EP1709764A1 - Circuit arrangement and method for securing communication within communication networks - Google Patents
Circuit arrangement and method for securing communication within communication networks
Info
- Publication number
- EP1709764A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- network
- peer
- certificate
- communication
- stored
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/126—Applying verification of the received information the source of the received data
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/104—Peer-to-peer [P2P] networks
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/30—Definitions, standards or architectural aspects of layered protocol stacks
- H04L69/32—Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
- H04L69/322—Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions
- H04L69/329—Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/104—Peer-to-peer [P2P] networks
- H04L67/1087—Peer-to-peer [P2P] networks using cross-functional networking aspects
- H04L67/1091—Interfacing with client-server systems or between P2P systems
Definitions
- Communication security is becoming increasingly important in modern communication networks. Important aspects of communication security are the authenticity of the participants and the confidentiality of messages. Authorization may also be required to participate in communication within networks. This communication security is usually achieved with pre-administered shared secrets. Furthermore, communication security can also be guaranteed with digital signatures and certificates. Every network subscriber authorized for secure communication receives its own digital certificate from a trustworthy central entity. These certificates bind a public key to the identity of its owner. They can be checked with the public key of the central entity, which is contained in the so-called root certificate of the central entity; this root certificate must be distributed to all network participants in an unadulterated manner.
- A network subscriber can now use its secret private key to generate a signed message, the authenticity of which can be checked by any recipient using the public key from the certificate of that network subscriber.
- The recipient receives the certificate either from the network subscriber itself or from a central server. For the confidential transmission of messages, they are encrypted with the public key from the recipient's certificate, so that only the recipient can decrypt the message.
- Security functions such as authentication, authorization and encryption/decryption are also used in a peer-to-peer network, hereinafter abbreviated to P2P network.
- The invention has for its object to provide a circuit arrangement and an associated method for securing the communication of network participants.
- The invention has the advantage that an authenticity check can also be carried out when the network subscriber is operating offline.
- The invention has the advantage that an authorization check can be carried out using the certificate of the network subscriber even when the network subscriber is operating offline.
- The invention has the advantage that confidential information can also be stored in the P2P network while the network subscriber is in offline mode.
- The invention has the advantage that servers for the provision of created and stored certificates are not required during operation.
- FIG. 1 shows a P2P network within an IP network.
- FIG. 2 shows the allocation of a certificate to a new network subscriber and its distribution in the P2P network.
- FIG. 3 shows a schematic illustration of the authentication of a message from a network subscriber.
- FIG. 4 shows the structure of circuit modules within a network subscriber.
- FIG. 5 is a flow diagram of a certificate distribution.
- FIG. 6 is a flowchart of an authenticity check.
- FIG. 7 is a flowchart of an encrypted deposit.
- A digital certificate is stored as a resource in the P2P network. This has the advantage that its data can be made available to the other network participants even if the network participant it belongs to is offline or cannot be reached for other reasons. Furthermore, it is also possible to encrypt data intended for network units and thus protect them in the P2P network.
- FIG. 1 shows a P2P network within a network designated IP.
- Data transfer at the transport layer takes place via common protocols, for example the Internet protocol.
- Above this, the P2P protocol is located as an additional layer; it assigns identifications (IDs) to subscribers and data records and regulates the storage, extraction and replication of data records, etc.
- The elements of the P2P network called Peer A, Peer B, ..., Peer N are, for example, independent computers that are connected to each other both via the IP protocol and via the P2P protocol.
- The P2P network technology required here is known, for example, from a thesis by Thomas Friese on the
- A server or certificate server, for example of a service provider, can also be arranged within the IP network.
- A network element denoted Peer X is, for example, to obtain access to the network subscribers of a network denoted P2P.
- The network subscriber Peer X, which can be a computer, for example, requests or applies for a certificate ZX from a provider FIRM.
- The provider FIRM sends the applicant Peer X the assigned certificate, which is also stored in the certificate server CA.
- This certificate ZX, created by the certificate server for the network subscriber Peer X, consists, for example, of various entries such as the name of the provider, company or trust center that issues the certificate, a serial number of the certificate, a public key of Peer X, a validity period, the name of the owner of the key (Peer X), and a signature that is generated by the provider or trust center.
- This certificate ZX is sent to the new network subscriber Peer X of the P2P network.
- The certificate server CA, which has a view of the P2P network as a whole, also sends the certificate ZX to the P2P network.
- The certificate server CA sends the certificate ZX to Peer A.
- Peer A can assume a gateway function.
- The certificate ZX is then stored as a resource within the P2P network, for example in Peer M.
- The information of the digital certificate is thus also available to the network subscribers of the P2P network if the network unit Peer X is in offline mode or not accessible for other reasons.
- The validity period of this resource corresponds to the validity period of the certificate. It is thus possible to access the public key stored in the certificate in order to check the authenticity of information stored and signed by a network unit in the P2P network.
- The authorization of the certificate user results from the possession of a valid certificate issued by the provider FIRM.
- FIG. 3 schematically shows how the network subscriber Peer C receives a message from network subscriber Peer X, the authenticity of which is to be checked by Peer C.
- Peer C requires the certificate ZX of Peer X.
- Peer C extracts this certificate ZX from the P2P network and loads it into its memory:
- Peer C determines the identification ID of the certificate ZX using the method defined in the P2P algorithm in use, and then searches, with the method of that P2P algorithm, for a peer whose identification matches the ID of the certificate as closely as possible and in whose memory the certificate ZX was therefore stored. After the certificate ZX has been found in the resource of the network subscriber Peer M, the certificate ZX is sent to the searching network subscriber Peer C.
- Peer C now first checks the validity of the certificate ZX using the public key QCA from the root certificate ZCA; it then checks the authenticity of the message using the public key QX contained in the certificate ZX. If the authenticity is confirmed, the message is processed; otherwise it is ignored.
- The structure of a network subscriber is shown schematically in FIG. 4.
- The illustration includes a network module NWM, a first memory module SMPA, SMCA, SMA, ..., a second memory module SMX, SMY, ..., a crypto module KRM and a processor P connected to these modules.
- The network module NWM, with network card and associated software etc., regulates communication with all external devices, e.g. between peers in the P2P network and at the Internet-protocol-based IP level.
- A private key PA of Peer A is stored in the memory module SMPA; this must be kept secret by Peer A.
- In the memory module SMA there is a certificate of Peer A with a public key QA, and in the memory module SMCA there is a certificate of the server CA with a public key QCA.
- The crypto module KRM, which is designed in software and/or hardware, has functions such as: generation of a digital signature using the private key PA; authenticity check of the digital signature of any Peer X using its public key QX, which is contained in the certificate of X; validity check of a digital certificate via the authenticity check of its digital signature, created by the server CA, using the server's public key QCA, which is contained in the (root) certificate of CA; encryption of a confidential message to Peer X using the public key QX from Peer X's certificate; decryption of a confidential message from Peer X to Peer A using the private key PA of Peer A.
- FIG. 5 shows a program flow of the certificate distribution shown schematically in FIG. 2.
- As a preliminary remark, all network participants in the P2P network have a self-signed certificate of the certificate generation server CA firmly integrated.
- Each network subscriber thus has the public key QCA of the certificate generation server CA.
- All peers A, B, ..., N also have an identification ID; this identification ID is, for example, the network address in the P2P network mentioned.
- The certificate generation server CA has generated the certificate ZX for the network subscriber Peer X of the P2P network, i.e. signed it with the server's private key PCA. This certificate binds the public key QX to the identity X.
- The certificate is then distributed according to the following procedural steps:
- The server sends the certificate to a specific peer.
- This is Peer A in the P2P network.
- The signature of the certificate ZX can be checked in Peer A using the public key QCA known to it. If the signature is found to be invalid, the certificate is not forwarded but deleted. It is also possible that the certificate server itself is such a network participant in the P2P network.
- The identification ID, which determines on which peers a resource is stored in the P2P network, is determined for the certificate ZX according to a method common in P2P networks; this depends on the P2P algorithm/protocol used.
- For P2P algorithms/protocols see, for example, Petar Maymounkov, David Mazières, New York University, Kademlia: A Peer-to-Peer Information System Based on the XOR Metric, 2001, or Stoica, Morris, Karger, Kaashoek, Balakrishnan, MIT Laboratory for Computer Science: Chord: A Scalable Peer-to-peer Lookup Service for Internet Applications, August 2001.
- Peer A calculates this ID of the certificate in such a way that it emerges from a unique identification of Peer X, so that the certificate can be found and extracted in the P2P network only when this identification is known.
- Peer A looks for the peer M within the P2P network whose identification ID best matches the ID of the certificate. The match relates to the metric of the P2P network system.
- Peer A sends the certificate ZX to Peer M.
- The signature of the certificate can also be checked there using the public key QCA. If it is OK, Peer M saves the certificate; otherwise the certificate is deleted.
- The certificate of Peer X is now available as a resource in the P2P network as described above, i.e. it can be searched for and extracted by any peer A, B, ..., N that needs it in the P2P network.
- The invention thus has the advantage that the certificate ZX is still available even when the server and Peer X are not available.
- A flowchart of an authenticity check is shown schematically in FIG. 6.
- All peers in the P2P network have the self-signed certificate of the certificate generation server CA firmly integrated.
- Each peer A, B, ..., N thus has the public key QCA of the certificate generation server CA.
- All peers A, B, ..., N have an identification ID that serves as the network address in the P2P network.
- The certificate for Peer X is a resource in the P2P network.
- A data record, such as a data file, service request or message, is signed by Peer X with its private key PX and sent to Peer C, or filed in another computer Peer M, ..., Peer N of the P2P network.
- Peer C receives this data record from Peer X or from a third computer Peer M.
- Peer C determines, e.g. from a unique identification of Peer X, the identification ID of the certificate of Peer X.
- Peer C uses this ID to search for a network subscriber on which the certificate is stored and receives Peer M as the destination.
- The computer Peer C causes Peer M to send it the certificate.
- Peer C now checks the validity of the certificate ZX and then checks the authenticity of the data record received from Peer X.
- If the certificate and the authenticity are OK, Peer C processes the data record that was sent by Peer X. This also enables access control of the P2P network: only participants who have received a certificate from the certificate generation server CA are authorized to generate data records for processing by other participants.
- Each peer A, B, ..., N can now check the authenticity of data records in the P2P network. The check can still be carried out even if the server and the subscriber Peer X are not available.
- The sequence of an encrypted deposit is shown schematically in FIG. 7.
- The process of an encrypted deposit is similar to the authenticity check described above.
- Starting from Peer C, an encrypted message to Peer X is to be stored in the network.
- The computer Peer C determines, e.g. from a unique identification of Peer X, the ID of the certificate of Peer X.
- The computer Peer C searches with this ID for a peer on which the certificate is stored and receives Peer M as the destination.
- The computer Peer C causes Peer M to send it the certificate.
- Peer C checks the validity of the certificate of Peer X.
- The message is encrypted with the public key QX from the certificate of Peer X.
- Peer C can now store the encrypted message in the P2P network.
- When Peer X receives the encrypted message, only Peer X can decrypt the message from Peer C addressed to it, using its private key PX.
- Each peer A, B, ..., N can send or store encrypted messages to other participants in the P2P network.
- This sending or storing of messages to other participants in the P2P network can take place independently of a server or the accessibility of the target peer.
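The three procedures described above (certificate distribution of FIG. 5, authenticity check of FIG. 6 and encrypted deposit of FIG. 7) modelled end to end in Python, as an added example that is not code from the patent: the gateway and storing peers reject a certificate whose CA signature fails, the resource ID is derived from the subscriber's identification and placed at the peer closest in the XOR metric the description cites, and Peer C verifies ZX against QCA before trusting QX. The textbook RSA standing in for the crypto module KRM, the peer names, the resource-ID scheme and the certificate layout are constructed assumptions.

```python
import hashlib
import json

# Textbook RSA on Mersenne primes stands in for the crypto module KRM (constructed toy, not secure).
def keygen(p, q, e=65537):
    return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)   # (public Q, private P)

def h(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data: bytes) -> int:
    return pow(h(data, priv[1]), priv[0], priv[1])

def verify(pub, data: bytes, sig: int) -> bool:
    return pow(sig, pub[0], pub[1]) == h(data, pub[1])

def canon(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()

def issue_cert(ca_priv, subject: str, subject_pub, serial: int) -> dict:
    # the certificate entries named in the description, signed with the CA's private key PCA
    body = {"issuer": "FIRM", "serial": serial, "subject": subject,
            "public_key": list(subject_pub), "valid_until": "2006-12-31"}
    return {"body": body, "sig": sign(ca_priv, canon(body))}

def cert_valid(cert: dict, qca) -> bool:   # validity check against QCA from the root certificate
    return verify(qca, canon(cert["body"]), cert["sig"])

def res_id(name: str) -> int:              # resource ID derived from a unique identification
    return int.from_bytes(hashlib.sha256(name.encode()).digest()[:4], "big")

class Peer:
    def __init__(self, name: str, qca):
        self.name, self.id, self.qca, self.store = name, res_id(name), qca, {}
    def put(self, rid: int, value) -> bool:
        # the storing peer re-checks a certificate's CA signature before keeping it (FIG. 5)
        if isinstance(value, dict) and not cert_valid(value, self.qca):
            return False
        self.store[rid] = value
        return True

def closest(peers, rid: int) -> Peer:      # Kademlia-style XOR metric, as cited in the description
    return min(peers, key=lambda p: p.id ^ rid)

def distribute_cert(peers, gateway: Peer, cert: dict):          # FIG. 5
    if not cert_valid(cert, gateway.qca):
        return None                                             # invalid: deleted, not forwarded
    rid = res_id("cert:" + cert["body"]["subject"])
    peer_m = closest(peers, rid)
    return peer_m if peer_m.put(rid, cert) else None

def fetch_cert(peers, subject: str, qca):                       # shared step of FIG. 6 and FIG. 7
    rid = res_id("cert:" + subject)
    cert = closest(peers, rid).store.get(rid)
    return cert if cert and cert_valid(cert, qca) else None

def check_record(peers, qca, sender: str, record: bytes, sig: int) -> bool:   # FIG. 6
    cert = fetch_cert(peers, sender, qca)
    return cert is not None and verify(tuple(cert["body"]["public_key"]), record, sig)

def deposit_encrypted(peers, qca, recipient: str, msg: bytes):  # FIG. 7
    cert = fetch_cert(peers, recipient, qca)
    if cert is None:
        return None
    rid = res_id("msg:" + recipient)
    closest(peers, rid).put(rid, pow(int.from_bytes(msg, "big"), *cert["body"]["public_key"]))
    return rid

def read_encrypted(peers, rid: int, priv) -> bytes:  # only the holder of PX can do this
    m = pow(closest(peers, rid).store[rid], priv[0], priv[1])
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def demo():
    qca, pca = keygen(2**89 - 1, 2**107 - 1)        # certificate generation server CA
    qx, px = keygen(2**61 - 1, 2**127 - 1)          # new subscriber Peer X
    peers = [Peer(n, qca) for n in "ABCDEFGHMN"]    # every peer carries the root key QCA
    distribute_cert(peers, peers[0], issue_cert(pca, "X", qx, serial=1))  # Peer A as gateway
    ok = check_record(peers, qca, "X", b"request", sign(px, b"request"))
    rid = deposit_encrypted(peers, qca, "X", b"meet at 0900")
    return ok, read_encrypted(peers, rid, px)
```

Neither the CA nor Peer X takes part in `check_record` or `deposit_encrypted`; only the stored resource and the built-in QCA are needed, which is the offline property the description claims.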
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102004004606A DE102004004606A1 (de) | 2004-01-29 | 2004-01-29 | Schaltungsanordnung und Verfahren zur Kommunikationssicherheit innerhalb von Kommunikationsnetzen |
PCT/EP2005/050360 WO2005074189A1 (fr) | 2004-01-29 | 2005-01-28 | Ensemble circuit et procede pour securiser la communication au sein de reseaux de communication |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1709764A1 true EP1709764A1 (fr) | 2006-10-11 |
Family
ID=34801230
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP05707876A Withdrawn EP1709764A1 (fr) | 2004-01-29 | 2005-01-28 | Ensemble circuit et procede pour securiser la communication au sein de reseaux de communication |
Country Status (4)
Country | Link |
---|---|
US (1) | US20070266251A1 (fr) |
EP (1) | EP1709764A1 (fr) |
DE (1) | DE102004004606A1 (fr) |
WO (1) | WO2005074189A1 (fr) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8041942B2 (en) * | 2006-09-05 | 2011-10-18 | Panasonic Corporation | Robust peer-to-peer networks and methods of use thereof |
EP1898330A1 (fr) * | 2006-09-06 | 2008-03-12 | Nokia Siemens Networks Gmbh & Co. Kg | Procédé pour l'authentification d'ouverture unique pour les applications poste à poste |
US10764748B2 (en) * | 2009-03-26 | 2020-09-01 | Qualcomm Incorporated | Apparatus and method for user identity authentication in peer-to-peer overlay networks |
US8874769B2 (en) | 2011-06-30 | 2014-10-28 | Qualcomm Incorporated | Facilitating group access control to data objects in peer-to-peer overlay networks |
WO2015108845A1 (fr) * | 2014-01-14 | 2015-07-23 | Biohitech America | Système de suivi de poids connecté en réseau pour une machine d'élimination de déchets |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
AU2002234258A1 (en) * | 2001-01-22 | 2002-07-30 | Sun Microsystems, Inc. | Peer-to-peer network computing platform |
US7222187B2 (en) * | 2001-07-31 | 2007-05-22 | Sun Microsystems, Inc. | Distributed trust mechanism for decentralized networks |
US7383433B2 (en) * | 2001-07-31 | 2008-06-03 | Sun Microsystems, Inc. | Trust spectrum for certificate distribution in distributed peer-to-peer networks |
US7068789B2 (en) * | 2001-09-19 | 2006-06-27 | Microsoft Corporation | Peer-to-peer name resolution protocol (PNRP) group security infrastructure and method |
- 2004
  - 2004-01-29 DE DE102004004606A patent/DE102004004606A1/de not_active Withdrawn
- 2005
  - 2005-01-28 EP EP05707876A patent/EP1709764A1/fr not_active Withdrawn
  - 2005-01-28 US US10/587,273 patent/US20070266251A1/en not_active Abandoned
  - 2005-01-28 WO PCT/EP2005/050360 patent/WO2005074189A1/fr not_active Application Discontinuation
Non-Patent Citations (1)
Title |
---|
See references of WO2005074189A1 * |
Also Published As
Publication number | Publication date |
---|---|
DE102004004606A1 (de) | 2005-08-25 |
WO2005074189A1 (fr) | 2005-08-11 |
US20070266251A1 (en) | 2007-11-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP1793525B1 (fr) | Procédé pour changer la clé de groupe dans un groupe d'éléments de réseau dans un réseau | |
DE60312659T2 (de) | Leichtgewicht identifizierung von informationen | |
DE60114986T2 (de) | Verfahren zur herausgabe einer elektronischen identität | |
DE102016224537B4 (de) | Masterblockchain | |
DE10025626A1 (de) | Verschlüsseln von abzuspeichernden Daten in einem IV-System | |
EP0903027B1 (fr) | Procede de gestion de cles cryptographiques, fonde sur un groupe, entre une premiere unite informatique et des unites informatiques d'un groupe | |
DE102016115193A1 (de) | Verfahren zur sicheren Datenhaltung in einem Computernetzwerk | |
DE102020003739A1 (de) | Verfahren zur Verteilung und Aushandlung von Schlüsselmaterial | |
EP1709764A1 (fr) | Ensemble circuit et procede pour securiser la communication au sein de reseaux de communication | |
AT504634B1 (de) | Verfahren zum transferieren von verschlüsselten nachrichten | |
DE102017212474A1 (de) | Verfahren und Kommunikationssystem zur Überprüfung von Verbindungsparametern einer kryptographisch geschützten Kommunikationsverbindung während des Verbindungsaufbaus | |
WO2019242947A1 (fr) | Procédé de rattachement d'un appareil terminal dans une infrastructure informatique pouvant être mise en réseau | |
DE102018002466A1 (de) | Verfahren und Anordnung zum Herstellen einer sicheren Datenübertragungsverbindung | |
DE102009031143B3 (de) | Vorrichtung und Verfahren zum Erstellen und Validieren eines digitalen Zertifikats | |
DE60218554T2 (de) | Verfahren und System zur Übertragung eines Zertifikats zwischen einem Sicherheitsmodul und einem Server | |
EP3618348B1 (fr) | Procédé de fonctionnement d'un système de banques de données distribuée, système de banques de données distribuée et système d'automatisation industrielle | |
EP3955511B1 (fr) | Transfert de données sécurisé dans un noeud de réseau qkd | |
DE102006009725A1 (de) | Verfahren und Vorrichtung zum Authentifizieren eines öffentlichen Schlüssels | |
DE102022000857B3 (de) | Verfahren zur sicheren Identifizierung einer Person durch eine Verifikationsinstanz | |
WO2019115580A1 (fr) | Procédé destiné à actionner un système de mémoire décentralisé | |
EP1626551A1 (fr) | Méthode pour assurer authenticité et confidentialité dans un réseau p2p | |
EP4243342A1 (fr) | Procédé, dispositif et produit-programme informatique de communication sécurisée par internet | |
DE10325816B4 (de) | Infrastruktur für öffentliche Schlüssel für Netzwerk-Management | |
EP1936859B1 (fr) | Procédé, noeud de communication et dispositif de serveur central destinés à la sécurisation d'une communication | |
DE102015001817B4 (de) | Verfahren, Vorrichtungen und System zur Online-Datensicherung |
Legal Events
Code | Title | Description |
---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
17P | Request for examination filed | Effective date: 20060711 |
AK | Designated contracting states | Kind code of ref document: A1 Designated state(s): DE ES FR GB |
17Q | First examination report despatched | Effective date: 20070209 |
DAX | Request for extension of the european patent (deleted) | |
RBV | Designated contracting states (corrected) | Designated state(s): DE ES FR GB |
RAP1 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: NOKIA SIEMENS NETWORKS GMBH & CO. KG |
RAP3 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: NOKIA SIEMENS NETWORKS S.P.A. |
RAP3 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: NOKIA SIEMENS NETWORKS GMBH & CO. KG |
STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE APPLICATION HAS BEEN WITHDRAWN |
18W | Application withdrawn | Effective date: 20080626 |