by a hash function [SHAl function] of a chain of secret characters [pass phrase] entered by means of a peripheral [keyboard for example], to transmit to the server a file comprising said encrypted value of the private key encrypted with the symmetric key, the public key to a server comprising a database data for recording said information and a unique identifier of said user [for example his email address], and the hash value of the symmetric key [derived from the pass phrase],
1 ' étape d ' inscription comportant en outre une opération de signature de ladite bi-clé de l'utilisateur par la clé privée du serveur [clé de certification ou de signature des clés], le procédé comportant une étape d'exploitation comportant une opération d' authentification de l'utilisateur par la transmission au serveur depuis un poste client quelconque de son identifiant et de ladite chaîne de caractères secrète [sa « pass phrase »], et de validation de l'authenticité de l'utilisateur par comparaison entre la valeur dérivée de la dite chaîne de caractère secrète transmise par l'utilisateur, et la valeur dérivée stockée dans ladite base de données, en relation avec l'identifiant de l'utilisateur considéré, et une opération de transmission par le serveur vers le poste utilisateur de ladite bi-clé, puis à chiffrer et/ou signer le message préparé sur le poste client avec respectivement les clés privées des destinataires du message, et/ou la clé public dudit utilisateur, et une opération de transmission dudit message entre le poste de l'utilisateur et le serveur, ladite opération de transmission du message étant réalisée par l'établissement de canaux virtuels [VPN] pour le chiffrement et/ou la signature, caractérisé en ce que la compression et la transmission du message sont réalisées "en flux continu" [streaming] sans stockage temporaire en mémoire sur le poste client, ni sur le serveur, ni sur un poste périphérique.The registration step further comprising an operation of signing said user key pair with the server private key [certification key or key signature], the method comprising an operating step comprising an operation authentication of the user by transmission to the server from any client station of his identifier and said secret character string [his “pass phrase”], and validation of the authenticity of the user by comparison between the value derived from said secret character string transmitted by the user, and the derived value stored in said database, in relation to the identifier of the user considered, and an operation of transmission by the server to the user station of said bi-key, then encrypt and / or sign the message prepared on the client computer with the private keys of the recipients of the message, and / or the public key respectively c of said user, and an operation of transmitting said message between the user's workstation and the server, said operation of transmitting the message being carried out by establishing virtual channels [VPN] for encryption and / or signature, characterized in that the compression and the transmission of the message are carried out "in continuous flow" [streaming] without temporary storage in memory on the client station, neither on the server, nor on a peripheral station.
De préférence, l'opération de transmission, c'est-à-dire l'envoi-réception, du message consiste à ouvrir une pluralité de canaux virtuels emboîtés, le premier canal étant un canal de communication, englobé un canal de signature, englobé lui-même un canal de compression, englobé dans un canal de chiffrement, permettant la transmission de
messages sans limitation de taille ; la réception englobant en sens inverse les canaux (déchiffrement englobé dans décompression, englobé dans vérification).Preferably, the operation of transmitting, that is to say sending-receiving, the message consists in opening a plurality of nested virtual channels, the first channel being a communication channel, encompassed a signature channel, encompassed itself a compression channel, included in an encryption channel, allowing the transmission of messages without size limitation; reception encompassing the channels in reverse (decryption included in decompression, included in verification).
Selon un mode de réalisation particulier, lesdits canaux virtuels sont en série et comprennent un canal de chiffrement et un canal de signature en série.According to a particular embodiment, said virtual channels are in series and include an encryption channel and a signature channel in series.
Avantageusement, la pluralité de canaux virtuels comporte en outre un canal d'entrée-sortie (I/O) sur les périphériques du poste client. Selon un mode de mise en œuvre particulier, l'étape de transmission de message consiste à préparer unAdvantageously, the plurality of virtual channels further comprises an input-output (I / O) channel on the peripherals of the client station. According to a particular mode of implementation, the message transmission step consists in preparing a
• bloc comprenant un message en clair, composé de textes et de références à des fichiers du poste utilisateur [fichiers attachés], à ouvrir lesdits canaux virtuels, à pointer chaque canal sur lesdits fichiers de façon séquentielle, et lire et traiter le flux pour réaliser les opérations de chiffrement et/ou de signature, de compression et de transmission. • block comprising a clear message, composed of texts and references to files on the user station [attached files], to open said virtual channels, to point each channel to said files sequentially, and to read and process the flow to carry out encryption and / or signature, compression and transmission operations.
