JP4843587B2 - Information recording medium security method, information processing apparatus, program, and recording medium - Google Patents

Description

  The present invention relates to a technology for concealing information, and particularly to a technology for concealing and storing information in an information recording medium shared by a plurality of information processing apparatuses.

In a portable information recording medium such as a USB (universal serial bus) memory shared by multiple information processing devices, if the information recording medium was lost or stolen, it was stored in the information recording medium It is important to prevent data leaks.
In order to prevent such a situation, conventionally, a method of encrypting data by a common key encryption method and storing it in an information recording medium has been used (for example, see Non-Patent Document 1). In this case, a general method is to encrypt the data M to be stored in the information recording medium with the common key K of the common key cryptosystem and store only the ciphertext C in the information recording medium. Further, the common key K is generally stored in an information processing apparatus that reads and writes information from or on an information recording medium, or is stored in the form of a password by a user.

Patent Document 1 discloses a method of storing a first decryption key for decrypting an encrypted file in a removable memory.
"BUFFALO" homepage, [Search April 16, 2007], Internet <URL http://buffalo.jp/products/slw/keitai.html> JP 2006-67313 A

However, in the method of encrypting the data M to be stored in the information recording medium with the common key K of the common key encryption method and storing only the ciphertext C in the information processing device, a plurality of information processing devices are information recording media In order to decrypt data from the ciphertext C stored in, it is necessary to share the common key K used for the encryption among a plurality of information processing devices. However, the process of sharing the common key K, which is secret information, with a plurality of information processing devices in advance is complicated.
Further, in the method of creating the common key K using a password, the user must store the password and enter the password for each information processing apparatus. Such processing is also complicated. Furthermore, in general, the length of a password considering the convenience of the user is not sufficiently long in terms of cryptography. Therefore, the ciphertext C generated using such a common key K is easily deciphered and has a security problem.

Further, in the case of a method of storing a first decryption key for decrypting an encrypted file in a portable information recording medium such as a removable memory as in Patent Document 1, the information Anyone who acquires a recording medium or reads data from the information recording medium can decrypt the encrypted file.
These problems apply not only when a plurality of information processing apparatuses share a portable information recording medium but also when a plurality of information processing apparatuses share a non-portable information recording medium.

  The present invention has been made in view of these points, and an object of the present invention is to provide a technology that allows a plurality of information processing apparatuses to safely share an information recording medium without requiring complicated processing.

  In the present invention, n (n is an integer of 2 or more) information processing devices PC (i) (i = 1,..., N) share the information recording medium and store the ciphertext in the information recording medium. The plaintext is decrypted from the ciphertext stored in the information recording medium. In the present invention, in order to solve the above-described problem, the secret key SK (i) of the public key cryptosystem corresponding to each information processing device PC (i) is converted into information corresponding to the secret key SK (i). The common key KA of the common key encryption method using the public key PK (i) of the public key encryption method corresponding to each process of storing in the storage unit of the processing device PC (i) and each information processing device PC (i) Storing each ciphertext PE (PK (i), KA) encrypted in the information recording medium, and a registration process comprising the ciphertext PE (PK (p), KA) in the information recording medium. Is stored, and the external reading unit of any information processing device PC (p) (p∈ {1,..., N}) in which the private key SK (p) is stored in its own storage unit The process of reading the ciphertext PE (PK (p), KA) from the recording medium and the common key recovery unit of the information processing device PC (p) encrypts it using the secret key SK (p) stored in the storage unit. Decrypt the sentence PE (PK (p), KA) and extract the common key KA The encryption unit of the information processing apparatus PC (p) generates a ciphertext SE (KA, M (p)) obtained by encrypting the plaintext M (p) using the common key KA, and An external writing unit of the information processing device PC (p) storing the ciphertext SE (KA, M (p)) in the information recording medium, a writing process, and a ciphertext in the information recording medium. Any information processing device PC (q) (q∈ {1, ..., n} in which PE (PK (q), KA) is stored and the private key SK (q) is stored in its own storage unit ) External reading unit reads ciphertext PE (PK (q), KA) from the information recording medium, and the external reading unit of the information processing apparatus PC (q) reads ciphertext SE from the information recording medium. (KA, M (p)) and the common key recovery unit of the information processing device PC (q) uses the secret key SK (q) stored in the storage unit to encrypt the ciphertext PE (PK (q ), KA) to extract the common key KA and the decryption unit of the information processing device PC (q) A reading step comprising the steps of extracting a ciphertext SE (KA, M (p)) to decrypt the plaintext M (p) with KA, and to run.

