JP2006526314A - Security in communication networks - Google Patents

Abstract

A method for establishing secure peer-to-peer communication between two communication devices. Each communication device stores a set of security associations established in advance with other communication devices. The method includes determining whether two communication devices have a common security association in a set of established security associations. If it is determined that the devices have a common security association, the communication link between the two communication devices based on the common security association is protected. If it is not determined that it has, a new security association is established between the two communication devices, and the communication link based on the new security association is protected. The method also includes extending a set of pre-established security associations in the two communication devices to the corresponding other communication device by exchanging corresponding key data.

Description

  The present invention relates to establishing secure peer-to-peer communication between communication devices.

  With the rapid growth of short-range wireless technology, personal communication devices within a close range of users can be connected locally.

  Today, so-called ad hoc networks are used more frequently. Usually, an ad hoc network between communication devices is temporarily established for a special purpose. In many cases, there is no fixed infrastructure, and the communication devices constituting the nodes of the network are mobile. In this case, the communication device uses a radio link. Ad hoc networks can be used to provide dynamic wide area connections, such as in military operations, rescue / recovery activities and remote construction sites. Ad hoc networks can be used to provide local area connections in temporary conference locations, home networks, robotic networks, and the like. Further, the ad hoc network can be used to form a personal area network (PAN) in interconnected attached devices, ad hoc conference tables, games, and the like. For example, the node may be composed of a mobile phone, a laptop, a television receiver, a washing machine, or the like.

  Bluetooth is well known as a technology that enables the establishment of an ad hoc network. The ad hoc network may be based on other technologies including wireless LAN technologies such as, for example, IEEE 802.11b.

  In many situations, such as military operations or business meetings, it is very important that the communication service is secure when communication between nodes contains sensitive information. In general, a secure communication service should provide a means by which a security association can be created between different communication devices.

  In general, a security association between communication devices includes a secret key or a trusted key shared between devices. This provides a mechanism for obtaining a trust relationship between the two devices. The shared secret or trust key may be combined with other information, such as information about a trusted third party.

  Based on the security association between communication devices, it is possible to authenticate other communication devices and to protect the confidentiality and integrity of communication between devices.

  If the security association between the two devices is based on a symmetric secret key, both devices store the same secret key that is used to encrypt and decrypt messages communicated between the devices. There is a need. Therefore, the transmitting side apparatus can be sure that the message encrypted using the symmetric secret key can be decrypted only by the receiver that knows the symmetric secret key. The receiver can be confident that a message successfully decrypted using a symmetric key is sent from a transmitter that knows the symmetric key and that the message has not been tampered with during transmission. Examples of security associations based on symmetric keys include the security association and IPsec described in the Bluetooth specification ("The Specification of the Bluetooth System, Core, Baseband Specification" by the Bluetooth Special Interest Group, version 1.1, December 2000). There are security associations used in.

  In a public key infrastructure (PKI) system, two corresponding symmetric keys are used to protect information. Information that is encrypted using one of the two keys is decrypted only with the other key. In some PKI systems, one of the two keys is used for encryption and the other key is used for decryption. In other systems, one key is used only for encryption and the other key needs to be used for decryption. One important feature of the PKI system is that it is computationally impossible to use information from one key to estimate the other key. In a typical PKI system, each system owns two such sets of keys. One key is kept private and the other key is freely released. If the sender encrypts the message using the recipient's public key, only the intended recipient can decrypt the message. This is because only the intended recipient possesses a secret personal key corresponding to the public key. If the sender encrypts the message using the sender's personal key before performing the encryption described above, the receiver first performs the decryption using the receiver's personal key, The result is then decrypted using the sender's public key. This is because the sender can encrypt the message so that only the sender's public key can successfully decrypt the message. This not only guarantees secrecy but also authentication.

  The public key infrastructure supports digital certificates that can identify individuals or organizations and directory services that can be stored, and that can revoke certificates as needed. The sender of the message may be authenticated using the certificate and the public key included in the certificate. This authentication can be performed when the recipient trusts the authority that issued the certificate and signed it securely in security, i.e. a so-called certificate authority (CA). Furthermore, the public key in the certificate may be used directly or indirectly for key exchange. As a result, a certificate may be authenticated by another certificate, thereby creating a certificate hierarchy called a certificate chain.

  Examples of public key security mechanisms include Diffie Hellman key exchange, RSA encryption / decryption, and elliptic curve public key technology.

  The creation of a security association between two communication devices, the so-called security initialization procedure, may be performed in several ways. For example, the user may enter a secret value into two devices. Alternatively, the device may be equipped with a secret key and unique identification information during manufacture or as part of the personalization process. The private key may be stored in another device or a network server. Alternatively, the device is loaded with each set of trusted public keys during manufacture or as part of the personalization process. In a set of trusted public keys, all certificates or certificate chains signed using a private key corresponding to the public key are trusted by the corresponding device. A security association is created based on a trusted certificate.

  In many applications, it is the general user who establishes the security association. Therefore, it is important to be able to create a security association in a quick and easy to use manner.

  For example, according to Bluetooth, while a user is required to enter the same secret parent key or PIN into both devices, a so-called pairing or binding procedure between two devices A security association is created. Based on this parent key, the two devices perform key exchange to obtain shared secret information, so-called link key, stored in both devices.

  Thus, in order to establish a security association for n devices, the user needs to enter a parent key for each combination of devices, i.e. n (n 1) / 2 combinations. This is a cumbersome and time consuming procedure.

