WO2014091336A1 - A system and a method for generating secure key - Google Patents

A system and a method for generating secure key Download PDF

Info

Publication number
WO2014091336A1
WO2014091336A1 PCT/IB2013/060272 IB2013060272W WO2014091336A1 WO 2014091336 A1 WO2014091336 A1 WO 2014091336A1 IB 2013060272 W IB2013060272 W IB 2013060272W WO 2014091336 A1 WO2014091336 A1 WO 2014091336A1
Authority
WO
WIPO (PCT)
Prior art keywords
seed
atleast
key
pusher
engineering tool
Prior art date
Application number
PCT/IB2013/060272
Other languages
French (fr)
Inventor
Arijit Kumar BOSE
Fernando Alvarez
Mallikarjun Kande
Sanjeev KOUL
Original Assignee
Abb Research Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Abb Research Ltd filed Critical Abb Research Ltd
Publication of WO2014091336A1 publication Critical patent/WO2014091336A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Definitions

  • the invention relates to generating key inside a device, and more particularly to a system and a method for generating secure key inside a device employing a seed pusher.
  • a key is used to encrypt or decrypt a data, and is generated inside a device. Generating such key is initiated using a seed, which is a number or a vector that is used in generating key pseudo-randomly. Hence the choice of a good random seed or a high entropy seed having higher degree of randomness is crucial to generate a secure key.
  • the device accesses the high entropy seed from the Hardware Security Module (HSM) through the communication bus that are secured.
  • HSM Hardware Security Module
  • the validity and authenticity of the device requesting for the seed during the initial participation of the device poses a threat, as to the malicious device may request for such seed from the HSM. This compromises on the security by which the key is generated by the device.
  • the invention is aimed at providing a solution that eliminates the need for additional hardware component inside the device(s) to access the high entropy seed, and to generate a secure key.
  • Yet another object of the invention is to provide a method for generating secure key by the system of the invention.
  • the invention provides a system for generating a secure key.
  • the system of the invention comprises one or more devices that coordinate with the engineering tool correspondingly.
  • the system has at least one seed pusher for providing a seed to the device in order to generate a secure key.
  • the invention also provides a method for generating a secure key by the system of the invention.
  • the method of the invention comprises the steps of checking the validity and / or the authenticity of at least one device requesting the other seed and of the engineering tool, obtaining the certificate of enrollment for the device.
  • the method also comprises establishing secure communication channel between the device and seed pusher, and providing the seed to the device by the said seed pusher for generating a secure key by the device.
  • Fig. 1 shows a system for generating secure key in accordance with the invention
  • Fig. 2 illustrates the transaction between the device and the seed pusher in accordance with the invention.
  • the system (100) for for generating secure key has atleast one device (101) that requires a first key, referred hereinafter as other key to obtain certificate of enrollment, in order to establish itself as a trusted device.
  • the device (101) requests for a seed (110), hereinafter referred to as other seed, to the engineering tool (102).
  • the engineering tool (102) performs the function of engineering, commissioning or the like as required.
  • the engineering tool (102) upon the request for other seed from the device (101) checks the validity or the authenticity (111) of the device (101) by verifying the credentials of the device (101) in its database or the like. Upon successful verification, and finding the device (101) to be a valid and an authenticated device, the engineering tool (102) provides the other seed (112) to the device (101) for generating the other key to obtain certificate of enrollment, and also the information regarding the seed pusher (103) such as IP address etc, through a secure communication channel. By this, the challenge of authenticating a device during the initial stages in the absence of a certificate of enrollment in respect of the device is addressed.
  • the engineering tool (102) also offloads the task of seed management (113) to seed pusher (103), which resides as a part of the engineering tool (102) or external to it.
  • the device (101) based on the information received from the engineering tool (102) about the seed pusher (103), identifies the corresponding seed pusher (103) and requests for a seed (210) to the identified seed pusher (103).
  • the seed pusher (103) makes a request (211) to the device (101) for the certificate of enrollment of the device (101).
  • the device (101) provides its certificate of enrollment (212) to the seed pusher (103), where the certificate of enrollment of the device (101) is verified (213) by the seed pusher (103). Also, the device (101) makes a similar request (214) to the seed pusher (103) for the certificate of enrollment of the seed pusher (103).
  • the seed pusher (103) provides its certificate of enrollment (215) to the device (101) only if the certificate of enrollment of the device (101) is found valid through its verification (213). Similarly, the device (101) also verifies (216) the certificate of enrollment of the seed pusher (103). Upon successful verification (216) of the certificate of enrollment of the seed pusher (103) by the device (101), the device (101) and the seed pusher (103) establishes (217) a secure communication channel.
  • the secure communication channel is based on protocol such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS) or the like.
  • the seed pusher then generates a seed (218) and provides the generated seed over the secure communication channel (219) to the device (101).
  • the seed and the other seed referred hereinabove have high degree of randomness rendering them to be a high entropy seed.
  • the seed provided to the device (101) through step (219) is utilized for generating the key to encrypt and / or decrypt data or for future certificate enrollment. (101).
  • the invention therefore provides a system with which a high entropy seed can be provided to generate a highly randomized key that is secure, in an environment or application having resource constraints. Besides this, the need for an additional hardware component in a device to access or obtain the seed is eliminated.
  • the invention provides a suitable solution through deployment of a seed pusher, wherein the existing devices in an environment such as substation etc., does not require an additional hardware component as required currently, to have a high entropy seed to generate a highly randomized key. Since the system is performing based on the certificate of enrolment of each of the participating components like the device, engineering tool, seed pusher etc., the trust between each of these components is built therefore eliminating the risk in relation to the compromise of the security or of its breach.
  • the invention holistically provides a secure system and workflow to generate a high entropy seed with which a highly randomized key is generated.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Lock And Its Accessories (AREA)

