WO2021151760A1 - Système de chiffrement et procédé - Google Patents

Système de chiffrement et procédé Download PDF

Info

Publication number
WO2021151760A1
WO2021151760A1 PCT/EP2021/051222 EP2021051222W WO2021151760A1 WO 2021151760 A1 WO2021151760 A1 WO 2021151760A1 EP 2021051222 W EP2021051222 W EP 2021051222W WO 2021151760 A1 WO2021151760 A1 WO 2021151760A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
node
data
encryption
recipient
Prior art date
Application number
PCT/EP2021/051222
Other languages
English (en)
Inventor
Wilhelm VORTISCH
Duc Ngoc Matthias SCHNEEWEISS
Original Assignee
Now-I-Trust Gmbh
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Now-I-Trust Gmbh filed Critical Now-I-Trust Gmbh
Publication of WO2021151760A1 publication Critical patent/WO2021151760A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/067Network architectures or network communication protocols for network security for supporting key management in a packet data network using one-time keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002Countermeasures against attacks on cryptographic mechanisms
    • H04L9/003Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/061Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying further key derivation, e.g. deriving traffic keys from a pair-wise master key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/07User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail characterised by the inclusion of specific contents
    • H04L51/18Commands or executable codes

Definitions

  • the present invention relates to a system and a method for securely encrypting data and/or messages.
  • E-mails are cornerstones of the exchange of information and data in private as well as in the professional area. Companies use e-mail not only for external communication, for example with customers or business partners, but also for uncomplicated internal communication, for example to share files among colleagues. Besides the e-mail there is no communication medium that offers comparable advantages and is yet easily accessible for laypersons.
  • the encryption of means of communication is most secure when the sender uses encryption and the recipient performs the decryption.
  • E2EE end-to-end encryption
  • Any other encryption method - for example, if the encryption or decryption takes place on a server - is insecure, because then a part of the communication would have to be unencrypted, i.e. from the sender to the server and/or from the server to the recipient.
  • it is a mandatory prerequisite for secure encryption of email that it is performed end-to-end and is client-based - then is called a zero-knowledge encryption.
  • US 9819485 B2 A discloses a device that incorporates the subject disclosure may perform, for example, receiving a derived encryption key from a remote management server without receiving a master key from which the derived encryption key was generated, applying a one-way function to the derived encryption key and a nonce to generate a temporary encryption key, obtaining data for transmission to a recipient device, encrypting the data using the temporary encryption key to generate encrypted data, and providing the encrypted data over a network to the recipient device.
  • US9002018B2 discloses a computer-implemented key exchange system and methods for improving the usability of encryption technologies such as Public Key Infrastructure (PKI).
  • PKI Public Key Infrastructure
  • One aspect of the present invention includes registering users, verifying user identity, and classifying users such that the users may send a communication such that communication recipients can verify the user identity and classification of the communication sender.
  • Another aspect of the present invention includes users initiating relationships with other users, approving the establishment of relationships, and exchanging encryption keys between users after the establishment of a relationship.
  • the most secure one is the asymmetric encryption:
  • the recipient of a message has a so-called private key, which only he can access has access.
  • a so-called public key is derived from the private key, which it communicates to each person, who should be able to send him an encrypted message.
  • a sender then encrypts the message with the public key of the recipient and transmits the encrypted message.
  • the private key - and only this specific private key - the recipient now decrypts the message.
  • PGP Pretty Good Privacy
  • Reddoxx GmbH has developed another product, namely Reddcrypt7. This is about a Zero-Knowledge email encryption.
  • the private key is stored on the server of the provider, which represents a major security risk. It's one of the basics of cryptography that one should never share a private key - but this product requires this.
  • a system for managing encryption of data submitted by a sender node and decryption of the data received by a recipient node comprises a key generator.
  • the key generator is configured for automatically generating a decryption key and at least one corresponding encryption key.
  • the system further comprises a key managing component.
  • the system also comprises a communication component.
  • the communication component may be configured for securely submitting the encryption key to the key managing component.
  • the key managing component is configured for providing the encryption key upon request of the sender node at the key managing component and the authentication the sender node and the recipient node.
  • the key generator may be remotely located with respect to the network node.
  • the key generator may be a computer or a computer program product equipped with cryptographic protocols.
  • the key generator may further comprise a plug-in, add-in, add-on which can be supported by at least one of sender node terminal and recipient node terminal. This may be particularly advantageous when the encryption and/or the decryption key is generated locally at the sender node and/or the recipient node. This will eliminate any insecure key exchange.
  • the recipient node terminal and/or the sender node terminal may comprise a memory component such as, main memory (e.g. RAM), cache memory (e.g. SRAM) and/or secondary memory (e.g. HDD, SDD).
  • main memory e.g. RAM
  • cache memory e.g. SRAM
  • secondary memory e.g. HDD, SDD
