JP2011082662A - Communication device, and method and program for processing information - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To share a cipher key safely without introducing any public key certificates and any PKIs. <P>SOLUTION: A terminal unit A102 generates a partial key tA and transmits it to a terminal unit B103. A terminal unit B generates a partial key tB, uses the partial key tA to calculate the cipher key 203, performs an ID-based electronic signature 204 based on an ID 13 of the terminal unit B to the partial key tA and the partial key tB, and transmits the partial key tB and the electronic signature to a terminal unit A. The terminal unit A uses the ID 13 of the terminal unit B to verify the electronic signature. When the verification is successful, the terminal unit A uses the partial key tB to calculate the cipher key 205 as a cipher key used for communication with the terminal unit B, or performs an ID-based electronic signature 206 based on an ID 11 of the terminal unit A to the partial key tA and the partial key tB and transmits them to the terminal unit B. The terminal unit B uses the ID 11 of the terminal unit A to verify the electronic signature 206, and sets the previously generated cipher key 203 as a cipher key for communication with the terminal unit A when the verification is successful. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a technique for sharing an encryption key among a plurality of communication devices.

In communication between a plurality of communication devices, when encrypting communication contents, it is necessary to share an encryption key with each other.
When sharing an encryption key, only the parties should be able to obtain the encryption key.
For example, in the DH (Diffie-Hellman) key exchange method, key sharing is performed on an open communication path, but the encryption key shared from the information (packet) exchanged between the parties via the communication path cannot be obtained. Key sharing can be realized so that the encryption key is not known.
On the other hand, since the DH key exchange method cannot confirm that the creator and the sender of the packet are the same, it is possible for the unauthorized person to know the shared key by retransmitting or forwarding the packet. There is a possibility that the communication content encrypted with the shared key may be leaked to unauthorized persons.

In response to such a problem, the technique described in Non-Patent Document 1 can detect retransmission and transfer of a packet by an unauthorized person by adding an electronic signature by public key cryptography to the above DH key exchange method. .
However, in order to prevent the electronic signature used in Non-Patent Document 1 from being fraudulent, such as forgery by an unauthorized person, a public key certificate and a public key infrastructure (PKI) are introduced to the public key. You must ensure that the owner of the certificate and the sender of the electronic signature are the same.
As a result, the public key certificate verification process is performed each time the key is shared, leading to a reduction in the overall processing speed. In addition, a PKI facility including a certificate authority server (CA) must be prepared.

Simon Blake-Wilson and Alfred Menezes. Authenticated Diffie-Hellman key agreement protocols. In S. Tavares et al. , Editors, Selected Areas in Cryptography, 5th International Workshop, pages 339-361. Springer-Verlag, 1999. Lecture Notes in Computer Science Volume 1556.

In the technology described in Non-Patent Document 1 above, by introducing a public key certificate and PKI (Public Key Infrastructure), it is possible to realize encryption key sharing without being fraudulent such as forgery by an unauthorized person. Yes.
On the other hand, it is necessary to verify the public key certificate each time a key is shared with a new communication partner, and additional equipment such as a verification server used in PKI is required for efficient verification processing. There is a problem of becoming.

  One of the main objects of the present invention is to solve the above-described problems, and without using a public key certificate and PKI, sharing an encryption key without receiving fraud such as forgery by an unauthorized person. The main purpose is to realize.

The communication device according to the present invention is
A partial key used for generating a shared encryption key is generated as a first partial key, the generated first partial key is transmitted to a shared communication device that is a shared destination of the encrypted key, and the shared destination A communication device that receives a partial key generated by a communication device as a second partial key from the shared communication device,
A secret key storage unit that stores a secret key generated in association with a public ID (Identification) of the communication device;
Using the first partial key, the second partial key, and the public ID of the communication device, an ID-based electronic signature capable of verifying in the shared communication device that the communication partner is the communication device; An electronic signature generation unit that generates using one partial key, the second partial key, and the secret key;
And a communication unit that transmits the ID-based electronic signature generated by the electronic signature generation unit to the shared communication device.

  According to the present invention, it is possible to authenticate a communication partner using an ID-based electronic signature, without introducing a public key certificate and PKI, and without receiving fraud such as forgery by an unauthorized person. Sharing can be realized.

FIG. 3 is a diagram showing an outline of a network according to the first embodiment. FIG. 3 is a system outline diagram at the time of key sharing according to Embodiment 1. FIG. 4 is a process flow diagram during communication according to the first embodiment. FIG. 3 is a system outline diagram at the time of parameter distribution according to the first embodiment. FIG. 4 is a process flow diagram regarding parameter distribution according to the first embodiment. FIG. 3 is a system outline diagram at the time of secret key distribution according to the first embodiment. FIG. 4 is a process flow diagram relating to secret key distribution according to the first embodiment. FIG. 3 is a functional block diagram of a terminal device according to the first embodiment. FIG. 3 is a flowchart of a partial key generation unit according to the first embodiment. FIG. 3 is a flowchart of the encryption key generation unit according to the first embodiment. FIG. 3 is a flowchart of the electronic signature generation unit according to the first embodiment. FIG. 3 is a flowchart of the electronic signature verification unit according to the first embodiment. FIG. 3 is a functional block diagram of the management server device according to the first embodiment. FIG. 3 is a flowchart of a secret generation unit according to the first embodiment. The figure which shows the network outline | summary which concerns on Embodiment 2. FIG. The system outline figure at the time of the key sharing which concerns on Embodiment 2. FIG. FIG. 9 is a process flow diagram during communication according to Embodiment 2. The system outline figure at the time of parameter transmission concerning Embodiment 2. FIG. FIG. 10 is a process flow diagram regarding parameter transmission according to the second embodiment. FIG. 4 is a functional block diagram of a management server device according to a second embodiment. The system outline figure at the time of parameter distribution concerning Embodiment 2. FIG. 9 is a processing flowchart regarding parameter distribution according to the second embodiment. FIG. 9 is a processing flowchart regarding parameter distribution according to the second embodiment. FIG. 10 is a processing flowchart regarding parameter deletion according to the second embodiment. FIG. 4 is a functional block diagram of a terminal device according to a second embodiment. FIG. 10 is a diagram showing an example of a parameter table according to the second embodiment. The figure which shows the hardware structural example of the terminal device and management server apparatus which concern on Embodiment 1 and 2. FIG.

Embodiment 1 FIG.
In this embodiment, by using ID-based encryption technology (ID-based signature) for electronic signatures, without introducing a public key certificate and PKI, the encryption key is not subject to fraud such as forgery by an unauthorized person. The technology that realizes sharing is explained.
In the technique of Non-Patent Document 1 described above, key exchange is performed by a DH key exchange method using a residue group. In this embodiment, key exchange is performed by an ECDH (Electric Curve Diffie-Hellman) key exchange method. The technique to be performed will be described.
The ECDH key exchange method is configured by operations on a field defined by an elliptic curve, and an ID-based signature can also be configured by similar operations. Therefore, an elliptic curve calculation in an ID-based signature and an ellipse in key exchange are performed. An example in which curve calculation is implemented as a common module will be described.
When the function for performing the elliptic curve calculation is implemented as a program, the data size occupied by the program in the memory can be reduced.
Furthermore, since the ECDH key exchange method can keep the size of the partial key smaller than the DH key exchange by the remainder group while maintaining the confidentiality of the shared key, the communication data communication volume between the parties can be kept small. it can.

FIG. 1 is a schematic diagram of a network system to which the key exchange method according to the first embodiment can be applied.
A plurality of terminal devices A102 to B103 and a management server device 104 are connected to a network 101 such as the Internet.
Hereinafter, an example in which key exchange is performed between the terminal device A102 and the terminal device B103 will be described.
Each of the terminal device A102 and the terminal device B103 is an example of a communication device, and is also an example of a sharing destination communication device.
In FIG. 1, for convenience, the terminal device A102 is shown as an example of a communication device, and the terminal device B103 is shown as an example of a shared communication device. However, when the terminal device B103 is an example of a communication device, The device A102 is an example of a sharing destination communication device.

First, an outline of the operation when terminal devices share a key for encrypting communication will be described.
FIG. 2 shows an outline of the operation when the terminal device A 102 and the terminal device B 103 perform key sharing.

In preparation for key sharing, the terminal device A 102 and the terminal device B 103 are respectively connected to the elliptic curve function E and the point P on the elliptic curve, which are parameters used in the ECDH key exchange (in FIG. 2, the parameters E and P are combined into a parameter (E , P) 15) and an ID-based signature parameter (signature) 16 (signature parameter) are shared by a method described later. The ID-based signature parameter is also called a system public key.
The parameters (E, P) 15 held by the terminal device A102 and the parameters (E, P) 15 held by the terminal device B103 are the same information. The parameter (signature) 16 held by the terminal device A102 and the parameter (signature) 16 held by the terminal device B103 are also the same information.
Further, the terminal device A 102 has acquired the ID-based signature private key 12 corresponding to its public ID (hereinafter also simply referred to as ID) 11 from the management server device 104 by a method to be described later. The apparatus B 103 also acquires the ID base signature private key 14 corresponding to its own public ID 13 from the management server apparatus 104 by a method described later.
In addition, the terminal device A102 has a public ID 13 of the terminal device B103, and the terminal device B103 has a public ID11 of the terminal device A102.
The public ID is, for example, an e-mail address of the user of the terminal device.