Abstract

The present invention relates to a system for generating a secure key. The system of the invention comprises one or more devices that coordinate with the engineering tool correspondingly. The system has at least one seed pusher for providing a seed to the device in order to generate a secure key. The present invention also provides a method for generating a secure key by the system of the invention.

Description

A SYSTEM AND A METHOD FOR GENERATING SECURE KEY
FIELD OF THE INVENTION
The invention relates to generating key inside a device, and more particularly to a system and a method for generating secure key inside a device employing a seed pusher.
BACKGROUND
Generally, a key is used to encrypt or decrypt a data, and is generated inside a device. Generating such key is initiated using a seed, which is a number or a vector that is used in generating key pseudo-randomly. Hence the choice of a good random seed or a high entropy seed having higher degree of randomness is crucial to generate a secure key.
Typically in the present practices, the device accesses the high entropy seed from the Hardware Security Module (HSM) through the communication bus that are secured. This requires an additional hardware component, namely the HSM to be deployed into the device. Owing to the additional cost, and to the constraints in accommodating such additional hardware component into the legacy devices, there is a need for a solution that eliminates the need for additional hardware component in the devices. Also, the validity and authenticity of the device requesting for the seed during the initial participation of the device poses a threat, as to the malicious device may request for such seed from the HSM. This compromises on the security by which the key is generated by the device.
The invention is aimed at providing a solution that eliminates the need for additional hardware component inside the device(s) to access the high entropy seed, and to generate a secure key.
OBJECTS OF THE INVENTION
It is an object of the invention to provide a system for generating secure key, in which additional hardware component in the device for accessing the seed is eliminated.
It is also an object of the invention to provide a system for generating secure key, having a seed pusher to provide high entropy seed required for generating key securely by the device. Another object of the invention is to provide a system for generating secure key, in which the device and the seed pusher are authenticated and certified, to establish secure communication channel and of its participation thereof to generate secure key.
Yet another object of the invention is to provide a method for generating secure key by the system of the invention.
SUMMARY OF THE INVENTION
Accordingly the invention provides a system for generating a secure key. The system of the invention comprises one or more devices that coordinate with the engineering tool correspondingly. The system has at least one seed pusher for providing a seed to the device in order to generate a secure key.
Accordingly the invention also provides a method for generating a secure key by the system of the invention. The method of the invention comprises the steps of checking the validity and / or the authenticity of at least one device requesting the other seed and of the engineering tool, obtaining the certificate of enrollment for the device. The method also comprises establishing secure communication channel between the device and seed pusher, and providing the seed to the device by the said seed pusher for generating a secure key by the device.
BRIEF DESCRIPTION OF THE DRAWINGS
With reference to the accompanying drawings in which:
Fig. 1 shows a system for generating secure key in accordance with the invention; and
Fig. 2 illustrates the transaction between the device and the seed pusher in accordance with the invention.
DETAILED DESCRIPTION
The invention is hereinafter described with reference to Figs. 1 and 2 through a non-exhaustive exemplary embodiment.
In Figs. 1 and 2, the system for generating secure key and the transaction between the device and the seed pusher of the system, in accordance with the invention are shown. The system (100) for for generating secure key has atleast one device (101) that requires a first key, referred hereinafter as other key to obtain certificate of enrollment, in order to establish itself as a trusted device. The device (101) requests for a seed (110), hereinafter referred to as other seed, to the engineering tool (102).
