KR20060113786A - Accessing protected data on network storage from multiple devices - Google Patents

Abstract

The present invention relates to a method and a system of securely storing data on a network (100) for access by an authorized domain (101, 102, 103), which authorized domain includes at least two devices that share a confidential domain key (K), and an authorized domain management system for securely storing data on a network for access by an authorized domain. The present invention enables any member device to store protected data on the network such that any other member device can access the data in plaintext without having to communicate with the device that actually stored the data.

Description

Accessing protected data on network storage from multiple devices

The present invention provides a method of securely storing data on a network for access by devices belonging to an authorized domain, an authentication domain management system for securely storing data on a network for access by devices belonging to an authorized domain, Master device included in the authentication domain management system for securely storing data on the network, Candidate device included in the authentication domain management system for securely storing data on the network, and devices belonging to the authentication domain. A method for removing from the authentication domain, a system for removing devices belonging to an authentication domain from the authentication domain, a computer program comprising elements executable on a computer for causing a device to perform the method according to the invention, data stored on a network For It relates to a system for controlling access to data stored on the method of controlling the access and network.

Storing data on a network is a way of providing back-up storage of the data as well as allowing multiple devices to access the same data. This is a common way for companies and companies to store their data, for example on servers. Since the access to the data is only allowed to company employees and therefore not to external users, the data storage method does not result in any fundamental security issues for companies.

However, when users wish to store data on a network accessible to other users who are not necessarily trusted, they may hesitate to store sensitive data such as personal information. This is because the users are concerned that someone who accesses the storage server (administrator, hacker who breaks into the server, etc.) can access their sensitive data. A common and simple technique for providing a secure means for the data is to encrypt the data using a password. Typically, however, passwords require manual entry by the user. This actually limits the length of the available passwords and the number of possible passwords, which makes the password based security system vulnerable to attacks. In order to alleviate the user's distrust of network storage, it is desirable to give the user the ability to grant access to data only to the device set of his choice. Devices included in the set are referred to as "authorized devices." An authorized domain is typically defined as a group of trusted devices—domain member devices—that are allowed to access a set of resources or services. In the authentication domain, the security level should be rather high, since passwords are generally not used. In addition, domain members should be able to access the same data at the same time, and this typically does not require the relevant devices to communicate directly with each other. For this reason, it is not appropriate to use solutions based on single access-enabled smart cards instead of passwords.

One of the major problems associated with authentication domains is the distribution and management of encryption / decryption keys for domain members / devices. The other major problem faced when designing authentication domains is the resulting tradeoff between the high level of security on the one hand and the need for complexity prohibition in the management of encryption / decryption keys on the other hand. Typically, high levels of security mean complex and advanced key management operations.

It is an object of the present invention to provide a solution which solves the problems given above and facilitates the management of encryption keys in an authorized domain.

Another object of the present invention is to enable any domain member device to store protected data on a network so that any other domain member device can communicate with the device that actually stored the data. To access data in plain text without

The objects according to claim 1, the authentication domain management system according to claim 16, the master device according to claim 31, the candidate device according to claim 33, the method according to claim 35, and the method according to claim 40. A system, a computer program comprising computer-executable elements according to claim 45, a method for controlling access to data stored on a network according to claim 46 and a system for controlling access to data stored on a network according to claim 50 Can be achieved by

According to a first aspect of the present invention, there is provided a method for securely storing data on a network for access by devices belonging to an authentication domain, wherein the method comprises an authentication channel between a domain member device and a candidate device included in the domain. (authenticated channel) is set, and authentication data of the candidate device is transmitted through the set channel. The domain member device encrypts a secret domain key with an encryption key of the candidate device and stores an encrypted domain key, thereby including the candidate device in the domain. Encrypted data is stored on the network, which data is encrypted by a domain key in any storage domain member device.

According to a second aspect of the present invention, there is provided an authentication domain management system for securely storing data on a network for access by devices belonging to an authentication domain, the system comprising a domain member device and a candidate device included in the domain. Means for establishing an authentication channel, wherein channel authentication data of the candidate device is transmitted over the established channel. Also provided in the domain member device is a means for encrypting a secret domain key with the encryption key of the candidate device and storing an encrypted domain key, thereby including the candidate device in the domain. The system also includes means for storing encrypted data on a network, wherein the data is encrypted by a domain key in any storage domain member device.

According to a third aspect of the present invention, there is provided a master device included in an authentication domain management system for securely storing data on a network, the master device establishing an authentication channel to a candidate device included in the domain. Means prepared for transmitting the channel authentication data of the candidate device over the established channel. The master device also includes means for encrypting a secret domain key with an encryption key of the candidate device and means for encrypting data with the domain key. In addition, there are means for outputting the encrypted domain key and the encrypted data in the master device, and means for accessing the encrypted data stored on the network and for decrypting the data by the domain key.

According to a fourth aspect of the present invention, there is provided a candidate device included in an authentication domain management system for securely storing data on a network, wherein the candidate device is an authentication channel established in a master device included in the domain. Means for transmitting the authentication data via. The candidate device also includes means for encrypting a secret domain key with an encryption key of the candidate device and means for encrypting data with a domain key. Also provided are means for outputting the encrypted domain key and the encrypted data and means for accessing encrypted data stored on a network and decrypting the data by the domain key.

According to a fifth aspect of the present invention, there is provided a method for removing devices belonging to an authentication domain from the authentication domain, wherein when a domain member device is removed from the domain, the domain master device corresponds to the domain member device. Deletes the encryption key from the existing domain list and creates a new secret domain key. In addition, the master device encrypts a new domain key by each remaining encryption key, and generates a new message authentication code based on the new domain key and the remaining encryption keys. And each remaining encryption key is associated with a respective domain member device, and each remaining encryption key is obtained from the existing domain list. Further, the master device generates an updated copy of the domain list based on the new domain key and stores the updated domain list in storage capacity accessible to the domain member devices.

