FR2901438A1 - Client e.g. computer, connection establishing method for e.g. bank transaction application, involves handshaking safety parameters by client and server to establish secured session by utilizing pre shared key, and authenticating client - Google Patents

Abstract

The method involves handshaking safety parameters e.g. encrypting algorithm, by a client and a server to establish a secured session between the client and the server by utilizing a pre shared key. The client close to the server is authenticated, and cryptographic keys of the session are generated by utilizing pseudo random function (PRF). Integrity of data exchange between the client and the server is verified.

Description

-2- Several technologies are available to establish sessions

  secure between a client and a server. Here we mention SSL (Secure Sockets Layer), Transport Layer Security (TLS), and Internet Protocol Security (IPSec). Based on SSL which is developed by Netscape, the TLS protocol defined by RFC 2246 is the main security protocol at the Transport level (OSI layer 4 (Open Systems Interconnection)). Various applications such as e-commerce on the Internet, web browsers and banking transactions support secure transactions using the TLS protocol. TLS provides a transparent channel. That is, it is simple to secure the application protocol by inserting TLS between the Application layer (OSI layer number 7) and the Network layer (OSI layer number 3). However, TLS requires a reliable transport protocol such as TCP (Tranport Control Protocol). TLS is suitable for securing different types of traffic and exchange. These types include file transfer, email forwarding, remote access, directory access and object access. However, a TLS version adapted to unreliable transport protocols such as IJDP (User Datagram Protocol) is available. This version is called DTLS (Datagram TLS) and is described by RFC 4347. Another context of TLS is the context of wireless and mobile networks, such as WiFi, the 802 family, and WiMax. For example, the 802 series defines the Extensible Authentication Protocol (EAP) as a generic authentication protocol that supports multiple authentication mechanisms. The extensibility of the EAP makes it possible to encapsulate any authentication mechanism inside the EAP message. The integration of TLS with EAP, defined by RFC 2716, 25 has become a solution for authentication and key distribution in networks that use EAP in their protocol stacks. EAP-TLS is used more specifically for authentication and access control at the Link or MAC level (OSI layer 2). The strengths of TLS allow it to integrate easily into other communication environments; 3GPP (Thirdeneration Partnership Project) and 802.11 wireless communications networks provide an extensible framework for the integration of new services and new encryption and authentication methods using RFC 3546. TLS defines Authentication mechanisms based on certificate exchange During the TLS negotiation phase, the server sends its certificate to the terminal, which in turn must check whether the certificate is valid and not revoked. requires an Internet connection The use of these certificates requires public-key infrastructures that are used to establish a chain of certification or trust between communicating entities The functions required by Public Key Infrastructure (PKI) or Public Key Infrastructure (cryptographic operations, certificate management, data loading, ...) make it extremely expensive It is used for mobile networks, whereas it is already complex for fixed networks. To remedy this problem, we define a mechanism based on the use of a shared key (PSK, Pre Shared Key) and TLS, as described by RFC 4279. This mechanism does not require the use of certificates and PKI for authentication; it is better suited for certain wireless and small-scale networks where customers are pre-configured or customized. Figure 2 illustrates the phase of TLS handshake between a client (121) and a server (131). This phase is divided into three stages. In a first step (201, 202, 203, 204, 205, 206), the client and the server negotiate the security parameters (such as the random values, the key exchange algorithm, the encryption algorithm, the hash function,