International Publication No. WO01 / 31836 describes a method for establishing security in an ad hoc network. According to this method, a trust group is established in which all nodes have a mutual trust relationship. This trust relationship is based on a trusted public key. If the new node is a candidate node that participates in a trust group, first a certain node, so-called x-node, included in a trust group having an existing trust relationship with the candidate node is identified. The x node provides a trust relationship between the members of the trust group and the candidate node.
WO01 / 31836 International Publication

  The problem with the conventional method described above is that the trust relationship is limited to group communication established with a group of other devices. Therefore, there is a need for a method for establishing secure peer-to-peer communication between two communication devices, that is, a communication establishment method in which each communication device has equivalent performance and role and does not need to recognize a trust group. ing.

The above-described problems and other problems are solved by a method for establishing secure peer-to-peer communication between a first communication device and a second communication device via a communication link. Each communication device stores a set of pre-established security associations between the corresponding communication device and other communication devices. The method is
Determining whether each of the first communication device and the second communication device has a security association common to a set of established security associations;
If it is determined that the first communication device and the second communication device have a common security association, communication between the first communication device and the second communication device based on the common security association A step of protecting the link and, if not determined to have a common security association, establish a new security association between the first communication device and the second communication device, and based on the new security association Protecting the communication link with;
A set of pre-established security associations respectively possessed by the first communication device and the second communication device by communicating the corresponding key data over the protected communication link, Expanding to the other corresponding device of the second communication devices.

  Thus, when two communication devices are connected for the first time via a communication link, they determine whether they have a pre-established common security association. If such a pre-established security association exists, the security association is used as a basis for protecting the communication link between the two devices. On the other hand, if no security association exists, a new security association, preferably a shared secret state, is established based on a key exchange protocol to protect the communication link. The key exchange protocol is preferably a protocol that performs authentication using a password. That is, it is preferable to require the user to enter a password in at least one device. The two devices then each exchange key data associated with a pre-established security association, thereby extending or propagating these pre-existing security associations to the corresponding other device.

  As a result, a mechanism is provided that allows each device to establish a security association with another device and propagate the security association to the other device. That is, the security mechanism does not depend on the presence of a master device or an authentication server.

  An efficient and secure credit entrustment method is provided. That is, a mechanism is provided for propagating security associations between devices via a new combination of devices, such as devices in a personal area network.

  In addition, there is an advantage that the number of combinations requiring user interaction can be reduced. In order to establish mutual security associations for n devices, the method according to the invention determines the number of combinations that require user interaction n 1 to n (n 1), depending on the order in which the devices are combined. Reduce to / 2.

  A further advantage of the present invention is to provide a simple and easy-to-use method for creating security associations.

  A further advantage of the present invention is to provide a security initialization procedure applicable to symmetric key based security associations and asymmetric key based security associations.

  Protecting the communication link between two devices based on a common security association may include any suitable encryption mechanism. In one embodiment, the two devices perform an authenticated key exchange. In other words, a protocol is executed that guarantees the communicators that the communicators grasp the mutual identification information and provides the communicators with a shared secret key known only to these communicators. An authenticated key exchange is performed based on the determined common security association. That is, a common security association is used to ensure that communicators know each other's identification information. The shared secret key is later used to provide data secrecy, data integrity, or both.

  In one embodiment, the step of establishing a new security association between the first communication device and the second communication device comprises user input by at least one of the first communication device and the second communication device. Including receiving. The user input indicates whether the corresponding other communication device is a reliable device. Extending the set of pre-established security associations is performed only if the received user input indicates that the corresponding other communication device is a trusted device.

  Thus, the propagation of security associations is limited to reliable devices. That is, propagation to a new device depends on user approval. This prevents the propagation of security associations in an uncontrollable manner and improves system security. User input may be received in any suitable form, for example, via a keyboard or any other input device, for example, in response to the user being prompted for approval. Alternatively, the user input may be part of device customization settings. Device customization settings provide rules for trusted devices or device types.

  In another embodiment, each pre-established security association included in the set of pre-established security associations in one of the first communication device and the second communication device is a predetermined number of communication devices. Are stored in association with group identification information for identifying a group. Extending the pre-established security association is limited to pre-established security associations associated with the predetermined group identification information.

  Accordingly, the propagation of security associations may be limited to certain contexts, such as certain services, certain device types, and the like. This restriction improves the security of the method because it can prevent the security association from continuing indefinitely without user control. Further, a single communication device may have an independent group of security associations that should not be confused. For example, a device may have a security association with a device on a local wireless LAN (such as a computer in a company and other devices). In connection with a business conference, the device may establish another group of security associations with other devices participating in the business conference. However, the security association associated with the local wireless LAN should not be extended to other participants in the business conference. Thus, by limiting the propagation of security associations to a given group context, a flexible and secure mechanism is provided. In the following, a key propagated to another device is also called a trust key.

  Further preferred embodiments are disclosed in the appended claims.

  The present invention can be realized by various methods including the above-described method, communication system and means, and the method, communication system and means described below. Each approach provides one or more benefits and advantages described with respect to the initially described approach. Each approach also has one or more preferred embodiments corresponding to the preferred embodiments described with respect to the approach first described and disclosed in the claims.

According to one aspect, the above problem is solved by a communication device that simplifies peer-to-peer communication with other communication devices in a communication system. A communication device includes a storage means for storing a set of pre-established security associations between a corresponding communication device and another communication device, a communication means for communicating with another communication device via a communication link, and And processing means adapted to carry out the steps. The steps are
Determining whether the communication device has a common security association corresponding to the security association of another communication device during a set of established security associations;
If it is determined that the communication device has a common security association, the communication link is protected based on the common security association. On the other hand, if it is not determined that the communication device has a common communication association, Establishing a new security association and protecting the communication link based on the new security association;
Extending a pre-established set of security associations to another communication device by communicating corresponding key data over a protected communication link.

  The term “communication device” is intended to include any electronic device that includes communication means for communicating with other communication devices in a wired or wireless manner. In particular, the term “communication device” includes all portable wireless communication devices, as well as other handheld communication devices or portable communication devices. The term “portable wireless communication device” includes all devices such as mobile phones, pagers, transmitters, etc., ie electronic notebooks, smartphones, PDAs, handheld computers, portable computers or laptops.

