WO2010106042A1 - Procédé de production de données de sécurisation, dispositif et programme d'ordinateur correspondant - Google Patents
Procédé de production de données de sécurisation, dispositif et programme d'ordinateur correspondant Download PDFInfo
- Publication number
- WO2010106042A1 WO2010106042A1 PCT/EP2010/053334 EP2010053334W WO2010106042A1 WO 2010106042 A1 WO2010106042 A1 WO 2010106042A1 EP 2010053334 W EP2010053334 W EP 2010053334W WO 2010106042 A1 WO2010106042 A1 WO 2010106042A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- entity
- secure
- security
- session
- security data
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/166—Implementing security features at a particular protocol layer at the transport layer
Definitions
- the present invention relates to the field of information exchange management performed between two entities of a communication network.
- the present invention relates to securing such exchanges.
- the published patent application WO 2008/145558 describes a method for securing exchanges in which a production of security data is performed for the implementation of a secure session between a first and a second entity, according to an establishment protocol.
- secure sessions such as SSL or TLS.
- This method makes it possible to partially solve the disadvantages posed by the implementation of the SSL and TLS protocols by non-secure entities.
- This method comprises an initialization of a third party secure entity, linked to the first entity, a generation of a part of the security data within the third entity and a transmission of the security data of the third secure entity to said first entity .
- the third entity is for example a JavaCard-type smart card that carries out part of the calculations necessary to establish the secure session.
- WO 2008/145558 makes it possible to initiate an exchange of data between two entities while having the assurance that the crypto graphics material necessary to establish the session has been designed in a secure manner.
- WO 2008/145558 can not be used alone when high performance is required and many secure sessions must run in parallel.
- the invention does not have these disadvantages of the prior art. Indeed, the invention relates to a method for producing security data, allowing the implementation of a secure session between a first and at least a second entity, according to a secure session establishment protocol.
- such a method comprises: a step of initializing a third secure entity linked to said first entity; a step of generating at least a part of said security data within said third entity; a first step of transmitting said generated security data from said third secure entity to said first entity; a second step of transmitting at least a portion of said security data generated within said third entity secure to at least a fourth secure entity previously initialized and linked to said third secure entity.
- the invention allows different secure entities, such as for example chips, smart cards, "dongles" to have security data, such as encryption data while not having the need to generate they themselves these data.
- security data such as encryption data while not having the need to generate they themselves these data. This data is generated through another secure entity and transmitted after creation to be reused thereafter.
- said third entity said master entity, generates at least a portion of a shared secret between said first and said second entity.
- said at least part of said generated security data transmitted to said at least one fourth entity, said slave entity comprises said shared secret in an encrypted form and at least one secure communication session identifier.
- said secure session establishment protocol is the SSL protocol.
- said secure session establishment protocol is the TLS protocol.
- said production method further comprises: a step of transmission, by said first entity, of at least one message to a functional unit "RECORD" implemented within said third entity; a step of receiving, by said first entity, at least one message from said functional unit "RECORD”; a step of calculating a set of keys by said third entity; a step of collecting said set of keys available by said first entity to said third entity.
- the invention is able to generate secrets shared by several secure entities, such as for example several smart cards, because the set of keys is calculated by the third entity.
- said second transmission step is implemented by a security module manager which obtains said security data from said third entity.
- said second transmission step is implemented during a recovery phase of said secure session.
- the invention also relates to a method of establishing a secure communication session between a first and at least a second entity, according to a secure session establishment protocol.
- a method of establishing a secure communication session between a first and at least a second entity comprises: a step of obtaining a session identifier and an ephemeral secret calculated during a previous secure communication session by a third secure entity linked to said first entity; a step of transmitting said session identifier and said ephemeral secret to a fourth secure entity, previously initialized and linked to said third secure entity; a step of establishing said secure communication session using said fourth secure entity.
- the invention makes it possible to use other secure entities, such as smart cards or javacards for the establishment of secure communication sessions that have been previously initialized by another secure entity. Accordingly, the invention allows parallel processing of multiple transactions, such as file downloads, using the services of multiple secure entities, while minimizing the time required for session establishment, while providing excellent security level.
- the invention also relates to a device for producing security data, enabling the implementation of a secure session between a first and at least a second entity, according to a protocol for establishing security data. secure sessions.
