FR2950767A1 - Entities e.g. web server, communication method for e.g. Internet, involves deducing current value of transaction number and value of session key, if value of transaction identifier does not correspond to expected value of transaction number - Google Patents

Abstract

The method involves generating transaction identifier by an authorization server (S), and sending the transaction identifier to an entity (A). Elements containing the transaction identifier are sent to another entity (B) by the former entity. A determination is made to find whether the value of the transaction identifier corresponds to expected value of transaction number. Current value of the transaction number and the value of the session key are deduced, if the value of the transaction identifier does not correspond to expected value of transaction number. Independent claims are also included for the following: (1) an authorization server for securely communicating between entities in a telecommunication network, comprising an identifying unit (2) a fixed data storing unit comprising computer program code instructions to perform a method for securely communicating between entities (3) a downloaded computer program comprising instructions to perform a method for securely communicating between entities.

Description

METHOD FOR SECURE COMMUNICATIONS IN A TELECOMMUNICATIONS NETWORK

The present invention relates to securing communications in a telecommunications network.

Telecommunications networks, such as the Internet, transmit data between different network entities, such as a web server or e-mail server, via a common infrastructure. The invention can be applied for example to the secure access of a network entity to a service platform.

The invention can also be applied, for example, to the transmission of an "original message" from a network entity to one or more other network entity (s) (by "original message" here means a set any information, for example an e-mail or a request for VoIP call initiation or an "instant message"). It will generally be said that an original message is sent by a "sending client" attached to a "sender" domain and connected to a "sender" domain, to a "recipient client" attached to a "recipient" domain and connected to a "receiver" domain (in the context of the present invention, it will be said that an entity is "attached" to a network domain when this entity has a service and / or logical and / or administrative link with this domain; case of the electronic mail, the logical address corresponds to the address "email"). The sender domain may or may not be separate from the sender domain, and the receiving domain may or may not be distinct from the recipient domain; this distinction between domains is useful, for example, when a sender domain relays to a recipient client a message sent by a roaming sender client that is connected to this sender domain but is not attached to the sender domain.

As is well known, telecommunications networks are attacked by professional, administrative or individual targets. A common attack nowadays is to send as many recipients as possible unwanted messages that they have not solicited, such as "Spam" for e-mails or "Spits" for Internet phone calls. . The term "undesirable" is taken in a broad sense and applies both to the identity of the sender of the message, which may be authentic or falsified, and to the content of the message.

The possibility of Spam-type attacks is mainly due to the following factors: - the weakness of the protocols used on the Internet, such as the Simple Mail Transfer Protocol (SMTP), which is the most used for the transfer of electronic mail and which not including any authentication functions of the sender of a mail - the increase in the power of computers that can send unwanted messages in bulk automatically over a very short period of time - and - the increase the number of networks with access to the Internet and the connectivity between these networks, which presents a very large number of targets to attackers who can shelter behind relatively permissive networks or out of the legal or administrative scope of the target networks. moreover, it is not easy, for a transmitter domain of the type "issuer.fr", to determine if an address of the type usereexpéditeur.fr provided by a customer ex Itinerant sender connected to this sender domain is valid, ie if the address of this client is actually assigned in the domain "sender.fr" and if this client has the rights to send a message from this address: indeed, the sender domain does not manage the identities, that is to say the logical addresses of the type "sender.fr". This control difficulty is often used by attackers to send messages under a false identity from a domain to which attackers have access, or via a corrupt machine located in a legitimate domain. For example, an Internet domain "domaine.fr" created by an attacker can be used to make VoIP calls with a caller ID + 332abcdefghedomain.fr, when in fact the subscriber number " + 332abcdefgh "is attributed, say, to the domain" orange.fr ". Faced with this type of attack, adding a digital signature to the calling domain (see RFC 4474 of the IETF) is inefficient, because if it guarantees to the recipient that the call comes from "domain .fr ", this does not guarantee that the calling number is actually registered in this area. A solution to this difficulty of control is to block in the sending domain the sending of any message whose original address is not attached to the issuer domain, but this solution is too limiting, especially for the mobility of the services of Voice over Internet Protocol (VoIP) which allows a roaming terminal to use a third party relay such as a sender domain to establish a telephone call, which poses the problem of finding ways to a recipient domain to ensure that sufficient controls have been achieved at the level of the domain issuing the message.In the context of the present invention, will be called "transaction" all the protocol exchanges allowing the establishment of a secret shared, or primary session key, between two network entities A and B for the duration of a session The transaction corresponds to the initialization phase of the session, this sess can last much longer than the transaction. In some parts of the description, the terms transaction and session may be considered equivalent. For the sake of simplification, the session primary key will also be noted session key between A and B, independently of derivation or diversification operations that can be applied to it. This session key can for example be used to derivate other secret keys to set up a secure connection (TLS, IPSec, etc.) between the entities A and B. As another example, this session key can make it possible to guarantee the confidentiality or the integrity of an original message sent by the entity A (sending client) to the entity B (recipient customer); each new original message sent from a sending client to one or more client (s) recipient (s) corresponds to a new transaction; conversely, the repetition of a protocol step, for example because of a network problem, is not considered as a new transaction. A network entity can obviously, in principle, authenticate another network entity using a public key infrastructure PKI ("Public Key Infrastructure" in English). But as it is well known, PKI infrastructures are cumbersome to set up and use. Alternatively, some methods, such as the Diffie-Hellman algorithm, provide for the common determination of a session key by two entities prior to any exchange of original messages between them. But such an algorithm does not, in itself, give an entity A any guarantee on the identity of an entity B with which it thus establishes a session key. Alternatively, in networks comprising a small number of users, such as peer networks, provision may be made for a "manual" installation (for example by on-site visit) of a shared secret key for each pair of interested entities. . But such a facility is not suitable for networks with a large number of users. A solution well suited to networks with a large number of users is to set up a trusted third party, commonly called "Key Distribution Center". Each network entity A wishing to use this secure communications service subscribes to the Key Distribution Center, and consequently obtains, for a predetermined period of time or for a predetermined transaction, a secret key KsA shared between A and a server. Authorization S associated with the Key Distribution Center. Advantageously, the subscribers to this service do not have to store secrets or certificates concerning the other subscribers, the security of the communications being done transaction by transaction with the help of the Center of Distribution of Keys. In addition, the Key Distribution Center may, as required, securely transmit secret keys to support entities (storage, gateways, and so on) under its control, or to legal entities for the interception of certain communications. Since the Key Distribution Center is the repository of all the secret keys of the subscribers, it is obviously essential that it be powerfully protected against hostile intrusions, but this does not represent any particular difficulty. For example, under the name "Kerberos" (see RFC 4120 of the IETF), there is known such a method of secure communications between two entities A and B subscribed to the service. This Kerberos process essentially comprises the following steps: 1) An entity A identifies and authenticates itself as the holder of an identifier ID4 to said Authorization Server S (after having addressed an authentication server separate from the Authorization Server S); the Authorization Server S determines the secret key KsA that it shares with this entity A; 2) Entity A declares to Authorization Server S its intention to communicate with a certain entity B; the Authorization Server S determines the secret key KsB that it shares with this entity B; 3) the authorization server S generates a session key KAB, and sends it to the entity A, encrypted by means of said secret key KsA 4) the authorization server S also generates a "ticket" T comprising at least said identifier ID ,, of the entity A and said session key KAB; Authorization Server S sends entity A CHECKA data resulting from the encryption of said ticket T by means of said secret key KsB; 5) the entity A decrypts the session key KAB by means of its secret key KsA, and sends to the entity B, on the one hand, the data CHECKA (as previously received by the entity A from the Authorization Server S), and on the other hand VA data resulting from the encryption, with the session key KAB, of a set of elements comprising at least its IDA identifier; and 6) the entity B decrypts the ticket T by means of its secret key KsB; the KAB session key then allows him to decrypt the IDA identifier of the entity A; Entity B verifies that this identifier is the same as that contained in the ticket T; if Entity B approves the transaction, it informs Entity A.