  Similarly, the term “communication means” is intended to include any circuit or device that enables transmission and reception of data with another communication device via a wired or wireless communication link. For example, the communication means may include a wireless transmitter and a wireless receiver. Further examples of communication means include a transmitter / receiver that uses other wireless technologies such as infrared communication.

  The term “storage means” refers to any data storage device such as an electrically erasable programmable ROM (EEPROM), flash memory, erasable programmable ROM (EPROM), random access memory (RAM), or a magnetic storage device such as a hard disk. It is intended to include any suitable arrangement or device. The storage means may be mounted on the electronic device or may be connected to the device, for example removably inserted. For example, the storage means may be a removable storage medium such as a memory card, a PCMCIA card, or a smart card.

  The term “processing means” refers to any suitably programmed general purpose or special purpose programmable microprocessor, digital signal processor (DSP), ASIC, programmable logic array (PLA), field programmable gate array (FPGA), etc., or It is intended to include combinations.

  It should be understood that the features of the method described above and those described below may be implemented in processing means implemented in software and invoked by executing computer-executable instructions. The instructions may be program code loaded into a memory such as a RAM from a storage medium such as a ROM, a flash memory, an EPROM or an EEPROM, or from another computer via a computer network. Alternatively, the above-described features may be realized by a hard wired circuit instead of software, or may be realized in combination with software.

  These and other aspects of the invention will be apparent from the embodiments described hereinafter with reference to the drawings.

  FIG. 1 is a block diagram of a communication apparatus. The communication apparatus 101 includes a processing unit 102, a wireless communication unit 103 connected to the processing unit, and a storage medium 104 connected to the processing unit.

  The wireless communication unit 103 transmits the data received from the processing unit 102 via the wireless channel 105 adopted by the communication network. Further, the wireless communication unit 103 receives data from the wireless channel and transfers the data to the processing unit. For example, the wireless communication unit 103 may perform transmission and reception in the 2.45 GHz ISM band based on Bluetooth technology. In one embodiment, the communication network is a Bluetooth piconet.

  The processing unit 102 processes data received from other devices and data to be transmitted to other devices according to the functions implemented by the communication device. In particular, the processing unit is suitably programmed to implement the security functions described below. Examples of security functions include performing a key exchange with another device, performing an authenticated key exchange with another device, protecting data communicated with another device (eg, integrity protection, encryption) And authentication), and the propagation of security associations to other devices.

  A storage medium 104 such as an EPROM, an EEPROM, a flash memory, or a hard disk stores a set of security associations as, for example, a secret key list or a public key list. The set of security associations may be appropriately indexed. Each entry may include additional information, such as group identification information or a validity period.

  Note that the communication device may include additional components that are omitted from the schematic block diagram of FIG. For example, the communication device may further comprise an automatic gain control (AGC) unit connected to a receiver, decoder, encoder or the like.

  FIG. 2 is a flow chart illustrating a method for establishing a secure peer-to-peer communication link between two communication devices using a symmetric key based security association. The flowchart 200 includes two columns 222 and 223. Each column represents one of the two communication devices A and B communicating with each other. Boxes representing steps performed by apparatus A are arranged in column 222. Boxes representing steps performed by device B are arranged in column 223. Boxes representing the steps performed by both devices are shared by both columns.

Each of the communication devices A and B has an internal database of reliable secret keys. Since these keys may be distributed to a number of trusted devices, as will be described below, these secret keys are also referred to as (trusted) group keys. Each of the databases 214 and 215 includes a list of trusted group key records. Each record includes a group key index and a trusted group key corresponding to the index. In the example of FIG. 2, the reliable group keys stored in the database 214 of the device A are K _A1,. . . , K _AN and the corresponding indices are A1,. . . , AN. Similarly, the trusted group keys stored in device B's database 215 are K _B1,. . . , _KBM . The corresponding index is B1,. . . , BM. For example, during manufacturing, at least one key index and a corresponding group key may be preset for each device. Alternatively, the device may be shipped without the key being set in advance. It should also be understood that the device can store additional keys for other purposes. However, the method uses reliable group keys K _A1 ,. . . , K _AN and K _B1,. . . , _KBM shall be applied to each of the dedicated sets. These key sets will be propagated to other trusted devices as part of the method. For example, the keys K _A1,. . . , K _AN and K _B1,. . . , _KBM may each be stored in a dedicated database or separated from other keys. Alternatively, those keys may be stored in a database along with other keys, and a trusted group key for the method is marked as a trusted key for the method. As described above, each trusted group key may be associated with group identification information that identifies a particular context, such as a group of devices or services. Corresponding key propagation is limited to this context.

  In one embodiment, the key index may be randomly selected from a predetermined index space. Preferably, an index space that is large enough to reduce the possibility that two different secret keys have the same index is selected. For example, the index may be selected from a 48-bit index space. However, since the index is used only to identify a common group key, it is not a strict requirement that the index be unique. If two different keys are mistakenly treated as a common key due to index conflicts, the establishment of the next security function, such as encryption based on these keys, will fail. In this case, another key may be used for identification, or a set formation may be performed manually.

  In the following, it will be assumed that the communication devices can communicate with each other via a wired communication medium or a wireless communication medium, such as a cable, a wireless channel or any other suitable technology. For example, the communication device may communicate using a Bluetooth air interface. If the user wants to connect the two devices A and B for the first time, ie if the two devices have not previously communicated with each other, the following steps are performed.

  In the first step 201, device A has key indexes A1,. . . , AN list is sent to device B.

