FR2899750A1 - Common encryption key generating method for e.g. voice over Internet protocol application, involves verifying correspondence between control data displayed on terminal of one user and control data received from another user by latter user - Google Patents

Abstract

The method involves determining a common encryption key by each of communication terminals (PA, PB) of users (A, B) from random data (a, b) and initialization data (Ga`, Gb`). Control data (Ca, Cb) are determined from locally calculated initialization data (Ga, Gb) and data (Ga`, Gb`), and are displayed on one user`s terminal. The control data are transmitted to the other user via a voice communication channel (CV). Correspondence between the displayed control data and the control data received from the latter user is verified by the latter user using a validation unit. Independent claims are also included for the following: (1) a computer program executed by a terminal connected to another terminal via a digital link of a communication network (2) a terminal for generating an encryption key common to another terminal.

Description

METHOD AND TERMINAL FOR SECURING THE GENERATION OF AN ENCRYPTION KEY

  The invention relates to communications by electronic means, and in particular to securing such communications. Securing electronic communications is becoming increasingly important with the development of computer networks.

  All data exchanged is transmitted over public networks and is likely to be read by people who are not intended to read it. It is therefore often necessary to encrypt communications. The encryption is done using public algorithms, but using confidential data or encryption key that is known only to the sender and the recipient. A possible attacker has no possibility to access the data exchanged if he does not know the encryption key. To ensure a certain level of security, the encryption key must be changed often. Indeed the use of the same key to encrypt a large volume of data makes it vulnerable to statistical type attacks. Usually a new key is generated with each new communication. The generation of a key is conventionally performed by so-called Diffie Hellman protocols, the principle of which is as follows. We work in arithmetic modulo N, where N is a large integer (whose computer representation requires several hundreds or even thousands of bits), and we choose in advance an integer g defined modulo N. These numbers N and g are public and known to all users. Consider then two particular users, hereinafter called Alice and Bob, who wish to communicate with each other confidentially on a public network. Alice secretly generates a random datum a and calculates the number g power modulo N (noted below gAa [Mod N]) that it sends to Bob. The latter, in turn, secretly generates a random datum b and calculates the number g power modulo N (g ^ b [Mod N]) that it sends to Alice. After this exchange, Alice knows a and gAb [Mod N] and uses them to calculate (gAb [Mod N]) ^ a [Mod N]. Bob, for his part, knows b and g''a [Mod N] and calculates on his side (g ^ a [Mod N]) '' b [Mod N] = g ^ ab [Mod N]. The two numbers thus calculated are equal to each other. They are known to both users and are used to determine an encryption key. An attacker who has copied all the information passing through the network, would know the numbers g ^ a [Mod N] and g ^ b [Mod N], but not the random data a and b that do not pass through the network. But without the knowledge of the random data a and b, it is impossible to calculate g ^ ab [Mod N], at least if N is sufficiently large. Other protocols use more complex mathematical objects (elliptic curves on finite fields, Jacobi groups of hyperelliptic curves, ...), but the general principle remains the same. Alice secretly generates a random datum a, and computes, using a cryptographic function applied to the random datum, an initialization datum Ga that she sends in an initialization message to Bob. Bob, for his part, secretly generates a random datum b and calculates, using the same cryptographic function applied to the random datum b, an initialization datum Gb, which he sends to Alice in a message. initializing. Knowing either the pair (Ga, b) or the pair (Gb, a) allows the two users to calculate, each on its own, a common secret data item Gab. The common secret data Gab is known only to the two users and is impossible to calculate by an attacker who would know the initialization data Ga and Gb that pass through the communication channel, but which would know none of the initial random data a and b. The common secret data Gab thus developed is then used to determine an encryption key which will be used to encrypt the sequence of communications between the two users.

