DE102007033848A1 - Method for verification of ownership of terminal address of communications device in network, involves verifying ownership of terminal address by communications device belonging to it, by private cryptographic key - Google Patents

Abstract

The method involves verifying an ownership of a terminal address by a communications device belonging to it, by utilization of the private cryptographic key by multiple one-way functions with trap door of another communications device. The verification is carried out by an exchanged message. Independent claims are also included for the following: (1) a method for the examination of the possession of a terminal address of a communication device in a network (2) a virtual private network server method for setting up a secured connection of a virtual private network server for communications device in a network (3) virtual private network method for the preparation of a virtual private network (4) virtual private network method for setting up a secured connection of a virtual private network client to a virtual private network server in a network (5) a device for verifying the possession of a terminal address of a communications device in a network (6) a device for the examination of the possession of a terminal address of a communications device in a network (7) a virtual private network client for setting up a virtual private network (8) a digital data medium.

Description

The The invention relates to a method and a device for safe Communication in an IP network; in particular, that relates Procedures for secure communication on the Internet as they pass through a VPN (Virtual Private Network) is enabled.

Field of the invention

The Result of key agreement between two communication devices A and B is an authenticated shared cryptographic key S, for the encryption of the following Communication between both communication devices used can be. As a rule, the key S is a symmetrical one Key, because the encryption and decryption much faster due to symmetric encryption can be done. However, the problem is the agreement on this Key.

• [1] Die Schlüsseleinigung findet in einem nicht-vertrauenswürdigem Kommunikationskanal statt.
• [2] In einem nicht-vertrauenswürdigen Kommunikationskanal können die transportierten Nachrichten in jeglicher Art verändert und/oder abgehört werden.
• [3] Das Schlüsseleinigungsprotokoll sorgt dafür, dass der Schlüssel S ausschließlich den beiden Kommunikationsgeräten A und B bekannt wird.
• [4] Die Eigenschaften [2] des nicht-vertrauenswürdigen Kommunikationskanals dürfen die Anforderungen [3] an das Schlüsseleinigungsprotokoll nicht gefährden.
• [5] Keines der existierenden Schlüsseleinigungsprotokolle mit der Eigenschaft von Aspekt [1] erfüllt den Aspekt von [3], da Man-in-the-Middle Angriffe nicht erkannt werden können. Ein Man-in-the-Middle Angreifer steht zwischen beiden Kommunikationsgeräten und kann die zwischen beiden Kommunikationsgeräten ausgetauschten Nachrichten einsehen und manipulieren; er kann den Kommunikationspartnern das jeweilige Gegenüber vortäuschen, ohne dass sie es merken.

Here are the following five aspects to consider:

• [1] The key agreement takes place in a non-trusted communication channel.
• [2] In a non-trusted communication channel, the transported messages can be changed and / or intercepted in any way.
• [3] The key agreement protocol ensures that the key S is known only to the two communication devices A and B.
• [4] The properties [2] of the untrusted communication channel shall not jeopardize the requirements [3] on the key clearance protocol.
• [5] None of the existing key agreement protocols with the property of aspect [1] satisfies the aspect of [3] since man-in-the-middle attacks can not be detected. A man-in-the-middle attacker stands between both communication devices and can view and manipulate the messages exchanged between the two communication devices; He can pretend to the communication partners the respective counterpart, without them noticing it.

in the Generally, key agreement protocols work with public and private cryptographic keys.

each Communication device has a public and a private cryptographic key.

There the claimed identity of the owner of a public Key within an untrusted Channels can not be verified for sure are Man-in-the-Middle Attacks in these key agreement protocols possible.

The Problem exists in the lack of possibility of authentication the public key.

The Authentication of the public key takes place therefore in key agreement protocols that are not the property from aspect [5], namely the possibility man-in-the-middle attack, out-of-band of the communication channel.

A Authentication of the public key requires additional furnishing and operating expenses, additional Communication or in some cases is not feasible.

State of the art

It follows an overview of existing techniques for the authentication of cryptographic (public) Keys, with reference to the bibliography, what is attached as an attachment.

Key agreement protocols as the Diffie-Hellman protocol (bibliography Via) ensure the Agreement on a common key without prior Distribution of keys or other secrets outside of the communication channel. The Diffie-Hellman protocol protects however, it does not preclude man-in-the-middle attacks that are already in progress the key agreement. To prevent such attacks is the authentication of the public key over Certificates issued outside the communication channel carried out by means of a "Public Key Infrastructure" (PKI).

Protocols from the category of "Public Key Cryptography" such as the RSA cryptosystem (Literaturver pf) allow the secure sending of messages (including symmetric keys), in which the messages are encrypted with the public key of the communication partner. Such systems provide protection against man-in-the-middle attacks that are active from the beginning of the communication as long as the public keys have previously been distributed outside the communication channel. For this purpose z. As a PKI infrastructure required (bibliography Pg or Ph). Another protocol that previously requires an "out-of-band" mechanism for later authentication of public keys is, for example, the interlock protocol (bibliography V2c or Pi, Pb), unlike the protocols In this category, the effort to operate a PKI with the method to be patented here is avoided.

cryptosystems from the categories "Identity-Based Encryption" (IBE) and "Certificateless Cryptography (CC) does not require a public key infrastructure to exchange public keys of Persons, because of the identity (eg the e-mail address) a person calculates the public key can be. As examples here are the patents Pc, Pd or the Publication called V3b. In IBE systems come key generators used in a "Private Key Infrastructure" for the distribution of private keys on demand be used. Unlike the personal identities in IBE or CC cryptosystems are in the here to be patented Method Endpoint addresses of communication devices or the software running on it. Furthermore, the operation a private key infrastructure is not absolutely necessary, since the private key with the allocation of the endpoint address can be awarded.

at Procedures in the Key Agreement Protocols with Public Discussion category two communication partners agree on a common key within an insecure communication channel after both over have received a public source random numbers. Examples are the publication (bibliography V5a) or the document according to bibliography Pe. Man-in-the-middle attacks can be used in these procedures can not be prevented.

The Protocol in the patent Pa uses hashes of IP addresses to ensure that a user logs on to a central server legitimized, where he is already registered. The procedure is needed a previous "out-of-band" mechanism for transmission a user password. The process is not a key-inughness protocol, and the IP address is not considered a public key used. IP spoofing can not be prevented. Man-in-the-middle Attacks where the attacker gets the IP address of the initiator a communication are not prevented.

The ZRTP Protocol (bibliography L1), an extension of the RTP = Real-time transport protocol, is secure as a man-in-the-middle Protocol in the Voice over IP area. The authentication takes place here via the verbal exchange of a "key fingerprint", after being connected to his interlocutor.

Overview of the invention:

task The invention is to provide secure communication in an IP network to allow, and in particular the Internet, being VPN (Virtual Private Network) and spoofing.

Solved This object is achieved by a method and a device with the features of one or more of the independent claims.

The invention is based on the idea of including the endpoint addresses E _A and E _{B of} the communication devices A and B in the key agreement protocol.

each Communication device has an endpoint address, because without this no communication with the communication device possible would.

Examples endpoint addresses are: IPv4 / IPv6 addresses in the Internet Protocol, MAC addresses of network adapters, fixed line / mobile telephony numbers, SIP addresses in IP telephony. When communicating wirelessly Vehicles in traffic are the vehicle license plates Endpoint addresses, and in the case of "mini-computers" equipped electronic ID cards, passports and chip cards are the identification numbers Endpoint addresses, the communication in this case via a corresponding reader with a remote computer he follows.

The Today's communication infrastructures already provide efficient and secure mechanisms available to the endpoint address of a communication device.

Examples for these mechanisms are: Secure Domain Name Service (DNSsec), ARP-based protocols, directories, central SIP server, the (sensory) reading of license plate number plates and the (sensory) reading of identification numbers on electronic ID cards, passports and chip cards.

There without this secure endpoint address resolution at all no communication with a communication device possible would be, such endpoint address resolution assumed and used in the invention.

The Invention is based on that each endpoint address into a unique natural number can be transferred. An example would be the conversion of the IPv4 address 137.248.13.5 in the natural number 137248013005; this applies analogously for all other mentioned examples of endpoint addresses.

It follow some definitions to better understand the Invention.

Endpoint address:

A Endpoint address is an identifier or an identification number a communication device that can be used to establish communication with this device, such as z. An IPv4 / IPv6 address, MAC address, telephone number, SIP address, a vehicle registration number or an identification number on electronic ID cards, passports and chip cards. Unlike purely personal Identities bind to an endpoint address a communication device or software running on it where. The endpoint address should be for the recipient be apparent from the received information.

One-way function with trapdoor ("trapdoor-oneway-function"):

A trap-type one-way function is a function L whose function value L (x) = y is computable in polynomial time for a given x, but where computing the inverse function L ^-1 (y) = x requires exponential time computation. Only with knowledge of a key S (the "trap door") can the calculation of the inverse function be performed in polynomial time.