  In step 202, device B stores the received index list in indexes B 1,. . . Compare with BM. If device B is able to identify a common index denoted IC, that is, ICε {A1,. . . , AN} ∩ {B1,. . . , BM} exists, the process proceeds to step 203. On the other hand, if there is no common index, the process proceeds to step 205. If device B can identify more than one common key index, one of the common indexes is selected.

  In step 203, that is, if a common index IC is identified in step 202, device B transmits the common index IC to device A.

In the next step 204, the two devices perform an authenticated key exchange to obtain shared secret information. This authentication process is performed based on a common trusted group key K _IC corresponding to the identified common index IC. The authenticated key exchange may be performed according to any suitable authenticated key exchange process that is known. In one embodiment, authenticated key exchange is performed according to the Bluetooth specification where a common group key K _IC is used as a PIN or initial key. See, for example, “The Specification of the Bluetooth System, Core, Baseband Specification,” version 1.1, December 2000 by the Bluetooth Special Interest Group. Another example of an authenticated key exchange is an authenticated Diffie Hellman key exchange. After the authenticated key exchange is completed, the process proceeds to step 207.

  In step 205, i.e. if no common key index was identified in step 202, device B, for example, by sending a corresponding response message or by sending a request for manual tuple formation. Inform device A that the common key index was not identified.

  In the next step 206, key exchange is executed to obtain shared secret information. In one embodiment, the key exchange is initiated by device A, for example by sending a request to form a set of two devices. In one embodiment, the user is prompted for acceptance, and the request for tuple formation is accepted or rejected depending on the user's input. If device B rejects the request, the process ends. On the other hand, in the case of acceptance, a pair formation process including key exchange is executed by the two apparatuses. As part of the key exchange, user interaction is required by the device. For example, a user who is controlling the device is required to enter a passcode on both devices. In another embodiment, the passcode is generated by one device and displayed to the user. The user is required to enter the generated passcode into the other device. The key exchange may be performed according to any known appropriate key exchange process based on a password. In one embodiment, the key exchange is performed in accordance with the Bluetooth specification (“The Specification of the Bluetooth System, Core, Baseband Specification” supra).

  As part of the key exchange process, the user determines whether devices A and B should continue to exchange their security associations, i.e., whether each other device is considered a reliable device. Required (step 212). If the user refuses to exchange security associations, the process is complete. That is, in this case, the two devices form a set and establish a shared secret state, but do not extend the pre-established security association to the other devices. For example, the established shared secret state may be used to protect subsequent communications between the two devices, such as by establishing encryption, integrity protection, etc. In one embodiment, the exchange of security associations may be limited to a group of security associations. For example, in one embodiment where each record of the group key further includes group identification information, the user may be required to enter one or more group identification information or select from a list. Thereafter, only the security association of the selected group identification information is exchanged. If the user accepts exchange of at least some security associations after completion of the key exchange step, the process moves to step 207.

The shared secret state is established between the devices in step 207, ie, by the authenticated key exchange of step 204 authenticated by the existing common key K _IC or by the key exchange based on the passcode of step 206 including user interaction. If so, the device switches to an encrypted connection using the agreed shared secret state. Encryption may be performed based on any suitable encryption algorithm such as SAFER +, AES, DES, RC5, Bluetooth E0, GSM A5 / 3. In one embodiment, communication between devices is further protected for integrity.

  In step 208, device B sends to device A the list of trusted group keys and corresponding indexes stored in database 215. Device B has a list of key indexes previously received from device A. Thus, in one embodiment, device B may only transmit from the database 215 an index different from the previously received index and the corresponding key. Thereby, a required communication source can be reduced. If the set of trusted group keys is restricted to include only group keys associated with one or more group identification information, only the keys associated with the selected group identification information are transmitted. If no trusted group key is stored in the database 215 because the device B is shipped without including any keys and the trust key has not been exchanged with another device in advance, for example, the device B Generates a group key and a corresponding index. For example, both keys and indexes may be randomly generated from each appropriate space.

  In step 209, device A updates the list of trusted keys in database 214 with the received list of keys and corresponding indexes.

  In step 210, device A sends a list of trust keys and corresponding indexes stored in database 214 to device B. In one embodiment, device A may only transmit from the database 214 an index different from the index received from device B and the corresponding key. Thereby, a required communication source can be reduced.

  In step 211, device B updates the list of trust keys in database 215 with the received list of keys and corresponding indexes.

  In another embodiment, it is understood that the order of steps 208 through 211 may be changed, for example, so that device A first transmits a list of group keys before receiving the corresponding list of device B. It should be.

  Thus, in the above description, a procedure for establishing a security association based on a symmetric key between apparatus A and apparatus B has been disclosed. Here, the pre-established security association is propagated to other devices. As a result, the number of pair formations that require a passcode entered by the user is reduced.

  3a to 3e are diagrams illustrating an example of the method illustrated in FIG. 2 when four communication devices are used. In this example, it is assumed that one or more users desire to establish a security association between four communication devices A, B, C, and D indicated by 301, 302, 303, and 304, respectively.

  FIG. 3a shows the initial situation. In this example, no group key is set in advance in any of the devices 301 to 304. That is, no group key is stored in each group key list in any device.

FIG. 3 b shows the steps of the first set formation between the device 301 and the device 302. Devices 301 and 302 are connected for the first time. Neither device stores a group key. Therefore, these devices perform manual pairing based on the PIN or password entered in both devices, as indicated by arrow 305. The users of both devices present to each device via appropriate user input that this formed set is a set with a highly reliable device. That is, the user starts exchanging group keys. As a result, after authenticating and switching to encryption, one device (device 301) generates a reliable group key K _I1 with index I1, and generates the generated key and index as indicated by arrow 306. Is transmitted to the other device (device 302). Both devices store the reliable group key K _I1 and the corresponding index I1 in their respective databases.

