FR3057122A1 - METHOD AND DEVICE FOR DETECTING INTRUSIONS ON A NETWORK USING A HOMOMORPHIC ENCRYPTION ALGORITHM - Google Patents

Abstract

The intrusion detection method comprises: receiving from a security device (RG 6) having access to at least one intrusion detection rule comprising at least one regular expression established from at least one signature, at least one function describing the expression that can be evaluated by means of a homomorphic evaluation function of a homomorphic encryption algorithm, and an encryption of each signature by an encryption procedure of the homomorphic algorithm and a public key of the security device; - Receiving from a transmitter (TX 2) a T encrypted content derived from a message obtained by symmetric encryption by means of a secret key; obtaining an encryption T 'of the encryption T and an encryption S of the secret key corresponding to the encryption procedure of the homomorphic algorithm and the public key of the security device; the evaluation of a symmetric decryption on the encrypted T 'by the homomorphic evaluation function with the encrypted S, providing an encrypted V of the message; evaluating said at least one function describing said at least one regular expression on the encrypted V with the encrypted signatures, providing an encryption of a detection result; and the detection of an intrusion if the decrypted result indicates the existence of a regular expression corresponding to the message.

Description

© Publication number: 3,057,122 (to be used only for reproduction orders) (© National registration number: 16 59537 ® FRENCH REPUBLIC

NATIONAL INSTITUTE OF INDUSTRIAL PROPERTY

COURBEVOIE © IntCI ⁸

H 04 L 9/28 (2017.01), H 04 L 29/06

A1 PATENT APPLICATION

©) Date of filing: 03.10.16. (© Applicant (s): ORANGE Société anonyme - FR. (30) Priority: @ Inventor (s): CANARD SEBASTIEN, DIOP AIDA, KHEIR NIZAR and PAINDAVOINE MARIE. (43 / Date of public availability of the request: 06.04.18 Bulletin 18/14. (© List of documents cited in the report of preliminary research: Refer to end of present booklet (© References to other national documents ©) Holder (s): ORANGE Société anonyme. related: ©) Extension request (s): © Agent (s): CABINET BEAU DE LOMENIE.

METHOD AND DEVICE FOR DETECTING INTRUSIONS ON A NETWORK USING A HOMOMORPHIC ENCRYPTION ALGORITHM.

FR 3 057 122 - A1

The intrusion detection method includes:

- reception from a security device (RG 6) having access to at least one intrusion detection rule comprising at least one regular expression established from at least one signature, from at least one function describing the expression can be evaluated by means of a homomorphic evaluation function of a homomorphic encryption algorithm, and of an encryption of each signature by an encryption procedure of the homomorphic algorithm and a public key of the security device;

the reception from an emitter (TX 2) of an encrypted T of content derived from a message obtained by symmetric encryption using a secret key;

- obtaining an encrypted T 'encrypted T and an encrypted S of the secret key corresponding to the encryption procedure of the homomorphic algorithm and the public key of the security device;

- the evaluation of a symmetric decryption on the encrypted T 'by the homomorphic evaluation function with the encrypted S, providing an encrypted V of the message;

the evaluation of said at least one function describing said at least one regular expression on the encrypted V with the encrypted signatures, providing an encrypted result of detection; and

- the detection of an intrusion if the deciphered result indicates the existence of a regular expression corresponding to the message.

Invention background

The invention relates to the general field of telecommunications.

It relates more particularly to the detection of intrusions on a telecommunications network via which a transmitting device and a receiving device exchange encrypted traffic.

As is known, the SSL (Secure Sockets Layer) protocols, and more recently TLS (Transport Layer Security), are security protocols commonly used on networks such as for example on the public Internet network by the HTTPS protocol (HyperText Transfer Protocol Secure ) to ensure the confidentiality of exchanges. These protocols make it possible to protect any sensitive data shared by various devices on the network, by encrypting the exchanges between these devices. Unfortunately, this encryption renders existing intrusion detection techniques powerless, which are unable to inspect the encrypted traffic exchanged on the network.

In fact, intrusion detection and protection systems (also commonly designated by IDS (Intrusion Detection Systems) and IPS (Intrusion Protection Systems)) are conventionally configured to monitor traffic exchanged on the network and identify signatures or behaviors characteristics in this traffic associated with various threats likely to affect the network, such as for example the intrusion of malware or malware, the leakage of sensitive data, attacks perpetrated against the network, etc. To this end, these systems implement a deep packet inspection more commonly known as DPI (for Deep Packet Inspection in English), which consists in analyzing the content of a network packet (eg IP packet) and not only its header, and compare this content with signatures (or "patterns" or keywords in English) characteristic of known attack scenarios. Such a comparison can be made via simple equality tests or by using more complete regular expressions derived from these signatures. We then speak of "full IDS" systems. These signatures or keywords, and if necessary the regular expressions, are determined and provided by security editors or other open source software (ie "open source"), which compete between them to offer an up-to-date catalog of signatures covering the widest range of attacks possible, knowing that new attacks appear every day.

The common point of these IDS systems is that they are based on the analysis of communications transmitted in clear on the network in order to be able to compare the content of these communications with the signatures pre-established by the security editors. The use on the network of security procedures such as SSL or TLS therefore makes it impossible to use these systems as they are, so that information systems that rely on encrypted exchanges on the network are vulnerable numerous cyber attacks.

To get around this limitation, many security vendors offer applications that behave in an insecure manner by positioning themselves as "man-in-the-middle" over an SSL / TLS connection. connecting a transmitting device to a receiving device, so as to intercept communications between these two devices. This interception is implemented through the use of false certificates of trust which make it possible to break the end-to-end encryption used between the two devices and to access the content in the clear of their exchange.

While such a solution is satisfactory from the point of view of intrusion detection, it nonetheless poses ethical, legal and privacy and user protection problems, so that several web browsers today 'hui come with plug-ins that detect and revoke false certificates of trust used by IDS systems.

It has long been considered that it was not possible to simultaneously satisfy the two network security conditions in terms of surveillance and detection of intrusions, and guaranteeing the privacy of users by encrypting their communications .

J. Sherry et al., In the document entitled “BlindBox: Deep Packet Inspection over Encrypted Traffic”, SIGCOMM'15, August 17-21, 2015, propose an encrypted traffic inspection technique using advanced encryption protocols. This technique makes it possible to detect attacks perpetrated on encrypted traffic via an IDS proxy being cut off from traffic (also known as “middlebox” in English). It relies on the clear text provided by the security publisher of the keywords to search for in traffic and the encryption by the IDS proxy of these keywords in advance of each encrypted connection (eg each SSL connection) implementation between a transmitting device and a receiving device. The IDS proxy then compares the encrypted keywords via equality tests with the traffic exchanged between the sending device and the receiving device. If a match is detected, traffic is considered suspicious, and various actions can therefore be taken, such as sending a notification to the network administrator, deleting the packet identified as suspicious, stopping the connection between the sending device and the receiving device, etc. The BlindBox solution also provides an embodiment in which, when a suspicious packet is identified, this packet is decrypted by the IDS proxy to apply a conventional IDS procedure to it. It is then possible for the IDS proxy during this procedure to perform simple equality tests on the plaintext using keywords, but also to search in the plaintext for more complex regular expressions constructed from the words- keys.

The BlindBox solution proposed by Sherry et al. however has various major drawbacks.

First, it is incompatible with the rules imposed today by the ecosystem in which security vendors and IDS systems participate. In fact, as mentioned above, the BlindBox solution requires that all of the keywords and detection rules (eg combination of several keywords and / or regular expressions) offered by the security editor be accessible in clear by the IDS proxy so that it can encrypt them, and therefore more generally, by each IDS proxy present in the network. If this constraint is not one from a theoretical point of view, it is not at all in line with the practices in the field of security editors, for obvious economic reasons, the bases of keywords and other rules of detection constituting the added value of security editors. Consequently, although theoretically conceivable, the solution proposed by Sherry et al. is not applicable in practice in a network.

In addition, the BlindBox solution requires that all of the keywords be encrypted at each connection between a sending device and a receiving device processed by the IDS proxy (typically, at each SSL / TLS connection). The time required for this encryption can be considerable since it is directly proportional to the number of keywords to be taken into account, which can easily reach a few hundred or even a few thousand keywords. In addition, the encrypted keywords for each connection must be stored in memory for the duration of the connection. The memory space required for this purpose must therefore be proportional to the number of keywords to be considered, on the one hand, and the number of simultaneous connections that can be inspected by the IDS proxy, on the other. It is therefore clear that the use of the BlindBox solution can only be envisaged under limited network conditions.

Furthermore, the approach adopted by BlindBox only offers a "full IDS" solution at the cost of decrypting the data from a packet identified as suspect. Even if the decryption of the data exchanged between the sending device and the receiving device is not systematic, this nevertheless constitutes an attack on the confidentiality of their exchanges.

Subject and summary of the invention

The invention overcomes these drawbacks by proposing a method of detecting intrusions on a network via which are able to communicate a transmitting device and a receiving device using a symmetric encryption / decryption algorithm parameterized by a secret encryption key. shared between the sending device and the receiving device, this detection method being intended to be implemented by an intrusion detection device and comprising:

A reception step, coming from a security device having access to at least one detection rule of at least one intrusion likely to affect the network, said at least one detection rule comprising a regular expression established from at least one signature characteristic of said at least one intrusion:

o at least one function describing said at least one regular expression and which can be evaluated by means of a homomorphic evaluation function of a homomorphic encryption algorithm; and o of an encryption of each signature characteristic of said at least one intrusion, obtained by applying an encryption procedure of said homomorphic encryption algorithm parameterized by a public encryption key of the security device;

A step of reception, from the device sending an encrypted T of content derived from a message intended for the receiving device, this encrypted T having been obtained by using an encryption procedure of the encryption / decryption algorithm symmetrical configured by said secret encryption key;

A step for obtaining an encrypted T 'of the encrypted T and an encrypted S of the secret encryption key, the encrypted T' and S corresponding to the application on the encrypted T and on the secret encryption key the encryption procedure of said homomorphic encryption algorithm configured by the public encryption key of the security device;

A first step of evaluating a decryption procedure for the symmetric encryption / decryption algorithm on the encrypted T using said homomorphic evaluation function of said homomorphic encryption algorithm and the encrypted S of the secret encryption key, this first evaluation step providing an encrypted V of the message intended for the receiving device by the encryption procedure of said homomorphic encryption algorithm parameterized by the public encryption key of the security device;

A second step of evaluating said at least one function describing said at least one regular expression on the encryption V of the message using the encryption of the signatures, this second evaluation step providing an encryption of a detection result indicating l 'existence or not of a said regular expression corresponding to the message; and a step of detecting an intrusion on the network if the decrypted detection result indicates that there is at least one said regular expression corresponding to the message.

