EP2850774A1

EP2850774A1 - Method and system for authenticating the nodes of a network

Info

Publication number: EP2850774A1
Application number: EP13720831.0A
Authority: EP
Inventors: Nouha OUALHA; Alexis Olivereau; Christophe Janneteau
Original assignee: Commissariat a lEnergie Atomique et aux Energies Alternatives CEA
Current assignee: Commissariat a lEnergie Atomique et aux Energies Alternatives CEA
Priority date: 2012-04-26
Filing date: 2013-04-15
Publication date: 2015-03-25
Also published as: US20150149767A1; WO2013160140A1; FR2990094A1

Abstract

The present invention relates to a system and a method for authenticating the nodes of a communication network in order to access the services of a service provider. The invention involves a collective authentication of the nodes, which is performed in a single exchange between the nodes of the network that are declared as a group and an authentication server. According to the result of the authentication, the service provider is supplied with cryptographic materials so as to individually control access to the resources or to the services offered for each node.

Description

METHOD AND SYSTEM FOR AUTHENTICATING NODES OF A

NETWORK

Field of the invention

The invention relates to the field of security in communication networks and in particular the authentication of nodes in networks with low resources.

State of the art

Currently, authentication of the nodes in a low resource network is done in an individual way. Either each node is authenticated with its real or virtual identity, or it is authenticated by identifying itself as a member of a group of nodes.

A well-known solution for authenticating several nodes consists in carrying out, successively or in parallel, several individual authentications. The most widespread technology is the Extensible Authentication Protocol (EAP) described in Extensible Authentication Protocol (EAP), IETF RFC 3748, June 2004 by B. Aboba et al. which defines how a client authenticates to a server.

By serializing the authentications Independent individual server considers each authentication procedure as strictly independent, which leads to a significant resource consumption such as energy costs of communications or a decrease in bandwidth. Another limitation is that the server can not use the EAP protocol to send security settings to the service provider.

In order to limit the overhead on an authentication server, systems have been proposed which make it possible to delegate the authentication functionality by the server to other nodes of the network. Thus, in third-generation cellular networks, the "Authentication and Key Agreement" protocol of B. Aboba et al. or (AKA) implemented for authentication and bootstrapping provides in particular to delegate the ability to authenticate the mobile station and to be authenticated by it from a "Home Subscriber Server" or (HSS) to a " BootStrapping Function "or (BSF) of the service provider. To this end, authentication vectors are handed over from the HSS to the BSF which are then used as part of a local authentication between the BSF and the User Equipment in English or (UE). However, the delivery of these parameters is not aggregated when several different users wish to authenticate with the same BSF. In addition, the authentication vectors are strictly for a single user and must be generated for each customer by the HSS.

An authentication method for machine-to-machine communications is provided in [CN102088668, "Group-based authentication method of communication type machine (MTC) devices," Xidian University, 2011]. This method authenticates a group of nodes as a single unit. The nodes register in a group by a server "Machine-Type Communication" or (MTC in English). Based on a group authentication vector, the nodes authenticate to the Authentication Center (AuC) as members of that group.

In a similar manner, the method described in patent application WO2011131052 of Tian Tian et al. entitled "Group Authentication Method and System in Machine-to-Machine Communication Systems", authenticates a group of nodes in an MTC network based on group-generated group cryptographic material. authorization and sent to an Access Security Management Equipment (ASME).

Both of these group authentication methods reduce traffic at the infrastructure level, either between the MTC server and the AuC for the first method, or between the authorization server and the ASME for the second method. However, they do not reduce the number of messages exchanged at the level of the MTC network which is generally low resources. There is then the need for a solution that allows collective authentication of the nodes of a group where all members of the group are authenticated in a single exchange. The present invention meets this need.

SUMMARY OF THE INVENTION An object of the present invention is to provide a method of collective authentication in a single exchange of a group of nodes in a communication network. Another object of the invention is to enable nodes of a network to authenticate to a service provider by using an authentication server and, depending on the result of authentication, to provision the service provider. in cryptographic materials to achieve individualized access control to the resources or services offered.

