The invention relates to a method and a system for transmitting data from a transmitter to a receiver, and to the transmitter and the receiver therefor.
The transmission of data is known, by way of example, on the basis of the OSI reference model as described in Andrew S. Tanenbaum, Computer-Netzwerke; Wolfram's Fachverlag, Attenkirchen 1992, pages 17-32. The OSI reference model (OSI model for short) from the International Standards Organization (ISO) has seven layers, each of which has a different functionality (in terms of abstraction). In the OSI model, layer 1 corresponds to a physical layer, where data and messages are transmitted from the transmitter to the receiver using a physical protocol. In layer 2, a data link layer is provided, and a data link protocol is used for transmission from layer 2 of the transmitter to layer 2 of the receiver. In a similar manner, layer 3, a network layer, uses a network protocol between transmitter and receiver, and layer 4, a transport layer, uses a transport protocol. In the OSI model, layer 5 corresponds to a session layer using a session protocol, layer 6 corresponds to a presentation layer using a presentation protocol, and layer 7 corresponds to an application layer using an application protocol. In practice, many applications do not always permit strict boundaries to be drawn exactly between the upper protocol layers, particularly layers 5 to 7. By way of example, within the context of Internet telephony, i.e. use of the telephone service using the medium of the Internet, the three layers above the transport layer 4 combine to form an “application layer” for which, in a similar way to the explanations above, an “application protocol” is used.
A special feature of the OSI model and hence of all communication models following the OSI model is that, as a result of the division into layers, in each layer the bottom layers perform functions fully transparently with regard to the currently considered layer and provide this upper layer with a service which is determined by all of the functionalities of the bottom layers. In this context, “transparent” means that the currently considered layer does not need to concern itself with the functionalities of the bottom layers. In the case discussed here, the application protocol can thus be used between an application layer transmitter and an application layer receiver. This may cover numerous services, for example for switching, for protection or for actual transmission via a physical channel; these need no longer be a concern from the point of view of the application protocol, particularly as a user of this protocol.
Similarly with respect to this consideration, the individual layers have “protocol data units” (PDUs) between them which can be designed specifically for each protocol of the respective layer. Thus, for each layer, the respective protocol can comprise a dedicated header containing administrative information for the respective layer's protocol, with this header also being able to be seen and used only by the respective protocol's layer in accordance with the OSI model. Details about the design of the OSI model can be found in numerous pieces of literature, inter alia in those cited above.
When referring to application layer below, this denotes the layers above the transport layer (layers above 4). The application protocol also denotes the protocol for communication between a transmitter application layer situated above the transport layer and a receiver application layer situated above the transport layer.
A message authentication code (MAC) is known generally and denotes a cryptographic checksum which is intended to be used to identify an alteration in a message or in data (see Christoph Ruland, Informationssicherheit in Datennetzen (which translates as Information Security in Data Networks), DATACOM-Verlag; Bergheim, 1993, pp. 61-63 and 68-79).
A one-way hash function is known from Ruland, pp. 68-79, for example. With such a one-way hash function, it is not possible to calculate a matching input value for a given function value. Another feature is the absence of collisions, i.e. it must not be possible to find two different input values for which the one-way hash function yields the same output value.
One difference between the hash code and the MAC is that the MAC requires a secret key in order to calculate it, whereas the hash function can be independent of a key and can be known publicly.
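The difference between an unkeyed hash code and a MAC, as an added example that is not part of the original text. HMAC-SHA-256 stands in for the MAC (the text names no specific construction), and the key, the messages and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample key, known only to transmitter and receiver (assumption).
SHARED_KEY = b"constructed-demo-key"

def hash_code(message: bytes) -> bytes:
    """Unkeyed checksum: computable by anyone who knows the public algorithm."""
    return hashlib.sha256(message).digest()

def mac(key: bytes, message: bytes) -> bytes:
    """Keyed checksum: computable only with the secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()

def accepts_hash(message: bytes, checksum: bytes) -> bool:
    return hmac.compare_digest(hash_code(message), checksum)

def accepts_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, message), tag)

def compare_checks() -> dict:
    """Run the same three situations against both kinds of checksum."""
    original = b"seq=17;payload=frame-A"   # constructed message
    altered = b"seq=17;payload=frame-B"    # constructed altered message
    return {
        # Unmodified message: both checks accept.
        "hash_honest": accepts_hash(original, hash_code(original)),
        "mac_honest": accepts_mac(SHARED_KEY, original, mac(SHARED_KEY, original)),
        # Message altered, checksum left as it was: both checks detect it.
        "hash_altered": accepts_hash(altered, hash_code(original)),
        "mac_altered": accepts_mac(SHARED_KEY, altered, mac(SHARED_KEY, original)),
        # Message altered and checksum recomputed by a party without the key:
        # the public hash can be recomputed, the MAC cannot.
        "hash_recomputed": accepts_hash(altered, hash_code(altered)),
        "mac_recomputed": accepts_mac(SHARED_KEY, altered, mac(b"not-the-key", altered)),
    }

if __name__ == "__main__":
    for name, accepted in compare_checks().items():
        print(f"{name:16s} accepted={accepted}")
```

Only the keyed checksum ties the message to a party that holds the key; the unkeyed hash detects accidental or unaccompanied alteration but not a substituted message with a fresh checksum.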
In addition, an asymmetric cryptographic method (also: public key method) is known, e.g. from Ruland, pp. 73-79. Each party involved in an asymmetric cryptographic method receives two keys, a public key and a secret (or private) key. In principle, the secret key can be derived from the public key, with this task needing to be as complex as possible. The asymmetric method can also be used to produce an electronic signature (authentication) and/or to encrypt the content of a message (using the receiver's public key) such that only the receiver can decrypt the message again using its secret key.
Finally, there is also a symmetric method, which requires a (secret) key used both for encryption and decryption. An example of a symmetric encryption method is the DES algorithm.
A communication system is subject to a multiplicity of possible attacks which can target, inter alia, the content of the messages interchanged in the communication system or the availability of the communication system. Taking the example of Internet telephony, it is firstly important that the content of the telephone conversation cannot be monitored by an unauthorized third party, and secondly it is also necessary that the third party cannot initiate countless calls and thereby interfere with the receiver and unnecessarily encumber the communication system. Such attacks are also called denial-of-service attacks. Possible examples of such attacks are mass data or mass messages which are automatically generated and sent to one or more receivers, where they significantly impair availability and performance. In the Internet telephony example, it is at least unwanted for an Internet telephone to ring incessantly and hence not only to load the network unnecessarily but also to distract the receiver's attention. It is likewise perceived to be disruptive if an attacker interferes with the flow of communication between transmitter and receiver by sending unauthorized voice data.
To fend off attacks on a private communication network, “firewalls” are often used which ensure, in particular, that the private communication network is separated from public networks. However, it is a simple matter for an attacker to send his meaningless (mass) data to addressees within the private network as well, that is to say behind the firewall. There, these data are decoded and possibly reproduced. Thus, the effect achieved by the attacker is that, by way of example, the reproduction of such meaningless data produces nothing but annoying audio interference or noise and hence restricts the bandwidth and availability of the private network. In the extreme case, part or all of the private communication network can even crash.
In addition, an RTP protocol for transmitting media data (“payload”), i.e. video or audio data, is known from H. Schulzrinne: RTP: A Transport Protocol for Real-Time Applications; Internet Engineering Task Force, RFC1889, 1996.
One approach to holding off unwanted data is provided by the IPSEC protocol described in S. Kent, R. Atkinson; IP Authentication Header, Internet Engineering Task Force, RFC2402, 1998 and S. Kent, R. Atkinson; IP Encapsulating Security Payload (ESP), Internet Engineering Task Force, RFC2406, 1998. In this case, data packets of the Internet protocol (IP data packets) can be encapsulated and can be protected in terms of confidentiality and/or integrity (implicit sender authentication). In addition, the IPSEC protocol affords a key management method using a “cookie” mechanism (see D. Harkins, D. Carrel, The Internet Key Exchange (IKE), Internet Engineering Task Force, RFC2409, 1998), which can be used to fend off the mass data attacks (denial-of-service attacks) discussed above during the key management phase. The cookie mechanism involves linking fast one-way hash functions (e.g. SHA-1), random numbers and IP addresses to one another. However, the first “cookie” transmitted from the transmitter to the receiver is not protected, which results in a security gap. In addition, the IPSEC cookie method is not suitable for ensuring protection against such unwanted mass data on the application layer (for the application protocol) under real-time conditions as well. However, the OSI layer structure means that a drawback for IPSEC is, among other things, that it is not possible to link IPSEC to the security functions of an application layer in this manner.
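A simplified cookie of the kind described above, linking a one-way hash, a locally generated random secret and the peer's IP address, as an added example that is neither code from this document nor the IKE specification's exact procedure. Assumptions: SHA-256 replaces the SHA-1 named in the text, the class name, the 60-second time bucket and the 8-byte cookie length are illustrative, and the addresses are constructed from documentation ranges.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

COOKIE_LEN = 8        # bytes kept from the hash output (assumption)
BUCKET_SECONDS = 60   # granularity of the cookie lifetime (assumption)

class CookieResponder:
    """Issues and checks cookies without storing any per-peer state."""

    def __init__(self, secret=None):
        # Random number known only to this responder.
        self._secret = secret if secret is not None else os.urandom(32)

    def _cookie(self, peer_ip: str, peer_port: int, bucket: int) -> bytes:
        addr = ipaddress.ip_address(peer_ip)
        # Fixed-width fields so that distinct inputs never encode identically.
        material = (self._secret
                    + bytes([addr.version])
                    + addr.packed.rjust(16, b"\x00")
                    + struct.pack("!Hq", peer_port, bucket))
        return hashlib.sha256(material).digest()[:COOKIE_LEN]

    def issue(self, peer_ip: str, peer_port: int, now: float) -> bytes:
        return self._cookie(peer_ip, peer_port, int(now) // BUCKET_SECONDS)

    def verify(self, peer_ip: str, peer_port: int, cookie: bytes, now: float) -> bool:
        # Accept the current and the previous bucket, then expire.
        bucket = int(now) // BUCKET_SECONDS
        return any(
            hmac.compare_digest(self._cookie(peer_ip, peer_port, b), cookie)
            for b in (bucket, bucket - 1)
        )

def cookie_checks() -> dict:
    responder = CookieResponder(secret=b"\x01" * 32)  # constructed fixed secret
    t0 = 1_000_000                                     # constructed timestamp
    cookie = responder.issue("192.0.2.10", 5060, t0)
    return {
        "length": len(cookie),
        "same_peer": responder.verify("192.0.2.10", 5060, cookie, t0 + 30),
        "other_address": responder.verify("198.51.100.7", 5060, cookie, t0 + 30),
        "expired": responder.verify("192.0.2.10", 5060, cookie, t0 + 300),
    }

if __name__ == "__main__":
    print(cookie_checks())
```

The responder does expensive work only for a peer that returns a cookie it could have received only at the address it claims; the check itself costs one or two hash computations and no stored state.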