GB2410656A - Secure delivery of encryption key by splitting it amongst messages from many sources to hinder interception - Google Patents

Secure delivery of encryption key by splitting it amongst messages from many sources to hinder interception

Publication number
GB2410656A
Authority
GB
United Kingdom
Prior art keywords
key
network
devices
encryption key
parts
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
GB0401942A
Other versions
GB0401942D0 (en)
GB2410656B (en)
Inventor
Georgios Kalogridis
Timothy Adrian Lewis
Chan Yeob Yeun
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Toshiba Europe Ltd
Original Assignee
Toshiba Research Europe Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Toshiba Research Europe Ltd
Priority to GB0401942A
Publication of GB0401942D0
Publication of GB2410656A
Application granted
Publication of GB2410656B
Anticipated expiration
Expired - Fee Related (current legal status)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Small-Scale Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A network (20) of communication devices is provided, the network comprising a first device (10) seeking to initiate a secure communication link and a plurality of network devices (21, 22, 23) adapted to communicate securely using a secret encryption key. The plurality of devices each send the first device a unique message including part of the secret encryption key. Splitting the key delivery between many messages makes it harder to intercept, and is particularly useful in wireless networks. (See Figs 3,4). The key parts may be encrypted with an already known weak encryption key.

Description

Communication Device Networks
This invention relates to communication device networks, and is concerned more particularly, but not exclusively, with the establishment of secure communications links between a first communication device and a plurality of further communication devices which are already communicating over a series of pre-existing secure communications links.
For the sake of security, two parties communicating over a network may choose to encrypt messages sent between them using an encryption key. The sending party applies an encryption key to the raw message prior to transmission, rendering the message unintelligible to anybody who does not have access to the key. The receiving party decrypts the encrypted message using the encryption key to recover the original message. Both parties must have knowledge of the encryption key used across the link.
The problems associated with such communication across a network are well known.
During the initial stages of establishing a communications link between two parties there is a key-exchange session during which the encryption key is proposed and agreed upon. Since it may be assumed that the two parties have had no prior communication, and consequently no prior common encryption key is available, it will be necessary at some stage to send an encryption key in a raw, unencrypted message over the network.
This message may be intercepted by a third party, who will then be aware of the encryption key used for subsequent communication between the other parties. The other parties may not even be aware that their encryption key (and therefore all their subsequent communication) has been compromised since the third party may intercept the raw message, read its contents (thereby obtaining the encryption key), and allow it to reach its destination unaltered.
An alternative to sending the encryption key unencrypted over the network would be to require a user to directly input the key into each device. This may be impractical, however, either due to the separation of the devices or due to the lack of a sufficient user interface on one of the devices. If the device is a consumer product, it may be undesirable to require the user to input a long alphanumeric sequence into the device since this would introduce the possibility of input error.
US Patent Application No. 20020186846 describes a method for ensuring transmission security between two communication devices over a short-range wireless network.
After a key exchange stage first and second check strings are formed, each string being based upon a short random number and on the generated encryption key. The security of the connection is supposedly confirmed by the correspondence of the check strings.
However, if a third party can intercept the key during the key exchange, it will be able to impersonate one of the devices and return a check string, or simply eavesdrop on the communication.
US Patent No. 5,241,599 describes a cryptographic protocol for secure communications in which two parties sharing an insecure password bootstrap a secure system over an insecure network. The method involves generating a series of random challenges between the parties to verify the security of a randomly generated key. The method of this reference involves only two parties and one communication link. This single link may be compromised as described above.
A common application in which the need for establishing a secure communication link between a device and a number of already-linked devices may be found is in networks of wireless devices connected via a wireless protocol, e.g. 802.11b or Bluetooth™.
Typically, the links are encrypted using a Wireless Encryption Protocol (WEP) technology that relies on a secret key shared between the devices. With Bluetooth™, devices use a short pairing session during which a secret key is negotiated. This key is sent in plain text and may therefore be eavesdropped easily.
The security problems described above are applicable to both fixed-line and wireless networks, although the problems may be lessened to some degree in a fixed-line network since it is possible to implement direct physical wired connections over which it is impossible to eavesdrop. By its nature, a wireless network cannot employ such connections and is inherently more vulnerable to being compromised.
It is an object of the present invention to overcome the disadvantages of the key exchange procedures described above. In particular, it is an object of the present invention to provide a more secure method of bootstrapping a secure link among wirelessly linked devices.
According to a first aspect of the present invention there is provided a communication device network comprising: a first device seeking to initiate a secure communication link; a plurality of network devices adapted to communicate securely using a secret encryption key; means for exchanging between the network devices and the first device a respective message uniquely distinctive of the associated network device; and means for initiating secure communication links between the first device and the network devices encrypted with the secret encryption key using the distinctive messages.
According to a further aspect of the present invention there is provided a method of establishing a secure communications link between a first device seeking to initiate a secure communication link and a plurality of network devices, the network devices communicating securely using a secret encryption key, the method comprising: exchanging a plurality of messages between the first device and the network devices, each message being uniquely distinctive of the associated network device; and initiating secure communication links between the first device and the network devices encrypted with the secret encryption key using the distinctive messages.
For a better understanding of the present invention and in order to show how the same may be carried into effect, preferred embodiments of the invention will now be described, by way of example, with reference to the accompanying drawings in which: Figure 1 diagrammatically illustrates a traditional bootstrapping process between a pair of devices; Figure 2 diagrammatically illustrates a network of devices in accordance with the embodiments of the present invention; Figures 3 to 5 illustrate the architecture of a third party eavesdropping a network; Figure 6 illustrates a key exchange protocol in accordance with a first embodiment of the present invention; and Figure 7 illustrates the network devices in accordance with a further embodiment of the present invention.
Figure 1 shows the steps of a traditional key-updating bootstrapping process between a pair of devices 1, 2. The term bootstrapping is known in the art to refer to the establishment of a secure link over a previously insecure link. It is assumed that each device 1, 2 has obtained a weak encryption key K1. By "weak" is meant that there is a non-negligible possibility that a third party may be aware of the key's details. The weak key K1 may be supplied to the devices 1, 2 using a SIM card or bar code reader.
The SIM card or bar code may be mass-produced and may not necessarily be unique.
The same code may be shared between manufacturers or product models. In the case of wireless-capable devices the code may further be supplied via wireless means, e.g. a directional beam antenna. The weak key K1 is used to encrypt a simple protocol whereby a secret key K2 is shared between them. Both devices 1, 2 are provided with the same key K1. The second device 2 then generates a secret key K2 and the second device 2 sends a message 3 encrypted using K1 and containing information corresponding to K2. The first device 1 decrypts message 3 to obtain K2. This new key K2 is then used to encrypt all further messages 4, 5.
Embodiments of the present invention start from the assumption that a network of devices already exists and that this network is secure, by which it is meant that the devices within the network communicate using messages encrypted using a secret encryption key K which has not been compromised. The following embodiments are described with respect to a wireless network of wireless-capable devices, although they are equally applicable to fixed-line networks or networks having a combination of both types of network, e.g. a wireless connection between a mobile telephone via Bluetooth™ and a network of computer workstations. In the case of a network having at least a fixed-line portion, each network entity contributing to the secure key exchange protocol should communicate over a distinct communications link in order to ensure the security of the technique.
There is shown in Figure 2 a first device 10 seeking to initiate a secure communication link with a network 20, the network 20 here comprising three network devices 21, 22, 23 that already communicate with one another using a secret encryption key K. It will be appreciated that the network 20 may comprise any number of devices greater than or equal to two, and, as will be described below, having more devices in the network results in a higher level of security. For a network having n devices, the devices may be labelled as A1, A2, A3... An. This will be abbreviated throughout the remainder of the specification as Ai (i=1...n), with Ax representing one of the Ai network devices. The network 20 of Figure 2 has n=3.
All of the devices 21, 22, 23 within the network 20 are called upon to contribute to the process of upgrading the weak encryption key Kw of the first device. By involving a plurality of devices, the risk of the secure network key being compromised is reduced.
The basis of the security provided by the embodiments of the present invention is the assumption that it is more difficult to intercept, impersonate and eavesdrop two wireless links than one wireless link. This is illustrated in Figures 3 to 5, in which a third party wireless node seeks to intercept, eavesdrop, replace or replay wireless signals.
Figure 3 illustrates the traditional topology of interaction between the first device 10 and the network device 21 when a third party 30 attempts to compromise the security of a single wireless link 25.
In Figure 4, the network device 21 requests the assistance of trusted network device 22 in order to securely insert the first device 10 into their network 20. The third party 30 cannot compromise the security of the network 20 since the key K is secret, but it is assumed that it can compromise the links 25, 26 between the first device 10 and the two network devices 21, 22 respectively. It is more difficult to intercept and eavesdrop the two links 25, 26 than the single link 25 only. It is also more difficult to impersonate two network devices 21, 22 than a single network device 21. These two statements are based on a number of assumptions. The physical topology of the network devices 21, 22 will demand that the third party 30 have more expensive equipment in order to monitor and/or intercept both links 25, 26 compared with monitoring and/or intercepting the traffic on only one link 25. This increase in difficulty will vary in a wireless network from a minimum level, when the two devices 21, 22 are co-located, to a maximum level, when the third party 30 is positioned exactly between the two devices 21, 22.
The first device 10 may be able to approximately determine the direction from which a signal is received. If the first device 10 perceives that the strongest signals of the two links 25, 26 come from the same direction, the key updating protocol could be terminated since it is possible that the signals are both emanating from the third party 30. In order to break the security of the protocol the third party 30 will therefore have to be able to intercept signals originating from various directions and be able to transmit from at least two different locations. In order to achieve this, the third party 30 would require more than one device and more computational power to be able to deceive the first device 10 and impersonate the network devices 21, 22 simultaneously.
In Figure 5, where n=3, there are three network devices 21, 22, 23 and three corresponding links 25, 26, 27. The complexity of the requirements to be met by the third party 30 to compromise all three links has increased, since it has to simultaneously impersonate three devices and intercept three links from three possibly separate locations.
It can therefore be asserted that the level of difficulty to intercept, eavesdrop and impersonate distinct wireless links increases with the number of links.
In order to utilise the security inherent in using multiple distinct links, it is necessary to send a different message on each link. If the same message is sent on every link then it is only necessary for the third party 30 to compromise one link to obtain all of the information pertinent to the security of the network. The embodiments of the present invention described achieve enhanced security over standard bootstrapping protocols by splitting secret information (e.g. information pertaining to the secure key K or other secure encryption keys) into a number of separate and distinct parts, and sending each part from the network 20 to the first device 10 over a different link.
A first embodiment of the present invention which implements the concept of splitting and sending secret information across a plurality of links will now be described, with reference to the network 20 comprising n network devices Ai.
The first device 10 seeks to initiate a secure communications link with the network devices Ai within the network 20. The first device 10 and a network device 21 within the network 20 may be provided with a weak encryption key Kw in the same way as previously described. The first device 10 seeks to replace the weak encryption key Kw with a more secure key. This key will usually be the well-established encryption key K used in the network 20, or may ultimately be a separate key Ku provided by a user.
The weak key Kw may be passed to the remaining network devices by the first network device 21 over the network 20 using the secure key K, or alternatively the weak key may be supplied to each network device by external means, as described previously.
In the absence of a weak key Kw having been provided to the network devices, messages will initially be sent over the links unencrypted. In this case the object is to provide a secure key rather than to replace a weak key. The embodiments will be described with reference to the weak key, although it will be appreciated that its use is not essential to the present invention, in that it only provides another level of security.
Each network device Ax, having obtained the weak key Kw, generates an encryption key PUB_Ax which corresponds uniquely to network device Ax, and sends this key in a message to the first device 10, the message being encrypted using key Kw. The generated key PUB_Ax may be the public key of an asymmetric key pair, in which case the corresponding private key is never transmitted or otherwise disclosed. The generated key PUB_Ax may alternatively be a symmetric key. The first device therefore receives a unique message from each network device, of the form Kw(PUB_Ax), the notation indicating that key PUB_Ax has been encrypted using key Kw.
In the event that PUB_Ax is a symmetric key, the overall security of the protocol will be reduced since the encrypted messages with which the first device replies to each network device will no longer be distinctive; everybody having the symmetric key will be able to decrypt the messages. If, however, the messages are encrypted with the public key of an asymmetric key pair, only the device having the private key of the pair will be able to decrypt the messages. This makes a difference when considering so-called "man in the middle" attacks. If the attack is passive (reading messages only), using an asymmetric key pair ensures that even if the public key is compromised the adversary will not be able to decrypt the message since it does not possess the private key. If the attack is active (the adversary impersonates the network device and replays the message), the asymmetric key will obviously not provide any better level of security than the symmetric key, and in that case the security of the present protocol relies on the fact that the adversary will have to compromise every distinctive message exchanged between the first device and each one of the network devices.
The plaintext data of encrypted messages sent during the key exchange process may include further information corresponding to items such as the identity of the sender or a timestamp/nonce which would assist in preventing, for example, denial of service or replay attacks.
When the first device 10 has received all of the messages, it decrypts each one to obtain the keys PUB_Ax for each network device Ax. The first device 10 then generates a new encryption key KB. The new key KB may be, for example, randomly generated, chosen from a list stored within the first device 10, or supplied by a user. This new key KB is then broken down into key-parts KBi (i=1...n), which satisfy the equation KB = S({KBi}, i=1...n), where S is a mathematical method. The first device 10 then sends a message to each of the n network devices of the form Kw(PUB_Ax(KBx)), where KBx is the key-part of key KB corresponding to network device Ax.
Upon receipt of this message, each network device Ax can then decrypt the message to obtain the corresponding key-part KBx. If the generated key PUB_Ax is a symmetric key, then key-part KBx can only be decrypted by the corresponding network device Ax and the first device 10. If, alternatively, the generated key PUB_Ax is the public key of an asymmetric key pair, only the network device Ax can decrypt the key-part KBx, as described above. It is generally preferred to implement an asymmetric key pair rather than using symmetric keys, to ensure the security of the system. It is computationally more expensive to generate asymmetric key pairs, so in those cases where computational power is at a premium and security is not so important, it may be preferable to use symmetric keys.
The n network devices then cooperate in order to calculate a new key KA, based upon all of the key-parts KBi and the secret key K, the keys satisfying the relationships KA = S"({KAi}, i=1...n) and K = S'(KB, KA), where KAi are the key-parts of the key KA and S' and S" are mathematical methods. The methods S, S' and S" may be the same method or they may be different methods. Each of these functions must satisfy at least three conditions: (i) knowledge of any key-part upon which the function operates should give no knowledge of any other key or key-part; (ii) loss of any key-part should make the reconstruction of the full key a hard problem; and (iii) all key-parts upon which the function operates should be random.
The cooperation of the devices to calculate the new key KA takes place in the secure environment of the network 20, and may vary in implementation. However, a typical implementation would involve the n network devices having decided on one trusted network device As who will be "in charge" of the appropriate computations. This decision may depend, for example, on the amount of resources (processing power, bandwidth, etc.) available to each network device. The decision may vary in a dynamic manner, such that the "label" As does not always belong to the same network device.
Each of the n network devices sends their key-part KBx to the device As (using the secure key K), which then makes all of the necessary computations. The device As then returns the appropriate output to the corresponding network device.
When the new key KA has been generated, it is broken down into n key-parts KAi (i=1...n) which satisfy the above equation and are distributed among the network devices such that each network device Ax has a corresponding key-part KAx. Each network device then sends a message to the first device 10, the n messages being of the form KBx(KAx) and corresponding to the key-part KAx being encrypted using the key-part KBx. In an alternative implementation, at least one of the network devices randomly generates a corresponding key-part KAx and sends it to the trusted network device As, which then computes the remaining key-parts. If every network device sends its corresponding key-part to the trusted network device, the remaining key-part will just be a single key-part corresponding to the trusted network device. The remaining key-parts are calculated in order to satisfy the relationship K = S'(KB, KA). These calculations may also be performed in a more distributed manner.
The first device 10 knows all of the key-parts KBi (since it generated them) and can therefore decrypt the messages to ascertain the key-parts KAi. The first device 10 can also perform a verification at this stage, by reconstructing KB from the key-parts KBi returned from the n network devices and ensuring that it matches the key KB generated earlier. The methods S, S' and S" are openly known to all of the devices, and the first device 10 can therefore compute the keys KA and, more importantly, the secure key K used in the secure network. The first device 10 may then reply to each of the n network devices to confirm the success of the key exchange by sending a message encrypted using the secret key K. The message to each network device Ax might comprise the corresponding key-parts KAx and KBx, so that the message is of the form K(KAx, KBx). This message also allows authentication of the first device 10 with each of the network devices.
The network devices can decrypt the confirmation messages to obtain the respective KAi and KBi, thereby verifying that the first device now knows the secret key K. The first device 10 can then communicate with the network devices over secure communications links using the secure encryption key K.
An example of this embodiment is shown in Figure 6, where two network devices 21, 22 exchange a series of messages with the first device 10. The first messages 31, 31' contain the public encryption keys generated by each of the network devices 21, 22, encrypted with the weak encryption key. The second messages 32, 32' contain the key-parts of the new key KB generated by the first device 10, encrypted with the public encryption keys and the weak key. The third messages 33, 33' contain key-parts of the new encryption key KA generated by the network devices 21, 22 on the basis of the keys KB and K. The final messages 34, 34' are the confirmation messages sent from the first device 10 to the network devices to authenticate itself, encrypted using the secure key K.
In the first embodiment of the present invention, all of the network devices in the network having a secure encryption key K are used in bootstrapping the first device into the secure network, where n is the total number of devices in the secure network.
In a second embodiment of the present invention, only a sub-set of the total number of devices is used to communicate with the first device during the process of bootstrapping the first device into the secure network. This is illustrated in Figure 7, where the class C represents the n network devices as described above, a sub-class C1 contains m network devices, where m < n, and a further class C2 is a super-class of C1 and a sub-class of C, containing k network devices, where m < k < n.
During the first round of messages sent from the network devices to the first device 10, the m network devices send k public encryption keys to the first device 10, thereby reducing the communication overhead compared with n devices sending n keys. At least one of the m network devices will have to send more than one message to the first device. This is determined among the n network devices, for example by the trusted computing network device As, which decides how to allocate the message-sending tasks. The number of communications links is therefore reduced.
In response to the public encryption keys, the first device 10 sends key-parts KBi to the network devices. According to a further embodiment, the first device 10 reduces the communication overhead by exchanging only with k network devices, instead of n, and also maybe sending the k key-parts to only the m network devices rather than the k network devices. This requires the first device to send more than one key-part KBx to a specific one of the k network devices.
Further communication between the network devices and the first device 10 may also be limited to the m network devices as hereinbefore described. By reducing the number of links, the security of the key-exchange protocol is reduced. However, in the case where the first device sends authentication messages, encrypted using secure key K, to the m network devices (instead of k), security is not reduced since by that stage the secure key K will either have been compromised or not compromised by an eavesdropper. This does sacrifice having the first device 10 authenticated with every one of the k network devices, but may not be so important given the assumption that the k network devices highly trust one another, so that authentication with m secure trusted network devices should be sufficient for authentication with k secure trusted network devices.
The key-exchange protocol requires that an encryption key be split into n parts on at least two separate occasions. In the general case, to split an encryption key Y into a set of n uncorrelated key-parts {Yi}, i=1...n, there exists a function S such that Y = S({Yi}, i=1...n). The function S must have several properties to ensure the security of the protocol: knowledge of any one key-part Yx should give no knowledge of any other key or key-part; loss of any one key-part Yx should make the reconstruction of Y a hard problem; and all key-parts Yx should be random.
A first preferred method to satisfy these requirements involves firstly using a random number generator to calculate n-1 random and uncorrelated key-parts {Yi}, i=1...n-1. The final key-part Yn is then calculated as Yn = (Y) XOR (Y1) XOR (Y2) ... XOR (Y(n-1)), and key reconstruction is then performed using Y = (Y1) XOR (Y2) XOR (Y3) ... XOR (Yn), where XOR is an exclusive-or logic operation. Although currently no true random number generator exists, it is expected that implementations of this method will employ a pseudorandom number generator that can pass various tests of randomness, such as those described in International Standards Organisation ISO/IEC 18031, Random Number Generator Working Draft, 2000.
An alternative key-splitting method is to physically split a key Y into n parts, so that it may be reconstructed by concatenation of the n parts. Reconstruction may be aided by including information regarding the serial number of the key, for example sending the pair {Yi, i} to the decrypting device. In this case, there is no need for a number of devices to cooperate to split the key, since each device, knowing its position i, can obtain the appropriate key-part from the original key itself. The sending device may use a mask or add a nonce to a specific Yx in order to transmit it more securely.
It can be shown that, in order to intercept the secure key K, all of the communications must be eavesdropped. Assuming that a third party has obtained the weak key Kw, but misses one of the messages M, then if M=Kw(PUB_Ax) the third party will not be able to replicate the key PUB_Ax. Consequently, the third party will not be able to decrypt KBx, and hence cannot generate KB or K. If M=Kw(PUB_Ax(KBx)), similarly only the first device can reconstruct K. If M=KBx(KAx), the third party will be able to reconstruct KB but cannot reconstruct KA, since it is missing KAx, and again only the first device can reconstruct K. If M=K(KAx, KBx), it is too late, since the third party has intercepted all the information it needs to reconstruct K already. The loss of just one message during the key-exchange process is enough for a third party to be unable to reconstruct the secure key K, even if the weak key Kw has been compromised. Therefore, in order to compromise the secure key K it is necessary to compromise all of the communication links involved, rendering this protocol a very secure method of bootstrapping a device into a trusted network.
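The XOR key-splitting method and the missed-message argument above, worked through as an added Python example (not code from the patent). It assumes S, S' and S" are all XOR, treats PUB_Ax as a symmetric key, models encryption with a hash-based stand-in named toy_encrypt, and covers message rounds 1 to 3 only; every function name and sample value is constructed for illustration.

```python
import hashlib
import secrets
from functools import reduce

KEY_LEN = 16  # bytes; constructed size for this demo


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def xor_split(key: bytes, n: int) -> list:
    """Method S as XOR: n-1 random parts, last part = key XOR all of them."""
    parts = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    parts.append(reduce(xor_bytes, parts, key))
    return parts


def xor_join(parts: list) -> bytes:
    return reduce(xor_bytes, parts)


def missing_share_for(known_parts: list, candidate_key: bytes) -> bytes:
    """The one absent part that would make candidate_key the result.
    It exists for every candidate, so n-1 parts rule no key out."""
    return reduce(xor_bytes, known_parts, candidate_key)


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with SHA-256(key); self-inverse.
    Models only 'readable if and only if you hold the key'."""
    return xor_bytes(data, hashlib.sha256(key).digest())


def run_exchange(K: bytes, Kw: bytes, n: int):
    """Simulate message rounds 1 to 3; return (transcript, K at first device)."""
    sent = {}
    # Round 1: each network device Ax sends Kw(PUB_Ax).
    pub = [secrets.token_bytes(KEY_LEN) for _ in range(n)]
    for x in range(n):
        sent[(1, x)] = toy_encrypt(Kw, pub[x])
    # Round 2: first device splits a fresh KB and sends Kw(PUB_Ax(KBx)).
    KB = secrets.token_bytes(KEY_LEN)
    KBi = xor_split(KB, n)
    for x in range(n):
        pub_x = toy_encrypt(Kw, sent[(1, x)])
        sent[(2, x)] = toy_encrypt(Kw, toy_encrypt(pub_x, KBi[x]))
    # Inside the secure network: recover each KBx, pick KA so K = KB XOR KA.
    kb_rx = [toy_encrypt(pub[x], toy_encrypt(Kw, sent[(2, x)])) for x in range(n)]
    KAi = xor_split(xor_bytes(K, xor_join(kb_rx)), n)
    # Round 3: each network device sends KBx(KAx).
    for x in range(n):
        sent[(3, x)] = toy_encrypt(kb_rx[x], KAi[x])
    # First device decrypts every KAx, rebuilds KA, then K = S'(KB, KA).
    ka_rx = [toy_encrypt(KBi[x], sent[(3, x)]) for x in range(n)]
    return sent, xor_bytes(KB, xor_join(ka_rx))


def eavesdrop(captured: dict, Kw: bytes, n: int):
    """Third party that already knows Kw. Returns K, or None as soon as one
    message it needs was not captured."""
    kb, ka = [], []
    for x in range(n):
        if any((rnd, x) not in captured for rnd in (1, 2, 3)):
            return None  # decryption chain for device x is broken
        pub_x = toy_encrypt(Kw, captured[(1, x)])
        kb_x = toy_encrypt(pub_x, toy_encrypt(Kw, captured[(2, x)]))
        kb.append(kb_x)
        ka.append(toy_encrypt(kb_x, captured[(3, x)]))
    return xor_bytes(xor_join(kb), xor_join(ka))


if __name__ == "__main__":
    K, Kw, n = secrets.token_bytes(KEY_LEN), b"constructed-weak", 3
    sent, k_first = run_exchange(K, Kw, n)
    print("first device recovered K:", k_first == K)
    print("all links tapped:", eavesdrop(sent, Kw, n) == K)
    for lost in sorted(sent):
        partial = {m: c for m, c in sent.items() if m != lost}
        print("missed", lost, "->", eavesdrop(partial, Kw, n))
```

missing_share_for shows why the XOR method meets the stated conditions: with one part absent, every candidate key is still explained by some value of that part, so the captured parts carry no information about Y.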
The protocol of the present invention allows one to be certain that adequate security can be achieved in a fully automatic manner when more than two devices cooperate for such purposes. The protocol can operate with an indefinite number of network devices; the more devices, the greater the security. The communication overhead for the protocol of the present invention is of the order of a few kilobits, which is expected to be negligible to the network. However, for performance reasons there may be a practical limit to the number of participating devices; for example, a large number of contributing network devices could create a significant computational overhead when trying to split an encryption key. A dynamic method could determine the optimal number of devices that contribute to the protocol in order to achieve the best trade-off between security and performance by adjusting the value of n.
All of the temporary and automatically generated keys and key-parts implemented in the techniques described herein may be permanently erased from the memory of each of the associated devices. For security reasons, a log of these keys and key-parts could be maintained. This log should be stored securely using a secure storage encryption key, the log only being accessible to an authorised entity. Application of intrusion detection algorithms to the log would reveal attempts to compromise the secure network.
The present invention provides a method and apparatus for exploiting an already established and trusted network in order to welcome a new device within it. The contribution of each device within the pre-existing network is arranged in such a way as to significantly reduce the overall risk of having the procedure compromised. It will be appreciated by the person skilled in the art that various modifications may be made to the above embodiments without departing from the scope of the present invention.

Claims (28)

  1. A communication device network comprising: a first device seeking to initiate a secure communication link; a plurality of network devices adapted to communicate securely using a secret encryption key; means for exchanging between the network devices and the first device a respective message uniquely distinctive of the associated network device; and means for initiating secure communication links between the first device and the network devices encrypted with the secret encryption key using the distinctive messages.
  2. A network according to claim 1, wherein the first device is adapted to securely generate the secret encryption key using the distinctive messages from the network devices.
  3. A network according to claim 1 or 2, wherein the distinctive messages exchanged between the network devices and the first device correspond to a part of an encryption key.
  4. A network according to any preceding claim, wherein an encryption key used to encrypt at least one of the distinctive messages is a weak encryption key known to all of the devices.
  5. A network according to claim 4, wherein all of the devices are adapted to receive the weak encryption key prior to exchange of any messages between the network devices and the first device.
  6. A network according to claim 4 or 5, wherein the first device and a first one of the network devices are adapted to receive the weak encryption key, the first one of the network devices being adapted to subsequently send the weak encryption key to the other network devices in a message encrypted using the secret encryption key.
  7. A network according to any preceding claim, wherein each network device is adapted to generate a device-specific encryption key which is uniquely distinctive of the network device, and to send this device-specific encryption key in a message to the first device.
  8. A network according to claim 7, wherein, for each network device, the device-specific encryption key is the public key of an asymmetric key pair.
  9. A network according to claim 7, wherein, for each network device, the device-specific encryption key is a symmetric key.
  10. A network according to any one of claims 7 to 9, wherein the first device is adapted to determine the device-specific encryption key for each network device.
  11. A network according to any preceding claim, wherein the first device is adapted to generate an encryption key KB, to split the encryption key KB into n key-parts KB_i (i=1...n) where n corresponds to the plurality of network devices, and to send to each network device a key-part KBX, the key-part KBX being one of the n key-parts KB_i.
  12. A network according to claim 11, wherein the network devices are adapted to decrypt the corresponding key-parts KBX, to calculate a further key KA based on the key-parts KB_i and the secret encryption key, to split the key KA into n key-parts KA_i (i=1...n), and to send from each network device to the first device a corresponding key-part KAX in a message encrypted using the key-part KBX, the key-part KAX being one of the n key-parts KA_i.
  13. A network according to claim 12, wherein a single, trusted one of the network devices is adapted to calculate the key KA, a given network device sending at least its respective key-part KBX to the trusted network device, and the trusted network device if necessary calculating any remaining key-parts and returning the appropriate result to the given network device.
  14. A network according to claim 13, wherein the splitting of the key KA is performed by the trusted network device.
  15. A network according to any one of claims 12 to 14, wherein the first device is adapted to decrypt the key-parts KA_i, combine them to generate the key KA, and calculate the secret encryption key based upon the keys KA and KB.
  16. A network according to any one of claims 11 to 15, wherein the encryption keys are split by application of functions which have the properties that knowledge of any one key-part gives no knowledge of any other key-parts, that loss of any one key-part makes reconstruction of the key difficult, and that the key-parts are random.
  17. A network according to claim 16, wherein the encryption key is split into n parts using a pseudo-random number generator and XOR logic operations.
  18. A network according to claim 16, wherein the encryption key is split into n parts by splitting the key into parts such that the key may be reconstructed via concatenation of the n parts.
  19. A network according to any one of claims 12 to 18, wherein the encryption keys satisfy the relationships KB=S((KB_i), i=1...n), K=S'(KB,KA), KA=S''((KA_i), i=1...n), where S, S', S'' are mathematical operations used to split the encryption keys and known to all of the devices.
  20. A network according to any preceding claim, wherein the first device is adapted to authenticate itself to each of the network devices using the secret key.
  21. A network according to any preceding claim, wherein the devices are wireless-capable devices and the communication links are wireless communication links.
  22. A network according to any preceding claim, wherein the devices are arbitrary network entities comprising means with which to communicate via distinct physical links.
  23. A network according to any preceding claim, wherein the messages exchanged between the devices include information corresponding to items such as the identity of the sender and a timestamp.
  24. A network according to any preceding claim, wherein at least one of the network devices is adapted to exchange messages on behalf of at least one further network device.
  25. A method of establishing a secure communications link between a first device seeking to initiate a secure communication link and a plurality of network devices, the network devices communicating securely using a secret encryption key, the method comprising: exchanging a plurality of messages between the first device and the network devices, each message being uniquely distinctive of the associated network device; and initiating secure communication links between the first device and the network devices encrypted with the secret encryption key using the distinctive messages.
  26. A method according to claim 25, wherein at the first device the distinctive messages are used to securely generate the secret encryption key.
  27. A method according to claim 25 or 26, wherein all of the distinctive messages must be successfully exchanged for the first device to be able to securely generate the secret encryption key.
  28. A network of devices having secure communication links, substantially as hereinbefore described with reference to the accompanying drawings.
GB0401942A 2004-01-29 2004-01-29 Communication device networks Expired - Fee Related GB2410656B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB0401942A GB2410656B (en) 2004-01-29 2004-01-29 Communication device networks

Publications (3)

Publication Number Publication Date
GB0401942D0 GB0401942D0 (en) 2004-03-03
GB2410656A true GB2410656A (en) 2005-08-03
GB2410656B GB2410656B (en) 2006-04-12

Family

ID=31971662

Family Applications (1)

Application Number Title Priority Date Filing Date
GB0401942A Expired - Fee Related GB2410656B (en) 2004-01-29 2004-01-29 Communication device networks

Country Status (1)

Country Link
GB (1) GB2410656B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7299357B2 (en) * 2002-08-07 2007-11-20 Kryptiq Corporation Opaque message archives
US8230517B2 (en) 2002-08-07 2012-07-24 Kryptiq Corporation Opaque message archives
DE102008060445A1 (en) * 2008-08-28 2010-03-04 Jacobian Innovation Unlimited LLC, Wilmington Passierschlüssel deployment
SE2150250A1 (en) * 2021-03-04 2022-09-05 Munters Europe Ab A system and methods for communication of sensor data and/or user control data
WO2022184529A1 (en) * 2021-03-04 2022-09-09 Munters Europe Aktiebolag A system and methods for communication of sensor data and/or user control data

Legal Events

Date Code Title Description
PCNP Patent ceased through non-payment of renewal fee

Effective date: 20130129