JP4610169B2 - Communication method and communication system - Google Patents

Description

  The present invention relates to a communication method between a terminal belonging to a virtual group composed of a plurality of terminals connected via a general-purpose network and one terminal whose relationship with the group is not clear, The present invention relates to an authentication method for authentication performed with the terminal when the one terminal joins the group or obtains necessary information from a terminal belonging to the group.

  The number of user terminals that can connect to the Internet and enjoy various network services is rapidly increasing due to the reduction in the price of connection devices and connection charges, the diversification of connection devices and the improvement in communication speed. At the beginning of commercial use of the Internet, a one-way service in which the information provided by some information provider's servers was downloaded and used by ordinary users on their own terminals was the mainstream. In addition to some information providers, the number of users who want to transmit personally held information (for example, text data, still image data, audio data, moving image data, etc.) is increasing, mainly WWW (World Wide Web). There are many cases where one's own information is disclosed to the above server and other users are allowed to browse.

  The information provider can roughly divide the method of providing information. (1) The server is operated and provided by itself. (2) The information provider wants to provide it to a server that accepts information for a fee or free of charge. There are two ways to upload information.

  Furthermore, private information is not transmitted to an unspecified number of user terminals, but only between terminals (hereinafter referred to as “groups”) between specific users such as friends, family members, or persons having a common hobby. The demand for sharing is also increasing. As a method for realizing this request, a method mainly using an authentication server, that is, a combination of a user ID and a password (hereinafter referred to as “group list”) of a user who is permitted to participate in a group is referred to as an authentication server (information provider). The server determines the permission to share information in the group by checking the combination of the user ID and password input from the user terminal. .

  In addition, when a formed group is disclosed, information regarding the group, that is, group category and member information, conditions for participation, etc. are registered in the authentication server, and an unspecified number of users are invited to participate. There are many. By accessing the authentication server, the user knows the existence of the registered group and obtains information necessary for joining the group. Many groups that aim to communicate on networks such as chat, BBS, and mailing lists publish groups in this way.

As described above, the model (so-called client / server model) in which the information provider stores information in the server and the terminal of the information user accesses the server has the following problems. In other words, if you operate the server yourself,
(1) Advanced knowledge is required: Technical knowledge about servers and networks is required, and it is often difficult for general users to operate.
(2) Cost is high: In addition to the equipment and software, there is a problem that an operation cost for operating the information providing server at all times is necessary.
(3) Regardless of whether it is paid or free, there is a capacity limit on the server that provides information: in many cases, there is a limit on the capacity of information that can be stored in the server In the case of the provided server, it is possible to relax the capacity limit by placing most of the cost on the information user), and the information provider may be restricted.
(4) Privacy leakage: Even if the information provider is reliable, the information stored in the server may be leaked to a third party due to some kind of accident, and it is difficult to completely protect the privacy. is there.
There are problems such as
(5) Reliability as a common problem: When a server becomes inaccessible due to some trouble, it becomes impossible to provide information or share information at all.
There is also a problem.

  In addition, when the information provider collects all the costs required for providing information by obtaining revenue as consideration for providing information, there is no problem with the above capacity limitation, but a general user can The above-mentioned cost cannot be recovered when information is shared between user terminals.

  In order to solve the problem at the time of information sharing in the client / server model as described above, a peer-to-peer (hereinafter referred to as “P2P”) model has been attracting attention in recent years. . This is a communication method in which information is transmitted and received directly between an information provider and an information user when necessary without concentrating information on a server, and can solve the above problems (for example, Non-Patent Document 1).

  FIG. 30 is a conceptual diagram showing a flow of processing when information is transferred between user terminals participating in a P2P model network (hereinafter referred to as “P2P network”). Each user terminal (specifically, terminal A to terminal F) in FIG. 30 is assumed to know one or more of other user terminals participating in the P2P network. For example, terminal A is terminal B and terminal F, terminal B is terminal A, terminal C and terminal D, terminal D is terminal B and terminal E, terminal E is only terminal D, and terminal F is terminal A and terminal Each knows the existence of C. In this state, it is assumed that the user of terminal A desires to obtain certain information. In order for the user of terminal A to receive the desired information, it is first necessary to perform a search for specifying another user terminal having the information.

  Terminal A first transmits a request (hereinafter referred to as “search request”) to search for a user terminal having the above information to terminal B and terminal F in accordance with an instruction from the user. Next, the terminal B and the terminal F relay the search request received from the terminal A to the user terminals that they respectively know, and similarly relay the subsequent user terminal (S1501). Then, the user terminals (in this case, the terminal C and the terminal E) having information matching the search request directly notify the terminal A that the information is held (S1502, S1503). Terminal A selects terminal E based on some predetermined criterion, and finally the above information is directly transferred from terminal E to terminal A (S1504). Of course, both the terminal C and the terminal E may transfer the information to the terminal A.

Thereby, the problems (1) to (5) of the client / server model are solved as follows. That means
(1) Since no server operation is required, advanced knowledge required for server operation is not required.
(2) No cost for operating or using the server is required.
(3) Since the information receiver A directly receives information from the information sender E, the capacity of information that can be transferred is limited only by the local recording capacity of the terminal A and the terminal E, and there is virtually no capacity limitation. .
(4) Since the transferred information does not pass through a third party other than the terminal A and the terminal E, if the communication between the terminal A and the terminal E is encrypted using the existing technology, the privacy of the information is maintained. It is possible.
(5) Even if the terminal E is not participating in the network (offline), the terminal A can obtain necessary information from the terminal C.

In order to participate in a group on the P2P network and share private information within the group (since there is no authentication server in this case), the following requests (A) and (B) are made: It is necessary to satisfy.
(A) A user who wants to join a group needs to obtain information about the group by some method.
(B) In order to share information among group members, it is necessary to mutually authenticate whether each user terminal participates in the group by some method.

First, the requirement (A) will be examined.
In order to obtain information on the group, the search method in the P2P network described above can be used. By executing a search for obtaining information about groups on the P2P network, it is possible to obtain information on groups existing on the network without using an authentication server.

  The user first obtains (1) information for identifying a group existing on the network, and (2) information on attributes for classifying the group, and then (3) for joining the group. You need to get information about the connection destination.

  The information (1) is an ID given to the group, and is information that can uniquely identify the group. The information (2) includes the group category, activity purpose, group participation conditions, and the like. Further, the information (3) is the IP address and port number of the group member, and is information necessary for actually accessing the terminal of the group member.

  Hereinafter, the information (1) is referred to as “group identification information”, the information (2) is referred to as “group attribute information”, and the information (3) is referred to as “entry point information”. Further, the grouped information of (1) and (2) is referred to as “group information”.

  First, the user obtains group identification information and group attribute information by searching, and determines whether or not to join the group from the obtained group attribute information. When joining the group, the group entry point information is obtained by searching. At this time, it is specified which group entry point is required by the group identification information obtained in advance. The user who has obtained the entry point information performs a procedure for joining the group by accessing the corresponding entry point. When the above processing is performed using a search method in a P2P network, two problems can occur because group information is not managed by an authentication server or the like.

  The first problem is group information misrepresentation. As shown in FIG. 31, it is assumed that there are three groups G1, G2, and G3 on the network. Here, the terminal A of the user A designates the condition α of the group to which the user A wants to join, and searches the P2P network for group information (S3101).

  Next, when receiving a search request from the terminal A, the terminal B and the terminal F determine whether or not the group information of the group to which the terminal B and the terminal F meet the condition α specified by the terminal A. In the example of FIG. 31, since G2 does not meet the condition α, the terminal B and the terminal F transfer the search request to the terminal of the user that they know. Then, the terminal C and the terminal D of the group G1 that meet the condition α notify the terminal A of the group identification information DI1 and group attribute information AI1 that are held (S3102, S3103).

  Thereby, the user A of the terminal A can know the existence of a group that meets the designated condition α and can participate in the group.

  However, in the P2P network, it is easy to misrepresent group information as shown in FIG. In the same way as in FIG. 31, user A in FIG. 32 designates the condition α of the group that he / she wants to join via terminal A, and searches the P2P network for group information (S3201).

There is a possibility that the following incorrect response is returned as a response to this search.
(1) Misrepresenting group attribute information related to own group.
For example, as a response to the search request from the terminal A, the user B of the terminal B, among the group information of the group in which the user B participates, does not use the group attribute information AI2 but group attribute information of another group that meets the condition α It is assumed that data is transmitted to terminal A using AI1 (S3202). In this case, the user A may participate in the group G2 that does not meet the condition α specified by the user A.

(2) Using group identification information of another group and misrepresenting group attribute information regarding the group.
For example, it is assumed that the user E of the terminal E uses the group identification information DI1 of another group and forges the group attribute information AI4 that satisfies the condition α and transmits it to the terminal A (S3203). Then, there is a risk that the user A obtains incorrect group attribute information regarding the group G1 and spreads the incorrect group attribute information AI4 regarding the group G1. Similarly, when searching for entry point information, information can be misrepresented.

Here, the flow of processing when searching for entry point information using a search method in the P2P network will be described with reference to FIG.
First, the user A searching for entry point information specifies and searches the condition α and the group identification information of the group for which entry point information is desired. Users C and D belonging to the group specified by the specified group identification information return their entry point information as a response to the search via the terminal.

  Also in this case, since the correspondence between the group identification information and the entry point information is not managed by the server, a user who returns a response can easily return an invalid response. In this case, the following incorrect response can be assumed.

(3) Using group identification information of another group and spoofing entry point information regarding the group. For example, the terminal E can return and return the entry point information of the terminal B in response to the search for the entry point information of the group G1 from the terminal A. In this case, the terminal A may join G2 different from the group G1, and in this case, the member B of the group G2 has to process an erroneous access from the terminal A.

  Among the above, the incorrect response (1) is a problem that may occur in the client / server model, but the incorrect responses (2) and (3) are more likely to occur in the P2P environment. Since the server does not manage the association between the group identification information and the group attribute information and the association between the group identification information and the entry point information, a malicious user can easily manage the group attribute information and the entry point information. You can falsify, forge and respond.

  In the information retrieval by the conventional P2P network, it cannot be determined whether or not the above response is correct. This is because, in the conventional search method in the P2P network, an arbitrary responder can return a response to the searcher's search.

  The second problem is uniqueness regarding groups. When the groups are managed centrally by the authentication server, an identifier for identifying the two groups can be easily generated by the authentication server. By using this identifier as group identification information, the user can uniquely identify the group for which he wants to obtain information.

  However, in a P2P network, anyone can freely form a group, and it is not easy to determine an identifier for uniquely identifying each group. For example, the user A forms a group, and the identifier G1 is given to the group. Thereafter, user B also forms a different group, and G1 is given as the identifier of the group. At this time, another user C cannot distinguish the group formed by the user A and the group formed by the user B by the identifier G1. In particular, since a situation where the user B intentionally uses an identifier of the same group as the user A is assumed, the method of simply using the identifier cannot solve the second problem. Therefore, what is to be used as group identification information when operating a group in a P2P network is one of the major issues.

  In order to solve the first and second problems described above, it is possible to use an approach in which information related to groups and users is managed by an authentication server and actual data transfer or the like is performed by P2P. This method is called Hybrid P2P and is one of the countermeasures for the problems (3) and (4) of the client / server model described above, which can prevent the spoofing of information about the group and ensure the uniqueness of the group. It is also easy to do.

Next, the requirement (B) will be examined.
The conventional method and its problem will be described with reference to FIG.
As shown in FIG. 33, the first conventional method is a method in which each user terminal belonging to the group holds a group list held by the authentication server in the client / server model. In FIG. 33 (a), user terminal A, terminal B, and terminal C each hold a group list. In the group list, terminal A, terminal B, and terminal C are used as terminals of users (members) constituting the group. is described. For example, when terminal C informs other user terminals (terminal A and terminal B) of its user ID and password, terminal A and terminal B compare the user ID and password with the description in the group list held by itself. To do. If the comparison results match, terminal C is authenticated as a member of the group, and information sharing between terminal A, terminal B, and terminal C is permitted. Accordingly, since the user terminal X that is not a group member does not know the user ID and password included in the group list, information sharing between the terminal A, the terminal B, and the terminal C is not permitted, and the terminal A, the terminal B And privacy within a group composed of terminal C is maintained.

  This first conventional method has the following problems. That is, assume that terminal A or terminal B joins terminal D as a new member when terminal C is offline. In this case, as shown in FIG. 33 (b), the user ID and password of the newly added terminal D are added to the group list of terminal A, terminal B, and terminal D, and the group list having the same contents is displayed. Can be held. At this time, since the terminal C is offline, the group list cannot be updated. Next, when the terminal A and the terminal B are offline and only the terminal C and the terminal D are in the network participation state (online) (FIG. 33 (c)), the terminal C is included in the group list held by itself. Since there is no description of D, it is not possible to authenticate that the terminal D is a group member, and it is impossible to share group information between the terminal C and the terminal D even though they are both group members (terminal D). However, since there is a possibility that the terminal D has tampered and added the group list, the terminal C cannot trust it.) In other words, the first conventional method has a problem in that the synchronization of the group list held by each user terminal cannot be maintained.

In a second conventional method for solving this problem, only a specific member terminal holds a group list, and only this specific member performs group member change and user terminal group authentication.
Edited by Keiichi Koyanagi, "The New Century of P2P Internet", Ohm, 2002

  However, when the hybrid P2P is used in the request (A), the problems (1), (2), and (5) in the client / server model cannot be solved.

