JP2008219619A - Authentication apparatus, authentication method and authentication program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To prevent illegal access to a database that is made accessible by authentication using information recorded in a token device, without reducing easiness of system construction due to performing the authentication using the information recorded in the token device. <P>SOLUTION: When there is an Init command, a terminal device reads a private key and a random number n1 recorded in a token device 104 using a multiplexer 402 and generates multiplexed data by multiplexing the read private key and random number n1. Shares d1, d2 are then generated by performing distributed encoding upon the generated multiplexed data using a distributed encoder 403. Between the generated shares d1, d2, the share d1 is outputted to the token device 104 and the share d2 is written on an HD 205. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to an authentication apparatus, an authentication method, and an authentication program for performing authentication by a public key cryptosystem.

  In recent years, for example, management of customer information in a specific room or building, management of customer information in a company, management of financial results using a credit card or cash card, etc. An increasing number of cases introduce authentication systems that authenticate whether or not information related to management is correct.

  In an authentication system that performs authentication by a public key cryptosystem that is a general authentication technique, a secret key is used for authentication. In such an authentication system, since the system construction is easy, for example, a secret key is often stored in a token device such as a USB token or an IC card. As the secret key, for the purpose of preventing forgery, unpredictable data that cannot be known by the owner of the token device is used.

  Conventionally, for example, a secret key and a public key generated based on a public key infrastructure (PKI) method are written in a storage unit having a write-only area that cannot be read from the outside, and the authentication information input from the outside is authenticated. In such a case, there is a technique for preventing unauthorized acquisition of the secret key by performing predetermined security processing using the secret key written in the storage unit (see, for example, Patent Document 1 below). ).

  Conventionally, for example, one electronic data among randomly divided electronic data is left in a storage medium provided in the device, and the other electronic data is stored in an external storage medium. There has been a technique for avoiding the risk of leakage of electronic data by recording and saving the recorded divided map in its own device or an external storage medium (see, for example, Patent Document 2 below).

JP 2004-266360 A JP 2006-221259 A

  However, in the conventional technology that uses the secret key stored in the token device for authentication, the raw secret key is used on the communication line connecting the token device and the terminal when the secret key used for authentication is read from the token device to the terminal side. Therefore, the secret key may be stolen by being copied (skimmed) while it is on the communication line.

  If a secret key is stolen, a third party who is not a legitimate holder of the secret key, using a stolen secret key and a terminal that can be connected to the authentication system, originally needs strict management. There was a problem that could be accessed illegally.

  Further, in the above-described conventional technique, when an authentication system including an arbitrary terminal such as a PC connected to the Internet is constructed, a terminal equipped with a token device that records a secret key can access the server. Therefore, for example, when a user who has a legitimate access right loses the token device, there is a problem that a third party who obtains the token device can illegally access the database without having a legitimate access right.

  In such a case, a third party who does not have a valid access right until the process (initialization) for invalidating the secret key recorded in the lost token device and exchanging it with a new secret key is performed by the database. There was a problem that could be accessed illegally.

  It is desirable to perform authentication within the token device in order to avoid the above problems and securely manage the private key. However, with this method, programs and data for authentication are stored in the token device. There is a problem that it is not feasible because the token device must secure a memory having a capacity capable of storing these programs and data.

  In addition, the technique described in Patent Document 1 described above requires a storage unit that has a write-only area that cannot be read from the outside and writes a secret key and a public key. There was a problem that the ease of construction was reduced.

  In general, since the amount of information representing a secret key is about several bytes to 100 bytes, the secret key is restored using a part of the divided data even if the technique described in Patent Document 2 described above is used. There is a problem that confidentiality cannot be secured.

  In order to solve the above-described problems caused by the prior art, the present invention can record information recorded in the token device without reducing the ease of system construction by performing authentication using the information recorded in the token device. An object of the present invention is to provide an authentication apparatus, an authentication method, and an authentication program that can prevent unauthorized access to a database that can be accessed by the used authentication.

  In order to solve the above-described problems and achieve the object, an authentication apparatus according to the present invention generates a random number in an authentication apparatus that performs authentication by a public key cryptosystem, and generates a secret key from a token device, a generated random number, Is multiplexed, and the obtained multiplexed data is distributed and encoded, and a part of the distributed encoded data obtained by the distributed encoding is output to the token device, and the remaining distributed encoded data is output to the token. It is characterized by writing to a device other than the device.

  According to the present invention, distributed encoded data each having no meaning can be distributed and recorded in the token device and other devices.

  Further, in the authentication apparatus according to the present invention, in the above authentication apparatus, a part of the distributed encoded data output to the token device and the remaining distributed encoded data written to the other device are read, Decrypting the multiplexed data, extracting the secret key from the decrypted multiplexed data, and performing authentication using the extracted secret key.

  According to the present invention, a token device and another device are associated with each other in one-to-one correspondence, and a part of the distributed encoded data recorded in the token device and the remaining distributed encoded data recorded in the other device The secret key can be extracted only when both are available.

  In the authentication device according to the present invention, when the secret key is extracted, the authentication device newly generates a random number, multiplexes the extracted secret key and the newly generated random number, The distributed data obtained in the above is distributedly encoded, a part of the distributed encoded data obtained by the distributed encoding is output to the token device, and the remaining distributed encoded data is output to the other device. It is characterized by writing.

  According to the present invention, it is possible to extract a secret key using different distributed encoded data every time.

  The authentication apparatus according to the present invention is characterized in that, in the authentication apparatus, the other device is a device inside the authentication apparatus.

  According to the present invention, a token device and an authentication device can be associated with each other on a one-to-one basis.

  The authentication apparatus according to the present invention is characterized in that, in the above authentication apparatus, the other device is a device outside the authentication apparatus.

  According to the present invention, a token device and another device can be associated with each other on a one-to-one basis.

  An authentication apparatus according to the present invention is characterized in that in the above authentication apparatus, the distributed encoding is performed by a secret sharing method.

  According to the present invention, it is possible to prevent the secret key from being extracted using only the distributed encoded data recorded in the token device or other devices.

  According to the present invention, if the distributed encoded data recorded in the token device or another device is skimmed and used earlier than the authorized user, the authorized user fails in authentication. You can discover data theft.

  The authentication method and the authentication program according to the present invention generate a random number when authenticating by a public key cryptosystem, multiplex the secret key from the token device and the generated random number, and obtain the multiplexed Perform distributed encoding of data, output a part of the distributed encoded data obtained by the distributed encoding to the token device, and write the remaining distributed encoded data to another device other than the token device It is characterized by.

