DE102015205111A1 - System for transmitting a signed message from a signing device via a sanitizing device to a verifying device

Publication number
DE102015205111A1
Authority
DE
Germany
Prior art keywords
message
verifying
authentication code
hash value
signing
Legal status
Pending
Application number
DE102015205111.0A
Other languages
English (en)
Inventor
Dr. Cuellar Jorge
Santiago Reinhard Suppan
Current Assignee
Siemens AG
Original Assignee
Siemens AG
Application filed by Siemens AG
Priority to DE102015205111.0A
Publication of DE102015205111A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • H04L9/3239 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A signing device for transmitting a signed message via a sanitizing device to be verified by a verifying device is suggested. The signing device comprises a generation unit for generating a message including a fixed portion and a variable portion, a signing unit for signing the generated message by generating a first message authentication code based on the fixed portion of the message and based on a first hash value, and by generating a second message authentication code in a first mode based on the message and based on a second hash value, or in a second mode based on the message and based on the first hash value. Based on the signing device, a corresponding sanitizing device, and a corresponding verifying device, it is possible to send messages and verify these messages, wherein parts of these messages have been varied, for example due to data protection.

Description

  • The present invention relates to a signing device for signing a message and transmitting the message to a sanitizing device, a sanitizing device for varying the message and transmitting the message to a verifying device and a verifying device for verifying the message. The present invention further relates to a system comprising a signing device, a sanitizing device and a verification device. Furthermore, the present invention relates to a corresponding signing method, a corresponding sanitizing method and a corresponding verifying method.
  • When sending a message over a communication medium, it may be important for the recipient of the message to be able to verify that the message was originally produced by the expected party and that it has not been modified during the transmission. This property is called the integrity of the message. Thus the recipient is assured somehow of the integrity of the message. But in some situations, it may be necessary that an authorized intermediate party is able to modify the message, for example in a restricted way. This means that the intermediate party may be allowed to modify some previously defined parts of the message, while not being able to modify the other parts of the message.
  • Known solutions for sanitizing messages use signatures based on asymmetric cryptography. However, in scenarios where participants have limited power and constrained computational resources, as for example in the Internet of Things, asymmetric cryptography is not efficient due to required complex computations.
  • It is one object of the present invention to provide an improved way of verifying varied messages.
  • According to a first aspect, a signing device for transmitting a signed message to be verified by a verifying device is suggested. The signing device comprises a generation unit for generating a message m including a fixed portion f and a variable portion a, a storage unit for storing a hash tree including a plurality of hash values, a signing unit for signing the generated message m by generating a first message authentication code |f|L based on the fixed portion f of the message m and based on a first hash value L of the plurality of hash values, wherein the first hash value L is known to the verifying device, and by generating a second message authentication code |m|R, |m|L in a first mode based on the message m and based on a second hash value R of the plurality of hash values, the second hash value R being computable by a sanitizing device and the verifying device, or in a second mode based on the message m and based on the first hash value L of the plurality of hash values, and a transmitting unit for transmitting the generated message m, the first message authentication code |f|L and the second message authentication code |m|R, |m|L to the sanitizing device.
  • The respective unit, e.g. the signing unit, may be implemented in hardware and/or in software. If said unit is implemented in hardware, it may be embodied as a device, e.g. as a computer or as a processor or as a part of a system, e.g. a computer system. If said unit is implemented in software it may be embodied as a computer program product, as a function, as a routine, as a program code or as an executable object.
  • The suggested signing device is based on the following aspect: a signing device wants to write a message with two types of content: one is modifiable (i.e., variable, sanitizable or admissible) and the other is fixed. The signing device sends the message to a recipient over some communication channel. An intermediary, the censor party (herein called the sanitizing device) is allowed to change the admissible part (i.e., the variable portion) of the message but not the fixed part (i.e., the fixed portion) of the message. The recipient (herein called the verifying device for verifying the message (or the integrity of the message)) should be able to verify that the message was originally produced by the expected party (the signing device) and that it has not been modified during the transmission except, possibly, for changes done to admissible parts by authorized intermediate sanitizers. This property is called the relaxed integrity of the message (in the context of sanitization).
  • For signing the message, the signing unit signs a generated message m, which includes a fixed portion f and a variable portion a, by generating message authentication codes (MAC). A message authentication code is an output generated from a message and a secret to provide integrity and authenticity assurances on the message. Integrity assurances detect accidental and intentional message changes, while authenticity assurances affirm the message's origin.
  • As one example for message authentication codes, a keyed-hash message authentication code (HMAC) may be used which is a specific construction for calculating a message authentication code involving a hash function in combination with a secret key. As with any MAC, it may be used to simultaneously verify both the data integrity and the authentication of a message. Any hash function may be used in the calculation of an HMAC.
  • In order to allow the sanitizing device to vary the message, the signing unit generates a message authentication code of the fixed portion using a hash value L known only to the signing device and the verifying device. A second message authentication code is generated using the whole message and, in a first mode, when the verification device should not be able to detect a variation of the message, using a hash value R known to, or at least computable by, the verifying device and the sanitizing device. In a second mode, the second message authentication code is generated using the whole message and the first hash value L.
  • When sending the message to the sanitizing device, the sent message includes the message itself, the first message authentication code and the second authentication code. The message itself includes the fixed portion f and the variable portion a.
  • According to an embodiment, the generated message m includes information for computing the second hash value R.
  • All hash values may be computed based on a hash tree having as a root an initial value. This initial value may only be known to the signing device.
  • The first hash value L may be a node or its dependent nodes being known to the verifying device and the signing device, but not to the sanitizing device.
  • The second hash value R may be a node or its dependent nodes being known to the verifying device, the sanitizing device and the signing device. When the second hash value is not the node R but one of its dependent nodes Ri, the message m may include information regarding the path for computing the second hash value starting from the node.
  • According to a further embodiment, the signing unit is configured to generate a third message authentication code |m|S based on the message m and based on a third hash value S of the plurality of hash values, the third hash value S representing a common secret between the signing device and the sanitizing device.
  • A node from the hash tree may be used as a common secret S between the signing device and the sanitizing device. The node and its dependent nodes are not known to the verifying device. Using the third message authentication code, the sanitizing device can verify the message.
  • According to a further embodiment, the signing unit is configured to select the first mode or the second mode, wherein in the first mode, the verification device is unable to detect a variation of the variable portion of the message and in the second mode, the verification device is able to detect a variation of the variable portion of the message.
  • If the verifying device should be able to recognize whether the message has been varied, the second message authentication code is generated using the first hash value. If the message is not varied by the sanitizing device, the verification device may detect that the first hash value has been used for generating the second message authentication code and thus, that the message is not varied. Else, the verification device may detect that the message is varied.
  • In the first mode, when the verification device is not able to detect whether the message is varied, the second message authentication code is generated using the second hash value R.
  • According to a further embodiment, the first hash value L is a hash value from a first path within the hash tree known to the signing device and the verifying device.
  • As the path is only known to the verifying device and the signing device, the verifying device can be sure, when verifying the message, that the fixed portion is not varied.
  • According to a further embodiment, the second hash value R is a hash value from a second path within the hash tree known to the signing device, the sanitizing device and the verifying device, the second path being different from the first path.
  • As all three devices should be able to decode the second message authentication code, the second hash value R is known to all three devices.
  • According to a second aspect, a sanitizing device for varying a signed message from a signing device to be verified by a verifying device is suggested. The sanitizing device comprises a receiving unit for receiving the signed message from the above-described signing device, the signed message including a message m, a first message authentication code |f|L and a second message authentication code |m|R, |m|L, the message m including a fixed portion f and a variable portion a, a verification unit for verifying the signed message, a sanitizing unit being configured to, in a varying mode, vary the variable portion a and to generate a fourth message authentication code |m’|R based on the message m including the varied variable portion a’ and based on the second hash value R of the plurality of hash values, the second hash value R being computable by the sanitizing device and the verifying device, and a transmitting unit being configured to, in the varying mode, transmit the varied message including the varied variable portion a’, the first message authentication code |f|L and the fourth message authentication code |m’|R to the verifying device, or else, to transmit the received signed message.
  • The respective unit, e.g. the sanitizing unit, may be implemented in hardware and/or in software. If said unit is implemented in hardware, it may be embodied as a device, e.g. as a computer or as a processor or as a part of a system, e.g. a computer system. If said unit is implemented in software it may be embodied as a computer program product, as a function, as a routine, as a program code or as an executable object.
  • When varying the message, the sanitizing unit may vary the variable portion of the message. The message to be sent then includes the varied message (i.e., the fixed portion and the varied variable portion), the first message authentication code and the fourth message authentication code, which is generated using the varied message.
  • When not varying the message, the sanitizing unit just sends the message as originally received.
  • According to an embodiment, the signed message includes a third message authentication code |m|S based on the message m and based on a third hash value S of the plurality of hash values, the third hash value S representing a common secret between the signing device and the sanitizing device, and wherein the verification unit is configured to verify the signed message by verifying the third message authentication code |m|S.
  • Thus, the sanitizing device may be able to verify the integrity of the received message before forwarding the message, or a varied version of the message, to the verifying device. The third message authentication code may also be used to verify the integrity of information regarding the generation of the second hash value as described above.
  • According to a further embodiment, the sanitizing device comprises a deciding unit for deciding if the variable portion a is to be varied.
  • This decision may be based on information included in the message. Some messages may need to be varied for example due to data protection. Other messages should be forwarded without any changes.
  • According to a third aspect, a verifying device for verifying a message from a signing device is suggested. The verifying device comprises a receiving unit for receiving the signed message from the above-described sanitizing device, the message m being signed by the above-described signing device, the signed message including, in a non-varying mode, a message having a fixed portion f and an unvaried variable portion a, a first message authentication code |f|L and a second message authentication code |m|R, |m|L, or the signed message including, in a varying mode, a message having a fixed portion f and a varied variable portion a’, the first message authentication code |f|L and a fourth message authentication code |m’|R, a verification unit for verifying the fixed portion f of the message m by verifying the first message authentication code |f|L based on a first hash value L of a plurality of hash values, wherein the first hash value L is known to the signing device and the verifying device, and for verifying the variable portion a of the message m by verifying, in a first mode, the second message authentication code |m|R, |m|L based on a second hash value R of the plurality of hash values, the second hash value R being computable by the sanitizing device and the verifying device, or by verifying, in a second mode, the second message authentication code |m|R, |m|L based on the second hash value R of the plurality of hash values or the fourth message authentication code |m|L based on the first hash value L of the plurality of hash values.
  • The respective unit, e.g. the verifying unit, may be implemented in hardware and/or in software. If said unit is implemented in hardware, it may be embodied as a device, e.g. as a computer or as a processor or as a part of a system, e.g. a computer system. If said unit is implemented in software it may be embodied as a computer program product, as a function, as a routine, as a program code or as an executable object.
  • In the first mode, the verifying device is not able to detect whether the message is varied or not but is only able to verify the integrity of the message.
  • In the second mode, the verifying device is able to detect whether the message is varied or not and is able to verify the integrity of the message.
  • According to an embodiment, the verification unit is configured to determine in the second mode whether the variable portion a of the message m is varied based on the first hash value L and/or the second hash value R.
  • As the verification unit may determine with which hash value the transmitted message authentication code of the whole message was generated, the verification unit may also determine whether the message was varied or not. If the message was not varied, the message authentication code is generated using the first hash value, which is known only to the signing device and the verifying device. If the message was varied, the message authentication code is generated using the second hash value, which is known to the signing device, the sanitizing device and the verifying device.
  • Any embodiment of the first aspect may be combined with any embodiment of the first aspect, second aspect or third aspect to obtain another embodiment of the first, second or third aspect.
  • According to a fourth aspect, a system for transmitting a signed message from a signing device via a sanitizing device to a verifying device is suggested. The system comprises the above-described signing device, the above-described sanitizing device and the above-described verifying device.
  • According to a further aspect, a signing method for transmitting a signed message to be verified by a verifying device is suggested. The signing method comprises the following steps: generating a message including a fixed portion and a variable portion, storing a hash tree including a plurality of hash values, signing the generated message by generating a first message authentication code based on the fixed portion of the message and based on a first hash value of the plurality of hash values, wherein the first hash value is known to the verifying device and the signing device, and by generating a second message authentication code in a first mode based on the message m and based on a second hash value R of the plurality of hash values, the second hash value R being computable by a sanitizing device and the verifying device, or in a second mode based on the message m and based on the first hash value L of the plurality of hash values, and transmitting the generated message, the first message authentication code and the second message authentication code to the sanitizing device.
  • According to a further aspect, a sanitizing method for varying a signed message from a signing device to be verified by a verifying device is suggested. The sanitizing method comprises the following steps: receiving a signed message, the signed message including a message, a first message authentication code and a second message authentication code, the message including a fixed portion and a variable portion, verifying the signed message, in a varying mode, varying the variable portion and generating a fourth message authentication code based on the message including the varied variable portion and based on the second hash value of the plurality of hash values, the second hash value being computable by the sanitizing device and the verifying device, and in the varying mode transmitting the varied message including the varied variable portion, the first message authentication code and the fourth message authentication code to the verifying device, or else, transmitting the received signed message.
  • According to a further aspect, a verifying method for verifying a message from a signing device is suggested. The verifying method comprises the following steps: receiving the signed message from a sanitizing device, the message being signed by a signing device, the signed message including, in a non-varying mode, a message having a fixed portion and an unvaried variable portion, a first message authentication code and a second message authentication code, or the signed message including, in a varying mode, a message having a fixed portion and a varied variable portion, the first message authentication code and a fourth message authentication code, and verifying the fixed portion of the message by verifying the first message authentication code based on a first hash value of a plurality of hash values, wherein the first hash value is known to the signing device and the verifying device, and for verifying the variable portion of the message by verifying, in a first mode, the second message authentication code based on a second hash value of the plurality of hash values, the second hash value being computable by the sanitizing device and the verifying device, or by verifying, in a second mode, the second message authentication code based on the second hash value of the plurality of hash values or the fourth message authentication code based on the first hash value of the plurality of hash values.
  • According to a further aspect, the invention relates to a computer program product comprising a program code for executing the above-described method for transmitting a signed message to be verified by a verifying device when run on at least one computer.
  • According to a further aspect, the invention relates to a computer program product comprising a program code for executing the above-described method for varying a signed message from a signing device to be verified by a verifying device when run on at least one computer.
  • According to a further aspect, the invention relates to a computer program product comprising a program code for executing the above-described method for verifying a message from a signing device when run on at least one computer.
  • A computer program product, such as a computer program means, may be embodied as a memory card, USB stick, CD-ROM, DVD or as a file which may be downloaded from a server in a network. For example, such a file may be provided by transferring the file comprising the computer program product from a wireless communication network.
  • The embodiments and features described with reference to the devices and system of the present invention apply mutatis mutandis to the methods of the present invention.
  • Further possible implementations or alternative solutions of the invention also encompass combinations – that are not explicitly mentioned herein – of features described above or below with regard to the embodiments. The person skilled in the art may also add individual or isolated aspects and features to the most basic form of the invention.
  • Further embodiments, features and advantages of the present invention will become apparent from the subsequent description and dependent claims, taken in conjunction with the accompanying drawings, in which:
  • Fig. 1 shows a schematic block diagram of an embodiment of a system for transmitting a signed message from a signing device via a sanitizing device to a verifying device;
  • Fig. 2 shows a first embodiment of a hash tree providing hash values;
  • Fig. 3 shows a second embodiment of a hash tree providing hash values;
  • Fig. 4 shows a message flow diagram according to a first embodiment of the system of Fig. 1;
  • Fig. 5 shows a message flow diagram according to a second embodiment of the system of Fig. 1;
  • Fig. 6 shows a sequence of method steps for transmitting a signed message to be verified by a verifying device;
  • Fig. 7 shows a sequence of method steps for varying a signed message from a signing device to be verified by a verifying device; and
  • Fig. 8 shows a sequence of method steps for verifying a message from a signing device.
  • In the Figures, like reference numerals designate like or functionally equivalent elements, unless otherwise indicated.
  • Fig. 1 shows a system 100 comprising a signing device 10, a sanitizing device 20 and a verifying device 30.
  • The signing device 10 comprises a generation unit 11, a storage unit 12, a signing unit 13 and a transmitting unit 14.
  • The generation unit 11 generates a message m including a fixed portion f and a variable portion a. The storage unit 12 stores a hash tree including a plurality of hash values. These hash values may be used for signing the message.
  • The signing unit 13 signs the generated message m by generating a first message authentication code |f|L based on the fixed portion f of the message m and based on a first hash value L of the plurality of hash values. The first hash value L is known to the verifying device 30, but not to the sanitizing device 20. The signing unit 13 further generates a second message authentication code |m|R or |m|L based on the message m and based on the first hash value L or a second hash value R of the plurality of hash values. The second hash value R is computable by the sanitizing device 20 and the verifying device 30.
  • The transmitting unit 14 then transmits the generated message m, the first message authentication code |f|L and the second message authentication code |m|R or |m|L to the sanitizing device 20.
  • The sanitizing device 20 comprises a receiving unit 21, a verification unit 22, a sanitizing unit 23, a transmitting unit 24 and a deciding unit 25.
  • The receiving unit 21 receives the signed message from the signing device 10.
  • The verification unit 22 verifies the signed message. The deciding unit 25 decides if the variable portion a is to be varied or not. The sanitizing unit 23 can then operate in a varying mode.
  • In the varying mode, the sanitizing unit 23 varies the variable portion a of the message m and generates a fourth message authentication code |m’|R based on the message m including the varied variable portion a’ and based on the second hash value R of the plurality of hash values.
  • The transmitting unit 24 transmits in the varying mode the varied message including the varied variable portion a’, the first message authentication code |f|L and the fourth message authentication code |m’|R to the verifying device 30.
  • Else, the transmitting unit 24 transmits the received signed message to the verifying device 30.
  • The verifying device 30 comprises a receiving unit 31 and a verifying unit 32.
  • The receiving unit 31 receives the signed message from the sanitizing device 20.
  • In a non-varying mode, the signed message includes the message m having a fixed portion f and an unvaried variable portion a, a first message authentication code |f|L and a second message authentication code |m|R or |m|L. In the varying mode, the signed message includes the message m having a fixed portion f and a varied variable portion a’, the first message authentication code |f|L and a fourth message authentication code |m’|R.
  • The verification unit 32 verifies the fixed portion f of the message m by verifying the first message authentication code |f|L based on the first hash value L. The verification unit 32 further verifies the variable portion a of the message m by verifying, in a first mode, the second message authentication code |m|R based on the second hash value R.
  • In a second mode, the verification unit 32 verifies the variable portion a of the message m by verifying the second message authentication code |m|R based on the second hash value R of the plurality of hash values or the second message authentication code |m|L based on the first hash value L of the plurality of hash values.
  • FIG. 2 shows a first embodiment of a hash tree providing hash values.
  • The signing device 10, the verifying device 30 and the sanitizing device 20 share some secrets which correspond to certain positions of one binary graph as illustrated in FIG. 2.
  • The signing device 10 has the root secret x 1. The signing device 10 is able to generate every node of the hash-tree.
  • The verifying device’s 30 initial secret is a node 2 in the tree and therefore a descendant of the hash-tree’s root secret 1. Thus, the verifying device 30 is able to verify some MACs created by the signing device 10, but not all, and is not able to forge MACs with keys that are not descendants of the verifying device’s 30 initial secret 2.
  • The sanitizing device 20 knows R, a secret descendant of the initial secret 2 of the verifying device 30. This will imply that the signing device 10, the verifying device 30 and the sanitizing device 20 are able to generate many common secrets Ri.
  • Additionally, the signing device 10 and the sanitizing device 20 share a common secret S to allow the sanitizing device 20 to verify an incoming message from the signing device 10. This secret S is a node in the tree that is not in the path to the verifying device’s 30 initial secret 2.
  • FIG. 3 shows a second embodiment of a hash tree providing hash values.
  • In addition to the hash tree of FIG. 2, the hash tree of FIG. 3 includes several blank nodes 3, 4, 5 between each party’s secret. Blank nodes allow the party with knowledge of the superseding secret to revoke another party’s secrets by means of a canonical jump, i.e. by going back to another path of the tree descending from the starting node.
  • FIG. 4 shows a message flow diagram according to a first embodiment of the system of FIG. 1.
  • The signing device 10 has a message, which he wants to send to the verifying device 30. The message m is composed of two parts:
    f, contains the fixed part of the message, and a path path_to_R, which will allow generating the sanitizing key R.
    a, which solely contains the admissible part of the message.
  • The signing device 10 now generates a MAC |f|L. The used secret L is the first secret of the path known to the signing device 10 and the verifying device 30. Path_to_R is later used by the verifying device 30 (and occasionally the sanitizing device 20) to generate the sanitizing key R.
  • The path_to_R can be a sequence of bits to generate a branch with certain descendants from node 2. This is recommended if the sanitizing device 20’s initial key needs to be replaced or refreshed. Instead of generating a path for every message, which might result in longer paths and higher computational costs due to the execution of hashes to generate the tree’s branches, the signing device 10 could include key material KMi for every new sanitization key Ri, where Ri = h(<sanitizing device 20’s initial key, KMi>).
  • The signing device 10 then computes a second MAC for the whole message |m|R with the current sanitizing key R.
  • Additionally, one additional signature |m|S can be generated by the signing device 10 with a special key S, which is only known to the signing device 10 and the sanitizing device 20. The purpose of this additional signature is to allow the sanitizing device 20 to verify the message part a (the one he is allowed to sanitize) and the used path (to generate the sanitization key R).
  • The signing device 10 sends (401) m, |f|L, |m|R, and |m|S to the sanitizing device 20.
  • The sanitizing device 20 first verifies (401) |m|S with the key S. If the verification holds, the sanitizing device 20 is now able to identify the admissible part a of the message, and is able to generate the sanitization key R with path_to_R, where path_to_R is a part of the fixed message f (see above).
  • In the case of no sanitization (402), i.e. no variation of the message: If the sanitizing device 20 agrees to the content of a, he redirects the original message and MACs from the signing device 10 to the verifying device 30 (m, |f|L, |m|R).
  • In the case of sanitization (403): The sanitizing device 20 decides to change the admissible part of the message a, resulting in a’. He then creates a new MAC |m’|R with m’ = f + a’, and the secret R. The sanitizing device 20 now sends m’ = (f + a’), |f|L, |m’|R to the verifying device 30.
  • The verifying device 30 knows L and is able to compute R from path_to_R.
  • In the case of no sanitization (404): If the verifying device 30 is able to verify |f|L and |m|R with R, the message was left as originally signed by the signing device 10. The verifying device 30 does not need to verify |f|L.
  • The verifying device 30 verifies |f|L with L and computes R from path (part of f) and then verifies |m|R. If the verification holds, the verifying device 30 knows the message is authentic.
  • In the case of sanitization (405): The verifying device 30 does the same as above, with the small difference that he verifies |m’|R (and not |m|R). As the verifying device 30 does not know the original message m, he is not able to recognize whether a message was sanitized or not.
  • FIG. 5 shows a message flow diagram according to a second embodiment of the system of FIG. 1.
  • As in the scheme of FIG. 4, the signing device 10 has a message, which he wants to send to the verifying device 30.
  • The signing device 10 sends m, |f|L, |m|L, and |m|S to the sanitizing device 20. That means, the message itself is verified by a MAC that is generated with the secret L (instead of R).
  • The sanitizing device 20 first verifies (501) |m|S and generates R.
  • In the case of no sanitization (502): If the sanitizing device 20 agrees to the content of a, he redirects the original message and MACs from the signing device 10 to the verifying device 30 (m, |f|L, |m|L).
  • In the case of sanitization (503): The sanitizing device 20 decides to change the admissible part of the message a, resulting in a’. He then creates a new MAC |m’|R with m’ = f + a’, and the secret R. The sanitizing device 20 now sends m’ = (f + a’), |f|L, |m’|R to the verifying device 30.
  • The verifying device 30 knows L.
  • In the case of no sanitization (504): If the verifying device 30 is able to verify |m|L with L, the message was left as originally signed by the signing device 10. The verifying device 30 does not need to verify |f|L.
  • In the case of sanitization (505): The verification of |m’|R with L fails. In this case, the verifying device 30 verifies |f|L with L and computes R from path_to_R (part of f) and retries the verification. If the verification holds, the verifying device 30 knows the message was sanitized by a trusted party and thus remains authentic.
  • In this case, the sanitizing device 20 may leave the message unchanged and still make use of the secret R. By doing this, he can make the verifying device 30 believe that the message was changed, even if it was not. Otherwise, the sanitizing device 20 is not able to change the message without the verifying device 30’s notification. The reason for this is usage of the secret L, which is unknown to the sanitizing device 20, but necessary for verifying the case of no sanitization.
  • Another embodiment uses a sanitization by value. In the case of sanitization, the sanitizing device 20 may add one specific bit to acknowledge sanitization. The signing device 10 may set this additional bit to zero as the message is not varied. The sanitizing device 20 may change this bit to 1 if the message is varied. The verifying device 30 may detect based on this bit whether the message was varied or not.
  • FIG. 6 shows a signing method for transmitting a signed message to be verified by a verifying device 30. The signing method comprises the following method steps 601–604.
  • In a first step 601, a message including a fixed portion f and a variable portion a is generated.
  • In a second step 602, a hash tree including a plurality of hash values is stored.
  • In a third step 603, the generated message m is signed by generating a first message authentication code |f|L based on the fixed portion f of the message m and based on a first hash value L of the plurality of hash values, wherein the first hash value L is known to the verifying device 30, and by generating a second message authentication code |m|R, |m|L. In a first mode, the second message authentication code is based on the message m and based on a second hash value R of the plurality of hash values, the second hash value R being computable by a sanitizing device 20 and the verifying device 30. In a second mode, the second message authentication code is based on the message m and based on the first hash value L of the plurality of hash values.
  • In a fourth step 604, the generated message m, the first message authentication code |f|L and the second message authentication code |m|R, |m|L are transmitted to the sanitizing device 20.
  • FIG. 7 shows a sanitizing method for varying a signed message from a signing device 10 to be verified by a verifying device 30. The sanitizing method comprises the following method steps 701–705.
  • In a first step 701, a signed message is received. The signed message includes a message, a first message authentication code |f|L and a second message authentication code |m|R, |m|L, the message m including a fixed portion f and a variable portion a.
  • In a second step 702, the signed message is verified.
  • In a third step 703, in a varying mode the variable portion a is varied and a fourth message authentication code |m’|R is generated based on the message m including the varied variable portion a’ and based on the second hash value R of the plurality of hash values, the second hash value R being computable by the sanitizing device 20 and the verifying device 30.
  • In a fourth step 704, in the varying mode the varied message is transmitted including the varied variable portion a’, the first message authentication code |f|L and the fourth message authentication code |m’|R to the verifying device 30.
  • Else, i.e. in a non-varying mode, the received signed message is transmitted in a fifth step 705 representing an alternative to steps 703 and 704.
  • FIG. 8 shows a verifying method for verifying a message from a signing device 30. The verifying method comprises the following method steps 801–802.
  • In a first step 801, the signed message is received from a sanitizing device 20, the message m being signed by a signing device 10, the signed message including, in a first mode, a message having a fixed portion f and an unvaried variable portion a, a first message authentication code |f|L and a second message authentication code |m|R, |m|L, or the signed message including, in a second mode, a message having a fixed portion f and a varied variable portion a’, the first message authentication code |f|L and a fourth message authentication code |m’|R.
  • In a second step 802, the fixed portion f of the message m is verified by verifying the first message authentication code |f|L based on a first hash value L of a plurality of hash values, wherein the first hash value L is known to the signing device 10 and the verifying device 30, and the variable portion a of the message m is verified by verifying, in the first mode, the second message authentication code |m|R, |m|L based on a second hash value R of the plurality of hash values, the second hash value R being computable by the sanitizing device 20 and the verifying device 30, or by verifying, in the second mode, the second message authentication code |m|R, |m|L based on the second hash value R of the plurality of hash values or the fourth message authentication code |m|L based on the first hash value L of the plurality of hash values.
  • Although the present invention has been described in accordance with preferred embodiments, it is obvious for the person skilled in the art that modifications are possible in all embodiments.
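The two message flows described above (steps 401–405 with |m|R, steps 501–505 with |m|L) together with the hash-tree key derivation, as an added Python example that is not part of the patent text. It assumes HMAC-SHA256 as the MAC, SHA-256(parent || bit) as the child derivation, one particular tree layout, and a length-prefixed encoding of f and a; names such as `derive`, `party_keys` and `ROOT` are hypothetical.

```python
import hashlib
import hmac

ROOT = b"constructed-root-secret-x"   # constructed sample value for the root secret x


def derive(secret: bytes, path: str) -> bytes:
    """Walk down the hash tree; child = SHA-256(parent || bit) is an assumed rule."""
    for bit in path:
        secret = hashlib.sha256(secret + bit.encode()).digest()
    return secret


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so f and a cannot be re-split."""
    data = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


def party_keys(root: bytes) -> dict:
    """Assumed tree layout; only the signer holds root and can derive every node."""
    v = derive(root, "0")                       # verifier's initial secret (node 2)
    return {
        "verifier": v,
        # S lies off the path to v; "san" descends from v, so neither yields L.
        "sanitizer": {"S": derive(root, "1"), "san": derive(v, "1")},
    }


def verifier_keys(v: bytes, path_to_r: str):
    """L and R as the verifier (or the signer, via root) derives them."""
    return derive(v, "0"), derive(derive(v, "1"), path_to_r)


def sign(root: bytes, fixed: bytes, path_to_r: str, a: bytes, mode: int) -> dict:
    key_l, key_r = verifier_keys(derive(root, "0"), path_to_r)
    f = (fixed, path_to_r.encode())             # f carries path_to_R
    return {
        "fixed": fixed, "path": path_to_r, "a": a,
        "mac_f": mac(key_l, *f),                              # |f|L
        "mac_m": mac(key_r if mode == 1 else key_l, *f, a),   # |m|R or |m|L
        "mac_s": mac(derive(root, "1"), *f, a),               # |m|S
    }


def sanitize(keys: dict, pkt: dict, new_a=None) -> dict:
    f = (pkt["fixed"], pkt["path"].encode())
    if not hmac.compare_digest(pkt["mac_s"], mac(keys["S"], *f, pkt["a"])):
        raise ValueError("|m|S does not verify")
    out = {k: pkt[k] for k in ("fixed", "path", "a", "mac_f", "mac_m")}
    if new_a is not None:                       # varying mode: a -> a', |m'|R
        out["a"] = new_a
        out["mac_m"] = mac(derive(keys["san"], pkt["path"]), *f, new_a)
    return out


def verify(v: bytes, pkt: dict, mode: int) -> str:
    key_l, key_r = verifier_keys(v, pkt["path"])
    f = (pkt["fixed"], pkt["path"].encode())
    if not hmac.compare_digest(pkt["mac_f"], mac(key_l, *f)):
        return "rejected"                       # fixed portion or path was altered
    whole = (*f, pkt["a"])
    if mode == 2 and hmac.compare_digest(pkt["mac_m"], mac(key_l, *whole)):
        return "unchanged"                      # the sanitizer holds no L
    if hmac.compare_digest(pkt["mac_m"], mac(key_r, *whole)):
        return "sanitized" if mode == 2 else "authentic"
    return "rejected"


if __name__ == "__main__":
    keys = party_keys(ROOT)
    for mode in (1, 2):
        pkt = sign(ROOT, b"order 17", "0110", b"name=Alice", mode)
        kept = sanitize(keys["sanitizer"], pkt)
        varied = sanitize(keys["sanitizer"], pkt, b"name=REDACTED")
        print(mode, verify(keys["verifier"], kept, mode),
              verify(keys["verifier"], varied, mode))
```

In mode 1 the verifier returns the same result for varied and unvaried messages; in mode 2 it tells them apart, and a change to the fixed portion is rejected in both.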

Claims (15)

  1. A signing device (10) for transmitting a signed message to be verified by a verifying device (30), the signing device (10) comprising: a generation unit (11) for generating a message (m) including a fixed portion (f) and a variable portion (a), a storage unit (12) for storing a hash tree including a plurality of hash values, a signing unit (13) for signing the generated message (m) by generating a first message authentication code (|f|L) based on the fixed portion (f) of the message (m) and based on a first hash value (L) of the plurality of hash values, wherein the first hash value (L) is known to the verifying device (30), and by generating a second message authentication code (|m|R, |m|L), in a first mode based on the message (m) and based on a second hash value (R) of the plurality of hash values, the second hash value (R) being computable by a sanitizing device (20) and the verifying device (30), or in a second mode based on the message (m) and based on the first hash value (R) of the plurality of hash values, and a transmitting unit (14) for transmitting the generated message (m), the first message authentication code (|f|L) and the second message authentication code (|m|R, |m|L) to the sanitizing device (20).
  2. The signing device according to claim 1, wherein the generated message (m) includes information for computing the second hash value (R).
  3. The signing device according to claim 1 or 2, wherein the signing unit (13) is configured to generate a third message authentication code (|m|S) based on the message (m) and based on a third hash value (S) of the plurality of hash values, the third hash value (S) representing a common secret between the signing device (10) and the sanitizing device (20).
  4. The signing device according to one of claims 1–3, wherein the signing unit (13) is configured to select the first mode or the second mode, wherein in the first mode, the verification device (30) is unable to detect a variation of the variable portion (a) of the message (m) and in the second mode, the verification device (30) is able to detect a variation of the variable portion (a) of the message (m).
  5. The signing device according to one of claims 1–4, wherein the first hash value (L) is a hash value from a first path within the hash tree known to the signing device (10) and the verifying device (30).
  6. The signing device according to claim 5, wherein the second hash value (R) is a hash value from a second path within the hash tree known to the signing device (10), the sanitizing device (20) and the verifying device (30), the second path being different from the first path.
  7. A sanitizing device (20) for varying a signed message from a signing device (10) to be verified by a verifying device (30), the sanitizing device (20) comprising: a receiving unit (21) for receiving the signed message from a signing device (10) according to one of claims 1–6, the signed message including a message (m), a first message authentication code (|f|L) and a second message authentication code (|m|R, |m|L), the message (m) including a fixed portion (f) and a variable portion (a), a verification unit (22) for verifying the signed message, a sanitizing unit (23) being configured to, in a varying mode, vary the variable portion (a) and to generate a fourth message authentication code (|m’|R) based on the message (m) including the varied variable portion (a’) and based on the second hash value (R) of the plurality of hash values, the second hash value (R) being computable by the sanitizing device (20) and the verifying device (30), and a transmitting unit (24) being configured to, in the varying mode, transmit the varied message including the varied variable portion (a’), the first message authentication code (|f|L) and the fourth message authentication code (|m|R) to the verifying device (30), or else, to transmit the received signed message.
  8. The sanitizing device according to claim 7, wherein the signed message includes a third message authentication code (|m|S) based on the message (m) and based on a third hash value (S) of the plurality of hash values, the third hash value (S) representing a common secret between the signing device (10) and the sanitizing device (20), and wherein the verification unit (22) is configured to verify the signed message by verifying the third message authentication code (|m|S).
  9. The sanitizing device according to claim 7 or 8, further comprising a deciding unit (25) for deciding if the variable portion (a) is to be varied.
  10. A verifying device (30) for verifying a message from a signing device (10), the verifying device (30) comprising: a receiving unit (31) for receiving the signed message from a sanitizing device (20) according to one of claims 7–9, the message (m) being signed by a signing device (10) according to one of claims 1–6, the signed message including, in a non-varying mode, a message having a fixed portion (f) and an unvaried variable portion (a), a first message authentication code (|f|L) and a second message authentication code (|m|R, |m|L), or the signed message including, in a varying mode, a message having a fixed portion (f) and a varied variable portion (a’), the first message authentication code (|f|L) and a fourth message authentication code (|m’|R), a verification unit (32) for verifying the fixed portion (f) of the message (m) by verifying the first message authentication code (|f|L) based on a first hash value (L) of a plurality of hash values, wherein the first hash value (L) is known to the signing device (10) and the verifying device (30), and for verifying the variable portion (a) of the message (m) by verifying, in a first mode, the second message authentication code (|m|R, |m|L) based on a second hash value (R) of the plurality of hash values, the second hash value (R) being computable by the sanitizing device (20) and the verifying device (30), or by verifying, in a second mode, the second message authentication code (|m|R, |m|L) based on the second hash value (R) of the plurality of hash values or the fourth message authentication code (|m|L) based on the first hash value (L) of the plurality of hash values.
  11. The verifying device according to claim 10, wherein the verification unit (32) is configured to determine in the second mode whether the variable portion (a) of the message (m) is varied based on the first hash value (L) and/or the second hash value (R).
  12. A system (100) for transmitting a signed message from a signing device (10) via a sanitizing device (20) to a verifying device (30), the system (100) comprising: a signing device (10) according to one of claims 1–6, a sanitizing device (20) according to one of claims 7–9, and a verifying device (30) according to one of claims 10–
  13. A signing method for transmitting a signed message to be verified by a verifying device (30), the signing method comprising: generating (601) a message (m) including a fixed portion (f) and a variable portion (a), storing (602) a hash tree including a plurality of hash values, signing (602) the generated message (m) by generating a first message authentication code (|f|L) based on the fixed portion (f) of the message (m) and based on a first hash value (L) of the plurality of hash values, wherein the first hash value (L) is known to the verifying device (30) and the signing device (10), and by generating a second message authentication code (|m|R, |m|L), in a first mode based on the message (m) and based on a second hash value (R) of the plurality of hash values, the second hash value (R) being computable by a sanitizing device (20) and the verifying device (30), or in a second mode based on the message (m) and based on the first hash value (R) of the plurality of hash values, and transmitting (604) the generated message (m), the first message authentication code (|f|L) and the second message authentication code (|m|R, |m|L) to the sanitizing device (20).
  14. A sanitizing method for varying a signed message from a signing device (10) to be verified by a verifying device (30), the sanitizing method comprising: receiving (701) the signed message, the signed message including a message (m), a first message authentication code (|f|L) and a second message authentication code (|m|R, |m|L), the message (m) including a fixed portion (f) and a variable portion (a), verifying (702) the signed message, in a varying mode (703), varying the variable portion (a) and generating a fourth message authentication code (|m’|R) based on the message (m) including the varied variable portion (a’) and based on the second hash value (R) of the plurality of hash values, the second hash value (R) being computable by the sanitizing device (20) and the verifying device (30), and in the varying mode (704), transmitting the varied message including the varied variable portion (a’), the first message authentication code (|f|L) and the fourth message authentication code (|m|R) to the verifying device (30), or else, transmitting (705) the received signed message.
  15. A verifying method for verifying a message from a signing device, the verifying method comprising: receiving (801) the signed message from a sanitizing device (20), the message (m) being signed by a signing device (10), the signed message including, in a non-varying mode, a message having a fixed portion (f) and an unvaried variable portion (a), a first message authentication code (|f|L) and a second message authentication code (|m|R, |m|L), or the signed message including, in a varying mode, a message having a fixed portion (f) and a varied variable portion (a’), the first message authentication code (|f|L) and a fourth message authentication code (|m’|R), and verifying (802) the fixed portion (f) of the message (m) by verifying the first message authentication code (|f|L) based on a first hash value (L) of a plurality of hash values, wherein the first hash value (L) is known to the signing device (10) and the verifying device (30), and for verifying the variable portion (a) of the message (m) by verifying, in a first mode, the second message authentication code (|m|R, |m|L) based on a second hash value (R) of the plurality of hash values, the second hash value (R) being computable by the sanitizing device (20) and the verifying device (30), or by verifying, in a second mode, the second message authentication code (|m|R, |m|L) based on the second hash value (R) of the plurality of hash values or the fourth message authentication code (|m|L) based on the first hash value (L) of the plurality of hash values.
DE102015205111.0A 2015-03-20 2015-03-20 System for transmitting a signed message from a signing device via a sanitizing device to a verifying device Pending DE102015205111A1 (de)

Priority Applications (1)

Application Number Priority Date Filing Date Title
DE102015205111.0A DE102015205111A1 (de) 2015-03-20 2015-03-20 System for transmitting a signed message from a signing device via a sanitizing device to a verifying device

Publications (1)

Publication Number Publication Date
DE102015205111A1 (de) 2016-03-03

Family

ID=55312421

Country Status (1)

Country Link
DE (1) DE102015205111A1 (de)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100042842A1 (en) * 2008-08-12 2010-02-18 Industrial Technology Research Institute Light weight authentication and secret retrieval
US20130083926A1 (en) * 2011-09-30 2013-04-04 Los Alamos National Security, Llc Quantum key management
US20150046981A1 (en) * 2010-02-12 2015-02-12 Telefonaktiebolaget L M Ericsson (Publ) Trust discovery in a communications network

Legal Events

Date Code Title Description
R163 Identified publications notified
R230 Request for early publication
R437 Application is deemed to be withdrawn due to failure to submit translation