(19)
(11)EP 3 664 364 A1

(12)EUROPEAN PATENT APPLICATION
published in accordance with Art. 153(4) EPC

(43)Date of publication:
10.06.2020 Bulletin 2020/24

(21)Application number: 18840948.6

(22)Date of filing:  27.07.2018
(51)International Patent Classification (IPC): 
H04L 9/14(2006.01)
H04L 9/08(2006.01)
(86)International application number:
PCT/JP2018/028183
(87)International publication number:
WO 2019/026776 (07.02.2019 Gazette  2019/06)
(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR
Designated Extension States:
BA ME
Designated Validation States:
KH MA MD TN

(30)Priority: 02.08.2017 JP 2017149603

(71)Applicant: Nippon Telegraph And Telephone Corporation
Tokyo 100-8116 (JP)

(72)Inventors:
  • YOSHIDA, Reo
    Musashino-shi, Tokyo 180-8585, (JP)
  • KOBAYASHI, Tetsutaro
    Musashino-shi, Tokyo 180-8585, (JP)
  • KAWAHARA, Yuto
    Musashino-shi, Tokyo 180-8585, (JP)
  • YAMAMOTO, Tomohide
    Musashino-shi, Tokyo 180-8585, (JP)
  • OKUYAMA, Hironobu
    Musashino-shi, Tokyo 180-8585, (JP)

(74)Representative: MERH-IP Matias Erny Reichl Hoffmann Patentanwälte PartG mbB 
Paul-Heyse-Strasse 29
80336 München
80336 München (DE)

  


(54)ENCRYPTED COMMUNICATION DEVICE, ENCRYPTED COMMUNICATION SYSTEM, ENCRYPTED COMMUNICATION METHOD, AND PROGRAM


(57) An encrypted communication is correctly decrypted even when key exchange completion notification is delayed. A key storage (10) stores at least one common key which is shared with another encrypted communication device. A key selecting unit (11) selects an encryption key from the at least one common key stored in the key storage (10). An encrypting unit (12) generates encrypted data by encrypting, by using the encryption key, data to be transmitted to the other encrypted communication device. A transmitting unit (13) transmits, to the other encrypted communication device, the encrypted data with a key index, by which the encryption key is uniquely identified, added thereto. A receiving unit (14) receives the encrypted data with the key index added thereto from the other encrypted communication device. A key obtaining unit (15) obtains, from the at least one common key stored in the key storage (10), a decryption key corresponding to the key index added to the encrypted data. A decrypting unit (16) decrypts the encrypted data by using the decryption key.




Description

[TECHNICAL FIELD]



[0001] The present invention relates to information communication technologies and, in particular, relates to a technology of synchronizing the timing to use a common key in encrypted communication.

[BACKGROUND ART]



[0002] In encrypted communication such as Session Description Protocol (SDP), Real-time Transport Protocol (RTP), and Transport Layer Security (TLS), a common key which is used for encryption is made usable immediately after the transmission or reception of an ACK message or a Finished message (hereinafter referred to as "key exchange completion notification") indicating the completion of a key exchange. The details of SDP are described in Non-patent Literature 1, the details of RTP are described in Non-patent Literature 2, and the details of TLS are described in Non-patent Literature 3.

[0003] For example, in encryption in an IP telephony system, by a multiparty key exchange technique, a Voice over Internet Protocol (VoIP) layer is notified of the completion of a key exchange as the return value of a terminal API in order to assure the completion of a key exchange between terminals which carry out communication. This makes it possible to reproduce a speech sound without interruption of a call even when keys are exchanged at high frequency in one VoIP session.

