WO2008029853A1 - Encryption key distribution device and method - Google Patents

Encryption key distribution device and method

Info

Publication number
WO2008029853A1
Authority
WO
WIPO (PCT)
Prior art keywords
encryption key
packet
key
multicast
unit
Prior art date
Application number
PCT/JP2007/067331
Other languages
English (en)
Japanese (ja)
Inventor
Kunihiko Sakaibara
Original Assignee
Panasonic Corporation
Priority date
Filing date
Publication date
Application filed by Panasonic Corporation
Publication of WO2008029853A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0833 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041 Key generation or derivation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0431 Key distribution or pre-distribution; Key agreement
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0433 Key management protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60 Digital content management, e.g. content distribution
    • H04L2209/601 Broadcast encryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/065 Network architectures or network communication protocols for network security for supporting key management in a packet data network for group communications

Definitions

  • the present invention relates to a secret key distribution apparatus and encryption key distribution method used in multicast communication or broadcast communication.
  • wireless LANs use a fixed encryption key called WEP (Wired Equivalent Privacy) to encrypt data in wireless communications.
  • WEP Wired Equivalent Privacy
  • the cipher is changed from the initial 40-bit unit code to the 128-bit unit code and further to the 256-bit unit code.
  • the complexity of encryption is progressing. In other words, in order to pursue the confidentiality of data, ever longer encryption keys have inevitably been required.
  • TKIP Temporal Key Integrity Protocol
  • FIG. 3 is a diagram illustrating an example of a configuration of a conventional communication system.
  • FIG. 4 is a diagram showing an encryption block and a communication form of the communication system of FIG.
  • phase 1 key mixer 70 generates a first encryption key from temporary key TK, terminal MAC address, TA, and initialization vector IV.
  • the phase 2 key mixer 71 generates a second encryption key for each packet from the first encryption key generated by the phase 1 key mixer 70 and the initialization vector IV.
  • using the second encryption key generated by the phase 2 key mixer 71, the encryption encapsulation unit 72 encrypts and encapsulates the packet that is the communication data, and communicates individually with each of the wireless receiving terminals 30 to 32.
  • since the initialization vector IV is incremented for each packet and changes every moment, it is possible to dynamically change the second encryption key used for communication with each wireless receiving terminal.
  • IPSec IP Security
  • Non-Patent Document 1 Wireless Ubiquitous (Hidewa System)
  • because the terminal MAC address and TA of the radio receiving terminal are used as elements for generating the encryption key, there is a problem that an encrypted stream must be generated individually for each radio receiving terminal. Also, IPSec, which realizes encrypted tunneling between fixed IP addresses, is a security mechanism that assumes individual communication with each wireless receiving terminal, and has the same problem. That is, the conventional encryption technology is not suitable for group communication or multicast communication in which the same data is transmitted to a plurality of designated parties.
  • the encryption key can be appropriately updated as described above. Therefore, the network can be used after communication is started without obtaining an initial encryption key.
  • the wireless receiving terminals (for example, the wireless receiving terminal 40 and the wireless receiving terminal 50 in FIG. 3) connected to the network have difficulty joining later (follow-up entry) the multicast communication encrypted for the group.
  • a wireless reception terminal (for example, wireless reception terminal 60 in FIG. 3) that has been temporarily disconnected due to a failure during communication, has not been able to acquire an intermediate encryption key, and has reconnected to the network
  • has difficulty returning to the encrypted multicast communication. The problem of follow-up entry into and return to multicast communication becomes more difficult as the security of multicast communication increases.
  • the present invention has been made in view of the above points, and its purpose is to provide an encryption key distribution device and an encryption key distribution method capable of performing reliable and flexible communication while maintaining security strength.
  • the encryption key distribution device of the present invention adopts a configuration comprising: a generation unit capable of generating an encryption key for encrypting a packet transmitted to a plurality of radio reception terminals by multicast or broadcast for each minimum packet; a holding unit that holds a plurality of encryption keys generated by the generation unit for a plurality of consecutive packets; and a distribution unit that distributes any of the plurality of encryption keys held by the holding unit to any of the plurality of radio reception terminals, independently of packets transmitted by multicast or broadcast.
  • the encryption key distribution method of the present invention includes: a generation step capable of generating an encryption key for encrypting a packet transmitted to a plurality of radio receiving terminals by multicast or broadcast for each minimum packet; a holding step of holding a plurality of encryption keys generated for a plurality of consecutive packets; and a distribution step of distributing any of the plurality of held encryption keys to any of the plurality of radio receiving terminals, independently of a packet transmitted by multicast or broadcast.
  • a plurality of packet encryption keys for consecutive packets are generated in advance, held, and distributed to a plurality of receiving terminals, so that reliable and flexible communication is maintained while maintaining security strength. It can be performed.
  • FIG. 1 is a diagram showing an example of the configuration of a multicast communication system according to an embodiment of the present invention.
  • FIG. 2 is a diagram showing encryption blocks and communication forms of the multicast communication system of FIG.
  • FIG. 3 is a diagram showing an example of the configuration of a conventional communication system
  • FIG. 4 is a diagram showing an encryption block and a communication form of the communication system of FIG.
  • FIG. 1 is a diagram showing an example of a configuration of a multicast communication system according to an embodiment of the present invention.
  • a multicast communication system 100 includes a server 110, a wireless transmission terminal (hereinafter simply referred to as “transmission terminal”) 120, and six wireless reception terminals (hereinafter simply referred to as “reception terminals”) 130, 140, 150, 160, 170, 180.
  • the main source of data is the sending terminal and the receiving destination is the receiving terminal.
  • Receiving terminals 130 to 180 are registered in the same multicast group in multicast communication. Therefore, the receiving terminals 130 to 180 have a common multicast address set or hold a common group key.
  • the sending terminal 120 and the receiving terminals 130 to 180 function as VPN (Virtual Private Network) devices that encrypt the entire packet using a packet encryption key, add a new header to the packet, and encapsulate it for transmission.
  • the server 110 stores and manages various data such as video and audio.
  • the server 110 provides data managed by the server 110 to the transmission terminal 120 and other terminals, which are client computers, through a network such as the Internet.
  • the data stored and managed by the server 110 includes, for example, a key such as a temporary key TK used between each multicast group and an ID such as a user ID and a group ID set for each multicast group.
  • the transmission terminal 120 as the encryption key distribution device is, for example, an access point (AP) or a base station (BS).
  • the transmitting terminal 120 encrypts a packet of data such as video and audio using a packet encryption key, and multicasts it to the receiving terminals 130-180.
  • the sending terminal 120 can send packets to the multicast group consisting of the receiving terminals 130 to 180 simultaneously by setting the multicast address set to the receiving terminals 130 to 180 as the packet destination.
  • the data constituting the packet transmitted from the transmission terminal 120 is, for example, information provided from the server 110 or information held by itself.
  • the transmitting terminal 120 generates a packet encryption key for encrypting a packet to be transmitted to the receiving terminals 130 to 180 for each packet.
  • the transmission terminal 120 holds the packet encryption key generated for a plurality of consecutive packets as a continuous encryption key applied to the plurality of consecutive packets. That is, the transmission terminal 120 holds a packet encryption key for an arbitrary packet and a packet encryption key for a packet that is continuous with the arbitrary packet.
  • the transmitting terminal 120 holds, together with the packet encryption key corresponding to the currently transmitted packet, a packet encryption key corresponding to a previously transmitted packet and a packet encryption key corresponding to a subsequently transmitted packet. That is, in addition to the packet encryption key to be used, the transmitting terminal 120 generates in advance (advance generation) a plurality of packet encryption keys used before or after the update. Note that the number of packet encryption keys generated in advance can be arbitrarily determined according to the capability of the transmission terminal 120 or an agreement between the transmission terminal 120 and the reception terminals 130 to 180.
  • when receiving a request to distribute a packet encryption key (hereinafter referred to as a "packet encryption key distribution request") from a receiving terminal that is a member of a multicast group, the transmitting terminal 120 distributes the packet encryption key generated in advance to that receiving terminal. At this time, the transmitting terminal 120 delivers together the packet encryption key requested by the packet encryption key distribution request and the packet encryption keys continuous with that packet encryption key. For example, when the transmitting terminal 120 distributes a packet encryption key corresponding to a currently transmitted packet, it can distribute in a batch, together with that key, a packet encryption key corresponding to a previously transmitted packet and a packet encryption key corresponding to a subsequently transmitted packet.
  • the receiving terminal to which the packet encryption key is distributed can smoothly join later (follow-up entry) or return to multicast communication.
  • storing and holding the distribution data allows the previously transmitted packet to be decoded, so that more accurate data can be reproduced.
  • the receiving terminals 130 to 180 are, for example, a personal computer having a wireless LAN interface or its peripheral devices.
  • the receiving terminals 130 to 180 receive the packets transmitted from the transmitting terminal 120.
  • the receiving terminals 130 to 180 use the packet encryption key delivered from the transmitting terminal 120 to decrypt the received packet.
  • the receiving terminals 130 to 180 reproduce the decrypted packet.
  • when the receiving terminals 130 to 180 do not hold the packet encryption key corresponding to the packet to be decrypted, and therefore cannot decrypt the packet and cannot participate in multicast communication, they transmit a packet encryption key distribution request to the transmission terminal 120.
  • This packet encryption key distribution request is an inquiry about the state of the packet encryption key, that is, an inquiry for information on the packet encryption key currently used and the packet encryption keys used before and after it.
  • the packet encryption key distribution request is required, for example, when a terminal connects to the network after the start of communication without having acquired the initial packet encryption key (follow-up entry), or when it reconnects after the communication was temporarily disconnected (return).
  • FIG. 2 is a diagram showing an encryption block and a communication form of the multicast communication system 100 of FIG.
  • the encryption block includes a first phase key mixer 210, a packet encryption key holding unit 220, a message integrity check (MIC) unit 230, a fragment unit 240, an encryption encapsulation unit 250, and a packet encryption key distribution unit 260.
  • the packet encryption key holding unit 220 includes a plurality of second phase key mixers, here, three second phase key mixers 221, 222, 223.
  • the first phase key mixer 210 as the first generation unit uses the temporary key TK, the multicast address or group key (Group Key), and the initialization vector IV to generate a key that is an element for generating the packet encryption key (hereinafter referred to as “spare key”).
  • the first phase key mixer 210 generates this spare key once in N packets (N is an arbitrary integer). That is, the first phase key mixer 210 updates the spare key by generating a new spare key every N packets.
  • the first phase key mixer 210 outputs the generated spare key to each of the second phase key mixers 221 to 223 of the packet encryption key holding unit 220.
  • the temporary key TK is a long (for example, 128 bits) key that is shared between the transmitting terminal 120 and the receiving terminals 130 to 180 and generated by a hash function or the like. Each receiving terminal can obtain the temporary key TK by various methods, for example, key distribution by IEEE 802.1X.
  • the initialization vector IV indicates an initial value extracted from the temporary key TK according to a certain rule, and is automatically generated by the transmission terminal 120. This initialization vector IV is 48 bits, for example, and is incremented every packet and changes every moment.
  • the second phase key mixers 221 to 223 each generate a packet encryption key for one of the consecutive packets transmitted to each receiving terminal.
  • the packet encryption key generated by the second phase key mixer 221 is represented by Key(n-1), the packet encryption key generated by the second phase key mixer 222 by Key(n), and the packet encryption key generated by the second phase key mixer 223 by Key(n+1), respectively.
  • Key(n) is a packet encryption key corresponding to the currently transmitted packet
  • Key(n-1) is a packet encryption key corresponding to the packet transmitted before Key(n)
  • Key(n+1) is a packet encryption key corresponding to a packet transmitted after Key(n).
  • Key(n-1), Key(n), and Key(n+1) function as a continuous encryption key generated for a plurality of consecutive packets, for example, three consecutive packets.
  • Each of Key(n-1), Key(n), and Key(n+1) is the above-described WEP key.
  • the generation unit configured by the first phase key mixer 210 and the second phase key mixers 221 to 223 functions as a generation unit that generates a packet encryption key for each packet transmitted to a plurality of radio receiving terminals by multicast.
  • the packet encryption key holding unit 220 serving as a holding unit holds the packet encryption keys generated by the second phase key mixers 221 to 223 as continuous encryption keys corresponding to each of the consecutive packets transmitted to each receiving terminal. That is, the packet encryption key holding unit 220 holds the packet encryption keys generated by the second phase key mixers 221 to 223 as common continuous encryption keys that are used in the multicast group while being updated every packet. As a result, the packet encryption key holding unit 220 holds the packet encryption key corresponding to the currently transmitted packet, the packet encryption key corresponding to the previously transmitted packet, and the packet encryption key corresponding to the packet transmitted thereafter.
  • because the packet encryption key is based on a multicast address common to the multicast group, rather than on information unique to a receiving terminal such as the terminal MAC address and TA, the members of the same multicast group, in this case the receiving terminals 130 to 180, can use the same packet encryption key.
  • MIC unit 230 checks the integrity of the communication data by detecting tampering of the communication data carried in the packet. More specifically, using the MIC key, the MIC unit 230 checks the integrity of the packet source address SA (Source Address), the packet destination address DA (Destination Address), the priority, and the plaintext MSDU (MAC Service Data Unit) data, which is unencrypted raw data. The MIC unit 230 outputs the MSDU data after the inspection to the fragment unit 240.
  • SA Source Address
  • DA Destination Address
  • MSDU MAC Service Data Unit
  • the fragment unit 240 converts the MSDU data input from the MIC unit 230 into MPDU (MAC Protocol Data Unit) data that is a MAC frame.
  • the fragment unit 240 outputs the converted MPDU data to the encryption encapsulation unit 250.
  • MPDU MAC Protocol Data Unit
  • the encryption encapsulation unit 250 encrypts and encapsulates the MPDU data input from the fragment unit 240 using the packet encryption key held by the packet encryption key holding unit 220. That is, the encryption encapsulation unit 250 encrypts the MPDU data itself with the packet encryption key and generates a packet with a new header added thereto.
  • the cryptographic encapsulation unit 250 multicasts the generated packet to the receiving terminals 130 to 180 that are members of the multicast group.
  • the encryption encapsulation unit 250 can continuously encrypt packets using a different packet encryption key for each packet. For example, when encrypting three consecutive packets, the encryption encapsulation unit 250 encrypts these three packets continuously in the order of Key(n-1), Key(n), and Key(n+1). For example, assuming that Key(n) is the packet encryption key for encrypting the currently transmitted packet, Key(n-1) is the packet encryption key for encrypting the packet transmitted before Key(n), and Key(n+1) is the packet encryption key for encrypting packets transmitted after Key(n).
  • the encryption encapsulation unit 250 encrypts the MPDU data using RC4, which is an encryption algorithm used in the encryption method in which the encryption key and the decryption key are the same. Therefore, in order for the receiving terminals 130 to 180 that are members of the multicast group to participate in multicast communication, it is necessary to share the packet encryption key held in the packet encryption key holding unit 220.
  • the packet encryption key distribution unit 260 as the distribution unit distributes any of the packet encryption keys held in the packet encryption key holding unit 220 to any of the receiving terminals 130 to 180 that are members of the multicast group. Thereby, the packet encryption key is shared between the transmitting terminal 120 and the receiving terminals 130 to 180.
  • the packet encryption key distribution unit 260 distributes the packet encryption key independently of the packet transmitted by multicast.
  • upon receiving a packet encryption key distribution request from any of the receiving terminals 130 to 180 that are members of the multicast group, the packet encryption key distribution unit 260 distributes the packet encryption key to that receiving terminal. At this time, the packet encryption key distribution unit 260 distributes the packet encryption key requested by the packet encryption key distribution request together with the packet encryption keys continuous with it. For example, if the packet encryption key requested by the packet encryption key distribution request is Key(n), the packet encryption key distribution unit 260 distributes Key(n-1) and Key(n+1) together with Key(n) to the receiving terminal that is the transmission source of the packet encryption key distribution request.
  • means for detecting a receiving terminal that failed to acquire the packet encryption key can also be provided in the packet encryption key distribution unit 260.
  • the packet encryption key distribution unit 260 distributes, to the receiving terminal that has failed to acquire the packet encryption key, the packet encryption key that could not be acquired and the packet encryption keys continuous with it.
  • since the packet encryption key is individually distributed to the receiving terminal that requests acquisition of the packet encryption key, that is, the receiving terminal that enters or returns to multicast communication or broadcast communication, each receiving terminal can smoothly join the communication later (follow-up entry) and return to multicast communication that was disconnected midway.
  • since not only the required packet encryption key but also the packet encryption keys used before and after the update are delivered together, each receiving terminal can reliably maintain its connection to the multicast communication once connected.
  • the number of packet encryption keys distributed collectively by the packet encryption key distribution unit 260 can be arbitrarily set. For example, when there are five or more second phase key mixers, the packet encryption key distribution unit 260 can collectively distribute packet encryption keys corresponding to five consecutive packets. Maintaining communication can be ensured by increasing the margin of packet encryption key distribution.
  • When receiving a packet encryption key distribution request from one of the receiving terminals that are members of the multicast group, the packet encryption key distribution unit 260 distributes the packet encryption key to the receiving terminal. At this time, the packet encryption key distribution unit 260 distributes the packet encryption key requested by the packet encryption key distribution request together with the packet encryption keys continuous with the packet encryption key. For example, when the packet encryption key requested by the packet encryption key distribution request is Key(n), the packet encryption key distribution unit 260 delivers Key(n), Key(n-1), and Key(n+1) to the receiving terminal that sent the packet encryption key distribution request.
  • the receiving terminal can smoothly follow up on multicast communication and return to multicast communication disconnected on the way.
  • a receiving terminal 160 connected to the network after a multicast communication session is established, a receiving terminal 170 that has moved in from outside the multicast communication area, and a receiving terminal 180 that has been disconnected because it is located at the boundary of the communication area of multicast communication can each receive exceptional packet encryption key distribution by sending a packet encryption key distribution request.
  • the receiving terminals 160, 170, and 180 can join later (follow-up entry) or return to multicast communication using the packet encryption key distributed from the packet encryption key distribution unit 260.
  • the receiving terminal can maintain the connection to the multicast communication once connected with high reliability. For example, a receiving terminal that has transmitted a packet encryption key distribution request for Key(n) can obtain, together with Key(n), the Key(n-1) and Key(n+1) used before and after updating Key(n). As a result, even if the packet encryption key is updated shortly after sending the packet encryption key distribution request, the receiving terminal can maintain its connection to multicast communication by using the Key(n+1) distributed with the Key(n). In addition, since the receiving terminal can decrypt the previously transmitted packet by using Key(n-1), it is possible to reproduce data with higher accuracy.
  • transmitting terminal 120 generates and holds in advance a plurality of packet encryption keys for consecutive packets transmitted to a plurality of receiving terminals. These packet encryption keys are distributed to multiple receiving terminals. That is, a server for generating the encryption key or an equivalent replacement means is prepared, and the current key is notified by a separate means in response to the request. As a result, even if each receiving terminal cannot acquire a packet encryption key midway for some reason, it can smoothly join multicast communication later (follow-up entry) and return to multicast communication that was cut off midway.
  • transmitting terminal 120 distributes a plurality of packet encryption keys for consecutive packets in a lump.
  • each receiving terminal can maintain the participation in the multicast communication once connected with high reliability.
  • each receiving terminal can decode a previously transmitted packet, and can reproduce data with higher accuracy.
  • the first phase key mixer 210 has been described as calculating and updating a new spare key every N packets, but the present invention is not limited to this.
  • the first phase key mixer 210 may calculate and update a new spare key every M packets (M is an arbitrary integer different from N) determined for each system. In doing so, the first phase key mixer 210 can calculate and update a new spare key according to a certain cycle based on a random number.
  • the spare key may be updated by irregular and rule-based means. Encrypted communication with higher security strength can be realized by refreshing the packet encryption key through such updates of the spare key.
  • although the packet encryption key distribution mechanism (encryption key distribution device) is provided inside the transmission terminal 120, the present invention is not limited to this.
  • the encryption key distribution device may be provided in the multicast communication system as a device unit separate from the transmission terminal 120.
  • the present embodiment is applied to multicast communication
  • the same effect as that in the case of multicast communication can be realized even when applied to broadcast communication. Further, it may be applied to unicast communication. Moreover, the effect may be improved by combining them.
  • the encryption key distribution device and the encryption key distribution method according to the present invention have an effect of performing reliable and flexible communication while maintaining security strength, and in multicast communication or broadcast communication. It is useful as the encryption key distribution device and encryption key distribution method used.
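The scheme summarized above (a spare key refreshed every N packets, per-packet keys held for a run of consecutive packets, and batch delivery that lets a receiver rejoin) can be sketched as follows. This is an added example, not code from the patent: HMAC-SHA256 stands in for the unspecified mixing functions, the XOR keystream is a demo-only cipher, and `N = 4`, the class and function names, the key and the sender address are all assumptions.

```python
import hashlib
import hmac

N = 4  # packets per spare-key period (assumed value; the page leaves N open)

def phase1(temporal_key: bytes, sender: bytes, seq: int) -> bytes:
    """First-phase mix: the spare key, recomputed once every N packets."""
    period = (seq // N).to_bytes(4, "big")
    return hmac.new(temporal_key, b"phase1" + sender + period, hashlib.sha256).digest()

def phase2(spare_key: bytes, seq: int) -> bytes:
    """Second-phase mix: the per-packet key for one sequence number."""
    return hmac.new(spare_key, b"phase2" + seq.to_bytes(6, "big"), hashlib.sha256).digest()

class KeyHolder:
    """Holds packet keys for a run of consecutive packets, generated in advance."""
    def __init__(self, temporal_key: bytes, sender: bytes, start: int, count: int):
        self.keys = {s: phase2(phase1(temporal_key, sender, s), s)
                     for s in range(start, start + count)}

    def deliver(self, first: int, count: int) -> dict:
        """Hand out a batch of held keys, independent of the multicast stream."""
        return {s: self.keys[s] for s in range(first, first + count) if s in self.keys}

def crypt(packet_key: bytes, data: bytes) -> bytes:
    """Demo-only XOR keystream (SHA-256 in counter mode); same call decrypts."""
    stream = b"".join(hashlib.sha256(packet_key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def demo() -> dict:
    temporal_key = bytes(range(32))           # constructed sample key
    sender = bytes.fromhex("020000000001")    # constructed sender address
    holder = KeyHolder(temporal_key, sender, start=0, count=12)
    # Sender multicasts packets 0..9, each under its own packet key.
    wire = {s: crypt(holder.keys[s], f"frame-{s}".encode()) for s in range(10)}
    # A receiver that lost sync asks for the keys of packets 5..9 in one batch.
    batch = holder.deliver(first=5, count=5)
    recovered = {s: crypt(batch[s], wire[s]).decode() for s in batch if s in wire}
    return {"recovered": recovered,
            "missing": sorted(set(wire) - set(batch)),
            "spare_rolls_at_N": phase1(temporal_key, sender, N - 1)
                                != phase1(temporal_key, sender, N)}

if __name__ == "__main__":
    print(demo())
```

Only per-packet keys leave the holder in this sketch; the temporal key and spare keys stay on the sender side, so a delivered batch covers exactly the sequence numbers requested.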

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides an encryption key distribution device and an encryption key distribution method capable of maintaining security strength and achieving flexible and reliable communication. A generation unit formed by a first phase key mixer (210) and second phase key mixers (221-223) generates, for each packet to be transmitted to a plurality of wireless receiving terminals by multicast or broadcast, a packet encryption key for encrypting that packet. A packet encryption key holding unit (220) holds a plurality of packet encryption keys generated by the generation unit for a plurality of consecutive packets. A packet encryption key distribution unit (260) delivers any packet encryption key held by the packet encryption key holding unit (220) to one of the wireless receiving terminals independently of the packet transmitted by multicast or broadcast.
PCT/JP2007/067331 2006-09-05 2007-09-05 Encryption key distribution device and encryption key distribution method WO2008029853A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2006-240691 2006-09-05
JP2006240691A JP2008066882A (ja) 2006-09-05 2006-09-05 Encryption key distribution device and encryption key distribution method

Publications (1)

Publication Number Publication Date
WO2008029853A1 true WO2008029853A1 (fr) 2008-03-13

Family

ID=39157279

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2007/067331 WO2008029853A1 (fr) 2006-09-05 2007-09-05 Encryption key distribution device and encryption key distribution method

Country Status (2)

Country Link
JP (1) JP2008066882A (fr)
WO (1) WO2008029853A1 (fr)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9811476B2 (en) 2013-02-28 2017-11-07 Panasonic Intellectual Property Management Co., Ltd. Encryption and recording apparatus, encryption and recording system, and encryption and recording method
KR102024058B1 (ko) * 2019-05-31 2019-09-24 주식회사 유니온플레이스 Device in a multicast group
KR102024062B1 (ko) * 2019-05-31 2019-09-24 주식회사 유니온플레이스 Device for transmitting key data to subscribers in a multicast group

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005117656A (ja) * 2003-10-03 2005-04-28 Fujitsu Ltd Apparatus, method and medium for self-organizing multi-hop wireless access network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
SEKI Y.: "WPA (W-FI protected access)", NIKKEI COMMUNICATIONS, NIKKEI BUSINESS PUBLICATIONS, INC., no. 401, 27 October 2003 (2003-10-27), pages 168 - 176, XP003021643 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019217692A1 (fr) * 2018-05-10 2019-11-14 Alibaba Group Holding Limited Blockchain data processing method, apparatus, device, and system
US11315112B2 (en) 2018-05-10 2022-04-26 Advanced New Technologies Co., Ltd. Blockchain data processing method, apparatus, device, and system

Also Published As

Publication number Publication date
JP2008066882A (ja) 2008-03-21

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07806773

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07806773

Country of ref document: EP

Kind code of ref document: A1