  • the receiver and/or the sender node terminal may be configured to store the decryption and/or the encryption key, preferably using the memory component.
  • the sender and/or the recipient node terminal may also comprise at least of
  • an output user interface such as: o screens or monitors configured to display visual data (e.g. displaying graphical user interfaces of the questionnaire to the user), o speakers configured to communicate audio data (e.g. playing audio data to the user),
  • o camera configured to capture visual data (e.g. capturing images and/or videos of the user), o microphone configured to capture audio data (e.g. recording audio from the user),
  • keyboard configured to allow the insertion of text and/or other keyboard commands (e.g. allowing the user to enter text data and/or another keyboard
  • the key generator may be configured to generate the corresponding encryption key for each decryption key, preferably by using the respective decryption key as a scalar.
  • the key generator may further be equipped with symmetric- key algorithms (such as DES and AES) and public key algorithms (such as RSA).
  • symmetric- key algorithms such as DES and AES
  • public key algorithms such as RSA
  • the encryption and/or decryption key may comprise a cryptographic key, which may be a string of data that may be used to lock or unlock a cryptographic function.
  • the key generator may be configured for generating the encryption key and the at least one corresponding decryption key associated with the at least one of sender node and recipient node. This may be facilitated by encoding a personal ID of the sender node and/or the recipient node in the keys.
  • the key generator may also comprise a linear-feedback shift register (LFSR).
  • the key generator may be configured for generating at least one digital signature associated with the sender node terminal.
  • the sender node may further be configured to encrypt at least one message using the digital signature in combination with the encryption key.
  • the recipient node nay be configured for decrypting the message using the decryption key.
  • the system may be configured to add a new sender node in the system through a registration process.
  • the system may further be configured to add a new recipient node in the system through the registration process.
  • the registration process is initiated by a node at a node terminal.
  • the node acts as a sender node if the node terminal of the respective node requests the key managing component for an encryption key of a second node.
  • the second node may already be added to the system via the registration process.
  • the second node in this case become the recipient node.
  • the recipient node can be the sender node and the sender node can be the recipient node based on the request sent at the key managing component.
  • the key managing component is configured for receiving node data, preferably node identification data, such as personal data, associated with the sender and recipient node during the registration process.
  • the node data may also comprise audio samples, visual samples.
  • the audio samples such as a voice command.
  • the system may be configured with an automatic speech recognition component.
  • the visual samples such an image or video data.
  • the visual sample may comprise a visual representation of facial features, or a physical identification document, such as passport, or biometric data, such as finger prints, iris, palm print, hand geometry.
  • the system may be configured with computer vision technology, preferably equipped with artificial intelligence.
  • the node data may also comprise the encryption key.
  • the system may further comprise the key managing component configured for prompting the sender node and/or the recipient node for node data, and the respective node provides the node data.
  • the system may further provide a storing unit configured to store the node data.
  • the sender node and/or the recipient node may be configured to automatically input the node data into the sender node terminal and/or the recipient node terminal respectively.
  • the sender node terminal and/or the recipient node terminal may be configured to enable a bilateral data exchange with the key managing component, preferably using the communication component.
  • the key managing component may further be configured to receive the node data and storing the node data in a storage unit.
  • the system may be configured to install the communication component locally art the key managing component.
  • the communication component may comprise a transmitter, such as a radio wave transmitter.
  • the communication component may comprise a physical transmission medium such as a wire, or a logical connection.
  • the communication may further comprise a communication protocol, equipped with WLAN, Bluetooth, etc.
  • the storage unit may comprise a cloud storage unit.
  • the storage unit may further comprise a physical database configured to store the node data.
  • the storage unit may be configured to store electronic documents, barcodes, machine readable data, etc.
  • the storage unit may be singular or plural, and may be, but not limited to, a volatile or non-volatile memory, such as a random access memory (RAM), Dynamic RAM (DRAM), Synchronous Dynamic RAM (SDRAM), static RAM (SRAM), Flash Memory, Magneto-resistive RAM (MRAM), Ferroelectric RAM (F-RAM), or Parameter RAM (P-RAM).
  • the storage unit may further be configured for storing node data for a pre-determined time.
  • the system may notify the node in advance to renew the node data before deleting it from the storage unit.
  • the pre determined time may be from 6 weeks to a year.
  • the node may further be able to input the time using the node terminal.
  • the communication component may further be configured for submitting the encryption key from the key generator to the key managing component.
  • the communication component may be a remote communication component configured to enable a data exchange between the key generator and the key managing component.
  • the communication component may comprise a local communication component equipped at the key generator and/or the key managing component.
  • the key managing component may be placed on a remote or a local server.
  • the key managing component may be a computer program product or a device.
