The present invention relates to a method for key agreement for a cryptographically secured point-to-multipoint connection.
The increased use of the Internet also involves the risk of misuse and/or manipulation of the multitude of sometimes sensitive data that is exchanged over the Internet. The majority of Internet users and, of course, even more so the experts are aware of the fact that the Internet has to be considered an unsafe environment in this respect. However, in order to expand the possible uses of the Internet in spite of this, there is an increasing demand for solutions for secure data transmission. Solutions are required which ensure the confidentiality, integrity and authenticity of data. Due to the technical nature of the Internet as a network which is open to everybody, protection of sensitive data in the form of a physical access barrier is not applicable. Therefore, the solution to the problem consists in encrypting the data that is passed over the Internet, at least to the extent that it is sensitive data or even generally, and in obtaining, in the course of this encryption, criteria for proving the authenticity of the respective data by processing the data in a suitable manner.
In this context, different approaches for securing client-server connections have already become known. A method for key agreement which is used in connections that allow secure data exchange and which, meanwhile, is relatively widespread, is the so-called “Secure Sockets Layer Protocol” (SSL), which, in its standard variant, is also known as “Transport Layer Security” (TLS). This protocol establishes the modalities for a connection between a client and a server in which the data is transmitted in encrypted form. Using the protocol, the client and the server agree on the encryption method to be used, on the session keys used for encryption while the connection is active, on authenticity criteria and, possibly, on further connection modalities such as, for example, methods for reducing the data volume by data compression. In this context, the advantage of the method is to be seen in that the SSL protocol seamlessly integrates into the OSI layer model for data transfer. In this respect, the protocol represents a transition (socket) which is transparent in both directions, preferably between the application layer and the transport layer according to the layer model. The SSL protocol is explained in greater detail, for example, by Stephen Thomas in “SSL & TLS Essential”, John Wiley & Sons, New York 2000, which is hereby incorporated by reference herein. The protocol will be discussed in greater detail later in the context of the explanation of the present invention.
As described, SSL/TLS was designed to secure point-to-point connections. This becomes clear, inter alia, from the fact that two of the three values (PremasterSecret, ClientRandom) from which the cryptographic key is ultimately derived are generated by the client. Therefore, it is not possible for the server to use the same key in its communication with each of several different clients. This fact makes it impossible for the SSL handshake, as is known from the standard SSL protocol, to be used in point-to-multipoint connections, with the server as the data source and a plurality of clients as data sinks. In many application cases, such IP multicast connections allow effective use of the bandwidth available in the network and, overall, an economical use of time and hardware resources. They are used, for example, in the streaming of audio/video data. Here too, however, there is of course a need for connections that are protected from misuse and manipulation. In this context, however, only proprietary solutions have become known so far, such as in connection with DVB (Digital Video Broadcast), which cannot readily be used for other purposes.
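The dependence of the key on client-generated values can be made concrete with the following added example, which is not part of the original text. It assumes the TLS 1.2 master-secret derivation of RFC 5246 (HMAC-SHA256 PRF) rather than the older SSL/TLS 1.0 construction, and all function names and random values are constructed for illustration.

```python
import hashlib
import hmac
import os


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash data expansion from RFC 5246, section 5, with HMAC-SHA256."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(premaster, "master secret", ClientRandom + ServerRandom)[0..47]."""
    return p_sha256(premaster, b"master secret" + client_random + server_random, 48)


def simulate_clients(n: int, server_random: bytes) -> list:
    """Each constructed client picks its own PremasterSecret and ClientRandom;
    the server contributes the same ServerRandom to every handshake."""
    secrets = []
    for _ in range(n):
        premaster = b"\x03\x03" + os.urandom(46)   # version bytes + 46 random bytes
        client_random = os.urandom(32)
        secrets.append(master_secret(premaster, client_random, server_random))
    return secrets


if __name__ == "__main__":
    server_random = os.urandom(32)  # the only input the server controls
    for i, ms in enumerate(simulate_clients(3, server_random)):
        print(f"client {i}: {ms.hex()[:32]}...")
```

Even with an identical ServerRandom, every client ends up with a different master secret, so a single encrypted stream cannot be decrypted by all receivers of a multicast group.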