DE102007033846A1 - Cryptographic key generating method for encrypted digital communication between communication devices, involves converting end product address of communication device into part of key, and utilizing address for key agreement - Google Patents

Abstract

The method involves converting an end product address of a communication device (500) into a part of a cryptographic key by direct or indirect application of an inversion function of a non-returnable function with a falling board. The cryptographic key is public or private. The end product address is utilized for key arrangement, and inverse function of the non-returnable function is computation of radical in a circle, where the non-returnable function represents exponentials in the circle. Independent claims are also included for the following: (1) a device for generating a cryptographic key (2) a roaming device for executing a procedure for key agreement (3) a digital data carrier comprising instruction for executing a procedure for key agreement.

Description

The The invention relates to a method and an apparatus for generating of cryptographic keys, and in particular one Method for cryptographic key agreement in communication networks. Such a procedure is called a key agreement protocol denotes (Key Agreement Protocol).

Field of the invention

The Result of key agreement between two communication devices A and B is an authenticated shared cryptographic key S. for the encryption of the following Communication between both communication devices used can be. As a rule, the key S is a symmetrical one Key, because the encryption and decryption much faster due to symmetric encryption can be done. However, the problem is the agreement on this Key.

• [1] Die Schlüsseleinigung findet in einem nicht-vertrauenswürdigem Kommunikationskanal statt.
• [2] In einem nicht-vertrauenswürdigen Kommunikationskanal können die transportierten Nachrichten in jeglicher Art verändert und/oder abgehört werden.
• [3] Das Schlüsseleinigungsprotokoll sorgt dafür, dass der Schlüssel S ausschließlich den beiden Kommunikationsgeräten A und B bekannt wird.
• [4] Die Eigenschaften [2] des nicht-vertrauenswürdigen Kommunikationskanals dürfen die Anforderungen [3] an das Schlüsseleinigungsprotokoll nicht gefährden.
• [5] Keines der existierenden Schlüsseleinigungsprotokolle mit der Eigenschaft von Aspekt [1] erfüllt den Aspekt von [3], da Man-in-the-Middle Angriffe nicht erkannt werden können. Ein Man-in-the-Middle Angreifer steht zwischen beiden Kommunikationsgeräten und kann die zwischen beiden Kommunikationsgeräten ausgetauschten Nachrichten einsehen und manipulieren; er kann den Kommunikationspartnern das jeweilige Gegenüber vortäuschen, ohne dass sie es merken.

Here are the following five aspects to consider:

• [1] The key agreement takes place in a non-trusted communication channel.
• [2] In a non-trusted communication channel, the transported messages can be changed and / or intercepted in any way.
• [3] The key agreement protocol ensures that the key S is known only to the two communication devices A and B.
• [4] The properties [2] of the untrusted communication channel shall not jeopardize the requirements [3] on the key clearance protocol.
• [5] None of the existing key agreement protocols with the property of aspect [1] satisfies the aspect of [3] since man-in-the-middle attacks can not be detected. A man-in-the-middle attacker stands between both communication devices and can view and manipulate the messages exchanged between the two communication devices; He can pretend to the communication partners the respective counterpart, without them noticing it.

in the Generally, key agreement protocols work with public and private cryptographic keys.

each Communication device has a public and a private cryptographic key.

There the claimed identity of the owner of a public Key within an untrusted Channels can not be verified for sure are Man-in-the-Middle Attacks in these key agreement protocols possible.

The Problem exists in the lack of possibility of authentication the public key.

The Authentication of the public key takes place therefore in key agreement protocols that are not the property from aspect [5], namely the possibility man-in-the-middle attack, out-of-band of the communication channel.

A Authentication of the public key requires additional furnishing and operating expenses, additional Communication or in some cases is not feasible.

State of the art

It follows an overview of existing techniques for the authentication of cryptographic (public) Keys, with reference to the bibliography, what is attached as an attachment.

Key agreement protocols as the Diffie-Hellman protocol (bibliography V1a) ensure the agreement on a common key without prior Distribution of keys or other secrets outside of the communication channel. The Diffie-Hellman protocol protects however, it does not preclude man-in-the-middle attacks that are already in progress the key agreement. To prevent such attacks is the authentication of the public key over Certificates issued outside the communication channel carried out by means of a "Public Key Infrastructure" (PKI).

logs from the category of "Public Key Cryptography" like that RSA cryptosystem (Bibliography Pf) allow the safe Sending messages (including symmetric keys), in which the messages with the public key of the communication partner are encrypted. Such Systems offer protection against man-in-the-middle attacks from the very beginning the communication are active as long as the public Key before outside the communication channel were distributed. For this purpose z. B. a PKI infrastructure required (bibliography Pg or Ph). Another Protocol that requires an "out-of-band" mechanism beforehand thus later the authentication of the public key is possible, z. As the interlock protocol (bibliography V2c or Pi, Pb). Unlike the protocols of this category becomes the effort to operate a PKI with the method patented here avoided.

cryptosystems from the categories "Identity-Based Encryption" (IBE) and "Certificateless Cryptography (CC) does not require a public key infrastructure to exchange public keys of Persons, because of the identity (eg the e-mail address) a person calculates the public key can be. As examples here are the patents Pc, Pd or the Publication called V3b. In IBE systems come key generators used in a "Private Key Infrastructure" for the distribution of private keys on demand be used. Unlike the personal identities in IBE or CC cryptosystems are in the here to be patented Method Endpoint addresses of communication devices or the software running on it. Furthermore, the operation a private key infrastructure is not absolutely necessary, since the private key with the allocation of the endpoint address can be awarded.

at Procedures in the Key Agreement Protocols with Public Discussion category two communication partners agree on a common key within an insecure communication channel after both over have received a public source random numbers. Examples are the publication (bibliography V5a) or the document according to bibliography Pe. Man-in-the-middle attacks can be used in these procedures can not be prevented.

The Protocol in patent Pa (see appendix) uses hash values of IP addresses, to make sure a user logs in to a central server legitimate logs in, where he is already registered. The procedure requires a previous "out-of-band" mechanism to transfer a user password. The procedure is not a key initiation protocol, and the IP address is not used as a public key. IP spoofing can not be prevented. Man-in-the-middle attacks, where the attacker is the IP address of the initiator of a communication used are not prevented.

The ZRTP Protocol (bibliography L1), an extension of the RTP = Real-time transport protocol, is secure as a man-in-the-middle Protocol in the Voice over IP area. The authentication takes place here via the verbal exchange of a "key fingerprint", after being connected to his interlocutor.

Overview of the invention:

task The invention is key to implementation to provide a key agreement protocol an authentication of public keys takes place in the same communication channel.

Solved This object is achieved by a method and a device with the features of one or more of the independent claims.

The invention is based on the idea of including the endpoint addresses E _A and E _{B of} the communication devices A and B in the key agreement protocol.

each Communication device has an endpoint address, because without this no communication with the communication device possible would.

Examples of endpoint addresses are: IPv4 / IPv6 addresses in the Internet Protocol, MAC addresses of network adapters, fixed line / mobile telephony numbers, SIP addresses in IP telephony. In the case of wirelessly communicating vehicles in traffic, the vehicle identifiers are endpoint addresses, and in the case of "mini-computers" equipped electronic ID cards, passports and smart cards, the identification numbers are endpoint addresses, in which case the communication is via a corresponding Reader is done with a remote computer.

The Today's communication infrastructures already provide efficient and secure mechanisms available to the endpoint address of a communication device.

Examples for these mechanisms are: Secure Domain Name Service (DNSsec), ARP-based protocols, directories, central SIP server, the (sensory) reading of license plate number plates and the (sensory) reading of identification numbers on electronic ID cards, passports and chip cards.

There without this secure endpoint address resolution at all no communication with a communication device possible would be, such endpoint address resolution assumed and used in the invention.

The Invention is based on that each endpoint address into a unique natural number can be transferred. An example would be the conversion of the IPv4 address 137.248.13.5 in the natural number 137248013005; this applies analogously for all other mentioned examples of endpoint addresses.

It follow some definitions to better understand the Invention.

Endpoint address:

A Endpoint address is an identifier or an identification number a communication device that can be used to establish communication with this device, such as z. An IPv4 / IPv6 address, MAC address, telephone number, SIP address, a vehicle registration number or an identification number on electronic ID cards, passports and chip cards. Unlike purely personal Identities bind to an endpoint address a communication device or software running on it where. The endpoint address should be for the recipient be apparent from the received information.

