Classifications

• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L63/00—Network architectures or network communication protocols for network security
  • H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
  • H04L63/062—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L63/00—Network architectures or network communication protocols for network security
  • H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
  • H04L63/065—Network architectures or network communication protocols for network security for supporting key management in a packet data network for group communications
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
  • H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
  • H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
  • H04L9/0841—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols

Definitions

• the invention relates to a device and a method for routing public or non-sensitive value exchange flows making it possible to create common secret keys between several zones.
• OSI level 2 virtualization through the implementation of IEEE 802.1 P, Q IEEE 802.1 p - Traffic Class Expediting and Dynamic Multicast Filtering (published in 802.1 D-1998) and 802.1 Q - Virtual LANs) ( "Using Doc Ref: Article: Author: E 5 NICLAS, IEEE 802.1 P 1 Q - QoS on the MAC level...
• IGC management key management method
• the main disadvantage of the prior art is the requirement for an IT department to have a key management infrastructure, and to configure each level 2 or 3 routing equipment at each commissioning.
• RFC 802.1 P, Q allows in the case of an Ethernet network to provide the ability to create virtual private networks by setting a network number associated with a network. delimited area of the network by Ethernet switches.
• One of the drawbacks is the fact of not having a sufficient level of security in case of modification of the parameters of the standard 802. P, Q and thus the re-assignment of the network numbers associated with one or more zones. This standard does not provide securing partitioning between configured switch equipment.
• the present invention relates to an equipment for autonomously configuring security between entities that are made to communicate with each other, by group of confidence or partitioning. It also provides an autonomous group key negotiation mechanism between the aforementioned entities in order to be able to create, from the equipment, a cryptographic filtering of the flows flowing in their respective domains.
• the invention relates to a method for routing exchange flows of public or non-sensitive values making it possible to create common keys between several zones in a system where the entities communicate with one another by a group of confidence, characterized in that it comprises minus the following steps: o each entity generates a public value and communicates this public value to a switcher, o said switcher has a table of correspondence between a virtual network number and the MAC addresses of the associated entities, where the switcher retrieves all the addresses entities transmitted by the entities by associating them with their MAC address, and retransmits to each of said entities associated with a virtual network from its correspondence table, a public value of another entity belonging to the same trusted group, this step being reiterated for all entities, where each entity recovers the public value of another entity ntity belonging to the same trusted group then determines the value of the encryption key common to the entities of the same trusted group, where an entity belonging to the same trusted group uses this key to encrypt the data to be transmitted to another entity .
• the invention relates to a system for routing public or non-sensitive value exchange flows making it possible to create common keys between several zones, in a system where the entities communicate with each other by a group of confidence, characterized in that it includes at least the following elements: o an entity includes a cryptography module adapted to generate a public value and a common secret, a referral device comprising a correspondence table establishing the links existing between the virtual network numbers and the MAC addresses of the associated entities, means of communication between the referral device and the entities in such a way that an entity transmits to the referral device a public value, the referral device transmits said public value to another entity belonging to the same confidentiality group and an entity determining the value of the key to encrypt its data.
• Figure 1 a reminder concerning the mechanism of the Diffie-Hellman protocol
• Figure 2 a system architecture implementing the router according to the invention
• Figure 3 a possible correspondence table between a virtual network and MAC addresses (Medium access ..) 4
• Figure 5 the diagram of the sending of public values Diffie-Hellman to the switchman according to the invention
• Figure 5 the routing of public values Diffie-Hellman by the FIG. 6, a first example of secure virtual networks generated
• FIG. 8 the Ethernet Trame format integrating the security option
• FIG. FIG. 9 the format of a frame integrating the option of calculation of integrity.
• the invention can, however, apply as soon as entities can communicate with each other, by trust group or partitioning.
