KR101960583B1 - Method for issuing a certificate - Google Patents

Abstract

A method of issuing a certificate is disclosed. The disclosed certificate issuing method includes generating a security identifier of a server, storing a security identifier of the terminal, transmitting a beacon message including information on a public key of the server, The method comprising the steps of: receiving a connection request message including information of a first EC point on an integer, verifying the first EC point using the security identifier of the terminal, and when verification of the first EC point is completed, And transmitting a connection response message including information for generating a private key of the terminal.

Description

{METHOD FOR ISSUING A CERTIFICATE}

The present invention relates to a method of issuing a certificate by a server and a method of acquiring a certificate of a terminal, and relates to a technology for enhancing security in a certificate issuing process.

Recently, with the development of network technology, interest in internet related technology (IOT) has been increasing. As demand for the Internet increases, new network infrastructures are required. Therefore, network infrastructure such as low power wireless personal area network (LowPAN) is being studied.

In a network environment such as a low-power wireless private network, a plurality of devices are connected and operated based on a wireless network, so that various security threats may occur and there is a risk of illegal access to the network. Therefore, it is necessary to block the use of unauthorized devices in the smart work environment by checking the safety of the devices, and access only legitimate devices. That is, there is a need for an authentication protocol that can provide safe and efficient services only through legitimate devices.

An example of a conventional join protocol is the X.509 certificate method, but the power consumed for protocol operation and data transmission is large and is not suitable for the Internet environment. Also, ECQV

The existing device authentication / authorization technology provides authentication through a public certification authority for mutual authentication between devices in a single domain, or provides authentication using an ID / PW. However, for multi-domain environments like IoT-based smart work environment, it is necessary to develop additional device authentication / authorization technology. In addition, the existing device authentication / authorization technology may cause problems such as the amount of computation to be applied to the sensor device, and the KEY or certificate verification method using the server is not suitable for the IoT environment in which all objects are connected. A join protocol using an implicit certificate based on ECQV (Elliptic curve Qu-Vanstone) may have a security vulnerability in the process of issuing certificates.

In order to solve the above problems, the present invention provides a method for a server to securely issue an ECQV implicit certificate and a method for a terminal to acquire an ECQV implicit certificate.

According to an aspect of the present invention, there is provided a method of issuing a certificate performed by a server,

Generating a security identifier of the server;

Storing a security identifier of the terminal;

Transmitting a beacon message including information on a public key of the server;

Receiving, from the MS, a connection request message including information of a first EC point for a first secret random integer;

Verifying the first EC point using the security identifier of the terminal; And

When the verification of the first EC point is completed, transmitting a connection response message including information for generating a private key of the MS.

here,

The step of generating the security identifier of the server comprises:

The server can generate the private key of the server, calculate the public key of the server from the private key of the server, and calculate the security identifier of the server from the public key of the server.

here,

The step of generating the security identifier of the server comprises:

The security identifier of the server can be calculated by applying a hash function to the public key and the PAN identifier of the server.

here,

Wherein verifying the first EC point comprises:

And compare the hash function value of the first EC point and the PAN identifier with the security identifier of the UE.

here,

Wherein the certificate issuing method further comprises: generating a first random number;

The beacon message may further include information on the first random number.

here,

The connection request message may further include information on the first random number and the second random number generated by the terminal.

here,

The step of receiving the connection request message may include receiving a message integrity code for the connection request message,

And verifying a message integrity code for the connection request message.

here,

Wherein verifying the message integrity code for the connection request message comprises:

Calculating a pairwise key from the private key of the server and the first EC point,

Calculating a symmetric link key from the pairwise key, a first random number generated by the server, a second random number generated by the terminal, a security identifier of the server, and a security identifier of the terminal,

The message integrity code for the connection request message can be verified using the symmetric link key.

here,

Wherein the transmitting the connection response message comprises:

The message integrity code for the connection response message generated using the symmetric link key may be transmitted together.

here,

The certificate issuing method includes:

Generating a second secret random integer;

Calculating a second EC point for the second secret random integer;

Calculating an implicit certificate from the first EC point and the second EC point;

And computing an integer for deriving the private key of the terminal from the server's private key, the second secret random integer, and the implicit certificate,

The information for generating the private key of the terminal may include information about the implicit certificate and an integer for deriving the private key of the terminal.

According to another aspect of the present invention, there is provided a method of acquiring a certificate of a terminal according to an embodiment of the present invention,

Generating a security identifier of the terminal;

Storing a security identifier of the server;

Receiving a beacon message including information on a public key of the server from the server;

Verifying the public key of the server using the security identifier of the server;

Transmitting a connection request message including information of a first EC point for a first secret random integer; And

And receiving, from the server, a connection response message including information for generating a private key of the terminal.

here,

The step of generating the security identifier of the terminal comprises:

Generate the first secret random integer, calculate the first EC point from the first secret random integer, and calculate the security identifier of the terminal from the first EC point.

here,

The step of generating the security identifier of the terminal comprises:

The security identifier of the UE can be calculated by applying a hash function to the first EC point and the fan identifier.

here,

Wherein verifying the public key of the server comprises:

The hash function value of the public key and the fan identifier of the server can be compared with the security identifier of the server.

here,

Wherein the beacon message further includes information on a first random number generated by the server,

The certificate obtaining method may further include generating a second random number.

here,

The connection request message may further include information on the first random number and the second random number.

here,

The step of transmitting the connection request message may include transmitting a message integrity code for the connection request message together with the connection request message.

here,

Wherein the message integrity code for the connection request message comprises:

Calculating a pairwise key from the first secret random integer and the public key of the server,

Calculating a symmetric link key from the pairwise key, a first random number generated by the server, a second random number generated by the terminal, a security identifier of the server, and a security identifier of the terminal,

And encrypting the connection request message using the symmetric link key.

here,

Wherein the step of receiving the connection response message comprises receiving a message integrity code for the connection response message together,

The certificate obtaining method may further include verifying a message integrity code for the connection response message using the symmetric link key.

here,

The information for generating the private key of the terminal includes information on an implicit certificate and an integer for deriving the private key of the terminal,

The certificate obtaining method comprising: calculating the private key of the terminal from the implicit certificate, an integer for deriving the private key of the terminal, and the first secret random integer; And

And calculating a public key of the terminal from the private key of the terminal.

