1. Patent Search
  2. Details

System and Method for Performing Secure Key Exchange

20220407845 · 2022-12-22

    Inventors

    Cpc classification

    International classification

    Abstract

    A system is provided for performing secure key exchange between a plurality of nodes of a communication network. The system comprises a master node and at least two slave nodes. In this context, the master node is configured to authenticate the at least two slave nodes with a pair-wise authentication key corresponding to each pair of master node and slave nodes. The master node is further configured to generate a group authentication key common to the plurality of nodes. Furthermore, the master node is configured to encrypt the group authentication key with the pair-wise authentication key for each respective pair of master node and slave nodes, thereby generating a respective encrypted group authentication key. Moreover, the master node is configured to communicate the encrypted group authentication key to the respective slave nodes.

    Claims

    1. A system for performing secure key exchange between a plurality of nodes of a communication network, the system comprising a master node and at least two slave nodes, wherein the master node is configured to: authenticate the at least two slave nodes with a pair-wise authentication key corresponding to each pair of master node and slave nodes, generate a group authentication key common to the plurality of nodes, encrypt the group authentication key with the pair-wise authentication key for each respective pair of master node and slave nodes, thereby generating a respective encrypted group authentication key, and communicate the encrypted group authentication key to the respective slave nodes.

    2. The system according to claim 1, wherein the master node is configured to communicate with the at least two slave nodes simultaneously.

    3. The system according to claim 2, wherein the at least two slave nodes are configured to receive the respective encrypted group authentication key from the master node sequentially or simultaneously, and wherein each of the at least two slave nodes is configured to decrypt the encrypted group authentication key with its respective pair-wise authentication key.

    4. The system according to claim 1, wherein the at least two slave nodes are configured to receive the respective encrypted group authentication key from the master node sequentially or simultaneously, and wherein each of the at least two slave nodes is configured to decrypt the encrypted group authentication key with its respective pair-wise authentication key.

    5. The system according to claim 1, wherein the master node is configured to be operable as a verifier node and the at least two slave nodes each configured to be operable as a verifier node or a prover node.

    6. The system according to claim 1, wherein the master node and the at least two slave nodes are synchronized with one another.

    7. The system according to claim 1, wherein the master node and the at least two slave nodes are clock-synchronized with one another.

    8. The system according to claim 7, wherein the master node comprises a transmit mode and a receive mode, and wherein the at least two slave nodes each comprises a transmit mode, a receive mode and a sleep mode.

    9. The system according to claim 8, wherein for a given time slot, the master node operates on the transmit mode and the at least two slave nodes each operates on the receive mode or on the sleep mode, and/or wherein for a given time slot, the master node operates on the receive mode and the at least two slave nodes operate on the transmit mode or on the receive mode or on the sleep mode.

    10. The system according to claim 1, wherein the master node comprises a transmit mode and a receive mode, and wherein the at least two slave nodes each comprises a transmit mode, a receive mode and a sleep mode.

    11. The system according to claim 1, wherein an identity of the master node and of the at least two slave nodes are known to each other, or wherein the identity of the master node and of the at least two slave nodes are unknown to each other.

    12. The system according to claim 11, wherein the master node is configured to be operable as a verifier node and the at least two slave nodes each are configured to be operable as a prover node, and wherein the system comprises at least one further verifier node.

    13. The system according to claim 1, wherein the master node is configured to be operable as a verifier node and the at least two slave nodes each are configured to be operable as a prover node, and wherein the system comprises at least one further verifier node.

    14. The system according to claim 13, wherein the master node is configured to authenticate the at least one further verifier node with a pair-wise authentication key for the pair of master node and the at least one further verifier node.

    15. The system according to claim 14, wherein the master node is configured to transmit a message comprising the pair-wise authentication key for each respective pair of master node and slave nodes and/or the group authentication key to the at least one further verifier node, encrypted with the pair-wise authentication key for the pair of master node and the at least one further verifier node.

    16. The system according to claim 15, wherein the at least one further verifier node is configured to decrypt the message with the pair-wise authentication key for the pair of master node and the at least one further verifier node.

    17. A method for performing secure key exchange between a plurality of nodes of a communication network, the method comprising: authenticating, by a master node, at least two slave nodes with a pair-wise authentication key corresponding to each pair of master node and slave nodes, generating, by the master node, a group authentication key common to the plurality of nodes, encrypting, by the master node, the group authentication key with the pair-wise authentication key for each respective pair of master node and slave nodes, thereby generating a respective encrypted group authentication key, and communicating, by the master node, the encrypted group authentication key to the respective slave nodes.

    18. The method according to claim 17, wherein the method further comprises communicating, by the master node, with the at least two slave nodes simultaneously.

    19. The method according to claim 18, wherein the method further comprises: receiving, by the at least two slave nodes, the respective encrypted group authentication key from the master node sequentially or simultaneously; and decrypting, by each of the at least two slave nodes, the encrypted group authentication key with its respective pair-wise authentication key.

    20. The method according to claim 17, wherein the method further comprises: receiving, by the at least two slave nodes, the respective encrypted group authentication key from the master node sequentially or simultaneously; and decrypting, by each of the at least two slave nodes, the encrypted group authentication key with its respective pair-wise authentication key.

    Description

    BRIEF DESCRIPTION OF THE FIGURES

    [0023] The above, as well as additional, features will be better understood through the following illustrative and non-limiting detailed description of example embodiments, with reference to the appended drawings.

    [0024] FIG. 1 shows a schematic description of a two-party authenticated key exchange (AKE) protocol according to an example embodiment.

    [0025] FIG. 2 shows a block representation of the system according to an example embodiment.

    [0026] FIG. 3 shows an exemplary block representation of a node according to an example embodiment.

    [0027] FIG. 4A shows a first authentication arrangement according to an example embodiment.

    [0028] FIG. 4B shows a scheduling arrangement of the communicating nodes of FIG. 4A according to an example embodiment.

    [0029] FIG. 5 shows a second authentication arrangement according to an example embodiment.

    [0030] FIG. 6 shows a third authentication arrangement according to an example embodiment.

    [0031] FIG. 7 shows a flowchart for a method according to an example embodiment.

    [0032] All the figures are schematic, not necessarily to scale, and generally only show parts which are necessary to elucidate example embodiments, wherein other parts may be omitted or merely suggested.