  These protocols are described in particular in "Applied Cryptography" by Bruce Schneier, 2nd edition, a French translation published by International Thomson Publishing France in 1997, more particularly in Chapter 22, page 541 and following. The original idea of these protocols was published by W. Diffie and M. E. Hellman in 1976 in "New Directions in Cryptography", IEEE Transactions on Information Theory, vol. IT 22, No. 6, pp 644-654. Generalizations with elliptic and hyperelliptic curves are described, for example, in the article by VS Miller, "Use of Elliptic Curves in Cryptography", Advances in Cryptology, CRYPTO '85 Proceedings, p 417-426, Springer Verlag, Berlin 1986, or in N. Koblitz, Elliptic Curves Cryptosystems, Mathematics of Computation vol. 48, No. 177, 203-209, 1987, and "Hyperelliptic Cryptosystems," Journal of Cryptology, Vol. 1. n 3, pp 129-150, 1989. One of the flaws of the Diffie-Hellman protocol is the so-called Man-in-the-middle attack. This attack assumes that the attacker intervenes on the network by reading and modifying the data that he sees passing. The attacker pretends to be Alice to Bob and Bob to Alice. The protocol of exchange of data of initialization described previously is then applied on the one hand, between Alice and the attacker (in whom Alice thinks to recognize Bob) and on the other hand between Bob and the attacker (in whom Bob believes recognize Alice). In more detail, the attacker generates on his side random data al and bl and calculates his own initialization data Gal and Gbl, subsequently called piracy initialization data. When the attacker sees pass the initialization data Ga sent by Alice, it intercepts and replaces it with the pirate initialization data Gal that it transfers to Bob. Similarly, when Bob passes the initialization data Gb sent by Bob, he replaces it with the pirate initialization data Gbl which he transfers to Alice. After these exchanges, on the one hand, he calculates and shares with Alice the shared secret data Gabl that he will use to encrypt communications with Alice, and on the other hand, he calculates and shares with Bob the common secret data Galb that it will use to encrypt communications with Bob. When Alice wants to send a message to Bob, she encrypts it with the key from Gab1, which she thinks she shares with Bob and actually shares it with the attacker. The latter intercepts the message, decrypts it and therefore has access to the message in the clear, and then encrypts it again, but this time with the key from Galb before sending it to Bob. This one receives an encrypted message with a key which he thinks to share with Alice but which in fact shares with the attacker. The case of a message sent by Bob to Alice is treated in a similar way, mutatis mutandis. In practice, the attacker can read all the data exchanged, and this without the knowledge of both users who believe their message perfectly indecipherable by any third party. To counter the so-called Man-in-the-middle attack, it is necessary that each user can ensure that the initialization message comes from his interlocutor and that this initialization message has not been modified during the transmission. . Good solutions have been put in place for communications between professionals or between the general public and professional sites (e-commerce, home banking applications, etc.). They are based on so-called asymmetric cryptosystems, in which a user has a pair of keys, one of them, called public key being known by all, the other, called private key being confidential and not being known only from him. Anyone can, using the recipient's public key, encrypt a message that the recipient alone can decrypt with his private key. A user can also sign a message using his private key, and anyone can check the signature, using the public key of this user. In the protocol described above, it is sufficient that one of the two users, for example Bob has such a system. He can then sign the message containing Gb he sends to Alice, and the attacker can not in any case sign the message containing Gbl by making believe that Alice is Bob who signed it. Similarly Alice can send Bob the Ga message encrypted with Bob's public key. Only this one can re-read the message. The Man-in-the-middle attack as described above then becomes impossible. However, these solutions are easy to implement between professionals or at least when one of the users is a professional (merchant site, bank, ...). However, they are cumbersome and difficult to implement for applications in which two consumer users wish to communicate in a confidential manner, without the information transmitted being spied on or even modified. To develop a secure communication system, each user should be assigned a private key-public key pair and know the public keys of each of his potential correspondents. Such a solution can be considered within a company in which a security administrator would be responsible for the management and distribution of keys.

  On the other hand, a solution of this type is absolutely inapplicable for a general public application such as for example applications of the VoIP type (Internet Protocol), in which telephone conversations between users are transmitted via the Internet network instead of a network. telephone call. Indeed, it would be necessary, among other things, to transmit the public key of each new user to all other users, and this in a secure manner. This is totally unrealistic for an application likely to have many thousands or even millions of users. One point that has hitherto been unresolved, and to which the object of this patent is intended to respond, is to allow two users engaging in communication with each other to ensure that their initialization messages do not have been modified during the exchange of these, and without resorting to a heavy key management infrastructure, without having to know beforehand the public key of his interlocutor, and more generally, without prior authentication of users.

  The objective of the present invention is that both users are certain that they are alone on the line, that is to say that their communications can only be listened to by them alone. Afterwards, they will be able to invite other users to join their conversation, while being certain that there is no illicit listening to their conversation.

