This application claims priority under 35 U.S.C. §119(a) to Korean Patent Application No. 10-2008-0109944 filed on Nov. 6, 2008, the disclosure of which is incorporated herein by reference.
The present invention relates to an apparatus and a method for a security key exchange and a system supporting the same, and more particularly to an apparatus and a method for rendering a security key sharable through a security key exchange between two terminals.
Advancement of the communication industry has created various value-added services utilizing networks which are represented by the Internet. The network based value-added services permitted many users to easily share information through its collections and deliveries.
Using the network based services frequently involves deliveries of personally classified information which is increasingly vulnerable to be exposed to third parties. Therefore, there is a practical need to provide different protection methods for securing personal information transmitted on the networks.
A generally used security measure of protecting the personal information is to encrypt and send it by a security key prearranged between the sender and the receiver. Other security techniques being used are based on a certificate issued from public offices or others for the purpose of banking and payment services over the Internet.
In the above example to protect the personal information using the security key, the security key for use between the sender and receiver is necessarily prearranged. For this purpose of making an agreement for the usable security key between the parties, there is a required procedure for the key sharing.
This sharing of the security key involves an indispensable procedure of transmitting information needed for the security key sharing to and from the sender and receiver. This may open an opportunity for intermediate attackers or men in the middle attack to snatch the security sharing information off the networks.
So, in order to provide diverse value-added services worry free, a scheme for the security key sharing that can provide the users with a convenience as well as the elimination of an exposure of personal information is urgently needed.
Therefore, the present disclosure provides an apparatus and a method for exchanging a security key between two terminals with no involvements of an intermediate party.
In addition, the present disclosure provides an apparatus and a method for halving public keys generated independently by respective communication devices before carrying out their data communications and sending the keys to each other via different routes, and a system therefor.
In addition, the present disclosure provides an apparatus and a method for predicting the public key of the counterpart device using a pair of public keys supplied from the counterpart device via the different routes and sending/receiving data by using the predicted public keys, and a system therefor.
In addition, the present disclosure provides an apparatus and a method for authenticating or verifying the predicted public key of the counterpart device provided by using a pair of public keys supplied from the counterpart device via the different routes and performing a verification of a master key acquired from the verified public key.
In accordance with an aspect of the present invention, there is provided a communication system for enabling communication devices for data communication to share security keys, the communication system including: a client device for dividing a public key generated by a communication device into two public key halves; transmitting one of the two divided public key halves in a signaling route to a counterpart communication device; transmitting the other public key half and public information signed by a personal key generated automatically in a media route to the counterpart communication device; predicting a public key generated by the counterpart communication device by using the two public key halves received from the counterpart communication device in the signaling route and the media route; performing a verification of the predicted public key and signed counterpart public information having been received from the counterpart communication device in the media route; and upon a successful verification of the predicted public key and the signed counterpart public information, generating a master key for use in a data communication with the counterpart communication device.
In accordance with an aspect of the present invention, there is provided a method for enabling a client device to share a security key for data communication with a counterpart communication device, the method including steps of: dividing a public key generated by the client device into two public key halves; transmitting one of the two divided public key halves in a signaling route to the counterpart communication device; transmitting the other public key half and public information signed by a personal key generated automatically in a media route to the counterpart communication device; predicting a public key generated automatically in the counterpart communication device by using the two public key halves received from the counterpart communication device through the signaling route and the media route; performing a verification of the predicted public key and signed counterpart public information having been received from the counterpart communication device in the media route; and upon a successful verification of the predicted public key and the signed counterpart public information, generating a master key for use in a data communication with the counterpart communication device.
This disclosure can advantageously divide a public key agreed between two communicating terminals and transmit the key portions in different routs around the interceptor attacks.
In addition, the disclosure is advantageously adaptable to the current VoIP environment by performing the key exchange using the generated personal keys and public keys privately between two terminals.
Furthermore, the disclosure has an advantage of allowing a direct key verification to be performed between two terminals requiring no authentication of the public keys by the users themselves.