• the router according to the invention makes it possible to create trust groups and to convey the public values of each of the entities in order to enable them to generate a secret element associated with each of the groups.
• Figure 1 recalls the Diffie-Hellman or DH protocol, whose principles are described in the article published by Diffie-Hellman in 1976, under the title "New Directions in Cryptography.” IEEE Trans. On The Information Theory, Vol.lT-22-6, November 1976. The main result of this article is the possibility for two users communicating via an unsafe network to agree on a session key, intended to encode their communications later.
• G ⁇ g> be a cyclic group.
• the two participants U 1 , U 2 each randomly choose X 15 X 2 belonging to G respectively and exchange the values g x1 , g x2 on the network.
• the user Ui (respectively U 2 ) then calculates the Diffie-Hellman secret g x1x2 by receiving the message of U 2 (resp Ui).
• FIG. 2 represents an example of an architecture integrating the mechanism and the switchman according to the invention comprising:
• the network implements, for example, the IP internet protocol.
• the router the various entities communicate with each other via a switch 4 for example, which allows the connection of the entities to each other according to the configuration data from the switchman.
• the design of this switch is known to those skilled in the art and will not be detailed in the present patent application.
• the router 1 is characterized, for example by means of its MAC (Medium Access Control) address and IP Internet address, in the example. It includes ways to manage group rules and the associated protocol. It is designated "switchman".
• An encryption module (or cryptography) in the form of a software or a circuit (in English term “Hardware") is integrated in each of the equipment or entity 2i of the network.
• This encryption module 5 has the particular function of enabling the implementation of the Diffie-Hellman protocol or any other similar protocol for each entity and calculating the group DH secret value for the common secret.
• An entity is for example characterized by its MAC address and has cryptographic capabilities.
• the device according to the invention implements in this example a protocol on the Ethernet layer 2, integrating several fields characterizing the identification of a virtual network generated by the router, and the integrity patterns of the level 2 frame. .
• the "switchman" equipment 1 has a set of rules for creating virtual networks. For this, it has a correspondence table described in Figure 3 between the virtual network numbers and the MAC addresses of the associated entities.
• Each of the entities of the network generates a secret or public value Diffie Hellman g IDl , then each of the entities sends a message to the switchman with his public value Diffie-Hellman g IDl .
• the transmitted messages are shown schematically in Figure 4 by arrows F, an arrow being indexed with a public value g IDl .
• the router 1 retrieves all the public values transmitted by the entities by associating them with their MAC address:
• the public value g ID1 is associated with the MACi address of the entity 1 and so on for the following entities 2 to N, g ID2 , MAC address 2 , g IDN , Address
• the router then sends each entity the Diffie-Hellman value corresponding to the entities associated with a virtual network (component of the trusted network) from its correspondence table.
• the sender transmits the public value generated by the entity 2 g ID2
• the sender transmits the public value generated by the entity 1g ID1
• the frame format used is for example the format described in FIG. 8.
• the frame comprises the following fields: a source MAC field, a destination MAC field, a SKP field corresponding to the security option, a DATA data field and a security field. Error control field or CRC.
• the SKP field comprises, for example, the number RV (virtual network number), the identifier of the entities belonging to the virtual network concerned and the value of Diffie-
• Each of the entities retrieves the Diffie-Hellman value of the entity associated with the same virtual network and will calculate from this value the secret common to the entities belonging to the same virtual network. For example, in Figure 5.
• entity 1 calculates the common secret g ID1
• ID2 ID1 (MACi): (g ID2 ) ID1 -> g ID1 ID2 ; entity 2, ID2 (MAC 2 ): (g ID1 ) ID2 -> g ID1 ID2
• ID3 (MAC 3 ) and ID4 (MAC 4 ) ID3 (MAC 3 ) entity (g ID4 ) ID3 -> g ID3 ID4 ;
• Each of the entities then calculates the integrity pattern from a SHA1 hash algorithm described for example in the FIPS 180-2 reference "Federal Information Processing Standards Publications”: FIPS PUB 180-2 - Secure Hash Standard (SHS) - August 2002, and integrates it into the ETHERNET frame to define the partitioning between virtual networks by the verification of the integrity reason.
• This step is shown in FIG. 6.
• the partitioning of the networks is represented by solid lines Ci which connect, for example, the addresses ID 1 and ID 2 , the virtual network formed corresponding to the virtual network 1, etc.
• the parameters defining the virtual network and its security will take the form of an option to be inserted in the Ethernet.v2 format.
• the format is for example that described in FIG. 9.
• the field SKP is replaced by a field RVS (Secure Virtual Network) which includes the identifier ID, the label and the control of message integrity or "MIC" abbreviated Billboard Integrity Control message.
