FR3081652A1 - METHOD FOR ESTABLISHING KEYS FOR CONTROLLING ACCESS TO A SERVICE OR A RESOURCE - Google Patents

Abstract

A key establishment method for controlling access to a service or resource using attribute-based encryption (ABE) mechanisms.

Description

METHOD OF ESTABLISHING KEYS FOR CONTROLLING ACCESS TO A SERVICE OR RESOURCE

The invention is in the field of data protection, and in particular the field of security in computer networks or telecommunications networks with intermittent, unavailable, or expensive connectivity. Examples of these networks are emerging low resource networks with machine-to-machine communications, the Internet of Things, wireless sensor networks, and vehicular networks, where constrained devices that provide resources or Protected services are deployed and left unattended in locations that are difficult to access. The invention also applies to emergency networks for public protection and disaster relief systems (in English, Public Protection and Disaster Relief or PPDR) when the network and communications infrastructure does not is more reliable because of a disaster.

More specifically, the invention relates to a method for establishing keys allowing access control to a service or a resource by using attribute-based encryption (ABE).

One of the key points to guarantee the security of computer applications is the protection of sensitive data. Data can be protected using cryptographic data encryption algorithms, requiring cryptographic keys to decrypt the data. Keys must be distributed to users authorized to decrypt the data. To selectively manage different types of users who perform different tasks on the data, fine and flexible data access control is required. Attribute-based encryption mechanisms provide both data privacy and data access control, cryptographically combining decryption keys with data access permissions. The encrypted data does not need to be transmitted over a secure channel or stored on a trusted server. To decrypt encrypted data, users must now satisfy an access policy that is defined on attributes that can be associated with data users, data elements, and the environment. For example, an attribute can concern the role of a user, for example his profession, or personal characteristics of the user, for example his function or a level of priority assigned to him for access to data. sensitive.

The publication by Bethencourt et al. [1] describes a particular attribute-based encryption method, called the CP-ABE “Ciphertext-Policy Attribute-Based Encryption” encryption method.

This method is a construction of an encryption method based on the attributes having the access policy incorporated in the encrypted data and the attributes held by the data users. In this way, if the access policy changes regularly, the access control is more flexible than the basic ABE scheme, since it is only necessary to change the access policy which will be incorporated into the encrypted data, rather than distributing new keys to users.

Document [2] describes another encryption method based on attributes, called the KP-ABE "Key-Policy AttributeBased Encryption" encryption method. This method uses a set of attributes to describe the encrypted data and builds the security policy in the user's private key. If the attributes of the encrypted data satisfy the access structure defined in the user's private key, the user can decrypt the encrypted data. The algorithm mainly considers three actors: the sender (eg, the data owner), the receiver (eg the data user), and the authority (also known as the key management service ) whose role is to generate the public and private keys of the receiver. In this way, only people who have the attributes that meet the access policy can access the encrypted data.

The invention is compatible with both CPABE and KP-ABE encryption methods.

Ensuring authentication and authorization is essential to secure access to protected resources and services. Generally, the two security functions are performed by relying on one or more online trust authorities. Trusted authorities control access to resources and services in accordance with a security policy, in particular by participating directly in the authentication procedure to establish a secure channel, or by distributing temporary access tokens to authorized users allowing 'access to resources and services. However, the unavailability of these trusted authorities or their significant associated costs makes it difficult to authenticate and enforce authorization policies on protected resources and services.

Like public key schemes (eg, digital signatures) that can be used as primitives to develop authentication protocols without having to rely on an online trusted authority, encryption schemes based on ABE type attributes can also be used to build authorization protocols, since these schemes allow both to guarantee confidentiality, but also fine-grained access control on encrypted data. ABE-based authorization protocols therefore do without a trusted online authority.

However, these mechanisms do not make it possible to secure the confidential exchanges of users of the same group who share the same attributes. Thus, several users who are authorized to access the same resource or the same service, according to this ABE mechanism, will not be protected in confidentiality from one another.

There are encryption key exchange protocols designed using the ABE mechanism. The protocol of Gorantla and others described in the document [3] allows a group of peers associated with sets of attributes satisfying the same access policy, to share a session key. In the same vein, the protocol of Steinwandt and others described in the document [4] allows a group of peers having all attributes which satisfy the same security policy to share a common key.

A common disadvantage of these two protocols is that any peer who does not belong to the group but who has the right set of attributes can retrieve the established group key.

The protocol of Kolesnikov and others described in the document [5] is based on client / server interactions which allow a server to establish a shared key with a client only when the attributes of the latter satisfy an access policy. To do this, the protocol combines concepts of ABE encryption with elements of scrambled circuits (in English, garbled circuits). The protocol does not use ABE encryption per se, but a new concept, called selective attribute encryption, which allows the client to decrypt only the scrambled values of the input wires of the scrambled circuit, which are associated with its attributes. The protocol of Kolesnikov and others offers strong guarantees of confidentiality for both the client and the server, including the confidentiality of the attributes of the client and the non-associativity (in English, unlinkability) of its sessions. The protocol aims to hide the identity of the users of the data, and requires at least two exchanges of messages (ie, 4 messages), without taking into account the key establishment phase which is based on a bitpar draw protocol -bit (in English, coin tossing).

The invention proposes to resolve the aforementioned drawbacks by proposing a cryptographic mechanism based on attributes but which also comprises a key exchange protocol making it possible to guarantee the confidentiality of exchanges between a user and a service provider.