FIG. 3 c shows the situation during connection of the next devices 303 and 304. Devices 303 and 304 are connected for the first time. Neither device stores a group key. Accordingly, the devices perform manual pairing based on the PIN or password entered in both devices, as indicated by arrow 307. The users of both devices present to each device via appropriate user input that this pairing is a pair with a highly reliable device. That is, the user starts exchanging group keys. After authentication and encryption, one device (device 303) generates a trusted group key K _I2 with index I2, and the generated key and index are displayed on the other device (device) as indicated by arrow 308. 304). Both devices store the reliable group key K _I2 and the corresponding index I2 in their respective databases.

FIG. 3d shows the situation during connection of the next devices 301 and 303. FIG. Devices 301 and 303 are connected to each other for the first time. Since the device 301 has already stored the trust key K _I1 , the corresponding index I 1 is transmitted to the device 303 as indicated by the arrow 309. Since the key having the index I1 is not stored in the database, the device 303 returns a request for forming a set (arrow 310). These devices perform manual pairing based on PINs or passwords entered into the two devices, as indicated by arrow 311. The users of both devices indicate to each device via appropriate user input that this combination is with a reliable device. That is, the user starts exchanging group keys. After authenticating and switching to encryption, device 301 sends a list of trusted group keys, ie, KI1 and corresponding index I1 to device 303 (arrow 312). Device 303 returns a list of trusted group keys, ie, _KI2 and corresponding index I2 (arrow 313). Both devices store their new keys in their databases.

FIG. 3e shows the situation when the next devices 301 and 304 are connected. Devices 301 and 304 are connected to each other for the first time. Device 301 transmits a list of group key indexes, ie, indexes I1 and I2, to device 304, as indicated by arrow 314. The device 304 stores the key having the index I2 in the database, and returns the key index I2 (arrow 315). This requests an authenticated key exchange using a common key with index I2. The devices perform an authenticated key exchange based on the common key _KI2 (arrow 316). After authenticating and switching to encryption, the devices exchange their list of group keys. The device 301 transmits the reliable group key K _I1 and the corresponding index I1 to the device 304 (arrow 317). Since the key _KI2 has already been identified as a common key, the device 301 does not need to transmit the key _KI2 . The device 304 stores the received key _KI1 and the corresponding index I1 in the database. Since the device 304 does not store an additional key that the device 301 does not recognize in the database, there is no key transmitted from the device 304 to the device 301.

  FIG. 4 is a flowchart illustrating a method for establishing a secure peer-to-peer communication link between two communication devices using a public key based security association. The flowchart 400 includes two columns 422 and 423, each column representing one of the two communication devices A and B as described above.

Each of the communication devices A and B includes an internal database with a trusted public key and a certificate proving the trusted public key. Each of the databases 414 and 415 includes a list of records. Each record includes a trusted public key and a corresponding certificate chain. In the example of FIG. 4, the public keys stored in the database 414 of the device A are K _A1,. . . , K _AN and the corresponding chain of certificates is C _A1,. . . , _CAN . C _A1 represents a chain of one or more certificates that link the trusted public key K _A1 to the public key of device A. Similarly, the public keys stored in the database 415 of the device B are K _B1,. . . , K _BM and the corresponding certificate chain is C _B1,. . . , _CBM . Furthermore, the database 414 includes at least one public key KA _{, PU} and private key KA _{, PR} each having a corresponding self-signed certificate. Similarly, device B's database 415 includes at least one public key KB _{, PU} and private key KB _{, PR} each having a corresponding self-signed certificate. For example, at least one public key and private key, as well as a self-signed certificate, may be preconfigured on each device during manufacture. Here, a pair of at least one public key and private key realizes a signature function. It should also be understood that these devices may store additional keys or certificates for other purposes. However, the method does not rely on reliable public keys K _A1 ,. . . , K _AN and K _B1,. . . , _KBM , and certificates C _A1,. . . , _CAN and C _B1,. . . , _CBM respectively. These key sets and certificates will be propagated to other trusted devices as part of the method. As mentioned above, it should also be understood that each public key may be associated with group identification information.

  In the following, it will be assumed that the communication devices can communicate with each other via a wired or wireless communication medium, such as a cable, a wireless channel or any other suitable technology. For example, the devices may communicate using a Bluetooth air interface. If the user wants to connect two devices A and B for the first time, ie if the two devices have not previously contacted each other, the following steps are performed.

In the first step 401, device A has public keys K _A1,. . . , K _AN corresponding to the hash values H _A1,. . . , _HAN to the device B. Hash values H _A1,. . . , H _AN may be stored in the database 414 as a pre-calculated value for the corresponding key. Alternatively, device A may calculate a hash value from the stored key before transmitting.

  The hash value may be calculated based on any known suitable hash function, eg SHA 1 or MD5. In general, a hash function for a hash table lookup should be fast and reduce contention as much as possible. That is, different keys should rarely have the same hash value. However, if two keys are mistakenly presented as a common key due to a hash value conflict, establishing a security function such as encryption based on these keys will fail. In this case, another key may be specified instead, or manual pairing may be performed.

In step 402, device B sends the received hash list to keys K _B1,. . . , K _BN hashes. If device B can identify a common hash value, that is, H _C ε {H _A1 ,. . . , H _AN } ∩ {HASH (K _B1 ),. . . , HASH (K _BN )}, the process proceeds to step 403. If not, the process proceeds to step 405. When the device B can identify two or more common hash values, one of the common hash values is selected.

In step 403, that is, if a common hash value H _C is identified in step 402, device B transmits the common hash value H _C to device A. In the following, the common public key corresponding to the common hash value H _C is denoted as K _C.