- a device for producing security data comprises: means for initializing a third secure entity, attached to said first entity; means for generating at least a part of said security data; means for transmitting said security data to said first entity; means for transmitting at least a portion of said security data generated within said third secure entity to at least a fourth secure entity previously initialized and linked to said third secure entity.
- said generation means and said transmission means are grouped together in a smart card.
- the invention also relates to a portable device, such as a USB token, comprising means for storing a security module manager and at least two card readers in SIM format and a device for production of security data as described above.
- the invention also relates to a computer program product downloadable from a communication network and / or stored on a computer-readable medium and / or executable by a microprocessor, and comprising program code instructions for the computer. execution of the production method as described above.
- the invention also relates to a computer program product downloadable from a communication network and / or stored on a computer-readable medium and / or executable by a microprocessor, and comprising program code instructions for the computer. execution of the session establishment method as described above. 4 LIST OF FIGURES
- FIG. 1 presents a block diagram of the method for producing secure data according to the invention
- FIG. 2 illustrates an exemplary implementation of the security method using a security module grid according to the invention
- FIG. 3 presents the logical architecture of a grid of security modules according to the invention
- FIG. 4 describes an architecture of a device for producing security data, also called a security module.
- the general principle of the invention is based on a joint implementation of a set comprising several security modules, and called security module grid.
- This grid of security modules thus comprises several secure entities involved in the establishment of the secure communication session.
- the invention solves the performance problems inherent in the use of external secure entities.
- the invention raises the level of security during the establishment of the secure session while maintaining the general performance of the authentication system consisting of entities wishing to establish a secure session (for example a client and a server ) and the security module grid (comprising the third and fourth entities) which is for example linked to the customer.
- the security module grid may be embodied in the form of one or more smart cards to be inserted in a specific card reader, of a "dongle” type module, for example to be inserted into a slot.
- type “USB” of the “Universal Serial Bus” of a computer or any other form allowing communication between the entity that wishes to establish the secure session and the security module grid.
- the grid of security modules can be dedicated to the implementation of a particular protocol such as SSL and / or TLS. However, this is not the only possible embodiment of the invention. It is indeed quite possible that the grid of security modules can implement several protocols to ensure greater interoperability.
- a security module designates, in the context of the invention, a chip usually qualified as "Tamper Resistant Device ", literally a” component that resists attacks ", which is able to handle physical and logical countermeasures.
- This security module includes an SSL / TLS software stack comprising the functional units HANDSHAKE, ALERT, CCS and RECORD which are well known to those skilled in the art.
- This security module communicates with a user entity (client or server) using a functional interface for exchanging SSL / TLS protocol messages and for obtaining at least four types of parameters: "keys_bloc", “cipher_suite” ",” SessionID "and the numerical value of the" master _secret ".
- the encrypted value of the "master-secret” ⁇ Master _secr and *) is obtained by means of a secret key shared between the different security modules and a public value knows, according to the relation,
- the user entity of the security module manages a communication layer and integrates the functional units ALERT and RECORD and optionally the functional units HANDSHAKE and CCS.
- the information from the APPLICATION layer is secured by the RECORD layer.
- the invention proposes to jointly implement the user entity and the security module grid to establish a secure session with a server. Cleverly, some of the steps necessary to establish the session is performed through the security module grid while the other part is performed by the user entity. It may be, in a particular embodiment of the invention, that the steps implemented by the user entity and by the security module grid differ each time a new secure session is created. In this way, it is more difficult to predict the general operation of the system and to attempt to force the security mechanism offered by the invention.
- a slave security module depends on a master security module without which it can not operate. More particularly, according to the invention, a master module is the only one capable of calculating a particular ephemeral secret (the "mastersecret", the latter term being used later). It will be recalled that the "mastersecret”, in the context for example of the implementation of the TLS protocol, is calculated during the so-called "Ml mode" phase. During this phase, the exchanges between the client and the server make it possible to calculate a common secret, shared between the client and the server and which serves as a basis for the creation of all the other encryption data necessary for the secure session.
- a slave module can use the "mastersecret" calculated by its master module to continue a session secure or to perform other operations during the secure session.
- a slave module enters into possession of the "mastersecret” via the master module with which it is associated. To do this, the master module distributes, according to the invention, this "mastersecret” to the slave modules, but in a secure manner.