According to a sixth aspect of the present invention, there is provided a system for removing devices belonging to an authentication domain from the authentication domain, wherein the domain master device corresponds to the member device when a domain member device is removed from the domain. Means for removing the corresponding encryption key from the existing domain list and means for generating a new secret domain key. The master device is also provided with means for encrypting a new domain key with each remaining encryption key and generating a new message authentication code (MAC) based on the new domain key and the remaining encryption keys. A remaining encryption key is associated with each domain member device, and each remaining encryption key is obtained from the existing domain list. The master device is also provided with means for generating an updated copy of the domain list based on the new domain key and for storing the updated list in a storage device.

According to a seventh aspect of the invention, when the computer-executable elements are executed by a microprocessor included in an apparatus, it causes the apparatus to perform the steps described in any of claims 1-15. A computer program is provided that includes computer-executable elements.

According to an eighth aspect of the present invention, there is provided a method for controlling access to data stored on a network, wherein the access authentication is known to a network server and to devices that are allowed access to the data stored on the network. Access authentication data is generated. The network server also checks whether the device owns the access authentication data, and then the network server controls the device's access to the data stored on the network.

According to a ninth aspect of the present invention, there is provided a system for controlling access to data stored on a network, wherein the access authentication is known to a network server and devices that are allowed to access the data stored on the network. Means for generating data are provided. Means are also prepared for checking at the network server whether the device possesses the access authentication data, and then the network server controls the access of the device to the data stored on the network.

The idea of the present invention is that, first, when introducing a candidate device into the authentication domain, an authentication channel must be established by a domain member-a device already included in the domain and a device-a candidate device included in the domain. The use of the authentication channel assures the recipient that the identity of the information sender is not false. Many known channel setups are suitable for this purpose. For example, devices can exchange a limited amount of authentication information over a privileged side channel, a so-called location-limited channel, that allows them to authenticate each other. One example of a location-limited channel is an infrastructure (IR) or REID connection. The physical closeness of the communication devices required by the location-limited channel provides a reliability assessment for the information exchanged over the channel. The use of the authentication channel assures the user (i.e. the recipient of the authentication information) that the identity of the information sender is not false.

The candidate device then sends its encryption key to the domain member device. In order to include the candidate device in the domain, a secret domain key is encrypted by the encryption key of the candidate device. The encryption is performed at the domain member device, which then stores the encrypted domain key locally at some suitable location, such as a network or the device. Shared access of the domain member devices to the domain key is in effect associating the devices with the domain. As a result, after a copy of the domain key encrypted by the encryption key of the candidate device is stored on the network, the candidate device is included in the authentication domain. In other words, the candidate device becomes a domain member device. This is a procedure that must be performed for all devices newly included in the domain. Thus, for every device included in the domain, there is a copy of the corresponding encrypted domain key. That is, the copy of the corresponding encryption domain key is made up of a domain key encrypted by the encryption key of the associated device.

When a domain member device wants to store data on a storage device on a network, such as on a server, the domain member device uses the domain key to encrypt the data.

Multiple security requirements include: only a set of devices included in the domain, and thus selected by a domain administrator, are allowed to access data stored on the network; The administrator can manage the domain member device set to some extent easily; There is no need to manually enter keys that enable a higher level of protection by cryptographic mechanisms; It is possible for multiple devices to access the same data simultaneously; Finally, the present invention is effective because data access by domain member devices is satisfied by not requiring the devices to communicate with each other.

According to one embodiment of the invention, the cryptographic domain key is retrieved from the network storage device (or preferably from a local storage device). The domain key is encrypted by the encryption key of the domain member device and decrypted by using the decryption key of the device. After decryption, the domain key becomes plain text and thus can be used to encrypt data stored in the server by a member device.

According to another embodiment of the present invention, when a domain member device wants to access encrypted data stored in a server, the domain member device decrypts the data by using a domain key retrieved from the stored location. The domain key is encrypted by the encryption key of the accessing domain member device and decrypted by using the decryption key of the device. After decryption, the domain key becomes plain text and can thus be used to decrypt the data. If the device has the authority to change its fetched data on the network, the new data must be encrypted before it is stored on the network. The domain key is used to encrypt the data prior to storage.

The two embodiments are very effective because they allow any member device to access any data stored on the network in a less complicated and seamless manner. Since the domain key is always stored in some storage capacity accessible to domain member devices, there is no need to use a complex key distribution system in the authentication domain like most systems in the prior art.

According to other embodiments of the present invention, an encryption key used to encrypt a domain key is a public key of a candidate device (which later becomes a domain member device) and a decryption key used to decrypt an encryption domain key is selected from the candidate device. It is a private key, and the private key corresponds to the public key. Since the public keys do not need to be secret, the embodiment is a preferred embodiment with respect to the selection of encryption keys. This significantly simplifies the management of the keys. For the same reason, it is also possible to send copies of the public keys in plain text over a location-limited channel. Another advantage of using asymmetric key pairs is that digital signatures can be provided if necessary.

It is also possible to establish a secret communication channel between the domain member device and the candidate device, through which the encryption key of the candidate device is transmitted. This is necessary if the encryption key is a secret symmetric key of a candidate device (which later becomes a domain member device). In the case of symmetric encryption keys, the same key is used for encryption and decryption. Symmetric encryption of data does not require as much computation as asymmetric encryption. However, key management requirements are more stringent.

Note that, if the encryption key is a public key, although not required, it is possible to set up a secret channel and transmit the key over the secret channel.

