Method for creating and distributing cryptographic keys
11128445 · 2021-09-21
Assignee
Inventors
- Stephan Krenn (Moedling, AT)
- Thomas Loruesner (Vienna, AT)
- Bernhard Schrenk (Ulrichskirchen, AT)
- Christoph Pacher (Vienna, AT)
Cpc classification
H04L9/0855
ELECTRICITY
H04L63/0435
ELECTRICITY
H04L9/0819
ELECTRICITY
G06F17/16
PHYSICS
International classification
H04L9/08
ELECTRICITY
G06F17/16
PHYSICS
Abstract
A method creates and distributes cryptographic keys for securing communication at two terminals. Signals for creating correlated values in the two terminals are distributed via a first communication channel burdened with error, and the correlated values are present as keys. A checksum is formed on the basis of the first key present in the first terminal and the checksum is transferred to the second terminal via a second communication channel. A second checksum is formed on the basis of the second key present, and information derived from the two checksums is transferred via the second communication channel to a server. Based on the information derived from the checksums, the server determines a correction value, which, when applied to one or both keys, brings the keys into correspondence. The correction value is transferred to one or both terminals via the second communication channel and is applied to one or both keys.
Claims
1. A method for creating and distributing cryptographic keys for securing communication on two terminals, which comprises the steps of: distributing signals for creating correlated values in the two terminals via a first error-prone communication channel and the correlated values exist as keys in the two terminals; forming a first checksum on a basis of a first key present in a first terminal and the first checksum is transferred to a second terminal via a second communication channel different from the first error-prone communication channel; forming a second checksum based on a second key present in the second terminal and the first and second checksums is transmitted to a server which is different from the first and second terminals and physically separated therefrom; determining, via the server, and on a basis of the first and second checksums, a correction value, which when applied to one or both of the first and second keys brings the first and second keys into correspondence; and transmitting the correction value to one or both of the first and second terminals via the second communication channel and applied to one or both of the first and second keys.
2. The method according to claim 1, wherein the signals generating the correlated values in the first and second terminals are distributed, by: a random signal being created by the first terminal and being transmitted to the second terminal; or a random signal being created by the second terminal and being transmitted to the first terminal; or an entangled quantum state being generated by an external signal source and transmitted to both of the first and second terminals by means of quantum communication.
3. The method according to claim 1, wherein to form the correlated values, parts of a transmitted signal are selected and remaining parts of the transmitted signal are discarded.
4. The method according to claim 1, wherein: a key is specified as a binary vector of a given length; a publicly known test matrix containing binary numbers as entries is defined, a number of rows of which corresponds to a given length of the keys and a number of columns of which corresponds to a length of the first and second checksums; and the first and second checksums are formed by forming a matrix-vector multiplication, in which an XOR operation is used as addition of bits and an AND operation as multiplication of bits.
5. The method according to claim 1, wherein: a key is specified as a vector of a given length, elements of which originate from a Galois field; a publicly known test matrix is defined, containing elements of a Galois field as entries, a number of lines of which corresponds to a length of the first and second keys and a number of columns of which corresponds to a length of the first and second checksums; and the first and second checksums are formed by forming a matrix-vector multiplication, wherein relevant operations of an element from the Galois field are used as addition and multiplication.
6. The method according to claim 1, which further comprises reducing a length of the first and second keys in a predefined way by a number of bits that is at least equal to a number of bits of a checksum.
7. The method according to claim 1, which further comprises exchanging between the first and second terminals messages, which have been protected by means of a symmetric cryptography procedure in each case using a key stored in the terminals.
8. The method according to claim 1, which further comprises exchanging between the first and second terminals messages, wherein a hash value is appended to each of the messages, which is derived in a predefined way from a key and from information to be transmitted in a message, wherein upon reception a receiving terminal checks whether the hash value transmitted is derived in a predefined way from the key and from the information to be transmitted in the message, and if this is valid an authenticity of the message is verified.
9. The method according to claim 1, wherein the first error-prone communication channel is a quantum communication channel.