Note: The existence of one-way functions (with trapdoor) is so far has not been proved mathematically, as the proof of the Inequality of the complexity classes P and NP not yet was provided. However, there are functions that you suspect that they have the required property.

basis of the invention of the underlying method is the product N of two primes P and Q.

For the algorithm irrelevant, but for security important in the process is the order of magnitude the prime numbers P and Q and the prime factorization of P - 1 and Q - 1.

The Binary representation of P and Q should be one of the current ones Capacity of computers corresponding number of bits (eg in 2007> = 512 bits). One speaks in this case of "safe magnitude".

In the prime factorization of both P - 1 and Q - 1 should have at least one prime in a safe order occurrence.

Be G is a non-divisive number of order e.

The order of a number G with respect to another non-divisive number N is defined as the smallest number e for which the following applies: G ^e ≡ 1 mod N.

• [6] Sei R > 1 eine natürliche Zahl, dann wird P und Q so gewählt, dass gilt: GCD(R, P – 1) = GCD(R, Q – 1) = 1, mit GCD = Greatest Common Divisor.

Since e divides the number (P - 1) (Q - 1), G should be chosen such that e has a prime factor of "safe order".

• [6] Let R> 1 be a natural number, then choose P and Q such that GCD (R, P - 1) = GCD (R, Q - 1) = 1, with GCD = Greatest Common Divisor.

• [7] Das heißt, für jedes v, 0 < v < N, existiert eine eindeutige natürliche Zahl d, mit d^R ≡ v mod N. Diese eindeutige Abbildung wird als Funktion D(v) ≡ v^1/R mod N bezeichnet.

If P and Q are chosen as described in [6], then for every natural, natural number N of n, there exists an Rth root.

• [7] That is, for every v, 0 <v <N, there exists a unique natural number d, with d ^R ≡ v mod N. This unique mapping is called a function D (v) ≡ v ^{1 / R} mod N.

The function D (∙) belongs to the class of presumed one-way functions, where D (∙) here corresponds to the inverse function L (∙) ^-1 , which can only be calculated in exponential time.

There there exists for each v such a unique number d exists also for each converted endpoint address one, unique number d.

If E _A , E _{B are} two endpoint addresses then let F (E _A ) and F (E _B ) be the endpoint addresses each converted to a unique natural number, with F (.) <N.

Let D (F (E _A )) and D (F (E _B )) be the corresponding unique numbers from [7] for the endpoint addresses E _A and E _B.

The allocation of the numbers D (F (E _A )) and D (F (E _B )) to the communication devices A and B can take place via various routes. For example, this can be done at an IP address via a (local) DHCP server or a (local) key server, using secure communication.

Here For example, the key server can be exploited knows the factorization of N. Thus, a communication device could with methods such. B. the RSA encryption the key server to provide a symmetric key through which the award is secured. With a MAC address, this can be direct in the manufacture of the network adapter, in a mobile device on delivery of the SIM card, with a SIP address via a SIP server, with a vehicle license plate over the Approval office and with an identification number on electronic ID cards, passports and chip cards are issued when they are awarded.

• [8] Zu Beginn des vorgeschlagenen Schlüsseleinigungsprotokolls sind dem Kommunikationsgerät B die Funktion F(∙) und folgende Zahlen bekannt: N, G, R, E_B, F(E_B), D(F(E_B)). Zusätzlich besitzt B noch eine private Zufallszahl Z_B.
• [9] Die Zahlen N, G, R und die Funktion F(∙) sind öffentliche Parameter des der Erfindung zugrunde liegenden Verfahrens; der private Schlüssel von Kommunikationsgerät A ist D(F(E_A)), der öffentliche Schlüssel von A ist
  
  D(F(E_A)) mod N. Dies gilt analog für Kommunikationsgerät B.

At the beginning of the proposed key agreement protocol, the communication device A is aware of the function F (∙) and the following numbers: N, G, R, E _A , F (E _A ), D (F (E _A )). In addition, A still has a private random number Z _A.

• [8] At the beginning of the proposed key agreement protocol, the communication device B is aware of the function F (∙) and the following numbers: N, G, R, E _B , F (E _B ), D (F (E _B )). In addition, B still has a private random number Z _B.
• [9] The numbers N, G, R and the function F (∙) are public parameters of the method of the invention; the private key of communication device A is D (F (E _A )), which is A's public key
  
  D (F (E _A )) mod N. This applies analogously to communication device B.

The Key agreement between two communication devices A and B works the following way, where A is the key agreement initiated.

• [10] A sendet eine Nachricht an B, welche den öffentlichen Schlüssel aus Abs[9] enthält:
  
  D(F(E_A)) mod N und zusätzlich E_A als Absender-Adresse.

A as an initiator uses the existing communication infrastructure to obtain the endpoint address E _{B of} the communication device B. A now has E _B.

• [10] A sends a message to B containing the public key from [9]:
  
  D (F (E _A )) mod N and additionally E _A as sender address.

• [11] B berechnet
  
• [12] B schickt anschließend
  
  D(F(E_B)) mod N an die Endpunktadresse E_A.

After B has received the message, B extracts the endpoint address E _A from the message and calculates F (E _A ).

• [11] B calculated
  
• [12] B then sends
  
  D (F (E _B )) mod N to the endpoint address E _A.

A already has E _B and therefore does not need to extract E _B from the message.

A calculated

A and B now both have the key S as a result of Execution of the key agreement protocol.

One important aspect is the verification or verification the legitimate possession of endpoint addresses.

D(F(E_A)) mod N nachzuweisen und von Kommunikationsgerät B überprüfen zu lassen. Beides gilt analog für Kommunikationsgerät B. Dies verhindert, dass ein Kommunikationsgerät eine Endpunktadresse vortäuscht, die ihm nicht zugeordnet wurde.By using the matching to an endpoint address E _A private key D (F (E _A )), it is possible for communication device A to prove the legitimate possession of his endpoint address E _A or to be checked by communication device B. It also makes possible the authenticity of the public key

D (F (E _A )) mod N and have it checked by communication device B. Both apply analogously to communication device B. This prevents a communication device from pretending an endpoint address that was not assigned to it.

For example is the sending of IP packets with fake, fake Source IP address known as IP spoofing.

The Procedure for preventing such fake endpoint addresses follows the scheme of so-called zero-knowledge proofs.

With A Zero-Knowledge Proof makes it possible for someone to prove that you are in possession of a secret, without the secret to betray.

One simple example would be: A person X claims that she would have found an algorithm with which to arbitrary Could factorize numbers. X wants this now proving a person Y, without the X of the person Y the algorithm reveals. Now, if Y sends several numbers to person X. and person X then returns the prime factorization, so Y becomes already after few correct results obtained Person X knows about such an algorithm attest.

The secret for which a communication device A should provide ownership proof in the method of the invention is D (F (E _A )).

to Prevention of replay attacks is still in the ownership-proof used a nonce μ. A nonce (English number used only once) is a number that is used only once. For example a random number or timestamp can be a nonce.

According to [7], D (F (E _A )) is the Rth root of F (E _A ). As a prerequisite, it must hold that R does not share the number μ. However, this is easy to achieve since R, apart from the requirement stated in [6], has no other conditions. Furthermore, μ can also be replaced / concatenated by / to a hash value of a message, whereby non-repudiation proof is given for the message. This allows the recipient of a proof of ownership and the associated message to prove that the message came from A.

For possession proof, A chooses a random number W _A.

• [13] Schickt nun ein Kommunikationsgerät A einen Besitz-Beweis für E_A unter Angabe der Endpunktadresse E_A als Absenderadresse einem Kommunikationsgerät B zu, so überprüft B den Besitz-Beweis mittels
  

The ownership proof is now the following triple:

• [13] Now sends a communication device A possession proof for E _A , stating the endpoint address E _A as a sender address to a communication device B, so B checks the ownership-proof means
  

If the check in [13] is correct, then A is in the legitimate possession of E _A.

By This approach provides a number of advantages of the invention over the prior art.

So prevents the procedure man-in-the-middle attacks, without one previous exchange (English: Pre-Exchange) between the communication partners necessary is.

One By definition, Pre-Exchange is a prior exchange of one Message between two communication partners to communicate with in the Message contained prior knowledge after a man-in-the-middle To discover attack.

In In accordance with the present invention, private keys become common with the assignment of the endpoint address to each communication device output.

It There is no exchange between the communication partners.

It There is no exchange for knowledge about the public key of the communication partner provides.

It So this is not a pre-exchange.

Alone exploiting the existing communications infrastructure to gain access the endpoint address of the communication partner is sufficient for a secure connection.

Without Obtaining the endpoint address is a communication in general impossible.