  The basic idea of the present invention is to allow the two users to exchange at a time a control message of the type My initialization message contained Ga. However, if this exchange is done through the Manin-the-middle attacking network, it will be easy for the attacker to modify the control message by replacing the real initialization data with a new one. pirate boot data. The control message to be exchanged must be transmitted without being able to be modified by the attacker. Using another communication channel to transmit control information can be a solution, provided that you are sure that this other communication channel has not been compromised as well. In Voice over IP applications, the data exchanged by users are audible messages that are digitized and transmitted as binary data packets. The invention proposes to transmit the control information by an analog communication channel such as the voice. Thus, Alice can, at any moment of the communication, deliver vocally his message of control. It is then sufficient that his interlocutor Bob verifies that the initialization data Ga that he used to calculate the common secret data Gab is identical to the one that Alice has just sent to him for control.

  In practice, if the initialization data Ga is a number that can reach several hundreds or thousands of bits, it is unrealistic to assume that Alice will accept reading this number or that she will do so without error. Likewise Bob will have to check that this gigantic number is the one he received in digital form. Such a protocol is absolutely unthinkable for a mainstream application.

  The invention object of this patent also solves this problem as follows. In a first step, the two users, after exchanging their initialization data Ga and Gb, calculate from these data a number C called control data. It is then sufficient for the control data to be displayed on the terminal of each of the two users, for one of the two users to read and transmit the control data displayed to the other user by voice, and for the other user to verify that the control data received vocally corresponds to that displayed on its terminal. In the case of a Man-in-the-middle attack, the attacker will have calculated pirate control data on the one hand from the initialization data Gb of Bob and the pirate initialization data Gal, on the other hand from the initialization data Ga of Alice and the pirate initialization data Gbl. But it must still be able to change on the fly, in the sentence sent by Alice to Bob, the control data transmitted. This change should be made in a sound message, and moreover, by infringing on Alice's voice at exactly the right moment. It is extremely unlikely that the attacker will achieve such a performance without Bob detecting that the sound message has been tampered with.

  Symmetrically, Bob will be able to read the control data and transmit it vocally to Alice. Again, an attack from the attacker requires modifying a sound message, counterfeit the voice of Bob. More specifically, the invention relates to a method for generating in a secure manner an encryption key common to at least two users each equipped with at least one communication terminal, the terminals being interconnected by at least one communication network. for digitally communicating with each other, the method comprising steps in which a terminal of each of the users determines a common encryption key from a private secret data and initialization data received in digital form from the other terminal via the communication network. According to the invention, the method comprises a security phase comprising: steps performed by each of the terminals and consisting in determining a control data item from a locally calculated initialization data item and / or the initialization data item received , and displaying the control data, and transmission steps by at least one of the users to the other user of the control data displayed by his terminal, via an analog communication channel, and verification by the other user that there is a correspondence between the control data displayed on its terminal and the control data received from the other user by the other communication channel.

  According to one embodiment of the invention, the control data is transmitted by a voice communication channel between the two users. According to one embodiment of the invention, the voice communication channel is established in the voice over IP communication network.

  According to one embodiment of the invention, the control data is transmitted between the two users by a network separate from the network having transmitted the initialization data. According to one embodiment of the invention, the method comprises steps performed by each of the two users' terminals and consisting in: calculating the initialization data computed locally using a common cryptographic function applied to the data item secret private, transmit to the other terminal in digital form, the initialization data calculated locally, 30 develop a common secret data from the private secret data and the initialization data received, and determine from the data common secret, an encryption key to use to encrypt communications between the two users. According to one embodiment of the invention, the cryptographic function is a function which associates a number a with the number modulo N, where g and N are known integers of the terminals. According to one embodiment of the invention, the private secret data of at least one of the terminals is generated randomly.

