This application claims priority under 35 U.S.C. §119 to application no. DE 10 2014 212 224.4, filed on Jun. 25, 2014 in Germany, the disclosure of which is incorporated herein by reference in its entirety.
The disclosure relates to an apparatus set up to carry out such a method, to a corresponding computer program and to a machine-readable storage medium having such a program.
A symmetrical cryptosystem is a cryptosystem in which, in contrast to an asymmetrical cryptosystem, both subscribers use the same key. The use of the same key for encryption and decryption entails the key itself first of all having to be transmitted before any encrypted interchange. However, since the security of the entire method depends on keeping the key secret, conventional approaches usually provide for the key to be interchanged via a secure channel.
In contrast, the practice of interchanging the key via non-secure channels is still a challenge for a person skilled in the art. In this respect, the prior art provides approaches such as the known Diffie-Hellman key interchange or so-called hybrid encryption methods which make it possible to interchange symmetrical keys by incorporating asymmetrical protocols.
However, in the recent past, cryptosystems which move the problem of key interchange from the application layer of the OSI reference model to its physical layer (PHY) have been increasingly discussed.
Such approaches are used, for instance, in the still new field of cyber-physical systems which are distinguished by a high degree of complexity and the primary use of wireless and therefore inherently non-secure communication channels. Corresponding methods provide for each of the parties involved to derive a key from the technical properties of the channel connecting them in such a manner that the keys generated in this way largely match without the need to transmit specific parts of the key.
These cryptosystems therefore have the common feature of the need to eradicate discrepancies between the keys generated on both sides using the non-secure channel without weakening the negotiated key in the event of electronic eavesdropping. In order to solve this problem, U.S. Pat. No. 7,942,324 B1, for instance, proposes the use of the CASCADE protocol known from quantum computing.
One advantage of this solution is that the key is weakened only insignificantly during the comparison. In comparison with the use of a conventional method for comparing the key, a lower loss of entropy results for the resultant key since—in terms of statistics—it is more rarely necessary to transmit individual key bits via the non-secure communication channel. Rather, the first communication partner uses its knowledge of the physical properties of the communication channel to independently determine, if discrepancies occur, the likely differing key bit without further need for coordination.
Further advantageous refinements allow the method according to the disclosure to be carried out with a second communication partner adapted to the conventional CASCADE protocol without extensive adaptations.
The embodiment, according to which, before the parity check bit is calculated, the second communication partner subjects the elements in the third array to a predefined permutation, and, before the parity check, the first communication partner subjects the elements in the first array and in the second array to the same permutation, supplements the described sequence with a preceding permutation which additionally makes it difficult for an attacker to reconstruct the key from the corrections negotiated between the legitimate communication partners.
The preferred variant, according to which the communication channel is wireless and the time-variable property is a transmission quality of the communication channel and the physical variable indicates a reception field strength, adapts the method in question to the frequent application of a wireless communication channel. In this case, the time-variant signal strength proves to be a parameter of the used channel which can be easily determined and at the same time has a high degree of dependence on the position and therefore proves to be a suitable physical starting point for the approach according to the disclosure.
The alternative, according to which the time-variable property is an electromagnetic oscillation and the physical variable is a phase shift, is instead based on the phase shift of the transmitted signal, which phase shift can be measured with high resolution and is largely uniformly distributed over relatively large distances.
Exemplary embodiments of the disclosure are presented in the drawings and are explained in more detail in the description below.
In the drawings:
The schematic illustration in
In the given case, the relative reception field strength 10, 20 (received signal strength indicator, RSSI) measured by both communication partners when transmitting a known sequence of seven values within a narrowly defined time window is used as the physical measurement variable and therefore as the starting point of the method. It goes without saying that, in an alternative embodiment, the phase shift of the communication channel, as can be measured on both sides, may likewise be used as the measurement variable without departing from the scope of the disclosure.
The nature of wireless transmission entails the fact that the reception field strength 20 measured by the first communication partner differs from that reception field strength 10 determined by the second communication partner. In this respect, the phenomena of distortion and interference familiar to a person skilled in the art are taken into account, for instance, as are measurement errors caused by manufacturing tolerances of the underlying hardware.
In order to convert the respectively measured reception field strength 10, 20 into correlating binary values at discrete intervals of time, both communication partners sample the reception field strength 10, 20 at a predefined rate, the first communication partner obtaining the samples 21 to 27, whereas the second communication partner obtains the differing samples 11 to 17. Two limit values 30, 32 selected in a suitable manner are now used to quantize the samples 11-17, 21-27 from both sides, in which case different statistical methods for determining suitable limit values 30, 32 are known to a person skilled in the art.
In this case, each of the communication partners assigns a first state 0 to those samples which are below the lower limit value 32 and assigns a second state 1 to those samples which are above the upper limit value 30. In the present embodiment, the samples 11, 17, 23, 24 between the lower limit value 32 and the upper limit value 30 are first of all assigned to one of the two states—according to the closer limit value 30, 32—even though differing embodiments may use a different marking by means of further state values.
If the resulting state sequences are expressed as bit strings, the first communication partner determines the sequence “1010101” corresponding to the samples 21-27, whereas the second communication partner records the differing sequence “1000101” on the basis of the samples 11-17 illustrated in a hatched manner. In this case, the second communication partner identifies the first and last bits as questionable since the corresponding samples are in the limit range between the lower limit value 32 and the upper limit value 30. This circumstance—illustrated by hatched stars 38 according to the figure—causes the first communication partner to store only the relatively certain bits “00010”—indicated by hatched circles 36 according to the figure—which correspond to the samples 22-26. In contrast, the first and last bits in the array 34 which are identified as dubious are added to a selection—here symbolized by the marking “X”—of bit positions to be rejected. It goes without saying that this symbolic marking may be replaced with any means familiar to a person skilled in the art, for instance with a corresponding bit mask or a list of the relevant bit positions.
In order to also make the described selection of bits to be rejected available to the first communication partner, the second communication partner generates a corresponding selection message and transmits the latter to the first communication partner using the common communication channel. The information content of the selection message transmitted via the non-secure channel comprises in this case only the selected bit positions and not the entire array 34 in order to avoid disclosing any fragments of the key to be negotiated to possible attackers.
After receiving the selection message, the first communication partner in turn rejects the selected bits—corresponding to the samples 21, 27 in the present case—in its bit sequence “1010101”, with the result that only the bit string “01010” represented as array 40 according to the figure remains. However, the first communication partner in turn identifies the second and third bits in the remaining array 40 as marginal in this case since the corresponding samples 23, 24 are likewise in the range between the lower limit value 32 and the upper limit value 30. Although the first communication partner does not immediately reject these bits, it does take account of said circumstance by storing a second array 42 in order to locally mark the bit positions identified as unreliable. This symbolic marking is illustrated in
Even before the first pass of the protocol, the communication partners 50, 52 subject the bit fields stored on both sides to a randomly selected permutation which is, however, identical on both sides. Therefore, only the partial sequence “0000” corresponding to the second, third, fourth and sixth bits in the array 34 is then taken into account by the second communication partner 50 and the partial sequence “0100” corresponding to the corresponding bit positions in the array 40 is taken into account by the first communication partner 52.
In the first pass 54, the second communication partner 50 calculates the parity of said partial sequence “0000” and therefore determines the parity check bit “0” which is transmitted by the second communication partner to the first communication partner 52 via the non-secure communication channel using a further message 60. The first communication partner in turn subjects the partial sequence “0100” stored by it to a parity check on this basis, which parity check is therefore bound to fail in this case on account of the differing result “1”.
The failure of the parity check in the first pass 54 causes the communication partners 50, 52 to carry out a second pass 56 of the protocol. For this purpose, the second communication partner 50 now subdivides the sequence “0000” stored by it into two identical partial sequences “00” along the dividing line 64 illustrated in the drawing and again calculates the corresponding parity check bits “0” for both partial sequences, which parity check bits are transmitted by the second communication partner to the first communication partner 52 in the form of a further message 62. In contrast, the first communication partner 52 equally subdivides the sequence “0100” stored by it into the partial sequences “01” and “00” which are each subjected to a parity check by the first communication partner on the basis of the transmitted parity check bits. In this manner, the first communication partner 52 manages, as it were, to limit the discrepancy between the locally stored bit string “0100” and the corresponding bit string “0000” of the second communication partner 50 to the first two bits in both sequences upon conclusion of the second pass 56.
The third pass 58 of the key comparison according to the disclosure begins at this point, which third pass now differs from the use of the conventional CASCADE protocol. In this respect, the first communication partner 52 is now able to benefit from the information represented by the second array 42 in
The first communication partner 52 uses this indication to invert said second bit “1” to “0” without further interchange with the second communication partner 50 and therefore to correct the discrepancy between the bit strings on both sides. The resulting bit string “0000” which is identical between the communication partners 50, 52 can be used as a secret key for the further interchange between the communication partners 50, 52 as part of a symmetrical cryptosystem.
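The walk-through above, traced in code as an added example that is not part of the patent text: the RSSI samples, the limit values of -70 and -60 dBm and all function names are constructed assumptions, chosen so that the bit strings match those in the description. It also runs the same block without the local reliability mask to show how many parity bits conventional bisection would have requested.

```python
# Added illustration; RSSI samples and limit values are constructed, not from the patent.
LOWER, UPPER = -70.0, -60.0  # constructed lower/upper limit values (dBm)

def quantize(samples):
    """Return (bits, marginal); marginal flags samples lying between the two limits."""
    bits, marginal = [], []
    for s in samples:
        in_band = LOWER <= s <= UPPER
        # A marginal sample takes the state of the closer limit value.
        bits.append(1 if s > UPPER or (in_band and s - LOWER >= UPPER - s) else 0)
        marginal.append(in_band)
    return bits, marginal

def parity(bits):
    return sum(bits) % 2

def reconcile(mine, unreliable, peer_parity):
    """Fix one discrepancy in `mine`; return (bits, parity bits asked of the peer)."""
    bits, lo, hi, asked = list(mine), 0, len(mine), 1
    if parity(bits) == peer_parity(lo, hi):
        return bits, asked
    while hi - lo > 1:
        suspects = [i for i in range(lo, hi) if unreliable[i]]
        if len(suspects) == 1:  # local reliability mask pins the bit, nothing is sent
            lo = suspects[0]
            break
        mid = (lo + hi) // 2    # conventional bisection: one more parity is disclosed
        asked += 1
        if parity(bits[lo:mid]) != peer_parity(lo, mid):
            hi = mid
        else:
            lo = mid
    bits[lo] ^= 1
    return bits, asked

def run_example():
    first, first_marginal = quantize([-50, -80, -63, -67, -52, -78, -51])    # samples 21-27
    second, second_marginal = quantize([-62, -79, -72, -75, -55, -77, -61])  # samples 11-17
    rejected = [i for i, m in enumerate(second_marginal) if m]  # selection message content
    block = [1, 2, 3, 5]  # second, third, fourth and sixth positions, as in the text
    mine = [first[i] for i in block]
    theirs = [second[i] for i in block]
    mask = [first_marginal[i] for i in block]  # second array: locally marked positions
    peer = lambda lo, hi: parity(theirs[lo:hi])  # stands in for the parity messages
    with_mask = reconcile(mine, mask, peer)
    conventional = reconcile(mine, [False] * len(mine), peer)
    return first, second, rejected, mine, theirs, with_mask, conventional

if __name__ == "__main__":
    print(run_example())
```

The mask-guided correction is only as good as the assumption that the marginal sample is the one that differs; if the discrepancy sits on an unmarked bit, this sketch flips the wrong position and the keys still disagree.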
Number | Date | Country | Kind |
---|---|---|---|
10 2014 212 224 | Jun 2014 | DE | national |

Number | Name | Date | Kind |
---|---|---|---|
6622260 | Marisetty | Sep 2003 | B1 |
6978343 | Ichiriu | Dec 2005 | B1 |
7653858 | Nefedov | Jan 2010 | B2 |
7942324 | Chabanne | May 2011 | B2 |
8713400 | Chen | Apr 2014 | B2 |
20060179401 | Nefedov | Aug 2006 | A1 |
20060242540 | Cherian | Oct 2006 | A1 |
20080162791 | Eldredge | Jul 2008 | A1 |
20080197197 | Simske | Aug 2008 | A1 |
20080235559 | Yang | Sep 2008 | A1 |
20090073009 | Oda | Mar 2009 | A1 |
20110066918 | Ramaraju | Mar 2011 | A1 |
20120017136 | Ordentlich | Jan 2012 | A1 |
20130141992 | Lee | Jun 2013 | A1 |
20130141997 | Lee | Jun 2013 | A1 |
20140095101 | Gizdarski | Apr 2014 | A1 |

Number | Date | Country |
---|---|---|
20150381357 A1 | Dec 2015 | US |