  According to the present invention, distributed encoded data each having no meaning can be distributed and recorded in the token device and other devices.

  According to the authentication apparatus, the authentication method, and the authentication program according to the present invention, the information recorded in the token device is reduced without reducing the ease of system construction by performing authentication using the information recorded in the token device. There is an effect that it is possible to prevent unauthorized access to a database that can be accessed by the used authentication.

  Exemplary embodiments of an authentication device, an authentication method, and an authentication program according to the present invention will be described below in detail with reference to the accompanying drawings.

(System configuration of authentication system)
First, the system configuration of the authentication system according to the embodiment of the present invention will be described. FIG. 1 is a system configuration diagram of an authentication system according to an embodiment of the present invention. In FIG. 1, the authentication system 100 is realized by a plurality of computer devices that are communicably connected to each other via a communication network such as the Internet.

  The plurality of computer devices are a computer device (hereinafter referred to as “server”) 101 serving as a server and a computer device (hereinafter referred to as “terminal device”) 102 serving as a host computer or a client, and includes LAN, WAN. , And can communicate with each other by being connected to a network 110 such as the Internet.

  In the authentication system 100, a plurality of terminal devices 102 are provided. In the authentication system 100, an arbitrary terminal device 102 set by the administrator of the authentication system 100 is a host computer, and the other terminal devices 102 are clients. The terminal device 102 serving as a host computer (see reference numeral 102a in FIG. 3) can issue various commands to the terminal device 102 serving as a client (see reference numeral 102b in FIG. 3) (FIGS. 4 to 4 below). 7).

  Note that the terminal device 102 serving as the host computer only needs to be able to communicate with the terminal device 102 serving as the client. The terminal device 102 serving as the host computer and the terminal device 102 serving as the client are connected to a communication network such as the Internet. It may be directly connected via a USB cable or the like without being interposed. Further, the terminal device 102 serving as a host computer may have a function as a client in addition to a function as a host computer.

  In the authentication system 100, when the terminal device 102 serving as a client makes an access request to the server 101, it is authenticated whether the terminal device 102 is a terminal device 102 having an access right to the server 101. Authentication in the authentication system 100 is performed by a public key cryptosystem. The public key cryptosystem is an encryption scheme in which data is encrypted using a public key and the encrypted data is decrypted using a secret key.

  In the present embodiment, the public key of the user who uses the authentication system 100 is registered in the server 101 in advance, and the secret key paired with the public key is written in the token device 104 for each user. It is assumed that it is distributed to. The server 101 and the token device 104 store a registered public key and a secret key that is paired with the public key in a state of being associated with each other. In the present embodiment, the server 101 and the token device 104 share the user name (identification information) of the user who performs encryption / decryption using a paired public key and secret key.

  The server 101 is a computer device managed by, for example, a provider or a predetermined management company. The terminal device 102 is a computer device realized by, for example, an office section in charge of office processing such as company reception or a personal computer owned by an individual.

  In addition, the server 101 is a database 103 that records data that is not intended to be disclosed to an unspecified number of people, such as personal information such as addresses, names, telephone numbers, and preferences, and business results, trading companies, and business (research) contents. It has. In addition, the database 103 stores the above user name (identification information), public key, and secret key in association with each other.

  Each terminal device 102 includes an interface (hereinafter referred to as “I / F”) to which the token device 104 is detachably attached (see reference numeral 214 in FIG. 2). The token device 104 can be realized by, for example, a USB token or an IC card. Although the description is omitted because it is a known technique, the token device 104 such as a USB token or an IC card includes an IC chip.

  The IC chip is provided with a contact for exchanging data with the terminal device 102 via a connector pin in the I / F. Further, the IC chip has a memory for erasable recording of arbitrary data input via the contacts. In the memory, a secret key used for authentication according to the public key cryptosystem is recorded. Here, the secret key is information representing a secret key used for authentication according to the public key cryptosystem, and is information used when accessing the server 101.

  In response to the command output from the terminal device 102, the token device 104 records data in the memory in the IC chip, sends the data recorded in the memory to the terminal device 102, and stores the data recorded in the memory. Or erase.

  The authentication system 100 tries to establish a connection when a request for establishing a connection between the server 101 and the terminal device 102 occurs, for example, when the data recorded in the database 103 is viewed on the terminal device 102. It is authenticated whether or not the terminal device 102 to be authorized has a proper access right to the server 101.

(Hardware configuration of computer device)
Next, the hardware configuration of the computer apparatus shown in FIG. 1 will be described. FIG. 2 is a block diagram showing a hardware configuration of the computer apparatus shown in FIG. In FIG. 2, the computer apparatus serving as the server 101 includes a CPU 201, a ROM 202, a RAM 203, an HDD (hard disk drive) 204, an HD (hard disk) 205, an FDD (flexible disk drive) 206, and an FD (flexible disk). 207, a display 208, a communication I / F (interface) 209, a keyboard 210, a mouse 211, a scanner 212, a printer 213, and an I / F 214 for the token device 104. Each component 201 to 214 is connected by a bus 200.

  Here, the CPU 201 controls the entire computer apparatus. The ROM 202 stores a program such as a boot program. The RAM 203 is used as a work area for the CPU 201. The HDD 204 controls data read / write with respect to the HD 205 according to the control of the CPU 201. The HDD 204 holds the recorded information regardless of whether the power of the computer device is on or off. The information recorded in the HDD 204 is continuously recorded except for being erased by a predetermined command. In the present embodiment, an example of another device can be realized by the HD 205 in the terminal apparatus 102.

  The FDD 206 controls reading / writing of data with respect to the FD 207 according to the control of the CPU 201. The FD 207 stores data written under the control of the FDD 206 or causes the computer device to read data stored in the FD 207. The FD 207 holds the recorded information regardless of whether the power of the computer apparatus is turned on or off, and continues to record the recorded information except for being erased by a predetermined command. Therefore, in the present embodiment, an example of another device can be realized by the FD 207 that is detachable from the terminal apparatus 102.

  In addition to the FD 207, the removable recording medium may be a CD-ROM (CD-R, CD-RW), MO, DVD (Digital Versatile Disk), memory card, or the like. The display 208 displays data such as a document, an image, and function information as well as a cursor, an icon, or a tool box. As the display 208, for example, a CRT, a TFT liquid crystal display, a plasma display, or the like can be adopted.

