DE102007033845A1 - Public/private cryptographic key producing method for executing key agreement in digital data carrier, involves converting terminal end point address into key portion by applying inverse function of trap door one-way function for agreement - Google Patents

Abstract

The method involves directly or indirectly converting an end point address of a terminal into a portion of a public or private cryptographic key by applying an inverse function of a trap door one-way function, which is used for a key agreement for an encrypted digital voice communication between the terminals. The cryptographic key of the terminal is provided from a communications provider for regulation, so that all the terminals of the communications provider execute the key arrangement with the terminal. An independent claim is also included for a device for producing a cryptographic key for executing a key agreement for an encrypted digital voice communication between terminals.

Description

The The invention relates to a method and a device for a secure digital voice communication, and in particular a Method for encrypting Voice over IP (VoIP), avoiding a man-in-the-middle attack on key agreement (English Key Agreement Protocol).

Field of the invention

The Result of key agreement between two communication devices A and B is an authenticated shared cryptographic key S, for the encryption of the following Communication between both communication devices used can be. As a rule, the key S is a symmetrical one Key, because the encryption and decryption much faster due to symmetric encryption can be done. However, the problem is the agreement on this Key.

• [1] Die Schlüsseleinigung findet in einem nicht-vertrauenswürdigem Kommunikationskanal statt.
• [2] In einem nicht-vertrauenswürdigen Kommunikationskanal können die transportierten Nachrichten in jeglicher Art verändert und/oder abgehört werden.
• [3] Das Schlüsseleinigungsprotokoll sorgt dafür, dass der Schlüssel S ausschließlich den beiden Kommunikationsgeräten A und B bekannt wird.
• [4] Die Eigenschaften [2] des nicht-vertrauenswürdigen Kommunikationskanals dürfen die Anforderungen [3] an das Schlüsseleinigungsprotokoll nicht gefährden.
• [5] Keines der existierenden Schlüsseleinigungsprotokolle mit der Eigenschaft von Aspekt [1] erfüllt den Aspekt von [3], da Man-in-the-Middle Angriffe nicht erkannt werden können. Ein Man-in-the-Middle Angreifer steht zwischen beiden Kommunikationsgeräten und kann die zwischen beiden Kommunikationsgeräten ausgetauschten Nachrichten einsehen und manipulieren; er kann den Kommunikationspartnern das jeweilige Gegenüber vortäuschen, ohne dass sie es merken.

Here are the following five aspects to consider:

• [1] The key agreement takes place in a non-trusted communication channel.
• [2] In a non-trusted communication channel, the transported messages can be changed and / or intercepted in any way.
• [3] The key agreement protocol ensures that the key S is known only to the two communication devices A and B.
• [4] The properties [2] of the untrusted communication channel shall not jeopardize the requirements [3] on the key clearance protocol.
• [5] None of the existing key agreement protocols with the property of aspect [1] satisfies the aspect of [3] since man-in-the-middle attacks can not be detected. A man-in-the-middle attacker stands between both communication devices and can view and manipulate the messages exchanged between the two communication devices; He can pretend to the communication partners the respective counterpart, without them noticing it.

in the Generally, key agreement protocols work with public and private cryptographic keys.

each Communication device has a public and a private cryptographic key.

There the claimed identity of the owner of a public Key within an untrusted Channels can not be verified for sure are Man-in-the-Middle Attacks in these key agreement protocols possible.

The Problem exists in the lack of possibility of authentication the public key.

The Authentication of the public key takes place therefore in key agreement protocols that are not the property from aspect [5], namely the possibility Man-in-the-Middle Attack, Out-of-Band of the communication channel.

A Authentication of the public key requires additional furnishing and operating expenses, additional Communication or in some cases is not feasible.

State of the art

It follows an overview of existing techniques for the authentication of cryptographic (public) Keys, with reference to the bibliography, what is attached as an attachment.

Key agreement protocols as the Diffie-Hellman protocol (bibliography V1a) ensure the agreement on a common key without prior Distribution of keys or other secrets outside of the communication channel. The Diffie-Hellman protocol protects however, it does not preclude man-in-the-middle attacks that are already in progress the key agreement. To prevent such attacks is the authentication of the public key over Certificates issued outside the communication channel carried out by means of a "Public Key Infrastructure" (PKI).

Protocols from the category of "Public Key Cryptography" such as the RSA cryptosystem (Literaturver pf) allow the secure sending of messages (including symmetric keys), in which the messages are encrypted with the public key of the communication partner. Such systems provide protection against man-in-the-middle attacks that are active from the beginning of the communication as long as the public keys have previously been distributed outside the communication channel. For this purpose z. As a PKI infrastructure required (bibliography Pg or Ph). Another protocol that previously requires an "out-of-band" mechanism for later authentication of public keys is, for example, the interlock protocol (bibliography V2c or Pi, Pb), unlike the protocols In this category, the effort to operate a PKI with the method to be patented here is avoided.

cryptosystems from the categories "Identity-Based Encryption" (IBE) and "Certificateless Cryptography (CC) does not require a public key infrastructure to exchange public keys of Persons, because of the identity (eg the e-mail address) a person calculates the public key can be. As examples here are the patents Pc, Pd or the Publication called V3b. In IBE systems come key generators used in a "Private Key Infrastructure" for the distribution of private keys on demand be used. Unlike the personal identities in IBE or CC cryptosystems are in the here to be patented Method Endpoint addresses of communication devices or the software running on it. Furthermore, the operation a private key infrastructure is not absolutely necessary, since the private key with the allocation of the endpoint address can be awarded.

at Procedures in the Key Agreement Protocols with Public Discussion category two communication partners agree on a common key within an insecure communication channel after both over have received a public source random numbers. Examples are the publication (bibliography V5a) or the document according to bibliography Pe. Man-in-the-middle attacks can be used in these procedures can not be prevented.

The Protocol in the patent Pa uses hashes of IP addresses to ensure that a user logs on to a central server legitimized, where he is already registered. The procedure is needed a previous "out-of-band" mechanism for transmission a user password. The process is not a key-inughness protocol, and the IP address is not considered a public key used. IP spoofing can not be prevented. Man-in-the-middle Attacks where the attacker gets the IP address of the initiator a communication are not prevented.

The ZRTP Protocol (bibliography L1), an extension of the RTP = Real-time transport protocol, is secure as a man-in-the-middle Protocol in the Voice over IP area. The authentication takes place here via the verbal exchange of a "key fingerprint", after being connected to his interlocutor.

Overview of the invention:

task The invention is for a voice communication, in particular a VOIP communication to provide a key which allows a key agreement protocol that requires authentication of public keys in preferably the same channel as the one who is responsible for the communication itself is used.

Solved This object is achieved by a method and a device with the features of one or more of the independent claims.

The invention is based on the idea of including the endpoint addresses E _A and E _{B of} the communication devices A and B in the key agreement protocol.

each Communication device has an endpoint address, because without this no communication with the communication device possible would.

Examples of endpoint addresses are: IPv4 / IPv6 addresses in the Internet Protocol, MAC addresses of network adapters, fixed line / mobile telephony numbers, SIP addresses in IP telephony. In the case of wirelessly communicating vehicles in traffic, the vehicle identifiers are endpoint addresses, and in the case of "mini-computers" equipped electronic ID cards, passports and smart cards, the identification numbers are endpoint addresses, in which case the communication is via a corresponding Reader is done with a remote computer.

The Today's communication infrastructures already provide efficient and secure mechanisms available to the endpoint address of a communication device.

Examples for these mechanisms are: Secure Domain Name Service (DNSsec), ARP-based protocols, directories, central SIP server, the (sensory) reading of license plate number plates and the (sensory) reading of identification numbers on electronic ID cards, passports and chip cards.

There without this secure endpoint address resolution at all no communication with a communication device possible would be, such endpoint address resolution assumed and used in the invention.

The Invention is based on that each endpoint address into a unique natural number can be transferred. An example would be the conversion of the IPv4 address 137.248.13.5 in the natural number 137248013005; this applies analogously for all other mentioned examples of endpoint addresses.

It follow some definitions to better understand the Invention.

Endpoint address:

A Endpoint address is an identifier or an identification number a communication device that can be used to establish communication with this device, such as z. An IPv4 / IPv6 address, MAC address, telephone number, SIP address, a vehicle registration number or an identification number on electronic ID cards, passports and chip cards. Unlike purely personal Identities bind to an endpoint address a communication device or software running on it where. The endpoint address should be for the recipient be apparent from the received information.

One-way function with trapdoor ("trapdoor-oneway-function"):

A trap-type one-way function is a function L whose function value L (x) = y is computable in polynomial time for a given x, but where computing the inverse function L ^-1 (y) = x requires exponential time computation. Only with knowledge of a key S (the "trap door") can the calculation of the inverse function be performed in polynomial time.

Note: The existence of one-way functions (with trapdoor) is so far has not been proved mathematically, as the proof of the Inequality of the complexity classes P and NP not yet was provided. However, there are functions that you suspect that they have the required property.

basis of the invention of the underlying method is the product N of two primes P and Q.

For the algorithm irrelevant, but for security important in the process is the order of magnitude the prime numbers P and Q and the prime factorization of P - 1 and Q - 1.