According to another embodiment of the present invention, data encryption and the decryption of the encrypted data before storing the encrypted data on the network are performed by a file encryption key distinguished from the domain key. The file encryption key is generated by a pseudo random function that processes the domain key and domain identifier. For example, a domain key is associated with a domain identifier and the resulting concatenated data is entered into a pseudo random function. The function may be implemented in software using a computer algorithm or in hardware using a linear feedback shift register. Actual functions are known in the art and are not within the scope of the present invention. This has the advantage that significant key independence is achieved: even if a third party attempts to decrypt the file encryption key, the third party cannot recover the domain key. Thus, legitimate domain members can generate new file encryption keys and encrypt new data files with the keys, preventing attackers from reading the data file.

According to another embodiment of the present invention, the action of including the device in the domain may be performed only by the master device included in the domain. Thus, the master device becomes the owner and manager of the authentication domain. This is desirable because it greatly facilitates domain management.

According to another embodiment of the present invention, the domain list is stored on the network. The list includes a domain identifier, the public key of each domain member device, a domain authentication key derived from the domain key and a message authentication code with the public keys, and an encryption domain key corresponding to each domain member device. As described below, the domain list is a structured way of defining the domain and storing domain information when performing revocation of devices from the network. The domain authentication key may be generated in the same manner as the file encryption key described above, that is, using a pseudo random function. Message authentication codes are a mechanism for providing message authentication using cryptographic hash functions.

According to another embodiment of the invention, when a domain member device is to be removed from a domain, that is, when the domain member device is discarded, the master device deletes the corresponding public key from the domain list. The master device also generates a new secret domain key. The new domain key is encrypted by each remaining public key obtained from the domain list and a new message authentication code is generated based on the new domain key and the remaining public keys. In addition, an updated copy of the domain list is generated on the master device based on the new domain key. The updated list is stored on the network in addition to the existing domain list. When an updated list is created and a new list is added to an existing list, since both lists exist, data stored on the network and encrypted by the previously used domain key is stored in the new domain key. Is not re-encrypted. When the remaining devices access the encrypted data stored on the network, they re-encrypt the encrypted data by the new domain key. When all data is re-encrypted by the new network key, the existing network list is no longer needed. If a new device is included in the domain, the new device must also be included in the existing domain lists because the new device must have access to the existing domain keys in order to access the data encrypted by the existing keys.

According to another embodiment of the present invention, instead of adding the updated domain list to the existing domain list, the existing domain list is replaced by the updated list. The encrypted data stored on the network is also decrypted by the existing domain key at the master device and encrypted by the new domain key before being stored on the network. This embodiment has the advantage that the existing domain lists do not need to be maintained on the network since all data is re-encrypted by the new domain key and thus the existing domain key is no longer needed.

According to another embodiment of the present invention, each domain key also has an associated usage counter that forms part of the domain list. When a new domain key is generated, the counter is typically initialized to zero. When the file is encrypted by the domain key, the counter is incremented. When the file is decrypted by the domain key, the counter is decremented. If the domain key of the existing domain list is no longer used, i.e. if the usage counter of the existing domain list is zero and another domain list is added to the existing domain list, the existing domain list can be deleted. An advantage of this embodiment is that existing domain lists can be deleted without having to re-encrypt all data files at the same time.

In addition, in one aspect of the present invention, an access control function is provided that ensures that only members of a domain can modify (or possibly read) files belonging to the domain. Preferably the access control function is based on the following principle: domain-specific access rights are managed by a network server, while file protection by encryption and domain group membership is the domain members themselves. Based on the principle of being managed by The advantages of separating domain management from the server are that existing access control methods can be used and that the server is freed from the complex task of domain membership management. Another advantage is that if the server is considered untrusted, security can be enhanced by separating the server from domain management.

Further features and advantages of the present invention will become apparent upon review of the appended claims and the following description. It will be apparent to those skilled in the art that different features of the present invention can be combined to implement the embodiments and other embodiments described below.

Preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings.

1 is a diagram illustrating a plurality of devices included in an authentication domain.

2 is a diagram illustrating a method of including a candidate device in an authentication domain according to an embodiment of the present invention.

3 is a flowchart illustrating a domain key encryption method according to an embodiment of the present invention.

4 is a flowchart illustrating a domain key encryption method according to another embodiment of the present invention.

5 is a flowchart illustrating a data storage and retrieval method on a network according to an embodiment of the present invention.

6 is a flowchart illustrating a method of removing a domain member device from a domain according to an embodiment of the present invention.

7 is a flowchart illustrating a method of deleting an existing domain list when a domain member device is removed from a domain.

1 shows a number of devices interconnected via a network 100 such as the Internet, a wireless local area network (WLAN), a public switched telephone network (PSTN), and the like, such as mobile phones 101, computers 102, individuals A portable information terminal (PDA) 103, a server 104, and the like are shown. An authorized domain is typically defined as a group of devices that are interconnected as trusted devices that are allowed to access a set of resources or services. The interconnection may be implemented via, for example, a wireless interface, an infrastructure interface, a cable interface, or the like. In FIG. 1, mobile phone 101, computer 102 and PDA 103 are domain member devices that store data in network server 104.

One of the main advantages of the present invention is that the network server does not need to be included in the authentication domain. The server may be any (untrusted) storage media provider.

In the authentication domain shown in FIG. 1, a domain management application that allows a user to define authentication domain parameters and / or regulations for access to network data and distributes encryption / decryption keys to domain members. application). Typically the domain management application includes a file browser installed on domain member devices included in the domain. This allows device users to easily browse through the data stored on the network.

2, when a candidate device 202 is included in the domain, a master device 201 included in the domain is connected to the candidate device, that is, a device included in the authentication domain. It is typical to set (connection; 203). The setting is typically accomplished by a microprocessor executing appropriate software provided by the domain management application as the microprocessor 205 of the master device. The microprocessor is the brain of each device and performs all the computation / processing operations given by each device. The candidate device is also equipped with a microprocessor 206 that executes domain management software.