Entity A can then complete the transaction with Entity B. For example, if Entity B is a service provider, Entity A will be able to request a particular service, and obtain it, by exchanging with the entity B encrypted data by means of the session key KAB. As another example, if the entity B waits for a document from the entity A, the entity A can send to the entity B an original message accompanied by the "MAC" code of this original message obtained by means of the key K4B session (it is recalled in this regard that, conventionally, a message authentication code, called "Message Authentication Code", or "MAC", is a short value - usually a few tens of bits - deduced from the data contained in a message and a secret key shared between the sender and the receiver of the message using a cryptographic algorithm, by sending a message accompanied by its authentication code, the sender allows the receiver to verify that this data does not emanate from another entity and have not been altered between transmission and reception).

The Kerberos method therefore provides for the transmission of the session key, on the one hand, directly to the entity A, and on the other hand indirectly (via the entity A) to the entity B; the latter therefore does not need to communicate with the Authorization Server S to obtain this session key. The Kerberos method also advantageously enables entity B to verify the identity of entity A; this check prevents a phishing attack, in which an attacker would first identify himself under his true identity with the Authorization Server S, in order to obtain a transaction authorization from the latter, then under a Identity impersonated from Entity B (for example by impersonating the Bank of Entity B to obtain confidential banking information). However, the Kerberos process has the disadvantage that entity B is susceptible to flood attacks. Let's go back to step # 6 above: Entity B must, before it can identify an attack, perform two decryptions plus an equality check. Decryptions are computationally heavy operations, so an attacker can overwhelm entity B by repeatedly sending arbitrary CHECKA and SA data to it. Worse, an attacker could send to entity B CHECKA and (5A data that the attacker has previously read or intercepted during a transaction initiated by a legitimate A entity (replay attacks): in this case, the attacker not only floods Entity B, but also legitimate Entity A, which repeatedly receives confirmation messages from Entity B. In fact, "Version 5" of the Kerberos process protects legitimate A entities from attacks by flooding by recommending the insertion of a time stamp in the data item 8A, but this further increases the task of the entity B which must verify that the data (SA successive it receives from a certain entity A all have a time stamp The present invention thus relates to a method of secure communications in a telecommunications network, in which a transaction between an entity A e a entity B of said network comprises the following steps: a) the entity A sends to an Authorization Server S an authorization request in which the entity A identifies and authenticates itself as the holder of an identifier IDA; b) Entity A declares to Authorization Server S its intention to communicate with a certain Entity B; the Authorization Server S determines a secret key KSB that it shares with this entity B; and c) the Authorization Server S generates a session key KAB, N and sends it to the entity A. This method is notable in that said session key KAB, N is a one-way function of said secret key KSB and is also a function of an integer N, called transaction number, assigned to said transaction, and in that it further comprises the following steps: d) the Authorization Server S also generates a transaction identifier IDTRN, which is a function dependent at least on said non-invertible transaction number N, and sends to entity A said transaction identifier IDTRN; e) the entity A sends to the entity B elements comprising at least the transaction identifier IDTRN; and f) entity B at least verifies that the value of the received IDTRN transaction identifier is within a set of pre-calculated values corresponding to at least one expected value of the transaction number; if so, the entity B deduces first the current value of the transaction number N, and then the value of the session key KAB, N. It is clear that step b) is not necessarily subsequent to step a). Likewise, step d) is not necessarily subsequent to step c). It should be noted that the evaluation of the authenticity of the entity A can be carried out by any known means of authentication. In addition, it can be done by previously addressing an Authentication Server separate from the Authorization Server S (similar to the Kerberos method). It will also be noted that in practice, and for cryptographic separation purposes, it is not necessarily the (primary) session key KAB N that will be used for data encryption, but rather a key derived from K B N. For the sake of simplification, the keys 25 derived from a primary key will not be systematically explained, but, according to the state of the art, the derivation or diversification operation will be implicit when the same shared secret serves more than one cryptographic function.