In the next step 404, the two devices perform an authenticated key exchange to obtain a shared secret state. Authentication is performed based on the certificate or public key tied to a common public key K _C. That is, the public key K _C is used as a public root key of the certificate chain. Authenticated key exchange may be performed according to any known suitable authenticated key exchange process based on public keys or certificates such as IKEv2 or TLS.

  In step 405, i.e., if no common hash value has been identified in step 402, device B can be shared, for example, by sending a corresponding response message or by sending a manual pairing request. The apparatus A is notified that the hash value is not identified.

  In the next step 406, a key exchange is performed to obtain a shared secret state. Key exchange may be initiated by device A, for example by sending a request to perform pairing of two devices. In one embodiment, the user is prompted to accept depending on the input request. The request for pair formation is accepted or rejected depending on the user's input. If device B rejects the request, the process ends. If accepted, the pairing process including key exchange is performed by the two devices. As part of the key exchange, user interaction is required by the device. For example, a user controlling a device is required to enter a passcode on both devices. In another embodiment, the passcode is generated by one device and displayed to the user. The user is required to enter the generated passcode into the other device. The key exchange may be performed according to a key exchange process based on any known appropriate password. In one embodiment, the key exchange is performed in accordance with the Bluetooth specification (“The Specification of the Bluetooth System, Core, Baseband Specification” supra).

  As part of the key exchange process, the user determines whether devices A and B should continue to exchange their security associations, i.e., whether each other device is considered a highly reliable device. Requested (step 416). If the user refuses to exchange security associations, the process is complete. That is, in this case, the two devices are paired to establish a shared secret state, but do not extend the pre-established security association to other devices. For example, the established shared secret state may be used to protect subsequent communications between the two devices, such as by establishing encryption, integrity protection, etc. In one embodiment, the exchange of security associations may be limited to a group of security associations. For example, in one embodiment where each record of the public key further includes group identification information, the user may be required to enter one or more group identification information or select from a list. Thereafter, only the security association of the selected group identification information is exchanged. If the user accepts the exchange of at least some security associations after completing the key exchange step, the process moves to step 407.

In step 407, i.e., between the authenticated key exchange step 404 have been authenticated based on the existing common key K _C, or by key exchange based on the passcode in step 406 including the user interaction, the shared secret state device Once established, the device switches to an encrypted connection that uses the matched shared secret state. Encryption may be based on any suitable encryption algorithm such as Bluetooth 1.1 E0 or AES. In one embodiment, communication between devices is further protected for integrity.

In step 408, device B sends public key KB _{, PU} or a self-signed certificate to device A.

  In step 409, device A receives device B's public key. Device A may choose to sign device B's public key using its private key.

Next, in step 410, device A receives the trusted public keys K _A1 ,. . . , K _AN and the corresponding certificate or certificate chain C ′ _A1,. . . , C ′ _AN is transmitted to the device B. Certificate / Certificate Chain C ′ _A1,. . . , C ′ _AN is a certificate / certificate chain C _A1,. . . , _CAN , and in addition, a trusted public key K _A1 ,. . . , K _AN further proves the received public key K _{B, PU} of the device B. Furthermore, the device A transmits its own public key KA _{, PU} or a self-signed certificate to the device B. Device A has a list of hash values previously received from device B. Thus, in one embodiment, device A may only send from the database 414 a public key that has a different hash than the previously received hash. If there is no difference between the two sets of trusted keys, device A may choose not to send any keys. If the set of trusted public keys is restricted to include only keys associated with one or more group identification information, only the keys associated with the selected group identification information are transmitted. In both the device A and the device B, when the reliable group key is not stored in each database, the device A creates its own public key, that is, the root key, and the root key (or in the self-signed certificate). And the certificate that proves the public key of the device B for the root key is transmitted to the device B.

  In step 411, device B receives a list of public keys and certificate / certificate chains from device A. Device B updates the trusted public key and the list of certificates proving its public key for the trusted key. Device B may choose to sign device A's public key using its private key.

Next, in step 412, device B sends trusted public keys K _B1,. . . , K _BM and the corresponding certificate / certificate chain C ′ _B1,. . . , C ′ _BM list is transmitted. Certificate / Certificate Chain C ′ _B1,. . . , C ′ _BM are the trust public keys K _B1,. . . , K _BM certifies the received public key KA _{, PU} of apparatus A. Since device B has a list of hash values previously received from device A, in one embodiment, device B may send only a public key from database 415 that has a different hash than the previously received hash. Good. If there is no difference between the two sets of trusted keys, device B may choose not to send any keys. If the trusted public key set is restricted to include only keys associated with one or more group identification information, only the keys associated with the selected group identification information are transmitted.

  In step 413, device A receives a list of public keys and certificate / certificate chains from device B. Device A updates the list of trusted public keys and the list of certificates proving its public key for the trusted key.

  It should be understood that the order of the key exchange steps 408-411 may be changed.

  Therefore, in the above description, a procedure for establishing a security association based on a public key between the device A and the device B has been disclosed. Here, the pre-established security association is propagated to other devices.

  As described above, the method described above reduces the number of combinations requiring user interaction from n 1 to n (n 1) / 2, depending on the order in which the devices are combined. In the following, this will be shown in connection with two examples of forming a set in five communication devices.

  5a to 5e show a first example in the case of forming a set with respect to five communication devices. In this example, assume that one or more users wish to establish security associations between five communication devices A, B, C, D, and E, designated 501, 502, 503, 504, and 505, respectively. Is done.

  FIG. 5a shows the initial situation. In this example, it is assumed that the devices 501 to 505 have no group key set in advance. That is, none of the devices stores the group key in each group key list.

FIG. 5 b shows the steps of the first set formation between the device 501 and the device 502. Devices 501 and 502 are connected for the first time. Since neither device stores a group key, they perform manual pairing based on a PIN or password as described above and as indicated by the dotted line 506. After authenticating and switching to encryption, one device generates a reliable group key K ₁ and sends the generated key to the other device. Both device stores the group key K ₁ that trusted their respective databases. It will be appreciated that in some embodiments, the key K ₁ is stored in association with the corresponding index as described above.