The minimum requirement for the established connection-or channel-203 is that the channel must be able to be considered authenticated, for example based on physical proximity between the communicating devices.

It should be ensured that the information exchanged over the channel allows the two devices 201, 202 to mutually authenticate later. For example, the devices may exchange a limited amount of authentication information over a privileged side channel, a so-called location-limited channel 203, which information may then cause the devices to exchange. Complete an authenticated key exchange protocol for the wireless channel 204 and secure the wireless channel 204 based on the exchanged keys.

In the master device 201, a user starts the domain management application and puts the master device 201 and the candidate device 202 in physical proximity to each other (location-limited channel is determined by means of IR or RFID technology means. Is set). In the candidate device 202, an application launches automatically and prompts the user. The prompt is "Accept introduction from master device"? Is displayed. Three choices are available: "Accept", "Reject" and "Edit". The edit button can be used to edit a number of parameters that are shown to the user. When the user clicks the "OK" button, the application silently completes execution. For the master device 201, the procedure is the same.

Referring to FIG. 3, in the basic pre-authentication steps, as shown in step S301, the devices exchange their public key authentication information via a location-limited channel. The information actually exchanged can be the security "traces" of the public keys themselves, their certificates, or simply keys using cryptographic hash functions such as SHA-1. The only requirement is that the information exchanged should allow the recipient to verify the authenticity of the key used in the authentication protocol of the (non-location-limited) wireless channel.

The devices can exchange the values, or traces, of their respective public keys in a pre-authentication step over any type of channel, eg a wireless channel or cable such as IR, radio or audio. For convenience, each device 201, 201 may also transmit its own address (eg, IP address and port number, or Bluetooth device address) in the wireless space. Accordingly, the master device 201 may transmit the hash value of its address and its public key to the candidate device 202. The candidate device then sends its address and a hash value of its public key to the master device. The pre-authentication data is used for mutual authentication of the devices via a confidential channel 204.

Once pre-authentication is complete, the devices proceed to step S302 of establishing a secure connection between them via the wireless channel 204. Because of this, the devices require all established public-key-based key exchange protocols (e.g. SSL / TLS, SKEME, IKE, etc.) to require them to prove possession of a particular private key. In this case, the private key will correspond to the public key authentication information of the pre-authentication step. The choice of key exchange protocol will affect the exact form of pre-authentication data being exchanged, especially whether parties will exchange their complete public keys or just their traces. Will give. If the key exchange protocol used in the wireless link explicitly transmits public keys or certificates, it is only traces of the public keys that need to be exchanged in the pre-authentication phase. It is then possible to limit the amount of pre-authentication data exchanged over the location-limiting channel. Instead, if the key exchange protocol requires parties to already have each other's public keys, then the keys themselves must be exchanged during the pre-authentication phase. In this particular case, the devices exchange public keys over the secret channel 204.

In order to include the candidate device 202 in the domain, the secret domain key is encrypted by the public encryption key of the candidate device (S303). This is performed in the domain member device 201, and the domain member device then stores the encryption key on the network 100 (S304). The candidate device then becomes a member device of the authentication domain.

In another embodiment of the present invention, the public key may be exchanged over the position-limited channel 203 when an asymmetric key pair is used. Referring to FIG. 4, as shown in step S401, devices 201 and 202 exchange authentication information associated with their public keys as well as their public key via the location-limited channel.

Accordingly, the master device 201 transmits the hash value of its address, its public key, and its public key to the candidate device 202. Thereafter, the candidate device 202 transmits a hash value of its address, its public key, and its public key to the master device 201. Pre-authentication data can be used for mutual authentication of the devices. Since the public keys do not need to be secret, it is possible to send the public keys in plain text over a location-limited channel. Thereafter, similarly to the procedure of FIG. 3, in step S402, the public key of the candidate device, 202, is included in the domain, in order to include the candidate device 202 in the domain. In the master device 201, which has already been sent via), the secret domain key is encrypted. The master device then stores the encrypted domain key on a network, typically in a remote network storage device such as a server (S403).

Once the candidate device 202 becomes a domain member device, the secret symmetric key of the candidate device 202 can also be used for encryption / decryption of the domain key in the pre-authentication step. In that case the hash values of the symmetric keys can be sent over the position-limited channel 203 and the symmetric keys are encrypted before being sent over the wireless channel 204.

When the device is included in the authentication domain, the domain list is stored on the network. The domain list may be stored in the server 104 as encrypted data files. In the case where multiple domain lists are stored in multiple network servers, domain member devices recognize the server used for storing each domain list. This can be implemented by sending a notification from the master device to each domain member device indicating which list is stored on which server.

The list above is:

Domain identifier;

The public key (PK1, PK2, ...) of each domain member device;

A message authentication code MAC having a domain authentication key KA derived from each public key and domain key K; And

Encryption domain keys (EPK1 (K), EPK2 (K), ...) corresponding to each domain member device.

In the following, the list is illustrated schematically.

Domain ID (PK1, PK2, ...) MAC (KA, PK1│PK2│ ...) EPK1 (K) EPK2 (K) ......

As described below, the domain list is a structured way of defining domains and storing domain information when excluding devices from the domain. The domain authentication key KA is generated by a pseudo random function based on the domain key K and the domain ID. In an exemplary embodiment, the domain key is associated with the domain identifier and consequent resulting concatenated data is input to the pseudo random function. The function may be implemented in software using a computer algorithm or in hardware using a linear feedback shift register. Message authentication code is a mechanism for providing message authentication using cryptographic hash functions. The domain list may also have a timestamp to facilitate management operations. The timestamp is in the form of the last calendar time the domain list was changed, or generated by a counter that is initialized to zero when the domain list is created and increments each time when the domain list is changed. Can be. Since each domain member device draws its own encryption domain key, ie its component from the domain list, all domain member devices must be able to access the domain list.