First, the terminal device A102 performs an elliptic curve calculation on a predetermined random number value to generate a partial key tA201 and transmits it to the terminal device B103.
After receiving the partial key tA201, the terminal device B103 performs an elliptic curve calculation on a predetermined random value to generate a partial key tB202, and performs an elliptic curve calculation on the random value used to generate the partial key tB202 and the partial key tA201. Go to calculate the encryption key Z_AB203.
In addition, the terminal apparatus B103 applies an electronic signature (= Sign_B (tA, tB)) 204 with the secret key 14 to the partial key tA201 and the partial key tB202. The elliptic curve calculation is also performed in the process of generating the electronic signature 204.
Further, the terminal device B103 transmits the partial key tB202 and the electronic signature 204 to the terminal device A102.
For each terminal device, the partial key generated and transmitted to the terminal device that is the encryption key sharing destination corresponds to the first partial key, and the partial key received from the encryption key sharing destination terminal device is It corresponds to the second partial key.
For example, for the terminal device A102, the partial key tA201 is a first partial key, and the partial key tB202 is a second partial key.

When the terminal device A 102 receives the partial key tB 202 and the electronic signature 204, the terminal device A 102 verifies the electronic signature 204 using the public ID 13 of the terminal device B 103. The elliptic curve calculation is also performed in the verification process of the electronic signature 204.
Here, if the electronic signature 204 is incorrect, the process ends as an unauthorized process has been performed.
If the terminal device A 102 can confirm that the electronic signature 204 has been correctly created by the terminal device B 103 (the communication partner is the terminal device B 103), the random value used to generate the partial key tA 201 And an elliptic curve calculation is performed on the partial key tB202 to calculate the encryption key Z_BA205.
Further, the terminal device A102 applies an electronic signature (= Sign_A (tB, tA)) 206 with the secret key 12 to the partial key tA201 and the partial key tB202. The elliptic curve calculation is also performed in the process of generating the electronic signature 206.
Further, the terminal device A102 transmits the electronic signature 206 to the terminal device B103.

The terminal device B103 receives the electronic signature 206, and verifies the electronic signature 206 using the public ID 11 of the terminal device A102. The elliptic curve calculation is also performed in the verification process of the electronic signature 206.
If it is confirmed that the electronic signature 206 is correctly created by the terminal device A102 (the communication partner is the terminal device A102), the terminal device B103 has completed processing normally.
Otherwise, it is determined that an illegal process has been performed, and the process ends.
If it cannot be confirmed that the electronic signature 206 is correctly created by the terminal apparatus A102, the encryption key Z_AB203 is not used because it is considered insecure.

  Since Z_AB203 = Z_BA205 is set as will be described later, if both the terminal device A102 and the terminal device B103 have successfully verified the electronic signature, Z_AB203 (= Z_BA205) is used as a shared encryption key, or By using what can be generated from Z_AB203 (= Z_BA205) as a shared encryption key, sharing of the encryption key is completed.

Next, based on FIG. 3, for example, processing in the case where the terminal device A 102 and the terminal device B 103 share an encryption key in the first embodiment will be described.
FIG. 3 is a flowchart of processing performed with respect to the communication processing of FIG. Hereinafter, “*” means multiplication defined by a field on the elliptic curve function E.

  The terminal device A102 generates a random number rA (step 301), calculates a partial key tA201 = (rA * P) from the parameters (E, P) 15 (step 302), and transmits the partial key tA201 to the terminal device B103 ( Step 303).

The terminal device B103 receives the partial key tA201 from the terminal device A102 (step 304), generates a random number rB (step 305), and calculates the partial key tB202 = (rB * P) from the parameters (E, P) 15 ( In step 306, the encryption key Z_AB203 = (rB * tA) is calculated (step 307).
Further, the terminal device B103 applies an electronic signature (= Sign_B (tA, tB)) 204 with the parameter (signature) 16 and the secret key 14 to the partial key tA201 and the partial key tB202 (step 308), and the terminal device A102 is given to the terminal device A102. The partial key tB 202 and the electronic signature 204 are transmitted (step 309).

The terminal device A 102 receives the partial key tB 202 and the electronic signature 204 from the terminal device B 103 (step 310), and verifies the electronic signature 204 using the parameter (signature) 16 and the ID 13 of the terminal device B 103 (step 311).
If it can be confirmed that the electronic signature 204 is invalid, the process is terminated.
If the electronic signature 204 is authentic, the encryption key Z_BA205 = (rA * tB) is calculated. (Step 312)
The terminal device A102 uses the encryption key Z_BA205 as a key shared with the terminal device B103.
Further, the terminal device A102 applies an electronic signature (= Sign_A (tB, tA)) 206 with the parameter (signature) 16 and the secret key 12 to the partial key tA201 and the partial key tB202 (step 313), and the terminal device B103. The electronic signature 206 is transmitted to (step 314).

The terminal apparatus B103 receives the electronic signature 206 from the terminal apparatus A102 (step 315), and verifies the electronic signature 206 using the parameter (signature) 16 and the ID 11 of the terminal apparatus A102 (step 316).
If it can be confirmed that the electronic signature 206 is invalid, the process ends.
If the electronic signature 206 is authentic, the encryption key Z_AB203 (= Z_BA205) generated in step 307 is used as a shared key used between the terminal device A102 and the terminal device B103.

Next, based on FIG. 4, in the first embodiment, for example, the management server device 104 sends to the terminal device A 102 to the terminal device B 103 an elliptic curve function E that is a parameter used for ECDH key exchange and a point P on the elliptic curve. An outline of the operation in the case of distributing ID-based signature parameters will be described.
In the following description, for convenience, when the ECDH key exchange parameter and the ID base signature parameter are treated as a set, they are collectively referred to as a parameter 401.

The management server device 104 distributes the parameter 401 to the managed terminal devices A102 to B103.
At this time, the distribution method may be multicast communication or one-to-one communication.
Furthermore, communication encryption may be performed as necessary.
In addition, for terminal devices that could not receive parameters in the first distribution, such as when there was an accident on the communication path or when the terminal device was not connected at the time of distribution, distribution is not limited to one time, but depending on the situation. You can repeat it regularly.

Next, based on FIG. 5, for example, processing in the case where the parameter 401 is distributed from the management server device 104 to the terminal device A102 in the first embodiment will be described.
The process for the terminal device B103 is the same.

  The management server apparatus 104 generates an elliptic curve function E and a point P on the elliptic curve, which are parameters used in the ECDH key exchange, by an ECDH key sharing parameter generation unit (to be described later) (step 501), and sets ID-based signature parameters to be described later. The base signature parameter generation unit generates the parameter (step 502), and transmits the parameter 401 to the terminal device A102 (step 503).

  The terminal device A102 receives the parameter 401 (step 504) and holds it in the parameter storage unit (step 505).

If the parameter is not changed and distributed repeatedly, the process starts from step 503.
Further, when changing the parameter, the processing is started from step 501.

  Here, the management server device 104 transmits the parameter 401 to the terminal device A102. However, the ID-based signature parameter is not separately transmitted from the management server device 104 to the terminal device A102, but a safe method (system introduction). Sometimes, an ID-based signature parameter is previously incorporated into a terminal device under management).

Next, based on FIG. 6, in the first embodiment, for example, the operation outline when the terminal device A102 acquires the ID-based signature secret key generated in association with its public ID from the management server device 104, for example. Will be described.
The process for the terminal device B103 is the same.

The management server device 104 transmits the secret key 12 corresponding to the ID 11 of the terminal device A102 to the terminal device A102 periodically or in response to a request from the administrator.
At this time, the communication from the management server device 104 to the terminal device A102 may be encrypted as necessary.

Next, based on FIG. 7, in the first embodiment, for example, processing when the terminal device A 102 acquires the ID-based signature private key corresponding to the ID of the terminal device from the management server device 104 will be described.
The process for the terminal device B103 is the same.

The management server device 104 generates the secret key 12 by inputting the ID 11 of the terminal device A102 to a secret key generation unit described later (step 701) periodically or in response to a request from the administrator. The key 12 is transmitted to the terminal device A102 (step 702).
The terminal device A102 receives the secret key 12 (step 703) and holds the secret key 12 in the storage unit (step 704) (secret key storage step). At this time, the past secret key held in the storage unit may be deleted.

Next, functions of terminal device A102 to terminal device B103 in the first embodiment will be described with reference to FIG.
FIG. 8 is a functional block diagram illustrating functional configurations of the terminal device A102 to the terminal device B103.
Here, for convenience, reference numeral 801 is attached to the terminal device.

  The terminal device 801 includes a communication interface 802, an elliptic curve calculation unit 803, a partial key generation unit 804, an encryption key generation unit 805, an electronic signature verification unit 806, an electronic signature generation unit 807, a parameter acquisition unit 808, a secret key acquisition unit 809, The parameter storage unit 810, the encryption key storage unit 811, and the secret key storage unit 812 are configured.