The Binary representation of P and Q should be one of the current ones Capacity of computers corresponding number of bits (eg in 2007> = 512 bits). One speaks in this case of "safe magnitude".

In the prime factorization of both P - 1 and Q - 1 should have at least one prime in a safe order occurrence.

Be G is a non-divisive number of order e.

The order of a number G with respect to another, divisive number N is defined as the smallest number e for which holds: G e ≡ 1 mod N.

• [6] Sei R > 1 eine natürliche Zahl, dann wird P und Q so gewählt, dass gilt: GCD(R, P – 1) = GCD(R, Q – 1) = 1, mit GCD = Greatest Common Divisor.

Since e divides the number (P - 1) (Q - 1), G should be chosen such that e has a prime factor of "safe order".

• [6] Let R> 1 be a natural number, then choose P and Q such that GCD (R, P - 1) = GCD (R, Q - 1) = 1, with GCD = Greatest Common Divisor.

• [7] Das heißt, für jedes v, 0 < v < N, existiert eine eindeutige natürliche Zahl d, mit d^R ≡ v mod N. Diese eindeutige Abbildung wird als Funktion D(v) ≡ v^1/R mod N bezeichnet.

If P and Q are chosen as described in [6], then for every natural, natural number N of n, there exists an Rth root.

• [7] That is, for every v, 0 <v <N, there exists a unique natural number d, with d ^R ≡ v mod N. This unique mapping is called a function D (v) ≡ v ^{1 / R} mod N.

The function D (·) belongs to the class of presumed one-way functions, where D (·) here corresponds to the inverse function L (·) ^-1 , which can only be calculated in exponential time.

There there exists for each v such a unique number d exists also for each converted endpoint address one, unique number d.

If E _A , E _{B are} two endpoint addresses then let F (E _A ) and F (E _B ) be the endpoint addresses each converted to a unique natural number, with F (.) <N.

Let D (F (E _A )) and D (F (E _B )) be the corresponding unique numbers from [7] for the endpoint addresses E _A and E _B.

The allocation of the numbers D (F (E _A )) and D (F (E _B )) to the communication devices A and B can take place via various routes. For example, this can be done at an IP address via a (local) DHCP server or a (local) key server, using secure communication.

Here For example, the key server can be exploited knows the factorization of N. Thus, a communication device could with methods such. B. the RSA encryption the key server to provide a symmetric key through which the award is secured. With a MAC address, this can be direct in the manufacture of the network adapter, in a mobile device on delivery of the SIM card, with a SIP address via a SIP server, with a vehicle license plate over the Approval office and with an identification number on electronic ID cards, passports and chip cards are issued when they are awarded.

• [8] Zu Beginn des vorgeschlagenen Schlüsseleinigungsprotokolls sind dem Kommunikationsgerät B die Funktion F(·) und folgende Zahlen bekannt: N, G, R, E_B, E(E_B), D(F(E_B)). Zusätzlich besitzt B noch eine private Zufallszahl Z_B.
• [9] Die Zahlen N, G, R und die Funktion F(·) sind öffentliche Parameter des der Erfindung zugrunde liegenden Verfahrens; der private Schlüssel von Kommunikationsgerät A ist D(F(E_A)), der öffentliche Schlüssel von A ist
  
  D(F(E_A)) mod N. Dies gilt analog für Kommunikationsgerät B.

At the beginning of the proposed key agreement protocol, the communication device A is aware of the function F (·) and the following numbers: N, G, R, E _A , F (E _A ), D (F (E _A )). In addition, A still has a private random number Z _A.

• [8] At the beginning of the proposed key agreement protocol, the communication device B is aware of the function F (·) and the following numbers: N, G, R, E _B , E (E _B ), D (F (E _B )). In addition, B still has a private random number Z _B.
• [9] The numbers N, G, R and the function F (·) are public parameters of the method on which the invention is based; the private key of communication device A is D (F (E _A )), which is A's public key
  
  D (F (E _A )) mod N. This applies analogously to communication device B.

The Key agreement between two communication devices A and B works the following way, where A is the key agreement initiated.

• [10] A sendet eine Nachricht an B, welche den öffentlichen Schlüssel aus Abs[9] enthält:
  
  D(F(E_A)) mod N und zusätzlich E_A als Absender-Adresse.

A as an initiator uses the existing communication infrastructure to obtain the endpoint address E _{B of} the communication device B. A now has E _B.

• [10] A sends a message to B containing the public key from [9]:
  
  D (F (E _A )) mod N and additionally E _A as sender address.

• [11] B berechnet
  
• [12] B schickt anschließend
  
  D(F(E_B)) mod N an die Endpunktadresse E_A.

After B has received the message, B extracts the endpoint address E _A from the message and calculates F (E _A ).

• [11] B calculated
  
• [12] B then sends
  
  D (F (E _B )) mod N to the endpoint address E _A.

A already has E _B and therefore does not need to extract E _B from the message.

A calculated

A and B now both have the key S as a result of Execution of the key agreement protocol.

One important aspect is the verification or verification the legitimate possession of endpoint addresses.

D(F(E_A)) mod N nachzuweisen und von Kommunikationsgerät B überprüfen zu lassen. Beides gilt analog für Kommunikationsgerät B. Dies verhindert, dass ein Kommunikationsgerät eine Endpunktadresse vortäuscht, die ihm nicht zugeordnet wurde.By using the matching to an endpoint address E _A private key D (F (E _A )), it is possible for communication device A to prove the legitimate possession of his endpoint address E _A or to be checked by communication device B. It also makes possible the authenticity of the public key

D (F (E _A )) mod N and have it checked by communication device B. Both apply analogously to communication device B. This prevents a communication device from pretending an endpoint address that was not assigned to it.

For example is the sending of IP packets with fake, fake Source IP address known as IP spoofing.

The Procedure for preventing such fake endpoint addresses follows the scheme of so-called zero-knowledge proofs.

With A Zero-Knowledge Proof makes it possible for someone to prove that you are in possession of a secret, without the secret to betray.

One simple example would be: A person X claims that she would have found an algorithm with which to arbitrary Could factorize numbers. X wants this now proving a person Y, without the X of the person Y the algorithm reveals. Now, if Y sends several numbers to person X. and person X then returns the prime factorization, so Y becomes already after few correct results obtained Person X knows about such an algorithm attest.

The secret for which a communication device A should provide ownership proof in the method of the invention is D (F (E _A )).

to Prevention of replay attacks is still in the ownership-proof used a nonce μ. A nonce (English number used only once) is a number that is used only once. For example a random number or timestamp can be a nonce.

According to [7], D (F (E _A )) is the Rth root of F (E _A ). As a prerequisite, it must hold that R does not share the number μ. However, this is easy to achieve since R, apart from the requirement stated in [6], has no other conditions. Furthermore, μ can also be replaced / concatenated by / to a hash value of a message, whereby a non-repudiation proof is given for the message. This allows the recipient of a proof of ownership and the associated message to prove that the message came from A.

For possession proof, A chooses a random number W _A.

• [13] Schickt nun ein Kommunikationsgerät A einen Besitz-Beweis für E_A unter Angabe der Endpunktadresse E_A als Absenderadresse einem Kommunikationsgerät B zu, so überprüft B den Besitz-Beweis mittels
  

The ownership proof is now the following triple:

• [13] Now sends a communication device A possession proof for E _A , stating the endpoint address E _A as a sender address to a communication device B, so B checks the ownership-proof means
  

If the check in [13] is correct, then A is in the legitimate possession of E _A.

By This approach provides a number of advantages of the invention over the prior art.

So prevents the procedure man-in-the-middle attacks, without one previous exchange (English: Pre-Exchange) between the communication partners necessary is.

One By definition, Pre-Exchange is a prior exchange of one Message between two communication partners to communicate with in the Message contained prior knowledge after a man-in-the-middle To discover attack.

In In accordance with the present invention, private keys become common with the assignment of the endpoint address to each communication device output.

It There is no exchange between the communication partners.

It There is no exchange for knowledge about the public key of the communication partner provides.

It So this is not a pre-exchange.

Alone exploiting the existing communications infrastructure to gain access the endpoint address of the communication partner is sufficient for a secure connection.

Without Obtaining the endpoint address is a communication in general impossible.

The prevention is done by the following facts:
A man-in-the-middle attacker can not generate the value from Abs [12] because he can not create the private key D (F (E _B )) at the A known endpoint address E _B.

The Procedure is a Public Key Infrastructure (PKI) attached to communication devices managed bound keys, superior.

Would you have a PKI or certificates for the authentication of public Keys instead of the invention of the underlying Select method, so you lift the union between the endpoint address and the public key a communication device.

you gets two objects (certificate & endpoint address), which you get over manage two different infrastructures.

This means: higher communication costs, higher Administrative burden and higher costs.

Further the fake possession of an endpoint address is prevented.

By the presence of a private key for an endpoint address may be the lawful possession an endpoint address are checked. The verification follows the scheme of a zero-knowledge proof. This prevents For example, IP spoofing in IP-based networks.

Brief Description:

The The following figure description is for better understanding the detailed description below.

1 shows the procedure before starting the key agreement;

2 shows the general procedure of the key agreement

3 shows the process for a mobile network

4 shows the process for an IP network

5 shows the process for a VoIP network based on SIP

6 shows the process at the MAC level

7 shows the procedure in an IP network with a NAT router

8th shows the procedure for setting up a virtual private network (VPN).