  Further, the second conventional method in the above request (B) has a problem that the other members cannot authenticate each other while the terminal of the specific member is offline. For example, in FIG. 33 (d), it is assumed that terminal A is this specific member, and terminals B and C are group members. If terminal A is online, terminal B can authenticate that terminal C is a group member by inquiring terminal A. However, as shown in FIG. 33 (e), when the terminal A is offline, the terminal B fails to authenticate the terminal C because the inquiry to the terminal A fails, and although both are group members, the terminal B cannot be authenticated. It becomes impossible to share information between B and terminal C.

As described above, when sharing information within a group in a P2P network for solving the problems of the client / server model,
(1) In a method in which each user terminal holds a group list, there is a possibility that the group list between members may not be synchronized, and in this case, even between group members cannot be mutually authenticated.
(2) In the method in which only a specific member holds the group list, it is impossible to mutually authenticate that other members are group members while the specific member is in an offline state.
There is a problem.

  In general, in a public key cryptosystem such as PKI, authentication between terminals is performed by using a revocation list distributed by a specific server. Through the terminal, the user accesses a server that distributes the revoked person list at the time of authentication or on a designated date, and updates the revoked person list held by the user's own terminal.

  However, since the P2P network does not assume a server that is always running, the above-described method cannot acquire the revoked person list when the administrator's terminal is offline.

  Therefore, as shown in FIG. 34A, a method in which the administrator A who has created the revoker list broadcasts a new revoker list to the terminals of all group members via the terminal A can be considered. However, since the terminals of all the members of the group are not always online in this case as well, the terminal X of the offline member X may acquire the revoked person list as shown in FIG. Can not.

Further, after that, as shown in FIGS. 34 (c) and (d), when the terminal A that has not been able to acquire the revoked person list has shifted to the online state, the terminal A has shifted to the offline state. Cannot access the terminal A from the terminal X that has subsequently entered the online state, and as shown in FIG. 34 (d), the revoker list cannot be obtained.
Therefore, the present invention has been made in view of the above problems, and even when information is to be shared within a group on a network, search for desired information can be performed without requiring server operation. An object of the present invention is to provide a communication method or the like that can be authenticated and can always be a member of a group between arbitrary members.

To achieve the above object, a terminal device in a communication system according to the present invention is a terminal device that communicates with another terminal device on a network, and the terminal device is a group of devices formed on the network. An inquiry information transmission unit that holds a public key and transmits inquiry information including an inquiry as to whether or not the other terminal device is a valid member of the group, and the inquiry from the other terminal device. Encrypted information receiving means for receiving predetermined encrypted information as a response corresponding to the information; decryption trial means for trying to decrypt the received encrypted information with the public key of the group; and When decryption is successful in the decryption trial means, information determination means for determining the appropriateness of the decrypted information, and when it is determined that the decrypted information is appropriate It said other terminal device, and a determining device determining means that the terminal legitimate members of the group.

As a result, the terminal device in the communication system according to the present invention decrypts the information received from the authentication target terminal device that has transmitted the inquiry information for authentication with the group public key and determines whether the content is appropriate or not. Since it is determined whether or not the authentication target terminal is valid, it is possible to always authenticate whether or not the authentication target terminal is a terminal related to a member of the group without requiring operation of the server. .

In order to achieve the above object, the terminal device in the communication system according to the present invention includes a message that the other terminal device wants to obtain group information including a public key of the group formed on the network. Inquiry information sending means for sending inquiry information, and from the other terminal device, as a response to the inquiry information, group information receiving means for receiving the electronically signed group information, and for the received group information, In the group information verification unit that verifies the validity with the public key included in the group information, and when the group information verification unit confirms the validity of the group information, the group information is valid for the group. Group information judging means for judging that the information is obtained from the member terminal device.

As a result, the terminal device in the communication system according to the present invention transmits the information indicating that the group information is desired to be transmitted to the other terminal device, and received from the terminal device, the group information signed with the group secret key. Is verified with the public key of the group and the validity of the content is judged to determine whether or not the terminal device providing the group information is a terminal device belonging to the group. The group information can always be obtained from the terminal device related to the legitimate member of the group without need.

  In addition, in order to achieve the said objective, this invention can also be implement | achieved as a communication method which uses the characteristic structure means of the said terminal device as a step, or a program including all those steps. The program is not only stored in a ROM or the like provided in the terminal device, but can also be distributed via a recording medium such as a CD-ROM or a transmission medium such as a communication network. Furthermore, the present invention can also be realized as a communication system including a plurality of the terminal devices.

  According to the present invention, group management on the network having the following advantages becomes possible. That is, (1) it is not necessary to operate a server that is always in operation, and (2) authentication that group members are mutually group members regardless of the online / offline status of each group member including the group administrator. Is always possible. As a result, it is possible to avoid leaking information shared only by the group to members other than the group and to safely share the information.

Further, according to the present invention, it is possible to search for groups on the network having the following advantages. (1) There is no need to operate a server that is always in operation,
(2) By generating the search result from the responder's private key, group participation certificate, etc., it is possible to avoid an illegal response to the search from a person other than the group member. That is, it is possible to prevent a group other than a group from spoofing group information, and a reliable search can be executed even in a situation where there is no server.

Hereinafter, embodiments according to the present invention will be described in detail with reference to the drawings.
First, an outline of the present invention will be described. The present invention relates to communication between a plurality of terminals connected to each other via a network.
The present invention assumes a network using Ethernet (R), an analog or digital public line or dedicated line, an ADSL (Asymmetric Digital Subscriber line), a wireless LAN (Local Area Network), and the like. It is not limited. In the Internet, TCP / IP (Transmission Control Protocol / Internet Protocol) is widely used as a lower protocol of the network, and the present invention assumes its use, but the present invention is not limited to this.

  Each of the terminals includes a communication interface corresponding to the form of the network, and performs communication processing by a CPU in the terminal executing a program for controlling the communication interface and performing communication. The program is stored in a ROM (Read Only Memory) in the terminal or a non-volatile storage device such as a hard disk or a removable disk of the terminal, and is read from there as necessary, and the main memory of the terminal It is executed on a RAM (Random Access Memory) or a combination thereof.

The terminal is also provided with input means for receiving input from the user. As the input means, a keyboard, mouse, tablet or the like is usually used. Note that these configurations are generally known in personal computers and the like, and are not the main points of the present invention, so detailed description thereof will be omitted.
The “user” used below refers to a user of the terminal. In the network assumed by the present invention, each user terminal is not always connected to the network, and address information (IP address, port number, etc.) of each user terminal necessary for communication is also fixed. Instead, it may change every time you connect to the network.

  In the following embodiments, as shown in FIG. 1, a P2P network is taken as an example of the network, and each example will be described with the P2P network in mind. A communication system 100 illustrated in FIG. 1 is a virtual group including terminals 10 to 50 that are formed on the P2P network 5 and have an equal relationship.

(Embodiment 1)
First, an outline of the public key cryptosystem used in this embodiment will be described. The public key encryption method is an encryption method using a “public key” and a “secret key”, and has the following properties. (1) It is impossible to calculate the public key and the secret key from one to the other in a realistic time. (2) Information encrypted with the public key can be decrypted only with the corresponding private key, and information encrypted with the private key can be decrypted only with the corresponding public key.

  Due to the nature of (1) above, if the user of this encryption method keeps the secret key secretly, there is no problem even if the public key is known to a third party (the public key is made public). be able to). Therefore, on the sender side who wants to transmit certain information in a secret manner, the recipient's public key is obtained in advance, the above information is encrypted with the recipient's public key, and this encrypted information is sent to the recipient's terminal. Send. On the receiver side, the received encrypted information is decrypted with a private key held only by the user. Even if a third party intercepts the encrypted information, the information cannot be leaked to the third party because it cannot be decrypted except by the private key of the recipient. In the following, information obtained by encrypting the information M to be encrypted with the key K will be expressed as “e (M, K)”.

  In addition, using the public key cryptosystem, the information itself is not encrypted, but it is also possible to perform an “electronic signature” (hereinafter simply referred to as “signature”) to prove that the information has not been tampered with. . That is, the derived information “H” uniquely derived from the information to be signed “M” by the predetermined algorithm “f” is H = f (M), and this derived information H is the sender's private key “K_S”. Assuming that the signature information encrypted by “Sgn” is “Sgn”, this Sgn = e (H, K_S) is added to the information M and transmitted to the receiver's terminal.

  The receiver's terminal receives the information M and the signature information Sgn, decrypts the signature information Sgn with the sender's public key “K_P”, obtains derivative information H, and H = f (M) is established. By confirming that the information M has been confirmed, it can be confirmed that the information M has not been tampered with by a third party. This is because if information M has been tampered with by a third party, H = f (M) does not hold, and if there is no sender's private key K_S, it can be successfully decrypted with the sender's public key K_P. This is because it is impossible to create the signature information Sgn.

  A public key cryptosystem and a signature scheme using the same are widely used for communications requiring security over the Internet. In the following, a public key and a secret key of a certain user A are expressed as “KA_P” and “KA_S”, respectively.

  In the present embodiment, the “group” is defined as follows. (1) A group is composed of one or more group participants (hereinafter also simply referred to as “participants”). (2) Each participant can join a plurality of groups. (3) Each group has shared information unique to the group. (4) Users who mutually authenticate that they belong to the same group (hereinafter referred to as “members”) can transmit and receive shared information of the group. Note that the above group is composed of one or more participants such as friends, family members, owners of the same hobby, and persons with similar addresses.

  In the present embodiment, the participants who make up the group are divided into two parties: an administrator who has the authority to issue a group participation certificate (also simply referred to as “participation certificate”) and other participants. Classify. A general user on the network is permitted to participate in the group by issuing a group participation certificate from the administrator. Here, the “group participation certificate” is defined as information for performing group authentication. In addition, “group authentication” means that one user of a group proves to other users that he / she is participating in the group, and the other user makes the above-mentioned To prove that you are participating in the group.

In order to manage the above groups, the following processing is required.
(1) Formation of group (2) Notification of group (3) Acquisition of group information (4) Acquisition of entry point information (5) Request for new membership to group (6) Authentication between group members (7) Between group members (8) Update of group participation certificate (9) Delete group member (10) Add group manager (11) Update group public key Each process will be described below.

1. Group formation User A who wants to form a group virtually on the network for the purpose of sharing information, etc. generates a pair of public key “KG_P” and private key “KG_S” for the group to be formed, Stored in a terminal (hereinafter referred to as “terminal A”) or held by user A itself. These keys may be generated based on information (passphrase) designated by the user A via the input means, or generated by the function of the terminal A (including the function based on the application program; the same applies hereinafter). It may be generated based on information such as a random number.

2. Group Notification The generated group public key KG_P is duplicated by another method from the participant's terminal (for example, terminal A) to another user's terminal for identifying the group (for example, another group). Group information etc. as part of the group ID etc. As this notification method, the following method can be considered.

(1) The terminal A transmits the group information to all or some users of the P2P network as shown in FIG. As a result, the group information is sequentially transferred from the user terminal to the user terminal, and finally received by the target destination terminal.

(2) The terminal A broadcasts the group information to other user terminals connected to the same local area network (LAN) or virtual private network (VPN).

(3) The terminal A directly sends the group information (at least the group public key KG_P) to other user terminals by e-mail or the like, that is, by some method other than transfer via the P2P network.

(4) For example, there is a group information index server for registering group information, terminal A registers information in the group information index server, and other user terminals freely obtain group information including group public key KG_P. It can be so.

(5) The above methods (1) to (4) are combined.

  The group information includes group identification information that can identify the group together with group attribute information that represents the contents of the group, such as the group name, information that identifies the originator of the group, formation, purpose, and participation conditions. It is. This group identification information includes at least the group public key KG_P.

3. Acquisition of group information The user X on the P2P network searches the group information of a group to be joined by one of the following methods via the terminal (hereinafter referred to as “terminal X”), and from the searched group information, Get group identification information.

(1) Explanation of group identification information or a group for identifying a group from group information received in the past (including group information received directly from terminal A of user A who formed the group) held by terminal X A desired group is found based on the group attribute information.

(2) Using the P2P network information search mechanism illustrated in FIG. 30 above, a part or all of the group attribute information is searched for other users as a search key (also referred to as “keyword”). The group identification information is obtained from the retrieved group information.

(3) When the above group information index server is operated, the group information index server is searched using a part or all of the group attribute information as a key, and the group identification information is obtained in the same manner.

(4) When the terminal A of the group originator is known to the terminal X, the group information and the group identification information are directly obtained by some method (for example, e-mail or the like).

4). Acquisition of entry point information When the user X wishes to newly join a specific group, entry point information (for example, IP address, communication) for specifying a group manager and connecting to the terminal of the manager Port number used for Here, the group manager is a user who has authority such as addition and deletion of group members, and more specifically, a user who holds the group secret key KG_S. In this case, the user X obtains the entry point information of the group manager by one of the following methods.

(1) The user X performs a search using part or all of the group identification information as a key using the P2P network information search mechanism illustrated in FIG. The group administrator responds. In response to the response from the group manager, the terminal X is notified of the entry point information of the group manager's terminal.

(2) A method using a peer information server. Here, the “peer information server” is a server that can retrieve at least entry point information for all users connected to the P2P network online or for all users who are subscribed to at least one group. And holds group identification information and group attribute information of each group. The user X searches the peer information server using the group identification information or the like as a key, and obtains the entry point information of the group manager's terminal based on the search result, as in (1) above.

