JP2002290397A - Secure communication method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a secure communication method with high security that can decrease a load on calculation processing and data transmission. SOLUTION: The secure communication method is characterized in that this method uses a key management server S that authenticates registered entities Cl1, Cl2 and generates a private key, provides the same private key to each entity making mutual communication, conducts mutual authentication between the entities for the mutual communication by confirming the possession of the same private key (session key), uses the private key to encrypt data sent/received between the entities going to make mutual communication according to the symmetrical encryption system after the end of mutual authentication and transmits the encrypted data.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a secure communication method capable of ensuring simple and effective security when exchanging information via a network.

[0002]

2. Description of the Related Art A wide-area use of medical-related information using a communication network for medical institutions and medical service participants has been planned and studied for practical use. In this case, the medical-related information includes the patient's chart, diagnostic image, test data, and the like, and the information is transmitted using a communication network. Therefore, falsification of the data and personal privacy can be guaranteed. Must be a system,
In addition, the system must be able to prevent unauthorized intrusion including spoofing.

As a communication layer security method for a client / server system, SSL [Ref.
he SSL, Protocol V3.0, Netscape Communication
Corporation, 1996.3 ”]. SSL provides security features between client / server entities, such as mutual authentication, concealment of transmitted data, and guaranteeing the integrity of transmitted data. The use of security schemes is considered.

[0004] However, the key management in the SSL system is based on a public key encryption technology for unspecified majority communication. For this reason, there are the following problems, particularly when considering application to the construction of a local network security system.

(1) First, the overhead of key generation processing and key distribution is large.

That is, the public key is generally 1024
Since a capacity of about [bit] is provided, the amount of communication becomes large, and the amount of calculation required for key processing is large, and the problem of long processing time remains.

(2) Second, the secret key of the client-side user cannot be recovered. That is, there is a problem that the recovery cannot be performed when the secret key is lost.

(3) Thirdly, it is unclear how secure it is against various protocol attacks in the future. One of the attacks on the algorithm, which breaks into the protocol exchanges and makes it unclear how much security is guaranteed against protocol attacks.

(4) Fourth, global PKI,
X. Considering the cooperation of cryptosystems related to public keys such as 509, early security construction is not an issue.

[0010]

The key management of the SSL system, which provides security functions such as mutual authentication, transfer data concealment, and transfer data integrity assurance between client / server entities, is intended for unspecified multiple communication. Based on public key cryptography. Therefore, particularly when constructing a local network security system, (1) the overhead of key generation processing and key distribution is large.

(2) The secret key of the client-side user cannot be recovered.

(3) It is unclear how safe it is against various protocol attacks in the future.

(4) Global PKI and X.400 Considering the cooperation of cryptosystems related to public keys such as 509, early security construction is not a factor.

There is such a problem.

Therefore, there is an urgent need for a system that can reduce the load on calculation processing and data transmission, can prevent data tampering and guarantee personal privacy, and is resistant to unauthorized intrusion including spoofing. Is done.

Therefore, an object of the present invention is to reduce the load on calculation processing and data transmission, to prevent data tampering and to guarantee the privacy of individuals, and to withstand against intrusion including spoofing. It is to provide a strong secure communication method.

[0017]

In order to achieve the above object, the present invention is configured as follows. That is, first, while performing authentication of a registered entity, a key management server that generates a secret key is used, and at the time of entity authentication, the same secret key is given to each entity that intends to perform mutual communication. The mutual authentication between the entities attempting the mutual communication is performed by confirming possession of the same secret key (session key). After the mutual authentication is completed, the data exchanged between the entities attempting the mutual communication is performed. Is encrypted by the symmetric encryption method using the secret key and transmitted.

Secondly, the individual key of each entity generated by processing the ID information of each entity using the master key is stored in the corresponding entity, and a key management server is provided to register the registered key therein. The key management server generates a first random number when there is a communication request between the entities, and uses the first random number for the entity that has made a communication request when there is a communication request between the entities. In the key management server, the key management server transmits the data together with the second random number generated by itself and receives the second random number generated by the entity together with the second random number generated by the entity. The first random number is reproduced and compared with the generated first random number, and the second random number is converted with the individual key of the entity. The second random number is reproduced by performing a re-conversion process on the entity side, and the key management server and the entity are authenticated by comparing the second random number with the original second random number. After the mutual authentication between the client and the entity is completed, the key management server sends the secret key information (that is, the session key (or its kind) k
s) is temporarily generated with a limited expiration date, and the generated secret key information is distributed to each of the target entities that have made a communication request. The mutual authentication is performed by sharing the secret key information, and the subsequent communication between the entities establishes a secure communication path by using the secret key information for the encryption process. .

Third, the transmitting side processes the data to be transmitted by using a hash function and encrypts the data to add signature-processed information to the transmission data, and the receiving side processes the received data using the hash function. A verification function (data integrity compensation function) for verifying falsification of transmission data based on the presence or absence of a match by comparing the encrypted information with the signature-processed information on the transmission side by the first or second secure communication method. Used together.

