KR101760718B1 - System and method for managing mobile device based on pairing - Google Patents
System and method for managing mobile device based on pairing Download PDFInfo
- Publication number
- KR101760718B1 KR101760718B1 KR1020160011641A KR20160011641A KR101760718B1 KR 101760718 B1 KR101760718 B1 KR 101760718B1 KR 1020160011641 A KR1020160011641 A KR 1020160011641A KR 20160011641 A KR20160011641 A KR 20160011641A KR 101760718 B1 KR101760718 B1 KR 101760718B1
- Authority
- KR
- South Korea
- Prior art keywords
- mdm
- mid
- message
- manager
- client
- Prior art date
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3066—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
- H04L9/3073—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/28—Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
Abstract
Description
BACKGROUND OF THE
Recently, there has been an increasing number of BYOD (Bring Your Own Device) services that do business or study by carrying their own devices and using them, rather than installing desktop computers or laptops in their own places in enterprises or schools. Various services utilizing mobile devices are being developed and provided.
Since BYOD service stores company and personal information in each device, if the stored information is exposed to others, there is a risk factor that can cause serious damage due to exposure of business confidentiality as well as privacy invasion of the individual.
MDM (Mobile Device Management) technology is a technology to control and manage mobile devices remotely by preventing such damage. In recent years, D2D (Device to Device) based MDM technology has been developed which allows MDM administrators, who have been granted authority by the server, to directly control peripheral mobile devices.
In order to directly control the mobile devices in the vicinity, the MDM manager must receive the authorization from the MDM server. In the conventional authorization method, the MDM client directly connects to the MDM server whether the public key of the MDM manager or the private key is legitimately granted There is a problem that validity is verified or a public key revocation list (CRL) is checked.
In addition, since the MDM manager needs to check the list of the server or the public key revocation list every time the MDM manager is connected, the protocol efficiency may deteriorate, and the MDM client can not authenticate in a situation where the MDM client can not access the Internet through Wi- It is also an issue to be solved.
The present invention has been made in view of the technical background as described above, and it is an object of the present invention to provide a protocol which can confirm the authority of an MDM manager through direct connection between devices without having to connect to the MDM server.
The objects of the present invention are not limited to the above-mentioned objects, and other objects not mentioned can be clearly understood by those skilled in the art from the following description.
According to another aspect of the present invention, there is provided a method for managing a pairing-based mobile device, the method comprising the steps of: receiving an MID as an ID for identifying a mobile device management (MDM) manager, 0.0 > M1 < / RTI > to the MDM server; The M1 and by applying a hash function to the MID the MDM generates a public key MID pub of the manager, and wherein the generated public key to the MID pub generated by applying the master key of the MDM server decryption key D MID MDM server ; Transferring the Ml and the MID to the MDM client; Encrypts the message M including the CID, the MID, the authentication key, and the token included in the M1 using the public key MID pub of the MDM manager generated by applying the hash function to the MI and the MID Receiving an encryption message C1 from the MDM client; And decrypting the encrypted message C1 using the decryption key D MID to obtain the authentication key and the token.
The mobile device management system according to another embodiment of the present invention includes a MID that is an ID for identifying an MDM manager and a message M1 that includes an ID for identifying an MDM client to be managed and a control time, And receives the decryption key D MID from the MDM server, receives the encryption message C1 from the MDM client, decrypts the received message C1 using the decryption key D MID , An MDM manager for obtaining the following authentication key and the following token contained in C1; By applying a hash function to the MID and M1 received from the MDM administrator generates a public key MID pub of the MDM administrator, and generates a decryption key D MID by applying the master key to the generated public key MID pub the MDM Manager MDM server; And generating a public key MID pub of the MDM manager by applying a hash function to the MID and M1 received from the MDM manager and encrypting the message M including the CID, MID, authentication key and token using the MID pub , And an MDM client for generating an encryption message C1 and transmitting the generated message C1 to the MDM manager.
According to the present invention, since the MDM client does not have to verify whether the public key of the MDM manager is valid every time when the MDM client connects with the MDM manager, the MDM client can efficiently grant the authority, and the MDM client can not use the Wi- Even if the MDM manager has the effect of managing the MDM client.
FIG. 1 illustrates a mobile device management system according to an embodiment of the present invention. FIG.
2 is a flowchart of a mobile device management method according to another embodiment of the present invention.
FIG. 3 is a flowchart illustrating an authorization step of a mobile device management method according to another embodiment of the present invention; FIG.
4 is a flowchart illustrating authentication and authentication key sharing steps of a mobile device management method according to another embodiment of the present invention.
FIG. 5 is a flowchart illustrating a control and synchronization step of a mobile device management method according to another embodiment of the present invention. FIG.