  .) to establish a secure session. The "cipher spec" parameter is used to negotiate the key exchange algorithm, the encryption algorithm and the hash function. The second step (207, 208, 209) consists of authenticating the client to the server and generating the cryptographic keys of the session by using the PRF function (Pseudo Random Function). These keys will be used in cryptographic operations to protect the data during their transfer. The cryptographic operations use the cryptographic algorithms negotiated during the first step. During the third step (210, 211, 212, 213), the client and the server verify the integrity of their exchanges by calculating the condensate of all transmitted and received messages and encrypting the result with the encryption key calculated during the second step. During this third phase, the server will be implicitly authenticated to the client. In fact, the client generates during the second phase a random value of 46 bytes called "premaster secret" (208) and concatenates it with the negotiated version of TLS, then it encrypts the result with the public key of the server sent in the message "Certificate" (203) The encrypted value is sent to the decrypting server 35 using its private key to obtain the "secret premaster". This secret is used both by the client and the server to generate the same secret master secret. The "master secret" is used in the generation of the symmetric keys used in the encryption and in the calculation of the MAC (Message Authentication Code) The first messages encrypted and signed with the generated keys are the "Finished" messages (211, 213 ). Therefore, it is impossible for an entity that does not have the private key corresponding to the public key sent by the server during the second step, to discover the "secret premaster" and to generate the same keys. 4 illustrate two methods for completing the TLS handshake phase with a shared key, according to the invention the messages are exchanged in accordance with the TLS protocol as described by RFC 2246, 3546 and 4279. In a first phase, the customer or the "senso?" tells the server that it wants to establish a TLS-PSK session (TLS session using a shared key) The client completes this phase, either by sending a list of cryptographic options supported by the client (301) and based on the use of shared keys, either by the use of an extension (401) In the first case (Figure 3), the client uses the parameter "cipher spec" (301) to send its list of "cipher suite" specified for the use of the shared key with TLS For example, TLS_DHE_PSK_WITH_RC4_128_SHA indicates that the client supports a Diffie-Hellman based key exchange method by introducing the shared key with the use of SHA1 hash function and symmetric RC4 encryption In this case, the client implicitly informs the server that it supports shared key authentication and that it can exchange keys using the Diffie-Hellman algorithm.This mechanism is described in RFC 4279. The client generates the "secret premaster" (46 bytes) and concatenates with the TLS version and encrypts the result the public key sent by the server in the "ServerKeyExchange" message (303). Then, the client sends the result to the server using the "ClientKeyExchange" message (305). The "secret premaster" will then be used in conjunction with the shared secret to calculate the session keys and to establish the mutual authentication Then the client and the server check the integrity of their exchanges by calculating the condensate of all the transmitted messages and received and encrypting the result with the calculated encryption key (306, 307, 308, 309) In the second case (Figure 4), the client adds to its message "ClientHello" an extension (401) which is defined in based on RFC 3546. When this extension is sent, it can carry one or more shared key mode key exchange methods supported by the client .The contents of the extension will carry 2901438 -5-the identifier of the If the server accepts the use of this extension, it responds with the same extension type (402). Then, the client and the server derive the session keys by applying the PRF function (Pseudo Random Function) on the shared key and the random values "ClientHello.randorn" and "ServerHello.random" and 5 activate the use of negotiated parameters (403, 405). Finally, they authenticate via the "Finished" messages (404, 406) Note that in Figure 3 (second case), the client and the server imply the use of the "premaster secret" in the process of generating the session keys. As described in TLS, these messages represent evidence that the client and the server have derived the same keys (encryption, MAC,