  • the communication component may be configured for submitting the encryption key to the key managing component via an encrypted chancel, such as an encrypted communication channel.
  • the key managing component may comprise an authenticating unit.
  • the authenticating unit may further be configured to access the node data in the storage unit.
  • the key managing component and the storage unit may be on the same network device.
  • the authenticating unit may further be configured for verifying recipient node associated with the encryption key.
  • the verifying may comprise the authenticating unit pulling the node data from the node and matching it with the node data stored in the storage unit.
  • the node data stored in the storage unit may comprise the node data collected during the registration process of the node.
  • the authenticating unit may further be configured to block a node if the input node data does not match the stored node data.
  • the authenticating unit may be configured to prompt the blocked node to renew the node data by participating in the registration process and generate a new encryption key.
  • the authenticating unit may comprise a scheduling component.
  • the scheduling component may be configured for automatically determining a time interval for verifying recipient node associated with the encryption key.
  • the time-interval may be determined based on a number of times the encryption key is requested at the sender node terminal. This is particularly advantageous as there are higher risks of being hacked when multiple users have the key.
  • the time interval may comprise a time between 1 week to 1 year.
  • the authenticating unit may further be configured for a periodic visual identification of a recipient.
  • the visual identification may comprise sharing live video data, preferably via the recipient terminal.
  • the visual identification may further comprise identification and authentication on HTTP based networks, such as by using identity verification platform for example IDnow and alike.
  • the recipient node may be configured to share the at least one node data and visual identification data to a proxy node.
  • the recipient node may further be configured to share the node data and/or the visual identification data to the proxy node, preferably by network synchronization or via the LDAP directory.
  • the proxy node may comprise a plurality of nodes.
  • the proxy node may further be configured to send the node data to the key managing component, preferably using batch processing.
  • the key managing component may further comprise a public key infrastructure.
  • the key managing component may further be configured to operate on a distributed decentralized network, such as blockchain.
  • the key managing component may further comprise a key storage unit.
  • the key storage unit may further be configured to store the encryption key associated with the recipient only after the verification by the authenticating unit, preferably in key-value database.
  • system may be configured to enable an access of the recipient node to the encryption key stored in the key storage unit only after the verification process by the authenticating unit.
  • key managing component is configured for registering the recipient node prior to the verification by the authenticating unit.
  • the key managing component may further be configured for automatically pulling the node data from the recipient node terminal.
  • the key managing component may further be configured to activate a smart contract with the recipient node.
  • the smart contract may comprise at least one conditions in the agreement, preferably, renewing the encryption key within a pre-determined time interval.
  • the key managing component may be configured to access the conditions in the agreement and scheduling component may be configured to notify the node at least 3-20 days in prior to the time interval ends.
  • the time interval may comprise between 1 week to 1 year.
  • the key managing component may further be configured to prompt the at least one of recipient node and key generator to submit a renewed encryption key according to the smart contract.
  • the key managing component may be configured for providing the encryption key to the sender node only after identification and registration of the sender node, via the registration process.
  • the key managing component is operated on a distributed decentralized network which may be implement by the blockchain technology.
  • the sender node prompting for the encryption key may also be embedded in blockchain documentation.
  • the decryption and/or encryption key may be configured to be renewed by the key managing component when an attempt of hack of a key storage is detected.
  • the attempt of hack may comprise at least one of Son force attack and side channel attack and physical access of the key management component and replay attack.
  • the recipient node terminal may be configured to input a command to renew the encryption and/or the decryption key to the key managing component, such as manual trigger.
  • the recipient node may further be configured to determine a key renewal routine.
  • the recipient node terminal may further be configured to input a command to the key managing component to renew the decryption key associated with the respective recipient node. This may be advantageous in a case where a recipient suspects of a key hack.
  • the user can also follow their own schedule routine, for example 'renew the keys on my birthday'. This can be an audio input recognized by the authenticating unit.
  • the key generator may be configured to determine more than one decryption key(s) from one encryption key.
  • the key managing component may comprise a computing unit, wherein for each computing unit the respective authenticating unit, that the computing unit may be configured to access may be integrated into a single device.
  • the device can be a system-on-chip comprising processing units, memory components and busses.
  • the device can be a personal computer, a laptop, a pocket computer, a smartphone, a tablet computer.
  • the device can be a server.
  • the device can be a processing unit or a system- on-chip that can be interfaced with a personal computer, a laptop, a pocket computer, a smartphone, a tablet computer and/or user interface (such as the upper-mentioned user interfaces).