[PRIOR ART LITERATURE]


[NON-PATENT LITERATURE]



[0004] 

Non-patent Literature 1: "Session Description Protocol (SDP)", [online], [searched on July 18, 2017], the Internet <URL: https://tools.ietf.org/html/rfc4568>

Non-patent Literature 2: "ZRTP: Media Path Key Agreement for Unicast Secure RTP", [online], [searched on July 18, 2017], the Internet <URL: https://tools.ietf.org/html/rfc6189>

Non-patent Literature 3: "The Transport Layer Security (TLS) Protocol", [online], [searched on July 18, 2017], the Internet <URL: https://tools.ietf.org/html/rfc5246>


[SUMMARY OF THE INVENTION]


[PROBLEMS TO BE SOLVED BY THE INVENTION]



[0005] However, in a best-effort network, an adequate communication band for a lower layer cannot be provided due to priority control or the like, which sometimes makes an encrypted communication arrive before key exchange completion notification. In this case, in spite of the fact that an exchange of a common key is completed, the common key cannot be used, which makes it impossible to decrypt the encrypted communication correctly. For instance, when a mobile virtual network operator (MVNO) network whose communication band is less than 100 kbps is used in a mobile network, it has been shown that a reception timing of key exchange completion notification, which is returned to each terminal from a server, is deviated in some terminals, which causes a phenomenon in which speech cannot be correctly decrypted temporarily.

[0006] In light of the foregoing, an object of the present invention is to implement an encrypted communication technology that can correctly decrypt an encrypted communication even when key exchange completion notification is delayed.

[MEANS TO SOLVE THE PROBLEMS]



[0007] In order to solve the above-described problem, an encrypted communication device of the present invention includes: a key storage that stores at least one common key which is shared with another encrypted communication device; a key selecting unit that selects an encryption key from the at least one common key stored in the key storage; an encrypting unit that generates encrypted data by encrypting, by using the encryption key, data to be transmitted to the other encrypted communication device; a transmitting unit that transmits, to the other encrypted communication device, the encrypted data with a key index, by which the encryption key is uniquely identified, added thereto; a receiving unit that receives the encrypted data with the key index added thereto from the other encrypted communication device; a key obtaining unit that obtains, from the at least one common key stored in the key storage, a decryption key corresponding to the key index added to the encrypted data; and a decrypting unit that decrypts the encrypted data by using the decryption key.

[EFFECTS OF THE INVENTION]



[0008] With the encrypted communication technology of the present invention, it is possible to decrypt an encrypted communication correctly even when key exchange completion notification is delayed.

[BRIEF DESCRIPTION OF THE DRAWINGS]



[0009] 

Fig. 1 is a diagram for explaining an existing encrypted communication technology.

Fig. 2 is a diagram for explaining an encrypted communication technology of the present invention.

Fig. 3 is a diagram illustrating the functional configuration of an encrypted communication system.

Fig. 4 is a diagram illustrating the functional configuration of an encrypted communication device.

Fig. 5 is a diagram illustrating a procedure of an encrypted communication method.


[DETAILED DESCRIPTION OF THE EMBODIMENTS]



[0010] Fig. 1 shows how a common key is used in an existing encrypted communication technology. An example of Fig. 1 illustrates a situation in which a key A and a key B were exchanged between two encrypted communication devices and, while key exchange completion notification for the key A has been received, key exchange completion notification for the key B has not been received. If an encrypted communication device on the transmitting side performs encryption by using the key B in this situation, an encrypted communication device on the receiving side cannot correctly decrypt an encrypted communication because the encrypted communication device cannot use the key B.

[0011] In the present invention, at the time of transmission of an encrypted communication, a key index, by which a common key used for encryption is uniquely identified, is added to encrypted data and transmitted therewith and, at the time of reception of the encrypted communication, a common key corresponding to the key index is obtained and the received encrypted data is decrypted. Fig. 2 shows how a common key is used in an encrypted communication technology of the present invention. In an example of Fig. 2, an encrypted communication device has a key database of a common key and a key index which are correlated with each other, and an encrypted communication device on the transmitting side transmits a key index (= 2) corresponding to a key B used for encryption to an encrypted communication device on the receiving side. Although the encrypted communication device on the receiving side has not yet received key exchange completion notification for the key B, the encrypted communication device on the receiving side can correctly decrypt the encrypted data by using the key B because the encrypted communication device can obtain the key B from the key database by using the key index as a key.