The invention brings several advantages, in particular in terms of safety and performance. The invention makes it possible to establish a session key while controlling access to resources and services. The invention makes it possible to carry out the establishment of keys and to control access according to an access policy in a single exchange of messages. This allows for quick access control and with a limited implementation cost.

The invention makes it possible to exempt the user from authenticating and thus to access resources or services in an anonymous manner (thus protecting the privacy of the user vis-à-vis the supplier) but authorized.

A variant of the invention allows the user to verify whether the resources or services accessed are legitimate in relation to a set of attributes or to an access policy.

The subject of the invention is a method, implemented by computer, of establishing at least one common key for controlling access to a service or a resource offered by a supplier for users having at least one attribute belonging to a first predetermined set of user attributes, the method being executed by the supplier and comprising the steps of:

- Generate a first partial supplier key K ¹ f,

- Encrypt the first partial supplier key K ¹ _F , from a key derived from said first set of user attributes,

- Transmit, to the user, the first partial supplier key encrypted ct _F ,

- Receive, from the user, a first partial user key K ¹ u,

- Determine, from the first partial user key K ¹ u, a first key K ¹ dh common to the supplier and the user,

- Establish a secure communication channel between the supplier and the user from the first common K ¹ _DH key.

According to a particular aspect of the invention, the first partial user key is an encrypted key ctu and the method further comprises a step of decrypting the first partial user key encrypted ctu from a key derived from a supplier attribute sk _F that the supplier has.

According to a particular aspect of the invention:

the first partial supplier key K ¹ _F is obtained (201) from an operation between a generator g of a group and a first secret random variable s _F of the supplier and,

- The first common key K ¹ DH is obtained (204) from an operation between the first partial user key K ¹ u and the first secret random variable sF of the supplier.

In a particular variant embodiment, the method according to the invention further comprises the steps of:

- Generate a second partial supplier key K ² _F and transmit it to the user,

- Receive, from the user, a second partial user key K ² u,

- Determine, from the second partial user key K ² u, a second key K ² _DH common to the supplier and the user,

- Establish a secure communication channel between the supplier and the user from the first common K ¹ dh key and the second common K ² _DH key.

According to a particular aspect of the invention:

the first partial supplier key K ¹ _F is obtained from an operation between a generator g _F of a first group and a first secret random variable s _F of the supplier,

the first common key K ¹ dh is obtained from an operation between the first partial user key K ¹ u and a second secret random variable x of the supplier,

the second partial supplier key K ² f is obtained from an operation between a generator gu of a second group and the second random random variable x of the supplier and,

the second common key K ² _DH is obtained from an operation between the second partial user key K ² u and the first secret random variable sf of the supplier.

The subject of the invention is also a method, implemented by computer, of establishing at least one common key for controlling access to a service or a resource offered by a supplier for users having at least one attribute. belonging to a first predetermined set of user attributes, the method being executed by a user having at least one user attribute and comprising the steps of:

- Generate a first partial user key K ¹ u and transmit it to the supplier,

- Receive, from the supplier, a first partial encrypted supplier key cîf,

- Decrypt the first partial supplier key encrypted cîf from a key derived from the attribute that the user has, to obtain a first partial supplier key K ¹ _F ,

- Determine, from the first partial supplier key K ¹ f, a first key K ¹ dh, K ² dh common to the supplier and the user,

- Establish a secure communication channel between the supplier and the user from the first key K ¹ dh, K ² dh common.

In a particular variant embodiment, the method according to the invention further comprises a step of encrypting the first partial user key K ¹ u from a key derived from a second set of supplier attributes, before the forward to supplier.

According to a particular aspect of the invention:

the first partial user key K ¹ u is obtained from an operation between a generator of a group gp and a first secret random variable su, y of the user and,

- The first common key K ¹ dh is obtained from an operation between the first partial supplier key K ¹ f and the first secret random variable su, y of the user.

In a particular variant embodiment, the method according to the invention further comprises the steps of:

- Generate a second partial user key K ² u and transmit it to the supplier,

- Receive, from the supplier, a second partial supplier key K ² f,

- Determine, from the second partial key of supplier K ² f, a second key K ¹ _DH common to the supplier and to the user,

- Establish a secure communication channel between the supplier and the user from the first common key K ¹ dh and the second common key K ² dh.

According to a particular aspect of the invention:

the first partial user key K ¹ u is obtained from an operation between a generator gu of a first group and a first secret random variable su of the user,

the first common key K ² DH is obtained from an operation between the first partial supplier key K ¹ F and a second secret random variable y of the user,

the second partial user key K ² u is obtained from an operation between a generator g _F of a second group and the second secret random variable y of the supplier and,

- The second common key K ¹ dh is obtained from an operation between the second partial supplier key K ² _F and the first secret random variable Su of the supplier.

According to a particular aspect of the invention, the operation is a modular exponentiation calculation and the group is a finite multiplicative group.

The invention also relates to a computer program comprising instructions for the execution of one of the methods for establishing at least one common key according to the invention, when the program is executed by a processor.

The subject of the invention is also a recording medium readable by a processor on which is recorded a program comprising instructions for the execution of one of the methods for establishing at least one common key according to the invention, when the program is executed by a processor.

