Classifications

• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L63/00—Network architectures or network communication protocols for network security
  • H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
  • H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L63/00—Network architectures or network communication protocols for network security
  • H04L63/16—Implementing security features at a particular protocol layer
  • H04L63/166—Implementing security features at a particular protocol layer at the transport layer
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
  • H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority

Definitions

• the present invention relates to the field of information exchange management performed between two entities of a communication network.
• the present invention relates to securing such exchanges.
• the implementation of a secure connection between two entities of a communication network requires the initiation of a secure session based on either the SSL protocol or the TLS protocol.
• the two entities use mechanisms that are supposed to ensure that the created session can not be hacked or spied.
• the operation of the SSL and TLS protocols is described later. Although this description is more specifically dedicated to the TLS protocol, it also applies to the SSL protocol.
• the TLS protocol is organized on the basis of a set of five cooperating software entities: APPLICATION, HANDSHAKE, CCS, ALERT and RECORD.
• entity “APPLICATION” refers to a software application that wishes to implement a secure communication session (layer 7 of the OSI model).
• Entities “HANDSHAKE”, “CCS”, “ALERT” and “RECORD” are entities that are implemented as part of a TLS application, a detailed description of which will be found under the reference “RFC 2246" through the IETF Committee (" Internet Engineering Task Force "for” Internet Engineering Task Force ").
• Such an application of the TLS protocol is carried out at layer 5 of the OSI model.
• the layer managed by the entity "RECORD” (also called “RECORD” layer) carries the messages produced by the entities “APPLICATION” "HANDSHAKE” "CCS” and “ALERT", using a 5-byte header that specifies the entity that generates the message, the version of the TLS protocol used, and the length of the message.
• the messages themselves also include a header that indicates the type of the message and the length of the associated data.
• the structure of the "APPLICATION” messages is not defined by the TLS standard. Indeed, each application exchanges messages whose structure is defined by the application protocol, such as in the context of Hypertext Transfer Protocol Secured (HTTPS) protocol messages for "secure hypertext transfer protocol”.
• HTTPS Hypertext Transfer Protocol Secured
• an "APPLICATION" application uses the services offered by the TLS protocol which achieves the confidentiality (encryption) and the confidentiality of the data transported by means of the TCP (transmission control protocol) protocol for control protocol transmissions ") acting at the transport layer.
• the implementation of the secure channel by TLS is carried out in two steps, an authentication and key calculation phase, followed, if successful, by a phase of use of a secure communication channel, which uses the set of keys previously determined.
• the "HANDSHAKE” layer entity (also known as the “HANDSHAKE” layer) performs the authentication and key calculation procedures. There are two modes of authentication the complete mode (called “FuIl Session”) and a quick mode (called “Session Resumption”). These two modes will be more precisely described later.
• the layer “HANDSHAKE” negotiates the encryption and integrity algorithms implemented by the entity of the RECORD layer (also called “RECORD” layer), which are identified by a number called “cipher_suite”.
• the layer At the end of a successful authentication procedure, the layer
• PRF Physical Random Function
• the keys block parameter is a pair of two key pairs (KcRx, KiRx) and (KcTx, KiTx) used respectively for the encryption (prefix Kc) and the integrity (prefix Ki) of the received data (suffix Rx). and issued (suffix Tx).
• the Change Cipher Spec (CCS) layer reports to the "RECORD” entity the changes to the security settings. It enables encryption and data integrity procedures, using the "keys_bloc" and "cipher_suite” parameters.
• the entity of the ALERT layer reports errors detected by the entity “HANDSHAKE” (in case of authentication failure), or by the “RECORD” layer (detection of a lack of integrity, or an end of session).
• the "RECORD" layer performs four types of operations: fragmentation of the data into blocks whose maximum size is 2 14 bytes; optional compression of the data; this service is generally not insured; a signature generation (based on the HMAC algorithm, defined by RFC 2104); - data encryption.
• the messages exchanged between the application layer and the TCP layer are encrypted and decrypted by the "RECORD" layer using a set of two key pairs (KcRx, KiRx) and (KcTx, KiTx) previously described.
• the messages received by the "RECORD" layer are encrypted by the key KcRx ((M) KcRx) and provided with an HMAC signature (KiRx, M) associated with the key KiRx.
• KcRx (M) KcRx
• HMAC signature KerRx, M
• the messages sent by the application layer are encrypted by the "RECORD" layer using the KcTx key ((M) KcTx) and provided with an HMAC signature (M 5 KiTx) associated with the KiTx key.
• a "MESSAGE” sent / received by an entity such as "HANDSHAKE” or “APPLICATION” is provided with a header comprising three parameters: type, version , length.
• the set “MESSAGE”, “HMAC signature” and “stuffing bytes” is encrypted using the algorithm negotiated during the authentication phase and a key Kc.
• the signature "HMAC” is calculated from the header, the "MESSAGE” and a frame number (seq_num) (initialized to the value 0 and incremented with each use of the layer "RECORD") according to the following relation :
• the client entity verifies the validity of the server's certificate, extracts its public RSA key, and then sends it a value called "pre_master_secret” encrypted of this key.
• the "master _secret” is calculated from the “Client-Random”, “Server-Random” and “pre-master-secret” elements.