(3) When the group manager's terminal A is known to the terminal X, the terminal A is always online, and it is known that the entry point information does not change, the entry point information is notified.

5. Request to join a group A user X who wants to join a group communicates with the terminal A of the group manager A using the above entry point information via the terminal X and issues a “group participation certificate”. Ask. Details of this processing will be described later.

6). Authentication between group members It is possible to authenticate each other that belongs to the same group between group members holding the group participation certificate obtained as described above. Details of this process will be described later.

7). Sharing of information among group members As described above, shared information within a group between a plurality of group members authenticated as belonging to the same group, for example, between the terminal X of the user X and the terminal Y of the user Y Can be transferred to each other. This can be realized, for example, by the following processing ((7-1) and (7-2)).

(7-1) Setting of Encryption Key Used for Communication After authenticating that they belong to the same group, for example, user X creates a common encryption key “K_XY” for user X and user Y, and user X The encryption key is encrypted with the private key of the user Y and the public key of the user Y and sent to the terminal Y of the user Y. User Y decrypts this using his private key and user X's public key. In this case, only user Y can decrypt this. Thereby, the encryption key K_XY can be safely notified from the terminal X of the user X to the terminal Y of the user Y.

(7-2) Encryption of information to be transferred After the above (7-1), when information is transferred between the terminal X and the terminal Y, encryption is performed with the common encryption key K_XY. Since the third party cannot know the encryption key K_XY, the contents cannot be decrypted even if the communication between the terminal X and the terminal Y is intercepted, and false information is impersonated by the user X or the user Y. Cannot be transferred to the terminal Y or the terminal X, and the terminal X and the terminal Y can communicate safely. This makes it possible to share group information between group members safely.

  When three or more members are mutually authenticated, the following forms can be considered for the encryption key used for information transfer between the terminals of these members.

(1) Different encryption keys are used for communication between two different parties. For example, when the terminal A, the terminal B, and the terminal C are mutually authenticated, the encryption key K_AB is used for the communication between the terminal A and the terminal B, the encryption key K_BC is used for the communication between the terminal B and the terminal C, and the terminal C -A method of using K_CA for communication between terminals A.

(2) A common single encryption key is used between the above members who are mutually authenticated. For example, when the terminal A and the terminal B are authenticated to each other, and the terminal C is newly authenticated to the terminal A or the terminal B in the state where the communication is performed using the encryption key K_AB, the terminal A or the terminal B In this method, K_AB encrypted using the public key of terminal C is sent to terminal C, and thereafter, encryption key K_AB is used between any one of terminal A, terminal B, and terminal C.

8). Renewal of group participation certificate If the group participation certificate issued as described above contains expiration date information, after the expiration date, the user who has the group participation certificate joins the group (between group members The group participation certificate needs to be updated. Details of this processing will be described later.

9. Deletion of group members In the method described above, a user with a group participation certificate can join the group until the expiration date of the group participation certificate. When it is desired to exclude a user from a group member (to prevent the user from being authenticated as a group member), for example, the following process is executed. In the following, with respect to a method for deleting a group member, a method for deleting a group participation certificate (below (9-1)) and a method for creating revoked person information (below (9-2-1) (9-2) -4)).

(9-1) Deletion of Group Participation Certificate If the group participation certificate held by a member to be excluded is erased, the member cannot subsequently authenticate between group members. For this purpose, it is necessary to execute the following processing in each member terminal.

(9-1-1) Deletion Instruction for Group Participation Certificate The group manager notifies the terminal of the member to be excluded via the terminal of the instruction to delete the participation certificate instructing to be excluded from the group. .

(9-1-2) Deletion of Group Participation Card The member terminal that has received the instruction to delete the participation certificate deletes the group participation certificate held therein. In this case, the terminal that has received the instruction to delete the participation certificate forcibly deletes it.

(9-2-1) Creation of Revoker Information One of the group members (including the group manager) creates revoker information including information (for example, the public key of the member) that identifies the excluded member.

(9-2-2) Sharing Revoker Information When authenticating between the group members, the revoker list of revoker information held by one terminal and the revoker list of revoker information held by the authentication partner If there is a loss of the revoked person list on one side, the revoked person list of the revoked person information is made consistent with all the group members by using the other revoked person list.

(9-2-3) Exclusion of revoker During authentication between the group members, it is checked whether the authentication partner is included in the list of revokers held by himself / herself. The other party is not authenticated as a group member. For example, when the public key of the user is used as a description item in the revoker list, if the public key of the authentication partner is included in the revoker list, authentication with the partner is rejected.

(9-2-4) Rejection of renewal of participation qualification of revoked person The administrator specifies the user who has received a request for renewal of the participation certificate when updating the group participation certificate via the terminal. Check whether the information (for example, public key) matches any of the information included in the revocation list, and if there is a match, reject the update of the participation certificate.

  In addition, when the non-erasable deadline is added to the revoked person information, the revoked person information that has passed the non-erasable deadline is deleted. For example, if you give a point a little later than the expiry date of the group participation certificate as a non-erasable expiry date, you can delete the revoked person information that is no longer needed, and the list of revoked person information will grow infinitely Can be prevented.

  Further, the revoker information may be created only by the group administrator, and the group administrator may share the information within the group in an encrypted state using the group secret key KG_S. The group member can decrypt the revoked person information using the public group public key KG_P, and can confirm that this revoked person information has not been tampered with. Thereby, sharing of the invalid revoker information created by a malicious user can be prevented.

In addition, it is necessary to have a method of deleting the group participation certificate (above (9-1)) and a method of creating revoked person information (above (9-2-1) to (9-2-4)). The target member may be deleted by combining them accordingly.
Next, a method for deleting a group member using the revoker information will be described in detail. As a specific example of the revoked person information, a “revoked person list” in which information of members deleted from the group is listed is used.

  FIG. 2 is an example of a format of a revocation list created by the group manager. The following data is stored in each field of the revoker list.

(1) Revocation list ID
An identifier for uniquely identifying the revocation list.
(2) Effective date Indicates the date and time when the revocation list was created.
(3) Expiration date Indicates the expiration date for which the revocation list must be maintained.
(4) Creator ID
An identifier for uniquely identifying the administrator who created the revocation list. For example, the administrator's public key or the like is used as the creator ID.
When there are a plurality of persons called managers in addition to the manager in the group, this field is referenced to identify which person is the revoker list issued.
(5) Revoker ID list This represents a list of IDs of old participants deleted from the group.
(6) Revoker ID
An identifier for uniquely identifying the old participant deleted from the group.
(7) Signature

Represents a signature with a group private key. Ensure that only the administrator can create a revocation list.
Each time an administrator removes a member from a group, the administrator creates / updates a revoker list. All group members maintain the same revoker list.

10. Addition of Group Manager As described above, a request for newly joining a group is limited to the case where the terminal of the group manager is in an online state, and the above request cannot be made when the terminal is in an offline state. Therefore, in order to increase the opportunity to make the above request to users who wish to join the group, the number of terminals of the group manager is increased. In this case, the group secret key KG_S is transferred from the group manager's terminal to the newly added group manager's terminal by some secure technique (for example, an encryption communication method).

11. Updating the group public key If the group secret key KG_S is leaked to a user other than the group administrator due to some accident, the user who obtained the group secret key can issue a group participation certificate or revoker list illegally. Become. In this case, the group member cannot distinguish between a group participation certificate issued by a legitimate group manager and an illegally issued group participation certificate. In order to prevent such a situation, the group manager needs to update the group public / private key pair. Also, as described above, when it is desired to remove the authority as a group manager from among the added group managers, it is necessary to update the group public key / private key pair. On the other hand, even if the group manager updates the pair of the group public key / private key to “KG_P ′” / “KG_S ′”, the group having the conventional group public key KG_P and the group participation certificate created based thereon Group authentication between members continues to be possible. Therefore, all the members of the group need to always hold the latest group public key and obtain a group participation certificate corresponding to the latest group public key.

The group public key can be updated by, for example, one of the following methods.
(1) When the group manager updates the group public / private key pair, a new group public key is sent to the terminals of all the group members via the P2P network illustrated in FIG. The terminal of each member that has received this transmission replaces the old group public key with this new group public key.

(2) Information related to the update time of the group public key is included in the group information, and each group member terminal holds information related to the update time of the group public key in addition to the group public key. Then, at the time of authentication between members, the group public key held by both terminals is compared with the information related to the update time, and if one member's terminal holds a valid old group public key, the other Replace the old group public key with the new group public key.

(3) When the group manager operates the above group information index server, information on the update time of the group public key is included in the group information as in the above (2). Furthermore, when the group member comes online, the group member accesses the group information index server at a certain time interval or immediately before performing group authentication, and obtains the latest group public key of the group.

  In order to obtain a group participation certificate corresponding to the latest group public key, when detecting the fact that the group public key has been updated, the terminal of the user who detected this is the group administrator's terminal. You can request a reissue of your participation certificate.

  Next, the operation of the communication system 100 configured as described above will be described. FIG. 4 is a flowchart showing a flow of the above-mentioned “5. Request for new subscription to group” processing. FIG. 4 shows the flow of each process executed at the terminal X of the requester X who desires to newly join the group and the terminal A of the group manager A. FIG. 5 shows information held in the terminal X after the processing of FIG. 4 is executed.

  In advance, the terminal A stores the newly created group public key KG_P / private key KG_S pair according to an instruction from the group manager A, and the group public key KG_P is made public (S101) (above) (See “1. Formation of group” and “2. Notification of group”).

  Similarly, the terminal X of the subscription requester X stores the created public key KX_P / private key KX_S pair in accordance with an instruction from the subscription requester X in advance (S102). These keys may be generated based on information (passphrase) specified by the requester X, or generated based on the function of the program or the terminal X (for example, a random number). May be generated based on the above).

  Next, the terminal X obtains the public key KG_P of the group desired to participate in accordance with an instruction from the subscription requester X (see “3. Acquisition of group information” above), and the terminal A of the group manager A (See “4. Acquisition of entry point information”) (S103).

  Furthermore, the terminal X creates an arbitrary character string S according to the instruction from the subscription requester X (S104). The character string S may be the character string itself input by the subscription requester X, or a character string generated based on the function of the program or the terminal X (for example, a character string generated based on a random number). ).

  Thereafter, the terminal X transmits a character string S and information (for example, name, address, etc.) that can identify the requester X to the terminal A according to an instruction from the requester X, and newly joins the group. A request to do so is made (S105).

  Accordingly, the terminal A determines whether to approve the subscription of the subscription requester X based on the information that can identify the subscription requester X received from the terminal X (S106). If it is determined that the subscription requester X is not allowed to join (S106: No), the terminal A ends this process without the terminal X being able to newly join the group.

  When approving the subscription of the requester X (S106: Yes), the terminal A uses the character string S ′ = e (S, KG_S) obtained by encrypting the character string S received from the terminal X with the group secret key KG_S. It is created and transmitted to the terminal X (S107).

  Then, the terminal X decrypts the encrypted character string S ′ received from the terminal A with the group public key KG_P (S108). At this time, the terminal X confirms whether or not the character string S ′ is normally decrypted by the public key KG_P and the result is equal to the original character string S (S109). As a result, the character string S ′ is encrypted with the secret key KG_S corresponding to the group public key KG_P, that is, whether or not the terminal A is the terminal of the group manager A who certainly holds the group secret key KG_S. Can be confirmed. If the decryption fails or the decryption result is not equal to the character string S (S109: No), it is not possible to confirm that the user of the terminal A is a group manager, so this process is performed while the terminal X cannot newly join the group. Exit.

  Next, the terminal X transmits the public key KX_P of the requester X to the terminal A (S110). Accordingly, the terminal A creates a group participation certificate C_X of the subscription requester X and sends it to the terminal X (S111). This group participation certificate C_X is created by encrypting the public key KX_P of the terminal X with an expiration date T_X indicating the date and time when the effect of the participation certificate disappears (KX_P + T_X) with the group secret key KG_S. = E (KX_P + T_X, KG_S). In this case, as a method of attaching the expiration date T_X to the public key KX_P, any method may be used as long as it cannot be separated before decryption and can be separated by decryption. For example, a combination of a public key KX_P and an expiration date T_X, each represented as a character string, via a predetermined symbol character (for example, a hyphen "-") is conceivable.

  Further, when the terminal X receives the group participation certificate C_X (S112), the group new subscription request process is completed. An example of information (that is, three types of key information and a participation certificate) held in the terminal X at the time when the above processing is completed is shown in FIG.

  In the present embodiment, as shown in FIG. 4, the terminal X transmits information that can identify the subscription requester X and the public key KX_P of the subscription requester X to the terminal A, respectively ( S105, S110) and the transmission order are not particularly limited, and the transmission order may be reversed.

  Next, the “6. Authentication between group members” process will be described in detail with reference to FIG. FIG. 6 is a flowchart showing the flow of each processing in the terminal X of the participant X and the terminal Y of the participant Y who have already obtained the group participation certificate. It is assumed that terminal X already holds the three types of key information and participation certificate shown in FIG.

  First, the terminal X of the participant X specifies entry point information of the terminal Y of another participant Y belonging to the group (S301). For example, the identification is performed by one of the following methods.

(1) The terminal X performs a search using a part or all of the group identification information as a key by using the information search mechanism of the P2P network as illustrated in FIG. respond. In response to the response from the group participant, the terminal X is notified of the entry point information of the terminal Y of the group participant Y.

