Classifications

• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
  • H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
  • H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04W—WIRELESS COMMUNICATION NETWORKS
  • H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
  • H04W12/03—Protecting confidentiality, e.g. by encryption
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04W—WIRELESS COMMUNICATION NETWORKS
  • H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
  • H04W12/08—Access security
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04W—WIRELESS COMMUNICATION NETWORKS
  • H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
  • H04W12/40—Security arrangements using identity modules
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
  • H04L2209/80—Wireless
  • H04L2209/805—Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor

Definitions

• the invention relates to the field of secure telecommunications, and in particular remote services secured by public key systems.
• secure services include, for example, VPN connections to a corporate private network from an Internet network, online electronic signature, or SSL person authentication.
• a cryptographic key of a public key algorithm includes a public part and a private part.
• the public part is generally distributed without restriction to different users.
• the validity of a certificate attests to the trust that one can have in the public key associated with an identity.
• a standard certificate used on the Internet is the X.509v3. This standard defines a certificate including: - the public key to be certified;
• attributes defining the rights of use of the key message signing key or secure Internet server key for example; and a cryptographic signature of these data by the private key of a certification authority issuing the certificate.
• a PKI public key infrastructure (known as the Public Key Infrastructure) is used for certificate management.
• a PKI infrastructure serves on the one hand to create certificates but also to manage their life (revocation, renewal ).
• the VPN technique establishes an encrypted IP tunnel between the user's terminal and the corporate network.
• the VPN technology is usually low * ed on an authentication and encryption architecture based on a password OTP (One Time Password) generated single use by a calculator, on a PKI architecture based on certificates and signature algorithms stored in the hard disk of the user's terminal, on a smart card inserted into a card reader connected to the user's terminal, or on a smart card integrated in a dongle connected to the USB port of the user's terminal.
• OTP One Time Password
• a smart card inserted into a card reader in credit card format, or integrated in a USB dongle requires the user to have an additional smart card causing additional cost and risk of being lost.
• a smart card in credit card format requires the user to have a card reader.
• a SIM card of his mobile phone needs to be transferred to a card reader of the terminal to be used during a certificate generation. This transfer operation is not easy, especially since the SIM card is in "micro-SIM" format of reduced dimensions.
• the present invention aims to overcome these disadvantages.
• the invention also aims to make it possible to exploit public key cryptography applications.
• the invention thus relates to a cryptographic device comprising a terminal and a mobile telephone capable of exchanging data via a non-wired link, said cryptographic device being able to implement public key cryptographic protocols with other cryptographic entities, and the secret key of the cryptographic device being stored in the mobile phone and not in the terminal.
• said terminal is able to establish a wired or non-wired link with another cryptographic entity and able to exchange data with said cryptographic entity via this link.
• said other cryptographic entity is an access server to a computer network, and said data exchanges allow the terminal to authenticate with said server.
• the invention also relates to a method for implementing a public key cryptographic operation, comprising a step of implementing public key cryptographic protocols between at least one cryptographic entity and a device comprising a mobile telephone storing a secret key of the device and comprising a terminal not storing said secret key, said terminal and said mobile phone exchanging data over a wireless link.
• the data exchanges of said cryptographic protocols between said cryptographic entity and said device are carried out by a wired or non-wired link between said terminal and said other cryptographic entity.
• said other cryptographic entity is an access server to a computer network and said data exchanges are authentication exchanges of said terminal with said server.
• FIG. 1 represents a user station connected in VPN to a private network, according to the invention
• FIG. 2 represents the different software layers implemented in the user station, according to the invention.
• FIG. 3 details the implementation of various PKCS # 11 functions
• FIG. 4 represents a user station connected to a signed documents publication server.
• the invention proposes to exploit the capabilities of a smart card housed in a mobile terminal and having public key cryptography applications.
• the smart card is then used as a cryptographic calculation tool in a PKI architecture, for example to implement authentication, encryption or signature functions.
• a terminal connected to a network has a wireless link with the mobile terminal and a library of cryptographic functions.
• a cryptographic function called in the library transmits a cryptographic operation command to the smart card via the wireless link.