According to the embodiment of the present invention, the security of the network can be enhanced in the process of issuing the certificate. Also, the amount of computation and the amount of power consumption required in the certificate issuing process can be reduced.

1 is a block diagram illustrating one embodiment of a station performing methods in accordance with the present invention.
2 is a flowchart illustrating an ECQV implicit certificate issuance process according to the PAuthKey protocol.
3 is a flowchart illustrating an initialization process of a certificate issuing method according to an exemplary embodiment of the present invention.
4 is a flowchart illustrating a certificate issuing method according to an exemplary embodiment of the present invention.
5 is a table comparing PAuthKey Protocol with embodiments of the present invention.
6 is a flowchart illustrating a modification of the initialization process shown in FIG.
7 is a flowchart illustrating a modification of the certificate issuing process shown in FIG.
8 shows an example in which the communication distance between the terminal and the server is extended in the certificate issue process.
9 is a graph comparing power consumed in the PAuthKey protocol and power consumed in the certificate issuing method according to the embodiment of the present invention.

While the invention is susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will herein be described in detail. It should be understood, however, that the invention is not intended to be limited to the particular embodiments, but includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.

The terms first, second, etc. may be used to describe various components, but the components should not be limited by the terms. The terms are used only for the purpose of distinguishing one component from another. For example, without departing from the scope of the present invention, the first component may be referred to as a second component, and similarly, the second component may also be referred to as a first component. And / or < / RTI > includes any combination of a plurality of related listed items or any of a plurality of related listed items.

It is to be understood that when an element is referred to as being "connected" or "connected" to another element, it may be directly connected or connected to the other element, . On the other hand, when an element is referred to as being "directly connected" or "directly connected" to another element, it should be understood that there are no other elements in between.

The terminology used in this application is used only to describe a specific embodiment and is not intended to limit the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise. In the present application, the terms "comprises" or "having" and the like are used to specify that there is a feature, a number, a step, an operation, an element, a component or a combination thereof described in the specification, But do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, or combinations thereof.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms such as those defined in commonly used dictionaries should be interpreted as having a meaning consistent with the meaning in the context of the relevant art and are to be interpreted in an ideal or overly formal sense unless explicitly defined in the present application Do not.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. In order to facilitate the understanding of the present invention, the same reference numerals are used for the same constituent elements in the drawings and redundant explanations for the same constituent elements are omitted.

Throughout the specification, the network can be wireless, for example, a low power wireless personal area network (LowPAN), a low power wide area wireless communication (LPWAN), a Zigbee, a wireless fidelity (WiFi) A portable Internet such as the Internet, a wireless broadband internet (WiBro) or a world interoperability for microwave access (WiMax), a 2G mobile communication network such as a global system for mobile communication (GSM) or a code division multiple access (CDMA), a wideband code division multiple (3G) mobile communication network such as CDMA2000, 3.5G mobile communication network such as HSDPA or HSUPA, LTE (Long Term Evolution) network or LTE-Advanced network A communication network, and a 5G mobile communication network.

Throughout the specification, a terminal is referred to as a mobile station, a mobile terminal, a subscriber station, a portable subscriber station, a user equipment, an access terminal, A terminal, a mobile station, a mobile station, a subscriber station, a mobile subscriber station, a user equipment, an access terminal, and the like.

Here, the terminal may include a sensor that is attached to the object and can communicate with the object. Sensors attached to objects can be used to implement Internet Of Things (IOT). The terminal may be a desktop computer, a laptop computer, a tablet PC, a wireless phone, a mobile phone, a smart phone, a smart watch, ), Smart glass, an e-book reader, a portable multimedia player (PMP), a portable game machine, a navigation device, a digital camera, a digital multimedia broadcasting (DMB) player, a digital voice recorder an audio recorder, a digital audio player, a digital picture recorder, a digital picture player, a digital video recorder, a digital video player, Lt; / RTI >

Throughout the specification, a base station is referred to as an access point, a radio access station, a node B, an evolved node B, a base transceiver station, an MMR mobile multihop relay-BS, and may include all or some of the functions of a base station, an access point, a radio access station, a Node B, an eNodeB, a base transceiver station, a MMR-BS A,

1 is a block diagram illustrating one embodiment of a station performing methods in accordance with the present invention.

Referring to FIG. 1, a station 100 may include at least one processor 110, a memory 120, and a network interface device 130 for communicating with a network. In addition, the station 100 may further include an input interface device 140, an output interface device 150, a storage device 160, and the like. Each component included in the station 100 may be connected by a bus 170 and communicate with each other.

The processor 110 may execute a program command stored in the memory 120 and / or the storage device 160. The processor 110 may refer to a central processing unit (CPU), a graphics processing unit (GPU), or a dedicated processor on which the methods of the present invention are performed. The memory 120 and the storage device 160 may be composed of a volatile storage medium and / or a non-volatile storage medium. For example, the memory 120 may be comprised of read only memory (ROM) and / or random access memory (RAM).

In the following, a wireless communication network to which embodiments according to the present invention are applied will be described. The wireless communication network to which the embodiments according to the present invention are applied is not limited to the following description, and the embodiments according to the present invention can be applied to various wireless communication networks.

2 is a flowchart illustrating an ECQV implicit certificate issuance process according to the PAuthKey protocol.