Selon une variante, le procédé selon l'invention comporte une opération de chiffrement distincte de chacun des hashs du message dudit flux avec la clé privée dudit utilisateur, afin de créer une signature numérique, pour permettre une vérification ultérieure de la signature de chacun desdits composants séparément.According to a variant, the method according to the invention comprises an encryption operation distinct from each of the hashes of the message of said stream with the private key of said user, in order to create a digital signature, to allow subsequent verification of the signature of each of said components. separately.
L'invention concerne également une architecture pour le traitement de messages sécurisés, comprenant un serveur comportant une mémoire pour l'enregistrement chiffré et signé des informations relatives aux utilisateurs inscrits, des moyens d'envoi et de réception de messages et des moyens de connexion à un réseau public, et des postes clients comportant une application de navigation et des moyens de connexion audit réseau, caractérisée en ce que le serveur comporte des moyens de liaison sécurisée avec le réseau et des moyens de vérification de fichiers transmis par un utilisateur et signés avec une clé publique du serveur, et
pour l'enregistrement, après vérification positive, dans une mémoire pour l'enregistrement d'une table comprenant, pour chaque utilisateur : la valeur cryptée ["hash"] de la clé privée cryptée avec la clé symétrique, la clé publique à un serveur comportant une base de données pour 1 ' enregistrement desdites informations et d'un identifiant unique dudit utilisateur [par exemple son adresse de courrier électronique], et la valeur de hachage de la clé symétrique [dérivée de la pass phrase], l'architecture comprenant en outre des moyens pour l'établissement de canaux virtuels [VPN] pour le chiffrement et/ou la signature, la compression et la transmission du message "en flux continu" [streaming] sans stockage temporaire en mémoire sur le poste client, ni sur le serveur, ni sur un poste périphérique.The invention also relates to an architecture for processing secure messages, comprising a server comprising a memory for the encrypted and signed recording of information relating to the registered users, means of sending and receiving messages and means of connection to a public network, and client workstations comprising a navigation application and means of connection to said network, characterized in that the server comprises means of secure connection with the network and means of verifying files transmitted by a user and signed with a server public key, and for recording, after positive verification, in a memory for recording a table comprising, for each user: the encrypted value ["hash"] of the private key encrypted with the symmetric key, the public key to a server comprising a database for recording said information and a unique identifier of said user [for example his email address], and the hash value of the symmetric key [derived from the pass phrase], the architecture comprising furthermore means for establishing virtual channels [VPN] for encryption and / or signing, compression and transmission of the "streaming" message without temporary storage in memory on the client workstation or on the server, nor on a peripheral station.
La présente invention sera mieux comprise à la lecture de la description d'un exemple non limitatif de réalisation qui suit, ce référant aux dessins annexés où : la figure 1 représente le schéma d'une architecture de messagerie sécurisée selon l'invention ; - la figure 2 représente le schéma fonctionnel du procédé de messagerie.The present invention will be better understood on reading the description of a nonlimiting exemplary embodiment which follows, with reference to the appended drawings where: FIG. 1 represents the diagram of a secure messaging architecture according to the invention; - Figure 2 shows the block diagram of the messaging process.
Le système de messagerie sécurisée selon l'invention met en œuvre un serveur (1) relié à un réseau de télécommunication, notamment le réseau Internet.The secure messaging system according to the invention implements a server (1) connected to a telecommunications network, in particular the Internet network.
L'utilisateur du service de messagerie conforme à l'invention dispose d'un poste de travail (2) également relié au même réseau de télécommunication.
Le serveur (1) comporte un espace de mémoire pourThe user of the messaging service according to the invention has a workstation (2) also connected to the same telecommunications network. The server (1) has a memory space for
- l'enregistrement d'une base de données (3) destinée au stockage de façon sécurisée des clés des utilisateurs, ainsi que les références des messages, et de leurs pièces jointes cryptées sur le disque dur du serveur.- the recording of a database (3) intended for the secure storage of the keys of the users, as well as the references of the messages, and of their encrypted attachments on the server's hard disk.
Le serveur comporte en outre un applicatif (4) réalisant l'interface entre les requêtes des utilisateurs, adressées sous forme de formulaires HTML, et l'accès aux données enregistrées dans la base de données ( 3 ) . Lors de l'utilisation, le poste client (2) établit un lien HTTP avec le serveur (1).The server also includes an application (4) providing the interface between user requests, sent in the form of HTML forms, and access to the data recorded in the database (3). During use, the client station (2) establishes an HTTP link with the server (1).