(2) When the peer information server is operated, the terminal X searches the peer information server using the group identification information as a key, and on the basis of the search result, other participants who are online Get entry point information.

(3) If the terminal Y of another participant Y is known to the terminal X and it is also known that the terminal Y is always online and the entry point information does not change, the entry point information is used.

Next, the terminal X requests the terminal Y to perform authentication (S302). Then, the terminal Y creates an arbitrary character string S and transmits it to the terminal X as in the case of FIG. 4 (S303).
Accordingly, the terminal X creates a character string S ′ = e (S, KX_S) obtained by encrypting the received character string S with its own secret key KX_S according to the instruction of the participant X. The group participation certificate C_X held by itself is transmitted to the terminal Y (S304).

  Thereafter, the terminal Y decrypts the participation certificate C_X received from the terminal X with the group public key KG_P, and obtains the public key KX_P and the expiration date T_X of the participant X (S305). Here, the terminal Y confirms whether or not the above-described decoding is successful (S306). If the decryption fails (that is, if the participation certificate C_X is not encrypted with the valid group secret key KG_S), the terminal X is regarded as not belonging to the group, and this process ends (S306: No). .

  Furthermore, the terminal Y checks whether or not the expiration date T_X obtained by the above decoding is valid (S307). If the expiration date T_X is invalid (S307: No), it means that the participation certificate is invalid, so that the terminal X is regarded as not belonging to the group, and this process is terminated.

  Furthermore, the terminal Y decrypts the encrypted character string S ′ received from the terminal X with the public key KX_P of the terminal X obtained by the above decryption (S308). Thereby, the terminal Y confirms that the decoding of the character string S ′ is successful and the decoding result matches the character string S (S309). If they do not match (S309: No), it means that the terminal X does not hold the secret key KX_S corresponding to the public key KX_P, so that the terminal X is regarded as a possibility of impersonation of a third party. This process is terminated.

When all the following contents can be confirmed as in the above processing, the terminal Y authenticates the terminal X as a group participant (S310).
(1) The terminal X holds the group participation certificate encrypted with the group secret key KG_S.
(2) The validity period T_X of the group participation certificate is valid.
(3) The terminal X holds the secret key KX_S corresponding to the encrypted public key KX_P in the group participation certificate.

Next, the above processing (S301 to S310) is executed by switching the positions of the terminal X and the terminal Y. If this processing is successful, the terminal X is authenticated as a terminal participant of the terminal Y, and mutual authentication is completed.

Next, the “8. Update of group participation certificate” process will be described in detail with reference to FIG. FIG. 7 is a flowchart showing the flow of each processing in the terminal X of the update requester X who requests the update of the group participation certificate and the terminal A of the group manager A. It is assumed that terminal X already holds the three types of key information and participation certificate shown in FIG.

  First, the terminal X specifies the entry point information of the terminal A according to the instruction from the update requester X (S401) (see “4. Acquisition of entry point information” above). Then, the terminal X creates an arbitrary character string S according to an instruction from the update requester X, and transmits it to the terminal A to request an update of the group participation certificate (S402). This character string S may be the character string itself input by the update requester X, or a character string generated based on the function of the program or the terminal X (for example, a character string generated using a random number). ).

  Next, the terminal A encrypts the character string S with the group secret key KG_S to create a character string S ′ = e (S, KG_S), and transmits it to the terminal X (S403). Thereby, the terminal X decrypts the encrypted character string S ′ with the group public key KG_P (S404).

  Furthermore, the terminal X confirms that the character string S ′ is normally decrypted with the group public key KG_P and the result is equal to the original character string S (S405). As a result, the character string S ′ is encrypted with the secret key KG_S corresponding to the group public key KG_P, that is, the terminal A is indeed the terminal of the group manager A who holds the group secret key KG_S. I can confirm. If the decryption fails or the decryption result is not equal to the character string S (S405: No), it is considered that the terminal A is not the terminal of the group manager A, and the terminal X does not update the group participation certificate and performs this processing. Exit.

  When the decryption is successful and the decryption result is equal to the character string S (S405: Yes), the terminal X transmits its participation certificate C_X = e (KX_P + T_X, KG_S) to the terminal A (S406). Thereby, the terminal A decrypts the received participation certificate C_X with the group public key KG_P and obtains the public key KX_P of the update requester X (S407).

  Furthermore, the terminal A confirms whether or not the above decoding has been successful (S408). If the decryption fails (S408: No), the terminal A is a terminal that does not have the group participation certificate encrypted with the group secret key KG_S, that is, the terminal X is a group participant. This processing is terminated without updating the group participation certificate of the terminal X.

On the other hand, if the above decryption is successful (S408: Yes), the terminal A encrypts the public key KX_P of the terminal X with the new expiration date T_X ′ attached thereto with the group secret key KG_S and creates a new participation certificate C_X '= E (KX_P + T_X', KG_S) is created and transmitted to the terminal X (S409).
Thereby, the terminal X receives the new participation certificate C_X ′ (S410).

  As a result of the above processing, the renewal requester X's participation certificate is attached with a new validity period, so that the renewal requester X can join the group until the new validity period via the terminal X. .

Next, a procedure for sharing revoked person information in the “9. group member deletion” process will be described in detail with reference to the drawings.
In order to solve the above problem, in addition to the broadcast to the member's terminal in the online state by the administrator's terminal, the member terminals hold each other immediately after the above-described authentication as the member terminal is completed. A method of exchanging revocation lists will be introduced.

  First, as shown in FIG. 3A, consider a case where the member terminals Y and Z in the online state and the member terminals X in the offline state hold different revocation list. Next, as shown in FIG. 3B, the member terminal X in the offline state goes online and executes group authentication with the member terminal Y in the online state. At this time, if the group authentication is successful, as shown in FIG. 3C, the member terminal X and the member terminal Y exchange the revoked person list held by each other.

  FIG. 3C shows a state in which the member terminal X has acquired the revoker lists α and β from the member terminal Y. Further, as shown in FIG. 3 (d), the member terminal Y that has newly acquired the revoked person list from the member terminal X in the offline state also provides a new revoker list to the member terminal Z in the known online state. Propagate.

  With the above method, it becomes possible to obtain revoker information from other group members even when the administrator is absent, even for a member terminal that has been offline when the revocation list is notified from the administrator. .

FIG. 19 is a flowchart showing a flow of processing for exchanging and sharing a revoker list between the terminal X of the participant X and the terminal Y of the participant Y. The meanings of terms used in FIG. 19 are shown in FIG.
Here, it is assumed that the terminal X and the terminal Y have mutually authenticated that they are terminals of group members by the above-described “6. Authentication between group members” process.

  First, the terminal X of the participant X who newly joins the group has a revoker list set (a list of all revoker IDs held by the terminal: RLT_X) of the participant Y's terminal. Y is transmitted (S2001). Here, it is assumed that the revocation list held by the terminal X is CRL (a) and CRL (b). In this case, the RLT_X is expressed as “(a, b)” by collecting the IDs of the revoked persons.

  Thereby, the terminal Y compares the revoker list set (RLT_X) acquired from the terminal X with the revoker list set (RLT_Y) held by itself (S2002). X creates a differential revocation list (DRL_X) representing a revocation list that is not held and a differential revocation list (DRL_Y) that represents a revocation list that is held by the terminal X but is not held by itself (DRL_Y). S2003).

In FIG. 19, since RLT_X is (a, b) and RLT_Y is (a, c, d), DRL_X = (c, d) and DRL_Y = (b). Next, the terminal Y transmits DRL_Y to the terminal X (S2004).
As a result, the terminal X creates an additional revoker list ARL_Y in which the revocation list that the terminal X holds and the terminal Y does not hold is created from the difference list DRL_Y received from the terminal Y, and the terminal Y (S2005).

Next, in FIG. 19, since DRL_Y is (b), the content of the additional revoker list ARL_Y is the revoker list CRL (b) whose revoker ID is “b”.
Further, the terminal Y extracts the revoked person's ID from the additional revoked person list ARL_Y received from the terminal X, and adds and updates it to the revoker list set RLT_Y held by the terminal Y (S2006). In FIG. 19, the contents of RLT_Y at this time are (a, b, c, d).

  Thereafter, the terminal Y creates an additional revoker list ARL_X in which the revoker lists held by itself and not held by the terminal X are compiled based on the differential revoker list DRL_X (S2007). In FIG. 19, since DRL_X is (c, d), the additional revoker list ARL_X has the revoker list CRL (c) whose revoker ID is “c” and the revocation whose revoker ID is “d”. From the user list CRL (d), (CRL (c), CRL (d)).

Furthermore, the terminal Y transmits the revoker list set RLT_Y and the additional revoker list ARL_X to the terminal X (S2008).
Thereby, the terminal X takes out the ID of the revoked person from the additional revoked person list ARL_X received from the terminal Y, and updates the revoker list set RLT_X held by itself (S2009).

Finally, the terminal X compares the RLT_Y acquired from the terminal Y with the updated RLT_X (S2010). If the two match (S2010: Yes), the terminal X and the terminal Y are normally synchronized with respect to the revocation list.
In the above method, since the revoked person list is obtained from other than the administrator, it is necessary to separately verify whether or not the obtained revoked person list is valid.

Since the revocation list created by the administrator is signed with the group private key, the validity of the revocation list can be verified with the group public key.
The revoked person list whose validity has been confirmed is held in each member's terminal until the expiration date expires. However, when there are a plurality of revoker lists having the same creator ID, the revoker lists having the same creator ID may be discarded except for those with the latest issue date.

  In other words, when there are persons who issue multiple participation certificates in a group, each group member must maintain the number of revoker lists as many as that person, but with regard to the revocation list issued by the same administrator, Only keep the latest.

  Each group member rejects authentication when other group members are authenticated and the ID or public key described in the authentication partner's participation certificate is included in the revoker list held by the group member. I will do it.

  As described above, according to the communication system according to the first or second embodiment, even if the group manager's terminal is not present (even if the group manager's terminal is offline), the group manager It is possible to authenticate that the group participants who have been issued group participation certificates from each other are members of the group.

  In addition, even if a situation arises in which a user wants to be excluded from the group, the user must not be authenticated as a member of the group at least after the expiration date because the group participation certificate includes the expiration date. Is possible. Further, until the expiration date, the user can be excluded from the group authentication by referring to the revoked person list.

(Embodiment 2)
In the first embodiment, the example in which the group on the network is composed of two types of users, that is, an administrator and a general user has been described. However, in this embodiment, a person who has the authority of the group administrator A plurality of embodiments will be described.

  As described above, when the number of managers is increased in order to increase the opportunities for new group members to join, it is necessary to duplicate the group secret key, but by holding the group secret key to a plurality of users, The possibility of leakage increases.

  In this embodiment, this is improved. The members constituting the group are designated as a single group administrator (also simply referred to as “administrator”), and a group participation certificate issuance permit is held. There are three types of users: group issuers who have authority to issue (also simply referred to as “issuers”) and participants (also referred to as “group members”). Here, a participant who has issued a group participation certificate issuance permit is called a “group issuer”. Only the administrator can give authority to the issuer, and the group administrator and the group issuer can issue the group participation certificate to general users.

In this way, if the administrator provides a plurality of issuers, it is possible to increase the chances of newly joining the group without duplicating the group secret key.
In order to manage the groups as described above, the following processing is required.
(1) Formation of group (2) Notification of group (3) Addition of group issuer (4) Acquisition of group information (5) Acquisition of entry point information (6) Request for new membership to group (7) Between group members (8) Sharing information among group members (9) Updating group participation certificates (10) Updating group participation certificate issuance permits (11) Deleting group members (12) Updating group public keys

Hereinafter, each process will be described. However, the description of the same processing as that of the first embodiment will be omitted.
1. Formation of group Since this is the same as “1. Formation of group” in the first embodiment, description thereof is omitted.
2. Announcement of group Since this is the same as “2.
3. Add Group Issuer As described above, the group administrator on the network that forms the group issues a group participation certificate issuance permit to some of the participants, creates a group issuer, and adds members of the group Give authority. That is, a group issuer who has been issued a group participation certificate issuance permit can issue a group participation certificate to other users. Details of this processing will be described later.

4). Acquisition of group information Since this is the same as “3. Acquisition of group information” in the first embodiment, a description thereof will be omitted.
5. Acquisition of entry point information A user X who wishes to newly join a group needs to communicate with at least the group issuer via the terminal X. For this purpose, the entry point information of the group issuer needs to be specified. There is. For example, it is performed by one of the following methods.

(1) The terminal X uses the P2P network information search mechanism illustrated in FIG. 30 as described above to search using part or all of the group identification information as a key. In response to this, the group issuer notifies the terminal X of its entry point information.

(2) When the above-described peer information server is operated, the terminal X searches the peer information server using the group identification information or the like as a key, and the entry point information of the group issuer based on the search result Get

(3) When the group issuer is known to the terminal X and it is also known that the group issuer is always online and the entry point information does not change, the entry point information is used.

6). Request to join a group User X who wants to join a group communicates with the group issuer using the entry point information specified as described above and issues a group participation certificate via the terminal X. Request. Details of this processing will be described later.

7). Authentication between group members It is possible to authenticate that group members having a group participation certificate obtained by the above-mentioned “6. Request to join a group” belong to the same group. Details of this processing will be described later.

8). Information Sharing Between Group Members Since this is the same as “7. Information Sharing Between Group Members” in Embodiment 1, it is omitted here.