Referring to FIG. 2, the certificate issuance can be performed by communication between the terminal 10 and the server 20. [ The server 20 is a device operated by a Certification Authority (CA). The certification authority refers to an organization that issues a certificate to the terminal 10 and processes authentication services such as extraction, revocation, renewal, and replacement of the certificate. The server 20 can perform operations such as issuing, updating, discarding, replacing, and extracting a certificate by communicating with the terminal 10. [ The server 20 may include a server, a base station, and a personal area network coordinator (PAN coordinator), which are operated by an authentication authority.

The terminal 10 is a device to which a certificate is issued, and may include a sensor device used in object Internet implementation. The terminal 10 can obtain the certificate and obtain the membership of the network. For example, the terminal 10 may obtain a certificate and join the private area wireless network.

를 만족하는 점들의 집합일 수 있다. EC 도메인 파라미터들은 (p, a, b, G, n)으로 표시된다. n은 커브 E(F_P)의 차수의 제수이며, 높은 소수이다. G는 n차수의 베이스 포인트 생성자를 의미한다. Through the certificate issuing procedure shown in FIG. 2, the terminal 10 can acquire an ECQV implicit certificate (Elliptic Curve Qu-Vanstone Implicit Certificate) from the server 20. An implicit certificate is a certificate whose public key is not explicitly revealed. The terminal 10 can confirm the public key by performing a predetermined calculation process on the implicit certificate. The ECQV (Elliptic Curve Qu-Vanstone) implicit certificate can be generated from an elliptic curve parameter. For example, the elliptic curve E (F _P ) for a finite field (F _P )

Lt; / RTI > The EC domain parameters are denoted as (p, a, b, G, n). n is a divisor of the order of the curve E (F _P ), and is a high prime number. G is an n-degree base point constructor.

를 만족할 수 있다.Assuming that the public key of each entity is Q and the private key is q,

Can be satisfied.

In step S102 of FIG. 2, the terminal 10 can transmit a Hello message. The server 20 can receive the Hello message from the terminal 10. [ The Hello message transmitted by the terminal 10 may include information on the identifier I _A of the terminal 10. The identifier I _A of the terminal 10 may include the MAC address of the terminal 10. The MAC address of the terminal 10 may be 64 bits.

In step S103, the server 20 receives the Hello message from the terminal 10 and can verify the identifier (I _A ) information of the terminal 10 included in the Hello message. The server 20 can check whether there is an identifier matching the identifier I _A of the terminal 10 included in the Hello message among the identifiers of terminals registered in advance.

In step S104, when the verification of the identifier (I _A ) of the terminal 10 is completed, the server 20 can transmit the CA Hello message. The terminal 10 can receive the CA Hello message. The CA Hello message may include information on the public key (Qc _A ) of the server 20.

를 만족할 수 있다. 여기서, n은 제1 비밀 랜덤 정수(r_A)의 생성범위를 나타낸다. 단말(10)은 제1 난수(N_A)를 생성할 수 있다. 단말(10)은 후술하는 인증서 요청 메시지에 제1 난수(N_A)를 포함시킴으로써, 메시지의 현재성을 보장할 수 있다.In step S106, the terminal 10 may generate a first secret random integer r _A. The first secret random integer (r _A )

Can be satisfied. Here, n represents the generation range of the first secret random integer (r _A ). The terminal 10 may generate the first random number N _A. The terminal 10 can guarantee the currentness of the message by including the first random number N _A in the certificate request message described later.

In step S108, the terminal 10 may calculate a first EC point R _A for the first secret random integer r _A. The terminal 10 may calculate the first EC point R _A according to Equation (1).

In Equation (1), r _A denotes a first secret random integer, G denotes a base point, and R _A denotes a first EC point for a first secret random integer (r _A ).

In step S110, the terminal 10 may transmit a certificate request message. The certificate request message may include information about a first EC point (R _A ) and a first random number (N _A ). The terminal 10 may transmit a message integrity code (MIC) (MIC (K)) for the certificate request message. The message integrity code may be encrypted using the network key (K). The network key K may be shared with the server 20 and the terminal 10 before issuing the certificate.

In step S114, the server 20 can verify the message integrity code MIC (K). The server 20 can verify the message integrity code MIC (K) using the network key K. [

를 만족할 수 있다. 단말(10)은 후술하는 인증 메시지에 제2 난수(N_CA)를 포함시킴으로써, 메시지의 현재성을 보장할 수 있다.In step S116, when the verification of the message integrity code MIC (K) is completed, the server 20 can generate the second secret random integer r _CA and the second random number N _CA. The second secret random integer (r _CA )

Can be satisfied. The terminal 10 can guarantee the current state of the message by including the second random number N _CA in an authentication message described later.

In step S118, the server 20 may calculate a second EC point (R _CA ) for the second secret random integer (r _CA ). The server 20 may calculate the second EC point (R _CA ) according to equation (2).

In Equation (2), r _CA denotes a second secret random integer, G denotes a base point, and R _CA denotes a second EC point for a second secret random integer (r _CA ).

In step S120, the server 20 may calculate an implicit certificate (Cert _A ) of the terminal 10. The server 20 can calculate the implicit certificate (Cert _A ) of the terminal 10 according to Equation (3).

In Equation (3), Cert _A denotes an implicit certificate of the terminal 10, r _A denotes a first ec point, and r _ca denotes a second ec point.

In step s122, the server 20 may calculate an integer s for deriving the private key of the terminal 10. [ The server 20 can calculate the integer s according to Equation (4).

In Equation (4), s denotes an integer for deriving the private key of the terminal 10, q _CA denotes a private key of the server 20, r _CA denotes a second secret random integer, and H (Cert - _A ) denotes the hash function value for the implicit certificate (Cert _A ).

