The setup of a session key between two entities of a communication network is a fundamental prerequisite for the implementation of the great majority of cryptographic services that are intended to provide security for exchanges between these entities. Thus, the protection of interchanged data against attacks aiming to modify said data or simply to gain knowledge thereof is generally reliant on symmetrical cryptographic primitives, in which the entities communicating with one another use the same key for sending (ciphering, integrity protection) and receiving (deciphering, checking integrity) a message.
The setup of a session key is a procedure that is intended to take place numerous times over the life of a communicating entity. A new symmetric key must be used for every secure exchange with every new correspondent. These correspondents are all the more numerous when the entity participates in a scenario promoting interactions between members, for example one of the Wireless Sensor Network (WSN), Machine to Machine (M2M) or Internet of Things (IoT) type. Furthermore, a session key has a limited lifetime and must regularly be refreshed. Thus, the procedure implemented for setting up a session key is particularly important and requires careful design.
Several parameters need to be considered for judging the quality of a session key setup protocol. Firstly, the security of the protocol must be guaranteed: the confidentiality of the key that is set up and the mutual authentication of the two correspondents must be ensured. Added to this are other security parameters, such as protection against denial of service attacks, which protects the entities involved in the execution of the protocol against attacks that aim to exhaust their power and/or system resources. Secondly, the session key setup protocol must be efficient in terms of required bandwidth and power consumption, particularly with regard to the cryptographic computations that are implemented. This second criterion is particularly important when the session key setup protocol needs to be implemented by entities that have only small power resources, such as a battery, or only low computation and/or memory capacity. Finally, the protocol can provide additional functionalities, such as interoperability of the authentication mechanisms between two nodes implementing it, the possibility of centralized control over the exchange of keys and/or the possibility of centralized definition of security policies that accompany the keys that are set up.
Principally, three approaches have been developed for setting up session keys between two nodes.
The first family is key transport, which involves transporting, in a manner secured by encryption, one or more secret values from one of the two participants in a session to the other. These transportations of secret values can either take place in a single direction, this mode being known as “one-pass key transport protocol”, or can take place in both directions, this mode then being known as “two-pass key transport protocol”. The session key is then derived from these secret values.
The second family of solutions for setting up session keys is key agreement. This approach involves exchanging public values between the two nodes, from which a common session key is recovered by the two entities participating in the exchange without the exchanged public values needing to be deciphered. The main protocol known for “key agreement” is the Diffie-Hellman protocol. In terms of resources consumed, principally with regard to the power consumed for cryptographic operations, “key agreement” is a costly approach.
A third family of solutions for setting up session keys is key distribution. In this approach, a third entity often called a “trusted third party” intervenes to provide the other two participants with either a secret value that allows them to compute the session key or with the session key itself. However, key distribution likewise calls on direct exchanges between the two participants. This is because the latter have to provide evidence of their involvement in the protocol, establish the freshness of the messages that they send and prove that they know the secret that is established. Key distribution, although a solution that is simple to implement and that is lightweight in terms of cryptographic operations required and power consumed, has disadvantages that have not yet been resolved by existing solutions.
Well known “key distribution” solutions are those of Needham and Schroeder, the Kerberos protocol and the MIKEY-Ticket approach.
The Needham and Schroeder key transport protocol, which is presented in the document “Using encryption for authentication in large networks of computers”, Communications of the ACM, volume 21, number 12, 1978, consists of five messages exchanged between two entities, an initiator (I) and a responder (R), that each share a ciphering key with a trusted third party (TC). The exchange of the five messages is shown in FIG. 1. One of the major problems of the Needham and Schroeder protocol is an impersonation attack in which an attacker pretends to be the initiator and replays the third message (Message3) sent from the initiator to the responder. An attacker who knows the session key generated by the trusted third party for that earlier session can then decipher the fourth message and usurp the session by sending the last message.
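The five-message exchange described above, simulated end to end, as an added example that is not part of the patent text: the trusted third party issues the session key K_s to the initiator together with a ticket {K_s, I}K_R, and the responder proves possession of K_s with the nonce round trip (Message4/Message5), which is the "evidence of involvement, freshness and proof of the secret" that the key distribution family requires. The authenticated encryption (`seal`/`unseal`, HMAC-SHA256 keystream plus encrypt-then-MAC tag), the one-byte identities and the fixed field lengths are assumptions of this example, not anything specified by the original protocol.

```python
import hmac, hashlib, os

def _ks(key, nonce, n):  # HMAC-SHA256 in counter mode, used as a toy keystream
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key, pt):  # encrypt-then-MAC, output = nonce || ciphertext || tag
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):  # rejects any modification of nonce or ciphertext
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct))))

# Assumed framing: 1-byte identities, 16-byte nonces, 32-byte session key.
def tc_issue(k_i, k_r, msg1):
    """TC handles Message1 = I || R || N_I and returns Message2 = {N_I, R, K_s, {K_s, I}K_R}K_I."""
    ident_i, ident_r, n_i = msg1[:1], msg1[1:2], msg1[2:18]
    k_s = os.urandom(32)
    ticket = seal(k_r, k_s + ident_i)                 # {K_s, I}K_R, 81 bytes
    return seal(k_i, n_i + ident_r + k_s + ticket)

def initiator_msg2(k_i, n_i, ident_r, msg2):
    body = unseal(k_i, msg2)
    if body[:16] != n_i or body[16:17] != ident_r:    # freshness and intended peer
        raise ValueError("Message2 does not match the request")
    return body[17:49], body[49:]                     # K_s and Message3 (the ticket)

def responder_msg3(k_r, msg3):
    body = unseal(k_r, msg3)   # the ticket itself carries no freshness, hence the replay problem
    k_s, ident_i, n_r = body[:32], body[32:33], os.urandom(16)
    return k_s, ident_i, n_r, seal(k_s, n_r)          # Message4 = {N_R}K_s

def _minus_one(n):
    return ((int.from_bytes(n, "big") - 1) % (1 << 128)).to_bytes(16, "big")

def initiator_msg4(k_s, msg4):
    return seal(k_s, _minus_one(unseal(k_s, msg4)))   # Message5 = {N_R - 1}K_s

def responder_msg5(k_s, n_r, msg5):
    return hmac.compare_digest(unseal(k_s, msg5), _minus_one(n_r))

def run():  # full exchange with freshly generated long-term keys shared with TC
    k_i, k_r, n_i = os.urandom(32), os.urandom(32), os.urandom(16)
    msg2 = tc_issue(k_i, k_r, b"IR" + n_i)
    k_s_i, msg3 = initiator_msg2(k_i, n_i, b"R", msg2)
    k_s_r, ident_i, n_r, msg4 = responder_msg3(k_r, msg3)
    return k_s_i == k_s_r and ident_i == b"I" and responder_msg5(k_s_r, n_r, initiator_msg4(k_s_i, msg4))
```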
The standardized Kerberos protocol described in the document by Kohl and Neuman “The Kerberos network authentication service”, September 1993, is illustrated in FIG. 2 and is based on the exchange of four messages. The first two messages are exchanged between the initiator and the trusted third party. The last two messages are exchanged between the initiator and the responder. A disadvantage of the Kerberos protocol is that it is not symmetrical with respect to the initiator and the responder. The trusted third party has no assurance that the responder has actually been contacted or has actually agreed to participate in the secure transaction. In fact, the Kerberos protocol has limited applications and is rather intended to allow access from an initiating client to a resource that is assumed not to be subject to malicious behavior, such as a printer or a file server, for example.
A known improvement to the Needham and Schroeder protocol is the Otway and Rees protocol illustrated in FIG. 3 and described in the same authors' document “Efficient and timely mutual authentication”, 1987. However, this protocol still has the disadvantage that the trusted third party interacts directly with only one of the two participants, in this case the responder.
The patent WO 2009/070075 A1 from Blom et al. entitled “Key management for secure communication” presents a method for setting up session keys for secure communications between two entities. The method relies on the MIKEY-Ticket key distribution protocol specified in RFC 6043 from Mattsson and Tian, “MIKEY-Ticket: Ticket-based modes of key distribution in Multimedia Internet KEYing (MIKEY)”. The key management is based on a centralized key management trust service where the initiator and the responder each share a common key with a trusted third party.
In fact, owing to its design, this protocol can be the target of denial of service attacks. A person skilled in the art knows the various forms of denial of service attacks. An attacker can carry out a denial of service by exploiting implementation errors in communication protocols, for example if the protocol used is implemented so that the nodes block when they receive unknown data. An attacker will then be able to carry out a denial of service attack by sending messages containing erroneous fields to the responder, its target. Another way of carrying out a denial of service is to start a communication with the target and then stop sending messages, so as to block the target in a state of waiting for acknowledgement and to saturate its reception stack. Finally, the denial of service can be distributed by using several attackers at the same time in order to saturate the target as quickly as possible and to make it difficult to trace the attacker.
Thus, known approaches, although providing alternative solutions for setting up session keys, do not meet all the security needs that are expected for a session key setup protocol owing to their disadvantages.
The proposed invention allows these needs to be met.