9. Renewal of group participation certificate When the expiration date information is included in the group participation certificate issued in “6. Request for new membership to group”, participation in the group (between group members) after the expiration date. Authentication) becomes impossible, and the participant needs to update the group participation certificate via the terminal. Details of this processing will be described later.

10. Renewal of group participation certificate issuance When the expiration date information is included in the group participation certificate issuance permit issued in “3. Addition of group issuer”, the group participation certificate is issued after the expiration date. Therefore, the issuer needs to renew the group participation certificate issuance permit via the terminal. Details of this processing will be described later.

11. Deletion of Group Member Similar to the first embodiment, there may be a case where a specific member has left before the expiration date of the group participation certificate or a specific participant is desired to be excluded from the group member for some reason. In this case, the method for deleting / invalidating the group participation certificate of the participant is that “group administrator” or “group issuer” is changed from “group administrator” in “9. Since this is the same as the case of replacing with, detailed description is omitted.

  Note that, as in the first embodiment, it is possible to create and share invalid person information. For example, the following processing is executed.

(11-1) Creation of revoked person information The administrator's terminal, in response to an instruction from the administrator, specifies information (for example, the group administrator and the group issuer) that is one of the excluded group members. Create revoker information including member's public key.

(11-2) Sharing of revocation list When the above-mentioned “7. Authentication between group members” is performed, the administrator or issuer terminal lists and authenticates the list of revocation information held by the terminal owned by the participant. Compare with the list of revoked information held by the other party, and if there is revoked information that is not included in one list, add the revoked person list to the list of the revoked person information. Is matched for all group members.

(11-3) Exclusion of revoker When the administrator or issuer terminal performs the above-mentioned “7. Authentication between group members”, the information specifying the authentication partner is included in the list of revoked person information held by the administrator or issuer. If it is included, authentication as a group member with the other party is rejected. For example, when a user's public key is used as revoker information, if the authentication partner's public key matches any of the revoker information included in the list, authentication with the other party is rejected.

(11-4) Refusal of renewal of participation qualification of revoked person The administrator or the issuer's terminal determines that the participant who requested the renewal of the participation certificate at the time of “9. Check whether it is included in the list of information, and if there is a match, refuse to update the participation certificate.
It is to be noted that, in the same manner as in the first embodiment, it is possible to delete the revoked person information that has exceeded the non-erasable period by including the non-erasable period in the revoked person information.

  Further, as in the first embodiment, the revoker information may be created only by the group issuer, and the group issuer may share the encrypted information using his / her private key. The group member obtains the revoker information by using the public key of the group issuer included in the participation certificate issuance certificate by simultaneously obtaining the revoker information and the participation certificate issuance permit of the group issuer who issued it. Decryption is possible, and it is possible to confirm that this revoked person information has not been tampered with. As a result, it is possible to prevent unauthorized revoker information created by a malicious user from being shared.

  Next, a method for deleting a group member using the revoker information will be described in detail. Here, as a specific example of the revoked person information, a “revoked person list” in which information of members deleted from the group is listed is used.

  FIG. 8 is a format example of a revoker list created by the group issuer. The following data is stored in each field in the revoker list.

(1) Revocation list ID
Represents an identifier for uniquely specifying the revocation list.
(2) Effective date Indicates the date and time when the revocation list was created.
(3) Expiration date Indicates the expiration date for which the revocation list must be maintained.
(4) Creator ID
Represents an identifier for uniquely identifying the issuer who created the revocation list. For example, the issuer's public key is used as the ID.
When there are a plurality of issuers in the group, this field is referenced to identify which issuer has issued a revocation list.
(5) Revoker List This represents a list of participant IDs deleted from the group.
(6) Revoker ID
An identifier for uniquely identifying a participant deleted from the group. The public key of the participant to be deleted is used as the ID. This ID is included in the group participation certificate described above.
(7) Participation certificate issuance permit This is a participation certificate issuance permit held by the terminal of the issuer who created the revocation list.
(8) Signature

Represents the signature by the private key of the issuer who created the revocation list. Ensure that only the issuer can create a revocation list.
Since the method for distributing the revocation list created by the issuer is the same as the method for distributing the revocation list created by the administrator, the details are omitted.
The method of synchronizing the revoked person list between the terminals X and Y of the two participants X and Y is the same as in the case of the first embodiment, and the description thereof is omitted here.

  In this method, since the revoked person list is acquired from a person other than the administrator or the issuer, it is necessary to verify whether or not the acquired revoker list is valid.

The validity of the revoker list created by the issuer can be confirmed by executing the following two means.
1. 1. Verification of participation certificate issuance permit in the revoker list by group public key Confirm signature of revocation list by the public key of the issuer included in the participation certificate issuance permit in the revocation list.

In “1.” above, it is confirmed that the creator of the revoker list is a valid issuer. In “2.” above, the revoker list itself is created by the valid issuer itself. Confirm.
The revoked person list whose validity has been confirmed is held in each member's terminal until the expiration date expires. However, when there are a plurality of revoker lists having the same generator ID, the revoker list having the same generator ID may be discarded except for the latest issue date.

  In other words, if there are multiple issuers in a group, each group member must maintain the number of revoker lists for that number of members, but the list of revokers issued by the same issuer is the latest. Only hold.

12 Updating the group public key If the group secret key KG_S is leaked to a user other than the group administrator due to some accident, the user who obtained this group secret key can issue a group participation certificate issuance permit As a result, it becomes possible to illegally issue a group participation certificate. At this time, the group member cannot determine whether it is a participation certificate issued by an unauthorized group participation certificate issuance permit or a regular participation certificate. In such a case, there is no way to prevent the issuance of unauthorized participation certificates other than updating the group public / private key pair. On the other hand, even if the group administrator updates the group public key / private key from (KG_P · KG_S) to (KG_P ′ · KG_S ′), the conventional group public key KG_P and the group participation certificate created based thereon are retained. Since the above-mentioned “6. Authentication between group members” remains possible, the group members need to keep the latest group public key at the same time and support the latest group public key. It is necessary to obtain a group participation certificate. In addition to this, the issuer needs to obtain a group participation certificate issuance permit corresponding to the latest group public key.

The latest group public key can be held by one of the following methods, as in the first embodiment.
(1) When the group administrator updates the group public key / private key, a new group public key is sent to all the network participants via the P2P network illustrated in FIG. The corresponding group member replaces the group public key held by the new group public key.

(2) Information related to the update time of the group public key is included in the group information notified in the above “2. Notification of group”, and each group member can update the update time of the group public key in addition to the group public key. Also keep information about. In the case of “6. Authentication between group members”, the group public key held by both parties is compared with the update time, and the old group public key is replaced with the new group public key.

(3) When operating the group information index server in (4) of “2. Notice of group” above, information on the update time of the group public key is included in the group information as in (1). A group member accesses the group information index server and obtains the latest group public key of the group at a certain time when it comes online or at a timing just before performing group authentication.

  In order to obtain a group participation certificate issuance permit corresponding to the latest group public key, a reissue request for the group participation certificate issuance may be executed when the update of the group public key is detected. Further, in order to obtain a group participation certificate corresponding to the latest group public key, a reissue request for the participation certificate may be executed when the update of the group public key is detected.

Next, the operation of the communication system 200 (not shown) configured as described above will be described. FIG. 9 is a flowchart showing the process flow of “3. Add group issuer”. FIG. 9 shows the contents of each processing executed on the terminal A of the group manager A and the terminal B of the issuer candidate B. Here, a user selected by the group manager as a candidate for the originating group issuer is referred to as an “issuer candidate”.
FIG. 10 shows information held in the terminal B after the process of FIG. 9 is completed.

  In advance, the terminal A of the group manager A creates a group public key KG_P / private key KG_S pair according to an instruction from the group manager A, and the group public key KG_P is made public (S501).

  Similarly, terminal B of issuer candidate B creates a public key KB_P / private key KB_S pair in accordance with instructions from issuer candidate B (S502). This may be generated based on information (passphrase) designated by the terminal B, or may be generated based on a program or a function included in the terminal B (for example, generated based on a random number).

  The terminal A selects the user terminal B as a group issuer to be added according to an instruction from the administrator A, and specifies entry point information of the terminal B (S503). For example, the following method is used.

(1) The terminal A searches for users participating in the group using the information search mechanism of the P2P network shown in FIG. The user who responds to this search returns information identifying himself / herself and his / her entry point information to terminal A via the terminal. Thereby, the terminal A selects the user B judged to be appropriate from the received information.

(2) Furthermore, the terminal A notifies the issuer candidate B's terminal B that it has been determined as a group issuer candidate by some means including means other than the P2P network such as e-mail. When the terminal B accepts the request relating to this group issuer, it returns its entry point information to the terminal A.

  Next, the terminal A requests the terminal B to transmit the issuer candidate B's public key (S504). Thereby, the terminal B transmits the public key KB_P of the issuer candidate B to the terminal A (S505).

  Further, the terminal A creates a group participation certificate issuance permit I_B = e (KB_P + T_B, KG_S) by encrypting the public key KB_P of the issuer candidate B with the expiration date information T_B attached thereto with the group private key. It transmits to the terminal B (S506).

Terminal B receives group participation certificate issuance permit I_B from terminal A (S507).
Through the above processing, terminal B can issue a group participation certificate to other users. FIG. 10 shows information (ie, three types of key information and a participation certificate issuance permit) held in the terminal B when the above processing is completed.

  In this embodiment, as shown in FIG. 9, terminal A makes a request for the above group issuer to terminal B (S503). Conversely, from terminal B to terminal A, It may be requested to grant the authority of the group issuer, and the process may proceed in such a manner that terminal A approves it.

  Next, the above “6. Request for new subscription to group” process will be described in detail with reference to FIG. FIG. 11 is a flowchart showing the flow of each process executed at the terminal of the subscription requester X requesting a new subscription to the group and the terminal B of the group issuer B. FIG. 12 shows the information held by the terminal X at the time when the new membership request processing for the group is completed. Terminal B is assumed to hold the information shown in FIG.

  First, the terminal X obtains the public key KG_P of the group desired to participate (see “4. Acquisition of group information”) and specifies the terminal B of the group issuer B (S701) (see “ (See 5. Obtaining Entry Point Information).

  Next, the terminal X creates an arbitrary character string S according to an instruction from the subscription requester X and transmits it to the terminal B to request a new subscription to the group (S702). This character string S may be the character string itself input by the subscription requester X, or a character string generated based on the function of the program or the terminal X (for example, a character string generated based on a random number). There may be.

The terminal B transmits the character string S ′ = e (S, KB_S) obtained by encrypting the character string S with the secret key KB_S of the issuer B and the group participation certificate issuance permit I_B to the terminal X (S703).
Thereby, the terminal X decrypts the participation certificate issuance permit I_B with the group public key KG_P, and obtains the public key KB_P of the issuer B and the expiration date T_B (S704).

  Furthermore, the terminal X confirms whether or not the participation certificate issuance permit I_B is normally decrypted with the group public key KG_P and the expiration date T_X is valid. If decryption is not successful or the expiration date has passed, the participation certificate issuance permit I_B held by the terminal B is encrypted with the group secret key KG_S of the group administrator, that is, the terminal Since it is not possible to confirm that B is the terminal of the group issuer B, this processing is terminated without newly joining the group for the requester X.

Next, the terminal X decrypts the encrypted character string S ′ with the public key KB_P of the requester B (S706).
Further, the terminal X confirms whether or not the character string S ′ is normally decrypted with the group public key KB_P and the result is equal to the original character string S (S707). As a result, the character string S ′ is encrypted with the secret key KB_S corresponding to the public key KB_P of the issuer B, that is, the terminal of the group manager B that the terminal B surely holds the secret key KB_S. It can be confirmed that there is. If the decryption fails or the decryption result is not equal to the character string S (S707: No), it cannot be confirmed that the terminal B is the terminal of the group issuer B. This process is terminated without joining.

On the other hand, when the decryption is successful and the decryption result is equal to the character string S (S707: Yes), the terminal X transmits the public key KX_P of the subscription requester X to the terminal B (S708).
Then, the terminal B creates a group participation certificate C_X of the subscription requester X and sends it to the terminal X (S709). This participation certificate is created by encrypting the public key KX_P of the requester X with an expiration date T_X indicating the date and time when the effect of the participation certificate disappears (KX_P + T_X) with the secret key KB_S of the issuer B And
C_X = e (KX_P + T_X, KB_S)
It can be expressed. As a method of attaching the expiration date T_X to the public key KX_P of the requester X, any method may be used as long as it cannot be separated before decryption and can be separated by decryption. For example, a combination of the public key KX_P and the expiration date T_X represented as character strings via a predetermined symbol character (for example, a hyphen “-”) may be considered.

  Finally, the terminal X receives the group participation certificate C_X from the terminal B, and the new joining process for the subscription requester X to the group is completed (S710). FIG. 12 shows information held by the terminal X when the new membership to the group is completed.

  In the present embodiment, the public key KX_P of the subscription requester X is transmitted to the terminal B (S708). However, even when a previous participation certificate issuance request is made (S702), it is transmitted. Good.

  Similarly to the request for new subscription to the group in the first embodiment, the requester X also transmits information that can identify itself to the terminal B (S105 in FIG. 4). Whether or not the subscription requester X is to be subscribed is determined based on the identifiable information. If the subscription requester X is not to be subscribed, the processing may be terminated without joining the subscription requester X.