According to the present invention, unlike the Kerberos method, the Authorization Server S provides, for each new transaction identified by its number N, the session key KAB.N to the entity A, but not to the entity B. Indeed, according to the invention, the entity B has means for calculating itself this session key from the secret key KSB that it shares with the Authorization Server S, and the current transaction number N , that the entity B determines after receiving the transaction identifier IDTRN. Thanks to the invention, the above-mentioned advantages of secure communication methods of the "Key Distribution Center" type can be used. In particular, it imposes a verification of any subscriber entity to the secure communications service before it is addressed to another subscriber entity, to provide security guarantees to the other entity. In addition, the invention advantageously eliminates the disadvantage of the Kerberos method, mentioned above, concerning the sensitivity of entity B to flooding attacks. According to the invention, the entity B calculates the value of the transaction identifier IDTRN for at least one value N of the transaction number, this value being provided to follow a value used in a previous transaction. The IDTRN transaction identifier is transmitted in clear from the entity A to the entity B, which requires modifying its value for each transaction. In view of the potential for disorder of arrival that may occur when several transactions have been initiated over a short period by one or more entity (ies) A for the same entity B, it is actually preferable that the entity B calculate the value of the transaction identifier IDTRN for a predetermined sequence of several values of the integer N, and that, after receiving a certain IDTRN transaction identifier, it identifies by scanning in this set of values of IDTRN which number of transaction N is the received transaction identifier. It is recalled in this respect that the value of IDTRN is a function dependent at least on the integer N in a non-invertible manner, so that it is not possible to calculate the value of the integer N from the value of IDTRN by inverting this function, or calculating any one of the values IDTRN + r (i> 0) by knowing all or part of the previous values IDTRN_ (j 0). Thanks to these provisions, the entity B easily detects an attack (that is to say in few calculation operations) when it finds that an alleged IDTRN transaction identifier received does not appear within said set pre-calculated values (as explained below, an attacker has a small chance of guessing an N transaction value acceptable at a given time by a given B entity, so that this attacker can not compute a value of IDTRN 15 acceptable, even if the IDTRN (N) function is made public). This protects the entities subscribed to the secure communications service against flood attacks. An additional advantage of the invention over the Kerberos method lies in the size (in number of bits) of the protocol messages. In fact, according to the Kerberos method, the entity A sends to the entity B the CHECKS data obtained by encrypting the ticket T; However, this ticket T is necessarily large because it includes, in particular, the K`lB session key. This can be problematic in the case of some architectures using an unconnected transport mode (for example, those using the SIP signaling protocol) in which the nominal size of the signaling messages sometimes prevents the insertion of large data. cut.

On the other hand, according to the present invention, the entity A advantageously does not have to send a representative of the session key KAB N to the entity B. Moreover, the IDTRN transaction identifier can be a function of modest size (typically a few bytes) while providing good cryptographic security. Note finally that, when the confidentiality of the exchanges between the Authorization Server S and the entity A is not ensured by the underlying transport protocol, the Authorization Server S sends to the entity A, when steps c) and d) above, said session key KAB, N and said preferably IDTRN transaction identifier encrypted by means of a secret key KS4 shared between the authorization server S and the entity A (or a key derived from this secret key KSA), similarly to the transmission of the session key K4B of the Authorization Server S to the entity A in the Kerberos process. In this case, during said step e) above, the entity A obviously uses its secret key KSA to decrypt the session key KAB N and the transaction identifier IDTRN. According to particular features, all or part of said elements sent by the entity A to the entity B during said step e) are protected in integrity. Thanks to these provisions, these elements are protected against any alteration; however, such tampering would cause the transaction to fail in most cases. This integrity protection can in particular be achieved by means of a MAC code. According to even more particular characteristics, this integrity protection is carried out by means of said session key KAB N or a key derived from this session key KAB, N.

With these provisions, entity B will be able to ensure that entity A has the session key KAB N associated with the current transaction. According to other particular characteristics, during said step d), the Authorization Server S sends in addition to the entity A a CHECKA N data item deduced, by means of a cryptographic function dependent on a secret key KsB, N derived from said secret key KsB and the transaction number N, from a set of elements derived from said authorization request.