Correlatively, the invention also relates to a device for detecting intrusions on a network via which are able to communicate a transmitting device and a receiving device using a symmetric encryption / decryption algorithm parameterized by a secret encryption key shared between the device transmitter and the receiver device, said detection device being intended to be located between the transmitter device and the receiver device and comprising:

A first reception module, capable of receiving from a security device having access to at least one rule for detecting at least one intrusion liable to affect the network, said at least one detection rule comprising an expression regular established from at least one signature characteristic of said at least one intrusion:

o at least one function describing said at least one regular expression and which can be evaluated by means of a homomorphic evaluation function of a homomorphic encryption algorithm; and o an encryption of each signature characteristic of said at least one intrusion, obtained by applying an encryption procedure of said homomorphic encryption algorithm parameterized by a public encryption key of the security device;

A second reception module, capable of receiving from the sending device an encrypted T of content derived from a message intended for the receiving device, this encrypted T having been obtained using an encryption procedure of the encryption algorithm / symmetric decryption configured by said secret encryption key;

A module for obtaining an encrypted T 'of the encrypted T and an encrypted S of the secret encryption key, the encrypted T' and S corresponding to the application on the encrypted T and on the secret encryption key the encryption procedure of said homomorphic encryption algorithm configured by the public encryption key of the security device;

A first module for evaluating a decryption procedure for the symmetric encryption / decryption algorithm on the encrypted T configured to use said homomorphic evaluation function of said homomorphic encryption algorithm and the encrypted S of the secret encryption key , this first evaluation module being further configured to provide an encrypted V of the message intended for the receiving device by the encryption procedure of said homomorphic encryption algorithm parameterized by the public encryption key of the security device;

A second evaluation module configured to evaluate said at least one function describing said at least one regular expression on the encrypted V of the message using the encrypted signatures, this second evaluation module being further configured to provide an encrypted d 'a detection result indicating the existence or not of a said regular expression corresponding to the message; and an intrusion detection module on the activated network if the decrypted detection result indicates that there is at least one said regular expression corresponding to the message.

It is noted that no limitation is attached to the way an intrusion detected by the intrusion detection device is treated. The detection of such an intrusion can thus, for example, only be the subject of a notification sent by the intrusion detection device to the network administrator, or trigger a corrective action, such as for example the rejection of the message examined. , the interruption of the connection between the sending device and the receiving device, etc.

The invention thus proposes a new approach allowing the encryption of a communication between a sending device and a receiving device while keeping possible intrusion detection on the network of DPI type (ie Deep Packet Inspection or deep packet inspection) by an intermediate device or “middlebox” located between the sending device and the receiving device (intrusion detection device within the meaning of the invention). In other words, the invention offers the possibility of ensuring network security while guaranteeing users of this network respect for the confidentiality of their exchanges.

This approach is based on the use of a homomorphic encryption algorithm which complements the symmetric encryption / decryption algorithm used between the sending device and the receiving device (eg symmetric encryption algorithm used during SSL connections / TLS). The homomorphic encryption algorithm advantageously makes it possible to search for regular expressions directly in the encrypted traffic exchanged between the sending device and the receiving device, these regular expressions being derived from signatures (or keywords) characteristic of intrusions and defined. by a security editor (security device within the meaning of the invention). The intrusion detection scheme proposed by the invention is therefore "full IDS" and very effective. It does not require any decryption for this, even partial, of the data exchanged between the sending device and the receiving device, unlike the BlindBox solution.

Indeed, a homomorphic encryption algorithm is conventionally defined by a cryptographic key generation algorithm, an encryption procedure noted here ENC and a decryption procedure noted here DEC, as well as by a homomorphic evaluation function, noted here HOM. This homomorphic evaluation function HOM takes as input a number of ciphers cl, c2, ..., cN, N designating an integer greater than 1, obtained by means of the encryption procedure ENC as well as a function f which presents itself in a form which can be evaluated by the homomorphic evaluation function, for example in the form of an arithmetic circuit. The HOM function then delivers as an output the result of the application of the function f on the figures cl, c2, ..., cN (we then say that the homomorphic evaluation function HOM "evaluates" the function f on the figures cl, c2, ..., cN). By abuse of notation, we note that the homomorphic evaluation function HOM verifies the following relation:

H0M (cl, .... cN-.f) = f (cl, ..., cN) = ENC (f (ml, .... mNfpk ') where ci = ENC (mi) for i = l, ..., N, mi designating a message which, once encrypted by the ENC encryption procedure parameterized by the public key pk, gives the encrypted ci. The abuse of notation comes here from the fact that it is not exactly the same function f which is applied on the plain text messages ml, ..., mN and on the encrypted messages cl, ..., cN Indeed, as mentioned above and in a manner known per se, the function of homomorphic evaluation imposes certain constraints on the form of the function f to be able to evaluate it on the figures cl, ..., cN, constraints which are not necessary to apply this function to the messages in clear. In the strict sense of the term, one therefore has two functions f and f 'applied respectively to the encrypted numbers and to the plain text messages. However, for the sake of simplification in the following description, and to facilitate understanding of the invention, we consider an un ique notation f to designate this function and one understands by evaluation of a function f by the homomorphic evaluation function, the evaluation of the function f in its transformed form. Thus, by way of example, and by abuse of language, the term “evaluation of the deciphering procedure” is understood to mean the evaluation of this deciphering procedure in a form possibly transformed and evaluable by the homomorphic evaluation function.

The homomorphic evaluation function HOM therefore makes it possible to carry out all kinds of operations on ciphers resulting from the ENC encryption procedure. Typically in accordance with the invention, it makes it possible to evaluate on the one hand, the symmetric decryption algorithm corresponding to the symmetric encryption algorithm used to encrypt the clear data exchanged between the sending device and the receiving device, and d 'on the other hand, functions describing the regular expressions to look for in encrypted traffic. By exploiting this property of the homomorphic evaluation function HOM, the invention allows the intrusion detection device to manipulate the encrypted data exchanged between the sending and receiving device without never accessing the data in clear, and to operate a search for regular expressions derived by the security editor from the signatures characteristic of intrusions on the network.

More particularly, and schematically, in accordance with the invention, the clear data exchanged between the transmitting device and the receiving device are encapsulated in two hermetic boxes (that is to say locked relative to each other ), nested one inside the other: the “internal” box results from the encryption of the data in clear using the symmetric encryption algorithm used by the transmitting and receiving devices (giving an encrypted T), and the box “ external ”results from the encryption by the encryption procedure of the homomorphic algorithm of the encrypted T thus obtained (giving an encrypted T '). Then, the invention somehow manipulates the data contained in these boxes to carry out DPI detection on the encrypted data by exploiting twice the properties of the homomorphic evaluation function:

- a first time to remove the internal symmetric encryption layer. This is achieved by evaluating by means of the homomorphic evaluation function HOM the symmetric decryption algorithm on the cipher T '. We thus decipher in a way what is inside the external box, without however directly accessing the data and clear, since the result of this first evaluation is an encrypted V of the data in clear via the encryption procedure homomorphic;

- then a second time, to search in encrypted V for the regular expressions specified by the security editor and defined from the encrypted signatures characteristic of intrusions. This search is permitted via the evaluation by means of the homomorphic evaluation function of the regular expressions or more particularly of an appropriate description of each of the regular expressions supplied to the intrusion detection device and capable of being evaluated by the function d homomorphic evaluation. Such a description is typically an arithmetic circuit (or boolean circuit), provided by the security device for one or more regular expressions intended to be sought in the encrypted traffic exchanged between the sending device and the receiving device. Thanks to this description in the form of an arithmetic circuit, the invention makes it possible not to be limited to simple equality tests but to be able to search in the encrypted traffic exchanged between the sending device and the receiving device for more complexes defined from the signatures characteristic of intrusions.

It is noted that the result of the second application of the homomorphic evaluation function is by definition an encryption of a result of the detection operated by the intrusion detection device. Its decryption makes it possible to detect whether a regular expression specified by the security editor has been detected in the data exchanged between the sending device and the receiving device and as a corollary, to detect the presence or not of an intrusion on the network.

This decryption can be carried out either by the intrusion device itself. Thus, for example, in a particular embodiment, the detection method further comprises:

A step of obtaining a private decryption key associated with the public encryption key of the security device and stored in a hardware security module (or HSM for Hardware Security Module); and a step of decrypting the encryption of the detection result using the decryption procedure of the homomorphic encryption algorithm configured by this private decryption key.

This makes it possible to make the intrusion detection device autonomous with respect to the security device during the final step of intrusion detection. However, this embodiment requires that the security device “deliver” its private decryption key to the intrusion detection device. The use of a hardware security module to store the private key for decrypting the security device makes it possible to secure this solution.

In another embodiment, the intrusion detection method is interactive and further comprises:

A step of transmitting the encrypted detection result to the security device for decryption using a decryption procedure of said homomorphic encryption algorithm configured by a private decryption key associated with the public encryption key of the security device; and - a step of receiving the decrypted detection result from the security device.

In this embodiment, it is not necessary for the security device to supply its secret key to the intrusion detection device. However, this interactive embodiment requires that, during the detection of intrusions implemented by the intrusion detection device, the security device be accessible by the latter.

As mentioned, the invention therefore makes it possible to carry out a DPI full IDS type detection on the network without at any time compromising the confidentiality of the exchanges between the sending device and the receiving device. Furthermore, for this purpose, only the structure of regular expressions is provided by the security device to the intrusion detection device, the signatures characteristic of intrusions being delivered to the latter only in encrypted form. The use of a homomorphic encryption algorithm as proposed by the invention therefore advantageously allows the security editor to keep secrets with respect to the intrusion detection device the signatures that it has established for the detection of intrusions. The approach proposed by the invention is therefore perfectly compatible with the existing economic models of security editors: no signature is provided in plain text by the security editor to the intrusion detection device.

In addition, since the encrypted signatures characteristic of intrusions are encrypted using the public key of the security device, they need only be generated and transmitted once to the intrusion detection device, for example during an initialization step, due to their independence from the transmitting and receiving devices. They can then be used by the intrusion detection device to manage several simultaneous or successive connections between different transmitting and receiving devices. The same is true for the description of regular expressions. This therefore results in a simplified implementation of the fuli IDS DPI detection proposed by the invention, and a substantial gain in terms of complexity compared to the BlindBox solution which requires encryption of the keywords by the IDS proxy at each new connection between a transmitting device and a receiving device.

The invention also offers the possibility of easily and quickly taking into account an update of signatures and regular expressions by the security editor, for example due to the appearance of new types of intrusions liable to affect the network.

In a particular embodiment, the content derived from the message consists of the message intended for the receiving device or of a concatenation of this message and of a known hazard of the security device and of the intrusion detection device.

