WO2014059952A1 - Method of ensuring the safe communication in untrusted networks and equipment for the implementation of this method - Google Patents


Info

Publication number: WO2014059952A1
Authority: WO (WIPO, PCT)
Prior art keywords: data, transfer, network, secure, key
Application number: PCT/CZ2012/000115
Other languages: French (fr)
Inventors: Filip SOBOL, Kamil KNOTEK
Original assignee: Pramacom Prague Spol. S.R.O.
Priority date: 2012-10-19 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2012-11-16
Publication date: 2014-04-24

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]


Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The method of providing secure communication in untrusted networks and the equipment for this method consist of at least one client computer, a public unsecured communication channel for the transfer of encrypted data and a secure communication channel for the transfer of the encryption key; in addition the system consists of the encryption device between the private and the untrusted networks, the connection administrator on the secure network and the encryption device between the public network and the client equipment. The secured data transfer in untrusted networks is performed in such a way that the data for transfer are encrypted with a sufficiently strong cipher, so that in encrypted form they can be sent via an unsecured broadband communication channel without the risk of their decryption should they be captured by an unauthorized person. The key with which the sent data are encrypted is one-time: it is generated randomly and individually for every established connection, it is shorter by an order of magnitude than the transferred data, it is sent to the recipient via the slow, secure and trusted network so that it cannot be compromised during transfer or use, and the validity of every key expires after the end of the connection or after a set time limit. The recipient uses the key received via the trusted network to decrypt the data received via the untrusted network, which also verifies the authenticity of the received data and so prevents purposeful forgery or tampering with the data during their transfer.

Description

Method of Ensuring Secure Communication in Untrusted Networks and Equipment for the Execution of Said Method.
Technical Area
The invention applies to communication technology with the usage of electronics, information technology and wireless communication, specifically ensuring of secure data communication via untrusted communication networks.
Current State of the Art
At present, secured wireless data communication can be realized using various professional tools and networks that provide the required level of protection of the transferred data against unauthorized access to their content. An example of such a network is the Tetrapol system used by the Police and Army of the Czech Republic and other bodies of the Integrated Rescue System; another is the proprietary communication systems used especially by the military. The common denominator of these tools, however, is a relatively low data throughput: they were designed primarily for secure and reliable voice communication, and reliability and security have been placed well above data throughput from the beginning.
On the other hand, there are many commercially available wireless data networks capable of transfer rates of units or tens of Mbit/s, but without exception these networks are operated by private entities and must therefore be considered untrusted from the point of view of data security. If we do not control who has access to the data during their transfer, we must assume that everybody has. These networks are therefore not suitable for the transfer of data subject to protection.
Thus we have, on one side, secure networks with insufficient transfer capacity and, on the other, networks with high transfer capacity but insufficient security.
Some existing systems combine two different communication channels to implement procedures for verifying the authenticity of the communicating parties. So far the only known system combining a secure and a broadband network uses the secure network to transfer a one-time key for decrypting a document transferred over the broadband network, but it cannot establish secure, full two-way communication.
Subject Matter of the Invention
The purpose of the invention was to create a unified communication platform for professional mobile data services in the form of a full two-way data connection. The disadvantages of both categories mentioned above, i.e. the slow secure and the fast untrusted communication channels, are eliminated by the secure communication system via untrusted networks, which consists in separating the secured information from the tools for securing it. The data for transfer are encrypted with a sufficiently strong cipher so that in encrypted form they can be sent over an unsecured broadband communication channel without the risk of their decryption should they be captured by an unauthorized person. The key with which the sent data are encrypted is one-time: it is generated randomly and individually for every established connection. The key, which is shorter by an order of magnitude than the transferred data, is sent to the recipient via the slow, secure and trusted network, so there is no risk of the key being compromised during its transfer or use. The validity of every key expires at the end of the connection or after a set time limit. The recipient uses the key received via the trusted network to decrypt the data transferred via the untrusted network. In this way the authenticity of the received data is also verified, which prevents purposeful forgery of or tampering with the data during their transfer (in practice this requires the cipher to be used in an authenticated mode, i.e. with an integrity tag under the same one-time key, since confidentiality alone does not let the recipient detect a modified ciphertext).
The method of secure data transfer in untrusted networks and the equipment for this method consist of the following elements:
• Data gateway. A technological tool providing encryption of the transfer between the internal network (the target of the secured communication) and the untrusted (public) network.
• Key administrator. A technological tool that receives requests for connection establishment over the trusted connection and, on their basis, generates the one-time keys with which the data gateway encrypts the established data channels.
• Radio terminal. A hardware device connected to the trusted wireless network, which sends the requests for data and receives the keys for decrypting the data transferred over the broadband connection.
• Data terminal. An electronic device (a portable computer) equipped with tools for communication over the broadband network and tools for communication with the radio terminal. The data terminal is also equipped with a user interface enabling the user to enter requests for data and to present the received data in open form.
Since data transfer in broadband networks is charged for, the system may optimize its transfer strategy on the basis of data volume: shorter data sessions are carried over the trusted network, and the broadband connection is used only for requests involving larger data transfers.
Naturally, the method of secure data transfer in untrusted networks may be realized in both directions, that is, not only from the data portal to the data terminal but also from the data terminal to the data portal. The advantages of the new solution are the following:
1. Preservation of the data transfer security corresponding to the security of the trusted network
2. Transfer rate corresponding to the broadband data connection
3. Optimization of the data communication costs
4. High flexibility
5. Keeping of the possibility of data communication even in case of a broadband network failure
Major Benefits
The method of providing secure communication in untrusted networks and the equipment for the implementation of this method bring the following benefits in comparison with the present state:
• Possibility to introduce new mobile data services requiring larger data volumes
• Significant acceleration of the system response to database queries
• Significant increase of the total capacity of the mobile data service system
• Optimization and reduction of the data transfer load on the trusted network
• Significant increase of the entire system's throughput (increase of speed)
• Significant reduction of the response times (time spent waiting for a response)
The system enables data transfer at the highest available rate while maintaining security at the level of the secure network and meeting the confidentiality requirements of secure networks.
The system enables the implementation of remote data access systems which so far could not be implemented in any other way. These applications include, for example:
• Application of the transfer of large tactical information such as maps, situation plans, photographs, event descriptions etc.
• Continuous monitoring of the activity of terminals including their operating condition, data transfers and position
• Coordination and multiple distribution of information to large teams
• Full and secure utilization of intranet applications in remote terminals
At the same time this significantly improves the present data services, such as:
• Application of the remote access to databases
• Transfer of photographs from documents
Features of the Solution
The basic features of our professional mobile services solution include:
• Securing of data corresponding to the security of the trusted network
• Transfer rate corresponding to the maximum commercially available transfer rate for mobile data (24 Mbit/s at the time of filing)
• Full integration into Windows, WCE, Windows Mobile platforms
• Full integration into Linux and Android platforms
Technology
The used technology combines secure and broadband communication channels so that the user feels that he/she is using a single secure broadband communication tool.
All data related to key management are transferred via the secure network. If the length of a response is suitable for transfer via the secure network, it can be transferred via this network too. However, should the length of the transferred data delay the response or place an inadequate load on the secure network, or should their nature require a broadband connection, the data are transferred in encrypted form via the high-speed network; the secure network then carries only the information necessary for their encryption. In addition, all communication on the high-speed network is secured by the SSL protocol (TLS in current terminology).
The system is also protected against a possible high-speed network failure, for example due to a natural disaster, leaving the coverage area, etc. In such a case the system either transfers all data via the secure network or enables the user to narrow the query so as to reduce the volume of the transferred data.
Overview of the Pictures in the Drawing
The subject matter of the invention will be clarified in detail in the attached drawing, where Fig. 1 depicts schematically the method of providing secure communication in untrusted networks and the equipment for this method.
Examples of the Invention's Application
The example of the application of this invention, depicted in Fig. 1, is the method of establishing a secure connection in an untrusted network using the secure communication channel 3 and the public communication channel 2. The secure narrowband communication channel 3 serves for the transfer of connection requests and the exchange of the keys intended for the encryption of the transferred data. The public broadband communication channel 2 transfers the encrypted data themselves.
Procedure
1. Client 7 asks, by means of the secure communication channel 3, for the establishment of a secured connection.
2. The connection administrator 6 receives the request and generates a unique one-time key. It then uses this key to create the encrypted virtual connection by means of the encryption device 4.
3. The key used for establishing the encrypted connection is sent back to the remote encryption device 5 via the secure communication channel 3.
4. The remote encryption device 5 uses the received key to establish the secure connection with the encryption device 4 of the private network.
Compromise of the private network itself is not assumed; it lies outside the threat model.
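The four-step procedure above, together with the one-time key handling described under "Subject Matter of the Invention" and the volume-based channel choice, as an added example that is not part of the patent: a Python simulation of the connection administrator (6), the two encryption devices (4, 5) and one client session. The class and function names, the frame layout, the key lifetime and the size threshold are assumptions. The stand-in cipher (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) is chosen so the example runs with the standard library only; the patent prescribes no particular cipher, and a deployment would use an authenticated cipher such as AES-GCM instead.

```python
# Added example (not the patent's own code): stand-alone simulation of the two-channel scheme.
# The connection administrator (6) mints a random one-time key on request over the trusted
# channel (3); encryption devices (4, 5) use it to protect bulk data on the public channel (2).
# Frame layout, KEY_LIFETIME_S, SHORT_MSG_LIMIT and the HMAC-based cipher are assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SID_LEN, NONCE_LEN, KEY_LEN, TAG_LEN = 8, 16, 32, 32
KEY_LIFETIME_S = 300.0   # the "set time limit" after which a key is dead (assumed value)
SHORT_MSG_LIMIT = 512    # replies up to this size stay on the narrowband channel (assumed)

class KeyInvalid(Exception): "Key unknown, revoked at connection end, or past its time limit."
class Tampered(Exception): "Tag mismatch: frame forged or modified on the public channel."

@dataclass
class SessionKey:
    session_id: bytes
    key: bytes
    issued_at: float
    active: bool = True

class ConnectionAdministrator:
    """Element 6: reachable only over channel 3; issues one fresh key per connection."""

    def request_connection(self, now: float) -> SessionKey:
        return SessionKey(secrets.token_bytes(SID_LEN), secrets.token_bytes(KEY_LEN), now)

    def close_connection(self, sk: SessionKey) -> None:
        sk.active = False   # end of connection invalidates the key everywhere it was installed

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode with HMAC-SHA256 as the PRF (demonstration cipher only).
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

class EncryptionDevice:
    """Elements 4 and 5: hold keys delivered over channel 3, seal/open frames on channel 2."""

    def __init__(self, *keys: SessionKey) -> None:
        self.keys = {sk.session_id: sk for sk in keys}

    def _subkeys(self, session_id: bytes, now: float) -> tuple[bytes, bytes]:
        sk = self.keys.get(session_id)
        if sk is None or not sk.active or now - sk.issued_at >= KEY_LIFETIME_S:
            raise KeyInvalid(session_id.hex())
        return (hmac.new(sk.key, b"enc", hashlib.sha256).digest(),   # distinct cipher and MAC keys
                hmac.new(sk.key, b"mac", hashlib.sha256).digest())   # derived from the one-time key

    def seal(self, session_id: bytes, plaintext: bytes, now: float) -> bytes:
        enc_key, mac_key = self._subkeys(session_id, now)
        nonce = secrets.token_bytes(NONCE_LEN)
        ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
        tag = hmac.new(mac_key, session_id + nonce + ct, hashlib.sha256).digest()
        return session_id + nonce + ct + tag   # frame layout: sid | nonce | ciphertext | tag

    def open(self, frame: bytes, now: float) -> bytes:
        if len(frame) < SID_LEN + NONCE_LEN + TAG_LEN:
            raise Tampered("frame too short")
        session_id, nonce = frame[:SID_LEN], frame[SID_LEN:SID_LEN + NONCE_LEN]
        ct, tag = frame[SID_LEN + NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
        enc_key, mac_key = self._subkeys(session_id, now)
        expected = hmac.new(mac_key, session_id + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # verify before decrypting, constant time
            raise Tampered("tag mismatch")
        return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def choose_channel(payload_len: int, broadband_up: bool) -> str:
    """Volume-based routing: short replies, or any reply while broadband is down, use channel 3."""
    return "secure" if payload_len <= SHORT_MSG_LIMIT or not broadband_up else "broadband"

def _rejected(device: EncryptionDevice, frame: bytes, now: float, exc: type) -> bool:
    try:
        device.open(frame, now)
        return False
    except exc:
        return True

def run_session(payload: bytes, now: float = 1000.0) -> dict:
    """Walk through the four-step procedure and the checks the receiving device must make."""
    admin = ConnectionAdministrator()
    sk = admin.request_connection(now)          # steps 1-2: request arrives over channel 3, key minted
    gateway = EncryptionDevice(sk)              # step 2: administrator arms the private-side device (4)
    remote = EncryptionDevice(sk)               # step 3: key delivered to remote device (5) over channel 3
    frame = gateway.seal(sk.session_id, payload, now)   # step 4: bulk data crosses public channel 2
    forged = bytearray(frame)
    forged[-TAG_LEN - 1] ^= 0x01                # attacker on channel 2 flips one ciphertext bit
    result = {
        "channel": choose_channel(len(payload), True),
        "roundtrip": remote.open(frame, now) == payload,
        "tamper_detected": _rejected(remote, bytes(forged), now, Tampered),
        "expiry_enforced": _rejected(remote, frame, now + KEY_LIFETIME_S, KeyInvalid),
    }
    admin.close_connection(sk)                  # both devices hold the same SessionKey object here;
    result["closed_rejected"] = _rejected(remote, frame, now, KeyInvalid)   # a real system signals this
    return result
```

The tag check is what turns "also verifies the authenticity of the received data" into something the receiver can enforce: the one-time key keeps the ciphertext confidential, but without an integrity tag the remote device cannot tell a flipped bit from genuine data. The same lookup that finds the key enforces both expiry conditions (end of connection and the time limit), so a frame captured on the public channel and replayed later is rejected as well.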
The proposed platform enables quick, cheap, modular and easily upgradeable implementation of the system.
Industrial Applications
The method of providing secure communication in untrusted networks and the equipment for this method, which form the subject of this invention, have a wide industrial usability especially in the applications of the Police, Army, Fire Brigade and other bodies of the Integrated Rescue System, where they enable the transfer of data such as photographs, situation plans, maps, operational control applications etc., which will make the work of the rescue bodies more effective and thus enable more operative protection of property, health and life.

Claims

PATENT CLAIMS
1. The method of providing secure communication in untrusted networks and the equipment for this method, consisting of at least one client computer, a public unsecured communication channel for the transfer of encrypted data and a secure communication channel for the transfer of the encryption key, characterized in that the system further consists of the connection administrator (6) on the secured communication channel (3), the encryption device (4) between the public communication channel (2) and the private network (1), and the encryption device (5) between the public network and the client device (7).
2. The method of providing secure communication in untrusted networks and the equipment for this method according to Claim 1, characterized in that the secure communication channel (3) is realized by means of a non-public digital radio system and the unsecured broadband channel (2) is realized by means of one of the data modes of the GSM, UMTS or HSDPA networks, a satellite connection or another suitable carrier.
3. The method of providing secure communication in untrusted networks and the equipment for this method according to Claim 1, characterized in that the data for transfer are encrypted with a sufficiently strong cipher so that in encrypted form they can be sent via an unsecured broadband communication channel without the risk of their decryption should they be captured by an unauthorized person, where the key with which the sent data are encrypted is one-time and is generated randomly and individually for every established connection, is shorter by an order of magnitude than the transferred data, is sent to the recipient via the slow, secure and trusted network, and the validity of every key expires after the end of the connection or after a set time limit; the recipient uses the key received via the trusted network to decrypt the data received via the untrusted network, which also verifies the authenticity of the received data and so prevents purposeful forgery or tampering with the data during their transfer.
4. The method of providing secure communication in untrusted networks and the equipment for this method according to Claims 1 and 2, characterized in that the connection administrator (6), the encryption device (4) and the encryption device (5) are implemented as software.

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CZ2012-717A (CZ2012717A3) | 2012-10-19 | 2012-10-19 | Method of ensuring safe communication in untrustworthy networks and device for making the same
CZPV2012-717 | 2012-10-19 | |

Publications (1)

Publication Number | Publication Date
WO2014059952A1 | 2014-04-24

Family

ID=47562891

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
PCT/CZ2012/000115 (WO2014059952A1) | Method of ensuring the safe communication in untrusted networks and equipment for the implementation of this method | 2012-10-19 | 2012-11-16

Country Status (2)

Country | Link
CZ | CZ2012717A3 (en)
WO | WO2014059952A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11194918B2 (en) 2019-07-10 2021-12-07 International Business Machines Corporation Data transmission based on verification codes
US11582204B2 (en) * 2017-12-19 2023-02-14 Mobulus Net. Ltd Systems, and methods for transferring data between secure networks through less secure networks

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1187483A2 (en) * 2000-09-07 2002-03-13 Eastman Kodak Company An encryption apparatus and method for synchronizing multiple encryption keys with a data stream
US20070271106A1 (en) * 2006-05-19 2007-11-22 Lee David H System and method for secure internet channeling agent
US8254579B1 (en) * 2007-01-31 2012-08-28 Hewlett-Packard Development Company, L.P. Cryptographic key distribution using a trusted computing platform


Also Published As

Publication number Publication date
CZ2012717A3 (en) 2014-06-04

Similar Documents

Publication Publication Date Title
CN111247773B (en) Method and apparatus for ultra-secure last-mile communication
CN101836422B (en) Bidirectional gateway with enhanced security level
US9432346B2 (en) Protocol for controlling access to encryption keys
CN104933654B (en) Community medicine Internet of Things method for secret protection
US6377810B1 (en) Method of operation of mobile wireless communication system with location information
US11082423B2 (en) Communications system, communications device used in same, management device, and information terminal
CN101297517B (en) Method and system for total exchange session security
CN105528306B (en) A kind of data read-write method and dual system termi-nal of dual system termi-nal
CN101946454A (en) Method to allow secure communications among communication units
CN101188851B (en) Access control method for mobile terminal
US20100005510A1 (en) Architecture and method for controlling the transfer of information between users
CN104113839A (en) Mobile data safety protection system and method based on SDN
CA2403488A1 (en) Automatic identity protection system with remote third party monitoring
CN104065485A (en) Power grid dispatching mobile platform safety guaranteeing and controlling method
CN102348210A (en) Method and mobile security equipment for security mobile officing
CN110191052A (en) Across the protocol network transmission method of one kind and system
US8874067B2 (en) Medical data access system
CN103036883A (en) Secure communication method and system of secure server
WO2014059952A1 (en) Method of ensuring the safe communication in untrusted networks and equipment for the implementation of this method
CN106921677A (en) A kind of multiple encryption system of block chain houseclearing
CN106302425A (en) A kind of virtualization system communication method between nodes and virtualization system thereof
CN101437228B (en) Method, apparatus and system for implementing wireless business based on smart card
EP2769520B1 (en) Access method and communication system for accessing a protected communication service
WO2016204700A1 (en) System for secure transmission of voice communication via communication network and method of secure transmission of voice communication
CN1322727C (en) Method for filtering packets in wireless network system

Legal Events

Code | Title | Description
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 12816227; Country of ref document: EP; Kind code of ref document: A1
NENP | Non-entry into the national phase | Ref country code: DE
122 | Ep: pct application non-entry in european phase | Ref document number: 12816227; Country of ref document: EP; Kind code of ref document: A1