The present application is a non-provisional patent application claiming priority to European Patent Application No. 21180200.4, filed Jun. 18, 2021, the contents of which are hereby incorporated by reference.
This disclosure relates to secure and efficient authentication of multiple devices or nodes of a communication network, e.g., nodes that want to mutually and efficiently evaluate ranging or localization in a secure way, and to exchange group authentication keys and pair-wise authentication keys among the nodes to perform secure communication among the nodes.
Nowadays, group communications have become more essential for many emerging applications, especially in wireless networks, e.g. sensor and mobile ad-hoc networks. Due to their open nature, efficient and secure distribution of common key is an essential issue for secure communications in the group. In order to maintain confidentiality during communication in the group, all authorized devices or nodes require a common key called the group key in advance. However, in order to perform secure exchange of authorization keys among the communicating nodes, the system security is required to be further augmented.
For example, the document U.S. Pat. No. 7,234,058 B1 presents a method for generating pairwise cryptographic transforms based on group keys. Particularly, the method derives pair-wise keys for multiple nodes from a group key, which is received from a key server, and further uses the pair-wise keys for point-to-point communication. However, the technique is not secure since a pair-wise key designated to a particular node can be derived by other nodes in the group.
Accordingly, the description describes a system and a method for performing secure key exchange between a plurality of nodes of a communication system, which can address the aforementioned limitations.
The first independent claim includes features of a system and the second independent claim includes features of a method. The dependent claims contain further features.
According to a first example implementation, a system is provided for performing secure key exchange between a plurality of nodes of a communication network. The system comprises a master node and at least two slave nodes. In this context, the master node is configured to authenticate the at least two slave nodes with a pair-wise authentication key corresponding to each pair of master node and slave nodes. The master node is further configured to generate a group authentication key common to the plurality of nodes. Furthermore, the master node is configured to encrypt the group authentication key with the pair-wise authentication key for each respective pair of master node and slave nodes, thereby generating a respective encrypted group authentication key. Moreover, the master node is configured to communicate the encrypted group authentication key to the respective slave nodes.
Therefore, the communicating nodes are not only provided with a group authentication key for all the nodes in the group but also a pair-wise authentication key for each respective pair of master-slave nodes. The group authentication key is encrypted with the respective pair-wise authentication key, designated to each pair of the master-slave nodes. Hence, the slave nodes do not possess the knowledge of other pair-wise authentication keys except for the one designated to the pair. This facilitates a high degree of security while performing secure communication with a particular node.
In at least some implementations, the master node is configured to communicate with the at least two slave nodes simultaneously. This facilitates efficient authentication of several nodes, e.g. by decreasing the number of transmissions for authentication.
In at least some of those implementations, the at least two slave nodes are configured to receive the respective encrypted group authentication key from the master node sequentially or simultaneously. In addition, each of the at least two slave nodes is configured to decrypt the encrypted group authentication key with its respective pair-wise authentication key. For instance, the master node may transmit the encrypted group authentication key messages sequentially, e.g. in different time slots. Alternately, the master node may transmit the encrypted group authentication key messages simultaneously, e.g. broadcasting one packet containing several messages, i.e. the encrypted group authentication key messages.
Hence, the group authentication key is used to secure the communication between the master node and the plurality of slave nodes. Additionally, the pair-wise authentication key is used to secure the communication between a slave node and the master node. The group authentication key and the pair-wise authentication key are used side-by-side to secure the communication among the nodes.
In at least some implementations, the master node is configured to be operable as a verifier node and the at least two slave nodes each configured to be operable as a verifier node or a prover node. As an example, a verifier node may control access to a resource and a prover node may be used to gain access to the resource controlled by the verifier node, by virtue, at least in part, of physical proximity between the prover node and the verifier node.
Alternatively, the master node and/or the at least two slave nodes are each configured to be operable as a verifier node and a prover node at the same time. Further alternatively, the master node and/or the at least two slave nodes are each configured to be operable as a transient prover node, i.e. an entity that temporarily uses the network in order to localize itself or to gain access to resources for a given duration.