Furthermore, in an embodiment in which the content derived from the message consists of a concatenation of the message and a known hazard of the security device and of the intrusion detection device, the first evaluation step can provide in addition an encrypted V ′ of the hazard by the encryption procedure of the homomorphic encryption algorithm parameterized by the public encryption key of the security device, the detection method then further comprising a step of transmitting said encrypted V ′ from the hazard to the safety device for verification.

This verification of the hazard carried out by the security device forces the sending device to correctly encrypt the message sent to the receiving device and the hazard under penalty of being "unmasked". This embodiment thus makes it possible to apply the invention not only in a context where the sending device and the receiving device are honest that in a context where at least one of these devices is "dishonest", it is that is, it can be the source of the intrusion perpetrated on the network (voluntarily or involuntarily) or collaborate with the entity responsible for this intrusion. This corresponds, for example, to a case where a transmitting device, the control of which has been taken by an attacker, transmits sensitive data which is received and awaited by the receiving device. Such a context is of paramount importance since we see today that most of the attacks come from the information systems themselves, via malware that takes control of the terminals of the information systems. As a result, both the sending device and the receiving device can be fairly easily corrupted by a malicious remote entity that can take complete or partial control of it (for example, an infected victim terminal can leak sensitive data to its master software via such a takeover). However, we will limit ourselves here to the case where, when the two devices are “dishonest” independently of each other, that is to say that no prior agreement has been concluded between them (for example to transmit sensitive data in a specific way by cutting and transmitting that data in such a way that the method would be ineffective in detecting how the data leak was operated). On the contrary, the approach proposed in the document by J. Sherry et al. does not manage a situation in which the sending and receiving devices are both dishonest independently of each other.

According to the invention, the evaluation of the symmetric decryption algorithm via the homomorphic evaluation function requires the supply to this evaluation function of an encrypted (ie the encrypted T '), but also of an encrypted S of the secret encryption key used during symmetric encryption, generated using the encryption procedure of the homomorphic encryption algorithm configured by the public encryption key of the security device.

In a particular embodiment, the encrypted S of the secret encryption key is obtained from the transmitting device.

This embodiment is particularly simple to implement, the transmitting device having the secret key.

However, in this embodiment, the secret key being encrypted by means of the public encryption key of the security device, nothing prevents a security device that is a little too curious from accessing the secret key and decrypting it. using this key the encrypted message exchanged between the sending device and the receiving device.

To overcome this possibility, in a particular embodiment, the step of obtaining the encrypted S of the secret encryption key comprises:

A step of reception, from the sending device, of a so-called intermediate encryption S ′ of the secret encryption key obtained by using the encryption procedure of said homomorphic encryption algorithm parameterized by a public encryption key of the receiver device;

A step of obtaining a re-encryption key from the receiving device to the security device; and a step of re-encryption of the intermediate encrypted S 'using said re-encryption key, this re-encryption step providing said encrypted S of the secret encryption key.

In other words, in this embodiment, one protects against an overly curious security device by combining with the homomorphic encryption algorithm used in the invention a re-encryption scheme (or "proxy reencryption" in English). In a known manner, such a re-encryption scheme makes it possible to give access to a third party B to encrypted data for example by means of a public key encryption algorithm using the public key of an entity A, and this without the entity A does not have to disclose its private encryption key and even if the data was not initially intended for the third party. To this end, the re-encryption scheme is based on a so-called re-encryption or transition key for the attention of third party B giving a right of access to third party B to the data encrypted with the public key of entity A. This key is used to re-encrypt the encrypted data of entity A so as to make it accessible to third party B using its own private decryption key.

Thus, in this “combined” embodiment, the secret key used by the symmetric encryption algorithm is no longer encrypted using the public encryption key of the security device but using a public encryption key of the receiving device, who is the only one to hold the associated private decryption key. To allow the security device to perform the tasks incumbent upon it (eg decryption of the encryption of the detection result, verification of the hazard, etc.) despite the fact that it does not know the private decryption key of the receiving device, the intrusion detection device uses a re-encryption key from the receiving device to the security device to re-encrypt the encrypted S ′ of the secret key transmitted by the sending device. This allows the intrusion detection device to obtain an encrypted S of the secret encryption key corresponding to the public encryption key of the security device which it can then use during the evaluation of the symmetric decryption algorithm. . Thanks to this re-encryption, the security device is able to decrypt the elements sent to it by the intrusion detection device in an interactive mode.

According to another aspect, the invention relates to a method of communication of a security device with a device for detecting intrusions on a network, the security device having access to at least one rule for detecting at least one intrusion. likely to affect the network, said at least one detection rule comprising a regular expression established from at least one signature characteristic of said at least one intrusion, the communication method comprising:

A step of transforming said at least one regular expression into a function describing said at least one regular expression and which can be evaluated by means of an evaluation function of a homomorphic encryption algorithm;

A step of generating an encrypted of each signature characteristic of said at least one intrusion by applying an encryption procedure of said homomorphic encryption algorithm parameterized by a public encryption key of the security device; and a step of transmitting said at least one function describing said at least one regular expression and of each cipher of each signature characteristic of said at least one intrusion to a device for detecting intrusions on the network.

Correlatively, the invention also relates to a security device having access to at least one rule for detecting at least one intrusion liable to affect a network, said at least one detection rule comprising a regular expression established from at least at least one signature characteristic of said at least one intrusion, the security device comprising:

A transformation module, configured to transform said at least one regular expression into a function describing said at least one regular expression and which can be evaluated by means of an evaluation function of a homomorphic encryption algorithm;

- an encryption module, configured to generate an encryption of each signature characteristic of said at least one intrusion by applying an encryption procedure of said homomorphic encryption algorithm configured by a public encryption key of the security device; and a transmission module, configured to transmit said at least one function describing said at least one regular expression and each cipher of each signature characteristic of said at least one intrusion to an intrusion detection device on the network.

In a particular so-called interactive embodiment, the communication method further comprises:

A step of receiving from the detection device an encrypted result of detection;

A step of decrypting the encryption of the detection result using a decryption procedure of the homomorphic encryption algorithm configured by a private decryption key associated with the public encryption key of the security device; and a step of transmitting the decrypted detection result to the intrusion detection device.

Correspondingly, the security device further comprises:

A reception module, capable of receiving from the detection device an encrypted result of detection;

- a decryption module, configured to decrypt said encrypted detection result using a decryption procedure of said homomorphic encryption algorithm configured by a private decryption key associated with the public encryption key of the security device; and a transmission module, configured to transmit the decrypted detection result to the intrusion detection device.

The communication method and the security device in these different embodiments enjoy the same advantages as those mentioned above for the method and the device for intrusion detection according to the invention.

It should be noted that, in accordance with the invention, the security device supplies the intrusion detection device with various elements enabling it to carry out DPI detection leaks IDS, without never delivering the signatures characteristic of the intrusions that it has established. These are advantageously kept secret by the security device with respect to the intrusion detection device which has access only to the structure in the end of the regular expressions and to the encrypted signatures.

In a particular embodiment, during the transformation step of the communication method, at least one function describing said at least one regular expression is an arithmetic circuit obtained by means of a non-deterministic finite number automaton modeling the regular expression and a function for selecting the states of this automaton.

This embodiment provides a simple and efficient means for generating a description of the regular expressions proposed by the security device that can be evaluated by the homomorphic evaluation function of the homomorphic encryption algorithm.

In a particular embodiment, the different steps of the intrusion detection method and / or the different steps of the communication method are determined by instructions from computer programs.

Consequently, the invention also relates to a computer program on an information medium, this program being capable of being implemented in a security device or more generally in a computer, this program comprising instructions adapted to the implementation of the steps of a communication method as described above.

The invention also relates to a computer program on an information medium, this program being capable of being implemented in an intrusion detection device or more generally in a computer, this program comprising instructions adapted to the implementation of the steps of an intrusion detection method as described above.

Each of these programs can use any programming language, and be in the form of source code, object code, or intermediate code between source code and object code, such as in a partially compiled form, or in any what other desirable form.

The invention also relates to an information or recording medium readable by a computer, and comprising instructions of a computer program as mentioned above.

The information or recording medium can be any entity or device capable of storing the program. For example, the support may include a storage means, such as a ROM, for example a CD ROM or a microelectronic circuit ROM, or else a magnetic recording means, for example a floppy disk or a disc. hard,

On the other hand, the information or recording medium can be a transmissible medium such as an electrical or optical signal, which can be routed via an electrical or optical cable, by radio or by other means. The program according to the invention can in particular be downloaded from a network of the Internet type.

Alternatively, the information or recording medium can be an integrated circuit in which the program is incorporated, the circuit being adapted to execute or to be used in the execution of the process in question.

According to yet another aspect, the invention relates to a system for detecting intrusions on a network via which are able to communicate a transmitting device and a receiving device using a symmetric encryption / decryption algorithm parameterized by a shared secret encryption key. between the sending device and the receiving device, this intrusion detection system comprising:

- an intrusion detection device according to the invention; and - a safety device according to the invention.

The invention also relates to a communications system comprising:

- at least one sending device and at least one receiving device able to communicate on a network using a symmetric encryption / decryption algorithm parameterized by a secret encryption key shared between the sending device and the receiving device; and - an intrusion detection system according to the invention, the intrusion detection device of said detection system being intended to be located between said at least one transmitting device and said at least one receiving device.

Intrusion detection and communication systems benefit from the same advantages as those mentioned above for the intrusion detection method and device according to the invention and for the communication method and security device according to the invention.

It can also be envisaged, in other embodiments, that the intrusion detection method, the communication method, the intrusion detection device, the security device, the intrusion detection system, and the communication system according to the invention have all or some of the above characteristics in combination.

Brief description of the drawings

Other characteristics and advantages of the present invention will emerge from the description given below, with reference to the appended drawings which illustrate an embodiment thereof devoid of any limiting character. In the figures:

- Figure 1 shows, schematically, a communications system according to the invention, in a first embodiment of the invention;

- Figure 2 illustrates the hardware architecture of an intrusion detection device according to the invention, belonging to the communications system of Figure 1;

- Figure 3 illustrates the hardware architecture of a security device according to the invention, belonging to the communications system of Figure 1;

- Figures 4, 5 and 7 respectively represent, in the form of a flowchart, the main steps of a communication method according to the invention, of an intrusion detection method according to the invention and of a method of transmission of a message as implemented in the first embodiment of the invention by the security device, by the intrusion detection device, and by a transmitter device of the communications system of the figure 1 ;

- Figure 6 shows by way of illustration an automaton with a number of finite states which can be used by the safety device during the process illustrated in Figure 4; and FIGS. 8 and 9 respectively represent, in the form of a flowchart, the main steps of an intrusion detection method according to the invention and of a method of transmitting a message as they are set implemented in a second embodiment of the invention by the intrusion detection device and by a transmitter device of the communications system according to the invention.