According to the present invention, whether or not an entity that has made a communication request is a registered entity is confirmed by mutual authentication with a key management server. Private key information is given to each entity that communicates with the entity, mutual authentication of the entities is performed by sharing the secret key information, and thereafter, data communication is performed with symmetric key encryption technology using the secret key information, By employing the symmetric key encryption technology, the following can be expected.

First, since the individual key of each client is generated by encrypting using the ID information of each client (entity) and the master key of the key management server S, the individual key can be generated at high speed. Then, since the symmetric key encryption is used, the length of the generated key is 56 [bit] to 168 [bit].
And therefore the traffic overhead is small,
The amount of calculation required for the encryption process can be reduced.

Second, the client-side individual key can be recovered from the client ID information by utilizing ID-based key management. Therefore, recovery is possible even if the individual key is lost.

Third, a protocol attack in the symmetric key cryptosystem is mainly a Replay attack, and it is sufficient to add a session number N or time information T to plaintext (including session key information).

Fourth, the key management server S is used as a trust point (certificate authority).
By doing so, the signature method using the trust point and the encryption protocol between each client can guarantee uniqueness, and therefore a local secure communication network can be easily realized with a simple key management server.

The above effect can be obtained.

Fifth, by using the data integrity assurance function together, the resistance against data tampering can be increased, and further security can be ensured.

Therefore, according to the present invention, it is possible to provide a secure communication method capable of ensuring simple and effective security when exchanging information via a network.

Further, according to the present invention, the same secret key information (mutually shared secret key information (session key)) given to each entity communicating with each other from the key management server.
Encrypts the first result obtained by encrypting the secret information to be sent with the secret key of the second recipient and the result obtained by performing the hash function processing on the first result again using the secret key of the second recipient. The combined second result into a combined one,
A third result obtained by encrypting secret information to be sent with the first recipient's secret key is added, and a result obtained by performing a hash function process on the first to third results is obtained by the first method. The fourth result obtained by encryption with the recipient's secret key is combined.

By using such a session key format, the key information is sent to one of the transmission lines established at that time, so that the data can be sent safely. Regardless of the route of the network, sending the key to one of the concerned entities allows the data to be sent securely to all.

Further, the same secret key information given to each entity communicating with each other from the key management server is managed by defining an expiration date. In particular, it shall be generated and used temporarily within the expiration date.

As described above, when the expiration date is determined and managed, if the expiration date is set short, security during use within the expiration date can be assured more reliably.
In addition, since it is generated and used temporarily, a secure communication method with higher security can be established.

The same secret key information (session key or a kind thereof) given to each entity communicating with each other from the key management server has an expiration date and a management expiration date, and can be used within the management expiration date. There is a feature.

In this case, the “storage term” can be set as a synchronization term with the “use term”. However, by setting the “storage term” to be longer than the “use term”, past secret information can be saved. Also has the advantage of maintaining data persistence. In other words, if the "expiration date" has expired, the expired session key can be used if the "expiration date" has expired, and if the use is within the management expiration date, the expired session key can be distributed. The receiving entity can use the session key to decrypt the data, so that it can be used when there is encrypted past information and the user wants to refer to it.

The same secret key information (session key or its kind) given to each entity that communicates with each other from the key management server may be one or plural kinds.

When a method using a plurality of session keys (or a kind thereof) is employed, a new key can be created and used without being limited by the expiration date of the current key. Is expected to be continued, communication can be continued without being affected by the current expiration date of the key, and an environment in which secure communication can be guaranteed can be provided.

[0036]

DESCRIPTION OF THE PREFERRED EMBODIMENTS A key is used for an encryption technique.
This key includes an encryption technique using a public key and an encryption technique using a symmetric key. When applying encryption technology to a communication system, the most important point to consider is key management, which greatly differs depending on whether a public key encryption technology or a symmetric key encryption technology is selected.

The former is superior in the simplicity of key management and the uniqueness of signature / verification. However, this is because the public key of each client managed by the server and the secret key that signs the public key are changed. This is based on the premise that there is a certificate authority (CA authority) that is not leaked. If the reliability of the certificate authority cannot be ensured, the failure in the certificate authority will spread to all clients as in the case of the trust station (TTP station) of the symmetric key cryptosystem.

The symmetric key encryption technique is superior in terms of signature uniqueness. The symmetric key cryptosystem can guarantee uniqueness in a signature scheme using an encryption protocol between a trust point (certificate authority) and each client.

Therefore, when comparing the two, it can be said that there is no technical difference between the two. However, in the symmetric key cryptosystem, great advantages can be expected in the future in terms of processing speed and security. Therefore, in the present invention, a public key is not used at all, and a symmetric key encryption technique is adopted. By using the symmetric key encryption technology, a higher processing speed can be expected, and security is high.

The medical-related information includes a patient's medical record, a diagnostic image, test data, and the like. Since such information is transmitted using a communication network, falsification of the data and personal privacy can be guaranteed. The system must be a system that can prevent unauthorized entry, including spoofing.