[0012] The example of Fig. 2 is based on the assumption that creating the database is performed by sharing a key index with the same timing as a key exchange; however, the example is not limited to this mode because a key index only has to be a key index by which a common key can be uniquely identified. For instance, a configuration may be adopted in which a one-way function which is shared between an encrypted communication device on the transmitting side and an encrypted communication device on the receiving side is provided; at the time of transmission, an output which is obtained when a common key used for encryption is input to the one-way function is added to encrypted data as a key index and transmitted therewith and, at the time of reception, a common key is obtained, the common key by which an output, which is equal to the received key index, is obtained when the common key held by an encrypted communication device is input to the one-way function, and the encrypted data is decrypted. When a key exchange is performed between two encrypted communication devices, one encrypted communication device generates a key index and transmits the key index to the other encrypted communication device, whereby the encrypted communication devices can share the key index. When a key management server, which is different from an encrypted communication device, generates a common key and distributes the common key to encrypted communication devices to perform a key exchange, the key management server generates a key index and distributes the key index to the encrypted communication devices with the common key, whereby the encrypted communication devices can share the key index.

[0013] Hereinafter, embodiments of the present invention will be described in detail. In the drawings, constituent units having the same function are identified with the same reference character, and overlapping explanations will be omitted.

[First embodiment]



[0014] As illustrated in Fig. 3, an encrypted communication system of a first embodiment includes a plurality of encrypted communication devices 1. Fig. 3 shows an example in which two encrypted communication devices 11 and 12 are present; the number of encrypted communication devices 1 is not limited as long as two or more encrypted communication devices 1 are present. In the following description, it is assumed that the encrypted communication device 11 encrypts data and transmits the encrypted data and the encrypted communication device 12 decrypts the received encrypted data. In this embodiment, the encrypted communication device 11 and the encrypted communication device 12 are connected to a communication network 2. The communication network 2 is a circuit switching or packet-switching communication network that allows devices connected thereto to communicate with each other on a one-to-one basis, and, for example, the Internet, a local area network (LAN), a wide area network (WAN), or the like can be used. The devices do not necessarily have to be able to communicate with each other online via the communication network 2. For instance, a configuration may be adopted in which information which is output from the encrypted communication device 11 is stored in a portable recording medium such as a magnetic tape or Universal Serial Bus (USB) memory and the information is input to the encrypted communication device 12 from the portable recording medium offline.

[0015] As illustrated in Fig. 4, the encrypted communication device 1i (i = 1, 2) included in the encrypted communication system includes a key storage 10i, a key selecting unit 11i, an encrypting unit 12i, a transmitting unit 13i, a receiving unit 14i, a key obtaining unit 15i, and a decrypting unit 16i. As a result of the two encrypted communication devices 11 and 12 performing processing in steps shown in Fig. 5 in cooperation with each other, an encrypted communication method of the first embodiment is implemented.

[0016] The encrypted communication device 1i is a special device configured as a result of a special program being read into a publicly known or dedicated computer including, for example, a central processing unit (CPU), a main storage unit (random access memory: RAM), and so forth. The encrypted communication device 1i executes each processing under the control of the central processing unit, for example. The data input to the encrypted communication device 1 and the data obtained by each processing are stored in the main storage unit, for instance, and the data stored in the main storage unit is read into the central processing unit when necessary and used for other processing. At least part of each processing unit of the encrypted communication device 1i may be configured with hardware such as an integrated circuit. Each storage of the encrypted communication device 1i can be configured with, for example, a main storage unit such as random access memory (RAM), an auxiliary storage unit configured with a hard disk, an optical disk, or a semiconductor memory device such as flash memory, or middleware such as a relational database or a key-value store.

[0017] Hereinafter, the encrypted communication method which is executed by the encrypted communication system of the first embodiment will be described with reference to Fig. 5.