Detailed description of the invention

FIG. 1 represents, in its environment, a communications system 1 according to the invention, in a first embodiment.

The communications system 1 comprises:

- a TX 2 transmitter device;

- an RX 3 receiver device; and a system 4 for intrusion detection according to the invention.

The transmitter device TX 2 and the receiver device RX 3 are able to communicate with each other via a telecommunications network NW. No limitation is attached to the nature of this network, except that on this network, communications between the sending device TX 2 and the receiving device RX 3 are secure via the use of a cryptographic encryption / decryption algorithm. symmetrical noted ALG-SYM based on a secret encryption key K shared between the sending device TX 2 and the receiving device RX 3. Here we note SYM-ENC, respectively SYM-DEC, the encryption procedure (or algorithm), deciphering respectively, corresponding symmetric. The symmetric encryption / decryption algorithm ALG-SYM is for example identical to the symmetric encryption / decryption algorithm used by the secure TLS or SSL protocols.

The NW network can thus be either a public network such as the Internet or a private network, a fixed or mobile network, a wired or wireless network, it can be made up of a single network or be made up of a plurality of subnets, etc.

The intrusion detection system 4 is configured to allow the detection of intrusions capable of affecting communications on the NW network, and more particularly here in the example envisaged in FIG. 1, the communications between the transmitter device TX 2 and the RX 3 receiving device. To this end, it comprises:

- an MB 5 intrusion detection device (also known as a “middlebox”), in accordance with the invention, which is located in the NW network between each transmitting device TX capable of transmitting data on this network and each receiving device RX likely to receive data via this network. In this case here, in the example illustrated in FIG. 1, the MB 5 intrusion detection device is located in the NW network between the transmitter device TX 2 and the receiver device RX 3 and is capable of intercepting exchanges on the NW network between these two devices; and - a security device RG 6, managed by (ie under the control of) a security editor able to determine (that is to say to establish) a plurality of intrusion detection rules capable of affecting the NW network. These detection rules are presented in the form of signatures (or patterns or even keywords) SIGi, i = l, ..., I where I designating an integer greater than 1, characteristics of intrusions likely to affect the NW network , as well as one or more regular expressions REGj, j = l, ..., J, J designating an integer greater than or equal to 1, established from these signatures. A regular expression, in a manner known in computer science, is a character string or a pattern which defines a set of possible character strings. In other words, in the context described here, each regular expression REGj defines a set of possible character strings from one or more signatures. It can rely for this purpose on various operators known per se, including in particular:

o the grouping operator “()” which indicates the characters that can be framed on either side by the characters found before and after the operator; for example "Blind (B | b) ox" includes "BlindBox" and "Blindbox";

o the asterisk *, indicating for the character string in which it is used, zero or at least one occurrence of the character or of a set of characters preceding the asterisk and delimited by the grouping operator (). For example "ab *" includes the character strings "a", "ab", "abb", etc.

o the operator "or" or "| Which translates alternative characters or alternative character strings on either side of the operator. For example "rootkit | trojan" designates the character strings "rootkit" or "trojan";

o the question mark “? Which indicates zero or one occurrence of a character or set of characters delimited by the grouping operator (); for example "https? "Includes" http "or" https "; and o the operator “+” which indexes one or more occurrences of a character or a set of characters delimited by the grouping operator (); for example, "/ content / p +" includes "/ content / p", "/ content / pp", "/ content / ppp", etc.

Thus, by way of illustration, the regular expression “p (a | b) *” includes the character strings which contain the character p followed by an arbitrary number (ie zero or more) of “a” or of “b” . It therefore includes the strings "p", "pa", "pb", "paaaabb", "pbbba", etc.

In the first embodiment described here, the signatures SIGi, i = 1, ..., 1 and the regular expressions REGj, j = l, ..., J established by the security editor are stored in a memory not volatile referenced by 15 (see Figure 3) of the RG 6 safety device (and therefore accessible by it).

As a variant, the signatures SIG and the regular expressions REG established by the security editor can be stored in a remote memory, preferably protected in a manner known per se, and accessible by the security device RG 6.

The way in which the detection rules are determined by the security editor, and more particularly the SIG signatures and the REG regular expressions, is known per se and depends on the know-how of each security editor. It is not described in detail here. It is noted that the SIG signatures and the REG regular expressions associated with these signatures are likely to evolve or to be updated, for example following the appearance of new types of intrusions likely to affect the NW network.

In addition, it should also be noted that the same security editor can be required to interact with several separate intrusion detection devices, located in the same network or in different networks. Similarly, an intrusion detection device located in a network can be required to interact with several security editors (and therefore with several security devices managed respectively by these security editors). For the sake of simplification, however, here, we limit ourselves to a security editor and to an intrusion detection device.

In accordance with the invention, a DPI and full IDS type in-depth inspection is permitted on the NW network although the communications between the transmitter device TX 2 and the receiver device RX 3 are encrypted, without the editor of security is forced to disclose to the intrusion detection device MB 5 the signatures that it has established to detect intrusions likely to affect the NW network. In addition, this full IDS DPI inspection is allowed without the traffic exchanged between the TX sending device and the RX receiving device being disclosed to the MB 5 intrusion detection device, even partially, so that the confidentiality of the exchange between the two devices is preserved and their privacy guaranteed. To this end, the invention is based on a homomorphic encryption algorithm noted below ALG-FHE (for Fully Homomorphic Encryption in English).

No limitation is attached to the homomorphic encryption algorithm per se which can be used: it may for example be the homomorphic encryption algorithm described in the document by C. Gentry entitled “Fully homomorphic encryption using ideal lattices ", Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC 2009, Bethesda, MD, USA, May 31 - June 2, 2009, or an algorithm described in the document by J. Fan et al. entitled “Somewhat practical fully homomorphic encryption”, IACR Cryptology ePrint Archive 2012: 144, etc.

In known manner, such a homomorphic encryption algorithm is defined by several procedures, namely:

- a key generation algorithm noted FHE.KEYGEN, parameterized by a security parameter λ known per se, taken for example here equal to 128 bits, in accordance with the security recommendations in force. This algorithm is able to generate a pair of cryptographic keys comprising a public encryption key generally noted pk and a corresponding private decryption key noted sk;

- an encryption / decryption algorithm comprising an FHE.ENC encryption procedure capable of generating an encryption from a message and the public encryption key pk, and an FHE.DEC decryption procedure capable of decrypting an encryption from the corresponding private decryption key sk;

- a homomorphic evaluation function FHE.HOM, which takes as input several figures cl, ..., cL and a function f which is in a form which can be evaluated by the homomorphic evaluation function (for example under the form of an arithmetic circuit, as detailed further below), said homomorphic evaluation function then delivering at output f (cl, ..., cL). As mentioned above, if cl, 1 = 1, ..., L denotes the encryption of a message ml obtained using the ENC encryption algorithm parameterized by the public encryption key pk, by abuse of notation, we can write that the homomorphic evaluation function HOM checks the following relation:

FHE.H0M (cl, = / (cl, ..., ci) = FHE. ENC (/ (ml, ..., mL), pk)

The abuse of notation comes from the fact that it is not exactly the same function f which is actually applied to plain text messages ml, ..., mL and to encrypted messages cl, ..., cL. Indeed, in a manner known per se, the homomorphic evaluation function imposes certain constraints on the form of the function f to be able to evaluate it on the figures cl, ..., cL, constraints which are not necessary to apply this clear messages function. In the strict sense of the term, there are therefore two functions f and f 'applied respectively to the cipherwords and to the plain text messages. However, for the sake of simplification in the following description, and to facilitate understanding of the invention, we consider a single notation f to designate this function and by evaluation of a function f is meant by the homomorphic evaluation function , the evaluation of the function f in its transformed form. Thus, by way of example, and by abuse of language, the term “evaluation of the deciphering procedure” is understood to mean the evaluation of this deciphering procedure in a form possibly transformed and evaluable by the homomorphic evaluation function.

The various procedures defining the ALGFHE homomorphic encryption algorithm are implemented in whole or in part, in the first embodiment described here, by the different entities of the communication system 1 (TX transmitter device 2, intrusion detection device MB 5 and safety device RG 6), as detailed further below.

In the first embodiment described here, the MB intrusion detection device has the architecture of a computer, as illustrated in FIG. 2. It notably includes a processor 7, a random access memory 8, a read only memory 9, a non-volatile flash memory 10 as well as communication means 11 enabling it, on the one hand, to intercept any communication between the transmitter TX 2 and receiver RX 3 devices on the NW network, and on the other hand to communicate with the safety device RG 6. Such means are known per se and are not described in more detail here.

The ROM 9 of the MB intrusion detection device 5 constitutes a recording medium according to the invention, readable by the processor 7 and on which a computer program PROG1 according to the invention is recorded here.

The computer program PROG1 defines functional modules and software here, configured to implement the steps of an intrusion detection method on the NW network. These functional modules rely on and / or control the hardware elements 7-11 of the MB 5 intrusion detection device mentioned above. They include in particular here, as illustrated in FIG. 1:

A first reception module 5A capable of receiving from the security device RG 6 various elements, and in particular:

o a function CIRC-REGj describing each regular expression REGj, j = l, ..., J and which can be evaluated by means of the homomorphic evaluation function FHE.HOM of the homomorphic encryption algorithm ALG-FHE. Such a function is here an arithmetic circuit (or boolean circuit), known per se. The way in which this arithmetic circuit is obtained from the regular expression REGj, j = l, ..., J by the safety device RG 6 is described later; and o an encrypted FHE-SIGi, i = l, ..., I of each signature SIGi, i = l, ..., I, obtained here by the security device RG 6 by applying the encryption procedure FHE.ENC of the homogeneous encryption algorithm ALG-FHE parameterized by a public key pk (RG) of encryption of the security device RG 6 generated by means of the algorithm FHE.KEYGEN.

The first reception module 5A is configured to use in particular the communication means 11 of the MB intrusion detection device 5;

A second reception module 5B, capable of receiving from the transmitter device TX 2 an encryption denoted T of content derived from a message m intended for the receiver device RX 3. The encryption T is generated by the transmitter device TX 2 by means of the SYM-ENC encryption procedure of the symmetric encryption / decryption algorithm ALG-SYM, parameterized by the secret encryption key K shared between the sending device TX 2 and the receiving device RX 3. The second receiving module 5B is also configured to use the communication means 11 of the MB intrusion detection device 5.

Furthermore, in the first embodiment described here, the second reception module 5B is configured to receive an encrypted S from the secret encryption key K generated by the transmitter device TX 2 by applying the encryption procedure to the secret key K FHE.ENC of the homomorphic encryption algorithm ALG-FHE, parameterized by the public encryption key pk (RG) of the security device RG 6 (in other words, the reception module 5B is in the first embodiment a module d 'obtaining an encrypted S of the secret encryption key K within the meaning of the invention);

A module 5C for obtaining an encrypted T 'from the encrypted T. The encrypted T' results from the application by the obtaining module 5C on the encrypted T of the encryption procedure FHE.ENC of the algorithm ALG-FHE homomorphic encryption configured by the public encryption key pk (RG) of the security device RG 6.

