Method and system for establishing a session key

Abstract

A system and a method is provided for establishing a session key in a context of communications between entities, the identifiers of which are generated cryptographically and for which one of the entities is highly resource-constrained. It includes assigning to assistant entities of the resource-constrained entity, the highest-consuming asymmetric cryptography operations.

Claims

1. In a communication network comprising a plurality of communicating entities, a method to establish a secure end-to-end communication between a source entity and a target entity having different resource constraints a session key between a source entity and a target entity, the method comprising the steps of: generating at the source entity a secret x for the source entity, the secret comprising n secret values (x1, xi, xn); assigning by the source entity each of the n secret values (xi) to a respective assistant entity (Pi) among the plurality of communicating entities, wherein each assistant entity is selected by the source entity to be a proxy entity with fewer resource constraints than the source entity; encrypting and signing by each assistant entity each assigned secret value (xi); authenticating the source entity upon reception by the target entity of one or more encrypted and signed secret values (x1, xi, xn) of the n assistant entities; generating an encrypted and signed secret y with the target entity, wherein the secret y is encrypted with the secret x; authenticating the target entity upon reception, by at least one of the n assistant entities (P1, Pi, Pn), of the encrypted and signed secret y; and generating a session key between the source entity and the target entity upon reception by the source entity of the authenticated secret y and of said secret x of the source entity.

2. The method as claimed in claim 1, comprising, after encrypting and signing the assigned secret value (xi) for each assistant entity, transmitting the encrypted and signed secret values to the target entity.

3. The method as claimed in claim 1, further comprising, after generating the encrypted and signed secret y with the target entity, transmitting the encrypted and signed secret values x and y to the plurality of assistant entities.

4. The method as claimed in claim 1, comprising, after authenticating the target entity, transmitting the secret value y to the source entity.

5. The method as claimed in claim 1, comprising, before generating the secret x for the source entity, detecting a request to set up a secure connection between the source entity and the target entity.

6. The method as claimed in claim 5, comprising, after detecting a request to set up a secure connection between the source entity and the target entity, defining a cryptographic data exchange protocol between the source entity and the target entity.

7. The method as claimed in claim 6, wherein defining a cryptographic data exchange protocol comprises exchanging messages between the source and target entities, the messages comprising at least information relating to security supported by each source and target entity, to identities of the source and target entities, to cryptographic algorithms supported by the source and target entities, and to key establishment methods.

8. The method as claimed in claim 7, in which a key establishment system is applied to an HIP BEX (Host Identity Protocol Base Exchange) protocol.

9. The method as claimed in claim 1, comprising, before assigning each secret value (xi) to the assistant entity (Pi), selecting n assistant entities (P1, Pi, Pn), each assistant entity (Pi) being less resource-constrained than the source entity.

10. The method as claimed in claim 1, comprising, assigning each secret value (xi) to the assistant entity (Pi), transmitting to the assistant entities, elements for proving their representativity of the source entities.

11. The method as claimed in claim 10, comprising, before authenticating the source entity, transmitting said proof elements to the target entity.

12. A system for establishing a session key between a source entity and a target entity in a communication network comprising a plurality of communicating entities, the system comprising means for implementing the steps of the method as claimed claim 1.

13. The system as claimed in claim 12, in which the source entity is resource-constrained and the target entity is a remote server that is not resource-constrained.

14. A non-transitory computer-readable medium comprising code instructions for performing the steps of the method as claimed in claim 1.

15. The method of claim 1, wherein the method is performed without human interaction.

Description

DESCRIPTION OF THE DRAWINGS

(1) Various aspects and advantages of the invention will become apparent from the description of a preferred but nonlimiting implementation of the invention, with reference to the following drawings:

(2) FIG. 1 is a topological representation of a network infrastructure to advantageously implement the invention;

(3) FIG. 2 shows the procedures executed between the source, target and assistant entities of the network of FIG. 1 in an advantageous implementation of the invention;

(4) FIG. 3 shows the steps executed by the method of the invention to establish a session;

(5) FIG. 4 shows the procedures executed between the source, target and assistant entities of the network of FIG. 1 in a variant implementation of the invention.

DETAILED DESCRIPTION OF THE INVENTION

(6) FIG. 1 illustrates a global network environment (100) in which the invention is advantageously implemented. For reasons of simplicity of the description and not of limitation of the invention, the example of FIG. 1 shows only a finite number of entities and connections, but the person skilled in the art will extend the principles described to a plurality and a variety of entities and connection types (wireless, cellular, very high speed).