  According to one embodiment of the invention, the control data is obtained by applying to the common secret data a control function common to the terminals. According to one embodiment of the invention, the control data is obtained by applying a control function such that a modification of a bit of an input data of the function causes a modification of the control data. According to one embodiment of the invention, the control data is obtained by applying a common control function to the terminals, to the locally calculated initialization data item and to the initialization data item received from the other terminal. According to one embodiment of the invention, the control function applies an exclusive OR function between the locally calculated initialization data item and the received initialization data item. According to one embodiment of the invention, the control function applies to the result of the exclusive OR function applied to the locally calculated initialization data item and to the received initialization data, a computation of a condensate or a calculation of the remainder of the invention. an entire division, to limit the size of the control data to a number of digits. According to one embodiment of the invention, the digital communications are established in the communication network according to the IP protocol. According to one embodiment of the invention, the method comprises steps in which: a communication terminal of a third user determines a common encryption local key with one of the two terminals hereafter referred to as the reference terminal, from secret data and initialization data received in digital form from the reference terminal, via the communication network, the third terminal and the reference terminal execute the security phase between each other and the terminal referent transmits to the third terminal the encryption key determined by the two terminals, in an encrypted form using the common local encryption key determined by the third terminal and the referring terminal.

  The invention also relates to a computer program intended to be executed by a terminal connected to at least one other terminal by at least one digital link of a communication network, designed to implement the method defined above, to secure the generating an encryption key common to the terminal and to the other terminal. The invention also relates to a terminal for securely generating a common encryption key with at least one other communication terminal, the terminal being connected to the other terminal by at least one digital link of a communication network, the terminal comprising means for determining a common encryption key from a private secret data and initialization data received in digital form from the other terminal through the communication network. According to the invention, the terminal comprises: means for determining a control data item from a locally calculated initialization data item and / or received initialization data, means for displaying the control data item, and validation means for allowing a user of the terminal to validate the common encryption key when there is a correspondence between the control data displayed by the terminal and a control data received from a user of the other terminal by the intermediate of an analog communication channel, the common encryption key being used by the terminal only after activation of the validation means by the user. According to one embodiment of the invention, the terminal comprises means for establishing the communication channel between the two users, in voice form. According to one embodiment of the invention, the voice communication channel is established in the voice over IP communication network.

  According to one embodiment of the invention, the terminal comprises means for: calculating the initialization data computed locally using a cryptographic function common to the other terminal, applied to the private secret datum, transmitting to the other terminal in digital form, the locally calculated initialization data, developing a common secret data from the private secret data and the initialization data received, and determining from the common secret data, a key of encryption to use to encrypt communications between users of both terminals. According to one embodiment of the invention, the cryptographic function is a function that associates a number a with the number modulo N, where g and N are known integers of the terminals. According to one embodiment of the invention, the terminal comprises means for randomly generating the private secret data. According to one embodiment of the invention, the terminal comprises means for performing a common control function with the other terminal, and providing the control data from the common secret data. According to one embodiment of the invention, the terminal comprises means for performing a common control function with the other terminal and providing the control data, the control function being such that a modification of a bit of an input data of the function causes a modification of the control data. According to one embodiment of the invention, the control function is applied to the locally calculated initialization data item and to the initialization data item received from the other terminal. According to one embodiment of the invention, the control function applies an exclusive OR function between the locally calculated initialization data item and the received initialization data item. According to one embodiment of the invention, the control function applies to the result of the exclusive OR function applied to the locally calculated initialization data item and to the received initialization data, a computation of a condensate or a calculation of the remainder of the invention. an entire division, to limit the size of the control data to a number of digits. According to one embodiment of the invention, the terminal comprises means for transmitting to a second other terminal the common encryption key in an encrypted form, and encryption means for the common encryption key, using a local encryption key common to the terminal and the other second terminal. According to one embodiment of the invention, the terminal comprises means for developing the local encryption key common to the terminal and the second other terminal, from a private secret datum and initialization data received from the second other terminal, and means for allowing the user to validate the local encryption key. According to one embodiment of the invention, the terminal comprises means for receiving from another terminal a general encryption key, in encrypted form, and means for decrypting the general encryption key by using the common encryption key. at the terminal and at the other terminal.

  These and other objects, features and advantages of the present invention will be set forth in more detail in the following description of an embodiment of the invention, given in a non-limiting manner in relation to the accompanying figures illustrating the operation of the invention. the invention in a particular embodiment, and in which: Figure 1 shows schematically different steps of a securing method according to the invention, Figure 2 shows schematically the application of the method according to the invention to three users . In FIG. 1, a first user A having a communication terminal PA and a second user B having a communication terminal PB wish to establish secure communication between them. Each of the terminals PA, PB comprises means for establishing at least digital and voice communications with the other terminal via at least one Net communication network. For voice communications, the terminals each include a microphone and headphones or loudspeakers. Digital communications can be established in accordance with the Internet Protocol (IP). Voice communications may be established in accordance with the VoIP protocol in the communication network, or via another communication network such as a terrestrial or mobile telephone network.