The subject of the invention is also an encryption device comprising a computer configured to execute the steps of any of the methods for establishing at least one common key according to the invention.

Other characteristics and advantages of the present invention will appear better on reading the description which follows in relation to the appended drawings which represent:

FIG. 1, a diagram illustrating a protocol for controlling access by a user to a service offered by a supplier, according to a first embodiment of the invention,

FIG. 2, a flow diagram of the steps of a method for establishing encryption keys, executed by the supplier, during an access control protocol according to the first embodiment of the invention,

FIG. 3, a flow diagram of the steps of a method for establishing encryption keys, executed by the user, during an access control protocol according to the first embodiment of the invention,

FIG. 4, a diagram illustrating a protocol for controlling access by a user to a service offered by a supplier and for controlling the legitimacy of the supplier, according to a second embodiment of the invention,

FIG. 5, a flow diagram of the steps of a method for establishing encryption keys, executed by the supplier, during an access control and legitimacy control protocol according to the second embodiment of FIG. 'invention,

FIG. 6, a flow diagram of the steps of a method of establishing encryption keys, executed by the user, during an access control and legitimacy control protocol according to the second embodiment of the invention,

FIG. 7, a diagram illustrating a protocol for controlling access by a user to a service offered by a supplier and for controlling the legitimacy of the supplier, according to a third embodiment of the invention,

- Figure 8, a flow diagram of the steps of a method of establishing encryption keys, executed by the supplier, during an access control and legitimacy control protocol according to the third embodiment of the 'invention,

FIG. 9, a flow diagram of the steps of a method of establishing encryption keys, executed by the user, during an access control and legitimacy control protocol according to the third embodiment of the invention.

Figures 1,2 and 3 show schematically an access control mechanism according to a first embodiment of the invention.

The invention allows a service or resource provider to control access to these services or resources by an unauthenticated user. Access control is carried out according to an access policy. A user is authorized if he has attributes which satisfy the access policy. Remember that an attribute can relate to the user, the resources or services protected, or the context (e.g., date, place, etc.). The notion of attribute makes it possible to define groups of users who have a common attribute. Each user can belong to one or more groups. An access policy is defined as a combination of threshold logical gates on attributes. An attribute can be assigned to a user temporarily or permanently. At its simplest level, an access policy can be to allow access to individuals with a predetermined attribute. For example, in the context of a fire in an intelligent building, the first responders (eg firefighters, police, etc.) have attributes, ie cryptographic materials: the attributes "A" allowing them to '' access to the whole building, the attributes «B >> allowing to control the actuators of the HVAC system (ie, heating, ventilation and air conditioning), and the attributes« C >> allowing to reset the fire alarm system after extinction of the fire. On the other hand, the electricity and supply companies will have just the attributes “B” allowing them to control the actuators of the HVAC system that they manage, but also attributes “D >> allowing to read the meters of the HVAC system remotely. This last service provided by HVAC system requests attributes that verify the policy ("B >> AND" D ").

The invention is based on an attribute-based encryption mechanism. It is compatible both with an encryption mechanism of the CP-ABE type for which a supplier controls access to the resources / services it offers according to an access policy, but also with an encryption mechanism of the type KP-ABE for which a supplier controls access to the resources / services it offers directly according to a list of authorized attributes.

In this first embodiment of the invention, the supplier and the user know the public parameters of the ABE encryption mechanism used. In addition, the user has a set of secret keys associated with a list of attributes which he has (for a mechanism of the CP-ABE type) or a security policy (for a mechanism of the KPABE type).

In the following description, the term "user" is used to designate a terminal used by a user to access the service or the resource offered by the supplier. The term "provider" is used to refer to the equipment that implements the service or hosts the resource. A service can be a service hosted on a remote server and offered by a provider on the Internet. It can be a software application. A resource can be a computer or a processor or a memory in a remote server or on the user’s terminal. For example, the invention can be used to allow a user to unlock their computer or to allow them to access a particular resource on the machine they are using.

We will now describe, before describing the invention, two examples of encryption key exchange protocols on which the invention can be based.

Document [3] introduces an attribute-based key encapsulation mechanism with an encapsulation policy (in English, encapsulation-policy attribute-based key encapsulation mechanism, or EPAB-KEM). An EP-AB-KEM protocol is an encryption technique designed to generate and secure the transmission of a symmetric key by means of attribute-based encryption algorithms and with a policy associated with the encrypted text. An EP-ABKEM type protocol consists of at least the following four algorithms.

A configuration algorithm, Configuration (1 ^A ) (pk, msk) generates a public key pk and a secret master key msk, which are returned as output.

A key generation algorithm, Key generation (msk, S) -F> sk: from the master secret key msk and a set of attributes S associated with a user, this algorithm returns the set sk of keys corresponding to the attributes in set S. These keys are supplied to users who have the corresponding attributes.

A key encapsulation algorithm, Encapsulation (pk, r) -> (ct, K) which generates both a random key K as an element of G _T and the same encrypted key and, the encryption operation being associated with an access policy Γ. Both went back out. The encapsulation operation therefore comprises the generation of a random key and its encryption to produce an encrypted key.

A key decapsulation algorithm, Decapsulation (pk, ct, sk) This algorithm is executed by a user with certain attributes S and the associated secret keys sk. If the set S of attributes associated with the secret key sk does not satisfy the access policy used to encrypt the key and, then the algorithm returns a constant 1 associated with the "false" event. In other words, this constant 1 is returned by the algorithm to signify that the user is not authorized to access the resources or services defined by the access policy. Otherwise, it decrypts and to find the symmetric key K ’and return it to the output.

