
CN108418811B - Method and apparatus for negotiating a common key between a first and a second node - Google Patents


Info

Publication number
CN108418811B
Authority
CN
China
Prior art keywords
node
sequence
key
bits
computer network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810132886.3A
Other languages
Chinese (zh)
Other versions
CN108418811A (en)
Inventor
B.黑特韦尔
R.纪尧姆
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Robert Bosch GmbH
Original Assignee
Robert Bosch GmbH
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Robert Bosch GmbH filed Critical Robert Bosch GmbH
Publication of CN108418811A publication Critical patent/CN108418811A/en
Application granted granted Critical
Publication of CN108418811B publication Critical patent/CN108418811B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0827 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving distinctive intermediate devices or communication paths
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Small-Scale Networks (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method (30) for negotiating a common key between a first node (A) and a second node (B) of a computer network (10, 11, 12), characterized by the following features:
- a secret first bit sequence is negotiated with a third node (C, KM 2) of the computer network (10, 11, 12),
- a third bit sequence is obtained by the second node (B) and the third node (C, KM 2) by means of arbitration of the computer network (10, 11, 12), in which the second node (B) sends a random second bit sequence,
- the third bit sequence is transmitted by the second node (B) or the third node (C, KM 2) to the first node (A), and
- the key is obtained by the first node (A) and the second node (B) from the third bit sequence.

Description

Method and apparatus for negotiating a common key between a first and a second node
Technical Field
The present invention relates to a method for negotiating a common key between a first node and a second node of a computer network. The invention also relates to a corresponding device, a corresponding computer program and a corresponding storage medium.
Background
The Controller Area Network (CAN), standardized according to ISO 11898-2 for use in road vehicles, is well known in control and regulation technology. CAN is based on a message-oriented protocol in which each message is designated by a unique identifier (ID). Each control device connected to the CAN independently checks, on the basis of the ID, the relevance of the messages transmitted via the common bus and decides whether to use them.
A transceiver on the physical layer (PHY), which is driven by a communication controller on the data link layer, is used to operate control devices on the CAN. The communication controller can in turn be integrated directly into a microcontroller (µC), whose software processes the message frames on the application layer.
DE 102015207220 A1 proposes a method for generating a secret or a key in a network, in particular a CAN. The network has at least one first member and at least one second member, and a transmission channel between them. The first and second members can each place at least one first value and at least one second value on the transmission channel. The first member and the second member cause a first member value sequence and a second member value sequence, respectively, to be transmitted onto the transmission channel as synchronously as possible with each other. The first member and the second member each generate a common secret or a common key based on information about their own member value sequence and on the superimposed value sequence that results from the superposition of the first member value sequence and the second member value sequence on the transmission channel. In the following, this method is referred to as PnS.
Disclosure of Invention
The invention provides a method for negotiating a common key between a first node and a second node of a computer network according to the invention, a corresponding apparatus, a corresponding computer program and a corresponding storage medium.
In this context, the PnS method, traditionally used for key agreement within a common network segment, is used more generally to obtain a sequence of bits from which the participating nodes can derive a common secret (shared secret) at least indirectly. Here, the medium access control (MAC) of the computer network is used in a suitable manner: each of the two nodes transmits a sequence of values simultaneously according to the above scheme, and each node forms its sequence of values by concatenating a (determined or random) bit sequence with its complement. (In the following, this process is referred to in simplified form as "transmitting a bit sequence", without explicitly mentioning in each case that the complement of the corresponding bit sequence is to be transmitted as well.)
The result of the "superposition" envisaged in PnS is defined by the MAC protocol used, since the synchronized and thus competing write access of the node pair to the shared transmission medium of the network segment connecting these nodes requires arbitration by the medium access control. Therefore, both PnS and the PnS-based solution proposed here are suitable for field buses that provide multiple access with carrier sensing (Carrier Sense Multiple Access, CSMA), especially for CAN systems based on bitwise arbitration (CSMA/CR).
The solution described below is based on the following recognition: PnS is in the first instance used for key generation between two communication members that directly access a common bus segment. However, if two communication members that are connected to different bus segments, or whose bus segments are connected via another communication technology (e.g., a "backbone" or automotive Ethernet), are to negotiate a key, these bus segments are usually linked via a relay station (gateway). Since the communication partners do not have direct access to a common bus segment, the PnS method cannot readily be applied directly. For various reasons (e.g., efficiency, compatibility, or capabilities of the nodes), it may still be desirable to establish a common symmetric secret.
The described embodiments of the invention thus make it possible for communication members that do not have direct access to a common bus segment, and in this respect cannot directly apply the PnS method, to establish a common secret without having to provide the computational power required for an asymmetric key establishment method. Furthermore, depending on the implementation effort, it can be ensured that the relay station does not know the negotiated secret and cannot influence the generated secret, but continues to function as a relay station. In the case of a hardware implementation, the complexity of an attack is greatly increased.
Advantageous embodiments and refinements of the basic idea according to the invention are possible by means of the measures listed in the different embodiments. Provision can be made for the communication network to be extended with a so-called "key master", which supports normal nodes in establishing the common secret even if they do not have direct access to a common bus segment. Furthermore, depending on the implementation of the key master, it is possible to prevent the interposed relay stations, which are physical connection points between different communication technologies, from learning the negotiated secret or influencing the generated secret.
The corresponding embodiment considers the following case: in modern network architectures, such relay stations may have an interface for connectivity applications that enables an attacker to access the network from outside ("remote attack"). If the relay station has been compromised, an attacker may (unnoticed) influence the key generation process and other data exchanges but, according to the invention, does not for example learn the negotiated key.
According to another aspect, provision can be made for the key master not to be integrated into the relay station. In this case, the protective effect is independent of the mode of operation of the relay station. Furthermore, there is no need to trust that the relay station actually removes the secret from its memory, since the relay station does not know the secret at any point in time.
Drawings
Embodiments of the invention are illustrated in the drawings and are further described in the following description. In the drawings:
Fig. 1 shows a system model of a possible communication scenario.
Fig. 2 shows a first variant of the use of a key master.
Fig. 3 shows a sequence diagram of a first variant.
Fig. 4 shows a second variant in which the relay stations present fulfill the key master function.
Fig. 5 shows a third variant in which other communication nodes with sufficient computing power act as key masters (proxy servers).
Detailed Description
Consider the following initial case: the first node (A) and the second node (B) want to establish a common symmetric secret (Fig. 1). Since the first node (A) and the second node (B) are connected to different CAN segments (11, 12), they can only communicate with each other via a gateway (G). The latter may not be trustworthy and should therefore not learn the symmetric key.
In a first variant of the proposed method, the computer network (11, 12) is extended by "key masters" (Fig. 2) in the form of a third node (KM 2) and a fourth node (KM 1). In this case, the fourth node (KM 1) acts as a representative of the first section (11), and the third node (KM 2) acts as a representative of the second section (12). The third node (KM 2) and the fourth node (KM 1) meet the prerequisites for efficient and secure key management; in particular, they have sufficient computing power, which may not be available to the first node (A) and the second node (B). To ensure the confidentiality of the communication between the third node (KM 2) and the fourth node (KM 1), or their mutual authentication, both hold a previously agreed key (pre-shared key, PKS), which has been stored in a corresponding memory, for example during production. For dynamic key exchange across the gateway (G), the third node (KM 2) and the fourth node (KM 1) establish cryptographic keys by means of an asymmetric key establishment method, such as the Diffie-Hellman key protocol. Subsequently, the fourth node (KM 1) and the third node (KM 2) act as representatives of the first segment (11) and the second segment (12), respectively, and generate a common secret with the first node (A) connected to the first segment (11) and the second node (B) connected to the second segment (12) by means of the PnS method. For this purpose, the bit sequence obtained by means of the arbitration of the second bus segment (12) can be passed from the third node (KM 2) to the fourth node (KM 1) via the protected connection, which ultimately enables protected communication between the first node (A) and the second node (B).
The procedure is as follows (Fig. 3):
1. The third node (KM 2) and the fourth node (KM 1), after exchanging their public keys (13, 14), execute a Diffie-Hellman key protocol (15, 16), for example by means of elliptic curves (elliptic curve Diffie-Hellman key exchange, ECDHE), and establish a common secret K.
2. The first node (A) and the fourth node (KM 1) use their random numbers R_A and R_KM1 to perform a PnS key exchange (17) and extract an intermediate key K_I (18).
3. The fourth node (KM 1) sends the intermediate key K_I and other state information (19), such as a session identifier (session ID), to the third node (KM 2). However, the message is not transmitted in clear text, but encrypted with the secret K negotiated in step 1.
4. The third node (KM 2) decrypts the message from the fourth node (KM 1) and thus gains access to K_I.
5. The second node (B) and the third node (KM 2) in turn perform a PnS key exchange (20). In this case, the second node (B) uses the random number R_B, while the third node (KM 2) uses the intermediate key K_I instead of a random number.
6. The bit sequence obtained as a signal level in the second section (12) is forwarded (21) to the first section (11).
7. The first node (A) and the second node (B) extract the common secret K_AB (22) in accordance with the usual PnS procedure, based on the signal level forwarded in step 6.
Fig. 4 shows an alternative network architecture, in which the first section (11) and the second section (12) are connected to one another via a backbone network (23) based on another communication technology. In the second variant, the key master is implemented as a functional component of the respective gateway (G). The advantage over the first variant is a simplified network architecture; it must be ensured, however, that the key master function cannot be compromised in the event of an attack on the gateway (G) and that a dedicated key store is present. The rest of the protocol flow is similar to Fig. 3.
Fig. 5 shows a third variant of the key master implementation. The first node (A) is a network node which may be connected to a bus segment that does not allow PnS to be used, but which provides sufficient computing power for an asymmetric key establishment method. The second node (B) should be a node for which this assumption does not apply. Furthermore, no key master function should be implemented on the gateway (G). The first node (A) can now establish a common secret with all nodes of the bus segment (10) around the second node (B) and a third node (C), wherein the third node (C) fulfills the key master function, as follows:
1. The first node (A) and the third node (C) perform an asymmetric key exchange (e.g. ECDHE) and derive an intermediate key K_AC.
2. The second node (B) and the third node (C) perform a PnS key exchange and obtain K_ABC. Here, the second node (B) uses a random number R_B, and the third node (C) uses the key K_AC shared with the first node (A) rather than a random number.
3. The bit sequence obtained as a signal level in the CAN section (10) is forwarded to the first node (A) via the gateway (G) and, if necessary, further gateways.
4. By means of the monitoring feature of the PnS method, the first node (A) can likewise extract the key K_ABC.
The method can be implemented, for example, in software or hardware or in a hybrid form of software and hardware, for example, in a control device.
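The relayed exchange in steps 5 to 7 of Fig. 3 and steps 2 to 4 of Fig. 5, as an added simulation that is not part of the patent text. It assumes a wired-AND CAN bus (dominant 0) and the usual PnS extraction rule, which this page does not spell out: keep the positions where both the bit and its complement read dominant, with the key master's bits as the key and node B inverting its own. All function names are hypothetical, and `shared_bits` stands for K_I or K_AC, which the page obtains via PnS or ECDHE.

```python
"""PnS with a key master standing in for a remote node (added illustration)."""
import secrets

DOMINANT = 0  # CAN: a dominant 0 overrides a recessive 1 (wired-AND)


def to_bits(data: bytes) -> list:
    """Unpack bytes into a list of bits, most significant bit first."""
    return [(byte >> s) & 1 for byte in data for s in range(7, -1, -1)]


def frame(bits):
    """Value sequence put on the bus: the bit sequence followed by its complement."""
    return bits + [b ^ 1 for b in bits]


def bus(tx_a, tx_b):
    """Superposition of two synchronous transmissions on one CAN segment."""
    return [a & b for a, b in zip(tx_a, tx_b)]


def kept_positions(levels):
    """Positions where both the bit and its complement read dominant.

    There the two senders transmitted opposite bits, and an observer of the
    levels cannot tell which sender sent which. All other positions reveal
    the (equal) bits of both senders and are discarded.
    """
    n = len(levels) // 2
    return [i for i in range(n)
            if levels[i] == DOMINANT and levels[n + i] == DOMINANT]


def extract(levels, own_bits, invert):
    """Derive the key from the observed levels and one known sent sequence."""
    return [own_bits[i] ^ invert for i in kept_positions(levels)]


def relayed_pns(shared_bits, r_b_bits):
    """Key master sends shared_bits (K_I or K_AC), node B sends R_B.

    Returns the key of the remote node A, the key of node B, and the levels
    that the gateway forwards.
    """
    levels = bus(frame(shared_bits), frame(r_b_bits))   # arbitration on B's segment
    forwarded = list(levels)                            # gateway relays levels only
    key_b = extract(levels, r_b_bits, invert=1)         # B sent the opposite bit
    key_remote = extract(forwarded, shared_bits, invert=0)  # A knows shared_bits
    return key_remote, key_b, forwarded


def gateway_alternative(shared_bits, r_b_bits, levels):
    """A second pair of sequences producing identical levels but the inverse key.

    Its existence is why the forwarded levels alone do not determine the key.
    """
    keep = set(kept_positions(levels))

    def flip(bits):
        return [b ^ 1 if i in keep else b for i, b in enumerate(bits)]

    return flip(shared_bits), flip(r_b_bits)


if __name__ == "__main__":
    # Constructed sample input: random stand-ins for K_AC (from ECDHE) and R_B.
    k_ac = to_bits(secrets.token_bytes(16))
    r_b = to_bits(secrets.token_bytes(16))
    key_a, key_b, fwd = relayed_pns(k_ac, r_b)
    print("keys match:", key_a == key_b, "| key bits:", len(key_a), "of", len(k_ac))
    alt_k, alt_r = gateway_alternative(k_ac, r_b, fwd)
    print("same levels for inverse key:", bus(frame(alt_k), frame(alt_r)) == fwd)
```

In this model only the positions where the two sequences differ survive, so on average about half of the transmitted bits end up in the key and the input sequences must be sized accordingly.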

Claims (10)

1. Method (30) for negotiating a common key between a first node (A) and a second node (B) of a computer network (10, 11, 12),
the method is characterized by comprising the following steps:
-a secret first bit sequence is negotiated (13, 14, 15, 16) with a third node (C, KM 2) of the computer network (10, 11, 12),
-a third bit sequence is obtained (20) by the second node (B) and the third node (C, KM 2) by means of an arbitration of the computer network (10, 11, 12), in which the second node (B) sends a random second bit sequence,
-the third bit sequence is transmitted (21) by the second node (B) or the third node (C, KM 2) to the first node (A), and
-a key is obtained (22) by the first node (A) and the second node (B) from the third bit sequence.
2. The method (30) of claim 1,
the method is characterized by comprising the following steps:
-the first sequence of bits is negotiated (13, 14, 15, 16) between the third node (KM 2) and a fourth node (KM 1),
-a secret fourth bit sequence is negotiated (17, 18) between the first node (A) and a fourth node (KM 1),
-the fourth bit sequence is transmitted (19) by the fourth node (KM 1) to the third node (KM 2) in encrypted form by means of the first bit sequence,
-the fourth bit sequence is sent (20) by the third node (KM 2) during the arbitration, and
-the third bit sequence is transmitted (21) by the third node (KM 2) through the fourth node (KM 1) to the first node (A).
3. The method (30) of claim 2,
the method is characterized by comprising the following steps:
-the first node (A) and the fourth node (KM 1) are in a first section (11) of the computer network (10, 11, 12),
-the second node (B) and the third node (KM 2) are in a second section (12) of the computer network (10, 11, 12), and
-a gateway (G) connecting the first section (11) with the second section (12).
4. The method (30) of claim 2,
the method is characterized by comprising the following steps:
-the first node (A) and the fourth node (KM 1) are in a first section (11) of the computer network (10, 11, 12),
-the second node (B) and the third node (KM 2) are in a second section (12) of the computer network (10, 11, 12), and
-the third node (KM 2) and fourth node (KM 1) are gateways (G) of a backbone network (23) connecting the first section (11) with the second section (12).
5. The method (30) according to one of claims 2 to 4,
the method is characterized by comprising the following steps:
-the fourth bit sequence is also obtained (17) by means of the arbitration, in which the first node (A) sends a random fifth bit sequence and the fourth node (KM 1) sends a random sixth bit sequence.
6. The method (30) of claim 1,
the method is characterized by comprising the following steps:
-the first sequence of bits is negotiated between the first node (A) and the third node (C), and
-the first bit sequence is transmitted by the third node (KM 2) during the arbitration.
7. The method (30) according to one of claims 1 to 4 and 6,
the method is characterized by comprising the following steps:
-said first sequence of bits is negotiated by means of a Diffie-Hellman key protocol, preferably by means of elliptic curves.
8. A computer program, stored on a computer-readable storage medium, which is called by a processor for implementing the method (30) according to one of claims 1 to 7.
9. A machine-readable storage medium, on which a computer program according to claim 8 is stored, which is called by a processor for implementing the method (30) according to one of claims 1 to 7.
10. An apparatus (A, B, C, KM1, KM 2) for negotiating a common key between a first node (A) and a second node (B) of a computer network (10, 11, 12), the apparatus being set up for carrying out the method (30) according to one of claims 1 to 7.
CN201810132886.3A 2017-02-09 2018-02-08 Method and apparatus for negotiating a common key between a first and a second node Active CN108418811B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102017202052.0A DE102017202052A1 (en) 2017-02-09 2017-02-09 Method and device for agreeing a common key between a first node and a second node of a computer network
DE102017202052.0 2017-02-09

Publications (2)

Publication Number Publication Date
CN108418811A CN108418811A (en) 2018-08-17
CN108418811B CN108418811B (en) 2022-03-04

Family

ID=62910031

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810132886.3A Active CN108418811B (en) 2017-02-09 2018-02-08 Method and apparatus for negotiating a common key between a first and a second node

Country Status (2)

Country Link
CN (1) CN108418811B (en)
DE (1) DE102017202052A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6766453B1 (en) * 2000-04-28 2004-07-20 3Com Corporation Authenticated diffie-hellman key agreement protocol where the communicating parties share a secret key with a third party
CN1848724A (en) * 2005-04-05 2006-10-18 华为技术有限公司 A Method for Realizing Key Agreement in Mobile Ad Hoc Networks
CN101194529A (en) * 2005-06-10 2008-06-04 西门子公司 Method for negotiating a security key between at least one first communication user and a second communication user to secure a communication connection
CN105721443A (en) * 2016-01-25 2016-06-29 飞天诚信科技股份有限公司 Link session key negotiation method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
MX2007009705A (en) * 2005-02-11 2007-10-04 Nokia Corp Method and apparatus for providing bootstrapping procedures in a communication network.
DE102015207220A1 (en) 2014-04-28 2015-10-29 Robert Bosch Gmbh A method of creating a secret or key in a network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Verifiable key agreement scheme based on elliptic curves; Ai Xiaochuan et al.; Microcomputer Information; 2009-07-25 (No. 21); full text *

Also Published As

Publication number Publication date
DE102017202052A1 (en) 2018-08-09
CN108418811A (en) 2018-08-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant