WO2016198277A1 - Method and communication device for establishing a secure communication connection - Google Patents
- Publication number
- WO2016198277A1 (application PCT/EP2016/062212)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- password
- communication device
- communication
- time password
- otp
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L63/0838—Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/80—Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0492—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload by using a location-limited connection, e.g. near-field communication or limited proximity of entities
Definitions
- the invention relates to a method for establishing a secure communication connection as well as an associated communication arrangement and associated communication devices.
- iBeacon is a proprietary standard introduced by Apple Inc. Based on iBeacon, a range of services is possible, from indoor navigation and targeted display of product information at the point of sale (POS) to special offers, guiding visitors through a shop, and mobile retail shopping. iBeacon is based on a transmitter-receiver principle: small transmitters (beacons) are placed in a room as signal sources and send signals at fixed time intervals. If a receiver, e.g. a mobile communication device such as a smartphone with an installed mobile app configured to receive iBeacon signals, is within range of a transmitter, the transmitter's UUID (Universally Unique Identifier) can be identified and its signal strength measured.
- iBeacons cannot normally send push notifications to receivers themselves, nor collect or store user data. They only broadcast information about their own identity (the values UUID, Major and Minor) within a radius of about 70 meters.
- The data transmission takes place via the so-called Bluetooth Low Energy (BLE) technology, which is extremely power-saving.
- Bluetooth transmissions are considered tap-proof, or secure against unauthorized intrusion, only if they are operated as a connection with multilevel dynamic key assignment. With static key assignment, security is limited. The transmission of the key is the part of the communication most at risk, because only a successful key exchange protects a connection.
- Data phishing is based on interrupting an existing connection with corresponding interference signals and on persuading the subscribers to re-establish an authenticated connection.
- The attacked users must then enter their PIN again on the devices used.
- The subsequent authentication, with renegotiation of the connection key, can then be intercepted with readily available special hardware, and a badly chosen PIN (for example an eight-digit numeric one) can be cracked by trial.
- After a successful attack the attacker is in possession of the secret connection key and can establish any connections to the attacked devices.
- The attacker needs to know the Bluetooth address of a connected Bluetooth module; this cannot be prevented by the "invisibility mode".
- This attack is possible if the attacker blocks the communication during the Bluetooth pairing process.
- The attacker re-authenticates and uses too short a PIN. Accordingly, there is no danger for devices which store the keys permanently, because after a connection disruption or a manual reconnection no renewed PIN authentication is triggered; instead the key stored on both devices is used. To protect against such attacks, it is recommended to register remote stations with PIN entry as rarely as possible. It would be safer to store recognized peers permanently in the respective authentication lists and to deactivate re-authentication via PIN. Another way to increase security is to regularly overwrite the authentication information on the beacon manually with new authentication information.
- The invention claims a method for establishing a secure communication connection via a radio interface between a first communication device and a second communication device, wherein the distance between the two communication devices lies in a range suitable for a point-to-point connection, wherein a processing unit generates a one-time password for identifying a first of said communication devices, and wherein
- a transmission device of the same communication device sends the one-time password for reception by the other, second communication device, and
- the communication device receiving the one-time password performs or causes a comparison between the one-time password and a check password and allows a communication connection between said communication devices to be established depending on the comparison result.
- The comparison can be carried out directly by the second communication device if the latter knows the check password.
- The second communication device may receive the check password from a password assignment point assigned to it directly or remotely.
- The comparison can also be made by a password assignment point or another authority that knows the check password.
- The entity performing the comparison causes the communication link to be established by the second and/or first communication device.
- The one-time password can be generated according to a method specified by the password assignment point.
- The one-time password and/or the check password can be valid only within a predefinable time window.
- The generation and/or sending of the one-time password and the comparison with the check password can be synchronized in a time-controlled and/or event-controlled manner. This is useful because, if a new one-time password is to be generated after the validity of the previous one-time password has expired, its generation and/or transmission should be synchronized with the check password currently valid.
- The sending communication device can have the functionality of a so-called iBeacon.
- The Major and/or Minor parameters of the iBeacon protocol can be used to carry the one-time password.
- A further aspect of the invention is a communication arrangement for establishing a secure communication connection via a radio interface between a first communication device and a second communication device, wherein the distance between the two communication devices lies in a range suitable for a point-to-point connection, comprising:
- a processing unit for generating a one-time password for identifying a first of the two communication devices, and a transmission unit of the same communication device for transmitting the one-time password for reception at the other, second communication device;
- the communication device receiving the one-time password comprises a receiving unit for obtaining a comparison result from the comparison between the one-time password and a check password, which unit may allow a communication connection between said communication devices to be established depending on the result of the comparison.
- A further aspect of the invention is a communication device comprising means for establishing a secure point-to-point communication connection via a radio interface: a receiving unit for receiving a one-time password, and
- a further receiving unit for obtaining a comparison result from the comparison between the one-time password and a check password, which may allow, depending on the comparison result, a communication connection to another communication device to be established.
- A further aspect of the invention is a communication device with means for establishing a secure point-to-point communication connection via a radio interface, comprising:
- a processing unit for generating a one-time password for identifying the communication device, and
- a transmitting device for transmitting the one-time password for reception at another communication device.
- The communication arrangement and the communication devices for establishing a secure communication connection have means or modules for carrying out the above-mentioned method, each of which may be implemented in hardware and/or software or as a computer program or computer program product.
- a further aspect of the invention may be a computer program or a computer program product with means for carrying out the method and its mentioned embodiments, if the computer program (product) within said communication arrangement or on at least one of said
- the communication arrangement and the communication devices as well as the computer program (product) can be further developed in the same way as the method.
- The invention has the following advantages: a secure communication connection can be established between communication devices that are within mutual radio range. Phishing or capturing the pairing password is made more difficult by the fact that the one-time password used loses its validity.
- The invention can be used in particular for devices with a small storage capacity, such as an iBeacon, since only a few bytes are reserved for the one-time password.
- The figure shows a schematic representation of a communication between a first mobile station MS1 and a second mobile station MS2.
- A mobile station MS1 intends to establish a communication connection (see FIG. 4) via a radio interface F, which in the example is preferably designed as a Bluetooth interface, to a mobile station MS2.
- Each communication partner can be designed as a mobile station, but also as a fixed communication device.
- At least one of the mobile stations, preferably MS1, should be equipped with suitable input means or acquisition units (e.g. a microphone for audio, a camera K for pictures or video, a keyboard for text, etc.) and be capable of participating in a network.
- The group of potential communication partners is preferably within a range suitable for a point-to-point connection.
- This range is, as already mentioned, up to about 70 meters or somewhat more.
- Communication is not limited to a point-to-point connection; it can also include a point-to-multipoint connection. In that case the example would contain more mobile stations.
- A spontaneous ad hoc network can be established between the mobile stations MS1 and MS2 (e.g. via Bluetooth or WLAN in a MAN (mobile ad-hoc network)), or a mobile station, e.g. MS2, provides a hotspot into which other mobile stations not shown in the figure can dial.
- If a user wants to initiate a secure interaction or communication connection with his mobile station MS1, the mobile station MS1 transmits with its transmission unit S a one-time password OTP to the mobile station MS2 (see FIG. 1); the OTP is, for example, only valid for approx. 30 seconds.
- A processing unit for generating such a one-time password is integrated in MS1. The one-time password can be generated according to a method or algorithm which is known to or predefined by the password assignment point A.
- This processing unit for generating the one-time password and the transmitting unit S may be in the form of an iBeacon. When the iBeacon protocol is used, the Major and/or Minor parameters carry the one-time password.
- The password assignment point A can be implemented as a server.
- A one-time password is generated for a specific time window and expires once this time window has elapsed.
- The one-time password is then sent to the mobile station MS2.
- The receiving unit E integrated there is designed to forward the one-time password to the password assignment point A (see FIG. 2).
- The password assignment point compares the one-time password with a check password ID and, depending on the comparison result, sends a consent signal Ok (see FIG. 3) for establishing the communication connection (see FIG. 4) to the mobile station MS2 or, if appropriate, a reject signal so that no communication connection is established.
- Alternatively, the mobile station MS2 receives a check password list from the password assignment point A and performs the comparison with the one-time password itself. Depending on the result of the comparison, the communication link between MS1 and MS2 can then be established (see FIG. 4).
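Added example (not code from the patent): a Python simulation of the exchange in FIG. 1 to 4. MS1 derives a 32-bit one-time password for the current 30-second window and places it in the iBeacon Major/Minor fields, MS2 forwards it to the password assignment point A, and A compares it with its check password and answers Ok or reject. HMAC-SHA256 over a window counter with a per-device shared secret is an assumed generation method, the one-window clock-skew tolerance and the replay check are assumed refinements, and all names and values are constructed.

```python
import hashlib
import hmac
import struct

# Constructed simulation (not the patent's code): MS1 advertises a short-lived
# one-time password (OTP) in the iBeacon Major/Minor fields, MS2 forwards it to
# the password assignment point A, and A answers Ok or reject.
WINDOW_SECONDS = 30  # validity window; the description names approx. 30 s
DEVICE_ID = "MS1"    # constructed identity of the beacon-equipped station

def otp_for_window(secret: bytes, window_index: int) -> int:
    """32-bit OTP for one time window. HMAC-SHA256 over a window counter is an
    assumed method; the patent only requires a method predefined by A."""
    mac = hmac.new(secret, struct.pack(">Q", window_index), hashlib.sha256).digest()
    return struct.unpack(">I", mac[:4])[0]

def otp_to_major_minor(otp: int) -> tuple[int, int]:
    """Split the 32-bit OTP across the two 16-bit iBeacon fields Major and Minor."""
    return (otp >> 16) & 0xFFFF, otp & 0xFFFF

def major_minor_to_otp(major: int, minor: int) -> int:
    """Reassemble the OTP from the received Major and Minor values."""
    return ((major & 0xFFFF) << 16) | (minor & 0xFFFF)

class AssignmentPoint:
    """Password assignment point A: knows each device's secret and checks OTPs."""

    def __init__(self, secrets: dict[str, bytes]):
        self.secrets = secrets
        self.consumed: set[tuple[str, int]] = set()  # (device, window) already accepted

    def check(self, device_id: str, otp: int, now: float) -> bool:
        secret = self.secrets.get(device_id)
        if secret is None:
            return False
        current = int(now // WINDOW_SECONDS)
        for window in (current, current - 1):  # tolerate one window of clock skew
            expected = struct.pack(">I", otp_for_window(secret, window))
            if hmac.compare_digest(struct.pack(">I", otp), expected):
                if (device_id, window) in self.consumed:
                    return False  # assumed refinement: a captured OTP is not replayable
                self.consumed.add((device_id, window))
                return True  # consent signal Ok: connection may be established
        return False  # expired or unknown OTP: reject signal

def ms1_advertise(secret: bytes, now: float) -> tuple[int, int]:
    """MS1 side (FIG. 1): OTP for the current window, placed in Major/Minor."""
    return otp_to_major_minor(otp_for_window(secret, int(now // WINDOW_SECONDS)))

def ms2_connect(point: AssignmentPoint, device_id: str, major: int, minor: int, now: float) -> bool:
    """MS2 side (FIG. 2 and 3): forward the received OTP to A, connect only on Ok."""
    return point.check(device_id, major_minor_to_otp(major, minor), now)

def run_scenario() -> tuple[bool, bool, bool]:
    """Fresh OTP accepted; the same OTP replayed rejected; a stale OTP rejected."""
    secret = b"constructed-shared-secret"
    point = AssignmentPoint({DEVICE_ID: secret})
    t0 = 1_700_000_010.0  # constructed clock value at the start of a 30 s window
    major, minor = ms1_advertise(secret, t0)
    fresh = ms2_connect(point, DEVICE_ID, major, minor, t0 + 5)
    replay = ms2_connect(point, DEVICE_ID, major, minor, t0 + 20)
    stale = ms2_connect(point, DEVICE_ID, major, minor, t0 + 3 * WINDOW_SECONDS)
    return fresh, replay, stale
```

The 32-bit budget is exactly what the two 16-bit iBeacon fields offer, which is why the description notes that only a few bytes are reserved for the one-time password.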
Abstract
The present invention relates to a method for establishing a secure communication connection via a radio interface (F) between a first communication device (MS1) and a second communication device (MS2), the method being characterized in that: the distance between the two communication devices is within a range suitable for a point-to-point connection; a processing unit generates a one-time password (OTP) for identifying a first of said communication devices; a transmission device (S) of the same communication device sends the one-time password (OTP) to the other, second communication device for reception; the communication device receiving the one-time password performs or causes a comparison between the one-time password and a check password (ID) and allows a communication connection between said communication devices to be established depending on the result of the comparison. In addition to the method, the present invention relates to an associated communication arrangement and associated communication devices.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102015210614.4 | 2015-06-10 | ||
DE102015210614.4A DE102015210614A1 (de) | 2015-06-10 | 2015-06-10 | Verfahren und Kommunikationseinrichtung zum Herstellen einer sicheren Kommunikationsverbindung |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016198277A1 true WO2016198277A1 (fr) | 2016-12-15 |
Family
- ID: 56119465
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2016/062212 WO2016198277A1 (fr) | 2015-06-10 | 2016-05-31 | Procédé et dispositif de communication pour établir une liaison de communication sécurisée |
Country Status (2)
Country | Link |
---|---|
DE (1) | DE102015210614A1 (fr) |
WO (1) | WO2016198277A1 (fr) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107580001A (zh) * | 2017-10-20 | 2018-01-12 | 珠海市魅族科技有限公司 | 应用登录及鉴权信息设置方法、装置、计算机装置及存储介质 |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110083161A1 (en) * | 2008-06-04 | 2011-04-07 | Takayuki Ishida | Vehicle, maintenance device, maintenance service system, and maintenance service method |
US8832807B1 (en) * | 2010-08-05 | 2014-09-09 | Christine E. Kuo | Method and apparatus for asynchronous dynamic password |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060136739A1 (en) * | 2004-12-18 | 2006-06-22 | Christian Brock | Method and apparatus for generating one-time password on hand-held mobile device |
JP5950691B2 (ja) * | 2012-02-09 | 2016-07-13 | シャープ株式会社 | 情報処理システム、情報処理装置、及び通信接続方法 |
- 2015-06-10 DE DE102015210614.4A patent/DE102015210614A1/de not_active Withdrawn
- 2016-05-31 WO PCT/EP2016/062212 patent/WO2016198277A1/fr active Application Filing
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107580001A (zh) * | 2017-10-20 | 2018-01-12 | 珠海市魅族科技有限公司 | 应用登录及鉴权信息设置方法、装置、计算机装置及存储介质 |
CN107580001B (zh) * | 2017-10-20 | 2021-04-13 | 珠海市魅族科技有限公司 | 应用登录及鉴权信息设置方法、装置、计算机装置及存储介质 |
Also Published As
Publication number | Publication date |
---|---|
DE102015210614A1 (de) | 2016-12-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3138258B1 (fr) | Procédé de génération d'un secret ou d'une clé dans un réseau | |
EP3175384B1 (fr) | Procédé et dispositif de connexion à des appareils médicinaux | |
DE112009000416B4 (de) | Zweiwege-Authentifizierung zwischen zwei Kommunikationsendpunkten unter Verwendung eines Einweg-Out-Of-Band(OOB)-Kanals | |
EP3416140B1 (fr) | Procédé et dispositif d'authentification d'un utilisateur sur un véhicule | |
DE102011016513A1 (de) | Bedrohungsmilderung in einem Fahrzeug-zu-Fahrzeug-Kommunikationsnetz | |
DE102014222222A1 (de) | Verfahren zur Absicherung eines Netzwerks | |
CN106134232A (zh) | 设备到设备发现中的认证 | |
DE102012103106A1 (de) | Verfahren zum Authentifizieren eines Nutzers an einem Dienst auf einem Diensteserver, Applikation und System | |
EP2011302B1 (fr) | Procédé et système d'établissement d'une clé cryptographique sans risque de manipulation | |
WO2012010381A1 (fr) | Procédé pour enregistrer un dispositif de communication sans fil sur un dispositif de base ainsi que système correspondant | |
WO2016198277A1 (fr) | Procédé et dispositif de communication pour établir une liaison de communication sécurisée | |
WO2023217645A1 (fr) | Système d'accès sécurisé | |
DE102014208965A1 (de) | Verfahren zur Authentifizierung eines Netzwerkteilnehmers sowie Netzwerkteilnehmer, Netzwerk und Computerprogramm hierzu | |
DE102015225222A1 (de) | Verfahren zur Erzeugung einer geheimen Wertefolge in einem Gerät abhängig von gemessenen physikalischen Eigenschaften eines Übertragungskanals | |
EP3363145B1 (fr) | Procédé et dispositif permettant de générer un secret partagé | |
WO2011144418A1 (fr) | Procédé de convention protégée d'une clef de sécurité via une interface radio non codée | |
DE102014208974A1 (de) | Verfahren zur Ermittlung einer Information über die Entfernung zwischen zwei Geräten sowie hierzu eingerichtete Geräte und Computerprogramme | |
DE102015221372A1 (de) | Verfahren zur Aktivierung eines Konfigurationsmodus eines Geräts | |
DE102012104955A1 (de) | Verfahren zum kryptographisch gesicherten Beweis der Anwesenheit eines Identity-Tokens im Bereich eines Identity-Sensors sowie Identity-Sensor für ein solches Verfahren | |
DE102023121500A1 (de) | Erkennung eines nicht vertrauenswürdigen konfigurators | |
DE102014222216A1 (de) | Verfahren und Vorrichtung zur Absicherung einer Kommunikation | |
DE102014212229A1 (de) | Verfahren und Vorrichtung zum Authentifizieren eines Mobilgerätes | |
DE102014217330A1 (de) | Verfahren zum Informationsabgleich zwischen Geräten sowie hierzu eingerichtetes Gerät | |
DE102014205331A1 (de) | Sender zum Senden einer Nachricht und Empfänger zum Empfangen einer Nachricht | |
DE102014212226A1 (de) | Verfahren und Vorrichtung zum Koppeln zweier Kommunikationspartner |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16728642; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 16728642; Country of ref document: EP; Kind code of ref document: A1 |