Advantageously, the present invention applies when the members of a group want to access at the same time resources or services administered by a remote infrastructure.

Another advantage of the present invention is to consume fewer resources in terms of bandwidth in the network and less energy at the nodes, than in the methods of individual authentication of the nodes.

Another advantage is that the control of access to resources and services remains individualized for each of the members of the group.

Advantageously, the invention enables the messages of an authentication server to be broadcast to the group in a multicast routing tree and the authentication messages of the nodes to be sent back to the server according to a reverse multicast method. by aggregating the content of the messages. Another object of the present invention is to be able to handle situations where some members of a group are failing or disconnected or when a limited number of nodes of a group fail at aggregate authentication.

Advantageously, the invention allows an authentication server to authenticate and export for each of the nodes of a group, security parameters, such as keys, rights of access, to the service provider. Advantageously, the present invention will be implemented in the context of security services such as bootstrapping in initial authentication, re-authentication, and authorization.

Still advantageously but without limitation, the invention will find applications in the industrial fields of machine-to-machine communications security.

To achieve the desired results, a method as described in independent claim 1, a system as described in independent claim 10 and a computer program product as described in claim 12 are provided.

In particular, a method for

to authenticate a group of nodes among a plurality of nodes of a communication network, the method

comprising the steps of:

identifying, among the plurality of nodes, a group of nodes to be authenticated;

- generate a challenge for the node group;

sending from an authentication server the challenge to a first node of the plurality of nodes;

- broadcast from the first node, the challenge to all nodes of the node group according to a multicast routing tree;

- Aggregate at the level of the first node according to a tree of Inverse multicast routing of the multicast routing tree, the responses to the challenge of the nodes of the group;

- send the aggregated responses to the server

authentication;

- check the aggregated answers; and

- generate a success message for the node group if the collective verification is successful.

Different variants of implementations are described in the dependent claims.

Description of figures

Various aspects and advantages of the invention will appear in support of the description of a preferred mode of implementation of the invention but not limiting, with reference to the figures below:

Figure 1 is a topological representation of a network infrastructure in which to advantageously implement the invention; Figure 2 shows the steps performed by the method of the present invention to authenticate the nodes of a group;

Figure 3 shows the exchanges made between the nodes of a group and the authentication server in a preferred implementation of the invention; Figure 4 illustrates an alternative implementation of the exchanges of Figure 3.

Detailed description of the invention

The invention is advantageously applied in a network formed of nodes having low resources, and some nodes must access a resource or service associated with a remote infrastructure. Examples of low-resource networks are sensor networks that are increasingly deployed in the industrial and vehicular networks.

Figure 1 shows an example of a general context 100 in which to advantageously implement the invention. A group of nodes (102) composed of low resource equipment must access services or resources associated with a service provider (104) of a remote infrastructure. The services or resources required may be connectivity or data requirements. The nodes can be mobile or static and are connected to the remote network through a gateway (110). The service provider server may in an implementation variant be co-located on the gateway, as for example in the case of network access.

To access these services or resources, the nodes must be authenticated to an authentication server (106).

The remote infrastructure may contain intermediate entities such as routers (108).

For reasons of simplicity of description and not limitation of the invention, the example of FIG. 1 only shows a finite number of entities and connections, but the person skilled in the art will extend the principles described for the present invention. invention to a plurality and variety of nodes of a group and type of servers, gateway or connections (wireless, mobile, very high speed).

The node network (102) may be based on level 2 (e.g., 802.15.4 or 802.11) or level 3 (e.g., IP) communications. Depending on the protocols on which it is based, multicast or broadcast communication schemes can be used. Such a global network forms what is referred to as an Internet of Things (IoT). It covers two types of communication:

• those of object to person;

• object-to-object, or machine-to-machine (M2M).