In step S124, the server 20 can transmit an authentication message. The authentication message may include an implicit certificate (Cert _A ), an integer (s) for deriving the private key of the terminal 10, and information on the second random number (N _CA ). The server 20 can transmit the message integrity code (MIC (K) _ 1) for the authentication message together with the authentication message. The message integrity code (MIC (K) _ 1) may be encrypted using the network key (K).

In step S126, the terminal 10 receives the message integrity code (MIC (K) - 1) for the authentication message and the authentication message, and verifies the message integrity code (MIC (K) - 1). The terminal 10 can verify the message integrity code MIC (K) using the network key K. [

In step S128, when the verification of the message integrity code MIC (K) is completed, the terminal 10 can calculate the private key q _A of the terminal 10 using the information included in the authentication message. The terminal 10 can calculate the private key q _A of the terminal 10 according to Equation (5).

In Equation (5), q _A denotes a private key of the UE 10, s denotes an integer for deriving the private key q _A of the UE 10, r- _A denotes a first secret random integer And H (Cert- _A ) is the hash function value for the implicit certificate (Cert _A ).

In step S 130, the terminal 10 can calculate the public key Q _A of the terminal 10. The terminal 10 can calculate the public key Q _A of the terminal 10 according to Equation (6).

In Equation (6), Q _A denotes a public key of the UE 10, q _A denotes a private key of the UE 10, and G denotes a base point.

In S132 step, the terminal 10 has the public key (Q _A) and a private key (q _A) message integrity for the acquisition is complete received to and from the server 20 to the former in order to notify that the message code (MIC_All ( Q _A ) can be generated and transmitted. The message integrity code MIC_All (Q _A ) may be encrypted using the public key Q _A of the terminal 10.

In step S134, the server 20 can verify the message integrity code MIC_All (Q _A ). The server 20 can verify the message integrity code MIC_All (Q _A ) using the public key Q _A of the terminal 10.

In step S136, when the verification of the message integrity code MIC_All (Q _A ) is completed, the server 20 transmits the message integrity code MIC_All (Q _A ) for the messages exchanged with the terminal 10 until now Can be generated and transmitted. The message integrity code MIC_All (Q _A ) may be encrypted using the public key Q _A of the terminal 10.

In step S138, the terminal 10 can verify the message integrity code MIC_All (Q _A ). The terminal 10 can verify the message integrity code MIC_All (Q _A ) using the public key Q _A of the terminal 10. As the verification of the message integrity code MIC_All (Q _A ) is completed at both ends of the server 20 and the terminal 10, the server 20 and the terminal 10 can confirm that the certificate issuing procedure is completed.

The terminal 10 can join the network by obtaining the public key Q _A and the private key q _A. The terminal 10 can be used to authenticate the message of the terminal 10 in the communication between the terminal 10 and the server 20 with the public key Q _A and the private key q _A.

The certificate issuing process shown in FIG. 2 may have some security vulnerabilities.

First, the server 20 and the terminal 10 use a message integrity code MIC (K) to verify each other, and this verification method is performed using the network key K. However, in the case of the verification method using the network key (K), since the device is not identified in the verification process, it may be vulnerable to attack by the intruder.

Second, once a device is infected, the security of the entire network can be compromised. When a single device is infected and information about the network key K is exposed, the security of the entire network can be collapsed at once.

Third, it may be vulnerable to a replay attack. A replay attack is an attack in which a valid message is picked up from a protocol, copied, and retransmitted later to impersonate a legitimate user. Although the first random number N _A and the second random number N _CA are used, generation of the random number is performed only at the transmitting end, so that it is possible to generate a random number and perform a retransmission attack even in the case of an intruder.

Fourth, the sharing scheme of the network key K is not defined. Therefore, information about the network key K can be exposed while sharing the network key K in the network expansion process, which may result in security vulnerability.

Fifth, since the message integrity code MIC_All (Q _A ) for all of the previously exchanged messages is exchanged in steps S132 and S136, the message integrity code MIC_All (Q _A ) Power can be consumed.

3 is a flowchart illustrating an initialization process of a certificate issuing method according to an exemplary embodiment of the present invention.

Referring to FIG. 3, the certificate issuance can be performed by communication between the terminal 200 and the server 300. The server 300 refers to a device operated by a Certification Authority (CA). The server 300 may include a server, a base station, a PAN coordinator (Personal Area Network Coordinator), etc. operated by an authentication authority.

The terminal 200 is a device to which a certificate is issued, and may include a sensor device or the like used in object Internet implementation. The terminal 200 can obtain the certificate and obtain the membership of the network. For example, the terminal 200 may obtain a certificate and join the private area wireless network.

In step S210 of FIG. 3, terminal 200 may generate a first private random integer (r _A). Information on the first secret random integer r _A generated by the terminal 200 may not be exposed to the outside.

In step S220, the terminal 200 may calculate a first EC point R _A from the first secret random integer r _A. For example, the first EC point R _A may be calculated according to equation (7).

In Equation (7), r _A denotes a first secret random integer generated in the UE 200, G denotes a base point, and R _A denotes a first EC point.

In step S230, the terminal 200 may calculate the security identifier I _A of the terminal 200 from the first EC point R _A. The terminal 200 can calculate the security identifier I- _A of the terminal 200 in a Cryptographically Generated Address (CGA) manner. Illustratively, the security identifier I _A of the terminal 200 may be computed according to equation (8).

In Equation (8), I _A denotes a security identifier of the UE 200, PAN denotes a PAN identifier, R _A denotes a first EC point, H ₆₄ () denotes a 64 bit hash function .

According to Equation (8), I _A can have a size of 64 bits equal to the length of the MAC address. However, the embodiment is not limited thereto. For example, the number of bits of I _A may vary, and thus the output length of the hash function may be changed differently.