In a second embodiment, described in more detail later, the obtaining module 5C is further configured to obtain an encryption S of the secret encryption key K, this encryption corresponding to the application of the homomorphic encryption algorithm ALGFHE configured by the public encryption key pk (RG) of the security device RG 6. It is noted that in this second embodiment, the encryption S is obtained by the obtaining module 5C by re-encryption of an intermediate encryption S ' of the secret encryption key K supplied to the intrusion detection device MB 5 by the transmitter device TX 2. The encryption results from the application on the secret key K of the homomorphic encryption algorithm ALG-FHE configured by a public encryption key pk (RX) of the receiver device RX 3, so that the intrusion detection device MB 5 is never in possession of the shared secret key K. The obtaining module 5C is then configured, in the second embodiment, to use a re-encryption key from the receiving device RX 3 to the security device RG 6 to generate the encrypted S;

- a first 5D evaluation module of the symmetric decryption procedure SYM-DEC of the symmetric encryption algorithm ALG-SYM. The first evaluation module is configured to carry out this evaluation on the encrypted T and to use for this purpose the homomorphic evaluation function FHE.HOM of the homomorphic encryption algorithm ALG-FHE and the encrypted S of the secret key K The first evaluation module 5D is further configured to provide an encrypted V of the message m by the encryption procedure FHE.ENC parameterized by the public encryption key pk (RG) of the security device RG 6;

- a second 5E evaluation module configured to evaluate using the evaluation function

FHE.HOM as well as the figures FHE-SIGi, i = l, ..., I of the signatures SIGi, each function CIRCREGj describing a regular expression REGj, j = l, ..., J, on the figure V of the message m . This second evaluation module 5E is further configured to provide an encryption of a detection result indicating the existence or not of a regular expression among the expressions REGj, j corresponding to the message m; and a module 5F for detecting an intrusion on the activated network if the detection result once deciphered indicates that there is at least one regular expression REGj, j = 1, ..., 3 corresponding to the message m.

The functions of these various 5A-5F modules are described in more detail later.

The RG security device 6 also here has the hardware architecture of a computer, as illustrated in FIG. 3. It notably includes a processor 12, a random access memory 13, a read-only memory 14, the non-volatile flash memory 15 in which are stored the signatures SIGi, i = l, ..., I, the encrypted FHE-SIGi, 1 = 1, ..., 1 as well as the regular expressions REGj, j = l, ..., 3 and the arithmetic circuits CIRC-REGj, j = l, ..., 3 describing these regular expressions. The RG security device 6 also includes communication means 16 enabling it to communicate with the MB 5 intrusion detection device.

The read-only memory of the security device RG 6 constitutes a recording medium, readable by the processor of the security device and on which is recorded here a computer program PROG2 defining functional modules, configured to implement the steps of a communication method according to the invention. These functional modules rely on and / or control the hardware elements 12-16 of the safety device RG 6 mentioned above. They include in particular in the first embodiment described here, as illustrated in FIG. 1:

- a key generation module 6A, configured to use the key generation algorithm FHE.KEYGEN of the homomorphic encryption algorithm ALG-FHE in order to generate the key pair of the security device RG 6 comprising the public key of pk encryption (RG) and the corresponding private decryption key sk (RG);

- a transformation module 6B, configured to transform each regular expression REGj, j = l, ..., 3 into a function describing this regular expression and which can be evaluated by means of an evaluation function of an encryption algorithm homomorphic. In the first embodiment described here, as mentioned above, the transformation module 6B is configured to transform each regular expression REGj into an arithmetic circuit CIRC-REGj;

- a 6C encryption module, configured to generate the FHE-SIGi encryption, i = l, ..., I from the SIGi signatures, i = l, ..., I using the FHE.ENC encryption procedure of the homogeneous encryption algorithm ALG-FHE configured by the public key pk (RG) for encryption of the security device RG 6; and - a 6D transmission module, configured to transmit each of the functions (arithmetic circuits here) CIRC-REGj, j = l, ..., 3 describing each regular expression REGj, j = l, ..., J and each cipher FHE-SIGi, i = l, ..., I of each SIGi signature, i = l, ..., I to the MB 5 intrusion detection device. This 6D transmission module relies on the means of communication 16 of the RG 6 safety device.

In the first embodiment described here, the computer program PROG2 also defines the following functional modules and software:

A reception module 6E, also relying on the communication means 16, and able to receive from the intrusion detection device MB 5 an encryption of the detection result generated by the intrusion detection module MB 5 ; and - a decryption module 6F, configured to decrypt this encrypted result of detection using the decryption procedure FHE.DEC of the homomorphic encryption algorithm ALG-FHE, parameterized by the private key sk (RG) of the security device RG 6.

In addition, the transmission module 6D is configured to transmit the detection result deciphered by the module 6F to the intrusion detection device MB 5.

The functions of these different modules 6A-6F are described in more detail later.

As a variant, the key pair pk (RG) / sk (RG) associated with the security device RG 6 can be generated by a trusted authority, which then takes care of publishing the public key pk (RG) and transmitting the key private sk (RG) in a secure manner to the security device RG 6.

It should be noted that no limitation is attached to the nature of the transmitter TX 2 and receiver RX 3 devices. These may be computers, servers, any terminals, as long as they are able to communicate on the network NW securely using here the encryption / decryption procedure of the symmetric encryption algorithm ALG-SYM and for the sending device TX 2, the encryption procedure FHE.ENC of the homomorphic encryption algorithm ALG-FHE . It is assumed here that the devices TX 2 and RX 3 are able to exchange or share the secret encryption key K.

In the first embodiment described here, the TX 2 and RX receiver devices have the hardware architecture of a computer, this architecture being identical to that of the MB 5 intrusion detection device or that of the RB security device 6, namely that they comprise a processor, a random access memory, a read-only memory, the non-volatile flash memory, as well as communication means enabling them to communicate on the NW network.

The read-only memory of the TX 2 sending device constitutes a recording medium, readable by the processor of the TX 2 sending device and on which is recorded here a computer program defining functional modules based on and / or controlling the hardware elements. of the TX 2 transmitter device mentioned above. These functional modules notably include here, as illustrated in FIG. 1:

A module 2A for generating an encrypted from content derived from a message m intended for the receiving device RX 3 using the encryption procedure SYM-ENC of the symmetric encryption algorithm ALG-SYM, parameterized by the secret encryption company K;

A module 2B for generating an encrypted of the secret encryption key K, configured to use for this purpose the encryption procedure FHE.ENC of the homomorphic encryption algorithm ALG-FHE; and - a transmission module 2C, configured to transmit the two ciphers generated by the module 2A and by the module 2B on the network NW.

Furthermore, the read-only memory of the RX 3 receiving device constitutes a recording medium, readable by the processor of the RX 3 receiving device and on which is recorded here a computer program defining functional modules based on and / or controlling the hardware elements of the receiver device RX 3 mentioned above, and in particular a decryption module 3A configured to apply the decryption procedure SYM-DEC of the symmetric encryption / decryption algorithm ALG-SYM configured by the secret key K shared with the device TX transmitter 2.

The functions of the different modules 2A-2C and 3A of the TX 2 and RX 3 receiver devices are described in more detail later.

In the first embodiment described here, it is assumed that the device 2 is the sender of a message m and the device 3 the recipient of this message. Of course, these roles are interchangeable, and the device 2 can be provided with a module identical to the module 3A of the device 3 to receive and decrypt an encrypted message via the NW network, just as the device 3 can be provided with identical modules to the modules 2A-2C of the device 2 for transmitting encrypted messages on the NW network.

We will now describe, with reference to FIGS. 4 and 5 respectively, the main steps of a communication method and of an intrusion detection method according to the invention as they are implemented respectively by the detection device. security RG 6 and by the MB 5 intrusion detection device of the communication system 1 of FIG. 1.

With reference to FIG. 4, it is assumed here that during an initialization phase, the security device RG 6 generates, via its key generation module 6A, a pair of cryptographic keys comprising its public key pk (RG) and his private key sk (RG) (step E10). To this end, it uses, as mentioned previously, the algorithm FHE.KEYGEN of the homomorphic encryption algorithm ALG-FHE, parameterized by the security parameter λ with λ = 128 bits here.

The public key pk (RG) of the security device RG 6 is published (ie made public) on the network NW, so as to be known in particular to the intrusion detection device RG 6 and the transmitter device TX 2 (step E20) .

The security device RG 6 then transforms, via its transformation module 6B, each regular expression REGj, j = l, ..., J relating to one or more signatures SIGi, i = l, ..., I, into a function describing this expression and which can be evaluated by a homomorphic evaluation function and in particular by the homomorphic evaluation function FHE.HOM of the homomorphic encryption algorithm ALG-FHE (step E30). In the first embodiment described here, the transformation operated by the module 6B consists in transforming each regular expression REGj, j = l, ..., J, into an arithmetic circuit CIRC-REGj, j = l, .. J. By transformation of the regular expression REGj, we mean transformation of its structure, that is to say of its algorithmic part properly speaking, this regular expression being intended to be applied here to encrypted elements. This transformation aims to allow the comparison of an encrypted character string with the regular expression in question to determine if a match exists, ie if the encrypted character string that we are examining (ie observing) coincides with one of the strings defined by the regular expression.

In the first embodiment described here, the transformation module 6B uses, to transform each regular expression REGj into an arithmetic circuit, an automaton with finite number of states not deterministic or NFA (for Non Finite Automaton) modeling this regular expression thus only a function for selecting the states of this automaton. By way of illustration, FIG. 6 represents such an NFAex automaton for the regular expression "p (a | b)". It is a directed graph, whose vertices are states and the edges characterize the transitions making it possible to pass from one state to another.

For example in FIG. 6, the NFAex automaton comprises three distinct states, namely:

- an initial state ql;

- an accepted (or verified) state q2; and - a rejected (or not verified) state q3.

The transitions making it possible to pass from one state to another are shown in FIG. 6 in association with the values of the characters controlling these transitions.

The NFAex automaton thus makes it possible to compare any string of characters with the regular expression "p (a | b)". Indeed, starting from the initial state ql, if the first character of the character string observed is a "p", then a transition to the state q2 ("accepted") of the NFAex automaton is effected. If the character is different from "p" (modeled by p), then a transition to state q3 ("rejected") is made. If the state q2 is reached, then the second character of the string is observed. If it is an "a", the automaton remains in state q2. Otherwise, a transition to q3 is made, and so on for the other characters of the character string examined. Thus, starting from the initial state ql, if after examining all the characters in the character string, the final state obtained is the accepted state q2, then this means that the character string observed is well defined by the regular expression "p (a [b)". On the other hand, if the final state obtained is the accepted state q3, this means that the observed regular expression does not meet the definition of the regular expression "p (a | b)".

