Patent abstract:
The invention relates to a method for carrying out a key agreement protocol executed between a pair of entities communicating via a data communication system, to a data communication system having a pair of cryptographic correspondent devices configured to implement the method, and to a cryptographic correspondent device. In the method according to the invention, a private session key (100, 200) and a cryptographic public session key (102, 202) are generated by each entity. The public session key (102, 202) is passed from one entity to the other. Combining the public session keys and the identities of the entities generates a common value (104, 204). This common value is combined with the private session key and the long-term private key of the respective entity, thus generating a secret value for each entity (108, 208). Computing an ephemeral value (112, 212) at each entity involves combining the public session key and the long-term public key of the other entity with the common value. From the ephemeral value and the secret value, shared secret information (114, 214) is generated at each entity to obtain a shared key.
Publication number: CH708239B1
Application number: CH00973/14
Filing date: 2014-06-26
Publication date: 2019-02-28
Inventors: Scott A. Vanstone; Adrian Antipa
Applicant: Infosec Global Inc
IPC main class:
Patent description:

Description
Technical Field The present invention relates to data communication systems and protocols used in such systems.
Background of the Invention [0002] Data communication systems are used to exchange information between devices. The information to be exchanged includes data organized as sequences of digital bits that are formatted so as to be recognizable to other devices and to allow processing and/or recovery of the information.
The exchange of information may be via a publicly available network, such as via a communication link between two devices, through a dedicated network within an enterprise, or between two devices within the same dedicated component, such as within a computer or point-of-sale device.
The devices may range from relatively large computer systems to telecommunications devices, cell phones, monitors, sensors, electronic purses and smart cards and numerous devices connected to transfer data between two or more such devices.
A large number of communication protocols have been developed to allow the exchange of data between different devices. The communication protocols enable the exchange of data in a robust manner, often with error correction and error detection, so that the data is forwarded to the intended recipient and recovered for further use.
Since the data may be accessible to other devices, they are susceptible to interception and observation or manipulation. The sensitivity of the information requires that action be taken to secure the information and ensure its integrity.
A number of techniques, collectively referred to as encryption protocols and authentication protocols, have been developed to provide the necessary attributes and to ensure the security and / or integrity of the exchange of information. These techniques use a key that is combined with the data.
There are two major types of cryptosystems that implement the protocols, namely symmetric key cryptosystems and asymmetric or public key cryptosystems. In a symmetric key cryptosystem, the devices exchanging information share a common key known only to the devices intended to share the information. Symmetric key systems offer the advantage that they are relatively fast and are thus able to process large amounts of data in a relatively short time even with limited computing power. However, the keys must be securely distributed to the various devices, resulting in increased expense and greater exposure if a key is compromised.
[0009] Asymmetric or public key cryptosystems use a pair of keys associated with each device, one public and the other private. The public key and the private key are related by a "hard" mathematical problem, so that even if the public key and the underlying problem are known, the private key cannot be recovered in a feasible period of time. One such problem is the factorization of the product of two large primes, as used in RSA cryptosystems. Another is the discrete logarithm problem in a finite group. A generator, a, of the underlying group is identified as a system parameter, and a random integer, k, is generated for use as a private key. To obtain the public key K, the group operation is applied k times, so that K = f(a, k).
Various groups can be used in discrete logarithm cryptosystems, including the multiplicative group of a finite field, for example the group of nonzero integers modulo a prime p, usually denoted Zp* and consisting of the integers 1 to p-1. The group operation is multiplication, so that K = a^k mod p.
Another group that is used for better security is an elliptic curve group. The elliptic curve group consists of pairs of elements, denoted x and y, in a field that satisfy the equation of the selected elliptic curve. For an elliptic curve over a prime field of order p, the curve is generally defined by the relation y^2 ≡ x^3 + ax + b (mod p). Other curve equations are used for other fields, as is well known. Each such pair of elements is a point on the curve, and a generator of the group is referred to as the point P. The group operation is addition, so that a private key k has the corresponding public key kP.
Public key cryptosystems reduce the infrastructure necessary in a symmetric key cryptosystem. A device can generate an integer k and use it to generate the corresponding public key kP. The public key is published so that it is available to other devices. The device may then use a suitable signature protocol to sign a message using the private key k, and other devices may confirm the integrity of the message using the public key kP.
Similarly, a device may encrypt a message to be sent to another device using the public key of the other device. The message can then be recovered from the other device using the private key. However, these protocols are computationally intensive and thus relatively slow compared to the protocols of symmetric cryptosystems.
Public key cryptosystems can also be used to create a key shared by two devices. In its simplest form, as proposed by Diffie-Hellman, each device sends a public key to the other device. The two devices then combine the received public keys with their private key to obtain a shared key.
A device, commonly referred to as an entity (or correspondent), Alice, generates a private key ka and sends the public key kaP to another device or entity, Bob.
Bob generates a private key kb and sends Alice the public key kbP.
Alice calculates ka·kbP and Bob calculates kb·kaP, so that they share a common key K = ka·kb·P = kb·ka·P. The shared key can then be used in a symmetric key protocol. Neither Alice nor Bob can recover the other's private key, and third parties cannot derive the shared key.
To ensure the integrity of the shared key and to defeat attacks designed to recover or replace the shared key and/or the private keys that contribute to it, key establishment protocols have been developed.
Key establishment is the process by which two (or more) entities create a shared secret key. The key is then used to achieve a cryptographic goal, such as confidentiality or data integrity.
In the broadest sense, there are two types of key establishment protocols: key transport protocols, in which a key is created by one entity and securely transferred to the second entity, and key agreement protocols, in which both parties contribute information that together creates the shared secret key. The present application relates to key agreement protocols for asymmetric (public key) cryptosystems.
If Alice and Bob are two honest entities, i.e. legitimate entities that perform the steps of a protocol correctly, then a key agreement protocol is said informally to provide implicit key authentication (from Bob to Alice) if Alice is assured that no entity other than a specifically identified second entity Bob can possibly learn the value of a particular secret key. Implicit key authentication does not necessarily mean that Alice is assured that Bob actually possesses the key, only that she is assured that nobody other than Bob can possess it. A key agreement protocol providing implicit key authentication for both participating entities is referred to as an authenticated key agreement (AK) protocol.
Informally, a key agreement protocol is said to provide key confirmation (from Bob to Alice) if Alice is assured that the second entity Bob is actually in possession of a particular secret key. If both implicit key authentication and key confirmation (from Bob to Alice) are provided, then the key establishment protocol is said to provide explicit key authentication (from Bob to Alice). A key agreement protocol that provides explicit key authentication for both participating entities is referred to as an authenticated key agreement with key confirmation (AKC) protocol. A detailed treatment of key establishment is provided in Chapter 12 of "Handbook of Applied Cryptography" by Menezes, van Oorschot and Vanstone, the contents of which are hereby incorporated by reference.
Extreme care is required when key confirmation is separated from implicit key authentication. If an AK protocol that does not provide key confirmation is used, then, as stated in the 1997 article by S. Blake-Wilson, D. Johnson and A. Menezes entitled "Key Agreement Protocols and their Security Analysis", it is desirable that the agreed key be confirmed before cryptographic use. This can be achieved in different ways. For example, if the key is subsequently to be used for confidentiality, encryption under the key may begin with some (carefully chosen) known data. Other systems may provide key confirmation during a "real-time" telephone conversation. Separating key confirmation from implicit key authentication is sometimes desirable because it allows some flexibility in the particular implementation chosen to achieve key confirmation, and thus moves the workload of key confirmation from the key establishment mechanism to the application.
Numerous Diffie-Hellman based AK and AKC protocols have been proposed in recent years; however, many later turned out to have security flaws. The main problem was that appropriate threat models and the goals of secure AK and AKC protocols had not been formally defined. Blake-Wilson, Johnson and Menezes, adapting the earlier work of Bellare and Rogaway in the symmetric setting, provided a formal model of distributed computing and rigorous definitions of the goals of secure AK and AKC protocols within this model. Concrete AK and AKC protocols were proposed and proven secure within this framework in the random oracle model.
It is believed that a secure protocol should be able to withstand both passive attacks (in which an adversary attempts to prevent a protocol from achieving its goals merely by observing honest entities executing the protocol) and active attacks (in which an adversary additionally subverts the communication by injecting, deleting, altering or replaying messages).
In addition to implicit key authentication and key confirmation, a number of desirable security attributes of AK and AKC protocols have been identified: 1. Known-key security. Each run of a key agreement protocol between A and B must generate a unique secret key; such keys are called session keys. A protocol must still achieve its goal against an adversary who has learned some other session keys. 2. (Perfect) forward secrecy. If the long-term keys of one or more entities are compromised, the secrecy of previous session keys established by honest entities is not affected. 3. Key-compromise impersonation. Suppose A's long-term key is disclosed. Clearly an adversary who knows this value can now impersonate A, since it is precisely this value that identifies A. It may be desirable, however, that this loss does not enable the adversary to impersonate other entities to A. 4. Unknown key-share. Entity A cannot be coerced into sharing a key with entity B without A's knowledge, that is, into a state where A believes the key is shared with some entity C ≠ B while B (correctly) believes the key is shared with A. 5. Key control. Neither entity should be able to force the session key to a preselected value.
Desirable performance attributes of AK and AKC protocols include a minimal number of passes (the number of messages exchanged in one run of the protocol), low communication overhead (total number of bits transmitted) and low computational overhead. Other attributes that may be desirable in some circumstances include role symmetry (the messages transferred between the entities have the same structure), non-interactivity (the messages transmitted between the two entities are independent of each other), and the avoidance of encryption functions, hash functions (since good ones are known to be difficult to construct) and timestamps (since they are difficult to deploy in practice).
It is therefore an object of the present invention to provide a key agreement protocol in which the above disadvantages are avoided or mitigated and in which the achievement of the desired attributes is facilitated.
Summary In one aspect, there is provided a method of executing a key agreement protocol between a pair of entities communicating through a data communication system, wherein each entity has a long-term private key, an associated cryptographic long-term public key generated using the long-term private key and a generator point belonging to a discrete logarithm problem, and an identity. The method comprises the steps of: generating, for each entity, a private session key associated with that entity and a cryptographic public session key associated with that entity; passing the public session key of each entity to the other entity; obtaining, at each entity, an identifier for both entities; generating a common value by combining, at each entity, the entity's own public session key, the other entity's public session key and the identities of both entities; generating, for each entity, a secret value associated with that entity by combining the common value with the entity's private session key and long-term private key; calculating, at each entity, an ephemeral value by combining the other entity's public session key, the common value and the other entity's long-term public key; and generating, at each entity, shared secret information from the entity's secret value and ephemeral value to obtain a shared key.
In another aspect, there is provided a data communication system, the data communication system comprising a pair of cryptographic correspondent devices configured to implement the method of any one of claims 1 to 10.
According to a further aspect, there is provided a cryptographic correspondent device comprising a processor and a memory, wherein the memory stores a long-term private key, and the device is associated with a corresponding cryptographic long-term public key generated using the long-term private key and a generator point, and with an identity. The memory further stores computer instructions which, when executed by the processor, cause the processor to implement a method comprising the steps of: generating a private session key associated with the cryptographic correspondent device and a corresponding cryptographic public session key associated with the device; forwarding the public session key to another cryptographic correspondent device via a data communication system; obtaining a public session key from the other cryptographic correspondent device; obtaining an identifier for both cryptographic correspondent devices; generating a common value by combining the public session key of the device, the public session key of the other device and the identities of both devices; generating a secret value associated with the device by combining the common value with the private session key and the long-term private key of the device; calculating an ephemeral value by combining the public session key of the other device, the common value and the long-term public key of the other device; and generating shared secret information from the secret value and the ephemeral value of the device to obtain a shared key.
In general, the protocol combines the public session keys of each entity and the identities of each entity to obtain a common value that binds the two entities. It is used by each entity to generate a respective secret value by combining the common value and both the private session key and the entity's long-term private key. The secret value is used as an ephemeral private key. The other entity computes an ephemeral public key corresponding to the secret value of the one entity using the common value. Each entity can then generate shared secret information from its ephemeral private key and the ephemeral public key of the other entity.
Preferably, the shared secret information is used as input to a key derivation function to obtain a shared key.
Preferably, the protocol is implemented in an elliptic curve cryptosystem, and the public keys are combined by point addition.
More preferably, the identity of the entities is obtained from a cryptographic certificate issued by a trusted third party.
By binding the entities as described above, each run generates a new secret value, and with a suitable choice of parameters in line with normal cryptographic practice the desirable attributes are achieved.
DESCRIPTION OF THE DRAWINGS An embodiment of the present invention will now be described, by way of example only, with reference to the accompanying drawings. It shows:
Fig. 1 is a schematic representation of a data communication system;
Fig. 2 is an illustration of a device used in the data communication system of Fig. 1; and
Fig. 3 is a flowchart showing the protocol implemented between a pair of the devices shown in Fig. 1.
DETAILED DESCRIPTION As described below, an efficient two-pass AK protocol is proposed which is based on Diffie-Hellman key agreement and has many of the desirable security and performance attributes described in the 1997 article by S. Blake-Wilson, D. Johnson and A. Menezes entitled "Key Agreement Protocols and Their Security Analysis".
The protocol described below is presented in the group of points on an elliptic curve defined over a finite field. However, it can easily be modified to work in any finite group in which the discrete logarithm problem appears intractable. Suitable choices include the multiplicative group of a finite field, subgroups of Z*_n where n is a composite integer, and non-trivial subgroups of Z*_p of prime order q. Elliptic curve groups are advantageous because they provide security equivalent to that of other groups with smaller key sizes and faster computation.
Thus, referring to Fig. 1, a data communication system includes a plurality of devices 12 interconnected by communication links 14. The devices 12 may be of any known type, including a computer 12a, a server 12b, a cellular phone 12c, an ATM 12d and a smart card 12e. The communication links 14 may be conventional landline telephone lines, wireless links implemented between the devices 12, short-range links such as Bluetooth, or any other conventional form of communication.
The devices 12 differ according to their intended purpose, but typically include a communication module 20 (Fig. 2) for communicating over the links 14. A memory 22 provides a non-transitory storage medium for the instructions that implement the protocols and for data as needed. The instructions are executed by a cryptographic processor. A secure memory module 24, which may be part of the memory 22 or a separate module, is used to store private information, such as the private keys used in the cryptographic protocols, and to resist tampering with that data. An arithmetic logic unit (ALU) 26 executes the arithmetic operations called for by the instructions in the memory 22, using data stored in the memories 22, 24. A random or pseudorandom number generator 28 is also included to generate bit strings representing random numbers in a cryptographically secure manner.
It is understood that the device 12 shown in Fig. 2 is very schematic and represents a conventional device used in a data communication system.
The memory 22 stores the system parameters of the cryptosystem and a set of computer-readable instructions to implement the required protocol. For an elliptic curve cryptosystem, the domain parameters consist of six quantities q, a, b, P, n and h, namely:
- the field size q;
- the elliptic curve coefficients a and b;
- the base point generator P;
- the order n of the base point generator;
- the cofactor h, a number such that hn is the number of points on the elliptic curve.
The parameters are represented as bit strings, and the base point P is represented as a pair of bit strings, each representing an element of the underlying field. As usual, one of these strings can be truncated (point compression), since the full representation can be recovered from the other coordinate together with the truncated one.
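The truncation just mentioned is point compression: the receiver is sent x together with a single bit that selects one of the two square roots y. As an added example (not from the patent), here is SEC 1 style compression and decompression; secp256k1 is this example's own choice of curve, not something the page specifies. Because the field prime here satisfies q ≡ 3 (mod 4), the square root is a single modular exponentiation, and an x that is not the abscissa of any curve point is detected and rejected, which is the check a receiver should make before using a decompressed public key.

```python
"""Point compression on secp256k1: send x and one parity bit of y, recover y on receipt.
Added example; the curve is this example's choice, not something the page specifies."""

Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime, Q % 4 == 3
A, B = 0, 7                                                              # y^2 = x^3 + 7
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798  # base point x
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8  # base point y


def compress(x, y):
    """SEC 1 encoding: prefix 0x02 for even y, 0x03 for odd y, then x as 32 bytes."""
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def decompress(data):
    """Recover (x, y) from a compressed encoding; raise ValueError for anything invalid."""
    if len(data) != 33 or data[0] not in (2, 3):
        raise ValueError("not a compressed point")
    x = int.from_bytes(data[1:], "big")
    if x >= Q:
        raise ValueError("x out of range")
    rhs = (pow(x, 3, Q) + A * x + B) % Q
    y = pow(rhs, (Q + 1) // 4, Q)        # square root candidate; valid only because Q % 4 == 3
    if y * y % Q != rhs:
        raise ValueError("x is not the abscissa of a curve point")   # reject before use
    if (y & 1) != (data[0] & 1):
        y = Q - y                        # the other root has the opposite parity (Q is odd)
    return x, y
```

The prefix byte costs one byte instead of the 32 bytes of y, which is the bandwidth saving the description refers to; the on-curve check is what stops an attacker from feeding a point off the curve into the subsequent scalar multiplications.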
The secure memory module 24 contains a bit string representing a long-term private key d and the corresponding public key Q. For a cryptosystem with elliptic curves, the key is Q = dP.
The secure storage 24 also holds an identifier ID of the device 12. Conveniently, this is a certificate issued by a trusted entity, so that others can verify the identity. A practical form of certificate is an ECQV certificate as set out in the SEC 4 standard.
Ephemeral values computed by the ALU may also be stored in the secure module 24 if their value is to be kept secret.
The key agreement protocol shown in Fig. 3 is performed between a pair of devices referred to as the entity Alice and the entity Bob. The values associated with Alice are denoted by the suffix A and those of Bob by the suffix B. Alice has a long-term private key dA and a corresponding public key QA stored in her secure storage module 24. Similarly, Bob has a long-term private key dB and a corresponding public key QB stored in his secure storage module 24.
The entities Alice and Bob wish to share a common key and therefore execute, via the instructions stored in the memory 22, the protocol shown in Fig. 3.
In block 100, Alice generates a random integer a using the RNG 28 and stores it in the secure module 24 as her private session key. In block 102 Alice's ALU 26 computes the corresponding public session key aP, which she sends to Bob over a communication link 14. The public session key aP represents a point on the curve and consists of a pair of bit strings, each representing an element of the underlying field. In some implementations of the computations performed by the ALU 26 only the x-coordinate of the point is needed and the y-coordinate can be omitted; the x-coordinate then stands for the public key aP. The y-coordinate can be recovered from the x-coordinate (up to sign) as needed. Point compression techniques, in which a single bit indicating which of the two possible y-coordinates applies is sent together with the x-coordinate, may also be used to reduce transmission bandwidth.
Similarly, in block 200, Bob, with his RNG 28, generates a random integer, which he stores in his secure module 24 as a private session key b. A corresponding public session key bP is computed in block 202 and sent to Alice via a communication link 14.
Both Alice and Bob use the ALU 26 to perform the point addition γ = aP + bP, as shown at 104, 204. The result is another point γ on the curve and is therefore represented as a pair of field elements. In some embodiments only the x-coordinate of the sum of the public session keys is used in the subsequent computation of the common value.
In other embodiments, where the protocol is implemented in a hyperelliptic curve cryptosystem, the public keys are combined by addition in the Jacobian of the hyperelliptic curve.
Both Alice and Bob obtain a copy of the other's identity ID (106, 206). This can be done before the protocol is run, or the certificate can be sent together with the public session key. The recipient verifies the certificate as required.
In blocks 108, 208, Alice and Bob each compute the common value c = H(γ || IDA || IDB), where H is a cryptographically secure hash function such as one of the SHA-2 family. The value c is stored in the memory 22. The common value c binds Alice and Bob together. Because the identities are concatenated, the order in which the string hashed to obtain c is assembled must be agreed. Alternatively, the identities can be combined by XOR, so that the input can be assembled without regard to order. If preferred, γ can likewise be XORed with the identities.
In block 110 Alice computes the component sA = a + c·dA (mod n), using the long-term and session private keys stored in the secure module 24.
Similarly, in block 210 Bob computes sB = b + c·dB (mod n).
From public information, including the public session key bP received from Bob, Alice can compute sB·P = bP + c·QB, as shown at 112.
Similarly, Bob can compute sA·P = aP + c·QA (212).
Alice and Bob each have a component calculated from private information and the common value and a component calculated from public information. These can be combined to provide shared secret information.
Thus, in blocks 114, 214, Alice and Bob can both compute the value K = h·sA·sB·P as the shared secret information.
Alice has calculated sBP from public information and has stored the value sA.
Similarly, Bob has calculated sAP and has stored the value sB.
Another option for computing the shared secret information is for Alice to compute K = sA·(sB·P) and Bob K = sB·(sA·P), omitting the cofactor h. This is appropriate when h is small, e.g. 1, or where resistance to small-subgroup attacks is otherwise ensured.
The protocol described above thus establishes shared secret information K between two entities. A key derivation function must then be used to derive a secret key from the shared secret information. This is necessary because the shared secret information K may have weak bits, i.e. bits whose values can be predicted with a non-negligible advantage.
One way to derive a key from the shared secret information K is to apply a one-way hash function to K; the description names SHA-1, which is now deprecated, and a SHA-2 function such as SHA-256 is the usual choice today. Alternatively, other key derivation functions may be used, as described in more detail in Chapter XX of "Handbook of Applied Cryptography", the contents of which are hereby incorporated by reference.
In summary, the key agreement protocol can be implemented using the following algorithm:
1. Alice obtains an authentic copy of Bob's long-term public key QB.
2. Alice generates a random integer as private session key a (0 < a < n).
3. Alice computes aP and sends it to Bob.
4. Bob obtains an authentic copy of Alice's long-term public key QA.
5. Bob generates a random integer b (0 < b < n).
6. Bob computes bP and sends it to Alice.
7. Alice computes sA = a + c·dA (mod n), where c = H(γ || IDA || IDB). (Note: IDA and IDB may each contain the public keys of Alice and Bob.)
8. Alice computes sB·P = bP + c·QB. (Note: Bob sent Alice bP and she holds an authentic copy of QB.)
9. Bob computes sB = b + c·dB (mod n).
10. Bob computes, from public information, sA·P = aP + c·QA.
11. Both Alice and Bob can now compute K = h·sA·sB·P as the shared secret information, where h is the cofactor.
12. The shared secret information is used as input to a key derivation function as required.
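The algorithm above carried through end to end, as an added example that is not the patentee's implementation: both sides' computations over secp256k1 (the SEC 2 curve is this example's choice, as are SHA-256 for H and for the key derivation function, byte-string identities hashed in the fixed order IDA || IDB, and the uncompressed point encoding). The same code also covers the plain Diffie-Hellman exchange described in the background, which is the special case c = 0 of this computation: with c = 0, sA = a, sB·P = bP and K = abP. Received points are checked to lie on the curve before use, the usual defence against invalid-point inputs when the cofactor is not applied.

```python
"""Two-pass authenticated key agreement of the summary above, worked over secp256k1.
Added example, not the patentee's code: the curve, SHA-256 as H and KDF, byte-string
identities hashed in the fixed order ID_A || ID_B and the point encoding are assumptions."""
import hashlib
import secrets

# secp256k1 domain parameters: field size Q, coefficients A, B, base point P, order N, cofactor H
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
H = 1
INF = None  # point at infinity

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % Q == 0

def point_add(p1, p2):
    """Affine group law on y^2 = x^3 + A*x + B over GF(Q)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % Q == 0:
            return INF                                         # p1 = -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, Q) % Q       # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, Q) % Q
    x3 = (lam * lam - x1 - x2) % Q
    return (x3, (lam * (x1 - x3) - y1) % Q)

def scalar_mult(k, pt):
    """Double-and-add; for illustration only (not constant-time)."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def encode_point(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def check_received(pt):
    """Reject the point at infinity and off-curve values before using a peer's key."""
    if pt is INF or not on_curve(pt):
        raise ValueError("invalid public key received")
    return pt

def common_value(aP, bP, id_a, id_b):
    """c = H(gamma || ID_A || ID_B) with gamma = aP + bP (blocks 104/204 and 108/208)."""
    gamma = point_add(aP, bP)
    digest = hashlib.sha256(encode_point(gamma) + id_a + id_b).digest()
    return int.from_bytes(digest, "big") % N

def kdf(K):
    """Session key derived from the shared point; its raw bits are never used directly."""
    return hashlib.sha256(encode_point(K)).digest()

def alice_side(dA, a, bP, QB, id_a, id_b):
    """Alice's view: her private dA, a; received bP; authentic QB (blocks 110, 112, 114)."""
    aP = scalar_mult(a, P)
    c = common_value(aP, check_received(bP), id_a, id_b)
    sA = (a + c * dA) % N                      # secret value, from private data
    sBP = point_add(bP, scalar_mult(c, QB))    # ephemeral value sB*P, from public data
    return scalar_mult(H * sA % N, sBP)        # K = h * sA * sB * P

def bob_side(dB, b, aP, QA, id_a, id_b):
    """Bob's view, symmetric to Alice's (blocks 210, 212, 214)."""
    bP = scalar_mult(b, P)
    c = common_value(check_received(aP), bP, id_a, id_b)
    sB = (b + c * dB) % N
    sAP = point_add(aP, scalar_mult(c, QA))
    return scalar_mult(H * sB % N, sAP)

def run_protocol(dA, dB, a, b, id_a, id_b):
    """Both sides end to end; aP and bP are the only two messages on the wire."""
    QA, QB = scalar_mult(dA, P), scalar_mult(dB, P)   # long-term public keys
    aP, bP = scalar_mult(a, P), scalar_mult(b, P)     # session public keys
    return (kdf(alice_side(dA, a, bP, QB, id_a, id_b)),
            kdf(bob_side(dB, b, aP, QA, id_a, id_b)))

if __name__ == "__main__":
    rnd = lambda: 1 + secrets.randbelow(N - 1)       # 0 < key < N
    ka, kb = run_protocol(rnd(), rnd(), rnd(), rnd(), b"alice", b"bob")
    print("keys agree:", ka == kb, ka.hex())
```

Running the module performs one exchange with random keys. Both sides arrive at sA·sB·P because Alice multiplies her secret sA into the point bP + c·QB = (b + c·dB)·P and Bob does the mirror image. Changing an identity on one side changes c and therefore the derived key, which is how the common value binds the two entities; with h = 1 on this curve the cofactor multiplication is a no-op, so the on-curve check on received points is what stands in for it.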
Claims (21)
[1]
A method of executing a key agreement protocol between a pair of entities communicating over a data communication system, wherein each entity has a long-term private key, an associated cryptographic long-term public key generated using the long-term private key and a generator point belonging to a discrete logarithm problem, and an identity, the method comprising the steps of: - generating for each entity a private session key associated with that entity and a cryptographic public session key associated with that entity; - passing the public session key of each entity to the other entity; - obtaining at each entity an identifier for the two entities; - generating a common value, comprising combining at each entity the public session key of the entity, the public session key of the other entity and the identities of both entities; - generating for each entity a secret value associated with that entity, comprising combining the common value with the private session key and the long-term private key of the entity; - calculating at each entity an ephemeral value, comprising combining the public session key of the other entity, the common value and the long-term public key of the other entity; and - generating at each entity shared secret information from the secret value and the ephemeral value of the entity to obtain a shared key.
[2]
The method of claim 1, wherein the shared secret information is used as an input to a key derivation function to obtain the shared key.
[3]
The method of claim 1 or 2, wherein generating a common value comprises applying an XOR operation to the identities of each entity.
[4]
The method according to any one of claims 1 to 3, wherein the method is implemented in an elliptic curve cryptosystem and the combination of the public session keys is carried out by point addition.
[5]
The method of claim 1, wherein the method is implemented in an elliptic curve cryptosystem, and generating the common value comprises obtaining the x-coordinate of the sum of the public session keys.
[6]
The method of any one of claims 1 to 3, wherein the method is implemented in a hyperelliptic curve cryptosystem and the public keys are combined by addition in the Jacobian of the hyperelliptic curve.
[7]
The method of claim 1, wherein generating the public session key comprises a scalar multiplication of the private session key and the generator point.
[8]
The method of any of claims 1 to 7, wherein the combination of the secret value and the ephemeral value is the scalar multiplication of the secret value and the ephemeral value.
[9]
The method of any one of claims 1 to 7, wherein the combination of the secret value and the ephemeral value is the scalar multiplication of a cofactor, the secret value and the ephemeral value.
[10]
The method of any one of claims 1 to 9, wherein the identity of the entities is obtained from a cryptographic certificate issued by a trusted third party.
[11]
A data communication system comprising a pair of cryptographic correspondent devices configured to implement the method of any one of claims 1 to 10.
[12]
A cryptographic correspondent device comprising a processor and a memory, wherein the memory stores a long-term private key, the device is associated with a corresponding cryptographic long-term public key generated using the long-term private key and a generator point, and with an identity, and the memory further stores computer instructions which, when executed by the processor, cause the processor to implement a method comprising the steps of: - generating a private session key associated with the cryptographic correspondent device and a corresponding cryptographic public session key associated with the device; - passing the public session key to another cryptographic correspondent device via a data communication system; - obtaining a public session key from the other cryptographic correspondent device; - obtaining an identifier for both cryptographic correspondent devices; - generating a common value, comprising combining the public session key of the cryptographic correspondent device, the public session key of the other cryptographic correspondent device and the identities of both devices; - generating a secret value associated with the cryptographic correspondent device, comprising combining the common value with the private session key and the long-term private key of the device; - calculating an ephemeral value, comprising combining the public session key of the other cryptographic correspondent device, the common value and the long-term public key of the other device; and - generating shared secret information from the secret value and the ephemeral value of the cryptographic correspondent device to obtain a shared key.
[13]
The cryptographic correspondent device according to claim 12, wherein the shared secret information is used as an input to a key derivation function to obtain a shared key.
[14]
The cryptographic correspondent device of claim 12 or 13, wherein generating a common value comprises applying an XOR operation to the identities of each cryptographic correspondent device.
[15]
The cryptographic correspondent device according to any one of claims 12 to 14, wherein the method is implemented in an elliptic curve cryptosystem, and the combination of the public session keys is performed by point addition.
[16]
The cryptographic correspondent device of any one of claims 12 to 15, wherein the method is implemented in an elliptic curve cryptosystem and generating the common value comprises obtaining an X-coordinate of the sum of the public keys.
[17]
The cryptographic correspondent device according to any one of claims 12 to 14, wherein the method is implemented in a hyperelliptic curve cryptosystem, and the combination of the public keys is performed by point addition in the Jacobian of the hyperelliptic curve.
[18]
The cryptographic correspondent device of claim 12, wherein generating the public session key comprises a scalar multiplication of the private session key and the generator point.
[19]
The cryptographic correspondent device according to any one of claims 12 to 18, wherein the combination of the secret value and the ephemeral value is the scalar multiplication of the secret value and the ephemeral value.
[20]
The cryptographic correspondent device according to any one of claims 12 to 18, wherein the combination of the secret value and the ephemeral value is the scalar multiplication of a cofactor, the secret value and the ephemeral value.
[21]
The cryptographic correspondent device of any one of claims 12 to 20, wherein the identity of the cryptographic correspondent device is obtained from a cryptographic certificate issued by a trusted third party.
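The following is an added worked example of the key agreement described in claims 12 to 21 and is not code from the patent or from its applicant. It runs both correspondents of one exchange over secp256k1 (an elliptic curve cryptosystem, claims 15 to 20, cofactor 1). The claims leave the exact combining operations open, so the example fixes one consistent instantiation and labels it as an assumption: the common value d is SHA-256 over the X-coordinate of the sum of the public session keys (claim 16) concatenated with the XOR of the two 16-byte identities (claim 14), reduced modulo the group order; the secret value is s = x + d·a mod n (session private key x, long-term private key a); the ephemeral value is E = X_peer + d·A_peer; the shared point is h·s·E (claim 20) and its X-coordinate is fed to SHA-256 as the key derivation function (claim 13). The identities, the curve arithmetic and the function names are all constructed for this example.

```python
"""Added example: one instantiation of the claimed key agreement over secp256k1.

ASSUMPTIONS (the claims do not fix these): d = SHA-256(x(X_A + X_B) || id_A XOR id_B) mod n,
s = x + d*a mod n, E = X_peer + d*A_peer, Z = h*s*E, key = SHA-256(x(Z)).
Plain affine arithmetic, not constant time: for illustration only.
"""
import hashlib
import secrets

# secp256k1 domain parameters (a = 0, b = 7, cofactor h = 1)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
B = 7
H = 1
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def on_curve(pt):
    """Public key validation: reject points not on the curve before using them."""
    if pt is INF:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x * x * x - B) % P == 0


def add(p1, p2):
    """Affine point addition (claim 15)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication (claims 18 to 20)."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def keypair():
    """Private scalar in [1, n-1] and the corresponding public point (claim 18)."""
    d = secrets.randbelow(N - 1) + 1
    return d, mul(d, G)


def common_value(pub_a, pub_b, id_a, id_b):
    """Claims 14 and 16, with the hash-to-scalar step being an assumption of this example."""
    if len(id_a) != len(id_b):
        raise ValueError("identities must have equal length for XOR")
    total = add(pub_a, pub_b)
    if total is INF:
        raise ValueError("public session keys cancel out")
    xored = bytes(u ^ v for u, v in zip(id_a, id_b))
    digest = hashlib.sha256(total[0].to_bytes(32, "big") + xored).digest()
    d = int.from_bytes(digest, "big") % N
    return d or 1  # d = 0 would drop the long-term keys from the computation


def shared_key(my_lt_priv, my_sess_priv, my_sess_pub, my_id,
               peer_lt_pub, peer_sess_pub, peer_id):
    """One correspondent's side of claim 12; returns the derived 32-byte key (claim 13)."""
    if not (on_curve(peer_lt_pub) and on_curve(peer_sess_pub)):
        raise ValueError("peer key is not a valid curve point")
    d = common_value(my_sess_pub, peer_sess_pub, my_id, peer_id)
    s = (my_sess_priv + d * my_lt_priv) % N            # secret value (assumed form)
    e = add(peer_sess_pub, mul(d, peer_lt_pub))        # ephemeral value (assumed form)
    z = mul(H * s % N, e)                              # cofactor * secret * ephemeral (claim 20)
    if z is INF:
        raise ValueError("degenerate shared point")
    return hashlib.sha256(z[0].to_bytes(32, "big")).digest()


def run_protocol(id_a=b"alice".ljust(16, b"\0"), id_b=b"bob".ljust(16, b"\0"),
                 id_a_seen_by_b=None):
    """Run both sides; id_a_seen_by_b lets a caller show that mismatched identities diverge."""
    a, pub_a = keypair()      # long-term keys (in practice certified, claim 21)
    b, pub_b = keypair()
    xa, sess_a = keypair()    # session keys, exchanged over the data communication system
    xb, sess_b = keypair()
    id_a_for_b = id_a if id_a_seen_by_b is None else id_a_seen_by_b
    key_a = shared_key(a, xa, sess_a, id_a, pub_b, sess_b, id_b)
    key_b = shared_key(b, xb, sess_b, id_b, pub_a, sess_a, id_a_for_b)
    return key_a, key_b


if __name__ == "__main__":
    k_a, k_b = run_protocol()
    print("keys match:", k_a == k_b)
```

Because the common value is symmetric in the two public session keys and in the two identities, each side computes the same d, and s_A·E_A = (x_A + d·a)(x_B + d·b)·G = s_B·E_B. Running `run_protocol` with a different identity supplied to one side yields differing keys, which is the identity binding the claims describe; the on-curve check on received points is the minimal validation a deployed implementation would perform before the scalar multiplications.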
Similar technologies:
Publication number | Publication date | Patent title
CH708239B1|2019-02-28|Key agreement protocol.
DE69534603T2|2006-08-03|ENCRYPTION SYSTEM FOR ELLIPTIC CURVE
DE602004004029T2|2007-11-15|Method for distributing conference keys, according to an identity-based encryption system
DE69935469T2|2007-11-29|Method for fast execution of decryption or authentication
DE60313704T2|2008-01-17|Method and apparatus for generating a secret key
DE69917356T2|2005-02-17|Security technology on a computer network
DE112018001285B4|2020-11-19|Cryptographic key generation with application to data deduplication
DE112012001828B4|2016-09-15|Password-based single-round key exchange protocols
JP2020515087A5|2020-09-03|
CH711133B1|2019-07-15|Protocol for signature generation
DE69838258T2|2008-05-08|Public key data transmission systems
DE102010002241B4|2012-03-22|Apparatus and method for efficient one-way authentication
JP4305049B2|2009-07-29|Secret sharing method, secret sharing system, and distributed computing device
Fujioka et al.2018|Supersingular isogeny Diffie–Hellman authenticated key exchange
CH708240A2|2014-12-31|Signature log and device for its implementation.
Meshram2011|A cryptosystem based on double generalized discrete logarithm problem
EP3443705A1|2019-02-20|Method and assembly for establishing a secure communication between a first network device | and a second network device |
CH711134A2|2016-11-30|Key tuning protocol.
DE10061697A1|2002-06-27|Method and device for determining a key pair and for generating RSA keys
WO2007107450A1|2007-09-27|Cryptographic method with elliptical curves
Aly et al.2018|Practically efficient secure distributed exponentiation without bit-decomposition
WO2016187690A1|2016-12-01|Key agreement protocol
Cianciullo et al.2018|Efficient information theoretic multi-party computation from oblivious linear evaluation
Vaishnav et al.2017|Efficient implementation of private license plate matching protocols
Jiang2021|Transforming Secure Comparison Protocol from Passive to Active Adversary Model
Patent family:
Publication number | Publication date
US20150003615A1|2015-01-01|
WO2014205570A1|2014-12-31|
CH708239A2|2014-12-31|
CA2855099A1|2014-12-27|
CA2855099C|2016-05-17|
US9571274B2|2017-02-14|
SA114350627B1|2016-08-04|
Cited documents:
Publication number | Filing date | Publication date | Applicant | Patent title
US7773754B2|2002-07-08|2010-08-10|Broadcom Corporation|Key management system and method|
US7725730B2|2002-08-09|2010-05-25|Emc Corporation|Cryptographic methods and apparatus for secure authentication|
US7783041B2|2005-10-03|2010-08-24|Nokia Corporation|System, method and computer program product for authenticating a data agreement between network entities|
US20080077976A1|2006-09-27|2008-03-27|Rockwell Automation Technologies, Inc.|Cryptographic authentication protocol|
US8069346B2|2006-11-15|2011-11-29|Certicom Corp.|Implicit certificate verification|
EP2395698B1|2010-06-11|2014-08-13|Certicom Corp.|Implicit certificate generation in the case of weak pseudo-random number generators|
DE102013108713B8|2013-08-12|2016-10-13|WebID Solutions GmbH|Method for verifying the identity of a user|
US9178699B2|2013-11-06|2015-11-03|Blackberry Limited|Public key encryption algorithms for hard lock file encryption|
WO2016187690A1|2015-05-26|2016-12-01|Infosec Global Inc.|Key agreement protocol|
CN105306212B|2015-08-31|2019-09-10|上海扈民区块链科技有限公司|A kind of label decryption method that identity is hiding and safe by force|
US11170094B2|2016-01-27|2021-11-09|Secret Double Octopus Ltd.|System and method for securing a communication channel|
WO2017130200A1|2016-01-27|2017-08-03|Secret Double Octopus Ltd|System and method for securing a communication channel|
US9596079B1|2016-04-14|2017-03-14|Wickr Inc.|Secure telecommunications|
US10341102B2|2016-09-02|2019-07-02|Blackberry Limited|Decrypting encrypted data on an electronic device|
US10348502B2|2016-09-02|2019-07-09|Blackberry Limited|Encrypting and decrypting data on an electronic device|
CN109687969B|2018-12-03|2021-10-15|上海扈民区块链科技有限公司|Lattice-based digital signature method based on key consensus|
US10630476B1|2019-10-03|2020-04-21|ISARA Corporation|Obtaining keys from broadcasters in supersingular isogeny-based cryptosystems|
US10880278B1|2019-10-03|2020-12-29|ISARA Corporation|Broadcasting in supersingular isogeny-based cryptosystems|
CN112511554B|2020-12-15|2021-12-17|中国电子科技集团公司第三十研究所|Symbolic modeling system of network security protocol|
Legal status:
2018-05-15| PCAR| Change of the address of the representative|Free format text: NEW ADDRESS: HOLEESTRASSE 87, 4054 BASEL (CH) |
2018-07-13| NV| New agent|Representative=s name: ISLER AND PEDRAZZINI AG, CH |
Priority:
Application number | Filing date | Patent title
US201361839961P| true| 2013-06-27|2013-06-27|