• RVS Secure Virtual Network
• each of the control modules of the flow direction between the entities has all the security elements that allows it to secure the flow through its referral module (via the creation of a common key by the DH mechanism).
• the switching equipment will have to send the public values defined by the pairs formed by the network entities by repeating the above phase so that each entity can calculate the Diffie-Hellman group secret.
• the operation of the invention is therefore defined in several phases described below:
• Each of the network entities generates a Diffie Hellman secret ID1 , then each entity will send a message to the switchman with its public value Diffie-Hellman g IDi (FIG 4).
• the switcher will retrieve all the values of the entities by associating them with their MAC address: g ID1 , MACi address g ID2 , MAC address 2 g IDN , MAC address N
• the switcher will exchange (according to the format figure 8) with each of the entities the value Diffie-Hellman with respect to entities associated with a virtual network from its correspondence table (FIG.5).
• Virtual Network 1 MACi
• Each of the entities will then recover the Diffie-Hellman value of the entity associated with the same virtual network and will calculate from this value a first common secret, and will return this value to the switchman as long as the number of public secret received is different from the number of participants in the virtual network.
• ID3 (MAC 3 ): (g ID4 ) ID3 -> g ID4 ID3 ; ID4 (MAC 4 ): (g ID3 ) ID4 -> g ID3 ID4
• ID4 (MAC 4 ): (g ID5 ) ID4 -> g ID4 ID5 ; ID5 (MAC 5 ): (g ID4 ) ID5 -> g ID4 ID5 For ID3 (MAC 3 ) and ID5 (MAC 5 )
• ID3 (MAC 3 ): (g ID5 ) ID3 -> g ID3 ID5 ; ID5 (MAC 5 ): (g ID3 ) ID5 -> g ID3 ID5
• Each of the entities will then return this value to the switchman until the number of public secret received is equal to the number of participants in the virtual network.
• the referral device will then direct these values to the network entity to finalize the group value.
• ID3 (MAC 3 ) entity ID4 ID5 g) ID3 -> g ID3 ID4 ID5
• ID4 (MAC 4 ) entity ( ID3 ID5 g) ID4 -> g ID3 ID4 ID5
• ID5 (MAC 5 ) entity (g ID3 ID4 ) ID5 -> g ID3 ID4 ID5
• Each of the entities will then be able to calculate the integrity pattern from a SHA1 type hashing algorithm, and integrate it. in the ETHERNET frame to define the partitioning between virtual networks by checking the reason of integrity.
• the partitioning is represented by the arrows Dj in solid lines of FIG.
• an entity is, for example, equipment that is usually used in an Ethernet network and the flows exchanged are IP flows.
• the switcher according to the invention is therefore an entity that allows to create trusted groups, and to route the public values of each entity to allow them to create a secret element associated with each group.
• Each entity has crypto (DH) capabilities.
• the switcher has only abilities to manage group rules and the associated protocol.
• the invention can be implemented with software bus techniques (middleware, or middleware in English), in which the entities are represented by the notion of interconnected software services (between them following a service d 'phone book).
• the router according to the invention will be a particular service accessible by all other services.
• the application to partitioned networks is also possible, for example, the invention is used for Ethernet / IP networks via a local virtual network system or in English VLAN (virtual local area network) based on switches or based on on routers in the case of VPN (Virtual Private Network).
• the invention particularly has the following advantages: a simplification in the configuration and flexibility in the parameterization of the equipment in a virtual network, and secondly, the security in terms of integrity and confidentiality of the communication flow between the equipment forming a virtual network.
• the method and the system according to the invention are based on the fact of distributing the notion of trust and groups between the switcher and the communicating nodes, and thus to manage the creation of dynamic keys in a compartmentalized manner, in which the switcher has no concept of cryptographic security but just a notion of trust group, while the nodes individually bear this cryptographic capacity but without notion of security associations.
• the invention thus allows the effective separation between the group management and the dynamic securing of these groups.

Landscapes

• Engineering & Computer Science (AREA)
• Computer Security & Cryptography (AREA)
• Computer Networks & Wireless Communication (AREA)
• Signal Processing (AREA)
• Computer Hardware Design (AREA)
• Computing Systems (AREA)
• General Engineering & Computer Science (AREA)
• Data Exchanges In Wide-Area Networks (AREA)

Applications Claiming Priority (2)

Publications (1)

Family

ID=39491370

Family Applications (1)

Country Status (4)

Families Citing this family (16)

Family Cites Families (9)

• 2007
  • 2007-10-12 FR FR0707180A patent/FR2922392B1/fr not_active Expired - Fee Related
• 2008
  • 2008-10-10 EP EP08837866A patent/EP2206276A1/de not_active Withdrawn
  • 2008-10-10 US US12/682,764 patent/US20110093696A1/en not_active Abandoned
  • 2008-10-10 WO PCT/EP2008/063609 patent/WO2009047325A1/fr active Application Filing

Non-Patent Citations (1)

Also Published As

Similar Documents

Legal Events