In the following description of the present disclosure, a detailed description of relevant known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present disclosure rather unclear. In addition, the terms used hereinafter are defined with the functions in the disclosure considered and are changeable depending on the user's or operator's intent or practice. So, the definitions should be interpreted based on the overall context of the present disclosure.
The representative security key exchange techniques available for safeguarding personal information on the voice over Internet protocol (VoIP) network are user terminal key exchange techniques for operating a secure real-time transport protocol (SRTP). The SRTP security key exchange techniques are classified into a method using just a signaling route, a method using just a media route, and a method using both of the signaling route and the media route.
The first method using just the signaling route includes the techniques of MIKEY-NULL (Multimedia Internet KEYing-NULL), MIKEY-PSK (MIKEY-Pre-Shared Key), MIKEY-RSA (MIKEY-Rivest Shamir Adleman), MIKEY-RSA-R(MIKEY-RSA-Reverse), MIKEY-DHSIGN (MIKEY-DH SIGNature), MIKEY-DHHMAC (MIKEY-DH Hash Message Authentication Code), and SDP (Security Descriptions for Media Streams).
However, the method using just the signaling route is difficult to apply actually to VoIP services and others for their need of the signaling already served with a security or previously shared security information or a certificate.
Secondly, the method using just the media route is offered by a ZRTP technique which uses a Diffie-Hellman key exchange technique to have the key for the SRTP shared between the opposite terminals and lets a user voices the short words associated with the resultant value of the Diffie-Hellman for the purpose of authentication.
However, such method using just the media route necessarily involves the individual user in the cumbersome attempts to perform the authentication.
Thirdly, the method using both of the signaling route and the media route is offered by DTLS-SRTP (datagram transport layer security-SRTP) technique.
This technique is based on PKI (public key infrastructure) generally using certificates and performs the DTLS steps to exchange the SRTP key.
Other than the PKI base using the certificates, the technique attempts to exchange the SRTP key by means of a self-signed certificate using both the signaling route and the media route.
This method transmits a feature (fingerprint) of the public key to SDP (session description protocol) of the signaling route, and transmits the self-signed certificate as it carries out the DTLS in the media route. As a protection of the transmitted public key feature (fingerprint), a security technique called ‘Enhancements for authenticated identity management in the SIP’ is used midway through the transmission route for a proxy server to add the signature value for the fingerprint.
In the meantime, the user takes advantage of the public key feature (fingerprint) received via the signaling route to authenticate the sender's self-signed certificate.
As described above, it has been necessary in the typical SRTP based key exchange techniques to use the certificates involving a third organization or to have the users' personal involvements.
Therefore, in the embodiments of the present invention in the following description, there is provided a solution to protect the sent/received data through a security key exchange and its verification directly or privately between two data communication devices.
In the embodiment of the present invention for this purpose, the two data communication devices are adapted to share one of two public key halves from their privately generated public key, through the signaling route. In addition, the two data communication devices share public information that is signed by the other one of two public key halves and a personal key, through the media route. Here, the personal key is independently generated along with the public key by the corresponding device.
Each of the two data communication devices predicts the public key generated by its counterpart device using two public keys delivered from its counterpart device, and performs verification with respect to the predicted public key and the signed public information received from the counterpart device.
Then, each of the two data communication devices, in response to a successful verification of the predicted public key and the signed public information from the counterpart device, generates a master key and master key identification information, and sends the generated master key identification information to the counterpart device. Using the master key identification information received from the counterpart device, each of the two data communication devices performs a verification of its own generation of master key, and in response to a success of the verification, uses its own master key send/receive data.
In the following is a detailed description on the presently suggested security key exchange method with reference to the attached drawings.
The security key exchange system according to an embodiment of the present invention includes a client device 101, a server 102, and a proxy server 103. By this chance, the embodiment of the present invention will recite the client device 101 abbreviated to denote apparatuses operating as a user agent client and the server 102 to denote a client operating as a user agent server. In addition, the client device 101 and server 102 are differently identified in the description for the sake of convenience. However, it will be obvious to the readers that the operation of the client device 101 in this embodiment may be carried out using the server 102 and vice versa.