Referring to FIG. 5, when a domain member device, such as a PDA 101, wishes to store data in a network storage device on a network 100, such as a server 104, the PDA is a domain withdrawn from the server 104. The data is encrypted by using the key k (S501). The copy of the specific domain key is encrypted by the public key of the PDA and stored in the domain list, and is decrypted by using the private key of the PDA. The domain key is used to encrypt data stored on the server. The encrypted data is then stored on the network (S502).

When a domain member device, e.g., computer 102, wants to access encrypted data stored in the server 104, the computer fetches the encrypted data on the network (S503) and the domain key (K) withdrawn from the server. ) To decode the data. The domain key is already encrypted by the computer's public key and decrypted by using the computer's corresponding private key. After decryption, the domain key K may be used to decrypt the data (S504). As a result, the data becomes plain text.

If the computer is allowed to change the data, the changed data must be re-encrypted by the computer before being stored on the network.

When data is encrypted and stored on the network, the encryption can be performed by a file encryption key KE. The file encryption key is generated in the same manner as the domain authentication key KA, using the domain key as a seed.

Referring to FIG. 6, when a domain member device is excluded from the authentication domain, the domain master device deletes the corresponding public key (or symmetric key if symmetric encryption is used) from the domain list (S601). In addition, the domain master device generates a new secret domain key K '(S602). The new domain key is encrypted by the public key of each remaining domain member device which is the public keys obtained from the domain list (S603), and a new message authentication code is generated based on the new domain key and the remaining domain public keys. do. After the changes, an updated domain list is generated at the master device (S604). The updated list is added to the existing domain list and stored on the network.

In the following, the updated list is schematically illustrated. Note that only the updated list is illustrated below. The updated list is added to the illustrated existing list.

Domain ID (PK1, PK2, ...) MAC (KA ', PK1│PK3│ ...) EPK1 (K ') EPK3 (K ') ......

The specific appearance of the updated list means that the domain member device corresponding to PK2 has been removed from the domain.

When an updated list is created and added to an existing list, since both lists are still present, the data stored on the network and encrypted by the existing domain key (K ') are added to the new domain key (K'). It does not need to be re-encrypted by. When the remaining domain member devices access the encrypted data stored on the network, they encrypt the data with a new domain key. When all data has been re-encrypted with the new domain key, the existing network list can be deleted.

In Figure 7, another approach used when a domain member device is removed from a domain is to delete the existing domain list. This means that encrypted data stored on the network must be decrypted by the existing domain key K in the master device (S701) and encrypted by the new domain key K 'before being stored on the network again (S702). It results.

In one embodiment of the invention, each domain key has an associated usage counter that forms part of a particular domain list to which the domain key belongs. The counter is initialized when a new domain key is generated. Also, the counter is incremented when the data file is encrypted by the new domain key and decremented when the data file is decrypted by the new domain key. This has the effect that the existing domain list can be deleted if the domain key of the existing domain list is no longer used. When the usage counter reaches its initialization value, which is typically zero, and when another domain list is added to the deleted domain list, the domain key is considered to be no longer used. As a result, existing domain lists can be deleted without having to re-encrypt all data files at the same time.

As mentioned above, the domain master device manages the domain. In theory, any domain member device can be used to include candidate devices in the domain. However, if any domain member device is allowed to perform domain management, such as adding / deleting devices to or from the domain, or exchanging domain keys, then the domain member devices verify the authenticity of the member list and generate a new domain list. You need to use it to generate it. This requires that the member list includes device IDs so that device IDs can be displayed to users of other domain member devices.

According to another aspect of the present invention, an access control function is provided that ensures that only members of a domain can change (or possibly read) files belonging to the domain. Preferably the access control function is based on the following principle: domain-specific access rights are managed by a network server, while file protection by encryption and domain group membership is managed by the domain members themselves. Is based on the principle of The advantage of separating domain management from the server is that existing access control methods can be used, and the server is freed from the complex task of domain membership management. Another advantage is that if you consider a server to be untrusted, you can increase security by separating it from domain management.

In an implementation of the access control function, as is commonly done in existing systems, access control is based on usernames and passwords. For example, there is a specific access key A known to both the server 104 and all member devices 101, 102, 103 in the domain. The access key A may be different for each domain. Only when the device proves that it knows the access key (A) for a particular domain can the network server cause the device to change files belonging to that particular domain.

In this embodiment, the device may prove itself to the network server by username = domain ID, and password = f (A), where f () is a one-way hash function of type SHA-1, for example. Alternatively, the device proves itself to the network server by encrypting the message with a common shared access key used to ensure that the message is sent by the access key holder at the network server. In order to prevent replay attacks, the server first sends a random number C to the device and the password calculation must include the random number. That is, password = f (A, C).

The access key A may be stored in a domain list. That is, the access key can be encrypted with a domain key K, individually for each device using the public key of each device: EPK1 (K, A), EPK2 (K, A) and the like. Then, if the member is removed from the domain, the domain master device generates a new access key A 'and passes the new key to the server. The new corresponding domain list will contain a new access key A '. Anyone can read the domain list. An advantage of the access control function is that users of domain member devices do not need to be aware of password-controlled access.

Members and nonmembers can equally read a new domain list, but only legitimate members can extract a new access key (A ') from the new domain list and thus change existing files or create new files. Can be. An additional advantage is that after the password is changed, the new password does not need to be distributed immediately to legitimate domain members.

Note that the access authentication data can be associated with the device group in a number of different ways. For example, it may be possible to (a) use the same access authentication data for users in multiple domains, or (b) use different access authentication data for each member, regardless of the domains.