Thanks to these provisions, Authorization Server S can prove to Entity B that it has authorized the transaction and indicate the information on which it relied to do so. According to still other particular characteristics, said elements sent by the entity A to the entity B during said step e) comprise a derived identifier ID'A of the entity A, identical or not to said IDA identifier. Thanks to these provisions, the entity B is informed of the derived identity ID'A of the entity A which initiated with it the transaction number N.

According to even more particular characteristics: said set of elements from which said data CHECKA N is deduced comprises said derived identifier ID'A of the entity A, said elements sent by the entity A to the entity B during said step e) also comprise said data CHECKA N, and - during said step f), the entity B checks, by means of said secret key KsB.N, the coherence between, on the one hand, the data CHECKA N, and on the other hand said elements comprising the ID'A derived identifier received from the entity A as briefly described above. Thanks to these provisions, entity B can verify that the entity A which is addressed to it has been authorized by the Authorization Server S under the same identity ID'A ("anti-phishing"). The mechanism used in this embodiment of the invention is therefore equivalent to the mechanism used in Kerberos by decryption of the ticket T. On the other hand, in Kerberos, the entity A knows the value of the ticket T and the result of the encryption of the ticket T by means of the secret key KsB; if entity A is dishonest (and has powerful computing means), it could deduce KsB, brute force or other cryptographic means (the encryption algorithm is usually public). The invention, in this embodiment, solves this problem because, if it is true that the entity A knows CHECKA N and the elements whose encryption produces CHECKA N, it would be of no use for it to deduce therefrom value of the secret key KsB, N, since it is impossible from this last to calculate the secret key "mother" KsB, or else KsB, N + 1 (or even the current transaction number N). It will further be noted that this quantity CHECKA N is, in contrast to the CHECKA quantity of the Kerberos process, of modest size since it does not necessarily result in the encryption of a secret key. Correlatively, the invention relates to various devices. It thus concerns, firstly, a device, called Authorization Server, for securing communications in a telecommunications network during a transaction between an entity A and an entity B, comprising means for: identifying and authenticating an entity A holder of an IDA identifier, - determining a secret key KSB that said Authorization Server S shares with an entity B with which the entity A declares its intention to communicate, - generating a session key KAB, N and the send to the entity A. The said device is remarkable in that, said session key KAB N being a one-way function of said secret key KSB and also being a function of an integer N, called a transaction number, assigned to said transaction, it further comprises means for: generating a transaction identifier IDTRN, which is a function dependent at least on said non-invertible transaction number N, and sent er to the entity A said IDTRN transaction identifier. It also concerns, secondly, a device, said entity A, of secure communications in a telecommunications network, comprising means for, during a transaction involving said entity A and an entity B: - identify and authenticate as the holder of an IDA identifier with an Authorization Server S, - declare to said Authorization Server S his intention to communicate with a certain entity B, and - receive from the Authorization Server S a key of session 25 Said device is remarkable in that, said session key KAB N being a one-way function of a secret key KSB shared by the Authorization Server S and the entity B and also being a function of an integer N called transaction number, assigned to said transaction, it further comprises means for: receiving from the Authorization Server S a transaction identifier IDTRN, which is a dependent function at least of said transaction number N in a non-invertible manner, and - send to the entity B elements comprising at least said IDTRN transaction identifier. It also concerns, thirdly, a device, said entity B, for secure communications in a telecommunications network, remarkable in that it comprises means for, during a transaction involving said entity B and an entity A: - to receive the part of the entity A of elements comprising at least one IDTRN transaction identifier, said IDTRN transaction identifier being an at least non-invertible dependent function of an integer N, called a transaction number, assigned to said transaction, - check that the value of the received IDTRN transaction identifier is included in a set of pre-calculated values corresponding to at least one expected value of the transaction number, - deduce from it the current value of an integer N , called transaction number, assigned to said transaction, and - deduce a session key KAB, N which is, on the one hand, a one-way function of a secret key KSB shared by the Authorization Server S and entity B, and secondly function of said transaction number N.

The invention also relates to a device combining the means of the last two devices described briefly above (that is to say that behave, depending on the circumstances, either as an entity A, or as an entity B).

The advantages offered by these devices are essentially the same as those offered by the correlative methods succinctly set forth above. Note that it is possible to implement the secure communications method according to the invention by means of software instructions and / or by means of electronic circuits. The invention therefore also relates to a computer program downloadable from a communication network and / or stored on a computer readable medium and / or executable by a microprocessor. This computer program is notable in that it includes instructions for implementing said means included in any of the secure communication devices described briefly above. The advantages offered by this computer program are essentially the same as those offered by said devices. Other aspects and advantages of the invention will appear on reading the detailed description below of particular embodiments, given by way of non-limiting examples. The description refers to the figures which accompany it, in which: FIG. 1 schematically represents a telecommunications network and the main entities to which the invention applies, and FIG. 2 schematically represents the steps of a method of secure communications according to an embodiment.

The system illustrated in FIG. 1 comprises at least three entities interconnected via a communication network, for example an Internet type network. The method is particularly advantageous in the case of an unconnected transport mode, but is also suitable for a connected transport mode.