Further, the proxy server 103 in the embodiment of the present invention is a kind of communication server for setting a signaling route between the client device 101 and server 102.
The client device 101 independently generates an RSA personal key and an RSA public key. The server 102 also generates an RSA personal key and an RSA public key on its own. Then, in order to divide their respective RSA public keys, the client device 101 and server 102 generate arbitrary Diffie-Hellman secure values, and use these generated values to calculate Diffie-Hellman public information. In addition, the client device 101 and server 102 respectively use the calculated Diffie-Hellman public information to divide or halve their RSA public keys into first RSA public keys (hereinafter called “first public key half”) and second RSA public keys (hereinafter called “second public key half”).
Next in step 110, the client device 101 delivers its first public key half to the proxy server 103 via the signaling route. The proxy server 103 in step 111 relays the first public key half received from the client device 101 to the server 102 via the signaling route.
Meanwhile, the server 102 delivers its first public key half to the proxy server 103 via the signaling route in step 112. The proxy server 103 in step 113 relays the first public key half received from the server 102 to the client device 101 via the signaling route.
The client device 101 in step 114 signs previously calculated Diffie-Hellman public information by using its own RSA personal key, and delivers its own public key half and the signed Diffie-Hellman public information directly to the server 102. At this time, the client device 101 also sends Diffie-Hellman public information lacking a signature by the RSA personal key.
This allows the server 102 to acquire the first public key half of the client device 101, its second public key half, the signed Diffie-Hellman public information, and the unsigned Diffie-Hellman public information.
In step 115, the server 102 generates an RSA public key of the client device 101 by using the previously acquired first and second public key halves of the client device 101.
Additionally in step 116, the server 102 performs a verification process of whether the server-generated RSA public key of the client device 101 is identical to the RSA public key generated by the client device 101. In addition, the server 102 uses the verified RSA public key of the client device 101 to perform a verification on the earlier signed and acquired Diffie-Hellman public information of the client device 101.
Upon successful completion of the verification of the server-generated RSA public key of the client device 101 and the signed Diffie-Hellman public information of the client device 101, the server 102 in step 117 generates a security master key, and uses public parameter values required for the generation of the security master key to generate the value of security master key identification information. In step 118, the server 102 uses its own RSA personal key to sign the earlier calculated Diffie-Hellman public information, and sends its own second public key half, the signed Diffie-Hellman public information, the earlier generated security master key, and the value of security master key identification information to the client device 101 via the media route. At the same time, the server 102 also sends the unsigned Diffie-Hellman public information.
In step 119, the client device 101 generates the RSA public key of the server 101 by using the first and second public key halves delivered from the server 102.
Next in step 120, the client device 101 performs a verification process of whether the server-generated RSA public key of the server 102 is identical to the RSA public key actually generated by the server 102. In addition, the client device 101 uses the verified RSA public key of the server 102 to perform a verification on the earlier signed and acquired Diffie-Hellman public information of the server 102.
Upon successful completion of the verification of the server-generated RSA public key of the server 102 and the earlier signed and acquired Diffie-Hellman public information of the server 102, the client device 101 in step 121 generates a security master key, and uses public parameter values required for the generation of the security master key to generate the value of security master key identification information.
By using the security master key received from the server 102 and the value of security master key identification information generated by the client device 101, the client device 101 verifies whether the security master key generated by the server 102 is a normal value.
When the security master key generated by the server 102 is verified as a normal value, step 123 delivers the earlier generated value of the security master key identification information to the server 102.
Upon receiving the value of the security master key identification information from the client device 101, the server 102 in step 124 uses the received value of the security master key identification information of the client device 101 and its own generation of the value of the security master key identification information to verify if the former is a normal value.