In a first embodiment of the access control function, access authentication data is explicitly included in the domain list after being independent of the domain ID and domain key K and encrypted by the public key of each domain member device. Thus, the server does not need to be notified of the change of the domain key, which can be a reasonable trade-off between security and ease of management. If security is to be emphasized, although not strictly required, it is desirable that the access authentication data be changed when members are removed from the domain. Otherwise, revoked members can cause denial-of-service attacks on the system. In the second embodiment, access authentication data is derived deterministically from the domain ID and the domain key K, and consequently need not be explicitly included in the domain list. The access authentication data may be generated in a manner similar to that of the domain authentication key KA described above. The second embodiment requires that the server be notified each time a domain key is changed.

It will be apparent that the term "access authentication data" has different meanings depending on the context in which the term appears; For example, when using an access key A to generate a password, the password and corresponding username are interpreted as "access authentication data", while in other contexts the term "access authentication data" refers only to access key A. May contain only. Various modifications are possible for generating access authentication data, and modifications may be made to the above-described embodiments to generate data for device authentication in a network server without departing from the basic idea of using the access authentication information described above. It is obvious to those skilled in the art.

Although the present invention has been described with reference to specific exemplary embodiments in accordance with the present invention, various other changes, modifications, and the like will be apparent to those skilled in the art. Thus, as defined by the appended claims, the foregoing embodiments are not intended to limit the scope of the invention.

Claims (57)