The terminal 200 may generate the security identifier I _A of the terminal 200 through steps S210, S220, and S230.

In step S310 of FIG. 3, the server 300 may generate the private key q _CA of the server 300. The private key q _CA of the server 300 may not be exposed to the outside.

In step S320, the server 300 may calculate the public key Q _CA of the server 300 from the private key q _CA of the server 300. For example, the public key (Q _CA ) of the server 300 may be calculated according to Equation (9).

In Equation (9), Q _CA means the public key of the server 300, q _CA means the private key of the server 300, and G means the base point.

In step S330, the server 300 may calculate the security identifier (I _CA ) of the server 300 from the public key (Q _CA ) of the server 300. The server 300 may calculate the security identifier (I _-CA ) of the server 300 in a CGA manner. Illustratively, the security identifier (I _CA ) of the server 300 may be computed according to Equation (10).

In Equation (10), I _CA denotes a security identifier of the server 300, PAN denotes a PAN identifier, Q _CA denotes a public key of the server 300, H ₆₄ () denotes a 64 bit hash function it means.

According to Equation (10), the I _CA can have a size of 64 bits equal to the length of the MAC address. However, the embodiment is not limited thereto. For example, the number of bits of the I _CA may vary, and thus the output length of the hash function may be changed differently.

The server 300 may generate the security identifier I _CA of the server 300 through steps S310, S320, and S330.

The terminal 200 and the server 300 can exchange information on security identifiers with each other. In step S240, the terminal 200 may store the security identifier (I _CA ) of the server 300. In step S340, the server 300 may store the security identifier (I- _A ) of the terminal 200.

Information sharing on security identifiers can be done by the administrator. For example, at the time of network construction, an administrator may input the security identifier (I _A ) of the terminal (200) to the server (300) and input the security identifier (I _CA ) of the server (300) have. The security identifier I _A of the terminal 200 and the security identifier I _{CA of the} server 300 are securely shared between the terminal 200 and the server 300 in this embodiment.

4 is a flowchart illustrating a certificate issuing method according to an exemplary embodiment of the present invention.

Referring to FIG. 4, in step S402, the server 300 may generate a first random number N _CA. The first random number N _CA may ensure the current state of the beacon message transmitted by the server 300. Also, the first random number N _CA can guarantee the current state of a connection request message and a connection response message, which will be described later. Ensuring currentness means preventing an attacker's replay attack.

In step S404, the server 300 may transmit a beacon message. The beacon message may include information on the first random number (N _CA ) and information on the public key (Q _CA ) of the server 300. The terminal 200 can receive the beacon message transmitted by the server 300. [

In step S406, the terminal 200 can confirm the public key (Q _CA ) of the server 300 in the beacon message. The terminal 200 can verify the public key Q _CA of the server 300. For example, the terminal 200 can substitute the public key (Q _CA ) received from the server 300 and a known PAN identifier into the right side of Equation (10). The terminal 200 may compare the calculation result using the public key Q _CA received from the server 300 with the security identifier I _CA of the server 300 stored in step S240 of FIG. Terminal 200 a when the public key calculation result using the (Q _CA) matches the security identifier (I _CA) of the server 300, the public key (Q _CA) of the server 300 received from the server 300 It can be judged to be verified. On the other hand, if the calculation result using the public key (Q _CA ) received from the server 300 does not coincide with the security identifier (I _CA ) of the server 300, the terminal 200 transmits the public key Q _CA ) is not verified.

In step S408, the terminal 200 may generate a second random number N _A. The second random number N _A can guarantee the continuity of a connection request message and a connection response message, which will be described later.

In step S410, the terminal 200 may calculate the pairwise key (DH _A ). For example, the terminal 200 may calculate the fairness key DH _A according to Equation (11).

In Equation (11), DH _A denotes a pairwise key, r _A denotes a first secret random integer generated by the UE 200, and Q _CA denotes a public key of the server 300. The terminal 200 extracts the pairwise keys R _A from the product of the first secret random integer r _A generated in step S210 shown in FIG. 3 and the public key Q _CA of the server 300 acquired in step S404 of FIG. (DH _A ) can be calculated.

In step S412, the terminal 200 may calculate the symmetric link key K _A from the pair-wise key DH _A. For example, the terminal 200 may calculate the symmetric link key K _A according to Equation (12).

In Equation 12, K _A denotes a symmetric link key, DH _A denotes a pairwise key, I _CA denotes a security identifier of the server 300, I _A denotes a security identifier of the terminal 200 , N _CA- denotes a first random number generated by the server 300, and N _A denotes a second random number generated by the terminal 200. Also, kdf () denotes a key derivation function.

In step S414, the terminal 200 may transmit a connection request message. The connection request message may include information on a first random number (N _CA ), a second random number (N _A ), and a first EC point (R _A ). The terminal 200 can calculate the message integrity code (MIC (K _A )) for the connection request message. The terminal 200 may calculate the message integrity code MIC (K _A ) for the connection request message by encrypting the connection request message using the symmetric link key K _A obtained in step S412. The server 300 may receive a message integrity code (MIC (K _A )) for the connection request message and the connection request message from the terminal 200.

In step S416, the server 300 may verify the first EC point R _A. The server 300 may verify the first EC point R _A using the security identifier I _A of the terminal 200 stored in step S340 of FIG. The server 300 can substitute the first EC point R _A received from the terminal 200 and a known PAN identifier into the right side of Equation (9). The server 300 may compare the calculation result using the first EC point R _A received from the terminal 200 with the security identifier I _A of the terminal 200 stored in step S340 of FIG. The server 300 verifies that the first when the calculated result using the EC points (R _A) matches the security identifier (I _A) of the terminal 200, the first EC points (R _A) received from the terminal (200) . On the other hand, the server 300 is a first security identifier of the computation result using the EC points (R _A), terminal 200 (I _A) and do not match each other, the first EC point (R received from the terminal (200) _A ) may be terminated as not verified.