  In order to secure the communications between the two terminals, the PA terminal of the first user A generates a random data item a by means of a random data generation function Rnd, and calculates with a cryptographic function Algl a data item of initialization Ga that it sends in a digital initialization message to the terminal PB of the second user B via the communication network Net. For its part, the terminal PB generates a random data item b using a random data generation function Rnd, and calculates with the aid of a cryptographic function identical to the function Alg1 used by the workstation PA. , an initialization data Gb that it sends in a digital initialization message to the terminal PA via the communication network Net. The terminal PA of the first user A receives via the communication network Net an initialization message comprising an initialization data Gb 'which is in principle the initialization data Gb sent by the terminal PB. However, it is not known if the initialization message was changed during the communication. It is therefore not known whether the initialization data Gb 'thus received by the terminal PA is identical to the initialization data Gb that has been sent by the terminal PB. Symmetrically, the terminal PB receives via the communication network Net an initialization message which contains in principle the initialization data Ga sent by the terminal PA. However, it is not known if the initialization message was changed during the communication. It is therefore not known whether the initialization data Ga 'thus received by leterminal PB is identical to that Ga which has been sent by the terminal PA.

  Moreover, the terminal PA calculates, using a cryptographic function Alg2 applied to the random data item a and to the data item Gb 'that it has received via the communication network Net, a secret data item Gab' that it will use to determine an encryption key for encrypting communications to the PB terminal.

  Symmetrically, the terminal PB calculates a secret data Gba 'using a cryptographic function identical to the function Alg2, applied to the random data item b and to the initialization data Ga' that it has received via the data network. Net communication. The secret data Gba 'will then be used by the terminal PB to determine an encryption key for encrypting communications to the terminal PA.

  According to the invention, the terminal PA calculates a control data Ca by means of a control function FC, applied to the initialization data Ga that it has sent to the second terminal PB, and to the data item. initialization Gb 'received via the communication network Net. The terminal PA then displays the control data Ca thus obtained.

  Symmetrically, the terminal PB calculates a control data Cb using the same control function FC as that used by the terminal PA, applied to the initialization data Gb that it sent to the terminal PA, and to the initialization data Ga 'he received via the communication network Net. The terminal PB then displays the control data Cb thus obtained. It is then sufficient that one of two users, for example A, uses a voice communication channel CV to transmit orally to the second user B the control data Ca displayed by its terminal PA, in a control voice message of the type: The data The control that appears on my screen is as follows .... On receipt of the control message transmitted by the voice channel CV, the second user B can check whether the control data Ca which has been so transmitted to him vocally is identical to the control data Cb which is displayed on its terminal PB. If it is different, it means that the communication is likely being listened to by a Man-in-the-middle attack. On the other hand, if the control data Ca, Cb are identical, it means that the initialization data received Ga ', Gb' are very probably identical to the initialization data Ga, Gb transmitted by the net network. The terminals PA, PB include a validation command allowing the users A, B to validate the common secret data Gab which is then most probably equal to Gab 'or Gba' when, according to the control messages exchanged vocally by the two users A, B, the control data Ca, Cb displayed by the terminals PA, PB are identical. When the data Gab is validated by both users, the encryption key obtained from the data Gab is considered safe and can be used safely by the terminals A, B, for example to encrypt a digital communication and / or between the users A, B. The security is increased when the control function FC used to calculate the control data Ca, Cb is such that a modification of one bit of one or the other of the data of initialization Ga, Gb modifies the value of the control data Ca, Cb. In a particular embodiment of the invention, the control data Ca, Cb is a few digits (for example 6 or more if additional security is required). The control function FC for obtaining the numbers Ca, Cb connects the two following steps. The first step consists of applying a bitwise exclusive OR operator (XOR) between the initialization data Ga, Gb generated by each terminal PA, PB and the initialization data Gb ', Ga' received from the terminal of the other user. Remember that the result of the operator XOR applied to two bits is 0 if the two bits are equal, and 1 in the opposite case. In a second step, the remainder modulo one million (for 6 decimal digits) of the result of this first step is calculated. More generally, the modulo value is chosen equal to 10 power n, where n is the number of decimal digits required for the control data. This particular mode of calculation of the control data Ca, Cb ensures a quasi equiprobability of all the sequences of 6 decimal digits (or more generally of n decimal digits). There is then a one in a million chance that the control data Ca, Cb are equal when the calculated and received initialization data are different.

