JP2002217888A - Method for finding replicated terminal - Google Patents

Abstract

PROBLEM TO BE SOLVED: To automatically find and exclude a replicated terminal in a communication system, consisting of a center and a plurality of terminals. SOLUTION: The center and a plurality of the terminal are connected through a communication network for ciphering communication with individual session keys. The center sends challenge information in the case of delivering a new session key to the terminals. Each of the terminals sends response information obtained by ciphering terminal ID and a terminal random number to a center public key to the center, which retrieves a communication log and inspects the presence/absence of terminals, having the same terminal ID and different terminal random numbers. If corresponding terminals exist, it decides that the replicated terminal exists, and the session key will not be delivered. Since random number generated by an original terminal is difficult to replicate, the replicated terminals cannot generate the same random number. Thus, the existence of the replicated terminal can be detected.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a duplicate terminal finding method, and more particularly, to a duplicate terminal finding method for automatically detecting the presence of a duplicate terminal in a communication system including a center and a plurality of terminals.

[0002]

2. Description of the Related Art In a communication system including a center and a plurality of terminals, there are the following methods for concealing information and authenticating terminals. That is, the center performs encrypted communication with the terminal using the session key. The terminal generates or obtains a session key using an individual secret key stored in advance, and decrypts the encrypted communication from the center. The center checks the authentication information created with the secret key of the terminal and performs terminal authentication.

In such a method, there is a problem how to securely store the secret key in the terminal. Therefore, a secret key is often stored in a tamper-resistant device having tamper resistance, which makes unauthorized access physically difficult. Generally, an IC card is used as a tamper-resistant device. Keep the terminal-specific secret key on the IC card,
A method of inserting this IC card into a terminal and using it is implemented in a GSM mobile phone, a pay satellite broadcasting STB, and the like.

However, in recent years, research on attacks on IC cards has been advanced, and Power Analysis Attacks, which decipher internal secret keys based on current consumption of IC cards, have been devised, and the security of IC cards is not sufficient. If the secret key is leaked, it becomes possible to forge a duplicate terminal using the secret key. In order to prevent the encrypted terminal from intercepting the encrypted communication, it is necessary to take measures such as stopping the encrypted communication and eliminating the duplicated terminal.

[0005] As a method of finding a duplicated terminal, a method of inferring that the contents of encrypted communication are leaked to the outside,
There was a method of regularly examining the duplicate terminal in the black market. Such a method has a low degree of certainty of discovery, takes a long time until discovery, and is difficult to perform automatically without manual intervention.

[0006] To cope with this, a method of detecting duplicate terminals in advance is described in Reference 1 [Tatsuyuki Matsushita, Yuji Watanabe, Kazukuni Furuhara, Hideki Imai, "Pre-authorization of unauthorized subscribers in content distribution suitable for ITS". Detection Methods, "2000 Cryptography and Information Security Symposium, SCIS2000-C09, 2000.]

[0007]

However, in the above-mentioned conventional pre-detection method, a broadcast network, ElGamal encryption, and a secret sharing method are premised, and there are many preconditions and low versatility. When a secret key is created using a secret sharing scheme, there is a collusion threshold, which is not secure against collusion. Even if the center is reliable, the amount of communication and the amount of calculation do not decrease. In the same round, multiple pieces of secret information cannot be handled per terminal. There is no countermeasure for non-receiving. The condition of the random number is unknown and the security is insufficient. The database is large. As described above, there is a problem that the system configuration conditions and the operation procedure are insufficient, and it is difficult to automatically and completely eliminate unauthorized terminals.

An object of the present invention is to solve the above-mentioned conventional problems and to efficiently find and eliminate duplicate terminals.

[0009]

In order to solve the above-mentioned problems, the present invention provides a method for finding a duplicate terminal of a communication system including a center and n (n is a natural number) terminals. A terminal random number is generated, a terminal authentication statement for the terminal random number is generated using a terminal secret key, the terminal authentication statement and the terminal random number are encrypted with a center public key and transmitted to the center as a terminal ciphertext. Decrypts the terminal ciphertext, obtains the terminal authentication text and the terminal random number, verifies the terminal authentication text with the terminal public key (or terminal secret key if the center manages the terminal secret key), and The terminal random number used for the delivery of the secret information and the terminal ID of the terminal are searched in a database in correspondence with each other, and it is checked whether there is a duplicate registration in which the same terminal ID and a different terminal random number are registered. , Terminal authentication statement The terminal random number and terminal ID of the terminal whose verification result is correct and there is no duplicate registration are registered in a database, a common key is generated using the terminal random number, secret information is encrypted with the common key, and the terminal is encrypted as a center ciphertext. , The terminal receives the center cipher text, generates a common key from the terminal random number, and decrypts the center cipher text with the common key to obtain secret information.

[0010] With this configuration, in order to obtain secret information for each round, the terminal generates an authentication statement for the terminal random number using its own secret key, and encrypts the terminal random number and the authentication statement using the public key of the center. Therefore, the center can detect the presence of a duplicate terminal when a different terminal random number is sent from a terminal having the same terminal secret key in the same round. If the duplication terminal does not send the terminal random number for fear of discovery, the duplication terminal cannot obtain the confidential information, and thus can be invalidated. Broadcasting network, ElGamal encryption, and secret sharing method are not premised, and there are few prerequisites. Therefore, versatility (applicability to various systems) is high, and many systems can be applied. Since there is no collusion threshold and an arbitrarily created secret key can be used, it is secure against collusion.

Further, the database means is a database means for registering the terminal random number and the terminal ID used for the delivery of the secret information in correspondence with each round. With this configuration, the size of the database can be reduced.

Further, the authentication text generation means and the authentication text verification means are digital signature systems. By adopting such a configuration, the center does not need to directly manage the secret key of each terminal, so that the center can be easily managed and the terminal can be prevented from falling due to unauthorized use of the center.

Further, the authentication text generation means and the authentication text verification means are a message authentication code (MAC) system using a keyed hash or a common key encryption. With such a configuration, the center can verify the authentication statement at high speed. If the center is assumed to be reliable, the MAC can be used to authenticate the terminal and its random number, minimizing the amount of communication and computation.

Further, the common key generating means is means for outputting the terminal random number as a common key as it is. With such a configuration, a common key can be easily generated.

Further, instead of the public key encrypting means and the public key encrypting / decrypting means, a key sharing method using random numbers (for example,
A key shared using the ffie-Hellman key agreement method is used as a random number. With this configuration, the terminal and the center can generate random numbers equally.

Further, the center ciphertext includes a MAC to detect tampering and spoofing. With such a configuration, falsification and impersonation can be detected at high speed.