In step S418, when the verification of the first EC point R _A is completed, the server 300 can calculate the pair-wise key DH _A. The server 300 may compute a pair-wise key (DH _A) from the private key (q _CA) and a 1 EC points (R _A) of the server 300. For example, the server 300 may calculate the fairness key (DH _A ) according to Equation (13).

In Equation 13, DH _A denotes a pairwise key, q _CA denotes a private key of the server 300, and R _A denotes a first EC point. The server 300 extracts a pairwise key DH from the product of the private key q _CA of the server 300 generated in step S310 of FIG. 3 and the first EC point R _A acquired in step S414 of FIG. _A ) can be calculated. The pair-wise key DH _A calculated by the server 300 in step S418 may match the pair-wise key DH _A calculated by the terminal 200 in step S410. That is, the server 300 and the terminal 200 can share the pair-wise key (DH _A ).

In step S420, the server 300 is the pair-wise key (DH _A) and the security identifier of the first random number (N _CA), a second random number (N _A), and a server 300 (I _CA) and the terminal ( 200 from the security identifier (I _A ) of the symmetric link key (K _A ). For example, the server 300 may calculate the symmetric link key K _A according to equation (12). The symmetric link key K _A calculated by the server 300 in step S420 may match the symmetric link key K _A calculated by the terminal 200 in step S412. That is, the server 300 and the terminal 200 may share the symmetric link key K _A.

In step S422, the server 300 may verify the message integrity code (MIC (K _A )) for the connection request message received in step S414. The server 300 may calculate the message integrity code MIC (K _A ) using the symmetric link key K _A calculated in step S420.

In step S424, when verification of the message integrity code (MIC (K _A )) is completed, the server 300 may generate a second secret random integer (r _CA ).

In step S426, the server 300 may calculate a second EC point (R _CA ) from the second secret random integer (r _CA ). For example, the server 300 may calculate a second EC point (R _CA ) according to equation (14).

In Equation 12, R _CA denotes a second EC point, r _CA denotes a second secret random integer, and G denotes a base point.

In step S428, the server 300 may calculate an implicit certificate (Cert _A ). The implicit certificate Cert _A may be used by the terminal 200 to derive the private key q _A of the terminal 200. Illustratively, the server 300 may calculate an implicit certificate (Cert _A ) according to Equation (15).

Referring to Equation (15), the server 300 obtains an implicit certificate (Cert _A ) from the sum of the first EC point (R _A ) obtained in step S414 and the second EC point (R _CA ) calculated in step S426, Can be calculated.

In step S430, the server 300 may calculate an integer s for deriving the private key q _A of the terminal 200. The server 300 may calculate the integer s from the private key q _CA of the server 300, the second secret random integer r _CA , and the implicit certificate Cert _A. For example, the server 300 may calculate the integer s according to equation (16).

In Equation 16, s denotes an integer for deriving the private key q _A of the UE 200. q _CA denotes a private key of the server 300, r _CA denotes a second secret random integer, Cert _A denotes an implicit certificate, and H () denotes a hash function. info _A is certificate related information and may include information on the security identifier (I _A ) of the terminal 200 and the expiration date of the implicit certificate (Cert _A ).

In step S432, the server 300 may transmit a connection response message. The connection response message may include information about the certificate related information (Info _A ) and an integer (s) for deriving an implicit certificate (Cert _A ) and a private key (q _A ). The server 300 may transmit the message integrity code (MIC (K _A ) _ 1) for the connection response message together with the connection response message. The server 300 may calculate the message integrity code MIC (K _A ) _ 1 using the symmetric link key K _A calculated in step S420. The terminal 200 may receive the message integrity code (MIC (K _A ) - 1) for the connection response message and the connection response message from the server 300.

In step S433, the terminal 200 can verify the message integrity code (MIC (K _A ) _ 1) for the connection response message. The terminal 200 may calculate the message integrity code MIC (K _A ) _ 1 using the symmetric link key K _A calculated in step S 412.

In step S434, the terminal 200 may calculate the private key q _A of the terminal 200. The terminal 200 can calculate the private key q _A of the terminal 200 using the information included in the connection response message. For example, the terminal 200 can calculate the private key q _A of the terminal 200 according to Equation (17).

In Equation 17, q _A denotes a private key of the UE 200, s denotes an integer for deriving the private key of the UE 200, r _A denotes a first secret random integer, and Cert _A Denotes an implicit certificate, and info _A denotes certificate-related information. H () denotes a hash function.

Referring to Equation (17), the UE 200 receives an encryption key (Cert _A ), an integer s for deriving the private key of the UE 200 and a first secret random integer (r _A ) (Q _A ) < / RTI >

In step S436, the terminal 200 may calculate the public key Q _A of the terminal 200 from the private key q _A of the terminal 200. For example, the terminal 200 may calculate the public key Q _A of the terminal 200 according to Equation (18).

In Equation (18), Q _A means the public key (Q _A ) of the terminal 200, q _A means the private key of the terminal 200, and G means the base point.

According to the embodiments described with reference to FIGS. 3 and 4, security, computation efficiency, and transmission energy efficiency can be improved in the certificate issuance process. The performance of the PAuthKey protocol shown in FIG. 2 is compared with the embodiment of the present invention as follows.

First, in the case of the PAuthKey protocol, the device authentication between the server 20 and the terminal 10 is performed in step S114 and step S126 in the verification of the message integrity codes MIC (K) and MIC (K) . Therefore, it is possible for an intruder to disguise a network key (K) only with another device.

However, according to the embodiment of the present invention, the terminal 200 verifies the public key (Q _CA ) of the server in step S406, and the server 300 verifies the first EC point R _A in step S416 can do.