(7) The global network (100) comprises a set of fixed or moving entities forming a network of objects (102). The network of objects comprises entities with high resource constraints (102-1, 102-n) and entities with lower resource constraints (112-1, 112-m).

(8) The entities with high resource constraints can be wireless actuators or sensors, having limited computational and/or storage capacities. They can also be active tags. However, an entity which is not intrinsically resource-limited can temporarily be so as soon as it uses a large part of its processor resources for another task, or when its battery level reaches a critical threshold value. And this entity can be made to implement protocols that are less costly in terms of power, such as that of the invention.

(9) The entities with lower resource constraints can be cellphones equipped with an Internet connection and a camera. They can also be gateways for interconnection between a constrained entity network and the Internet. These entities provide very significant computational and storage capacities, can have a greater reserve of power (battery, mains power) and can communicate over a network, either directly to an internet network (104) as illustrated or through intermediate servers and gateways (not shown).

(10) The network of objects (102) can be based on layer 2 communications (for example, 802.15.4 or 802.11) or layer 3 communications (for example, IP) between the entities that form it. Depending on the protocols on which it relies, multicast or broadcast communications schemes can be used therein.

(11) The global network (100) comprises remote entities (106) that do not exhibit resource constraints, in comparison to those of the entities of the network of objects (102).

(12) The remote entities can be servers (for example, a server for storing and/or managing information reported by one or more sensors, or an actuator control server) having significant storage and computational capacities or any other entity exhibiting unconstrained computational, storage and power capacities.

(13) Such a global network forms one that is referred to as an Internet of Things (IoT). It covers two types of communications:

(14) those of object to person;

(15) those of object to object, or machine to machine (M2M).

(16) These communications can be established in a limited context (only one protocol used, for example ZigBee and/or only one targeted scenario, for example the Smart Grid) in which case one refers to the Intranet of Things, or they can be employed to make possible a large number of different services, while relying on many communications protocols, in which case one refers to the Internet of Things. Generally, the Internet of Things is understood to be an architecture which provides for interconnecting the conventional Internet with communicating or perceived objects, and which relies on decentralized communication schemes, while implementing autonomous mechanisms.

(17) The present invention can advantageously be applied in the environment of FIG. 1 between a highly resource-constrained entity (102-1) referred to as initiator and a powerful remote server (106) referred to as responder. The two entities need to establish a session key and do not already share between them a long-term secret. The method described with reference to FIG. 2 takes into account the constraints in terms of resources and uses distributed collaborative techniques to make the session key exchange possible between two heterogeneous entities during the same communication.

(18) FIG. 2 shows the procedures executed between an initiator (202) and a responder (206) to establish a session key.

(19) In a first initialization phase (210), the initiator (202) selects assistant entities that are less resource-constrained than the initiator, and referred to hereafter as proxies (204-1, 204-n).

(20) The selection can be based on the reputations of the entities close to the initiator and/or on their available resources such as for example their computational capacities or their battery levels. For the case in which the selection is based on the reputations of the neighboring nodes, the latter can be assessed locally or by a central server according to their past attitudes. A metric, the reputation, is hence defined which accounts for the types and proportions of positive attitudes (for example, offering a service) and negative attitudes (for example, refusing to offer a service) that a node has demonstrated in the past.

(21) The determination of the number of proxies to which an initiator will turn to is not described in the present invention, and can for example be dependent on the probability that these proxies conduct an attack against the node by collusion. If the initiator is for example a moving device, the selection process comprises a step for discovering in its vicinity entities with which it can have a shared secret. This discovery can be performed dynamically, and can be facilitated by having recourse to a third entity that is aware of the whole network topology through which the initiator moves.

(22) In one variant, the initiator can contain a predefined list of usable proxies, and the selection of proxies to be used for the session is made on this list.

(23) In a next phase (220), information relating to the security supported by the initiator (202) and by the responder (206) is exchanged.