    DETAILED DESCRIPTION

    [0033] Example embodiments will now be described more fully hereinafter with reference to the accompanying drawings. That which is encompassed by the claims may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided by way of example. Furthermore, like numbers refer to the same or similar elements or components throughout.

    [0034] Reference will now be made in detail to the embodiments of the present description, examples of which are illustrated in the accompanying drawings. However, the following embodiments of the present description may be variously modified and the range of the present description is not limited by the following embodiments.

    [0035] The present description relates to secure authentication, especially employed in cryptographic protocols such as distance bounding protocols, where a verifier establishes an upper bound on the physical distance to a prover. In the following description, the communicating nodes are labeled as a prover node or a verifier node, based on their role in the communication network. It is to be understood that, in a general case, “prover node” and “verifier node” are mere labels for, respectively, a first and a second node between which secure communication is performed. However, as a specific example, the verifier node may control access to a resource and the prover node may be used to gain access to the resource controlled by the verifier node, by virtue, at least in part, of physical proximity between the prover node and the verifier node.

    [0036] In FIG. 1, a schematic description 100 of a two-party authenticated key exchange (AKE) protocol is illustrated as an elliptic curve based version. The schematic description of the AKE protocol 100 is illustrated based on the two-party AKE disclosed in “Krawczyk, H., SIGMA: The ‘SIGn-and-Mac’ approach to authenticated Diffie-Hellman and its use in the IKE protocols, Annual International Cryptology Conference, pp. 400-425, Springer, Berlin, Heidelberg, August 2003”.

    [0037] The schematic description 100 is illustrated for two parties, namely a verifier 101 and a prover 102. It is to be understood that the public parameters for the elliptic curve, such as the order q, generator G, and the like are known to both verifier 101 and prover 102. The verifier 101 generates a random element x as an ephemeral private key from Zq*, and computes an ephemeral public key xG. Thus, x and xG are verifier's ephemeral or session private key and ephemeral or session public key, respectively. The verifier 101 then transmits its ephemeral public key xG to the prover 102 in a first transmission 112.

    [0038] Upon receiving the transmission 112, particularly upon receiving the verifier's public key xG, the prover 102 generates a random element y as an ephemeral private key from Zq*, and computes an ephemeral public key yG. Thus, y and yG are prover's ephemeral or session private key and ephemeral or session public key, respectively.

    [0039] Next, the prover 102 computes a shared key k as:


    k=KDF(xyG)

    where KDF is a key derivation function implemented to destroy any algebraic structures in xyG.

    [0040] Then, the prover 102 computes a digital signature σ.sub.P.fwdarw.V on xG and yG as:


    σ.sub.P.fwdarw.V=SIGN.sub.sk.sub.p(xG,yG)

    where sk.sub.p is a long term private key of the prover 102.

    [0041] In addition, the prover 102 computes a message authentication code (MAC) τ.sub.P.fwdarw.V using the computed shared key k as:


    τ.sub.P.fwdarw.V=MAC.sub.k(pk.sub.p)

    where pk.sub.p is a long term public key of the prover 102. Here, MAC serves as key confirmation in order to make sure that both verifier 101 and prover 102 computed the same shared key k.

    [0042] Finally, the prover 102 transmits its ephemeral public key yG, the computed digital signature σ.sub.P.fwdarw.V, and the computed MAC tag τ.sub.P.fwdarw.V to the verifier 101 in a second transmission 123.

    [0043] Upon receiving the transmission 123, particularly upon receiving the prover's ephemeral public key yG, the digital signature σ.sub.P.fwdarw.V, and the MAC tag τ.sub.P.fwdarw.V, the verifier 101 verifies the digital signature σ.sub.P.fwdarw.V using the prover's long term public key pk.sub.p. If the digital signature is valid, the verifier 101 computes the shared key k as:


    k=KDF(xyG)

    where KDF is a key derivation function implemented to destroy any algebraic structures in xyG.

    [0044] If, however, the signature is invalid, the protocol is aborted. Next, the verifier 101 verifies the MAC tag τ.sub.P.fwdarw.V using the computed shared key k. Again, if the MAC tag is invalid, the protocol is aborted.

    [0045] Then, the verifier 101 computes a digital signature σ.sub.V.fwdarw.P on yG and xG as:


    σ.sub.V.fwdarw.P=SIGN.sub.sk.sub.V(yG,xG)

    where sk.sub.V is a long term private key of the verifier 101.

    [0046] In addition, the verifier 101 computes a message authentication code (MAC) τ.sub.V.fwdarw.P using the computed shared key k as:


    τ.sub.V.fwdarw.P=MAC.sub.k(pk.sub.V)

    where pk.sub.V is a long term public key of the verifier 101.

    [0047] Finally, the verifier 101 transmits the computed digital signature σ.sub.V.fwdarw.P, and the computed MAC tag τ.sub.V.fwdarw.P to the prover 102 in a third transmission 134.

    [0048] Upon receiving the transmission 134, particularly upon receiving the digital signature σ.sub.V.fwdarw.P, and the MAC tag τ.sub.V.fwdarw.P, the prover 102 verifies their validity. If either one of them is invalid, the protocol is aborted. Otherwise, the protocol is successful and the shared key k will be used in the next phase, e.g. in distance bounding.

    [0049] It is to be noted that the verifier 101 and the prover 102 do not communicate their identities, e.g. a public key or a certificate on the public key, to each other, since they are assumed to know each other's identities. However, it is possible to extend the above-described two-party AKE protocol for parties who do not have each other's identities beforehand.

    [0050] For instance, in the second transmission 123, the prover 102 may transmit its long term public key pk.sub.p in addition to its ephemeral public key yG, the computed digital signature σ.sub.P.fwdarw.V, and the computed MAC tag τ.sub.P.fwdarw.V, to the verifier 101. Hence, the verifier 101 will be able to verify the digital signature σ.sub.V.fwdarw.P, using the prover's long term public key pk.sub.p. Analogously, in the third transmission 134, the verifier 101 may transmit its long term public key pk.sub.V in addition to the computed digital signature σ.sub.V.fwdarw.P, and the computed MAC tag τ.sub.V.fwdarw.P to the prover 102. Hence, the prover 102 will be able to verify the digital signature σ.sub.V.fwdarw.P using the verifier's long term public key pk.sub.V.