In addition, a digital signature is included in the center ciphertext to detect tampering or spoofing. With this configuration, the center can detect falsification or impersonation without managing the secret key of each terminal.

The secret information is used as a session key between the center and the terminal. With such a configuration, a session key that can be used for temporary encrypted communication and authentication can be shared between the center and each terminal.

The secret information is configured as a group key shared by the center and a plurality of terminals. With such a configuration, the group and the terminal can share a group key that can be used for encrypted broadcast communication.

Further, a center random number is added as transmission information of the center, a terminal generates an authentication statement for the center random number, and the center verifies the authentication statement, so that the authentication method becomes challenge-response authentication and secure. Performance can be improved.

The center random number is a center random number common to a plurality of terminals. With this configuration,
Only one center random number required for the total number of terminals is required.

If there are a plurality of types of secret information in one round, the terminal specifies the type of desired secret information in the terminal cipher text, and always uses the same terminal random number in the terminal cipher text in the same round, The center has a configuration in which, in the same round, secret information of a specified type is encrypted with a common key generated from the terminal random number and delivered for the terminal ciphertext in which the same terminal random number is used. With such a configuration, a duplicated terminal can be found even if there are a plurality of types of secret information.

When the terminal cannot receive the communication from the center, the terminal is provided with an inquiry means for inquiring the center about the current round number. And a retransmission requesting means for requesting retransmission to the center. With this configuration, even when the terminal cannot receive the information from the center, the discovery of the duplicate terminal and the distribution of the secret information can be resumed.

The communication system is a broadcast communication system. With such a configuration, the communication amount can be reduced by broadcasting the center random number, and the encrypted broadcasting using the group key can be realized.

Also, the terminal random number generation means must be capable of generating another random number generator that outputs the same random number, and have an output length that can neglect the probability of being the same output as the output of another random number generator by chance. Must be satisfied. With such a configuration, sufficient security against a certain attack can be ensured.

Also, during the distribution of the group key,
If a duplicate terminal is found, the group key is encrypted with the terminal public key of the terminal to which the terminal has not been distributed (or the terminal private key if the center manages the terminal private key) and distributed to the terminal to which the terminal has not been distributed. With means. With such a configuration, group communication can be restarted at an early stage. However, since a communication amount depending on the number of terminals is required, it is effective only when the number of terminals is small.

[0027]

DESCRIPTION OF THE PREFERRED EMBODIMENTS Embodiments of the present invention will be described below in detail with reference to FIGS.

(First Embodiment) In a first embodiment of the present invention, in a communication system in which a center and a plurality of terminals are connected by a communication network for performing cryptographic communication using individual session keys, the center is used. In this method, when a new session key is distributed to each terminal, a duplicate terminal is detected by checking for duplication of terminal IDs by using the fact that random numbers generated at the terminals are difficult to duplicate.

FIG. 1 is a flowchart of a duplicate terminal finding method according to the first embodiment of the present invention. In FIG. 1, a center C is an organization that distributes a session key to each terminal. The communication path N is a wireless or wired communication medium capable of performing encrypted communication. The terminal T _i is a communication device that performs encrypted communication with the center C using a session key. There are multiple terminals, i
Is a unique terminal ID for each terminal. The number of terminals may be one. Phase # 1 is a step of performing a procedure for finding a duplicate terminal. Phase # 2 is a step of performing a procedure for delivering the session key from the center C to the terminal T _i.

FIG. 2 is a configuration diagram of a center used in the duplicate terminal finding method according to the first embodiment of the present invention. In FIG. 2, a random number generating means 1 is a means for generating a pseudo random number. The transmitting unit 2 is a unit that transmits data to a terminal by wire or wirelessly. The public key decryption means 3 is a means for decrypting a cipher text encrypted with the public key of the center C. The authentication text verification unit 4 is a unit that decrypts and verifies the authentication text encrypted with the terminal private key using the terminal public key. The database means 5 is a database in which communication records with terminals are compiled. The detecting means 6 is a means for searching a database to detect terminal duplication. Common key generation means 7
Is a means for generating a common key with the terminal from the terminal random number. The common key encrypting means 8 is a means for encrypting the session key with a common key with the terminal.

FIG. 3 is a configuration diagram of a terminal used in the duplicate terminal finding method according to the first embodiment of the present invention. FIG.
, The random number generation means 1 is means for generating pseudo-random numbers that are difficult to copy. The transmitting means 2 is a means for transmitting data to the center by wire or wirelessly. Common key generation means 7
Is means for generating a common key with the center from terminal random numbers. The common key encryption / decryption means 9 is means for decrypting the session key encrypted with the common key. Authentication statement generation means 10
Is a means for encrypting a terminal random number and a center random number with a terminal secret key to generate an authentication text. The public key encryption unit 11 is a unit for encrypting the authentication text and the terminal random number with the center public key.

FIG. 4 is a flowchart of a duplicate terminal discovery phase (phase # 1) of the duplicate terminal discovery method according to the first embodiment of the present invention. FIG. 5 is a flowchart of the session key distribution phase (phase # 2) of the duplicate terminal finding method according to the first embodiment of the present invention.

The operation of the duplicate terminal finding method according to the first embodiment of the present invention configured as described above will be described.
First, the principle of the duplicate terminal finding method will be described with reference to FIG. Replication terminal discovery methods, only the center C is encrypted so that it can not decrypt the terminal random number R _i ^b and terminal authentication statements sent from the terminal T _i, verified in the center C, terminal authentication statement is correct and current only when the terminal random number different from the terminal having the same terminal ID in R _i ^b is not transmitted,
Session key SK _i depending on the terminal random number R _i ^b to the terminal T _i
^This is the protocol that gives ^b . However, the superscript b is a round number and does not mean a power. A round is the validity period of a session key. The round number is
Since each terminal is independent, it should be strictly identified by the terminal ID. However, since the description is complicated and will not be confused, it is simply written as b. The terminal ID i and the round number b may be omitted.

The duplicate terminal discovery method includes two phases: a duplicate terminal discovery phase and a session key distribution phase. In the duplicate terminal discovery phase (phase # 1), the center C performs the terminal T
and _i, the terminal T _i to authenticate the terminal random number R _i ^b that delivered encrypted by a public key of the center C. Using this terminal random number R _i ^b, sharing a common key with the terminal T _i. The center C searches the database to check for duplicate terminal identification codes. When a terminal T _i ′ having the same terminal ID and transmitting a different terminal random number is detected, the original terminal T having this terminal ID is detected.
_It can be determined that a duplicate terminal of _i exists. In the session key distribution phase (phase # 2), the center C transmits the session key SK _i ^b to the terminal T _{i having} no duplicate terminal by using the common key C
To deliver encrypted by K _i ^b.