In at least some implementations, the master node and the at least two slave nodes are synchronized (for example, clock-synchronized) with one another. A high transmission accuracy is facilitated among the communicating nodes, especially for networks with variable latency.
In at least some implementations, the master node comprises a transmit mode and a receive mode, wherein the at least two slave nodes each comprises a transmit mode, a receive mode and a sleep mode. In this regard, for a given time slot, the master node operates on the transmit mode and the at least two slave nodes each operates on the receive mode or on the sleep mode. Additionally or alternatively, for a given time slot, the master node operates on the receive mode and the at least two slave nodes operate on the transmit mode or on the receive mode or on the sleep mode. This allows a high degree of flexibility for scheduling the communicating nodes based on their operating roles in the network.
In at least some implementations, an identity of the master node and of the at least two slave nodes are known to each other. Alternatively, the identity of the master node and of the at least two slave nodes are unknown to each other. An identity of a communicating node can be understood as a public key, a public key certificate, or a digital certificate of the node.
In at least some implementations, the master node is configured to be operable as a verifier node and the at least two slave nodes each is configured to be operable as a prover node, wherein the system comprises at least one further verifier node. In this regard, the master node is configured to authenticate the at least one further verifier node with a pair-wise authentication key for the pair of master node and the at least one further verifier node. Hence, multiple verifier nodes and multiple prover nodes are provided while at least one verifier node operates as a master node. The implementation of multiple verifiers and multiple provers provides benefits such as higher attack resilience, improved availability by avoiding a single point of compromise or failure, as well as localization using multilateration.
The master node can be configured to transmit a message comprising the pair-wise authentication keys for each pair of master node and slave nodes and/or the group authentication key to the at least one further verifier node, encrypted with the pair-wise authentication key for the pair of master node and the at least one further verifier node. In this context, the at least one further verifier node is configured to decrypt the message with the pair-wise authentication key for the pair of master node and the at least one further verifier node. Hence, the group authentication key is used to secure the communication between the master verifier and the rest of verifiers and provers. Additionally, the pair-wise authentication key is used to secure the communication between a prover or a verifier and the master verifier.
According to a second example implementation, a method is provided for performing secure key exchange between a plurality of nodes of a communication network. The method comprises authenticating, by a master node, at least two slave nodes with a pair-wise authentication key corresponding to each pair of master node and slave nodes. In addition, the method comprises generating, by the master node, a group authentication key common to the plurality of nodes.
The method further comprises encrypting, by the master node, the group authentication key with the pair-wise authentication key for each respective pair of master node and slave nodes, thereby generating a respective encrypted group authentication key. The method moreover comprises communicating, by the master node, the encrypted group authentication key to the respective slave nodes. A high degree of security is incorporated while performing secure communication with a particular node, since the group authentication key and the pair-wise authentication key are used side-by-side to secure the communication among the nodes.
The method further comprises communicating, by the master node, with the at least two slave nodes simultaneously.
The method further comprises receiving, by the at least two slave nodes, the respective encrypted group authentication key from the master node sequentially or simultaneously. In addition, the method further comprises decrypting, by each of the at least two slave nodes, the encrypted group authentication key with its respective pair-wise authentication key.
The above, as well as additional, features will be better understood through the following illustrative and non-limiting detailed description of example embodiments, with reference to the appended drawings.
All the figures are schematic, not necessarily to scale, and generally only show parts which are necessary to elucidate example embodiments, wherein other parts may be omitted or merely suggested.
Example embodiments will now be described more fully hereinafter with reference to the accompanying drawings. That which is encompassed by the claims may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided by way of example. Furthermore, like numbers refer to the same or similar elements or components throughout.
Reference will now be made in detail to the embodiments of the present description, examples of which are illustrated in the accompanying drawings. However, the following embodiments of the present description may be variously modified and the range of the present description is not limited by the following embodiments.
The present description relates to secure authentication, especially employed in cryptographic protocols such as distance bounding protocols, where a verifier establishes an upper bound on the physical distance to a prover. In the following description, the communicating nodes are labeled as a prover node or a verifier node, based on their role in the communication network. It is to be understood that, in a general case, “prover node” and “verifier node” are mere labels for, respectively, a first and a second node between which secure communication is performed. However, as a specific example, the verifier node may control access to a resource and the prover node may be used to gain access to the resource controlled by the verifier node, by virtue, at least in part, of physical proximity between the prover node and the verifier node.