The prevention is done by the following facts:
A man-in-the-middle attacker can not generate the value from Abs [12] because he can not create the private key D (F (E _B )) at the A known endpoint address E _B.

The Procedure is a Public Key Infrastructure (PKI) attached to communication devices managed bound keys, superior.

Would you have a PKI or certificates for the authentication of public Keys instead of the invention of the underlying Select method, so you lift the union between the endpoint address and the public key a communication device.

you gets two objects (certificate & endpoint address), which you get over manage two different infrastructures.

This means: higher communication costs, higher Administrative burden and higher costs.

Further the fake possession of an endpoint address is prevented.

By the presence of a private key for an endpoint address may be the lawful possession an endpoint address are checked. The verification follows the scheme of a zero-knowledge proof. This prevents For example, IP spoofing in IP-based networks.

Brief Description:

The The following figure description is for better understanding the detailed description below.

1 shows the procedure before starting the key agreement;

2 shows the general procedure of the key agreement

3 shows the process for a mobile network

4 shows the process for an IP network

5 shows the process for a VoIP network based on SIP

6 shows the process at the MAC level

7 shows the procedure in an IP network with a NAT router

8th shows the procedure for setting up a virtual private network (VPN).

9 shows the procedure for license plates on number plates.

10 shows the procedure for identification numbers on electronic ID cards, passports and chip cards.

Description of the embodiments:

1 explains the procedure before starting the key agreement. 500 . 501 are the two communication devices. 502 . 503 symbolize ownership of the endpoint addresses E _A and E _B. In 504 . 505 the unique number F (E _A ) and F (E _B ) is calculated. In 506 . 507 Both communication devices are assigned their unique private keys D (F (E _A )) and D (F (E _B )). In 508 . 509 the communication devices generate their random numbers Z _A and Z _B.

2 shows the general procedure of the key agreement. 500 . 501 are the two communication devices A and B. 510 . 511 are the public keys of A or B. 512 . 513 symbolize the calculations performed by A and B, respectively.

3 shows the procedure for a mobile radio network: (1) The public parameters N, G, R, F (.) and the private key D (F (E _A )) and D (F (E _B )) are stored on the SIM card. Card saved. This is done by the communications provider when the SIM card has been assigned to a telephone number; (2) The SIM cards are inserted in the phones; (3) If a communication subscriber wishes to call another communication subscriber with the mobile telephone B with the mobile telephone A, the telephone number of B is looked up in the telephone book or z. B. the information called; (4) Once this has been done, a secure key exchange between A and B can take place.

4 shows the procedure for an IP network: (1) the private keys D (F (E _A )) and D (F (E _B )) are output to each communication device along with the assignment of the end point address;
(2) These are transmitted via (local) DHCP server to the computers A and B; (3) If computer A wants to communicate with computer B, then this gets the IP address of B via DNS (Sec) request;
(4) Once this has been done, a secure key exchange between A and B can take place.

5 shows the sequence for a VoIP network based on SIP: (1) After registration with a VoIP server, the corresponding VoIP software is downloaded; (2) This is populated with the public parameters N, G, R, F (.) And the private keys D (F (E _A )) and D (F (E _B )) according to the selected SIP address; (3) If communication subscriber A wishes to call communication subscriber B, A searches for the SIP address in the telephone book; (4) Once this has been done, a secure key exchange between A and B can take place.

6 shows the procedure at the MAC level: (1) / (2) The public parameters N, G, R, F (.) and the private keys D (F (E _A )) and D (F (E _B )) are stored on the network card during manufacture. This is done by the manufacturer if the MAC address has been assigned to a network card; (3) Through appropriate protocols at the Ethernet level, the MAC addresses of other participants are learned. After that, a secured key exchange can take place.

7 shows the procedure of the key agreement in an IP network, in which the technique of Network Address Translation (NAT) is used: If the communication device A ( 500 ) from the private sector ( 514 ) with the communication device B ( 501 ) in the public sector ( 515 ), the NAT router X ( 516 ) the source endpoint address of A against its publicly known endpoint address ² E _X ( 519 ) out. Before replacement, the public hybrid key from A ( 517 ) not to the endpoint address E _A ( 504 ). After the exchange arises with ( 519 ) and ( 517 ) a valid combination. The package with the public key of B ( 511 ), stating E _B ( 505 ) as sender address, does not need to be changed here. The second endpoint address of X ¹ E _X ( 518 ) is used for internal communication in the area ( 514 ).

8th shows the procedure in an IP network to establish a Virtual Private Network (VPN): (1) The private key D (F (E _VS )) is used together with the assignment of the endpoint address to the VPN server VS output. (2) The private key D (F (E _VC )) is output to the computer VC along with the assignment of the internal VPN endpoint address. (3) This is done by means of a (local) DHCP server. (4) If the computer VC wants to establish a VPN connection in an insecure network with the server VS, it sends a message to VS with its insecure endpoint address E _UC with the content of its MAC address, E _VC or another to E _VC belonging identifier, in which case the MAC address was selected as the identifier. The endpoint address E _VS is known to the computer VC. (5) The VPN server sends the non-secure endpoint address E _UC a nonce μ. (6) VC sends ownership proof B (μ) for E _VC using μ to VS. Based on the MAC address, VS can assign the internal endpoint address E _VC and initiate the VPN connection. (7) Once this has been done, a secure key pairing between VS and VC can take place with the endpoint addresses E _VS and E _VC for a VPN connection.

9 shows the procedure when using license plates: (1) At the registration office, the public parameters N, G, R, F (.) and the private keys D (F (E _A )) and D (F (E _B )) ) issued according to the issued vehicle license plates on a corresponding medium; (2) In the respective vehicle these are then plugged into a transmitting / receiving unit; (3) Once this has been done, a safe key agreement between the vehicles may be carried out after reading the vehicle registration plate in traffic.

10 shows the procedure for the use of identification numbers on electronic ID cards, passports and chip cards. (1) / (2) In the case of a central office, such as a bank, hospital or government agency, the chip cards or badges with the public parameters N, G, R, F (.) And the identification number will be displayed at the time of issue provided with private key. The public parameters are also assigned to the corresponding counterpart equipment / stations. (3) If this has happened, the identity / authenticity of the smart cards or badges at the respective verification stations of the remote sites can be verified.

·D(F(E_VC)) mod N, μ mod N,

mod N) unter Verwendung von μ an VS. VS überprüft den rechtmäßigen Besitz der zuzuordnenden Endpunktadresse mittels:

By using the right to an endpoint address E _VC private key D (F (E _VC)), it is communication device VC possible to establish a VPN connection with a VPN server VS without passwords or certificates. The private key D (F (E _VS )) is output to the VPN server VS together with the assignment of the endpoint address. The private key D (F (E _VC )) is output to the communication device VC along with the assignment of the internal VPN end point address. The communication device VC is assigned the endpoint address E _UC in an insecure network. To establish a VPN connection, the communication device VC sends the VPN server VS a message with its MAC address from the insecure network. The VPN server sends the non-secure endpoint address E _UC a unique number ("NONCE") μ. VC sends a proof of ownership B (μ) for E _VC consisting of the triple: (

· D (F (E _VC )) mod N, μ mod N,

mod N) using μ an VS. VS verifies the legitimate possession of the endpoint address to be mapped by:

VS can then assign the internal endpoint address E _VC based on the MAC address and initiate the VPN connection using the endpoint address based key termination protocol with the endpoint addresses E _VC and E _VC . Thus, each authorized communication device with the existing allocation infrastructure for endpoint addresses can securely establish a VPN connection, without in contrast to the current VPN technology more VPN passwords or certificates are needed.

It follows a numerical example for the use of endpoint addresses for key generation and key agreement using IPv4 addresses as endpoint addresses

The numbers used in this example are for clarity chosen small and do not correspond to the usual Safety requirements. It is understood that other numbers too who meet the requirements.

All Congruences are to be understood as modulo N; N is the product of two Primes selected; This is not the only option the choice of N. R = 3 is chosen.

The Assignment of IP address to numeric value consists of the omission the points of the IP addresses and the filling of the components with zeros, if one component has less than three decimal places has; This is not the only way to transform.

We choose the prime P = 51874849463, because (P - 1) / 2 = 25937424731 is also a prime and P is of the form P ≡ 2 mod 3 is.

We choose the prime Q = 6973569047, because (Q - 1) / 2 = 3486784523 is also a prime
and Q is of the form Q ≡ 2 mod 3.

Consequently GCD (P - 1, 3) = GCD (Q - 1, 3) = 1.

It N = P · Q = 361752844532961371761.

Thus, φ (N) = (P-1) · (Q-1) = 4 · 25937424731 · 3486784523. We now choose G such that one of the two prime numbers 25937424731 or 3486784523 occurs in its order. The number G = 258201056061078543287 satisfies this condition, since the order of G is 25937424731, ie G ^{2593742473 1} ≡ 1 mod N.