For such a purpose, the applicant of the present invention has led the development of standardization, and the integrated secure communication system (ISCL: Integrated S
ecure Communication Layer).

The ISCL is a communication protocol for securing a secret communication path on a general public line, and employs a symmetric encryption method using a shared secret key as a basis of security. In this symmetric encryption method, it is necessary for communicating parties to share a secret key before starting secret communication.

For this reason, in ISCL version 1.0 (V1.0), all the subscribers are provided with a secure module (such as an IC card) storing a common shared secret key, so as to cope with the problem. One step further, [i] generation of an individual secret key based on a subscriber ID, and [ii] distribution of a session key temporarily used on a communication path established between communication applicants. A protocol called a “key management server” having a function and based on a trust point (TTP) is adopted.

The details will be described below.

FIG. 1 is a conceptual diagram showing an example of the configuration of the present system. A CT (computer tomography) device Cln-1 or an ultrasonic diagnostic device Cln in a medical institution or the like collects and stores diagnostic images. There is a system in which an image server Cl2, a workstation Cl3, and the like are connected to a DICOM network NW1, which is an international standard network developed for medical use, and this network NW1 is connected to a public network NW2. Cl1 is the public network NW2
It is an intelligent terminal such as a personal computer connected to. Further, a key management server S is connected to the DICOM network NW1.

The key management server S is a TTP (trusted station of a symmetric key cryptosystem) in a limited network.
As all entities (entities) Cl in the network
1 to Cln in advance, and has an arbitrary entity Clm (m =
1, 2, 3, 4,...) Can be generated. The secret key is 56 [bit] to 168 [b
It is an encryption key having a capacity of about [it], and the capacity is greatly reduced as compared with 1024 [bit] in the case of a public key. The secret key of each of the entities Cl1 to Cln can be known or generated by the entity Cl1.
1 to Cln and the key management server S only.

The feature of the present invention is a scheme in which authentication is performed by using secret information, and secret information having a validity period is temporarily generated and shared between entities to communicate with each other and used for authentication.

In the present invention, each of the entities Cl1 to Cln, including the key management server S, is a communication layer security system which can smoothly respond to a request for promoting IT (Information Technology) in the medical and insurance fields. Based on the ISCL V2.0 system, various security components of the system and a method of selecting the system will be described.

Here, a symmetric key encryption technique is employed as the encryption technique.

<ISCL Authentication Method and Securing of Secure Communication Channel> In the ISCL described here, the mutual authentication between two entities (entities) is assumed to be "established by confirming the sharing of secret information". Like that. Symmetric encryption method (F) that is appropriate from secret information
Key (K) (the secret information itself may be the key), and the sharing of the key K is confirmed by a protocol called a three-pass four-way method in which challenge and response are repeated bidirectionally. To fit.

The two entities (entities) that have confirmed the sharing of the key K thereafter exchange encryption information using the symmetric encryption method F and the key K. Thus, a secure communication path can be secured in principle.

By employing symmetric key encryption technology,
The following can be expected.

[1] Individual key generation for each client
Since the ID information of each client is encrypted with the master key of the key management server S, an individual key of each client can be generated at high speed. Moreover, since symmetric key encryption is used, the length of the generated key is 56 [bit] to 168.
[Bit], the communication overhead is small, and the amount of calculation required for the encryption process is small.

[2] By utilizing ID-based key management,
The individual key on the client side can be recovered from the client ID information.

[3] A protocol attack in the symmetric key cryptosystem is mainly a Replay attack, and a sufficient measure can be taken if the session number N or time information is added to plaintext (including session key information).

[4] A local secure communication network can be easily realized with a simple key management server.

<Authentication Method of ISCL and Securing of Secure Communication Channel> In ISCL, mutual authentication between two entities (entities) takes a position that "is established by confirming the sharing of secret information". . A key (K) of the symmetric encryption method (F) appropriately composed of secret information
(The secret information itself may be the key),
Repetition of challenge and response in both directions 3
The sharing of the key K is confirmed by a protocol called a pass 4-way method.

After confirming the sharing of the key K, the two parties can exchange a piece of encryption information based on the symmetric encryption method F and the key K, thereby securing a secure communication path in principle.

The feature of the present invention is a method in which authentication is performed by using secret information. Secret information having a validity period is temporarily generated, shared, and used for authentication.

The key management server S generates this secret information. The key management server S is a TTP (trusted station of a symmetric key cryptosystem) in a limited network.
In this configuration, certain entities have secret information in advance for all entities in the network, and a secret key of an arbitrary entity can be generated using the secret information. It is about 56 [bits] to 168 [bits], which is much smaller than 1024 [bits] in the case of a public key.

Incidentally, the secret key of each entity can be known.
Alternatively, only the entity and the key management server can be generated.

Specifically, as shown in FIG. FIG.
Indicates a client / server key management model of ISCL V2.0. In this operation, each client Cl
A and ClB register their ID information in the key management server S, which is a trust point, in advance, and each client ClA and ClB
The key management server S distributes the individual keys Ka and Kb to B by secure means (for example, storing the keys in a secure module such as an IC card or a PC card).