• the smart card executes the cryptographic operation and transmits its result to the terminal.
• FIG. 1 shows a user station 6 according to the invention.
• This user station 6 comprises a terminal 1 equipped with a communication module 8 in VPN with a private network 7 and having access to a SIM card 3 enabling the user to be authenticated in the private network 7.
• the access of the user terminal 1 to the private network 7 is managed by a VPN gateway 4.
• a server 44 has elements for forming a PKI infrastructure, such as a registration authority and a certification authority.
• the connection between the terminal 1 and the SIM card 3 is performed via a wireless link 5, for example of the Bluetooth type, between the terminal 1 and a mobile terminal 2 in which a SIM card 3 of authentication of the mobile terminal 2 in a mobile network.
• a wireless link 5 for example of the Bluetooth type
• the mobile terminal 2 and the terminal 1 implement a set of protocols and procedures called SAP (SIM Access Profile) developed to provide access to a SIM card housed in a terminal, through the Bluetooth 5 link, in a completely transparent way.
• SAP SIM Access Profile
• the mobile terminal 2 comprises an SAP server module 20 which exchanges messages on one side with the SIM card 3 via a reader 21 in accordance with the ISO 7816-3 standard, and the other with the Bluetooth link 5 via a layer 22 implementing the Serial Cable Emulation Protocol (RFCOMM) emulating a serial link, and a low level layer 23 making it possible to establish a Bluetooth radio link with other terminals.
• SAP server module 20 which exchanges messages on one side with the SIM card 3 via a reader 21 in accordance with the ISO 7816-3 standard, and the other with the Bluetooth link 5 via a layer 22 implementing the Serial Cable Emulation Protocol (RFCOMM) emulating a serial link, and a low level layer 23 making it possible to establish a Bluetooth radio link with other terminals.
• RCOMM Serial Cable Emulation Protocol
• the SIM card 3 has a number of public key cryptography applications, including cryptographic operations for authentication, encryption or signature.
• An application using cryptographic tools 35 uses a PKCS # 11 module 24 having access on the one hand to a communication module 26 and to a PC / interface module. SC 25 with a SIM card. PKCS # 11 24 and PC / SC 25 modules are standard.
• the modules 24 use a library 40 of public key cryptographic operations functions when the user application 35 requires a public key cryptography operation to be performed in the smart card 3 housed in the mobile terminal 2.
• the modules 24 also use SIM card access and control functions, performed by the PC / SC interface module 25.
• a function of the library 40 called via its programming interface by the user application 35, thus applies a cryptographic operation command on the interface module 25.
• the interface module 25 transmits this command as a message to a virtual driver 27.
• the virtual driver 27 relays and adapts this message to an SAP module 31.
• the library 40 is essential to allow the use of public key cryptography applications available in the smart card 3 housed in the reader 2.
• the library 40 is, for example, example installed on a terminal 1 of type
• the SIM card 3 housed in the terminal 2 is provided with applications 41 of public key cryptography.
• the cryptography operations proposed by the card can notably include the generation or the verification of signature, encryption / decryption of data, generation of certificates or authentication.
• These applications 41 are for example in the form of JavaCard (registered trademark) applets installed in the SIM card or in the form of a WIM module (for "Wireless Identity Module” in English) integrated in the SIM card.
• a WIM module is typically used by WAP browsers located in a mobile terminal.
• Public key cryptography applications 41 of the card can then be exploited so that the terminal 1 can execute applications using cryptographic operations, such as the VPN or the electronic signature.
• the programming interface of the library 40 may be of the CAPI or PKCS # 11 type.
• the standard PKCS # 11 API is public and free to use.
• This programming interface provides low-level cryptographic functions such as key generation and storage, electronic signature, or data encryption and decryption.
• This programming interface is called in a number of software to open their cryptography features to third-party providers.
• the CAPI programming interface is exclusively available on Windows platforms. This programming interface provides application security functions and signature verification and chain management functions for trusted certificates.
• the CAPI programming interface pools cryptographic resources of different user applications. Libraries of cryptographic functions called CSP (for "Crypto Service Provider" in English) interface with CAPI to provide security services.
• CSP for "Crypto Service Provider” in English
• SIM 3 is implemented as an applet and the library 40 is of the type
• PKCS # 11 The data is thus exchanged in the form of ADPU (for "Application Protocol Data Unit” in English).
• the table in Figure 3 illustrates different PKCS # 11 functions and their implementation according to Javacard or WIM.
• the table also specifies the functions used during an authentication intended to form a virtual private network.
• the abbreviations used are: QRD: reference data qualifier, RD: reference data,
• VD verification data
• FP file path
• HO high offset
• LO reduced offset
• Lc Length of the data field.