It follows for N and G:
N = 361752844532961371761
G = 258201056061078543287

Let the IPv4 address of communication device A be E _A = 137.248.131.121, from which the numerical value F (E _A ) = 137248131121 becomes. The natural number D (F (E _A )) assigned to the communication device A is then 165644296807138459965, since 165644296807138459965 is ³ ≡ 137248131121.

Let the IPv4 address of communication device B be E _B = 217.73.49.24, from which the numerical value F (E _B ) = 217073049024 becomes. The communication device B assigned natural number D (F (E _B )) is then 74121947444567397753, since 74121947444567397753 ³ ≡ 217073049024.

It It is noted that the numbers with knowledge of the "trapdoor", namely the factorization of N or by knowledge of Number φ (N) can be found in polynomial time.

The private, randomly generated number of communication device A is Z _A = 17464865284867458.

The private, randomly generated number of communication device B is Z _B = 34526974652949654.

communication device A beats the IPv4 address of communication device B via a "Name Resolution Protocol" such as DNS after. The backup of this lookup process can be over Traditional techniques like DNS-Sec are made or based on the Technology presented here for the authentication of the DNS server become.

The public key of the communication device A is

The public Key of the communication device B is

communication device A sends his public key to communication device B stating the IP address 137.248.131.121 as sender address.

Communication device B calculated (212413932090578443320 3 × 137248131121 -1 ) 34526974652949654

modulo N results from this the value 324349152832633430269.

communication device B sends his public key to communication device A with the IP address 217.73.49.24 as sender address.

Communication device A calculated (292942897134135556504 3 × 217073049024 1 ) 17464865284867458

modulo N results from this the value 324349152832633430269.

Both communication devices A and B now have the common number 324349152832633430269. This can now be used, for example, by the symmetric encryption method AES [ Joan Daemen and Vincent Rijmen, The Design of Rijndael: AES - The Advanced Encryption Standard, Springer-Verlag 2002 (238 pp.) ] secure connection. Other methods are also conceivable.

It follows a numerical example of an endpoint address detection using IPv4 addresses as endpoint addresses.

The numbers N and G are taken from the example above:
N = 361752844532961371761
G = 258201056061078543287

Similarly, E _{A is} again 137.248.131.121, thus D (F (E _A )) is also again 165644296807138459965. Communication device A wants to prove to communication device B that it is in legitimate possession of the endpoint address E _A.

·D(F(E_A)) ≡ 211960759887420950241 und

≡ 279712538859918245040. Damit ergibt sich das Tripel (

D(F(E_A)) mod N, T mod N,

mod N) = (211960759887420950241, 1178982692, 279712538859918245040). Dieses Tripel schickt Kommunikationsgerät A an Kommunikationsgerät B. B berechnet

Communication device A calculates a random number W _A = 9364594753971. As Nonce μ current timestamp T = 1178982692 is selected, which corresponds to the time 12/05/2007 17:11:25. Now A calculates

· D (F (E _A )) ≡ 211960759887420950241 and

≡ 279712538859918245040. This results in the triple (

D (F (E _A )) mod N, T mod N,

mod N) = (211960759887420950241, 1178982692, 279712538859918245040). This triple sends communication device A to communication device B. B is calculated

The left side corresponds 211960759887420950241 3 · 137248131121 -1 61838026459164934808

The right side corresponds 279712538859918245040 1178982692 61838026459164934808

There Both sides provide the same result, becomes the legitimate possession the endpoint address ER confirmed.

• [14] Durch Austausch der IPv4-Adresse durch den NAT-Router ist nun die Berechnung von [11] fehlerhaft.

The following is a detailed consideration of the invention using IPv4 addresses as endpoint addresses with respect to the NAT protocol. When using IPv4 addresses as the endpoint address, the Network Address Translation (NAT) technique requires special handling. NAT is a technique to virtually extend the relatively narrow range of possible IPv4 addresses (2 ³² ). With NAT, it is possible to hide multiple IP-based communication devices behind a NAT router (see 7 ). The hidden IP communication devices have IPv4 addresses from a private area (eg 192.168.xx) that is not unique worldwide. IP packets with these addresses will not be passed on the global Internet. Only the NAT router has an IPv4 address that can be communicated worldwide. The internal communication devices each have private keys for their IPv4 addresses with which they can communicate internally. This internal communication can be secured according to the method already described, since the internal internal IPv4 addresses are unique. The internal area is a separate security domain, ie the keys are generated with their own output parameters (P and Q) from the NAT router (or from a key server available in the internal area). In order for an internal communication device to communicate with a public area communication device, its IPv4 address is replaced by the globally valid IPv4 address of the NAT router as it passes the NAT router.

• By replacing the IPv4 address by the NAT router, the calculation of [11] is now incorrect.

If A's IPv4 address is called E _A , the internal IPv4 address of the NAT router is called ¹ E _X and the external as ² E _X , the solution to the problem consists of the following: All internal IP communication devices receive to their output numbers (see [7, 8]), in addition the private key D (F ( ² E _X ) ) of the NAT router, which is based on the public IP address ² E _{X of} the NAT router. The IP address ¹ E _X is the second, internal IP address of the NAT router.

D(F(²E_X)) mod N zu.Instead of as described in [10], the internal communication device A sends now the slightly changed IP packet with the content to the external communication device B.

D (F ( ² E _X )) mod N to.

By substituting AE _A's IPv4 address with the NAT router's IPv4 address, ² E _X , a correct packet is generated according to [11].

• a. Für die interne Kommunikation werden nur die internen Endpunktadressen verwendet; auch der NAT-Router besitzt eine eindeutige interne Endpunktadresse (d. h. er besitzt somit eine interne und eine externe (öffentliche) IPv4-Adresse). Für die rein interne Kommunikation ist somit die Weitergabe des privaten Schlüssels der öffentlichen IPv4-Adresse des NAT-Routers sicherheitsunkritisch und ohne Bedeutung.
• b. Möchte ein internes Kommunikationsgerät A eine Verbindung zu einem externen Kommunikationsgerät B aufbauen und ist A im Besitz der zugehörigen Ziel- Endpunktadresse, so kann kein internes Kommunikationsgerät einen Man-in-the-Middle-Angriff starten, selbst der NAT-Router nicht: i. Ein internes Kommunikationsgerät kann keinen Man-in-the-Middle Angriff starten, da der erste Schritt der Verbindung, vom Kommunikationsgerät zum NAT-Router, mit Hilfe des öffentlichen Schlüssels der internen Endpunktadresse des NAT-Routers gesichert werden kann. ii. Der NAT-Router kann keinen Man-in-the-Middle Angriff starten, da er nicht im Besitz des privaten Schlüssels desjenigen externen Kommunikationsgeräts ist, zu dem das interne Kommunikationsgerät eine Verbindung aufbauen möchte.

Passing the private key D (F ( ² E _X )) of the NAT router to the internal communication devices is an unusual practice, but does not pose any security risks:

• a. For internal communication, only the internal endpoint addresses are used; The NAT router also has a unique internal endpoint address (ie it has an internal and an external (public) IPv4 address). For purely internal communication, the passing on of the private key of the public IPv4 address of the NAT router is security-critical and of no significance.
• b. If an internal communication device A wants to establish a connection to an external communication device B and A is in possession of the associated destination endpoint address, then no internal communication device can start a man-in-the-middle attack, even the NAT router does not: i. An internal communication device can not start a man-in-the-middle attack because the first step of the connection, from the communication device to the NAT router, can be secured using the public key of the internal endpoint address of the NAT router. ii. The NAT router can not start a man-in-the-middle attack because it is not in possession of the private key of the external communication device to which the internal communication device wishes to connect.

To be considered critical are all communication links that are initiated from the outside, since here the internal communication device is not sure from which IPv4 address the connection comes. In most organizations, external connections are generally prohibited for security reasons. Such connections are only possible if the NAT router for a specified port forwards incoming connections on this port to a defined internal computer. If incoming connections are desired, since, for example, one has a particular service running on an internal computer, then one generates a private key for the internal communication device A, which includes this port and has the form D (F ( ² E _X Port)) where the operator ∘ represents a join operation. This is only output to the computer running the service bound to this port. Even the NAT router does not get this key if a key server in the internal network generates the keys. The calculation of the external communication device B after receiving the key of the internal communication device A is thus

These Solution is only practicable if its own security trough operated with key generator in the internal network, to generate the port-dependent keys.

Here is an example for illustration. The numbers N and G are taken from the example above.
N _G = 361752844532961371761
G _G = 258201056061078543287

These represent the global / external parameters of the system. Within the NAT network, ie for the communication in the private network "behind" the NAT server in this example the parameters
N _P = 35813530660934177120521
G _P = 12718647769806831085000
which have been calculated analogously and therefore have the same properties as the global parameters.