One-way function with trapdoor ("trapdoor-oneway-function"):
A trap-type one-way function is a function L whose function value L (x) = y is computable in polynomial time for a given x, but where computing the inverse function L ^-1 (y) = x requires exponential time computation. Only with knowledge of a key S (the "trap door") can the calculation of the inverse function be performed in polynomial time.

Note: The existence of one-way functions (with trapdoor) is so far has not been proved mathematically, as the proof of the Inequality of the complexity classes P and NP not yet was provided. However, there are functions that you suspect that they have the required property.

basis of the invention of the underlying method is the product N of two primes P and Q.

For the algorithm irrelevant, but for security important in the process is the order of magnitude the prime numbers P and Q and the prime factorization of P - 1 and Q - 1.

The Binary representation of P and Q should be one of the current ones Capacity of computers corresponding number of bits (eg in 2007> = 512 bits). One speaks in this case of "safe magnitude".

In the prime factorization of both P - 1 and Q - 1 should have at least one prime in a safe order occurrence.

Be G is a non-divisive number of order e.

The order of a number G with respect to another, divisive number N is defined as the smallest number e for which holds: G e Mod 1 mod N

• [6] Sei R > 1 eine natürliche Zahl, dann wird P und Q so gewählt, dass gilt: GCD(R, P – 1) = GCD(R, Q – 1) = 1, mit GCD = Greatest Common Divisor.

Since e divides the number (P - 1) (Q - 1), G should be chosen such that e has a prime factor of "safe order".

• [6] Let R> 1 be a natural number, then choose P and Q such that GCD (R, P - 1) = GCD (R, Q - 1) = 1, with GCD = Greatest Common Divisor.

• [7] Das heißt, für jedes v, 0 < v < N, existiert eine eindeutige natürliche Zahl d, mit d^R ≡ v mod N. Diese eindeutige Abbildung wird als Funktion D(v) ≡ v^1/R mod N bezeichnet.

If P and Q are chosen as described in [6], then for every natural, natural number N of n, there exists an Rth root.

• [7] That is, for every v, 0 <v <N, there exists a unique natural number d, with d ^R ≡ v mod N. This unique mapping is called a function D (v) ≡ v ^{1 / R} mod N.

The function D (·) belongs to the class of presumed one-way functions, where D (·) here corresponds to the inverse function L (·) ^-1 , which can only be calculated in exponential time.

There there exists for each v such a unique number d exists also for each converted endpoint address one, unique number d.

If E _A , E _{B are} two endpoint addresses then let F (E _A ) and F (E _B ) be the endpoint addresses each converted to a unique natural number, with F (.) <N.

Let D (F (E _A )) and D (F (E _B )) be the corresponding unique numbers from [7] for the endpoint addresses E _A and E _B.

The allocation of the numbers D (F (E _A )) and D (F (E _B )) to the communication devices A and B can take place via various routes. For example, this can be done at an IP address via a (local) DHCP server or a (local) key server, using secure communication.

Here For example, the key server can be exploited knows the factorization of N. Thus, a communication device could with methods such. B. the RSA encryption the key server to provide a symmetric key through which the award is secured. With a MAC address, this can be direct in the manufacture of the network adapter, in a mobile device on delivery of the SIM card, with a SIP address via a SIP server, with a vehicle license plate over the Approval office and with an identification number on electronic ID cards, passports and chip cards are issued when they are awarded.

• [8] Zu Beginn des vorgeschlagenen Schlüsseleinigungsprotokolls sind dem Kommunikationsgerät B die Funktion F(·) und folgende Zahlen bekannt: N, G, R, E_B, F(E_B), D(F(E_B)). Zusätzlich besitzt B noch eine private Zufallszahl Z_B.
• [9] Die Zahlen N, G, R und die Funktion F(·) sind öffentliche Parameter des der Erfindung zugrunde liegenden Verfahrens; der private Schlüssel von Kommunikationsgerät A ist D(F(E_A)), der öffentliche Schlüssel von A ist
  
  Dies gilt analog für Kommunikationsgerät B.

At the beginning of the proposed key agreement protocol, the communication device A is aware of the function F (·) and the following numbers: N, G, R, E _A , F (E _A ), D (F (E _A )). In addition, A still has a private random number Z _A.

• [8] At the beginning of the proposed key agreement protocol, the communication device B is aware of the function F (·) and the following numbers: N, G, R, E _B , F (E _B ), D (F (E _B )). In addition, B still has a private random number Z _B.
• [9] The numbers N, G, R and the function F (·) are public parameters of the method on which the invention is based; the private key of communication device A is D (F (E _A )), which is A's public key
  
  This applies analogously to communication device B.

The Key agreement between two communication devices A and B works the following way, where A is the key agreement initiated.

• [10] A sendet eine Nachricht an B, welche den öffentlichen Schlüssel aus Abs[9] enthält:
  
  und zusätzlich E_A als Absender-Adresse.

A as an initiator uses the existing communication infrastructure to obtain the endpoint address E _{B of} the communication device B. A now has E _B.

• [10] A sends a message to B containing the public key from [9]:
  
  and additionally E _A as sender address.

• [11] B berechnet
  
• [12] B schickt anschließend
  
  an die Endpunktadresse E_A.

After B has received the message, B extracts the endpoint address E _A from the message and calculates F (E _A ).

• [11] B calculated
  
• [12] B then sends
  
  to the endpoint address E _A.

A already has E _B and therefore does not need to extract E _B from the message.

A calculated

A and B now both have the key S as a result of Execution of the key agreement protocol.

One important aspect is the verification or verification the legitimate possession of endpoint addresses.

nachzuweisen und von Kommunikationsgerät B überprüfen zu lassen. Beides gilt analog für Kommunikationsgerät B. Dies verhindert, dass ein Kommunikationsgerät eine Endpunktadresse vortäuscht, die ihm nicht zugeordnet wurde.By using the matching to an endpoint address E _A private key D (F (E _A )), it is possible for communication device A to prove the legitimate possession of his endpoint address E _A or to be checked by communication device B. It also makes possible the authenticity of the public key

and have it checked by communication device B. Both apply analogously to communication device B. This prevents a communication device from pretending an endpoint address that was not assigned to it.

For example is the sending of IP packets with fake, fake Source IP address known as IP spoofing.

The Procedure for preventing such fake endpoint addresses follows the scheme of so-called zero-knowledge proofs.

With A Zero-Knowledge Proof makes it possible for someone to prove that you are in possession of a secret, without the secret to betray.

A simple example would be: A person X claims to have found an algorithm that could factorize any number. X wants to prove this to a person Y, without whom X tells the person Y the algorithm. Now, if Y sends several numbers to person X and then person X returns the prime factorization, Y will attest to the knowledge of such an algorithm after only a few correct results of person X have been obtained. The secret for which a communication device A should provide ownership proof in the method of the invention is D (F (E _A )).

to Prevention of replay attacks is still in the ownership-proof used a nonce μ. A nonce (English number used only once) is a number that is used only once. For example a random number or timestamp can be a nonce.

According to [7], D (F (E _A )) is the Rth root of F (E _A ). As a prerequisite, it must hold that R does not share the number μ. However, this is easy to achieve since R, apart from the requirement stated in [6], has no other conditions. Furthermore, μ can also be replaced / concatenated by / to a hash value of a message, whereby non-repudiation proof is given for the message. This allows the recipient of a proof of ownership and the associated message to prove that the message came from A.

For possession proof, A chooses a random number W _A.

• [13] Schickt nun ein Kommunikationsgerät A einen Besitz-Beweis für E_A unter Angabe der Endpunktadresse E_A als Absenderadresse einem Kommunikationsgerät B zu, so überprüft B den Besitz-Beweis mittels
  
  Falls die Überprüfung aus [13] korrekt ist, so ist A im rechtmäßigen Besitz von E_A.

The ownership proof is now the following triple:

• [13] Now sends a communication device A possession proof for E _A , stating the endpoint address E _A as a sender address to a communication device B, so B checks the ownership-proof means
  
  If the check in [13] is correct, then A is in the legitimate possession of E _A.

By This approach provides a number of advantages of the invention over the prior art.