The communication interface 802 is a communication unit that communicates with an external device.
More specifically, the communication interface 802 receives from the management server device 104 an elliptic curve function E, which is a parameter used for ECDH key exchange, a point P on the elliptic curve, and a parameter used for an ID-based signature.
Also, as shown in FIG. 2, a partial key and an electronic signature based on an ID-based signature are transmitted to a terminal device that is an encryption key sharing destination, and the partial key and ID base are transmitted from the terminal device that is an encryption key sharing destination. Receive an electronic signature by signature.

The elliptic curve calculation unit 803 performs calculations on the elliptic curve in response to requests from the partial key generation unit 804, the encryption key generation unit 805, the digital signature verification unit 806, and the digital signature generation unit 807.
More specifically, the elliptic curve calculation unit 803 generates a partial key by performing an elliptic curve calculation on a predetermined random number value based on a request from the partial key generation unit 804, and the encryption key generation unit 805 Based on the request, an elliptic curve calculation is performed on the random number and the partial key from the encryption key sharing destination terminal device to generate an encryption key.
The elliptic curve calculation unit 803 performs an elliptic curve calculation in the ID-based electronic signature generation process based on the request of the electronic signature generation unit 807, and also verifies the electronic signature based on the request of the electronic signature verification unit 806. The elliptic curve calculation is performed at.
The elliptic curve calculation unit 803 is an example of a calculation unit.

  The partial key generation unit 804 generates a random number, supplies the generated random number, the elliptic curve function E, and the point P on the elliptic curve to the elliptic curve calculation unit 803 to obtain a partial key.

The encryption key generation unit 805 supplies the random key generated by the partial key generation unit 804, the elliptic curve function E, and the partial key from the encryption key sharing destination terminal device to the elliptic curve calculation unit 803 to obtain an encryption key.
The encryption key generation unit 805 stores the generated encryption key in the encryption key storage unit 811.
The encryption key stored in the encryption key storage unit 811 is, for example, the encryption key Z_BA205 in the case of the terminal device A102 of FIG.

The electronic signature verification unit 806 verifies the electronic signature received by the communication interface 802 and determines whether or not the communication partner is the encryption key sharing destination terminal device.
More specifically, the partial key (first partial key) generated by the partial key generation unit 804, the partial key (second partial key) received from the encryption key sharing destination terminal device, and the encryption key sharing destination The received electronic signature is verified using the public ID of the terminal device and the ID-based signature parameter in the parameter storage unit 810.
As described above, the elliptic curve calculation is performed in the verification process.

The electronic signature generation unit 807 generates an ID-based electronic signature using the first partial key, the second partial key, the private key in the private key storage unit 812, and the ID-based signature parameter in the parameter storage unit 810. To do.
As described above, the elliptic curve calculation is performed in the generation process.
The ID-based signature is obtained by using two partial keys (a partial key tB generated by the terminal device B 103 and a partial key tA generated by the terminal device A 102) and a terminal device (for example, the terminal device B 103) and the terminal device (for example, the terminal device B 103). It is an electronic signature that can determine whether or not the communication partner is a valid terminal device (terminal device A102) by performing verification using the public ID of the terminal device A102) and the ID-based signature parameter.

  The parameter acquisition unit 808 inputs from the communication interface 802 the elliptic curve function E, which is a parameter used in the ECDH key exchange generated by the management server device 104, the point P on the elliptic curve, and the parameter used in the ID-based signature, and stores the parameters. Stored in the part 810.

The secret key acquisition unit 809 inputs the secret key generated by the management server device 104 from the communication interface 802 and stores it in the secret key storage unit 812.
The secret key stored in the secret key storage unit 812 is an ID-based signature secret key corresponding to the ID of the terminal device 801.
For example, the terminal device A 102 holds the secret key 12 corresponding to the ID 11 of the terminal device A 102 in the secret key storage unit 812.

  The ID storage unit 813 stores the public ID of the encryption key sharing destination terminal device.

FIG. 9 is a flowchart of the partial key generation unit 804 of the terminal device 801.
The partial key generation unit 804 generates a random number rA (step 821), and acquires parameters E and P from the parameter storage unit 810 (step 822).
Then, the random number rA and the parameters E and P are transmitted to the elliptic curve calculation unit 803, and the ECDH key exchange partial key tA (r times the parameter P) is acquired from the elliptic curve calculation unit 803 (step 823). (Step 824).
The random number rA is transmitted to the encryption key generation unit 805 (step 825).

FIG. 10 is a flowchart of the encryption key generation unit 805 of the terminal device 801.
The encryption key generation unit 805 receives the random number rA from the partial key generation unit 804 (step 826), acquires the parameter E from the parameter storage unit 810 (step 827), and receives an ECDH key from another terminal device via the communication interface 802. The exchange partial key tB is received (step 828).
The random number rA, parameter E, and partial key tB are transmitted to the elliptic curve calculation unit 803, and an encryption key (r times tB) is acquired from the elliptic curve calculation unit 803 (step 829).
The generated encryption key is stored in the encryption key storage unit 811 (step 830).

FIG. 11 is a flowchart of the electronic signature generation unit 807 of the terminal device 801.
The electronic signature generation unit 807 obtains the ECDH key exchange partial key tA from the partial key generation unit 804 (step 831) (electronic signature generation step), and the ECDH key exchange partial key from another terminal device via the communication interface 802. tB is received (step 832) (electronic signature generation step), and the private key S is acquired from the private key storage unit 812 (step 833) (electronic signature generation step).
Next, ID-based signature parameters are acquired from the parameter storage unit 810 (step 834) (electronic signature generation step).
Then, an electronic signature SignA is generated using the parameters of the partial key tA, the partial key tB, the secret key S, and the ID base signature (step 835) (electronic signature generation step), and is transmitted to another terminal device via the communication interface 802. Transmit (step 836) (communication step).
Note that, when generating the electronic signature SignA, it is necessary to perform operations on the elliptic curve, and the calculation process is performed by the elliptic curve calculation unit 803.

FIG. 12 is a flowchart of the electronic signature verification unit 806 of the terminal device 801.
The electronic signature verification unit 806 receives the ECDH key exchange partial key tB and the electronic signature SignB from another terminal device via the communication interface 802 (step 837), and receives the ECDH key exchange partial key tA from the partial key generation unit 804. The ID base signature parameter is acquired from the parameter storage unit 810 (step 838).
Then, the electronic signature SignB is verified using the ID of the terminal device that is the transmission source of the electronic signature SignB, and the parameters of the partial key tA, the partial key tB, and the ID base signature (step 840).
Note that, when verifying the electronic signature SignB, it is necessary to perform operations on an elliptic curve, and the calculation process is performed by the elliptic curve calculation unit 803.
As a result of verification of the electronic signature SignB in step 840, if it can be confirmed that the electronic signature SignB is authentic, if the terminal device 801 corresponds to the terminal device A102 in FIG. 3, step 311 in FIG. From Step 312 to Step 312, the electronic signature verification unit 806 instructs the encryption key generation unit 805 to generate an encryption key. The encryption key generation unit 805 generates an encryption key according to the flow of FIG.
As a result of verification of the electronic signature SignB in step 840, if it can be confirmed that the electronic signature is authentic, if the terminal device 801 corresponds to the terminal device B103 in FIG. 3, the process proceeds to step 316 in FIG. As illustrated, the electronic signature verification unit 806 uses the encryption key generated in step 307 as the encryption key shared with the sharing destination terminal device.
On the other hand, if the terminal device 801 corresponds to the terminal device A102 in FIG. 3 when the electronic signature SignB cannot be confirmed to be authentic as a result of the verification of the electronic signature SignB in step 840, in step 311 in FIG. The electronic signature verification unit 806 stops the subsequent processing and does not instruct the generation of the encryption key.
Further, as a result of the verification of the electronic signature SignB in step 840, if it cannot be confirmed that the electronic signature SignB is authentic, if the terminal device 801 corresponds to the terminal device B103 in FIG. 3, in step 316 in FIG. The electronic signature verification unit 806 does not use the encryption key generated in step 307 as the encryption key shared with the sharing destination terminal device. Note that the encryption key generated in step 307 may be discarded.

Further, the parameter acquisition unit 808 acquires parameters used for E and P, which are parameters for ECDH key exchange, and an ID-based signature from the management server device 104 via the communication interface 802.
Also, the secret key acquisition unit 809 acquires the secret key S corresponding to the ID of the terminal device from the management server device 104 via the communication interface 802.

Next, the function of the management server device 104 in the first embodiment will be described with reference to FIG.
FIG. 13 is a functional block diagram illustrating a functional configuration of the management server device 104.
Here, for the sake of convenience, reference numeral 901 is given to the verification server device.

The management server device 901 includes a communication interface 902, an ECDH key sharing parameter generation unit 903, a secret key generation unit 904, an ID-based signature parameter generation unit 905, a parameter distribution unit 906, and a parameter storage unit 907.
The communication interface 902 has the same function as that constituting the terminal device 801 of FIG.