9 shows the procedure for license plates on number plates.

10 shows the procedure for identification numbers on electronic ID cards, passports and chip cards.

Description of the embodiments:

1 explains the procedure before starting the key agreement. 500 . 501 are the two communication devices. 502 . 503 symbolize ownership of the endpoint addresses E _A and E _B. In 504 . 505 the unique number F (E _A ) and F (E _B ) is calculated. In 506 . 507 Both communication devices are assigned their unique private keys D (F (E _A )) and D (F (E _B )). In 508 . 509 the communication devices generate their random numbers Z _A and Z _B.

2 shows the general procedure of the key agreement. 500 . 501 are the two communication devices A and B. 510 . 511 are the public keys of A or B. 512 . 513 symbolize the calculations performed by A and B, respectively.

3 shows the procedure for a mobile radio network: (1) The public parameters N, G, R, F (.) and the private key D (F (E _A )) and D (F (E _B )) are stored on the SIM card. Card saved. This is done by the communications provider when the SIM card has been assigned to a telephone number; (2) The SIM cards are inserted in the phones; (3) If a communication subscriber wishes to call another communication subscriber with the mobile telephone B with the mobile telephone A, the telephone number of B is looked up in the telephone book or z. B. the information called; (4) Once this has been done, a secure key exchange between A and B can take place.

4 shows the procedure for an IP network: (1) the private keys D (F (E _A )) and D (F (E _B )) are output to each communication device along with the assignment of the end point address; (2) These are transmitted via (local) DHCP server to the computers A and B; (3) If computer A wants to communicate with computer B, then this gets the IP address of B via DNS (Sec) request; (4) Once this has been done, a secure key exchange between A and B can take place.

5 shows the sequence for a VoIP network based on SIP: (1) After registration with a VoIP server, the corresponding VoIP software is downloaded; (2) This is populated with the public parameters N, G, R, F (.) And the private keys D (F (E _A )) and D (F (E _B )) according to the selected SIP address; (3) If communication subscriber A wishes to call communication subscriber B, A searches for the SIP address in the telephone book; (4) Once this has been done, a secure key exchange between A and B can take place.

6 shows the procedure at the MAC level: (1) / (2) The public parameters N, G, R, F (.) and the private keys D (F (E _A )) and D (F (E _B )) are stored on the network card during manufacture. This is done by the manufacturer if the MAC address has been assigned to a network card; (3) Through appropriate protocols at the Ethernet level, the MAC addresses of other participants are learned. After that, a secured key exchange can take place.

7 shows the procedure of the key agreement in an IP network, in which the technique of Network Address Translation (NAT) is used: If the communication device A ( 500 ) from the private sector ( 514 ) with the communication device B ( 501 ) in the public sector ( 515 ), the NAT router X ( 516 ) the source endpoint address of A against its publicly known endpoint address ² E _X ( 519 ) out. Before replacement, the public hybrid key from A ( 517 ) not to the endpoint address E _A ( 504 ). After the exchange arises with ( 519 ) and ( 517 ) a valid combination. The package with the public key of B ( 511 ), stating E _B ( 505 ) as sender address, does not need to be changed here. The second endpoint address of X ¹ E _X ( 518 ) is used for internal communication in the area ( 514 ).

8th shows the procedure in an IP network to establish a Virtual Private Network (VPN): (1) The private key D (F (E _VS )) is output to the VPN server VS together with the assignment of the endpoint address. (2) The private key D (F (E _VC )) is output to the computer VC along with the assignment of the internal VPN endpoint address. (3) This is done by means of a (local) DHCP server. (4) If the computer VC wants to establish a VPN connection in an insecure network with the server VS, it sends a message to VS with its insecure endpoint address E _UC with the content of its MAC address, E _VC or another to E _VC belonging identifier, in which case the MAC address was selected as the identifier. The endpoint address E _VS is known to the computer VC. (5) The VPN server sends the non-secure endpoint address E _UC a nonce μ. (6) VC sends ownership proof B (μ) for E _VC using μ to VS. Based on the MAC address, VS can assign the internal endpoint address E _VC and initiate the VPN connection. (7) Once this has been done, a secure key pairing between VS and VC can take place with the endpoint addresses E _VS and E _VC for a VPN connection.

9 shows the procedure when using license plates: (1) At the registration office, the public parameters N, G, R, F (.) and the private keys D (F (E _A )) and D (F (E _B )) ) issued according to the issued vehicle license plates on a corresponding medium; (2) In the respective vehicle these are then plugged into a transmitting / receiving unit; (3) Once this has been done, a safe key agreement between the vehicles may be carried out after reading the vehicle registration plate in traffic.

10 shows the procedure for the use of identification numbers on electronic ID cards, passports and chip cards. (1) / (2) In the case of a central office, such as a bank, hospital or government agency, the chip cards or badges with the public parameters N, G, R, F (.) And the identification number will be displayed at the time of issue provided with private key. The public parameters are also assigned to the corresponding counterpart equipment / stations. (3) If this has happened, the identity / authenticity of the smart cards or badges at the respective verification stations of the remote sites can be verified.

unter Verwendung von μ an VS. VS überprüft den rechtmäßigen Besitz der zuzuordnenden Endpunktadresse mittels:

By using the matching to an endpoint address E _VC private key D (F (E _VC )), it is possible communication device VC without further passwords or certificates to establish a VPN connection with a VPN server VS. The private key D (F (E _VS )) is output to the VPN server VS together with the assignment of the endpoint address. The private key D (F (E _VC )) is output to the communication device VC along with the assignment of the internal VPN end point address. The communication device VC is assigned the endpoint address E _UC in an insecure network. To establish a VPN connection, the communication device VC sends the VPN server VS a message with its MAC address from the insecure network. The VPN server sends the non-secure endpoint address E _UC a unique number ("NONCE") μ. VC sends a proof of ownership B (μ) for E _VC consisting of the triple:

using μ an VS. VS verifies the legitimate possession of the endpoint address to be mapped by:

Based on the MAC address, VS can then assign the internal endpoint address E _VC and initiate the VPN connection using the endpoint address based key termination protocol with the endpoint addresses E _VS and E _VC . Thus, each authorized communication device with the existing allocation infrastructure for endpoint addresses can securely establish a VPN connection, without in contrast to the current VPN technology more VPN passwords or certificates are needed.

It follows a numerical example for the use of endpoint addresses for key generation and key agreement using IPv4 addresses as endpoint addresses

The numbers used in this example are for clarity chosen small and do not correspond to the usual Safety requirements. It is understood that other numbers too who meet the requirements.

All Congruences are to be understood as modulo N; N is the product of two Primes selected; This is not the only option the choice of N. R = 3 is chosen.

The Assignment of IP address to numeric value consists of the omission the points of the IP addresses and the filling of the components with zeros, if one component has less than three decimal places has; This is not the only way to transform.

We choose the prime P = 51874849463, because (P - 1) / 2 = 25937424731 is also a prime and P is of the form P ≡ 2 mod 3 is.

We choose the prime Q = 6973569047, because (Q - 1) / 2 = 3486784523 is also a prime and Q is of the form Q ≡ 2 mod 3 is.

Consequently GCD (P - 1, 3) = GCD (Q - 1, 3) = 1.

It N = P · Q = 361752844532961371761.

Thus, φ (N) = (P-1) · (Q-1) = 4 · 25937424731 · 3486784523. We now choose G such that one of the two prime numbers 25937424731 or 3486784523 occurs in its order. The number G = 258201056061078543287 satisfies this condition, since the order of G is 25937424731, ie G ^{2593742473 1} ≡ 1 mod N.

It follows for N and G: N = 361752844532961371761 G = 258201056061078543287

Let the IPv4 address of communication device A be E _A = 137.248.131.121, from which the numerical value F (E _A ) = 137248131121 becomes. The natural number D (F (E _A )) assigned to the communication device A is then 165644296807138459965, since 165644296807138459965 is ³ ≡ 137248131121.

Let the IPv4 address of communication device B be E _B = 217.73.49.24, from which the numerical value F (E _B ) = 217073049024 becomes. The communication device B assigned natural number D (F (E _B )) is then 74121947444567397753, since 74121947444567397753 ³ ≡ 217073049024.

It It is noted that the numbers with knowledge of the "trapdoor", namely the factorization of N or by knowledge of Number φ (N) can be found in polynomial time.

The private, randomly generated number of communication device A is Z _A = 17464865284867458.

The private, randomly generated number of communication device B is Z _B = 34526974652949654.

communication device A hits the I2v4 address of communication device B via a "Name Resolution Protocol" such as DNS after. The backup of this lookup process can be over Traditional techniques like DNS-Sec are made or based on the Technology presented here for the authentication of the DNS server become.

The public key of the communication device A is

The public key of the communication device B is

communication device A sends his public key to communication device B stating the IP address 137.248.131.121 as sender address.

Communication device B calculated (212413932090578443320 3 × 137248131121 -1 ) 34526974652949654

modulo N results from this the value 324349152832633430269.

communication device B sends his public key to communication device A with the IP address 217.73.49.24 as sender address.