In
The schematic description 100 is illustrated for two parties, namely a verifier 101 and a prover 102. It is to be understood that the public parameters for the elliptic curve, such as the order q, generator G, and the like are known to both verifier 101 and prover 102. The verifier 101 generates a random element x as an ephemeral private key from Zq*, and computes an ephemeral public key xG. Thus, x and xG are verifier's ephemeral or session private key and ephemeral or session public key, respectively. The verifier 101 then transmits its ephemeral public key xG to the prover 102 in a first transmission 112.
Upon receiving the transmission 112, particularly upon receiving the verifier's public key xG, the prover 102 generates a random element y as an ephemeral private key from Zq*, and computes an ephemeral public key yG. Thus, y and yG are prover's ephemeral or session private key and ephemeral or session public key, respectively.
Next, the prover 102 computes a shared key k as:
k=KDF(xyG)
where KDF is a key derivation function implemented to destroy any algebraic structures in xyG.
Then, the prover 102 computes a digital signature σP→V on xG and yG as:
σP→V=SIGNsk
where skP is a long term private key of the prover 102.
In addition, the prover 102 computes a message authentication code (MAC) τP→V using the computed shared key k as:
τP→V=MACk(pkP)
where pkP is a long term public key of the prover 102. Here, MAC serves as key confirmation in order to make sure that both verifier 101 and prover 102 computed the same shared key k.
Finally, the prover 102 transmits its ephemeral public key yG, the computed digital signature σP→V, and the computed MAC tag τP→V to the verifier 101 in a second transmission 123.
Upon receiving the transmission 123, particularly upon receiving the prover's ephemeral public key yG, the digital signature σP→V, and the MAC tag τP→V, the verifier 101 verifies the digital signature σP→V using the prover's long term public key pkP. If the digital signature is valid, the verifier 101 computes the shared key k as:
k=KDF(xyG)
where KDF is a key derivation function implemented to destroy any algebraic structures in xyG.
If, however, the signature is invalid, the protocol is aborted. Next, the verifier 101 verifies the MAC tag τP→V using the computed shared key k. Again, if the MAC tag is invalid, the protocol is aborted.
Then, the verifier 101 computes a digital signature σV→P on yG and xG as:
σV→P=SIGNsk
where skV is a long term private key of the verifier 101.
In addition, the verifier 101 computes a message authentication code (MAC) τV→P using the computed shared key k as:
τV→P=MACk(pkV)
where pkV is a long term public key of the verifier 101.
Finally, the verifier 101 transmits the computed digital signature σV→P, and the computed MAC tag τV→P to the prover 102 in a third transmission 134.
Upon receiving the transmission 134, particularly upon receiving the digital signature σV→P, and the MAC tag τV→P, the prover 102 verifies their validity. If either one of them is invalid, the protocol is aborted. Otherwise, the protocol is successful and the shared key k will be used in the next phase, e.g. in distance bounding.
It is to be noted that the verifier 101 and the prover 102 do not communicate their identities, e.g. a public key or a certificate on the public key, to each other, since they are assumed to know each other's identities. However, it is possible to extend the above-described two-party AKE protocol for parties who do not have each other's identities beforehand.
For instance, in the second transmission 123, the prover 102 may transmit its long term public key pkP in addition to its ephemeral public key yG, the computed digital signature σP→V, and the computed MAC tag τP→V, to the verifier 101. Hence, the verifier 101 will be able to verify the digital signature σV→P, using the prover's long term public key pkP. Analogously, in the third transmission 134, the verifier 101 may transmit its long term public key pkV in addition to the computed digital signature σV→P, and the computed MAC tag τV→P to the prover 102. Hence, the prover 102 will be able to verify the digital signature σV→P using the verifier's long term public key pkV.