  The communication I / F 209 is connected to a network 110 such as the Internet through a communication line, and is connected to other devices via the network 110. The communication I / F 209 controls an internal interface with the network 110 and controls data input / output from an external device. As the communication I / F 209, for example, a modem or a LAN adapter can be employed.

  The keyboard 210 includes keys for inputting characters, numbers, various instructions, and the like, and inputs data. Moreover, a touch panel type input pad or a numeric keypad may be used. The mouse 211 performs cursor movement, range selection, window movement, size change, and the like. A trackball or a joystick may be used as long as they have the same function as a pointing device.

  The scanner 212 optically reads an image and takes in the image data into the computer apparatus. The scanner 212 may have an OCR function. The printer 213 prints image data and document data. As the printer 213, for example, a laser printer or an ink jet printer can be employed.

  The data recorded in the token device 104 can be read when the CPU 201 recognizes that the token device 104 is attached to the terminal device 102 and the token device 104 is connected to the I / F 214 of the terminal device 102. In addition, when the token device 104 is attached to the terminal device 102 and the CPU 201 recognizes that the token device 104 is connected to the I / F 214, the terminal device 102 can record data on the token device 104. .

(Schematic configuration of authentication system 100)
Next, a schematic configuration of the authentication system 100 shown in FIG. 1 will be described. FIG. 3 is a block diagram illustrating a schematic configuration of the authentication system 100. In FIG. 3, each part related to the authentication performed in the authentication system 100 is shown. In FIG. 3, the terminal device 102 in the authentication system 100 includes a key management unit 301, an authentication unit 302, and a command processing unit 303.

  In FIG. 3, the HD 205 of the terminal apparatus 102 functions as another device, and the FD 207 of the terminal apparatus 102 functions as an external device. The authentication unit 302 communicates with the server 101 via the communication I / F 209. The command processing unit 303 communicates with the terminal device 102a serving as a host computer via the I / F 214.

  The key management unit 301 generates a random number, multiplexes the secret key from the token device 104 and the generated random number, performs distributed encoding of the obtained multiplexed data, and obtains the one obtained by the distributed encoding. Are output to the token device 104, and the remaining distributed encoded data is written to a device other than the token device 104. As a result, distributed encoded data each having no meaning can be distributed and recorded on the HD 205 in the token device 104 and the terminal device 102.

  In addition, the key management unit 301 reads a part of the distributed encoded data output to the token device 104 and the remaining distributed encoded data written in the HD 205 in the terminal device 102, decodes it into the multiplexed data, A secret key is extracted from the decrypted multiplexed data. As a result, the token device 104 and the HD 205 in the terminal device 102 are associated with each other in a one-to-one correspondence, and a part of the distributed encoded data recorded in the token device 104 and the remaining distributed encoding recorded in the HD 205 in the terminal device 102 A secret key can be extracted only when both data and data are available.

  The authentication unit 302 performs authentication using the secret key extracted by the key management unit 301. Description of authentication using a secret key is omitted because it is a known technique, but the authentication unit 302 can access the server 101 by the terminal device 102 to which the token device 104 is attached, using the secret key as a password. It authenticates whether or not. In the authentication system 100, it is possible to improve the security of authentication by using a secret key obtained by using distributed encoded data that is distributed and recorded in the HD 205 in the token device 104 and the terminal device 102.

  The secret key is information that a user who tries to access the server 101 using the token device 104 cannot know, and cannot be predicted by a human. The authentication unit 302 transmits an access request to the server 101 via the communication I / F 209 in the terminal device 102 when the secret key extracted by the authentication key management unit 301 is a correct secret key.

  When an access request is transmitted from the terminal device 102 via the authentication unit 302, the server 101 performs processing for establishing a connection with the terminal device 102, and transmits a response according to the access request to the terminal device 102. When the terminal device 102 receives a response corresponding to the access request, the connection between the server 101 and the terminal device 102 is established, and the terminal device 102 can access the server 101.

  In addition, when the secret key is extracted, the key management unit 301 newly generates a random number, multiplexes the extracted secret key and the newly generated random number, and obtains the newly obtained multiplexed data. By performing the distributed encoding, a part of the distributed encoded data obtained by the distributed encoding is output to the token device 104, and the remaining distributed encoded data is written to the HD 205 in the terminal apparatus 102. As a result, the terminal apparatus 102 can extract the secret key using different distributed encoded data each time.

  Although the description is omitted because it is a known technique, there are many multiplexing techniques used for generating multiplexed data as a technique for realizing multi-channel communication in a predetermined frequency band determined in advance. In the present embodiment, multiplexed data can be generated using a multiplexing technique such as TDM (Time Division Multiplex) or CDM (Code Division Multiplex).

  In generating multiplexed data, for example, exclusive OR obtained using a secret key and a random number may be used as multiplexed data. As a result, it is possible to reduce the processing burden on each unit involved in the generation of multiplexed data.

  Note that the terminal apparatus 102 in the present embodiment generates new distributed encoded data when it is determined that the distributed (skimmed) data has been copied, for example, when a part of the distributed encoded data is copied (skimmed). This makes it possible to immediately invalidate the distributed (skimmed) distributed encoded data.

  The command processing unit 303 outputs various commands corresponding to information input via the I / F 214 in the terminal device 102 to the key management unit 301. The command processing unit 303 outputs a command output from the terminal device 102 serving as a host computer to the key management unit 301. As a command output from the command processing unit 303 to the key management unit 301, for example, a command (hereinafter referred to as an “Init command”) for generating a process for generating distributed encoded data using a raw secret key is generated. A command for executing processing for generating new distributed encoded data using the distributed encoded data (hereinafter referred to as “Create command”), and the recording destination of the generated distributed encoded data is separated from the HD 205 in the terminal device 102. There are commands (hereinafter referred to as “Move command”) for executing processing to be changed to the device of the device, and commands (hereinafter referred to as “Set command”) for executing processing for acquiring distributed encoded data from the changed recording destination. .

(Function of Key Management Unit 301 (Part 1))
Next, the function (part 1) of the key management unit 301 will be described in detail. FIG. 4 is a block diagram (part 1) illustrating the key management unit 301. In FIG. 4, among the units included in the key management unit 301, the units related to the Init function realized when an Init command is input from the command processing unit 303 to the key management unit 301 are illustrated.