This automaton is translated as an arithmetic circuit by introducing the following Select selection function:

Select (x, y, z) = x.y + (lx) .z where y, z denote relative integers here, and x takes the values 0 or 1. The Select function thus defined returns the value "y" if x = l and the value "z" if x = 0. This Select function is used here to model each transition of the automaton, by applying the following convention:

x = l - ([ci] - [ci '])

Y = [q2] z = [q3] where i denotes the position of the character ci 'observed in the character string being examined (i = l, ..., P if P denotes the number of characters in the string ), and ci designates the character associated by the automaton with the transition between state [qi] and state [qi + 1]. According to this convention, if the characters ci and ci 'are identical, then c is 1, and the accepted state q2 is selected, otherwise c is 0 and the rejected state q3 is selected.

By applying this selection function step by step, the transformation module 6B can model each test implemented by the automaton from an observed character string. Thus in the example of the NFAex automaton, if we consider an observed character string comprising two characters [cl c2] that we wish to compare with the regular expression "p (a | b)", the path in the NFAex PLC can be translated as follows:

- for the first character [cl], starting from ql, we go to a state el defined by:

el = [l - ([p] - [cl])]. [q2] + ([p] - [cl]). [q3] (eql) either el is q2 (state accepted) if [cl] = [ p] and q3 (state rejected) otherwise;

- for the second character [c2], two comparisons are made by means of the automaton with respect to the two possible alternatives “a” and “b” defined by the regular expression (ie (a | b)), which are translated by the following states e2 and e3 in which [el == q2] is worth 1 if el is equal to q2 and 0 otherwise:

e2 = [el == q2]. ([l - ([a] - [c2])] [q2] + ([a] - [c2]). [q3]) (eq2) let e2 be q2 ( state accepted) if [c2] = [a] and q3 (state rejected) otherwise, and e3 = [el == q2]. ([l - ([b] - [c2])]. [q2] + ([ b] - [c2]). [q3]) (eq3) either e3 equals q2 (accepted state) if [c2] = [b] and q3 (rejected state) otherwise.

The final state is the accepted state q2 if e2 or e3 equals q2. The RES result of the detection operated via the PLC can therefore be translated into Boolean language in the following form:

RES = [e2 == q2] + [e3 == q2] (eq4).

The function defining the result RES and given by equation (eq4), in which the states el, e2 and e3 have been replaced by their definitions given in equations (eql), (eq2) and (eq3), constitutes a function representing the regular expression "p (a | b)" as an arithmetic CIRC circuit. Such a function can advantageously be evaluated by the evaluation function FHE.HOM of the homomorphic encryption algorithm.

Note that the relatively simple example of the regular expression "p (a | b)" has been given here only for illustrative purposes. The article by S. Fau et al. entitled “Towards practical program execution overfully homomorphic encryption schemes”, 2013 Eighth International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, pages 284-290 introduces other examples based on the Select function and allowing the translation of various algorithms in the form of arithmetic circuits.

In the first embodiment, the transformation module 6B proceeds in an identical manner to what was previously described in the example of the regular expression "p (a | b)" to transform each regular expression REGj, j = l , ..., J in an arithmetic circuit CIRC-REGj. In other words, it is based on the one hand, on an NFA automaton with finite number of non-deterministic states modeling this regular expression, and on the other hand, on the selection function Select previously introduced, and provides an arithmetic circuit CIRC -REGj defining a detection result RESj, j = l, ..., J. It is noted that each arithmetic circuit CIRC-REGj is intended to be applied to encrypted elements and that the detection result RESj which it provides is itself an encrypted element.

It should also be noted that the arithmetic circuit CIRC-REGj obtained by the transformation module 6B for each regular expression REGj offers a compact representation of the regular expression REGj, evaluable by the homomorphic evaluation function FHE.HOM. Other representations can however be envisaged as a variant. So for example, we can consider another function describing the regular expression REGj consisting in enumerating all the possible character strings defined by the regular expression REGj. It is clear, however, that such a representation can become very complex or even inappropriate for certain regular expressions including for example the operator *.

Furthermore, in the embodiment described here, the transformation module 6B determines a separate arithmetic circuit for each regular expression: in other words, an arithmetic circuit represents a single regular expression. In another embodiment, it can be envisaged that the transformation module 6B defines a single arithmetic circuit representing all the regular expressions, or several arithmetic circuits each representing one or more regular expressions.

The arithmetic circuits CIRC-REGj are stored here by the transformation module 6B in the non-volatile memory 15 of the safety device RG 6. As mentioned previously, these arithmetic circuits CIRC-REGj, j = l, ..., J, are intended to be applied to encrypted elements and for this purpose require knowledge of the encrypted signature signatures SIGi, 1 = 1, ..., 1.

Referring again to FIG. 4, the security device RG 6 therefore generates for each signature SIGi, i = l, an encrypted FHE-SIGi of this signature, via its encryption module 6C (step E40).

It is noted that steps E30 and E40 can be reversed chronologically or be implemented in parallel.

More precisely, in the first embodiment described here, the encryption module 6C encrypts each signature SIGi, i = l, ..., I by applying to it the encryption procedure FHE.ENC of the homomorphic encryption algorithm ALG- FHE, configured by the public encryption key pk (RG) of the security device RG 6.

Then the transmission module 6D of the security device RG 6 transmits to the intrusion detection device MB 5, via the communication means 16 of the security device RG 6, the arithmetic circuits CIRC-REGj, j = l, ... , J, describing the regular expressions REGj, j = l, ..., J as well as the encrypted signatures FHE-SIGi, i = l, ..., I (step E50). It is noted that the signatures in clear SIGi, i = l, ..., I are kept secret by the security device RG 6 with respect to the intrusion detection device MB 5: only their encrypted forms and the structure of the regular expressions (in the form of arithmetic circuits) are transmitted to the MB 5 intrusion detection device.

With reference to FIG. 5, the detection device MB 5 stores the arithmetic circuits CIRC-REGj, and the encrypted signatures FHE-SIGi, i = l, ..., I received from the security device RG 6 by its first module reception 5A in its non-volatile memory 10 (step F10).

It is now assumed that the sending device TX 2 wishes to send a message m intended for the receiving device RX 3. The message m can consist of one or more data packets. In the following description for the sake of simplification, we consider a single data packet consisting of a plurality of characters ml, m2, ..., ml, L designating an integer greater than 1.

In preparation for this exchange, the MB 5 intrusion detection device generates, in the first embodiment described here, a random number (ie random) x0 which it sends via the network NW to the transmitter device TX 2 (step F20 ). In the first embodiment described here, this random number xO is intended to allow the safety device RG 6 to check whether the emitting device ΤΧ2 is honest, as detailed further below. It is therefore also transmitted to the safety device RG 6.

FIG. 7 illustrates the main steps implemented by the transmitter device TX 2 during its exchange of the message m with the receiver device RX 3.

In preparation for sending the message m, the sending device TX 2 generates a secret encryption key K, which it shares with the receiving device RX 3, for example, via a secure exchange implemented between the two devices (step G10). This secure exchange can be based, for example, on the standard procedure provided for by the SSL / TLS protocols. The secret key K is here ephemeral, in the sense that it is generated for the connection present with the receiver device RX 3.

Then, in the first embodiment described here, following the reception of the hazard xO (step G20), the transmitter device TX 2 generates CONT content by concatenating the hazard xO with the message m which it wishes to send to the RX 3 receiver device (step G30). The CONT content is content derived from the message m within the meaning of the invention. In another embodiment not using the hazard xO, the content CONT derived from the message m consists solely of the message m.

The sending device TX 2 then generates, by means of its module 2A, an encrypted T of the content CONT by applying to it the encryption procedure SYM-ENC of the symmetric encryption algorithm ALG-SYM configured by the secret encryption key K ( step G40).

The transmitter device TX 2 also generates, in the first embodiment described here, by means of its module 2B, an encrypted S of the secret encryption key K (step G50).

The encryption S is generated by the module 2B by applying to the secret key K the encryption procedure FHE.ENC of the homomorphic encryption algorithm ALG-FHE, parameterized by the public encryption key pk (RG) of the security device RG 6.

Then, the transmitter device TX 2 by means of its transmission module 2C, transmits the encryption T of the content CONT and the encryption S of the secret key K intended for the receiver device RX 3 (step G60).

With reference to FIG. 5 again, the encryption T and the encryption S transmitted by the transmitter device TX 2 intended for the receiver device RX 3 are intercepted by the intrusion detection module MB 5, and more particularly by its second module 5B reception (step F30). The interception of encryption S by the MB 5 intrusion detection device constitutes a step of obtaining encryption S within the meaning of the invention.

The transmitter device TX 2 also generates, by means of its obtaining module 5C, an encrypted T 'of the encrypted T by applying to the encrypted T the encryption procedure FHE.ENC of the homomorphic encryption algorithm ALG-FHE, configured by the public encryption key pk (RG) of the security device RG 6 (step F40). The following relationship results:

T '= FHE.ENC (SYM-ENC ((xO | m), K), pk (RG)).

Then, via its first evaluation module 5D, the intrusion detection device MB 5 evaluates the decryption procedure SYM-DEC of the symmetric encryption / decryption algorithm ALG-SYM on the encrypted T '(step F50). To this end, it uses a description of the SYM-DEC decryption procedure in the form of an arithmetic circuit and the encryption S of the shared secret key K, on which it applies the homomorphic evaluation function FHE.HOM of the encryption algorithm. homomorph ALG-FHE. It is noted that obtaining a description of the SYM-DEC decryption procedure in the form of an arithmetic circuit or more generally in a form which can be evaluated by the homomorphic evaluation function FHE.HOM does not pose any difficulty as such, most decryption algorithms are already in this form.

Thanks to the properties of homomorphic encryption, the first evaluation module 5D obtains on the one hand, an encrypted V of the message m by the encryption procedure FHE.ENC parameterized by the public encryption key pk (RG) of the security device RG 6, and on the other hand, an encrypted V 'of the hazard xO by the encryption procedure FHE.ENC parameterized by the public encryption key pk (RG) of the security device RG 6, that is:

V = FHE.ENC (m, pk (RG)) and V '= FHE.ENC (xO, pk (RG))

The MB 5 intrusion detection device, via its second evaluation module 5E, then evaluates on the cipher V each regular expression REGj, j = l, ..., J. To this end, it uses the description of each regular expression REGj in the form of an arithmetic circuit CIRC-REGj and the figures FHE-SIGi, i = l, ..., I of the signatures on which it applies the homomorphic evaluation function FHE. HOM of the homomorphic encryption algorithm ALG-FHE (step F60).