• the terminal 1 comprises an SAP client module 31, which communicates with the SAP server module 20 via a layer 32 implementing the RFCOMM protocol and a low level layer 33 of Bluetooth 5 radio link establishment, these three layers being collected in a Bluetooth module
• the SAP server 20 and client 31 modules only exchange messages with the SIM card 3, and apply commands to it, such as commands for switching the SIM card on and off.
• the SAP client module 31 is designed to execute a connection procedure with the SAP server module 20 via a Bluetooth link, and a disconnect procedure.
• the SAP server module 20 is designed to interrogate the SIM card reader 21 and the SIM card that can be read by the reader 21, and send back to the SAP client module 31 information on the state of the reader 21, the presence of a SIM card in the reader 21 and the state of the SIM card 3.
• the SAP client module 31 is in particular designed to issue commands for the SIM card 3 for switching on / off, initialization and control containing APDU (Application Protocol Data Unit) messages, the SAP server module being designed to relay these commands for application to the SIM card via the reader 21.
• the SAP server module is also designed to notify the SAP client module 31 of all status change events of the SIM card 3 housed in the reader 21, for example as a result of a user action of inserting or removing the card from the reader.
• the PC / SC interface module 25 is designed to communicate with several readers 39 of smart cards (memory cards or microprocessor) or SIM cards 42, through drivers 38 adapted to the readers.
• a virtual pilot 27 is designed to relay and adapt the messages exchanged between the interface module 25 and the SAP module 31, these messages containing information exchanged with the SIM card 3.
• the exchange of messages between the virtual pilot 27 and the SAP client 31 is for example performed using an exchange memory or communication 28 in which the messages to be transmitted are inserted.
• the virtual pilot 27 is designed as a driver 38. It notably enables the user to select a mobile terminal or to add a mobile terminal in order to pair it with its terminal 1.
• the PC / SC interface module comprises a resource management module 37 and a service provider module 36.
• the resource management module 37 is designed to detect accessible smart cards and make this information available to several applications such as the user application 35. This module 37 is also designed to manage requests for access to smart cards issued by applications, and order smart cards.
• the service provider module 36 is designed to offer applications high-level functions, linking several commands applied to a smart card to perform a single function of access or processing of information provided by it, these functions including in particular cryptographic and authenticating functions.
• Figure 4 illustrates the application of the invention to the signing of documents and their publication.
• a document is selected by a user of the terminal 1.
• An application of the terminal 1 requires the library to generate a cryptographic signature command to the SIM card 3. This command and the document are transmitted to the mobile terminal 2 and to the SIM card 3 according to the mechanisms described previously.
• the SIM card 3 processes the command and performs the cryptographic signature from a cryptographic application that it stores.
• the SIM card 3 transmits the signed document to the terminal 1.
• the terminal 1 then transmits the signed document to a server 43 for publication of signed documents.
• the person skilled in the art can notably consider a wireless proximity link of the IrDA (infrared) or non-contact NFC type (defined in the ISO 14443 standard). All that is required is then to provide the mobile terminal with a software module for accessing the SIM for scanning the IrDA or contactless ports if necessary, and for providing the terminal 1 with a PC / SC interface 25 specific to a communication with this scanning software module.
• a mobile terminal 2 of the card emulation mode (“card emulation mode" in English) can be passed for a contactless card. If the SIM card 3 is connected to its contactless communication module, the module 25 of the terminal 1 will be able to access the cryptographic applications of the SIM card.
• the invention has been described in its application to the formation of a VPN connection or to the publication of signed documents, the invention can also be applied to other applications and in particular to User authentication when connecting to any network, including an IP network such as the Internet.

Landscapes

• Engineering & Computer Science (AREA)
• Computer Security & Cryptography (AREA)
• Computer Networks & Wireless Communication (AREA)
• Signal Processing (AREA)
• Mobile Radio Communication Systems (AREA)
• Computer And Data Communications (AREA)
• Telephonic Communication Services (AREA)

Applications Claiming Priority (2)

Publications (1)

Family

ID=34955316

Family Applications (1)

Country Status (6)

Families Citing this family (39)

Family Cites Families (10)

• 2006
  • 2006-04-05 CN CNA2006800116209A patent/CN101167298A/zh active Pending
  • 2006-04-05 WO PCT/FR2006/000753 patent/WO2006111626A2/fr active Application Filing
  • 2006-04-05 EP EP06743638A patent/EP1872507A2/fr not_active Withdrawn
  • 2006-04-05 JP JP2008507112A patent/JP2008538668A/ja not_active Abandoned
  • 2006-04-05 KR KR1020077024508A patent/KR20080007564A/ko not_active Application Discontinuation
  • 2006-04-05 US US11/918,684 patent/US20080285755A1/en not_active Abandoned

Non-Patent Citations (1)

Also Published As

Similar Documents

Legal Events