  4, the key management unit 301 includes a random number generation unit 401, a multiplexing unit 402, and a distributed encoding unit 403, and implements the Init function using these units 401 to 403. The random number generation unit 401 generates an arbitrary random number and outputs the generated random number to the multiplexing unit 402. The multiplexing unit 402 uses the secret key recorded in the token device 104 and the random number n1 output from the random number generation unit 401 to generate multiplexed data obtained by multiplexing the secret key and the random number n1.

  The distributed encoding unit 403 generates shares d1 and d2 that are distributed encoded data using the multiplexed data generated by the multiplexing unit 402. The encoding method by the distributed encoding unit 403 is performed according to a method that can be decoded by the following distributed decoding unit (see reference numeral 601 in FIGS. 4 to 6), and each share d1 or d2 Then, any method that cannot restore the original secret key may be used.

  Specifically, distributed encoding section 403 in the present embodiment generates shares d1 and d2 using a secret sharing method. Here, the secret sharing method is an encryption method in which secret information (here, multiplexed data including a secret key) is divided into a plurality of distributed encoded data and distributed to conceal the secret information.

  Description of the secret sharing method is omitted because it is a known technique, but according to the secret sharing method, a predetermined number of distributed encoded data among a plurality of distributed encoded data generated to have the same data size. It is possible to restore the secret information only when the information is prepared, and it is not possible to restore the secret information when the predetermined number of distributed encoded data is not prepared. The predetermined number that makes it possible to restore the secret information can be arbitrarily set.

  For example, when generating n shares (where n ≧ k) that can be restored using k pieces of distributed encoded data arbitrarily set by the distributed encoding unit 403, among the generated shares When k ′ (where k ′ <k) distributed encoded data is recorded in the token device 104, even when the share recorded in the token device 104 is copied (skimmed), it is copied (skimmed). Since it is impossible to decrypt the multiplexed data (multiplexed data including the secret key) only by sharing, it is possible to improve the security for authentication.

  That is, by setting the number of shares to be recorded in the token device 104 to k ′ smaller than k shares that can be decoded into multiplexed data, the shares recorded in the token device 104 are copied (skimming). ), It is impossible to restore the multiplexed data only with the copied (skimmed) share, so that the security of authentication can be improved.

  In the secret sharing method, the data size of individual data after division can be arbitrarily designated, or the data size of individual data after division can be made different. Further, in the secret sharing method, instead of the method (threshold method) in which the secret information can be restored by collecting k pieces of distributed encoded data determined by the threshold k as described above, the secret information It is also possible to use a method (a secret sharing method for a general access structure) that can arbitrarily set a set that can / cannot be restored and restore secret information when a set that can be restored is collected.

  According to the secret sharing method for the general access structure described above, secret information can be decoded from a specified subset of distributed encoded data among n distributed encoded data, and other shared information It is possible to prevent any information relating to confidential information from being stored. By using the secret sharing method at the time of distributed encoding, the confidentiality of the secret information can be ensured.

  The distribution encoding unit 403 generates the shares d1 and d2, and then outputs a share d1 that is a part of the generated distributions d1 and d2 to the token device 104 to generate the remaining distribution codes. The share d2 that is the digitized data is recorded in the HD 205 in the terminal device 102. As a result, the shares d1 and d2 that have no meaning by themselves can be distributed and recorded in the HD 205 in the token device 104 and the terminal device 102.

  By realizing the Init function, for example, when the share d1 recorded in the token device 104 is copied (skimmed) when reading the information recorded in the token device 104, the secret key is extracted based on the share d1. Can be prevented. Thereby, leakage of the secret key can be prevented.

  As a result, unauthorized access to the database 103 using a secret key obtained illegally by theft without reducing the ease of system construction by performing authentication using information recorded in the token device 104 Can be prevented.

  Further, by realizing the Init function, the token device 104 and the terminal device 102 that performs authentication using the token device 104 are associated one-to-one, and the terminal device is associated one-to-one with the token device 104 Authentication can be performed only when the apparatus 102 is used. Accordingly, unauthorized access to the database 103 can be effectively prevented without reducing the ease of system construction by performing authentication using information recorded in the token device 104.

(Function of key management unit 301 (part 2))
Next, the function (part 2) of the key management unit 301 will be described in detail. FIG. 5 is a block diagram (part 2) of the key management unit 301. In FIG. 5, among the units included in the key management unit 301, each unit related to the Create function realized when a Create command is input from the command processing unit 303 to the key management unit 301 is illustrated. In addition, about the same part as the structure shown in FIG. 4 mentioned above, it shows with the same name and the same code | symbol, and abbreviate | omits description.

  In FIG. 5, the key management unit 301 includes a distributed decryption unit (decryption unit) 501, a random number removal (extraction) unit 502, a multiplexing unit 503, a distributed encoding unit 504, and a random number generation unit 401. The Create function is realized using ˜504 and 501. The distributed decryption unit 501 reads the share d1 recorded in the token device 104 by the above Init function and the share d2 written in the HD 205 in the terminal device 102, and multiplex data obtained by multiplexing the secret key and the random number n1. To decrypt.

  A random number removal (extraction) unit 502 removes the random number n1 from the multiplexed data decrypted by the distributed decryption unit 501, and extracts a secret key. Although not shown in FIG. 5, the extracted secret key is output to the authentication unit 302 and used for authentication in the authentication unit 302.

  The random number generation unit 401 in FIG. 5 generates an arbitrary random number n2 and outputs the generated random number n2 to the multiplexing unit 503. The multiplexing unit 503 generates multiplexed data by multiplexing the secret key and the random number n2 using the secret key extracted by the random number removal (extraction) unit 502 and the random number n2 output from the random number generation unit 401. To do.

  The distributed encoding unit 504 generates shares d3 and d4 which are distributed encoded data using the multiplexed data generated by the multiplexing unit 503, and a part of the generated shares d3 and d4 is distributed encoded The share d3 that is data is output to the token device 104, and the share d4 that is the remaining distributed encoded data is recorded on the HD 205 in the terminal apparatus 102.

  By realizing the Create function, the token device 104 and the HD 205 in the terminal device 102 are associated one-to-one, the share d3 that is a part of the distributed encoded data recorded in the token device 104, and the terminal device 102 The secret key can be extracted only when both the share d4, which is the remaining distributed encoded data recorded in the HD 205, are prepared.

  Further, by realizing the Create function, it is possible to extract a secret key using a different share each time. In other words, by realizing the Create function, the extraction of the secret key performed using the shares d1 and d2 generated by realizing the above Init function was generated by realizing the Create function next time. This is performed using the shares d3 and d4.

