JP2017183932A - Encrypted communication channel establishment system, method, program, and computer-readable program recording medium - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an encrypted communication channel establishment system 1 that, without requiring a public key and an authentication station of a third party, generates a common key to establish a communication channel encrypted using the common key.SOLUTION: An encrypted communication channel establishment system for establishing a communication channel encrypted using a common key k includes a first node 10 and a second node 20. The first node 10 comprises: a connection request unit 111 for transmitting identification information id to the second node 20; and a first common key generation unit 114 for generating, using a common function, the common key k on the basis of a password pwC corresponding to the identification information id and a disposable value r1 using a common function. The second node 20 comprises: a password acquisition unit 213 for acquiring a password pWC previously set on the basis of the identification information id received by the identification information reception unit 211; and a second common key generation unit 214 for generating, using the common function, the common key k on the basis of the password pwC corresponding to the identification information id and the disposable value r1.SELECTED DRAWING: Figure 1

Description

  The present invention generates a common key based on secret information such as a password when communicating between two parties that share secret information such as a password in advance. The present invention relates to an encrypted communication channel establishment system that authenticates a certain thing and establishes a communication channel encrypted with a common key.

When communicating between two parties via a network, it is authenticated that each other is a correct communication partner, and an encrypted communication channel for securely transmitting and receiving information is established. In order to establish an encrypted communication channel, it is known to use TLS (Transport Layer Security) and its predecessor SSL (Secure Socket Layer). Hereinafter, for simplicity, it is referred to as SSL / TLS.
When SSL / TLS is used, it is assumed that a public key cryptosystem is used. For this reason, in order to establish an encrypted communication channel for two parties, for example, it is required to trust the public key of the server. For this reason, a certificate authority which is a third party for authenticating the public key of the server is required.
When using SSL / TLS, after establishing a communication channel encrypted by SSL / TLS, the client transmits a password to the server via the communication channel, so that the server authenticates the client. There is a need. As described above, when SSL / TLS is used, a two-stage method in which an encrypted communication channel is established first, and then a client is authenticated by transmitting a password via the established communication channel. It becomes.
Further, Non-Patent Document 1 and Non-Patent Document 2 propose a method for establishing an encrypted communication channel.

  Non-Patent Document 1 proposes an improvement of the DH-EKE method (Diffie-Hellman Encrypted Key Exchange) based on the Diffie-Hellman password. However, the improved protocol described in Non-Patent Document 1 is based on the Diffie-Hellman key exchange method that can be integrated with TLS, and uses a more complicated protocol.

  Non-Patent Document 2 describes EAP-EKE (Extensible Authentication Protocol-Encrypted Key Exchange). EAP-EKE establishes a shared session key by HMAC (Hash-based Message Authentication Code) using the Diffie-Hellman key exchange method.

Steiner, Michael, et al. “Secure password-based cipher suite for TLS” ACM Transactions on Information and System Security 4.2 (2001): 134-157. RFC 6124 “An EAP Authentication Method Based on the Encrypted Key Exchange (EKE) Protocol.”

In the prior art (SSL / TLS), even if a user id and a password are set in advance in communication between the client and the server, the two-step procedure is performed as described above until the user is authenticated. There was a need. Also, in order to perform server authentication using a public key, a complicated process requiring a certificate issued by a third party certificate authority is required. Furthermore, in a server using SSL / TLS, for example, a handshake process is heavy in terms of processing performance, and it is necessary to prepare an accelerator in case a plurality of handshake processes occur at the same time.
For this reason, in the communication between the client and the server when the user is registered in advance, it is possible to establish an encrypted communication channel by a simple process that does not require a certificate issued by a third party certificate authority. It is desired to perform user authentication quickly.
The present invention provides a public key and a third party when identification information (id) and a password (pwC) for a user of a node (for example, a client) to access another node (for example, a server) are preset. Provides an encrypted communication channel establishment system that can generate a common key, establish a communication channel encrypted with the common key, and at the same time authenticate a node (for example, a client) without requiring a certificate authority The purpose is to do. In the present invention, establishing a communication channel encrypted with a common key means that the node has been successfully authenticated at the same time.
An object of the present invention is to provide a session key for establishing a short-time secure communication channel between independent entities that share a secret (for example, a password) without using a public key.

  The present invention provides the following solutions.

  In order to solve the above-described problem, the encrypted communication channel establishment system according to the present invention is configured so that the first node and the second node are connected to a network, and the first node accesses the second node. Identification information and password are set in advance, the first node and the second node share a common function in advance, and the first node and the second node mutually generate a common key An encrypted communication channel establishment system that establishes a communication channel encrypted by the first node, wherein the first node acquires a disposable value that is temporarily shared with the second node. A common key is generated by the common function based on a connection request unit that transmits the identification information to the second node, a password corresponding to the identification information, and the disposable value. A first common key generation unit, wherein the second node is a disposable value that is temporarily shared with the identification information receiving unit that receives the identification information from the first node and the first node. A second disposable shared value acquiring unit that acquires the password, a password acquiring unit that acquires a preset password based on the identification information received by the identification information receiving unit, a password corresponding to the identification information, and the disposable And a second common key generation unit that generates a common key using the common function based on the value of.

  The disposable value is a nonce generated randomly by the first node or the second node, and the second node or the first by the first node or the second node. The nonce transmitted to the other node may be used.

  The first node randomly generates a nonce, transmits the nonce or the encrypted data obtained by encrypting the nonce with the common key to the second node as challenge data, and receives the nonce from the second node A first authentication unit configured to authenticate the second node using response data, wherein the second node generates response data based on the challenge data received from the first node; Can be configured to include a second response unit that transmits to the first node.

