EP1709764A1 - Circuit arrangement and method for securing communication within communication networks - Google Patents

Circuit arrangement and method for securing communication within communication networks

Info

Publication number
EP1709764A1
Authority
EP
European Patent Office
Prior art keywords
network
peer
certificate
communication
stored
Prior art date
Legal status
Withdrawn
Application number
EP05707876A
Other languages
German (de)
English (en)
Inventor
Jens Uwe Busser
Gerald Volkmann
Current Assignee
Nokia Solutions and Networks GmbH and Co KG
Original Assignee
Siemens AG
Nokia Siemens Networks GmbH and Co KG
Priority date
2004-01-29
Filing date
2005-01-28
Publication date
2006-10-11
Application filed by Siemens AG and Nokia Siemens Networks GmbH and Co KG
Publication of EP1709764A1
Legal status: Withdrawn (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/12 Applying verification of the received information
    • H04L63/126 Applying verification of the received information the source of the received data
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/104 Peer-to-peer [P2P] networks
    • H04L67/1087 Peer-to-peer [P2P] networks using cross-functional networking aspects
    • H04L67/1091 Interfacing with client-server systems or between P2P systems
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/30 Definitions, standards or architectural aspects of layered protocol stacks
    • H04L69/32 Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
    • H04L69/322 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions
    • H04L69/329 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]

Definitions

  • Communication security is becoming increasingly important in modern communication networks. Important aspects of communication security are the authenticity of the participants and the confidentiality of messages. Authorization may also be required to participate in communication within networks. This communication security is usually achieved with pre-administered shared secrets. Furthermore, communication security can also be guaranteed with digital signatures / certificates. Every network subscriber authorized for secure communication receives their own digital certificate from a trustworthy central entity. These certificates bind a public key to the identity of its owner. These certificates can be checked with the public key of the central instance, which is contained in the so-called root certificate of the central instance, which must be distributed to all network participants in an unadulterated manner.
  • A network subscriber can now use his secret private key to generate a signed message, the authenticity of which can be checked by any recipient using the public key from the certificate of the network subscriber.
  • The recipient receives the certificate of the network subscriber either from the network subscriber himself or from a central server. For the confidential transmission of messages, they are encrypted with the public key from the recipient's certificate, so that only the recipient can decrypt the message.
  • Security functions such as authentication, authorization and encryption / decryption are also used in a peer-to-peer network, hereinafter abbreviated to P2P network.
  • The invention has for its object to provide a circuit arrangement and an associated method for securing the communication of network participants.
  • The invention has the advantage that an authenticity check can also be carried out when the network subscriber is operating offline.
  • The invention has the advantage that an authorization check can be carried out using the certificate of the network subscriber even when the network subscriber is operating offline.
  • The invention has the advantage that confidential information can also be stored in the P2P network while the network subscriber is in an offline mode.
  • The invention has the advantage that servers for the provision of created and stored certificates are not required during operation.
  • FIG. 1 shows a P2P network within an IP network.
  • FIG. 2 shows the allocation of a certificate for a new network subscriber and its distribution in the P2P network.
  • FIG. 3 shows a schematic illustration of the authentication of a message from a network subscriber.
  • FIG. 4 shows a structure of circuit modules within a
  • FIG. 5 is a flow diagram of a certificate distribution.
  • FIG. 6 is a flowchart of an authenticity check.
  • FIG. 7 is a flowchart of an encrypted deposit.
  • A digital certificate is stored as a resource in the P2P network. This has the advantage that its data can be made available to the other network participants even if the network participant is offline or cannot be reached for other reasons. Furthermore, it is also possible to encrypt data intended for particular network units and thus protect them in the P2P network.
  • FIG. 1 shows a P2P network within a network designated IP.
  • The data transfer to the transport layer takes place via common protocols, for example the Internet protocol.
  • Above it, the P2P protocol is located as an additional layer, which assigns identification IDs to subscribers and data records, regulates storage, extraction and replication of data records, etc.
  • The elements called Peer A, Peer B, ..., Peer N of the P2P network are, for example, independent computers that are connected to each other, for example, both via the IP protocol and via the P2P protocol.
  • The technology of a P2P network required here is, for example, from a thesis by Thomas Friese on the
  • A server or certificate server, for example of a service provider, can also be arranged within the IP network.
  • A network element denoted Peer X should, for example, have access to network subscribers of a network denoted P2P.
  • The network subscriber Peer X, which can be a computer, for example, requests or applies for a certificate ZX from a provider FIRM.
  • The provider FIRM sends the applicant Peer X the assigned certificate, which is also stored in the certificate server CA.
  • This certificate ZX created by the certificate server for the network subscriber Peer X consists, for example, of various categories such as the name of the provider, company or trust center that issues the certificate, a serial number of the certificate, the public key of Peer X, a validity period, the name of the party (Peer X) to whom the key belongs, and a signature that is generated by the provider or trust center.
  • This certificate ZX is sent to the new network subscriber Peer X of the P2P network.
  • The certificate server CA, which sees the P2P network as a whole, also sends the certificate ZX to the P2P network.
  • The certificate server CA sends the certificate ZX to Peer A.
  • Peer A can assume a gateway function.
  • The certificate ZX is then stored as a resource within the P2P network, for example in Peer M.
  • The information of the digital certificate is thus also available to the network subscribers of the P2P network if the network unit Peer X is not accessible, whether in offline mode or for other reasons.
  • The validity period of this resource corresponds to the validity period of the certificate. It is thus possible to access the public key stored in the certificate in order to check the authenticity of information stored and signed in a network unit in the P2P network.
  • The authorization of the certificate user results from the possession of a valid certificate which was issued by the provider FIRM.
  • FIG. 3 schematically shows how the network subscriber Peer C receives a message from network subscriber Peer X, the authenticity of which is to be checked by Peer C.
  • Peer C requires the certificate ZX of Peer X.
  • Peer C extracts this certificate ZX from the P2P network and loads it into its memory:
  • Peer C determines the identification ID of the certificate ZX using the method defined in the P2P algorithm used, and then uses the lookup method of that P2P algorithm to search for a peer whose identification matches the ID of the certificate as closely as possible, and in whose memory the certificate ZX was therefore stored. After the certificate ZX has been found in the resource of the network subscriber Peer M, the certificate ZX is sent to the searching network subscriber Peer C.
  • Peer C now first checks the validity of the certificate ZX using the public key QCA from the root certificate ZCA; it then checks the authenticity of the message using the public key QX, which is contained in the certificate ZX. If the authenticity is confirmed, the message is processed; otherwise it is ignored.
  • The structure of a network subscriber is shown schematically in FIG. 4.
  • A network module NWM, a first memory module SMPA, SMCA, SMA, ..., a second memory module SMX, SMY, ..., a crypto module KRM and a processor P connected to these modules are included in the illustration.
  • The network module NWM, with network card and associated software etc., regulates communication with all external devices, e.g. between peers in the P2P network and on the Internet-protocol-based IP level.
  • A private key PA of Peer A is stored in the memory module SMPA; this must be kept secret by Peer A.
  • In the memory module SMA there is a certificate of Peer A with a public key QA, and in the memory module SMCA there is a certificate of the server CA with a public key QCA.
  • The crypto module KRM, which can be implemented in software and / or hardware, has functions such as: generation of a digital signature using the private key PA; authenticity check of the digital signature of any Peer X using its public key QX, which is contained in the certificate of X; validity check of a digital certificate via the authenticity check of its digital signature, created by the server CA, using the public key QCA of CA, which is contained in the (root) certificate of CA; encryption of a confidential message to Peer X using the public key QX from Peer X's certificate; decryption of a confidential message from Peer X to Peer A using the private key PA of Peer A.
  • FIG. 5 shows the program flow of the certificate distribution shown schematically in FIG. 2.
  • As a preliminary remark, all network participants in the P2P network have a self-signed certificate of the certificate generation server CA firmly integrated.
  • Each network subscriber thus has the public key QCA of the certificate generation server CA.
  • All peers A, B, ..., N also have an identification ID; this identification ID is, for example, the network address in the P2P network mentioned.
  • The certificate generation server CA has generated the certificate ZX for the network subscriber Peer X of the P2P network, i.e. signed it with the server's private key PCA. This certificate binds a public key QX to the identity X.
  • The certificate is then distributed according to the following procedural steps:
  • The server sends the certificate to a specific peer.
  • This is Peer A in the P2P network.
  • The signature of the certificate ZX can be checked in Peer A using the public key QCA known to it. If the signature is found to be invalid, the certificate is not forwarded but deleted. It is also possible that the certificate server itself is such a network participant in the P2P network.
  • The identification ID of the certificate ZX, which determines on which peers a resource is stored in the P2P network, is determined according to a method common in P2P networks, which depends on the P2P algorithm / protocol used.
  • For P2P algorithms / protocols see for example Petar Maymounkov, David Mazieres, New York University, Kademlia: A Peer-to-Peer Information System Based on the XOR Metric, 2001, or Stoica, Morris, Karger, Kaashoek, Balakrishnan, MIT Laboratory for Computer Science, Chord: A Scalable Peer-to-peer Lookup Service for Internet Applications, August 2001.
  • Peer A calculates this ID of the certificate in such a way that it emerges from a unique identification of Peer X, so that the certificate can only be found and extracted in the P2P network when this identification is known.
  • Peer A looks for the peer M within the P2P network whose identification ID best matches the ID of the certificate. The match relates to a metric of the P2P network system.
  • Peer A sends the certificate ZX to Peer M.
  • There, the signature of the certificate can also be checked using the public key QCA. If this is ok, Peer M stores the certificate; otherwise the certificate is deleted.
  • The certificate of Peer X is available as a resource in the P2P network as described above, i.e. it can be searched for and extracted by any peer A, B, ..., N in the P2P network that needs it.
  • The invention thus has the advantage that the certificate ZX is still available even when the server and Peer X are not available.
  • A flowchart of an authenticity check is shown schematically in FIG. 6.
  • All peers in the P2P network have the self-signed certificate of the certificate generation server CA firmly integrated.
  • Each peer A, B, ..., N thus has the public key QCA of the certificate generation server CA.
  • All peers A, B, ..., N have an identification ID that serves as the network address in the P2P network.
  • The certificate for Peer X is a resource in the P2P network.
  • A data record, such as a data file, service request or message, is signed by Peer X with its private key PX and sent to Peer C, or stored in the P2P network on another computer Peer M, ..., Peer N.
  • Peer C receives this data record from Peer X or from a third computer Peer M.
  • Peer C determines, e.g. from a unique identification of Peer X, the identification ID of the certificate of Peer X.
  • Peer C uses this ID to search for a network subscriber on which the certificate is stored and receives Peer M as the destination.
  • The computer Peer C causes Peer M to send it the certificate.
  • Peer C now checks the validity of the certificate ZX and then checks the authenticity of the data record received from Peer X.
  • If the certificate and the authenticity are ok, Peer C processes the data record that was sent by Peer X. This also enables access control of the P2P network: only participants who have received a certificate from the certificate generation server CA are authorized to generate data records for processing by other participants.
  • Each peer A, B, ..., N can now check the authenticity of data records in the P2P network. The check can still be carried out even if the server and the subscriber Peer X are not available.
  • The sequence of an encrypted deposit is shown schematically in FIG. 7.
  • The process of an encrypted deposit is similar to the authenticity check described above.
  • Starting from Peer C, an encrypted message to Peer X is to be stored in the network.
  • The computer Peer C determines, e.g. from a unique identification of Peer X, the ID of the certificate of Peer X.
  • The computer Peer C searches with this ID for a peer on which the certificate is stored and receives Peer M as the destination.
  • The computer Peer C causes Peer M to send it the certificate.
  • Peer C checks the validity of the certificate of Peer X.
  • The message is encrypted with the public key QX from the certificate of Peer X.
  • Peer C can now store the encrypted message in the P2P network.
  • When Peer X receives the encrypted message, only Peer X can decrypt the message from Peer C addressed to it, using its private key PX.
  • Each peer A, B, ..., N can send or store encrypted messages to other participants in the P2P network.
  • This sending or storing of messages to other participants in the P2P network can take place independently of a server or the accessibility of the target peer.
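As an added illustration (not code from the patent or its assignee), the following Python models the three flows described above with the page's own names: the certificate distribution of FIG. 5 (gateway peer A checks the CA signature, the XOR-closest peer M checks again and stores ZX), the authenticity check of FIG. 6 (peer C fetches ZX, validates it with QCA, then verifies the record with QX) and the encrypted deposit of FIG. 7. Assumptions: a toy textbook RSA on fixed primes stands in for the real signature scheme, the XOR distance is taken from the Kademlia reference the text cites, and every peer name, key and record is constructed.

```python
import hashlib
from collections import namedtuple

# Toy textbook RSA on fixed 32-bit primes (no padding, no key generation): it only
# makes the signature and validation flow executable and offers no real security.
E = 65537

def toy_keypair(p, q):  # (public (n, e), private d) for the primes p and q
    return (p * q, E), pow(E, -1, (p - 1) * (q - 1))

def h_int(data, n):  # message hash reduced into the RSA group
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(data, priv, n):
    return pow(h_int(data, n), priv, n)
def verify(data, sig, pub):
    return pow(sig, pub[1], pub[0]) == h_int(data, pub[0])

# The certificate fields the page lists; sig covers every other field (cert[:-1]).
Cert = namedtuple("Cert", "issuer serial subject pub not_before not_after sig")

def issue_cert(signer_pub, signer_priv, subject, pub, serial, not_before, not_after):
    cert = Cert("FIRM", serial, subject, pub, not_before, not_after, 0)
    return cert._replace(sig=sign(repr(cert[:-1]).encode(), signer_priv, signer_pub[0]))

def cert_valid(cert, ca_pub, now):  # signature under the root key QCA plus the validity period
    return verify(repr(cert[:-1]).encode(), cert.sig, ca_pub) and cert.not_before <= now <= cert.not_after

def node_id(name):  # 32-bit peer ID; a certificate's resource ID is node_id("cert:" + subject)
    return int.from_bytes(hashlib.sha256(name.encode()).digest()[:4], "big")

class P2PNetwork:
    """Minimal DHT: a resource lives on the peer whose ID is XOR-closest to the resource ID
    (Kademlia-style metric; an assumption of this example, not a detail from the patent)."""
    def __init__(self, peer_names, ca_pub):
        self.ca_pub, self.store = ca_pub, {name: {} for name in peer_names}
    def closest_peer(self, rid):
        return min(self.store, key=lambda name: node_id(name) ^ rid)
    def publish(self, cert, now):
        """FIG. 5: gateway peer A checks the CA signature and forwards to peer M, which
        checks again before storing; an invalid certificate is deleted, not stored."""
        if not cert_valid(cert, self.ca_pub, now):  # check at peer A
            return None
        rid = node_id("cert:" + cert.subject)
        m = self.closest_peer(rid)
        if not cert_valid(cert, self.ca_pub, now):  # check again at peer M
            return None
        self.store[m][rid] = cert
        return m
    def fetch(self, subject):
        rid = node_id("cert:" + subject)
        return self.store[self.closest_peer(rid)].get(rid)

def check_record(net, subject, data, sig, now):
    """FIG. 6 at peer C: fetch ZX from the DHT, validate it with QCA, then verify the record with QX."""
    cert = net.fetch(subject)
    return cert is not None and cert_valid(cert, net.ca_pub, now) and verify(data, sig, cert.pub)

def deposit_encrypted(net, subject, m, now):
    """FIG. 7: encrypt for the recipient with QX from its validated certificate (toy RSA, m < n)."""
    cert = net.fetch(subject)
    return pow(m, cert.pub[1], cert.pub[0]) if cert and cert_valid(cert, net.ca_pub, now) else None

def demo(now=1_700_000_000):  # constructed scenario; every name, key and value here is made up
    ca_pub, ca_priv = toy_keypair(4294967291, 4294967279)  # 2^32-5, 2^32-17
    x_pub, x_priv = toy_keypair(4294967231, 4294967197)    # 2^32-65, 2^32-99
    net = P2PNetwork(["Peer A", "Peer B", "Peer C", "Peer M", "Peer N"], ca_pub)
    zx = issue_cert(ca_pub, ca_priv, "Peer X", x_pub, 1, now - 10, now + 3600)
    forged = issue_cert(x_pub, x_priv, "Peer Y", x_pub, 2, now - 10, now + 3600)  # not CA-signed
    record = b"service request 17 from Peer X"
    sig = sign(record, x_priv, x_pub[0])
    stored_at, c = net.publish(zx, now), deposit_encrypted(net, "Peer X", 123456789, now)
    return {
        "stored_at": stored_at,
        "forged_stored": net.publish(forged, now) is not None,
        "genuine": check_record(net, "Peer X", record, sig, now),
        "tampered": check_record(net, "Peer X", record + b"!", sig, now),
        "expired": check_record(net, "Peer X", record, sig, now + 7200),
        "unknown_peer": check_record(net, "Peer Y", record, sig, now),
        "roundtrip": c is not None and pow(c, x_priv, x_pub[0]) == 123456789,
    }
```

Note that `demo()` reaches every decision the flows describe: the non-CA-signed certificate is never stored, the tampered and expired cases fail at peer C, and the deposit for Peer X decrypts only with PX.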

Abstract

The invention relates to a circuit arrangement and an associated method for authenticating a network subscriber, according to which a digital certificate is stored as a resource in the P2P network. The advantage is that data can be provided to the other subscribers of the network even when these subscribers are offline or, for other reasons, unreachable. It is also possible to store specific data in this P2P network in encrypted, and therefore protected, form for network units.
EP05707876A 2004-01-29 2005-01-28 Circuit arrangement and method for securing communication within communication networks Withdrawn EP1709764A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102004004606A DE102004004606A1 (de) 2004-01-29 2004-01-29 Circuit arrangement and method for communication security within communication networks
PCT/EP2005/050360 WO2005074189A1 (fr) 2004-01-29 2005-01-28 Circuit arrangement and method for securing communication within communication networks

Publications (1)

Publication Number Publication Date
EP1709764A1 (fr) 2006-10-11

Family

ID=34801230

Family Applications (1)

Application Number Title Priority Date Filing Date
EP05707876A Withdrawn EP1709764A1 (fr) 2004-01-29 2005-01-28 Circuit arrangement and method for securing communication within communication networks

Country Status (4)

Country Link
US (1) US20070266251A1 (fr)
EP (1) EP1709764A1 (fr)
DE (1) DE102004004606A1 (fr)
WO (1) WO2005074189A1 (fr)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8041942B2 (en) * 2006-09-05 2011-10-18 Panasonic Corporation Robust peer-to-peer networks and methods of use thereof
EP1898330A1 (fr) * 2006-09-06 2008-03-12 Nokia Siemens Networks Gmbh & Co. Kg Method for single sign-on authentication for peer-to-peer applications
US10764748B2 (en) * 2009-03-26 2020-09-01 Qualcomm Incorporated Apparatus and method for user identity authentication in peer-to-peer overlay networks
US8874769B2 (en) 2011-06-30 2014-10-28 Qualcomm Incorporated Facilitating group access control to data objects in peer-to-peer overlay networks
WO2015108845A1 (fr) * 2014-01-14 2015-07-23 Biohitech America Network-connected weight tracking system for a waste disposal machine

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AU2002234258A1 (en) * 2001-01-22 2002-07-30 Sun Microsystems, Inc. Peer-to-peer network computing platform
US7222187B2 (en) * 2001-07-31 2007-05-22 Sun Microsystems, Inc. Distributed trust mechanism for decentralized networks
US7383433B2 (en) * 2001-07-31 2008-06-03 Sun Microsystems, Inc. Trust spectrum for certificate distribution in distributed peer-to-peer networks
US7068789B2 (en) * 2001-09-19 2006-06-27 Microsoft Corporation Peer-to-peer name resolution protocol (PNRP) group security infrastructure and method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO2005074189A1 *

Also Published As

Publication number Publication date
DE102004004606A1 (de) 2005-08-25
WO2005074189A1 (fr) 2005-08-11
US20070266251A1 (en) 2007-11-15

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20060711

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): DE ES FR GB

17Q First examination report despatched

Effective date: 20070209

DAX Request for extension of the european patent (deleted)
RBV Designated contracting states (corrected)

Designated state(s): DE ES FR GB

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: NOKIA SIEMENS NETWORKS GMBH & CO. KG

RAP3 Party data changed (applicant data changed or rights of an application transferred)

Owner name: NOKIA SIEMENS NETWORKS S.P.A.

RAP3 Party data changed (applicant data changed or rights of an application transferred)

Owner name: NOKIA SIEMENS NETWORKS GMBH & CO. KG

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN WITHDRAWN

18W Application withdrawn

Effective date: 20080626