So prevents the procedure man-in-the-middle attacks, without one previous exchange (English: Pre-Exchange) between the communication partners necessary is.

One By definition, Pre-Exchange is a prior exchange of one Message between two communication partners to communicate with in the Message contained prior knowledge after a man-in-the-middle To discover attack.

In In accordance with the present invention, private keys become common with the assignment of the endpoint address to each communication device output.

It There is no exchange between the communication partners.

It There is no exchange for knowledge about the public key of the communication partner provides.

It So this is not a pre-exchange.

Alone exploiting the existing communications infrastructure to gain access the endpoint address of the communication partner is sufficient for a secure connection.

Without Obtaining the endpoint address is a communication in general impossible.

The prevention is done by the following facts:
A man-in-the-middle attacker can not generate the value from Abs [12] because he can not create the private key D (F (E _B )) at the A known endpoint address E _B.

The Procedure is a Public Key Infrastructure (PKI) attached to communication devices managed bound keys, superior.

Would you have a PKI or certificates for the authentication of public Keys instead of the invention of the underlying Select method, so you lift the union between the endpoint address and the public key a communication device.

you gets two objects (certificate & endpoint address), which you get over manage two different infrastructures.

This means: higher communication costs, higher Administrative burden and higher costs.

Further the fake possession of an endpoint address is prevented.

By the presence of a private key for an endpoint address may be the lawful possession an endpoint address are checked. The verification follows the scheme of a zero-knowledge proof. This prevents For example, IP spoofing in IP-based networks.

Brief Description:

The The following figure description is for better understanding the detailed description below.

1 shows the procedure before starting the key agreement;

2 shows the general procedure of the key agreement

3 shows the process for a mobile network

4 shows the process for an IP network

5 shows the process for a VoIP network based on SIP

6 shows the process at the MAC level

7 shows the procedure in an IP network with a NAT router

8th shows the procedure for setting up a virtual private network (VPN).

9 shows the procedure for license plates on number plates.

10 shows the procedure for identification numbers on electronic ID cards, passports and chip cards.

Description of the embodiments:

1 explains the procedure before starting the key agreement. 500 . 501 are the two communication devices. 502 . 503 symbolize ownership of the endpoint addresses E _A and E _B. In 504 . 505 the unique number F (E _A ) and F (E _B ) is calculated. In 506 . 507 Both communication devices are assigned their unique private keys D (F (E _A )) and D (F (E _B )). In 508 . 509 the communication devices generate their random numbers Z _A and Z _B.

2 shows the general procedure of the key agreement. 500 . 501 are the two communication devices A and B. 510 . 511 are the public keys of A or B. 512 . 513 symbolize the calculations performed by A and B, respectively.

3 shows the procedure for a mobile radio network: (1) The public parameters N, G, R, F (.) and the private key D (F (E _A )) and D (F (E _B )) are stored on the SIM card. Card saved. This is done by the communications provider when the SIM card has been assigned to a telephone number; (2) The SIM cards are inserted in the phones; (3) If a communication subscriber wishes to call another communication subscriber with the mobile telephone B with the mobile telephone A, the telephone number of B is looked up in the telephone book or z. B. the information called; (4) Once this has been done, a secure key exchange between A and B can take place.

4 shows the procedure for an IP network: (1) the private keys D (F (E _A )) and D (F (E _B )) are output to each communication device along with the assignment of the end point address;
(2) These are transmitted via (local) DHCP server to the computers A and B; (3) If computer A wants to communicate with computer B, then this gets the IP address of B via DNS (Sec) request;
(4) Once this has been done, a secure key exchange between A and B can take place.

5 shows the sequence for a VoIP network based on SIP: (1) After registration with a VoIP server, the corresponding VoIP software is downloaded; (2) This is populated with the public parameters N, G, R, F (.) And the private keys D (F (E _A )) and D (F (E _B )) according to the selected SIP address; (3) If communication subscriber A wishes to call communication subscriber B, A searches for the SIP address in the telephone book; (4) Once this has been done, a secure key exchange between A and B can take place.

6 shows the procedure at MAC level: (1) / (2) The public parameters N, G, R, F (.) and the priva The keys D (F (E _A )) and D (F (E _B )) are stored on the network card during manufacture. This is done by the manufacturer if the MAC address has been assigned to a network card; (3) Through appropriate protocols at the Ethernet level, the MAC addresses of other participants are learned. After that, a secured key exchange can take place.

7 shows the procedure of the key agreement in an IP network, in which the technique of Network Address Translation (NAT) is used: If the communication device A ( 500 ) from the private sector ( 514 ) with the communication device B ( 501 ) in the public sector ( 515 ), the NAT router X ( 516 ) the source endpoint address of A against its publicly known endpoint address ² E _x ( 519 ) out. Before replacement, the public hybrid key from A ( 517 ) not to the endpoint address E _A ( 504 ). After the exchange arises with ( 519 ) and ( 517 ) a valid combination. The package with the public key of B ( 511 ), stating E _B ( 505 ) as sender address, does not need to be changed here. The second endpoint address of X ¹ E _x ( 518 ) is used for internal communication in the area ( 514 ).

8th shows the procedure in an IP network to establish a Virtual Private Network (VPN): (1) The private key D (F (E _VS )) is output to the VPN server VS together with the assignment of the endpoint address. (2) The private key D (F (E _VC )) is output to the computer VC along with the assignment of the internal VPN endpoint address. (3) This is done by means of a (local) DHCP server. (4) If the computer VC wants to establish a VPN connection in an insecure network with the server VS, it sends a message to VS with its insecure endpoint address E _UC with the content of its MAC address, E _VC or another to E _VC belonging identifier, in which case the MAC address was selected as the identifier. The endpoint address E _VS is known to the computer VC. (5) The VPN server sends the non-secure endpoint address E _UC a nonce μ. (6) VC sends ownership proof B (μ) for E _VC using μ to VS. Based on the MAC address, VS can assign the internal endpoint address E _VC and initiate the VPN connection. (7) Once this has been done, a secure key pairing between VS and VC can take place with the endpoint addresses E _VS and E _VC for a VPN connection.

9 shows the procedure when using license plates: (1) At the registration office, the public parameters N, G, R, F (.) and the private keys D (F (E _A )) and D (F (E _B )) ) issued according to the issued vehicle license plates on a corresponding medium; (2) In the respective vehicle these are then plugged into a transmitting / receiving unit; (3) Once this has been done, a safe key agreement between the vehicles may be carried out after reading the vehicle registration plate in traffic.

10 shows the procedure for the use of identification numbers on electronic ID cards, passports and chip cards. (1) / (2) In the case of a central office, such as a bank, hospital or government agency, the chip cards or badges with the public parameters N, G, R, F (.) And the identification number will be displayed at the time of issue provided with private key. The public parameters are also assigned to the corresponding counterpart equipment / stations. (3) If this has happened, the identity / authenticity of the smart cards or badges at the respective verification stations of the remote sites can be verified.

unter Verwendung von μ an VS. VS überprüft den rechtmäßigen Besitz der zuzuordnenden Endpunktadresse mittels:

By using the right to an endpoint address E _VC private key D (F (E _VC)), it is communication device VC possible to establish a VPN connection with a VPN server VS without passwords or certificates. The private key D (F (E _VS )) is output to the VPN server VS together with the assignment of the endpoint address. The private key D (F (E _VC )) is output to the communication device VC along with the assignment of the internal VPN end point address. The communication device VC is assigned the endpoint address E _UC in an insecure network. To establish a VPN connection, the communication device VC sends the VPN server VS a message with its MAC address from the insecure network. The VPN server sends the non-secure endpoint address E _UC a unique number ("NONCE") μ. VC sends a proof of ownership B (μ) for E _VC consisting of the triple:

using μ an VS. VS verifies the legitimate possession of the endpoint address to be mapped by:

Based on the MAC address VS can then assign the internal endpoint address E _VC and the Initiate a VPN connection using the endpoint address based key resolution protocol with the endpoint addresses E _VS and E _VC . Thus, each authorized communication device with the existing allocation infrastructure for endpoint addresses can securely establish a VPN connection, without in contrast to the current VPN technology more VPN passwords or certificates are needed.

It follows a numerical example for the use of endpoint addresses for key generation and key agreement using IPv4 addresses as endpoint addresses

The numbers used in this example are for clarity chosen small and do not correspond to the usual Safety requirements. It is understood that other numbers too who meet the requirements.