• the "CertificateVerify” message contains a signature made with the client's RSA private key, which proves the identity of the latter (his certificate present in the "Certifi- cate” message).
• the client entity and the server entity have a new value "master _secret” from which the keys of the "keys_bloc" are deduced.
• a "SessionID” parameter passed in the "ServerHello” message provides an index of the "master _secr and”.
• the data generated by the "APPLICATION” layer is transported by the "RECORD” entity, which ensures the confidentiality and the integrity thereof by means of the keys Kc and Ki.
• Keys_block PRF (master_secret, "key expansion", server _random ⁇ client _random).
• the "Session Resumption” mechanism simplifies the exchange of information during a TLS session.
• a first "FuIl Session” performs simple or mutual authentication of both ends (client and server) and produces a “master _secret”.
• TLS stack i.e., the sequence of steps leading to the exchange information
• the invention proposes a new solution that makes it possible to solve these disadvantages of the prior art, in the form of a method for producing security data, enabling the implementation of a secure session between a first and at least one second entity, according to a protocol for establishing secure sessions.
• a method for producing security data comprises: a step of initialization of a third secure entity, linked to said first entity; a step of generating at least a portion of said security data within said third entity; a step of transmitting said security data from said third secure entity to said first entity.
• the invention allows the production of such data within a third entity different from the first.
• This third entity can be attached either mechanically to the first entity or through an interface of a network, such as a local area network.
• the generation of the data enabling the implementation of the secure session is therefore no longer performed by the entity implementing the secure session, but by a third entity, thus avoiding the various attacks that can be conducted vis-à- vis of the first entity.
• the method according to the invention thus makes it possible to replace the first entity during the production of secure session data.
• Such a substitution authorizes the conduct of at least a part of the data definition operations allowing the establishment of the session within the third entity which can therefore take the place of the first and thus secure the procedure of creating the data at within a safe environment.
• said third entity is a "JavaCard” type smart card.
• the invention makes it possible to dissociate the device which is responsible for implementing the security protocol of the device wishing to have a secure connection.
• the use of a "JavaCard" type smart card ensures that this entity responsible for implementing the security protocol is inviolable and completely secure.
• An additional level of security, resulting from the work carried out by the inventors, is therefore added to the entire security protocol.
• said secure session establishment protocol is the SSL protocol.
• the invention supports the establishment of a secure session respecting the SSL protocol, which is one of the major protocols in this area.
• said secure session establishment protocol is the TLS protocol.
• said production method also comprises: a step of transmission, by said first entity, of at least one message intended for a "RECORD" layer implemented within said third entity; a step of reception, by said first entity, of at least one message coming from said "RECORD" layer; a step of calculating a set of keys by said third entity; a step of collecting said set of keys available from said first entity to said third entity; a step of recovering a secure communication session identifier.
• the invention makes it possible to maintain the conformity of the existing installations by carrying out a transfer of messages instead of the execution of the production steps on the first entity, which may be subject to attacks.
• the invention also relates to a device for producing security data, enabling the implementation of a secure session between a first and at least a second entity, according to a secure session establishment protocol.
• a device for producing security data comprises: initialization means, attached to said first entity; means for generating at least a part of said data of security; means for transmitting said security data to said first entity.
• such a device comprises means enabling it to implement the steps of the production method as described above.
• said generation means and said transmission means are grouped together in a smart card.
• Such a device according to the invention has means of resistance to malicious attacks.
• the invention also relates to a computer program product downloadable from a communication network and / or stored on a computer readable medium and / or executable by a microprocessor.
• a computer program product comprises program code instructions for executing the production method as described above. 4 LIST OF FIGURES
• FIG. 1 presents a block diagram of the method for producing secure data according to the invention
• FIG. 2 illustrates an exemplary implementation of the production method within a security module according to the invention
• FIG. 3 describes a mode of implementation of the production method by two entities using two security modules in a mode known as
• FIG. 4 describes a mode of implementation of the production method by two entities using two security modules in a mode called
• FIG. 5 also describes a mode of implementation of the production method by two entities using two security modules in a so-called “Session Resumption” mode;
• FIG. 6 describes an architecture of a device for producing security data, also called a security module. DETAILED DESCRIPTION OF THE INVENTION
• the invention thus makes it possible to solve the problems related to the intrinsic insecurity of the entities on which the SSL and TLS protocols are implemented.