[0018] In the key storage 101 of the encrypted communication device 11 on the transmitting side, at least one common key, which is shared with the encrypted communication device 12 on the receiving side, and a key index, by which each common key is uniquely identified, are stored in a state in which they are correlated with each other. In the key storage 102 of the encrypted communication device 12 on the receiving side, the at least one common key, which is shared with the encrypted communication device 11 on the transmitting side, and the key index, by which each common key is uniquely identified, are stored in a state in which they are correlated with each other. Here, "each common key is uniquely identified" means that each common key can be uniquely identified in the entire encrypted communication system, not that each common key is uniquely identified in each key storage 10i. That is, when a key index of a common key A which is stored in the key storage 101 is 1 and a key index of a common key B which is stored therein is 2, a key index of the common key A which is stored in the key storage 102 is also 1 and a key index of the common key B which is stored therein is also 2. When the encrypted communication device 1i (i = 1, 2) communicates also with the other encrypted communication device 1j (j = 1, 2 and i ≠ j), for each encrypted communication device 1j with which the encrypted communication device 1i communicates, the encrypted communication device 1i only has to store at least one common key, which is shared with the encrypted communication device 1j, and a key index, by which each common key is uniquely identified, in a state in which they are correlated with each other. As a method by which the encrypted communication device 11 and the encrypted communication device 12 share a common key, an existing key exchange technology can be used.

[0019] In Step S11, the key selecting unit 111 of the encrypted communication device 11 selects one common key which is used for encryption from the at least one common key stored in the key storage 101 and obtains the selected common key and a key index correlated with the common key from the key storage 101. Hereinafter, the selected common key is referred to as the "encryption key". In this case, the key selecting unit 111 may select a common key, for which key exchange completion notification has not been received, of the at least one common key stored in the key storage 101. The key selecting unit 111 outputs a set made up of the selected encryption key and the key index to the encrypting unit 121.

[0020] In Step S12, the encrypting unit 121 of the encrypted communication device 11 receives the set made up of the encryption key and the key index from the key selecting unit 111 and encrypts data to be transmitted to the encrypted communication device 12 by using the encryption key. As an encryption scheme which is used by the encrypting unit 121, an existing encryption scheme defined by a communication protocol corresponding to data to be transmitted can be used. Hereinafter, the data which is encrypted is referred to as the "encrypted data". The encrypting unit 121 outputs a set made up of the generated encrypted data and the key index to the transmitting unit 131.

[0021] In Step S13, the transmitting unit 131 of the encrypted communication device 11 receives the set made up of the encrypted data and the key index from the encrypting unit 121 and transmits the encrypted data with the key index added thereto to the encrypted communication device 12.

[0022] In Step S14, the receiving unit 142 of the encrypted communication device 12 receives the encrypted data with the key index added thereto from the encrypted communication device 11. This key index is a key index corresponding to the encryption key used when the encrypted data was encrypted and is a key index corresponding to any one of the at least one common key stored in the key storage 102 of the encrypted communication device 12. The receiving unit 142 outputs the received key index to the key obtaining unit 152 and outputs the received encrypted data to the decrypting unit 162.

[0023] In Step S15, the key obtaining unit 152 of the encrypted communication device 12 receives the key index from the receiving unit 142 and retrieves and obtains a common key correlated with the key index from the key storage 102 of the encrypted communication device 12. Hereinafter, the obtained common key is referred to as the "decryption key". It goes without saying that, since the encryption key and the decryption key are correlated with the same key index, they are one and the same common key. The key obtaining unit 152 outputs the obtained decryption key to the decrypting unit 162.

[0024] In Step S16, the decrypting unit 162 of the encrypted communication device 12 receives the decryption key from the key obtaining unit 152 and decrypts the encrypted data received from the receiving unit 142 by using the decryption key. A decryption scheme which is used by the decrypting unit 162 is a decryption scheme corresponding to the encryption scheme used by the encrypting unit 121.

[0025] As a result of the encrypted communication system of the first embodiment being configured as described above, the encrypted communication system transmits encrypted data with a key index, which corresponds to a common key used for encryption, added thereto, which makes it possible to use even a common key, for which key exchange completion notification has not been received, for encryption and decryption if a key exchange itself is completed. Thus, even when key exchange completion notification is delayed due to the influence of, for example, priority control of a network or the like and encrypted data arrives before the key exchange completion notification, the encrypted data can be correctly decrypted.