Il établit ensuite une requête, par exemple une requête de récupération de sa clé privée cryptée en mémoire du poste client. Lors de la consultation d'un message, la requête de consultation ouvre un lien TCP/IP (HTTP) qui va ouvrir un premier canal technique (5) encapsulé par deux canaux techniques en série respectivement de déchiffrement ( 6 ) et de vérification de la signature (7), ces deux canaux (6, 7) étant eux-mêmes encapsulés par un canal technique de décompression (8), par exemple au format ZIP.It then establishes a request, for example a request to recover its private key encrypted in the memory of the client station. During the consultation of a message, the consultation request opens a TCP / IP (HTTP) link which will open a first technical channel (5) encapsulated by two technical channels in series respectively for decryption (6) and for checking the signature (7), these two channels (6, 7) being themselves encapsulated by a technical decompression channel (8), for example in ZIP format.
Ces canaux permettent d'établir un lien persistant et synchrone entre le pointeur de lecture sur la base de données (3) et un fichier ouvert en mode écriture qui enregistre progressivement, et sans stockage intermédiaire dans une mémoire tampon, le flux déchiffré, vérifier et décompressé.These channels make it possible to establish a persistent and synchronous link between the read pointer on the database (3) and a file opened in write mode which progressively records, and without intermediate storage in a buffer memory, the decrypted stream, check and decompressed.
De la même façon, pour transmettre un message, le poste client (2) procède à l'ouverture d'une série de canaux (5 à 8) pour la transmission en continu d'un flux chiffré, signé et compressé à partir du fichier du poste client vers la base de données (3) du serveur (1).
Similarly, to transmit a message, the client station (2) opens a series of channels (5 to 8) for the continuous transmission of an encrypted, signed and compressed stream from the file from the client computer to the database (3) of the server (1).
Claims
REVENDICATIONS
1 — Procédé de messagerie sécurisée, comportant une première étape d'inscription d'un utilisateur, consistant à générer une bi-clé sur le poste client dudit utilisateur, à l'aide d'un algorithme de génération de clés [RSA par exemple], à chiffrer la clé privée par un algorithme symétrique exécuté sur le poste client, la clé de cet algorithme symétrique étant dérivée par une fonction de hachage [fonction SHAl] d'une chaîne de caractères secrète [pass phrase] saisie au moyen d'un périphérique [clavier par exemple] , à transmettre au serveur un fichier comprenant ladite valeur cryptée de la clé privée cryptée avec la clé symétrique, - la clé publique à un serveur comportant une base de données pour l'enregistrement desdites informations et d'un identifiant unique dudit utilisateur [par exemple son adresse de courrier électronique], et - la valeur de hachage de la clé symétrique1 - Method of secure messaging, comprising a first step of registering a user, consisting in generating a key pair on the client workstation of said user, using a key generation algorithm [RSA for example] , to encrypt the private key by a symmetric algorithm executed on the client computer, the key of this symmetric algorithm being derived by a hash function [SHAl function] from a secret character string [pass phrase] entered using a peripheral [keyboard for example], to transmit to the server a file comprising said encrypted value of the private key encrypted with the symmetric key, - the public key to a server comprising a database for recording said information and an identifier unique of said user [for example his email address], and - the hash value of the symmetric key
[dérivée de la pass phrase], l'étape d'inscription comportant en outre une opération de signature de ladite bi-clé de l'utilisateur par la clé privée du serveur [clé de certification ou de signature des clés], le procédé comportant une étape d ' exploitation comportant une opération d ' authentification de l'utilisateur par la transmission au serveur depuis un poste client quelconque de son identifiant et de ladite chaîne de caractères secrète [sa[derived from the pass phrase], the registration step further comprising an operation of signing said user key pair with the private key of the server [certification key or key signature], the method comprising an operating step comprising an operation of authenticating the user by transmitting to the server from any client station his identifier and said secret character string [sa
« pass phrase »], et de validation de l'authenticité de l'utilisateur par comparaison entre la valeur dérivée de la dite chaîne de caractère secrète transmise par l'utilisateur, et la valeur dérivée stockée dans ladite base de données, en relation avec l'identifiant de l'utilisateur considéré, et une opération de transmission par le serveur vers le poste
utilisateur de ladite bi-clé, puis à chiffrer et/ou signer le message préparé sur le poste client avec respectivement les clés privées des destinataires du message, et/ou la clé public dudit utilisateur, et une opération de transmission dudit message entre le poste de l'utilisateur et le serveur, ladite opération de transmission du message étant réalisée par l'établissement de canaux virtuels [VPN] pour le chiffrement et/ou la signature, caractérisé en ce que la compression et la transmission du message sont réalisées "en flux continu" [streaming] sans stockage temporaire en mémoire sur le poste client, ni sur le serveur, ni sur un poste périphérique."Pass phrase"], and validation of the authenticity of the user by comparison between the value derived from said secret character string transmitted by the user, and the derived value stored in said database, in relation to the identifier of the user considered, and a transmission operation by the server to the station user of said key pair, then encrypting and / or signing the message prepared on the client station with the private keys of the recipients of the message, and / or the public key of said user, respectively, and an operation for transmitting said message between the station of the user and the server, said message transmission operation being carried out by establishing virtual channels [VPN] for encryption and / or signature, characterized in that the compression and transmission of the message are carried out "by continuous stream "[streaming] without temporary storage in memory on the client computer, nor on the server, nor on a peripheral computer.