FIG. 5 c shows the situation after connection of the next devices 501 and 503. Since devices 501 and 503 do not have a common key, they perform manual pairing based on the PINs or passwords entered into the two devices, as indicated by dotted line 507. After switching to the authentication and and encryption, device 501 transmits a list of trusted group key, i.e. the key K _1, the apparatus 503 where the key K ₁ is stored.

FIG. 5d shows the situation after the next devices 501 and 505 are connected. Devices 501 and 505 perform manual pairing as indicated by dotted line 508. The device 501 transmits the reliable group key K ₁ to the device 505 in which the key K ₁ is stored.

FIG. 5e shows the situation after the next devices 501 and 504 are connected. Devices 501 and 504 perform manual pairing as indicated by dotted line 509. The device 501 transmits the reliable group key K ₁ to the device 504 in which the key K ₁ is stored.

  Thus, in this example, after four manual pairings, all five devices (n = 5) have a reliable group key in common with all other devices. Therefore, the above-described procedure in which one device (device 502) is manually combined with all the other devices having n 1 is an example of a procedure that requires n 1 manual pair formation.

  6a to 6f show a second example in the case of combining the five communication devices described above. Assume that one or more users desire to establish a security association between five communication devices A, B, C, D and E.

  FIG. 6a shows an initial situation in which none of the devices 501 to 505 has a group key set in advance.

FIG. 6 b shows the steps of the first set formation between the device 501 and the device 502. This pairing step includes manual pairing based on a PIN or password, as described above and indicated by dotted line 606. Exchange step and the next security associations for this set formation provides the key K ₁ stored in both of the device as a result.

FIG. 6 c shows the situation after performing the next pairing step between device 503 and device 504. Since none of the devices stores a group key, these devices perform manual pairing based on a PIN or password, as indicated by the dotted line 607. After switching to the authentication and and encryption, one device generates a group key K ₂ for trusted, and transmits the generated key to the other device. Both device stores the group key K ₂ for trusted to each database.

FIG. 6 d shows the situation after connection of the next devices 501 and 505. Devices 501 and 505 perform manual pairing as indicated by dotted line 608. The device 501 transmits the reliable group key K ₁ to the device 505 in which the key K ₁ is stored.

FIG. 6 e shows the situation after connection of the next devices 504 and 505. Before connecting, device 504 has stored only key _{K 2,} device 505 stores only the key _{K 1.} Therefore, these devices do not have a common key and perform manual pairing as indicated by the dotted line 609. Thereafter, they devices exchange the keys _{K 1} and _{K 2,} respectively. Thus, as a result, both keys K ₁ and K ₂ are now stored in both devices 504 and 505.

Finally, FIG. 6 f shows the situation after connection of the next devices 502 and 503. Before connecting, device 502 has stored only key _{K 1,} apparatus 503 stores only the key _{K 2.} Thus, these devices do not have a common key and perform manual pairing as indicated by the dotted line 610. Thereafter, they devices exchange the keys _{K 1} and _{K 2,} respectively. Thus, as a result, both keys K ₁ and K ₂ are now stored in both devices 502 and 503.

  In this example, after 5 manual pairings, all 5 devices (n = 5) have at least one reliable group key in common with all other devices. Therefore, the above-described procedure is an example of a procedure that requires manual group formation more than n 1 times and less than n (n 1) / 2 times.

  It will be appreciated that in the above-described embodiment, two devices may exchange their list of group keys more than once. For example, if two devices that previously exchanged the list of group keys are reconnected in the next session, they may exchange their trusted group key list again. After the initial connection in two devices, one device or both devices may have expanded their list of group keys because they have paired with one or more other devices. If the devices are reconnected, this expanded list may be propagated to the corresponding other device of the two devices. This improves the efficiency of key distribution and increases the possibility that there is at least one common security association that can be used when one device connects to a new device for the first time. Thus, in one embodiment, each time the devices connect, they exchange a list of security associations, and if there is a new security association from each of the other device lists, each device uses the new security association. Extend the list.

  As used herein, the term “comprising” is used to specify the presence of the features, numbers, steps and components described above, but one or more other features, numbers, steps, configurations. It does not exclude the presence or addition of elements or groups thereof.

  While the preferred embodiments of the present invention have been described and illustrated, the present invention is not limited thereto. It may be realized by other methods within the scope of the technical idea defined in the claims. For example, the present invention has been described mainly with reference to wireless communication technology, but may be applied to the case of wired communication.

FIG. 1 is a block diagram of a communication apparatus. FIG. 2 is a flowchart illustrating a method for establishing a secure peer-to-peer communication link between two communication devices using a symmetric key based security association. , , , , FIGS. 3a to 3e show an example of the method of FIG. 2 when using four devices. FIG. 4 is a flowchart illustrating a method for establishing a secure peer-to-peer communication link between two communication devices using a public key based security association. , , , , 5a to 5e are diagrams illustrating a first example in which five communication devices are combined. , , , , , 6a to 6f are diagrams illustrating a second example in the case of combining five communication devices.