The challenge-response authentication will be described.
The center C generates a center random number Z _i ^b and generates a challenge CH
It sent as A to the terminal T _i. The terminal T _i receives the center random number Z _i ^b received from the center C and the terminal random number R generated by itself.
against _i ^b, the authentication statements generated by its own secret key, and transmits to the center C as a response RES. By verifying this by the center C, the terminal T _i and its terminal random number R _i ^b
Authenticate. Here, the center C checks the correspondence between the terminal T _i and the terminal random number R _i ^b . When a digital signature is used, there is no need to store the secret key of each terminal in the center C, and key management becomes easy.

[0036] described the encryption of the terminal random number R _i ^b. The terminal random number R _i ^b to the secret to the facsimile reproduction terminal for holding the same terminal secret key, encrypts the terminal random number R _i ^b by center public key. Alternatively, a key shared by a method using a random number such as the Diffie-Hellman key sharing method is used instead of the terminal random number.

The search of the database will be described. Center C
Searches the database to confirm whether the session key SK _i ^b has already been delivered to the terminal T _i . If Shipped, a terminal random number R _i ^b 'used for delivery, by comparing the sent terminal random number R _i ^b, if a mismatch, it is determined that the duplicate terminal of the terminal T _i is present. Terminal T _i, since using the same random number is the same round, as long as the duplicate terminal does not exist, a response RES _i ^b using different terminal random number R _i ^b will not come.
However, whether the one terminal random number R _i ^b 'and a terminal random number R _i ^b is a random number of replicas terminal it can not be distinguished. Also, if replication terminal plurality, but could be a terminal random number R _i ^b 'terminal random number R _i ^b is a random number of both replication terminal, even if duplication terminal of any single multiple, by replicating the terminal discovery method The presence of a duplicate terminal can be detected.

The generation of the common key CK _i ^b will be described. Properly authenticated and the terminal T _i replication terminal is not found, the center C may share a common key with the terminal random number of the terminal T _i. Here, for generating the common key, it is necessary to use a method that can be generated only by the center C and the holder of the terminal random number. The simplest method is to use the terminal random number as a common key.

The encryption of the session key SK _i ^b will be described. The center C encrypts the session key SK _i ^b using the common key CK _i ^b . The terminal T _i is, like the center C, a terminal random number R _i
It generates a common key CK _i ^b than ^b. The session key SK _i ^b is decrypted using the common key CK _i ^b . Even if the terminal secret key S _i is leaked, the common key CK _i ^b cannot be generated without the terminal random number R _i ^b, so that the session key SK _i ^b can be obtained from the set of the original terminal and the copy terminal. Only one can be used. In addition, the encryption used here, unlike in the case of the response RES _i ^b, may be a common key encryption. Also, if necessary, MAC
(Message Authentication Code), you can add a function to detect tampering or spoofing.

The updating of the session key SK _i ^b will be described. The center C needs to periodically update the session key and execute the duplicate terminal discovery method in order to cope with the leakage of the session key due to the temporary passing. The shorter this period, the more
Quickly find and invalidate duplicate terminals.

A case where there are a plurality of session keys SK _i ^b will be described. If there are a plurality of types of session keys, each terminal T
_i, if the same round using the same terminal random number, and transmits the response RES _i ^b you specify the type of session key. Center C is a random number from the database to verify the same, the session key terminal T _i-specified delivery encrypted with key by the same random number.

A countermeasure against unreceived data will be described. Terminal T _i is or power-off, such as by having moved to not communicate areas, in the event that can not receive the challenge CHA _i ^b and the session key, the ability to query the current round number to the center, is added to the terminal T _i . If the round is advanced, the terminal T _i requests a retransmission to the center.

As described above, a duplicate terminal can be found. Proper terminal T _i transmits a response RES _i ^b above, when the replication terminal does not send a response RES _i ^b is duplicated terminal can not be found, since replication terminal can not obtain the session key, substantially Can be invalidated.

Second, each step of the procedure for finding a duplicate terminal (phase # 1) will be described with reference to FIGS. 2, 3, and 4. In preparation stage, the system administrator trusted not shown, a center private key Sc, a center public key Yc, a terminal secret key S _i of each terminal T _i, to generate a terminal public key Y _i. The center C, to distribute the center secret key Sc and the terminal public key Y _i in secret. The corresponding terminal secret key S _i and center public key Yc are secretly distributed to each terminal T _i .

[0045] In phase # 1-1 shown in FIG. 4, center C as shown in Figure 1, center random number Z _i ^b by the random number generator 1 in FIG. 2
Generate The transmitting unit 2 transmits a challenge CHA _i ^b = Z _i ^b that also serves as a session key update notification to the terminal T _i .

In phase # 1-2, terminal T _i shown in FIG.
It is the number generating means 1 in FIG. 3, to produce a terminal random number R _i ^b. Using its own terminal secret key S _i ,
A center random number Z _i ^b sent as a challenge CHA _i ^b from the center C, the digital signature SIG for the terminal random number R _i ^{b
_{(S i, (i‖Z i b}} ‖R i b)) , and generates the authentication sentence generating means 10. Here, (x‖y) indicates a concatenation of codes in which x is the upper digit and y is the lower digit. SIG (x, y) indicates that the key x is used to calculate the digital signature of y. The digital signature, and terminal authentication statement D _i ^b.

Using the center public key Yc, the terminal ID i
When the terminal random number R _i ^b and the terminal ciphertext for the terminal authentication statement ^{_{D i b E i b = Yc}} [i‖R i b ‖D i b] = Yc [i‖R i b ‖SIG (S i, ^{_{(i‖Z i b ‖R i b)}} )] , and it produces a public key encryption means 11. Where x [y]
Indicates that y is encrypted with the key x. This, the center C, the response also serves as a session key request notification ^{_{RES i b = E i b =}} Yc [i‖R i b ‖D i b] = Yc [i‖R i b ‖SIG (S i, (i as ^{_{‖Z i b ‖R i b))}} ], and transmits the transmitting unit 2.

In phase # 1-3, the center C in FIG.
The response RES _i ^b from the terminal T _{i is} received by a receiving unit (not shown ^).
Is received by the public key encryption / decryption means 3, and the center secret key Sc
It decodes the response RES _i ^b with to give a terminal random number R _i ^b. Authentication text verifying unit 4, using the terminal's public key Y _i of the terminal _{T i, SIG (S i,} (i‖Z i b ‖R i b)) to verify. If the verification is correct, it accepted as authenticating the terminal T _i and the terminal random number R _i ^b, the process proceeds to Phase # 1-4. If the verification result is invalid, the protocol ends.