Communication device A calculated (292942897134135556504 3 × 217073049024 -1 ) 17464865284867458

modulo N results from this the value 324349152832633430269.

Both communication devices A and B now have the common number 324349152832633430269. This can now be used, for example, by the symmetric encryption method AES [ Joan Daemen and Vincent Rijmen, The Design of Rijndael: AES - The Advanced Encryption Standard, Springer-Verlag 2002 (238 pp.) ] secure connection. Other methods are also conceivable.

It follows a numerical example of an endpoint address detection using IPv4 addresses as endpoint addresses.

The numbers N and G are taken from the example above: N = 361752844532961371761 G = 258201056061078543287

Similarly, E _{A is} again 137.248.131.121, thus D (F (E _A )) is also again 165644296807138459965. Communication device A wants to prove to communication device B that it is in legitimate possession of the endpoint address E _A.

·D(F(E_A)) ≡ 211960759887420950241 und

≡ 279712538859918245040. Damit ergibt sich das Tripel

D(F(E_A)) mod N, T mod N,

mod N) = (211960759887420950241, 1178982692, 279712538859918245040). Dieses Tripel schickt Kommunikationsgerät A an Kommunikationsgerät B. B berechnet

Communication device A calculates a random number W _A = 9364594753971. As Nonce μ current timestamp T = 1178982692 is selected, which corresponds to the time 12. 05. 2007 17:11:25. Now A calculates

· D (F (E _A )) ≡ 211960759887420950241 and

≡ 279712538859918245040. This results in the triple

D (F (E _A )) mod N, T mod N,

mod N) = (211960759887420950241, 1178982692, 279712538859918245040). This triple sends communication device A to communication device B. B is calculated

The left side corresponds 211960759887420950241 3 · 137248131121 -1 61838026459164934808

The right side corresponds 279712538859918245040 1178982692 61838026459164934808

Since both sides provide the same result, the legitimate possession of the endpoint address E _{A is} confirmed.

• [14] Durch Austausch der IPv4-Adresse durch den NAT-Router ist nun die Berechnung von [11] fehlerhaft.

The following is a detailed consideration of the invention using IPv4 addresses as endpoint addresses with respect to the NAT protocol. When using IPv4 addresses as the endpoint address, the Network Address Translation (NAT) technique requires special handling. NAT is a technique to virtually extend the relatively narrow range of possible IPv4 addresses (2 ³² ). With NAT, it is possible to hide multiple IP-based communication devices behind a NAT router (see 7 ). The hidden IP communication devices have IPv4 addresses from a private area (eg 192.168.xx) that is not unique worldwide. IP packets with these addresses will not be passed on the global Internet. Only the NAT router has an IPv4 address that can be communicated worldwide. The internal communication devices each have private keys for their IPv4 addresses with which they can communicate internally. This internal communication can be secured according to the method already described, since the internal internal IPv4 addresses are unique. Of the internal area is a separate security domain, ie the keys are generated with their own output parameters (P and Q) from the NAT router (or from a key server in the internal area). In order for an internal communication device to communicate with a public area communication device, its IPv4 address is replaced by the globally valid IPv4 address of the NAT router as it passes the NAT router.

• By replacing the IPv4 address by the NAT router, the calculation of [11] is now incorrect.

If A's IPv4 address is referred to as E _A , the internal IPv4 address of the NAT router as ¹ E _X and the external as ² E _X , the solution to the problem consists of the following: [14] All internal IP addresses Communication devices receive their output numbers (see [7, 8]), in addition the private key D (F ( ² E _X )) of the NAT router, which is based on the public IP address ² E _{X of} the NAT router. The IP address ¹ E _X is the second, internal IP address of the NAT router.

D(F(²E_X)) mod N zu.Instead of as described in [10], the internal communication device A sends now the slightly changed IP packet with the content to the external communication device B.

D (F ( ² E _X )) mod N to.

By substituting AE _A's IPv4 address with the NAT router's IPv4 address, ² E _X , a correct packet is generated according to [11].

• a. Für die interne Kommunikation werden nur die internen Endpunktadressen verwendet; auch der NAT-Router besitzt eine eindeutige interne Endpunktadresse (d. h. er besitzt somit eine interne und eine externe (öffentliche) IPv4-Adresse). Für die rein interne Kommunikation ist somit die Weitergabe des privaten Schlüssels der öffentlichen IPv4-Adresse des NAT-Routers sicherheitsunkritisch und ohne Bedeutung.
• b. Möchte ein internes Kommunikationsgerät A eine Verbindung zu einem externen Kommunikationsgerät B aufbauen und ist A im Besitz der zugehörigen Ziel-Endpunktadresse, so kann kein internes Kommunikationsgerät einen Man-in-the-Middle-Angriff starten, selbst der NAT-Router nicht: i. Ein internes Kommunikationsgerät kann keinen Man-in-the-Middle Angriff starten, da der erste Schritt der Verbindung, vom Kommunikationsgerät zum NAT-Router, mit Hilfe des öffentlichen Schlüssels der internen Endpunktadresse des NAT-Routers gesichert werden kann. ii. Der NAT-Router kann keinen Man-in-the-Middle Angriff starten, da er nicht im Besitz des privaten Schlüssels desjenigen externen Kommunikationsgeräts ist, zu dem das interne Kommunikationsgerät eine Verbindung aufbauen möchte.

Passing the private key D (F ( ² E _X )) of the NAT router to the internal communication devices is an unusual practice, but does not pose any security risks:

• a. For internal communication, only the internal endpoint addresses are used; The NAT router also has a unique internal endpoint address (ie it has an internal and an external (public) IPv4 address). For purely internal communication, the passing on of the private key of the public IPv4 address of the NAT router is security-critical and of no significance.
• b. If an internal communication device A wants to establish a connection to an external communication device B and A is in possession of the associated destination endpoint address, then no internal communication device can start a man-in-the-middle attack, even the NAT router does not: i. An internal communication device can not start a man-in-the-middle attack because the first step of the connection, from the communication device to the NAT router, can be secured using the public key of the internal endpoint address of the NAT router. ii. The NAT router can not start a man-in-the-middle attack because it is not in possession of the private key of the external communication device to which the internal communication device wishes to connect.

When Critical to consider are all communication links that be initiated from the outside, because here the internal communication device not sure knows from which IPv4 address the connection comes. In most organizations there are outside connections for safety reasons generally prohibited. Possible are such connections only if the NAT router accordingly a specified port on this port to a defined internal computer forwards.

If incoming connections are desired, since, for example, one has a particular service running on an internal computer, then one generates a private key for the internal communication device A, which includes this port and has the form D (F ( ² E _X Port)) where the operator ∘ represents a join operation. This is only output to the computer running the service bound to this port. Even the NAT router does not get this key if a key server in the internal network generates the keys. The calculation of the external communication device B after receiving the key of the internal communication device A is thus

These Solution is only practicable if its own security trough operated with key generator in the internal network, to generate the port-dependent keys.

Here is an example for illustration. The numbers N and G are taken from the example above. N G = 361752844532961371761 G G = 258201056061078543287

These represent the global / external parameters of the system. Within the NAT network, ie for the communication in the private network "behind" the NAT server in this example the parameters N P = 35813530660934177120521 G P = 12718647769806831085000 which have been calculated analogously and therefore have the same properties as the global parameters.

Let the IPv4 addresses of the NAT router X be ¹ E _X = 192.168.0.1 and ² E _X = 137.248.3.15. Let the IPv4 address of the communication device A be E _A = 192.168.0.2 and that of the communication device B be E _B = 209.85.135.147 (which, for example, is www.google.de corresponds). The private key to the IP address ² E _{X of} the NAT server X with F ( ² E _X ) = 137248003015 D (F ( 2 e X )) ≡ 127305603288901208592 mod N G ,

The private key of the IP address ¹ E _X with F ( ¹ E _X ) = 192168000001 is (with regard to the intranet modulo) D (F ( 1 e X )) ≡ 8764387150301768383530 mod N P ,

For the IPv4 address of the communication device A with F (E _A ) = 192168000002 applies D (F (E A )) ≡ 15901565656352459335637 mod N P ,

The communication device A now has two public keys, one for the internal NAT network and one for communication with external communication devices. To do this, A calculates two random numbers ¹ Z _A = 9873284762321 and ² Z _A = 1332223872819. The two keys are:

The key to the internal NAT network:

The key to the external network:

The public key of communication device B is (with Z _B = 34526974652949654)

The private key to address ² E _X = 137.248.3.15 has all communication devices in the internal NAT network. By contrast, the NAT router X is unique in that it is the only one that has the private key to the address ¹ E _X = 192.168.0.1. Thus, no other communication device in the internal NAT network of the NAT router "spoof" because it can not prove the legitimate possession of the address 192.168.0.1.

