WO2016198277A1 - Procédé et dispositif de communication pour établir une liaison de communication sécurisée - Google Patents

Procédé et dispositif de communication pour établir une liaison de communication sécurisée Download PDF

Info

Publication number
WO2016198277A1
WO2016198277A1 PCT/EP2016/062212 EP2016062212W WO2016198277A1 WO 2016198277 A1 WO2016198277 A1 WO 2016198277A1 EP 2016062212 W EP2016062212 W EP 2016062212W WO 2016198277 A1 WO2016198277 A1 WO 2016198277A1
Authority
WO
WIPO (PCT)
Prior art keywords
password
communication device
communication
time password
otp
Prior art date
Application number
PCT/EP2016/062212
Other languages
German (de)
English (en)
Inventor
Rebecca Johnson
Original Assignee
Siemens Aktiengesellschaft
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Siemens Aktiengesellschaft filed Critical Siemens Aktiengesellschaft
Publication of WO2016198277A1 publication Critical patent/WO2016198277A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/80Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0492Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload by using a location-limited connection, e.g. near-field communication or limited proximity of entities

Definitions

  • the invention relates to a method for establishing a secure communication connection as well as an associated communication arrangement and associated communication devices.
  • iBeacon is a proprietary standard introduced by Apple Inc. Based on iBeacon, a range of services are possible, ranging from closed-space navigation, targeted display of product information at the point of sale (POS) to special offers, guidance of visitor routes when entering a shop, and mobile retail shopping , iBeacon is based on a transmitter-receiver principle. For this purpose, small transmitters (beacons) are placed in the room as signal transmitters, which send signals at fixed time intervals. Is a receiver - z.
  • a mobile communication device e.g.
  • iBeacon in the form of a smartphone with an installed mobile app configured to receive iBeacon signals - within range of a transmitter, the transmitter's UUID (Universally Unique Identifier) can be identified and its signal strength measured.
  • UUID Universally Unique Identifier
  • iBeacons can not normally send push notifications to receivers themselves, collect or store user data. They only send information about their own identity (the values UUID, Major and Minor) within a radius of about 70 meters.
  • the data transmission takes place via the so-called Bluetooth Low Energy (BLE) technology, which works extremely power-saving.
  • BLE Bluetooth Low Energy
  • Bluetooth transmissions are considered tap-proof or secure against unauthorized intrusion only if they are be operated as a connection with multilevel dynamic key assignment. With static key assignment, security is limited. When the key is transmitted, this very part of the communication is particularly at risk because only the successful key exchange protects a connection.
  • data phishing is based on interrupting an existing connection with corresponding interference signals and on persuading subscribers to re-establish an authenticated connection.
  • the attacked must enter their PIN again for the devices used.
  • the subsequent authentication with renegotiation of the connection key can then be intercepted with easily available special hardware and cracked by trying out badly chosen (because, for example, eight-digit numeric) PIN.
  • the attacker is in possession of the secret connection key after a successful attack and can establish any connections to the attacked devices.
  • the attacker needs to know the Bluetooth address of a connected Bluetooth module. This can not be prevented by the "invisibility mode".
  • This attack is possible if the attacker blocks the communication during the Bluetooth pairing process.
  • the attacker re-authenticates and uses too short a PIN. Accordingly, there is no danger for devices which store the keys permanently, because after a connection disruption or a manual reconnection no renewed PIN authentication is triggered, but instead the key stored on both devices is used. To protect against such attacks, it is recommended to register remote stations as rarely as possible with PIN entry. It would be safer to store recognized peers permanently in the respective authentication lists and to deactivate a reauthentication via PIN. Another way to increase security is to use the authentication information on the beacon is regularly overwritten manually with a new authentication information.
  • the invention claims a method for establishing a secure communication connection via a radio interface between a first communication device and a second communication device, wherein the distance between the two communication devices is in a range suitable for a point-to-point connection, wherein a processing unit assigns a one-time password to Identification of a first of said communication devices generated and wherein
  • a transmission device of the same communication device sends the one-time password for reception to the other second communication device
  • the Einmalkennwort receiving communication device performs or causes a comparison between the one-time password and a test password and allows establishing a communication connection between said communication devices depending on the comparison result.
  • the comparison can be carried out directly by the second communication device if the latter has passed the test code. knows word.
  • the second communication device may receive the verification password from a password assigned directly or remotely to it.
  • the comparison can also be made by a password assignment office or another authority that identifies the check password.
  • the body performing the comparison causes the communication link to be established by the second and / or first communication device.
  • the one-time password can be generated according to a method specified by the password proxy.
  • the one-time password and / or the test password can only be valid within a predefinable time window.
  • the generating or generating and / or sending of the one-time password and the comparison with the check password can be synchronized in a time-controlled and / or event-controlled manner. This makes sense that if a new one-time password is to be generated after expiry of the validity of the previous one-time password, the generation and / or transmission of the one-time password should be synchronized with the valid check password.