In phase # 1-4, the center C refers to the database means 5 in which the detection means 6 stores a database in which the terminal ID and the random number used for delivery are registered in association with the terminal ID as a key. Random number used for the delivery is not registered, that is, if the session key SK _i ^b is undelivered records the terminal random number R _i ^b in the database, the process proceeds to Phase # 1-5. If the random number used for delivery has been registered, that is, if the session key SK _i ^b has been delivered, if the terminal random number R _i ^b ′ recorded in the database is equal to the received terminal random number R _i ^b, phase # 1- Go to 5. If not, it is determined that a duplicate terminal has been found, and the protocol is terminated.

[0050] In phase # 1-5, the center C is the common key generation unit 7 in FIG. 2, the terminal random number R _i ^b and the common key CK _i ^b.

Third, each step of the session key delivery procedure (phase # 2) will be described with reference to FIGS. 2, 3, and 5. The center C distributes the session key only to terminals for which no duplication has been detected.

In phase # 2-1 shown in FIG.
Terminal by a common key encryption unit 8, generates a session key SK _i ^b the common key CK _i ^b in encrypted center ciphertext ^{_{EC i b = CK i b [}} SK i b], the transmission unit 2 to send to the T _i.

[0053] In phase # 2-2, terminal T _i is the receiving unit, not shown, the center ciphertext ^{_{EC i b (= CK i b}} [SK i
^b ]). The terminal random number R _i ^b as the common key CK _i ^b, by common decryption means 9 of FIG. 3, the center ciphertext EC _i ^b (=
^{_{CK i b [SK i b]}} ) decodes to obtain the session key SK _i ^b. Terminal T _i is the case of not receiving a center ciphertext ^{_{EC i b (= CK i b}} [SK i b]), the response RESi ^b generated in phase # 1-2, retransmits the center C.

Fourth, the conditions of the random number generator will be described. The condition that the random number generation means incorporated in the terminal should satisfy is that it cannot create another random number generator that outputs the same random number,
And have an output length that can neglect the probability of being the same output as the output of another random number generator by chance. " This means that although the structure of the random number generator can be duplicated, the state of the random number or seed cannot be duplicated, and the output is 128 bits.
It is satisfied if there is some degree. Therefore, the next 12
The 8-bit random number generator satisfies the condition. -True random number generator using white noise, etc.-Pseudo random number generator or pseudo random number generator software that receives a seed that is difficult to predict and is updated based on the constantly changing unique state of each terminal

As such seeds, there are the following and combinations thereof. • Terminal memory status and system clock value • Time, time, and count related to terminal operation

Fifth, security will be described. The duplicate terminal finding method aims at finding a duplicate terminal. The purpose of the attacker is to forge a duplicate terminal to decrypt the encrypted communication. First, an attack assumed in the duplicate terminal finding method will be described. The duplicate terminal discovery method assumes an attack on the assumption that the attacker already holds the secret key of the original terminal to be duplicated. At the opportunity to illegally obtain the terminal secret key, an attacker analyzes the terminal when the member analyzes his / her terminal and while the member keeps his / her eyes away from the terminal (when lost or charged). In some cases, a secret key of another member is created by collusion of a plurality of members. On this assumption, the attacker forges the duplicate terminal and attempts to decrypt the encrypted communication.

The attack is a side attack in which the attacker can obtain the remaining secret information (session key, random number) without changing the original terminal, and the original terminal is modified or replaced with another terminal (duplicate terminal). Thus, it is divided into a modification attack that invalidates the original terminal.

Of the side-by-side attacks, in the temporary side-by-side attack,
At some point, the session key of the original terminal
A random number for obtaining this session key is leaked, and an attacker forges a duplicate terminal. In a constant diversion attack,
An unauthorized member circulates a session key of the original terminal or a random number for obtaining the session key, and an attacker forges a duplicate terminal. The alteration attack is an attack in which the original terminal is invalidated by altering the original terminal or replacing it with a duplicate terminal, and the original terminal is not found even when the duplicate terminal is used.

The method of finding a duplicated terminal in the present embodiment aims at finding a duplicated terminal against a temporary sneak attack. We do not consider that always-on and tamper attacks need to be considered for the following reasons.

It is considered that an always-distributed attack cannot easily be executed by an unauthorized member because the communication cost and the possibility of unauthorized detection of the unauthorized member increase depending on the frequency of the dissemination.

The following two cases are specifically considered as modifications. The first is a case where an attacker replaces the original terminal with a duplicate terminal when the user of the original terminal takes his eyes off. As long as the random number is synchronized with another duplicate terminal, the duplicate terminal cannot find the duplicate terminal by the random number as long as the modified original terminal is used. However, it is considered difficult to forge a duplicate terminal that is not noticed by the user of the original terminal who always uses the terminal in terms of time and cost. Detecting physical alteration is generally easier and less expensive than detecting duplicated information, and can be dealt with together.

The second is a case where the user of the original terminal is an attacker or an unauthorized member cooperating with the attacker. The original terminal is invalidated by modifying the random number generator of the original terminal so as to synchronize with the duplicate terminal or replacing the original terminal with a synchronous duplicate terminal. First, there is a high likelihood of success with the cooperation of unauthorized members. However, it cannot be easily executed because an unauthorized member is identified by a modified terminal or a duplicated terminal possessed at the time of detecting a fraud. In addition, an attack for synchronizing a duplicate terminal and a random number generator by causing a terminal to fail and always output the same random number can be detected by storing and analyzing a log for a certain period.

From the above examination, the duplicate terminal finding method is
Suppose the following assumptions are satisfied: At this time, the duplicate terminal finding method is secure. 1. The attacker holds the secret key of the terminal to be copied. 2. A temporary diversion attack is possible. 3. It is difficult to constantly circumvent and alter attacks. 4. The terminal is equipped with the random number generator defined above. 5. The original terminal is used by the member. 6. The common key cryptosystem, public key cryptosystem, MAC and digital signature system are secure.

Assumptions 1 and 2 are realistic. on the other hand,
Although the attack of Assumption 3 is theoretically possible, it is not considered because the burden on the attacker is heavy and it is predicted that it is unlikely to occur in reality. According to assumptions 3 to 5, it can be assumed that no replacement or modification is performed on the original terminal, and that the members always use the above-described random number generator. Assumption 6
Use a common key cryptosystem with a key length of about 128 bits as a common key cryptosystem, use RSA encryption or ElGamal cryptography with a key length of about 1024 bits, or use an elliptical ElGamal cryptography with a key length of about 160 bits as a public key cryptosystem, and use a key length as a MAC Using a common key encryption of about 128 bits and a hash function with a key of about 128 bits output, a DSA signature or RSA signature with a key length of about 1024 bits,
It is satisfied by using an elliptical DSA signature with a key length of about 160 bits.