D(F(²E_X)) unter Angabe der IP-Adresse 192.168.0.2 als Absenderadresse los. (Anm: Mit dieser Nachricht, zusammen mit der verwendeten IP-Adresse, würde keine erfolgreiche Schlüsseleinigung zustande kommen, da der verschickte Schlüssel nicht zu der IP-Adresse passt). Kommt diese Nachricht bei dem NAT-Router X an, so substituiert X die IP-Adresse 192.168.0.2 mit seiner eigenen externen IP-Adresse 137.248.3.15. Durch diese Substitution wird die Nachricht gültig.The following is an example of communication setup from A to B. Since B is a global-scale communication device, A takes the global key. A sends now

D (F ( ² E _X )) stating the IP address 192.168.0.2 as the sender address. (Note: With this message, along with the IP address used, a successful key agreement would not be achieved because the key sent does not match the IP address). If this message arrives at the NAT router X, X substitutes the IP address 192.168.0.2 with its own external IP address 137.248.3.15. This substitution makes the message valid.

Communication device B now calculates (37434419775649604698 3 · 137248003015 -1 ) 34526974652949654 which gives 96527559674518842237 (modulo N _G ).

B now sends his public key to A. The NAT server leaves this message untouched. A calculated (128451006445006878090 3 · 208085135147 -1 ) 1332223872819 which gives 96527559674518842237 (modulo N _G ).

There both sides can now own the number 96527559674518842237 They use these as AES keys for the more symmetrical Use encryption.

den der NAT-Router nicht besitzt, wobei die Konkatenationsstriche || hier eine Instanz des ∘ Operators darstellen. B sendet eine Anfrage auf Port 21 an den NAT-Router, welche durch den NAT-Router an A weitergeleitet wird. B schickt nun seinen öffentlichen Schlüssel

D(F(E_B)) ≡ 128451006445006878090 mod N_G an A, und A berechnet dann

A schickt seinen öffentlichen Schlüssel an B, und B berechnet dann

An example follows in which the external communication device B establishes a connection to the internal network. In this example, an FTP server runs on port 1234 on internal communication device A. Requests from outside to port 21 are forwarded to internal communication device A by the NAT router. Communication device A has the public key for this purpose

which the NAT router does not possess, with the concatenation strokes || represent here an instance of the ∘ operator. B sends a request on port 21 to the NAT router, which is forwarded to A by the NAT router. B now sends his public key

D (F (E _B )) ≡ 128451006445006878090 mod N _G at A, and then A calculates

A sends his public key to B, and B then calculates

in the Below is the key agreement between two communication devices described their keys to different security domains belong, d. H. their keys with different ones Output parameters (P and Q) were generated.

As already described above, the key agreement leads to problems if the private keys for the endpoint addresses belong to different moduli (eg: N ₁ or N ₂ ), since for a private key belonging to the modulus N ₁ with respect to. of another modulus N ₂ does not hold that the key is the Rth root from the converted endpoint address (F (·)).

To solve this problem, one goes to the modulus N = N ₁ · N ₂ and the number G = G ₁ · G ₂ .

in this connection it is assumed that the number R and the function F (·) is the same for both security domains. This requirement is safety-critical, since R and F (·) are public in any case Parameters are.

For this purpose, the two private keys from the different security domains must now be adapted, but in a way that does not require the factorization of N ₁ or N ₂ , because this is not known to the two communication devices.

The adaptation takes place in that the two private keys the congruences D ~ (F (E A )) ≡ D (F (E A )) mod N 1 and D ~ (F (E A )) ≡ 1 mod N 2 respectively. D ~ (F (E B )) ≡ 1 mod N 1 and D ~ (F (E B )) ≡ D (F (E B )) mod N 2 fulfill.

Calculated this is done by means of the theorem of the Chinese Remainder theorem or with appropriate algorithms.

In the calculation of the common key S resulting from the key agreement, no longer F (E _A ) or F (E _B ) is taken, but instead F ~ (E. A ) ≡ F (E A ) mod N 1 and F ~ (E. A ) ≡ 1 mod N 2 respectively. F ~ (E. B ) ≡ 1 mod N 1 and F ~ (E. B ) ≡ F (E B ) mod N 2

So now D ~ (F (E A )) R ≡ F ~ (E. A ) mod N or D ~ (F (E B )) R ≡ F ~ (E. B ) mod N

The calculation is then for communication device A [F1]

The calculation is then for communication device B [F2]

The following example should make the approach of roaming easier to understand. This example looks at two security domains whose parameters are chosen as follows (similar to the example above): N 1 = 361752844532961371761 G 1 = 258201056061078543287 R = 3 N 2 = 35813530660934177120521 G 2 = 12718647769806831085000 R = 3

The communication devices A and B have the IP addresses E _A = 137.248.131.121 and E _B = 217.141.12.3. Analogous to the first examples, the private keys result D (F (E A )) ≡ 25860829056029300846832 mod N 1 D (F (E B )) 29 292947890423430020984 mod N 2

The roaming adjustment is now made so that the two numbers are adjusted using the Chinese Remainder Theorem. It results in the numbers D ~ (F (E A )) 30 1230559696114446419779508987105680948292197 mod N 1 · N 2 D ~ (F (E B )) ≡ 9189257507665222873678140085008212062937148 mod N 1 · N 2

With These two new private keys then become the public Key calculated analogously to the other examples.

It applies (using the example for D ~ (F (E _A )))
1230559696114446419779508987105680948292197 ≡ 25860829056029300846832 mod 361752844532961371761
1230559696114446419779508987105680948292197 ≡ 1 mod 35813530660934177120521

The adaptation of the numbers F (E _A ) and F (E _B ) is also done via the Chinese Remainder Theorem, which gives the numbers F ~ (E. A ) 80 10809397770265955989181871047017298016361291 mod N 1 · N 2 F ~ (E. A ) 14 3314228663601259516632595659356914554799147 mod N 1 · N 2 result. The two numbers are now the R-th residues with respect to the corresponding private keys and it applies (using the example of F ~ (E _A ))
10809397770265955989181871047017298016361291 137248131121 mod 361752844532961371761
10809397770265955989181871047017298016361291 ≡ 1 mod 35813530660934177120521

The Key agreement is then analogous to the first example instead, where A is the formula [F1] and communication device B calculates the formula [F2].

There the method underlying the invention endpoint addresses as Basis used for private key generation, is the passing of one and the same endpoint address to different ones Communication devices a problem. This corresponds to the Passing a public key to a another person in other cryptosystems. The common knowledge the private key associated with an endpoint address is different when passing the same endpoint address Communication devices thus safety-critical.

The The problem addressed occurs in IPv4 networks with dynamic IP address assignment on, such as For example, at major online providers such as T-Online or AOL.

The solution to the problem is based on varying the private keys every U time units, where U is a publicly known value, which is based on a fixed time Φ _i , which is the same for all participating communication devices, where Φ _i expresses that i have been time units since one defined starting time have elapsed.

The private keys are then calculated (eg for the endpoint address E _A ) by means of: D (F (E A ), (Φ i - (Φ i mod U)) ≡ (F (E A ) + Φ i - (Φ i mod U)) 1 / R mod N

This change The public key must be synonymous with everyone further calculation.

Since now the private key D (F (E _A ), Φ _i - (Φ _i mod U)) is no longer valid after U past time units, the problem of passing on the IP address is solved if the transfer earliest after U Time units takes place.

When applying this method, care must be taken that F (E _A ) is no longer valid on its own. Communication devices must now transition to F (E _A , Φ _i ) = (F (E _A ) + Φ _i - (Φ _i mod U)) whenever the inverse formation F () ^{-1 of} a foreign endpoint address is requested during key agreement is.

It follows a numerical example of varying private Keys using IPv4 addresses.

Again, for this example N = 361752844532961371761 G = 258201056061078543287 R = 3

When common time unit between all communication devices Let's take the example of the "Unix-Timestamp". The value U is U = 86400, which corresponds to one day in time. at the chosen U is the change to a new private Key at 2 o'clock in the morning.

The IPv4 address of E _A is 137.248.131.121. On 29. 05. 2007 at 12:13:01 the time stamp was 1180433581. Thus follows for the key for E _A : (F (E A ) + 1180433581 - (1180433581 mod 86400)) 3.1 ≡ (1372481311 21 + 1180396800) 3.1 mod N ≡ 1384285279 21 3.1 mod N ≡ 3129556747 7849577417 mod N ≡ D (F (137.24 8.131.121, 1180433581)) mod N

On the following day, at time 30/5/2007 at 14:33:03, the timestamp is at the value 1180528383. This results in the following private key at E _A at this time: (F (E A ) + 1180528383 - (1180528383 mod 86400)) 3.1 ≡ (1372481311 21 + 1180528383) 3.1 mod N ≡ 1384286143 21 3.1 mod N ≡ 1100973377 1093982843 0 mod N ≡ D (F (137.24 8.131.121, 1180528383)) mod N

It It should be noted that parts of the invention are embodied in software can be, and when loading into a computer to an inventive Become device.

Further serve the embodiments only for understanding and are not intended to limit the invention. Much more the spirit and scope of the invention is the enclosed Claims to be taken.