These communications can be established in a limited context (a single protocol used, for example ZigBee and / or a single scenario targeted, for example the Intelligent Electric Network or Smart Grid) and one speaks then about "Intranet of the objects" or may have vocation to make possible a great number of distinct services, while relying on many communications protocols, and we are talking about the "Internet of Things". Generally, the Internet of Things is an architecture that allows the interconnection of the classic Internet with communicating or perceived objects, and which relies on decentralized communication schemes, while implementing autonomous mechanisms.

The authentication server (106), responsible for the authentication of the nodes, stores the cryptographic data necessary for the authentication of each of the nodes of the group (102). If the collective authentication, as described below with reference to FIG. 2, is validated, the authentication server derives and sends the security parameters (the session keys, the access rights) of each of the nodes of the group. to the service provider (104). The service provider then establishes a security association with each of the nodes.

The service provider (104) may in a first implementation variant not be involved in the exchanges for the authentication of the nodes of the group (102). In this case, the authentication server (106) exports the security parameters associated with the nodes, after successful authentication, in a message separate from a success message of the authentication for the node group. Alternatively, in another implementation, the authentication exchanges are relayed by the service provider (104). Such a situation can occur when the service provider provides access to the network. In this case, after a successful authentication, the security parameters are transferred to the service provider (104) according to two variants:

in a first variant, the security parameters are transferred in a message separate from the authentication success message intended for the group of nodes;

in a second variant, the security parameters are transferred with the success message of the authentication for the group of nodes. This variant of implementation is that adopted in the following description. Figure 2 shows the method (200) operated by the method of the present invention for authenticating the nodes of a group.

Step (202) consists of forming a group of nodes. The formation of the group of nodes can be carried out in a spontaneous manner or prior to

1 authentication.

For a spontaneous formation of the group, the nodes can be grouped on the basis of temporal and geographical proximity criteria or of common interest to the services offered by the supplier of the group. service. The identities of the nodes are sent for authentication to the authentication server which will constitute a group model by bringing together under the same set all the identities of the nodes received.

Alternatively, in the case of prior training, the group of nodes is formed using a multicast group address. Advantageously, in an implementation variant, once the group is formed and designated, a multicast routing tree is constructed to allow messages from the authentication server to be broadcast within the group.

At the same time, another inverse multicast reverse multicast routing tree is built. The reverse routing tree considers the members of the group as sources / transmitters of broadcast messages and the authentication server as target / receiver of these messages.

Those skilled in the art can refer to the known multicast routing tree construction techniques, such as the "RPL" protocol described by T. Winter et al., In "RPL: IPv6 Routing Protocol for Low Power and Lossy Networks". This protocol, which is dedicated to low-resource networks, can advantageously be used in the context of the invention. However, any routing protocol supporting means for broadcasting a single point to multiple points for the construction of the first multicast routing tree and multiple points to a single point for the construction of the reverse multicast routing tree can be used. A variant for building the reverse multicast routing tree is based on the first multicast routing tree, ensuring that each child node in the tree sends the message to its parent node as identified by the tree. multicast routing.

Intermediate entities, such as the gateway (110), "cluster heads" or intermediate nodes of the network, belonging or not to the node group, are responsible for broadcasting messages from the authentication server to these nodes. and aggregating messages from the nodes back to the server. In step (204), the collective authentication process is initiated, and an identification request is issued. The request is sent from the authentication server to the nodes.

If the group of nodes has been formed spontaneously according to determined grouping criteria, each node responds to reception of the request by its identity. The identity of each node can take the form of, for example, a "Network Access Identifier" in English or (NAI) as described in the document "The Network Access Identifier", IETF RFC 4282 B. Aboba et al. , December 2005. The authentication server receives the identities of the nodes either in separate messages or concatenated in a single message.

If the group of nodes has been formed beforehand, each node responds as soon as the identification request is received by the group identity (multicast address). The message containing the identity of the group is aggregated all along the routing tree in "reverse multicast".