  The second node randomly generates a nonce, transmits the nonce or the encrypted data obtained by encrypting the nonce with the common key to the first node as challenge data, and receives the nonce from the first node A second authentication unit configured to authenticate the first node using response data, wherein the first node generates response data based on the challenge data received from the second node; Can be configured to include a first response unit that transmits to the second node.

  The common function may be a one-way function or an encryption function.

  The first node according to the present invention is a first node connected to a network, and identification information and a password for accessing the second node connected to the network are preset, and the second node A first disposable shared value acquisition unit having a common function shared with the second node and acquiring a disposable value temporarily shared with the second node, and a connection for transmitting the identification information to the second node A request unit; and a first common key generation unit configured to generate a common key by the common function based on a password corresponding to the identification information and the disposable value.

  The second node according to the present invention is a second node connected to the network, and the first node connected to the network has the identification information and password for accessing the second node in advance. A second disposable shared value acquisition unit that has a common function that is set and shared with the first node, and that acquires a disposable value that is temporarily shared with the first node; from the first node; Based on the identification information receiving unit that receives the identification information and the identification information received by the identification information receiving unit, the password acquisition unit that acquires a preset password, the password and the disposable value based on the A second common key generation unit that generates a common key using a common function.

  In the encrypted communication channel establishment method according to the present invention, a first node and a second node are connected to a network, and identification information and a password for the first node to access the second node are set in advance. The first node and the second node share a common function in advance, and establish a communication channel encrypted with a common key generated by the first node and the second node. A method for establishing an encrypted communication channel, wherein the first node acquires a disposable value that is temporarily shared with the second node, and obtains the identification information from the first node. A first common key generation step for generating a common key by the common function based on a connection request step transmitted to the second node, a password corresponding to the identification information, and the disposable value. The second node obtains, from the first node, an identification information receiving step for receiving the identification information and a second-time value that is temporarily shared with the first node. Based on the identification information received in the disposable shared value acquisition step, the identification information receiving step, the password acquisition step of acquiring a preset password, and the common function based on the password and the disposable value A second common key generation step of generating a common key.

  The program according to the present invention causes a computer to function as the first node or the second node.

  The computer-readable program recording medium according to the present invention records the program.

  According to the present invention, when identification information and a password for a first node (for example, a client terminal) to access a second node (for example, a server) are set in advance, the public key and third party authentication are set. It is possible to generate a common key without establishing a station, establish a communication channel encrypted with the common key, and simultaneously authenticate the node.

It is a whole block diagram in the encryption communication channel establishment system based on embodiment of this invention. It is a block diagram which shows the function structure of the 1st node which concerns on 1st Embodiment of this invention. It is a block diagram which shows the function structure of the 2nd node which concerns on 1st Embodiment of this invention. 6 is a flowchart for explaining establishment of an encrypted communication channel in a first node and a second node in the first embodiment of the present invention. It is a block diagram which shows the function structure of the 1st node which concerns on the modification of 1st Embodiment of this invention. It is a block diagram which shows the function structure of the 2nd node which concerns on the modification of 1st Embodiment of this invention.

The protocol for establishing an encrypted communication channel in the present invention is not a substitute for SSL / TLS. Rather, the protocol of the present invention serves to simultaneously establish and authenticate an encrypted communication channel at the application layer. Unless otherwise specified, “cipher” means a block cipher or a cipher in a stream.
The most important point is that the protocol of the present invention is based on the premise that the first node (for example, client) and the second node (for example, server) share secret information (for example, password) in advance. . In this case, it is the responsibility of the second node (eg, server) to securely manage the secret information (eg, password).
Note that it is not sufficient for the present invention to store the password hash, not the password itself, in the second node (for example, a server). In the present invention, the second node (e.g., server) needs the actual password value itself to establish an encrypted communication channel. Thus, in the present invention, it is assumed that the first node (for example, client) and the second node (for example, server) share the password (pwC) in advance.

<First Embodiment>
Hereinafter, a first embodiment which is an example of an embodiment of the present invention will be described. As illustrated in FIG. 1, the encrypted communication channel establishment system 1 according to the present embodiment includes a first node 10, a second node 20, and a communication network 30.

The first node 10 and the second node 20 are arbitrary electronic devices including control units 110 and 210 such as a CPU, storage units 120 and 220, and communication units 130 and 230, respectively. Typically, a known computer, for example, a mobile terminal such as a microcomputer, a smart phone, and a mobile phone, a tablet terminal, a notebook computer, a personal computer, a server, and a communication device such as a router are included.
It is assumed that identification information (id) and a password (pwC) for the first node 10 (node user) to access the second node 20 are set in advance.

For example, when the first node 10 is a client terminal and the second node 20 is a server, the node user identification information (id) and password (pwC) in the client terminal (first node 10) are stored in advance in the server (second The present invention can be applied to the node 20).
In particular, in a client server system including a Web browser (first node 10) and a Web server (second node 20), it is common to manage access using user identification information (id) and a password (pwC). Therefore, the present invention can be applied.

  Also, in communication between machines without an operator (user), for example, in order for a certain machine (first node 10) to access another machine (second node 20), in advance, The present invention can be applied as long as the identification information (id) and the password (pwC) are set.

  Further, when the first node 10 is a wireless terminal and the second node 20 is a wireless LAN router such as a WiFi (registered trademark) router, identification information (id of the first node 10 (wireless terminal)) ) And a password (pwC) are preset in the second node 20 (wireless LAN router), the present invention can be applied.

  Also in the Internet of Things (IOT), the present invention can be applied when access control is performed using identification information (id) and a password (pwC) when communicating with each other by connecting to the Internet.