  Of course, other functions of calculation of the control data Ca, Cb can be used, without departing from the scope of the present invention. The security is increased when the calculation function of the control data Ca, Cb is such that a modification of a bit of one or the other of the initialization data modifies the value of the control data.

  Note that in the particular embodiment presented here, the determination of the control data Ca, Cb implements only information that has already passed through the network. The knowledge of this data by an attacker does not provide him with any additional information in relation to the information he already accesses by listening to the network. The implementation of this protocol does not introduce any weakness compared to the Diffie Hellman protocol and its derivatives.

  This would not be the case if the control data was calculated from all or part of the common data item Gab used to determine the encryption keys. Indeed, in the latter case, information on the control data could introduce a weakness in the encryption.

  The invention thus described may be generalized to any number of users wishing to put themselves together in communication, hereinafter referred to as a conference. In FIG. 2, the first two users in communication A, B implement the protocol described above to determine a common secret data item Gab that will be used to determine an encryption key. The encryption key thus obtained will then be the general encryption key used by all participants in the conference. Each newcomer C has a reference interlocutor A among the users already arrived A, B (thus knowing the general encryption key determined on the basis of the secret data Gab). The protocol described above is then implemented between the newcomer C and its reference interlocutor A, to generate a secret data Gac used to determine a local encryption key. Thus, PA and PC terminals generate random data a and c, calculate by applying the same cryptographic function Alg1 initialization data Ga, Gc they exchange via the Net network. The PA and PC terminals then calculate a control data Ca, Cc by applying a control function to the generated initialization data Ga, Gc and to the received initialization data Gc ', Ga', and display the control data. calculated. One and / or the other of the users A and C then vocally transmits by a CV channel the value of the control data Ca, Cc displayed on its terminal in a control message, to check whether the control data displayed by the two terminals PA, PC are identical. If the control data Ca, Cc are identical, the terminals PA, PC calculate a common secret data Gac ', Gca' and the users A and C validate the common secret data Gac (= Gac '= Gca') using a validation command offered by the PA, PC terminals. Following the validation of the data Gac, the terminals PA, PC determine from the Gac data which has been secured, an encryption key called local key. The local key is then used by the PA terminal of the reference interlocutor A to encrypt the general encryption key or the secret data item Gab using an encryption function Alg3, and to send it securely to the the new user's PC terminal C. Being the only one with the terminal PA to know the local encryption key, the terminal PC can thus decrypt the general encryption key or the secret data item Gab by using a decryption function Alg3 'corresponding to the function Alg3 encryption. If the PC terminal has decrypted the secret data Gab, it has the general encryption key and can therefore participate in the conference. It will be apparent to those skilled in the art that the present invention is susceptible to various embodiments and applications. In particular, it is not necessary that each of the two users vocally transmit the control data displayed by its terminal. Indeed, it is sufficient to ensure that the communication is not the subject of a Man-in-the-middle attack that only one of the two users reads the control data displayed on its terminal and that the Another user verifies that the control data received vocally corresponds to that which is displayed on his terminal. Other functions than the exclusive OR function combined with a modulo function can be used to determine the control data. For example, a hash function such as MD5 or SHA1 can be applied to any of the received or locally generated initialization data, or to the shared secret data, or to the result of the exclusive OR function applied. initialization data received and developed locally.

  Nor is it necessary for the control data displayed by the two terminals to be identical. It is simply important for the users to be able to verify the existence of a correspondence between the displayed control data and the control data received from the other user.

  The invention is not limited to a voice transmission of the control data but extends to any transmission of this data in another form than a digital form. We can indeed consider that the screen of each of the terminals is filmed by a digital camera, the images captured by the camera being transmitted to the terminal of the other user to be displayed. In this way, each user can check on the screen of his terminal, the identity between the control data displayed by the two terminals. To be able to access the communication between the two users, the attacker will have to modify on the fly the images transmitted by at least one of the two terminals. The transmission of the control data can be done by the same network (for example voice over IP) or by another network than that used to transmit the initialization data. Thus, the control data can be transmitted by a terrestrial or mobile telephone network. Also, the expression analog communication channel used in the foregoing description and in the appended claims designates any means of communication receiving as input data in a form of analog origin (sound, video or other) and outputting the data transmitted in their original form, the data being transmitted in any format, analog or digital, by one or more communication networks.