  • the key managing component may comprise the computing unit, wherein for each computing unit the respective storage unit, that the computing unit is configured to access, may be integrated into a single device.
  • the device can be a system- on-chip comprising processing units, memory components and busses.
  • the device can be a personal computer, a laptop, a pocket computer, a smartphone, a tablet computer.
  • the device can be a server.
  • the device can be a processing unit or a system-on-chip that can be interfaced with a personal computer, a laptop, a pocket computer, a smartphone, a tablet computer and/or user interface (such as the upper-mentioned user interfaces).
  • key managing component may comprise the computing unit, wherein for each computing unit the respective storage unit and the authenticating unit and the key storage unit, that the computing unit is configured to access, may be integrated into a single device.
  • the device can be a system-on-chip comprising processing units, memory components and busses.
  • the device can be a personal computer, a laptop, a pocket computer, a smartphone, a tablet computer.
  • the device can be a server.
  • the device can be a processing unit or a system-on-chip that can be interfaced with a personal computer, a laptop, a pocket computer, a smartphone, a tablet computer and/or user interface (such as the upper-mentioned user interfaces).
  • the device can further comprise processor can be provided and may be singular or plural, and may be, but not limited to, a CPU, GPU, DSP, APU, or FPGA.
  • the memory 26 may be singular or plural, and may be, but not limited to, being volatile or non-volatile, such an SDRAM, DRAM, SRAM, Flash Memory, MRAM, F-RAM, or P-RAM.
  • the device can comprise means of data processing, such as, processor units, hardware accelerators and/or microcontrollers.
  • the device can comprise memory components, such as, main memory (e.g. RAM), cache memory (e.g. SRAM) and/or secondary memory (e.g. HDD, SDD).
  • the device can comprise busses configured to facilitate data exchange between components of the device, such as, the communication between the memory components and the processing components.
  • the device can comprise network interface cards that can be configured to connect the data processing device to a network, such as, to the Internet.
  • a key managing component which may comprise instructions executable by a computer
  • the computer may have one or more physical central processing units, wherein the instructions when executed, may cause the computer to perform operations for registering a device to a computer system, the computer system comprising a blockchain and a key storage unit, wherein the key storage unit may be an add-on database to the blockchain, wherein the key storage unit can be modified using an authenticating protocol, the authenticating protocol may comprise at least one of receiving from the device, identification data and an encryption key and generating a first blockchain transaction, wherein the first blockchain transaction adds the identification data and the encryption key to a first block, and adds the first block to a blockchain, further adds the encryption key and the identification data to the key storage unit.
  • the key managing component may further be configured for transmitting to the device an instruction to generate a new encryption key after a pre-determined time interval.
  • the invention discloses a method which may comprise managing encryption of data submitted by a sender node and decryption of the data received by a recipient node. The method may further comprise automatically generating a decryption key and at least one corresponding encryption key. Furthermore, the method may comprise securely submitting the encryption key to a key managing component. The method also comprises the step of providing the encryption key upon request of the sender node at the key managing component and the identification of the sender node.
  • the system as described may further be configured to carry out the method according to the method embodiments.
  • the present invention also refers to a use of the system according to any of the preceding system or method embodiments for carrying out the method according to any of the preceding method embodiments.
  • the present invention also covers a computer related product for carrying out the method according to any of the preceding method embodiments.
  • a node terminal device may comprise a sender node terminal device and/or a recipient node terminal device.
  • the invention tries to improve the art by combining techniques and further boosting the outcome by a machine-learning approach in combination with the blockchain technology.
  • SI. System for managing encryption of data submitted by a sender node (10) and decryption of the data received by a recipient node (11,12), comprising: a. a key generator (3) configured for automatically generating a decryption key (5) and at least one corresponding encryption key; b. a key managing component (1); c. a communication component (4) configured for securely submitting the encryption key (5) to the key managing component (1); and d. wherein the key managing component (1) is configured for providing the encryption key (5) upon request of the sender node (10) at the key managing component (1) and the authentication of the sender node (10) and the recipient node (11,12).
  • the key generator is configured to generate the corresponding encryption key for each decryption key, preferably by using the respective decryption key as a scalar.
  • the key generator (3) is configured for generating the encryption key (5) and the corresponding decryption key associated with at least one of the sender node (10) and the recipient node (12,13).
  • LFSR linear-feedback shift register
  • RSA Rivest-Shamir-Adleman
  • the key managing component is configured to receive node data, preferably node identification data, such as personal data, associated with the sender and recipient node during the registration process.
  • node data preferably node identification data, such as personal data
  • the storage unit further comprises a database configured to store node data for a pre-determined time.
  • System according to any of the preceding system embodiments further comprising the communication component (4) configured for submitting the encryption key (5) from the key generator (3) to the key managing component (1).