The key management server S is provided with each client Cl
ID register I in which ID information of A and ClB is registered in advance
Df, a master key KM, and a storage unit St for storing the session key (or seed) key ks for a certain validity period.

The individual keys Ka and Kb of the clients ClA and ClB are issued by the key management server S. The individual keys Ka and Kb of the clients ClA and ClB are registered in the ID registry IDf of the key management server S in advance. The ID information is obtained by the key management server S converting (encrypting) the ID information using the master key KM of the key management server S.

The clients ClA and ClB perform authentication between the client and the server using the distributed individual keys Ka and Kb.

The operation of the present system having such a configuration will be described.

The key management server S and the individual entity Cl
1 to Cln can authenticate each other by sharing the secret information of the entities Cl1 to Cln to secure a secure communication path.

Based on this premise, when any two entities (eg, clients (terminals)) Cl1 and Cl2 on the network perform secret communication, they respond to the request of one or both of the two entities Cl1 and Cl2. Thus, the secret information (that is, the session key (or its kind) ks) that only the three entities Cl1 and Cl2 and the key management server S know is temporarily generated with a limited expiration date. It is the role of the key management server S to deliver using a secure communication path established between the server and the key management server S.

That is, an arbitrary 2 on the network
When there is a request for communication between the entities Cl1 and Cl2, first, mutual authentication is performed between them and the key management server S.

<Mutual Authentication Function> FIG. 3 shows an example of a mutual authentication protocol between the entity (client A) Cl1 and the key management server S. This authentication is performed by sharing the individual key Ka, which is the individual key of the entity Cl1, between the two parties when establishing a communication session. That is, the entity Cl1
Requests the key management server S for mutual authentication. Then, the key management server S generates a random number r1 and sends it to the entity Cl1.

In response to this, the entity Cl1 performs a conversion process (that is, an encryption process) on the random number r1 according to a predetermined algorithm using its own individual key Ka. This is the conversion random number EKa (r1). The entity Cl1 generates a random number r2, and transmits the random number r2, the converted EKa (r1), and the key management server S. The key management server S uses the random number r2 received from the entity Cl1 and the converted random number EKa (r1) to generate EKa (r1).
1) extracts the random number r1 issued by itself by performing an inverse conversion process (that is, decryption process), compares the random number r1 issued by itself with the random number r1 issued by itself, and if they match, according to a predetermined algorithm, the individual key of the entity Cl1 The conversion process is performed on r2 using Ka to obtain a conversion random number EKa (r2), which is sent to the entity Cl1.

In the entity Cl1, the key management server S
Transforms the converted random number EKa (r2) received from
2 is compared with the random number r2 issued by itself, and if they match, it is authenticated as correct. By performing such authentication also in the entity Cl2, the entity Cl2
1 and Cl2 authenticate that they are authorized counterparts managed by the key management server S.

This function is employed to detect early a communication disturbance from a third party.

Authentication between clients is performed by sharing a session key (or seed) ks.

In the present system, the following data integrity assurance function is used in combination as a function to guarantee data integrity.

That is, in the present system, the following methods are used in combination for authentication and data transfer,
Ensures data integrity. The data integrity assurance function used in this system is one in which the sender performs signature processing and the receiver performs verification processing. This function is used when a session key ks is delivered or data is transferred between two or three parties. Adopted to detect tampering from three parties or client intermediaries.

<Data Integrity Assurance Function> That is, in the present invention, data for a data integrity compensation function is added in addition to encryption of transmission data by symmetric key encryption processing using a session key ks as a secret key. And send. Of course, the data for the data integrity compensating function is arranged at a specific position of the transmission data, etc., is collectively transmitted by performing symmetric key encryption processing, and the receiver side decrypts the transmission data and then decrypts the transmission data. The data for the data integrity compensation function may be extracted from the data and used for the data integrity compensation function.

The data of the data integrity assurance function is obtained as shown in FIG. As shown in FIG. 4, data to be transmitted is processed by a hash function. The hash function is a one-way function that cannot be reversibly processed. The hash function performs an exclusive OR (EOR) process with the data processed by the hash function, and processes the processed data with the hash function to obtain a hash value. This is encrypted with a key to obtain MAC (message authenticator) data (to check that no alteration or error has occurred in the course of communication (data integrity)) (that is, signature processing). While transmitting the MAC data to the other party, the other party obtains the MAC data by performing the same processing as above with the data obtained by decrypting the received encrypted data as input data, and comparing it with the MAC data received from the other party. If it matches and matches, it is positive (yes
s) If they do not match, verification is made by making a false (no) determination.

In FIG. 4, the Hash function is used for DES (Data Encryption Standard) and AES (Advanced Encryption Standard: NIST).
In the case of (public procedure common key encryption, which is regarded as the next generation international standard encryption of DES by the U.S. Department of Commerce), the key uses the system common parameters, Is adopted to facilitate the change of the key of the hash value HC.