If the security master key generated by the client device 101 is verified a normal value, the server 102 recognizes that the same one as its own generation of security master key was generated by the client device 101.
Upon completion of the verifications of the generated security master keys between the client device 101 and server 101, step 125 uses the corresponding security master key for sending or receiving data.
Typically in the case of exchanging keys between two users without an intervention of a third party, the security master key was susceptible to an exposure to a man in the middle attack or MITM. To deal with such middle attackers, the ZRTP technique has had the users carry out actions in person for the authentication in short authentication string (SAS) method. This required the users to actually do some jobs to complete the authentication.
However, according to the present disclosure as above, the public keys between the client device and the server are halved and exchanged in two different routes and hence the public keys can be prevented from being exposed by the middle attackers. Besides, the users are saved from having to personally involve in the exchange of the security key between the client device and the server and its verifying activity.
Referring to
In step 201, the client device 101 calculates the Diffie-Hellman public information for use in halving its own generated public key PKAlice+. The above Diffie-Hellman public information may be calculated by arbitrary Diffie-Hellman secure values. The arbitrary Diffie-Hellman secure values are generated by the client device 101.
For example, when the generated arbitrary Diffie-Hellman secure value is x, Diffie-Hellman Diffie-Hellman public information (DHPartAlice) calculated using the arbitrary Diffie-Hellman secure value x may be defined as gx mod p. Here, g represents a generator, mod is a modular operator, and p (prime number) means large prime numbers that can be divided only by 1 and its own number of p.
In step 202, the client device 101 uses the earlier generated Diffie-Hellman public information gx mod p to divide the public key PKAlice+ into a first public key half PKAlice
Equation 1 below defines the public key PKAlice+ which is divided into the first public key half PKAlice
PKAlice
PKAlice
Based on Equation 1, the second public key half PKAlice
In addition, the first public key half PKAlice
In step 203, the client device 101 inserts the first public key half PKAlice
In step 204, the client device 101 checks whether there is a receipt, from the proxy server 103 through the signaling route, of the first public key half PKBob
If the client device 101 is in receipt, through the signaling route, of the first public key half PKBob
Meanwhile, the client device 101 in step 206 checks whether there is a receipt, from the server 102, of the signed Diffie-Hellman public information SignPK
Upon receipt of the desired information from the server 102, the client device 101 in step 207 uses the received first public key half PKBob
For example, the client device 101 may produce the public key PKBob+ generated by the server 102, using Equation 2 below.
PKBob+=PKBob
By Equation 2, the client device 101 may predict PKBob+, which could have been generated by the server 102, by an XOR operation on the first public key half PKBob
Meanwhile, the client device 101 in step 208 uses the hash function to calculate a hash result value gy mod p of the Diffie-Hellman public information received from the server 102.
Then, the client device 101 in step 209 performs a verification of the predicted server public key PKBob+. The verification is performed depending on whether the calculated hash result value is identical to the second public key half PKBob
This may be determined as in Equation 3 below if the received Diffie-Hellman public information from the server 102 of gy mod p with the hash function H applied calculates the second server public key PKBob
H(gy mod p)=PKBob
The client device 101 performs step 210 if the calculated hash result value is equal to the received second public key half PKBob
When the verification is completed for the predicted server public key PKBob+, the client device 101 in step 210 uses the same predicted server public key PKBob+ to verify the signed and received Diffie-Hellman public information from the server 102 SignPK
At this time, signed and received Diffie-Hellman public information from the server 102 SignPK
VerifyPK
By Equation 4, the Diffie-Hellman public information SignPK
By the above description, if the client device 101 fails to verify the signed and received Diffie-Hellman public information SignPK
The client device 101 in step 211 uses Equation 5 to generate a security master key.
Here, radix g is a constructor, one of indices is y or a secure value of the server 102, and the remaining index x represents a secure value of the client device 101. In addition, p represents large prime numbers and mod means a modular operation.