  • System according to any one of the preceding embodiments further comprising the communication component (4) configured for submitting the encryption key (5) to the key managing component (1) via an encrypted channel.
  • the key managing component (1) comprises an authenticating unit.
  • the authenticating unit is configured to access the node data stored in the storage unit.
  • scheduling component is configured for automatically determining a time-interval for verifying recipient node associated with the encryption key.
  • time-interval is determined based on a number of times the encryption key is requested at the sender node terminal.
  • time-interval configured to be between 1 week to 1 year.
  • System according to any of the preceding embodiments wherein the visual identification of a recipient comprises the recipient sharing live video data, preferably via the recipient terminal to the key managing component.
  • System according to the preceding embodiment wherein the visual identification comprises identification and authentication on HTTP based networks.
  • the recipient node is configured to share the at least one of node data and visual identification data to a proxy node.
  • the recipient node is configured to share the node data and/or the visual identification data to the proxy node, preferably by network synchronization or via the LDAP directory.
  • the key managing component (1) comprises a public key infrastructure (PKI).
  • PKI public key infrastructure
  • the key storage unit is configured for storing the encryption key associated with the recipient after the verification by the authenticating unit, preferably in key-value database.
  • the smart contract comprises at least one conditions in the agreement, preferably renewing the encryption key within a pre-determined time interval.
  • the key managing component (1) is configured to prompt the at least one of recipient node and key generator to submit a renewed encryption key, according to the smart contract.
  • System according to the preceding embodiment wherein the attempt of hack comprises at least one of Son force attack and side channel attack and physical access of the key management component and replay attack.
  • each key managing component comprises a computing unit, wherein for each computing unit the respective authenticating unit, that the computing unit is configured to access, are integrated into a single device.
  • each key managing component comprises the computing unit, wherein for each computing unit the respective storage unit, that the computing unit is configured to access, are integrated into a single device.
  • each key managing component comprises the computing unit, wherein for each computing unit the respective storage unit and the authenticating unit and the key storage unit, that the computing unit is configured to access, are integrated into a single device.
  • key managing component embodiments will be discussed. These embodiments are abbreviated by the letter “K” followed by a number. Whenever reference is herein made to “key managing component embodiments”, these embodiments are meant.
  • a key managing component comprising instructions executable by a computer, the computer having one or more physical central processing units, wherein the instructions when executed, cause the computer to perform operations for registering a device to a computer system, the computer system comprising a blockchain and a key storage unit, wherein the key storage unit is an add-on database to the blockchain, wherein the key storage unit is modified using an authenticating protocol, the authenticating protocol comprising: a. receiving from the device, identification data and an encryption key, b. generating a first blockchain transaction, wherein the first blockchain transaction adds the identification data and the encryption key to a first block, and adds the first block to a blockchain, further adds the encryption key and the identification data to the key storage unit.
  • the key managing component according to the preceding embodiment further configured for transmitting to the device an instruction to generate a new encryption key after a pre-determined time interval.
  • Ml Method for managing encryption of data submitted by a sender node (10) and decryption of the data received by a recipient node (11,12), the method comprising the steps of: a. automatically generating a decryption key (5) and at least one corresponding encryption key; b. securely submitting the encryption key (5) to a key managing component (1); and c. providing the encryption key (5) upon request of the sender node (11,12) at the key managing component (1) and the identification of the sender node (12,13).
  • M2. Method according to the preceding method embodiment wherein the encryption key (5) and the decryption key are automatically generated remotely to the key managing component by a key generator (3).
  • Method according to any of the preceding embodiments wherein the method comprises the step of generating the encryption key for each decryption key, preferably by using the respective decryption key as a scalar.
  • Methods further comprises the step of automatically associating exactly one encryption key and exactly one decryption key with the at least one of sender node and the recipient node.
  • Method according to any of the preceding embodiments wherein the method comprises generating at least one digital signature associated with each sender node terminal.
  • node data preferably node identification data, such as personal data
  • Method according to any of the preceding embodiments comprises prompting at least one of the sender node and recipient node and at least one sender node and recipient node providing the node data to the key managing component.
  • Method according to any of the preceding embodiments comprises automatically inputting the node data via at least one sender node terminal and recipient node terminal.
  • Method according to any of the preceding embodiments comprises enabling a bilateral data exchange between at least one of the sender node terminal and recipient node terminal and the key managing component.
  • Method according to any of the preceding embodiments wherein the method comprises the step of submitting the encryption key from the key generator to the key managing component via an encrypted channel.