- the distribution of the "mastersecret” is performed according to a particular protocol governing data exchanges between the master module and the slave module to which it is associated.
- a protocol can take the form of commands that are transmitted to these modules to enable the exchange.
- the identity of the user entity is linked only to the master module. This means that in the process of establishing the secure session, the user entity is not aware of the presence of the slave modules.
- the method for producing secure data comprises: an initialization step (100) of a security module 1001 (for example a smart card), attached to a first entity 1002 (for example a personal computer); a step of generating (101) a portion of the security data within the security module; a step of transmitting (102) the securing data of the security module to the first entity. a step of transmitting (103) at least a portion of said data of security generated within the security module 1001 to a second security module 1003 previously initialized and linked to the first security module 1001, thus forming a security module grid 1004 in which at least some security data is shared.
- a security module 1001 for example a smart card
- a first entity 1002 for example a personal computer
- generating (101) a portion of the security data within the security module
- the invention proposes a grid of security modules, used to establish secure data transmission sessions and which share data to establish these secure transmission sessions.
- a security module performs the functions of client or TLS server, its embedded software thus includes the functional units HANDSHAKE, ALERT, CCS and RECORD.
- FIG. 2 shows the TLS security module and its user, that is to say an application provided with a subset of the TLS stack, that is to say the RECORD and ALERT layers and optionally the CCS layers and HANDSHAKE.
- This user entity can be a client (for example a web browser client application) or a server (for example a web server managing secure sessions).
- a security module provides a functional interface that includes nine commands, SET-Credentials, Start, Process-TLS, GET-Keys Block, Compute-Keys Block, GET-Cipher Suite, GET-SessionID, GE T-Master_secret, SET-Master - Secret.
- Such commands can be realized by following the ISO 7816 standard according to a coding commonly called “APDUs” (from the English “Application Protocol Data Unit” for “Data Unit (PDU) Application Layer”).
- the security module (210) which implements the production method according to the invention comprises the functional units necessary for the implementation of the security method, namely the "RECORD" layers (2104) and
- the functional interface (220) allows the user entity (200) to call the security module (210) for the production of security data.
- SET-Credentials command The role of the module, that is to say its behavior client or server entity and the various parameters necessary for its operation, usually qualified letters of credit or "credentials" in English (certificates X509, RSA private key) is enabled by the SET-Credentials () command:
- a "Start" command initializes a session
- TLS since the security modules do not generally include a clock, it also informs the GMT time in the so-called UNIX format, that is to say a number of 32 bits which measures the number of seconds elapsed since January 1, 1970. :
- Such a command allows, as it were, to prepare the security module to perform the calculations required in the context of the invention.
- Process-TLS TLS packets that is messages produced by a RECORD functional unit, are transmitted to the security module using the Process-TLS (Record-Packets) command. returns one or more RECORD messages.
- a TLS security module When a TLS security module has successfully conducted the authentication of its interlocutor it calculates the keys block, the RECORD layer switches to encrypted mode, and delivers the messages CCS and FINISHED.
- the user of the services of the security module can then manage autonomously (without the help of the security module) his own layer
- the Compute-Keys_bloc () command associated with the random numbers generated by the client entity and the server entity makes it possible to calculate the "keys block” parameter. It is useful during a session of type "Session Resumption", or the user of the security module uses the latter, only to obtain the keys block.
- keys_bloc Compute-Keys_bloc (Client-Random, Server-Random) It is important to note that in this case the security module does not export the value of the "master secret”. It is therefore impossible to conduct a Session Resumption session in the absence of the security module, which guarantees the good faith of the service user.
- a command GET-Cipher suite allows to know the security parameters, indexed by the number cipher suite, associated with the functional unit RECORD.
- cipher_suite Get-Cipher_suite ()
- the GET-SessionID command returns the "SessionID" parameter associated with the previous session associated with a particular mastersecret. This is useful information for the security module grid that allows slave modules to perform a Session Resumption phase.
- SessionID GET-SessionID ()
- the GET-Master_secret () command collects an encrypted value of the master_secret (master _secret *) as well as a set of parameters (knows) that can be used to decrypt this information.