All Congruences are to be understood as modulo N; N is the product of two Primes selected; This is not the only option the choice of N. R = 3 is chosen.

The Assignment of IP address to numeric value consists of the omission the points of the IP addresses and the filling of the components with zeros, if one component has less than three decimal places has; This is not the only way to transform.

We choose the prime P = 51874849463, because (P - 1) / 2 = 25937424731 is also a prime and P is of the form P ≡ 2 mod 3 is.

We choose the prime Q = 6973569047, because (Q - 1) / 2 = 3486784523 is also a prime
and Q is of the form Q ≡ 2 mod 3.

Consequently GCD (P - 1, 3) = GCD (Q - 1, 3) = 1.

It N = P · Q = 361752844532961371761.

Thus, φ (N) = (P-1) · (Q-1) = 4 · 25937424731 · 3486784523. We now choose G such that one of the two prime numbers 25937424731 or 3486784523 occurs in its order. The number G = 258201056061078543287 satisfies this condition, since the order of G is 25937424731, ie G ^25937424731 ≡ 1 mod N.

It follows for N and G:
N = 361752844532961371761
G = 258201056061078543287

Let the IPv4 address of communication device A be E _A = 137.248.131.121, from which the numerical value F (E _A ) = 137248131121 becomes. The natural number D (F (E _A )) assigned to the communication device A is then 165644296807138459965, since 165644296807138459965 is ³ ≡ 137248131121.

Let the IPv4 address of communication device B be E _B = 217.73.49.24, from which the numerical value F (E _B ) = 217073049024 becomes. The communication device B assigned natural number D (F (E _B )) is then 74121947444567397753, since 74121947444567397753 ³ ≡ 217073049024.

It It is noted that the numbers with knowledge of the "trapdoor", namely the factorization of N or by knowledge of Number φ (N) can be found in polynomial time.

The private, randomly generated number of communication device A is Z _A = 17464865284867458.

The private, randomly generated number of communication device B is Z _B = 34526974652949654.

communication device A beats the IPv4 address of communication device B via a "Name Resolution Protocol" such as DNS after. The backup of this lookup process can be over Traditional techniques like DNS-Sec are made or based on the Technology presented here for the authentication of the DNS server become.

The public key of the communication device A is

The public Key of the communication device B is

communication device A sends his public key to communication device B stating the IP address 137.248.131.121 as sender address.

Communication device B calculated (212413932090578443320 3 × 137248131121 -1 ) 34526974652949654

modulo N results from this the value 324349152832633430269.

communication device B sends his public key to communication device A with the IP address 217.73.49.24 as sender address.

Communication device A calculated (292942897134135556504 3 × 217073049024 -1 ) 17464865284867458

modulo N results from this the value 324349152832633430269.

Both communication devices A and B now have the common number 324349152832633430269. This can now be used, for example, by the symmetric encryption method ABS [Joan Daemen and Vincent Rijmen, The Design of Rijndael: AES - The Advanced Encryption Standard, Springer-Verlag 2002 (238 pp.)] Establish secure connection. Other methods are also conceivable.

It follows a numerical example of an endpoint address detection using IPv4 addresses as endpoint addresses.

The numbers N and G are taken from the example above:
N = 361752844532961371761
G = 258201056061078543287

Similarly, E _{A is} again 137.248.131.121, thus D (F (E _A )) is also again 165644296807138459965. Communication device A wants to prove to communication device B that it is in legitimate possession of the endpoint address E _A.

211960759887420950241 und

Damit ergibt sich das Tripel

1178982692, 279712538859918245040). Dieses Tripel schickt Kommunikationsgerät A an Kommunikationsgerät B. B berechnet

Communication device A calculates a random number W _A = 9364594753971. As Nonce μ current timestamp T = 1178982692 is selected, which corresponds to the time 12/05/2007 17:11:25. Now calculated

211960759887420950241 and

This results in the triple

1178982692, 279712538859918245040). This triple sends communication device A to communication device B. B is calculated

The left side corresponds 211960759887420950241 3 · 137248131121 -1 61838026459164934808

The right side corresponds 279712538859918245040 1178982692 61838026459164934808

Since both sides provide the same result, the legitimate possession of the endpoint address E _{A is} confirmed.

• [14] Durch Austausch der IPv4-Adresse durch den NAT-Router ist nun die Berechnung von [11] fehlerhaft.

The following is a detailed consideration of the invention using IPv4 addresses as endpoint addresses with respect to the NAT protocol. When using IPv4 addresses as the endpoint address, the Network Address Translation (NAT) technique requires special handling. NAT is a technique to virtually extend the relatively narrow range of possible IPv4 addresses (2 ³² ). With NAT, it is possible to hide multiple IP-based communication devices behind a NAT router (see 7 ). The hidden IP communication devices have IPv4 addresses from a private area (eg 192.168.xx) that is not unique worldwide. IP packets with these addresses will not be passed on the global Internet. Only the NAT router has an IPv4 address that can be communicated worldwide. The internal communication devices each have private keys for their IPv4 addresses with which they can communicate internally. This internal communication can be secured according to the method already described, since the internal internal IPv4 addresses are unique. The internal area is a separate security domain, ie the keys are generated with their own output parameters (P and Q) from the NAT router (or from a key server available in the internal area). In order for an internal communication device to communicate with a public area communication device, its IPv4 address is replaced by the globally valid IPv4 address of the NAT router as it passes the NAT router.

• By replacing the IPv4 address by the NAT router, the calculation of [11] is now incorrect.

If A's IPv4 address is referred to as E _A , the internal IPv4 address of the NAT router as ¹ E _x, and the external as ² E _x , the solution to the problem consists of the following: [14] All internal IP addresses In addition to their output numbers (see [7,8]), communication devices also receive the private key D (F ( ² E _x ) of the NAT router, which is based on the public IP address ² E _{x of} the NAT router. Address ¹ E _x is the second, internal IP address of the NAT router.

zu.Instead of as described in [10], the internal communication device A sends now the slightly changed IP packet with the content to the external communication device B.

to.

By substituting AE _A's IPv4 address with the NAT router's IPv4 address, ² E _x , a correct packet is generated according to [11].

• a. Für die interne Kommunikation werden nur die internen Endpunktadressen verwendet; auch der NAT-Router besitzt eine eindeutige interne Endpunktadresse (d. h. er besitzt somit eine interne und eine externe (öffentliche) IPv4-Adresse). Für die rein interne Kommunikation ist somit die Weitergabe des privaten Schlüssels der öffentlichen IPv4-Adresse des NAT-Routers sicherheitsunkritisch und ohne Bedeutung.
• b. Möchte ein internes Kommunikationsgerät A eine Verbindung zu einem externen Kommunikationsgerät B aufbauen und ist A im Besitz der zugehörigen Ziel- Endpunktadresse, so kann kein internes Kommunikationsgerät einen Man-in-the-Middle-Angriff starten, selbst der NAT-Router nicht: i. Ein internes Kommunikationsgerät kann keinen Man-in-the-Middle Angriff starten, da der erste Schritt der Verbindung, vom Kommunikationsgerät zum NAT-Router, mit Hilfe des öffentlichen Schlüssels der internen Endpunktadresse des NAT-Routers gesichert werden kann. ii. Der NAT-Router kann keinen Man-in-the-Middle Angriff starten, da er nicht im Besitz des privaten Schlüssels desjenigen externen Kommunikationsgeräts ist, zu dem das interne Kommunikationsgerät eine Verbindung aufbauen möchte.

Passing the private key D (F ( ² E _x ) of the NAT router to the internal communication devices is an unusual practice, but does not result in security risks:

• a. For internal communication, only the internal endpoint addresses are used; The NAT router also has a unique internal endpoint address (ie it has an internal and an external (public) IPv4 address). For purely internal communication, the passing on of the private key of the public IPv4 address of the NAT router is security-critical and of no significance.
• b. If an internal communication device A wants to establish a connection to an external communication device B and A is in possession of the associated destination endpoint address, then no internal communication device can start a man-in-the-middle attack, even the NAT router does not: i. An internal communication device can not start a man-in-the-middle attack because the first step of the connection, from the communication device to the NAT router, can be secured using the public key of the internal endpoint address of the NAT router. ii. The NAT router can not start a man-in-the-middle attack because it is not in possession of the private key of the external communication device to which the internal communication device wishes to connect.