(24) The initiator (202) sends a message (222) to notify the responder (206) of its identity ID(I), to indicate the cryptographic algorithms that it supports, and the key establishment method which it desires to use. If the responder (206) accepts the proposed key establishment technique, it responds to the initiator with a message (224) which can contain its identity ID(R) as well as a choice of the cryptographic algorithm chosen from among those proposed by the initiator. Specifically, the negotiated key establishment method can for example be based on RSA, ECC; the cryptographic algorithms can include the encryption algorithms: RC4, RC2, DES, AES, 3DES and/or the hash functions MD5 and SHA-1.

(25) At the end of the phase 220, the initiator and the responder have established the connection parameters for their session.

(26) In a next phase (230), the initiator notifies the proxies of the identity of the responder, and a message (232) containing the identity of the responder ID(R) is sent to each proxy selected in phase 210.

(27) In a variant implementation, each message (232) can also contain an item of information PR(Kpi) which will enable each proxy to prove its representativity to the responder.

(28) In a first variant of the invention, the proxies, provided with a public key/private key pair, directly receive from the initiator the proof that they are authorized to act in its name. This proof can be, for example, a certificate associating the public key of the proxy with the entitlement to sign in the name of the initiator right, the whole certificate being signed by the private key of the initiator. This certificate can include other parameters added by the initiator with the aim of restricting the capabilities of the proxies to sign in its name, such as the identity of the responder or an expiry date. In the case of a certificate including only the identity of the proxy and its entitlement to sign in the name of the initiator entity status, this certificate may have been sent by the initiator to the proxy outside its active session. Alternatively, in the case of a certificate featuring the identity of the responder or including an expiry date, the certificate is sent to the proxy during the active session.

(29) In a second variant of the invention, the authorization of proxies to act in the name of the initiator is managed by a third-party trust entity. The initiator supplies to the trust entity T a certificate associating rights, for giving the network entities rights to sign in the name of the initiator, the identity of T, the whole certificate being signed by a private key corresponding to the cryptographically generated identifier. Advantageously, the trust entity T can be a single physical entity, or it can be a logical entity physically instantiated in the form of different physical entities, implementing a redundancy system so as to ensure a continuity of service in the event of a crash.

(30) The initiator transmits the list of proxies to the trust entity which upon reception transmits to each proxy all the cryptographic information necessary to authenticate the message that each proxy sends to the responder.

(31) In the preferred implementation of this second variant of the invention, the cryptographic information comprises a public key/private key pair of a signature system. Advantageously, such a one-time signature system can be the system referred to as HORS described in the paper by L. Reyzin et al. Better than BiBa: Short One-Time Signatures with Fast Signing and Verifying, LNCS 2384, pp. 144-153, 2002.

(32) The trust entity also supplies to each proxy a means which authorizes the latter to sign protocol exchange messages in the name of the initiator, i.e. to prove its authorization to act in the name of the initiator. This means can take the form of a message cryptographically associating the right assigned to the proxy to sign in the name of the initiator, the certificate sent beforehand by the initiator to the trust entity, the public part of the cryptographic material handed over to the proxy by the trust entity, the whole message being signed by the private key of the trust entity.

(33) After the message 232 is sent, containing the identity of the responder and if necessary the proof of representativity, each proxy establishes a connection with the responder and if necessary sends a message (234) containing the proof of representativity which it has received from the initiator or from a trust entity.

(34) At the end of the phase 230, the responder and the proxies have established the connection parameters for their session.

(35) The next step will involve preparing and exchanging initial models of the session key between the initiator and the responder (also called pre-master secrets x and y) in order to later calculate the shared session key. The initiator hands over to the responder a randomly generated secret x, and the responder hands over to the initiator a secret y. The session key will then be calculated from these two secret values.

(36) In the next phase (240), the initiator (202) breaks up (242) its secret x into n secret fragments, where n is the number of proxies selected to support the session. Each secret value is assigned to a proxy.

(37) Advantageously, an error correction procedure can be applied on the original secret x before breaking it up, so as to add redundancy to it. This allows the responder to be capable of reconstructing the secret sent by the initiator provided that a sufficient number of packets is received from the assistant nodes, but without requiring all messages from all the assistant nodes to be received. This system protects our solution from being compromised or from a refusal by assistant nodes to collaborate. Furthermore, it provides for not imposing a reliable delivery for each connection between a proxy and the responder.

(38) The initiator transmits (244) to each proxy the secret fragment which is assigned to it. Advantageously, each message is sent securely, using a security association based on a symmetric key (k.sub.I-Pi) between the initiator and each proxy.