  Thus, for example, even when the share d1 recorded in the token device 104 is copied (skimmed) at the time of reading the information recorded in the token device 104, the share d1 becomes invalid when the share d3 is generated. The period in which d3 can be used can be shortened.

  Thus, for example, even if the token device 104 is stolen, the secret key cannot be extracted and the authentication cannot be performed only with the stolen token device 104, so that the data recorded in the token device 104 can be used. Unauthorized access to the database 103 can be effectively prevented without reducing the ease of system construction by performing authentication.

  By realizing the Create function, the secret key exists only inside the terminal device 102. Accordingly, for example, when reading information recorded in the token device 104, a secret key is not transmitted and received between the token device 104 and the terminal device 102, so that leakage of the secret key can be effectively prevented. it can.

  Then, before providing the token device 104 to the user of the authentication system 100, the above Init function is realized at the provider of the authentication system 100, so that the raw secret key is recorded. Since the token device 104 is not distributed in the market, it is possible to prevent the leakage of the secret key more reliably.

  Further, the above-described Init function is performed before providing the token device 104 to the user of the authentication system 100, and then the Create function is realized, so that the token device 104 (or another device) is temporarily recorded. If the distributed encoded data is skimmed and the skimmed distributed encoded data is used earlier than the authorized user, the authentication performed by the authorized user fails thereafter. As a result, it is possible to detect at an early stage that data such as distributed encoded data or a secret key has been stolen.

(Function of key management unit 301 (part 3))
Next, the function (part 3) of the key management unit 301 will be described in detail. FIG. 6 is a block diagram (part 3) illustrating the key management unit 301. In FIG. 6, among the units included in the key management unit 301, the units related to the Move function realized when a Move command is input from the command processing unit 303 to the key management unit 301 are illustrated. In addition, about the same part as the structure shown in FIGS. 4-5 mentioned above, it shows with the same name and the same code | symbol, and abbreviate | omits description.

  6, the key management unit 301 includes a distributed decryption unit 501, a random number removal (extraction) unit 502, a multiplexing unit 503, a distributed encoding unit 504, and a random number generation unit 401. These units 501 to 504 and 401 are included. The Move function is realized using. The distributed decryption unit 501 reads the share d3 recorded in the token device 104 by the above Create function and the share d4 written in the HD 205 in the terminal device 102, and multiplex data obtained by multiplexing the secret key and the random number n2. To decrypt.

  A random number removal (extraction) unit 502 removes the random number n2 from the multiplexed data decrypted by the distributed decryption unit 501, and extracts a secret key. Although not shown in FIG. 6, the extracted secret key is output to the authentication unit 302 and used for authentication in the authentication unit 302.

  The random number generation unit 401 in FIG. 6 generates an arbitrary random number n3 and outputs the generated random number n3 to the multiplexing unit 503. The multiplexing unit 503 generates multiplexed data by multiplexing the secret key and the random number n3 using the secret key extracted by the random number removal (extraction) unit 502 and the random number n3 output from the random number generation unit 401. To do.

  The distributed encoding unit 504 generates shares d5 and d6, which are distributed encoded data, using the multiplexed data generated by the multiplexing unit 503, and some of the generated shares d5 and d6 are distributed encoded The share d5 that is data is output to the token device 104, and the share d6 that is the remaining distributed encoded data is recorded on the FD 207 that is detachable from the terminal apparatus 102 as a device other than the HD 205 in the terminal apparatus 102.

  By realizing the Move function, the token device 104 and the FD 207 that can be attached to and detached from the terminal device 102 can be associated one-to-one, and the token device 104 and the terminal device 102 that are associated one-to-one can be attached to and detached from each other. Authentication can be performed only when the FD 207 is ready.

  That is, authentication can be performed using any terminal device 102 that can be connected to the server 101 and can read data recorded in the FD 207 that is detachable from the token device 104 and the terminal device 102. It becomes possible. As a result, unauthorized access to the database 103 can be prevented, and convenience can be improved by performing authentication using information recorded in the token device 104.

(Function of Key Management Unit 301 (Part 4))
Next, the function (part 4) of the key management unit 301 will be described in detail. FIG. 7 is a block diagram (part 4) illustrating the key management unit 301. In FIG. 7, among the units included in the key management unit 301, each unit related to the Set function realized when a Set command is input from the command processing unit 303 to the key management unit 301 is illustrated. In addition, about the same part as the structure shown in FIGS. 4-6 mentioned above, it shows with the same name and the same code | symbol, and abbreviate | omits description.

  7, the key management unit 301 includes a distributed decryption unit 501, a random number removal (extraction) unit 502, a multiplexing unit 503, a distributed encoding unit 504, and a random number generation unit 401. These units 501 to 504 and 401 are included. The Set function is realized using. The distributed decryption unit 501 reads the share d5 recorded in the token device 104 by the Move function and the share d6 written in the FD 207 detachable from the terminal device 102, and multiplexes the secret key and the random number n3. Decode into multiplexed data.

  A random number removal (extraction) unit 502 removes the random number n3 from the multiplexed data decrypted by the distributed decryption unit 501, and extracts a secret key. Although not shown in FIG. 7, the extracted secret key is output to the authentication unit 302 and used for authentication in the authentication unit 302.

  The random number generation unit 401 in FIG. 7 generates an arbitrary random number n4 and outputs the generated random number n4 to the multiplexing unit 503. The multiplexing unit 503 generates multiplexed data by multiplexing the secret key and the random number n4 using the secret key extracted by the random number removing (extracting) unit 502 and the random number n4 output from the random number generating unit 401. To do.

  The distributed encoding unit 504 generates shares d7 and d8, which are distributed encoded data, using the multiplexed data generated by the multiplexing unit 503, and some of the generated shares d7 and d8 are distributed encoded The share d7 that is data is output to the token device 104, and the share d8 that is the remaining distributed encoded data is recorded on the HD 205 in the terminal apparatus 102.

  By realizing the Set function, authentication can be performed using the share d6 recorded in the FD 207 detachable from the terminal apparatus 102, and the newly generated share d8 is again stored in the HD 205 in the terminal apparatus 102. Can be recorded. That is, it is possible to perform authentication using any terminal device 102 that can be connected to the server 101 and can read data recorded in the FD 207 in the token device 104 and the terminal device 102. . As a result, unauthorized access to the database 103 can be prevented, and convenience can be improved by performing authentication using information recorded in the token device 104.