• these entities are, in general, servers running on proprietary operating systems or from the free world or personal computers of conventional users. While most of the time is given relatively broad trust in the "server” category, the personal computers of individual users do not have the same level of security as the servers and are therefore more often (but not exclusively) subject to the risks. attacks.
• the communication session security protocols such as TLS and SSL perform their functions correctly, it is very likely that an attack on a workstation or a server entity using malicious software could occur. introduce into a "software stack" or modify operating system files.
• the invention makes it possible to implement at least certain authentication steps in a third party entity of the entity that generally implements this authentication phase.
• a third entity which is a device for producing security information according to the invention, is also called a "security module”. This entity puts then available the information necessary to continue the authentication session.
• Such information can be, for example, the session keys (keys_bloc) or the "master_secret” (depending on the required security level) for software that needs secure information exchange through SSL / TLS protocols.
• the general principle of the invention relies on delocalization, within a trusted entity, such as a security module, of at least some steps of a protocol, such as an authentication protocol, to enforce. Indeed, although the application data is exchanged between the client and server entities, the authentication phase is the most critical process and establishes the identity of both parties, verifies their certificates and calculates the cryptographic keys.
• the invention differs from the techniques of the prior art, which implement smart cards, in that these prior mechanisms do not offer, within the card in question, a software execution, but a simple storage data such as certificates or keys.
• An entity according to the invention does not contain, in its primary function, data, but a set of mechanisms allowing the execution, independently, of at least some steps of a secure protocol.
• the method for producing secure data comprises: an initialization step (100) of the security module (for example a smart card), attached to a first entity (for example a personal computer); a step of generating (101) a portion of the security data within the security module; a step of transmitting (102) the securing data of the security module to the first entity.
• an initialization step (100) of the security module for example a smart card
• a first entity for example a personal computer
• generating (101) a portion of the security data within the security module
• a security module implementing the method according to the invention for the SSL / TLS protocol authentication steps. It is clear, however, that the invention is not limited to this particular application, but can also be implemented in many other fields, and for example in entities that could implement initialization or start-up mechanisms.
• a smart card carrying means for executing computer programs (security module).
• security module can for example be a "JavaCard” that is to say a smart card that integrates a Java virtual machine.
• Such smart cards have the advantage of being resistant to attacks. This means that these cards have physical characteristics that drastically reduce the risks and possibilities of hacking. They are therefore particularly well suited for the implementation of secure procedures.
• the method according to the invention makes it possible to "delocalize” the implementation of the SSL or TLS protocol within this security module.
• the TLS stack (that is to say the sequence of steps of the process leading to the authentication) is entirely executed on the same computer and thus does not allow to separate the procedures of Authentication and exchange of information.
• a security module implementing the method according to the invention therefore comprises original features that enable it to perform the authentication phase of the TLS protocol, and to transfer the right to an application to use the previously established secure tunnel. .
• a security module implementing the method according to the invention performs the functions of client or TLS server entity.
• the method according to the invention implements the entities "HANDSHAKE”, “ALERT”, “CCS” and “RECORD” described above.
• FIG. 2 shows a security module (210) implementing the TLS protocol according to the production method of the invention and a user entity (200), that is to say an application (2000). ) comprising a subset of the TLS stack, namely the layers “RECORD” (2004) and “ALERT” (2002) and optionally the layers “CCS” (2003) and “HANDSHAKE” (2001).
• the "RECORD” layer (2004) presents a communication interface with the "TCP” layer (2005).
• such a security module provides a functional interface (220) which comprises eight commands: “SET-Credentials”, “Start”, “Process-TLS”, “GET-Keys_bloc”, “Compute-Keys_bloc” , “GET- Cipher_suite”, “GET-SessionID”, “GET-Master_secret”.
• commands can be performed according to the ISO 7816 standard according to a coding commonly called “APDUs” (of the English “Application Protocol Data Unit” for "Data Unit (PDU) of the layer seven (Application) of the OSI model” ).
• the security module (210) which implements the production method according to the invention comprises the entities necessary for the implementation of the method the "RECORD” (2104) and "ALERT” (2102) layers and optionally the "CCS” (2103) and "HANDSHAKE” (2101) layers.
• the functional interface (220) allows the user entity (200) to call the security module (210) for the production of security data.
• the role of the module that is to say its behavior client or server entity and the various parameters necessary for its operation, usually qualified letters of credit or "credentials" in English (X509 certificates, RSA private key) is enabled by SET-Credentials () command, SET-Credentials (role)
• a "Start" command initializes a session
• TLS since the security modules do not generally include a clock, it also informs the GMT time in the so-called UNIX format, that is to say a number of 32 bits which measures the number of seconds elapsed since January 1, 1970. .
• TLS packets that is, messages generated by a RECORD entity, are transmitted to the security module using the Process-TLS (Record-Packets) command that returns one or more RECORD messages.