Due to the properties of homomorphic encryption, the second evaluation module 5E obtains at the end of this evaluation an intermediate detection result encrypted RESj for each regular expression REGj, j = l, ..., J. Each intermediate detection result RESj is equal to 1 if the number V corresponds to the regular expression REGj, and to 0 otherwise.

Thus, a correspondence with a detection rule established by the security editor is detected if at least one of the intermediate results RESj is equal to 1. The second evaluation module evaluates here, from the intermediate results, a result detection encrypted B according to the expression:

B-RES1 + RES2 + ... + RESJ where “+” designates here the Boolean operator OR, so that the result B is equal to 0 or 1.

Note that in the embodiment described here, each regular expression is described by means of a separate arithmetic circuit. As mentioned above, in another embodiment, it is possible to envisage having a single and same function, that is to say here a single and same arithmetic circuit, describing the set of regular expressions in which case the result of encrypted detection B is directly obtained at the output of the evaluation function FHE.HOM. In another embodiment, several arithmetic circuits are considered, each describing one or more regular expressions, the encrypted detection result B then being obtained by summing the intermediate results obtained after evaluation of each of these circuits.

The encrypted detection result B also verifies the following relation: B = FHE.ENC (det (m), pk (RG)).

where det (m) designates the detection result which would be obtained by applying the regular expressions REGj directly to the message m.

In the first embodiment described here, the MB intrusion detection device 5 transmits via its communication means 11 the encrypted detection result B to the security device RG 6 (step F70). It also transmits the encrypted V 'to it.

With reference to FIG. 4, on reception of the encrypted B and V ′ by its reception module 6E (step E60), the security device RG 6 deciphers the encrypted detection result B (step E70). Its decryption module 6F uses for this purpose the decryption procedure FHE.DEC of the homomorphic encryption algorithm ALG-FHE parameterized by the private decryption key sk (RG) of the security device RG 6. It thus obtains the result of detection det (m), which it transmits in return, via its transmission module 6D, to the intrusion detection device MB 5 (step E80).

Furthermore, in the first embodiment described here, the safety device RG 6 also checks the integrity of the hazard xO (step E90). To this end, it deciphers by means of its decryption module 6F the encrypted V 'by applying to it the decryption procedure FHE.DEC parameterized by the private decryption key sk (RG) of the security device RG 6. The result of this decryption is compared with the value of the hazard xO previously transmitted in step F20 by the intrusion detection device. If the two values coincide (ie are equal), the verification is validated, in other words, the transmitter device TX 2 acted honestly and transmitted the right hazard to the intrusion detection device MB 5. Otherwise, this means that the TX 2 sending device is dishonest.

The security device RG 6 can then, when discordant values are detected during the verification step E90, inform the intrusion detection device MB 5, and / or an administrator of the network NW.

It is noted that this verification step, and correlatively the use of the hazard xO by the transmitter device TX 2, by the intrusion detection device MB 5 and by the security device RG 6, are optional. The invention can be implemented by considering CONT content consisting solely of the message m.

Referring to Figure 5, upon receipt. of the detection result det (m) coming from the security device RG 6, the detection module 5F of the intrusion detection device determines whether an intrusion has been committed on the network NW (step F90). More precisely, it determines here that there is an intrusion on the network if det (m) is equal to 1, and deduces the absence of intrusion if det (m) is equal to 0.

In the first embodiment described here, if no intrusion has been detected by the detection module 5F (response no to test step F90), the intrusion detection device MB 5 transmits the encryption T of the message m to the RX receiver device for decryption. The reception device RX 3, via its decryption module 3A, can then decrypt the encrypted T by applying to it the decryption procedure SYM-DEC of the symmetric encryption / decryption algorithm ALG-SYM configured by its private decryption key sk (PG).

If, on the contrary, an intrusion is detected by the detection module 5F (response yes to the test step F90), different actions can be taken by the intrusion detection device MB 5 depending on its configuration (step Fl 10) . For example, it can, via its communication means 11, notify the administrator of the NW network of this detection. As a variant or in addition, the intrusion detection device MB 5 can delete the encrypted message T and not transmit them to the receiving device RX 3, the latter being corrupted, etc.

The invention therefore makes it possible, thanks to the use of the homomorphic encryption algorithm ALG-FHE, to apply a full IDS deep inspection procedure on the encrypted traffic exchanged between the sending device TX 2 and the receiving device RX 3 without the MB 5 intrusion detection device being aware of the keywords defined by the RG security device 6. The invention thus makes it possible to guarantee the confidentiality of the exchanges between the sending device TX 2 and the receiving device RX 3 and their privacy, while allowing intrusion detection on the network used by these devices.

Note that the first embodiment is an interactive mode in that it is based on an exchange between the MB 5 intrusion detection device and the RG 6 security device so that the MB intrusion detection device 5 can access the decrypted detection result det (m). This interactive mode allows the security device RG 6 not to disclose its private decryption key sk (RG).

However, as a variant, the invention can be implemented in a non-interactive mode. For this purpose, for example, the private decryption key sk (RG) of the security device RG 6 can be stored in a hardware security module (or HSM for Hardware Secure Module), accessible by the intrusion detection device MB 5 In a known manner, such an HSM module is an electronic module considered to be inviolable offering cryptographic functions, such as in particular the storage of cryptographic keys. Thus, in a variant of the first embodiment, it can be envisaged that the intrusion detection device MB 5 obtains the private decryption key sk (RG) of the HSM module and then decrypts the encrypted detection result B using this key private decryption in order to obtain the detection result det (m). In another variant, it can be envisaged that it is the HSM module which itself deciphers the encrypted B and provides in return the detection result det (m) to the intrusion detection device MB 5. It can of course be envisaged by in addition to supplementing these variant embodiments with additional mechanisms making it possible to protect against dishonest behavior by the MB 5 intrusion detection device (such as for example a verification by the HSM module of the consistency of what is deciphered by the device MB intrusion detection system 5).

In the first embodiment which has just been described, the secret key K shared between the transmitter device TX 2 and the receiver device RX 3 and used to encrypt the exchanges between these two devices, is encrypted by the transmitter device TX 2 at means of the public encryption key of the security device RG 6. It follows that an unscrupulous security device RG 6 can listen to the exchanges between the transmitter device TX 2 and the receiver device RX 3, access the encrypted message T and at encryption S of the shared key K, decrypt encryption S and access the message m in clear. To overcome this drawback, in a second embodiment of the invention, the secret key K shared between the transmitter device TX 2 and the receiver device RX 3 is no longer encrypted by the transmitter device TX 2 by means of the public key encryption pk (RG) of the security device RG 6 but by means of a public encryption key pk (RX) of the receiver device RX 3, previously published. The second embodiment is also based on a procedure for re-encrypting the secret key, as detailed now.

FIG. 8 illustrates the steps implemented by the transmitter device TX 2 in this second embodiment. The steps bearing the same references as the steps illustrated in FIG. 7 are identical to the steps implemented in the first embodiment.

Thus, with reference to FIG. 8, in preparation for sending the message m, the sending device TX 2 generates a secret encryption key K, which it shares with the receiving device

RX 3 (step G10). Then, following the reception of the hazard xO (step G20), it generates the content CONT by concatenating the hazard xO with the message m that it wishes to send to the receiving device RX 3 (step G30). The transmitting device TX 2 generates, by means of its module 2A, the encryption T of the content CONT by applying to it the encryption procedure SYM-ENC of the symmetric encryption algorithm ALG-SYM configured by the secret encryption key K (step G40) .

The transmitter device TX 2 also generates, in the second embodiment described here, by means of its module 2B, an encrypted said intermediate S 'of the secret encryption key K (step G50'). The intermediate encryption is generated in the second embodiment by applying to the secret key K the encryption procedure FHE.ENC of the homomorphic encryption algorithm ALG-FHE, parameterized by the public encryption key pk (RX) of the RX receiver device 3.

Then, the transmitter device TX 2 by means of its transmission module 2C, transmits the encryption T of the content CONT and the intermediate encryption S 'of the secret key K intended for the receiver device RX 3 (step G60').

In other words, the method implemented by the transmitter device TX 2 differs in this second embodiment from the method implemented by the transmitter device TX 2 in the first embodiment by steps G50 'and G60'.

FIG. 9 illustrates the steps implemented by the MB 5 intrusion detection device in the second embodiment. The steps bearing the same references as the steps illustrated in FIG. 5 are identical to the steps implemented in the first embodiment. Note that the safety device RG 6 is not affected by the modifications made in the second embodiment so that the steps implemented by the safety device RG 6 in the second embodiment are identical to steps E10 to E90 shown in Figure 4 and implemented in the first embodiment.

In particular, the steps E10 to E50 of generation and transmission of the arithmetic circuits CIRC-REGj, j = l, .. J of the regular expressions and of the figures FHE-SIGi, i = l, ..., I of the signatures by the security device RG 6 to the intrusion detection device MB 5 are identical to those implemented in the first embodiment. The same is true in FIG. 10 of steps F10 and F20 implemented by the intrusion detection device MB 5.

The encryption T and the intermediate encryption S 'sent by the sending device TX 2 to the receiving device RX 3 are intercepted by the intrusion detection device MB 5, and more particularly by its second receiving module 5B (step F30' ).

On receipt of the intermediate encryption S ′, in the second embodiment, the intrusion detection device MB 5 then obtains from the receiver device RX 3 a re-encryption key rk (RX-> RG) from the receiver device RX 3 to the device safety RG 6 (step F31 '). In the second embodiment described here, this rk re-encryption key (RX-> RG) comprises:

A first part rkl equal to the public encryption key pk (RG) of the security device RG 6, ie kl = pk (RG); and a second part rk2 obtained by encrypting a secret decryption key sk (RX) associated with the public encryption key pk (RX) of the receiver device RX 3 by means of the encryption procedure FHE.ENC of the encryption algorithm. homomorphic ALG-FHE configured by the public encryption key pk (RG) of the security device RG 6, namely:

k2 = FHE.ENC (sk (RX), pk (RG)).

After obtaining the re-encryption key rk (RX-> RG), the intrusion detection device MB 5 re-encrypts the intermediate encryption S 'of the secret key S by means of the re-encryption key rk (RX-> RG) and of the encryption procedure FHE.ENC of the homomorphic encryption algorithm ALG-FHE (step F32 '). It obtains via this re-encryption step an encrypted S of the shared key K encrypted by means of the public encryption key pk (RG) of the security device RG 6, that is:

S = FHE.ENC (K, pk (RG)).

The concepts of encryption key and encryption of an encrypted are known per se and are not described in detail here.

The steps F30 ', F31' and F32 'together constitute a step for obtaining an encryption S of the shared key K within the meaning of the invention.