  As described above, in the first embodiment, the identification information (id) and the password (pwC) for the first node 10 (the node user) to access the second node 20 are set in advance. Assumption. Hereinafter, for the sake of simplicity, the identification information (id) and password (pwC) for the first node 10 (node user) to access the second node 20 are supplied from the first node 10 to the second node 20. Also referred to as identification information (id) and password (pwC) for accessing.

<About Nonce>
Prior to the description of the first node 10 and the second node 20, a nonce will be described.
Nonce means a single use random value used in cryptographic communication or the like. Therefore, when the first node 10 or the second node 20 generates a nonce, the value of the generated nonce becomes “one time only” that is different every time it is generated.
In order to guarantee that it is “one-time”, for example, as a nonce generation means, a random number generation means that generates random numbers with sufficient entropy is used, and the possibility that the generated random numbers overlap is unrealistic. It is preferable to configure so as to be lowered. Further, the nonce may be generated from a time stamp having as fine a granularity as possible, for example, so that the possibility of duplication is lowered unrealistically.

<About the first node 10>
The first node 10 will be described with reference to FIG.
FIG. 2 is a block diagram showing a functional configuration of the first node 10 according to the present embodiment.
The first node 10 includes a control unit 110 (for example, a CPU), a storage unit 120, and a communication unit 130.
The control unit 110 is a functional unit that controls the entire hardware group including the storage unit 120 and the communication unit 130.

  The control unit 110 includes a connection request unit 111, a first disposable shared value acquisition unit 112, a password acquisition unit 113, a first common key generation unit 114, and a first authentication unit 115. Each of these units can be configured to function when the control unit 110 executes an application stored in the storage unit 120 of the first node 10, for example.

When the connection request unit 111 establishes an encrypted communication channel with the second node 20, the connection request unit 111 receives the identification information (id) of the node user of the first node 10 via the communication unit 130. Transmit to node 20.
The identification information (id) may be input by a node user via an input unit (not shown) of the first node 10. Further, when a user (operator) does not intervene or performs automatic processing, the identification information (id) is stored in the storage unit 120 in advance, and the identification information (id) is input from the storage unit 120. May be.

The first disposable shared value acquisition unit 112 acquires a disposable value (r1) that is temporarily shared with the second node 20.
Specifically, the first disposable shared value acquisition unit 112 sets the communication unit 130 as a disposable value (r1) that temporarily shares the nonce generated by the second disposable shared value acquisition unit 212 of the second node 20. To get through.

  The password acquisition unit 113 acquires a password (pwC) corresponding to the identification information (id). Specifically, the password acquisition unit 113 may be configured to acquire a password input by a node user via an input unit (not shown) of the first node 10. Further, when no user (operator) is present or when automatic processing is performed, a password corresponding to the identification information is stored in the storage unit 120 in advance, and the password acquisition unit 113 inputs the password from the storage unit 120. You may comprise as follows.

  The first common key generation unit 114 includes the password (pwC) corresponding to the identification information (id) of the node user of the first node 10 and the disposable value (r1) acquired by the first disposable shared value acquisition unit 112. Based on the above, a common key (k) is generated by a common function shared by the first node 10 and the second node 20.

[About common functions]
A common function shared by the first node 10 and the second node 20 will be described.
As the common function, for example, a one-way function such as an RBKDF2 (Password-Based Key Derivation Function 2) function can be applied. For example, when the RBKDF2 function is applied, the common key (k) can be generated by setting the password input to the RBKDF2 function to pwC and the salt (Salt) to r1.
That is, when the password is pwC, the disposable value is r1, the RBKDF2 function is H (), and the generated common key is k, the common key (k) is calculated by Equation 1.
k = H (pwC, r1) (Formula 1)

Moreover, you may apply the common encryption function Enc () with which the 1st node 10 and the 2nd node 20 are provided as a common function. For example, when applying the encryption function Enc (), the encryption key input to the encryption function Enc () is set to pwC and the plaintext is set to r1, thereby generating the common key (k). it can.
That is, when the password is pwC and the disposable value is r1, the common key (k) is calculated by Equation 2.
k = Enc (r1, pwC) (Formula 2)
When the encryption function is used as the common function, the first node 10 and the second node 20 do not need to install a common function other than the encryption function, and perform the initial setting of the first node and the second node. Can be done efficiently.
The common function is not limited to the above example. For example, any one-way function or encryption function can be selected.

The first authentication unit 115 randomly generates a nonce, and transmits the nonce encrypted with the common key generated by the first common key generation unit 114 to the second node 20 via the communication unit 130 as challenge data. The second node 20 is authenticated using the response data received from the second node 20.
More specifically, the first authentication unit 115 generates challenge data by encrypting the randomly generated nonce (r2) with the common key (k) generated by the first common key generation unit 114. . The first authentication unit 115 transmits the generated challenge data to the second node 20 via the communication unit 130. As will be described later, the second node 20 generates response data obtained by decrypting the received challenge data with the common key (k) generated by the second common key generation unit 214 of the second node 20, and the response data Is returned to the first node 10 (first authentication unit 115). The first authentication unit 115 determines whether or not the response data received from the second node 20 has the same value as the original data (randomly generated nonce) of the challenge data. If the response data has the same value as the original data of the challenge data (randomly generated nonce), the first authentication unit 115 determines that the second node 20 knows the correct password (pwC), and Authenticate the second node 20 as trustworthy.

  The storage unit 120 includes a semiconductor memory, a hard disk drive, and the like, and stores software called an operating system (OS) and applications.

  The communication unit 130 is connected to an arbitrary communication network 30 such as a LAN (Local Area Network), a WAN (Wide Area Network), an Internet line, a wired line, a wireless line, etc., and transmits and receives packet data and the like (data communication). ) Implement communication protocol etc.