Alternatively, the identification request may not be broadcast within the group of nodes but only sent to an intermediate entity in the network, such as the gateway, a router or a cluster-head. The intermediate entity is responsible for responding to the identification request by the identity of the group.

In an implementation variant where the authentication server is aware of the identity of the nodes implicitly in the message received as a response to its authentication challenge, the identification step can then be omitted.

In step (206), a "defi-response" message exchange takes place between the nodes of the group and the authentication server. Advantageously, the invention makes it possible to authenticate a group of nodes in a single exchange. The authentication server sends a request to the nodes. The origin of the request is authenticated by the nodes by means of a known authentication method. Authentication the server can be made by a MAC signature with a key generated according to for example the "TESLA" protocol described by A. Perrig et al., in "The TESLA Broadcast Authentication Protocol", UC Berkeley and IBM Research, 5 (2), 2002.

At the node group level, the responses of the nodes are aggregated by using authentication message aggregation functions which guarantee on the one hand the integrity of the aggregated responses and on the other hand the verification of the responses. identities of the transmitters. Those skilled in the art will find it possible to apply known commutative aggregation functions, such as the MAC aggregation schemes described by J. Katz et al., In "Aggregate message authentication codes", In Proceedings of the 2008 The Cryptopgraphers' Track at the RSA Conference on Topics in Cryptology, Tal Malkin (Ed.). Springer-Verlag, Berlin, Heidelberg, 155-169. Alternatively, quasi-commutative functions can be applied, such as the one-way accumulative functions described by J. Benaloh et al., In "One-way accumulators: a decentralized alternative to digital signatures", Advances in Cryptology-Eurocrypt 93, LNCS, vol. 765, Springer-Verlag, 1993, pp. 274-285.

Advantageously, schemes based on homomorphic encryption algorithms or signatures, such as that described by C. Castellucia et al., In "Efficient aggregation of encrypted data in wireless sensor networks", In Mobile and Ubiquitous Systems: Networking and Services, 2005 , can be also considered.

In an alternative implementation, if mutual authentication is not required, authentication of the authentication server by the nodes may be omitted.

In a preferred implementation where the node group is identified by a multicast address, the challenge sent by the authentication server is broadcast to all the nodes of the group following the previously built multicast routing tree. The responses of the nodes are aggregated by a parent node as they are transported to the reverse multicast routing tree.

When the responses are received, the aggregator node aggregates them and the aggregated responses are transmitted in "reverse multicast".

As will be detailed later, if nodes have not responded to the challenge after a predefined waiting time, the router adds to the aggregated responses the identity of the failed nodes in a message ^y NACK '. The authentication server can identify each failed or disconnected node in the tree of the multicast routing tree and authenticate them directly by means of an individual authentication protocol.

Advantageously, if a router belongs to the declared node group, it calculates its own response to the challenge and collects responses from responding nodes in its subtree. The router adds its response to the responses received and aggregates the set.

In an implementation variant where a router does not have an aggregation function, the responses received are transmitted directly to another router, placed higher in the reverse routing tree, which can take care of aggregating them.

The aggregate of the responses is transmitted to the authentication server, and can be relayed by the service provider in an implementation variant.

The next step (208) of the method is for the authentication server to check the integrity of the aggregate of the responses received and the identities of its transmitters. The server uses cryptographic material specific to each member of the group, such as keys shared with each member of the group or public keys associated with the private keys of each group member, for the verification.

If the verification fails, the authentication server sends a failure message to the nodes. The method continues with an individual authentication (214).

If the check is completely correct, the authentication server sends a success message to the nodes of the group and the method continues in step (210).

If the check is only partially successful, the authentication server sends an individual message of success or failure respectively to each node according to the result of the check. Then, the process continues in step (212).

The next steps (210 and 212) are to supply the service provider with security hardware either fully (210) or partially (212). The success or failure message of the authentication sent by the authentication server to the nodes is also sent to the service provider. Alternatively, the service provider can also be the relay of the message of success or failure to the nodes.