10. The method according to claim 2, wherein: the random signal is transmitted to the second terminal by means of quantum communication; and the random signal is transmitted to the first terminal by means of quantum communication.
11. A method for creating and distributing cryptographic keys for securing communication on two terminals, which comprises the steps of: distributing signals for creating correlated values in the two terminals via a first error-prone communication channel and the correlated values exist as keys in the two terminals; forming a first checksum on a basis of a first key present in a first terminal and the first checksum is transferred to a second terminal via a second communication channel different from the first error-prone communication channel; forming a second checksum based on a second key present in the second terminal and a difference of the first and second checksums is transmitted to a server which is different from the first and second terminals and physically separated therefrom; determining, via the server, and on a basis of the difference of the first and second checksums, a correction value, which when applied to one or both of the first and second keys brings the first and second keys into correspondence; and transmitting the correction value to one or both of the first and second terminals via the second communication channel and applied to one or both of the first and second keys.
12. A method for creating and distributing cryptographic keys for securing communication on two terminals, which comprises the steps of: distributing signals for creating correlated values in the two terminals via a first error-prone communication channel and the correlated values exist as keys in the two terminals; forming a first checksum on a basis of a first key present in a first terminal and the first checksum is transferred to a second terminal via a second communication channel different from the first error-prone communication channel; forming a second checksum based on a second key present in the second terminal and information derived from the first and second checksums about the second communication channel, is transmitted to a server which is different from the first and second terminals and physically separated therefrom; determining, via the server, and on a basis of the information derived from the first and second checksums, a correction value, which when applied to one or both of the first and second keys brings the first and second keys into correspondence; and transmitting the correction value to one or both of the first and second terminals via the second communication channel and applied to one or both of the first and second keys.
Description
BRIEF DESCRIPTION OF THE DRAWING
(1) The single FIGURE of the drawing is an illustration of a communications system having two terminals in which cryptographic keys are created and distributed according to the invention.
DESCRIPTION OF THE INVENTION
(2) In the FIGURE of the drawing the terminals A, B of two communication subscribers are shown, which are connected to each other via a potentially insecure second communication channel L and via a first communication channel Q, in particular via a quantum communication channel. In the present exemplary embodiment of the invention, the terminal A has a transmitting device, with which signals can be transmitted to the terminal B via the first communication channel Q. The terminal B has a receiving device, with which outbound signals from the terminal A can be received via the first communication channel Q.
(3) For the signals to be transferred via the first communication channel Q, quantum signals are typically used. These are signals represented only by a very small number of photons. In the process of quantum communication it is thus possible to detect attackers, since in the event of individual signals being read via the first communication channel Q perturbations are caused on the channel, so that the signal either does not arrive at the receiving terminal B at all, or only with errors. However, other signals can also be alternatively transmitted over a communications channel Q, for which the attacker is also not able to copy the complete signal.
(4) As the signal, a random data signal is advantageously transmitted from the first terminal A via the first communication channel Q. This data signal is additionally stored as a key k.sub.A. The second terminal B stores the data signal received via the first communication channel Q as key k.sub.B.
(5) In addition, in the distribution of the key it can be provided that the signal-generating terminal A emits the individual photons generating the signal with a constantly changing polarization. In this case, the terminal B can also adjust its receiver to a different polarization, wherein the polarization of the emitted photons is not matched to the polarization of the receiving device in the second terminal B. Only after the transmission of the signal in an alignment step will the two terminals A, B match the signal components with one another, in which the polarization of the photons emitted by the first terminal A corresponds to the polarization of the receiver unit of the second terminal B. The other signal components, in which the polarization of the signal component emitted by terminal A does not correspond to the polarization of the receiving device of the second terminal B, are discarded. If two polarization directions are defined in both terminals A, B, the information content of the signal available for generating the key is reduced by half.