BRIEF DESCRIPTION OF THE DRAWINGS The advantages and features of the present invention and the manner of achieving them will become apparent with reference to the embodiments described in detail below with reference to the accompanying drawings. The present invention may, however, be embodied in many different forms and should not be construed as being limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. Is provided to fully convey the scope of the invention to those skilled in the art, and the invention is only defined by the scope of the claims. It is to be understood that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. In the present specification, the singular form includes plural forms unless otherwise specified in the specification. As used herein, the terms " comprises, " and / or "comprising" refer to the presence or absence of one or more other components, steps, operations, and / Or additions.
Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. 1 shows the structure of an MDM system using D2D according to the present invention.
The MDM system includes MDM clients 130-133, an
The
The
The MDM
The
The
The
The present invention performs encryption and decryption based on pairing between devices. In order to do this, the pairing-based encryption and decryption algorithm is composed of four algorithms of setting, extracting, encrypting, and decrypting.
The setup step is performed through the following steps if a security parameter k ∈ Z + is given.
G 1 , G 2 , an Admissible Bilinear Map having a prime number q and an order q by executing a parameter generator G,
: G 1 x G 1 ? G 2 and a random generator P? G 1 .Next, s∈Z q * is randomly selected, and SID pub = sP is set. The SID means the ID (Identity) of the MDM server.
Then, a cryptographic hash function H 1 : {0,1} * → G 1 * , H 2 : G 2 → {0,1} n is selected and a security analysis selects G 1 and G 2 is regarded as random oracle.
The message space M is {0,1} n And the ciphertext space C is G 1 * x {0, 1} n . The system parameter params is <q, G 1 , G 2 , n, P, SID pub , H 1 , H 2 > and the master key is s∈Z q * .
The Extract step is MID pub = H 1 (ID) ∈ G 1 * , D ID = sSID pub for ID ∈ {0,1} * . For example, the ID may be composed of <MID, Group ID or Client ID, and Control_time>. MID stands for the ID of the MDM manager.
In the Encryption step, for the ID, MID = H 1 (ID) ∈ G 1 * is calculated to encrypt the message (M ∈ M ), randomly selected r ∈ Z q * &Quot; (1) "
Finally, the decrypting step decrypts the cipher text C using the following equation (2) using D MID when C = (U, V). D MID is a decryption key received from the MDM server.
Using the pairing-based encryption and decryption technology as described above, the MDM manager receives the decryption key D MID from the MDM server, authenticates its authority to the surrounding mobile devices, and generates a token and a secret key, .
2 is a flowchart illustrating a method of managing a mobile device according to an exemplary embodiment of the present invention.
First, the MDM manager performs an authorization step of receiving a pairing-based decryption key D MID from the MDM server (S210). This is the step for the MDM administrator to receive the authority needed to control the MDM client from the MDM server.
FIG. 3 is a flowchart illustrating in detail an authorization process for transferring a message M1 from an MDM manager to generate a decryption key D MID in the MDM server and delivering it to the MDM manager.
The MDM manager generates a message M1 consisting of an ID (Group ID or Client ID) and a control time (Control_time) of the group or client to be controlled (S310) and transmits it to the MDM server (S320) Communication is done through a secure channel such as HPPTS for security.
The control time refers to the time at which message M1 is valid, and once the generated message can not continue to be valid, the message is valid for a certain period of time.
MDM server is decrypted by the a MID to the message M1 received by the hash (Hash) with H 1 generates a public key MID pub and (S330), generating MID pub from MDM administrator uses his person s master key key D MID (S340), and then transmits it to the MDM manager (S350).
The decryption key D MID is a kind of authorization key that enables the MDM administrator to obtain the authority to access and control the MDM client.
After completing the authorization step, authentication and key sharing are performed (S220).
4 is a flowchart showing authentication and authentication key sharing steps.
The MDM manager transmits the M1 generated in the granting step S210 to the MDM client in step S410, and the MDM client verifies whether the time and the like of the received M1 are valid in step S420. For example, it is checked whether the current time is included in the range of the control time, and whether the MDM client itself is included in the group ID or the client ID is verified.
Next, MID and M1 are hashed to generate MID pub , which is a public key of the MDM manager (S430).
We also randomly select r from Zq * and generate a message M consisting of <CID, MID, key, token>. The CID is the identity of the client and the authentication key is an authentication key used for secret key algorithms such as Advanced Encryption Standard (AES) and Data Encryption Standard (DES) Is a key value used to control the operation.
Finally, the message M is encrypted using admissible pairing (S440), and the generated cipher text C1 is transmitted to the MDM manager (S450).