If the verification step (208) is successful, the authentication server attaches the success message, cryptographic material to the service provider. The term "cryptographic material" is understood in this description as any information, data, that can be used to establish an authentication, such as keys, access rights, identities or certificates for example. The cryptographic hardware allows the service provider to establish a security association with each node that has been verified. The cryptographic material is derived from hardware that the authentication server establishes individually with each node. Advantageously, the authentication server can attach to the success message a group key associated with the group of nodes and intended for the service provider, in the case where all the nodes of the group have authenticated.

After the step (210) of complete provisioning of security equipment, the collective authentication process is completed (216).

After the verification step (208) has resulted in failure or partial provisioning of security hardware (212), the method continues with an individual authentication step (214).

If the check is partial, the authentication server applies a protocol

individual authentication to verify

individually unauthenticated nodes after the collective authentication.

Then the authentication process is finished

(216).

Figure 3 shows the exchanges made between the nodes of a group and the authentication server in a preferred implementation of the invention.

In an initial phase (302), the node group is formed and the routing trees defined.

The authentication server acquires the group, for example from a group management center. Alternatively, the server itself manages the group (the group management center is co-located with the authentication server) and handles requests for registration of the nodes to this group.

The group formation phase is thus done once for a group, and then adapts according to the dynamics of the group, for example by registering new members or unsubscribing members. This phase remains independent of the choice of the service provider.

The 'multicast' and 'reverse multicast' routing trees are created with the members of the group, in which certain nodes are defined as the aggregator router to aggregate the responses of the peripheral nodes and broadcast an aggregated response to the authentication server.

The next phase (304) consists of the collective authentication of the nodes of the group, and groups the intermediate phases 306 to 312.

In the phase (306), an identification request is broadcast in the multicast routing tree to the nodes of the group. The nodes respond and a message containing the group identity is broadcast in the reverse multicast routing tree to the authentication server.

In the next phase (308) the authentication server generates a challenge that is common to all nodes in the group. The challenge is broadcast in the multicast routing tree to all nodes. Each node that operates as an aggregator initiates a counter that will measure the response time of the peripheral nodes attached to it in the inverse multicast routing tree. This time is known as the "Round-Trip Time" or (RTT) in English.

In a preferred implementation, in the absence of a response from a group node to the identification request after an elapsed time, calculated from the RTT in its multicast subtree, a negative acknowledgment "Negative acknowledgment" or (NACK) is issued. The lack of response may be due to a node standby state or inaccessibility or failure. The negative acknowledgment (NACK) is joined by the router node to the response in the reverse routing tree.

Advantageously, the router verifies that the total number of 'NACKs' does not exceed a threshold number so as not to significantly lengthen the message returned in reverse multicast, otherwise the router does not respond to the request.

Node responses to the challenge are returned to a router node. The parent router node in the reverse multicast routing tree aggregates the received responses and returns the aggregated responses to the authentication server.

For the aggregation of the responses, the role of a node changes according to its place in the routing tree "reverse multicast". If a node occupies a peripheral place, then it calculates its response and sends it directly, as soon as it receives the challenge. If a node acts as a router in the reverse routing tree multicast ", it aggregates the answers received.

Those skilled in the art will understand that the root of the multicast tree, for example the authentication server or the gateway, can be aware of the tree structure of the reverse multicast routing tree to be able to determine the group members who are not going to participate in the collective authentication of the group.

The authentication server checks in a phase (310) the aggregated message received.

Preferably, the authentication server comprises authentication message aggregation functions, and can thus authenticate the members of the group.

After successful authentication of all members of the group, the server sends to the service provider in a next phase (312) the security cryptographic material (eg cryptographic keys), as well as other parameters (e.g. access, security contexts). This security information is specific to each member of the group to create security associations between the service provider and each member of the group. In an implementation variant where the service provider is not involved in the In the authentication exchanges, the authentication server exports the security parameters associated with the nodes, after a successful authentication, in a separate message from the authentication success message intended for the group of nodes.