(6) In order to perform an alignment, after the transmission of the key the two terminals exchange the polarization direction used with each other so that for the respective signal component or key present on them, they can determine which of the bits were sent with matched transmitting and receiving devices. The remaining bits of the respective key are discarded. The polarizations are only exchanged after the signal from the first terminal A has been transferred to the second terminal B via the first communication channel Q. Of particular advantage here is that the exchange of the polarization directions used for the sending and receiving does not give an attacker any information whatsoever about the exchanged key.
(7) After this initial step of the key matching, a key k.sub.A, k.sub.B now exists in each of the two terminals A, B. As a result of non-ideal transmission characteristics of the channel and the possible influence of attackers, the keys k.sub.A, k.sub.B are not identical.
(8) In a first step, one of the two terminals, in the present case the first terminal A, now creates a checksum s.sub.A based on the key k.sub.A present on it. This checksum can be formed in different ways, wherein in this exemplary embodiment a variant is chosen which leads to a particularly simple numerical treatment. In this case, the key k.sub.A is treated as a bit vector comprising a plurality of individual bits. In addition, a publicly known test matrix P of a specified size is agreed between the two terminals A, B, which can also be known to any attackers.
(9) The test matrix P used in forming the checksum has a number of rows which corresponds to the number of the elements in the row vector of the key k.sub.a. The test matrix P has a number of columns which corresponds to the number of desired entries in the column vector of the checksum s.sub.A. The specific formation of test matrices is conveniently presented in more detail in Information Theory, Inference, and Learning algorithms, by David J. C. MacKay, discusses LDPC codes in Chapter 47.
(10) For generating a checksum vector s.sub.A, a matrix-vector multiplication is performed between the test matrix P and the key vector k.sub.A, represented here as a row vector, whereupon a row checksum vector s.sub.A is obtained. In the present exemplary embodiment, to simplify the presentation a binary vector is used for the key k.sub.A, a test matrix P filled with binary numbers and a column vector filled with binary numbers as the checksum s.sub.A. If as part of the matrix-vector multiplication a multiplication between individual binary numbers is required, then the AND operation is used for this. If in the matrix-vector multiplication an addition is required, the individual values to be summed are subjected to an XOR operation. A structure provided with the AND and XOR operations as multiplication and addition with the values 0 and 1 forms a field and is also referred to in mathematics as a Galois field GF2.
(11) Instead of the Galois field GF2 used here, other linear structures, in particular other Galois fields, can also be used as elements of the key, the checksums or the test matrix. These structures have, as does GF2, the properties of a field, in particular also offering the possibility of addition and multiplication.
(12) As the result of this matrix-vector multiplication, a checksum s.sub.A is obtained, which in turn is treated in the following as a row vector.
(13) The first terminal A transmits the first checksum s.sub.A thus transmitted via the additional communication channel L to the second terminal B. The second terminal B in turn then forms a checksum s.sub.B, based on the key k.sub.B present on it, in the same way as the first terminal A. The second terminal B then forms the difference s.sub.err as the difference between the two checksums s.sub.A and s.sub.B.
S.sub.err=S.sub.A−S.sub.B=(k.sub.A−k.sub.B).Math.P=k.sub.err.Math.P
(14) Instead of the formation of the direct difference between the two checksums a different function can also be used, which depends linearly on the checksums and on the two keys and returns a specified value, in particular a zero vector, if the two keys match.
(15) From the above formula it can be derived that the difference s.sub.err of the two checksums s.sub.A, s.sub.B, in particular due to the linearity of the Galois field used with regard to its two operations, can also be represented as a product of the test matrix P with a vectorial correction value k.sub.err. If the second terminal B now transfers the difference s.sub.err of the two checksums s.sub.A, s.sub.B to a server C, which is different from the two terminals A, B and spatially separated from them, via the potentially insecure communication channel L, then this server can only calculate a correction vector k.sub.err with knowledge of the difference s.sub.err of the two checksums s.sub.A, s.sub.B, wherein if said factor is added to one of the two keys k.sub.A, k.sub.B it yields the other key.