Entities A and B subscribe to the same secure communications service. They each use, in a conventional manner, a terminal or a server capable of transmitting or receiving messages of any kind such as, for example, e-mails or telephone calls on fixed or mobile channels. It should be noted that, in the context of the present invention, the word "server" is, to simplify the disclosure, used to designate uniformly any type of computing device, and not only the computing devices conventionally referred to as "servers". .

In practice, the entity A can act as a server or relay for an entity A 'connected to A; likewise, the entity B can act as server or relay for a B 'entity connected to B. The entity S is an "Authorization Server" (which can, of course, be composed in practice of several physical servers) . It allows any subscriber A to address securely to any subscriber entity B; in addition, it protects the entity B against the reception of undesirable messages. Depending on the applications and deployment scenarios, the entity S may be independent of the application domains or networks to which the entities A and B belong, or the entity S may belong to the same application domain or network as the entity A and / or that the entity B. The Authorization Server S takes into account a sequence of integer values, called "transaction numbers", separately for each entity B subscribed to the secure communications service. The transaction number N is used to order the transactions. At the initialization of the method, the entities S and B agree on an initial transaction number No, which preferably varies from one entity B to another. Then, at each transaction, the transaction number N is modified according to an algorithm that can be public; for example, N can be incremented by 1 for each new transaction, but this algorithm can also vary from one B entity to another, in which case it must be included in the secrets shared by the S and B entities. , the transaction number is never transmitted in clear from one entity to another. Thanks to these provisions, it is impossible for an attacker to find the current value of the transaction number of an entity B. The transaction of the transaction number N must be authorized by the authorization server S, following a request from authorization issued by the entity A to S. The Authorization Server S responds to this authorization request by providing the entity A with the information necessary to contact the entity B. During each transaction, following An identification of the entity A, the Authorization Server S determines a long-term secret key KsA that it shares with this entity A. This long-term secret key KsA makes it possible to derive other secret keys that are used in need to ensure the integrity or confidentiality of messages exchanged between A and S. Similarly, there is a long-term shared secret KsB between S and B entities. This long-term secret key KsB allows to derive from other secret keys that are used as needed to ensure the integrity or confidentiality of messages exchanged (indirectly) between S and B. For any N number transaction, the S and B entities are capable of independently generating, using algorithms may be public: - an IDTRN transaction identifier, which must depend on at least N and be generated by means of an algorithm such that, if one or more IDTRN values previously received by the entity B are known, no can not deduce the current value of N, or a value IDTRN + r (i> 0); and the (primary) session key KAB, N used between the entities A and B for the current transaction; this session key must depend on at least N and KSB, and be generated by means of an algorithm such that, even if we know the value of KAB, N and the value of N, we can not deduce from it the value of KSB. In a conventional manner, the primary key of session (or transaction) KAB N makes it possible to derive other secret keys which are used as needed to ensure the integrity or the confidentiality of the messages exchanged between A and B. Figure 2 represents schematically the steps of an embodiment of the method according to the invention. In the present embodiment, it is assumed that an entity A, called the "sending client", wishes to send an "original message" MES to one or more entity (s) B, called "customer (s)". recipient (s). " The main steps of this embodiment will now be described. In a first step El, a new transaction is authenticated, and authorized, by an Authorization Server S.

More specifically, during a substep E11, the entity A initiates a transaction by sending a authorization request REQ to the Authorization Server S, with which it shares a secret key KSA. This REQ authorization request contains at least elements allowing Authorization Server S to authenticate entity A, these elements comprising at least one IDA identifier of this entity. The request REQ authorization may further contain: - information to identify the transaction between the entities A and S, - information characterizing the message MES or to identify the entity A or entity B, and a random value serving as a transaction indicator between A and S. Finally, when the integrity of the exchanges between A and S is not ensured by the underlying transport protocol, the authorization request REQ preferably contains a MAC code calculated on all or part of the aforementioned elements of the REQ request. To do this, use a secret key KS.A, MACI derived from the secret key KsA. It will also be noted, concerning the identities of the entities A and B, that: in certain cases, the entity A does not completely know the identity of the recipient client of its original message MES; this identity is then determined by the Authorization Server S; - in some cases, it is possible that, for reasons of anonymity, the IDA ID of Entity A is not revealed to Entity B, or Entity A requests Authorization Server S to present entity A to entity B under a "derived identifier" ID'A; and where appropriate, depending on the architecture under consideration, the identities of A or B may be replaced or supplemented by those of A 'or B' (see description of FIG. 1 above). During a substep E12, upon receipt of the authorization request REQ, the Authorization Server S decides, according to the information contained in this request, to authorize or not the transaction. If necessary, the Authorization Server S determines the identity of the or the client (s) recipient (s) B (or B '). If the transaction is authorized, the Authorization Server S transmits to the entity A, during a step E2, a response authorization RESP containing at least the session key KAB N and the transaction identifier IDTRN. Note that: - when the confidentiality of the exchanges between the Authorization Server S and the entity A is not ensured by the underlying transport protocol, the Authorization Server S sends the entity A the key KAB session, N preferably encrypted by means of said secret key KsA or a key derived from this secret key KsA; - the IDTRN transaction identifier can be passed in clear, but if an attacker was able to read its value, it could send to entity B one or more invalid messages before the entity A emits the legitimate message; to be able to detect such an attack, Entity B should carry out additional checks (since the value of the IDTRN transaction identifier would not be sufficient security), which would expose Entity B to a risk of attack by flood; also, in the case where the confidentiality of the exchanges between the Authorization Server S and the entity A is not ensured by the underlying transport protocol, the Authorization Server S sends to the entity A the preferably IDTRN transaction identifier encrypted by means of the secret key KsA or a secret key derived from this secret key KsA.