  The invention does not necessarily apply to security protocols involving random data that is generated during the establishment of the communication. It applies more generally to any security protocol using a common secret key that is developed at the time of establishment of communication between the two users.

Claims (30)

claims   A method for generating in a secure manner an encryption key common to at least two users (A, B) each equipped with at least one communication terminal (PA, PB), the terminals being connected to each other by at least a communication network (Net) for communicating with each other numerically, the method comprising steps in which a terminal of each of the users determines a common encryption key (Gab) from a private secret data (a, b) and an initialization data item (Gb ', Ga') received in digital form from the other terminal via the communication network, characterized in that it comprises a security phase comprising: steps executed by each terminals (PA, PB) and consisting in determining a control data (Ca, Cb) from a locally calculated initialization datum (Ga, Gb) and / or the received initialization datum (Gb ', Ga '), and to display the gift control, and transmission steps by at least one of the users (A, B) to the other user of the control data displayed by his terminal, via an analog communication channel (CV ), and verification by the other user that there is a correspondence between the control data displayed on its terminal and the control data received from the other user by the other communication channel.   The method of claim 1, wherein the control data (Ca, Cb) is transmitted by a voice communication channel (CV) between the two users (A, B).   3. Method according to claim 2, wherein the voice communication channel (CV) is established in the communication network (Net) voice over IP.   4. The method of claim 1 or 2, wherein the control data (Ca, Cb) is transmitted between the two users by a network distinct from the network (Net) having transmitted the initialization data (Ga, Gb). 30   5. Method according to one of claims 1 to 4, comprising steps performed by each of the terminals (PA, PB) of the two users (A, B) and consisting of: calculating the initialization data calculated locally (Ga, Gb) ) using a common cryptographic function (Alg1) applied to the private secret data (a, b), to transmit to the other terminal (PA, PB) in digital form, the locally calculated initialization data, elaborate a common secret data (Gab) from the private secret data (a, b) and the received initialization data (Gb ', Ga'), and determining from the common secret data, an encryption key to use to encrypt communications between the two users.   6. The method according to claim 5, wherein the cryptographic function (Alg1) is a function that associates a number a with the number g power modulo N, g and N being integers known terminals.   7. Method according to one of claims 1 to 6, wherein the private secret data (a, b) of at least one of the terminals (PA, PB) is generated randomly.   8. Method according to one of claims 1 to 7, wherein the control data (Ca, Cb) is obtained by applying to the common secret data (Gab) a control function (FC) common to the terminals (PA, PB).   9. Method according to one of claims 1 to 7, wherein the control data (Ca, Cb) is obtained by applying a control function (FC) such as a modification of a bit of a datum d input of the function causes a modification of the control data.   10. Method according to one of claims 1 to 7, wherein the control data (Ca, Cb) is obtained by applying a control function (FC) common to the terminals, to the locally calculated initialization data (Ga, Gb) and the initialization data (Ga ', Gb') received from the other terminal.   The method of claim 10, wherein the control function (FC) applies an exclusive OR function between the locally calculated initialization data (Ga, Gb) and the received initialization data (Ga ', Gb'). .   The method of claim 11, wherein the control function (FC) applies to the result of the exclusive OR function applied to the locally calculated initialization data (Ga, Gb) and to the received initialization data (Ga ', Gb'), a condensed calculation or a remainder calculation of an integer division, to limit the size of the control data (Ca, Cb) to a number of digits. 15   Method according to one of claims 1 to 12, wherein the digital communications are established in the communication network (Net) according to the IP protocol. 20   14. Method according to one of claims 1 to 13, comprising steps in which: a communication terminal (PC) of a third user (C) determines a local encryption key (Gac) with one of the two terminals (PA, PB), hereinafter referred to as the reference terminal (PA), from a secret data item (c) and an initialization data item (Ga ') received in digital form from the reference terminal, by via the communication network (Net), the third terminal (PC) and the reference terminal (PA) execute the security phase between them, and the reference terminal transmits to the third terminal the encryption key (Gab) determined by the two terminals (PA, PB), in an encrypted form using the common local encryption key (Gac) determined by the third terminal and the referring terminal.   