Bibliography

P. Related Patents

• a. US020050022020A1 , / - / [EN] Authentication protocol
• b. US020030147537A1 / JING DONGFENG PERKINS CHARLES E / [EN] Secure key distribution protocol in AAA for mobile IP
• c. WO2006051517 / MCCULLAGH NOEL (IE); SCOTT MICHAEL (IE); COSTIGAN NEIL (IE), / Identity based encryption
• d. US20030081785A1 / Boneh, Dan (Palo Alto, Calif., US), Franklin, Matthew (Davis, Calif., US) / Systems and methods for identity-based encryption and related cryptographic techniques
• e. US5161244 / Maurer, Ueli / Cryptographic system based on information difference
• f. US4405829 , / Cryptographic Communications System and Method / Rivest; Ronald L., Shamir; Adi, Adleman; Leonard M.
• G. US000006766453B1 / 3COM CORP, US / Authenticated diffiehellman key agreement protocol where the communicating parties share a secret key with a third party.
• H. EP000001626598A1 / AXALTO SA, FR / Procedure for securing an authentication and key distribution protocol.
• i. WO002003026197A2 / Non-Elephant encryption systems (BARBADOS) Inc. Bruen, Aiden Forcinito, Mario Wehlau, David Coyle, Philip, A / A Key Agreement Protocol Based on Network Dynamics

V1. Asymmetric encryption methods

• a. Whitfield Diffie and Martin E. Hellman, "New Directions in Cryptography," IEEE Transactions On Information Theory, no. 6, pp. 644-654, 1976
• b. RL Rivest and A. Shamir and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Communications of the ACM, no. 2, pp. 120-126, 1978 ,
• c. Taher El Gamal, "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms," in Proceedings of CRYPTO 84 on Advances in Cryptology. New York, NY, USA: Springer-Verlag New York, Inc., 1985, p. 10-18 ,
• d. Neal Koblitz and Alfred J. Menezes. A Survey of Public-Key Cryptosystems. SIAM Review, 46 (4): 599-634, 2004 ,

V2. Key exchange or Key agreement protocols

• a. Rainer Rueppel and Paul C. van Oorschot, "Modern Key Agreement Techniques," Computer Communications, vol. 17, no. 7, pp. 458-465, 1994 ,
• b. Ratna Dutta and Rana Barua, "Overview of Key Agreement Protocols," Cryptology ePrint Archive, Report 2005/289, 2005, http://eprint.iacr.org/ ,
• c. R. Rivest and A. Shamir. How to Expose to Eavesdropper. CACM, Vol. 27, April 1984, pp. 393-395

V3. Identity-Based Cryptosystems

• a. Jing-Shyang Hwu, Rong-Jaye Boss, Yi-Bing Lin, An Efficient Identity-Based Cryptosystem for End-to-End Mobile Security, IEEE Transactions on Wireless Communications, vol. 5, no. 9, pp. 2586-2593, 2006
• b. Dan Boneh and Matthew Franklin, Identity-Based Encryption from the Weil Pairing, SIAM Journal of Computation, vol. 32, no. 3, pp. 586-615, 2003
• c. M. Gorantla and R. Gangishetti and A. Saxena, A Survey on ID-Based Cryptographic Primitives, Cryptology ePrint Archive, Report 2005 ,
• d. Joonsang Baek, Jan Newmarch, Reihaneh Safavi-Naini and Willy Susilo, A Survey of Identity-Based Cryptography, Journal of Computer Research and Development, vol. 43, no. 10, pp. 1810-1819, 2006

V4. Infrastructures for managing public Keys (Public Key Infrastructures)

• a. Dieter Gollmann: Coding Theory and Cryptology. Lecture Notes Series, Institute for Mathematical Sciences, National University of Singapore, 2002 pages 143-175 ,
• b. Hui Li and Yumin Wang: Public Key Infrastructure. Payment Technologies for Ecommerce, Springer New York Publishing, 2003 pages 39-70 ,
• c. K. Aberer and A. Datta and M. Hauswirth: A Decentralized Public Key Infrastructure for Customer-to-Customer E-Commerce. International Journal of Business Process Integration and Management, 2005 - Vol. 1, no. 1 pp 26-33
• d. Ruggero Morselli, Bobby Bhattacharjee, Jonathan Katz, Michael A. Marsh: Key Chains - A Decentralized Public-Key Infrastructure. Technical Report CS-TR-4788, University of Maryland (2006)

V5. Key Einigungs protocols with public discussion

• a. Ueli M. Maurer. Secret key agreement by public discussion from common information. IEEE Transactions an Information Theory, 39 (3): 733-742, May 1993 ,

L. References / Links

1. (Http://zfoneproject.com/docs/ietf/draft-zimmermann-avtzrtp-03.html)

QUOTES INCLUDE IN THE DESCRIPTION

This list The documents listed by the applicant have been automated generated and is solely for better information recorded by the reader. The list is not part of the German Patent or utility model application. The DPMA takes over no liability for any errors or omissions.

Cited patent literature

• US 020050022020 A1 [0188]
• - US 020030147537 A1 [0188]
• - WO 2006051517 [0188]
• US 20030081785 A1 [0188]
• US 5161244 [0188]
• US 4405829 [0188]
• US 000006766453 B1 [0188]
• EP 000001626598 A1 [0188]
• WO 002003026197 A2 [0188]

Cited non-patent literature

• - Joan Daemen and Vincent Rijmen, The Design of Rijndael: AES - The Advanced Encryption Standard, Springer-Verlag 2002 (238 pp.) [0126]
• - www.google.com [0144]
• - Whitfield Diffie and Martin E. Hellman, "New Directions in Cryptography," IEEE Transactions On Information Theory, no. 6, pp. 644-654, 1976 [0188]
• - RL Rivest and A. Shamir and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Communications of the ACM, no. 2, pp. 120-126, 1978 [0188]
• - Taher El Gamal, "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms," in Proceedings of CRYPTO 84 on Advances in Cryptology. New York, NY, USA: Springer-Verlag New York, Inc., 1985, pp. 10-18 [0188]
• - Neal Koblitz and Alfred J. Menezes. A Survey of Public-Key Cryptosystems. SIAM Review, 46 (4): 599-634, 2004 [0188]
• - Rainer Rueppel and Paul C. van Oorschot, "Modern Key Agreement Techniques," Computer Communications, vol. 17, no. 7, pp. 458-465, 1994 [0188]
• - Ratna Dutta and Rana Barua, "Overview of Key Agreement Protocols," Cryptology ePrint Archive, Report 2005/289, 2005, http://eprint.iacr.org/ [0188]
• R. Rivest and A. Shamir. How to Expose to Eavesdropper. CACM, Vol. 27, April 1984, pp. 393-395 [0188]
• - Jing-Shyang Hwu, Rong-Jaye Boss, Yi-Bing Lin, An Efficient Identity-Based Cryptosystem for End-to-End Mobile Security, IEEE Transactions on Wireless Communications, vol. 5, no. 9, pp. 2586-2593, 2006 [0188]
• - Dan Boneh and Matthew Franklin, Identity-Based Encryption from the Weil Pairing, SIAM Journal of Computation, vol. 32, no. 3, pp. 586-615, 2003 [0188]
• - M. Gorantla and R. Gangishetti and A. Saxena, A Survey on ID-Based Cryptographic Primitives, Cryptology ePrint Archive, Report 2005 [0188]
• - Joonsang Baek, Jan Newmarch, Reihaneh Safavi-Naini and Willy Susilo, A Survey of Identity-Based Cryptography, Journal of Computer Research and Development, vol. 43, no. 10, pp. 1810-1819, 2006 [0188]
• - Dieter Gollmann: Coding Theory and Cryptology. Lecture Notes Series, Institute for Mathematical Sciences, National University of Singapore, 2002 pages 143-175 [0188]
• - Hui Li and Yumin Wang: Public Key Infrastructure. Payment Technologies for Ecommerce, Springer Verlag New York, 2003 pages 39-70 [0188]
• - K. Aberer and A. Datta and M. Hauswirth: A Decentralized Public Key Infrastructure for Customer-to-Customer E-Commerce. International Journal of Business Process Integration and Management, 2005 - Vol. 1, no. 1 pp 26-33 [0188]
• - Ruggero Morselli, Bobby Bhattacharjee, Jonathan Katz, Michael A. Marsh: Key Chains - A Decentralized Public-Key Infrastructure. Technical Report CS-TR-4788, University of Maryland (2006) [0188]
• - Ueli M. Maurer. Secret key agreement by public discussion from common information. IEEE Transactions an Information Theory, 39 (3): 733-742, May 1993 [0188]
• - (http://zfoneproject.com/docs/ietf/draft-zimmermann-avtzrtp-03.html) [0189]

Claims (54)