  The parameters stored in the parameter storage unit 907 are the parameters generated by the ID base signature parameter generation unit 905 and the parameters generated by the ECDH key sharing parameter generation unit 903.

  The ECDH key sharing parameter generation unit 903 generates an elliptic curve function E and a point P on the elliptic curve, which are parameters of ECDH key exchange, and stores the generated parameters in the parameter storage unit 907.

  An ID-based signature parameter generation unit 905 generates an ID-based signature parameter and stores the generated parameter in the parameter storage unit 907.

  The secret key generation unit 904 generates a secret key in association with the public ID of the terminal device 801.

  The parameter delivery unit 906 delivers the ID-based signature parameters and the ECDH key exchange parameters E and P held in the parameter storage unit 907 to the terminal device 801 to be distributed.

FIG. 14 is a flowchart of the secret key generation unit 904 of the management server device 901.
The secret key generation unit 904 acquires the ID-based signature parameter from the parameter storage unit 907 (step 911), generates a secret key from the ID and parameter of the terminal device to be distributed (step 912), and uses the communication interface 902. The secret key is delivered to the terminal device 801 to be distributed (step 913).

  In the terminal device A102 to the terminal device B103 and the management server device 104 configured as described above, the public key certificate verification process and the PKI are performed by using both the ECDH key exchange and the electronic signature based on the ID-based signature. The encryption key can be shared without requiring any additional equipment and without being subjected to fraud such as forgery by an unauthorized person.

  That is, in the key sharing method according to the first embodiment, terminal device A102 to terminal device B103 exchange ECDH keys and transmit an electronic signature based on an ID-based signature to each other in order to share an encryption key between the two devices. And distributing the parameters of the ECDH key exchange method from the management server device 104 to the terminal devices A102 to B103, and from the management server device 104 to each of the terminal devices A102 to B103, An ID-based signature private key is distributed.

Further, in this embodiment, the key exchange is performed by the ECDH key exchange method, and the ECDH key exchange method is configured by calculation on the body defined by the elliptic curve, and the elliptic curve calculation is also performed for the ID base signature. Therefore, it is possible to implement the elliptic curve calculation as a common part.
For this reason, for example, by mounting the elliptic curve calculation unit 803 as a program, the data size occupied by the program in the memory can be reduced.

  Furthermore, since the ECDH key exchange method can keep the size of the partial key smaller than the DH key exchange by the remainder group while maintaining the confidentiality of the shared key, the communication data communication volume between the parties can be kept small. it can.

  As described above, in this embodiment, when an encryption key used for encryption communication or the like is shared between terminals, verification of a public key is performed by using an ID-based signature for an electronic signature provided to authenticate a key sharing partner. A communication system that shares a key with an intended sharing partner without performing processing has been described.

  In the present embodiment, a communication system has been described in which an encryption key is shared by an ECDH key exchange method and an ID-based signature is implemented by computation on an elliptic curve.

  Further, in the present embodiment, a communication system has been described in which the ECDH key exchange method and the arithmetic processing on the elliptic curve in the ID-based signature are implemented as a common module.

  In the present embodiment, the ECDH key exchange method and the ID-base signature public parameters are the same for terminals in the same organization, and the management server delivers the public parameters to the terminals in the organization. Explained the system.

  In this embodiment, when the public parameter is delivered from the management server to the terminal in the organization, the management server gives the public parameter an electronic signature for the public parameter, and the received terminal verifies the electronic signature. Explained.

Embodiment 2. FIG.
FIG. 15 is a schematic diagram of a network system to which the key exchange method according to the second embodiment can be applied.
A plurality of management server devices 1002 to 1003 and a plurality of terminal devices A 1004 to 1005 and 1006 to 1007 are connected to a network 1001 such as the Internet under the management of each of the management server devices.
For example, in FIG. 15, the management server device 1002 manages the terminal devices A 1004 to 1005, and the management server device 1003 manages the terminal devices B 1006 to 1007.
Hereinafter, an example in which key exchange is performed between the terminal device A 1004 and the terminal device B 1006 will be described.
Note that each of the terminal device A 1004 and the terminal device B 1006 is an example of a communication device and an example of a shared communication device.
In FIG. 15, for convenience, the terminal device A 1004 is shown as an example of a communication device, and the terminal device B 1006 is shown as an example of a shared communication device. However, when the terminal device B 1006 is an example of a communication device, The device A 1004 is an example of a sharing destination communication device.
In FIG. 15, the management server device 1002 that manages the terminal device A 1004 that is an example of the communication device is an example of the first management device, and the management server device 1003 that manages the terminal device B 1006 that is the shared communication device is the first one. This is an example of the second management apparatus.
Conversely, when the terminal device B 1006 is an example of a communication device, the management server device 1003 is an example of a first management device, and the management server device 1002 that manages the terminal device A 1004 that is a shared communication device is the second management device. An example of a management device.

  In the second embodiment, key sharing between terminal devices managed by the same management server device, for example, between the terminal device A 1004 and the terminal device 1005 in FIG. 15, is performed in the same manner as in the first embodiment. Is called.

Next, key sharing between terminal devices under the management of different management server devices will be described.
In FIG. 16, when key sharing is performed between terminal devices managed by different management server devices, for example, the terminal device A 1004 managed by the management server device 1002 and the terminal device B 1006 managed by the management server device 1003 The system outline figure in the case of performing key sharing is shown.

In preparation for key sharing, the terminal device A 1004 uses an ECDH key exchange parameter (E, P) 1101 and an ID base signature parameter (signature) 1102 generated by the management server device 1002 from the management server device 1002 by a method described later. The management server apparatus 1003 acquires the ECDH key exchange parameter (E, P) 1103 and the ID base signature parameter (signature) 1104 generated.
When the terminal device A 1004 is taken as an example of a communication device, the ID-based signature parameter (signature) 1102 acquired from the management server device 1002 as the first management device is the first signature parameter, and the second The ID-based signature parameter (signature) 1104 acquired from the management server device 1003 as the management device is a second signature parameter.
In preparation for key sharing, the terminal device B 1006 uses the method described later, the ECDH key exchange parameters (E, P) 1103 and the ID-based signature parameters (signature) generated by the management server device 1003 from the management server device 1003. 1104, an ECDH key exchange parameter (E, P) 1101 and an ID-based signature parameter (signature) 1102 generated by the management server apparatus 1002 are acquired.
Also, the terminal device A 1004 acquires the ID-based signature secret key 1106 corresponding to its own ID 1105 from the management server device 1002, and the terminal device B 1006 also acquires the ID-based signature secret key 1108 corresponding to the ID 1107 to the management server device 1003. Is getting from.
Further, the terminal device A 1004 has the ID 1107 of the terminal device B 1006, and the terminal device B 1006 also has the ID 1105 of the terminal device A 1004.

First, the terminal device A 1004 and the terminal device B 1006 select an ECDH key exchange parameter (E, P) from either a parameter (E, P) 1101 or a parameter (E, P) 1103.
Here, for convenience, the selected parameter is assumed to be a parameter (E, P) 1109.
Any selection method may be used.
The selected parameters (E, P) 1109 are examples of key generation selection parameters.

  In the present embodiment, the parameters (E, P) 1109 selected at the time of partial key generation and encryption key generation are used in common between terminal devices, and parameters at the time of electronic signature generation and electronic signature verification are used. The only difference is that the (signature) 1102 and the parameter (signature) 1104 are used, and the processing procedure for key exchange is the same as that shown in the first embodiment.

First, the terminal apparatus A 1004 performs elliptic curve calculation using a predetermined random number value and parameters (E, P) 1109 to generate a partial key tA 1201 and transmits it to the terminal apparatus B 1006.
After receiving the partial key tA1201, the terminal device B1006 performs an elliptic curve calculation using a predetermined random value and parameters (E, P) 1109 to generate a partial key tB1202.
Also, the encryption key Z_AB1203 is calculated by performing an elliptic curve calculation on the random number used to generate the partial key tB1202 and the partial key tA1201.
Further, the terminal device B 1006 uses the parameter (signature) 1104 generated by the management server device 1003 and the private key 1108 generated by the management server device 1003 for the partial key tA 1201 and the partial key tB 1202, and uses the electronic signature (= Sign_B (TA, tB)) 1204 is applied.
Further, the terminal device B 1006 transmits the partial key tB 1202 and the electronic signature 1204 to the terminal device A 1004.

When the terminal device A 1004 receives the partial key tB 1202 and the electronic signature 1204, the terminal device A 1004 verifies the electronic signature 1204 using the parameter (signature) 1104 generated by the management server device 1003 and the public ID 1107 of the terminal device B 1006.
If it can be confirmed that the electronic signature is authentic (the communication partner is the terminal device B 1006), the cryptographic key Z_BA 1205 is obtained by performing an elliptic curve calculation on the random value used to generate the partial key tA1201 and the partial key tB1202. calculate.
This encryption key Z_BA 1205 is a key shared with the terminal device B 1006.
Further, the terminal device A 1004 applies an electronic signature (= Sign_A (tB, tA)) 1206 with a parameter (signature) 1102 and a private key 1106 to the partial key tA 1201 and the partial key tB 1202.
Further, the terminal device A 1004 transmits an electronic signature 1206 to the terminal device B 1006.