The message M is encrypted by the following equation (3).
The MDM manager decrypts the received ciphertext C1 using the decryption key D MID of its own to obtain the message M and obtain the authentication key and the token from it (S460). M is C1 = (U, V) (2) < / RTI >
The MDM client decrypts the token and the packet ID (packet_ID) obtained from C1 by using the AES to generate C2 (S470) and transmits it to the MDM client (S480). The MDM client decrypts the token and the packet ID (S490).
When the authentication and the authentication key sharing are completed, the MDM manager can be granted the authority to the MDM client, and the MDM client can access and control the MDM client by sharing the token and the authentication key (S230).
5 is a flowchart of a process in which an MDM manager controls an MDM client and uploads the state of the MDM client to a server and synchronizes the state.
The MDM manager generates a control message M2 containing contents for controlling the MDM client (S510), generates an encryption message C3 in which the token and the packet ID are encrypted together with the authentication key, and transmits the encrypted message C3 to the MDM client (S530). The packet ID is incremented by 1 every time the packet is used and identifies the message to be transmitted.
The MDM client having received the C3 decrypts C3 with the authentication key shared with the MDM manager to obtain M2, and verifies the validity of the token and the packet ID included in the M2 (S540).
When the validity of the token and the packet ID is confirmed, the contents of M2 are executed (S550), the result of the execution is encrypted with the authentication key to generate an encryption message C4 (S560), and the generated message C4 is transmitted to the MDM manager (S570).
The MDM manager decrypts C4 using the authentication key, obtains the execution result, and stores the result in the state of the MDM client (S580).
The MDM server transmits the device status to the MDM server to update the execution status of the last saved MDM client to the MDM server (S590), and the MDM server updates the status of the received device (S595). At this time, transmission is performed through a secure channel such as HTTPS.
Since the pairing-based authorization method between devices can be obtained only by the MDM manager every time the authentication key is required and the control authority of the MDM client can be obtained only for a certain period of time, there is no problem in renewing, maintaining, and managing the authentication key , The MDM client does not need to be connected to the MDM server, so that efficient authorization can be provided.
While the present invention has been described in detail with reference to the accompanying drawings, it is to be understood that the invention is not limited to the above-described embodiments. Those skilled in the art will appreciate that various modifications, Of course, this is possible. Accordingly, the scope of protection of the present invention should not be limited to the above-described embodiments, but should be determined by the description of the following claims.
Claims (6)
The MDM manager transmitting to the MDM server a message M1 including an MID as an ID for identifying the MDM manager, a CID as an ID for identifying the MDM client to be managed, and a control time;
The MDM administrator, decoding is the MDM server that generated by applying the master key of the MDM server to the MDM generates a public key MID pub of the administrator and the generated public key MID pub by applying a hash function to the M1 and the MID Receiving the key D MID when it is transmitted;
The MDM manager transmitting the M1 and the MID to the MDM client;
The MDM manager uses the public key MID pub of the MDM manager generated by applying the hash function to the MI and the MID, and the CID, the MID, the authentication key, and the token included in the M1 Receiving an encrypted message C1 encrypted with a message M including the encrypted message C1;
The MDM manager decrypting the encryption message C1 using the decryption key D MID to obtain the authentication key and the token;
Encrypting the control command using the token and delivering the encrypted control command to the MDM client;
When the client decrypts the encrypted control command using the token to perform the control command, the MDM manager receives a message obtained by encrypting the execution result of the control command using the token;
The MDM manager decrypts the received message using the token;
The MDM manager storing the execution result obtained by decrypting the message as the state of the MDM client; And
And the MDM manager transmitting the result of the execution to the MDM server to allow the MDM server to update the status of the MDM client.
The step of transmitting the message M1 to the MDM server includes using a secure channel using a Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) protocol
A method of managing mobile devices based on inferencing.
The step of encrypting the message M comprises encrypting using an admittable bilinear map
A method of managing mobile devices based on inferencing.