  • Method according to any of the preceding embodiments wherein the method comprises accessing the node data stored in the storage unit via an authenticating unit.
  • Method according to any of the preceding embodiments wherein the method comprises determining a time interval for verifying recipient node associated with the encryption key.
  • Methods comprises sharing the node and/or the visual identification data to a proxy node, preferably via network synchronization or via the LDAP directory.
  • the key managing component (1) comprises a public key infrastructure (PKI).
  • PKI public key infrastructure
  • program embodiments will be discussed. These embodiments are abbreviated by the letter “P” followed by a number. Whenever reference is herein made to “program embodiments”, these embodiments are meant.
  • a computer program product comprising instructions, which, when the program is executed by a node terminal device, causes a node terminal device to perform the method steps according to any method embodiment, which have to be executed on the node terminal device, wherein the node terminal device is according to any system embodiment that comprises a node terminal that is compatible to said method embodiment.
  • a computer program product comprising instructions, which, when the program is executed by a combination of a server and a node terminal device, cause the node terminal device and the server to perform the method steps according to any method embodiment, which have to be executed on the server and the node terminal device, wherein the node terminal device and the server is according to any system embodiment that comprises a sever and/or the node terminal device that is compatible to said method embodiment.
  • a computer program product comprising instructions, which, when the program is executed by a server, cause the server to perform the method steps according to any method embodiment, which have to be executed on the server, wherein the server is according to any system embodiment that comprises a server that is compatible to said method embodiment.
  • Fig. 1 schematically exemplifies an embodiment of a workflow between components according to the present invention
  • Fig. 2 schematically exemplifies a method according to the present invention
  • Fig. 3 exemplifies a computer implement product according to the present invention.
  • Fig. 1 schematically depicts an embodiment of a method and components of a respective system configured for carrying out the method.
  • the key generator 3 may be configured to generate at least one corresponding encryption key 5 for each decryption key 5, preferably by using the respective decryption key as a scalar.
  • the key generator 3 may further be equipped with symmetric-key algorithms (such as DES and AES) and public key algorithms (such as RSA).
  • symmetric-key algorithms such as DES and AES
  • public key algorithms such as RSA
  • the encryption and/or decryption key 5 may comprise a cryptographic key, which may be a string of data that may be used to lock or unlock a cryptographic function.
  • the key generator 3 may be placed remotely.
  • the key generator 3 may be a plug-in key generator which can be plugged it at a recipient node 10 and/or a sender node 11,12. The key generator 3 may be then transmitting the encryption key 5 to a key managing component 1, preferably via a communication component 4.
  • the communication component 5 may be an encrypted communication channel.
  • the key managing component 1 may comprise a storage unit and further a key storage unit 2.
  • the storage unit may be singular or plural, and may be, but not limited to, a volatile or non-volatile memory, such as a random access memory (RAM), Dynamic RAM (DRAM), Synchronous Dynamic RAM (SDRAM), static RAM (SRAM), Flash Memory, Magneto-resistive RAM (MRAM), Ferroelectric RAM (F-RAM), or Parameter RAM (P-RAM).
  • the storage unit may further be configured for storing node data for a pre-determined time.
  • the key managing component 1 may be storing the generated encryption key and/or the decryption key 5 on the key storage unit 2.
  • the key managing component 3 may further be configured to operate on a distributed decentralized network, such as blockchain.
  • the key storage 2 unit may further be configured to store the encryption key 5 associated with the recipient and/or sender 10-12 only after the verification by the authenticating unit, preferably in key-value database.
  • the sender node 11-12 can also be configured to request the key managing component 1 for the encryption key 5, which can be stored on a distributed ledger.
  • the step SI can comprise registering of a user.
  • the user may comprise a sender node and/or a recipient node 10-12.
  • the registering of the user SI can be facilitated by the key managing component 1.
  • the key managing component 1 can then send a verification instruction to the user terminal in S2.
  • the verification instruction may comprise a command to share a live video data.
  • the verification command can further comprise verifying an email address by clicking on a verifying link, etc.
  • the key generator 3 can generate the key for the registered and verified user S3.
  • the generated key 5 is/are then shared with the key managing component 1 preferably using an encrypted communication channel 4.
  • the key managing component 1 can further be stored on a distributed ledger, such as blockchain.
  • the key 5 is then stored in the distributed ledger S4.
  • the sender node, receiver node and/or a user node 10-12 can only participate in a key exchange process after being registered and verified.
  • the sender node 11-12 can prompt the key managing component 1 to share a key.
  • the key managing component 1 can then, preferably via the authenticating unit, verify the sender node before sharing the key 5.
  • Fig. 3 provides a schematic of a user device 100.
  • the user device 100 may comprise a sender node terminal device and/or a recipient node terminal device.
  • the user device 100 may comprise a computing unit 35, a data storage unit 30A, a key storage unit 30B and a key generator 30C.
  • the computing unit 35 can access the data storage unit 30A, the key storage unit 30B and the key generator 30C through the internal communication channel 160, which can comprise a bus connection 160.