<About the second node 20>
The second node 10 will be described with reference to FIG.
FIG. 3 is a block diagram showing a functional configuration of the second node 20 according to the present embodiment.
Similar to the first node 10, the second node 20 includes a control unit 210 (for example, a CPU), a storage unit 220, and a communication unit 230.
The control unit 210 is a functional unit that controls the entire hardware group including the storage unit 220 and the communication unit 230.

  The control unit 210 includes an identification information reception unit 211, a second disposable shared value acquisition unit 212, a password acquisition unit 213, a second common key generation unit 214, and a second response unit 216. Each of these units can be configured to function when the control unit 210 executes an application stored in the storage unit 220 of the second node 20, for example.

  The identification information receiving unit 211 receives the identification information (id) from the first node 10 via the communication unit 230.

The second disposable shared value acquisition unit 212 generates a nonce (r1) at random, and sets the generated nonce as a disposable value.
The second disposable shared value acquisition unit 212 transmits the generated nonce (r1) to the first node 10 (first disposable shared value acquisition unit 112) via the communication unit 230. By doing so, the first node 10 and the second node 20 can share the disposable value (r1) that is temporarily shared.

  The password acquisition unit 213 acquires a preset password (pwC) based on the identification information (id) received from the first node 10. Specifically, a preset password (pwC) is acquired based on the identification information (id) received from the first node 10 from a secure storage unit (not shown). The secure storage unit may be provided in the second node. Further, a file server different from the second node may be provided.

The second common key generation unit 214 generates a common key using a common function based on the password (pwC) acquired by the password acquisition unit 213 and the disposable value (r1) generated by the second disposable shared value acquisition unit. Generate. Here, as described above, the common function is a function shared in advance by the first node 10 and the second node 20.
Thus, when the password (pwC) for accessing the second node 20 from the first node 10 is set in advance, the common key (k) generated by the second common key generation unit 214 and The common key (k) generated by the first common key generation unit 114 has the same value.

The second response unit 216 decrypts the encrypted nonce (challenge data) received from the first node 10 via the communication unit 230 with the common key (k) generated by the second common key generation unit 214. Response data is generated, and the response data is transmitted to the first node 10.
By doing so, the first node 10 can authenticate whether or not the second node 20 is reliable.

  The storage unit 220 includes a semiconductor memory, a hard disk drive, and the like, and stores software called an operating system (OS) and applications.

The communication unit 130 is connected to an arbitrary communication network 30 such as a LAN (Local Area Network), a WAN (Wide Area Network), an Internet line, a wired line, a wireless line, etc., and transmits and receives packet data and the like (data communication). ) Implement communication protocol etc.
The functional configurations of the first node 10 and the second node 20 have been described above.

<Explanation of operation by flowchart>
Next, the flow of processing between the first node 10 and the second node 20 according to an embodiment of the present invention will be described with reference to FIG. FIG. 4 is a flowchart illustrating an example of processing.
Here, the RBKDF2 function is applied as the common function.
In addition, for the disposable value temporarily shared by the first node 10 and the second node 20, the nonce (r1) randomly generated by the second disposable shared value acquisition unit 212 is set to the first node's first value. A method of transmitting to one disposable shared value acquisition unit 112 was applied.
Note that the first node 10 (for example, a client) and the second node 20 (for example, a server) share in advance identification information (id) and a password (pwC).

[Generate common key]
In step ST <b> 101, the first node 10 (connection request unit 111) transmits the node user identification information (id) of the first node 10 to the second node 20.

  In step ST201, the second node 20 (identification information receiving unit 211) receives the identification information (id) from the first node 10.

  In Step ST202, the second node 20 (second disposable shared value acquisition unit 212) generates a nonce (r1) at random, sets it as a disposable value, and transmits it to the first node 10.

  In Step ST203, the second node 20 (password acquisition unit 213) acquires a preset password (pwC) based on the received identification information (id).

  In Step ST204, the second node 20 (second common key generation unit 214) is based on the preset password (pwC) and the disposable value (r1) generated by the second disposable shared value acquisition unit 212. Thus, the common key (k) (= H (pwC, r1)) is generated by the common function (H).

  In step ST102, the first node 10 (first disposable shared value acquisition unit 112) receives the disposable value (r1) transmitted from the second node 20 (second disposable shared value acquisition unit 212). And get it.

  In step ST103, the first node 10 (first common key generation unit 114) uses the password (pwC) corresponding to the identification information (id) and the disposable value (r1) acquired by the first disposable shared value acquisition unit 112. ) And a common function (H) to generate a common key (k) (= H (pwC, r1)).

[Authentication of the second node 20 by the first node 10]
In Step ST104, the first node 10 (first authentication unit 115) randomly generates a nonce (r2).

  In step ST105, the first node 10 (first authentication unit 115) uses the nonce encrypted with the common key (k) as challenge data (c1) (= Enc (r2, k)), and the second node 20 Send to.

  In step ST205, the second node 20 (second response unit 216) responds by decrypting the challenge data (c1) received from the first node 10 with the common key (k) (Dec (c1, k)). Is transmitted to the first node 10.

  In step ST106, in the first node 10 (first authentication unit 115), the response data (Dec (c1, k)) received from the second node 20 has the same value as the original data (r2) of the challenge data. It is determined whether or not. When the response data (Dec (c1, k)) is the same value as the original data (r2) of the challenge data (in the case of Yes), the process proceeds to step ST107. When the response data has a value different from the original data of the challenge data (randomly generated nonce r2) (in the case of No), the process returns to step ST101.