<Generation of Secret Information (Session Key)> When the mutual authentication is completed, the key management server S
In response to the request of either or both of l1 and Cl2, the secret information (that is, the session key (or its kind) ks) that only the two entities Cl1 and Cl2 and the key management server S will know will be limited to the expiration date. To generate temporarily.

The generated secret information is distributed to the two entities Cl1 and Cl2, and the generated secret information (session (seed) key ks) is stored in the storage unit St.
Store.

The two entities Cl1 and Cl2 authenticate each other based on the shared secret information distributed from the key management server S in this way, and secure communication by sharing the session key (or a kind thereof) ks. A road can be established. That is, the session key k
The data is encrypted and transmitted using s as the encryption key, and the receiver side decrypts the data using the shared session key ks, thereby securing communication through a secure communication path.

Information characterizing the session key ks used in the present system is, for example, the following six types.

That is, “id1 (client Cl1
ID information) "," id2 (ID of client Cl2)
Information) "," session key ks body "," key number (ki
d), “expiration date (T)”, and “storage expiration date (KI)”.

Of these, the “expiration date (T)” is the session key ks recommended by the key management server to the entity.
It is the user's responsibility to guarantee the risk of use beyond the time limit specified here. The “storage term” is a term by which the key management server keeps the session key ks.

Although the “retention period” can be set to be the same as the “expiration date”, by setting the “retention period” to be longer than the “expiration date”, even if the past secret information is There is a merit that persistence is maintained. In other words, if the "expiration date" has expired, it is possible to use the expired session key within the "retention period",
If it is used within the management period, the entity that received the distribution of the expired session key can decrypt using the session key, so there is encrypted past information and refer to it It can be used when you want to. The session key can be operated so as to be usable only within the “expiration date”.

The key management server S has the entities Cl1,
The stored key is delivered to the key storage unit St in response to a request from Cl2. In the system of the present invention, basically, between the two entities Cl1 and Cl2, the session key ks remains valid for a certain period of time.
A new session key may be distributed. At this time, a plurality of session keys within the storage period between the two parties exist in the key storage unit St of the key management server S.

For example, in the example shown in FIG. 5, after the session key k1 is generated, the session key k2 is generated, and then the third new session key k3 is generated and distributed as the session key ks. In the key storage server St, which is a key storage in the key management server S, 3
Keys k1 to k3 are stored. Also, in a period in which the use periods of the session keys k1 and k2 overlap, the session key k2 is selected in response to the generated key distribution request. In some cases, a desired session key may be distributed depending on the intention of the user.

When such a method using a plurality of session keys is adopted, a new key can be created and used without being limited by the expiration date of the current key, so that communication can be continued within a certain period. Is expected, communication can be continued without being affected by the current expiration date of the key, and there is an advantage that secure communication can be guaranteed.

In this system, mutual authentication between two entities is performed by confirming that they have the same secret information (session key). That is, a key (K) for the symmetric encryption method (F) is generated (k
s itself), two-way challenge and
Mutual authentication is performed by confirming the sharing of K by a three-pass four-way protocol that repeats a response.

After the mutual authentication is completed, a secure communication path is established by exchanging information encrypted by the symmetric encryption method (F) and the key (K) used therefor.

<Key distribution pattern and distribution protocol> Key distribution depends on the number of distribution requesting entities and the communication direction of the entity that desires secure communication, as shown in FIG.
There may be street delivery patterns. (A) is a configuration in which the key management server S and the entities A and B are connected together and can be distributed to both, and (b) is a configuration in which the key management server S is connected to the entity A but not to the entity B. The connection is not connected, and the entity A and the entity B are connected. (C) The key management server S and the entity B are connected but not connected to the entity A, and the entity B and the entity A are connected. It is a form that is.

In any case, the session key information sent from the key management server to the entity is as follows. However, this example shows a case where the data is sent to the client Cl1.

{F (k1, ks | Supplementary Information | id2), F (k2, ks | Supplementary Information | id1) F (k2, HC)} F (k1, HC ′) (1) where “k1 "And" k2 "are Cl1 and Cl2 secret keys, respectively," ks "is a delivery session key," Collateral information "is a unique number and expiration date of the delivery session key ks, and" HC "is F
Transmission information authenticator (HAS) for (k2, ks | Collateral information | id1)
H), “HC ′” is {F (k1, ks | Collateral information | id2), F (k2, ks
| Collateral information | id1) F (k2, HC)} is an information authenticator (in the case of Cl2, 1 and 2 are exchanged).

The above equation (1) shows the format of the session key. The meaning of this equation is that “the secret information to be sent is encrypted with the secret key of the second recipient”.
"Hash (HASH) processing result of the encryption result is again encrypted with the recipient's (first recipient's) private key", and "the other recipient (second
"Encrypted secret information to be sent with the recipient's private key" is added, and the result of the entire hashing process encrypted with the other recipient's (second recipient) private key is combined. What did you do? "

By using the session key format, [i] data can be transmitted safely by transmitting key information to one of the transmission lines established at that time (delivery patterns 2 and 3). [Ii] Regardless of the route of the network, there is an advantage that if one key is sent to the related entity, data can be sent securely to all.