Further, to cross check with the server 102 for the identity of the generated security master key, the client device 101 generates security master key identification information H(gxy mod p,gy mod p∥gx mod p). Here, the security master key identification information may be calculated by having the security master key gyz mod p and required public parameter values for generating the security master key gx mod p and gy mod p subject to hash function.
Meanwhile, the client device 101 in step 212 performs verification on the security master key gyz mod p. The generated security master key gyz mod p may be verified by using the received security master key identification information from the server 102 H(gxy mod p,gy mod p∥gx mod p).
This can be generalized by Equation 6 below.
Check(H(gxy mod p,gy mod p∥gx mod p)) [Equation 6]
To verify the generated security master key gyz mod p, the client device 101 compares between the previously calculated security master key identification information H(gxy mod p,gy mod p∥gx mod p) and the security master key identification information H(gxy mod p,gy mod p∥gx mod p) received from the server 102.
When the calculated security master key identification information is identical to the received security master key identification information received from the server 102, the client device 101 determines that the generated security master key is same as the generated master key by the server 102. However, when the calculated security master key identification information is not identical to the received security master key identification information received from the server 102, the client device 101 determines that an intermediate attacker changed the received security master key identification information from the server 102.
Upon completion of the verification with respect to the master key, the client device 101 in step 213 sends newly calculated security master key identification information H(gyx mod p,gx mod p∥gy mod p) to the server 102.
At the completion of the verification of the security master key as described above, the client device 101 in step 214 uses the verified security master key to perform sending/receiving data to and from the server 102.
As is clearly described, the client device 101 advantageously divides its own public key and sends the key halves via two different routes and hence safeguards the public key from being exposed even at the receipt of an attack from the intermediate perpetrator.
Referring to
In step 301, the server 102 generates Diffie-Hellman public information for use in dividing its own generated public key PKBob+. The Diffie-Hellman public information may be calculated by using arbitrary Diffie-Hellman secure values y. The arbitrary Diffie-Hellman secure values y is generated by the server 102.
At this time, the calculated Diffie-Hellman public information (DHPartBob) may be defined by
gy mod p.
In step 302, the server 102 uses the previously generated Diffie-Hellman public information gy mod p to divide the public key PKBob+ into a first public key half PKBob
Equation 7 below defines the divisions of the public key PKBob+ into the first public key half PKBob
PKBob
PKBob
Based on Equation 7, the second public key half PKBob
In addition, the first public key half PKBob
In step 303, the server 102 checks whether there is a receipt, from the proxy server 103 through the signaling route, of the first public key half PKAlice
If the server 102 receives from the proxy server 103 through the signaling route, the first public key half of the client device 101 PKAlice
In addition, the server 102 in step 305 checks whether there are receipts from the client device 101, of signed Diffie-Hellman public information SignPK
Upon receipt of the desired information from the client device 101, the server 102 in step 306 uses the received first public key half PKAlice
For example, the server 102 may produce the generated public key by the client device 101 using Equation 8 below, which is PKAlice+.
PKAlice+=PKAlice
By Equation 8, the server 102 may predict a possible generation by the client device 101 of PKAlice+ that could have been available by an XOR operation on the first public key half PKAlice
Meanwhile, the client device 101 in step 307 uses the hash function to calculate a hash result value gy mod p of the Diffie-Hellman public information received from the client device 101.
Then, the server 102 in step 308 performs a verification of the predicted client device public key PKAlice+. The verification is performed depending on whether the calculated hash result value is identical to the second public key half PKAlice
This may be determined as in Equation 9 below if the received Diffie-Hellman public information from the client device 101 of gx mod P with the hash function H applied calculates the second server public key PKAlice
H(gx mod p)=PKAlice
The server 102 performs step 309 if the calculated hash result value is equal to the received second public key half PKAlice
When the verification is completed for the predicted client device public key PKAlice+, the server 102 in step 309 uses the same predicted client device public key PKAlice+ to verify the signed and received Diffie-Hellman public information from the client device 101 SignPK
At this time, signed and received Diffie-Hellman public information from the client device 101 SignPK
VerifyPK
By Equation 10, the Diffie-Hellman public information SignPK
By the above description, if the server 102 fails to verify the signed and received Diffie-Hellman public information SignPK
The server 102 in step 310 uses Equation 11 to generate a security master key.