In
Herein, the master node 201 communicates with the slave nodes 202, 203 so as to form a master-slave pair with each corresponding slave nodes 202, 203, in order to authenticate and to further communicate. The transmission direction of broadcasts between each master-slave pair is depicted as a respective two-directional arrow as a transmission path, however only exemplarily. For instance, the master node 201 may communicate with a first slave node 202 through a transmission path 212, and the first slave node may communicate with the master node through a transmission path 221. Analogously, the master node 201 may communicate with a second slave node 203 through a transmission path 213, and the second slave node may communicate with the master node through a transmission path 231.
In at least some implementations, the master node 201 agrees on a unique pair-wise authentication key with each slave node 202, 203. During this procedure, a mutual authentication between the master node 201 and the respective slave nodes 202, 203 takes place. Then, the master node 201 generates a group authentication key that is common for all slave nodes of the network group, and encrypts the group authentication key with the respective pair-wise authentication key for each master-slave pair. Next, the master node 201 communicates the encrypted group authentication key to the slave nodes 202, 203. Thus, the respective slave nodes 202, 203 is only able to decrypt the encrypted group authentication key with its designated pair-wise authentication key.
In
For example, the communicating node 300 may be generalized as a mobile or fixed station device, a mesh point device, or a hub device representing either an access point device in an infrastructure network or a group owner device in a peer-to-peer network, in accordance with example embodiments. The communicating node 300 may be a modern smartphone configured as an access point so that it may share its cellular telephone connection with other surrounding devices via a WLAN link.
The processing module 302 may include a single core central processing unit (CPU) or multiple core CPU, interface circuits to interface with the transceiver module 301, battery or house power sources, keyboard, display, etc. The memory module 303 may include a random access memory (RAM), a programmable read only memory (PROM), removable memory devices such as smart cards, SIMs, WIMs, flash memory devices, or a combination thereof.
The functional instructions respective to the role of the communicating node 300 within the communication network, e.g. being a verifier or a prover or both, may be implemented as computer code instructions stored in the memory module 303, which when executed by the processing module 302, carry out the functions of the example embodiments.
Next, in
The verifier node 401 generates a random element x as its ephemeral private key from Zq*, and computes its ephemeral public key xG. The verifier node 401 then transmits its ephemeral public key xG to the first prover node 402 and to the second prover node 403 simultaneously in a first transmission 412.
Upon receiving the transmission 412, particularly upon receiving the verifier node's ephemeral public key xG, the first prover node 402 generates a random element yP
k1=KDF(xyP
where KDF is a key derivation function implemented to destroy any algebraic structures in xyP
Then, the first prover node 402 computes a digital signature σP
σP
In addition, the first prover node 402 computes a message authentication code (MAC) τP
τP
Here, MAC serves as key confirmation in order to make sure that both the verifier node 401 and the first prover node 402 computed the same pair-wise authentication key k1.
Finally, the first prover node 402 transmits its ephemeral public key yP
Simultaneously or sequentially, upon receiving the transmission 412, particularly upon receiving the verifier node's ephemeral public key xG, the second prover node 403 generates a random element yP
k2=KDF(xyP
where KDF is a key derivation function implemented to destroy any algebraic structures in xyP
Then, the second prover node 403 computes a digital signature σP
σP
In addition, the second prover node 403 computes a message authentication code (MAC) τP
σP
Here, MAC serves as key confirmation in order to make sure that both the verifier node 401 and the second prover node 403 computed the same pair-wise authentication key k2.
Finally, the second prover node 403 transmits its ephemeral public key yP
The verifier node 401 receives the transmissions 423 and 423′ from the first prover node 402 and the second prover node 403, respectively, either simultaneously or sequentially. Upon receiving the respective prover's ephemeral public key, the digital signature and the MAC tag, the verifier node 401 verifies the digital signatures using the respective prover's long term public key. If the digital signature is valid, the verifier node 401 computes the respective pair-wise authentication key for the respective prover nodes as:
ki=KDF(xyP
where,
However, if the digital signature is invalid, the protocol is aborted. Next, the verifier node 401 verifies the respective MAC tags of the first prover node 402 and the second prover node 403 using the respective computed pair-wise authentication key ki. Again, if the MAC tag is invalid, the protocol is aborted.