In the case of pattern 1 (FIG. 6 (a)), the key distribution schedule normally follows the diagram shown in FIG.

That is, in FIG. 7, the client Cl1 as the entity sends the key management server S with Cl2.
When there is a communication request between the session key ks and the session key ks, the key management server S generates a session key ks.
Cl1 including the information of kid which is D information and information of the validity period T
A request Req1 specifying ID1 and Cl2 (that is, including id1 which is ID information of Cl1 and id2 which is ID information of Cl2) is sent to Cl1, and communication processing between Cl1 and the key management server S is started. . Then, Cl1 receives the request and transmits a request Req2 including information of id1 and kid and the validity period T among these pieces of information.
2 and Cl2 receives this and id1 in this
Re that includes the information of id2 and id2
q3 is sent to the key management server S. In response to this, the key management server S searches for a key and checks which session key it is. Then, the found session key ks and the information on the validity period T of the key are sent to Cl2, and upon receiving the acknowledgment Ack from Cl2, Cl1 knows the completion of key distribution.

After receiving the delivery of the session key ks in accordance with such a diagram, an authentication process is performed between the client Cl1 and the client Cl2 based on the sharing of the session key ks. After the authentication process is completed, the data is encrypted by using the symmetric encryption method (F) using ks to exchange data with Cl2.

In this figure, if it is known that the session key ks within the expiration date T has already been distributed, the exchange of the requests Req1 and Req3 (and their replies) is omitted, and the requests Req2 and The authentication process of the client Cl1 and the client Cl2 may be directly performed by exchanging only the acknowledgment Ack.

The whole protocol system including the key distribution schedule has a block configuration as shown in FIG.

"Process for starting communication between Cl1 and key management server S", then "authentication process for Cl1 and key management server S", then "request for ks by Cl1", and then "key management server S" Generation and storage of ks by C.I., then "delivery of ks to Cl1", then "communication start processing between Cl1 and Cl2", and then "authentication processing between Cl2 and key management server S (k
2) ", then" ks request by Cl2 ", then" Cl2
Ks delivery to "and then" Cl1 and Cl2
Authentication processing (ks) ”, and the authentication is completed.
The information in parentheses indicates the shared information that is the basis for authentication.

In the above-described block, after the authentication processing is normally completed, secure communication is performed for each subsequent communication. It enters the stage of “secure communication between Cl1 and Cl2”. According to such a procedure, communication between Cl1 and Cl2 is started.

FIG. 8A shows the hierarchical concept of ISCL.
As shown in FIG. 8A, the ISCL exists between the upper application layer and the lower physical layer. I for the physical layer
There are C cards and PC cards, and their reader / writers are linked to the ISCL via an interface. Communication layer side is Ethernet (registered trademark), TCP / I
P and an interface, and communication can be performed via these. In other words, the application sends and receives information through the physical layer communication layer and processes the information. The ISCL of the present invention intervenes between the applications, and the ISCL intervenes.
Is authenticated by the communication between the entity that intends to perform communication and the key management server S through the intermediation of the session key as a secret key having the above-mentioned validity period T to the key management server S on the network NW. The mutual authentication between the entities attempting to communicate is performed by sharing the session key as the secret key between the entities trying to perform communication. A secure communication path is secured by a symmetric encryption process using a key with a period T (session key).

By adopting the symmetric key encryption technology,
The following can be expected.

First, since the individual key of each client is generated by encrypting using the ID information of each client (entity) and the master key of the key management server S, the individual key can be generated at high speed. Then, since the symmetric key encryption is used, the length of the generated key is 56 [bit] to 168 [bit].
And therefore the traffic overhead is small,
The amount of calculation required for the encryption process can be reduced.

Second, by utilizing ID-based key management, the individual key on the client side can be recovered from the client ID information. Therefore, recovery is possible even if the individual key is lost.

Third, a protocol attack in the symmetric key cryptosystem is mainly a Replay attack, and it is sufficient to add the session number N or the time information T to plaintext (including session key information).

Fourth, the key management server S is set as a trust point (certificate authority).
By doing so, the signature method using the trust point and the encryption protocol between each client can guarantee uniqueness, and therefore a local secure communication network can be easily realized with a simple key management server.

The above effects can be obtained.

It is to be noted that a form in which the network is applied to the Internet is conceivable, but in this case, it is necessary to safely access information in the Web server from the Web browser. Therefore, it is necessary to secure secure communication against unauthorized access to the Web server.

A secure system can be constructed by using an IC card in which key information related to security is recorded, and by installing proxies in the client and the server. As shown in FIG. 12, the software configuration in this case is as follows: the client side has a Web browser in the upper layer, a proxy for the browser below it, an ISCL for the client side Web in the lower layer, and an IC card in the ISCL. Physical layers are connected.
On the server side, there is a server proxy in the lower layer of the Web server, and there is an ISCL for the server side Web in the lower layer,
Each client-side and server-side Web ISCL to which a key management box is connected as a physical layer is connected to an ISCL network NW.

With such a configuration, a system applicable to the Internet can be constructed.