• Record-Packets Process-TLS (Record-Packets)
• the user of the services of the security module can then manage autonomously (without the help of the security module) his own layer RECORD. Indeed it knows the keys of the secure channel (keys_bloc) and the current value of the parameter seq_num equal to 1 (the value 0 was used for the calculation of HMAC integrity of the message FINISHED).
• Compute-Keys_bloc () command associated with the random numbers generated by the client entity and the server entity (Client-Random and Server-Random) makes it possible to calculate the "keys_bloc" parameter. It is useful during a session of type "Session Resumption", or the user of the security module uses the latter, only to obtain keys_bloc.
• keys_bloc Compute-Keys_bloc (Client-Random, Server-Random)
• the GET-SessionID command returns the "SessionID" parameter associated with the current session or the previous session. This is useful information for the user who wants to partially manage a Session Resumption.
• SessionID GET-SessionID ()
• the GET-Master_secret () command collects the "master_secret” associated with the "SessionID" of the current or previous session. It is optional and corresponds to a "Session Resumption" management policy for which the user does not use the "keys_bloc" calculation service.
• master_secret GET-Master_secret () 5.4 Implementation of the protocol
• a first mode is illustrated in FIG. 3. It concerns the implementation of the method according to the invention applied to a "full session” mode login using the RSA algorithm, with mutual authentication (" Client Authentication Handshake ").
• a client entity (350) initiates the latter with a ClientHello message (301).
• a server entity entity (360) responds with a set of ServerHello (302), Certificate (303), CertificateRequest (304), ServerHelloDone (305) messages.
• the client entity then delivers the messages Certificate (306), CertificateVerify (307), ClientKeyExchange (308), ChangeCipherSpec (309), and Finished (310).
• the client entity verifies the validity of the server certificate, extracts its public RSA key, and then sends it a value called encrypted pre_master_secret of this key.
• the master_secret is calculated from the Client-Random, Server-Random and pre-master-secret elements.
• the CertificateVerify message (307) contains a signature made with the RSA private key of the client, which proves the identity of the latter (its certificate present in the message Certificate (306)).
• the client entity and the server entity have a new value master_secret from which the keys of the keys_bloc are deduced.
• a SessionID parameter passed in the ServerHello message provides an index of the master_secret.
• the data generated by the APPLICATION layer is transported by the RECORD entity (313) (313), which ensures the confidentiality and integrity thereof by means of the keys Kc and Ki.
• the previously described steps are implemented within security modules: one for the client entity (35) and one for the entity server entity (36). As shown in FIG. 3, the previously described steps are not implemented within client entities (350) and entity entities server (360) but only "transit” through these entities). The actual implementation is carried out with the security modules using commands of the functional interface of the module.
• Cipher_suite (3005, 3006) indicates the list of cryptographic algorithms used for managing the secure channel.
• the client entity opens a TLS session with a server entity typically listening on TCP port 443.
• a security module is implemented on the client entity side
• a second mode is shown in Figure 4.
• a previous session type "FuIl Session” has obtained a "master_secret” identified by a "SessionID” index.
• the authentication phase is simplified and consists of both parties (client entity and server) to prove their knowledge of the master_secret value.
• the client entity (440) opens the TLS session with a ClientHello message (401) containing the index (SessionID) of a previous session.
• the server entity (460) responds with a set of messages "ServerHello” (402), “ChangeCipherSpec” (403), and "Finished” (404).
• PRF master_secret, "key expansion", server_random
• Session Resumption mechanism simplifies the exchange of information during a TLS session.
• a first session FuIl performs simple or mutual authentication of both ends (client entity and server) and produces a master_secret.
• a Session Resumption session is negotiated between a client entity and a server entity.
• the value of the "master_secret" is protected by the security module on the client entity and / or server side.
• Session Resumption is negotiated between a client entity (550) and a server entity (560).
• the value of the "master_secret” is stored by the client-side (55) and / or server (56) security module.
• a security module in the form of a silicon integrated circuit (600), usually referred to as "Tamper Resistant Device”, literally a “component that resists attacks”, such as for example the ST22 component (produced by the company ST Microelectronics) and available in different formats such as PVC cards, (smart cards, SIM card, ...) integrated into USB tokens, or in MMC (MultiMedia Card) memories.
• ST22 component produced by the company ST Microelectronics
• PVC cards smart cards, SIM card, ...) integrated into USB tokens, or in MMC (MultiMedia Card) memories.
• MMC MultiMedia Card
• Such a security module incorporates all secure means of data storage, and also allows the execution of software in a secure and protected environment. More precisely, it comprises a central unit (CPU, 601), a memory
• ROM storing operating system code (602), RAM memory (603), and nonvolatile memory (NVR, 604), used as a hard disk-like storage device, and which contains, for example, software embedded TLS.
• a system bus (610) connects the various members of the secure module.
• the interface to the outside world (620) is provided by an IO input / output port (605), compliant with standards such as ISO6816, USB, USB-OTG, ISO6816-12, MMC, IEEE 802.3, IEEE 802.11 etc.
• JAVA smart cards commonly referred to as JAVACARD, are a special class of security module.

