Classifications

• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L63/00—Network architectures or network communication protocols for network security
  • H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
  • H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
  • H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L63/00—Network architectures or network communication protocols for network security
  • H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
  • H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
  • H04L63/0457—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply dynamic encryption, e.g. stream encryption
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L63/00—Network architectures or network communication protocols for network security
  • H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
  • H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L63/00—Network architectures or network communication protocols for network security
  • H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
  • H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords

Definitions

• the present invention relates to a secure messaging method.
• Secure messaging solutions guarantee confidentiality and optionally the integrity and identity of the message sender.
• such methods make it possible to reduce the risks in terms of security, in particular the interception by an attacker of an electronic message to read the content, the impersonation of a correspondent or even the alteration content by an attacker during the message transport phase.
• US patent US 6154543 The closest state of the art is described in US patent US 6154543.
• This patent relates to a public key cryptosystem allowing a roaming user access to a network to establish secure communications between system users, client machines, and encryption servers.
• the client machine generates and stores an encrypted private key in a server 'encryption.
• a user can then access this encrypted private key from any client machine located on the network and decrypt it using a passphrase, thereby enjoying cross-system access.
• the private key can be used to decrypt and encrypt received messages.
• a user can generate a digital message, encrypt it with the public key of a client's recipient, and transmit it to the encryption server from any client machine on the server.
• the invention relates, in its most general sense, to a secure messaging method, comprising a first step of registering a user, consisting in generating a key pair on the client workstation of said user, using a key generation algorithm [RSA for example], to encrypt the private key by a symmetric algorithm executed on the client computer, the key of this symmetric algorithm being derived by a hash function [SHAl function] of a chain of secret characters [pass phrase] entered by means of a peripheral [keyboard for example], to transmit to the server a file comprising said encrypted value of the private key encrypted with the symmetric key, the public key to a server comprising a database data for recording said information and a unique identifier of said user [for example his email address], and the hash value of the symmetric key [derived from the pass phrase],
• the registration step further comprising an operation of signing said user key pair with the server private key [certification key or key signature], the method comprising an operating step comprising an operation authentication of the user by transmission to the server from any client station of his identifier and said secret character string [his “pass phrase”], and validation of the authenticity of the user by comparison between the value derived from said secret character string transmitted by the user, and the derived value stored in said database, in relation to the identifier of the user considered, and an operation of transmission by the server to the user station of said bi-key, then encrypt and / or sign the message prepared on the client computer with the private keys of the recipients of the message, and / or the public key respectively c of said user, and an operation of transmitting said message between the user's workstation and the server, said operation of transmitting the message being carried out by establishing virtual channels [VPN] for encryption and / or signature, characterized in that the compression and the transmission of the message are carried out "in continuous flow" [streaming] without temporary storage in memory on the client station
• the operation of transmitting that is to say sending-receiving, the message consists in opening a plurality of nested virtual channels, the first channel being a communication channel, encompassed a signature channel, encompassed itself a compression channel, included in an encryption channel, allowing the transmission of messages without size limitation; reception encompassing the channels in reverse (decryption included in decompression, included in verification).
• said virtual channels are in series and include an encryption channel and a signature channel in series.
• the plurality of virtual channels further comprises an input-output (I / O) channel on the peripherals of the client station.
• the message transmission step consists in preparing a
• the method according to the invention comprises an encryption operation distinct from each of the hashes of the message of said stream with the private key of said user, in order to create a digital signature, to allow subsequent verification of the signature of each of said components. separately.
• the invention also relates to an architecture for processing secure messages, comprising a server comprising a memory for the encrypted and signed recording of information relating to the registered users, means of sending and receiving messages and means of connection to a public network, and client workstations comprising a navigation application and means of connection to said network, characterized in that the server comprises means of secure connection with the network and means of verifying files transmitted by a user and signed with a server public key, and for recording, after positive verification, in a memory for recording a table comprising, for each user: the encrypted value ["hash"] of the private key encrypted with the symmetric key, the public key to a server comprising a database for recording said information and a unique identifier of said user [for example his email address], and the hash value of the symmetric key [derived from the pass phrase], the architecture comprising furthermore means for establishing virtual channels [VPN] for encryption and / or signing, compression and transmission of the "streaming" message without temporary storage in memory on the client workstation or on the server, nor on a
• FIG. 1 represents the diagram of a secure messaging architecture according to the invention
• FIG. 2 shows the block diagram of the messaging process.
• the secure messaging system implements a server (1) connected to a telecommunications network, in particular the Internet network.
• the user of the messaging service according to the invention has a workstation (2) also connected to the same telecommunications network.
• the server (1) has a memory space for
• the server also includes an application (4) providing the interface between user requests, sent in the form of HTML forms, and access to the data recorded in the database (3).
• the client station (2) establishes an HTTP link with the server (1).
• the consultation request opens a TCP / IP (HTTP) link which will open a first technical channel (5) encapsulated by two technical channels in series respectively for decryption (6) and for checking the signature (7), these two channels (6, 7) being themselves encapsulated by a technical decompression channel (8), for example in ZIP format.
• HTTP TCP / IP
• the client station (2) opens a series of channels (5 to 8) for the continuous transmission of an encrypted, signed and compressed stream from the file from the client computer to the database (3) of the server (1).

Landscapes

• Engineering & Computer Science (AREA)
• Computer Security & Cryptography (AREA)
• Computer Hardware Design (AREA)
• Computing Systems (AREA)
• General Engineering & Computer Science (AREA)
• Computer Networks & Wireless Communication (AREA)
• Signal Processing (AREA)
• Computer And Data Communications (AREA)
• Data Exchanges In Wide-Area Networks (AREA)
• Information Transfer Between Computers (AREA)
• Storage Device Security (AREA)

Applications Claiming Priority (3)

Publications (1)

Family

ID=8860273

Family Applications (1)

Country Status (3)

Family Cites Families (1)

• 2001
  • 2001-02-21 FR FR0102351A patent/FR2821220B1/fr not_active Expired - Fee Related
• 2002
  • 2002-02-21 WO PCT/FR2002/000654 patent/WO2002067535A2/fr not_active Application Discontinuation
  • 2002-02-21 EP EP02706886A patent/EP1362461A2/de not_active Withdrawn

Non-Patent Citations (1)

Also Published As

Similar Documents

Legal Events