Next, the communication speed of the present system will be verified.

The above-mentioned integrated security communication standard (I
SCL) specifies a communication protocol for securing a secure communication layer above the transport layer. Also, I
The ISCL standard software specification based on SCL uses an application program interface (API) that provides a mutual authentication function as a countermeasure against spoofing and a message authentication and concealment function as a countermeasure against data falsification and eavesdropping. Mechanism for this) is provided.

Therefore, although there is no problem in security, in order to make software conforming to the ISCL standard suitable for a medical field having a relatively large data amount such as a medical image, in addition to security, communication is required. One of the important factors is whether the speed can be secured. If the communication speed cannot be secured, it may hinder practical application.

In the following, the performance of the standard software that implements the ISCL in terms of the specification and speed, and the DI of the ISCL
COM (Digital Imaging and Communications in Medic)
The application to ine) is described.

Specification of ISCL Standard Software Modules constituting the API of ISCL standard software include sockets (Windows environment (Window environment)
s is the OS name of the personal computer and is a registered trademark of Microsoft Corporation)
There is a communication module that provides an interface with the TCP / IP layer using WinSock, and a secure access module that provides an interface for key management, authentication, and concealment functions. The secure access module includes an authentication module that provides a key management and a mutual authentication function for an IC card, and an encryption module that provides a message concealment and authentication function.

FIG. 10 shows modules constituting ISCL standard software. Currently, these modules are implemented as dynamic link libraries that can be statically loaded from C language.

The Windows version of the ISCL standard software was developed by Visual C ++ of Microsoft Corporation, and uses Microsoft Foundation Class (MFC) Library. In addition, since it operates in a multi-thread environment in which a thread is generated for each communication session, a background operation can be performed by dispatching a Windows event of a user program even in a connection waiting state or a reception waiting state.

The authentication module of the ISCL standard software is based on the assumption that an IC card conforming to the JICSAP specification is used.

<Performance Evaluation by ISCL Standard Software> The operating environment of the ISCL standard software is currently UNIX (registered trademark) and Solaris (registered trademark) 2.5. x, Windows is guaranteed to run on 95 and NT4.0. The hardware is Windows NT4.
0, CP of the performance of Intel Pentium III 500 [MHz]
U and two recommended machines equipped with 32 MB or more of memory are connected peer-to-peer, and the LAN card is 100 Ba
The execution was performed with a configuration using se-TX.

FIG. 11 is a graph showing the measured data transmission rate of the ISCL standard software. The ISCL data transmission mode includes an encryption mode for encrypting and transmitting data, a data authentication mode for performing data authentication, a normal mode for not performing encryption and data authentication, and a through mode in which the procedure is omitted for high-speed communication. . In FIG. 11, in order to compare the transmission rates of the respective data transmission modes, the data transmission rate when the API function of WinSock was directly used was measured as a reference.

It can be seen that the transmission rate in the normal mode is not significantly different from the speed of only the lower-layer socket communication, despite the overhead of the ISCL communication protocol. When the transmission data is small, a case where the data is reversed depending on the movement of the TCP layer on the OS side is also observed. But,
In the case of data encryption and authentication, the transmission rate has been significantly reduced, and there is still room for improvement by introducing high-speed algorithms and improving hardware performance. Where you are.

[0125] The data transmission time in the experiment does not include the mutual authentication time required for line connection. During this time, the ratio of the time for accessing the IC card is large, and when the IC card reader FZ1333 manufactured by Toshiba is currently used, the total time is about 1.5 seconds.

DICO, an international standard for medical imaging
M defines ISCL as one of the Secure Channels together with SSL. FIG. 8B shows the position of the ISCL in DICOM.
It occupies the lower layer in the Upper Layer protocol. At present, some medical facilities have begun to use ISCL for data transmission between medical facilities in a regional medical cooperation system or for online electronic storage in medical facilities. The present invention can be effectively applied to these, and it is possible to secure necessary security and provide necessary medical information and insurance information to qualified persons from anywhere.

Note that the present invention is not limited to the above-described embodiment, and can be implemented with various modifications. In the present invention, the above embodiments include inventions at various stages, and various inventions can be extracted by appropriately combining a plurality of disclosed constituent features. For example, even if some components are deleted from all the components shown in the embodiment, at least one of the problems described in the column of the problem to be solved by the invention can be solved, and the problem described in the column of the effect of the invention can be solved. In the case where at least one of the effects described above is obtained, a configuration from which this component is deleted can be extracted as an invention.

[0128]

As described in detail above, according to the present invention, individual keys can be generated at a high speed, and since symmetric key encryption is used, the length of the generated key can be shortened. The communication overhead is small, the amount of calculation required for the encryption process is small, and the individual key on the client side can be recovered from the client ID information. Therefore, even if the individual key is lost, it can be recovered. Since it is a system, strong effects and strong security against attacks can be ensured, and an effect that a local secure communication network can be easily realized with a simple key management server is obtained.