  • the computing unit 30 may be single processor or a plurality of processors, and may be, but not limited to, a CPU (central processing unit), GPU (graphical processing unit), DSP (digital signal processor), APU (accelerator processing unit), ASIC (application-specific integrated circuit), ASIP (application-specific instruction-set processor) or FPGA (field programable gate array).
  • the first data storage unit 30A may be singular or plural, and may be, but not limited to, a volatile or non-volatile memory, such as a random access memory (RAM), Dynamic RAM (DRAM), Synchronous Dynamic RAM (SDRAM), static RAM (SRAM), Flash Memory, Magneto-resistive RAM (MRAM), Ferroelectric RAM (F-RAM), or Parameter RAM (P-RAM).
  • RAM random access memory
  • DRAM Dynamic RAM
  • SDRAM Synchronous Dynamic RAM
  • SRAM static RAM
  • Flash Memory Magneto-resistive RAM
  • MRAM Magneto-resistive RAM
  • F-RAM Ferroelectric RAM
  • the key storage unit 30B may be singular or plural, and may be, but not limited to, a volatile or non-volatile memory, such as a random access memory (RAM), Dynamic RAM (DRAM), Synchronous Dynamic RAM (SDRAM), static RAM (SRAM), Flash Memory, Magneto-resistive RAM (MRAM), Ferroelectric RAM (F-RAM), or Parameter RAM (P-RAM).
  • RAM random access memory
  • DRAM Dynamic RAM
  • SDRAM Synchronous Dynamic RAM
  • SRAM static RAM
  • Flash Memory Flash Memory
  • MRAM Magneto-resistive RAM
  • F-RAM Ferroelectric RAM
  • P-RAM Parameter RAM
  • the data storage unit 30A the key storage unit 30B can also be part of the same memory. That is, only one general data storage unit 30 per device may be provided, which may be configured to store the respective encryption key (such that the section of the data storage unit 30 storing the encryption key may be the encryption key storage unit 30B), the respective data element share (such that the section of the data storage unit 30 storing the data element share may be the data share storage unit 30B), and the respective decryption key (such that the section of the data storage unit 30 storing the decryption key may be the decryption key storage unit 30B).
  • the respective encryption key such that the section of the data storage unit 30 storing the encryption key may be the encryption key storage unit 30B
  • the respective data element share such that the section of the data storage unit 30 storing the data element share may be the data share storage unit 30B
  • the respective decryption key such that the section of the data storage unit 30 storing the decryption key may be the decryption key storage unit 30B).
  • the key generator 30C can also comprise a secure memory device, such as, a self-encrypted memory, hardware-based full disk encryption memory and the like which can automatically encrypt all of the stored data.
  • a secure memory device such as, a self-encrypted memory, hardware-based full disk encryption memory and the like which can automatically encrypt all of the stored data.
  • the key storage unit 30B may not be provided but instead the user device 100 can be configured to receive a corresponding encrypted share from the key managing component 1.
  • the user device 100 may comprise the key storage unit 30B and can be configured to receive a corresponding encrypted share from the key managing component 1.
  • the user device 100 may comprise a further memory component 140 which may be singular or plural, and may be, but not limited to, a volatile or non-volatile memory, such as a random access memory (RAM), Dynamic RAM (DRAM), Synchronous Dynamic RAM (SDRAM), static RAM (SRAM), Flash Memory, Magneto-resistive RAM (MRAM), Ferroelectric RAM (F-RAM), or Parameter RAM (P-RAM).
  • the memory component 140 may also be connected with the other components of the user device 100 (such as the computing component 35) through the internal communication channel 160.
  • the user device 100 may comprise an external communication component 130.
  • the external communication component 130 can be configured to facilitate sending and/or receiving data to/from an external device (e.g. key managing component 1, authenticating unit, storage unit).
  • the external communication component 130 may comprise an antenna (e.g. WIFI antenna, NFC antenna, 2G/3G/4G/5G antenna and the like), USB port/plug, LAN port/plug, contact pads offering electrical connectivity and the like.
  • the external communication component 130 can send and/or receive data based on a communication protocol which can comprise instructions for sending and/or receiving data. Said instructions can be stored in the memory component 140 and can be executed by the computing unit 35 and/or external communication component 130.
  • the external communication component 130 can be connected to the internal communication component 160.
  • data received by the external communication component 130 can be provided to the memory component 140, computing unit 35, data storage unit 30A and/or key storage unit 30B and/or key generator 30C.
  • data stored on the memory component 140, data storage unit 30A and/or key storage unit 30B and/or key generator 30C and/or data generated by the commuting unit 35 can be provided to the external communication component 130 for being transmitted to an external device.
  • the user device 100 may comprise an input user interface 110 which can allow the user of the user device 100 to provide at least one input (e.g. instruction) to the user device 100.
  • the input user interface 110 may comprise a button, keyboard, trackpad, mouse, touchscreen, joystick and the like.
  • the user device 100 may comprise an output user interface 120 which can allow the user device 100 to provide indications to the user.
  • the output user interface 110 may be a LED, a display, a speaker and the like.
  • the output and the input user interface 100 may also be connected through the internal communication component 160 with the internal component of the device 100.
  • the term "at least one of a first option and a second option" is intended to mean the first option or the second option or the first option and the second option.
  • step (X) preceding step (Z) encompasses the situation that step (X) is performed directly before step (Z), but also the situation that (X) is performed before one or more steps (Yl), ..., followed by step (Z).
  • step (Z) encompasses the situation that step (X) is performed directly before step (Z), but also the situation that (X) is performed before one or more steps (Yl), ..., followed by step (Z).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