The terminal device B 1006 receives the electronic signature 1206, and verifies the electronic signature 1206 using the parameter (signature) 1102 and the public ID 1105 of the terminal device A 1004.
If the terminal apparatus B 1006 can confirm that the electronic signature 1206 has been correctly created by the terminal apparatus A 1004 (the communication partner is the terminal apparatus A 1004), the processing has been completed normally.
Otherwise, it is determined that an illegal process has been performed, and the process ends.
If it cannot be confirmed that the electronic signature 1206 is correctly created by the terminal device A 1004, the encryption key Z_AB 1203 is considered to be insecure and is not used.

  Since Z_AB1203 = Z_BA1205 as will be described later, if both the terminal device A1004 and the terminal device B1006 have successfully verified the electronic signature, the Z_AB1203 (= Z_BA1205) is used as a shared encryption key, or By using what can be generated from Z_AB 1203 (= Z_BA 1205) as a shared encryption key, sharing of the encryption key is completed.

Next, based on FIG. 17, in the second embodiment, for example, processing when the terminal device A 1004 and the terminal device B 1006 share an encryption key will be described.
FIG. 17 is a diagram showing a flow chart of processing performed regarding the communication processing of FIG.

  The terminal device A1004 generates a random number rA (step 1301), calculates a partial key tA1201 = (rA * P) from the parameters (E, P) 1109 (step 1302), and transmits the partial key tA1201 to the terminal device B1006 (step 1302). Step 1303).

The terminal device B1006 receives the partial key tA1201 from the terminal device A1004 (step 1304), generates a random number rB (step 1305), and calculates the partial key tB1202 = (rB * P) from the parameters (E, P) 1109 ( In step 1306, the encryption key Z_AB1203 = (rB * tA) is calculated (step 1307).
Further, the terminal apparatus B 1006 applies an electronic signature (= Sign_B (tA, tB)) 1204 with the parameter (signature) 1104 and the private key 1108 to the partial key tA 1201 and the partial key tB 1202 (step 1308). The partial key tB 1202 and the electronic signature 1204 are transmitted (step 1309).

The terminal device A 1004 receives the partial key tB 1202 and the electronic signature 1204 from the terminal device B 1006 (step 1310), and verifies the electronic signature 1204 using the parameter (signature) 1104 and the ID 1107 of the terminal device B 1006 (step 1311).
If it can be confirmed that the electronic signature 1204 is invalid, the process ends.
If the electronic signature 1204 is authentic, an encryption key Z_BA 1205 = (rA * tB) is calculated (step 1312).
Further, the terminal device A 1004 applies an electronic signature (= Sign_A (tB, tA)) 1206 with the parameter (signature) 1102 and the private key 1106 to the partial key tA 1201 and the partial key tB 1202 (step 1313), and the terminal device B 1006. The electronic signature 1206 is transmitted to (step 1314).

The terminal apparatus B 1006 receives the electronic signature 1206 from the terminal apparatus A 1004 (step 1315), and verifies the electronic signature 1206 using the parameter (signature) 1102 and the ID 1105 of the terminal apparatus A 1004 (step 1316).
If it can be confirmed that the electronic signature 1206 is invalid, the processing is terminated.
If the electronic signature 1206 is authentic, the encryption key Z_AB1203 (= Z_BA1205) generated in step 1307 is used as a shared key used between the terminal device A1004 and the terminal device B1006.

  Next, based on FIG. 18, in the second embodiment, for example, an ECDH key exchange is performed from the management server device 1002 to the management server device 1003 in order to enable key sharing between terminal devices managed by different management server devices. The operation outline when transmitting the parameter 91 and the ID-based signature parameter 92 will be described.

The management server device 1002 transmits the ECDH key exchange parameter 91 and the ID base signature parameter 92 used by the managed terminal device to the management server device 1003.
At this time, the management server apparatus 1002 assigns its own electronic signature to the parameter 91 and the parameter 92.
The management server device 1003 that has received the parameter 91 and the parameter 92 transmits the parameter 91 and the parameter 92 to the managed terminal device by a method described later.

  Next, based on FIG. 19, in the second embodiment, in order to enable key sharing between terminal devices managed by different management server devices, for example, an ECDH key exchange is performed from the management server device 1002 to the management server device 1003. The process in the case of transmitting the parameter 91 and the ID-based signature parameter 92 will be described.

  The management server device 1002 obtains an elliptic curve function E and a point P on the elliptic curve, which are parameters 91 used in the ECDH key exchange, and an ID-based signature parameter 92 from the parameter storage unit described later (step 1401). And the parameter 92 are transmitted to the management server apparatus 1003 (step 1402).

The management server device 1003 receives the parameter 91 and the parameter 92 (step 1403), and verifies the electronic signature given to the parameter 92.
If the electronic signature is authentic, the parameter 91 and the parameter 92 are held in the parameter storage unit together with the electronic signature (step 1404).
If the electronic signature is not correct, the process ends without changing the information in the parameter storage unit.

Next, functions of the management server device 1002 and the management server device 1003 in the second embodiment will be described with reference to FIG.
FIG. 20 is a functional block diagram illustrating functional configurations of the management server device 1002 and the management server device 1003.
Here, for the sake of convenience, reference numeral 1501 is assigned to the management server device.

The management server device 1501 includes a communication interface 1502, an ECDH key sharing parameter generation unit 1503, a secret key generation unit 1504, an ID-based signature parameter generation unit 1505, a parameter transmission unit 1506, a parameter reception unit 1507, an electronic signature generation unit 1508, parameter delivery A unit 1509 and a parameter storage unit 1510 are included.
The communication interface 1502, the ECDH key sharing parameter generation unit 1503, the secret key generation unit 1504, and the ID-based signature parameter generation unit 1505 have the same functions as those constituting the terminal device 801 in FIG.

  The parameters stored in the parameter storage unit 1510 are parameters generated by the ECDH key sharing parameter generation unit 1503 and the ID-based signature parameter generation unit 1505 and parameters received by the parameter reception unit 1507 from other management server devices.

  The parameter transmission unit 1506 acquires from the parameter storage unit 1510 the elliptic curve function E, which is an ECDH key exchange parameter generated by the management server apparatus 1501, the point P on the elliptic curve, and the ID-based signature parameters, and the electronic signature of itself. Is transmitted to another management server device.

  The parameter receiving unit 1507 receives the elliptic curve function E, which is an ECDH key exchange parameter, the point P on the elliptic curve, and the ID-based signature parameter from another management server device, and after verifying the electronic signature, If the electronic signature is authentic, the parameter and the electronic signature are stored in the parameter storage unit 1510.

  The electronic signature generation unit 1508 gives the electronic signature of the management server apparatus 1501 to the parameter generated by one or both of the ECDH key sharing parameter generation unit 1503 and the ID base signature parameter generation unit 1505.

  The parameter delivery unit 1509 extracts the ID-based signature parameters and the ECDH key exchange parameters E and P held in the parameter storage unit 1510 that are permitted to be delivered to the terminal device to be distributed, The extracted parameter and the attached electronic signature are delivered to the terminal device to be distributed.

Next, based on FIG. 21, in the second embodiment, for example, when the management server apparatus 1002 distributes the parameter 1601 generated or received from the management server apparatus 1003 to the terminal apparatus A 1004 to the terminal apparatus 1005 An outline of the operation will be described.
Here, the parameter 1601 includes an elliptic curve function E, which is a parameter used in the ECDH key exchange, a point P on the elliptic curve, and a parameter used in the ID base signature.

The management server device 1002 distributes the parameter 1601 to the terminal devices A 1004 to 1005 under management.
At this time, the distribution method may be multicast communication or one-to-one communication.
Furthermore, communication encryption may be performed as necessary.
In addition, for terminal devices that could not receive parameters in the first distribution, such as when there was an accident on the communication path or when the terminal device was not connected at the time of distribution, distribution is not limited to one time, but depending on the situation. You can repeat it regularly.

  Next, based on FIG. 22, for example, processing in the case where the parameter 1601 is generated by the management server apparatus 1002 and distributed to the terminal apparatus A 1004 in the second embodiment will be described.

The management server apparatus 1002 generates an elliptic curve function E and a point P on the elliptic curve, which are parameters used in the ECDH key exchange, by an ECDH key sharing parameter generation unit 1503 described later (step 1701), and sets ID-based signature parameters as ID-based. It is generated by the signature parameter generation unit 1505 (step 1702).
A combination of the above two parameters corresponds to the parameter 1601 described above.
The management server device 1002 gives an electronic signature 1711 to the parameter 1601 (step 1703).
Also, the management server device 1002 transmits the parameter 1601 and the electronic signature 1711 to the terminal device A 1004 (step 1704).