Let the IPv4 addresses of the NAT router X be ¹ E _X = 192.168.0.1 and ² E _X = 137.248.3.15. Let the IPv4 address of the communication device A be E _A = 192.168.0.2 and that of the communication device B be E _B = 209.85.135.147 (which, for example, is www.google.de corresponds). The private key to the IP address ² E _{X of} the NAT server X with F ( ² E _X ) = 137248003015 D (F ( 2 e X )) ≡ 127305603288901208592 mod N G ,

The private key of the IP address ¹ E _X with F ( ¹ E _X ) = 192168000001 is (with regard to the intranet modulo) D (F ( 1 e X )) ≡ 8764387150301768383530 mod N P ,

For the IPv4 address of the communication device A with F (E _A ) = 192168000002 applies D (F (E A )) ≡ 15901565656352459335637mod N P ,

The communication device A now has two public keys, one for the internal NAT network and one for communication with external communication devices. To do this, A calculates two random numbers ¹ Z _A = 9873284762321 and ² Z _A = 1332223872819.

The two keys are:
The key to the internal NAT network:

The key to the external network:

The public key of communication device B is (with Z _B = 34526974652949654)

The private key to address ² E _X = 137.248.3.15 has all communication devices in the internal NAT network. By contrast, the NAT router X is unique in that it is the only one that has the private key to the address ¹ E _X = 192.168.0.1. Thus, no other communication device in the internal NAT network of the NAT router "spoof" because it can not prove the legitimate possession of the address 192.168.0.1.

D(F(²E_X)) unter Angabe der IP-Adresse 192.168.0.2 als Absenderadresse los. (Anm: Mit dieser Nachricht, zusammen mit der verwendeten IP-Adresse, würde keine erfolgreiche Schlüsseleinigung zustande kommen, da der verschickte Schlüssel nicht zu der IP-Adresse passt). Kommt diese Nachricht bei dem NAT-Router X an, so substituiert X die IP-Adresse 192.168.0.2 mit seiner eigenen externen IP-Adresse 137.248.3.15. Durch diese Substitution wird die Nachricht gültig.The following is an example of communication setup from A to B. Since B is a global-scale communication device, A takes the global key. A sends now

D (F ( ² E _X )) stating the IP address 192.168.0.2 as the sender address. (Note: With this message, along with the IP address used, a successful key agreement would not be achieved because the key sent does not match the IP address). If this message arrives at the NAT router X, X substitutes the IP address 192.168.0.2 with its own external IP address 137.248.3.15. This substitution makes the message valid.

Communication device B now calculates (37434419775649604698 3 · 137248003015 -1 ) 34526974652949654 which gives 96527559674518842237 (modulo N _G ).

B now sends his public key to A. The NAT server leaves this message untouched. A calculated (128451006445006878090 3 · 208085135147 -1 ) 1332223872819 which gives 96527559674518842237 (modulo N _G ).

There both sides can now own the number 96527559674518842237 They use these as AES keys for the more symmetrical Use encryption.

den der NAT-Router nicht besitzt, wobei die Konkatenationsstriche || hier eine Instanz des ∘ Operators darstellen. B sendet eine Anfrage auf Port 21 an den NAT-Router, welche durch den NAT-Router an A weitergeleitet wird. B schickt nun seinen öffentlichen Schlüssel

D(F(E_B)) ≡ 128451006445006878090 mod N_G an A, und A berechnet dannAn example follows in which the external communication device B establishes a connection to the internal network. In this example, an FTP server is running on port 1234 on internal communication device A. Anfra from the outside to port 21 are forwarded by the NAT router to the internal communication device A. Communication device A has the public key for this purpose

which the NAT router does not possess, with the concatenation strokes || represent here an instance of the ∘ operator. B sends a request on port 21 to the NAT router, which is forwarded to A by the NAT router. B now sends his public key

D (F (E _B )) ≡ 128451006445006878090 mod N _G at A, and then A calculates

A sends his public key to B, and B then calculates

in the Below is the key agreement between two communication devices described their keys to different security domains belong, d. H. their keys with different ones Output parameters (P and Q) were generated.

As already described above, the key agreement leads to problems if the private keys for the endpoint addresses belong to different moduli (eg: N ₁ or N ₂ ), since for a private key belonging to the modulus N ₁ with respect to. of another modulus N ₂ , the key is not the Rth root from the converted endpoint address (F (∙)).

To solve this problem, one goes to the modulus N = N ₁ · N ₂ and the number G = G ₁ · G ₂ .

in this connection it is assumed that the number R and the function F (∙) is the same for both security domains. This requirement is safety-critical, since R and F (∙) are public anyway Parameters are.

For this purpose, the two private keys from the different security domains must now be adapted, but in a way that does not require the factorization of N ₁ or N ₂ , because this is not known to the two communication devices.

The adaptation takes place in that the two private keys the congruences D ~ (F (E A )) ≡ D (F (E A )) mod N 1 and D ~ (F (E A )) ≡ 1 mod N 2 respectively. D ~ (F (E B )) ≡ 1 mod N 1 and D (F (E B )) ≡ D ~ (F (E B )) mod N 2 fulfill.

Calculated this is done by means of the theorem of the Chinese Remainder theorem or with appropriate algorithms.

When calculating the joint key S resulting from the key agreement, it is no longer taken F (E _A ) or F (E _B ), but rather F ~ (E. A ) ≡ F (E A ) mod N 1 and F ~ (E. A ) ≡ 1mod N 2 respectively. F ~ (E. B ) ≡ 1 mod N 1 and F ~ (E. B ) ≡ F (E B ) mod N 2

So now D ~ (F (E A )) R ≡ F ~ (E. A ) mod N or D ~ (F (E B )) R ≡ F ~ (E. B ) mod N

The Calculation is then for communication device A

[F1]

The Calculation is then for communication device B

[F2]

The following example should make the approach of roaming easier to understand. This example looks at two security domains whose parameters are chosen as follows (similar to the example above):
N ₁ = 361752844532961371761
G ₁ = 258201056061078543287
R = 3
N ₂ = 35813530660934177120521
G ₂ = 12718647769806831085000
R = 3

The communication devices A and B have the IP addresses E _A = 137.248.131.121 and E _B = 217.141.12.3. Analogous to the first examples, the private keys result D (F (E A )) ≡ 25860829056029300846832 mod N 1 D (F (E B )) 29 292947890423430020984 mod N 2

The roaming adjustment is now made so that the two numbers are adjusted using the Chinese Remainder Theorem. It results in the numbers D ~ (F (E A )) 30 1230559696114446419779508987105680948292197 mod N 1 · N 2 D ~ (F (E B )) ≡ 9189257507665222873678140085008212062937148 mod N 1 · N 2

With These two new private keys then become the public Key calculated analogously to the other examples.

It applies (using the example for D ~ (F (E _A )))
1230559696114446419779508987105680948292197 ≡ 25860829056029300846832 mod 361752844532961371761
1230559696114446419779508987105680948292197 ≡ 1 mod 35813530660934177120521

The adaptation of the numbers F (E _A ) and F (E _B ) is also done via the Chinese Remainder Theorem, which gives the numbers F ~ (E. A ) 80 10809397770265955989181871047017298016361291 mod N 1 · N 2 F ~ (E. B ) 14 3314228663601259516632595659356914554799147 mod N 1 · N 2 result. The two numbers are now the R-th residues with respect to the corresponding private keys and it applies (using the example of F ~ (E _A ))
10809397770265955989181871047017298016361291 ≡ 137248131121 mod 361752844532961371761
10809397770265955989181871047017298016361291 ≡ 1 mod 35813530660934177120521

The Key agreement is then analogous to the first example instead, where A is the formula [F1] and communication device B calculates the formula [F2].

Since the method underlying the invention uses endpoint addresses as the basis for the private key generation, the handover of one and the same endpoint address to different commu a problem. This corresponds to the transfer of a public key to another person in other cryptosystems. The common knowledge of the associated private key to an endpoint address is thus critical to safety in the transmission of the same endpoint address to different communication devices.

The The problem addressed occurs in IPv4 networks with dynamic IP address assignment on, such as For example, at major online providers such as T-Online or AOL.

The solution to the problem is based on varying the private keys every U time units, where U is a publicly known value, which is based on a fixed time Φ _i , which is the same for all participating communication devices, where Φ _i expresses that i have been time units since one defined starting time have elapsed.

The private keys are then calculated (eg for the endpoint address E _A ) by means of: D (F (E A ), (Φ i - (Φ i mod U)) ≡ (F (E A ) + Φ i - (Φ i mod U)) 1 / R mod N

This change The public key must be synonymous with everyone further calculation.

Since now the private key D (F (E _A ), Φ _i - (Φ _i mod U)) is no longer valid after U past time units, the problem of passing on the IP address is solved if the transfer earliest after U Time units takes place.