- knows GET-Master_secret ()
- the secret master is encrypted using a symmetric or asymmetric secret key (Key_Module), shared by a set of security modules, and associated with an encryption algorithm (such as AES, Triple DES, RSA) and a random number knows generated by the security module.
- Key_Module a symmetric or asymmetric secret key
- an encryption algorithm such as AES, Triple DES, RSA
- the Set-Master_Secret command (Master_Secret *
- the invention thus also relates to any smart card or secure entity of this type which comprises the preceding commands for reading, transferring and initializing a secure session from an ephemeral secret (the "mastersecret") calculated by another secure entity.
- mastersecret an ephemeral secret
- the invention also relates to a method of establishing a communication session using a secure entity that retrieves the ephemeral secret and the identifier of a session that was previously initialized by another secure entity.
- These two secure entities are preferably linked together so that they are either present within the same smart card, or they communicate via a specific module that will manage interactions (eg the execution of some of the previously described commands) between the secured entities.
- a management module also called security module manager, of the type hosting and executing a software providing in particular management and control functions.
- said software comprising means for executing recovery, storage and transmission commands, for example sent to the software by at least one client software and belonging to a set of recovery, storage and predetermined transmission (GET-Session_ID, GET-Master_Secret, Set-Master_Secret, etc.).
- GET-Session_ID GET-Master_Secret
- Set-Master_Secret etc.
- FIG. 3 presents the logical architecture of a grid of security modules according to the invention.
- a functional unit called Security Module Manager controls a plurality of security modules.
- the master modules are identified by indexes ranging from 1 to p.
- the slave modules are identified by indexes strictly greater than p.
- a master module stores an X509 certificate but also the private key
- the master modules share a KeyModule key, used for the encryption and decryption operations of the mastersecret.
- a slave module shares a KeyModule cryptographic key with the master modules, but does not store the client's private key.
- p being greater than or equal to 1
- k n-p slave modules (k may be equal to zero).
- the Security Module Manager When opening a TCP session, the Security Module Manager first selects a master security module. If this operation is impossible, ie all the master modules are assigned to sessions being opened, a slave module is chosen. If no module is free, the Security Module Manager will wait for the availability of a module.
- the Security Modules Manager updates the parameters (SessionID, MasterSecrei) used by a previous session using, according to the invention, the Set-Master Secret command. With this procedure it allows a module (master or slave) to manage a session in Resumption mode.
- a slave module fails in an attempt to open a session in Resumption mode using the data sent by the security module manager, that is, if the server imposes a session in FuIl mode (for example, because the lifetime of the "summarize" session has expired), it completes the current session.
- the Security Modules Manager collects the SessionID and Master Secret parameters) using the Get-SessionID and Get-MasterSecret commands introduced by the invention. So, the Module Manager Security is able to provide, in a next session, the data collected, both to the master modules and to the slave modules.
- This grid of security modules 300 comprises a component hosting a security module manager (GMS)
- the security module gate 300 also includes master modules 302 to 305 that generate at least a portion of the security data related to the entity to which the security module gate is connected.
- the master modules calculate the value of the MasterSecret for a session in "FuIl" mode.
- the gate also includes slave security modules 307 to 318.
- the master modules can be associated with a predetermined number of slave modules (for example three in the example of FIG. 3) thus forming a group of security modules 306. This pre-association is not mandatory.
- the security module manager 301 can dynamically, as needed, associate the slave security modules according to the number of security sessions required using a functional unit comprising means for obtaining a number of security modules. connection or a number of elements to download, if it is for example an "http" communication session requiring the downloading of images or other elements from a web server.
- TF and 77? the time required to complete a FULL and RESUMPTION session in a security module. For theoretical reasons mentioned in several scientific publications 77? is less than TF (TR ⁇ TF), for example 77? is about half of TF. This property is detailed for example in the article entitled “The OpenEapSmartcard Platform", written by Pascal Urien and Mesmin Dandjinou, which is available under the reference “Network Control and Engineering for QoS, Security and Mobility," IV: Fourth IFIP International Conference on Network Control and Engineering for QoS, Security, and Mobility, Lannion, France, November 14-18, 2005, by Anthony Ga ⁇ ti, Edition: illusîraîed, Springer, 2007, ISBN 0387496890, 9780387496894.
- WEB servers largely use the RESUMPTION mode to limit the load of asymmetric calculations (RSA, etc.).