Critical to consider are all communication links that are initiated from outside, since here the internal communication device does not know for sure, from which IPv4 address the connection comes. In most organizations, external connections are generally prohibited for security reasons. Such connections are only possible if the NAT router for a specified port forwards incoming connections on this port to a defined internal computer.

If incoming connections are desired, since, for example, one has a particular service running on an internal computer, then one generates a private key for the internal communication device A, which includes this port and has the form D (F ( ² E _× Port)) where the operator ∘ represents a join operation. This is only output to the computer running the service bound to this port. Even the NAT router does not get this key if a key server in the internal network generates the keys. The calculation of the external communication device B after receiving the key of the internal communication device A is thus

These Solution is only practicable if its own security trough operated with key generator in the internal network, to generate the port-dependent keys.

Here is an example for illustration. The numbers N and G are taken from the example above.
N _G = 361752844532961371761
G _G = 258201056061078543287

These represent the global / external parameters of the system. Within the NAT network, ie for the communication in the private network "behind" the NAT server in this example the parameters
N _P = 35813530660934177120521
G _P = 12718647769806831085000
which have been calculated analogously and therefore have the same properties as the global parameters.

Let the IPv4 addresses of the NAT router X be ¹ E _x = 192.168.0.1 and ² E _x = 137.248.3.15. Let the IPv4 address of the communication device A be E _A = 192.168.0.2 and that of the communication device B be E _B = 209.85.135.147 (which, for example, is www.google.de corresponds). The private key to the IP address ² E _{x of} the NAT server X with F ( ² E _x ) = 137248003015 is D (F ( 2 e x )) ≡ 127305603288901208592 mod N G ,

The private key of the IP address ¹ E _x with F ( ¹ E _x ) = 192168000001 is (with regard to the intranet modulo) D (F ( 1 e x )) ≡ 8764387150301768383530 mod N P ,

For the IPv4 address of the communication device A with F (E _A ) = 192168000002 applies D (F (E A )) ≡ 15901565656352459335637 mod N P ,

The communication device A now has two public keys, one for the internal NAT network and one for communication with external communication devices. To do this, A calculates two random numbers ¹ Z _A = 9873284762321 and ² Z _A = 1332223872819.

Der Schlüsssel für das externe Netzwerk:

Der öffentliche Schlüssel von Kommunikationsgerät B sei (mit Z_B = 34526974652949654)

The two keys are: The key for the internal NAT network:

The key to the external network:

The public key of communication device B is (with Z _B = 34526974652949654)

The private key to address ² E _x = 137.248.3.15 owns all communication devices in the internal NAT network. By contrast, the NAT router X is unique in that it is the only one that has the private key to the address ¹ E _x = 192.168.0.1. Thus, no other communication device in the internal NAT network of the NAT router "spoof" because it can not prove the legitimate possession of the address 192.168.0.1.

unter Angabe der IP-Adresse 192.168.0.2 als Absenderadresse los. (Anm: Mit dieser Nachricht, zusammen mit der verwendeten IP-Adresse, würde keine erfolgreiche Schlüsseleinigung zustande kommen, da der verschickte Schlüssel nicht zu der IP-Adresse passt). Kommt diese Nachricht bei dem NAT-Router X an, so substituiert X die IP-Adresse 192.168.0.2 mit seiner eigenen externen IP-Adresse 137.248.3.15. Durch diese Substitution wird die Nachricht gültig.The following is an example of communication setup from A to B. Since B is a global-scale communication device, A takes the global key. A sends now

stating the IP address 192.168.0.2 as the sender address. (Note: With this message, along with the IP address used, a successful key agreement would not be achieved because the key sent does not match the IP address). If this message arrives at the NAT router X, X substitutes the IP address 192.168.0.2 with its own external IP address 137.248.3.15. This substitution makes the message valid.

Communication device B now calculates (37434419775649604698 3 · 137248003015 -1 ) 34526974652949654 which gives 96527559674518842237 (modulo N _G ).

B now sends his public key to A. The NAT server leaves this message untouched. A calculated (128451006445006878090 3 · 208085135147 -1 ) 1332223872819 which gives 96527559674518842237 (modulo N _G ).

There both sides can now own the number 96527559674518842237 They use these as AES keys for the more symmetrical Use encryption.

den der NAT-Router nicht besitzt, wobei die Konkatenationsstriche || hier eine Instanz des ∘ Operators darstellen. B sendet eine Anfrage auf Port 21 an den NAT-Router, welche durch den NAT-Router an A weitergeleitet wird. B schickt nun seinen öffentlichen Schlüssel

an A, und A berechnet dannAn example follows in which the external communication device B establishes a connection to the internal network. In this example, an FTP server runs on port 1234 on internal communication device A. Requests from outside to port 21 are forwarded to internal communication device A by the NAT router. Communication device A has the public key for this purpose

which the NAT router does not possess, with the concatenation strokes || represent here an instance of the ∘ operator. B sends a request on port 21 to the NAT router, which is forwarded to A by the NAT router. B now sends his public key

at A, and then A calculates

A sends his public key to B, and B then calculates

in the Below is the key agreement between two communication devices described their keys to different security domains belong, d. H. their keys with different ones Output parameters (P and Q) were generated.

As already described above, the key agreement leads to problems if the private keys for the endpoint addresses belong to different moduli (eg: N ₁ or N ₂ ), since for a private key belonging to the modulus N ₁ with respect to. of another modulus N ₂ , the key is not the Rth root from the converted endpoint address (F (∘)).

To solve this problem, one goes to the modulus N = N ₁ · N ₂ and the number G = G ₁ · G ₂ .

in this connection it is assumed that the number R and the function F (·) is the same for both security domains. This requirement is safety-critical, since R and F (·) are public in any case Parameters are.

For this purpose, the two private keys from the different security domains must now be adapted, but in a way that does not require the factorization of N ₁ or N ₂ , because this is not known to the two communication devices.

The adaptation takes place in that the two private keys the congruences D ~ (F (E A )) ≡ D (F (E A )) mod N 1 and D ~ (F (E A )) ≡ 1 mod N 2 respectively. D ~ (F (E B )) ≡ 1 mod N 1 and D ~ (F (E B )) ≡ D (F (E B )) mod N 2 fulfill.

Calculated this is done by means of the theorem of the Chinese Remainder theorem or with appropriate algorithms.

When calculating the joint key S resulting from the key agreement, it is no longer taken F (E _A ) or F (E _B ), but rather F ~ (E. A ) ≡ F (E A ) mod N 1 and F ~ (E. A ) ≡ 1 mod N 2 respectively. F ~ (E. B ) ≡ 1 mod N 1 and F ~ (E. B ) ≡ F (E B ) mod N 2

So now D ~ (F (E A )) R ≡ F ~ (E. A ) mod N or D ~ (F (E B )) R ≡ F ~ (E. B ) mod N

The Calculation is then for communication device A

[F1]

The Calculation is then for communication device B

[F2]

The following example should make the approach of roaming easier to understand. In this example Two security domains are considered whose parameters are chosen as follows (analogous to the example above):
N ₁ = 361752844532961371761
G ₁ = 258201056061078543287
R = 3

N ₂ = 35813530660934177120521
G ₂ = 12718647769806831085000
R = 3

The communication devices A and B have the IP addresses E _A = 137.248.131.121 and E _B = 217.141.12.3. Analogous to the first examples, the private keys result D (F (E A )) ≡ 25860829056029300846832 mod N 1 D (F (E B )) 29 292947890423430020984 mod N 2

The roaming adjustment is now made so that the two numbers are adjusted using the Chinese Remainder Theorem. It results in the numbers D ~ (F (E A )) 30 1230559696114446419779508987105680948292197 mod N 1 · N 2 D ~ (F (E B )) ≡ 9189257507665222873678140085008212062937148 mod N 1 · N 2

With These two new private keys then become the public Key calculated analogously to the other examples.