Then, the verifier node 401 computes a respective digital signature for the respective prover nodes 402, 403 on the respective prover's ephemeral public key and the verifier's ephemeral public key using its long term private key skV as:
σV→P
where,
In addition, the verifier node 401 computes a respective message authentication code (MAC) on its long term public key pkV for the respective prover nodes 402, 403 using the respective computed pair-wise authentication key ki as:
τV→P
where,
Further, the verifier node 401 generates a random element k as a group authentication key for all the nodes of the network group. The verifier node 401 encrypts the group authentication key k with the respective computed pair-wise authentication key ki for the respective prover nodes 402, 403 as:
Ci=Enck
where,
Finally, the verifier node 401 transmits the computed digital signatures σV→P
Upon receiving the transmission 434, e.g. upon receiving the digital signature σV→P
k=Deck
If the digital signature and the MAC tag are valid, the protocol is successful and the group authentication key k will be used in the next phase, e.g. in distance bounding.
Simultaneously or sequentially, upon receiving the transmission 434′, e.g. upon receiving the digital signature σV→P
k=Deck
If the digital signature and the MAC tag are valid, the protocol is successful and the group authentication key k will be used in the next phase, e.g. in distance bounding.
It is to be noted that the verifier node 401 and the prover nodes 402, 403 do not communicate their identities, e.g. a public key or a certificate on the public key, to each other, since they are assumed to know each other's identities. However, it is possible to extend the above-described protocol for parties who do not have each other's identities beforehand, as discussed with respect to
Turning back to
During a second time slot 2, e.g. the first slave node is operating on transmit mode (Tx) and the master node is operating on receive mode (Rx), whereas all the remaining slave nodes are operating on sleep mode (I), i.e. possess an idle state of operation. The idle operation of the remaining slave nodes significantly reduces the cumulative loading on network resources. For each successive time slots, the subsequent slave nodes are operating on transmit mode one by one, while the rest of the slave nodes are in idle state, and the master node remains at its receive mode. The above scheduling again repeats after the time slot N.
In
The first verifier node 501 generates a random element x as its ephemeral private key from Zq*, and computes its ephemeral public key xG. The first verifier node 501 then transmits its ephemeral public key xG to the second verifier node 502 and to the prover node 503 simultaneously in a first transmission 512.
Upon receiving the transmission 512, particularly upon receiving the first verifier node's ephemeral public key xG, the second verifier node 502 generates a random element xV
k12=KDF(xxV
where KDF is a key derivation function implemented to destroy any algebraic structures in xxV
Then, the second verifier node 502 computes a digital signature σV
σV
In addition, the second verifier node 502 computes a message authentication code (MAC) τV
τV
Here, MAC serves as key confirmation in order to make sure that both the first verifier node 501 and the second verifier node 502 computed the same pair-wise authentication key k12.
Finally, the second verifier node 502 transmits its ephemeral public key xV
Simultaneously or sequentially, upon receiving the transmission 512, particularly upon receiving the verifier node's ephemeral public key xG, the prover node 503 generates a random element y as its ephemeral private key from Zq*, and computes its ephemeral public key yG. Next, the prover node 503 computes a pair-wise authentication key k for the pair of the first verifier node 501 and the prover node 503 as:
k=KDF(xyG)
where KDF is a key derivation function implemented to destroy any algebraic structures in xyG.
Then, the prover node 503 computes a digital signature σP→V
σP→V
In addition, the prover node 503 computes a message authentication code (MAC) τP→V
τP→V
Here, MAC serves as key confirmation in order to make sure that both the first verifier node 501 and the prover node 503 computed the same pair-wise authentication key k.
Finally, the prover node 503 transmits its ephemeral public key yG, the computed digital signature σP→V
The verifier node 501 receives the transmissions 523 and 523′ from the second verifier node 502 and the prover node 503, respectively, either simultaneously or sequentially. Upon receiving the respective slave's ephemeral public key, the digital signature and the MAC tag, the first verifier node 501 verifies the digital signatures using the respective slave's long term public key. If the digital signature is valid, the first verifier node 501 computes the respective pair-wise authentication key for the respective slave nodes as:
k12=KDF(xxV
for the second verifier node 502, and
k=KDF(xyG),
for the prover node 503.