- a browser downloads, via an HTTPS request, a first file (an HTML page) in FULL mode, then it keeps the same MasterSecret (and thus allows the RESUMPTION mode) for a predefined period of time, for example 10 minutes.
- HTTP 1.1 (RFC 2616) standard recommends the use of two or more TCP connections between a browser and a WEB server.
- commercial browsers such as Internet Explorer, use up to four simultaneous TCP connections.
- the use of a single security module allows the download of up to I / TF files per second in FULL mode and at most I / TR files per second in RESUMPTION mode.
- N security modules does not allow to exceed the limit of N / TF files per second. Indeed, as the security modules do not share data, they are obliged to initiate, independently, secure sessions. However, such an initialization must be performed in FULL mode, and not in RESUMPTION mode. Therefore, the maximum number of files transmitted per second can not exceed the N / TF limit.
- One of the advantageous features of the invention is to set up the secure exchange of the "MasterSecret" between security modules. In this case the implementation of TV security modules allows the download of up to N / TR files per second.
- the modules Slaves may be allowed to initiate a session in RESUMPTION mode.
- FIG. 4 shows a security module in the form of a silicon integrated circuit (400), usually referred to as "Tamper
- Resistant Device literally a component that resists attacks ", such as for example the ST22 component (produced by the company ST Microelectronics) and available in different formats such as PVC cards, (smart cards, card
- SIM Single SIM
- MMC MultiMedia Card
- Such a security module incorporates all secure means of data storage, and also allows the execution of software in a secure and protected environment.
- CPU central unit
- ROM read-only memory
- RAM random access memory
- a system bus (410) connects the different members of the secure module.
- the interface with the outside world (420) is provided by an input / output port IO (405), compliant with standards such as ISO 7816, USB, USB-
- JAVA smart cards commonly referred to as JAVACARD, are a special class of security module.
- a device embodying the method of the invention is in the form of a portable device, such as a token or a USB key.
- This device comprises, on the one hand, storage means, in particular a "Security Module Manager” software according to the invention and at least two SIM card readers.
- the storage of the security module manager according to the invention can be realized on a specific electronic component of the FPGA type ("field-programmable trick array" for "programmable gate network”)
- the smart card readers can respectively accommodate master security modules and slave security modules to compose a grid of security modules.
- the device When connected, for example to a personal computer, the device acts as a provider of security resources.
- the Security Module Manager provides an interface between the personal computer and the security modules. It is particularly capable of transmitting the secret key creation commands to the master module and the secret key transmission commands previously calculated to the slave module.
- the invention makes it possible to provide, in a very simple manner, a strong security solution without the need to make numerous modifications in the existing communication architectures: at worst, it is necessary to install a device-specific driver on the computer on which this device is to be connected: this will be valid, for example, for computers with a rather old operating system.
- the device of the invention is recognized as being a standard smart card reader, requiring no additional installation.
- the component "Manager Security Modules” is responsible for the interface between the security module grid and the terminal in which the device is plugged.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
- Computer And Data Communications (AREA)
- Communication Control (AREA)
Abstract
Description
Claims
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/257,221 US20120072994A1 (en) | 2009-03-16 | 2010-03-16 | Method to produce securing data, corresponding device and computer program |
RU2011139616/08A RU2011139616A (ru) | 2009-03-16 | 2010-03-16 | Способ и устройство получения защищенных данных |