The security against a temporary sneak attack will be described. The information available to the attacker is the secret key of the original terminal, the session key of the round at the time of successful attack, and the corresponding random number. It is assumed that one or more duplicated terminals and the original terminal are forged as described above.

When the session key of the round at the time of the attack is updated, if the original terminal transmits the response RES first and the duplicate terminal transmits the response RES later, the duplicate terminal can be found from the difference in the random numbers. response
If the RES is not transmitted, the duplicate terminal cannot obtain the session key, and thus is effectively invalidated. On the other hand, if the duplicate terminal transmits the response RES first and the original terminal transmits the response RES later, the duplicate terminal can be found from the difference in the random numbers.

That is, among the set of the original terminal and the duplicate terminal, only one can obtain the session key at any time, and if at least one of them transmits the response RES, the duplicate terminal can be found or invalidated. Here, according to the above assumption,
Since at least one of the sets transmits a response RES, the method of finding a duplicated terminal is safe against this attack.

The security against other attacks will be described. Other than forgery, Replay At which resends the response RES
There is tack. In response to the response RES, the center distributes the session key encrypted with the common key, so that the communication volume increases. However, since there is no random number, there is no problem because the communication cannot be decrypted. In addition, since the encryption function and the authentication text generation function are safe by assumption, it is difficult to decrypt the ciphertext and forgery / falsify the response RES. The attack that breaks down the terminal as described in the alteration attack can be dealt with if the center records and inspects the past database. Therefore, it is safest to maintain and inspect the databases of all the past rounds, but in practice, only the database for a certain period is kept due to a trade-off between cost and security. It is difficult for the center to fall into the terminal because the center does not hold the secret key of the terminal.

Sixth, differences from the conventional art will be described. This method uses RS with public key e33bit and legal / private key 1024bit.
In the conventional method, p is 1024 bits, q is 160 bits, and the output of the hash function is 128 bits. However, RSA considers the use of a method to speed up the operation of the secret key by the commonly used Chinese Remainder Theorem. The calculation amount is converted with one power residue of 1024 bits for all parameters as one. Also, n is the total number of terminals, and k is the collusion threshold. Ignore the amount of computation and ID size of common key cryptography / MAC. At this time,
This method is more efficient than the conventional method except for the amount of computation for response verification.

Conventional method This method Challenge communication amount (1024bit × (k + 2)) × n 128bit × n Challenge operation amount 0.16 × (2k + 1) None Response communication amount 2176bit 1024bit Response generation operation amount 0.48 0.28 Response verification operation amount 0.16 0.28 Database size 2176bit × n 128bit × n

As described above, according to the first embodiment of the present invention, the method of finding a duplicate terminal includes the steps of:
In a communication system connected by a communication network that performs cryptographic communication using individual session keys, when the center distributes a new session key to each terminal, terminal ID duplication is performed using the fact that random numbers generated at terminals are difficult to duplicate. Is inspected to find a duplicated terminal, so that the presence of the duplicated terminal can be automatically detected and eliminated.

(Second Embodiment) A second embodiment of the present invention relates to a communication system in which a center and a plurality of terminals are connected by a broadcast network that performs cryptographic communication using a common group key. In this method, when a center distributes a new group key to each terminal, a duplicate terminal is detected by checking for duplication of terminal IDs by using the fact that random numbers generated at the terminals are difficult to duplicate.

FIG. 6 is a flowchart of a duplicate terminal finding method according to the second embodiment of the present invention. In FIG. 6, a center C is a station that distributes a group key to each terminal. The communication path N is a wireless or wired communication medium capable of broadcast encryption communication. The terminal T _i is a communication device that performs encrypted communication with the center C using a group key. There are a plurality of terminals, and i is a terminal ID unique to each terminal. The number of terminals may be one.
Phase # 1 is a step of performing a procedure for finding a duplicate terminal. Phase # 2 is from terminal C to terminal T
_{In this} step, the procedure for delivering the group key to _i is performed. The system configuration of the duplicate terminal discovery method according to the second embodiment of the present invention is basically the same as that of the first embodiment.

FIG. 7 is a flowchart of the duplicate terminal discovery phase (phase # 1) of the duplicate terminal discovery method according to the second embodiment of the present invention. FIG. 8 is a flowchart of the group key distribution phase (phase # 2) of the duplicate terminal finding method according to the second embodiment of the present invention.

The operation of the duplicate terminal finding method according to the second embodiment of the present invention configured as described above will be described.
First, the overall operation of the duplicate terminal finding method will be described with reference to FIG. In the preparation stage, a reliable center C
Is, and its own center secret key Sc and the center public key Yc, to generate a terminal secret key S _i of each terminal, to each terminal, the corresponding terminal secret key S _i and the center public key Yc be distributed to the secret.

The duplicate terminal discovery method includes two phases, a duplicate terminal discovery phase and a group key distribution phase. In the duplicate terminal discovery phase (phase # 1), the center C performs the terminal T
and _i, the terminal T _i to authenticate the terminal random number R _i ^b which is sent encrypted with the public key of the center C. Using this terminal random number R _i ^b, sharing a common key with the terminal T _i. The center C searches the database and checks for duplicate terminal IDs. When a terminal T _i ′ having the same terminal ID and transmitting a different terminal random number is detected, it can be determined that a duplicate terminal of the original terminal T _i having this terminal ID exists. In group key distribution phase (phase # 2), center C, to the no replication terminal terminal T _i, delivers encrypted group key GK ^b by the common key CK _i ^b. In order to match the expression with the first embodiment, a form using challenge-response authentication has been described. However, in the present invention, since a challenge by the center is not essential, efficiency is more important than restrictions and security in a system to be mounted. In that case, the center does not have to send the challenge.

In the duplicate terminal discovery phase (phase # 1), the center C broadcasts a common challenge CHA to all terminals using the broadcast network N. Each terminal returns an individual response RES to the common challenge CHA.

The challenge-response authentication will be described.
Terminal, and the total terminal common center random Z ^b of the center,
Against itself generated terminal random number R _i ^b, and transmits the MAC generated by its own terminal secret key as a response RES, to the center. By this center to verify, authenticate the terminal and the terminal random number R _i ^b. Here, the center checks the correspondence between the terminal and the terminal random number. In the MAC, the center needs to store the terminal secret keys of all terminals, but the processing is light. Challenge CH by using broadcast network
A can be shared by each terminal.

[0079] described the encryption of the terminal random number R _i ^b. The terminal random number is encrypted with the center public key in order to keep the terminal random number secret from the duplicate terminal holding the same terminal secret key. Alternatively, a key shared by a method using a random number such as the Diffie-Hellman key sharing method is used instead of the terminal random number.