[Second embodiment]



[0026] In the first embodiment, a configuration in which a key index, by which each common key is uniquely identified, is stored in advance in the key storage 10i in a state in which a key index is correlated with each common key has been described. In an encrypted communication system of a second embodiment, a configuration is adopted in which a key index is generated as occasion arises by using a one-way function which is shared between encrypted communication devices. Hereinafter, a difference between the encrypted communication system of the second embodiment and the encrypted communication system of the first embodiment will be mainly described.

[0027] In the key storage 101 of the encrypted communication device 11 of the second embodiment, at least one common key, which is shared with the encrypted communication device 12 on the receiving side, and a one-way function, which is shared with the encrypted communication device 12 of the second embodiment, are stored. In the key storage 102 of the encrypted communication device 12 of the second embodiment, at least one common key, which is shared with the encrypted communication device 11 on the transmitting side, and the one-way function, which is shared with the encrypted communication device 11 of the second embodiment, are stored. As this one-way function, a hash function such as SHA-256 can be used.

[0028] In Step S11, the key selecting unit 111 of the encrypted communication device 11 selects one encryption key which is used for encryption from the at least one common key stored in the key storage 101 and obtains the selected encryption key from the key storage 101. Moreover, the key selecting unit 111 generates an output which is obtained when the obtained encryption key is input to the one-way function stored in the key storage 101 as a key index. The key selecting unit 111 outputs a set made up of the selected encryption key and the key index to the encrypting unit 121.

[0029] The processing from Steps S12 to S14 is the same as that of the first embodiment.

[0030] In Step S15, the key obtaining unit 152 of the encrypted communication device 12 receives the key index from the receiving unit 142 and obtains a common key by which an output, which is equal to the received key index, is obtained when the common key stored in the key storage 102 is input to the one-way function stored in the key storage 102 as a decryption key. The key obtaining unit 152 outputs the obtained decryption key to the decrypting unit 162.

[0031] The processing in Step S16 is the same as that of the first embodiment.

[0032] As a result of the encrypted communication system of the second embodiment being configured as described above, although the amount of computation needed to calculate a key index every time an encryption key is selected and every time a decryption key is obtained is increased, there is no need to store a key index in advance in the encrypted communication devices in such a way that the key index is shared therebetween, which eliminates the need for key index sharing processing at the time of a key exchange and makes it possible to reduce the capacity of the key storage 10i of the encrypted communication device 1i.

[0033] While the embodiments of the present invention have been described, specific configurations are not limited to these embodiments, but design modifications and the like within a range not departing from the spirit of the invention are encompassed in the scope of the invention, of course. The various processes described in the embodiments may be executed in parallel or separately depending on the processing ability of a device executing the process or on any necessity, rather than being executed in time series in accordance with the described order.

[Program and recording medium]



[0034] When various types of processing functions in the devices described in the above embodiments are implemented on a computer, the contents of processing function to be contained in each device is written by a program. With this program executed on the computer, various types of processing functions in the above-described devices are implemented on the computer.

[0035] This program in which the contents of processing are written can be recorded in a computer-readable recording medium. The computer-readable recording medium may be any medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory.

[0036] Distribution of this program is implemented by sales, transfer, rental, and other transactions of a portable recording medium such as a DVD and a CD-ROM on which the program is recorded, for example. Furthermore, this program may be stored in a storage unit of a server computer and transferred from the server computer to other computers via a network so as to be distributed.

[0037] A computer which executes such program first stores the program recorded in a portable recording medium or transferred from a server computer once in a storage unit thereof, for example. When the processing is performed, the computer reads out the program stored in the storage unit thereof and performs processing in accordance with the program thus read out. As another execution form of this program, the computer may directly read out the program from a portable recording medium and perform processing in accordance with the program. Furthermore, each time the program is transferred to the computer from the server computer, the computer may sequentially perform processing in accordance with the received program. Alternatively, a configuration may be adopted in which the transfer of a program to the computer from the server computer is not performed and the above-described processing is executed by so-called application service provider (ASP)-type service by which the processing functions are implemented only by an instruction for execution thereof and result acquisition. It should be noted that a program according to the present embodiment includes information which is provided for processing performed by electronic calculation equipment and which is equivalent to a program (such as data which is not a direct instruction to the computer but has a property specifying the processing performed by the computer).