The key exchange protocol proposed in document [3] allows a group of users with attributes that satisfy a given access policy to share a common group key. The protocol proceeds as follows. First, each user i runs the Encapsulation algorithm Encapsulation ^, Γ) -> (ctj.Kj) to generate a symmetric key and its encrypted according to the access policy Γ, and then broadcasts the encrypted text ctj . Upon receipt of an encrypted text and ,, each user i executes the decapsulation algorithm Decapsulation (pk, ctpsk,) K, to find the associated key using his secret key skj which verifies the access policy. Finally, each user calculates the session identifier sid = (ct-J ... | ct _n ) and the key of the group composed of n users: K = f _Ki (sid) φ ... φ f _Kn (sid ) where f is a key pseudo-random function.

The protocol proposed in document [3] is intended to secure group communications and does not offer a solution allowing individual access control and protected in confidentiality vis-à-vis other users with attributes satisfying the policy access associated with protected communications, as well as vis-à-vis the escrow authority which generates the secret ABE keys.

Another example of an EP-AB-KEM type protocol is derived from the Waters scheme described in document [6]. In this example, the protocol is composed of the following algorithms by default with a variation made to the output parameters of the encapsulation algorithm.

A configuration algorithm Configuration (1 ^A ) ~ ^ (pk, msk): this algorithm defines three groups G _1; G ₂ , and G _T of first order p = Θ (λ) with Gi and G ₂ having respectively two generators P and Q, and supporting a bilinear map not degenerate, efficient and calculable e: Gj x G ₂ G _T. The algorithm chooses two random values a, a eZ _P , as well as a set of random elements H _n H ₂ , .., H _U e G-ι which will be associated with the set of U attributes. Subsequently, the algorithm calculates a public key pk = (P, Q, aP, e (P, Q) “, H _{1 (} .., Hu) and a secret master key msk = (α.P), which returned to output.

A key generation algorithm Key generation (msk, S) -xsk ·. this algorithm chooses a random value te Z _P. Then, from the master secret key msk and a set of attributes S associated with a user, the algorithm calculates K = a. P + t. (a. P), L = t. Q, and Vy e S ç U: K _y = t. H _y as the secret key sk which is returned on exit.

A key encapsulation algorithm, Encapsulation (pk, r} -> (ct, sy. This algorithm converts the access policy into an MSP matrix (in English, Monotone Span Program), (M, p), where p is a function that maps each row of the matrix M to an attribute of U. An example of conversion techniques is described in appendix G of the document [7], For a matrix M of m rows and d columns, the algorithm chooses random values s, y ₂ , ->yd> ^r i>-> ^r m ^ez p · Considering the vector v = (s, y ₂ , ..., y _m ), the algorithm calculates VI < i <m: μ, = <(M) _i; v> where (M) j is the i-th line of M and <.,.> denotes a scalar product, then the algorithm calculates C '= s.Qetvl < i <m: Cj = pj. (aP) + (-η) .Ηρ (ί) and Di = rj.Q as the ciphertext and. The algorithm returns as output (et = ((M, p), C ', V1 <i <m: Cj, Dj), s).

An algorithm for decapsulating encrypted keys Decapsulation (pk, ct, sk) if the set S of attributes associated with the secret key sk does not satisfy the access policy used to encrypt the key and, then the algorithm returns the constant 1 signifying the “false” logical information Otherwise, there is a set of constants {Υίΐί ^ ι such that ΣϊειΥϊ · (Μ) ϊ = (1,0, ..., 0) where I is a set of indices of rows of the matrix Mqui correspond to attributes in S. Subsequently, the algorithm calculates the symmetric key:

, _ ___________ e (K, C ') ___________ e (n _ia CL) .n _{| eI} e (K _{p (1)} , D) and returns K' as output.

Figure 1 shows schematically an overview of the exchanges between a supplier F offering a service and a user U wishing to use this service. FIG. 2 describes, on a flowchart, the steps of the method according to the invention executed by the supplier. FIG. 3 describes, on a flow diagram, the steps of the method according to the invention executed by the user.

In this first embodiment of the invention, the supplier and the user know and use the same public parameters Pk of the ABE encryption mechanism.

The supplier defines an access policy Γ or a list of attributes {attr} for which access to the service or to the resource it offers is authorized. According to this access policy, the supplier generates, in a first step 201, a partial key K ¹ f and encrypts it using, for example, a key encapsulation algorithm as described in one of the two previous examples . The partial key K ¹ _F is generated by performing a modular exponentiation between the generator g = e (P, Q) ^a of a group included in the public parameters shared by the user and the supplier, and a secret random value s generated by the supplier: Kp = e (P, Q) ^as = g ^s . The group used is a finite group which can be, for example, a multiplicative group or an additive group.

Thus, the supplier generates a partial key K ¹ _F and its encrypted version cîf. It then transmits, in a step 202, the encrypted partial key cîf to the user.

Upon receipt 303 of the key cîf, the user executes a decapsulation algorithm 304 (for example one of the algorithms described above) to decrypt the key cîf using the public parameters pk and the secret key sk _u associated with the attributes that he owns. If the attributes possessed by the user verify the access policy of the supplier, then the key is decrypted and the user recovers the partial key K ¹ _F from the supplier.

