TW202110127A - Secure communication key negotiation method - Google Patents


Info

Publication number
TW202110127A
Authority
TW
Taiwan
Prior art keywords
mobile device
key
reference value
signature
system time
Application number
TW108129480A
Other languages
Chinese (zh)
Other versions
TWI751433B (en)
Inventor
賴昌祈
吳錦松
劉政鋼
Original Assignee
中華電信股份有限公司 (Chunghwa Telecom Co., Ltd.)
Application filed by 中華電信股份有限公司
Priority to TW108129480A
Publication of TW202110127A
Application granted
Publication of TWI751433B

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The disclosure provides a secure communication key negotiation method suitable for a first mobile device. The method includes: generating a first random value; generating a first reference value from the first random value and a selected base point parameter of an elliptic curve; obtaining a first system time and producing, with a first private key, a first signature over the first reference value and the first system time; sending the first signature, the first reference value, the first system time and a first certificate to a second mobile device; receiving a second signature, a second reference value, a second system time and a second certificate from the second mobile device, and verifying the second mobile device accordingly; in response to the second mobile device being valid, generating a reference key and obtaining a session key from it; and establishing a secret end-to-end communication session with the second mobile device based on the session key.

Description

Secure communication key negotiation method

The present invention relates to a network communication security technique, and more particularly to a secure communication key negotiation method.

With the rapid advance of information technology, information and communication operations must be carried over open networks securely, so the exchange and transport of keys has become an important security issue. Moreover, to keep communication products from being implanted with malicious chips or backdoor programs and to protect user data from theft, how to build a secure secret communication system on a zero-trust network has become a pressing problem.

In view of this, the present invention provides a secure communication key negotiation method that can be used to solve the above technical problems.

The present invention provides a secure communication key negotiation method, comprising: generating a first random value by a first mobile device, where the first mobile device is equipped with a first secure chip element that stores a first private key and a first call request identity certificate; generating, by the first mobile device, a first reference value from the first random value and a selected base point parameter of an elliptic curve; obtaining, by the first mobile device, a first system time and producing, with the first private key, a first signature over the first reference value and the first system time; sending, by the first mobile device, the first signature, the first reference value, the first system time and the first call request identity certificate to a second mobile device; receiving, by the first mobile device from the second mobile device, a second signature, a second reference value, a second system time and a second call request identity certificate of the second mobile device, and verifying the second mobile device accordingly; in response to the second mobile device passing verification, generating, by the first mobile device, a reference key from the first random value and the second reference value, and deriving a session key from it; and establishing, by the first mobile device, end-to-end secret voice communication with the second mobile device based on the session key.

Based on the above, the method of the present invention lets the first mobile device and the second mobile device establish end-to-end secret voice communication after exchanging the session key. Secret, secure communication is thereby achieved without any intermediate communication server taking part in the key exchange.

To make the above features and advantages of the present invention clearer, embodiments are described in detail below with reference to the accompanying drawings.

In outline, the present invention proposes a process and architecture for secure communication key negotiation in an Internet system. Using an IP Private Branch Exchange (IP-PBX) server and Session Initiation Protocol (SIP) transport, it gives the Internet system a key-negotiated secure call service and encrypted voice calls; a trusted Internet certificate verification system performs reliable certificate management and real-time certificate status queries; a built-in hardware secure element raises the security of the mobile communication device; and an end-to-end secure session key negotiation mechanism ensures that call content cannot be eavesdropped by a third party, making encrypted calls between mobile communication devices safer and more reliable. The details are as follows.

Please refer to FIG. 1, a schematic diagram of a secure communication key negotiation system according to an embodiment of the present invention. As shown in FIG. 1, the system 100 includes communication operators 11a and 11b, a first mobile device 12a, a second mobile device 12b, a certificate authority (CA) server 13, an Online Certificate Status Protocol (OCSP) server 14 and an IP-PBX server 15.

In one embodiment, the first mobile device 12a (for example a smartphone, a tablet or any other communication device that can run secure VoIP communication software) has a first secure chip, which stores the first private key. For example, the first secure chip may be implemented as a thin overlay attached to the subscriber identity module (SIM) card of the first mobile device 12a. Without replacing the SIM card, the first secure chip can provide public key infrastructure (PKI) functions and serve as the identity verification device for establishing secure communication between the two parties.

In one embodiment, if the user of the first mobile device 12a wants to use the service proposed by the present invention, the user can apply to the communication operator 11a, via the first mobile device 12a, for the first secure chip element and a first SIP account. The communication operator 11a can then apply to the CA server 13, based on the user identity corresponding to the first mobile device 12a, for a first call request identity certificate corresponding to that user identity, and write the first call request identity certificate into the first secure chip element.

In one embodiment, the first call request identity certificate is a digital file containing the first public key and the identity information of its owner, used to prove ownership of the first public key. Through the signature on the certificate, the certificate authority attests that the certificate's contents were certified by it. When a certificate is verified, its validity period is also checked.

The communication operator 11a can then register the first SIP account with the IP-PBX server 15. In one embodiment, the OCSP server 14 can also establish the validity of the status of the first call request identity certificate. Briefly, OCSP is a standard PKI protocol for real-time online certificate status queries, through which the validity of a certificate is confirmed.

Likewise, if the user of the second mobile device 12b wants to use the service proposed by the present invention, the same operations can be carried out with the communication operator 11b to obtain, for the second mobile device 12b, a second secure chip element (containing a second private key), a second SIP account and a second call request identity certificate (which can be written into the second secure chip element and includes a second public key), although the present invention is not limited to this.

For ease of description, assume below that the first mobile device 12a and the second mobile device 12b want to carry out end-to-end secret communication by the method of the present invention. In this case, the first mobile device 12a and the second mobile device 12b can each install a specific VoIP application corresponding to the service of the present invention and log in to the IP-PBX server 15 through that application with the previously requested first SIP account and second SIP account, respectively.

The first mobile device 12a and the second mobile device 12b can then each run a defined procedure to produce the session key used to establish end-to-end secret communication, and communicate on the basis of that session key. This procedure is described in detail below with reference to FIG. 2.

Please refer to FIG. 2, which illustrates a secure communication key negotiation method according to an embodiment of the present invention. First, in step 201, the first mobile device 12a randomly generates a first random value (hereinafter Rb). In step 202, the first mobile device 12a generates a first reference value (hereinafter Pb(x, y)) from the first random value (Rb) and the selected base point parameter of the elliptic curve (hereinafter Q(x, y)). In one embodiment, the elliptic curve may be one of the curves defined for the Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) key exchange algorithm. Specifically, ECDHE is defined over several candidate elliptic curves, and the curve used in step 202 can be any one of them. The curve and its selected base point are known to both the first mobile device 12a and the second mobile device 12b, although the present invention is not limited to this. Accordingly, the first reference value can be expressed as Pb(x, y) = Rb * Q(x, y), where * is the elliptic curve point (scalar) multiplication operator; for details, refer to the ECDHE literature, which is not repeated here.

Then, in step 203, the first mobile device 12a obtains a first system time (hereinafter Tb) and uses the first private key (stored in the first secure chip) to produce a first signature over the first reference value (Pb(x, y)) and the first system time (Tb). In one embodiment, the first signature can be written as Signature(Pb(x, y) + Tb).

Next, in step 204, the first mobile device 12a sends the first signature (Signature(Pb(x, y) + Tb)), the first reference value (Pb(x, y)), the first system time (Tb) and the first call request identity certificate (hereinafter certificate B) to the second mobile device 12b.

In step 205, after receiving the first signature (Signature(Pb(x, y) + Tb)), the first reference value (Pb(x, y)), the first system time (Tb) and certificate B, the second mobile device 12b verifies the first mobile device 12a accordingly. Specifically, the second mobile device 12b verifies the first signature with the first public key in certificate B and produces a first verification result. Then the second mobile device 12b obtains its own second system time (hereinafter Ta) and determines whether the difference between the second system time (Ta) and the first system time (Tb) is smaller than a preset threshold, producing a second verification result. In one embodiment, if both the first and the second verification result pass, the second mobile device 12b determines that the first mobile device 12a has passed verification. Otherwise, if either the first or the second verification result fails, the second mobile device 12b determines that the first mobile device 12a has failed verification. The threshold therefore sets both the window in which a recorded message could be replayed and the clock skew the two devices can tolerate.

In one embodiment, after determining that the first mobile device 12a has passed verification, in step 206 the second mobile device 12b randomly generates a second random value (hereinafter Ra). In step 207, the second mobile device 12b generates a second reference value (hereinafter Pa(x, y)) from the second random value (Ra) and the selected base point parameter of the elliptic curve (Q(x, y)). For the details of step 207, refer to the description of step 202 above, which is not repeated here.

Next, in step 208, the second mobile device 12b uses the second private key (stored in the second secure chip) to produce a second signature over the second reference value (Pa(x, y)) and the second system time (Ta). In one embodiment, the second signature can be written as Signature(Pa(x, y) + Ta).

Next, in step 209, the second mobile device 12b sends the second signature (Signature(Pa(x, y) + Ta)), the second reference value (Pa(x, y)), the second system time (Ta) and the second call request identity certificate (hereinafter certificate A) to the first mobile device 12a.

In step 210, after receiving the second signature (Signature(Pa(x, y) + Ta)), the second reference value (Pa(x, y)), the second system time (Ta) and certificate A, the first mobile device 12a verifies the second mobile device 12b accordingly. Specifically, the first mobile device 12a verifies the second signature with the second public key in certificate A and produces a first verification result. Then the first mobile device 12a determines whether the difference between the first system time (Tb) and the second system time (Ta) is smaller than the preset threshold, producing a second verification result. In one embodiment, if both the first and the second verification result pass, the first mobile device 12a determines that the second mobile device 12b has passed verification. Otherwise, if either the first or the second verification result fails, the first mobile device 12a determines that the second mobile device 12b has failed verification.

In one embodiment, after determining that the second mobile device 12b has passed verification, in step 211 the first mobile device 12a generates a reference key (hereinafter Sb) from the first random value (Rb) and the second reference value (Pa(x, y)). In one embodiment, the reference key (Sb) can be expressed as Sb(x, y) = Rb * Pa(x, y), although not limited to this.

In addition, after the second mobile device 12b has sent the second signature (Signature(Pa(x, y) + Ta)), the second reference value (Pa(x, y)), the second system time (Ta) and certificate A to the first mobile device 12a, in step 212 the second mobile device 12b generates a reference key (hereinafter Sa) from the second random value (Ra) and the first reference value (Pb(x, y)). In one embodiment, the reference key (Sa) can be expressed as Sa(x, y) = Ra * Pb(x, y), although not limited to this.

In one embodiment, the elliptic curve arithmetic guarantees that Sa equals Sb, since Ra * (Rb * Q(x, y)) = Rb * (Ra * Q(x, y)). That is, the reference keys produced in steps 211 and 212 are the same key (hereinafter S). Therefore, in one embodiment, the first mobile device 12a and the second mobile device 12b can each take the x-coordinate of S as the session key.

Once both the first mobile device 12a and the second mobile device 12b hold the session key, end-to-end secret voice communication between them can be established on that basis.

Please refer to FIG. 3, a schematic diagram of establishing end-to-end secret voice communication according to an embodiment of the present invention. In this embodiment, the two parties to a call use VoIP communication application software installed on mobile devices that access the same network. Voice call data is protected with end-to-end encryption: the private key in the secure chip element and the public key recorded in the certificate are used in an asymmetric key exchange to derive the session key that encrypts the voice call, and the voice packets exchanged by the two parties are encrypted with that session key using the symmetric Advanced Encryption Standard (AES). No intermediate communication server takes part in this, so the users' communication is encrypted directly end to end. The specific steps are as follows.

Step 301: the first mobile device 12a and the second mobile device 12b both install the VoIP communication application software, connect to the IP-PBX server 15 over the network and log in via SIP. Step 302: the IP-PBX server 15 submits certificate A and certificate B to the OCSP server 14 for checking, and the OCSP server 14 returns the result. If the check succeeds, the returned message includes the certificate subject name (which contains the SIP account).

Step 303: the first mobile device 12a calls the second mobile device 12b via SIP to start a secret call. Step 304: the first mobile device 12a waits for the second mobile device 12b to answer. Step 305: once the second mobile device 12b answers, the communication applications on both sides automatically carry out the secure session key exchange (the mechanism shown in FIG. 2). Step 306: after the session key exchange succeeds, the two parties establish end-to-end secret voice communication with the session key.

In one embodiment, the session key is a one-time symmetric session key used only to encrypt this conversation; all participants use the same key to encrypt plaintext and decrypt ciphertext, and the key becomes invalid when the connection ends. To communicate again, the key generation and exchange steps are repeated. The session key must be produced by a secure protocol so that an attacker cannot predict its value; in any cryptographic system, failing to generate the session key (or any key) securely is a major design flaw.

In summary, the present invention uses certificates to verify the identity of the other party to the call and includes both parties' system times as signed parameters, so that a user's communication identity cannot be captured and reused. This prevents an attacker who has recorded and altered the traffic from resending forged messages under the user's identity, adding replay protection beyond that of Transport Layer Security (TLS); it keeps control of end-to-end communication security with the endpoints and removes any mechanism in which an intermediate communication server distributes keys, so that end users can protect the content of their communication. In addition, because the present invention encrypts call content with a one-time session key, it can be applied to multi-party communication groups; the session key expires when the connection ends, and a new key exchange is needed before the next conversation, which prevents an attacker from reproducing the same key value and gives the secret communication forward secrecy.

Although the present invention has been disclosed above by way of embodiments, they are not intended to limit it. Anyone with ordinary skill in the art may make minor changes and refinements without departing from the spirit and scope of the present invention, so the scope of protection of the present invention is defined by the appended claims.

100: system; 11a, 11b: communication operators; 12a: first mobile device; 12b: second mobile device; 13: CA server; 14: OCSP server; 15: IP-PBX server; 201 to 212, 301 to 306: steps

FIG. 1 is a schematic diagram of a secure communication key negotiation system according to an embodiment of the present invention. FIG. 2 illustrates a secure communication key negotiation method according to an embodiment of the present invention. FIG. 3 is a schematic diagram of establishing end-to-end secret voice communication according to an embodiment of the present invention.


Claims (11)

一種安全通訊金鑰協商方法,包括: 由一第一行動裝置隨機產生一第一隨機值,其中該第一行動裝置配置有一第一安全晶片元件,該第一安全晶片元件儲存有一第一私鑰及一第一通話請求身分憑證; 由該第一行動裝置基於該第一隨機值及一橢圓曲線的一選定基點參數產生一第一參考值; 由該第一行動裝置取得一第一系統時間,並以該第一私鑰製作該第一參考值及該第一系統時間的一第一簽章; 由該第一行動裝置發送該第一簽章、該第一參考值、該第一系統時間及該第一通話請求身分憑證至一第二行動裝置; 由該第一行動裝置從該第二行動裝置接收該第二行動裝置的一第二簽章、一第二參考值、一第二系統時間及一第二通話請求身分憑證,並據以驗證該第二行動裝置; 反應於該第二行動裝置通過驗證,由該第一行動裝置基於該第一隨機值及該第二參考值產生一參考金鑰,並據以取得一會話金鑰;以及 由該第一行動裝置基於該會話金鑰與該第二行動裝置建立一端對端語音秘密傳輸通訊。A method for negotiating a secure communication key, including: A first random value is randomly generated by a first mobile device, wherein the first mobile device is configured with a first secure chip element, and the first secure chip element stores a first private key and a first call request identity certificate; Generating a first reference value by the first mobile device based on the first random value and a selected base point parameter of an elliptic curve; Obtaining a first system time from the first mobile device, and using the first private key to create the first reference value and a first signature of the first system time; Sending the first signature, the first reference value, the first system time, and the first call request identity certificate to a second mobile device by the first mobile device; The first mobile device receives a second signature, a second reference value, a second system time, and a second call request identity certificate of the second mobile device from the second mobile device, and verifies the identity certificate accordingly Second mobile device In response to the verification of the second mobile device, the first mobile device generates a reference key based on the first random value and the second reference value, and obtains a session key accordingly; and The first mobile device establishes an end-to-end secret voice transmission communication with the second mobile device based on the session key. 
2. The method of claim 1, wherein the first secure chip element is attached to the subscriber identity module (SIM) of the first mobile device.

3. The method of claim 1, further comprising:
the first mobile device applying to a communication operator for the first secure chip element and a first Session Initiation Protocol (SIP) account;
the communication operator applying, based on a user identity corresponding to the first mobile device, to a certificate verification server for the first call request identity certificate corresponding to that user identity, and writing the first call request identity certificate into the first secure chip element; and
the communication operator registering the first SIP account with a VoIP switchboard (PBX) server.

4. The method of claim 3, further comprising:
an Online Certificate Status Protocol (OCSP) server establishing the validity of the status of the first call request identity certificate.

5. The method of claim 4, wherein, before the step of the first mobile device generating the first random value, the method further comprises:
the first mobile device logging in to the VoIP switchboard server with the first SIP account;
the VoIP switchboard server requesting the OCSP server to verify the certificate status of the first call request identity certificate; and
in response to the certificate status of the first call request identity certificate being valid, the VoIP switchboard server allowing the first mobile device to generate the first random value.

6. The method of claim 1, further comprising:
the second mobile device randomly generating a second random value, wherein the second mobile device is provided with a second secure chip element, and the second secure chip element stores a second private key and a second call request identity certificate;
the second mobile device generating a second reference value based on the second random value and the selected base point parameter of the elliptic curve;
the second mobile device obtaining a second system time and creating, with the second private key, a second signature of the second reference value and the second system time;
the second mobile device sending the second signature, the second reference value, the second system time and the second call request identity certificate to the first mobile device;
the second mobile device receiving from the first mobile device the first signature, the first reference value, the first system time and the first call request identity certificate of the first mobile device, and verifying the first mobile device accordingly;
in response to the first mobile device passing verification, the second mobile device generating the reference key based on the second random value and the first reference value, and obtaining the session key accordingly; and
the second mobile device establishing the end-to-end secret voice transmission communication with the first mobile device based on the session key.

7. The method of claim 1, wherein the elliptic curve is selected from an Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange algorithm.

8. The method of claim 1, wherein the first reference value is expressed as:
Pb(x, y) = Rb * Q(x, y),
where Rb is the first random value, Q(x, y) is the selected base point parameter of the elliptic curve, and * is an elliptic curve point multiplication operator.

9. The method of claim 1, wherein the first signature is expressed as:
Signature(Pb(x, y) + Tb),
where Pb(x, y) is the first reference value and Tb is the first system time.

10. The method of claim 1, wherein the reference key is expressed as:
Sb(x, y) = Rb * Pa(x, y),
where Rb is the first random value, Pa(x, y) is the second reference value, and * is an elliptic curve point multiplication operator.

11. The method of claim 1, wherein the second call request identity certificate includes a second public key corresponding to the second mobile device, and the step of verifying the second mobile device comprises:
verifying the second signature based on the second public key, and producing a first verification result;
determining whether a time difference between the second system time and the first system time is less than a preset threshold, and producing a second verification result;
in response to both the first verification result and the second verification result being a pass, determining that the second mobile device passes verification; and
in response to either the first verification result or the second verification result being a fail, determining that the second mobile device fails verification.
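The handshake of claims 6 and 8 to 11, as an added Python example built on the `cryptography` library (this is not the patent's or the applicant's code): each device signs its ephemeral reference value and system time with its long-term identity key, the receiver checks that signature against the public key carried by the peer's certificate and checks the timestamp against a threshold, and only after both checks pass derives the reference key S = R * P_peer and the session key. Assumptions not fixed by the claims: the curve (P-256), the preset threshold (30 seconds), that "+" in Signature(Pb(x, y) + Tb) denotes concatenation, that the call request identity certificate is reduced to its public key (no OCSP lookup), and HKDF-SHA256 for turning the reference key into the session key.

```python
from dataclasses import dataclass
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

CURVE = ec.SECP256R1()   # assumption: the claims name ECDHE but fix no curve
MAX_SKEW = 30            # assumption: the "preset threshold" in seconds
SIG = ec.ECDSA(hashes.SHA256())

def point_bytes(pub):
    """Encode a point P(x, y) as an uncompressed X9.62 point."""
    return pub.public_bytes(serialization.Encoding.X962,
                            serialization.PublicFormat.UncompressedPoint)

@dataclass
class Hello:
    """The four items each device sends: signature, reference value, system time, certificate (public key only)."""
    sig: bytes
    ref: bytes
    t: int
    cert_pub: bytes

class Device:
    def __init__(self):
        self.id_key = ec.generate_private_key(CURVE)   # long-term key, as held in the secure chip
        self.cert_pub = point_bytes(self.id_key.public_key())
        self.eph = None                                 # holds the random value R after hello()

    def hello(self, now):
        """Generate R, compute P = R * Q and sign P || T with the identity key (claims 8 and 9)."""
        self.eph = ec.generate_private_key(CURVE)
        ref = point_bytes(self.eph.public_key())
        sig = self.id_key.sign(ref + now.to_bytes(8, "big"), SIG)
        return Hello(sig, ref, now, self.cert_pub)

    def session_key(self, peer, now):
        """Verify the peer (claim 11); on success derive S = R * P_peer (claim 10) and the session key."""
        cert_key = ec.EllipticCurvePublicKey.from_encoded_point(CURVE, peer.cert_pub)
        try:                                            # first verification result: signature
            cert_key.verify(peer.sig, peer.ref + peer.t.to_bytes(8, "big"), SIG)
        except InvalidSignature:
            return None
        if abs(now - peer.t) >= MAX_SKEW:               # second verification result: freshness
            return None
        peer_ref = ec.EllipticCurvePublicKey.from_encoded_point(CURVE, peer.ref)
        shared = self.eph.exchange(ec.ECDH(), peer_ref)  # x-coordinate of S(x, y) = R * P_peer
        # assumption: the claims leave the derivation open; HKDF-SHA256 is used here
        return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                    info=b"secure-call-session").derive(shared)
```

Both sides run hello() first and then feed the peer's Hello into session_key(); a None result means the peer failed verification and no key is established.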
TW108129480A 2019-08-19 2019-08-19 Secure communication key negotiation method TWI751433B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW108129480A TWI751433B (en) 2019-08-19 2019-08-19 Secure communication key negotiation method

Publications (2)

Publication Number Publication Date
TW202110127A true TW202110127A (en) 2021-03-01
TWI751433B TWI751433B (en) 2022-01-01

Family

ID=76035590

Country Status (1)

Country Link
TW (1) TWI751433B (en)