When applying this method, care must be taken that F (E _A ) is no longer valid on its own. Communication devices must now transition to F (E _A , Φ _i ) = (F (E _A ) + Φ _i - (Φ _i mod U)) whenever the inverse formation F () ^{-1 of} a foreign endpoint address is requested during key agreement is.

It follows a numerical example of varying private Keys using IPv4 addresses.

Again, for this example
N = 361752844532961371761
G = 258201056061078543287
R = 3

When common time unit between all communication devices Let's take the example of the "Unix-Timestamp". The value U is U = 86400, which corresponds to one day in time. at the chosen U is the change to a new private Key at 2 o'clock in the morning.

The IPv4 address of E _A is 137.248.131.121. On 29.05.2007 at 12:13:01 was the time stamp 1180433581. Thus follows for the key for E _A : (F (E A ) + 1180433581 - (1180433581 mod 86400)) 3.1 ≡ (137248131121 + 1180396800) 3.1 mod N ≡ 138428527921 3.1 mod N ≡ 31295567477849577417 mod N ≡ D (F (137.248.131.121, 1180433581)) mod N

On the following day at 30/05/2007 at 14:33:03, the timestamp is at the value 1180528383. This yields the following private key to E _A at this time: (F (E A ) + 1180528383 - (1180528383 mod 86400)) 3.1 ≡ (137248131121 + 1180528383) 3.1 mod N ≡ 138428614321 3.1 mod N ≡ 110097337710939828430 mod N ≡ D (F (137.248.131.121, 1180528383)) mod N

It It should be noted that parts of the invention are embodied in software can be, and when loading into a computer to an inventive Become device.

Further serve the embodiments only for understanding and are not intended to limit the invention. Much more the spirit and scope of the invention is the enclosed Claims to be taken.

Bibliography

P. Related Patents

• a. US020050022020A1 , / - / [EN] Authentication protocol
• b. US020030147537A1 / JING DONGFENG PERKINS CHARLES E / [EN] Secure key distribution protocol in AAA for mobile IP
• c. WO2006051517 / MCCULLAGH NOEL (IE); SCOTT MICHAEL (IE); COSTIGAN NEIL (IE), / Identity based encryption
• d. US20030081785A1 / Boneh, Dan (Palo Alto, CA, US), Franklin, Matthew (Davis, CA, US) / Systems and methods for identity-based encryption and related cryptographic techniques
• e. US5161244 / Maurer, Ueli / Cryptographic system based on information difference
• f. US4405829 , / Cryptographic Communications System and Method / Rivest; Ronald L., Shamir; Adi, Adleman; Leonard M.
• G. US000006766453B1 / 3COM CORP, US / Authenticated diffiehellman key agreement protocol where the communicating parties share a secret key with a third party.
• H. EP000001626598A1 / AXALTO SA, FR / Procedure for securing an authentication and key distribution protocol.
• i. WO002003026197A2 / Non-Elephant encryption systems (BARBADOS) Inc. Bruen, Aiden Forcinito, Mario Wehlau, David Coyle, Philip, A / A Key Agreement Protocol Based on Network Dynamics

V1. Asymmetric encryption methods

• a. Whitfield Diffie and Martin E. Hellman, "New Directions in Cryptography," IEEE Transactions On Information Theory, no. 6, pp. 644-654, 1976
• b. RL Rivest and A. Shamir and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Communications of the ACM, no. 2, pp. 120-126, 1978 ,
• c. Taher El Gamal, "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms," in Proceedings of CRYPTO 84 on Advances in Cryptology. New York, NY, USA: Springer-Verlag New York, Inc., 1985, p. 10-18 ,
• d. Neal Koblitz and Alfred J. Menezes. A Survey of Public-Key Cryptosystems. SIAM Review, 46 (4): 599-634, 2004 ,

V2. Key exchange or Key agreement protocols

• a. Rainer Rueppel and Paul C. van Oorschot, "Modern Key Agreement Techniques," Computer Communications, vol. 17, no. 7, pp. 458-465, 1994 ,
• b. Ratna Dutta and Rana Barua, "Overview of Key Agreement Protocols," Cryptology ePrint Archive, Report 2005/289, 2005, http://eprint.iacr.org/ ,
• c. R. Rivest and A. Shamir. How to Expose to Eavesdropper. CACM, Vol. 27, April 1984, pp. 393-395

V3. Identity-Based Cryptosystems

• a. Jing-Shyang Hwu, Rong-Jaye Boss, Yi-Bing Lin, An Efficient Identity-Based Cryptosystem for End-to-End Mobile Security, IEEE Transactions on Wireless Communications, vol. 5, no. 9, pp. 2586-2593, 2006
• b. Dan Boneh and Matthew Franklin, Identity-Based Encryption from the Weil Pairing, SIAM Journal of Computation, vol. 32, no. 3, pp. 586-615, 2003
• c. M. Gorantla and R. Gangishetti and A. Saxena, A Survey on ID-Based Cryptographic Primitives, Cryptology ePrint Archive, Report 2005 ,
• d. Joonsang Baek, Jan Newmarch, Reihaneh Safavi-Naini and Willy Susilo, A Survey of Identity-Based Cryptography, Journal of Computer Research and Development, vol. 43, no. 10, pp. 1810-1819, 2006

V4. Infrastructures for managing public Keys (Public Key Infrastructures)

• a. Dieter Gollmann: Coding Theory and Cryptology. Lecture Notes Series, Institute for Mathematical Sciences, National University of Singapore, 2002 pages 143-175 ,
• b. Hui Li and Yumin Wang: Public Key Infrastructure. Payment Technologies for Ecommerce, Springer New York Publishing, 2003 pages 39-70 ,
• c. K. Aberer and A. Datta and M. Hauswirth: A Decentralized Public Key Infrastructure for Customer-to-Customer E-Commerce. International Journal of Business Process Integration and Management, 2005 - Vol. 1, no. 1 pp 26-33
• d. Ruggero Morselli, Bobby Bhattacharjee, Jonathan Katz, Michael A. Marsh: Key Chains - A Decentralized Public-Key Infrastructure. Technical Report CS-TR-4788, University of Maryland (2006)

V5. Key Einigungs protocols with public discussion

• a. Ueli M. Maurer. Secret key agreement by public discussion from common information. IEEE Transactions an Information Theory, 39 (3): 733-742, May 1993 ,

L. References / Links

• 1. ( http://zfoneproject.com/docs/ietf/draft-zimmermann-avt-zrtp-03.html )

QUOTES INCLUDE IN THE DESCRIPTION

This list The documents listed by the applicant have been automated generated and is solely for better information recorded by the reader. The list is not part of the German Patent or utility model application. The DPMA takes over no liability for any errors or omissions.

Cited patent literature

• US 020050022020 A1 [0188]
• - US 020030147537 A1 [0188]
• - WO 2006051517 [0188]
• US 20030081785 A1 [0188]
• US 5161244 [0188]
• US 4405829 [0188]
• US 000006766453 B1 [0188]
• EP 000001626598 A1 [0188]
• WO 002003026197 A2 [0188]