    [0051] In FIG. 2, an exemplary block representation of the system 200 according to the first implementation is illustrated. The system 200 comprises a master node or device or entity 201 and at least two slave nodes or devices or entities 202, 203, communicating with each other in a communication network 210, e.g. a wireless network. Although only two slave nodes 202, 203 are illustrated herein, the number of slave nodes can be more than two. However, the number of simultaneously communicating slave nodes is limited by the amount of network resource allocated by the communication network 210.

    [0052] Herein, the master node 201 communicates with the slave nodes 202, 203 so as to form a master-slave pair with each corresponding slave nodes 202, 203, in order to authenticate and to further communicate. The transmission direction of broadcasts between each master-slave pair is depicted as a respective two-directional arrow as a transmission path, however only exemplarily. For instance, the master node 201 may communicate with a first slave node 202 through a transmission path 212, and the first slave node may communicate with the master node through a transmission path 221. Analogously, the master node 201 may communicate with a second slave node 203 through a transmission path 213, and the second slave node may communicate with the master node through a transmission path 231.

    [0053] In at least some implementations, the master node 201 agrees on a unique pair-wise authentication key with each slave node 202, 203. During this procedure, a mutual authentication between the master node 201 and the respective slave nodes 202, 203 takes place. Then, the master node 201 generates a group authentication key that is common for all slave nodes of the network group, and encrypts the group authentication key with the respective pair-wise authentication key for each master-slave pair. Next, the master node 201 communicates the encrypted group authentication key to the slave nodes 202, 203. Thus, the respective slave nodes 202, 203 is only able to decrypt the encrypted group authentication key with its designated pair-wise authentication key.

    [0054] In FIG. 3, an exemplary block representation of a communicating node 300, e.g. a master node 201 or a slave node 202 or 203, is illustrated. The communicating node 300 comprises a transceiver module 301 for broadcasting communication as well as to receive broadcasts to and from a neighboring communicating node. The communicating node 300 further comprises a processing module or processor 302, operably coupled to the transceiver module 301. The communicating node 300 moreover comprises a memory module or memory 303, operably coupled to the processing module 302.

    [0055] For example, the communicating node 300 may be generalized as a mobile or fixed station device, a mesh point device, or a hub device representing either an access point device in an infrastructure network or a group owner device in a peer-to-peer network, in accordance with example embodiments. The communicating node 300 may be a modern smartphone configured as an access point so that it may share its cellular telephone connection with other surrounding devices via a WLAN link.

    [0056] The processing module 302 may include a single core central processing unit (CPU) or multiple core CPU, interface circuits to interface with the transceiver module 301, battery or house power sources, keyboard, display, etc. The memory module 303 may include a random access memory (RAM), a programmable read only memory (PROM), removable memory devices such as smart cards, SIMs, WIMs, flash memory devices, or a combination thereof.

    [0057] The functional instructions respective to the role of the communicating node 300 within the communication network, e.g. being a verifier or a prover or both, may be implemented as computer code instructions stored in the memory module 303, which when executed by the processing module 302, carry out the functions of the example embodiments.

    [0058] Next, in FIG. 4A and FIG. 4B, a first authentication arrangement 400 according to the first implementation is illustrated. Particularly, FIG. 4A shows a master node operating as a verifier node 401, whereas a first slave node and a second slave node operating as a first prover node 402 and a second prover node 403, respectively. FIG. 4B shows an exemplary operation schedule for the nodes of the network group. The verifier node 401 may correspond to the master node 201 of FIG. 2. Additionally, the first prover node 402 and the second prover node 403 may correspond to the first slave node 202 and the second slave node 203 of FIG. 2, respectively, or vice versa. The authentication arrangement 400 represents a schematic description of an extended authenticated key exchange based on elliptic curve. It is assumed that the public parameters for the elliptic curve, such as the order q, generator G, and the like are known to the verifier node 401 and the prover nodes 402, 403.

    [0059] The verifier node 401 generates a random element x as its ephemeral private key from Zq*, and computes its ephemeral public key xG. The verifier node 401 then transmits its ephemeral public key xG to the first prover node 402 and to the second prover node 403 simultaneously in a first transmission 412.

    [0060] Upon receiving the transmission 412, particularly upon receiving the verifier node's ephemeral public key xG, the first prover node 402 generates a random element y.sub.P.sub.1 as its ephemeral private key from Zq*, and computes its ephemeral public key y.sub.P.sub.1G. Next, the first prover node 402 computes a pair-wise authentication key k.sub.1 for the pair of the verifier node 401 and the first prover node 402 as:


    k.sub.1=KDF(xy.sub.p.sub.1G)

    where KDF is a key derivation function implemented to destroy any algebraic structures in xy.sub.p.sub.1G.

    [0061] Then, the first prover node 402 computes a digital signature σ.sub.P.sub.1.sub..fwdarw.V and y.sub.P.sub.1 G using its long term private key sk.sub.P.sub.1 as:


    σ.sub.P.sub.1.sub..fwdarw.V=SIGN.sub.sk.sub.p.sub.1(xG,y.sub.P.sub.1G).

    [0062] In addition, the first prover node 402 computes a message authentication code (MAC) τ.sub.P.sub.1.sub..fwdarw.V on its long term public key pk.sub.p.sub.1 using the computed pair-wise authentication key k.sub.1 as:


    τ.sub.P.sub.1.sub..fwdarw.V=MAC.sub.k.sub.1(pk.sub.p.sub.1).

    [0063] Here, MAC serves as key confirmation in order to make sure that both the verifier node 401 and the first prover node 402 computed the same pair-wise authentication key k.sub.1.

    [0064] Finally, the first prover node 402 transmits its ephemeral public key y.sub.P.sub.1G, the computed digital signature σ.sub.P.sub.1.sub..fwdarw.V, and the computed MAC tag τ.sub.P.sub.1.sub..fwdarw.V to the verifier node 401 in a second transmission 423.

    [0065] Simultaneously or sequentially, upon receiving the transmission 412, particularly upon receiving the verifier node's ephemeral public key xG, the second prover node 403 generates a random element y.sub.P.sub.2 as its ephemeral private key from Zq*, and computes its ephemeral public key y.sub.P.sub.2G. Next, the second prover node 403 computes a pair-wise authentication key k.sub.2 for the pair of the verifier node 401 and the second prover node 403 as:


    k.sub.2=KDF(xy.sub.p.sub.2G)

    where KDF is a key derivation function implemented to destroy any algebraic structures in xy.sub.P.sub.2G.

    [0066] Then, the second prover node 403 computes a digital signature σ.sub.P.sub.2.sub..fwdarw.V on xG and y.sub.P.sub.2G using its long term private key sk.sub.P.sub.2 as:


    σ.sub.P.sub.2.sub..fwdarw.V=SIGN.sub.sk.sub.p.sub.2(xG,y.sub.P.sub.2G).

    [0067] In addition, the second prover node 403 computes a message authentication code (MAC) τ.sub.P.sub.2.sub..fwdarw.V on its long term public key pk.sub.P.sub.2 using the computed pair-wise authentication key k.sub.2 as:


    σ.sub.P.sub.2.sub..fwdarw.V=MAC.sub.k.sub.2(pk.sub.P.sub.2).

    [0068] Here, MAC serves as key confirmation in order to make sure that both the verifier node 401 and the second prover node 403 computed the same pair-wise authentication key k.sub.2.

    [0069] Finally, the second prover node 403 transmits its ephemeral public key y.sub.P.sub.2G, the computed digital signature σ.sub.P.sub.2.sub..fwdarw.V, and the computed MAC tag τ.sub.P.sub.2.sub..fwdarw.V to the verifier node 401 in a second transmission 423′.

    [0070] The verifier node 401 receives the transmissions 423 and 423′ from the first prover node 402 and the second prover node 403, respectively, either simultaneously or sequentially. Upon receiving the respective prover's ephemeral public key, the digital signature and the MAC tag, the verifier node 401 verifies the digital signatures using the respective prover's long term public key. If the digital signature is valid, the verifier node 401 computes the respective pair-wise authentication key for the respective prover nodes as:


    k.sub.i=KDF(xy.sub.P.sub.iG)

    where, [0071] i=1 denotes the first prover node 402, and [0072] i=2 denotes the second prover node 403, and so on.

    [0073] However, if the digital signature is invalid, the protocol is aborted. Next, the verifier node 401 verifies the respective MAC tags of the first prover node 402 and the second prover node 403 using the respective computed pair-wise authentication key k.sub.i. Again, if the MAC tag is invalid, the protocol is aborted.

    [0074] Then, the verifier node 401 computes a respective digital signature for the respective prover nodes 402, 403 on the respective prover's ephemeral public key and the verifier's ephemeral public key using its long term private key sk.sub.V as:


    σ.sub.V.fwdarw.P.sub.i=SIGN.sub.sk.sub.V(y.sub.P.sub.iG,xG)

    where, [0075] i=1 denotes the first prover node 402, and [0076] i=2 denotes the second prover node 403, and so on.

    [0077] In addition, the verifier node 401 computes a respective message authentication code (MAC) on its long term public key pk.sub.V for the respective prover nodes 402, 403 using the respective computed pair-wise authentication key k.sub.i as:


    τ.sub.V.fwdarw.P.sub.i=MAC.sub.k.sub.i(pk.sub.v)

    where, [0078] i=1 denotes the first prover node 402, and [0079] i=2 denotes the second prover node 403, and so on.

    [0080] Further, the verifier node 401 generates a random element k as a group authentication key for all the nodes of the network group. The verifier node 401 encrypts the group authentication key k with the respective computed pair-wise authentication key k.sub.i for the respective prover nodes 402, 403 as:


    C.sub.i=Enc.sub.k.sub.i(k)

    where, [0081] i=1 denotes the first prover node 402, and [0082] i=2 denotes the second prover node 403, and so on.

    [0083] Finally, the verifier node 401 transmits the computed digital signatures σ.sub.V.fwdarw.P.sub.i, the computed MAC tags τ.sub.V.fwdarw.P.sub.i, and the encrypted group authentication key C.sub.i to the respective prover nodes 402, 403, either simultaneously or sequentially, in a third transmission 434, 434′.

    [0084] Upon receiving the transmission 434, e.g. upon receiving the digital signature σ.sub.V.fwdarw.P.sub.1, the MAC tag τ.sub.V.fwdarw.P.sub.1, and the encrypted group authentication key C.sub.1, the first prover node 402 verifies their validity. If either one of them is invalid, the protocol is aborted. The first prover node 402 then decrypts the encrypted group authentication key C.sub.1 to obtain the group authentication key as:


    k=Dec.sub.k.sub.1(C.sub.1).

    [0085] If the digital signature and the MAC tag are valid, the protocol is successful and the group authentication key k will be used in the next phase, e.g. in distance bounding.

    [0086] Simultaneously or sequentially, upon receiving the transmission 434′, e.g. upon receiving the digital signature σ.sub.V.fwdarw.P.sub.2, the MAC tag τ.sub.V.fwdarw.P.sub.2, and the encrypted group authentication key C.sub.2, the second prover node 403 verifies their validity. If either one of them is invalid, the protocol is aborted. The second prover node 403 then decrypts the encrypted group authentication key C.sub.2 to obtain the group authentication key as:


    k=Dec.sub.k.sub.2(C.sub.2).

    [0087] If the digital signature and the MAC tag are valid, the protocol is successful and the group authentication key k will be used in the next phase, e.g. in distance bounding.

    [0088] It is to be noted that the verifier node 401 and the prover nodes 402, 403 do not communicate their identities, e.g. a public key or a certificate on the public key, to each other, since they are assumed to know each other's identities. However, it is possible to extend the above-described protocol for parties who do not have each other's identities beforehand, as discussed with respect to FIG. 1 above.

    [0089] Turning back to FIG. 4B, the exemplary scheduling of the communicating nodes is illustrated for N number of nodes, where at least one node acts as a master node and remaining N−1 nodes act as slave nodes. The period of operation for each node is defined as a time slot, which is repetitive after N number of time slots. For example, during a first time slot 1, the master node is operating on transmit mode (Tx) and all the slave nodes are operating on receive mode (Rx). Thus, it is conceivable that the master node simultaneously broadcasts the first transmission towards the slave nodes and the slave nodes simultaneously receive the first broadcast from the master node.

    [0090] During a second time slot 2, e.g. the first slave node is operating on transmit mode (Tx) and the master node is operating on receive mode (Rx), whereas all the remaining slave nodes are operating on sleep mode (I), i.e. possess an idle state of operation. The idle operation of the remaining slave nodes significantly reduces the cumulative loading on network resources. For each successive time slots, the subsequent slave nodes are operating on transmit mode one by one, while the rest of the slave nodes are in idle state, and the master node remains at its receive mode. The above scheduling again repeats after the time slot N.