[Brief description of the drawings]

FIG. 1 is a diagram for explaining the present invention, and is a diagram for explaining a configuration example of a system to which the present invention is applied;

FIG. 2 is a diagram for explaining the present invention, and is a diagram for explaining a client / server key management model of ISCL V2.0 to which the present invention is applied.

FIG. 3 is a diagram for explaining the present invention, and is a diagram for explaining an example of a mutual authentication protocol between the entity (client A) Cl1 and the key management server S in the present invention.

FIG. 4 is a diagram for explaining the present invention, and is a diagram for explaining a processing example of a data integrity guarantee function used in the present invention.

FIG. 5 is a diagram for explaining the present invention.

FIG. 6 is a diagram for explaining the present invention, and is a diagram for explaining a key distribution pattern.

FIG. 7 is a diagram for explaining the present invention.

FIG. 8 is a diagram for explaining the present invention, and is a conceptual conceptual diagram of an ISCL in the present invention.

FIG. 9 is a diagram for explaining the present invention, and is a diagram for explaining an entire protocol system including a key distribution schedule in the present invention.

FIG. 10 is a diagram for explaining the present invention, and is a diagram showing modules constituting ISCL standard software in the system of the present invention.

FIG. 11 is a diagram for explaining the present invention, and is a graph in which a data transmission rate of ISCL standard software in the system of the present invention is measured.

FIG. 12 is a diagram for explaining the present invention, and is a diagram showing an example of a software configuration when the present invention is applied to a Web.

[Explanation of symbols]

Cl1, Cl2, ... Cln: Entity (client) S: Key management server NW1, NW2: Network St: Key storage unit ks: Session key (or its kind) Ka, Kb: Individual key KM: Master key

 ──────────────────────────────────────────────────続 き Continued on the front page F term (reference) 5B017 AA08 BA07 CA16 5J104 AA01 AA09 AA18 AA41 EA01 EA06 EA26 JA03 KA01 KA04 KA06 KA21 LA01 LA06 MA06 NA03 NA11 NA12 NA35 NA36 NA37 NA38 NA41

Claims (9)

[Claims] 1. A method for authenticating a registered entity and using a key management server for generating secret key information, wherein the same secret key information is given to each entity attempting to communicate with each other at the time of entity authentication. Mutual authentication between the entities that intend to perform the mutual communication is performed by confirming possession of the same secret key information. A secure communication method, characterized in that the data is encrypted and transmitted by a symmetric encryption method using key information. 2. An individual entity key generated by processing ID information of each entity using a master key is stored in a corresponding entity. A key management server is provided, and the ID of each entity registered here is provided. The information is held, and when there is a communication request between the entities, a first random number is generated in the key management server, and the entity requesting the communication is converted by the individual key using the first random number on the entity side. The key management server transmits the data to the key management server together with the second random number generated by itself, and the key management server receives the data together with the second random number generated on the entity side and performs re-conversion processing. ,
The original first random number is reproduced and compared with the generated first random number, the second random number is converted with the individual key of the entity, transmitted to the entity, and re-converted on the entity side. Play a second random number,
Authentication between the key management server and the entity is performed by collating with the original second random number. When mutual authentication between the key management server and the entity is completed, secret key information is generated from the key management server for a limited period of time. The secret key information is distributed to each of the target entities that have made the communication request, and the entities having the communication request that have obtained the secret key information authenticate each other by sharing the secret key information. A secure communication method characterized by establishing a secure communication path by utilizing the secret key information for encryption processing in subsequent communication between these entities. 3. The transmitting side processes the data to be transmitted by a hash function and encrypts the information to add signature-processed information to the transmission data, and the receiving side processes and encrypts the received data by a hash function. 3. The secure communication method according to claim 1, wherein a verification function of verifying the information and the information on which the signature processing has been performed on the transmission side and verifying falsification of transmission data based on the presence or absence of a match is used together. . 4. The same secret key information given to each entity communicating with each other from the key management server includes a first result obtained by encrypting secret information to be sent with a secret key of a second recipient and the first result. The result obtained by performing the hash function processing on the result is again combined with the second result encrypted with the secret key of the second recipient, and further, the secret to be transmitted with the secret key of the first recipient. A fourth result obtained by adding a third result obtained by encrypting information and encrypting a result obtained by performing a hash function processing on the first to third results with a secret key of the first recipient. 3. The secure communication method according to claim 1, wherein the result is combined. 5. The secure communication method according to claim 1, wherein the same secret key information given to each entity communicating with each other from the key management server is one or more kinds. Communication method. 6. The secure secret information according to claim 1, wherein the same secret key information given to each entity communicating with each other from the key management server has an expiration date. Communication method. 7. The same secret key information given to each entity communicating with each other from the key management server has an expiration date, and can be used within the expiration date. 5. The secure communication method according to any one of 5. 8. The same secret key information given from the key management server to each entity that communicates with each other has an expiration date, and is temporarily generated within the expiration date and can be used. The secure communication method according to any one of claims 1 to 5, wherein 9. The same secret key information given to each entity communicating with each other from the key management server has a validity period and a management period, and is usable within the management period. Item 6. The secure communication method according to any one of Items 1 to 5.