It applies (using the example for D ~ (F (E _A )))
1230559696114446419779508987105680948292197 ≡ 258608290560293008 46832 mod 361752844532961371761
1230559696114446419779508987105680948292197 ≡ 1 mod 35813530660934177120521

The adaptation of the numbers F (E _A ) and F (E _B ) is also done via the Chinese Remainder Theorem, which gives the numbers F ~ (E. A ) 80 10809397770265955989181871047017298016361291 mod N 1 · N 2 F ~ (E. B ) 14 3314228663601259516632595659356914554799147 mod N 1 · N 2 result. The two numbers are now the R-th residues with respect to the corresponding private keys and it applies (using the example of F ~ (E _A ))
10809397770265955989181871047017298016361291 ≡ 137248131121 mod 361752844532961371761
10809397770265955989181871047017298016361291 ≡ 1 mod 35813530660934177120521

The Key agreement is then analogous to the first example instead, where A is the formula [F1] and communication device B calculates the formula [F2].

There the method underlying the invention endpoint addresses as Basis used for private key generation, is the passing of one and the same endpoint address to different ones Communication devices a problem. This corresponds to the Passing a public key to a another person in other cryptosystems. The common knowledge the private key associated with an endpoint address is different when passing the same endpoint address Communication devices thus safety-critical.

The The problem addressed occurs in IPv4 networks with dynamic IP address assignment on, such as For example, at major online providers such as T-Online or AOL.

The solution to the problem is based on varying the private keys every U time units, where U is a publicly known value, which is based on a fixed time Φ _i , which is the same for all participating communication devices, where Φ _i expresses that i have been time units since one defined start time have passed.

The private keys are then calculated (eg for the endpoint address E _A ) by means of: D (F (E A ), (Φ i - (Φ i mod U)) ≡ (F (E A ) + Φ i - (Φ i mod U)) 1 / R mod N

This change The public key must be synonymous with everyone further calculation.

Since now the private key D (F (E _A ), Φ _i - (Φ _i mod U)) is no longer valid after U past time units, the problem of passing on the IP address is solved if the transfer earliest after U Time units takes place.

When applying this method, care must be taken that F (E _A ) is no longer valid on its own. Communication devices must now transition to F (E _A , Φ _i ) = (F (E _A ) + Φ _i - (Φ _i mod U)) whenever the inverse formation F () ^{-1 of} a foreign endpoint address is requested during key agreement is.

It follows a numerical example of varying private Keys using IPv4 addresses.

Again, for this example
N = 361752844532961371761
G = 258201056061078543287
R = 3

When common time unit between all communication devices Let's take the example of the "Unix-Timestamp". The value U is U = 86400, which corresponds to one day in time. at the chosen U is the change to a new private Key at 2 o'clock in the morning.

The IPv4 address of E _A is 137.248.131.121. On 29.05.2007 at 12:13:01 was the time stamp 1180433581. Thus follows for the key for E _A : (F (E A ) + 1180433581 - (1180433581 mod 86400)) 3.1 ≡ (1372481311 21 + 1180396800) 3.1 mod N ≡ 1384285279 21 3.1 mod N ≡ 3129556747 7849577417 mod N ≡ D (F (137.24 8.131.121, 1180433581)) mod N

On the following day at 30/05/2007 at 14:33:03, the timestamp is at the value 1180528383. This yields the following private key to E _A at this time: (F (E 4 ) + 1180528383 - (1180528383 mod 86400)) 3.1 ≡ (1372481311 21 + 1180528383) 3.1 mod N ≡ 1384286143 21 3.1 mod N ≡ 1100973377 1093982843 0 mod N ≡ D (F (137.24 8.131.121, 1180528383)) mod N

It It should be noted that parts of the invention are embodied in software can be, and when loading into a computer to an inventive Become device.

Further serve the embodiments only for understanding and are not intended to limit the invention. Much more the spirit and scope of the invention is the enclosed Claims to be taken.

Bibliography

• P. Related Patents a. US020050022020A1 .//[EN] Authentication protocol b. US020030147537A1 / JING DONGFENG PERKINS CHARLES E / [EN] Secure key distribution protocol in AAA for mobile IP c. WO2006051517 / MCCULLAGH NOEL (IE); SCOTT MICHAEL (IE); COSTIGAN NEIL (IE), / Identity based encryption d. US20030081785A1 / Boneh, Dan (Palo Alto, CA, US), Franklin, Matthew (Davis, CA, US) / Systems and methods for identity-based encryption and related cryptographic techniques e. US5161244 / Maurer, Ueli / Cryptographic system based on information difference f. US4405829 ./Cryptographic Communications System and Method / Rivest; Ronald L., Shamir; Adi, Adleman; Leonard M. g. US000006766453B1 / 3COM CORP, US / Authenticated diffiehellman key agreement protocol where the communicating parties share a secret key with a third party. H. EP000001626598A1 / AXALTO SA, FR / Procedure for securing an authentication and key distribution protocol. i. WO002003026197A2 / Non-Elephant encryption systems (BARBADOS) Inc. Bruen, Aiden Forcinito, Mario Wehlau, David Coyle, Philip, A./A Key Agreement Protocol Based on Network Dynamics
• V1. Asymmetric encryption techniques a. Whitfield Diffie and Martin E. Hellman, "New Directions in Cryptography," IEEE Transactions On Information Theory, no. 6, pp. 644-654, 1976 b. RL Rivest and A. Shamir and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Communications of the ACM, no. 2, pp. 120-126, 1978 , c. Taher El Gamal, "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms," in Proceedings of CRYPTO 84 on Advances in Cryptology. New York, NY, USA: Springer-Verlag New York, Inc., 1985, pp. 10-18 , d. Neal Koblitz and Alfred J. Menezes. A Survey of Public-Key Cryptosystems. SIAM Review, 46 (4): 599-634, 2004 ,
• V2. Key Exchange and Key Cleaning Protocols a. Rainer Rueppel and Paul C. van Oorschot, "Modern Key Agreement Techniques," Computer Communications, vol. 17, no. 7, pp. 458-465, 1994 , b. Ratna Dutta and Rana Barua, "Overview of Key Agreement Protocols," Cryptology ePrint Archive, Report 2005/289, 2005, http://eprint.iacr.org/ , c. R. Rivest and A. Shamir. How to Expose to Eavesdropper. CACM, Vol. 27, April 1984, pp. 393-395
• V3. Identity-Based Cryptosystems a. Jing-Shyang Hwu, Rong-Jaye Boss, Yi-Bing Lin, An Efficient Identity-Based Cryptosystem for End-to-End Mobile Security, IEEE Transactions on Wireless Communications, vol. 5, no. 9, pp. 2586-2593, 2006 b. Dan Boneh and Matthew Franklin, Identity-Based Encryption from the Weil Pairing, SIAM Journal of Computation, vol. 32, no. 3, pp. 586-615, 2003 c. M. Gorantla and R. Gangishetti and A. Saxena, A Survey on ID-Based Cryptographic Primitives, Cryptology ePrint Archive, Report 2005 , d. Joonsang Baek, Jan Newmarch, Reihaneh Safavi-Naini and Willy Susilo, A Survey of Identity-Based Cryptography, Journal of Computer Research and Development, vol. 43, no. 10, pp. 1810-1819, 2006
• V4. Infrastructure for the management of public keys (Public Key Infrastructures) a. Dieter Gollmann: Coding Theory and Cryptology. Lecture Notes Series, Institute for Mathematical Sciences, National University of Singapore, 2002 pages 143-175 , b. Hui Li and Yumin Wang: Public Key Infrastructure. Payment Technologies for Ecommerce, Springer New York Publishing, 2003 pages 39-70 , c. K. Aberer and A. Datta and M. Hauswirth: A Decentralized Public Key Infrastructure for Customer-to-Customer E-Commerce. International Journal of Business Process Integration and Management, 2005 - Vol. 1, no. 1 pp 26-33 d. Ruggero Morselli, Bobby Bhattacharjee, Jonathan Katz, Michael A. Marsh Key-Chains - A Decentralized Public-Key Infrastructure. Technical Report CS-TR-4788, University of Maryland (2006)
• V5. Key agreement protocols with public discussion a. Ueli M. Maurer. Secret key agreement by public discussion from common information. IEEE Transactions an Information Theory, 39 (3): 733-742, May 1993 ,
• L. References / Links 1. (Http://zfoneproject.com/docs/ietf/draft-zimmermann-avt-zrtp-03.html)

QUOTES INCLUDE IN THE DESCRIPTION

This list The documents listed by the applicant have been automated generated and is solely for better information recorded by the reader. The list is not part of the German Patent or utility model application. The DPMA takes over no liability for any errors or omissions.