CA2754895A CA2754895A1 (fr) | 2009-03-16 | 2010-03-16 | Procede de production de donnees de securisation, dispositif et programme d'ordinateur correspondant |
EP10711036A EP2409474A1 (fr) | 2009-03-16 | 2010-03-16 | Procédé de production de données de sécurisation, dispositif et programme d'ordinateur correspondant |
CN2010800123317A CN102356621A (zh) | 2009-03-16 | 2010-03-16 | 一种产生安全数据的方法以及其对应装置和计算机程序 |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR0951646 | 2009-03-16 | ||
FR0951646A FR2943198B1 (fr) | 2009-03-16 | 2009-03-16 | Procede de production de donnees de securisation, dispositif et programme d'ordinateur correspondant |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2010106042A1 true WO2010106042A1 (fr) | 2010-09-23 |
Family
ID=41402590
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2010/053334 WO2010106042A1 (fr) | 2009-03-16 | 2010-03-16 | Procédé de production de données de sécurisation, dispositif et programme d'ordinateur correspondant |
Country Status (7)
Country | Link |
---|---|
US (1) | US20120072994A1 (fr) |
EP (1) | EP2409474A1 (fr) |
CN (1) | CN102356621A (fr) |
CA (1) | CA2754895A1 (fr) |
FR (1) | FR2943198B1 (fr) |
RU (1) | RU2011139616A (fr) |
WO (1) | WO2010106042A1 (fr) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106330692B (zh) * | 2016-08-30 | 2019-10-08 | 泉州台商投资区钰宝商贸有限公司 | 轻量级高性能虚拟专用网软件的设计和实现 |
US10599849B2 (en) * | 2018-05-03 | 2020-03-24 | Dell Products L.P. | Security module authentication system |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1999039475A1 (fr) * | 1998-02-03 | 1999-08-05 | Tandem Computers, Inc. | Systeme de chiffrement |
WO2001060040A2 (fr) * | 2000-02-10 | 2001-08-16 | Bull Cp8 | Procede de transmission de donnees sur un reseau internet entre un serveur et un terminal a carte a puce, qui contient des agents intelligents |
EP1349032A1 (fr) * | 2002-03-18 | 2003-10-01 | Ubs Ag | Authentification securisée d'un utilisateur dans un réseau d'ordinateurs |
WO2006021865A1 (fr) * | 2004-08-24 | 2006-03-02 | Axalto Sa | Jeton personnel et procede d'authentification commandee |
WO2008145558A2 (fr) | 2007-05-25 | 2008-12-04 | Groupe Des Ecoles Des Telecommunications / Ecole Nationale Superieure Des Telecommunications | Procede de securisation d'echange d'information, dispositif, et produit programme d'ordinateur correspondant |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7360075B2 (en) * | 2001-02-12 | 2008-04-15 | Aventail Corporation, A Wholly Owned Subsidiary Of Sonicwall, Inc. | Method and apparatus for providing secure streaming data transmission facilities using unreliable protocols |
US7529933B2 (en) * | 2002-05-30 | 2009-05-05 | Microsoft Corporation | TLS tunneling |
US7587598B2 (en) * | 2002-11-19 | 2009-09-08 | Toshiba America Research, Inc. | Interlayer fast authentication or re-authentication for network communication |
US8190895B2 (en) * | 2005-08-18 | 2012-05-29 | Microsoft Corporation | Authenticated key exchange with derived ephemeral keys |
US8578159B2 (en) * | 2006-09-07 | 2013-11-05 | Motorola Solutions, Inc. | Method and apparatus for establishing security association between nodes of an AD HOC wireless network |
-
2009
- 2009-03-16 FR FR0951646A patent/FR2943198B1/fr not_active Expired - Fee Related
-
2010
- 2010-03-16 EP EP10711036A patent/EP2409474A1/fr not_active Withdrawn
- 2010-03-16 WO PCT/EP2010/053334 patent/WO2010106042A1/fr active Application Filing
- 2010-03-16 US US13/257,221 patent/US20120072994A1/en not_active Abandoned
- 2010-03-16 CA CA2754895A patent/CA2754895A1/fr not_active Abandoned
- 2010-03-16 RU RU2011139616/08A patent/RU2011139616A/ru not_active Application Discontinuation
- 2010-03-16 CN CN2010800123317A patent/CN102356621A/zh active Pending
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1999039475A1 (fr) * | 1998-02-03 | 1999-08-05 | Tandem Computers, Inc. | Systeme de chiffrement |
WO2001060040A2 (fr) * | 2000-02-10 | 2001-08-16 | Bull Cp8 | Procede de transmission de donnees sur un reseau internet entre un serveur et un terminal a carte a puce, qui contient des agents intelligents |
EP1349032A1 (fr) * | 2002-03-18 | 2003-10-01 | Ubs Ag | Authentification securisée d'un utilisateur dans un réseau d'ordinateurs |
WO2006021865A1 (fr) * | 2004-08-24 | 2006-03-02 | Axalto Sa | Jeton personnel et procede d'authentification commandee |