  Next, the “7. Authentication between group members” process will be described in detail with reference to FIG. FIG. 14 is a flowchart showing the flow of each process executed by the terminal X of the two group participants X and the terminal Y of the group participant Y who have already obtained the group participation certificate. Note that terminal X and terminal Y hold the information shown in FIGS. 12 and 13, respectively.

Note that the description of the same processing as in FIG. 6 in the first embodiment will be omitted.
When the terminal X receives the character string S from the terminal Y, the terminal X creates a character string S ′ = e (S, KX_S) obtained by encrypting the character string S with the secret key KX_S of the participant X, and S ′, the group issuer The group participation certificate issuance certificate I_B and the group participation certificate C_X received from the terminal Y are transmitted to the terminal Y (S1003).

  Thereby, the terminal Y decrypts the group participation certificate issuance certificate I_B with the group public key KG_P, and obtains the group issuer's public key KB_P and the expiration date T_B of the group participation certificate issuance certificate (S1004).

  Furthermore, the terminal Y confirms whether or not the decoding is successful and whether or not the obtained expiration date T_B is valid (S1005). If decryption fails, it means that the group participation certificate issuance permit is not correctly encrypted with the group secret key KG_S, and if the expiration date has passed, the group participation certificate issuance permit is invalid. Therefore, in any case (S1005: No), the terminal X is regarded as not belonging to the group, and this process is terminated.

  When the decryption is successful and the expiration date has not passed, the terminal Y decrypts the group participation certificate C_X of the terminal X with the group issuer's public key KB_P, and the participant X's public key KX_P and the participant X's An expiration date T_X of the group participation certificate is obtained (S1006). Then, the terminal Y confirms whether or not the decoding is successful and whether or not the obtained expiration date T_X is exceeded (S1007). If decryption fails, it means that the group participation certificate is not encrypted with the group issuer's private key KB_S, and if the expiration date has passed, it means that the group participation certificate is invalid. Therefore, in any case (S1007: No), it is considered that the participant X does not belong to the group, and this process is terminated.

  Next, the terminal Y decrypts the encrypted character string S ′ with the public key KX_P of the participant X (S1008). Furthermore, the terminal Y checks whether or not the character string S ′ has been successfully decoded and whether or not the decoding result matches S (S1009). If the decryption fails or the decryption result does not match S (S1009: No), the terminal Y means that the participant X does not have the secret key KX_S corresponding to the public key KX_P. Considers that there is a possibility of impersonation by a third party, and ends this processing.

Through the above processing, if the terminal Y confirms all of the following, it authenticates the terminal X as a group participant (S1010).
(1) The group participation certificate has not expired.
(2) X holds a secret key KX_S corresponding to the public key KX_P encrypted in the group participation certificate.
(3) The group issuer certificate issued by the group issuer who has issued the group participation certificate has not expired.
(4) The group issuer who has issued the group participation certificate holds the secret key KB_S corresponding to the public key KB_P encrypted in the group participation certificate issuance certificate.
(5) The group participation certificate issuance certificate is encrypted with the group secret key KG_S by the group administrator.

  Furthermore, the terminal X and the terminal Y execute the above processes (S1001 to S1010) by switching their positions. If this process is successful, terminal X recognizes terminal Y as a group participant, and mutual recognition is completed.

  Next, the “9. Update of group participation certificate” process will be described in detail with reference to FIG. FIG. 15 is a flowchart showing the flow of processing executed by the terminal X of the participation certificate renewal requester X who requests the renewal of the group participation certificate and the terminal B of the group issuer B. FIG. 16 illustrates information held by the terminal X at the time when the group participation certificate update process is completed. Further, it is assumed that the terminal X holds information shown in FIG. 12 in advance, and the terminal B holds information shown in FIG.

  In the following description, description of processing similar to that in FIG. 11 is omitted.

  First, the terminal X specifies the terminal B of the group issuer B (S1101) (see “5. Acquisition of entry point information”). Here, although issuer B is specified as the group issuer, the subsequent processing is established for any group issuer of the same group.

Next, as in the case of FIG. 11, the terminal X creates an arbitrary character string S according to the instruction from the participant certificate update requester X and transmits it to the terminal B to request an update of the participation certificate (S1102). ).
Upon receiving the public key KX_P of the participation certificate update requester X from the terminal X (S1108), the terminal B creates a new group participation certificate for the participation certificate update requester X and sends it to the terminal X (S1109). That is, C_X ′ = e (KX_P + T_X ′, KB_S), which is created by encrypting the public key KX_P of the participation certificate renewal requester X attached with the new expiration date T_X ′ with the secret key KB_S of the terminal B, is a new group. It becomes a participation certificate.

  Thereby, the terminal X receives the updated group participation certificate C_X ′, and the update process of the group participation certificate is completed (S1110). FIG. 16 shows information held by the terminal X when the group participation certificate update process is completed.

  Next, the “10. Update of group participation certificate issuance permit” process will be described in detail with reference to FIG. FIG. 17 is a flowchart showing the flow of each process executed on the terminal B of the group issuer B and the terminal A of the group manager A who requests updating of the group participation certificate issuance permit. FIG. 18 shows information held by the terminal B when the update of the group participation certificate issuance permit is completed.

  First, the terminal B of the group issuer B specifies the group manager A (S1301). This specification is performed by the same method as “4. Acquisition of entry point information” in the first embodiment.

Next, similarly to the above, the terminal B creates an arbitrary character string S and sends it to the terminal A to request an update of the participation certificate issuance permit (S1302).
Thereby, the terminal A encrypts the character string S with the group secret key KG_S to create a character string S ′ = e (S, KG_S), and transmits it to the terminal B (S1303).
Then, the terminal B decrypts the encrypted character string S ′ with the group public key KG_P (S1304). Furthermore, the terminal B confirms that the character string S ′ is normally decrypted with the group public key KG_P and the result is equal to the original character string S. Thereby, it can be confirmed that the character string S ′ is encrypted by the secret key KG_S corresponding to the group public key KG_P, that is, the administrator A is indeed the group administrator who holds the group secret key KG_S. If the decryption fails or the decryption result is not equal to the character string S (S1305: No), since it is not possible to confirm that the administrator A is a group administrator, the terminal B updates the group participation certificate issuance permit. This process is terminated.

If the decryption is successful and the decryption result is equal to the character string S (S1305: Yes), the terminal B transmits the group participation certificate issuance permit I_B of the issuer B to the terminal A (S1306).
Then, the terminal A decrypts the group participation certificate issuance permit I_B with the group public key KG_P and obtains the public key KB_P of the issuer B (S1307).

  Further, the terminal A confirms whether or not the decryption of the group participation certificate issuance permit I_B is successful. If the decryption is successful (S1308: Yes), the group participation certificate issuance permit held by the terminal B is encrypted with the group secret key KG_S, that is, the terminal B is a valid group issuer's terminal It can be confirmed that If the decryption fails (S1308: No), since it is not possible to confirm that the terminal B is a valid group issuer's terminal, this process ends without updating the group B certificate of terminal B's group participation certificate.

  Subsequently, the terminal A encrypts the public key KB_P of the issuer B together with the new expiration date T_B ′ with the group secret key KG_S and updates the group participation certificate issuance permit I_B ′ = e (KB_P + T_B ′, KG_S). It is created and transmitted to terminal B (S1309).

  The terminal B receives the updated group participation certificate issuance permit I_B ′ from the terminal A (S1310). FIG. 18 shows information held by the terminal B at the time when the above update process of the group participation certificate issuance permit is completed.

  Similar to the revoked person information in the above-mentioned “11. Group member deletion” process, for the group issuer, the revoker information is created, shared and deleted, and the participation certificate issuance permission is refused to be updated. It is also possible to control the group issuer's authority to issue participation certificates.

  As a unique effect of the second embodiment, a group issuer who can issue a group participation certificate is provided only by the group administrator as necessary, so that the user can reproduce the highly confidential group secret key without duplication. It is possible to increase the opportunities for new members to join.

  In Embodiments 1 and 2, the group participation certificate, the group participation certificate issuance permit, or the revoker list is encrypted with the group administrator or the group issuer's private key. The contents are a public key and expiration date information that are made public, and are not necessarily concealed contents. Therefore, the signature may be made with the secret key instead of encryption. Also by performing this signature, since the participant who has received the group participation certificate or the like can detect falsification or unauthorized issuance of the contents, the effect of the present invention is not affected.

  In the first and second embodiments, the expiration date attached to the participation certificate is an example indicating the date and time when the effect of the participation certificate disappears. Alternatively, the difference between the date and time when the participation certificate is confirmed and the issue date and time are calculated, and it may be determined that the expiration date is within a predetermined period (for example, one month).

  In addition, the current date and time used to determine the expiration date are usually obtained from the clock of the terminal, but if the clocks of both participants performing group authentication are significantly different, group authentication may not be performed correctly. Therefore, it is not desirable to perform the group authentication process in a state where both clocks are greatly shifted. For this reason, the clocks of each other are compared before performing group authentication, and if it deviates more than a predetermined standard, a warning is issued from the participant who detected this deviation to the other participant. It is conceivable to deal with this by a method that does not perform the above, a method that forcibly matches one of the clocks with the other clock, or a method that takes the average value of both clocks and adjusts both of them. .

  Further, except for the “7. Authentication between group members” process of the first embodiment and the “8. Information sharing between group members” of the second embodiment, there is no mention of encryption of the communication path. However, as with other processes, the information transfer encryption process may be performed. Even if a group participation certificate or group participation certificate issuance permit exchanged between group members is obtained by a third party, it cannot be used improperly as long as the member or group issuer's private key is not obtained. This encryption process is not essential because it cannot be performed, but it is possible to introduce communication path encryption in order to further enhance security.

  Furthermore, it goes without saying that the same user can be an administrator of a plurality of groups by creating and holding a plurality of group public / private key pairs. Similarly, by holding a participation certificate or a participation certificate issuance permit for a plurality of groups, the same user can be a member or an issuer of each of the plurality of groups. It is also possible to belong as a member having different authority, that is, an administrator, an issuer, or a general participant.

(Embodiment 3)
In the present embodiment, an example of performing a search for finding the above group on the P2P network will be described. In this case, in order to access the members of the group, the following processing is premised or necessary.
(1) Formation of group (2) Notification of group (3) Acquisition of group information (4) Acquisition of entry point information (5) Request for new membership to group (6) Authentication between group members (7) Between group members (8) Update group participation certificate (9) Delete group members (10) Add group manager (11) Update group public key

Since these processes are the same as those in the first embodiment, description thereof is omitted.
As in (2) of “3. Acquisition of group information” in the first embodiment or “4. Acquisition of entry point information” (1), a user who searches for group information is connected via the terminal. When searching for group information or entry point information using the information search mechanism of the P2P network, the latest group public key is notified as a response from other members of the group. Further, the searcher adds “request for notification of group public key” to the message at the time of search. A member of the group stores the history of the group public key, and when the above message is received, when the group public key included in the message is included in the history of the group public key, Send the latest group public key. Details of the method of notifying the latest group public key for the entry point information search will be described later.

  Next, the process of acquiring group information using the P2P network information search mechanism described in “3. Acquisition of Group Information” will be described in detail with reference to FIG. FIG. 21 is a flowchart showing the flow of each process executed on the terminal X of the searcher X and the terminal A of the group manager A who search for a group. Note that FIG. 22 illustrates information held by the terminal X at the time when the above group information acquisition processing is completed.

In advance, the terminal A generates a group public key KG_P / private key KG_S pair and group information IG according to an instruction from the group manager A (S2101). The group public key KG_P and the group information IG may be disclosed. (Refer to “1. Formation of group” and “2. Notification of group”).
The terminal X creates a condition CG for a group to be searched according to an instruction from the searcher X (S2102). The search condition in this case may be a group category or the like, but is not particularly limited. Further, the description format of the search condition is not particularly limited.

  The terminal X generates and transmits a group search message MG_Q including the created group condition CG (S2103). The group search message MG_Q can be transmitted by, for example, broadcast, multicast, message propagation through a P2P network, or the like, but the transmission method is not particularly limited.

  Thereby, the terminal A receives the group search message MG_Q, compares the group condition CG included in the MG_Q with the group information IG of the group stored in the terminal A, and whether these conditions are met. It is determined whether or not (S2104). This determination may be made automatically by a program or the like. When the group condition CG and the group information IG do not match (S2104: No), the terminal A discards MG_Q and ends the process, or transmits MG_Q to another user and ends the process.

If the group condition CG matches the group information IG (S2104: Yes), the terminal A creates a group information response message MG_A from the group information IG including the group public key KG_P, and uses the group secret key KG_S. MG_A is signed, and then transmitted to terminal X (S2105).
Upon receiving the group information response message MG_A from the terminal A, the terminal X acquires the group public key KG_P included in the MG_A (S2106).

Further, the terminal X confirms the validity of the signature of MG_A using the group public key KG_P (S2107). If the validity of the signature is not confirmed (S2107: No), since MG_A may be falsified by a third party, terminal X discards MG_A and ends the process.
When the validity of the signature is confirmed (S2107: Yes), the terminal X obtains the group information IG from the group information response message MG_A (S2108).

After that, the terminal X compares the group information IG with the group condition CG, and determines whether or not they match (S2109).
If it is determined that they do not match (S2109: No), the terminal X discards the group information response message MG_A and ends the process.