(Processing procedure of terminal device 102 (part 1))
Next, a processing procedure (part 1) of the terminal apparatus 102 will be described. FIG. 8 is a flowchart illustrating a processing procedure (part 1) of the terminal apparatus 102. FIG. 8 shows a processing procedure executed when the Init function is realized. The processing procedure shown in FIG. 8 is performed on the assumption that the token device 104 in which the secret key is recorded in advance is attached to the terminal device 102. In FIG. 8, first, it waits until there is an Init command (step S801: No).

  If there is an Init command in step S801 (step S801: Yes), the multiplexing unit 402 reads the private key and random number n1 recorded in the token device 104 (step S802), and the read private key Then, multiplexed data is generated by multiplexing the random number n1 (step S803).

  Then, the distributed encoder 403 generates shares d1 and d2 by performing distributed encoding of the multiplexed data generated in step S803 (step S804), and sets the share d1 among the generated shares d1 and d2. In addition to outputting to the token device 104, the share d2 is written to the HD 205 in the terminal apparatus 102 (step S805), and a series of processing ends.

  Although not shown, the share d1 output to the token device 104 in step S805 is controlled by the CPU included in the token device 104 and written to the memory included in the token device 104. The share d1 written in the token device 104 is continuously recorded until a predetermined operation is performed using the terminal device 102 or the like.

(Processing procedure of terminal device 102 (part 2))
Next, a processing procedure (part 2) of the terminal apparatus 102 will be described. FIG. 9 is a flowchart illustrating the processing procedure (part 2) of the terminal apparatus 102. FIG. 9 shows a processing procedure executed when the Create function is realized. In FIG. 9, first, it waits until there is a Create command (step S901: No).

  If there is a Create command in step S901 (step S901: Yes), it is determined whether or not the token device 104 is attached (step S902). When the token device 104 is attached (step S902: Yes), the share d1 recorded in the attached token device 104 and the share recorded in the HD 205 in the terminal device 102 by the distributed decoding unit 501. d2 is read (step S903), and the read shares d1 and d2 are decrypted into multiplexed data obtained by multiplexing the secret key and the random number n1 (step S904).

  Subsequently, the random number removal (extraction) unit 502 extracts the secret key by removing the random number n1 from the multiplexed data (secret key + random number n1) decrypted in step S904 (step S905). The secret key extracted in step S905 is used for authentication by the authentication unit 302. Since authentication using a secret key is a known technique, the description thereof is omitted here.

  Then, the multiplexing unit 503 obtains the random number n2 newly generated by the random number generation unit 401 (step S906), and multiplexes the secret key extracted in step S905 and the random number n2 acquired in step S906. Generated data is generated (step S907).

  Then, the distributed encoding unit 504 generates shares d3 and d4 by performing distributed encoding of the multiplexed data generated in step S907 (step S908), and sets the share d3 among the generated shares d3 and d4. In addition to outputting to the token device 104, the share d4 is written to the HD 205 in the terminal apparatus 102 (step S909), and a series of processing ends.

  Although not shown, the share d3 output to the token device 104 in step S909 is controlled by the CPU included in the token device 104 and written to the memory included in the token device 104. The share d3 written in the token device 104 is continuously recorded until a predetermined operation is performed using the terminal device 102 or the like.

  On the other hand, if the token device 104 is not attached in step S902 (step S902: No), it is determined whether or not a predetermined time has elapsed since the Create command was issued in step S901 (step S910). If the predetermined time has not elapsed (step S910: No), the process returns to step S902.

  In step S910, when the predetermined time has elapsed (step S910: Yes), for example, error processing such as displaying a predetermined error message on the display 208 is performed (step S911), and the series of processing is terminated.

(Processing procedure of terminal device 102 (part 3))
Next, a processing procedure (part 3) of the terminal apparatus 102 will be described. FIG. 10 is a flowchart illustrating a processing procedure (part 3) of the terminal apparatus 102. FIG. 10 shows a processing procedure executed when the Move function is realized. In FIG. 10, first, it waits until there is a Move command (step S1001: No).

  If there is a Move command in step S1001 (step S1001: Yes), it is determined whether or not the token device 104 is attached (step S1002). When the token device 104 is attached (step S1002: Yes), the share d3 recorded in the attached token device 104 and the share recorded in the HD 205 in the terminal device 102 by the distributed decoding unit 501. d4 is read (step S1003), and the read shares d3 and d4 are decrypted into multiplexed data obtained by multiplexing the secret key and the random number n2 (step S1004).

  Subsequently, the random number removing (extracting) unit 502 extracts the secret key by removing the random number n2 from the multiplexed data (secret key + random number n2) decrypted in step S1004 (step S1005). The secret key extracted in step S1005 is used for authentication by the authentication unit 302. Since authentication using a secret key is a known technique, the description thereof is omitted here.

  Then, the multiplexing unit 503 acquires a random number n3 newly generated by the random number generation unit 401 (step S1006), and multiplexes the secret key extracted in step S1005 and the random number n3 acquired in step S1006. Generated data (step S1007).

  Then, the distributed encoding unit 504 generates shares d5 and d6 by performing distributed encoding of the multiplexed data generated in step S1007 (step S1008), and sets the share d5 among the generated shares d5 and d6. In addition to outputting to the token device 104, the share d6 is written to the FD 207 detachably attached to the terminal device 102 (step S1009), and a series of processing ends.

  Although not shown, the share d5 output to the token device 104 in step S1009 is controlled by the CPU included in the token device 104 and written to the memory included in the token device 104. The share d5 written in the token device 104 is continuously recorded until a predetermined operation is performed using the terminal device 102 or the like.

  On the other hand, if the token device 104 is not attached in step S1002 (step S1002: No), it is determined whether or not a predetermined time has elapsed since the move command was issued in step S1001 (step S1010). If the predetermined time has not elapsed (step S1010: No), the process returns to step S1002.

  In step S1010, when a predetermined time has elapsed (step S1010: Yes), for example, error processing such as displaying a predetermined error message on the display 208 is performed (step S1011), and the series of processing ends.

(Processing procedure of terminal device 102 (part 4))
Next, a processing procedure (part 4) of the terminal apparatus 102 will be described. FIG. 11 is a flowchart illustrating the processing procedure (part 4) of the terminal apparatus 102. FIG. 11 shows a processing procedure executed when the Set function is realized. In FIG. 11, first, it waits until there is a Set command (step S1101: No).