를 만족하는 R_Adv 를 찾아 내야만 한다. 그런데, 64 bit 해쉬 함수의 해를 찾아내는 데는 상당한 시간이 소요되기 때문에, 침입자(Adv)가 위장 공격에 성공할 가능성이 상당히 낮아진다.For example, if a scenario in which an intruder Adv is disguised as a terminal 200 is expected, the following will be described. The intruder Adv must acquire information on the security identifier I _A of the terminal 200. Even if the intruder Adv finds out the security identifier (I _A ) information of the terminal 200, the intruder Adv

_Should be found. However, since it takes a considerable amount of time to find the solution of the 64-bit hash function, the probability that an intruder (Adv) succeeds in a camouflage attack is considerably lowered.

Second, in case of the PAuthKey protocol, security of all terminals is managed by one network key (K), so that even if one terminal is attacked by an intruder, the entire network can be collapsed.

However, according to the embodiment of the present invention, The first EC point R _A used for the verification of the UE may be different for each UE since it generates different secret random integers r _A for each UE. Therefore, even if one terminal is attacked by an intruder, the remaining network can be secure from the intruder.

Third, in the case of the PAuthKey protocol, the random number N _A , N _CA is included in the message in steps S110 and S124 of FIG. 2. However, since the random number is generated only at the transmitting end of the message, it is vulnerable to a replay attack can do.

According to the embodiment of the present invention, in steps S414 and S432 of FIG. 4, the message integrity codes MIC (K _A ) and MIC (K _A ) 1 using the symmetric link key K _A are verified Lt; / RTI > Referring to Equation (12), the symmetric link key (K _A ) may depend on both the first random number (N _CA ) and the second random number (N _A ). Both the first random number N _CA generated by the server 300 and the second random number N _A generated by the terminal 200 are required in the message verification process. That is, since a random number necessary for message verification is generated at both the transmitting end and the receiving end, it may not be subjected to a retransmission attack. For example, when the intruder Adv replaces the message transmitted from the terminal 200 with the second random number N _A with a different random number N _Adv , the first random number generated by the server 300, The message of the intruder Adv can be ignored because the message N _CA has been changed to a different value.

Fourth, in the case of the PAuthKey protocol, a total of six messages are transmitted and received in steps S102, S104, S110, S124, S132, and S136 in FIG.

On the other hand, according to the embodiment of the present invention, a total of three messages can be transmitted and received in steps S404, S414, and S432 of FIG. As the number of message transmission / reception decreases, the power consumption required for signal transmission / reception during the certificate issuance process may be reduced.

Fifth, in the case of the PAuthKey protocol, the computation time and the power consumption can be long because the message integrity code for all the messages in the previous steps S132 and S136 must be calculated.

On the other hand, according to the embodiment of the present invention, since there is no process of calculating an integrity code for a large amount of messages, calculation time and power consumption can be reduced.

5 is a table comparing PAuthKey Protocol with embodiments of the present invention.

5, the PAuthKey protocol presupposes that the network key K and the identifier I _A of the terminal 10 are to be shared in advance, while the present embodiment assumes that the security identifier ( _CA ) of the server 300 And the security identifier I _A of the terminal 200 are shared in the initialization process. In the PAuthKey protocol, the entire group of terminals is authenticated. In the present embodiment, individual authentication based on the first EC point R _A and the symmetric link key K _A may be performed for each of the terminals 200.

6 is a flowchart illustrating a modification of the initialization process shown in FIG.

In the following description of the embodiment of FIG. 6, the description overlapping with FIG. 3 is omitted.

Referring to FIG. 6, in step S225, the terminal 200 may generate a security enhancement modifier. The security enhancement modifier may satisfy equation (19).

In Equation 19, modifier means a security enhancement variable, PAN means a PAN identifier, and R _A means a first EC point. H ₁₆ () denotes a 16-bit hash function. The output length of the hash function depends on the bit size of the PAN.

7 is a flowchart illustrating a modification of the certificate issuing process shown in FIG.

In the following description of the embodiment of FIG. 7, the description overlapping with FIG. 4 is omitted.

Referring to FIG. 7, in step S414, the connection request message transmitted by the terminal 200 may further include information on a security enhancement modifier.

In step S415, the server 300 can verify the security enhancement modifier. The server 300 can calculate the security enhancing variable included in the connection request message received from the terminal 200 by substituting the security enhancing variable into the left side of the expression (19). The server 300 may compare the PAN ID with the calculation result using the security enhancement modifier included in the connection request message.

및

를 동시에 만족하는 (R_Adv, modifier_Adv) 를 찾아내야 한다. 침입자(Adv)가 솔루션 (R_Adv, modifier_Adv)을 찾기 위해 요구되는 계산 과정이 더 복잡해질 수 있다. 따라서, 네트워크의 보안이 더 강화될 수 있다.As shown in Figures 6 and 7, by introducing a security enhancement modifier, the security of the network can be further enhanced. For example, in order for the intruder Adv to disguise himself to the terminal 200, the intruder Adv

And

(R _Adv , modifier _Adv ) at the same time. The computation process required by the intruder (Adv) to find the solution ( _Adv , modifier _Adv ) can become more complex. Thus, the security of the network can be further strengthened.

8 shows an example in which the communication distance between the terminal 200 and the server 300 is extended in the certificate issue process.

Referring to FIG. 8, the repeater 400A and 400B relay the communication between the terminal 200 and the server 300, so that the communication distance between the terminal 200 and the server 300 can be increased. For example, the terminal 200 may receive a beacon message and a connection response message from the repeater 400A. The repeater 400A may receive a connection request message from the terminal 200. [ The server 300 may receive a connection request message from the repeater 400B. The repeater 400B may receive a connection response message and a beacon message from the server 300. [

9 is a graph comparing power consumed in the PAuthKey protocol and power consumed in the certificate issuing method according to the embodiment of the present invention.