  In step ST107, the communication channel encrypted with the common key (k) is established between the first node 10 and the second node 20, and it is authenticated that the second node is reliable. Become.

[Authentication of the first node 10 by the second node 20]
Since the first node 10 (first authentication unit 115) can authenticate the second node 20 as being reliable, a communication channel encrypted with the common key (k) can be established. It can be considered that the authentication of the first node 10 by the second node 20 is also substantially completed.
This is based on the fact that the common key (k) is generated by the password (pwC) that only the first node 10 and the second node 20 know.

As described above, transmission / reception of data between the application of the first node 10 and the application of the second node 20 after the communication channel encrypted by the common key (k) is established in the application layer, It is configured to be performed via a communication channel (referred to as an “encrypted communication channel”) encrypted with the common key (k).
Specifically, when the application of the first node 10 (or the application of the second node 20) transmits a plaintext with the application of the second node 20 (or the application of the first node 10) as the destination, encryption is performed. In the communication channel, the plaintext is encrypted with the common key (k) and transmitted over the communication network. Thereafter, in the encrypted communication channel, the ciphertext is decrypted with the common key (k), and the plaintext is delivered to the application of the second node 20 (or the application of the first node 10).
The communication channel encrypted with the common key (k) of the present invention is transmitted from the first node 10 or the second node 20 to the other party (second) in the application layer in the first node 10 and the second node 20. The message transmitted to the node 10 or the first node 20) is encrypted, and the first node 10 or the second node 20 is sent from the other party (the second node 10 or the first node 20). The received message is decrypted.
In this way, the application data is encrypted with the common key (k) in the application layer without replacing the SSL / TLS in the transport layer between the first node 10 and the second node 20. Can be sent and received.

  The first embodiment which is an example of the embodiment of the present invention has been described above, but the present invention is not limited to the above-described embodiment. Next, another implementation example of the first disposable shared value acquisition unit 112 and the second disposable shared value acquisition unit 212 will be described.

<Modification 1 of the 1st disposable shared value acquisition part 112 and the 2nd disposable shared value acquisition part 212>
In the first embodiment, the nonce (r1) randomly generated by the second disposable shared value acquisition unit 212 of the second node is transmitted to the first disposable shared value acquisition unit 112 of the first node, whereby the nonce (R1) is a disposable value temporarily shared between the first node 10 and the second node 20.

  On the other hand, by transmitting the nonce randomly generated by the first disposable shared value acquisition unit 112 of the first node 10 to the second node 20, the nonce is transmitted to the first node 10 and the second node 20. It may be a disposable value that is shared temporarily.

<Modification 2 of the 1st disposable shared value acquisition part 112 and the 2nd disposable shared value acquisition part 212>
[About disposable values temporarily shared by counter values]
Instead of generating a nonce, a disposable value that is temporarily shared may be generated using a counter value. In this case, the first node 10 includes a first counter (not shown), the second node 20 includes a second counter (not shown), and the first counter and the second counter are synchronized. Thus, the first counter value (first counter value) and the second counter value (second counter value) are always set to the same value. By doing so, it is possible to obtain a disposable value that the first node 10 and the second node 20 share “one-time” temporarily with the first counter value and the second counter value, respectively. .

  Specifically, in the initial setting of the first counter and the second counter, the values of the first counter and the second counter are initialized so as to be 1, for example. After that, for example, every time the common key is generated (or every time the common key (k) is reset), the first node and the second node increment the first counter and the second counter, respectively, so that the first counter And the second counter is configured to be synchronized. The increment timing is preferably unified before the common key (k) is generated or after the common key is generated.

[Common key generation]
When the first disposable shared value acquisition unit 112 and the second disposable shared value acquisition unit 212 are configured using a counter, the common key (k) is generated by the first common key generation unit 114 and the second common key generation unit 214. explain.

When the RBKDF2 function is applied as a common function, when the values of the first counter and the second counter indicate the i-th (i ≧ 1) value (i), the password is pwC and the RBKDF2 function is H (). Then, the common key generated by the first common key generation unit 114 and the second common key generation unit 214 (k _i) is calculated by equation 3.
k _i = H (pwC, i) (Formula 3)

When the encryption function is applied as a common function, when the values of the first counter and the second counter indicate the i-th (i ≧ 1) value (i), the password is pwC, and the encryption function is If Enc (), the common key (k _i ) generated by the first common key generation unit 114 and the second common key generation unit 214 is calculated by Expression 4 with the encryption key pwC and the plaintext i. Is done.
k _i = Enc (i, pwC) (Formula 4)

  As described above, the first disposable shared value acquisition unit 112 of the first node and the second disposable shared value acquisition unit 212 of the second node do not send the nonce to each other, and the count value indicated by the first counter and the second counter The first node 10 and the second node 20 can be configured to be disposable values that are temporarily shared by the first node 10 and the second node 20, respectively.

<Another implementation example of the first authentication unit 115>
Next, another implementation example of the first authentication unit 115 will be described.
In the first embodiment, the first authentication unit 115 randomly generates a nonce, transmits the nonce encrypted with the common key (k) to the second node 20 as challenge data, and the second node 20 The second node 20 is authenticated using the response data received from.

On the other hand, the first authentication unit 115 randomly generates a nonce, transmits the generated nonce as challenge data as plain text to the second node 20, and receives the response data received from the second node 20. It may be used to authenticate the second node 20.
More specifically, the first authentication unit 115 transmits the randomly generated nonce to the second node 20 as challenge data in plain text. In response to this, the second node 20 (second response unit 216) generates response data obtained by encrypting the received challenge data with the common key (k), and returns the response data to the first node 10.
By doing so, the first authentication unit 115 generates the challenge data (randomly generated) as the data value obtained by decrypting the response data received from the second node 20 (second response unit 216) with the common key (k). It is determined whether or not the value is the same as the nonce value. When the value of the data obtained by decrypting the response data with the common key (k) is the same value as the value of the challenge data (randomly generated nonce), the first authentication unit 115 determines that the second node 20 has the correct password ( pwC) can be determined to authenticate the second node 20 as trustworthy.