The terminal device A 1004 receives the parameter 1601 and the electronic signature 1711 (step 1705), and verifies the electronic signature 1711 (step 1706).
If it is confirmed that the electronic signature 1711 is correct, the parameter 1601 is held in the parameter table in the parameter storage unit (step 1707). Here, in the parameter table, the ID of the management server device that generated the parameter, and the electronic signature of the management server device for the parameter are written together. In the case of FIG. 22, the ID of the management server device 1002, the parameter 1601, and the electronic signature 1711 are described in the parameter table.
If the parameter is not changed and distributed repeatedly, the process starts from step 1704. Further, when changing the parameter, the processing starts from step 1701.

  Here, the management server apparatus 1002 transmits the parameter 1601 and the electronic signature 1711 to the terminal apparatus under management. However, the ID base signature parameter is transmitted from the management server apparatus 1002 to the terminal apparatus A1004. In addition, a safe method (such as incorporating ID-based signature parameters in a terminal device under management in advance when the system is installed) may be used.

Next, based on FIG. 23, for example, processing in the case of distributing the parameter 1601 generated by the management server device 1003 from the management server device 1002 to the terminal device A 1004 in the second embodiment will be described.
Here, it is assumed that the parameter 1601 and the electronic signature 1711 have already been transmitted from the management server apparatus 1003 to the management server apparatus 1002.

First, the management server apparatus 1002 confirms whether or not the terminal apparatus A 1004 is allowed to share a key with a terminal apparatus under the management of the management server apparatus 1003 (step 1751).
If it is confirmed that the permission is granted, the parameter 1601 and the electronic signature 1711 are transmitted to the terminal device A 1004 (step 1752).

The terminal device A 1004 receives the parameter 1601 and the electronic signature 1711 (step 1753), and verifies the electronic signature 1711 (step 1754).
If it is confirmed that the electronic signature 1711 is correct, the parameter 1601 is held in the parameter table in the parameter storage unit (step 1755).
For example, the ID of the management server device 1003, the parameter 1601, and the electronic signature 1711 are described in the parameter table.
When distributing repeatedly, the processing starts from step 1751.

In the example of FIG. 23, the management server apparatus 1002 transmits the electronic signature 1711 received from the management server apparatus 1003 as it is to the terminal apparatus A 1004 together with the parameter 1601, but the management server apparatus 1002 sends a new electronic signature. You may make it use.
In other words, the management server device 1002 uses the electronic signature parameters (the electronic signature parameters used in the organization to which the management server device 1002 and the terminal device A 1004 belong) that both the management server device 1002 and the terminal device A 1004 possess. A new electronic signature may be generated, and the generated new electronic signature may be transmitted instead of the electronic signature 1711 from the management server apparatus 1003.

The internal configurations of the terminal devices A 1004 to 1007 are the same as those shown in FIG.
Also, the operation flow of the partial key generation unit 804 is as shown in FIG. In the present embodiment, the parameters E and P acquired in step 822 are the parameters (E and P) 1109 selected between terminals. The operation of the elliptic curve calculation unit 803 at the time of partial key generation is the same as that of the first embodiment, but the parameters E and P used for the elliptic curve calculation are parameters (E, P) 1109 selected between terminals. .
The operation flow of the encryption key generation unit 805 is also as shown in FIG. In the present embodiment, parameter E acquired in step 827 is E of parameters (E, P) 1109 selected between terminals. The operation of the elliptic curve calculation unit 803 at the time of generating the encryption key is the same as that of the first embodiment, but the parameter E used for the elliptic curve calculation is E of parameters (E, P) 1109 selected between terminals. It is.
Also, the operation flow of the electronic signature generation unit 807 is as shown in FIG. In the present embodiment, the ID-based signature parameters acquired in step 834 and used in step 835 are the parameters of the own apparatus. That is, in this embodiment, the terminal device A 1004 performs an electronic signature using the parameter (signature) 1102 generated by the management server device 1002.
Also, the operation flow of the electronic signature verification unit 806 is as shown in FIG. In the present embodiment, the ID-based signature parameter obtained in step 839 and used in step 840 is a parameter of another terminal device. That is, in this embodiment, the terminal device A 1004 verifies the electronic signature using the parameter (signature) 1104 generated by the management server device 1003.

  Next, for example, when the terminal device A 1004 is not permitted to perform key sharing with a terminal device under the management of the management server device 1003 belonging to another organization due to an administrator's judgment or the like, the management server device 1002 and A process in which the terminal device A 1004 deletes the ID-based signature parameter will be described.

When an ID-based signature is used, the verifier's ID is used as a public key. Therefore, in order to invalidate the public key, the signer deletes the verifier's ID from his storage device.
However, this ID may be an ID used for other purposes such as an e-mail address. For this reason, the ID itself may not be deleted due to the invalidation of the public key.
Therefore, in the following, as a method for revoking the public key, the ID-based signature parameter is deleted.
Accordingly, since the ID cannot be used as a public key, the public key can be invalidated without deleting the ID.

FIG. 24 shows a procedure for deleting an ID-based signature parameter.
First, the management server apparatus 1002 confirms whether the parameter 1601 of the management server apparatus 1003 is held in the parameter storage unit of the terminal apparatus A 1004 (step 1761).
For example, a log of parameters previously transmitted from the management server device 1002 to the terminal device A 1004 is referred to.
If the parameter 1601 is not held, the process ends.
If the holding is confirmed, the management server device 1002 transmits a parameter deletion command to the terminal device A 1004 (step 1762).
The parameter deletion command includes information indicating a parameter to be deleted and an electronic signature of the management server device 1002.

The terminal device A 1004 receives the parameter deletion command (step 1763), and verifies the attached electronic signature (step 1764).
If it is confirmed that the electronic signature is correct, the parameter described in the information indicating the deletion target is deleted from the parameter table in the parameter storage unit (step 1765).
In the case of FIG. 24, the parameter and the electronic signature described in the ID portion of the management server apparatus 1003 in the parameter table are deleted.

Next, functions of terminal devices A 1004 to 1005 and 1006 to 1007 in the second embodiment will be described with reference to FIG.
FIG. 25 is a functional block diagram illustrating functional configurations of the terminal devices A 1004 to 1005 and 1006 to 1007.
Here, for convenience, reference numeral 1801 is assigned to the terminal device.

The terminal device 1801 includes a communication interface 1802, an elliptic curve calculation unit 1803, a partial key generation unit 1804, an encryption key generation unit 1805, an electronic signature verification unit 1806, an electronic signature generation unit 1807, a parameter acquisition unit 1808, a private key acquisition unit 1809, The parameter deletion unit 1810, the encryption key storage unit 1811, the secret key storage unit 1812, the parameter storage unit 1813, and the ID storage unit 1814 are configured.
Communication interface 1802, elliptic curve calculation unit 1803, partial key generation unit 1804, encryption key generation unit 1805, electronic signature verification unit 1806, electronic signature generation unit 1807, private key acquisition unit 1809, encryption key storage unit 1811, private key storage unit 1812 and the ID memory | storage part 1814 are the same functions as what comprises the terminal device 801 of FIG.

The parameter storage unit 1813 manages and holds parameters used when key sharing is performed for each management server device that has generated parameters.
For example, it is held in the form of a table shown in FIG. 26, and the management server apparatus ID, parameters, and electronic signature are written together.
Also, the column corresponding to the management server device from which no parameter has been acquired is blank except for the ID.
In the second embodiment, the parameter storage unit 1813 is an example of a first signature parameter storage unit, a second signature parameter storage unit, and a key generation selection parameter storage unit.

The parameter acquisition unit 1808 acquires parameters and electronic signatures assigned to them from the management server device that manages the terminal device 1801 via the communication interface 1802.
Here, the parameters are composed of E, P, which are parameters for ECDH key exchange, and parameters used in the ID-based signature.
Only when the electronic signature is verified by the electronic signature verification unit 1806 and it is confirmed that the electronic signature is correct, the parameter and the electronic signature are stored in the table in the parameter storage unit 1813. It is described in the column of ID.
At this time, if the corresponding ID does not exist in the table, it is newly created.

The parameter deletion unit 1810 receives a parameter deletion command from the management server device via the communication interface 1802.
The received parameter deletion command includes information indicating a parameter to be deleted and an electronic signature of the management server device.
The electronic signature is verified by the electronic signature verification unit 1806, and only when the electronic signature is confirmed to be correct, the corresponding parameter is deleted from the table in the parameter storage unit 1813 based on the information indicating the parameter to be deleted. To do.
For example, when “invalidate the parameter of the management server device Serv_C” is described in the information indicating the parameter to be deleted, the parameter in the column where the ID in the table is described as “Serv_C” and the electronic signature Is deleted.
Further, when “delete management server device Serv_C” is described, all the columns in which the ID in the table is described as “Serv_C” are deleted.
If the corresponding parameter is not in the table, the process is terminated.

  In the management server device and the terminal device configured in this way, even between terminal devices under the management of different management server devices, the public key certificate is the same as the processing between the terminal devices in the first embodiment. It is possible to share an encryption key that does not receive fraud such as forgery by an unauthorized person without requiring additional equipment for performing the verification process or PKI.