In another variant of implementation, the authentication exchanges are relayed by the service provider. In this case, the security parameters may be transferred to the service provider, after successful authentication, either in a message separate from the authentication success message for the node group, or in conjunction with the success message of 1 authentication for the node group.

FIG. 4 illustrates the exchanges involved in an implementation of the authentication method of the present invention based on the EAP-PSK protocol. The EAP-PSK protocol is described by F. Bersani et al. in "The EAP-PSK Protocol: A Pre-Shared Key Extensible Authentication Protocol (EAP) Method," IETF RFC 4764, 2007.

Only the elements specific to the present invention are described, and those skilled in the art will refer to the literature available for the general principles related to the 'EAP-PSK' protocol. Figure 4 is based on the example of two nodes to simplify the description but is in no way limiting. The described implementation (400) allows the authentication of the nodes of the same group in one only exchange between the authentication server and the node group, exchange represented by a challenge {RAND_S, ID_S} broadcast from the server to the node group, and a response {MAC_P, ID_G} of the group of nodes received by the server.

After a node group formation phase (not shown), an identification phase (402) comprising the identities (ID_1, ID_2) of the nodes of the group (ID_G) is initiated.

After the identification phase, a challenge generation phase and aggregation of responses (404) is performed.

The server (ID_S) generates a first message (RAND_S, ID_S) sent to the group of nodes and diffused within the group according to the defined multicast routing tree. The message contains a random challenge (RAND_S) to which each node will respond.

Each node calculates its response to the challenge. As illustrated, the peripheral node (ID_1) calculates:

· MAC_P_1 = MAC (AK_1, ID_1, ID_S, RANS_S), and the aggregator node ID_2 calculates its answer:

• MAC_P_2 = MAC (AK_2, ID_2, ID_S, RANS_S), where AK_1 is the key shared between the ID_1 node and the authentication server and

AK_2 is the key shared between the ID_2 node and the authentication server.

The peripheral node (ID_1) sends its response to the aggregator node according to the reverse routing tree in a message (MAC_P_1, ID-G). The aggregator node (ID_2) aggregates the responses received, and an aggregate of the responses is generated:

MAC_P = Θ {MAC (AK_i, ID_P_i, ID_S, RA D_S)} where ^y MAC_P 'designates the sum XOR of the MACs calculated by each node of the group identified by ID_P_i, and where:

• AK_i denotes the shared key between the node ID_P_i and the server ID_S; and

• ID_G is the identity of the node group.

A second message is generated from the responses of the aggregated nodes progressively along the reverse multicast tree. The aggregated responses are returned to the authentication server.

The nodes have authenticated to the authentication server by demonstrating that they are able to compute MAC values from their shared keys with the server.

Upon receiving the second message, the authentication server checks the aggregated responses (406). It calculates the XOR sum of the MACs using the keys shared with the nodes, and compares the result with the received response.

If the comparison is identical, the authentication server derives (408) the cryptographic material for the service provider and generates (MSK_1) from (AK_1) and (MSK_2) from of (AK_2). "MSK" means the "Master Session Key" in English according to the terminology of the protocol (EAP), and corresponds to the key generated by the server and the node after a successful authentication. The MSK is transported from the authentication server to the service provider.

The authentication server sends the service provider a validation message (Success, ID_1, MSK_1, ID_2, MSK_2) and the cryptographic elements generated.

The service provider retains the keys (MSK_1, MSK_2) of the nodes and returns a validation message to the node group.

Those skilled in the art will appreciate that variations can be made on the method as preferentially described while maintaining the principles of the invention. Thus, it is possible that the authentication is done through an entity belonging to the domain of the service provider or other entities of the infrastructure, such as for example the gateway 110. The authentication server then delegates 1 authentication to this entity by providing the hardware necessary for authentication and parameters relating to each user. The hardware for authentication may for example be authentication vectors such as those described in [3GPP TS] 33.220, "Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA)", Release 11 vil.1.0, December 2011]. In an advantageous variant, several groups can be authenticated in a single exchange. Group identities and aggregated responses associated with a common challenge can be concatenated before being passed to the authentication server for verification.