A method for generating one or more cryptographic keys for performing a key agreement for an encrypted digital voice communication between two or more terminals, wherein an endpoint address E _{A of} a terminal A directly or indirectly by application of the inverse function L ^{-1 of} a one-way function L with trapdoor into a part of the cryptographic keys used for the key agreement. The method of the preceding claim, wherein the cryptographic key of the terminal A of provided to a communications provider, so that all terminals of the communication provider with make a key agreement to the terminal A. can. The method of one or more of the preceding claims, wherein the one-way trap-door function L represents exponentiation in the ring Z _N , where N is a number whose factorization can not be calculated in polynomial time; the inverse function L ^-1 is the calculation of a root in the ring Z _N. The method according to one or more of the preceding claims, wherein the cryptographic key can be public or private and the public key is the product in the ring Z _N from the result of the trap-in-one-way inverse function L ^-1 and the number

where Z _{A is} a random number and G is a number whose order in the ring Z _{N has} a fixed-order prime number. The method according to one or more of the preceding claims, wherein the cryptographic key can be public or private and the public key is the product in the ring Z _N from the result of the trap-type inverse one-way function L ^-1 and the number G * Z _A where Z _{A is} a random number and the number G is a point on an elliptic curve. The method according to one or more of the preceding claims, wherein the communication provider K ₁ the terminal A at logon the function F (.) And the following numbers known: N ₁ , G ₁ , R, E _A , F (E _A ), D (F (e _a), N _1), where D is an instance of an inverse one-way function with a trapdoor, N ₁ is the product of at least two prime numbers P ₁ and Q _1, G ₁ a to N ₁ prime number so that the order of which a Has a fixed-order prime factor, R is a number for which it does not divide any of the prime factors of N _{1 which have been} decremented, E _A the endpoint address of the terminal A and F (E _A ) each having an endpoint address converted to a unique natural number is; for D and D (F (E _A ), N ₁ ) D (F (E _A ), N ₁ ) ≡ F (E _A ) ^{1 / R} mod N ₁ ; Furthermore, communication device A still has a private random number Z _A , the private key of terminal A is D (F (E _A ), N ₁ ), which is A's public key

D (F (E _A ), N ₁ ) mod N ₁ ; All this applies analogously to all terminals of the communication provider K ₁ . The method according to one or more of the preceding claims, wherein the communication provider K ₁ discloses to a terminal B of a communications provider K ₂ the function F (.) And the following numbers: N ₁ , G ₁ , R, such that a key agreement between terminal A of the Communication provider K ₁ and terminal B of the communication provider K _{2 can} take place without that terminal B of communication provider K ₁ must receive a cryptographic key; this applies analogously to the communications provider K ₂ and the terminal A. The method according to one or more of the preceding Claims, wherein the communication provider in the creation the cryptographic key is a one-time used Number or a string adds, so the keys be limited in their validity. The method according to the preceding claim, wherein the private key for communication device A looks like D (F (E _A ) * μ, N ₁ ), where μ is a unique number or string and the squiggle is a bind operator. A method for encrypted voice communication using cryptographic keys having the property that the endpoint address E _{A of} a terminal A directly or indirectly through the application of the inverse function L ^{-1 of} a one-way function L with trapdoor in the public and private keys Cryptographic key is integrated. The method according to one or more of the preceding speech communication claims, wherein the one-way function L represents the exponentiation in the ring Z _N , where N is a number whose factorization can not be calculated in polynomial time; the inverse function L ^-1 is the calculation of a root in the ring Z _N. The method according to one or more of the preceding speech communication claims, wherein at the beginning of the key agreement, the terminal A has the function F (.) And the following numbers known: N ₁ , G ₁ , R, E _A , F (E _A ), D (F (e _a), N _1), where D is an instance of an inverse one-way function with a trapdoor, N _1, the product of at least two prime numbers P ₁ and Q _1, G ₁ a to N ₁ prime number so that the order of which a prime factor in fixed order, R is a number for which it does not divide any of the prime factors of N which have been decremented by one, E _{A is} the endpoint address of the terminal A and F (E _A ) each being an endpoint address which has been converted into a unique natural number; for D as a one-way function with trap door or D (F (E _A ), N ₁ ), D (F (E _A ), N ₁ ) ≡ F (E _A ) ^{1 / R} mod N ₁ ; Furthermore, terminal A still has a private random number Z _A , the private key of terminal A is D (F (E _A ), N ₁ ), the public key of A

D (F (E _A ), N ₁ ) mod N ₁ ; All this applies analogously to a terminal B. The method according to one or more of the preceding Speech communication claims, wherein at least two primes P and Q are managed by a communications provider who is responsible for the participants based on P and Q the private key created, allowing a key agreement between the terminals the communication provider can take place. The method according to one or more of the preceding Voice communication claims, wherein the private key is loaded on the terminal and from this in a secured Area is managed. The method according to one or more of the preceding Voice communication claims, wherein several private keys from different communication providers on the terminal managed, and the selection of the right key based on parameters, through trial and error or through a communication exchange he follows. The method according to one or more of the preceding voice communication claims, wherein a terminal A of communication provider K ₁ and a terminal B of communication provider K ₂ can perform a key agreement in which the public parameters of the communication providers K ₁ and K ₂ are combined. The method according to one or more of the preceding voice communication claims, wherein the combination (N, G, R, F (.)) Of the public parameters of K ₁ (N ₁ , G ₁ , R, F (.)) And K ₂ (N ₂ , G ₂ , R, F (.)) Is performed by means of (N = N ₁ .N ₂ , G = G ₁ .G ₂ , R, F (.)), Wherein the terminal A of the communication provider K ₁ its private Key D (F (E _A ), N ₁ ) to D ~ (F (E _A )) with D ~ (F (E _A )) ≡ D (F (E _A ), N ₁ ) mod N ₁ and D ~ (F (E _A )) ≡ 1 mod N ₂ extended; wherein the converted endpoint address F (E _B ) of the terminal B from communication provider K ₂ to F ~ (E _B ) with F ~ (E _B ) ≡ 1 mod N ₁ and F ~ (E _B ) ≡ F (E _B ) mod N _{2 is} extended; wherein the key agreement can be carried out with communication devices of communication provider K ₂ in which terminal A, after receiving the public key from terminal B, calculates:

where F (.) is a function that converts an endpoint address into a unique number in the ring Z _N , the function D (.) is an instance of the trapdoor inverse one-way function L ^-1 , Z _{A is} a private random number of A. and Z _{B is} a private random number of B; this applies analogously to terminal B. The method according to one or more of the preceding Voice communication claims, wherein a domain of terminal owners use their own prime numbers P and Q. can be encrypted to within this domain to communicate. The method of one or more of the preceding voice communication claims, wherein one or more of the following parameters may be public: N, G, R, N ₁ , G ₁ , N ₂ , G _2, and the function F (.). The method according to one or more of the preceding Voice communication claims, wherein the device address one or more of the following parameters used: SIP address, Phone number, IMEI, TIMSI, IMSI, Messenger addresses, XMPP, H323. The method of one or more of the preceding voice communication claims, wherein the key agreement provides only one same key on both terminals when using dete endpoint address E _{A of} the terminal A and the public key used

D (F (E _A ), N ₁ ) mod N _{1 of} the terminal A satisfy the following equation:

wherein the function F () is a function that converts the endpoint address E _B into a unique number in the ring Z _N , D is an instance of a trap-type inverse one-way function, N _{1 is} the product of at least two prime numbers P ₁ and Q ₁ , G ₁ is a relatively prime to N ₁ number so that the order of which has a prime factor in a safe order, R is a number for which it holds that this does not share the decreased by one prime factors of N, Z _a is a private random number from a; all this applies analogously to terminal B, as well as for D ~ (F (E _A )), D ~ (F (E _B )),

(E _A ),

(E _B ), D (F (E _A ) · μ, N ₁ ), D (F (E _B ) · μ, N ₂ ), (F (E _A ) · μ), (F (E _B ) · μ), where μ is a unique number or string, which limits the validity of the keys. The method according to one or more of the preceding speech communication claims wherein terminal A can calculate a common key S by performing the following calculation on the public key received from terminal B:

wherein the function F () is a function that converts the endpoint address E _B into a unique number in the ring Z _N , D is an instance of a trap-type inverse one-way function, N is the product of at least two prime numbers P and Q, G is one is a non-divisive number of order e such that its order has a fixed-order prime factor, R is a number that does not share any of the one-prime prime factors of N, Z _{A is} a private random number of A. and Z _{B is} a private random number of B, and for D ~ (F (E _A )), D ~ (F (E _B )), F ~ (E _A ), F ~ (E _B ), D (F ( E _A ) · μ, N ₁ ), D (F (E _B ) · μ, N ₁ ), (F (E _A ) · μ), (F (E _B ) · μ), where μ is a unique number or a string, which limits the validity of the keys. The method according to one or more of the preceding Voice communication claims, wherein the terminal an exchange of public keys through it recognizes that the calculation is not on both terminals provides the same key S and thus no encrypted Connection can be established. The method according to one or more preceding Voice communication claims, with an agreement on a cryptographic key within the same Communication channel is enabled. The method according to one or more of the preceding Voice communication claims, wherein the terminals communicate in one or more of the following networks: Lan, Wan, Fixed network, ISDN, GSM, UMTS, CDMA, WLAN, Bluetooth, Internet. A terminal for an encrypted voice communication, comprising - a communication unit associated with an endpoint address E _A , - a storage area for storing digital keys, the endpoint address E _A directly or indirectly by using the inverse function L ^{-1 of} a one-way function L is transformed with trap door into a part of a cryptographic key, wherein from the key both a private key and a public can be derived; And an arithmetic unit, which agree on a common cryptographic key with the help of the public key with another terminal B, which can be used to encrypt the voice communication. The terminal according to the previous terminal claim, being the cryptographic keys of the terminal A and the cryptographic keys of the terminal B used to reach agreement on a common key to achieve cryptographic keys between A and B. The terminal according to one or more of the previous terminal claims, wherein the one-way trap-door function L represents exponentiation in the ring Z _N , where N is a number whose factorization can not be calculated in polynomial time; the inverse function L ^-1 is the calculation of a root in the ring Z _N. The terminal according to one or more of the previous terminal claims, wherein the public key is the product in the ring Z _N from the result of the inverse one-way function L ^-1 with trap door and the number

where Z _{A is} a random number and G is a number whose order in the ring Z _{N has} a fixed-order prime number. The terminal according to one or more of the previous terminal claims, wherein the public key is the product in the ring Z _N from the result of the one-way inverse one-trap function L ^-1 and the number G * Z _A , where Z _{A is} a random number and the Number G is a point on an elliptic curve. The terminal according to one or more of the preceding terminal claims, wherein at the beginning of the key agreement, the terminal A has the function F (.) And the following numbers known: N ₁ , G ₁ , R, E _A , F (E _A ), D (F (e _a), N _1), where D is an instance of an inverse one-way function with a trapdoor, N _1, the product of at least two prime numbers P ₁ and Q _1, G ₁ is a relatively prime to N ₁ number e with the order, so that their order has a prime factor of a fixed order, R is a number for which it does not share any of the prime factors of N ₁ decreased by one, E _A the endpoint address of the terminal A and F (E _A ) each in one unique natural number converted endpoint address is; for D as a one-way function with trap door or D (F (E _A ), N ₁ ), D (F (E _A ), N ₁ ) ≡ F (E _A ) ^{1 / R} mod N ₁ ; Furthermore, terminal A still has a private random number Z _A , the private key of terminal A is D (F (E _A ), N ₁ ), which is A's public key