  On the other hand, if it is determined that they match (S2109: Yes), the terminal X stores the group information IG and the group public key KG_P included in the group information response message MG_A received from the terminal A. Note that an embodiment in which the administrator does not necessarily generate a message but another user caches a response message previously generated by the administrator and uses it for the response is also conceivable.

  By using the above method, the searcher X can confirm that the group information obtained as a response is created by the manager of the group having the group public key KG_P.

  In other words, by using a group public key as an identifier for uniquely identifying a group and adding a signature with the group secret key to the group information, information other than the group administrator can be prevented from being spoofed. be able to.

In addition, even if the administrator of another group G2 uses the group public key of the group G1 as its own group identifier, it is actually the case that the secret key is calculated from the public key having a sufficient length at present. Since it is difficult, even the group secret key of G1 cannot be spoofed.
By this method, it is possible to solve the problems of group information misrepresentation and group uniqueness confirmation.

  However, when the group public key is updated occasionally to ensure security, a single group public key cannot be used as an identifier for confirming the uniqueness of the group. In this case, as described later, it is necessary to ensure the uniqueness of the group using the history of the public key of the group.

  Next, the process of acquiring the entry point information of the group using the information search mechanism of the P2P network described in “4. Acquisition of entry point information” will be described in detail with reference to FIG. FIG. 23 is a flowchart showing the flow of each process executed by the terminal X of the searcher X and the terminal Y of the group participant Y. FIG. 24 shows information held by the terminal X at the time when the entry point information acquisition process is completed.

  In response to an instruction from the searcher X, the terminal X generates an entry point search message ME_Q including the group public key KG_P of the group for which entry point information is desired to be transmitted (S2301). Various transmission methods such as broadcast, multicast, unicast, and message propagation through a P2P network can be considered, but the transmission method is not limited to a specific transmission method.

The terminal Y of the participant Y who has received ME_Q obtains KG_P included in ME_Q and compares it with the public key KG_P ′ of the group in which Y participates (S2302).
If the two public keys do not match (S2303: No), the terminal Y discards ME_Q and ends the process, or transmits ME_Q to another user and ends the process.
If the two public keys match (S2303: Yes), the terminal Y sends an entry point search response message ME_A including the held group participation certificate C_Y and its own entry point information EY according to the instruction from the participant Y. create. Furthermore, the terminal Y signs the ME_A with the participant Y's private key KY_S, and transmits the signed ME_A to the terminal X (S2304).

Thereby, the terminal X acquires C_Y from the received ME_A (S2305). Furthermore, the terminal X confirms the validity of C_Y using the group public key KG_P (S2306). For confirmation,
(1) Can KG_P successfully decrypt or check signature?
(2) Has the expiration date expired?
The validity of C_Y is confirmed by these two points (S2307). If the validity of C_Y cannot be confirmed (S2306: No), terminal X discards ME_A and ends the process.

The terminal X acquires the public key KY_P of the participant Y from C_Y, and further confirms the validity of the signature of ME_A using KY_P (S2307).
When the validity of the signature of ME_A cannot be confirmed (S2308: No), terminal X considers that ME_A may have been tampered with by a third party, discards ME_A, and ends the process.

  When the validity of the signature of ME_A is confirmed (S2308: Yes), terminal X authenticates terminal Y as a member of the group specified by KG_P, and stores EY as the entry point of the group (S2309). .

  As in the above method, by using the group public key as information that uniquely identifies the group and including information that proves that it is a member of the group specified by the group public key in the response, It is possible to prevent a user from spoofing entry point information.

  Next, the group public key update method described in “11. Update of Group Public Key” (4) will be described in detail with reference to FIG. FIG. 25 is a flowchart showing the flow of each process executed by the terminal X of the entry point searcher X and the terminal Y of the participant Y of the group corresponding to the group public key. FIG. 26 shows information held by the terminal X at the end of the group public key update process.

  The terminal X of the searcher X generates an entry point search message ME_Q including the group public key KG_P of the group for which entry point information is desired according to the searcher X instruction, and transmits it to the network (S2501). As a transmission method at this time, broadcast, multicast, unicast, message propagation by a P2P network, or the like is used, but the transmission method is not limited to a specific transmission method here.

Then, the terminal Y which received ME_Q acquires KG_P contained in ME_Q. Furthermore, the terminal Y compares the public keys KG_P ′ and KG_P of the group in which it participates. (S2502).
If the two public keys do not match (S2503: No), the terminal Y determines whether KG_P is included in the group public key history HG of the group to which the participant Y belongs (S2504).
When KG_P is not included in HG (S2505: No), terminal Y discards ME_Q and ends the process, or transmits ME_Q to another user and ends the process.

  It is assumed that the terminal Y possesses a group public key change message MC_K corresponding to the history together with the group public key history HG in advance. Further, when the group public key is changed from KG_P (I) to KG_P (I + 1), a group public key change message MC_K (I) is notified to all group members. MC_K (I) includes KG_P (I + 1), the signature is confirmed with KG_P (I) and KG_P (I + 1), and the previous group private key and the latest group private key are owned. Can be confirmed.

When KG_P is the I-th key of the group and KG_P ′ is the I + J-th key of the group, the terminal Y transmits the group public key including J group public key change messages from MC_K (I + 1) to MC_K (I + J). A notification message MU_K is created and transmitted to the terminal X (S2506).
Thereby, the terminal X receives MU_K, sets K = 1, and performs subsequent processing (S2507).

The terminal X acquires MC_K (I + K) from the received MU_K (S2508). Further, the terminal X checks the validity of the signature of MC_K (I + K) using KG_P (I + K-1) (S2509).
If the validity of the signature is not confirmed (S2510: No), MU_K is discarded and the process is terminated.
If the validity of the signature is confirmed (S2510: Yes), the terminal X acquires KG_P (I + K) from MC_K (I + K) (S2511).

  Furthermore, the terminal X determines whether K and J are equal (S2512). If K is not equal to J (S2512: No), K = K + 1 is set (S2513), and the above processing is continued (S2508 to S2512).

On the other hand, when K is equal to J (S2512: Yes), the terminal X replaces KG_P ′ = KG_P (I + J) with KG_P as the latest group public key (S2514).
By determining the uniqueness of a group based on the history of the group public key as in the above method, even information that is updated like a group public key can be used as a group identifier.

In addition, by using the above method, even a user who owns only the old group public key can be notified of the latest group public key. Can be confirmed by the previous group public key.
As described above, setting a unique group public key for a group can solve the problem of checking the uniqueness of the group and the problem of misrepresentation of information for the group.

(Embodiment 4)
In the third embodiment, the members constituting the group are only the administrator and the general participants. However, as described in the first embodiment, in order to increase the opportunities for new members to join the group. It is necessary to increase the number of persons who have administrator authority, that is, increase the number of persons who can issue a group participation certificate (for this reason, the group private key is duplicated). By being held, there is an adverse effect that the possibility of leakage increases.

  Therefore, in the present embodiment, the members constituting the group are classified into a single administrator, an issuer who holds a group participation certificate issuance permit and has the authority to issue a group participation certificate, and a general participant. I will do it. Only the administrator can give the authority to the issuer, and the administrator and the issuer can issue the group participation certificate to general participants. In this way, by providing a plurality of issuers by the administrator, it becomes possible to increase the opportunities for new group members to join without duplicating the group secret key.

In order to manage groups as described above, the following processing is required.
(1) Formation of group (2) Notification of group (3) Addition of group issuer (4) Acquisition of group information (5) Acquisition of entry point information (6) Request for new membership to group (7) Between group members (8) Information sharing among group members (9) Updating group participation certificate (10) Updating group participation certificate issuance permit (11) Deleting group members (12) Updating group public key Is the same as the processing in the first or second embodiment, and the description thereof is omitted.

    Next, group information acquisition processing using the P2P network information search mechanism described in “4. Acquisition of Group Information” will be described in detail with reference to FIG. FIG. 27 is a flowchart showing the flow of each process executed by the terminal X of the searcher X and the terminal B of the group issuer B that perform a group search. Note that the information held by the terminal X at the time when the group information acquisition process is completed is the same as that in FIG.

The terminal B obtains group information IG including the group participation certificate issuance permit I_B and the group public key KG_P from the group manager according to the instruction from the issuer B (S2701).
The terminal X creates a condition CG for a group to be searched according to an instruction from the searcher X (S2702). The condition specified at this time may be a group category or the like, but is not particularly defined. The format of the condition description is not particularly limited.

The terminal X generates a group search message MG_Q including the created CG and transmits it to the network (S2703). The transmission method at this time is transmitted using broadcast, multicast, message propagation through a P2P network, or the like, but is not limited to a specific transmission method.
The terminal B receives the group search message MG_Q, compares the CG included in the MG_Q with the group information IG of the group to which the issuer B belongs, and determines whether the group managed by the terminal B meets the condition specified by the CG. Is determined (S2704). This determination may be made automatically by a program or the like. If CG and IG do not match (S2704: No), terminal B discards MG_Q and ends the process, or transmits MG_Q to another user and ends the process.

  The terminal B creates a group information response message MG_A including the IG including the group public key KG_P and the group participation certificate issuance permit I_B of the issuer B. Thereafter, MG_A is signed using issuer B's private key KB_S, and then sent to terminal X (S2705).

Upon receiving the group information response message MG_A from terminal B, terminal X obtains KG_P and I_B included in MG_A (S2706).
The terminal X confirms the validity of I_B using KG_P (S2707). For this confirmation, using KG_P, (1) I_B is successfully decrypted, or the signature of I_B can be confirmed.
(2) I_B has not expired.
The validity of I_B can be confirmed by confirming these two points. When the validity of I_B is not confirmed, since MG_A may be generated by a person other than the authorized issuer, X discards MG_A and ends the process.

Terminal X obtains B's public key KB_P from I_B, and further checks the validity of the signature of MG_A using KB_P (S2708). When the validity of the signature is not confirmed (S2709: No), since the MG_A may be falsified by a third party, the terminal discards the MG_A and ends the process.
The terminal X stores the IG included in MG_A received from the terminal A (S710).

By using the above method, it is possible to prevent falsification of the group information by anyone other than the group issuer and the group manager.
In addition, as described in the example of group information acquisition in the first embodiment, the group public key can be used as information for uniquely identifying a group. It should be noted that an embodiment in which the administrator does not necessarily generate a message but another user caches a response message previously generated by the administrator and uses it for the response is also conceivable.

  Next, the entry point information acquisition process using the P2P network information search mechanism described in “5. Acquisition of entry point information” will be described in detail with reference to FIG. FIG. 28 is a flowchart showing the flow of each process executed by the terminal X of the searcher X and the terminal Y of the participant Y of the group. In FIG. 28, it is assumed that the group participation certificate for participant Y is issued by group issuer B. FIG. 29 shows information held by the terminal X at the time when the entry point information acquisition process is completed.

  In response to an instruction from the searcher X, the terminal X generates an entry point search message ME_Q including the group public key KG_P of the group for which entry point information is desired to be transmitted and transmits it to the network (S2801). The transmission method at this time is transmitted by broadcast, multicast, unicast, message propagation through a P2P network, or the like, but is not limited to a specific transmission method here.

The terminal Y that has received ME_Q obtains KG_P included in ME_Q (S2802).
The terminal Y compares the public keys KG_P ′ and KG_P of the group in which the participant Y is participating (S2803). If the two public keys do not match (S2803: No), the terminal Y discards ME_Q and ends the process, or transmits ME_Q to another user and ends the process.

  In response to an instruction from the participant Y, the terminal Y sends an entry point search response including a group participation certificate C_Y of the participant Y, a group participation certificate issuance permit I_B of the group issuer B that issued the C_Y, and entry point information EY of Y. Create a message ME_A. Furthermore, terminal Y signs ME_A with participant Y's private key KY_S, and sends the signed ME_A to terminal X (S2804).

Then, the terminal X acquires I_B from the received ME_A, and verifies the validity of I_B using KG_P (S2805).
When the validity of I_B cannot be confirmed (S2806: No), the terminal X considers that the participant Y does not belong to the group, discards ME_A, and ends the process.
When the validity of the I_B is confirmed (S2806: Yes), the terminal X acquires the issuer B's public key KB_P from the I_B. Further, C_Y is obtained from ME_A, and the validity of C_Y is verified using KB_P (S2807).

If the validity of C_Y cannot be confirmed (S2808: No), terminal Y is regarded as not belonging to the group, and terminal X discards ME_A and ends the process.
If the validity of C_Y can be confirmed (S2808: Yes), terminal X acquires participant Y's public key KY_P from C_Y and confirms the signature of ME_Q (S2809).
When the validity of the signature is not confirmed (S2810: No), it is considered that ME_Q may have been tampered with by a third party, and terminal X discards ME_Q and ends the process.

When the validity of the signature is confirmed (S2810: Yes), the terminal X authenticates that the terminal Y is a member of the group specified by KG_P, acquires EY from ME_A, and stores it as the entry point of the group (S2811).
By using the above method, it is possible to confirm that the user who created the entry point information is a member of the group.

  As described above, according to the communication system according to the third or fourth embodiment, it is not necessary to operate a server that must be always operated. In addition, by obtaining the search result using the responder's private key or group participation certificate, etc., the adverse effect of responding by a person other than the group member, that is, these persons respond by spoofing the group information. Can be avoided.

  INDUSTRIAL APPLICABILITY The present invention is useful as a communication method when communicating with one terminal belonging to a virtual group on a general-purpose network, and particularly, when obtaining information about the group or a member of the group. It can be applied to networks that want to ensure safety when sharing information between them.