The search of the database will be described. center
Searches the database and finds terminal T _iAlready glue
Key GK^bHas been delivered (terminal random number R_i ^b’Is registered
Check). If delivered, the terminal used for delivery
Random number R_i ^b’And the transmitted terminal random number R_i ^bCompare
If they do not match, the terminal T_iIt is determined that a duplicate terminal exists.
Refuse. Terminal T_iUses the same random number in the same round
Therefore, unless a duplicate terminal exists, a different terminal random number R
_i ^bNo response RES using. However, the terminal random number
R_i ^b’And terminal random number R_i ^bIs the random number of the duplicate terminal
Cannot be distinguished. If there are multiple duplicate terminals,
Random number R_i ^b’And terminal random number R_i ^bAre both terminal random numbers of the duplicate terminal
There may be, but in any case, duplicate terminal discovery
A duplicate terminal can be found by the method.

The generation of the common key CK _i ^b will be described. The center is
Terminals that are correctly authenticated and whose duplicate terminals are not found,
The common key is shared by the random number. Here, for generating the common key, it is necessary to use a method that can be generated only by the center and the holder of the terminal random number. The simplest method is to use the terminal random number as a common key.

Group Key Distribution Phase (Phase # 2)
, The center C encrypts the group key GK ^b with the common key CK _i ^b and delivers it to the terminal T _{i having} no copy terminal. Explaining the encryption of the group key GK ^b. The center is
By using the common key CK _i ^b, to encrypt the group key GK ^b. The terminal T _i , like the center, receives the common key CK _i from the terminal random number R _i ^b.
Generate ^b . In the common key CK _i ^b, to decrypt the group key GK ^b. Even if the terminal secret key S _i is leaked, the common key CK _i ^b cannot be generated without the terminal random number R _i ^b, so that the group key GK ^b can be obtained from the set of the original terminal and the duplicate terminal. There is only one. If necessary, a function for detecting tampering or impersonation can be added by using a MAC.

[0083] described the update of the group key GK ^b. The center needs to periodically update the group key and execute the duplicate terminal discovery method in order to cope with the leakage of the group key due to the temporary passing. The shorter this period is, the sooner the duplicate terminal can be found and invalidated.

[0084] group key GK ^b will be described a case of multiple.
When there are a plurality of types of group keys, each terminal transmits a response RES specifying the type of the group key using the same random number in the same round. The center confirms that the terminal random numbers are the same from the database, encrypts the group key specified by the terminal using the same random number, and delivers the encrypted group key.

The measures against non-reception will be described. When the terminal is turned off or moved to an area where communication is not possible, a challenge CHA or group key cannot be received. , The terminal requests retransmission to the center.

As described above, a duplicate terminal can be found. If the legitimate terminal sends the response RES first and the duplicate terminal does not send the response RES,
Although the duplication terminal cannot be found, the duplication terminal cannot obtain the group key, and thus can be substantially revoked. The difference from the first embodiment is that, since a MAC is used instead of a digital signature, the processing is fast and the challenge CHA can be shared by each terminal by using a broadcast network. That is, the communication volume is small, and the group key is delivered instead of the session key. The difference in security is that the center needs to be a trusted organization to store the terminal private key of each terminal.

Second, each procedure of duplicate terminal discovery (phase # 1) will be described with reference to FIG. 2, FIG. 3, and FIG. In phase # 1-1 of Figure 7, the center C generates a center random number Z ^b by the random number generator 1 in FIG. 2, in all terminals, Challenge CHA ^b = Z ^b serving as the update notification group key, transmits Transmit by means 2. However, the superscript b is a round number and does not mean a power. A round is the validity period of a group key.

In phase # 1-2, each terminal T _i
The random number generator 1 generates a terminal random number R _i ^b. The authentication statement generation means 10 uses the terminal secret key S _i of its own and the terminal ID i and the challenge CHA ^b from the center C.
MAC for the center random number Z ^b and the terminal random number R _i ^b
(Message Authentication Code: message authentication code) to generate, and the terminal authentication statement D _i ^{b. _{That, D i b = MAC (S}} i, (i‖Z b ‖R i b)) to generate a. However, MAC (x, y) uses key x and y
Is calculated. The public key encryption unit 11, using the center public key Yc of the center C, the terminal ID and the terminal random number R _i ^b and the terminal ciphertext for the terminal authentication statement ^{_{D i b E i b = Yc}} [i‖R ^{_{i b ‖D i b] = Yc}} [i‖R i b ‖MAC (S i, (i‖Z b ‖R i b)) for generating a. This, the center C, the response also serves as a session key request notification ^{_{RES i b = E i b =}} Yc [i‖R i b ‖D i b] = Yc [i‖R i b ‖MAC (S i, (i as ^{_{‖Z b ‖R i b))]}} , it is transmitted by the transmitting means 2.

In phase # 1-3, the center C in FIG.
The terminal T is received by a receiving unit (not shown). _iResponse R from
ES_i ^bTo receive. The public key decryption means 3
Response RES using center secret key Sc_i ^bDecrypt
And the terminal random number R_i ^bGet. The authentication statement verification means 4
End T_iTerminal secret key S_iUsing the terminal authentication statement D_i ^bVerify
I do. If the verification result is correct, the terminal T_iAnd terminal random number R_i
^bAnd proceed to phase # 1-4.
No. If the verification result is invalid, the protocol ends.

In phase # 1-4, the center C receives the terminal ID
Database means 5 storing a database in which the database is registered in association with a random number used for delivering the group key.
Is referred to by the detecting means 6 using the terminal ID as a key.
If the group key GK ^b is undelivered (terminal random number is not registered), in the database, and record the terminal random number R _i ^b, the process proceeds to Phase # 1-5. If the group key GK ^b has been delivered (terminal random number is registered), the terminal random number R _i ^b ′ recorded in the database and the received terminal random number R _i ^b
If are equal, proceed to phase # 1-5. If different,
It determines that a duplicate terminal has been found, and terminates the protocol.

[0091] In phase # 1-5, the center C is the common key generation unit 7, the terminal random number R _i ^b and the common key CK _i ^b.

Third, each procedure of group key distribution (phase # 2) will be described with reference to FIGS. 2, 3, and 8. In phase # 2-1 shown in FIG. 8, the center C is the common key encryption means 8, the common key CK _i ^b using a center ciphertext by encrypting the group key ^{_{GK b EC i b = CK i}} b generates a [GK ^b], the transmission unit 2 to the terminal T _i.