However, if the digital signature is invalid, the protocol is aborted. Next, the first verifier node 501 verifies the respective MAC tags of the second verifier node 502 and the prover node 503 using the respective computed pair-wise authentication keys k12, k. Again, if the MAC tag is invalid, the protocol is aborted.
Then, the first verifier node 501 computes a respective digital signature for the slave nodes 502, 503 on the slave's ephemeral public key and the first verifier's ephemeral public key using its long term private key skV
σV
for the second verifier node 502, and
σV
for the prover node 503.
In addition, the first verifier node 501 computes a respective message authentication code (MAC) on its long term public key pkV
τV
for the second verifier node 502, and
τV
for the prover node 503.
Since the illustrated embodiment comprises only one prover node 503, the first verifier node 501 selects the computed pair-wise authentication key k as a group authentication key for the group of the first verifier node 501, the second verifier node 502 and the prover node 503. This process contradicts to the embodiment of
Subsequently, the first verifier node 501 encrypts the group authentication key k with the computed pair-wise authentication key k12 for the second verifier node 502, since only the second verifier node 502 does not possess the group authentication key k. Hence, the encrypted group authentication key may be formulated as:
C12=Enck
Finally, the first verifier node 501 transmits the computed digital signatures, the computed MAC tags to the respective slave nodes 502, 503, either simultaneously or sequentially, in a third transmission 534, 534′. Additionally, the first verifier node 501 transmits the encrypted group authentication key to the second verifier node 502 in the third transmission 534.
Upon receiving the transmission 534, e.g. upon receiving the digital signature σV
k=Deck
If the digital signature and the MAC tag are valid, the protocol is successful and the group authentication key k will be used in the next phase, e.g. in distance bounding.
Simultaneously or sequentially, upon receiving the transmission 534′, e.g. upon receiving the digital signature σV
It is to be noted that the first verifier node 501, the second verifier node 502, and the prover node 503 do not communicate their identities, e.g. a public key or a certificate on the public key, to each other, since they are assumed to know each other's identities. However, it is possible to extend the above-described protocol for parties who do not have each other's identities beforehand, as discussed with respect to
Next,
The first verifier node 601 generates a random element x as its ephemeral private key from Zq*, and computes its ephemeral public key xG. The first verifier node 601 then transmits its ephemeral public key xG to the second verifier node 602, to the first prover node 603, and to the second prover node 604 simultaneously in a first transmission 612.
Upon receiving the transmission 612, particularly upon receiving the first verifier node's ephemeral public key xG, the second verifier node 602 generates a random element xV
k12=KDF(xxV
where KDF is a key derivation function implemented to destroy any algebraic structures in xxV
Then, the second verifier node 602 computes a digital signature σV
σV
In addition, the second verifier node 602 computes a message authentication code (MAC) τV
τV
Here, MAC serves as key confirmation in order to make sure that both the first verifier node 601 and the second verifier node 602 computed the same pair-wise authentication key k12.