WO2008145558A2 (fr) | 2007-05-25 | 2008-12-04 | Groupe Des Ecoles Des Telecommunications / Ecole Nationale Superieure Des Telecommunications | Procede de securisation d'echange d'information, dispositif, et produit programme d'ordinateur correspondant |
Non-Patent Citations (1)
Title |
---|
DOMINIQUE GAI'TI: "Network Control and Engineering for QoS, Security and Mobility, 1V· Fourth IFIP International Conference on Network Contrai and Engineering for QoS, Security, and Mobility", 14 November 2005, SPRINGER |
Also Published As
Publication number | Publication date |
---|---|
RU2011139616A (ru) | 2013-04-27 |
FR2943198B1 (fr) | 2011-05-20 |
FR2943198A1 (fr) | 2010-09-17 |
CA2754895A1 (fr) | 2010-09-23 |
CN102356621A (zh) | 2012-02-15 |
US20120072994A1 (en) | 2012-03-22 |
EP2409474A1 (fr) | 2012-01-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2008145558A2 (fr) | Procede de securisation d'echange d'information, dispositif, et produit programme d'ordinateur correspondant | |
EP3238474B1 (fr) | Procédé de sécurisation de transactions sans contact | |
EP2614458B1 (fr) | Procede d'authentification pour l'acces a un site web | |
EP2279581A1 (fr) | Procede de diffusion securisee de donnees numeriques vers un tiers autorise | |
FR2906661A1 (fr) | Procede pour fournir des parametres d'authentification et des images logicielles dans des environnements de reseaux securises | |
FR2899749A1 (fr) | Procede de protection d'identite, dispositifs, et produit programme d'ordinateur correspondants. | |
WO2007012584A1 (fr) | Procédé de contrôle de transactions sécurisées mettant en oeuvre un dispositif physique unique à bi-clés multiples, dispositif physique, système et programme d'ordinateur correspondants | |
EP3375133B1 (fr) | Procede de securisation et d'authentification d'une telecommunication | |
FR2930391A1 (fr) | Terminal d'authentification d'un utilisateur. | |
WO2007012583A1 (fr) | Procede de controle de transactions securisees mettant en oeuvre un dispositif physique unique, dispositif physique, systeme, et programme d'ordinateur correspondants | |
EP3991381B1 (fr) | Procédé et système de génération de clés de chiffrement pour données de transaction ou de connexion | |
WO2010106042A1 (fr) | Procédé de production de données de sécurisation, dispositif et programme d'ordinateur correspondant | |
FR2946822A1 (fr) | Dispositif et procede d'acces securise a un service distant. | |
EP3673633B1 (fr) | Procédé d'authentification d'un utilisateur auprès d'un serveur d'authentification | |
EP2710779A1 (fr) | Procede de securisation d'une platforme d'authentification, dispositifs materiels et logiciels correspondants | |
EP3266148B1 (fr) | Dispositif et procédé d'administration d'un serveur de séquestres numériques | |
EP3825882A1 (fr) | Procede et systeme pour le provisionnement ou remplacement securise d'un secret dans au moins un dispositif de communication portable | |
CA3206749A1 (fr) | Procede d'echanges securises entre un lecteur de controle d'acces, concentrateur iot et une unite de traitement de donnees | |
FR2901438A1 (fr) | Un procede d'embarquement d'un protocole securise dans des cartes a puces, des capteurs et des objets intelligents | |
WO2019048119A1 (fr) | Enrôlement perfectionné d'un équipement dans un réseau sécurisé | |
WO2016034812A1 (fr) | Sécurisation de clés de cryptage pour transaction sur un dispositif dépourvu de module sécurisé |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
WWE | Wipo information: entry into national phase |
Ref document number: 201080012331.7 Country of ref document: CN |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 10711036 Country of ref document: EP Kind code of ref document: A1 |
|
DPE1 | Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101) | ||
WWE | Wipo information: entry into national phase |
Ref document number: 2010711036 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2754895 Country of ref document: CA |
|
WWE | Wipo information: entry into national phase |
Ref document number: 7072/DELNP/2011 Country of ref document: IN |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
ENP | Entry into the national phase |
Ref document number: 2011139616 Country of ref document: RU Kind code of ref document: A |
|
WWE | Wipo information: entry into national phase |
Ref document number: 13257221 Country of ref document: US |