The RESP authorization response may further contain: - for verification purposes, a subset of the information contained in the REQ authorization request; in particular, if the latter contained a transaction witness, then this cookie should preferably be included in the RESP authorization response; and a CHECKA data item N deduced, by means of a cryptographic function dependent on a secret key KSB, N derived from said secret key Kse and the transaction number N, from a set of elements taken from the request of authorization REQ and, preferably, a randomly generated simultaneously, at each transaction, by the Authorization Server S and the entity B (this hazard prevents a malicious entity A to find the secret key KsB, N by inversion of the data CHECKA, N). Note that it is possible to envisage applications of the invention in which the entity A is allowed to remain anonymous with respect to the entity B; in this case, as possibly in other cases, the said elements taken from the REQ authorization request will not contain the IDA identifier of the entity A. In the opposite case, the Authorization Server S will preferably include the ID'A derived identifier of the entity A in the elements whose encryption provides the data CHECKA, N. Finally, when the integrity of the exchanges between A and S is not ensured by the underlying transport protocol, the authorization response RESP preferably contains a MAC code calculated on all or part of the aforementioned elements of the response. RESP. To do this, use a secret key KSA, MAC2 (equal or not to said secret key KsA, MACI) derived from the secret key KsA. In a step E3, the entity A receives the authorization response 20 RESP from the Authorization Server S, and sends an "authenticated message" AM to the entity B. More precisely, during a Sub-step E31, after receiving the RESP authorization response, the entity A verifies that: the verification information contained in the authorization response RESP corresponds to a REQ authorization request previously issued by the entity A, and - the MAC code using the secret key KSA, MAC2, if present, is valid.

If the checks are positive, during a substep E32, the entity A extracts from the authorization response RESP the session key KAB ,, v, the transaction identifier IDTRN, and, if applicable, the given CHECKA N. The entity A then sends to the entity B an "authenticated message" AM comprising the original message MES, the transaction identifier IDTRN, and, where appropriate, the data CHECKA, .N. When the integrity of the exchanges between A and B is not ensured by the underlying transport protocol, the authenticated message AM preferably contains a MAC code, 5.4, N calculated on all or part of the aforementioned elements of this AM message. To do this, the session key KAB N or a secret key KAB, N, MAC derived from the session key KAB, N will advantageously be used. In the case where the entity A is not authorized, or does not wish to remain anonymous with respect to the entity B, the entity A will include its derived identifier ID '4 in the authenticated message AM. This derived identifier ID '4 can of course also be included in said elements serving as a basis for computing the MAC code Ô'A, N. It will be noted that, in a variant (see, in particular, the architecture examples presented below), the authenticated message AM may be sent by an authorized entity other than the entity A itself, for example another network server, under reservation that this authorized entity has been identified in the information contained in the REQ authorization request. In a step E4, the entity B receives the authenticated message AM and determines the session key. More specifically, during a substep E41, after receiving an authenticated message AM, the entity B verifies that the received IDTRN element corresponds to an expected transaction identifier. Preferably, the entity B pre-calculates IDTRN values for a predetermined sequence of values of N, after the end of the previous transaction and therefore before receiving a new authenticated message AM.

If the received IDTRN value is valid, the entity B deduces the current value N from the transaction number, and retrieves or calculates the session key KAB.N, as well as, optionally, said secret key KSB, N and / or said secret key KAB, N.MAC associated with this transaction. Entity B then optionally verifies that: the information that the entity B has received is consistent with the MAC code b'A N (if present) and the session key KAB N or the secret key KAB, N, MAC, and / or - the information that the entity B has received is consistent with the data CHECKA N (Si present) and the secret key KsB, N.

In particular, the entity B checks, if necessary, by means of said secret key Ks8 N, the coherence between, on the one hand, the data CHECK.4, N and on the other hand said elements comprising the ID derivative ID Received from the entity A. Finally, if all the checks are positive, during a substep E42, the entity B extracts the original message MES from the authenticated message AM, and transmits, if necessary, this message. original MES to a recipient customer B '. We will now examine, as examples, various possible architectures for the implementation of the invention.

The first three examples apply to VoIP. VoIP services and networks are a particularly interesting application context, because in addition to strong security constraints, they also have real-time constraints, the number of deployed entities (currently several million in some networks), power terminals, as well as legal constraints that require the ability to intercept sensitive communications. This need for legal interceptions naturally militates for the control of session keys by a trusted entity (here the Authorization Server S), which could then be a proxy of a network operator. (a) Intra-domain VoIP Communications The client entities A and B, as well as the Authorization Server S belong to the network of the same operator. The Authorization Server S is a VoIP proxy of this network which conventionally has a shared secret with each of the client terminals, this secret having been established during the subscription phase to the service, and then checked during the registration phase. from the terminal to the network.