(16) Alternatively, the possibility also exists that the two checksums s.sub.A, s.sub.B are transferred to the server C independently of each other via the second communication channel L and this server C forms the difference between the checksums s.sub.A, s.sub.B. The formation of the difference between the two checksums s.sub.A, s.sub.B can be carried out numerically with very little resources, so that it does not matter whether this operation is carried out by one of the terminals A, B or by the server C. The main task of the server C consists of forming a correction vector k.sub.err based on the difference s.sub.err of the two checksums s.sub.A, s.sub.B, for which the following applies:
S.sub.err=k.sub.err.Math.P
(17) In simplified terms, a correction vector k.sub.err is sought, which when applied to the jointly agreed test matrix P, yields a checksum equal to the difference s.sub.err between the two test vectors s.sub.A, s.sub.B. Such a correct procedure is shown, for example, in Robert G. Gallager (1963). Low Density Parity Check Codes (PDF). Monograph, M.I.T. Press. Retrieved Aug. 7, 2013. Such a method can only be solved with great computational effort, even if the checksums used are as short as possible.
(18) After implementation the correction value k.sub.err in accordance with the agreement is transferred to one or both of the terminals A, B. In the present case, the key k.sub.B of the second terminal B is adjusted by adding the correction vector k.sub.err, in such a way that it matches the key k.sub.A of the first terminal. Alternatively, it would of course also be possible to add the correction value k.sub.err only to the key k.sub.A of the first terminal A, in order to obtain in the first terminal A a key k.sub.A′, whose value matches the key of the second terminal B. Since random signals are usually selected for the generation of the signal anyway, it is not necessary to reconstruct exactly the value that was transmitted via the first communication channel Q.
(19) After the keys k.sub.A, k.sub.B in the terminals A, B have been brought into correspondence, in the following optional step, consideration must be given to the fact that any attackers, because of the transmitted checksum and the information that the attacker has acquired while eavesdropping, were able to access individual properties of the key k.sub.A, k.sub.B used. If the number of bits of the individual keys k.sub.A, k.sub.B is then reduced in a possibly known manner, at least agreed in advance between the terminals A, B, to a number of bits which is at least equal to the number of bits of the checksum s.sub.A, s.sub.B, then a potential attacker gains the least amount of information possible about the key k.sub.A, k.sub.B from the transmitted checksums s.sub.A, s.sub.B.
(20) With regard to the manner of the creation of the signal containing the key, there are several different possible variants. This signal can advantageously be a quantum signal, but also a different signal which is transferred via an error-prone first communication channel Q, specifically designed to be not ideally copiable by an attacker.
(21) It is possible that in an otherwise identical approach, the second terminal B transmits a signal to the first terminal A via the communication channel Q, which is received by the latter. Again, in both terminals A, B, different keys k.sub.A, k.sub.B are obtained.
(22) In addition, it is also possible that the signal is transmitted as a quantum signal via the first communication channel Q, which in this case is implemented as a quantum communication channel, from a third location to the two terminals A, B. In this case, photons entangled with each other are typically transmitted via the first communication channel Q, so that signals corresponding to each other can be detected in each of the two terminals A, B.
(23) It is also possible within the scope of the invention that both terminals A, B, each form a checksum separately and transmit them via the second potentially insecure communication channel L to the server C. In this alternative the server determines the difference between the checksums itself.
(24) Later in the process, messages can be exchanged between the two terminals A, B which have been protected by means of a symmetric cryptography procedure, in each case using the key k.sub.A, k.sub.B stored in the terminal A, B and brought into correspondence.
(25) In particular, the possibility also exists to improve the authenticity of the messages by generating key-dependent hash values. In this case, messages are exchanged between the terminals A, B. A hash value is appended to each of the messages, which is derived in a predefined way from the key and from the information to be transmitted in the message. The message is then transferred via the second communication channel L. Upon reception the respective receiving terminal A, B checks whether the hash value transmitted is derived in the predefined way from the key and from the information to be transmitted in the message. If this is the case, the authenticity of the message is verified and the message is considered to be genuine.