Finally, the second verifier node 602 transmits its ephemeral public key xV
Simultaneously or sequentially, upon receiving the transmission 612, particularly upon receiving the first verifier node's ephemeral public key xG, the first prover node 603 generates a random element yP
kP
where KDF is a key derivation function implemented to destroy any algebraic structures in xyP
Then, the first prover node 603 computes a digital signature σP
σP
In addition, the first prover node 603 computes a message authentication code (MAC) τP
τP
Here, MAC serves as key confirmation in order to make sure that both the first verifier node 601 and the first prover node 603 computed the same pair-wise authentication key kP
Finally, the first prover node 603 transmits its ephemeral public key yP
Simultaneously or sequentially, upon receiving the transmission 612, particularly upon receiving the first verifier node's ephemeral public key xG, the second prover node 604 generates a random element yP
kP
where KDF is a key derivation function implemented to destroy any algebraic structures in xyP
Then, the second prover node 604 computes a digital signature σP
σP
In addition, the second prover node 604 computes a message authentication code (MAC) τP
τP
Here, MAC serves as key confirmation in order to make sure that both the first verifier node 601 and the second prover node 604 computed the same pair-wise authentication key kP
Finally, the second prover node 604 transmits its ephemeral public key yP
The first verifier node 601 receives the transmissions 623, 623′, and 623″ from the second verifier node 602, the first prover node 603, and the second prover node 604, respectively, either simultaneously or sequentially. Upon receiving the respective slave's ephemeral public key, the digital signature and the MAC tag, the first verifier node 601 verifies the digital signatures using the respective slave's long term public key. If the digital signature is valid, the first verifier node 601 computes the respective pair-wise authentication key for the respective slave nodes as:
k12=KDF(xxV
for the second verifier node 602, and
kP
for the prover nodes 603, 604;
where,
However, if the digital signature is invalid, the protocol is aborted. Next, the first verifier node 601 verifies the respective MAC tags of the second verifier node 602, the first prover node 603, and the second prover node 604 using the respective computed pair-wise authentication key k12, kP
Then, the first verifier node 601 computes a respective digital signature for the second verifier node 602, and the respective prover nodes 603, 604 on their ephemeral public keys and the first verifier's ephemeral public key using its long term private key skV
σV
for the second verifier node 602, and
σV
for the prover nodes 603, 604;
where,
In addition, the first verifier node 601 computes a respective message authentication code (MAC) on its long term public key pkV
τV
for the second verifier node 602, and
τV
for the prover nodes 603, 604;
where,
Further, the first verifier node 601 generates a random element k as a group authentication key for all the nodes of the network group. The first verifier node 601 encrypts the group authentication key k with the respective computed pair-wise authentication key k12, kP
CV
for the second verifier node 602, and
CV
for the prover nodes 603, 604;
where,
Finally, the first verifier node 601 transmits the computed digital signatures, the computed MAC tags, and the encrypted group authentication key to the respective slave nodes 602, 603, 604, either simultaneously or sequentially, in a third transmission 634, 634′, 634″.
Upon receiving the transmission 634, e.g. upon receiving the digital signature σV
k,kp
If the digital signature and the MAC tag are valid, the protocol is successful and the group authentication key k will be used in the next phase, e.g. in distance bounding.
Simultaneously or sequentially, upon receiving the transmission 634′, e.g. upon receiving the digital signature σV
k=Deck
If the digital signature and the MAC tag are valid, the protocol is successful and the group authentication key k will be used in the next phase, e.g. in distance bounding.
Simultaneously or sequentially, upon receiving the transmission 634″, e.g. upon receiving the digital signature σV
k=Deck
If the digital signature and the MAC tag are valid, the protocol is successful and the group authentication key k will be used in the next phase, e.g. in distance bounding.
It is to be noted that the verifier nodes 601, 602 and the prover nodes 603, 604 do not communicate their identities, e.g. a public key or a certificate on the public key, to each other, since they are assumed to know each other's identities. However, it is possible to extend the above-described protocol for parties who do not have each other's identities beforehand, as discussed with respect to
In
This description describes a system and a method to efficiently authenticate several devices in close proximity and further to securely exchange authentication keys among the communicating nodes or entities. The underlying technique can be utilized for systems that require a high security and a high efficiency in distance measurements among multiple communicating nodes, e.g. wireless devices, particularly in close proximity. The term “security” refers to, e.g. impersonation and man-in-the-middle or relay attack resistance. The term “efficiency” refers to, e.g. low number of transmissions among the communicating nodes. The benefits include, but not limited to, higher attack resilience, improved availability by avoiding a single point of compromise or failure, as well as localization using multilateration.
It is important to note that, in the description as well as in the claims, the word “comprising” does not exclude other elements or steps and the indefinite article “a” or “an” does not exclude a plurality. A single element or other unit may fulfill the functions of several entities or items recited in the claims. It is further to be noted that the system according to the first aspect corresponds to the method according to the second aspect. Therefore, the disclosure with regard to any of the aspects is also relevant with regard to the other aspects of the description.
Although one or more implementations are illustrated and described herein, equivalent alterations and modifications will occur to others skilled in the art upon the reading and understanding of this specification and the annexed drawings. In addition, while a particular feature may have been disclosed with respect to only one of several implementations, such feature may be combined with one or more other features of the other implementations as may be desired for any given or particular application.