The ID-based signature is a method for realizing an electronic signature using an ID as a public key, but is premised on sharing parameters with each other.
In order to invalidate the public key, the signer deletes the verifier ID from his storage device. However, the ID may be used for other purposes, and the ID may not be deleted due to the invalidation of the public key.
Therefore, in the present embodiment, as a method for revoking the public key, the management server device transmits a parameter deletion command to the managed terminal device as in the above-described method, and the ID base signature parameter is transmitted from the terminal device. delete.
Since the ID cannot be used as the public key by deleting the parameter, the public key is invalidated without deleting the ID, and the management server device can restrict key sharing between the terminal devices.

  In other words, in addition to the operation of the key sharing method according to the first embodiment, the key sharing method according to the second embodiment transmits and receives the ECDH key exchange parameter and the ID-based signature parameter between the management server devices, and performs different management. In order to share an encryption key between terminal devices managed by the server device, an ECDH key exchange is performed and an electronic signature based on an ID-based signature is transmitted to each other. The key sharing between the terminal devices is restricted by deleting the set parameters.

  As described above, in this embodiment, when keys are shared between terminals belonging to different organizations, the management servers of each organization exchange the public parameters of the organizations and the digital signatures assigned to each other, and exchange the electronic signatures with each other. A communication system has been described in which the key sharing can be realized even between terminals in different organizations by the management server of each organization delivering the public parameters of the other party to the terminals in the organization after verifying the signature.

  In this embodiment, when the management server delivers the public parameters received from the management server of the different organization to the terminals in the organization, the electronic signature of the management server of the different organization given to the public parameters is also stored in the organization. A communication system has been described in which a terminal that receives and verifies an electronic signature.

  Further, in the present embodiment, when the management server delivers the public parameters received from the management server of a different organization to the terminals in the organization, the electronic parameters are given to the public parameters and delivered to the terminals in the organization, A communication system in which a receiving terminal verifies an electronic signature has been described.

  Further, in the present embodiment, when the public parameters of an external organization are already delivered to the terminals in the organization, and the public parameters of the external organization described above are held in the terminals in the organization In response to an instruction from the management server, by deleting the parameters of the external organization described above in the terminal in the organization, the ID does not function as a public key without deleting the ID corresponding to the public key in the ID-based signature. A communication system enabling the above has been described.

Finally, a hardware configuration example of the terminal device and the management server device shown in the first and second embodiments will be described.
FIG. 27 is a diagram illustrating an example of hardware resources of the terminal device and the management server device illustrated in the first and second embodiments.
27 is merely an example of the hardware configuration of the terminal device and the management server device, and the hardware configuration of the terminal device and the management server device is not limited to the configuration illustrated in FIG. It may be a configuration.

In FIG. 27, the terminal device and the management server device include a CPU 1911 (also referred to as a central processing unit, a central processing unit, a processing unit, a processing unit, a microprocessor, a microcomputer, and a processor) that executes a program.
The CPU 1911 is connected to, for example, a ROM (Read Only Memory) 1913, a RAM (Random Access Memory) 1914, a communication board 1915, a display device 1901, a keyboard 1902, a mouse 1903, and a magnetic disk device 1920 via the bus 1912. Control hardware devices.
Further, the CPU 1911 may be connected to an FDD 1904 (Flexible Disk Drive), a compact disk device 1905 (CDD), a printer device 1906, and a scanner device 1907. Further, instead of the magnetic disk device 1920, a storage device such as an optical disk device or a memory card (registered trademark) read / write device may be used.
The RAM 1914 is an example of a volatile memory. The storage media of the ROM 1913, the FDD 1904, the CDD 1905, and the magnetic disk device 1920 are an example of a nonvolatile memory. These are examples of the storage device.
The “˜storage units” such as the parameter storage unit 810 and the secret key storage unit 812 described in the first and second embodiments are realized by the RAM 1914, the magnetic disk device 1920, and the like.
A communication board 1915, a keyboard 1902, a mouse 1903, a scanner device 1907, an FDD 1904, and the like are examples of input devices.
A communication board 1915, a display device 1901, a printer device 1906, and the like are examples of output devices.

  The communication board 1915 is connected to the network as shown in FIG. For example, the communication board 1915 may be connected to a LAN (Local Area Network), the Internet, a WAN (Wide Area Network), a SAN (Storage Area Network), or the like.

The magnetic disk device 1920 stores an operating system 1921 (OS), a window system 1922, a program group 1923, and a file group 1924.
The programs in the program group 1923 are executed by the CPU 1911 using the operating system 1921 and the window system 1922.

Further, the RAM 1914 temporarily stores at least a part of the operating system 1921 program and application programs to be executed by the CPU 1911.
The RAM 1914 stores various data necessary for processing by the CPU 1911.

The ROM 1913 stores a BIOS (Basic Input Output System) program, and the magnetic disk device 1920 stores a boot program.
When the terminal device and the management server device are activated, the BIOS program in the ROM 1913 and the boot program in the magnetic disk device 1920 are executed, and the operating system 1921 is activated by the BIOS program and the boot program.

  The program group 1923 stores programs that execute the functions described as “˜unit” in the description of the first and second embodiments (other than “˜storage unit”, the same applies below). The program is read and executed by the CPU 1911.

In the file group 1924, in the description of the first and second embodiments, “determination of”, “determination of”, “calculation of”, “calculation of”, “comparison of”, and “verification of” ”,“ Generation of ”,“ Update of ”,“ Setting of ”,“ Registration of ”,“ Selection of ”, etc. Values and parameters are stored as items of “˜file” and “˜database”.
The “˜file” and “˜database” are stored in a recording medium such as a disk or a memory. Information, data, signal values, variable values, and parameters stored in a storage medium such as a disk or memory are read out to the main memory or cache memory by the CPU 1911 via a read / write circuit, and extracted, searched, referenced, compared, and calculated. Used for CPU operations such as calculation, processing, editing, output, printing, and display.
Information, data, signal values, variable values, and parameters are stored in the main memory, registers, cache memory, and buffers during the CPU operations of extraction, search, reference, comparison, calculation, processing, editing, output, printing, and display. It is temporarily stored in a memory or the like.
In addition, the arrows in the flowcharts described in the first and second embodiments mainly indicate input / output of data and signals. The data and signal values are the RAM 1914 memory, the FDD 1904 flexible disk, the CDD 1905 compact disk, and the magnetic field. Recording is performed on a recording medium such as a magnetic disk of the disk device 1920, other optical disks, mini disks, and DVDs. Data and signals are transmitted online via a bus 1912, signal lines, cables, or other transmission media.

  In addition, what is described as “˜unit” in the description of the first and second embodiments may be “˜circuit”, “˜device”, “˜device”, and “˜step”, It may be “˜procedure” or “˜processing”. That is, what is described as “˜unit” may be realized by firmware stored in the ROM 1913. Alternatively, it may be implemented only by software, only hardware such as elements, devices, substrates, wirings, etc., or a combination of software and hardware, and further a combination of firmware. Firmware and software are stored as programs in a recording medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a mini disk, and a DVD. The program is read by the CPU 1911 and executed by the CPU 1911. That is, the program causes the computer to function as “to part” in the first and second embodiments. Alternatively, the computer executes the procedure and method of “to unit” in the first and second embodiments.

  As described above, the terminal device and the management server device shown in the first and second embodiments include a CPU as a processing device, a memory as a storage device, a magnetic disk, a keyboard as an input device, a mouse, a communication board, and a display device as an output device. The computer includes a communication board and the like, and realizes the functions indicated as “˜unit” as described above using these processing devices, storage devices, input devices, and output devices.

  101 network, 102 terminal device A, 103 terminal device B, 104 management server device, 801 terminal device, 802 communication interface, 803 elliptic curve calculation unit, 804 partial key generation unit, 805 encryption key generation unit, 806 electronic signature verification unit, 807 Electronic signature generation unit, 808 parameter acquisition unit, 809 secret key acquisition unit, 810 parameter storage unit, 811 encryption key storage unit, 812 secret key storage unit, 813 ID storage unit, 901 management server device, 902 communication interface, 903 ECDH Key sharing parameter generation unit, 904 secret key generation unit, 905 ID-based signature parameter generation unit, 906 parameter distribution unit, 907 parameter storage unit, 1001 network, 1002 management server device, 1003 management server device, 1004 end Device A, 1006 Terminal device B, 1501 Management server device, 1502 Communication interface, 1503 ECDH key sharing parameter generation unit, 1504 Private key generation unit, 1505 ID-based signature parameter generation unit, 1506 Parameter transmission unit, 1507 Parameter reception unit, 1508 Electronic signature generation unit, 1509 parameter distribution unit, 1510 parameter storage unit, 1801 terminal device, 1802 communication interface, 1803 elliptic curve calculation unit, 1804 partial key generation unit, 1805 encryption key generation unit, 1806 electronic signature verification unit, 1807 electronic signature Generation unit, 1808 parameter acquisition unit, 1809 private key acquisition unit, 1810 parameter deletion unit, 1811 encryption key storage unit, 1812 private key storage unit, 1813 parameter storage unit, 1814 ID憶部.