Landscapes

• Engineering & Computer Science (AREA)
• Computer Security & Cryptography (AREA)
• Computer Networks & Wireless Communication (AREA)
• Signal Processing (AREA)
• Computer Hardware Design (AREA)
• Computing Systems (AREA)
• General Engineering & Computer Science (AREA)
• Computer And Data Communications (AREA)
• Communication Control (AREA)
• Data Exchanges In Wide-Area Networks (AREA)

Applications Claiming Priority (2)

Publications (1)

Family

ID=38690408

Family Applications (1)

Country Status (7)

Families Citing this family (20)

Citations (1)

Family Cites Families (18)

• 2007
  • 2007-05-25 FR FR0703743A patent/FR2916592B1/fr active Active
• 2008
  • 2008-05-19 CN CN200880024587A patent/CN101809964A/zh active Pending
  • 2008-05-19 WO PCT/EP2008/056136 patent/WO2008145558A2/fr active Application Filing
  • 2008-05-19 RU RU2009147315/08A patent/RU2487482C2/ru not_active IP Right Cessation
  • 2008-05-19 CA CA002689015A patent/CA2689015A1/en not_active Abandoned
  • 2008-05-19 EP EP08750344A patent/EP2153613A2/de not_active Withdrawn
  • 2008-05-19 US US12/602,000 patent/US8646041B2/en active Active

Patent Citations (1)

Non-Patent Citations (1)

Also Published As

Similar Documents

Legal Events