(39) Upon reception of its secret fragment, the proxy encrypts the fragment and signs the result using its private key. The proxy advantageously encrypts its fragment using the public key of the server which corresponds to its cryptographically generated identifier, as communicated by the initiator in the previous phase.

(40) Then, each proxy transmits (246) to the responder a signed message containing the secret fragment which was assigned to it, and encrypted.

(41) After having received a sufficient number of fragments, the responder can retrieve the original secret x and reconstruct the secret x of the initiator.

(42) The responder in turn randomly generates (248) a secret y and transmits it (249) in a message to the proxies. The message is also constructed from the secret x reconstructed by the responder. The proxies support the computational load required to verify the message received from the responder and to then transmit it (250) to the initiator.

(43) Advantageously, each proxy transmits to the initiator a message protected by means of symmetric keys k.sub.I-Pi shared between the initiator and each proxy. In order to preserve the confidentiality of y, the latter is encrypted with the secret x transmitted beforehand to the responder by the initiator.

(44) Advantageously, in order to assure the initiator that the secret x has definitely been received, the secret y encrypted by x is provided with a Message Authentication Code (MAC) calculated with x as key. This MAC message assures the initiator that the encrypted message received has definitely been sent by an entity that is aware of the value x.

(45) In one variant of the invention, the receiver or responder sends to all the proxies a message containing y encrypted by x, provided with a MAC calculated from x, the whole message being signed by means of the private key of the receiver. Upon receiving this message, the proxies verify the validity of the signature of the receiver and, if the message is valid, forward to the initiator the received message without its signature, i.e.: y encrypted by x, provided with a MAC calculated from x, this message being encrypted by means of the symmetric key k.sub.I-Pi.

(46) In another variant of the invention, the receiver sends to one or more proxies the message containing y encrypted by x, provided with a MAC calculated from x, the whole message being signed by means of the private key of the receiver. The proxy or proxies to which the receiver has sent the message verify the validity of the signature of the receiver and, if the message is valid, forward to the initiator the received message without its signature i.e.: y encrypted by x, provided with a MAC calculated from x, this message being encrypted by means of the symmetric key k.sub.I-Pi.

(47) In a next phase (260), the method proceeds with calculating the session key. The two entities, initiator (202) and responder (206), calculate the final key as a function of the two exchanged secrets x and y and additional parameters.

(48) Advantageously, at the end of the exchange, the responder returns a message to the initiator containing the proxies which have actually and reliably cooperated during the exchange of secrets, in order to enable it to refine its future selection of participants and to remove malicious nodes.

(49) In a variant implementation, the messages (232) from the initiator to the proxies containing the identity of the responder and the proof of representativity are grouped together with the respective n messages (244) to the proxies containing the values of the secret fragments (x1, . . . , xn).

(50) FIG. 3 sets out the steps (300) carried out by the method of the invention to establish a session in a preferred implementation.

(51) At the step (302), a request to establish a secure connection between a source entity and a target entity is transmitted. The request can be initiated by the resource-constrained entity or by a remote server to a resource-constrained entity. The transmission of the request triggers the previously described phase (220) in order that the initiator and the responder establish the connection parameters for their session.

(52) At the step (304), the initial model of the secret x is broken down into a plurality n of values (x1, . . . , xn).

(53) At the step (306), the n secret values (x1, . . . , xn) are assigned to n selected proxies (P1, . . . , Pn). Each proxy receives the secret value which is assigned to it in a manner encrypted with a symmetric key.

(54) The proxies are informed of the identity of the responder either at the step (306), or as described above in an initial step (230) where they receive the proof of their representativity for the responder.

(55) At the next step (308), the n secret values are encrypted and signed by the proxies.

(56) Each encrypted/signed value is transmitted to the responder at the next step (310).

(57) The step (312) consists in reconstructing the secret x from the secret values received from the proxies. The method waits until a sufficient number of values is received in order to retrieve the initial secret value x and proceed to the next step.

(58) At the step (314), a secret y is randomly generated by the responder and is encrypted and signed in order to transmit it to the proxies with the secret x.

(59) At the step (316), if the signature received by the proxies is verified and validated, the secret y is transmitted to the initiator (step 318), otherwise the method is stopped.

(60) The step (320) consists in calculating the final session key as a function of the two exchanged secrets (x, y).