  If there is a Set command in step S1101 (step S1101: Yes), it is determined whether or not the token device 104 is attached (step S1102). When the token device 104 is attached (step S1102: Yes), the distributed decoding unit 501 records the share d5 recorded in the attached token device 104 and the FD 207 that is detachable from the terminal device 102. The share d6 is read (step S1103), and the read shares d5 and d6 are decrypted into multiplexed data in which the secret key and the random number n3 are multiplexed (step S1104).

  Subsequently, the random number removal (extraction) unit 502 extracts the secret key by removing the random number n3 from the multiplexed data (secret key + random number n3) decrypted in step S1104 (step S1105). The secret key extracted in step S1105 is used for authentication by the authentication unit 302. Since authentication using a secret key is a known technique, the description thereof is omitted here.

  Then, the multiplexing unit 503 acquires a random number n4 newly generated by the random number generation unit 401 (step S1106), and multiplexes the secret key extracted in step S1105 and the random number n4 acquired in step S1106. Generated data is generated (step S1107).

  Then, the distributed encoding unit 504 generates shares d7 and d8 by performing distributed encoding of the multiplexed data generated in step S1107 (step S1108), and sets the share d7 out of the generated shares d7 and d8. In addition to outputting to the token device 104, the share d8 is written to the HD 205 in the terminal apparatus 102 (step S1109), and a series of processing ends.

  Although not shown, the share d7 output to the token device 104 in step S1009 is controlled by the CPU included in the token device 104 and written to the memory included in the token device 104. The share d7 written in the token device 104 is continuously recorded until a predetermined operation is performed using the terminal device 102 or the like.

  On the other hand, when the token device 104 is not attached in step S1102 (step S1102: No), it is determined whether or not a predetermined time has elapsed since the Set command was issued in step S1101 (step S1110). If the predetermined time has not elapsed (step S1110: No), the process returns to step S1102.

  In step S1110, when a predetermined time has elapsed (step S1110: Yes), for example, error processing such as displaying a predetermined error message on the display 208 is performed (step S1111), and the series of processing ends.

  As described above, according to the present embodiment, in the terminal device 102 that performs authentication by the public key cryptosystem, a random number is generated, and the secret key from the token device 104 and the generated random number are multiplexed. The distributed data is subjected to distributed encoding, a part of the distributed encoded data obtained by the distributed encoding is output to the token device 104, and the remaining distributed encoded data is transmitted to other devices other than the token device. By writing in the, it is possible to distribute and record distributed encoded data that has no meaning on its own in the token device 104 and the HD 205.

  As a result, since the raw secret key does not flow on the communication line connecting the token device 104 and the terminal device 102 when reading the data recorded in the token device 104, the data recorded in the token device 104 is copied. Even in the case of (skimming), leakage of the secret key can be prevented.

  Further, according to the present embodiment, the share d1 or d3 output to the token device 104 and the share d2 recorded on the HD 205 in the terminal device 102 or the share d6 recorded on the FD 207 detachable from the terminal device 102 are obtained. The token device 104 and the HD 205 or FD 207 in the terminal device 102 are set to 1 by reading and decrypting into multiplexed data, extracting a secret key from the decrypted multiplexed data, and performing authentication using the extracted secret key. The secret key is extracted only when both of the part of the distributed encoded data recorded in the token device 104 and the remaining distributed encoded data recorded in the other device are in correspondence with each other. Can do.

  As a result, for example, even when the token device 104 is stolen, authentication cannot be performed only with the stolen token device 104. Therefore, it is easy to construct a system by performing authentication using information recorded in the token device 104. Unauthorized access to the database 103 can be prevented without degrading performance.

  Further, according to the present embodiment, when a secret key is extracted, a random number is newly generated, the extracted secret key and a newly generated random number are multiplexed, and newly obtained multiplexed data is obtained. Is distributed, and a part of the distributed encoded data obtained by the distributed encoding is output to the token device 104, and the remaining distributed encoded data is written to the other device, so that the distribution is different each time. The secret key can be extracted using the encoded data.

  Thus, for example, even when the distributed encoded data recorded in the token device 104 is copied (skimmed) when reading the information recorded in the token device 104, the period in which the distributed encoded data can be used is shortened. Thus, unauthorized access to the database 103 can be effectively prevented without reducing the ease of system construction by performing authentication using the information recorded in the token device 104.

  Further, according to the present embodiment, the shares d2, d4, and d8 are recorded in the HD 205 in the terminal device 102 that is a device inside the terminal device 102, whereby the token device 104 and the terminal device 102 are in a one-to-one relationship. Can be associated.

  As a result, authentication can be performed only when the terminal device 102 associated with the token device 104 in a one-to-one relationship is used, and authentication is performed using information recorded in the token device 104. Accordingly, unauthorized access to a database that can be accessed by authentication using information recorded in the token device 104 can be effectively prevented without reducing the ease of system construction.

  Further, according to the present embodiment, the share d6 is recorded in the FD 207 in the terminal device 102 that is detachable to the terminal device 102 that is a device external to the terminal device 102, whereby the token device 104 and the FD 207 in the terminal device 102 are recorded. One-to-one correspondence is possible.

  As a result, authentication can be performed only when the token devices 104 associated with the one-to-one correspondence and the FD 207 in the terminal device 102 are prepared, and unauthorized access to the database 103 is prevented, and It is possible to improve convenience by performing authentication using information recorded in the device 104.

  In addition, according to the present embodiment, the distributed encoding unit 504 generates a share by performing distributed encoding by the secret sharing method, whereby the token device 104, the HD 205 in the terminal apparatus 102, or the FD 207 in the terminal apparatus 102 It is possible to prevent extraction of the secret key using only the recorded share. Accordingly, unauthorized access to the database 103 can be effectively prevented without reducing the ease of system construction by performing authentication using information recorded in the token device 104.

  As described above, according to the authentication device, the authentication method, and the authentication program of the present invention, the token device can be used without reducing the ease of system construction by performing authentication using information recorded in the token device. It is possible to prevent unauthorized access to a database that can be accessed by authentication using information recorded in the database.

  The authentication method described in the present embodiment can be realized by executing a program prepared in advance on a computer such as a personal computer or a workstation. This program is recorded on a computer-readable recording medium such as a hard disk, a flexible disk, a CD-ROM, an MO, and a DVD, and is executed by being read from the recording medium by the computer. The program may be a transmission medium that can be distributed via a network such as the Internet.