Cited non-patent literature

• - Joan Daemen and Vincent Rijmen, The Design of Rijndael: AES - The Advanced Encryption Standard, Springer-Verlag 2002 (238 pp.) [0126]
• - www.google.com [0143]
• - Whitfield Diffie and Martin E. Hellman, "New Directions in Cryptography," IEEE Transactions On Information Theory, no. 6, pp. 644-654, 1976 [0188]
• - RL Rivest and A. Shamir and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Communications of the ACM, no. 2, pp. 120-126, 1978 [0188]
• - Taher El Gamal, "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms," in Proceedings of CRYPTO 84 on Advances in Cryptology. New York, NY, USA: Springer-Verlag New York, Inc., 1985, pp. 10-18 [0188]
• - Neal Koblitz and Alfred J. Menezes. A Survey of Public-Key Cryptosystems. SIAM Review, 46 (4): 599-634, 2004 [0188]
• - Rainer Rueppel and Paul C. van Oorschot, "Modern Key Agreement Techniques," Computer Communications, vol. 17, no. 7, pp. 458-465, 1994 [0188]
• - Ratna Dutta and Rana Barua, "Overview of Key Agreement Protocols," Cryptology ePrint Archive, Report 2005/289, 2005, http://eprint.iacr.org/ [0188]
• R. Rivest and A. Shamir. How to Expose to Eavesdropper. CACM, Vol. 27, April 1984, pp. 393-395 [0188]
• - Jing-Shyang Hwu, Rong-Jaye Boss, Yi-Bing Lin, An Efficient Identity-Based Cryptosystem for End-to-End Mobile Security, IEEE Transactions on Wireless Communications, vol. 5, no. 9, pp. 2586-2593, 2006 [0188]
• - Dan Boneh and Matthew Franklin, Identity-Based Encryption from the Weil Pairing, SIAM Journal of Computation, vol. 32, no. 3, pp. 586-615, 2003 [0188]
• - M. Gorantla and R. Gangishetti and A. Saxena, A Survey on ID-Based Cryptographic Primitives, Cryptology ePrint Archive, Report 2005 [0188]
• - Joonsang Baek, Jan Newmarch, Reihaneh Safavi-Naini and Willy Susilo, A Survey of Identity-Based Cryptography, Journal of Computer Research and Development, vol. 43, no. 10, pp. 1810-1819, 2006 [0188]
• - Dieter Gollmann: Coding Theory and Cryptology. Lecture Notes Series, Institute for Mathematical Sciences, National University of Singapore, 2002 pages 143-175 [0188]
• - Hui Li and Yumin Wang: Public Key Infrastructure. Payment Technologies for Ecommerce, Springer Verlag New York, 2003 pages 39-70 [0188]
• - K. Aberer and A. Datta and M. Hauswirth: A Decentralized Public Key Infrastructure for Customer-to-Customer E-Commerce. International Journal of Business Process Integration and Management, 2005 - Vol. 1, no. 1 pp 26-33 [0188]
• - Ruggero Morselli, Bobby Bhattacharjee, Jonathan Katz, Michael A. Marsh: Key Chains - A Decentralized Public-Key Infrastructure. Technical Report CS-TR-4788, University of Maryland (2006) [0188]
• - Ueli M. Maurer. Secret key agreement by public discussion from common information. IEEE Transactions an Information Theory, 39 (3): 733-742, May 1993 [0188]
• - http://zfoneproject.com/docs/ietf/draft-zimmermann-avt-zrtp-03.html [0188]

Claims (43)

A method of proving possession of an endpoint address of a communication device in a network, wherein a communication device A owns an endpoint address E _A associated therewith to use the associated private cryptographic key by using one or more disposable functions U _i with trapdoor to another communication device B proves, so that the possession of the endpoint address E _A for B is verifiable. The method of the preceding claim, wherein proof is provided by a single message exchanged can. The method according to one or more of the preceding claims, wherein one of the one-way functions U _{i is} the discrete exponentiation and the inverse function U _i ^{-1 is} the calculation of the discrete logarithm. The method of one or more of the preceding claims, wherein one of the one-way functions U _{i is} the multiplication of large primes and the inverse function U _i ^{-1 is} the prime factorization. The method of one or more of the preceding claims, wherein one of the one-way functions U _{i is} the calculation of R-th powers in the ring Z _N , where N is a number whose factorization can not be calculated in polynomial time and the inverse function U _i ^{-1 is} the calculation of discrete roots. The method according to one or more of the preceding Claims, wherein a unique number ("NONCE") and / or a hash value of a message is integrated in the proof. The method according to one or more of the preceding claims, wherein a communication device A is capable of detecting the legitimate possession of an endpoint address by transmitting a ownership proof for E _A to the communication device B using the endpoint address E _A. The method according to one or more of the preceding claims, wherein the proof for communication device A with the end point address E _{A is} indicated by the triple (

· D (F (E _A )) mod N, μ mod N,

mod N) as ownership proof, where μ is a NONCE and / or a hash of a message, G is a number whose order in the ring Z _N is a fixed-order prime number, W _{A is} a random number, F (. ) is a function that converts an endpoint address into a unique number in the ring Z _N , the number R has the property that it does not divide any of the prime factors of N reduced by the number one, and D an instance of a one-way inverse function U _i ^-1 with trapdoor with D (F (E _A )) ≡ F (E _A ) ^{1 / R} mod N. The method according to one or more of the preceding Claims, where G is a point on an elliptic curve E is. A method for checking the possession of an endpoint address of a communication device in a network, wherein for a communication device B possession of an endpoint address E _{A of} a communication device A using one or more one-way functions U _{i is} verifiable. The method according to the preceding verification claim, wherein B indicates the ownership proof transmitted by A by means of

can check. If the check is correct, then A is in the legitimate possession of E _A. The method according to one or more of the preceding test claims, wherein a communication device B is an address pretense (English spoofing) of communication device A by review of ownership proof, and thereby further communication can be avoided. The method according to one or more of the preceding checking claims, wherein singular or distributed (denial-of-service) service blocks are prevented based on the fake possession of an endpoint address of a communication device. A VPN method for preparing a virtual private network (VPN), wherein at a VPN server VS a private key D (F (E _VS )) is output together with the assignment of the endpoint address, the endpoint address E _VS or the in a unique natural number E (E _VS ) converted endpoint address of the VPN server VS is converted directly or indirectly by application of the inverse function D ^{-1 of} a one-way mathematical function D with a trapdoor into a part of the private cryptographic key. The VPN method according to the preceding VPN method claim, wherein the private key D (F (E _VC )) of a communication device VC is output together with the allocation of the internal VPN end point address E _VC to the communication device VC. The VPN method according to one or more of the preceding VPN method claims, wherein the assignment of the key D (F (E _VC )) by means of a (local) DHCP server or a (local) key server. A VPN server method for establishing a secure connection from a VPN server VS to a communication device VC in a network, wherein - the communication device VC with its unsafe endpoint address E _UC a message to VS with the content E _VC or another to E _VC belonging identifier sends; the endpoint address E _VS is known to VC; The VPN server VS sends the communication device VC a uniquely used number ("NONCE") μ to the insecure endpoint address E _UC , the communication device VC a possession proof B (μ) for E _VC , which is generated using μ and a or multiple one-way functions U _{i was created} with trap door, sent to VS using the associated private cryptographic key D (F ( _EVC )), where D is an instance of a one-way inverse function U _i ^-1 with trapdoor VS checks the received ownership proof B (μ) for E _VC ; VS assigns the internal endpoint address E _VC based on the content E _VC or the identifier sent by VC and initiates the VPN connection, then a secure key agreement between VS and VC with the endpoint addresses E _VS and E _VC for a VPN connection. The VPN server method according to the preceding VPN server method claim, wherein - communication device VC is assigned the end point address E _UC in an insecure network, - communication device VC for setting up a VPN connection communication device VC from the insecure network to the VPN server VS sends a message with the content E _VC or another identifier belonging to E _VC , - the VPN server sends to the communication device VC a uniquely used number ("NONCE") μ to the unsecure endpoint address E _UC , - communication device VC a possession-proof B (μ) for E _VC consisting of the triple: (

· D (F (E _VC )) mod N, μ mod N,

mod N) to VS, where G is a non-divisive number of order e and e has a fixed-order prime factor, N is the product of at least two prime numbers P and Q, R is a number that satisfies these none of the prime factors of N divided by one divides, E _{VC is} the endpoint address of the communication device VC and F (E _VC ) is an endpoint address each converted to a unique natural number, W _{VC is} a private random number, and D is an instance of a one-way inverse function U _i ^-1 with trapdoor with D (F (E _VC )) ≡ F (E _VC ) ^{1 / R} mod N; - VS the legitimate possession of the endpoint address to be assigned by means of:

checks; VS, based on the content E _VC or another identifier belonging to E _VC , assigns the internal endpoint address E _VC and initiates the VPN connection with the endpoint addresses E _VS and E _VC using the endpoint address based key agreement protocol. A VPN client method for establishing a secure connection from a VPN client VC to a VPN server VS in a network, wherein - the VPN client VC with its insecure endpoint E _UC a message to VS with the content E _VC or sends another ID belonging to E _VC ; the endpoint address E _VS is known to VC; The VPN server VS sends to the VPN client VC a uniquely used number ("NONCE") μ to the insecure endpoint address E _UC ; the VPN client VC stores a ownership proof B (μ) for E _VC using of μ and one or more one-way functions U _i with trapdoor is sent to VS, this is done using the associated private cryptographic key D (F (E _VC )), where D is an instance of a one-way inverse function U _i ^-1 with trapdoor, - VS checks the received ownership proof B (μ) for E _VC , - VS assigns the internal endpoint address E _VC based on the content E _VC or the identifier sent by VC and initiates the VPN connection; - Then there is a secure key agreement between VS and VC with the endpoint addresses E _VS and E _VC for a VPN connection takes place. The VPN client method according to the preceding VPN client method claim, wherein - VPN client VC is assigned the end point address E _UC in an insecure network, - VPN client VC for setting up a VPN connection from the unsecure network to the VPN Server VS sends a message with the content E _VC or another identifier belonging to E _VC , - the VPN server sends the VPN client VC to the unsecure endpoint address E _UC a once used number ("NONCE") μ, - VC one Possession-proof B (μ) for E _VC consisting of the triple: (