In another step 301, the user generates a random value y and calculates another partial key K ¹ u from this random value and from the generator g = e (P, Q) ^a of the group by performing a modular exponentiation.

Kb = e (P, Q) ^ay = g ^y

The user transmits 302 the partial key K ¹ u to the supplier.

Upon reception 203 of the partial key K ¹ u from the user, the supplier calculates 204 a common key ^k dh = Kb ^s by performing a modular exponentiation between this key and the secret random value s used to generate the partial key K ¹ _F from the supplier.

Similarly, the user calculates 305 the same common key Κθ _Η = Kp ^y by performing a modular exponentiation between the partial key of the supplier and the secret random value y.

From the common key Κθ _Η , the supplier and the user can establish 205,306 a secure communication channel.

For example, they can each generate, from this common key, session keys to protect the communication channel through which the resources or services will be accessed. Protection is possible with integrity and confidentiality.

A possible method for deriving session keys from a common key is proposed in document [8].

The establishment of a common key from partial keys is based on the Diffie-Hellman key exchange protocol described in [9]. The common key is usually a master key used to derive other encryption keys which are used to guarantee confidentiality or integrity. This protocol allows two parties to establish a common key. For this, the two parties choose a finite group (eg a multiplicative group) and a generator g from this group. The first part chooses a random number x, calculates g ^x , and sends g ^x . Respectively, the second part chooses a random number y, calculates g ^y , and sends g ^y . The two parties then calculate the common key g ^xy .

An advantage of the method according to the invention is that it makes it possible to protect the exchanges between a supplier and a user, with integrity and confidentiality, vis-à-vis users of the same group having the same attributes and also vis-à-vis of the authority that issues the public parameters.

Another advantage is that the invention makes it possible to have persistent confidentiality. Indeed, in the case where the public parameters are recovered by an unauthorized third party, this third party cannot find the common key simply by having access to exchanges between the supplier and the user. Indeed, access to the encrypted partial key ct _F allows, knowing the public parameters, to find the partial key K ¹ F of the supplier but knowledge of the two partial symmetric keys K ¹ F and K ¹ u does not allow find the common key Ko _H.

Also, the invention also allows confidentiality vis-à-vis the escrow authority which issues public parameters.

The invention also retains the advantage of an attribute-based encryption mechanism which allows access to a service by being authenticated on the basis of its attributes without being identified personally.

Figures 4,5 and 6 describe a second embodiment of the invention. Figure 4 shows schematically an overview of the exchanges between a supplier F offering a service and a user U wishing to use this service. FIG. 5 describes, on a flow diagram, the steps of the method according to the second embodiment of the invention executed by the supplier. FIG. 6 describes, on a flow diagram, the steps of the method according to the second embodiment of the invention executed by the user.

The second embodiment of the invention allows both a provider of resources or services associated with an access policy to control access by an unauthenticated user but also the user to check whether the provider is legitimate to provide the service or resources.

Thus, in this variant embodiment, the invention includes a mechanism for authentication, by the user, of the legitimacy of the supplier. The provider and user always share the same public pk parameters used to generate the partial symmetric keys, which are known to them and provided by a third-party authority.

In this second embodiment, the user also performs an encryption step 601 of the partial key K ¹ u generated in step 301. This encryption step 601 can be performed using an identical encapsulation algorithm to that used by the supplier and which produces an encrypted ctu- key as output. Encapsulation 601 is carried out using a Γυ policy allowing the legitimacy of the service provider to be verified to provide the service or offer the resources. This policy Γυ is, for example, a logical combination of several attributes that a legitimate supplier must verify. If the KP-ABE encryption mechanism is used, the Γυ policy is replaced by a list of attributes {attru}.

On reception 203 of the encrypted key ctu, the supplier executes a decapsulation algorithm 501 to find the partial key K ¹ u of the user. This operation is only possible if the supplier has the attributes which satisfy the user's security policy Γυ.

The other steps of the method are identical to those described for the first embodiment of the invention.

An advantage of this second embodiment is that it allows the user to authenticate the supplier to be sure that it is legitimate to offer the service or provide the resources.

Figures 7,8 and 9 describe a third embodiment of the invention. Figure 7 shows schematically an overview of the exchanges between a supplier F offering a service and a user U wishing to use this service. FIG. 8 describes, on a flow diagram, the steps of the method according to the third embodiment of the invention executed by the supplier. FIG. 9 describes, on a flow diagram, the steps of the method according to the third embodiment of the invention executed by the user.

This third embodiment is a variant of the second embodiment described above. In this third embodiment of the invention, the process of authentication of the user by the supplier uses a first set of public parameters associated with a first set of public keys pkp, while the process of verifying the legitimacy of the provider by user uses a second set of public parameters associated with a second set of pku public keys.

The two sets of public parameters are, for example, provided to the provider and the user respectively by two different third-party authorities. Thus, the groups used respectively to generate partial keys are different respectively for the authentication process (described in the first embodiment of the invention) and for the legitimacy verification process (described in the second embodiment of the invention).

In this case, the operation of the key establishment mechanism must be modified compared to the operation described in Figures 4,5,6 because it is no longer possible for the supplier and the user to calculate a single common key.