It is a figure which shows an example of a structure of the communication system which concerns on this invention. 3 is an example of a format of a revoked person list in the first embodiment. (A) is a figure which shows the case where the terminal in an on-line state and the terminal in an off-line state hold | maintain different revoker lists in Embodiment 1. FIG. (B) is a figure which shows a mode that the terminal which shifted to the online state performs group authentication with the terminal in an online state in Embodiment 1. FIG. (C) is a figure which shows a mode that the revocation list | wrist which each hold | maintains is exchanged between the terminals which finished group authentication in Embodiment 1. FIG. (D) is a diagram illustrating a state in which a new revocation list for a known online terminal is propagated from a terminal that has newly acquired a revocation list in the first embodiment. 6 is a flowchart showing a flow of a “request for new subscription to group” process in the first embodiment. 6 is an example of information held in a terminal of a requester after “new group request for group” processing in the first embodiment. 4 is a flowchart showing a flow of “authentication between group members” processing in the first embodiment. 4 is a flowchart showing a flow of “update group participation certificate” processing in the first embodiment. 10 is an example of a format of a revoked person list in the second embodiment. 10 is a flowchart showing a flow of “add group issuer” processing in the second embodiment. FIG. 10 is an example of information held in issuer candidate terminals after “add group issuer” processing in the second embodiment. FIG. 10 is a flowchart showing a flow of a “request for new subscription to group” process in the second embodiment. FIG. 10 is an example of information held in a terminal of a requesting subscriber after the “new group request for group” processing in the second embodiment. It is an example of information held in the terminal of one participant after the “authentication between group members” process in the second embodiment. 10 is a flowchart showing a flow of “authentication between group members” processing in the second embodiment. 10 is a flowchart showing a flow of “update group participation certificate” processing in the second embodiment. FIG. 10 is an example of information held in the participation certificate update requester's terminal after the “update group participation certificate” process in the second embodiment. FIG. 10 is a flowchart showing a flow of “update group participation certificate issuance permit” processing in the second embodiment. FIG. 10 is an example of information held in the issuer's terminal after the “update of group participation certificate issuance permit” processing in the second embodiment. 5 is a flowchart showing a flow of “revocation list exchange” processing in the first embodiment. The meaning of each term used in FIG. 15 is a flowchart illustrating a flow of “group information acquisition” processing according to the third embodiment. FIG. 20 is a diagram illustrating information held in a searcher's terminal after “group information acquisition” processing in the third embodiment. 12 is a flowchart showing a flow of “entry point information acquisition” processing in the third embodiment. 14 is an example of information held in a searcher's terminal after “entry point information acquisition” processing in the third embodiment. 15 is a flowchart showing a flow of “update group public key” processing in the third embodiment. 14 is an example of information held in a searcher's terminal after “update group public key” processing in the third embodiment. 15 is a flowchart showing a flow of “group information acquisition” processing in the fourth embodiment. 18 is a flowchart showing a flow of “entry point information acquisition” processing in the fourth embodiment. 14 is an example of information held in a searcher's terminal after “entry point information acquisition” processing in the fourth embodiment. It is the conceptual diagram which showed the flow of the information between the user terminals which have participated in the P2P network. It is a conceptual diagram showing the flow of information when searching group information for three groups G1, G2, and G3 existing on a P2P network. It is a conceptual diagram for demonstrating the problem at the time of searching the group information in a P2P network. (A) is a figure for demonstrating the method of performing the mutual authentication between terminals by each user terminal which belongs to a group in the said 1st conventional method holding a group list | wrist. (B) is a figure for demonstrating the problem which arises when there exists an offline terminal when the terminal D is newly added in the said 1st conventional method. (C) is a figure for demonstrating the problem which arises by the mismatch of a group list | wrist when the terminal D is newly added in the said 1st conventional method. (D) is a figure for demonstrating the method of performing the mutual authentication between terminals by only a specific member's terminal holding a group list in the said 2nd conventional method. (E) is a figure for demonstrating the problem which arises when the terminal of a specific member transfers to an offline state in the said 2nd conventional method. (A) is a figure for demonstrating the conventional method which authenticates between terminals by broadcasting a new revoker list from the terminal of an administrator with respect to the terminal of a group member. (B) is a figure for demonstrating the problem which arises when there exists an offline member terminal in the conventional method of said (a). (C) is a figure which shows a mode when the terminal of an administrator transfers to an offline state in the conventional method of said (a). (D) is a figure for demonstrating the problem which arises in the conventional method of said (a), when an administrator's terminal shifted to an offline state.

Explanation of symbols

10 to 50 terminals 100, 200 communication system A to F terminals X to Z terminals

Claims (8)

A communication method for performing communication between a first terminal and a second terminal on a network,
The first terminal holds a public key of a group formed on the network and a private key / public key pair of the first user, and the second terminal has a private key of the group and Holds a public key pair,
In the first terminal,
An inquiry information transmission step of transmitting inquiry information including an inquiry as to whether or not the other second terminal is a valid member of the group;
An encrypted information receiving step for receiving predetermined encrypted information as a response to the inquiry information from the second terminal;
A decryption attempt step that attempts to decrypt the received encrypted information with the public key of the group;
An information determination step for determining the suitability of the decoded information when the decoding is successful in the decoding trial step;
An administrator determination step for determining that the second terminal is a legitimate administrator terminal of the group when the decrypted information is determined to be appropriate;
Subscription request transmission for transmitting subscription request information including information indicating the desire to join the group and the public key of the first user to the second terminal determined to be the authorized manager. Steps,
A participation certificate receiving step of receiving a participation certificate indicating that joining of the group is permitted from the second terminal,
In the second terminal,
An inquiry information receiving step for receiving inquiry information from the first terminal;
Generating encrypted information based on the received inquiry information and transmitting it to the first terminal; and
A subscription request receiving step of receiving the subscription request information from the first terminal;
A participation certificate generating step for generating a participation certificate representing permission to join the group based on the received subscription request information;
And a participation certificate transmitting step of transmitting the generated participation certificate to the first terminal. In the second terminal,
A request date specifying step for specifying the date of reception of the subscription request information;
An expiration date determining step for determining an expiration date of the participation certificate based on the specified date.
In the participation certificate generation step,
On the basis of the subscription request information and the expiration date, the method of communication according to claim 1, wherein the generating the participation certificate. A communication method for performing communication between a first terminal and a second terminal on a network,
The first terminal holds a private key / public key pair of the group formed on the network and the public key of the second user, and the second terminal holds the public key of the group. Hold
In the first terminal,
An inquiry information transmission step of transmitting inquiry information including an inquiry as to whether or not the other second terminal is a valid member of the group;
An encrypted information receiving step for receiving predetermined encrypted information as a response to the inquiry information from the second terminal;
A decryption attempt step of attempting to decrypt the received encrypted information with the public key of the second user;
An information determination step for determining the suitability of the decoded information when the decoding is successful in the decoding trial step;
A participant determination step for determining that the second terminal is a legitimate participant's terminal of the group when it is determined that the decrypted information is appropriate;
An appointment information transmitting step of transmitting, to the second terminal determined to be a legitimate participant, appointment information indicating that it is desired to appoint an issuer of the group;
A public key receiving step of receiving the public key of the second user from the second terminal;
A public key determination step for determining whether or not the received public key matches the held public key;
A license generation step of creating a participation certificate issuance permit indicating that the authority to issue the participation certificate is granted based on the information including the public key when it is determined that the two public keys match; ,
Sending the created participation certificate issuance permit to the second terminal; and
In the second terminal,
An inquiry information receiving step for receiving inquiry information from the first terminal;
A public key transmitting step of transmitting the second user's public key to the first terminal;
And a permit receiving step of receiving the participation certificate issuance permit from the first terminal. A communication method for performing communication between a first terminal and a second terminal on a network,
The first terminal holds a public key of a group formed on the network and a private key / public key pair of the first user, and the second terminal holds the public key of the group. Hold
In the first terminal,
An inquiry information transmission step of transmitting inquiry information including an inquiry as to whether or not the other second terminal is an authorized issuer of the group;
A license receiving step of receiving an encrypted participation certificate issuance permit from the second terminal;
A decryption trial step of attempting to decrypt the received participation certificate issuance permit with the public key of the group;
An information determination step for determining the suitability of the decoded information when the decoding is successful in the decoding trial step;
When it is determined that the decrypted information is appropriate, the second terminal determines that the second terminal is a legitimate issuer terminal of the group; and
Subscription request transmission for transmitting subscription request information including information indicating that subscription to the group is desired and the public key of the first user to the second terminal determined to be the valid issuer. Steps,
A participation certificate receiving step of receiving a participation certificate indicating that joining of the group is permitted from the second terminal,
In the second terminal,
An inquiry information receiving step for receiving inquiry information from the first terminal;
After receiving the inquiry information, an encrypted information transmission step of transmitting a participation certificate issuance permit to the first terminal;
A subscription request receiving step of receiving the subscription request information from the first terminal;
A participation certificate generating step for generating a participation certificate representing permission to join the group based on the received subscription request information;
And a participation certificate transmitting step of transmitting the generated participation certificate to the first terminal. The communication method according to claim 1, 3 or 4 , wherein the network is a P2P network. A communication system for performing communication between a first terminal and a second terminal on a network,
The first terminal holds a public key of a group formed on the network and a private key / public key pair of the first user, and the second terminal has a private key of the group and Holds a public key pair,
The first terminal is
Inquiry information transmitting means for transmitting inquiry information including an inquiry as to whether or not the other second terminal is a valid member of the group;
Encrypted information receiving means for receiving predetermined encrypted information as a response to the inquiry information from the second terminal;
Decryption trial means for attempting to decrypt the received encrypted information with the public key of the group;
An information determination unit that determines whether the decoded information is appropriate when decoding is successful in the decoding trial unit;
When it is determined that the decrypted information is appropriate, the second terminal is an administrator determination unit that determines that the terminal is a legitimate administrator terminal of the group;
Subscription request transmission for transmitting subscription request information including information indicating the desire to join the group and the public key of the first user to the second terminal determined to be the authorized manager. Means,
A participation certificate receiving means for receiving from the second terminal a participation certificate indicating that the joining of the group is permitted,
The second terminal is
Inquiry information receiving means for receiving inquiry information from the first terminal;
Generating encrypted information based on the received inquiry information and transmitting the encrypted information to the first terminal;
Subscription request receiving means for receiving the subscription request information from the first terminal;
Based on the received subscription request information, a participation certificate generating means for generating a participation certificate representing permission to join the group;
A participation certificate transmitting means for transmitting the generated participation certificate to the first terminal. A communication system for performing communication between a first terminal and a second terminal on a network,
The first terminal holds a private key / public key pair of the group formed on the network and the public key of the second user, and the second terminal holds the public key of the group. Hold
The first terminal is
Inquiry information transmitting means for transmitting inquiry information including an inquiry as to whether or not the other second terminal is a valid member of the group;
Encrypted information receiving means for receiving predetermined encrypted information as a response to the inquiry information from the second terminal;
Decryption trial means for attempting to decrypt the received encrypted information with the public key of the second user;
An information determination unit that determines whether the decoded information is appropriate when decoding is successful in the decoding trial unit;
Participant determination means for determining that the second terminal is a legitimate participant terminal of the group when it is determined that the decrypted information is appropriate;
Appointment information transmitting means for transmitting, to the second terminal determined to be a legitimate participant, appointment information indicating that it is desired to appoint an issuer of the group;
Public key receiving means for receiving the public key of the second user from the second terminal;
Public key determination means for determining whether or not the received public key matches the held public key;
Permission generation means for creating a participation certificate issuance permit indicating that the authority to issue the participation certificate is granted based on the information including the public key when it is determined that the two public keys match. ,
A permit transmission means for transmitting the created participation certificate issuance permit to the second terminal;
The second terminal is
Inquiry information receiving means for receiving inquiry information from the first terminal;
Public key transmission means for transmitting the second user's public key to the first terminal;
A communication system comprising: a certificate receiving means for receiving the participation certificate issuance permit from the first terminal. A communication system for performing communication between a first terminal and a second terminal on a network,
The first terminal holds a public key of a group formed on the network and a private key / public key pair of the first user, and the second terminal holds the public key of the group. Hold
The first terminal is
Inquiry information transmission means for transmitting inquiry information including an inquiry as to whether or not the other second terminal is an authorized issuer of the group;
A license receiving means for receiving an encrypted participation certificate issuance permit from the second terminal;
Decryption trial means for trying to decrypt the received participation certificate issuance permit with the public key of the group;
An information determination unit that determines whether the decoded information is appropriate when decoding is successful in the decoding trial unit;
When it is determined that the decrypted information is appropriate, the second terminal determines that the second terminal is a valid issuer terminal of the group;
Subscription request transmission for transmitting subscription request information including information indicating that subscription to the group is desired and the public key of the first user to the second terminal determined to be the valid issuer. Means,
A participation certificate receiving means for receiving from the second terminal a participation certificate indicating that the joining of the group is permitted,
The second terminal is
Inquiry information receiving means for receiving inquiry information from the first terminal;
Encrypted information transmitting means for transmitting a participation certificate issuance permit to the first terminal after receiving the inquiry information;
Subscription request receiving means for receiving the subscription request information from the first terminal;
Based on the received subscription request information, a participation certificate generating means for generating a participation certificate representing permission to join the group;
A participation certificate transmitting means for transmitting the generated participation certificate to the first terminal.

Images