2 — Procédé de messagerie selon la revendication 1 caractérisé en ce que ladite opération de transmission, c'est-à-dire l'envoi-réception, du message consiste à ouvrir une pluralité de canaux virtuels emboîtés, le premier canal étant un canal de communication, englobé un canal de signature, englobé lui-même un canal de compression, englobé dans un canal de chiffrement, permettant la transmission de messages sans limitation de taille ; la réception englobant en sens inverse les canaux (déchiffrement englobé dans décompression, englobé dans vérification) .2 - A messaging method according to claim 1 characterized in that said transmission operation, that is to say sending-receiving, of the message consists in opening a plurality of nested virtual channels, the first channel being a communication, including a signature channel, including a compression channel, included in an encryption channel, allowing the transmission of messages without limitation of size; reception encompassing the channels in reverse (decryption included in decompression, included in verification).
3 — Procédé de messagerie selon la revendication3 - Messaging method according to claim
2 caractérisé en ce que lesdits canaux virtuels sont en série et comprennent un canal de chiffrement (6) et un canal de signature (7) en série.2 characterized in that said virtual channels are in series and include an encryption channel (6) and a signature channel (7) in series.
4 — Procédé de messagerie selon la revendication4 - Messaging method according to claim
2 ou 3 caractérisé en ce que la pluralité de canaux virtuels comporte en outre un canal d'entrée-sortie (I/O) sur les périphériques du poste client.
5 — Procédé de messagerie selon la revendication 4 caractérisé en ce que ladite étape de transmission de message consiste à préparer un bloc comprenant un message en clair, composé de textes et de références à des fichiers du poste utilisateur [fichiers attachés], à ouvrir lesdits canaux virtuels, à pointer chaque canal sur lesdits fichiers de façon séquentielle, et lire et traiter le flux pour réaliser les opérations de chiffrement et/ou de signature, de compression et de transmission.2 or 3 characterized in that the plurality of virtual channels further comprises an input-output channel (I / O) on the peripherals of the client station. 5 - Messaging method according to claim 4 characterized in that said message transmission step consists of preparing a block comprising a clear message, composed of texts and references to files of the user station [attached files], to open said virtual channels, to point each channel to said files sequentially, and read and process the stream to perform the operations of encryption and / or signature, compression and transmission.
6 — Procédé de messagerie selon l'une au moins des revendications précédentes caractérisé en ce qu'il comporte une opération de chiffrement distincte de chacun des hashs du message dudit flux avec la clé privée dudit utilisateur, afin de créer une signature numérique, pour permettre une vérification ultérieure de la signature de chacun desdits composants séparément.6 - Messaging method according to at least one of the preceding claims, characterized in that it comprises an encryption operation distinct from each of the hashes of the message of said stream with the private key of said user, in order to create a digital signature, to allow a subsequent verification of the signature of each of said components separately.
7 — Architecture pour le traitement de messages sécurisés , comprenant un serveur comportant une mémoire pour l'enregistrement chiffré et signé des informations relatives aux utilisateurs inscrits, des moyens d'envoi et de réception de messages et des moyens de connexion à un réseau public, et des postes clients comportant une application de navigation ' et des moyens de connexion audit réseau, caractérisée en ce que le serveur comporte des moyens de liaison sécurisée avec le réseau et des moyens de vérification de fichiers transmis par un utilisateur et signés avec une clé publique du serveur, et pour l'enregistrement, après vérification positive, dans une mémoire pour l'enregistrement d'une table comprenant, pour chaque utilisateur : la valeur cryptée ["hash"] de la clé privée cryptée avec la clé symétrique,
la clé publique à un serveur comportant une base de données pour 1 ' enregistrement desdites informations et d'un identifiant unique dudit utilisateur [par exemple son adresse de courrier électronique], et la valeur de hachage de la clé symétrique7 - Architecture for the processing of secure messages, comprising a server comprising a memory for the encrypted and signed recording of information relating to the registered users, means of sending and receiving messages and means of connection to a public network, and client workstations comprising a navigation application and means of connection to said network, characterized in that the server comprises means of secure connection with the network and means of verifying files transmitted by a user and signed with a public key of the server, and for recording, after positive verification, in a memory for recording a table comprising, for each user: the encrypted value ["hash"] of the private key encrypted with the symmetric key, the public key to a server comprising a database for recording said information and a unique identifier of said user [for example his email address], and the hash value of the symmetric key
[dérivée de la pass phrase], l'architecture comprenant en outre des moyens pour l'établissement de canaux virtuels [VPN] pour le chiffrement et/ou la signature, la compression et la transmission du message "en flux continu" [streaming] sans stockage temporaire en mémoire sur le poste client, ni sur le serveur, ni sur un poste périphérique.