Claims (16)

A partial key used for generating a shared encryption key is generated as a first partial key, the generated first partial key is transmitted to a shared communication device that is a shared destination of the encrypted key, and the shared destination A communication device that receives a partial key generated by a communication device as a second partial key from the shared communication device,
A secret key storage unit that stores a secret key generated in association with a public ID (Identification) of the communication device;
Using the first partial key, the second partial key, and the public ID of the communication device, an ID-based electronic signature capable of verifying in the shared communication device that the communication partner is the communication device; An electronic signature generation unit that generates using one partial key, the second partial key, and the secret key;
And a communication unit that transmits the ID-based electronic signature generated by the electronic signature generation unit to the shared communication device. The communication unit is
Receive an electronic signature,
The communication device further includes:
An ID storage unit for storing a public ID of the shared communication device;
The electronic signature received by the communication unit is verified using the first partial key, the second partial key, and the public ID of the shared communication device, and whether or not the communication partner is the shared communication device The communication apparatus according to claim 1, further comprising an electronic signature verification unit that determines whether or not. The communication unit is
Receiving the second partial key generated by performing an elliptic curve calculation in the shared communication device;
The communication device further includes:
Performing an elliptic curve operation on a predetermined random value to generate the first partial key;
Performing an elliptic curve calculation in the process of generating an ID-based electronic signature by the electronic signature generating unit;
Performing elliptic curve calculation in the verification process of the electronic signature by the electronic signature verification unit,
If the electronic signature verification unit determines that the communication partner is the shared communication device, an elliptic curve calculation is performed using the random number value used for generating the first partial key and the second partial key. The communication apparatus according to claim 2, further comprising: a calculation unit that performs an operation to generate an encryption key shared with the shared communication apparatus. The communication unit is
Receiving the second partial key generated by performing an elliptic curve calculation in the shared communication device;
The communication device further includes:
Performing an elliptic curve operation on a predetermined random value to generate the first partial key;
Performing an elliptic curve calculation in the process of generating an ID-based electronic signature by the electronic signature generating unit;
Performing elliptic curve calculation in the verification process of the electronic signature by the electronic signature verification unit,
Prior to verification of the electronic signature by the electronic signature verification unit, a calculation unit that generates an encryption key by performing an elliptic curve calculation using the random value used for generating the first partial key and the second partial key Have
The electronic signature verification unit
An encryption key that shares the encryption key generated by the computing unit with the sharing destination communication device when the electronic signature received by the communication unit is verified and the communication partner is determined to be the sharing destination communication device; The communication device according to claim 2 or 3, wherein   Elliptic curve calculation processing at the time of generating the first partial key, elliptic curve calculation processing in the generation process of the ID-based electronic signature, elliptic curve calculation processing in the verification process of the electronic signature, and generation of the encryption key The communication apparatus according to claim 3, wherein the elliptic curve calculation process is realized by a common elliptic curve calculation program. The shared communication device is:
It has signature parameters used for generating and verifying ID-based electronic signatures,
The communication device further includes:
A parameter storage unit for storing the same signature parameter as the signature parameter possessed by the shared communication device;
The electronic signature generation unit
ID-based electronic that can be verified in the shared communication device that the communication partner is the communication device using the first partial key, the second partial key, the public ID of the communication device, and the signature parameter Generating a signature using the first partial key, the second partial key, the secret key, and the signature parameters;
The electronic signature verification unit
The electronic signature received by the communication unit is verified using the first partial key, the second partial key, the public ID of the shared communication device and the signature parameter, and the communication partner communicates with the shared communication It is determined whether it is an apparatus, The communication apparatus in any one of Claims 2-5 characterized by the above-mentioned. The communication device
Managed by a first management device that generates the secret key using a predetermined first signature parameter;
The shared communication device is:
Managed by a second management device different from the first management device, having the first signature parameter,
The communication device further includes:
A first signature parameter storage unit for storing the first signature parameter;
The electronic signature generation unit
The shared communication device can verify that the communication partner is the communication device using the first partial key, the second partial key, the public ID of the communication device, and the first signature parameter. 7. The ID-based electronic signature is generated using the first partial key, the second partial key, the secret key, and the first signature parameter. The communication device described. The shared communication device is:
Managed by a second management device that generates a secret key of the shared destination communication device in association with a public ID of the shared destination communication device using a predetermined second signature parameter, and the second signature parameter Holding
The communication unit is
Receive an electronic signature,
The communication device further includes:
An ID storage unit for storing a public ID of the shared communication device;
A second signature parameter storage unit for storing the second signature parameter;
The electronic signature received by the communication unit is verified using the first partial key, the second partial key, the public ID of the shared communication device, and the second signature parameter, and the communication partner is The communication apparatus according to claim 7, further comprising an electronic signature verification unit that determines whether the communication apparatus is a shared communication apparatus. The communication device further includes:
A parameter deletion unit that deletes the second signature parameter from the second signature parameter storage unit while holding the public ID of the shared communication device in the ID storage unit. 8. The communication device according to 8. The shared communication device is:
Holding a selection parameter for key generation selected as a parameter commonly used for generation of the first partial key, generation of the second partial key, and generation of the encryption key;
The communication device further includes:
A key generation selection parameter storage unit for storing the key generation selection parameters;
The communication unit is
Receiving the second partial key generated using the key generation selection parameter in the shared communication device;
The communication device further includes:
Generating the first partial key using the key generation selection parameter for a predetermined random value;
When the electronic signature verification unit determines that the communication partner is the shared communication device, the random value used for generating the first partial key, the second partial key, and the key generation selection The communication device according to claim 8, further comprising an arithmetic unit that generates an encryption key shared with the shared communication device using a parameter. The shared communication device is:
Holding a selection parameter for key generation selected as a parameter commonly used for generation of the first partial key, generation of the second partial key, and generation of the encryption key;
The communication device further includes:
A key generation selection parameter storage unit for storing the key generation selection parameters;
The communication unit is
Receiving the second partial key generated using the key generation selection parameter in the shared communication device;
The communication device further includes:
Generating the first partial key using the key generation selection parameter for a predetermined random value;
Prior to verification of the electronic signature by the electronic signature verification unit, an operation for generating an encryption key using the random value used for generating the first partial key, the second partial key, and the key generation selection parameter Part
The electronic signature verification unit
An encryption key that shares the encryption key generated by the computing unit with the sharing destination communication device when the electronic signature received by the communication unit is verified and the communication partner is determined to be the sharing destination communication device; The communication device according to any one of claims 8 to 10, wherein: The key generation selection parameter storage unit includes:
12. The storage device according to claim 10, wherein any one of a parameter generated by the first management device and a parameter generated by the second management device is stored as the key generation selection parameter. Communication equipment. The key generation selection parameter storage unit includes:
Storing parameters used for elliptic curve calculation as the key generation selection parameters;
The communication unit is
Receiving the second partial key generated by performing an elliptic curve calculation using the key generation selection parameter in the shared communication device;
The computing unit is
An elliptic curve calculation is performed using a predetermined random number value and the key generation selection parameter to generate the first partial key,
Performing an elliptic curve calculation in the process of generating an ID-based electronic signature by the electronic signature generating unit;
Performing elliptic curve calculation in the verification process of the electronic signature by the electronic signature verification unit,
11. The encryption key is generated by performing an elliptic curve calculation using the random value used for generating the first partial key, the second partial key, and the key generation selection parameter. The communication apparatus in any one of -12.   Elliptic curve calculation processing at the time of generating the first partial key, elliptic curve calculation processing in the generation process of the ID-based electronic signature, elliptic curve calculation processing in the verification process of the electronic signature, and generation of the encryption key The communication apparatus according to claim 13, wherein the elliptic curve calculation process is realized by a common elliptic curve calculation program. A partial key used for generating a shared encryption key is generated as a first partial key, and the generated first partial key is transmitted to a shared communication device that is a shared destination of the encrypted key, An information processing method performed by a communication device that receives a partial key generated by a communication device as a second partial key from the shared communication device,
A secret key storage step in which the communication device stores a secret key generated in association with a public ID (Identification) of the communication device;
Using the first partial key, the second partial key, and the public ID of the communication device, an ID-based electronic signature capable of verifying in the shared communication device that the communication partner is the communication device; An electronic signature generating step generated by the apparatus using the first partial key, the second partial key, and the secret key;
An information processing method comprising: a communication step in which the communication device transmits an ID-based electronic signature generated in the electronic signature generation step to the shared communication device. A partial key used for generating a shared encryption key is generated as a first partial key, and the generated first partial key is transmitted to a shared communication device that is a shared destination of the encrypted key, A communication device that receives a partial key generated by a communication device as a second partial key from the shared communication device,
A secret key storage process for storing a secret key generated in association with a public ID (Identification) of the communication device;
Using the first partial key, the second partial key, and the public ID of the communication device, an ID-based electronic signature capable of verifying in the shared communication device that the communication partner is the communication device; An electronic signature generation process generated using one partial key, the second partial key, and the secret key;
A program for executing communication processing for transmitting an ID-based electronic signature generated by the electronic signature generation processing to the shared communication device.

Images