    [0091] In FIG. 5, a second exemplary authentication arrangement 500 according to the first implementation is illustrated. Particularly, FIG. 5 shows a master node operating as a first verifier node 501, whereas a first slave node and a second slave node operating as a second verifier node 502 and a prover node 503, respectively. The first verifier node 501 may correspond to the master node 201 of FIG. 2. Additionally, the second verifier node 502 and the prover node 503 may correspond to the first slave node 202 and the second slave node 203 of FIG. 2, respectively, or vice versa. The authentication arrangement 500 represents a schematic description of an extended authenticated key exchange based on elliptic curve. It is assumed that the public parameters for the elliptic curve, such as the order q, generator G, and the like are known to the first verifier node 501, the second verifier node 502, and the prover node 503.

    [0092] The first verifier node 501 generates a random element x as its ephemeral private key from Zq*, and computes its ephemeral public key xG. The first verifier node 501 then transmits its ephemeral public key xG to the second verifier node 502 and to the prover node 503 simultaneously in a first transmission 512.

    [0093] Upon receiving the transmission 512, particularly upon receiving the first verifier node's ephemeral public key xG, the second verifier node 502 generates a random element x.sub.v.sub.2 as its ephemeral private key from Zq*, and computes its ephemeral public key x.sub.V.sub.2G. Next, the second verifier node 502 computes a pair-wise authentication key k.sub.12 for the pair of the first verifier node 501 and the second verifier node 502 as:


    k.sub.12=KDF(xx.sub.v.sub.2G)

    where KDF is a key derivation function implemented to destroy any algebraic structures in xx.sub.v.sub.2G.

    [0094] Then, the second verifier node 502 computes a digital signature σ.sub.V.sub.2.sub..fwdarw.v.sub.1 on xG and x.sub.V.sub.2G using its long term private key sk.sub.V.sub.2 as:


    σ.sub.V.sub.2.sub..fwdarw.V.sub.1=SIGN.sub.sk.sub.V.sub.2(xG,x.sub.V.sub.2G).

    [0095] In addition, the second verifier node 502 computes a message authentication code (MAC) τ.sub.V.sub.2.sub..fwdarw.V.sub.1 on its long term public key pk.sub.V.sub.2 using the computed pair-wise authentication key k.sub.12 as:


    τ.sub.V.sub.2.sub..fwdarw.V.sub.1=MAC.sub.k.sub.12(pk.sub.V.sub.2).

    [0096] Here, MAC serves as key confirmation in order to make sure that both the first verifier node 501 and the second verifier node 502 computed the same pair-wise authentication key k.sub.12.

    [0097] Finally, the second verifier node 502 transmits its ephemeral public key x.sub.V.sub.2G, the computed digital signature σ.sub.V.sub.2.sub..fwdarw.V.sub.1, and the computed MAC tag τ.sub.V.sub.2.sub..fwdarw.V.sub.1 to the first verifier node 501 in a second transmission 523.

    [0098] Simultaneously or sequentially, upon receiving the transmission 512, particularly upon receiving the verifier node's ephemeral public key xG, the prover node 503 generates a random element y as its ephemeral private key from Zq*, and computes its ephemeral public key yG. Next, the prover node 503 computes a pair-wise authentication key k for the pair of the first verifier node 501 and the prover node 503 as:


    k=KDF(xyG)

    where KDF is a key derivation function implemented to destroy any algebraic structures in xyG.

    [0099] Then, the prover node 503 computes a digital signature σ.sub.P.fwdarw.V.sub.1 on xG and yG using its long term private key sk.sub.p as:


    σ.sub.P.fwdarw.V.sub.1=SIGN.sub.sk.sub.p(xG,yG).

    [0100] In addition, the prover node 503 computes a message authentication code (MAC) τ.sub.P.fwdarw.V.sub.1 on its long term public key pk.sub.p using the computed pair-wise authentication key k as:


    τ.sub.P.fwdarw.V.sub.1=MAC.sub.k(pkp).

    [0101] Here, MAC serves as key confirmation in order to make sure that both the first verifier node 501 and the prover node 503 computed the same pair-wise authentication key k.

    [0102] Finally, the prover node 503 transmits its ephemeral public key yG, the computed digital signature σ.sub.P.fwdarw.V.sub.1, and the computed MAC tag τ.sub.P.fwdarw.V.sub.1 to the first verifier node 501 in a second transmission 523′.

    [0103] The verifier node 501 receives the transmissions 523 and 523′ from the second verifier node 502 and the prover node 503, respectively, either simultaneously or sequentially. Upon receiving the respective slave's ephemeral public key, the digital signature and the MAC tag, the first verifier node 501 verifies the digital signatures using the respective slave's long term public key. If the digital signature is valid, the first verifier node 501 computes the respective pair-wise authentication key for the respective slave nodes as:


    k.sub.12=KDF(xx.sub.V.sub.2G),

    for the second verifier node 502, and


    k=KDF(xyG),

    for the prover node 503.

    [0104] However, if the digital signature is invalid, the protocol is aborted. Next, the first verifier node 501 verifies the respective MAC tags of the second verifier node 502 and the prover node 503 using the respective computed pair-wise authentication keys k.sub.12, k. Again, if the MAC tag is invalid, the protocol is aborted.

    [0105] Then, the first verifier node 501 computes a respective digital signature for the slave nodes 502, 503 on the slave's ephemeral public key and the first verifier's ephemeral public key using its long term private key sk.sub.V.sub.1 as:


    σ.sub.V.sub.1.sub..fwdarw.V.sub.2=SIGN.sub.sk.sub.V.sub.1(x.sub.V.sub.2G,xG),

    for the second verifier node 502, and


    σ.sub.V.sub.1.sub..fwdarw.P=SIGN.sub.sk.sub.V.sub.1(yG,xG),

    for the prover node 503.

    [0106] In addition, the first verifier node 501 computes a respective message authentication code (MAC) on its long term public key pk.sub.V.sub.1 for the respective slave nodes 502, 503 using the respective computed pair-wise authentication key k.sub.12, k as

    :


    τ.sub.V.sub.1.sub..fwdarw.V.sub.2=MAC.sub.k.sub.12(pk.sub.V.sub.i),

    for the second verifier node 502, and


    τ.sub.V.sub.1.sub..fwdarw.P=MAC.sub.k(pk.sub.V.sub.1),

    for the prover node 503.

