EP3298721A1 - Method for generating a secret or a key in a network - Google Patents

Method for generating a secret or a key in a network

Info

Publication number
EP3298721A1
Authority
EP
European Patent Office
Prior art keywords
subscriber
value
sequence
transmission channel
values
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP16716541.4A
Other languages
German (de)
English (en)
Inventor
Timo Lothspeich
Andreas Mueller
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Robert Bosch GmbH
Original Assignee
Robert Bosch GmbH
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Robert Bosch GmbH
Publication of EP3298721A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/12 Transmitting and receiving encryption devices synchronised or initially set up in a particular manner
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/84 Vehicles

Definitions

  • the present invention relates to a method for generating a secret or a secret, cryptographic key in a network, in particular the generation of a common, secret key in two participants of the network.
  • point-to-point connections are usually counted as networks and should also be addressed here with this term.
  • the two participants communicate via a shared transmission medium.
  • logical bit sequences (or, more generally, value sequences) are transmitted physically by means of corresponding transmission methods as signals or signal sequences.
  • the underlying communication system may e.g. be a CAN bus. This provides for transmission of dominant and recessive bits or correspondingly dominant and recessive signals, whereby a dominant signal or bit of a participant of the network prevails over recessive signals or bits.
  • a state corresponding to the recessive signal is established on the transmission medium only if all participants involved provide a recessive signal for transmission or if all participants transmitting at the same time transmit a recessive signal level.
  • suitable cryptographic methods are usually used, which can generally be subdivided into two different categories: on the one hand, symmetric methods, in which the sender and receiver have the same cryptographic key, and, on the other hand, asymmetric methods, in which the sender encrypts the data to be transmitted with the public key of the recipient (i.e. a key possibly also known to a potential attacker), but the decryption can be done only with the associated private key, which is ideally known only to the recipient.
  • asymmetric methods usually have a very high computational complexity. Thus, they are only conditionally suitable for resource-constrained nodes, such as sensors, actuators, or the like, which usually have only a relatively low processing power and little memory and have to work energy-efficiently, for example due to battery operation or the use of energy harvesting. In addition, there is often limited bandwidth available for data transmission, making the exchange of asymmetric keys with lengths of 2048 bits or even more unattractive.
  • SIM cards inserted into a mobile phone and the associated network can then assign the appropriate key to the unique identifier of a SIM card.
  • a manual entry of the keys to be used usually takes place when setting up a network.
  • key management quickly becomes very cumbersome and impractical if one has a very large number of nodes, for example in a sensor network or other machine-to-machine communication systems, e.g. also CAN-based vehicle networks.
  • a change of the keys to be used is often not possible at all or only with great effort.
  • CAN Controller Area Network
  • Methods for bit stuffing in the Controller Area Network (CAN) and CAN-FD can be found for example in DE 10 2011 080476 A1.
  • the non-prepublished DE 10 2015 207220 A1 discloses a method for generating a shared secret or a secret symmetric key by means of public discussion between two communication participants.
  • Disclosure of the invention
  • the methods for generating a secret or a cryptographic key according to the independent claims do not require any manual intervention and thus enable the automated establishment of secure communication relationships between two nodes.
  • the methods have a very low complexity, in particular with regard to the required hardware design, such as e.g. the required memory resources and computing power, and they are associated with a low energy and time requirements.
  • the methods offer very high key generation rates with a simultaneously very low probability of error.
  • the methods assume that participants in a network communicate with each other via a communication channel.
  • they transfer logical sequences of values (in the case of binary logic, bit sequences) with the aid of physical signals on the transmission channel.
  • the transferred, logical value sequences as well as their logical overlay are considered.
  • Subscribers of the network can thus apply first signals (for example associated with logical bit "1") and second signals (associated, for example, with logical bit "0") to the communication channel and detect resulting signals on the communication channel.
  • the effective signal resulting from the (largely) simultaneous transmission of two (independent) signals on the communication channel can then in turn be assigned to one (or more) specific logical value(s).
  • the transmission must be largely synchronous in the sense that the individual signals of a signal sequence are superimposed on the transmission medium, in particular such that the signal corresponding to the n-th logical value or bit of the first subscriber is at least partially superimposed with the signal corresponding to the n-th logical value or bit of the second subscriber.
  • This overlay should be sufficiently long for the participants to be able to record the overlay or determine the corresponding overlay value.
  • the superimposition can be determined by arbitration mechanisms or by physical signal superposition.
  • an arbitration mechanism means, for example, the case in which a node wants to apply a recessive level, but detects a dominant level on the bus and therefore refrains from transmitting. In this case, there is no physical superposition of two signals; only the dominant signal is seen on the transmission channel.
  • the participants can then generate a key that is secret to an outside attacker.
  • the reason for this is that the outside attacker, who can listen to the effective overall signals applied to the shared transmission medium, sees only the superimposition of the value sequences, but does not have the information about the individual value sequences of the participants. Thus, the participants have more information that they can use against the attacker to generate a secret key.
  • the participants involved in the key generation apply, outside their subscriber value sequences, i.e. in addition to these, at least one fill value to the common transmission channel such that an edge change or a value change results (e.g., bit change 0 to 1 or 1 to 0 in a binary system).
  • fill values are applied to the transmission channel largely synchronously by both subscribers, so that an edge change or a value change results from the superimposition signal of the fill values.
  • the fill values are given to the transmission channel at certain intervals (i.e., in particular after a certain number of individual values of the value sequences) or as a function of a detected overlay value sequence.
  • the subscribers place the fill values on the transmission channel if they each detect an overlay value sequence having a predetermined number of equal values.
  • the fill values are preferably inverse to the detected same values. Since stuff bits generally increase the overhead of a communication protocol and thus reduce the efficiency of key establishment, it is advantageous to provide such fill values only when in fact a certain number of value repeats is exceeded, which is detected here on the basis of the superposition sequence.
  • the fill values may be added to the transmission channel immediately adjacent to the detected number of equal values in the superposition value sequence.
  • the number to be detected can be set exactly to the permissible maximum number of identical values, so that the fill values are really only inserted in cases in which they are necessary.
  • the fill values may also be inserted at a predetermined distance from a detected number of value repeats, which number should then be selected correspondingly lower than the maximum number.
  • the fill values are always inserted by the participants at fixed, predetermined intervals, in particular after a predetermined number of detected values on the transmission channel it must be the same values.
  • two fill values are preferably inserted, which already contain a value change or edge change (for example, the bit sequence 01 from both subscribers or the bit sequence 10 from both).
  • the method can be used in a network in which there is a dominant value (physically: a dominant signal) that prevails when only one subscriber applies it on the transmission channel and a recessive value (physically: a recessive signal) that results on the transmission channel only if both or all participants transmit a recessive value. Because of the clearly defined overlay rules, the subscribers of such a network can derive information for generating the key from the resulting overlay sequences in a particularly simple way. Alternatively, the transmission of a recessive value by at least one of the subscribers can also be replaced by transmitting nothing at this point of the value sequence, or as one of the at least two possible values.
  • the subscriber value sequences which are given largely simultaneously by the subscribers to the transmission channel, are generated in advance in the respective subscribers themselves with the aid of a random generator or pseudo-random generator.
  • since the resulting overlay sequence on the transmission channel can be accessible to a potential attacker, it is particularly advantageous for the security of the subsequent communication if it is made difficult for the attacker to infer the individual value sequences of the participants, by generating them locally and randomly, or at least pseudorandomly, in the participants.
  • the methods described can be implemented particularly well in a CAN, TTCAN or CAN FD bus system.
  • a recessive bus level is displaced by a dominant bus level.
  • the superimposition of values or signals of the subscribers thus follows defined rules which the subscribers can use to derive information from the superimposed value or signal and the value or signal transmitted by them.
  • the methods are also well suited for other communication systems such as LIN and I2C.
  • the method can also be used, for example, in a network with on-off-keying amplitude shift keying.
  • the overlay is determined in that the subscribers can choose between the signals "transmission" and "no transmission", and the overlay signal corresponds to the "transmission" signal when one or both of the subscribers transmit and to the "no transmission" signal when neither subscriber transmits.
  • a network or subscriber to a network is set up to do this by having electronic memory and computational resources to perform the steps of a corresponding method.
  • Also stored on a storage medium of such a user or on the distributed storage resources of a network may be a computer program configured to perform all the steps of a corresponding method when executed in the subscriber or in the network.
  • FIG. 1 schematically shows the structure of an exemplary, underlying communication system
  • FIG. 3 shows schematically exemplary signal sequences of two subscribers of a network as well as a resulting superposition value sequence on a transmission channel between the subscribers and
  • FIG. 4 schematically shows the sequence of an exemplary method for generating a key between two subscribers of a network.
  • the present invention relates to a method for generating a shared secret or (secret) symmetric cryptographic key between two nodes of a communication system (participants of a network) communicating with each other via a shared medium (transmission channel of the network).
  • the generation or negotiation of the cryptographic keys is based on a public data exchange between the two participants, whereby a possible eavesdropping third party acting as an attacker cannot, or only with great difficulty, draw conclusions about the generated key.
  • a common secret is first established for this, which can be used to generate the key.
  • such a shared secret can in principle also be used for purposes other than cryptographic keys in the strict sense, e.g. as a one-time pad.
  • the invention is suitable for a variety of wired or wireless as well as optical networks or communication systems, especially those in which the various participants communicate with each other via a linear bus and media access to this bus takes place using bitwise bus arbitration.
  • This principle represents, for example, the basis of the widespread CAN bus.
  • Possible fields of application of the invention accordingly include, in particular, CAN-based vehicle networks as well as CAN-based networks in automation technology.
  • the present invention describes an approach with which symmetric cryptographic keys can be generated automatically in a network, in particular between two nodes of the network. This generation takes place by exploiting properties of the corresponding transmission layer. Unlike the usual approaches of "physical layer security", however, physical parameters of the transmission channel such as transmission strength etc. are not evaluated for this purpose. Instead, there is a public data exchange between the participating nodes which, thanks to the characteristics of the communication system and/or the modulation method used, allows a possible eavesdropping attacker no conclusions, or no sufficient conclusions, about the negotiated key.
  • this shared transmission medium corresponds to a linear bus (wired or optical) 30, as shown by way of example in FIG
  • the network 20 in Figure 2 consists of this linear bus 30 as a shared transmission medium (e.g., a wireline transmission channel), nodes 21, 22 and 23, and (optional) bus terminations 31 and 32.
  • communication between the various nodes 21, 22 and 23 is assumed to be characterized by the distinction between dominant and recessive values.
  • the possible values are the bits "0" and "1".
  • a dominant bit (e.g., the logical bit '0') can, as it were, displace or overwrite a simultaneously transmitted recessive bit (e.g., the logical bit '1').
  • on-off-keying amplitude shift keying
  • a signal is transmitted, for example in the form of a simple carrier signal, in the other case (value 'Off' or '1') no signal is transmitted.
  • the state 'On' is dominant while the state 'Off' is recessive.
  • Another example of a corresponding communication system that supports this distinction of dominant and recessive bits is a (wired or optical) system based on bitwise bus arbitration, such as that used in the CAN bus.
  • the basic idea here is also that if, for example, two nodes want to transmit a signal at the same time and one node transmits a '1' whereas the second node transmits a '0', the '0' (i.e. the dominant bit) 'wins', i.e. the signal level that can be measured on the bus corresponds to a logical '0'.
  • This mechanism is used in particular to resolve possible collisions, whereby priority messages (i.e. messages with an earlier dominant signal level) are transmitted with priority. When a node itself transmits a recessive bit but a dominant bit is detected on the bus, the corresponding node aborts its transmission attempt in favor of the higher-priority message (with the earlier dominant bit).
  • FIG. 3 shows, for example, how a subscriber 1 (T1) keeps the bit sequence 0, 1, 1, 0, 1 ready for transmission between the times t0 and t5 via the transmission channel. Subscriber 2 (T2) keeps the bit sequence 0, 1, 0, 1, 1 ready for transmission between times t0 and t5 via the transmission channel.
  • the bit string 0, 1, 0, 0, 1 will be seen on the bus (B). Only between times t1 and t2 and between t4 and t5 do both subscriber 1 (T1) and subscriber 2 (T2) provide a recessive bit "1", so that only in these cases does the logical AND operation result in a bit level of "1" on the bus (B).
  • the process for generating a symmetric key pair is started in step 41 by one of the two nodes involved in this example (subscriber 1 and subscriber 2). This can be done, for example, by sending a special message or a special message header.
  • Both subscriber 1 and subscriber 2 initially generate a bit sequence locally (ie internally and independently of one another) in step 42.
  • this bit sequence is at least twice, in particular at least three times as long as the common key desired as a result of the method.
  • the bit sequence is preferably generated in each case as a random or pseudo-random bit sequence, for example with the help of a suitable random number generator or pseudo-random number generator.
  • subscriber 1 and subscriber 2 transmit (largely) synchronously their respectively generated bit sequences over the shared transmission medium (using the transmission method with dominant and recessive bits, as already explained above).
  • Different possibilities for synchronizing the corresponding transmissions are conceivable.
  • either subscriber 1 or subscriber 2 could first send a suitable synchronization message to the respective other node and then start the transmission of the actual bit sequences after a certain period of time following the complete transmission of this message.
  • bit sequences of a subscriber generated in step 42 can also be transmitted in step 43 distributed over several messages, for example if the (maximum) sizes of the corresponding messages make this necessary.
  • the transmission of the other subscriber's bit sequences, distributed over a corresponding number of correspondingly sized messages, again takes place (largely) synchronously.
  • Both subscriber 1 and subscriber 2 detect, during the transmission of their bit sequences of step 43, in a parallel step 44 the effective (overlaid) bit sequences S_eff on the shared transmission medium.
  • this is usually done in conventional systems during the arbitration phase anyway.
  • a node knows that the effective state on the shared medium is dominant if the node itself has sent a dominant bit. If a node has sent a recessive bit, however, it does not at first know the state on the shared transmission medium, but in this case it can determine it by suitable measurement. Since the node itself does not send anything in this case, there are no problems with so-called self-interference, which would require complex echo cancellation, especially in the case of wireless systems.
  • both subscriber 1 and subscriber 2 also transmit (largely) synchronously their initial bit sequences S_T1 and
  • Both subscriber 1 and subscriber 2 determine during the transmission of their now inverted bit sequences then again the effective, superimposed bit sequences on the shared transmission medium.
  • both nodes subscriber 1 and subscriber 2
  • a possible attacker eg subscriber 3 who overhears the communication on the shared transmission medium
  • participant 1 still knows its initially generated, local bit sequence S_T1 and participant 2 its initially generated, local bit sequence S_T2. Participant 1, in turn, does not know the initially generated, local bit sequence of participant 2, and participant 2 does not know the initially generated, local bit sequence of participant 1.
  • the detection of the overlay bit sequence again takes place during the transmission in step 46.
  • subscriber 1 and subscriber 2 can also send their inverted, local bit sequence directly with or directly after their original, local bit sequence, i.e. steps 45 and 46 are carried out together with steps 43 and 44.
  • the original and the inverted bit sequence can be transmitted in a message, but also in separate messages as partial bit sequences.
  • in step 47, subscriber 1 and subscriber 2 now each locally (i.e. internally) combine the effective, superimposed bit sequences (S_eff and S_eff'), in particular with a logical OR function.
  • the individual bits in the bit sequence (S_ges) resulting from the OR operation now indicate whether the corresponding bits of S_T1 and S_T2 are identical or different. For example, if the n-th bit within S_ges is a '0', it means that the n-th bit within S_T1 is inverse to the corresponding bit within S_T2. Likewise, if the n-th bit within S_ges is a '1', the corresponding bits within S_Alice and S_Bob are identical.
  • Subscriber 1 and subscriber 2 then delete in step 48, based on the bit sequence S_ges obtained from the OR combination, all bits in their original, initial bit sequences S_T1 and S_T2 which are identical in both sequences. This consequently leads to correspondingly shortened bit sequences.
  • the thus shared, shortened bit sequence is now processed locally by participant 1 and participant 2 in step 49 in a suitable manner in order to generate the actual desired key of the desired length N.
  • this treatment can be done.
  • One possibility is to select N bits from the common truncated bit sequence, where it must be clearly defined which N bits are to be taken, eg simply by selecting the first N bits of the sequence.
  • the calculation of a hash function via the jointly present, shortened bit sequence which provides a hash of length N.
  • the processing can be done with any linear or nonlinear function that returns a bit sequence of length N bits when applied to the jointly present, shortened bit sequence.
  • the mechanism of key generation from the common truncated bit sequence is preferably identical in both subscribers 1 and 2 and is performed accordingly in the same way.
  • a checksum could be calculated using the generated keys and exchanged between subscribers 1 and 2. If both checksums are not identical, then obviously something has failed. In this case, the described method for key generation could be repeated.
  • a whole series of resulting shortened bit sequences, each present at both subscribers 1 and 2, can be generated, which are then combined into a single large sequence before the actual key is derived from it. If necessary, this can also be done adaptively. If, after performing the described procedure once, the length of the common, shortened bit sequence is, for example, less than the desired key length N, one could, for example, generate further bits by a renewed run before the actual key derivation.
  • the generated symmetric key pair can finally be used by subscriber 1 and subscriber 2 in conjunction with established (symmetric) cryptographic methods, e.g. ciphers for data encryption.
  • a goal of combining the two overlay partial value sequences, in particular by means of a logical OR function, is to be able to delete those bits which even a passive attacker who observes the communication can easily determine on the basis of his observations.
  • An alternative to this would be to keep those bits, but initially generate significantly more bits than desired (that is, if a secret or a key of 128 bits is desired, for example, to first generate 300 bits) and then at the end to reduce them to the desired length, e.g. with the help of a hash function or similar.
  • a potential attacker (e.g. subscriber 3) can listen to the public data transmission between subscriber 1 and subscriber 2 and thus gain knowledge of the effective, superimposed bit sequences (S_eff and S_eff') as described. The attacker then only knows which bits in the locally generated bit sequences of nodes 1 and 2 are identical and which are not. In addition, for the identical bits, the attacker can even determine whether each is a '1' or a '0'. For complete knowledge of the resulting, shortened bit sequence (and thus the basis for the key generation), however, he lacks the information about the non-identical bits.
  • bit values identical in the original, locally generated bit sequences of subscribers 1 and 2 are additionally deleted. This means that subscriber 3 has only information that is not used for key generation. He does know that the correspondingly shortened bit sequences result from the bits that differ between the local bit sequences of subscribers 1 and 2. However, he does not know which bits subscriber 1 and subscriber 2 have each sent.
  • subscriber 1 and subscriber 2 also have the information about the locally generated bit sequence transmitted by them in each case.
  • the fact that the keys generated in subscribers 1 and 2 remain secret as a basis despite the public data transmission results from this information advantage over a subscriber 3 following only the public data transmission.
  • 'stuff bit' with a complementary value must be inserted into the actual bit sequence to be transmitted, which is automatically removed at the receiver.
  • 'stuff bits' are not information bits but have the following background:
  • Bit sequences with more than N = 5 consecutive equivalent bits are used for control purposes (e.g. as an "end-of-frame" indication or as an "error frame"), and it must therefore be ensured that such sequences do not occur in the actual information part.
  • CAN uses a non-return-to-zero coding for the transmission of CAN messages.
  • this favors synchronization losses due to not perfectly synchronous clocks in different nodes, which is why a time synchronization must be performed during the transmission or reception of a CAN message in order to keep the hardware requirements low (e.g. requirements for the local oscillators).
  • Due to the introduction of a stuff bit, an edge change takes place at the latest after N = 5 consecutive bits, which can then be used for such a post-synchronization.
  • the insertion of suitable 'stuff bits' is intended to prevent more than N consecutive bits from having the same value.
  • this cannot be done by transmission rules for the individual participants that are independent of the other participants, since the described method depends on appropriate edge changes or value changes of a superposition value sequence.
  • various possibilities are proposed.
  • the first and second subscribers in the described method for generating the key continuously detect, during the synchronous transmission of the random bit sequences in step 43, the effective signal level (or the effective bit sequence) on the shared transmission medium in the parallel step 44. If the nodes notice that the effective bit value on the transmission medium has been the same N times in succession, both nodes next send a stuff bit which is inverse to the effective bit value detected N times in succession.
  • An essential difference to conventional bit stuffing is thus that the decision as to whether a stuff bit must be inserted does not depend primarily on the own message or bit string but only on the effective bit string on the shared transmission medium. The same applies to the value of the stuff bit to be sent.
  • the underlined bit is the additionally introduced stuff bit, which is inserted and sent by both user 1 and user 2 after having detected the bit '0' on the common transmission medium 5 times.
  • the actual bit sequences of Alice and Bob look as follows for this example:
  • the approach of the first exemplary embodiment can be adapted such that the insertion of a stuff bit is already prepared after the detection of N-M (1 ≤ M ≤ N-2) identical successive effective bits on the shared transmission medium, but the stuff bit is actually sent only after the transmission of N bits, counted from the detection of the first bit of the sequence of (at least) N-M identical consecutive bits.
  • this prepared stuff bit will be sent even if, after the N-M identical bits and before the transmission of the stuff bit, an (effective) bit change takes place on the common transmission medium and thus there would actually be no stuffing error even without the stuff bit (in this case, there would be no more than N identical bits on the transmission medium).
  • This also leads to a valid bit sequence (without stuffing error), but in this case with a higher overhead due to the (here actually unnecessary) stuff bit.
  • A method for avoiding stuffing errors and/or synchronization losses according to a third preferred embodiment is the periodic enforcement of bit or edge changes independently of the actual information bits, i.e. independently of the subscriber sequences and of the detected overlay sequence.
  • The two stuff bits may already contain a bit change for this purpose, e.g. either the bit sequence '01' or '10', so that the superimposition likewise results in the bit sequence '01' or '10'. Which of these two possible cases is inserted is irrelevant in this example, as long as it is ensured that both subscriber 1 and subscriber 2 always insert the same sequence.
  • This embodiment leads to a relatively high overhead, but is very robust and inexpensive to implement and can also be carried out particularly well with existing standard components.
  • The stuff bits themselves are preferably discarded at the receiver side.
  • They are not used as a basis for the generation of a symmetric cryptographic key, in order to prevent the key from being weakened by non-random structures entering the key generation.
  • In an alternative embodiment, the described embodiments of the method can also be modified such that the fill values (stuff bits) are not placed on the common transmission medium by both participants, but only one of the two participants generates and outputs the fill values.
  • This method has the advantage that the participants can synchronize each other via this sequence of values.
  • One of the participants is preferably designated to transmit the fill values. This can be, for example, the subscriber who initiates the key generation or a subscriber predetermined (for example by configuration). The other participant detects the fill values and can use them, for example, to gain synchronization information.
  • A possible time offset of its clock relative to the clock of the other subscriber can be detected and, based on this determined offset, a re-synchronization of its clock can be carried out.
  • The presented methods represent an approach for the generation of symmetric cryptographic keys between two nodes by exploiting properties of the physical layer.
  • The approach is particularly suitable for wired and optical communication systems, provided that they support 'on-off keying' or bitwise bus arbitration (e.g. CAN, TTCAN, CAN-FD, LIN, I2C).
  • The approach can be used in wireless (radio-based) communication systems, preferably with a very short distance between transmitter and receiver and a possible direct line of sight.
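
The stuffing rule of the first embodiment and the receiver-side discarding of stuff bits can be traced in a short simulation. This is an added example, not code from the patent; it assumes a CAN-like wired-AND bus on which '0' is dominant, N = 5 as in the page's example, and illustrative function names.

```python
N = 5  # stuffing threshold; 5 matches the page's example

def bus(a, b):
    # Assumption: CAN-like wired-AND medium, '0' is dominant.
    return a & b

def track(run, bit):
    """Update (value, length) of the current run of identical bus bits."""
    val, length = run
    return (val, length + 1) if bit == val else (bit, 1)

def transmit(seq_a, seq_b, n=N):
    """Superimpose both sequences; stuffing is decided on the bus only."""
    effective, is_stuff, run, i = [], [], (None, 0), 0
    while i < len(seq_a):
        if run[1] == n:
            # Both nodes saw n identical effective bits: both send the inverse.
            stuff_bit = 1 - run[0]
            bit, stuff = bus(stuff_bit, stuff_bit), True
        else:
            bit, stuff = bus(seq_a[i], seq_b[i]), False
            i += 1
        effective.append(bit)
        is_stuff.append(stuff)
        run = track(run, bit)
    return effective, is_stuff

def destuff(effective, n=N):
    """Receiver side: drop stuff bits using only what was seen on the bus."""
    data, run = [], (None, 0)
    for bit in effective:
        if run[1] != n:  # the bit following n identical bits is a stuff bit
            data.append(bit)
        run = track(run, bit)
    return data

def longest_run(bits):
    best, run = 0, (None, 0)
    for bit in bits:
        run = track(run, bit)
        best = max(best, run[1])
    return best

# Constructed sample: each own sequence alternates, the superposition is all '0'.
ALICE, BOB = [0, 1] * 6, [1, 0] * 6

if __name__ == "__main__":
    eff, flags = transmit(ALICE, BOB)
    print("".join(map(str, eff)), "->", "".join(map(str, destuff(eff))))
```

With the constructed sequences, conventional stuffing on each subscriber's own bits would never trigger, while the effective sequence on the bus needs a stuff bit after every five '0' bits.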

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Small-Scale Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a method for generating a secret or a key in a network. The network has at least a first and a second subscriber with a shared transmission channel between at least the first and the second subscriber. The first subscriber can place at least a first value and a second value on the transmission channel, and the second subscriber can place at least the first value and the second value on the transmission channel, the first subscriber and the second subscriber respectively causing a first subscriber value sequence and a second subscriber value sequence to be transmitted on the transmission channel largely synchronously with one another. The first subscriber, on the basis of information about the first subscriber value sequence and on the basis of a superposition value sequence resulting from a superposition of the first subscriber value sequence and the second subscriber value sequence on the transmission channel, and the second subscriber, on the basis of information about the second subscriber value sequence and on the basis of the superposition value sequence resulting from the superposition of the first subscriber value sequence and the second subscriber value sequence on the transmission channel, each generate a shared secret or a shared key. At specified intervals or as a function of a detected superposition value sequence, at least the first subscriber, outside the first subscriber value sequence, or the second subscriber, outside the second subscriber value sequence, places at least one fill value on the transmission channel, so that an edge change or value change occurs on the transmission channel.
EP16716541.4A 2015-05-22 2016-04-13 Method for generating a secret or a key in a network Withdrawn EP3298721A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102015209496.0A DE102015209496A1 (de) 2015-05-22 2015-05-22 Method for generating a secret or key in a network
PCT/EP2016/058103 WO2016188667A1 (fr) 2015-05-22 2016-04-13 Method for generating a secret or a key in a network

Publications (1)

Publication Number Publication Date
EP3298721A1 true EP3298721A1 (fr) 2018-03-28

Family

ID=55754267

Family Applications (1)

Application Number Title Priority Date Filing Date
EP16716541.4A Withdrawn EP3298721A1 (fr) 2015-05-22 2016-04-13 Method for generating a secret or a key in a network

Country Status (7)

Country Link
US (1) US10841085B2 (fr)
EP (1) EP3298721A1 (fr)
JP (1) JP2018516019A (fr)
KR (1) KR20180009753A (fr)
CN (1) CN107624229B (fr)
DE (1) DE102015209496A1 (fr)
WO (1) WO2016188667A1 (fr)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10833851B2 (en) * 2017-08-29 2020-11-10 Robert Bosch Gmbh Methods and systems for linear key agreement with forward secrecy using an insecure shared communication medium
CN110730067B (zh) * 2019-09-06 2021-10-19 深圳开源互联网安全技术有限公司 Key generation method and apparatus, computer-readable storage medium, and terminal device

Family Cites Families (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050195975A1 (en) * 2003-01-21 2005-09-08 Kevin Kawakita Digital media distribution cryptography using media ticket smart cards
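KR20070101097A (ko) * 2006-04-10 2007-10-16 삼성전자주식회사 Method and apparatus for generating a transmission frame, and method and apparatus for processing a transmission frame
CN101287277B (zh) * 2007-04-13 2012-07-25 华为技术有限公司 Method and system for providing services to a user terminal in a wireless personal area network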
US20090103726A1 (en) * 2007-10-18 2009-04-23 Nabeel Ahmed Dual-mode variable key length cryptography system
DE102009002396A1 (de) 2009-04-15 2010-10-21 Robert Bosch Gmbh Method for protecting a sensor and sensor data of the sensor against manipulation, and a sensor therefor
DE102009045133A1 (de) 2009-09-29 2011-03-31 Robert Bosch Gmbh Method for protecting sensor data against manipulation, and sensor therefor
CN101873212B (zh) * 2010-06-09 2012-04-18 中国农业大学 Threshold secret information distribution and restoration devices and methods
FR2970130B1 (fr) * 2011-01-03 2013-08-30 Centre Nat Etd Spatiales Decoding method and decoder
DE102011080476A1 (de) 2011-08-05 2013-02-07 Robert Bosch Gmbh Method and device for improving data transmission security in serial data transmission with flexible message size
DE102012215326A1 (de) 2012-08-29 2014-03-06 Robert Bosch Gmbh Method and device for determining a cryptographic key in a network
CN106233661B (zh) 2014-04-28 2019-11-05 罗伯特·博世有限公司 Method for generating a secret or key in a network
DE102014208975A1 (de) 2014-05-13 2015-11-19 Robert Bosch Gmbh Method for generating a key in a network, and subscriber on a network, and network
DE102014209042A1 (de) 2014-05-13 2015-11-19 Robert Bosch Gmbh Method and device for generating a secret key
DE102015207763A1 (de) * 2015-04-28 2016-11-03 Robert Bosch Gmbh Method and device for generating a secret cryptographic key shared by a first node and a second node by means of at least one helper node

Also Published As

Publication number Publication date
CN107624229A (zh) 2018-01-23
US20180123786A1 (en) 2018-05-03
WO2016188667A1 (fr) 2016-12-01
CN107624229B (zh) 2021-03-30
KR20180009753A (ko) 2018-01-29
US10841085B2 (en) 2020-11-17
DE102015209496A1 (de) 2016-11-24
JP2018516019A (ja) 2018-06-14

Similar Documents

Publication Publication Date Title
EP3138258B1 (fr) Method for generating a secret or a key in a network
DE102015220038A1 (de) Method for generating a secret or key in a network
WO2016188667A1 (fr) Method for generating a secret or a key in a network
DE102016208451A1 (de) Method for generating a secret or a key in a network
EP3363145B1 (fr) Method and device for generating a shared secret
EP3363146B1 (fr) Method for generating a key in a circuit arrangement
WO2017064124A1 (fr) Circuit arrangement for generating a secret or a key in a network
WO2017064027A1 (fr) Method for generating a secret or a key in a network
WO2017064075A1 (fr) Circuit arrangement for generating a secret or a key in a network
DE102016208453A1 (de) Method for generating a secret or a key in a network
WO2017064067A1 (fr) Method for generating a key in a network and for activating the securing of a communication in the network on the basis of the key
WO2017064025A1 (fr) Method for generating a secret or a key in a network
WO2017064129A1 (fr) Method for generating a secret for a one-time encryption in a network
WO2017064125A1 (fr) Method for generating a secret or a key in a network
DE102015219989A1 (de) Method and device for refreshing a shared secret, in particular a symmetric cryptographic key, between a first node and a second node of a communication system
DE102015219993B4 (de) Method and device for generating a shared secret of predetermined length
WO2017064131A1 (fr) Method for generating a secret or a key in a network
DE102016208448A1 (de) Method for generating a secret or a key in a network
DE102016208452A1 (de) Method for generating a secret or a key in a network
WO2017064002A1 (fr) Method and device for generating a shared secret
DE102015220014A1 (de) Method for generating a secret in a network
DE102016208442A1 (de) Method for generating a secret or a key in a network
DE102016208444A1 (de) Method for generating a secret or a key in a network
WO2017063995A1 (fr) Method for generating a secret or a key in a network
DE102015219991A1 (de) Method and device for establishing a shared secret

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20171222

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20180724