Here, in gxy radix g is a constructor, one of indices is y or a secure value of the server 102, and the remaining index x represents a secure value of the client device 101. In addition, p represents large prime numbers and mod means a modular operation.
Further, to cross check with the client device 101 for the identity of the generated security master key, the server 102 generates security master key identification information H(gxy mod p,gy mod p∥gx mod p). Here, the security master key identification information may be calculated by having the security master key gxy mod p and required public parameter values for generating the security master key gx mod p and gy mod p subject to a hash function.
Upon generating the security master key identification information, the server 102 in step 311 its own personal key PKBob− the earlier generated Diffie-Hellman public information gy mod p. Then, it transmits the above signed Diffie-Hellman public information Sign SignPK
Meanwhile, the server 102 in step 312 checks whether there is a receipt, from the client device 101, of the security master key identification information H(gxy mod p,gy mod p∥gx mod p).
On the other hand, the server 102 in step 313 performs verification on the generated security master key gxy mod p. The generated security master key gxy mod p may be verified by using the received security master key identification information H(gyx mod p,gx mod p∥gy mod p) from the client device 101.
This can be generalized by Equation 12 below.
Check(H(gyx mod p,gx mod p∥gy mod p)) [Equation 12]
To verify the generated security master key gxy mod p, the sever 102 compares between the newly calculated security master key identification information H(gyx mod p,gx mod p∥gy mod p) and the received security master key identification information H(gyx mod p,gx mod p∥gy mod p) from the client device 101.
When the calculated security master key identification information is identical to the received security master key identification information from the client device 101, the server 102 determines that the generated security master key is same as the generated master key by the client device 101. However, when the calculated security master key identification information is not identical to the received security master key identification information from the client device 101, the server 102 determines that an intermediate attacker changed the received security master key identification information from the client device 101.
Upon completion of the verification with respect to the master key, the server 102 in step 314 performs sending/receiving data to and from the client device 101 using the verified security master key.
As described, through dividing its own public key and sending the key halves via two different routes to the client device 101, the public key is advantageously shielded from an exposure to a possible attack by an intermediate attacker.
According to the embodiments of the present invention, each of the public keys between the user terminals are halved and exchanged via separate routes and thus a public key half under attack from an intermediate attacker is still capable of achieving a secure key exchange between the terminals.
Number | Date | Country | Kind |
---|---|---|---|
10-2008-0109944 | Nov 2008 | KR | national |
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/KR2009/006532 | 11/6/2009 | WO | 00 | 5/6/2011 |
Publishing Document | Publishing Date | Country | Kind |
---|---|---|---|
WO2010/053319 | 5/14/2010 | WO | A |
Number | Name | Date | Kind |
---|---|---|---|
7596697 | Sandhu et al. | Sep 2009 | B2 |
7634091 | Zhou et al. | Dec 2009 | B2 |
7660419 | Ho | Feb 2010 | B1 |
20050078821 | Jin et al. | Apr 2005 | A1 |
20080229104 | Ju et al. | Sep 2008 | A1 |
Number | Date | Country |
---|---|---|
10-0720726 | May 2007 | KR |
10-2008-0051947 | Jun 2008 | KR |
Entry |
---|
Cristiano et al., On Splitting Public Keys for the Public Key Infrastructure, IEEE, 2005. |
Menezes et al., Handbook of Applied Cryptography, 1996, CRC Press, pp. 515-524. |
International Search Report for PCT/KR2009/006532 issued May 31, 2010 [PCT/ISA/210]. |
Written Opinion for PCT/KR2009/006532 issued May 31, 2010 [PCT/ISA/237]. |
Number | Date | Country | |
---|---|---|---|
20110211700 A1 | Sep 2011 | US |