The engineering tool (102) performs the function of engineering, commissioning or the like as required. The engineering tool (102) upon the request for other seed from the device (101) checks the validity or the authenticity (111) of the device (101) by verifying the credentials of the device (101) in its database or the like. Upon successful verification, and finding the device (101) to be a valid and an authenticated device, the engineering tool (102) provides the other seed (112) to the device (101) for generating the other key to obtain certificate of enrollment, and also the information regarding the seed pusher (103) such as IP address etc, through a secure communication channel. By this, the challenge of authenticating a device during the initial stages in the absence of a certificate of enrollment in respect of the device is addressed. The engineering tool (102) also offloads the task of seed management (113) to seed pusher (103), which resides as a part of the engineering tool (102) or external to it.
The device (101) based on the information received from the engineering tool (102) about the seed pusher (103), identifies the corresponding seed pusher (103) and requests for a seed (210) to the identified seed pusher (103). The seed pusher (103) makes a request (211) to the device (101) for the certificate of enrollment of the device (101). The device (101) provides its certificate of enrollment (212) to the seed pusher (103), where the certificate of enrollment of the device (101) is verified (213) by the seed pusher (103). Also, the device (101) makes a similar request (214) to the seed pusher (103) for the certificate of enrollment of the seed pusher (103). The seed pusher (103) provides its certificate of enrollment (215) to the device (101) only if the certificate of enrollment of the device (101) is found valid through its verification (213). Similarly, the device (101) also verifies (216) the certificate of enrollment of the seed pusher (103). Upon successful verification (216) of the certificate of enrollment of the seed pusher (103) by the device (101), the device (101) and the seed pusher (103) establishes (217) a secure communication channel. The secure communication channel is based on protocol such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS) or the like. The seed pusher then generates a seed (218) and provides the generated seed over the secure communication channel (219) to the device (101). The seed and the other seed referred hereinabove have high degree of randomness rendering them to be a high entropy seed. The seed provided to the device (101) through step (219) is utilized for generating the key to encrypt and / or decrypt data or for future certificate enrollment. (101).
The invention therefore provides a system with which a high entropy seed can be provided to generate a highly randomized key that is secure, in an environment or application having resource constraints. Besides this, the need for an additional hardware component in a device to access or obtain the seed is eliminated. By this, the invention provides a suitable solution through deployment of a seed pusher, wherein the existing devices in an environment such as substation etc., does not require an additional hardware component as required currently, to have a high entropy seed to generate a highly randomized key. Since the system is performing based on the certificate of enrolment of each of the participating components like the device, engineering tool, seed pusher etc., the trust between each of these components is built therefore eliminating the risk in relation to the compromise of the security or of its breach. Thus, the invention holistically provides a secure system and workflow to generate a high entropy seed with which a highly randomized key is generated.
Only certain features of the invention have been specifically illustrated and described herein, and many modifications and changes will occur to those skilled in the art. The invention is not restricted by the preferred embodiment described herein in the description. It is to be noted that the invention is explained by way of exemplary embodiment and is neither exhaustive nor limiting. Certain aspects of the invention that not been elaborated herein in the description are well understood by one skilled in the art. Also, the terms relating to singular form used herein in the description also include its plurality and vice versa, wherever applicable. Any relevant modification or variation, which is not described specifically in the specification are in fact to be construed of being well within the scope of the invention. The appended claims are intended to cover all such modifications and changes which fall within the spirit of the invention.
Thus, it will be appreciated by those skilled in the art that the present invention can be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The presently disclosed embodiments are therefore considered in all respects to be illustrative and not restricted. The scope of the invention is indicated by the appended claims rather than the foregoing description and all changes that come within the meaning and range and equivalence thereof are intended to be embraced therein.