Cited patent literature

• US 020050022020 A1 [0185]
• US 020030147537 A1 [0185]
• - WO 2006051517 [0185]
• US 20030081785 A1 [0185]
• US 5161244 [0185]
• US 4405829 [0185]
• US 000006766453 B1 [0185]
• EP 000001626598 A1 [0185]
• WO 002003026197 A2 [0185]

Cited non-patent literature

• - [Joan Daemen and Vincent Rijmen, The Design of Rijndael: AES - The Advanced Encryption Standard, Springer-Verlag 2002 (238 pp.)] [0124]
• - www.google.com [0142]
• - Whitfield Diffie and Martin E. Hellman, "New Directions in Cryptography," IEEE Transactions On Information Theory, no. 6, pp. 644-654, 1976 [0185]
• - RL Rivest and A. Shamir and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Communications of the ACM, no. 2, pp. 120-126, 1978 [0185]
• - Taher El Gamal, "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms," in Proceedings of CRYPTO 84 on Advances in Cryptology. New York, NY, USA: Springer-Verlag New York, Inc., 1985, pp. 10-18 [0185]
• - Neal Koblitz and Alfred J. Menezes. A Survey of Public-Key Cryptosystems. SIAM Review, 46 (4): 599-634, 2004 [0185]
• - Rainer Rueppel and Paul C. van Oorschot, "Modern Key Agreement Techniques," Computer Communications, vol. 17, no. 7, pp. 458-465, 1994 [0185]
• - Ratna Dutta and Rana Barua, "Overview of Key Agreement Protocols," Cryptology ePrint Archive, Report 2005/289, 2005, http://eprint.iacr.org/ [0185]
• R. Rivest and A. Shamir. How to Expose to Eavesdropper. CACM, Vol. 27, April 1984, pp. 393-395 [0185]
• - Jing-Shyang Hwu, Rong-Jaye Boss, Yi-Bing Lin, An Efficient Identity-Based Cryptosystem for End-to-End Mobile Security, IEEE Transactions on Wireless Communications, vol. 5, no. 9, pp. 2586-2593, 2006 [0185]
• - Dan Boneh and Matthew Franklin, Identity-Based Encryption from the Weil Pairing, SIAM Journal of Computation, vol. 32, no. 3, pp. 586-615, 2003 [0185]
• - M. Gorantla and R. Gangishetti and A. Saxena, A Survey on ID-Based Cryptographic Primitives, Cryptology ePrint Archive, Report 2005 [0185]
• - Joonsang Baek, Jan Newmarch, Reihaneh Safavi-Naini and Willy Susilo, A Survey of Identity-Based Cryptography, Journal of Computer Research and Development, vol. 43, no. 10, pp. 1810-1819, 2006 [0185]
• - Dieter Gollmann: Coding Theory and Cryptology. Lecture Notes Series, Institute for Mathematical Sciences, National University of Singapore, 2002 pages 143-175 [0185]
• - Hui Li and Yumin Wang: Public Key Infrastructure. Payment Technologies for Ecommerce, Springer Verlag New York, 2003 pages 39-70 [0185]
• - K. Aberer and A. Datta and M. Hauswirth: A Decentralized Public Key Infrastructure for Customer-to-Customer E-Commerce. International Journal of Business Process Integration and Management, 2005 - Vol. 1, no. 1 pp 26-33 [0185]
• - Ruggero Morselli, Bobby Bhattacharjee, Jonathan Katz, Michael A. Marsh Key-Chains - A Decentralized Public-Key Infrastructure. Technical Report CS-TR-4788, University of Maryland (2006) [0185]
• - Ueli M. Maurer. Secret key agreement by public discussion from common information. IEEE Transactions an Information Theory, 39 (3): 733-742, May 1993 [0185]
• - (http://zfoneproject.com/docs/ietf/draft-zimmermann-avt-zrtp-03.html) [0185]

Claims (33)

A method for generating a cryptographic key for performing a method for key encryption for an encrypted digital communication, wherein an endpoint address E _{A of} a communication device A directly or indirectly by applying the inverse function L ^{-1 of} a one-way function L with trapdoor in a part of the cryptographic Key is converted and used for the key agreement. The method of the preceding claim, wherein the one-way function L represents the exponentiation in the ring Z _N , where N is a number whose factorization can not be calculated in polynomial time; the inverse function L ^-1 is the calculation of a root in the ring Z _N. The method according to one or more of the preceding claims, wherein the cryptographic key can be public or private and the public key the product in the ring Z _N from the result of the inverse one-way function L ^-1 and the number

where Z _{A is} a random number and G is a number whose order in the ring Z _{N has} a fixed-order prime number. The method according to one or more of the preceding claims, wherein the cryptographic key can be public or private and the public key is the product in the ring Z _N from the result of the inverse one-way function L ^-1 and the number G * Z _A , where Z _{A is} a random number and the number G is a point on an elliptic curve. The method according to one or more of the preceding claims, at the beginning of the key agreement, the communication device A has the function F (.) And the following numbers are known: N, G, R, E _A , F (E _A ), D (F (E _A ) ), where the function F (.) is a function that converts an endpoint address into a unique number in the ring Z _N , the function D (.) is an instance of the inverse one-way function L ^-1 , N is the product of at least two primes P and Q, G is a non-prime number of order e, and e has a fixed-order prime factor, R is a number that does not share any of the one-prime prime factors of N, E _A the endpoint address the communication device A and F (E _A ) is an endpoint address converted to a unique natural number, respectively; for D as a one-way function with trapdoor or D (F (E _A )), D (F (E _A )) ≡ F (E _A ) ^{1 / R} mod N; Further, communication device A still has a private random number Z _A , the private key of communication device A is D (F (E _A )), which is A's public key

All this applies analogously to a communication device B. The method of the preceding claim, wherein one or more of the following parameters be public can: N, G, R and the function F (.). A method for cryptographic key agreement between two communication devices A and B in communication networks, using endpoint address based cryptographic keys, wherein an endpoint address E _{A of} the communication device A directly or indirectly by applying the inverse function L ^{-1 of} a one-way function L with trapdoor in a part of a cryptographic key is converted, the key may be public or private. The method according to the preceding key Einigungsanspruch, wherein the key agreement only provides a same key in both communication devices, if the endpoint address used E _{A of} the communication device A and the public key used

of the communication device A satisfy the following equation:

where the function F (.) is a function that converts the endpoint address E _A into a unique number in the ring Z _N , the function D (.) is an instance of the inverse one-way function L ^-1 , N is the product of at least two Prime numbers P and Q, G is a non-prime number of order e, and e has a fixed-order prime factor, R is a number that does not share any of the first-order decremented factors of N, Z _{A is} one private random number of A is; all this applies analogously to communication device B. The method according to one or more of the preceding key claims, wherein communication device A can calculate a common key S by performing the following calculation on the public key received by the communication device B:

where the function F (.) is a function that converts the endpoint address E _B into a unique number in the ring Z _N , the function D (.) is an instance of the inverse one-way function L ^-1 , N is the product of at least two primes P and Q, G is a non-prime number of order e, and e has a fixed-order prime factor, R is a number that does not share any of the one-prime prime factors of N, Z _{A is} private Is random number of A and Z _{B is} a private random number of B. The method according to one or more of the preceding Key cleaning claims, wherein the communication devices an exchange of the public key thereby recognize that the calculation is not at both communication devices the same key after the key agreement delivers and thus no encrypted connection established can be. The method according to one or more of the preceding Key settlement claims, with an agreement on a cryptographic key within the same Communication channel is enabled. A roaming procedure for cryptographic key agreement between two communication devices A and B, which are located in two different security domains K ₁ and K ₂ , the different public parameters (N ₁ , G ₁ , R, F (.)) And (N ₂ , G ₂ , R, F (.)) Using endpoint address-based cryptographic keys, F (.) Is a function that divides the endpoint addresses E _A and E _{B of} the communication devices A and B into a unique number in the ring Z _N converting an endpoint address directly or indirectly by applying the inverse function L ^{-1 of} a one-way trap-door function L into a part of a cryptographic key which may be public or private, N ₁ or N ₂ the product of at least two primes P ₁ and Q ₁ or P ₂ and Q ₂ , G ₁ or G _{2 is} a non-prime to N ₁ or N ₂ number with the order e ₁ or e ₂ and e ₁ and e _{2 is} a prime factor in has a secure order of magnitude; R is a number that does not share any of the one-prime prime factors of N ₁ and N ₂ . The roaming method according to the preceding roaming method claim, wherein the public parameters of the security domains K ₁ and K ₂ are combined. The roaming method according to one or more of the preceding roaming method claims, wherein the combination (N, G, R, F (.)) Of the public parameters of K ₁ (N ₁ , G ₁ , R, F (.)) And K ₂ (N ₂ , G ₂ , R, F (.)) Is performed by means of (N = N ₁ .N ₂ , G = G ₁ .G ₂ , R, F (.)), The communication device A being from the security domain K ₁ its private key D (F (E _A )) to D ~ (F (E _A )) with D ~ (F (E _A )) ≡ D (F (E _A )) mod N ₁ and D ~ (F (E _A )) ≡ 1 mod N ₂ extended; wherein the converted endpoint address F (E _B ) of the communication device B from the security domain D ₂ to F ^~ (E _B ) with F ~ (E _B ) ≡ 1 mod N ₁ and F ~ (E _B ) ≡ F (E _B ) mod N _{2 is} extended; wherein the key agreement can be performed with communication devices of the security domain K ₂ , in the communication device A after receiving the public key of communication device B calculated as follows:

where F (.) is a function that converts an endpoint address into a unique number in the ring Z _N , the function D (.) is an instance of the inverse one-way function L ^-1 , Z _{A is} a private random number of A, and Z _{B is} a private random number of B; all this applies analogously to communication device B. The roaming procedure according to one or more of previous roaming method claims, wherein a Security domain own primes P and Q can use to encrypted within this domain to communicate. The roaming method according to one or more of the preceding roaming method claims in which several private keys are administered by different security domains on the communication device, and the selection of the correct key is made by parameters, by trial and error or by a communication exchange. An apparatus for generating a cryptographic key for performing a method for key encryption for encrypted digital communication, comprising a computing unit, a communication unit and an endpoint address E _{A ,} wherein the arithmetic unit, the endpoint address E _A directly or indirectly by applying the inverse function L ^-1 of One-way function L with trapdoor converted to a part of the cryptographic key and used for key agreement. The device of the preceding device claim, wherein the one-way function L represents the exponentiation in the ring Z _N , where N is a number whose factorization can not be calculated in polynomial time; the inverse function L ^-1 is the calculation of a root in the ring Z _N. The device according to one or more of the preceding device claims, wherein the cryptographic key may be public or private and the public key is the product in the ring Z _N from the result of the inverse one-way function L ^-1 and the number

where Z _{A is} a random number and G is a number whose order in the ring Z _{N has} a fixed-order prime number. The device according to one or more of the preceding device claims, wherein the cryptographic key can be public or private and the public key is the product in the ring Z _N from the result of the inverse one-way function L ^-1 and the number G * Z _A , where Z _{A is} a random number and the number G is a point on an elliptic curve. The device according to one or more of the preceding device claims, wherein at the beginning of the key agreement protocol of device A the function F (.) And the following numbers are known N, G, R, E _A , F (E _A ), D (F (E _A )), where the function F (.) is a function that converts an endpoint address into a unique number in the ring Z _N , the function D (.) is an instance of the inverse one-way function L ^-1 , N is the product of at least two Prime numbers P and Q, G is a non-divisive number of order e, and e has a fixed-order prime factor, R is a number that does not share any of the one-prime prime factors of N, E _{A is} the number Endpoint address of device A and F (E _A ) is an endpoint address, each converted to a unique natural number; for D as a one-way function with trapdoor or D (F (E _A )), D (F (E _A )) ≡ F (E _A ) ^{1 / R} mod N; furthermore, device A still has a private random number Z _A , the private key of device A is D (F (E _A )), which is A's public key

all this applies analogously to device B. The device according to one or more of the preceding Device claims wherein one or more of the following Parameters can be public: N, G, R and the function F (.). A cryptographic key fusing apparatus with another apparatus interconnected by a communication network, comprising a computing unit and a network unit, having an endpoint address, the computing unit using an endpoint address based cryptographic key for key fiduciation, an endpoint address E _{A of} the apparatus A is converted directly or indirectly into a part of the cryptographic key by using the inverse function L ^{-1 of} a one-way function L with a trapdoor. The device according to the preceding device claim, wherein the key agreement provides a same key on both devices only if the endpoint address E _{A of} the device A used and the public key used

of device A satisfy the following equation:

where the function F (.) is a function that converts the endpoint address E _A into a unique number in the ring Z _N , the function D (.) is an instance of the inverse one-way function L ^-1 , N is the product of at least two primes P and Q, G is a non-prime number of order e, and e has a fixed-order prime factor, R is a number that does not share any of the one-prime prime factors of N, Z _{A is} private Is random number of A, and D (F (E _A )) is the private key of device A; all this applies analogously to device B. The device according to one or more of the preceding device claims, wherein device A calculates a common key S by performing the following calculation on the public key received from device B:

where the function F (.) is a function that converts the endpoint address E _B into a unique number in the ring Z _N , the function D (.) is an instance of the inverse one-way function L ^-1 , N is the product of at least two primes P and Q, G is a number divisor to N of order e and e has a prime factor of safe order; R is a number for which it does not share any of the one prime prime factors of N, Z _{A is} a private random number of A, and Z _{B is} a private random number of B. The device according to one or more of the preceding Device claims, wherein the device has an exchange the public key recognizes that the calculation is not the same for both communication devices same key after key agreement delivers and thus no encrypted connection established can be. The device according to one or more of the preceding Device claims, with an agreement on a cryptographic Key within the same communication channel in the Network is enabled. A cryptographic key fob roaming device between two devices A and B located in two different security domains K ₁ and K ₂ having different public parameters (N ₁ , G ₁ , R, F (.)) And (N ₂ , G ₂ , R, F (.)) Using endpoint address based cryptographic keys, an end point address E _{A of} the device A directly or indirectly by applying the inverse function L ^{-1 of} a one-way trap-door function L into a part of a cryptographic one Key is converted, the key can be public or private, N ₁ or N _{2 is} the product of at least two primes P ₁ and Q ₁ or P ₂ and Q ₂ , G ₁ and G _{2 is} one to N ₁ and N, respectively _{2 is a} non-divisive number with the order e ₁ or e ₂ and e ₁ or e _{2 has} a prime factor in a reliable order of magnitude; R is a number that does not share any of the one-prime prime factors of N ₁ and N ₂ . The roaming device according to the preceding roaming device claim, wherein the public parameters of the security domains K ₁ and K ₂ are combined. The roaming device according to one or more of the preceding roaming device claims, wherein the combination (N, G, R, F (.)) Of the public parameters of K ₁ (N ₁ , G ₁ , R, F (.)) and K ₂ (N ₂ , G ₂ , R, F (.)) is performed by means of (N = N ₁ .N ₂ , G = G ₁ .G ₂ , R, F (.)), wherein the device A is made of of the security domain K _1, its private key D (F (E _A )) to D ~ (F (E _A )) with D ~ (F (E _A )) D (F (E _A )) mod N ₁ and D ~ ( F (E _A )) ≡ 1 mod N ₂ extended; wherein the converted endpoint address F (E _B ) of the device B from the security domain K ₂ to F ^~ (E _B ) with F ~ (E _B ) ≡ 1 mod N ₁ and F ~ (E _B ) ≡ F (E _B ) mod N _{2 is} extended; wherein the key agreement can be performed with security domain K ₂ devices in which device A, after receiving the public key from device B, calculates:

where F (.) is a function that converts an endpoint address into a unique number in the ring Z _N , the function D (.) is an instance of the inverse one-way function L ^-1 , Z _{A is} a private random number of A, and Z _{B is} a private random number of B; all this applies analogously to device B. The roaming device after one or more the foregoing roaming device claims, wherein a security domain use its own primes P and Q can be encrypted to within this domain to communicate. The roaming device after one or more the foregoing roaming device claims, wherein multiple private keys from different security domains managed on the device, and choosing the right one Key by parameters, by trial or by a communication exchange takes place. A digital disk containing a key according to claim 1.