[derived from the pass phrase], the architecture further comprising means for establishing virtual channels [VPN] for encryption and / or signing, compression and transmission of the "streaming" message [streaming] without temporary storage in memory on the client station, nor on the server, nor on a peripheral station.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR0102351 | 2001-02-21 | ||
FR0102351A FR2821220B1 (en) | 2001-02-21 | 2001-02-21 | SECURE MESSAGING PROCESS |
PCT/FR2002/000654 WO2002067535A2 (en) | 2001-02-21 | 2002-02-21 | Secure messaging method |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1362461A2 true EP1362461A2 (en) | 2003-11-19 |
Family
ID=8860273
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP02706886A Withdrawn EP1362461A2 (en) | 2001-02-21 | 2002-02-21 | Secure messaging method |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP1362461A2 (en) |
FR (1) | FR2821220B1 (en) |
WO (1) | WO2002067535A2 (en) |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6154543A (en) * | 1998-11-25 | 2000-11-28 | Hush Communications Anguilla, Inc. | Public key cryptosystem with roaming user capability |
-
2001
- 2001-02-21 FR FR0102351A patent/FR2821220B1/en not_active Expired - Fee Related
-
2002
- 2002-02-21 EP EP02706886A patent/EP1362461A2/en not_active Withdrawn
- 2002-02-21 WO PCT/FR2002/000654 patent/WO2002067535A2/en not_active Application Discontinuation
Non-Patent Citations (1)
Title |
---|
See references of WO02067535A3 * |
Also Published As
Publication number | Publication date |
---|---|
FR2821220B1 (en) | 2004-10-01 |
WO2002067535A3 (en) | 2002-12-12 |
WO2002067535A2 (en) | 2002-08-29 |
FR2821220A1 (en) | 2002-08-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7680281B2 (en) | Method and apparatus for intercepting events in a communication system | |
US10135771B2 (en) | Secure end-to-end transport through intermediary nodes | |
US7653815B2 (en) | System and method for processing encoded messages for exchange with a mobile data communication device | |
US8499156B2 (en) | Method for implementing encryption and transmission of information and system thereof | |
US6904521B1 (en) | Non-repudiation of e-mail messages | |
US6978378B1 (en) | Secure file transfer system | |
CN101667999B (en) | Method and system for transmitting peer-to-peer broadcast stream, data signature device and client | |
CN114244508B (en) | Data encryption method, device, equipment and storage medium | |
JP2005107935A (en) | Program for electronic mail processor, and electronic mail processor | |
CN115396177A (en) | Encrypted communication method for realizing efficient communication of web end based on WASM | |
EP3568964B1 (en) | Method for end-to-end transmission of a piece of encrypted digital information and system implementing this method | |
CN112637230B (en) | Instant messaging method and system | |
WO2002067535A2 (en) | Secure messaging method | |
CN108243198B (en) | A kind of data distribution, retransmission method and device | |
WO2001075559A2 (en) | Agent-based secure handling of e-mail header information | |
EP1300980A1 (en) | Process for providing non repudiation of receipt (NRR) in an electronic transaction environment | |
US11968188B2 (en) | Secure email transmission via treasury portal | |
US20230198969A1 (en) | On-demand secure email transformation | |
Wang et al. | A solution of mobile e-commerce security problems | |
CN115001871A (en) | File encryption sharing method and system based on block chain technology | |
CN116886690A (en) | Method for supporting safe transmission of end-to-end message file by multiple persons simultaneously | |
CN115567226A (en) | Binary end-to-end encryption method based on session communication | |
CN116980170A (en) | Chat record retrieving mechanism with end-to-end encryption |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20030820 |
|
AK | Designated contracting states |
Kind code of ref document: A2 Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR |
|
AX | Request for extension of the european patent |
Extension state: AL LT LV MK RO SI |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
|
18D | Application deemed to be withdrawn |
Effective date: 20060901 |