  • the sending communication device can have a functionality of a so-called IBeacon.
  • the parameters Major and / or Minor of the IBeacon protocol can be used.
  • a further aspect of the invention is a communication arrangement for establishing a secure communication connection via a radio interface between a first communication device and a second communication device, wherein the distance between the two communication devices lies in a range suitable for a point-to-point connection :
  • a processing unit for generating a one - time password for identifying a first of the two communication devices and a transmission unit of the same communication device for transmitting the one-time password for reception at the other second communication device
  • the communication device receiving the one-time password comprises a receiving unit for obtaining a comparison result from the comparison between the one-time password and a check password, which unit may allow a communication connection between the said communication devices to be established depending on the result of the comparison.
  • a further aspect of the invention is a communication device comprising means for establishing a secure point-to-point communication connection via a radio interface: a receiving unit for receiving a one-time password and
  • a further receiving unit for obtaining a comparison result from the comparison between the one-time password and a test password, which may allow depending on the comparison result to establish a communication connection to another communication device.
  • a further aspect of the invention is a communication device with means for establishing a secure point-to-point communication connection via a radio interface, comprising:
  • a processing unit for generating a one-time password for identifying the communication device
  • a transmitting device for transmitting the one-time password for reception at another communication device.
  • the communication arrangement and the communication devices for establishing a secure communication connection have means or modules for carrying out the above-mentioned method, wherein these may each be pronounced in terms of hardware and / or software or as a computer program or computer program product.
  • a further aspect of the invention may be a computer program or a computer program product with means for carrying out the method and its mentioned embodiments, if the computer program (product) within said communication arrangement or on at least one of said
  • the communication arrangement and the communication devices as well as the computer program (product) can be further developed in the same way as the method.
  • the invention has the following advantages: A secure communication connection between communication devices / devices or in mutual radio range can be established. Pinging or taking along the pairing password is made more difficult by the fact that the one-time password used loses its validity.
  • the invention can be used in particular for devices with a small storage capacity, such as an IBeacon, since only a few bytes are reserved for the one-time password.
  • the figure shows a schematic representation of a communication between a first MSI and a second mobile station MS2.
  • a mobile station MSI intends to establish a communication connection (see FIG. 4) via a radio interface F, which in the example is preferably designed as a Bluetooth interface, to a mobile station MS2.
  • Each communication partner can be designed as a mobile station, but also as fixed communication devices.
  • At least one of the mobile stations, preferably MSI should in this case be equipped with suitable input means or acquisition units (eg microphone for audio, camera K for pictures or video, keyboard for text, etc.) and capable of being connected to a network participate.
  • suitable input means or acquisition units eg microphone for audio, camera K for pictures or video, keyboard for text, etc.
  • the group of potential communication partners is preferably in a range suitable for a point-to-point connection.
  • this range is - as already mentioned - up to about 70 meters or something more.
  • Communication is not limited to a point-to-point connection. It can also include a point-to-multipoint connection. In the example, there would be more mobile stations.
  • a spontaneous ad hoc network can be established between the mobile stations MSI and MS2 (e.g., via Bluetooth or WLAN in the MAN (mobile ad-hoc network)) or a mobile station e.g. MS2 provides a hotspot available in which other mobile stations not shown in the figure can dial.
  • a user wants to initiate a secure interaction or communication connection with his mobile station MSI, then the mobile station MSI transmits with its transmission unit S to the mobile station MS2 (see FIG. 1) a one-time password OTP which, for example, is only approx .30 seconds is valid.
  • a processing unit for generating such a one-time password is integrated. The generation of a one-time password can in this case take place according to a method or an algorithm which is known or predefined by the password assignment point A. becomes.
  • This processing unit for generating the one-time password and the transmitting unit S may be in the form of an IBeacon. When using the IBeacon protocol, the Major and / or Minor parameters are used to send the one-time password.
  • the password assignment point A can be pronounced as server.
  • a one-time password or one-time password is generated for a specific time window, which then expires after this time window expires.
  • the one-time password is then sent to the mobile station MS2.
  • the receiving unit (E) integrated there is designed to forward the one-time password to the password assignment point (see 2).
  • the password proxy compares the one-time password with a check password ID and, depending on the comparison result, sends a consent signal Ok (see FIG. 3) for establishing the communication connection (see FIG. 4) to the mobile station MS2 or, if appropriate, a reject signal that no communication connection is established.
  • the mobile station MS2 receives a check password list from the password assignment point A and compares it with the one-time password itself. Depending on the result of the comparison, the communication link between MSI and MS2 can then be established (see 4).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