    [0107] Since the illustrated embodiment comprises only one prover node 503, the first verifier node 501 selects the computed pair-wise authentication key k as a group authentication key for the group of the first verifier node 501, the second verifier node 502 and the prover node 503. This process contradicts to the embodiment of FIG. 4A, since the embodiment illustrated in FIG. 4A comprises a plurality of prover nodes 402, 403, and therefore the verifier node 401 was required to generate a random element as a group authentication key common for all the nodes of the network group.

    [0108] Subsequently, the first verifier node 501 encrypts the group authentication key k with the computed pair-wise authentication key k.sub.12 for the second verifier node 502, since only the second verifier node 502 does not possess the group authentication key k. Hence, the encrypted group authentication key may be formulated as:


    C.sub.12=Enc.sub.k.sub.12(k).

    [0109] Finally, the first verifier node 501 transmits the computed digital signatures, the computed MAC tags to the respective slave nodes 502, 503, either simultaneously or sequentially, in a third transmission 534, 534′. Additionally, the first verifier node 501 transmits the encrypted group authentication key to the second verifier node 502 in the third transmission 534.

    [0110] Upon receiving the transmission 534, e.g. upon receiving the digital signature σ.sub.V.sub.1.sub..fwdarw.V.sub.2, the MAC tag τ.sub.V.sub.1.sub..fwdarw.V.sub.2, and the encrypted group authentication key C.sub.12, the second verifier node 502 verifies the validity of the digital signature and the MAC tag. If either one of them is invalid, the protocol is aborted. The second verifier node 502 then decrypts the encrypted group authentication key C.sub.12 to obtain the group authentication key as:


    k=Dec.sub.k.sub.12(C.sub.12).

    [0111] If the digital signature and the MAC tag are valid, the protocol is successful and the group authentication key k will be used in the next phase, e.g. in distance bounding.

    [0112] Simultaneously or sequentially, upon receiving the transmission 534′, e.g. upon receiving the digital signature σ.sub.V.sub.1.sub..fwdarw.P and the MAC tag τ.sub.V.sub.1.sub..fwdarw.P, the prover node 503 verifies their validity. If either one of them is invalid, the protocol is aborted. If the digital signature and the MAC tag are valid, the protocol is successful and the group authentication key k , i.e. the pair-wise authentication key for the pair of first verifier node 501 and the prover node 503, will be used in the next phase, e.g. in distance bounding.

    [0113] It is to be noted that the first verifier node 501, the second verifier node 502, and the prover node 503 do not communicate their identities, e.g. a public key or a certificate on the public key, to each other, since they are assumed to know each other's identities. However, it is possible to extend the above-described protocol for parties who do not have each other's identities beforehand, as discussed with respect to FIG. 1 above.

    [0114] Next, FIG. 6 shows a third authentication arrangement 600 according to the first implementation is illustrated. Particularly, FIG. 6 shows a master node operating as a first verifier node 601, whereas a first slave node operating as a second verifier node 602, a second slave node operating as a first prover node 603, and a third slave node operating as a second prover node 604. The first verifier node 601 may correspond to the master node 201 of FIG. 2. Additionally, the second verifier node 602, the first prover node 603, and the second prover node 604 may correspond to any of the slave nodes 202, 203 of FIG. 2. The authentication arrangement 600 represents a schematic description of an extended authenticated key exchange based on elliptic curve. It is assumed that the public parameters for the elliptic curve, such as the order q, generator G, and the like are known to the verifier nodes 601, 602 as well as to the prover nodes 603, 604.

    [0115] The first verifier node 601 generates a random element x as its ephemeral private key from Zq*, and computes its ephemeral public key xG. The first verifier node 601 then transmits its ephemeral public key xG to the second verifier node 602, to the first prover node 603, and to the second prover node 604 simultaneously in a first transmission 612.

    [0116] Upon receiving the transmission 612, particularly upon receiving the first verifier node's ephemeral public key xG, the second verifier node 602 generates a random element x.sub.V.sub.2 as its ephemeral private key from Zq*, and computes its ephemeral public key x.sub.V.sub.2G. Next, the second verifier node 602 computes a pair-wise authentication key k.sub.12 for the pair of the first verifier node 601 and the second verifier node 602 as:


    k.sub.12=KDF(xx.sub.V.sub.2G)

    where KDF is a key derivation function implemented to destroy any algebraic structures in xx.sub.V.sub.2G.

    [0117] Then, the second verifier node 602 computes a digital signature σ.sub.V.sub.2.sub..fwdarw.V.sub.1 on xG and x.sub.V.sub.2G using its long term private key sk.sub.V.sub.2 as:


    σ.sub.V.sub.2.sub..fwdarw.V.sub.1=SIGN.sub.sk.sub.V.sub.2(xG,x.sub.V.sub.2G).

    [0118] In addition, the second verifier node 602 computes a message authentication code (MAC) τ.sub.V.sub.2.sub..fwdarw.V.sub.1 on its long term public key pk.sub.V.sub.2 using the computed pair-wise authentication key k.sub.12 as:


    τ.sub.V.sub.2.sub..fwdarw.V.sub.1=MAC.sub.k.sub.12(pk.sub.V.sub.2).

    [0119] Here, MAC serves as key confirmation in order to make sure that both the first verifier node 601 and the second verifier node 602 computed the same pair-wise authentication key k.sub.12.

    [0120] Finally, the second verifier node 602 transmits its ephemeral public key x.sub.V.sub.2G, the computed digital signature σ.sub.V.sub.2.sub..fwdarw.V.sub.1, and the computed MAC tag τ.sub.V.sub.2.sub..fwdarw.V.sub.1 to the first verifier node 601 in a second transmission 623.

    [0121] Simultaneously or sequentially, upon receiving the transmission 612, particularly upon receiving the first verifier node's ephemeral public key xG, the first prover node 603 generates a random element y.sub.P.sub.1 as its ephemeral private key from Zq*, and computes its ephemeral public key y.sub.PG. Next, the first prover node 603 computes a pair-wise authentication key k.sub.P.sub.1 for the pair of the first verifier node 601 and the first prover node 603 as:


    k.sub.P.sub.1=KDF(xy.sub.P.sub.1G)

    where KDF is a key derivation function implemented to destroy any algebraic structures in xy.sub.P.sub.1G.