In phase # 2-2, terminal T _{i of} FIG.
The center ciphertext EC _i ^b (=
CK _i ^b [GK ^b ]) is received. The common key decryption means 9, a terminal random number R _i ^b and common key CK _i ^b, center ciphertext EC _i ^b
(= CK _i ^b [GK ^b ]) to obtain the group key GK ^b . Terminal T _i is the case of not receiving a center ciphertext ^{_{EC i b (= CK i b}} [GK b]), a response RES generated in phase # 1-2, retransmits the center C.

The difference from the prior art will be described. Conventional method This method Condition Challenge communication amount 1024bit × (k + 2) 128bit Challenge operation amount 0.16 × (2k + 1) None Response communication amount 2176bit 1024bit Response generation operation amount 0.48 0.03 Response verification operation amount 0.16 0.25 Verification of this method is MAC Database size 2176bit × n 128bit × n

The present method is more efficient than the conventional method except for the operation amount of the response verification. In particular, the center is reliable,
The condition that the total communication amount and the operation amount of the terminal are small is suitable for mobile communication. The communication volume can be further reduced by using the elliptical ElGamal encryption instead of the RSA, but the calculation amount of the terminal increases more than in the case of the RSA. The conventional method has the advantage that there is no need to verify the certificate of the terminal's public key in the PKI, but the center can store the verified public key in advance, so the amount of computation for certificate verification is Can be ignored.

Group communication with a large number of terminals belonging to a group
Group key GK ^bThe distribution end during distribution
If found, the current group key GK^b-1Dark using
Canceled communication and early GK^bResumes encrypted communication using
Need to be However, the group key GK^bDistribution
Requires two-way communication for each terminal,
Key GK^bMay take some time to complete distribution
You. Therefore, the inspection of the duplicate terminal of the remaining terminals is postponed.
And the untested terminal T_iFor the terminal secret key S_iOr end
End public key Y_iBy group key GK_bAnd encrypt and distribute
As a result, it is possible to distribute at high speed.

As described above, according to the second embodiment of the present invention, the method for finding a duplicated terminal includes the steps of:
In a communication system connected by a broadcast network that performs cryptographic communication using a common group key, when the center distributes a new group key to each terminal, it uses the fact that random numbers generated at the terminals are difficult to duplicate, and the terminal ID is used. Since the configuration is such that duplicate terminals are found by checking for duplication, the existence of the duplicate terminals is automatically detected and eliminated, and the group key can be distributed.

[0098]

As is apparent from the above description, according to the present invention, a method for finding a duplicate terminal in a communication system including a center and a plurality of terminals is described. The secret information update notification and the center random number are sent to the terminal as a challenge.
Receiving the challenge, generating a terminal random number for each round, generating a terminal random number and a terminal authentication statement for the terminal random number using a terminal private key, encrypting the terminal authentication statement and the terminal random number with the center public key to generate a terminal cipher text The terminal transmits to the center, the center C decrypts the terminal cipher text with the center secret key, obtains the terminal authentication text and the terminal random number, verifies the terminal authentication text with the terminal public key, and uses the terminal used for delivery of secret information. Random number and terminal ID
Is searched in the database registered in correspondence with the same terminal ID and different terminal random numbers are registered for the presence or absence of duplicate registration, the verification result of the terminal authentication statement is correct,
In addition, the terminal random number of the terminal having no duplicate registration is registered in the database, a common key is generated using the terminal random number, secret information is encrypted with the common key, and transmitted to the terminal as a center ciphertext. The center receives the ciphertext, generates a common key from the terminal random numbers, and decrypts the center ciphertext with the common key to obtain secret information. If the duplication terminal does not send a random number, the duplication terminal cannot obtain the secret information, so that there is an effect that the duplication terminal can be invalidated.

[Brief description of the drawings]

FIG. 1 is a flowchart of a duplicate terminal discovery method according to a first embodiment of the present invention;

FIG. 2 is a configuration diagram of a center used in a duplicate terminal discovery method according to the first embodiment of the present invention;

FIG. 3 is a configuration diagram of a terminal used in a duplicate terminal discovery method according to the first embodiment of the present invention;

FIG. 4 is a flowchart of a duplicate terminal discovery phase (phase # 1) of the duplicate terminal discovery method according to the first embodiment of the present invention;

FIG. 5 is a flowchart of a session key distribution phase (phase # 2) of the duplicate terminal finding method according to the first embodiment of the present invention;

FIG. 6 is a flowchart of a duplicate terminal discovery method according to the second embodiment of the present invention;

FIG. 7 is a flowchart of a duplicate terminal discovery phase (phase # 1) of the duplicate terminal discovery method according to the second embodiment of the present invention;

FIG. 8 is a flowchart of a group key distribution phase (phase # 2) of the duplicate terminal finding method according to the second embodiment of the present invention.

[Explanation of symbols]

 REFERENCE SIGNS LIST 1 random number generation means 2 transmission means 3 public key encryption / decryption means 4 authentication text verification means 5 database means 6 detection means 7 common key generation means 8 common key encryption means 9 common key encryption / decryption means 10 authentication text generation means 11 public key encryption Means

 ──────────────────────────────────────────────────続 き Continued on the front page (72) Inventor Natsume Matsuzaki 3-20-8 Shin-Yokohama, Kohoku-ku, Yokohama-shi, Kanagawa Prefecture Inside Advanced Mobile Communication Security Technology Research Institute, Inc. (72) Inventor Tsutomu Matsumoto Aoba-ku, Yokohama-shi, Kanagawa Persimmon wood stand 13-45 F term (reference) 5B017 AA03 BA07 5B085 AE29 5J104 AA07 AA08 AA09 AA16 AA18 BA03 EA06 EA18 KA02 KA06 LA01 LA06 NA02 NA03

Claims (18)