(61) FIG. 4 shows the procedures executed between the source, target and assistant entities of the network of FIG. 1 in a variant implementation of the invention applied to the HIP BEX protocol. The known puzzle mechanism specified in the HIP BEX protocol is maintained in order to protect the responder against resource starvation attacks when the protocol is being executed.

(62) In a first phase similar to the phase 220 described with reference to FIG. 2, the initiator (402) sends a first message 422 to the responder (406) to obtain the HIP association and to inform it of the supported cooperation technique for the key exchange. The responder responds with a message 424 to begin the protocol exchange. The message 424 from the responder contains the identifier of the responder, i.e. its public key K.sub.R, and a puzzle composed of a cryptographic challenge that the initiator must solve before continuing the exchange protocol. The level of difficulty of the puzzle can be adjusted according to the trust level of the initiator and its present resource capacities. The puzzle exchange in the HIP protocol is a means of defense to protect the responder against denial-of-service attacks. The latter remains passive until a valid response is received from the initiator. The initiator calculates the solution of the received puzzle.

(63) Then, the initiator transmits (426) the solution to the n proxies (404-1, 404-n) in messages I21.sub.1 . . . I21.sub.n. These messages are also used to transmit the n fragments of the secret x to the n proxies. Each connection between the initiator and a proxy is a connection secured by a symmetric key k.sub.I-Pi.

(64) Each proxy, upon receiving its respective message, encrypts it by means of the public key K.sub.R from the receiver and transmits it (428) to the responder in a message I22.sub.i.

(65) Upon receiving a message I22.sub.i, the responder verifies the validity of the puzzle solution. In the absence of a correct solution, the corresponding message is rejected. If there is a correct solution present, the responder continues with the protocol exchange. It sends (430) a message R21.sub.i to each proxy containing its secret y encrypted with the secret key x, attaching thereto a Message Authentication Code (MAC) authentication value calculated on the message with the key x. This authentication value enables the initiator to make sure that the value received definitely comes from the responder, and also that the responder has definitely received the key x transmitted initially.

(66) Upon receiving the message (430) from the responder, the proxy verifies its integrity and securely transmits (432) the content to the initiator in a message R22.sub.i. As soon as an appropriate number, typically greater than n/2, of the same content is received from the various proxies, the initiator makes sure that the message transmitted by the responder is valid. After that, it verifies the MAC in order to make sure that the responder has obtained the same secret x and to verify the integrity of the message. Once this integrity is validated, the initiator decrypts the secret y in order to finalize the installation of the main session key.

(67) Advantageously, the final key, referred to as Master Key (MK) established between the initiator and the responder is calculated as follows:
MK:=H((P|HIT-I|HIT-R|x|y)

(68) where: H ( ) is a unidirectional cryptographic hash function; P is a parameter of the puzzle, included to ensure the freshness of the session key; HIT-I is the Host Identity Tag of the initiator, i.e. a truncated hash of its cryptographically generated identifier; HIT-R is the Host Identity Tag of the responder; and x and y are the secret values of the initiator and the responder respectively.

(69) The person skilled in the art will appreciate that variations can be brought about on the method as described in a preferred manner, while maintaining the principles of the invention. Thus, it is possible that the establishment of the connection between a resource-constrained entity and an unconstrained server be initiated by the latter. The first message sent (222, 422) is by the server, and then the method follows the steps described above.

(70) In one variant where the constrained entities are in the context of the Internet of Things, the identities of nodes having to act as proxies can be provided securely by a trust resolution infrastructure. They also make possible the simple placing into communication of nodes based on different technologies, such as active tags, IP nodes, non-IP nodes, as soon as the cryptographic identifiers are used at a layer higher than the IP layer.

(71) The present invention can be implemented from hardware and/or software components. It can be available as a computer program product on a medium that can be read by a computer. The medium can be electronic, magnetic, optical or electromagnetic, or it can be an infrared type broadcast medium. Such media are for example semiconductor memories (Random Access Memory (RAM), Read-Only Memory (ROM)), tapes, floppy disks or magnetic or optical disks (Compact Disc-Read-Only Memory (CD-ROM), Compact Disc-Read/Write (CD-R/W) and DVD).

(72) Thus, the present description illustrates a preferred implementation of the invention, but is not limiting. An example has been chosen to provide a good understanding of the principles of the invention, and an actual application, but it is not at all exhaustive and must enable the person skilled in the art to bring about modifications and variant implementations while observing the same principles.