The authorization request sent by the entity A allows the Authorization Server S to authenticate it and determine the routing to reach the entity B. The call can then be established directly between the entities A and B without that it is necessary to establish a TLS connection between A and B to ensure the integrity and confidentiality of the signaling. The message AM corresponds to the INVITE request. (b) VolP Mode 1 Interconnections In this embodiment, the sending and receiving entities are located in two separate networks belonging to different operators; the sender domain is noted D-EXP and the destination domain D-DEST. Entity A is one of the outgoing proxies of the DEXP sender domain. Entity A serves several client terminals A 'of the D-EXP domain or A' sending servers in the same domain, or in a third domain when the client terminal is in a mobility situation. The Authorization Server S is one of the incoming proxies of the destination domain D-DEST. The Authorization Server S protects and serves one or more entities B that may belong to the destination domain D-DEST or to third-party domains. Entity B can correspond directly to the destination client terminal. Alternatively, the entity B may correspond to a receiving server, belonging to the recipient domain D-DEST or a third domain, in which case the real recipient client terminal corresponds to the entity B '. In the authorization request, the entity A references the destination entity B via one or more network, transport or application level identifiers such as the network address of the entity B, the domain name to which the entity belongs. entity B, a SIP_URI or Tel_URI designating the destination client entity. Similarly, the entity A identifies itself by one or more network, transport or application level identifiers such as its network address, or the domain name to which it belongs, or a SIP_URI or Tel_URI designating the sending client entity.

Performing the number N transaction allows A and B to share the KAB N session primary key. This session key authenticates the INVITE call setup message. In addition, it can also be used to authenticate the other phases of the call (CANCEL requests, ACK, BYE or associated responses). It can also be used to derive secondary keys for media stream encryption. The REQ authorization request and the RESP authorization response are exchanged between a sending server and a destination server, whereas the AM message is sent by a sending or sending server to a receiving server. (c) Mode 2 VoIP Interconnections As above, the sending and receiving entities are located in two separate networks denoted D-EXP and D-DEST. Entity A is a client terminal of the D-EXP domain or a sender server of the sender domain or a third domain. If the entity A is a sending server, then the real sending client corresponds to an entity A '.

Authorization Server S is one of the outgoing proxies of the sending domain D-EXP, that is to say a sender server. The Authorization Server S serves the entities A of the sender domain or third-party domains, and authorizes the communications with the destination domain.

Entity B is one of the incoming proxies of the destination domain DDEST. This entity serves and protects entities B 'which are either directly client terminals or receiving servers belonging to the destination domain or to third-party domains. The REQ authorization request and the RESP authorization response are exchanged in the sender domain or between the sender domain and the sender domain, while the AM message is sent by a client entity or sender server to the recipient server. (d) IM e-mail or instant message sending The architecture is similar to that for VoIP interconnects (mode 1 or mode 2) with respect to entities A, A ', S, B, and B' . The identifiers used in the transaction request to designate the entities A or A '(respectively B or B') are e-mail addresses, IM addresses or domain names.

Performing the number N transaction allows A and B to share the primary session key K, 4B, N. This session key is used to authenticate and ensure the integrity of the e-mail or IM message sent from A to B. (e) Secured connection establishment Entity A sends an authorization request to the Authorization Server S which protects access to Entity B with which Entity A wants to communicate. The authorization request includes the identifiers of the entities A and B, in the form of network or transport addresses, or application addresses with respect to the service in question. Performing the number N transaction allows A and B to share the primary session key Kl4B N. This session key is then used to establish a secure connection (IPSec, TLS, DTLS, ...) between the A and B entities. (F) Application to a DNS / ENUM type service The principle here is to apply the method according to the invention to a connection service, where the Authorization Server S is a DNS or ENUM type server in the case of VoIP applications. This avoids attacks in which a calling VoIP entity claims a telephone number that is not assigned to its network or application domain. In this case of application, the entity A is one of the outgoing proxies of the "domainel" domain and has a secret shared with the Authorization Server S. Before issuing a call to the entity B , the entity A sends an authorization request to the Authorization Server S to authenticate the caller and obtain a secret call key to B.

Authorization Server S is a DNS / ENUM server that has shared secrets KsA, KsB with a number of domains, via a prior linking phase. Authorization Server S acts as a trusted third party.

Entity B is one of the incoming proxies of domain "domain2" and has a shared secret with Authorization Server S. The completion of the transaction allows Entity B to verify that the identifier of caller presented by the entity A in the INVITE request has been authenticated by the Authorization Server S. It also allows the entities A and B to have a shared secret KAB, N that can be used to protect the continuation of the exchange or media streams. The implementation of the invention within the nodes of the telecommunications network (in particular, the terminals or servers of entities such as A or B subscribed to the secure communications service according to the invention, or the Authorization Server S) can be realized by means of software and / or hardware components. The software components can be integrated into a typical network node management computer program. Therefore, as indicated above, the present invention also relates to a computer system. This computer system conventionally comprises a central processing unit controlling signals by a memory, as well as an input unit and an output unit. In addition, this computer system can be used to execute a computer program comprising instructions for implementing the secure communications method according to the invention. Indeed, the invention also relates to a downloadable computer program from a communication network comprising instructions for performing at least some of the steps of a secure communications method according to the invention, when it is executed on a computer. This computer program may be stored on a computer readable medium and may be executable by a microprocessor. This program can use any programming language, and be in the form of source code, object code, or intermediate code between source code and object code, such as in a partially compiled form, or in any another desirable form. The invention is also directed to a computer-readable information carrier having instructions of a computer program as mentioned above. The information carrier may be any entity or device capable of storing the program. For example, the medium may comprise storage means, such as a ROM, for example a CD-ROM or a microelectronic circuit ROM, or a magnetic recording medium, for example a diskette ("floppy disc"). English) or a hard drive. On the other hand, the information medium may be a transmissible medium such as an electrical or optical signal, which may be routed via an electrical or optical cable, by radio or by other means. The computer program according to the invention can in particular be downloaded to an Internet type network. Alternatively, the information carrier may be an integrated circuit in which the program is incorporated, the circuit being adapted for use in a secure communications device according to the invention.