Claims (12)

A method of establishing secure peer-to-peer communication between a first communication device (A) and a second communication device (B) via a communication link, each communication device corresponding Each contains a set of pre-established security associations between the communication device and other communication devices;
The method
Determining whether the first communication device and the second communication device each have a common security association (K _IC , K _C ) in the set of pre-established security associations (201, 202; 401, 402),
When it is determined that the first communication device and the second communication device have the common security association, the first communication device and the second communication are based on the common security association. If the communication link to the device is protected (204, 207; 404, 407), but is not determined to have the common security association, the first communication device and the second Establishing (207; 407) a new security association with the communication device and protecting the communication link based on the new security association;
By communicating the corresponding key data via the protected communication link, the first communication device and the second communication device each have a set of pre-established security associations. And a step (208, 209, 210, 211; 408, 409, 410, 411, 412, 413) of extending to the other communication device corresponding to the second communication device. how to. Establishing a new security association between the first communication device and the second communication device comprises:
Receiving user input by at least one communication device of the first communication device and the second communication device,
The user input indicates whether the corresponding other communication device is a reliable communication device;
The step of expanding the set of pre-established security associations is performed only if the received user input indicates that the corresponding other communication device is a reliable communication device. The method according to claim 1. Each of the pre-established security associations included in the pre-established security association set in one of the first communication device and the second communication device is a predetermined communication device. Stored in association with group identification information for identifying the group,
The step of extending the pre-established security association is performed limited to the pre-established security association associated with the predetermined group identification information. 2. The method according to 2.   4. The method according to claim 1, wherein the security association is based on a symmetric key security mechanism.   The method of claim 4, wherein the set of pre-established security associations includes a set of corresponding personal keys, each personal key being stored in association with a corresponding personal key index. . Determining whether the first communication device and the second communication device have a common security association,
A step (201) of transmitting a first personal key index from one communication device of the first communication device and the second communication device to the corresponding other communication device;
Comparing at least one personal key index stored in the other communication device with the first personal key index (202);
Extending the pre-established security association includes transmitting at least a personal key and a personal key index corresponding to the personal key from the first communication device to the second communication device; 210. The method of claim 5, comprising: 210). Communicating (201) a personal key index corresponding to one of the personal keys stored in the first communication device from the first communication device to the second communication device;
Identifying an existing common personal key by comparing the received personal key index with a personal key stored by the second communication device;
When the existing common personal key is identified, a common secret key is established by executing an authenticated key exchange process based on the existing common personal key (204), If an existing common personal key is not identified, establishing a common secret key by performing a key exchange including user interaction (206);
Protecting the communication link with the common secret key (207);
Sending a first number of personal keys and a corresponding personal key index from the first communication device to the second communication device (210), and receiving the first number of personal keys; Updating the pre-established set of security associations in the second communication device with the corresponding personal key index (211);
Transmitting a second number of personal keys and a corresponding personal key index from the second communication device to the first communication device (208); and receiving the second number of personal keys; Updating the pre-established set of security associations in the first communication device with the corresponding personal key index (209), according to claim 5 or 6, The method described.   The security association is based on a public key security mechanism, and the pre-established security association includes a pre-established public key and a corresponding chain of certificates, each certificate chain being 4. A method as claimed in any preceding claim, comprising at least one certificate. Determining whether the first communication device and the second communication device have a common security association,
Transmitting (401) first data for identifying at least a first public key from one of the first communication device and the second communication device to the corresponding other communication device; ,
Comparing at least one data for identifying at least one public key stored in the other communication device with the first data (402);
Extending the pre-established security association includes transmitting a corresponding public key and a corresponding certificate chain from the first communication device to the second communication device (410). 9. The method of claim 8, comprising: Communicating (401) data corresponding to one of the public keys respectively stored in the first communication device from the first communication device to the second communication device;
Identifying an existing common public key by comparing the received data with data for identifying a public key stored by the second communication device;
Once the existing common public key is identified, a common secret key is established (404) by performing an authenticated key exchange process based on the existing common public key (404), If an existing common public key is not identified, establishing a common secret key by performing a key exchange including user interaction (406);
Protecting the communication link using the common secret key (407);
Transmitting (408) the first public key of the second communication device from the second communication device to the first communication device;
Transmitting a first number of public keys and a first number of certificate chains from the first communication device to the second communication device (410);
Updating the pre-established set of security associations in the second communication device using the received first number of public keys and the corresponding chain of certificates (411); When,
Transmitting the second public key of the first communication device from the first communication device to the second communication device (410);
Sending (212) a second number of public keys and a second number of certificate chains from the second communication device to the first communication device;
Updating the pre-established set of security associations in the first communication device using the received second number of public keys and the corresponding chain of certificates (413); Including
Each of the first number of certificate chains corresponds to one public key of the first number of public keys, and certifies the received first public key. Yes,
Each of the second number of certificate chains corresponds to one public key of the second number of public keys, and certifies the received second public key. 10. Method according to claim 8 or 9, characterized in that it is. A communication device (101) for simplifying peer-to-peer communication with another communication device in a communication system, comprising:
The communication device
Storage means (104) for storing a set of pre-established security associations between the corresponding communication device and other communication devices;
Communication means for communicating with the other communication device via a communication link (105);
Processing means (102),
The processing means includes
Determining whether the communication device has a common security association corresponding to a security association of the other communication device during the set of established security associations;
If it is determined that the communication device has the common security association, the communication device protects the communication link based on the common security association, while the communication device has the common security association. If not, establishing a new security association with the other communication device and protecting the communication link based on the new security association;
Extending the pre-established set of security associations to the other communication device by communicating corresponding key data over the protected communication link. Communication device. A computer program that, when executed in the processing means of a communication device, simplifies peer-to-peer communication with other communication devices in a communication system,
The communication device includes storage means for storing a set of security associations established in advance between the corresponding communication device and another communication device, and communication means for communicating with the other communication device via a communication link. And the processing means,
The processing means includes
Determining whether the communication device has a common security association corresponding to a security association of the other communication device during the set of established security associations;
If it is determined that the communication device has the common security association, the communication device protects the communication link based on the common security association, while the communication device has the common security association. If not, establishing a new security association with the other communication device and protecting the communication link based on the new security association;
Extending the pre-established set of security associations to the other communication device by communicating corresponding key data over the protected communication link. Computer program.

Images