In a new variant, the aggregation can be performed on parts of the multicast routing tree. For each subtree, a multicast group is dynamically created and processed according to the principles of the method of the present invention. The aggregates of the responses on each part of the tree are concatenated and transmitted to the authentication server. Authentication only fails on the parts infected by a pollution attack or other types of attacks, the nodes on the other parts of the tree are, on the other hand, correctly authenticated.

Advantageously, specific routers in the multicast routing tree can be defined to check the aggregates of the responses received before transmitting them to other routers, in order to limit the attacks of pollution by malicious routers.

In an advantageous variant, the routing tree multicast can consist of a secure overlay logical network composed only of members of the group with established security associations.

The present invention may be implemented from hardware and / or software elements. It may be available as a computer program product on a computer readable medium. The support can be electronic, magnetic, optical, electromagnetic or be an infrared type of diffusion medium. Such media are, for example, Random Access Memory RAMs (ROMs), magnetic or optical tapes, floppy disks or disks (Compact Disk - Read Only Memory (CD-ROM), Compact Disk - Read / Write (CD-R / W) and DVD).

Thus, the present description illustrates a preferred implementation of the invention, but is not limiting. An example has been chosen to allow a good understanding of the principles of the invention, and a concrete application, but it is in no way exhaustive and should allow the skilled person to make changes and implementation variants in keeping the same principles.

Claims

claims

A method for authenticating a group of nodes among a plurality of nodes of a network of

communication, the method comprising the steps of:

identifying, among the plurality of nodes, a group of nodes to be authenticated (302);

- generate a challenge for the node group (306);

- sending from an authentication server the challenge to a first node of the plurality of nodes (306);

broadcasting from the first node the challenge to all nodes of the node group according to a multicast routing tree (308);

aggregating at the first node according to an inverse multicast routing tree of the multicast routing tree, the responses to the challenge of the nodes of the group;

- send the aggregated responses to the server

authentication (310);

- check the aggregated answers; and

generate a success message for the node group if the collective verification is successful (312).

2. The method of claim 1 wherein the step of identifying a group of nodes to be authenticated further comprises a step of registering the identities of the nodes of the group of nodes to be authenticated.

3. The method according to claim 1 or 2

including after the step of identifying the group of nodes, a step to build a multicast routing tree for broadcasting messages to the nodes of the group.

4. The method according to any one of

Claims 1 to 3 comprising after the step

identification of the group of nodes, a step of constructing an inverse multicast routing tree for broadcasting messages from the nodes of the group.

5. The method according to any one of

Claims 1 to 4, comprising, before the step of generating a challenge, a step of sending a request for identification of the nodes of the group of nodes to be authenticated.

6. The method according to any of the

Claims 1 to 5 further comprising a step of initiating a counter for measuring the response times of the nodes to the challenge.

7. The method of claim 5 or 6 wherein the step of broadcasting the request

identification and / or diffusion of the challenge to the nodes of the group is done according to the multicast routing tree.

8. The method according to any one of

Claims 1 to 7 further comprising a step of generating an authentication success message for each authenticated node or failure message for each unauthenticated node.

The method of claim 8 wherein the success message further comprises cryptographic material having keys, access rights or certificates.

A system for authenticating a plurality of nodes in a communication network comprising means for implementing the steps of the method according to any one of claims 1 to 9.

The system according to claim 10 comprising an authentication server (106) remote from the node group, the server being in communication with a service provider (104) able to receive the cryptographic material after a successful collective authentication of the group of nodes. nodes.

12. A computer program product, said

computer program comprising code instructions for performing the steps of the method according to any one of claims 1 to 9, when said program is executed on a computer.