  As described above, the second response unit 216 is configured to transmit the challenge data received from the first node 10 to the first node 10 as response data obtained by encrypting the challenge data received with the common key (k). The

The first authentication unit 115 can selectively make the challenge data available as plain text or encrypted with a common key.
For this purpose, the first authenticating unit 115 transmits, to the second node 20, data in which an identifier for identifying whether the challenge data remains in plain text or is encrypted with the common key is added to the challenge data. You may comprise.
In this case, the second response unit 216 is configured to generate response data based on the identifier.

<Authentication of the first node by the second node (part 1)>
In the first embodiment, since the first node 10 (first authentication unit 115) can authenticate the second node 20 as being reliable, a communication channel encrypted with the common key (k) is obtained. Established, omitting authentication of the first node by the second node.
On the other hand, the first node may be authenticated by the second node.
In this case, as a method for authenticating the first node 10 by the second node 20, for example, the nonce (r1) generated by the second disposable shared value acquisition unit 212 and sent to the first node 10 is reused. May be.
Specifically, the first node 10 encrypts the nonce (r1) with the common key (k) and transmits it to the second node 20. The second node 20 decrypts the data received from the first node 10 with the common key (k) (Dec (c2, k)), and the decrypted data (Dec (c2, k)) is a nonce (r1 ) Is the same value as the above. When the decrypted data (Dec (c2, k)) has the same value as the nonce (r1), the second node 20 has the identification information and password in which the first node 10 (node user) is set in advance. You can authenticate that you are the owner.

<Authentication of the first node by the second node (part 2)>
In the first embodiment, after the first node 10 and the second node 20 each generate the common key (k), the first node 10 (first authentication unit 115) creates challenge data, The second node 20 is authenticated by receiving a response from the second node 20.

On the other hand, after the first node 10 and the second node 20 each generate a common key (k), the second node 10 creates challenge data and receives a response from the first node 10. Thus, the first node 10 may be authenticated.
In particular, the first node 10 (the first disposable shared value acquisition unit 112) generates a disposable value (r1) to be temporarily shared, and the first node 10 and the second node 20 are each the temporary node. The second node 20 may be configured to authenticate the first node 10 when generating the common key (k) based on the disposable value (r1) and password (pwC) shared with each other. preferable.

  More specifically, as shown in FIGS. 5 and 6, the second node 20 includes a second authentication unit 215 for authenticating the first node 10. The first node includes a first response unit 116.

  The second authentication unit 215 generates a nonce at random, and transmits the nonce encrypted with the common key (k) as challenge data to the first node 10 (first response unit 116) via the communication unit 230. .

  The first response unit 116 receives response data obtained by decrypting the encrypted nonce (challenge data) received from the second node 20 (second authentication unit 215) via the communication unit 130 with the common key (k). It is generated and transmitted to the second node 20 (second authentication unit 215).

The second authentication unit 215 authenticates the first node 10 using the response data received from the first node 20 (first response unit 116).
By doing so, the second authentication unit 215 can authenticate whether or not the first node 10 is reliable.
Note that the second authentication unit 215 generates a nonce at random, as in the other implementation example of the first authentication unit 115 described above, and uses the generated nonce as challenge data in plain text as the first node 10 (first The first node 10 may be configured to be authenticated using response data transmitted to the response unit 116) and received from the first node 10 (first response unit 116).

  The function of the second authentication unit 215 can be explained by replacing “first” with “second” and “second” with “first” in the function description of the first authentication unit 115 described above. Detailed description will be omitted.

  Similarly, the function of the first response unit 116 is obtained by replacing “second” with “first” and “first” with “second” in the function description of the second response unit 216 described above. Detailed explanation is omitted because it can be explained.

<Initial setting of identification information and password using SSL / TLS protocol>
In the first embodiment, it is assumed that the first node 10 and the second node 20 share a password in advance. On the other hand, an example in which the first node 10 and the second node 20 initialize the identification information and the password using the SSL / TLS protocol will be described.

[First time access]
When the node user of the first node 10 accesses the second node 20 for the first time, the second node 20 is connected between the first node and the second node using the SSL / TLS protocol. The public key is used to authenticate the second node 20 and establish an encrypted communication channel.

After the encrypted communication channel is established between the first node 10 and the second node 20, the first node 10 and the second node 20 are connected to each other using the communication channel. The node user identification information (id) and password (pwC) of the node 10 are initialized, and the second node 20 stores the identification information (id) and password (pwC) securely, for example.
By doing so, the identification information (id) and password (pwC) of the node user of the first node 10 are set in the second node 20.

  For the connection from the first node 10 to the second node 20 after the identification information (id) and password (pwC) of the node user of the first node 10 are set in the second node 20, An encrypted communication channel establishment system 1 based on (pwC) can be applied.

  As described above, when the identification information (id) and the password (pwC) are not set between the first node 10 and the second node 20, first, the identification information (using SSL / TLS) ( id) and password (pwC) are set so that the second and subsequent connections from the first node 10 to the second node 20 do not require a public key and a third-party certificate authority, and the password ( pwC) is generated, a communication channel encrypted with the common key is established, and at the same time, the node can be authenticated.