Claims

WE CLAIM:
1. A system for generating a secure key comprising: atleast one device having corresponding coordination with an engineering tool; characterized in that the said system comprising at least one seed pusher for providing a seed to the said atleast one device to generate a secure key thereof.
2. The system as claimed in claim 1, wherein the said engineering tool is provided to perform engineering or commissioning or the like, of the said atleast one device in the said system.
3. The system as claimed in claim 1, wherein the said engineering tool is provided to check the validity and / or the authenticity of the said atleast one device.
4. The system as claimed in claim 1 or 3, wherein the said engineering tool provides other seed to the said atleast one device to generate other key and to obtain certificate of enrollment.
5. The system as claimed in claim 1, wherein the said engineering tool provides information for identifying the said seed pusher, to the said atleast one device.
6. The system as claimed in claiml, wherein the said seed pusher and the said atleast one device establishes secure communication channel there between.
7. The system as claimed in claim 6, wherein the said secure communication channel is based on protocol such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS) or the like.
8. The system as claimed in claim 1 or 6, wherein the said seed pusher is a part of the said engineering tool or external thereto.
9. The system as claimed in any one of the preceding claims, wherein the said seed and the said other seed is a high entropy seed.
10. A method for generating a secure key by the system as claimed in any one of the preceding claims, characterized in that the said method comprising the steps of:
checking the validity and / or the authenticity of atleast one device requesting the other seed and of the engineering tool;
obtaining the certificate of enrollment for the said atleast one device;
establishing secure communication channel between the said atleast one device and seed pusher; and providing the seed to the said atleast one device by the said seed pusher for generating a secure key by the said atleast one device.
11. The method as claimed in claim 10, wherein checking the validity and / or the authenticity includes verifying the credentials of the said atleast one device by the said engineering tool, and of the certificate of the said engineering tool by the said atleast one device.
12. The method as claimed in claim 10 or 11, wherein obtaining the certificate of enrollment for the said atleast one device includes providing the other key by the said engineering tool to the said atleast one device for generating the other key by the said atleast one device for obtaining the said certificate of enrollment.
13. The method as claimed in claim 10, wherein establishing secure communication channel includes successfully verifying the certificate of enrollment of the said atleast one device by the said seed pusher.
14. The method as claimed in claim 10, wherein establishing secure communication channel includes successfully verifying the certificate of enrollment of the said seed pusher by the said atleast one device.
15. The method as claimed in any one of the preceding claims, wherein generating the said secure key by the said atleast one device includes checking the authenticity and integrity of the said seed.
PCT/IB2013/060272 2012-12-13 2013-11-20 A system and a method for generating secure key WO2014091336A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN5195CH2012 2012-12-13
IN5195/CHE/2012 2012-12-13

Publications (1)

Publication Number Publication Date
WO2014091336A1 true WO2014091336A1 (en) 2014-06-19

Family

ID=49759485

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2013/060272 WO2014091336A1 (en) 2012-12-13 2013-11-20 A system and a method for generating secure key

Country Status (1)

Country Link
WO (1) WO2014091336A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102014226388A1 (en) 2014-12-18 2016-03-24 Siemens Aktiengesellschaft Configuration device and method for configuring field devices