Claims (12)

REVENDICATIONS1. A method of secure communications in a telecommunications network, wherein a transaction between an entity A and a B entity of said network comprises the following steps: a) the entity A sends to an Authorization Server S an authorization request (REQ ) in which entity A identifies and authenticates itself as the holder of an IDA ID; b) Entity A declares to Authorization Server S its intention to communicate with a certain Entity B; the Authorization Server S determines a secret key KSB that it shares with this entity B; and c) the Authorization Server S generates a session key KAB, N and sends it to the entity A; said method being characterized in that said session key KAB, N is a one-way function of said secret key KSB and is also a function of an integer N, called a transaction number, assigned to said transaction, and that it further comprises the following steps: d) Authorization Server S also generates a transaction identifier IDTRN, which is a function at least dependent on said transaction number N in a non-invertible manner, and sends to the entity A said IDTRN transaction identifier; e) the entity A sends to the entity B elements comprising at least the transaction identifier IDTRN; and f) Entity B at least verifies that the value of the received IDTRN transaction identifier is within a set of pre-calculated values corresponding to at least one expected value of the transaction number; if so, the entity B deduces first the current value of the transaction number N, and then the value of the session key KAB N. 2. secure communication method according to claim 1, characterized in that all or part of said elements sent by the entity A to the entity B during said step e) are protected in integrity. 3. secure communication method according to claim 2, characterized in that this integrity protection is performed by means of said session key K4B N or a key derived from this session key KAB, N. 4. secure communication method according to any one of claims 1 to 3, characterized in that, in said step d), the Authorization Server S further sends to the entity A a data item CHECKA N deduced, by means of a cryptographic function dependent on a secret key KsB, N derived from said secret key KsB and the transaction number N, of a set of elements derived from said authorization request (REQ). 5. secure communication method according to any one of claims 1 to 4, characterized in that said elements sent by the entity A to the entity B during said step e) comprise a derived identifier ID'A of the entity A, identical or not to said identifier ID4. 6. Secure communication method according to claim 4 and claim 5, characterized in that: said set of elements from which said data CHECKA N is deduced comprises said derived ID'A identifier of the entity A, said elements sent by the entity A to the entity B during said step e) also comprise said data CHECK4 N, and - during said step f), the entity B checks, by means of said secret key KsB.N, the coherence between, on the one hand, the data CHECKA N, and on the other hand said elements comprising the derived identifier ID 'a received from the entity A according to claim 5. 7. Device, called Authorization Server, for securing communications in a telecommunications network during a transaction between an entity A and an entity B, comprising means for: identifying and authenticating an entity A holding an identifier ID4, - determining a secret key KsB that said Authorization Server S shares with an entity B with which the entity A declares its intention to communicate, - generating a session key KAB, N and sending it to the entity A characterized in that, said session key KAB N being a one-way function of said secret key KsB and also being a function of an integer N, called transaction number, assigned to said transaction, it further comprises means for generating a transaction identifier IDTRN, which is a function dependent at least on said transaction number N in a non-invertible manner, and sending to the entity A said IDTRN transaction identifier. 8. Device, said entity A, of secure communications in a telecommunications network, comprising means for, during a transaction involving said entity A and an entity B: - identify and authenticate as the holder of a identifier IDA with an Authorization Server S, - declare to said Authorization Server S its intention to communicate with a certain entity B, and - receive from the Authorization Server S a session key KAB, N characterized in that, said session key KAB N being a one-way function of a secret key KSB shared by the Authorization Server S and the entity B and also being a function of an integer N, called the transaction number, assigned to said transaction, it further comprises means for: - receiving from the Authorization Server S a transaction identifier IDTRN, which is a function dependent at least on said transaction number N in a non-invertible manner , and - send to the entity B elements comprising at least said IDTRN transaction identifier. 9. Device, said entity B, for secure communications in a telecommunications network, characterized in that it comprises means for, during a transaction involving said entity B and an entity A: - receive from the entity A elements comprising at least one transaction identifier IDTRN, said IDTRN transaction identifier being an at least non-invertible dependent function of an integer N, called transaction number, assigned to said transaction, - check the value of the received IDTRN transaction identifier is included in a set of pre-calculated values corresponding to at least one expected value of the transaction number, - deducing from it the current value of an integer N, called the number of transaction, assigned to said transaction, and - deriving a session key KAB, N which is, on the one hand, a one-way function of a secret key KSB shared by the Authorization Server S and the B, and secondly according to said transaction number N. 10. Device for secure communications in a telecommunications network, characterized in that it comprises means according to claim 8 and according to claim 9. An immovable, or partially removable, or removable data storage means having computer program code instructions for implementing said means included in a secure communications device according to any one of claims 7 to 10. Computer program downloadable from a communication network and / or stored on a computer readable medium and / or executable by a microprocessor, characterized in that it comprises instructions for the implementation of said means included in a secure communication device according to one of claims 7 to 10.