    [0122] Then, the first prover node 603 computes a digital signature σ.sub.P.sub.1.sub..fwdarw.V.sub.1 on xG and y.sub.P.sub.1G using its long term private key sk.sub.P.sub.1 as:


    σ.sub.P.sub.1.sub..fwdarw.V.sub.1=SIGN.sub.skp.sub.1(xG,y.sub.P.sub.1G).

    [0123] In addition, the first prover node 603 computes a message authentication code (MAC) τ.sub.P.sub.1.sub..fwdarw.V.sub.1 on its long term public key pk.sub.P.sub.i using the computed pair-wise authentication key k.sub.P.sub.1 as:


    τ.sub.P.sub.1.sub..fwdarw.V.sub.1=MAC.sub.kp.sub.1(pk.sub.P.sub.1).

    [0124] Here, MAC serves as key confirmation in order to make sure that both the first verifier node 601 and the first prover node 603 computed the same pair-wise authentication key k.sub.P.sub.1.

    [0125] Finally, the first prover node 603 transmits its ephemeral public key y.sub.P.sub.1G, the computed digital signature σ.sub.P.sub.1.sub..fwdarw.V, and the computed MAC tag τ.sub.P.sub.1.sub..fwdarw.V to the first verifier node 601 in a second transmission 623′.

    [0126] Simultaneously or sequentially, upon receiving the transmission 612, particularly upon receiving the first verifier node's ephemeral public key xG, the second prover node 604 generates a random element y.sub.p.sub.2 as its ephemeral private key from Zq*, and computes its ephemeral public key y.sub.p.sub.2G. Next, the second prover node 604 computes a pair-wise authentication key k.sub.p.sub.2 for the pair of the first verifier node 601 and the second prover node 604 as:


    k.sub.p.sub.2=KDF(xy.sub.p.sub.2G)

    where KDF is a key derivation function implemented to destroy any algebraic structures in xy.sub.p.sub.2G.

    [0127] Then, the second prover node 604 computes a digital signature σ.sub.P.sub.2.sub..fwdarw.V.sub.1 on xG and y.sub.P.sub.2G using its long term private key sk.sub.P.sub.2 as:


    σ.sub.P.sub.2.sub..fwdarw.V.sub.1=SIGN.sub.skp.sub.2(xG,y.sub.P.sub.2G).

    [0128] In addition, the second prover node 604 computes a message authentication code (MAC) τ.sub.P.sub.2.sub..fwdarw.V.sub.1 on its long term public key pk.sub.P.sub.2 using the computed pair-wise authentication key k.sub.P.sub.2 as:


    τ.sub.P.sub.2.sub..fwdarw.V.sub.1=MAC.sub.kp.sub.2(pk.sub.P.sub.2).

    [0129] Here, MAC serves as key confirmation in order to make sure that both the first verifier node 601 and the second prover node 604 computed the same pair-wise authentication key k.sub.p.sub.2.

    [0130] Finally, the second prover node 604 transmits its ephemeral public key y.sub.P.sub.2G, the computed digital signature σ.sub.P.sub.2.sub..fwdarw.V.sub.1, and the computed MAC tag τ.sub.P.sub.2.sub..fwdarw.V.sub.1 to the first verifier node 601 in a second transmission 623″.

    [0131] The first verifier node 601 receives the transmissions 623, 623′, and 623″ from the second verifier node 602, the first prover node 603, and the second prover node 604, respectively, either simultaneously or sequentially. Upon receiving the respective slave's ephemeral public key, the digital signature and the MAC tag, the first verifier node 601 verifies the digital signatures using the respective slave's long term public key. If the digital signature is valid, the first verifier node 601 computes the respective pair-wise authentication key for the respective slave nodes as:


    k.sub.12=KDF(xx.sub.V.sub.2G),

    for the second verifier node 602, and


    k.sub.p.sub.i=KDF(xy.sub.P.sub.iG),

    for the prover nodes 603, 604;
    where, [0132] i=1 denotes the first prover node 603, and [0133] i=2 denotes the second prover node 604.

    [0134] However, if the digital signature is invalid, the protocol is aborted. Next, the first verifier node 601 verifies the respective MAC tags of the second verifier node 602, the first prover node 603, and the second prover node 604 using the respective computed pair-wise authentication key k.sub.12, k.sub.P.sub.1, k.sub.P.sub.2. Again, if the MAC tag is invalid, the protocol is aborted.

    [0135] Then, the first verifier node 601 computes a respective digital signature for the second verifier node 602, and the respective prover nodes 603, 604 on their ephemeral public keys and the first verifier's ephemeral public key using its long term private key sk.sub.V.sub.1 as:


    σ.sub.V.sub.1.sub..fwdarw.V.sub.2=SIGN.sub.sk.sub.V.sub.1(x.sub.V.sub.2G,xG),

    for the second verifier node 602, and


    σ.sub.V.sub.1.sub..fwdarw.P.sub.i=SIGN.sub.sk.sub.V.sub.1(y.sub.P.sub.iG,xG),

    for the prover nodes 603, 604;

    [0136] where, [0137] i=1 denotes the first prover node 603, and [0138] i=2 denotes the second prover node 604.

    [0139] In addition, the first verifier node 601 computes a respective message authentication code (MAC) on its long term public key pk.sub.V.sub.1 for the respective slave nodes 602, 603, 604 using the respective computed pair-wise authentication key k.sub.12, k.sub.p.sub.1, k.sub.P.sub.2 as:


    τ.sub.V.sub.1.sub..fwdarw.V.sub.2=MAC.sub.k.sub.12(pk.sub.V.sub.1),

    for the second verifier node 602, and


    τ.sub.V.sub.1.sub..fwdarw.P.sub.i=MAC.sub.k.sub.P.sub.i(pk.sub.V.sub.1),

    for the prover nodes 603, 604;
    where, [0140] i=1 denotes the first prover node 603, and [0141] i=2 denotes the second prover node 604.