<Effects of First Embodiment>
As described above, according to the present embodiment, the first node 10 and the second node 20 transmit and receive the disposable value (r1) that is temporarily shared with the identification information (id) on the communication path. A first common key generation unit 114 and a second common key generation unit 214 that generate a common key based on a password that is secret information shared in advance and a one-time temporarily shared disposable value, respectively. .
This eliminates the need for public keys and third-party certificate authorities, eliminates the cost of issuing certificates, reduces the communication load associated with certificates, and reduces the cost of communication channels encrypted with a common key. Can be easily established.

  Even if it is assumed that the third party can eavesdrop on the data (identification information (id) and the disposable value (r1) temporarily shared) transmitted / received on the communication path, the third party has the password (pwC). The common key (k) cannot be generated unless the password is known, and a different common key is generated each time an encrypted communication channel is established. it can.

  In addition, when there are a plurality of node users of the first node 10, even if the password of a certain node user is broken, between the other node user other than the node user and the second node 20. Since it does not threaten the established, encrypted communication channel, security can be secured independently.

  In addition, since the present embodiment can be applied to any system in which the first node 10 and the second node 20 share a password, not only a client server type system but also a Web browser and a Web server type system, machine It can be widely applied to machine-type systems, connections between wireless terminals and wireless LAN devices, and IOT (Internet Of Things), and can be widely provided as a social infrastructure.

Also, the first node 10 encrypts the challenge data (r2) with the common key (k), transmits it to the second node 20, and the response data decrypted with the common key (k) in the second node 20 The second node 20 is authenticated by receiving (r2).
As a result, the communication channel encrypted by the common key generated based on the password can be established between the first node 10 and the second node 20, which substantially succeeds in the authentication of each node. Including. Thereby, the establishment of the encrypted communication channel and the node authentication can be executed in one stage.

Moreover, since the encryption communication channel establishment system 1 can use a general-purpose one-way function or an encryption function as a common function, a general-purpose that can use any common function according to the application. Have sex.
As mentioned above, although embodiment of this invention was described including the modification of the component, this invention is not restricted to embodiment mentioned above.

Second Embodiment
In the first embodiment, the first common key generation unit 114 and the second common key generation unit 214 have one common key (k) based on a password (pwC) and a temporary shared value (r1). ) Was generated (Formula 1 to Formula 4).
In contrast, the first common key generation unit 114 and the second common key generation unit 214 may be configured to generate another common key (k ′) based on the common key (k). Good.
For example, the password input to the RBKDF2 function by acquiring a temporary shared value (r1 ′) different from r1 by the first disposable shared value acquiring unit 112 and the second disposable shared value acquiring unit 212 Can be configured to generate another common key (k ′) from the common key (k) according to the equation (5) by setting the common key (k) and the salt (Salt) as r1 ′.
k ′ = H (k, r1 ′) (Formula 5)
By doing so, the first common key generation unit 114 and the second common key generation unit 214 can generate two common keys k = H (pwC, r1) and k ′ = H (k, r1 ′). it can.
Here, as r1 ′, for example, a nonce (r2) serving as challenge data generated by the first node 10 (first authentication unit 115) may be used.

Similarly, when the counter values represented by the first counter and the second counter are applied as “one-time” temporarily shared disposable values, the first counter and the second counter are incremented, respectively. The common key (k ′) can be generated.
For example, after generating the common key (k), the first counter and the second counter are incremented, respectively, and when the values of the first counter and the second counter become 2, for example, the common key (k ) To generate another common key (k ′).
k ′ = H (k, 2) (Formula 6)

In addition, when the counter values represented by the first counter and the second counter are applied as disposable values that are temporarily shared “one-time”, the first counter and the second counter each time a common key is generated. By incrementing, two common keys (k1, k2) can be generated.
Specifically, for example, when the password input to the RBKDF2 function is the common key (k) and the salt (Salt) is “i” and “i + 1”, as shown in Expression 7 and Expression 8, One common key (k1, k2) can be generated.
k1 = H (k, i) (Formula 7)
k2 = H (k, i + 1) (Formula 8)

As described above, the first common key generation unit 114 and the second common key generation unit 214 have two keys (k, k ′) or two keys (k1, k2) based on the previously generated common key (k). Can be generated.
The method in which the first common key generation unit 114 and the second common key generation unit 214 generate two keys based on the previously generated common key (k) is not limited to the above-described embodiment. Absent.
For example, when the encryption function Enc () is applied as the common function, two common keys can be generated as in the case of the RBKDF2 function.

Of the two common keys created in the second embodiment, one is a session key (common key) used for encryption, and the other is a MAC (Message Authentication Code) key used for confirmation of integrity, and SSL / TLS (record protocol) Can be handed over.
That is, of the two common keys created in the second embodiment, one is a session key (common key) used for encryption, and the other is a MAC key used for confirmation of integrity, and SSL / TLS (record protocol) security. It can be set as a cipher.
By doing this, instead of the SSL / TLS handshake protocol, the second embodiment prepares for encrypted communication such as establishment of an encrypted communication channel and authentication of the communication partner, and the record protocol is Using the two common keys generated in the second embodiment, it is possible to perform encryption and integrity check of data to be transmitted and received (that data to be exchanged has not been tampered with).

<Effects of Second Embodiment>
According to the second embodiment, identification information (id) and a password (pwC) for a node user of a first node (for example, a client terminal) to access a second node (for example, a server) are preset. In this case, a public key and a third-party certificate authority are not required, and a session key (common key) used for message encryption and a MAC key used for confirmation of integrity can be easily generated.
As a result, a communication channel encrypted with the session key is established between the first node and the second node, and the message can be prevented from being tampered with by the MAC key. A communication channel that is reduced and encrypted with a common key can be easily established at low cost.