La présente invention concerne un procédé pour établir une liaison de communication sécurisée par le biais d'une interface radio (F) entre un premier dispositif de communication (MS1) et un second dispositif de communication (MS2), le procédé étant caractérisé en ce que : - la distance entre les deux dispositifs de communication est dans une portée convenant à une liaison point à point ; - une unité de traitement génère un mot de passe à usage unique (OTP) pour l'identification d'un premier dispositif parmi lesdits dispositifs de communication ; - un dispositif d'émission (S) du même dispositif de communication envoie le mot de passe à usage unique (OTP) à l'autre second dispositif de communication aux fins de réception ; - le dispositif de communication recevant le mot de passe à usage unique effectue ou fait effectuer une comparaison entre le mot de passe à usage unique et un mot de passe de vérification (ID) et autorise l'établissement d'une liaison de communication entre lesdits dispositifs de communication en fonction du résultat de la comparaison. En plus du procédé, la présente invention concerne un agencement de communication associé et des dispositifs de communication associés.
PCT/EP2016/062212 2015-06-10 2016-05-31 Procédé et dispositif de communication pour établir une liaison de communication sécurisée WO2016198277A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102015210614.4 2015-06-10
DE102015210614.4A DE102015210614A1 (de) 2015-06-10 2015-06-10 Verfahren und Kommunikationseinrichtung zum Herstellen einer sicheren Kommunikationsverbindung

Publications (1)

Publication Number Publication Date
WO2016198277A1 true WO2016198277A1 (fr) 2016-12-15

Family

ID=56119465

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2016/062212 WO2016198277A1 (fr) 2015-06-10 2016-05-31 Procédé et dispositif de communication pour établir une liaison de communication sécurisée

Country Status (2)

Country Link
DE (1) DE102015210614A1 (fr)
WO (1) WO2016198277A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107580001A (zh) * 2017-10-20 2018-01-12 珠海市魅族科技有限公司 应用登录及鉴权信息设置方法、装置、计算机装置及存储介质

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110083161A1 (en) * 2008-06-04 2011-04-07 Takayuki Ishida Vehicle, maintenance device, maintenance service system, and maintenance service method
US8832807B1 (en) * 2010-08-05 2014-09-09 Christine E. Kuo Method and apparatus for asynchronous dynamic password

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060136739A1 (en) * 2004-12-18 2006-06-22 Christian Brock Method and apparatus for generating one-time password on hand-held mobile device
JP5950691B2 (ja) * 2012-02-09 2016-07-13 シャープ株式会社 情報処理システム、情報処理装置、及び通信接続方法