· D (F (E _VC )) mod N, μ mod N,

mod N) to VS, where G is a non-divisive number of order e and e has a fixed-order prime factor, N is the product of at least two prime numbers P and Q, R is a number that satisfies these none of the prime factors of N divided by one divides, E _VC the endpoint address of VC and F (E _VC ) is an endpoint address each converted to a unique natural number, W _VC a private random number, and D an instance of a one-way inverse function U _i ^-1 with trapdoor with D (F (E _VC )) ≡ F (E _VC ) ^{1 / R} mod N; - VS the legitimate possession of the endpoint address to be assigned by means of:

checks; VS, based on the content E _VC or another identifier belonging to E _VC , assigns the internal endpoint address E _VC and initiates the VPN connection with the endpoint addresses E _VS and E _VC using the endpoint address based key agreement protocol. The VPN client method according to one or more of the preceding VPN client method claims, wherein it is possible for the VPN client VC by using the matching to an endpoint address E _VC private key D (F (E _VC )), without further Passwords or certificates to establish a VPN connection with a VPN server VS. An apparatus for detecting ownership of an endpoint address of a communication device in a network, comprising: a memory area having a private cryptographic key; A communication unit which can be addressed via an endpoint address E _A ; - An arithmetic unit that under the help of belonging to E _A private cryptographic key by using one or more disposable functions U _i with trap door another communication device B, the possession of the endpoint E _A so that their possession for B is verifiable. The device according to the preceding device claim, evidence being provided by a single message exchanged can. The device according to one or more of the preceding apparatus claims, wherein one of the one-way functions U _{i is} the discrete exponentiation and the inverse function U _i ^{-1 is} the calculation of the discrete logarithm. The device according to one or more of the preceding device claims, wherein one of the one-way functions U _{i is} the multiplication of large primes and the one-way inverse function U _i ^{-1 is} the prime factorization. The device according to one or more of the preceding device claims, wherein one of the one-way functions U _{i represents} the calculation of R-th powers in the ring Z _N , where N is a number, de can not be calculated in polynomial time, and the inverse function U _i ^{-1 is} the calculation of discrete roots. The device according to one or more of the preceding Device claims, where a once used number ("NONCE") and / or a hash of a message in evidence is integrated. The device according to one or more of the preceding device claims, wherein a communication device A can demonstrate the rightful possession of an end point address by a holding-A proof of E _A using the endpoint address E _A transmits a communication device B. The device according to one or more of the preceding device claims, wherein detection by the triple (

· D (F (E _A )) mod N, μ mod N,

mod N), where μ is a NONCE, G is a number whose order in the ring Z _N exists a prime number of a secure order, N is the product of at least two prime numbers P and Q, R is a number for which that it does not divide one of the prime factors of N, E _A the endpoint address of the communication device A and F (E _A ) is an endpoint address converted to a unique natural number, W _{A is} a private random number, and D is an inverse one-way instance Function U _i ^-1 with trapdoor with D (F (E _A )) ≡ F (E _A ) ^{1 / R} mod N. The device according to one or more of the preceding Device claims, where G is a point on an elliptical Curve E is. A device for checking the ownership of an endpoint address of a communication device in a network, wherein for a communication device B, the possession of an endpoint address E _{A of} a communication device A can be checked by utilizing a one-way function U with a trapdoor. The device according to the preceding device claim, wherein B is the ownership proof by means of

can check. If the check is correct, then A is in the legitimate possession of E _A. The device according to one or more of the preceding Device claims, being a communication device B is an address spoofing of communication device A can recognize by checking the proof and thereby avoid further communication. The device according to one or more of the preceding Device claims, being singular or distributed Service Blockages (Distributed) Denial-of-Service Attacks be prevented on the pretended possession of a Endpoint address of a communication device based. A VPN server (VS) for establishing a virtual private network (VPN), comprising - a network interface and an endpoint address E _VS ; A memory area storing a private key D (F (E _VS )), the end point address E _{VS being converted,} directly or indirectly, to a part of the cryptographic key, by using the inverse function D ^{-1 of} a one-way trapdoor function D; A processing unit configured to issue a private key D (F (E _VC )) along with the assignment of the internal VPN endpoint address to a communication device VC; If the communication device VC wishes to establish a VPN connection with the VPN server VS in an insecure network, then VS receives a message with an identifier for E _VC stating the unsecure endpoint address E _UC as the sender address. VS sends the non-secure endpoint address E _UC a NONCE μ and receives from VC a ownership proof B (μ) for E _VC , this is done using the associated private cryptographic key; the processing unit is set up so that, based on the proof of ownership for E _VC VS, the internal endpoint address E _{VC can be} assigned and the VPN connection initiated; If this has happened, a secure key agreement between VS and VC can take place with the endpoint addresses E _VS and E _VC for a VPN connection. The VPN server according to one or more of the preceding VPN server claims, wherein the processing unit receives a message with the content E _VC or another identifier belonging to E _VC of VC, wherein the communication device VC in the insecure network, the endpoint address E _UC Has; the processing unit sends the communication device VC a uniquely used number ("NONCE") μ to the insecure endpoint address E _UC , the processing unit then sends it from the communication device VC Possession-proof B (μ) for E _VC consisting of the triple:

· D (F (E _VC )) mod N, μ mod N,

mod N), where G is a non-divisive number of order e and e has a fixed-order prime factor, N is the product of at least two prime numbers P and Q, R is a number that is not one of the divides by one decremented prime factors of N, E _{VC is} the endpoint address of the communication device VC and F (E _VC ) is an endpoint address each converted to a unique natural number, W _{VC is} a private random number, and D is an instance of one-way inverse function U _i ^{- 1} with trapdoor with D (F (E _VC )) ≡ F (E _VC ) ^{1 / R} mod N; the processing unit means the legitimate possession of the endpoint address to be assigned by means of

checks; VS can then assign the internal endpoint address E _VC based on E _VC and initiate the VPN connection using the endpoint address based key agreement protocol with the endpoint addresses E _VS and E _VC . The VPN server according to one or more of the preceding VPN server claims, wherein the private key D (F (E _VS )) is obtained along with the assignment of the endpoint address by the VPN server VS. The VPN server according to one or more of the preceding VPN server claims, wherein it is possible by using the matching to an endpoint address E _VC private key D (F (E _VC )) communication device VC, without more passwords or certificates a VPN Connection with the VPN server VS. A VPN client (VC) for establishing a virtual private network (VPN), wherein originally a private key D (F (E _VC )) was issued together with the assignment of the endpoint address E _VC to the VPN client VC, the endpoint address E _{VC is} directly or indirectly converted to part of the private cryptographic key D (F (E _VC )) by using the inverse function D of a one-way trap-door function D (F (E _VC )) comprising a network unit and a processing unit; If VC wants to establish a VPN connection in an insecure network with the VPN server VS, then VC sends a message to VS with its insecure endpoint address E _UC , the processing unit is configured such that a VPN server sends it to the insecure endpoint address E _UC transmitted NONCE μ is received; the processing unit of VC sends ownership proof B (μ) for E _VC using μ to VS, this is done using the associated private cryptographic key D (F (E _VC )); based on the proof of ownership check, VS can assign the internal endpoint address E _VC and initiate the VPN connection; If this has happened, a secure key agreement between VS and VC can take place with the endpoint addresses E _VS and E _VC for a VPN connection. The VPN client according to one or more of the preceding VPN client claims, VC is assigned the endpoint address E _UC in an insecure network, the processing unit for establishing a VPN connection from the insecure network the VPN server VS a message with the Content E _VC or other identifier associated with E _VC , the processing unit is adapted to receive a unique number ("NONCE") μ sent by the VPN server, the processing unit having ownership proof B (μ) for E _VC from the triple (

· D (F (E _VC )) mod N, μ mod N,

mod N) to VS using μ, where G is a non-divisive number of order e and e has a fixed order prime factor, N is the product of at least two prime numbers P and Q, R is a number for which that is, it does not divide any of the one-prime prime factors of N, E _{VC is} the endpoint address of VC and F (E _VC ) is an endpoint address converted to a unique natural number, W _{VC is} a private random number, and D is an inverse one-way instance Trap-door function U _i ^-1 with D (F (E _VC )) ≡ F (E _VC ) ^{1 / R} mod N; wherein the ownership proof is verifiable by VS

based on the content E _VC or another identifier associated with E _VC , VS can then assign the internal endpoint address E _VC and initiate the VPN connection using the endpoint address based key agreement protocol with the endpoint addresses E _VS and E _VC . The VPN client according to one or more of the preceding VPN client claims, wherein the assignment of the private key D (F (E _VC )) by means of a (local) DHCP server or a key server. The VPN client according to one or more of the preceding VPN client claims, wherein by using the matching to an endpoint address E _VC private key D (F (E _VC )) it communication device VC is possible without further passwords or certificates a VPN Connection with a VPN server VS. A digital disk that has a data structure includes when loading into the computer a procedure after a or more of the foregoing method claims.