The MDM manager,
A message M1 including an MID as an ID for identifying an MDM manager, a CID as an ID for identifying an MDM client to be managed and a control time, to the MDM server and the MDM client,
The MDM server is sent by applying a hash function to the MID and M1 and generates a public key MID pub of MDM manager and the generated public key by applying the master key to the MID pub generate a decryption key D MID the decryption key D MID In addition,
Message to the MDM client includes the CID, MID, the authentication key and the token by applying a hash function to the MID and M1 generates a public key MID pub of the MDM manager, using the generated public key MID pub M And transmits the message C1. Upon receipt of the message C1, the message C1 is decrypted using the decryption key D MID to acquire the authentication key and the token included in the C1,
Encrypts the control command using the token, delivers the encrypted control command to the MDM client, and when the client decrypts the encrypted control command using the token to execute the control command, Receives the message encrypted with the token,
Decrypts the received message using the token,
Storing the execution result obtained by decoding the message as a state of the MDM client,
And transmits the result of the execution to the MDM server so that the MDM server updates the status of the MDM client.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020160011641A KR101760718B1 (en) | 2016-01-29 | 2016-01-29 | System and method for managing mobile device based on pairing |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020160011641A KR101760718B1 (en) | 2016-01-29 | 2016-01-29 | System and method for managing mobile device based on pairing |
Publications (1)
Publication Number | Publication Date |
---|---|
KR101760718B1 true KR101760718B1 (en) | 2017-08-04 |
Family
ID=59654307
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020160011641A KR101760718B1 (en) | 2016-01-29 | 2016-01-29 | System and method for managing mobile device based on pairing |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101760718B1 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114238867A (en) * | 2022-02-28 | 2022-03-25 | 南开大学 | Automatic switching access method for distributed multi-backup copyright content |
KR20230013713A (en) | 2021-07-19 | 2023-01-27 | 주식회사 메디트 | Wireless scanning system and wireless scanning method |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101397480B1 (en) * | 2007-10-10 | 2014-05-21 | 삼성전자주식회사 | Electronic device and method for encrypting thereof |
KR101503813B1 (en) * | 2014-03-11 | 2015-03-18 | 재단법인대구경북과학기술원 | Mobile device management system and method using device to device communication |
-
2016
- 2016-01-29 KR KR1020160011641A patent/KR101760718B1/en active IP Right Grant
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101397480B1 (en) * | 2007-10-10 | 2014-05-21 | 삼성전자주식회사 | Electronic device and method for encrypting thereof |
KR101503813B1 (en) * | 2014-03-11 | 2015-03-18 | 재단법인대구경북과학기술원 | Mobile device management system and method using device to device communication |
Non-Patent Citations (1)
Title |
---|
Boneh, Dan, and Matt Franklin. "Identity-based encryption from the Weil pairing." Annual International Cryptology Conference. Springer Berlin Heidelberg, 2001.* |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20230013713A (en) | 2021-07-19 | 2023-01-27 | 주식회사 메디트 | Wireless scanning system and wireless scanning method |
KR102612159B1 (en) | 2021-07-19 | 2023-12-12 | 주식회사 메디트 | Wireless scanning system and wireless scanning method |
CN114238867A (en) * | 2022-02-28 | 2022-03-25 | 南开大学 | Automatic switching access method for distributed multi-backup copyright content |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11228442B2 (en) | Authentication method, authentication apparatus, and authentication system | |
US10243742B2 (en) | Method and system for accessing a device by a user | |
EP3432532B1 (en) | Key distribution and authentication method, apparatus and system | |
WO2017185999A1 (en) | Method, apparatus and system for encryption key distribution and authentication | |
CN108599925B (en) | Improved AKA identity authentication system and method based on quantum communication network | |
US9055047B2 (en) | Method and device for negotiating encryption information | |
US10938554B2 (en) | Managing private key access in multiple nodes | |
KR20190073472A (en) | Method, apparatus and system for transmitting data | |
US9716591B2 (en) | Method for setting up a secure connection between clients | |
US20080285756A1 (en) | Random shared key | |
CN104641592A (en) | Method and system for a certificate-less authentication encryption (CLAE) | |
TWI581599B (en) | Key generation system, data signature and encryption system and method | |
CN108809633B (en) | Identity authentication method, device and system | |
CN110087240B (en) | Wireless network security data transmission method and system based on WPA2-PSK mode | |
CN104917759A (en) | Third-party-based safety file storage and sharing system and method | |
WO2013007525A1 (en) | Method and system to share or storage personal data without loss of privacy | |
CN108880995B (en) | Block chain-based unfamiliar social network user information and message pushing encryption method | |
WO2019056957A1 (en) | Data processing and identity authentication methods and systems, and terminal | |
ES2575881T3 (en) | Method for tracking a mobile device in a remote display unit via a mobile switching center and a header | |
US20180063105A1 (en) | Management of enciphered data sharing | |
KR101760718B1 (en) | System and method for managing mobile device based on pairing | |
Doh et al. | Key establishment and management for secure cellular machine-to-machine communication | |
US20140185808A1 (en) | Apparatus, systems, and methods for encryption key distribution | |
WO2016176902A1 (en) | Terminal authentication method, management terminal and application terminal | |
US8769280B2 (en) | Authentication apparatus and method for non-real-time IPTV system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
E701 | Decision to grant or registration of patent right | ||
GRNT | Written decision to grant |