In a method for securely storing data on a network for access by devices (101, 102, 103) belonging to an authorized domain: Establishing an authentication channel 203 between a domain member device 201 and a candidate device 202 included in the domain, wherein authentication data of the candidate device is established through the established channel; a setting step (S301) in which (authentication data) is transmitted; Encrypting a secret domain key with an encryption key of the candidate device at the domain member device (S303) and storing the encrypted domain key (S304) as Storing the candidate device in the domain; And Storing encrypted data on a network (S502), wherein the encrypted data is encrypted by the domain key in any storage domain member device (101, 102, 103) (S501). And a storage step. The method of claim 1, The storing step S304 of storing the encrypted domain key further includes locally storing the encrypted domain key in the domain member device 201 or storing it on the network 100. Data storage method, characterized in that. The method according to claim 1 or 2, The storage step (S304) of storing the encryption domain key is for retrieving an encryption domain key, and encrypting the encryption domain by a corresponding decryption key of any storage domain member device (101, 102, 103). Decrypting a domain key, the decryption step of encrypting the encryption domain key by an encryption key of the arbitrary storage domain member device. The data storage method according to any one of claims 1 to 3, wherein Accessing encrypted data stored on the network 100 (S503), and decrypting the encrypted domain key by a corresponding decryption key of an accessing domain member device (101, 102, 103), The encrypted data is decrypted by a domain key at the arbitrary access domain member device, the domain key is obtained by retrieving an encrypted domain key, and the encrypted domain key is encrypted by an encryption key of the arbitrary access domain member device. And a decrypting step. The method of claim 1, wherein the data storage method, Sending (S401) the encryption key from the candidate device 202 to the domain member device 201 via the authentication channel 203, wherein the encryption key is a public key; and The decryption key is a private key of the candidate device, and the private key corresponds to the public key. The method of claim 1, wherein the data storage method, Establishing a secret channel 204 between the domain member device 201 and the candidate device 202 included in the domain (S302), wherein an encryption key of the candidate device is transmitted through the set secret channel; The data storage method further comprises a setting step. The method of claim 6, And wherein said encryption key is a public key and said decryption key is a private key of said candidate device (202), said private key corresponding to said public key. The method of claim 6, And the encryption key is a secret symmetric key of the candidate device and the decryption key is the same key as the secret symmetric key. The method according to any one of claims 1 to 8, Encrypting data (S501) and decrypting the encrypted data (S504) before the storing step (S502) of storing the encrypted data on the network 100 include a domain key K and a domain identifier. And executing a pseudo random function based on a function input comprising a). The method according to any one of claims 1 to 9, And including a candidate device (202) in the domain is performed by a master device (201) included in the domain. The method of claim 10, wherein the data storage method, A message authentication code (MAC) having a domain identifier, an encryption key of each domain device, a domain authentication key KA derived from the encryption keys and the domain key K, and each Storing on the network (100) a domain list comprising an encryption domain key corresponding to a domain member device. The method of claim 11, wherein the data storage method, When a domain member device is removed from the domain (S601), at the master device (201), deleting the corresponding encryption key from the existing domain list; In step S602, generating a new secret domain key K 'at the master device; In the master device, encrypt the new domain key by each remaining encryption key obtained from the existing domain list (S603) and a new message authentication code based on the new domain key and the remaining encryption keys. Generating a; And Generating an updated copy of the domain list on the master device based on the new domain key (S604) and storing the updated domain list on the network 100. Way. The method of claim 12, The step of storing the updated domain list on the network 100 includes: And adding the updated domain list to the existing domain list. The method of claim 13, wherein the data storage method, When a new domain key is generated, initializing a usage counter; Incrementing the usage counter when a data file is encrypted by the new domain key; And Decrementing the usage counter when the data file is decrypted by the new domain key, and if the domain key of the existing domain list is no longer used, the existing domain list may be deleted, and the existing domain And that the domain counter of the list is no longer used is indicated by the usage counter reaching its initialization value and added to the domain list from which the domain list is deleted. The method of claim 12, wherein the data storage method, Decrypting (S701) the encrypted data stored on the network (100) by the domain key (K) in the master device (201); Encrypting (S702) the data by the new domain key (K ') and storing the encrypted data on a network at the master device; And And deleting the existing domain list (S703). In an authorized domain management system for securely storing data on a network for access by devices (101, 102, 103) belonging to an authorized domain: Means (205) for establishing an authentication channel (203) between a domain member device (201) and a candidate device (202) included in the domain, the candidate device over the established channel; Setting means for transmitting authentication data of the; At the domain member device, encrypt a secret domain key with an encryption key of the candidate device and store the encrypted domain key, thereby transferring the candidate device to the domain. Means for inclusion in; And Means (104) for storing encrypted data on a network, wherein said encryption data is encrypted by said domain key in any storage domain member device (101, 102, 103); Authentication domain management system comprising a. The method of claim 16, Wherein said encrypted domain key is stored locally on said domain member device (201) or on said network (100). The method of claim 16 or 17, wherein the authentication domain management system, Means (205, 206) for retrieving an encryption domain key and decrypting the encryption domain key by a corresponding decryption key of the any storage domain member device, wherein the encryption domain key is the arbitrary storage. And decrypting means encrypted by an encryption key of the domain member device. The system of claim 16, wherein the authentication domain management system is Means (205, 206) for accessing encrypted data stored on the network (100), and for decrypting the encrypted domain key by the corresponding decryption key of any accessing domain member device (101, 102, 103). Wherein the encrypted data is decrypted by a domain key at the arbitrary access domain member device, the domain key is obtained by withdrawing an encrypted domain key, and the encrypted domain key is added to the encryption key of the arbitrary access domain member device. Authentication domain management system, characterized in that it further comprises a decryption means encrypted by. The method of claim 16, wherein the authentication domain management system, Means 206 for transmitting the encryption key from the candidate device 202 to the domain member device 201 via the authentication channel 203, wherein the encryption key is a public key and And the decryption key is a private key of the candidate device, and the private key corresponds to the public key. The method of claim 16, wherein the authentication domain management system, Means 206 for establishing a secret channel 204 between the domain member device 201 and a candidate device 202 included in the domain, the encryption key of the candidate device being transmitted over the established secret channel; Authentication domain management system, characterized in that it further comprises a setting means. The method of claim 21, And wherein said encryption key is a public key and said decryption key is a private key of said candidate device (202), said private key corresponding to said public key. The method of claim 16, And said encryption key is a secret symmetric key of said candidate device (202) and said decryption key is the same key as said secret symmetric key. The method according to any one of claims 16 to 23, wherein Generated by executing a pseudo random function based on a function input comprising a domain key (K) and a domain identifier to encrypt the data before storing the encrypted data on the network 100 Authentication file management key characterized in that the file encryption key (file encryption key) is configured. The method according to any one of claims 16 to 24, Authorized domain management system, characterized in that a master device (201) included in the domain is configured to include a candidate device (202). The method of claim 23, wherein the authentication domain management system, A message authentication code (MAC) having a domain identifier, an encryption key of each domain device, a domain authentication key KA derived from the encryption keys and the domain key K, and each And means (104) for storing (104) a domain list on the network (100) comprising an encryption domain key corresponding to the domain member device. The system of claim 26, wherein the authentication domain management system, Means (205) for deleting, at the master device (201), a corresponding encryption key from an existing domain list when a domain member device is removed from the domain; Means (205) for generating a new secret domain key (K ') in the master device (201); In the master device, encrypt the new domain key by each remaining encryption key obtained from the existing domain list (S603) and a new message authentication code based on the new domain key and the remaining encryption keys. Means for generating (MAC); And Means for generating an updated copy of the domain list on the master device based on the new domain key and storing the updated domain list on the network 100 (205). Management system. The method of claim 27, wherein the authentication domain management system, Means (205) for adding the updated domain list to the existing domain list. The method of claim 28, Each domain key has an associated usage counter that forms part of a specific domain list to which the domain key belongs, the usage counter is initialized when a new domain key is created and the data file is initialized by the new domain key. Incremented when encrypted and decremented when the data file is decrypted by the new domain key, the existing domain list can be deleted if the domain key