15. Computer program intended to be executed by a terminal (PA, PB) connected to at least one other terminal (PB, PA) by at least one digital link of a communication network (Net), characterized in that it is designed to implement the method 5 according to one of claims 1 to 14 to secure the generation of an encryption key common to the terminal (PA) and the other terminal (PB).   16. Terminal (PA) for securely generating a common encryption key with at least one other communication terminal 10 (PB), the terminal being connected to the other terminal by at least one digital link of a communication network (Net), the terminal comprising means for determining a common encryption key (Gab) from a private secret data item (a) and an initialization data item (Gb ') received in digital form from the other terminal through the communication network, characterized in that the terminal (PA) comprises: means for determining a control data (Ca) from a locally calculated initialization data (Ga) and / or received initialization data (Gb '), means for displaying the control data, and validation means for allowing a user (A) of the terminal to validate the common encryption key (Gab) when there is a correspondence between the data of control displayed by the terminal and a control data (Cb) received from a user (B) of the other terminal (PB) via an analog communication channel (CV), the encryption key common terminal being usable by the terminal only after activation of the validation means by the user.   Terminal according to claim 16, comprising means for establishing the communication channel (CV) between the two users (A, B), in voice form.   18. Terminal according to claim 17, wherein the voice communication channel (CV) is established in the communication network (Net) in voice over IP.   19. Terminal according to one of claims 16 to 18, comprising means for: calculating the initialization data calculated locally (Ga) using a cryptographic function (Alg 1) common with the other terminal (PB ), applied to the private secret data item (a), transmitting to the other terminal (PB) in digital form, the locally calculated initialization data item, developing a common secret data item (Gab) from the private secret data item and the received initialization data (Gb '), and determining from the common secret data, an encryption key to be used to encrypt the communications between the users (A, B) of the two terminals (PA, PB).   20. Terminal according to claim 19, wherein the cryptographic function (Alg 1) is a function which associates a number a with the number g power modulo N, g and N being integers known terminals.   21. Terminal according to one of claims 16 to 20, comprising means for randomly generating the private secret data (a).   22. Terminal according to one of claims 16 to 21, comprising means for performing a control function (FC) common with the other terminal (PB), and providing the control data (Ca) from the data Secret Joint (Gab).   23. Terminal according to one of claims 16 to 21, comprising means for performing a control function (FC) common with the other terminal (PB) and providing the control data (Ca), the control function being such that a modification of a bit of an input data of the function causes a modification of the control data.   24. The terminal of claim 23, wherein the control function (FC) is applied to the locally calculated initialization data (Ga) and to the initialization data (Gb ') received from the other terminal (PB). .   Terminal according to claim 24, wherein the control function (FC) applies an exclusive OR function between the locally calculated initialization data (Ga) and the received initialization data (Gb ').   The terminal of claim 25, wherein the control function (FC) applies to the result of the exclusive OR function applied to the locally calculated initialization data (Ga) and to the received initialization data (Gb '), a digest calculation or a remainder calculation of an integer division, to limit the size of the control data (Ca) to a number of digits.   Terminal according to one of claims 16 to 26, wherein the digital communications are established in the communication network (Net) in accordance with the IP protocol.   28. Terminal according to one of claims 16 to 27, comprising means for transmitting to a second other terminal (PC) the common encryption key (Gab) in encrypted form, and encryption means (Alg3) of the common encryption key, using a local encryption key (Gac) common to the terminal (PA) and the second other terminal (PC).   29. The terminal of claim 28, comprising means for developing the local encryption key (Gac) common to the terminal (PA) and the second other terminal (PC), from a private secret data (a) and an initialization data (Gc ') received from the second other terminal (PC), and validation means for allowing the user (A) of the terminal (PA) to validate the local encryption key. 30   30. Terminal according to one of claims 16 to 29, comprising means for receiving from a different terminal (PA) a general encryption key (Gab), in encrypted form, and means for decrypting (Alg3 ') the general encryption key using the encryption key 35 (Gac) common to the terminal (PC) and the other terminal (PA).