    [0142] Further, the first verifier node 601 generates a random element k as a group authentication key for all the nodes of the network group. The first verifier node 601 encrypts the group authentication key k with the respective computed pair-wise authentication key k.sub.12, k.sub.P.sub.ifor the respective slave nodes 602, 603, 604. Additionally, the first verifier node 601 encrypts the respective computed pair-wise authentication keys for the pair of the first verifier node 601 and the first prover node 603 as well as for the pair of the first verifier node 601 and the second prover node 604 along with the group authentication key for the second verifier node 602. The encrypted transmissions can be illustrated as:


    C.sub.V.sub.1.sup..fwdarw.V.sub.2=Enc.sub.k.sub.12(k,k.sub.P.sub.1,k.sub.P.sub.2),

    for the second verifier node 602, and


    C.sub.V.sub.1.sub..fwdarw.P.sub.i=Enc.sub.k.sub.P.sub.i(k),

    for the prover nodes 603, 604;
    where, [0143] i=1 denotes the first prover node 603, and [0144] i=2 denotes the second prover node 604.

    [0145] Finally, the first verifier node 601 transmits the computed digital signatures, the computed MAC tags, and the encrypted group authentication key to the respective slave nodes 602, 603, 604, either simultaneously or sequentially, in a third transmission 634, 634′, 634″.

    [0146] Upon receiving the transmission 634, e.g. upon receiving the digital signature σ.sub.V.sub.1.sub..fwdarw.V.sub.2, the MAC tag τ.sub.V.sub.1.sub..fwdarw.V.sub.2, and the encrypted group authentication key C.sub.V.sub.1.sub..fwdarw.V.sub.2, the second verifier node 602 verifies their validity. If either one of them is invalid, the protocol is aborted. The second verifier node 602 then decrypts the encrypted group authentication key C.sub.V.sub.1.sub..fwdarw.V.sub.2 to obtain the group authentication key as well as the pair-wise authentication keys as:


    k,k.sub.p.sub.1,k.sub.p.sub.2=Dec.sub.k.sub.12(C.sub.V.sub.1.sub..fwdarw.V.sub.2).

    [0147] If the digital signature and the MAC tag are valid, the protocol is successful and the group authentication key k will be used in the next phase, e.g. in distance bounding.

    [0148] Simultaneously or sequentially, upon receiving the transmission 634′, e.g. upon receiving the digital signature σ.sub.V.sub.1.sub..fwdarw.P.sub.1, and the encrypted group authentication key C.sub.V.sub.1.sub..fwdarw.P.sub.1, the first prover node 603 verifies their validity. If either one of them is invalid, the protocol is aborted. The first prover node 603 then decrypts the encrypted group authentication key C.sub.V.sub.1.sub..fwdarw.P.sub.1 to obtain the group authentication key as:


    k=Dec.sub.k.sub.P.sub.1(C.sub.V.sub.1.sub..fwdarw.P.sub.1).

    [0149] If the digital signature and the MAC tag are valid, the protocol is successful and the group authentication key k will be used in the next phase, e.g. in distance bounding.

    [0150] Simultaneously or sequentially, upon receiving the transmission 634″, e.g. upon receiving the digital signature σ.sub.V.sub.1.sub..fwdarw.P.sub.2, the MAC tag τ.sub.V.sub.1.sub..fwdarw.P.sub.2, and the encrypted group authentication key C.sub.V.sub.1.fwdarw.P.sub.2, the second prover node 604 verifies their validity. If either one of them is invalid, the protocol is aborted. The second prover node 604 then decrypts the encrypted group authentication key C.sub.V.sub.1.sub..fwdarw.P.sub.2 to obtain the group authentication key as:


    k=Dec.sub.k.sub.P.sub.2(C.sub.V.sub.1.sub..fwdarw.P.sub.2).

    [0151] If the digital signature and the MAC tag are valid, the protocol is successful and the group authentication key k will be used in the next phase, e.g. in distance bounding.

    [0152] It is to be noted that the verifier nodes 601, 602 and the prover nodes 603, 604 do not communicate their identities, e.g. a public key or a certificate on the public key, to each other, since they are assumed to know each other's identities. However, it is possible to extend the above-described protocol for parties who do not have each other's identities beforehand, as discussed with respect to FIG. 1 above.

    [0153] In FIG. 7, an exemplary embodiment of the method 700 according to the second implementation is illustrated. In block 701, a master node authenticates at least two slave nodes with a pair-wise authentication key corresponding to each pair of master node and slave nodes. In block 702, the master node generates a group authentication key common to the plurality of nodes. In block 703, the master node encrypts the group authentication key with the pair-wise authentication key for each respective pair of master node and slave nodes, thereby generates a respective encrypted group authentication key. Finally, in block 704, the master node communicates the encrypted group authentication key to the respective slave nodes.

    [0154] This description describes a system and a method to efficiently authenticate several devices in close proximity and further to securely exchange authentication keys among the communicating nodes or entities. The underlying technique can be utilized for systems that require a high security and a high efficiency in distance measurements among multiple communicating nodes, e.g. wireless devices, particularly in close proximity. The term “security” refers to, e.g. impersonation and man-in-the-middle or relay attack resistance. The term “efficiency” refers to, e.g. low number of transmissions among the communicating nodes. The benefits include, but not limited to, higher attack resilience, improved availability by avoiding a single point of compromise or failure, as well as localization using multilateration.

    [0155] It is important to note that, in the description as well as in the claims, the word “comprising” does not exclude other elements or steps and the indefinite article “a” or “an” does not exclude a plurality. A single element or other unit may fulfill the functions of several entities or items recited in the claims. It is further to be noted that the system according to the first aspect corresponds to the method according to the second aspect. Therefore, the disclosure with regard to any of the aspects is also relevant with regard to the other aspects of the description.

    [0156] Although one or more implementations are illustrated and described herein, equivalent alterations and modifications will occur to others skilled in the art upon the reading and understanding of this specification and the annexed drawings. In addition, while a particular feature may have been disclosed with respect to only one of several implementations, such feature may be combined with one or more other features of the other implementations as may be desired for any given or particular application.

    [0157] While some embodiments have been illustrated and described in detail in the appended drawings and the foregoing description, such illustration and description are to be considered illustrative and not restrictive. Other variations to the disclosed embodiments can be understood and effected in practicing the claims, from a study of the drawings, the disclosure, and the appended claims. The mere fact that certain measures or features are recited in mutually different dependent claims does not indicate that a combination of these measures or features cannot be used. Any reference signs in the claims should not be construed as limiting the scope.