  Further, the terminal device 102 described in the present embodiment is a PLD (Programmable Logic) such as an application specific integrated circuit (hereinafter referred to simply as “ASIC”) such as a standard cell or a structured ASIC (hereinafter simply referred to as “ASIC”). (Device). Specifically, for example, the functional configurations 401 to 403 and 501 to 504 of the terminal device 102 described above are defined by HDL description, and the HDL description is logically synthesized and given to the ASIC or PLD, thereby the terminal device 102. Can be manufactured.

(Appendix 1) In an authentication device that performs authentication by public key cryptography,
Random number generating means for generating a random number;
A multiplexing means for multiplexing the secret key from the token device and the random number generated by the random number generating means;
Performs distributed encoding of the multiplexed data obtained by the multiplexing means, outputs a part of the distributed encoded data obtained by the distributed encoding to the token device, and outputs the remaining distributed encoded data to the token device. Distributed encoding means for writing to devices other than token devices;
An authentication device comprising:

(Supplementary Note 2) Decoding means for reading a part of the distributed encoded data output to the token device and the remaining distributed encoded data written to the other device, and decoding the read data into the multiplexed data;
Extraction means for extracting the secret key from the multiplexed data decrypted by the decryption means;
Authentication means for performing authentication using the secret key extracted by the extraction means;
The authentication apparatus according to appendix 1, further comprising:

(Supplementary Note 3) The random number generation means includes:
When the secret key is extracted by the extracting means, a random number is newly generated,
The multiplexing means includes
Multiplexing the secret key extracted by the extracting means and the random number newly generated by the random number generating means,
The distributed encoding means includes
The distributed data obtained by the multiplexing means is distributedly encoded, a part of the distributed encoded data obtained by the distributed encoding is output to the token device, and the remaining distributed encoded data is output. The authentication apparatus according to appendix 2, wherein the authentication device is written in the other device.

(Appendix 4) The other devices are:
4. The authentication apparatus according to any one of appendices 1 to 3, wherein the authentication apparatus is a device inside the authentication apparatus.

(Appendix 5) The other device is
4. The authentication apparatus according to any one of appendices 1 to 3, wherein the authentication apparatus is a device outside the authentication apparatus.

(Supplementary Note 6) The distributed encoding means includes:
The authentication apparatus according to any one of appendices 1 to 5, wherein the distributed encoding is performed by a secret sharing method.

(Appendix 7) In an authentication method for performing authentication by public key cryptography,
A random number generation step for generating a random number;
A multiplexing step of multiplexing the secret key from the token device and the random number generated by the random number generation step;
Perform distributed encoding of the multiplexed data obtained by the multiplexing step, and output a part of the distributed encoded data obtained by the distributed encoding to the token device, and the remaining distributed encoded data to the A distributed encoding process for writing to a device other than the token device;
The authentication method characterized by including.

(Supplementary note 8) In an authentication program for causing a computer to perform authentication by public key cryptography,
A random number generation step for generating a random number;
A multiplexing step for multiplexing the secret key from the token device and the random number generated by the random number generation step;
The distributed data of the multiplexed data obtained by the multiplexing process is distributed and a part of the distributed encoded data obtained by the distributed encoding is output to the token device, and the remaining distributed encoded data is A distributed encoding step for writing to a device other than the token device;
An authentication program that causes the computer to execute.

(Additional remark 9) The said computer-readable recording medium which recorded the authentication program of Additional remark 8.

  As described above, the authentication device, authentication method, and authentication program according to the present invention are useful for authentication using a secret key by a public key cryptosystem, and in particular, authentication using a secret key recorded in a token device. Suitable for

1 is a system configuration diagram of an authentication system according to an embodiment of the present invention. It is a block diagram which shows the hardware constitutions of the computer apparatus shown in FIG. It is a block diagram which shows schematic structure of an authentication system. It is a block diagram (the 1) which shows a key management part. It is a block diagram (the 2) which shows a key management part. It is a block diagram (the 3) which shows a key management part. It is a block diagram (the 4) which shows a key management part. It is a flowchart which shows the process sequence (the 1) of a terminal device. It is a flowchart which shows the process sequence (the 2) of a terminal device. It is a flowchart which shows the process sequence (the 3) of a terminal device. It is a flowchart which shows the process sequence (the 4) of a terminal device.

Explanation of symbols

102 Terminal device 104 Token device 205 HD
207 FD
302 Authentication Unit 401 Random Number Generation Unit 402, 503 Multiplexing Unit 403, 504 Distributed Coding Unit 501 Distributed Decoding Unit

Claims (5)

In an authentication device that authenticates using public key cryptography,
Random number generating means for generating a random number;
A multiplexing means for multiplexing the secret key from the token device and the random number generated by the random number generating means;
Performs distributed encoding of the multiplexed data obtained by the multiplexing means, outputs a part of the distributed encoded data obtained by the distributed encoding to the token device, and outputs the remaining distributed encoded data to the token device. Distributed encoding means for writing to devices other than token devices;
An authentication device comprising: Decoding means for reading a part of the distributed encoded data output to the token device and the remaining distributed encoded data written to the other device and decoding the multiplexed data;
Extraction means for extracting the secret key from the multiplexed data decrypted by the decryption means;
Authentication means for performing authentication using the secret key extracted by the extraction means;
The authentication apparatus according to claim 1, further comprising: The random number generation means includes
When the secret key is extracted by the extracting means, a random number is newly generated,
The multiplexing means includes
Multiplexing the secret key extracted by the extracting means and the random number newly generated by the random number generating means,
The distributed encoding means includes
The distributed data obtained by the multiplexing means is distributedly encoded, a part of the distributed encoded data obtained by the distributed encoding is output to the token device, and the remaining distributed encoded data is output. The authentication apparatus according to claim 2, wherein the authentication device is written in the other device. In an authentication method that authenticates using public key cryptography,
A random number generation step for generating a random number;
A multiplexing step of multiplexing the secret key from the token device and the random number generated by the random number generation step;
Perform distributed encoding of the multiplexed data obtained by the multiplexing step, and output a part of the distributed encoded data obtained by the distributed encoding to the token device, and the remaining distributed encoded data to the A distributed encoding process for writing to a device other than the token device;
The authentication method characterized by including. In an authentication program that causes a computer to execute authentication using a public key cryptosystem,
A random number generation step for generating a random number;
A multiplexing step for multiplexing the secret key from the token device and the random number generated by the random number generation step;
The distributed data of the multiplexed data obtained by the multiplexing process is distributed and a part of the distributed encoded data obtained by the distributed encoding is output to the token device, and the remaining distributed encoded data is A distributed encoding step for writing to a device other than the token device;
An authentication program that causes the computer to execute.

Images