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110083161A1 (en) * 2008-06-04 2011-04-07 Takayuki Ishida Vehicle, maintenance device, maintenance service system, and maintenance service method
US8832807B1 (en) * 2010-08-05 2014-09-09 Christine E. Kuo Method and apparatus for asynchronous dynamic password

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107580001A (zh) * 2017-10-20 2018-01-12 珠海市魅族科技有限公司 应用登录及鉴权信息设置方法、装置、计算机装置及存储介质
CN107580001B (zh) * 2017-10-20 2021-04-13 珠海市魅族科技有限公司 应用登录及鉴权信息设置方法、装置、计算机装置及存储介质

Also Published As

Publication number Publication date
DE102015210614A1 (de) 2016-12-15

Similar Documents

Publication Publication Date Title
EP3138258B1 (fr) Procédé de génération d'un secret ou d'une clé dans un réseau
EP3175384B1 (fr) Procédé et dispositif de connexion à des appareils médicinaux
DE112009000416B4 (de) Zweiwege-Authentifizierung zwischen zwei Kommunikationsendpunkten unter Verwendung eines Einweg-Out-Of-Band(OOB)-Kanals
EP3416140B1 (fr) Procédé et dispositif d'authentification d'un utilisateur sur un véhicule
DE102011016513A1 (de) Bedrohungsmilderung in einem Fahrzeug-zu-Fahrzeug-Kommunikationsnetz
DE102014222222A1 (de) Verfahren zur Absicherung eines Netzwerks
CN106134232A (zh) 设备到设备发现中的认证
DE102012103106A1 (de) Verfahren zum Authentifizieren eines Nutzers an einem Dienst auf einem Diensteserver, Applikation und System
EP2011302B1 (fr) Procédé et système d'établissement d'une clé cryptographique sans risque de manipulation
WO2012010381A1 (fr) Procédé pour enregistrer un dispositif de communication sans fil sur un dispositif de base ainsi que système correspondant
WO2016198277A1 (fr) Procédé et dispositif de communication pour établir une liaison de communication sécurisée
WO2023217645A1 (fr) Système d'accès sécurisé
DE102014208965A1 (de) Verfahren zur Authentifizierung eines Netzwerkteilnehmers sowie Netzwerkteilnehmer, Netzwerk und Computerprogramm hierzu
DE102015225222A1 (de) Verfahren zur Erzeugung einer geheimen Wertefolge in einem Gerät abhängig von gemessenen physikalischen Eigenschaften eines Übertragungskanals
EP3363145B1 (fr) Procédé et dispositif permettant de générer un secret partagé
WO2011144418A1 (fr) Procédé de convention protégée d'une clef de sécurité via une interface radio non codée
DE102014208974A1 (de) Verfahren zur Ermittlung einer Information über die Entfernung zwischen zwei Geräten sowie hierzu eingerichtete Geräte und Computerprogramme
DE102015221372A1 (de) Verfahren zur Aktivierung eines Konfigurationsmodus eines Geräts
DE102012104955A1 (de) Verfahren zum kryptographisch gesicherten Beweis der Anwesenheit eines Identity-Tokens im Bereich eines Identity-Sensors sowie Identity-Sensor für ein solches Verfahren
DE102023121500A1 (de) Erkennung eines nicht vertrauenswürdigen konfigurators
DE102014222216A1 (de) Verfahren und Vorrichtung zur Absicherung einer Kommunikation
DE102014212229A1 (de) Verfahren und Vorrichtung zum Authentifizieren eines Mobilgerätes
DE102014217330A1 (de) Verfahren zum Informationsabgleich zwischen Geräten sowie hierzu eingerichtetes Gerät
DE102014205331A1 (de) Sender zum Senden einer Nachricht und Empfänger zum Empfangen einer Nachricht
DE102014212226A1 (de) Verfahren und Vorrichtung zum Koppeln zweier Kommunikationspartner

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16728642

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16728642

Country of ref document: EP

Kind code of ref document: A1