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060095772A1 (en) * 2004-11-03 2006-05-04 Cisco Technology, Inc. System and method for establishing a secure association between a dedicated appliance and a computing platform
US20100191970A1 (en) * 2009-01-27 2010-07-29 Noam Singer Generating protected access credentials
EP2373019A1 (en) * 2010-03-29 2011-10-05 Nagravision S.A. Secure descrambling of an audio / video data stream
EP2375627A1 (en) * 2008-12-09 2011-10-12 China Iwncomm Co., Ltd Three-way handshake protocol method

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060095772A1 (en) * 2004-11-03 2006-05-04 Cisco Technology, Inc. System and method for establishing a secure association between a dedicated appliance and a computing platform
EP2375627A1 (en) * 2008-12-09 2011-10-12 China Iwncomm Co., Ltd Three-way handshake protocol method
US20100191970A1 (en) * 2009-01-27 2010-07-29 Noam Singer Generating protected access credentials
EP2373019A1 (en) * 2010-03-29 2011-10-05 Nagravision S.A. Secure descrambling of an audio / video data stream

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"Chapter 11: Digital Signatures ED - Menezes A J; Van Oorschot P C; Vanstone S A", 1 October 1996 (1996-10-01), XP001525011, ISBN: 978-0-8493-8523-0, Retrieved from the Internet <URL:http://www.cacr.math.uwaterloo.ca/hac/> *
"Chapter 13: Key Management Techniques ED - Menezes A J; Van Oorschot P C; Vanstone S A", 1 October 1996 (1996-10-01), XP001525013, ISBN: 978-0-8493-8523-0, Retrieved from the Internet <URL:http://www.cacr.math.uwaterloo.ca/hac/> *
"Chapter 9: ED - Menezes A J; Van Oorschot P C; Vanstone S A", 1 October 1996 (1996-10-01), XP001525009, ISBN: 978-0-8493-8523-0, Retrieved from the Internet <URL:http://www.cacr.math.uwaterloo.ca/hac/> *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102014226388A1 (en) 2014-12-18 2016-03-24 Siemens Aktiengesellschaft Configuration device and method for configuring field devices

Similar Documents

Publication Publication Date Title
EP3318003B1 (en) Confidential authentication and provisioning
CN105162772B (en) A kind of internet of things equipment certifiede-mail protocol method and apparatus
US9460567B2 (en) Establishing secure communication for vehicle diagnostic data
US10878080B2 (en) Credential synchronization management
US8677466B1 (en) Verification of digital certificates used for encrypted computer communications
US9053318B2 (en) Anti-cloning system and method
US20160050193A1 (en) System and methods for secure communication in mobile devices
US10642664B2 (en) System and method for securing an inter-process communication via a named pipe
US20150163211A1 (en) Unclonable id based chip-to-chip communication
US20150038118A1 (en) Method for verifying the identity of a user of a communicating terminal and associated system
KR20140127303A (en) Multi-factor certificate authority
CN112491881A (en) Cross-platform single sign-on method, system, electronic equipment and storage medium
CN104735065A (en) Data processing method, electronic device and server
US9398024B2 (en) System and method for reliably authenticating an appliance
CN103634265A (en) Method, device and system for security authentication
CN106992978B (en) Network security management method and server
US20150180862A1 (en) Method of generating one-time password and apparatus for performing the same
US9961074B2 (en) System and method for providing an authentication certificate for a wireless handheld device a data center environment
Kim et al. Puf-based iot device authentication scheme on iot open platform
KR101358704B1 (en) Method of authenticating for single sign on
CN116707983A (en) Authorization authentication method and device, access authentication method and device, equipment and medium
CN110771087A (en) Private key update
KR101912403B1 (en) Method for security authentication between equipment
WO2014091336A1 (en) A system and a method for generating secure key
CN112653676A (en) Identity authentication method and equipment of cross-authentication system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13803262

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13803262

Country of ref document: EP

Kind code of ref document: A1