[0038] In the present embodiment, the present device is configured with a predetermined program executed on a computer. However, the present device may be configured with at least part of these processing contents realized in a hardware manner.


Claims

1. An encrypted communication device comprising:

a key storage that stores at least one common key which is shared with another encrypted communication device;

a key selecting unit that selects an encryption key from the at least one common key stored in the key storage;

an encrypting unit that generates encrypted data by encrypting, by using the encryption key, data to be transmitted to the other encrypted communication device;

a transmitting unit that transmits, to the other encrypted communication device, the encrypted data with a key index, by which the encryption key is uniquely identified, added thereto;

a receiving unit that receives the encrypted data with the key index added thereto from the other encrypted communication device;

a key obtaining unit that obtains, from the at least one common key stored in the key storage, a decryption key corresponding to the key index added to the encrypted data; and

a decrypting unit that decrypts the encrypted data by using the decryption key.


 
2. The encrypted communication device according to Claim 1, wherein
the key storage stores a key index, by which each common key is uniquely identified, in a state in which the key index is correlated with each common key,
the key selecting unit selects the encryption key from the at least one common key stored in the key storage and obtains the key index correlated with the encryption key, and
the key obtaining unit obtains, as the decryption key, the common key correlated with a same key index as the key index added to the encrypted data from the at least one common key stored in the key storage.
 
3. The encrypted communication device according to Claim 1, wherein
the key selecting unit selects the encryption key from the at least one common key stored in the key storage and obtains, as the key index, an output which is obtained when the encryption key is input to a one-way function, and
the key obtaining unit obtains, as the decryption key, the common key by which an output, which is equal to the key index added to the encrypted data, is obtained when the common key stored in the key storage is input to the one-way function.
 
4. An encrypted communication system in which a plurality of encrypted communication devices transmit and receive encrypted data, wherein
each encrypted communication device includes

a key storage that stores at least one common key which is shared with another encrypted communication device,

a key selecting unit that selects an encryption key from the at least one common key stored in the key storage,

an encrypting unit that generates the encrypted data by encrypting, by using the encryption key, data to be transmitted to the other encrypted communication device,

a transmitting unit that transmits, to the other encrypted communication device, the encrypted data with a key index, by which the encryption key is uniquely identified, added thereto,

a receiving unit that receives the encrypted data with the key index added thereto from the other encrypted communication device,

a key obtaining unit that obtains, from the at least one common key stored in the key storage, a decryption key corresponding to the key index added to the encrypted data, and

a decrypting unit that decrypts the encrypted data by using the decryption key.


 
5. An encrypted communication method by which a first encrypted communication device and a second encrypted communication device transmit and receive encrypted data, wherein
the first encrypted communication device stores at least one common key, which is shared with the second encrypted communication device, in a first key storage,
the second encrypted communication device stores the at least one common key, which is shared with the first encrypted communication device, in a second key storage,
the first encrypted communication device selects an encryption key from the at least one common key stored in the first key storage,
the first encrypted communication device generates the encrypted data by encrypting, by using the encryption key, data to be transmitted to the second encrypted communication device,
the first encrypted communication device transmits, to the second encrypted communication device, the encrypted data with a key index, by which the encryption key is uniquely identified, added thereto,
the second encrypted communication device receives the encrypted data with the key index added thereto from the first encrypted communication device,
the second encrypted communication device obtains, from the at least one common key stored in the second key storage, a decryption key corresponding to the key index added to the encrypted data, and
the second encrypted communication device decrypts the encrypted data by using the decryption key.
 
6. A program for making a computer function as the encrypted communication device according to any one of Claims 1 to 3.
 




Drawing













Search report










Cited references

REFERENCES CITED IN THE DESCRIPTION



This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

Non-patent literature cited in the description