  .). In our approach, the "Finished" messages represent an additional service: the two entities have read the shared key, which means that no one can calculate a valid "Finished" without having the real shared key. Hence the mutual authentication by the "Finished." We will now describe a means of implementing the authentication method with the use of the shared keys, using a security module, illustrated in FIG. Figure 5. The term security module refers to a silicon integrated circuit (501a), usually referred to as a smart object, a sensor or a Tamper Resistant Device, which are components that are resistant to attacks and available in different formats such as PVC cards, smart cards (SIM card, USIM card, RUIM card, UIM card, ...) embedded in USB tokens, in memory MMC (MultiMedia Caro, or in other types of terminals ... DTD: A security module incorporates all secure means of data storage and also allows the execution of software in a secure and protected environment, more specifically, it comprises a central unit (CPU, 501). ), a ROM memory tockant the operating system code (502), the RAM memory (503) and a non-volatile memory (NVR, 504) used as a storage device analogous to a hard disk and which contains, for example, embedded software TLS, EAP -TLS, TLS with shared key-based authentication or EAP-TLS with shared key-based authentication. A system bus (500) connects the different members of the secure module. The interface with the outside world (501b) is provided by an IO input / output port (505), compliant with standards such as ISO7816, USB, ISO7816-12, MMC, IEEE 802.3, IEEE 802.11, .. We now refer to FIGS. 6 and 7. We consider a security module ((611) or (612) or (613)) which comprises EAP-TLS-PSK software (615) and TLS-PSK software ( 616) with authentication based on a shared key (617). This module realizes the TLS protocol with a shared key, it receives through an IO port (FIG. 5, 505) EAP-TLS-PSK messages sent by the NAS (Network Access Server) (EAP-TLS session using a shared key The module stores the shared key (617) and the identity of the module and its shared keys are also stored securely at the end of the EAP-TLS-PSK session. ((620, 621, 622, 623, 624, 625, 626, 627) or (720, 721, 722, 723, 724, 725, 726, 727, 728, 729)), a key MSK (Master Session Key) (619) is available for the user entity of the module, typically an operating system.The key MSK is derived from, among others, the "secret premaster" (FIG.6, 618) or the shared key (FIG. The MSK key 2901438 -7- is used to ensure the security of the communications of an access point and client pair of a wireless network. by a security module ((611) or (612) or (613)) of a software EAP-TLS-PSK (615) or TLS-PSK (616), equipped according to the invention with a mechanism 5 authentication based on shared keys, the following advantages: - With EAP-TLS, the use of certificates is mandatory. The EAP-TLS client can not have a network connection until successfully authenticated. During the EAP-TLS authentication phase, viewing the revocation list requires an Internet connection. Since the client will not have this connection until the successful completion of the authentication phase, he must assume that the server's certificate is unrevoked and he can verify his hypothesis as soon as the connection is provided. With EAP-TLS-PSK, the client can authenticate the server without having a network connection during the authentication phase. Current TLS and EAP-TLS specifications allow mutual authentication between entities through the use of certificates. The use of these certificates requires public key infrastructures that serve to establish a chain of certification or trust between the communicating entities. The functions required by PKIs (cryptographic operations, certificate management, data loading, etc.) make their use for mobile networks extremely expensive, whereas it is already complex for fixed networks. EAP-TLS-PSK is capable of reducing protocol load, cryptographic load, and management overhead while maintaining the level of security provided by the current TLS and EAP-TLS specifications. By nature, TLS messages exchanged between a server and a client can be read and analyzed by any observer in the network. For this and in the case of EAP-TLS-PSK, the server can send the client a new identifier securely after the authentication phase. This prevents an observer from capturing the data and correlating the identity of the key with the communicating person. 30 -8-Consider a network infrastructure and several clients each equipped with an EAP-TLS-PSK or TLS-PSK security module. These clients are managed by one or more RADIUS (Remote Authentication Cria / User Service) or AAA (Authentication, Authorization, and Accounting) servers based on network constraints.

  We now consider Figure 1. Security modules ((111), (112)), qualified by an intelligent object (101) or a smart card (102) or sensors ((103), (104)) and are controlled by NASs or access points (106). These modules include EAP-TLS-PSK software or TLS-PSK software. These modules are attached to a terminal (105) provided with at least one communication interface or they communicate directly with the NASs and the access points using a radio or wireless interface. Smart cards, smart objects and sensors are associated with one or more RADIUS or AAA authentication servers (108) provided with at least one communication interface and implementing EAP-TLS-PSK software or TLS software. PSK.

  Numerous free software such as OPENRADIUS or FREERADIUS offer RADIUS authentication services. Figure 8 details the information exchanged between an access point (801) and a RADIUS authentication server (802) implementing EAP-TLS-PSK and TLS-PSK. The server comprises, in accordance with the preceding descriptions, the shared keys.

  We designate under the term RADIUS session (801a) a sequence of packets (803, 804, 805, 806, 807, 808) exchanged between the access point and the RADIUS authentication server. These packets convey information exchanged between an EAP client and an EAP server. On the RADIUS server side, a session begins with the receipt of an "EAP-Identity.response" included in an "Access-Requesf" (803) package, and ends with the generation of a typical "EAP-Succ9ss" notification. in an "Access-Accepf" package (808). At the end of the session, an MSK key is available on the server. This key is derived in the same way previously described.30

Claims (3)

claims   1) Method for establishing a secure link by the TLS protocol or by one of its versions, in particular DTLS, SSL, EAP-TLS, characterized in that: the authentication is performed by a shared key and; - the customer is in itself or integrates a smart object, a sensor or a smart card or one of its types, including SIM, USIM, UIM, RUIM, PIM, UICC.   2) Client device for implementing the method according to claim 1, provided with at least one communication interface and in that it implements the TLS protocol or one of its versions, including DTLS, SSL, EAP-TLS.   3) server device for implementing the method according to claim 1, characterized in that it may or may not or does not include a sensor, a smart object or a smart card or one of its types, including SIM , USIM, UIM, RUIM, PIM, UICC, provided with at least one communication interface and in that it implements the TLS protocol or one of its versions, in particular DTLS, SSL, EAP-TLS, and / or the protocol EAP and / or RADIUS Protocol or AAA protocol services.