The steps then implemented by the intrusion detection device MB 5 and by the security device RG 6 respectively in the second embodiment are identical to steps F40 to Fl 10 and E60 to E90 described previously in the first embodiment. production. The same applies to the decryption of the encrypted T by the receiver device RX 3.

The invention therefore makes it possible, in this second embodiment as in the first embodiment, to make it possible to apply a full IDS deep inspection procedure on the encrypted traffic exchanged between the transmitter device TX 2 and the receiver device RX 3 without the MB 5 intrusion detection device being aware of the keywords defined by the RG security device 6. It also makes it possible to guarantee the confidentiality of the exchanges between the transmitter device TX 2 and the receiver device RX 3 and their privacy, not only with regard to the MB 5 intrusion detection device but also with respect to the RG 6 security device.

Claims (18)

1. Method for detecting intrusions on a network (NW) via which are able to communicate a transmitting device (TX 2) and a receiving device (RX 3) using a symmetric encryption / decryption algorithm parameterized by an encryption key secret shared between the transmitting device and the receiving device, said detection method being intended to be implemented by an intrusion detection device (MB 5) and comprising: A reception step (F10), coming from a security device (RG 6) having access to at least one detection rule of at least one intrusion likely to affect the network, said at least one detection rule comprising at least one regular expression established from at least one signature characteristic of said at least one intrusion: o at least one function (CIRC-REGj) describing said at least one regular expression (REGj) and which can be evaluated by means of a homomorphic evaluation function of a homomorphic encryption algorithm; and o an encrypted (FHE-SIGi) of each signature (SIGi) characteristic of said at least one intrusion, obtained by applying an encryption procedure of said homomorphic encryption algorithm parameterized by a public encryption key of the security device; A reception step (F30, F30 ′) from the device sending an encrypted T of content derived from a message intended for the receiving device, this encrypted T having been obtained using an encryption procedure of the symmetric encryption / decryption algorithm parameterized by said secret encryption key; A step for obtaining (F40, F30, F32 ') an encrypted T' of the encrypted T and an encrypted S of the secret encryption key, said encrypted T 'and S corresponding to the application on the encrypted T and on the secret encryption key of the encryption procedure of said homomorphic encryption algorithm configured by the public encryption key of the security device; A first evaluation step (F50) of a decryption procedure of the symmetric encryption / decryption algorithm on the encrypted T 'using said homomorphic evaluation function of said homomorphic encryption algorithm and the encrypted S of the key secret encryption, this first evaluation step providing an encrypted V of the message intended for the receiving device by the encryption procedure of said homomorphic encryption algorithm configured by the public encryption key of the security device; A second evaluation step (F60) of said at least one function describing said at least one regular expression on the encrypted V of the message using the encrypted signatures, this second evaluation step providing an encrypted result of detection indicating the existence or not of a said regular expression corresponding to the message; and a step of detecting (F90) an intrusion on the network if the decrypted detection result indicates that there is at least one said regular expression corresponding to the message. 2. Detection method according to claim 1 in which the encrypted S of the secret encryption key is obtained (F30) from the transmitting device (TX 2). 3. Detection method according to claim 1, in which the step of obtaining (F30'F32 ') the encrypted S of the secret encryption key comprises: A reception step (F30 ′), originating from the transmitting device, of a so-called intermediate encryption S ′ of the secret encryption key obtained using the encryption procedure of said homomorphic encryption algorithm parameterized by a public encryption key of the receiving device; A step for obtaining (F31 ′) a re-encryption key from the receiving device to the security device; and a step of re-encryption (F32 ') of the intermediate encryption S' using said re-encryption key, this re-encryption step providing said encryption S of the secret encryption key. 4. Detection method according to any one of claims 1 to 3 further comprising: A step of transmitting (F70) the encrypted result of detection to the security device for decryption using a decryption procedure of said homomorphic encryption algorithm parameterized by a private decryption key associated with the public encryption key of the security device; and a reception step (F80) of the decrypted detection result coming from the security device. 5. Detection method according to any one of claims 1 to 3 further comprising: A step of obtaining a private decryption key associated with the public encryption key of the security device and stored in a hardware security module; and a step of decrypting the encryption of the detection result by using the decryption procedure of said homomorphic encryption algorithm configured by this private decryption key. 6. Detection method according to any one of claims 1 to 5 wherein at least one function describing at least one regular expression received from the transmitting device is an arithmetic circuit (CIRC-REGj). 7. Detection method according to any one of claims 1 to 6 in which the content (CONT) derived from the message consists of the message (m) intended for the receiving device or of a concatenation of this message (m) and of a known hazard (xO) of the security device and of the intrusion detection device. 8. The detection method according to claim 7, in which the content derived from the message consists of a concatenation of the message (m) and of a hazard (xO) known from the security device and from the intrusion detection device, and wherein the first evaluation step (F50) further provides an encryption V 'of the hazard by the encryption procedure of said homomorphic encryption algorithm parameterized by the public encryption key of the security device, said detection method comprising in besides a step of transmitting (F70) said encryption V 'of the hazard to the security device for verification. 9. Method for communicating a security device (RG 6) with an intrusion detection device (MB 5) on a network, said security device having access to at least one rule for detecting at least one intrusion likely to affect the network, said at least one detection rule comprising at least one regular expression established from at least one signature characteristic of said at least one intrusion, said communication method comprising: A step of transformation (E30) of said at least one regular expression (REGj) into a function (CIRC-REGj) describing said at least one regular expression and which can be evaluated by means of a homomorphic evaluation function of a homomorphic encryption algorithm; A step of generation (E40) of an encrypted (FHE-SIGi) of each signature (SIGi) characteristic of said at least one intrusion by applying an encryption procedure of said homomorphic encryption algorithm parameterized by a public encryption key of the device of security ; and - a step of transmitting (E50) said at least one function describing said at least one regular expression and each encrypted of each signature characteristic of said at least one intrusion to an intrusion detection device on the network. 10. The communication method as claimed in claim 9, in which during the transformation step, at least one function describing at least one regular expression is an arithmetic circuit obtained by means of a non-deterministic finite number automaton modeling said at least one regular expression and a function for selecting the states of said automaton. 11. The communication method according to claim 9 or 10 further comprising: - a reception step (E60) from the device for detecting an encrypted result of detection; - a decryption step (E70) of said encrypted detection result using a decryption procedure of said homomorphic encryption algorithm configured by a private decryption key associated with the public encryption key of the security device; and - a step of transmitting (E80) the detection result decrypted to the intrusion detection device. 12. Computer program (PROG1, PROG2) comprising instructions for the execution of the steps of the intrusion detection method according to any one of claims 1 to 8 or of the communication method according to any one of claims 9 to 11 when said program is executed by a computer. 13. Recording medium readable by a computer on which a computer program is recorded comprising instructions for the execution of the steps of the intrusion detection method according to any one of claims 1 to 8 or of the communication method according to any one of claims 9 to 11. 14. Intrusion detection device (MB 5) on a network via which are capable of communicating a transmitting device (TX 2) and a receiving device (RX 3) using a symmetric encryption / decryption algorithm parameterized by a secret encryption shared between the sending device and the receiving device, said detection device being intended to be located between the sending device and the receiving device and comprising: - a first reception module (5A), capable of receiving from a security device having access to at least one detection rule of at least one intrusion capable of affecting the network, said at least one detection rule comprising a regular expression established from at least one signature characteristic of said at least one intrusion: o at least one function describing said at least one regular expression and which can be evaluated by means of a homomorphic evaluation function of a homomorphic encryption algorithm; and o an encryption of each signature characteristic of said at least one intrusion, obtained by applying an encryption procedure of said homomorphic encryption algorithm parameterized by a public encryption key of the security device; - A second reception module (5B), capable of receiving from the sending device an encrypted T of content derived from a message intended for the receiving device, this encrypted T having been obtained using an encryption procedure of the symmetric encryption / decryption algorithm parameterized by said secret encryption key; A module for obtaining (5C) an encrypted T 'of the encrypted T and an encrypted S of the secret encryption key, said encrypted T' and S corresponding to the application on the encrypted T and on the key secret encryption of the encryption procedure of said homomorphic encryption algorithm configured by the public encryption key of the security device; A first evaluation module (5D) of a decryption procedure for the symmetric encryption / decryption algorithm on the encrypted T 'configured to use said homomorphic evaluation function of said homomorphic encryption algorithm and the encrypted S of the secret encryption key, this first evaluation module being further configured to provide an encrypted V of the message intended for the receiving device by the encryption procedure of said homomorphic encryption algorithm configured by the public encryption key of the security device; - a second evaluation module (5E) configured to evaluate said at least one function describing said at least one regular expression on the encrypted V of the message using the encrypted signatures, this second evaluation module being further configured to provide an encryption of a detection result indicating the existence or not of a said regular expression corresponding to the message; and - a detection module (5F) of an intrusion on the activated network if the decrypted detection result indicates that there is at least one said regular expression corresponding to the message. 15. Security device (6) having access to at least one rule for detecting at least one intrusion liable to affect a network, said at least one detection rule comprising a regular expression established from at least one signature characteristic of said at least one intrusion, said security device comprising: - a transformation module (6B), configured to transform said at least one regular expression into a function describing said at least one regular expression and which can be evaluated by means of a homomorphic evaluation function of a homomorphic encryption algorithm; - an encryption module (6C), configured to generate an encryption of each signature characteristic of said at least one intrusion by applying an encryption procedure of said homomorphic encryption algorithm configured by a public encryption key of the security device; and - a transmission module (6D), configured to transmit said at least one function describing said at least one regular expression and each encrypted of each signature characteristic of said at least one intrusion to an intrusion detection device on the network. 16. Security device according to claim 15, further comprising: - a reception module (6E), capable of receiving from the detection device an encrypted result of detection; - a decryption module (6F), configured to decrypt said encrypted detection result using a decryption procedure of said homomorphic encryption algorithm configured by a private decryption key associated with the public encryption key of the security device; and - a transmission module (6D), configured to transmit the decrypted detection result to the intrusion detection device. 17. Network intrusion detection system (4) through which are capable of communicating a transmitting device and a receiving device using a symmetric encryption / decryption algorithm configured by a secret encryption key shared between the transmitting device and the receiving device, said intrusion detection system comprising: - an intrusion detection device (MB 5) according to claim 14; and - a safety device (RG 6) according to claim 15 or 16. 18. Communications system (1) comprising: - at least one sending device (TX 2) and at least one receiving device (RX 3) able to communicate on a network using a symmetric encryption / decryption algorithm configured by a secret encryption key shared between the sending device and the device receiver; and - an intrusion detection system (4) according to claim 17, the intrusion detection device of said detection system being intended to be located between said at least one transmitting device and said at least one receiving device. 1/4 MB 5 J-