In a first step 201, the supplier generates, according to the access policy or the list of attributes that he has, a first partial key K ¹ f and encrypts it using, for example, a key encapsulation algorithm . The partial key K ¹ f is generated from a first set of public parameters {Pf, Qf, c (f} by performing for example a modular exponentiation between the generator g _F = e (PF, QF) ^a F d ' a group included in this first set and a first secret random value sf generated by the supplier: Kp = e (PF, QF) ^a F ^S F = Qf ^s f · The first set of public parameters is used for the authentication mechanism of the user.

In an additional step 801, the supplier also generates a second partial key K ² _F from a second set of public parameters {Pu, Qu, au}, for example by performing a modular exponentiation between the generator gu = e (Pu, Qu) ^a u of a group included in this first set and a second secret random value x generated by the supplier: K ² F = e (Pu, Qu) ^a u ^x = gu *

The second set of public parameters is used for the provider's legitimacy verification mechanism.

Then, the supplier transmits 202, the first encrypted key cîf and the second partial key K ² _F to the user.

Upon receipt 303 of the two keys, the user executes a decapsulation algorithm 304 (for example one of the algorithms described above) to decrypt the key cîf using the public keys pk _F of the first set of public parameters and the secret key sk _u associated with the attributes it has. If the attributes possessed by the user verify the access policy of the supplier, then the key is decrypted and the user recovers the first partial key K ¹ F from the supplier. He also holds the second partial key K ² F that he received.

In another step 301, the user generates a first partial key K ¹ u from public parameters of the second set and a random value Su: Kjj = eCPu.Qu) ⁰ ^ = gu ^Su . This first key is intended for the supplier's legitimacy verification mechanism. This first partial key is then encrypted 601 via an encapsulation algorithm to produce an encrypted key ctu. In another step 901, the user also generates a second partial key K ² u from public parameters of the first set and a value random y: Ku = e (PF, QF) ^ai7y = gF ^y . This second partial key is intended for the user authentication mechanism.

The user then transmits 302 the first encrypted key ctu and the second partial key K ² u to the supplier.

Upon receipt 203 of the two keys, the supplier decrypts 501 the encrypted key ctu via a decapsulation algorithm.

The supplier 803 then determines a first common partial key Kq _H = Kjj * by performing a modular exponentiation between the first decrypted partial key K ¹ u and the secret random variable x used to calculate the second partial key of the supplier K ² _F. This first common key is calculated from public parameters of the second set and is used to verify the legitimacy of the supplier.

The supplier also determines 802 a second common key ^k dh = K & ^SF θ ^η performing a modular exponentiation between the second symmetric key K ² u received and the secret random variable sF used to calculate the first partial key of the supplier K ¹ F. This second common key is calculated from public parameters of the first set and is used to authenticate the user.

Similarly, the user also calculates 902 the first common key Κθ _Η = K _F ^Su by performing a modular exponentiation between the second partial key received K ² _F and the secret random variable Su used to calculate the first partial key of the user K ¹ u- This first common key is calculated from public parameters of the second set and is used to verify the legitimacy of the supplier.

The user also determines 305 also a second common key Κθ _Η = Kp ^y by performing a modular exponentiation between the first symmetric key K ¹ _F deciphered and the secret random variable y used to calculate the second partial key of the user K ² u. This second common key is calculated from public parameters of the first set and is used to authenticate the user.

From the first common key Κθ _Η , the user can verify the legitimacy of the supplier. From the second common key Κθ _Η , the supplier can authenticate the user. Using these two common encryption keys, the provider and the user can establish a secure channel 903 for exchange.

An advantage of this third embodiment of the invention is that it makes it possible to adapt the method of establishing common keys in the case where the user and the supplier do not share the same public parameters to perform a on the one hand the verification of the legitimacy of the supplier and on the other hand the authentication of the user. This is the case, for example, when the public parameters are provided by two separate third-party authorities.

In an alternative embodiment of the third embodiment, the method comprises a phase of prior negotiation between the supplier and the user so that they exchange the respective public parameters that they will use.

In another alternative embodiment of the invention, applicable to all of its embodiments, the method further comprises a step of identifying the user by the supplier and / or the supplier by the user for example by means of '' a digital signature by digital certificate. The protocol using the SIGMA technique described in document [10] can be used for this purpose.

This variant offers an additional function of establishing responsibility by identifying and logging access. In fact, the invention only allows the authentication of a user on the basis of attributes that it has but does not allow its precise identification and the traceability of this user's access to the service offered by the supplier. This alternative embodiment makes it possible to add an additional identification function to the invention.

The present invention can be implemented using hardware and / or software elements. It may be available as a computer program product on computer-readable media. The support can be electronic, magnetic, optical or electromagnetic.

In particular, the “supplier” device and the “user” device can use one or more dedicated electronic circuits or a general-purpose circuit. The technique of the invention can be carried out on a reprogrammable calculation machine (a processor or a microcontroller for example) executing a program comprising a sequence of instructions, or on a dedicated calculation machine (for example a set of logic gates like an FPGA or ASIC, or any other hardware module).

According to one embodiment, the “supplier” device and the “user” device comprise at least one computer-readable storage medium (RAM, ROM, EEPROM, flash memory or another memory technology, CD-ROM, DVD or a other optical disc media, magnetic cassette, magnetic tape, magnetic storage disc or other storage device, or other non-transient computer-readable storage medium) encoded with a computer program (i.e. several executable instructions) which, when executed on a processor or several processors, performs the functions of the embodiments described above.