While some embodiments have been illustrated and described in detail in the appended drawings and the foregoing description, such illustration and description are to be considered illustrative and not restrictive. Other variations to the disclosed embodiments can be understood and effected in practicing the claims, from a study of the drawings, the disclosure, and the appended claims. The mere fact that certain measures or features are recited in mutually different dependent claims does not indicate that a combination of these measures or features cannot be used. Any reference signs in the claims should not be construed as limiting the scope.
Number | Date | Country | Kind |
---|---|---|---|
21180200 | Jun 2021 | EP | regional |
Number | Name | Date | Kind |
---|---|---|---|
5003593 | Mihm, Jr. | Mar 1991 | A |
7234058 | Baugher et al. | Jun 2007 | B1 |
20080016350 | Braskich et al. | Jan 2008 | A1 |
20080075280 | Ye et al. | Mar 2008 | A1 |
20100031036 | Chauncey | Feb 2010 | A1 |
20130036305 | Yadav et al. | Feb 2013 | A1 |
20160149908 | Unagami | May 2016 | A1 |
Number | Date | Country |
---|---|---|
2015184385 | Dec 2015 | WO |
Entry |
---|
Shan Wu, Chingfang Hsu, Zhe Xia, Jinlong Zhang, and Di Wu; “Symmetric-bivariate-polynomial-based lightweight authenticated group key agreement for industrial internet of things;” Journal of Internet Technology, vol. 21, Issue 7, 2020, pp. 1969-1979. |
Sungchul Heo, Zeen Kim, and Kwangjo Kim; “Certificateless authenticated group key agreement protocol for dynamic groups;” IEEE Globecom 2007—IEEE global telecommunications conference, pp. 464-468. IEEE, 2007. |
Eun-Jung Lee, Sang-Eon Lee, and Kee-Young Yoo; “A certificateless authenticated group key agreement protocol providing forward secrecy;” International Symposium on Ubiquitous Multimedia Computing, pp. 124-129. IEEE, 2008. |
Hugo Krawczyk; “Sigma: The ‘SIGn-and-MAc’approach to authenticated Diffie-Hellman and its use in the IKE protocol;” Annual international cryptology conference, pp. 400-425. Springer, Berlin, Heidelberg, Aug. 2003. |
European Patent Office; Extended European Search Report and Written Opinion, Application No. EP21180200.4, mailed Nov. 17, 2021, 8 pages. |
Musfiq Rahman and Srinivas Sampalli; “An efficient pairwise and group key management protocol for wireless sensor network.” Wireless Personal Communications 84, pp. 2035-2053; Apr. 2, 2015. |
Lung-Chung Li, Yao-Pin Tsai, and Ru-Sheng Liu; “A novel ID-based authenticated group key agreement protocol using bilinear pairings;” 2008 5th IFIP International Conference on Wireless and Optical Communications Networks (WOCN'08), pp. 1-5. IEEE, 2008. |
Shogo Ochiai, Keiichi Iwamura, and Ahmad Akmal Aminuddin Mohd Kamal; “Secure pairwise key sharing using geometric group key sharing method (full paper);” Cryptology ePrint Archive (2019). |
Sencun Zhu, Sanjeev Setia, and Sushil Jajodia; “Leap+ Efficient security mechanisms for large-scale distributed sensor networks.” ACM Transactions on Sensor Networks (TOSN) 2, No. 4 (2006): 500-528. |
Abdalkahik W. Hussain, and Mahmood K. Ibrahem; “An efficient pairwise and group key management scheme for wireless sensor network;” International Journal of Enhanced Research in Science Technology & Engineering, vol. 4, Issue 1, Jan. 2015; pp. 25-31. |
Lein Harn, Chingfang Hsu, and Zhe Xia; “Lightweight group key distribution schemes based on pre-shared pairwise keys;” IET Communications vol. 14, Issue 13, 2020, pp. 2162-2165. |
Number | Date | Country | |
---|---|---|---|
20220407845 A1 | Dec 2022 | US |