The embodiments herein relate to a method and a system for manipulation-protected generation of a common cryptographic key between two nodes via a radio interface.
In near-field communication systems, such as Bluetooth, WLAN, ZigBee or WiMax, terminals communicate with each other via a radio interface. To protect the information transmitted via the radio interface against manipulation or eavesdropping by third parties, the information is transmitted between the nodes or terminals of the near-field communication systems in encrypted form. To do this, the terminals or nodes must create a common cryptographic key.
With near field radio systems end users must create the cryptographic key themselves and are not supported by any network operator in doing so. For private end users the configuration or the creation of a cryptographic key is cumbersome and prone to errors. Many end users have a tendency to create easily recognizable keys or passwords, for example “1234”, which can be discovered relatively easily by third parties.
Conventional security protocols for the creation of a common cryptographic key are known. They create a secret key that is known only to those actively involved in the protocol execution sequence, but not to an external passive (i.e. only eavesdropping) attacker. Two known security protocols are the Diffie-Hellman protocol for key negotiation and an anonymous, non-authenticatable variant of the SSL/TLS (Secure Sockets Layer/Transport Layer Security) security protocol.
Key negotiation according to Diffie-Hellman allows a key to be negotiated over an insecure channel. In such cases two subscribers A, B know two public values, a modulus m, i.e. a large prime number, and an integer g.
In the key negotiation, A initially chooses a large random number a and subsequently computes $X = g^a \bmod m$. The other subscriber B chooses a large random number b and computes $Y = g^b \bmod m$.
After subscriber A has sent the computed value X to the other subscriber B, this subscriber B computes a value $W_1 = X^b \bmod m$.
The subscriber B sends the computed value Y to the subscriber A. Subsequently the subscriber A computes the value $W_2 = Y^a \bmod m$. The values $W_1$, $W_2$ computed by the two subscribers A, B are both equal to $g^{ab} \bmod m$. The computed values $W_1$, $W_2$ represent the common secret key of the two subscribers A, B. This negotiated key S cannot be created by a third party without the knowledge of A, B. The reversal of the exponentiation executed by A, B demands an extremely large number of computing steps and takes a correspondingly long time. This characteristic ensures the secrecy of the negotiated common key $W_1 = W_2 = S$.
A common cryptographic key S negotiated in this way is safe from passive attacks by third parties, i.e. safe from eavesdropping by third parties. However, such creation of a secret key is not secure against an active attacker (man-in-the-middle) who manipulates the communication between the two subscribers when the key negotiation runs without authentication. In that case a “constructed” message may originate not from the supposed sender but from an unauthorized third party, and the receiver of the message is not in a position to notice this difference.
FIG. 1 shows a schematic diagram of an active attack by a third node during creation of a common cryptographic key S between two nodes K1, K2 in a conventional key negotiation protocol. The attacker A attempts, for example, to influence the execution sequence or the order of the messages exchanged in accordance with the security protocol such that, after execution of the security protocol, a security relationship between the first node K1 and the attacker A and a further security relationship between the second node K2 and the attacker A are configured, so that the attacker A is linked, without being noticed by the two nodes K1, K2, into the communication between the two nodes K1, K2 (man-in-the-middle).
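The following sketch is an added example, not part of the original text. It models the Diffie-Hellman negotiation described above and the situation of FIG. 1, showing that without authentication the nodes K1 and K2 end up holding two different keys, each shared with the third node. The modulus, the generator and all function names are assumptions chosen for illustration; the modulus is far too small for real use.

```python
import secrets

# Constructed demo parameters (assumptions): a Mersenne prime as modulus m
# and g = 3. Real deployments use standardized groups of 2048 bits or more.
M = 2**127 - 1
G = 3

def keypair(secret=None):
    """Return (private exponent x, public value g^x mod m)."""
    x = secret if secret is not None else secrets.randbelow(M - 3) + 2
    return x, pow(G, x, M)

def shared(own_private, peer_public):
    """Compute peer_public^own_private mod m (W1 or W2 in the text)."""
    return pow(peer_public, own_private, M)

def honest_exchange(a=None, b=None):
    """Undisturbed negotiation: A sends X, B sends Y, both derive S."""
    a, X = keypair(a)
    b, Y = keypair(b)
    W1 = shared(b, X)   # computed by B
    W2 = shared(a, Y)   # computed by A
    return W1, W2

def intercepted_exchange(a=None, b=None, e=None):
    """FIG. 1 model: X and Y are replaced in transit by the third node's Z.

    Neither K1 nor K2 can tell that Z did not come from its peer, because
    the exchanged values carry no authentication.
    """
    a, X = keypair(a)   # node K1
    b, Y = keypair(b)   # node K2
    e, Z = keypair(e)   # third node
    key_k1 = shared(a, Z)        # what K1 believes is the key with K2
    key_k2 = shared(b, Z)        # what K2 believes is the key with K1
    third_with_k1 = shared(e, X)
    third_with_k2 = shared(e, Y)
    return key_k1, key_k2, third_with_k1, third_with_k2

if __name__ == "__main__":
    w1, w2 = honest_exchange()
    print("honest exchange, keys match:", w1 == w2)
    k1, k2, t1, t2 = intercepted_exchange()
    print("K1 and K2 hold the same key:", k1 == k2)
    print("third node shares a key with each node:", k1 == t1 and k2 == t2)
```

The mismatch between the keys held by K1 and K2 is the observable property that an authenticated comparison of the negotiated key would expose.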