As an example of a hardware architecture adapted to implementing the invention, a device according to the invention may include a communication bus to which a central processing unit or microprocessor (CPU, acronym for "Central Processing Unit") is connected. in English), which processor can be multi-core or many-core; a read only memory (ROM, acronym for “Read Only Memory” in English) which may include the programs necessary for implementing the invention; a random access memory or cache memory (RAM, acronym for "Random Access Memory" in English) comprising registers suitable for recording variables and parameters created and modified during the execution of the aforementioned programs; and a communication or I / O interface (I / O acronym for "Input / ouput" in English) adapted to transmit and receive data.

In the case where the invention is implemented on a reprogrammable computing machine, the corresponding program (that is to say the sequence of instructions) can be stored in or on a removable storage medium (for example an SD card , a DVD or Bluray, a mass storage means such as a hard disk (eg an SSD) or non-removable, volatile or nonvolatile, this storage medium being partially or totally readable by a computer or a processor. The computer-readable medium can be transportable or communicable or mobile or transmissible (i.e. by a 2G, 3G, 4G, Wifi, BLE, fiber optic or other telecommunications network).

The invention can also be implemented as a computer program product.

The reference to a computer program which, when executed, performs any of the functions described above, is not limited to an application program running on a single host computer. On the contrary, the terms computer program and software are used here in a general sense to refer to any type of computer code (for example, application software, firmware, microcode, or any other form of computer instruction) which can be used to program one or more processors to implement aspects of the techniques described here. IT resources or resources can in particular be distributed (Cloud computing), possibly using peer-to-peer technologies. The software code can be executed on any suitable processor (for example, a microprocessor) or processor core or a set of processors, whether provided in a single computing device or distributed among several computing devices (for example example as possibly accessible in the environment of the device). The executable code of each program allowing the programmable device to implement the processes according to the invention can be stored, for example, in the hard disk or in read-only memory. In general, the program or programs can be loaded into one of the storage means of the device before being executed. The central unit can control and direct the execution of the instructions or portions of software code of the program or programs according to the invention, instructions which are stored in the hard disk or in the read-only memory or else in the aforementioned other storage elements. The executable code can also be downloaded from a remote server.

The computer program may include source code, object code, intermediate source code or partially compiled object code or any other form of program code instructions adapted to implement the invention in the form of a computer program.

Such a program can present various functional architectures. For example, a computer program according to the invention can be broken down into one or more routines which can be adapted to execute one or more functions of the invention as described above. The routines can be saved together in the same executable file but can also be saved in one or more external files in the form of libraries which are associated with a main program in a static or dynamic way. Routines can be called from the main program but can also include calls to other routines or subroutines.

All the processes or steps of processes, programs or subprograms described in the form of flowcharts must be interpreted as corresponding to modules, segments or portions of program code which include one or more code instructions to implement the logic functions and the steps of the invention described.

The invention applies to the general context of low-resource networks in which a resource constrained device (eg CPU, memory, battery) controls access to the resources or services that it hosts. These networks can be deployed in remote locations that are difficult to access where regular connection to an authentication and authorization authority is not possible. Under these conditions, the protocol proposed in the invention allows the device to apply the access policy associated with the resources or services without going through the trusted authority and without a trust relationship previously established with the users.

The invention can also be applied in the context of emergency networks for public protection and disaster relief systems. In this type of network, the connection to a trusted authority can be damaged, disrupted, or subject to technical constraints (eg very heavy traffic). The solution proposed in the invention allows users, especially first responders, to access the resources and services deployed in the disaster area in a secure manner.

Within a general framework of federated identity management in the field of information technology (in English, federated identity) in a set of organizations, the invention can make it possible to simplify access management by users of an organization resources or services offered by another organization in the group. Thus, the provider of resources or services of the organization no longer requires the organization of the user, when requesting access from the user, to authenticate the latter and to provide information relating to access rights.

References [1] J. Bethencourt, A. Sahai, and B. Waters. Ciphertext-Policy AttributeBased Encryption. In Proceedings of the 2007 IEEE Symposium on Security and Privacy (SP Ό7). 2007.

[2] V. Goyal, O. Pandey, A. Sahai, and B. Waters, Attribute-based encryption for fine-grained access control of encrypted data, ”in Proceedings of the 13th ACM conference on Computer and communications security, pp. 89-98, 2006.

[3] M. C. Gorantla, C. Boyd, and J. M. G. Nieto, "Attribute-based authenticated key exchange", ACISP 2010.

[4] R Steinwandt and AS Corona, "Attribute-based group key establishment", Advances in Mathematics of Communications 4 (3), 381-398.

[5] Kolesnikov, H. Krawczyk, Y. Lindell, A. Malozemoff, and T. Rabin, "Attribute-based Key Exchange with General Policies", CCS 2016.

[6] B. Waters, "Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization", Public Key Cryptography 2011: 53-70.

[7] A. Lewko and B. Waters, “Decentralizing attribute-based encryption >>, EUROCRYPT'11.

[8] NIST SP 800-108 "Recommendation for Key Derivation Using Pseudorandom Functions", October 2009.

[9] W. Diffie and M. Hellman, "New directions in cryptography", IEEE Transactions on Information Theory, vol. 22, no 6, 1976.