of the existing domain list is no longer used, and the domain key of the existing domain list is And no longer used is indicated by the usage counter reaching its initialization value and being added to the domain list from which the domain list is deleted. The method of claim 27, wherein the authentication domain management system, Means (205) for decrypting said encrypted data stored on said network (100) by said domain key (K) in said master device (201); Means (205) for encrypting the data with the new domain key (K ') and storing the encrypted data on a network at the master device; And Means (205) for deleting said list of existing domains. In a master device 201 included in an authorized domain management system for securely storing data on the network 100: Means (205) for establishing an authentication channel (203) by a candidate device (202) included in the domain, wherein authentication data of the candidate device is transmitted over the established channel; Setting means; Means (205) for encrypting a secret domain key with an encryption key of the candidate device; Means (205) for encrypting data with the domain key; Means (205) for outputting the encrypted domain key and the encrypted data; And Means (205) for accessing encrypted data stored on a network and for decrypting said data by said domain key. The method of claim 31, wherein the master device 201, Means (205) for establishing a secret channel (204) by the candidate device (202) included in the domain, further comprising setting means for transmitting an encryption key of the candidate device over the established secret channel (205). Master device, characterized in that. In a candidate device (202) included in an authorized domain management system for securely storing data on the network (100), Means (206) for transmitting authentication data via an authentication channel (203) established by a master device (201) included in the domain; Means (206) for encrypting a secret domain key with an encryption key of the candidate device; Means (206) for encrypting data with the domain key; Means (206) for outputting the encrypted domain key and the encrypted data; And Means (206) for accessing encrypted data stored on a network and for decrypting said data by said domain key. The method of claim 33, wherein the candidate device 202, And means (206) for transmitting said encryption key of said candidate device (202) over a secret channel established by said master device (201). In the method for removing devices (101, 102, 103) belonging to an authorized domain from the authorized domain, When a domain member device is removed from the domain (S601), at the domain master device 201, deleting an encryption key corresponding to the domain member device from an existing domain list; In step S602, generating a new secret domain key K 'at the master device; In the master device, the new domain key is encrypted by each remaining encryption key (S603) and a new message authentication code is generated based on the new domain key and the remaining encryption keys. Generating, wherein each remaining encryption key is associated with each domain member device, wherein each remaining encryption key is obtained from the existing domain list; And The master device generates an updated copy of the domain list based on the new domain key (S604) and stores the updated domain list in a storage capacity 104 that the domain member devices can access. And storing the device. 36. The method of claim 35 wherein A message authentication code (MAC) in which the domain list has a domain identifier, an encryption key of each domain device, a domain authentication key KA derived from the encryption keys and a domain key K, And an encryption domain key corresponding to each domain member device, and wherein the domain list is stored in the storage capacity (104). The method of claim 35 or 36, Storing the updated domain list in the storage capacity (104) further comprises adding the updated domain list to the existing domain list. The method of claim 37, wherein the device removal method is When a new domain key is generated, initializing a usage counter; Incrementing a usage counter when a data file is encrypted by the new domain key; And Decrementing the usage counter when the data file is decrypted by the new domain key, and if the domain key of the existing domain list is no longer used, the existing domain list may be deleted, and the existing domain And that the domain counter of the list is no longer used is indicated by the usage counter reaching its initialization value and added to the domain list from which the domain list is deleted. 36. The method of claim 35, wherein the device removal method is Decrypting (S701) the encrypted data stored in the storage capacity (104) by the domain key (K) in the master device (201); Encrypting (S702) the data by the new domain key (K ') and storing the encrypted data in the storage device at the master device; And And deleting the existing domain list (S703). In a system for removing devices (101, 102, 103) belonging to an authorized domain from the authorized domain, Means (205) for deleting, at a domain master device (201), a corresponding encryption key corresponding to the member device from an existing domain list when a domain member device is removed from the domain; Means (205) for generating a new secret domain key (K ') in the master device; At the master device, encrypt the new domain key with each remaining encryption key (S603) and based on the new domain key and the remaining encryption keys a new message authentication code (MAC). Means (205) for generating each remaining encryption key associated with each domain member device, wherein each remaining encryption key is obtained from the existing domain list; And Means (205) for generating an updated copy of the domain list on the master device based on the new domain key and storing the updated domain list in a storage capacity (104). Device removal system. 41. The system of claim 40, wherein the device removal system is A message authentication code (MAC) having a domain identifier, an encryption key of each domain member device, a domain authentication key KA derived from the encryption keys and a domain key K, and each And means (104) for storing in said storage capacity (104) a domain list comprising an encryption domain key corresponding to a domain member device. 42. The system of claim 40 or 41, wherein the device removal system is Means (205) for adding the updated domain list to the existing domain list. The method of claim 42, wherein Each domain key has an associated usage counter that forms part of the specific domain list to which the domain key belongs, which counter is initialized when a new domain key is created and the data file is initialized by the new domain key. Incremented when encrypted and decremented when a data file is decrypted by the new domain key, the existing domain list may be deleted if the domain key of the existing domain list is no longer used, and the domain key of the existing domain list Is no longer used, indicated by the usage counter reaching its initialization value and added to the domain list from which the domain list is deleted. 41. The system of claim 40, wherein the device removal system is Means (205) for decrypting said encrypted data stored in said storage capacity (104) by said domain key (K) in said master device (201); Means (205) at the master device for encrypting the data with the new domain key (K ') and storing the encrypted data in the storage capacity; And Means (205) for deleting the existing domain list. 16. When the computer-executable components are executed by microprocessors 205 and 206, which are included in devices 101, 102 and 103, the device causes any of the claims 1-15. A computer program comprising computer-executable elements to perform the steps described in. In a method of controlling access to data stored on a network (100): Generating access authentication data known to a network server (104) and devices (101, 102, 103) that are allowed to access the data stored on the network; At the network server, checking whether a device owns the access authentication data; And At the network server, controlling access by the device to the data stored on the network. 47. The method of claim 46 wherein The step of checking whether to possess the access authentication data comprises: checking the identity of the device at the network server 104 and authenticating the device by a cryptographic operation requiring the access authentication data. Access control method further comprising the step of. The method of claim 47, The device ID is an ID of a domain to which the device belongs, and the device authentication is performed by providing a hash value of the access authentication data to the network server (104). The method of claim 48, wherein the access control method, Storing a list of domains having copies of the access authentication data on network 100, wherein each copy is capable of accessing the data stored on the network; And storing the data encrypted by the public key. The method of claim 49, wherein the access control method, Generating new access authentication data at a domain master device 201 when member devices (101, 102, 103) are removed from the domain; Replacing an existing domain list with a new domain list with the new access authentication data; And And forwarding the new access authentication data to the network server (104). 51. The method of any one of claims 46-50. And the access authentication data is an access key (A). In a system for controlling access to data stored on a network (100): Means (205) for generating access authentication data known to a network server (104) and devices (101, 102, 103) that are allowed to access the data stored on the network; Means for checking at the network server whether a device owns the access authentication data; And Means for controlling access by the device to the data stored on the network at the network server. The method of claim 52, wherein The network server 104 further comprises means 205 for checking the identity of the device and for authenticating the device by a cryptographic operation that requires the access authentication data. Access control system. The method of claim 53, The device ID is an ID of a domain to which the device belongs, and the device authentication is performed by providing a hash value of the access authentication data to the network server (104). The method of claim 54, A master device 201 is further configured to store a domain list having copies of the access authentication data on the network 100, each copy being able to access the data stored on the network. Access control system, characterized in that encrypted by the public key of each device (101, 102, 103). The method of claim 55, The master device (201) comprises: means (205) for generating new access authentication data when member devices (101, 102, 103) are removed from the domain; Means (205) for replacing an existing domain list with a new domain list with the new access authentication data; And Means (205) for forwarding said new access authentication data to said network server (104). 57. The method of any of claims 52-56, And said access authentication data is an access key (A).

Images