La présente invention concerne en particulier un procédé et un système de gestion du chiffrement de données soumises par un nœud expéditeur et le déchiffrement des données reçues par un nœud récepteur. Un générateur de clé est configuré pour générer automatiquement une clé de déchiffrement et au moins une clé de chiffrement correspondante. Un composant de gestion de clé est également décrit dans la présente invention. En outre, l'invention concerne un composant de communication configuré pour soumettre de manière sécurisée la clé de chiffrement au composant de gestion de clé. En outre, le composant de gestion de clé est configuré pour fournir la clé de chiffrement lors de la requête du nœud expéditeur au niveau du composant de gestion de clé et du nœud expéditeur et du nœud destinataire.
PCT/EP2021/051222 2020-01-30 2021-01-20 Système de chiffrement et procédé WO2021151760A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP20154579 2020-01-30
EP20154579.5 2020-01-30

Publications (1)

Publication Number Publication Date
WO2021151760A1 true WO2021151760A1 (fr) 2021-08-05

Family

ID=69423069

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2021/051222 WO2021151760A1 (fr) 2020-01-30 2021-01-20 Système de chiffrement et procédé

Country Status (1)

Country Link
WO (1) WO2021151760A1 (fr)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9002018B2 (en) 2006-05-09 2015-04-07 Sync Up Technologies Corporation Encryption key exchange system and method
US9819485B2 (en) 2014-05-01 2017-11-14 At&T Intellectual Property I, L.P. Apparatus and method for secure delivery of data utilizing encryption key management
US20180343238A1 (en) * 2012-05-24 2018-11-29 Smart Security Systems Llc System and method for protecting communications
US20190034923A1 (en) * 2017-07-31 2019-01-31 Chronicled, Inc Secure and confidential custodial transaction system, method and device using zero-knowledge protocol
WO2019072823A1 (fr) * 2017-10-09 2019-04-18 Grant Jedediah S Procédé et système pour partage de données traçable asynchrone dans un réseau de communication

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9002018B2 (en) 2006-05-09 2015-04-07 Sync Up Technologies Corporation Encryption key exchange system and method
US20180343238A1 (en) * 2012-05-24 2018-11-29 Smart Security Systems Llc System and method for protecting communications
US9819485B2 (en) 2014-05-01 2017-11-14 At&T Intellectual Property I, L.P. Apparatus and method for secure delivery of data utilizing encryption key management
US20190034923A1 (en) * 2017-07-31 2019-01-31 Chronicled, Inc Secure and confidential custodial transaction system, method and device using zero-knowledge protocol
WO2019072823A1 (fr) * 2017-10-09 2019-04-18 Grant Jedediah S Procédé et système pour partage de données traçable asynchrone dans un réseau de communication

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
ANONYMOUS: "Distributed Ledger Technology: beyond block chain", UK GOVERNMENT OFFICE FOR SCIENCE, 10 December 2015 (2015-12-10), XP055620806, Retrieved from the Internet <URL:https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/492972/gs-16-1-distributed-ledger-technology.pdf> [retrieved on 20190911] *
HINAREJOS M FRANCISCA ET AL: "A Solution for Secure Certified Electronic Mail Using Blockchain as a Secure Message Board", IEEE ACCESS, vol. 7, 28 February 2019 (2019-02-28), pages 31330 - 31341, XP011715638, DOI: 10.1109/ACCESS.2019.2902174 *
MARCELA S MELARA ET AL: "Bringing Deployable Key Transparency to End Users", IACR, INTERNATIONAL ASSOCIATION FOR CRYPTOLOGIC RESEARCH, vol. 20150404:205019, 31 March 2015 (2015-03-31), pages 1 - 16, XP061017982 *

Similar Documents

Publication Publication Date Title
US10880732B2 (en) Authentication of phone caller identity
US11665147B2 (en) Blockchain systems and methods for user authentication
US11329981B2 (en) Issuing, storing and verifying a rich credential
US10516538B2 (en) System and method for digitally signing documents using biometric data in a blockchain or PKI
CN108650082B (zh) 待验证信息的加密和验证方法、相关装置及存储介质
US10003582B2 (en) Technologies for synchronizing and restoring reference templates
EP1782213B1 (fr) Systeme de messagerie securise avec cles derivees
JP2021536698A (ja) 利用者識別認証データを管理する方法および装置
US11882226B1 (en) Gesture-extracted passwords for authenticated key exchange
WO2015072203A1 (fr) Système de distribution d&#39;informations
CN106464496A (zh) 用于创建对用户身份鉴权的证书的方法和系统
US20220005039A1 (en) Delegation method and delegation request managing method
CN109981287A (zh) 一种代码签名方法及其存储介质
CN110597836A (zh) 基于区块链网络的信息查询请求响应方法及装置
US20080250245A1 (en) Biometric-based document security
WO2010090252A1 (fr) Système de délivrance de compte, serveur de compte, serveur de service et procédé de délivrance de compte
CA3227278A1 (fr) Procedes et systemes pour generer et valider des utilisations de justificatifs d&#39;identite numeriques et d&#39;autres documents
WO2021151760A1 (fr) Système de chiffrement et procédé
TWM601403U (zh) 金融業務審核之整合系統
US20220393882A1 (en) Secured private credential certificate

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21705105

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21705105

Country of ref document: EP

Kind code of ref document: A1