[10] H. Krawczyk, "SIGMA: The‘ SIGn-and-MAc "Approach to Authenticated Diffie-Hellman and Its Use in the IKE Protocols >>, CRYPTO 2003.

Claims (14)

1. Method, implemented by computer, of establishing at least one common key for controlling access to a service or resource offered by a supplier for users having at least one attribute belonging to a first predetermined set user attributes, the method being executed by the supplier and comprising the steps of: - Generate (201) a first partial supplier key K ¹ _F , - Encrypt (201) the first partial supplier key K ¹ _F , from a key derived from said first set of user attributes, - Transmit (202), to the user, the first partial supplier key encrypted ct _F , - Receive (203), from the user, a first partial user key K ¹ u, - Determine (204), from the first partial user key K ¹ u, a first key K ¹ dh common to the supplier and the user, - Establish (205) a secure communication channel between the supplier and the user from the first common key K ¹ dh. 2. Method for establishing at least one common key according to claim 1 wherein the first partial user key is an encrypted key ctu and the method further comprises a step of decrypting (501) the first partial key of user encrypted ctu from a key derived from a supplier attribute sk _F that the supplier has. 3. Method for establishing at least one common key according to one of claims 1 or 2 in which: the first partial supplier key K ¹ _F is obtained (201) from an operation between a generator g of a group and a first secret random variable s _F of the supplier and, - The first common key K ¹ dh is obtained (204) from an operation between the first partial user key K ¹ u and the first secret random variable s _F of the supplier. 4. Method for establishing at least one common key according to one of claims 1 or 2 further comprising the steps of: - Generate (801) a second partial supplier key K ² _F and transmit it (202) to the user, - Receive (203), from the user, a second partial user key K ² u, - Determine (802), from the second partial user key K ² u, a second key K ² _DH common to the supplier and to the user, - Establish (804) a secure communication channel between the supplier and the user from the first common key K ¹ dh and the second common key K ² _DH . 5. Method for establishing at least one common key according to claim 4 in which: the first partial supplier key K ¹ _F is obtained (201) from an operation between a generator g _F of a first group and a first secret random variable s _F of the supplier, the first common key K ¹ dh (803) is obtained from an operation between the first partial user key K ¹ u and a second secret random variable x of the supplier, the second partial supplier key K ² _F is obtained (801) from an operation between a generator gu of a second group and the second random variable x secret of the supplier and, - the second common key K ² dh is obtained (802) from an operation between the second partial user key K ² u and the first secret random variable Sf of the supplier. 6. Method, implemented by computer, of establishing at least one common key for controlling access to a service or resource offered by a supplier for users having at least one attribute belonging to a first predetermined set user attributes, the method being executed by a user having at least one user attribute and comprising the steps of: - Generate (301) a first partial user key K ¹ u and transmit it (302) to the supplier, - Receive (303), from the supplier, a first partial supplier key, encrypted, - Decrypt (304) the first encrypted partial supplier key cîf from a key derived from the attribute that the user has, to obtain a first partial supplier key K ¹ f, - Determine (305), from the first partial supplier key K ¹ F, a first key K ¹ DH, K ² _DH common to the supplier and the user, - Establish (306) a secure communication channel between the supplier and the user from the first key K ¹ dh, K ² dh common. 7. Method for establishing at least one common key according to claim 4 further comprising a step of encrypting (601) the first partial user key K ¹ u from a key derived from a second set d 'attributes supplier, before transmitting it to the supplier. 8. Method for establishing at least one common key according to one of claims 6 or 7 in which: the first partial user key K ¹ u is obtained (301) from an operation between a generator of a group gF and a first secret random variable su, y of the user and, the first common key K ¹ DH is obtained (305) from an operation between the first partial supplier key K ¹ F and the first secret random variable su, y of the user. 9. Method for establishing at least one common key according to one of claims 6 or 7 further comprising the steps of: - Generate (901) a second partial user key K ² u and transmit it to the supplier, - Receive (303), from the supplier, a second partial supplier key K ² f, - Determine (902), from the second partial supplier key K ² f, a second key K ¹ DH common to the supplier and the user, - Establish (903) a secure communication channel between the supplier and the user from the first common K ¹ DH key and the second common K ² DH key. 10. Method for establishing at least one common key according to claim 9 in which: the first partial user key K ¹ u is obtained (301) from an operation between a generator gu of a first group and a first secret random variable su of the user, the first common key K ² DH is obtained (305) from an operation between the first partial supplier key K ¹ F and a second secret random variable y of the user, the second partial user key K ² u is obtained (901) from an operation between a generator g _F of a second group and the second secret random variable y of the supplier and, - The second common key K ¹ dh is obtained (902) from an operation between the second partial supplier key K ² _F and the first secret random variable Su of the supplier. 11. Method for establishing at least one common key according to one of claims 3,5,8 or 10 in which the operation is a modular exponentiation calculation and the group is a finite multiplicative group. 12. Computer program comprising program code instructions for the execution of the steps of any one of the methods for establishing at least one common key according to one of claims 1 to 11, when said program is executed by a processor. 13. Recording medium readable by a processor on which a program is recorded comprising instructions for the execution of the steps of any one of the methods for establishing at least one common key according to one of claims 1 to 11, when the program is executed by a processor. 14. An encryption device comprising a computer configured to execute the steps of any one of the methods for establishing at least one common key according to any one of claims 1 to 11.