The encrypted communication channel establishment system 1 that establishes a communication channel encrypted with the common key of the present invention can be realized using a normal computer system, not a dedicated system. For example, a computer-readable recording medium (a removable medium such as a CD, DVD, or Blu-ray disc) storing a program for executing the above-described operation may be distributed to the computer, or the server may be distributed via a network. Or you may distribute by downloading to a computer from a cloud.
The first node 10 or the second node 20 can be configured by installing the distributed program on the computer.
Then, by starting the program and executing it under the control of the OS, the computer can function as a functional unit included in the first node 10 or the second node 20.

  In particular, by installing the program (a program that functions as a first node) in a browser mounted on a computer and installing the program (a program that functions as a second node) on a WEB server, the browser and the Web server The encrypted communication channel establishment system 1 that establishes the communication channel encrypted with the common key of the present invention can be installed in the browser-based client server system configured by the above.

  An encrypted communication channel establishment method for establishing a communication channel encrypted with a common key is also realized by software. When realized by software, a program constituting the software is installed in a computer (first node 10 or second node 20). These programs may be recorded on a removable medium such as a CD-ROM and distributed to the user, or may be distributed by being downloaded to the user's computer via a network. Furthermore, these programs may be provided to the user's computer as a Web service via a network without being downloaded.

DESCRIPTION OF SYMBOLS 1 Encrypted communication channel establishment system 10 1st node 110 Control part 111 Connection request part 112 1st disposable shared value acquisition part 113 Password acquisition part 114 1st common key production | generation part 115 1st authentication part 116 1st response part 120 Storage Unit 130 communication unit 20 second node 210 control unit 211 identification information reception unit 212 second disposable shared value acquisition unit 213 password acquisition unit 214 second common key generation unit 215 second authentication unit 216 second response unit 220 storage unit 230 Communication unit 30 Communication network

Claims (10)

A first node and a second node are connected to the network;
Identification information and a password for the first node to access the second node are preset,
The first node and the second node share a common function in advance,
An encrypted communication channel establishment system for establishing a communication channel encrypted with a common key generated by the first node and the second node,
The first node is:
A first disposable shared value acquisition unit that acquires a disposable value temporarily shared with the second node;
A connection request unit that transmits the identification information to the second node;
A first common key generation unit that generates a common key using the common function based on the password corresponding to the identification information and the disposable value;
With
The second node is
An identification information receiving unit that receives the identification information from the first node; a second disposable shared value acquisition unit that acquires a disposable value temporarily shared with the first node;
Based on the identification information received by the identification information receiving unit, a password acquisition unit that acquires a preset password;
A second common key generation unit that generates a common key by the common function based on the password corresponding to the identification information and the disposable value;
An encrypted communication channel establishment system comprising:   The disposable value is a nonce generated randomly by the first node or the second node, and the second node or the first node by the first node or the second node. The encrypted communication channel establishment system according to claim 1, wherein the nonce is transmitted to the network. The first node is:
A nonce is generated at random, and the nonce or encrypted data obtained by encrypting the nonce with the common key is transmitted as challenge data to the second node, and the response data received from the second node is used to send the nonce. A first authentication unit that authenticates the two nodes;
The second node is
The encryption according to claim 1 or 2, further comprising: a second response unit that generates response data based on the challenge data received from the first node and transmits the response data to the first node. Communication channel establishment system. The second node is
A nonce is generated at random, and the nonce or encrypted data obtained by encrypting the nonce with the common key is transmitted as challenge data to the first node, and the response data received from the first node is used to send the nonce. A second authentication unit for authenticating one node;
The first node is:
4. The apparatus according to claim 1, further comprising: a first response unit that generates response data based on the challenge data received from the second node and transmits the response data to the second node. The encrypted communication channel establishment system according to item.   The encrypted communication channel establishment system according to any one of claims 1 to 4, wherein the common function is a one-way function or an encryption function. A first node connected to the network,
Identification information and a password for accessing the second node connected to the network are preset,
Having a common function shared with the second node;
A first disposable shared value acquisition unit that acquires a disposable value temporarily shared with the second node;
A connection request unit that transmits the identification information to the second node;
A first common key generation unit that generates a common key using the common function based on the password corresponding to the identification information and the disposable value;
A first node comprising: A second node connected to the network,
Identification information and a password for the first node connected to the network to access the second node are preset,
Having a common function shared with the first node;
A second disposable shared value acquisition unit that acquires a disposable value that is temporarily shared with the first node;
An identification information receiving unit that receives the identification information from the first node; a password acquisition unit that acquires a preset password based on the identification information received by the identification information receiving unit;
A second common key generation unit that generates a common key by the common function based on the password and the disposable value;
A second node comprising: A first node and a second node are connected to the network;
Identification information and a password for the first node to access the second node are preset,
The first node and the second node share a common function in advance,
An encrypted communication channel establishment method for establishing a communication channel encrypted with a common key generated by the first node and the second node,
The first node is
A first disposable shared value acquisition step of acquiring a disposable value temporarily shared with the second node;
A connection requesting step for transmitting the identification information to the second node;
A first common key generation step of generating a common key by the common function based on the password corresponding to the identification information and the disposable value;
With
The second node is
An identification information receiving step of receiving the identification information from the first node; a second disposable shared value acquisition step of acquiring a disposable value temporarily shared with the first node;
Based on the identification information received by the identification information receiving step, a password acquisition step for acquiring a preset password;
A second common key generation step of generating a common key by the common function based on the password and the disposable value;
An encrypted communication channel establishment method comprising:   A program that causes a computer to function as the first node or the second node according to any one of claims 1 to 7.   A computer-readable program recording medium on which the program according to claim 9 is recorded.

Images