D (F (E _A ), N ₁ ) mod N ₁ ; all this applies analogously to terminal B. The terminal after one or more of previous terminal claims, wherein the private key is loaded on the terminal and from this in a secured Area is managed. The terminal after one or more of previous terminal claims, wherein several private keys from different communication providers be managed in memory on the terminal, and the Choosing the right key based on parameters, through trial and error or through a communication exchange. The terminal according to one or more of the preceding terminal claims, wherein a terminal A of communication provider K ₁ and a terminal B of communication provider K ₂ can perform a key agreement in which the public parameters of the communication providers K ₁ and K ₂ are combined. The terminal according to one or more of the previous terminal claims, wherein the combination (N, G, R, F (.)) Of the public parameters of K ₁ (N ₁ , G ₁ , R, F (.)) And K ₂ (N ₂ , G ₂ , R, F (.)) Is performed by means of (N = N ₁ .N ₂ , G = G ₁ .G ₂ , R, F (.)), Wherein the terminal A of the communication provider K ₁ its private Key D (F (E _A ), N ₁ ) to D ~ (F (E _A )) with D ~ (F (E _A )) ≡ D (F (E _A ), N ₁ ) mod N ₁ and D ~ (F (E _A )) ≡ 1 mod N ₂ extended; wherein the converted endpoint address F (E _B ) of the terminal B from communication provider K ₂ to F ~ (E _B ) with F ~ (E _B ) ≡ 1 mod N ₁ and F ~ (E _B ) ≡ F (E _B ) mod N _{2 is} extended; wherein the key agreement with communication devices of communication provider K ₂ can be performed, in the terminal A after receipt of the public key of terminal B calculated as follows:

where F (.) is a function that transforms an endpoint address into a unique number in the ring Z _N , the function D (.) is an instance of the trapdoor inverse one-way function L ^-1 , Z _{A is} a private random number of A. and Z _{B is} a private random number of B; this applies analogously to terminal B. The terminal after one or more of previous terminal claims, wherein a Domain of terminal owners use their own P and Q can to be encrypted within this domain too communicate. The terminal according to one or more of the preceding terminal claims, wherein one or more of the following parameters may be public: N, G, R, N ₁ , G ₁ , N ₂ , G ₂ and the function F (·). The terminal after one or more of previous terminal claims, where the device address one or more of the following parameters used. SIP address Phone number, IMEI, TIMSI, IMSI, Messenger addresses, XMPP, H323. The terminal according to one or more of the preceding terminal claims, wherein the key agreement only provides a same key at both terminals, if the endpoint address used E _{A of} the terminal A and the public key used

D (F (E _A , N ₁ )) mod N _{1 of} the end device A fulfill the following equation:

where the function F () is a function that converts the endpoint address E _A into a unique number in the ring Z _N1 , where D is an instance of a trap-type inverse one-way function. N _1, the product of at least two prime numbers P ₁ and Q _1, G ₁ a to N ₁ relatively prime number with the index e is such that the order of which has a prime factor in safer magnitude, r is a number, for which holds that they no dividing by one the decremented prime factors of N ₁ , Z _{A is} a private random number of A; all this applies analogously for terminal B, as well as for D ~ (F (E _A )), D ~ (F (E _B )), F ~ (E _A ), F ~ (E _B ), D (F (E _A ) · μ, N _1), D (F (e _B) · μ, N _1), (F (e _a) · μ), (F (e _B) · μ), where μ is a number or a unique used String, which limits the validity of the keys. The terminal according to one or more of the preceding terminal claims wherein terminals A can calculate a common key S by performing the following calculation on the public key received by the terminal B:

wherein the function F (.) is a function that transforms the endpoint address E _B into a unique number in the ring Z _N , D is an instance of a trap-type inverse one-way function, N is the product of at least two prime numbers P and Q, G is a number divisor to N of order e, such that its order has a fixed-order prime factor, R is a number for which it does not share any of the one prime factor of N that has been decremented, Z _A a private random number of A and Z _{B is} a private random number of B, and for D ~ (F (E _A )), D ~ (F (E _B )), F ~ (E _A ), F ~ (E _B ), D (F (E _A ) · μ, N ₁ ), D (F (E _B ) · μ, N ₁ ), (F (E _A ) · μ), (F (E _B ) · μ), where μ is a one-time used Number or a string, which limits the validity of the keys. The terminal after one or more of previous terminal claims, wherein the computing unit an exchange of public keys through it recognizes that the calculation is not on both terminals provides the same key S and thus no encrypted Connection can be established. The terminal after one or more of previous terminal claims, wherein a Agreement on a cryptographic key for encryption voice communication within the same communication channel is possible. The terminal after one or more of previous terminal claims, wherein communication unit communicates in one or more of the following networks: Lan, Wan, Fixed network, ISDN, GSM, UMTS, CDMA, WLAN, Bluetooth, Internet. A device for generating cryptographic keys for performing a key agreement for an encrypted digital voice communication between two or more terminals, wherein an endpoint address E _{A of} a terminal A directly or indirectly by applying the inverse function L ^{-1 of} a one-way function L with trapdoor in a part the cryptographic key used for the key agreement is converted. The device according to the previous claim, the cryptographic key of the terminal A provided by a communications provider will, so all the devices of the communication provider Carry out a key cleaning with the terminal A. can. The apparatus of one or more of the preceding apparatus claims, wherein the one-way trap-door function L represents exponentiation in the ring Z _N , where N is a number whose factorization can not be calculated in polynomial time; the inverse function L ^-1 is the calculation of a root in the ring Z _N. The device according to one or more of the preceding device claims, wherein the cryptographic key can be public or private and the public key is the product in the ring Z _N from the result of the one-way trap-in function L ^-1 , where Z _A is a random number and G is a number whose order in the ring Z _{N has} a prime number of a safe order. The device according to one or more of the preceding device claims, wherein the cryptographic key can be public or private and the public key is the product in the ring Z _{N is} the result of the inverse one-way trap function L ^-1 and the number G * Z _A , where Z _{A is} a random number and the number G is a point on an elliptic curve. The device according to one or more of the preceding device claims, wherein the communication provider K _{1 announces} to the terminal A the function F (.) And the following numbers when registering terminal A: N ₁ , G ₁ , R, E _A , F (E _a), D (F (e _a), N _1), where N ₁ is the product of at least two prime numbers P ₁ and Q _1, G ₁ a to N ₁ prime number having the order of e, so that the order of a prime factor in safe order of magnitude, R is a number for which it does not divide any of the prime factors of N ₁ decreased by one, E _{A is} the endpoint address of the terminal A and F (E _A ) is an endpoint address, each converted to a unique natural number ; for D as a one-way function with trap door or D (F (E _A ), N ₁ ), D (F (E _A ), N ₁ ) ≡ F (E _A ) ^{1 / R} mod N ₁ ; Furthermore, communication device A still has a private random number Z _A , the private key of terminal A is D (F (E _A ), N ₁ ), which is A's public key

D (F (E _A , N ₁ )) mod N ₁ ; All this applies analogously to a terminal B. The device according to one or more of the preceding device claims, wherein the communication provider K ₁ discloses to a terminal B of a communication provider K ₂ the function F (.) And the following numbers: N ₁ , G ₁ , R, such that a key agreement between terminal A and Terminal B can take place without terminal B having to receive a cryptographic key from communication provider K ₁ ; this applies analogously to the communications provider K ₂ and the terminal A. The device according to one or more of the preceding Device claims, the communications provider when creating the cryptographic key one adds a unique number or a string, so the keys are limited in their validity become. The device according to the previous device claim, wherein the private key for communication device A looks like D (F (E _A ) * μ), where μ is a unique number or string, thereby restricting the validity of the keys. A digital medium in a terminal for a voice communication, a key according to claim 1. A digital disk that has a data structure when loading into a terminal for voice communication, a method according to claim 1 implemented on this terminal.