[Claims] 1. A center C and n terminals T (n is a natural number)
_i (where i is a terminal ID), the terminal T _i generates a terminal random number R _i ^b (superscript b is a subscript indicating a round number) in round b, and the terminal random number R _i ^b terminal authentication statement D _i ^b generated by the terminal secret key S _i with respect to the terminal authentication statement D _i ^b and the terminal random number R _i and ^b encrypted with center public key Yc terminal ciphertext E _i ^b To the center C, and the center C transmits the terminal ciphertext E _i with the center secret key Sc.
^b to obtain the terminal authentication text D ^ib and the terminal random number R _ib , and use the terminal public key Y _i (or the terminal secret key S _i when the center manages the terminal secret key) to obtain the terminal authentication text D _i ^b and the terminal random number R _i ^b. verifies the terminal authentication statement D _i ^b, for each round, and the terminal random number R _i ^b used for delivery of confidential information, and a terminal ID of the terminal T _i, by searching the database registered in correspondence, Same terminal ID
In and different terminal random number checks for duplicate registration that has been registered, the terminal random number R _i ^b of the verification result of the terminal authentication statement D _i ^b are correct and the duplicate registration is not the terminal T _i
The terminal ID registered in the database as, by using this device random number R _i ^b, the common key CK _i ^b generates the common key CK _i ^b by the secret information K _i ^b the encrypted center ciphertext transmitted to the terminal T _i as EC _i ^b, the terminal T _i, the center receives the ciphertext EC _i ^b, generates a common key CK _i ^b from the terminal random number R _i ^b, the center ciphertext EC replication terminal discovery method characterized by obtaining the secret information K _i ^b a _i ^b and decrypted by the common key CK _i ^b. 2. A center C and n terminals T (n is a natural number)
_iFinding duplicate terminal of communication system including (i is terminal ID)
In the scheme, the terminal T_iIs the terminal random number R in round b_i ^b(Up
Append b is a subscript indicating the round number) Terminal random number that generates
Generating means, and the terminal random number R_i ^bAuthentication statement D for_i ^b
To the terminal secret key S_iAuthentication statement generation means generated by
Terminal authentication statement D_i ^bAnd the terminal random number R_i ^bTo the center public key Y
Encrypt with c and encrypt the terminal E_i ^bPublic key encryption to generate
Means and said terminal ciphertext E_i ^bTerminal transmitting means for transmitting
And the terminal random number R_i ^bFrom the common key CK_i ^bTerminal that generates
Side common key generation means and secret information K_i ^bTo the common key CK_i ^b
Center ciphertext EC encrypted by_i ^bTo the common key CK
_i ^bAnd a common key encryption / decryption means for decrypting the terminal ciphertext E with a center secret key Sc._i
^bTo decrypt the terminal authentication statement D_i ^bAnd the terminal random number R_i ^bTo
Public key encryption / decryption means for obtaining the terminal authentication statement D _i ^bThe terminal
Public key Yi (if the center manages the terminal secret key,
Terminal secret key S_i) And the authentication statement verification means
Terminal random number R used for delivery of secret information_i ^b
And the terminal T_iData to be registered in association with the terminal ID of
Database means and the same terminal by searching the database
Duplicate registration with ID and different terminal random numbers registered
Detecting means for detecting, and the terminal authentication statement D_i ^bThe verification result of
The terminal T that is correct and has no duplicate registration_iThe end of
Terminal random number R_i ^bUsing the common key CK_i ^bCenter that generates
Side common key generation means, and the common key CK_i ^bBy confidential information
K_i ^bThe center ciphertext EC obtained by encrypting_i ^bGenerate
Key-pass encryption means, and the center ciphertext EC_i ^bThe terminal
T_iTransmission means for transmitting to the
Terminal discovery method. 3. The duplicate terminal discovery method according to claim 2, wherein said authentication text generation means and said authentication text verification means use a digital signature. 4. The duplication according to claim 2, wherein said authentication text generating means and said authentication text verification means are means using a message authentication code (MAC) using a keyed hash or a common key cryptosystem. Terminal discovery method. 5. A method according to claim, characterized in that the center-side common key generating means and the terminal-side common key generating means, and a means for outputting the terminal random number R _i ^b as it is as the common key CK _i ^b 2 Described duplicate terminal discovery method. 6. A means for sharing a key by using one of key sharing methods using random numbers including a Diffie-Hellman key sharing method instead of the public key encryption means and the public key encryption / decryption means,
3. The method according to claim 2, further comprising means for using the shared key as a terminal random number. 7. The center C is provided with the center ciphertext EC.
The means for including the message authentication code (MAC) provided _i ^b, to the terminal T _i, replication terminal discovery method according to claim 2, characterized in that a means for detecting tampering or spoofing. 8. The center C is provided with the center ciphertext EC.
_a means for including a digital signature in _i ^b , the terminal T _i
3. The duplicate terminal discovery method according to claim 2, further comprising means for detecting tampering or spoofing. Wherein said secret information K _i ^b is duplicated terminal discovery method according to claim 2, characterized in that the session key SK _i ^b of the center C and the terminal T _i. Wherein said secret information K _i ^b and replication terminal discovery method according to claim 2, characterized in that a group key GK ^b shared by the center C and a plurality of terminals. 11. The terminal T_iIs received from the center C.
Received center random number Z_i ^bAnd the terminal random number R_i ^bTerminal for
Authentication statement D_i ^bTo the terminal secret key S_iGenerated authentication statement generated by
Means, wherein the center C is the center random number Z_i ^bCenter that generates
Random number generator and update of secret information in previous round
Notification and center random number Z_i ^bTo the terminal T_iTo send to
3. A transmission device according to claim 2, further comprising:
Duplicate terminal discovery method described above. 12. The center random number Z_i ^bTo multiple devices
Common center random number Z ^b3. The method according to claim 2, wherein
Described duplicate terminal discovery method. To 13. The terminal T _i, and means for the secret information in the same round to specify the type of desired secret information to the terminal ciphertext E _i ^b when multiple types exist, always the same in the same round provided and means for using said terminal random number R _i ^b to the terminal ciphertext E _i ^b, the center C
In the same said terminal random number R _i ^b is designated at the terminal ciphertext E _i ^b used types of secret information in the same round, by the terminal random number R _i the common key generated from ^b CK _i ^b 3. The method according to claim 2, further comprising means for encrypting and delivering. To 14. The terminal T _i, the inquiry means for inquiring the current round number for the center C if it can not receive a communication from the center C, the round number of the terminal T _i and the center C 3. The duplicate terminal discovery method according to claim 2, further comprising retransmission request means for requesting the center C to perform retransmission when b is different. 15. The method according to claim 2, wherein the communication system is a broadcast communication system. 16. A means for generating the center public key Yc and the center secret key Sc and the terminal public key Y _i and the terminal secret key S _i, and means for distributing the center public key Yc to all terminals , A means for distributing the center secret key Sc and all the terminal public keys Y _i to the center C, and means for distributing the terminal secret key S _i to the corresponding terminals T _i. 3. A method according to claim 2, wherein said communication system comprises means. 17. The terminal random number generation means cannot generate another random number generator that outputs the same random number, and has an output length that can neglect the probability of being the same output as the output of another random number generator by chance. 3. The condition is satisfied.
Described duplicate terminal discovery method. 18. The middle of the distribution of the group key GK ^b, if replication terminal is found, the group key GK ^b
The said group key GK ^b by the terminal public key Y _i of the terminal T _i of undelivered (terminal secret key S _i if center manages the terminal secret key) to the terminal T _i of encrypting the undelivered 11. The duplicate terminal discovery method according to claim 10, further comprising means for distributing.