Referring to FIG. 9, in the case of the PAuthKey protocol, 1056 mu J is consumed in the calculation process, and 988 mu J in the signal transmission / reception process can be consumed. On the other hand, according to the embodiment of the present invention, the calculation process can be simplified and the number of signal transmission / reception can be reduced. For example, according to the embodiment of the present invention, 302 mu J is consumed in the calculation process, and 705 mu J in the signal transmission / reception process can be consumed.

Hereinbefore, the certificate issuing method of the server 300 and the certificate obtaining method of the terminal 200 according to the exemplary embodiment of the present invention have been described with reference to FIG. 1 through FIG. According to the above-described embodiments, the security of the network can be enhanced in the process of issuing the certificate. Also, the amount of computation and the amount of power consumption required in the certificate issuing process can be reduced.

The methods according to the present invention can be implemented in the form of program instructions that can be executed through various computer means and recorded on a computer readable medium. The computer readable medium may include program instructions, data files, data structures, and the like, alone or in combination. The program instructions recorded on the computer readable medium may be those specially designed and constructed for the present invention or may be available to those skilled in the computer software.

Examples of computer readable media include hardware devices that are specially configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like. Examples of program instructions include machine language code such as those produced by the compiler 1, as well as high-level language code that can be executed by a computer using an interpreter or the like. The hardware devices described above may be configured to operate with at least one software module to perform the operations of the present invention, and vice versa.

It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined in the appended claims. It will be possible.

10, 200: terminal
20, 300: server

Claims (20)

A method of issuing a certificate performed by a server, the method comprising: generating a security identifier of the server;
Generating a first random number;
Storing a security identifier of the terminal;
Transmitting a beacon message including information on a public key of the server and information on the first random number;
Receiving, from the MS, a connection request message including information of a first EC point for a first secret random integer;
Verifying the first EC point using the security identifier of the terminal; And
And transmitting a connection response message including information for generating a private key of the MS when the verification of the first EC point is completed. The method according to claim 1,
The step of generating the security identifier of the server comprises:
Generating a private key of the server, calculating a public key of the server from the private key of the server, and calculating a security identifier of the server from the public key of the server. The method of claim 2,
The step of generating the security identifier of the server comprises:
And a security identifier of the server is calculated by applying a hash function to the public key and the PAN identifier of the server. The method according to claim 1,
Wherein verifying the first EC point comprises:
And comparing the hash function value of the first EC point and the PAN identifier with the security identifier of the UE. delete The method according to claim 1,
Wherein the connection request message further includes information on the first random number and the second random number generated by the terminal. The method according to claim 1,
The step of receiving the connection request message may include receiving a message integrity code for the connection request message,
And verifying a message integrity code for the connection request message. The method of claim 7,
Wherein verifying the message integrity code for the connection request message comprises:
Calculating a pairwise key from the private key of the server and the first EC point,
Calculating a symmetric link key from the pairwise key, a first random number generated by the server, a second random number generated by the terminal, a security identifier of the server, and a security identifier of the terminal,
And verifying a message integrity code for the connection request message using the symmetric link key. The method of claim 8,
Wherein the transmitting the connection response message comprises:
And a message integrity code for the connection response message generated using the symmetric link key. The method according to claim 1,
Generating a second secret random integer;
Calculating a second EC point for the second secret random integer;
Calculating an implicit certificate from the first EC point and the second EC point;
And computing an integer for deriving the private key of the terminal from the server's private key, the second secret random integer, and the implicit certificate,
Wherein the information for generating the private key of the terminal includes information on the implicit certificate and an integer for deriving the private key of the terminal. A method for obtaining a certificate of a terminal,
Generating a security identifier of the terminal;
Storing a security identifier of the server;
Receiving a beacon message from the server, the beacon message including information on a public key of the server and information on a first random number generated by the server;
Verifying the public key of the server using the security identifier of the server;
Transmitting a connection request message including information of a first EC point for a first secret random integer; And
And receiving a connection response message including information for generating a private key of the terminal from the server. The method of claim 11,
The step of generating the security identifier of the terminal comprises:
Generating the first secret random integer, computing the first EC point from the first secret random integer, and computing the security identifier of the terminal from the first EC point. The method of claim 12,
The step of generating the security identifier of the terminal comprises:
And calculating a security identifier of the terminal by applying a hash function to the first EC point and the fan identifier. The method of claim 11,
Wherein verifying the public key of the server comprises:
And comparing the hash function value of the public key and the fan identifier of the server with the security identifier of the server. The method of claim 11,
And generating a second random number. 16. The method of claim 15,
Wherein the connection request message further includes information on the first random number and the second random number. 16. The method of claim 15,
Wherein the step of transmitting the connection request message comprises transmitting a message integrity code for the connection request message together with the connection request message. 18. The method of claim 17,
Wherein the message integrity code for the connection request message comprises:
Calculating a pairwise key from the first secret random integer and the public key of the server,
Calculating a symmetric link key from the pairwise key, a first random number generated by the server, a second random number generated by the terminal, a security identifier of the server, and a security identifier of the terminal,
And encrypting the connection request message using the symmetric link key. 19. The method of claim 18,
Wherein the step of receiving the connection response message comprises receiving a message integrity code for the connection response message together,
And verifying a message integrity code for the connection response message using the symmetric link key. The method of claim 11,
The information for generating the private key of the terminal includes information on an implicit certificate and an integer for deriving the private key of the terminal,
Calculating the private key of the terminal from the implicit certificate, an integer for deriving the private key of the terminal, and the first secret random integer; And
And calculating a public key of the terminal from the private key of the terminal.

Images