  Thus, in the present invention, in the registration process, each secret key SK (i) (i = 1,..., N) is stored in the storage unit of each information processing device PC (i), and each public key PK is stored. Each ciphertext PE (PK (i), KA) obtained by encrypting the common key KA of the common key cryptosystem using (i) is stored in the information recording medium. As a result, the information processing apparatus PC (p) (p = 1,..., N) uses its own secret key SK (p) and uses the ciphertext PE (PK (p), The common key KA can be decrypted from KA). Similarly, the information processing apparatus PC (q) (q = 1,..., N) uses its own secret key SK (q) and uses the ciphertext PE (PK (q), The common key KA can be decrypted from KA). As a result, encryption and decryption can be performed between the information processing device PC (p) and the information processing device PC (q) by the common key cryptosystem using the common key KA.

  In this process, a complicated process for sharing the common key KA in advance between the information processing apparatus PC (p) and the information processing apparatus PC (q) is unnecessary. In the case of this processing, even if the data length of the common key KA is cryptographically safe, the convenience for the user is not lowered. Furthermore, in the present invention, instead of storing the common key KA for decrypting the plaintext ciphertext in the information recording medium, the ciphertext obtained by encrypting the common key KA with the public key is stored in the information recording medium. . Therefore, even when the younger brother acquires the information recording medium or reads data from the information recording medium, the third party cannot decrypt the plaintext ciphertext.

  Preferably, in the present invention, in the registration process, first, a process in which a common key generation unit of any one of the information processing devices PC (r) (r = 1,..., N) generates a common key KA The key pair generation unit of the information processing device PC (r) generates a secret key SK (r) and a public key PK (r) of the public key cryptosystem, and the information processing device PC (r) The internal writing unit stores the secret key SK (r) in the storage unit of the information processing device PC (r), and the key concealment unit of the information processing device PC (r) performs the public key PK (r) And a process of generating a ciphertext PE (PK (r), KA) obtained by encrypting the common key KA using the above, and an external writing unit of the information processing device PC (r) includes a ciphertext PE (PK (r), KA) is stored in the information recording medium.

  Next, the key pair generation unit of the information processing device PC (s) (s = 1,..., N, s ≠ r) other than the information processing device PC (r) performs the public key cryptography secret key SK ( s) and public key PK (s) generation process, and the internal writing unit of the information processing device PC (s) stores the secret key SK (s) in the storage unit of the information processing device PC (s). And a process in which the external writing unit of the information processing apparatus PC (s) stores the public key PK (s) in the information recording medium.

  Then, the ciphertext PE (PK (t), KA) (t = 1,..., N) is stored in the information recording medium, and the secret key SK (t) is stored in its own storage unit The external reading unit of the information processing device PC (t) reads the ciphertext PE (PK (t), KA) from the information recording medium, and the common key recovery unit of the information processing device PC (t) The process of decrypting the ciphertext PE (PK (t), KA) using the secret key SK (t) stored in the storage unit and extracting the common key KA, and external reading of the information processing device PC (t) The process of reading the public key PK (s) from the information recording medium, and the key concealment unit of the information processing apparatus PC (t) encrypted the common key KA using the public key PK (s) The process of generating the ciphertext PE (PK (s), KA) and the external writing unit of the information processing device PC (t) store the ciphertext PE (PK (s), KA) in the information recording medium Process.

  In the case of the preferred registration process, the information processing device PC (s) stores the public key PK (s) in the information recording medium, so that the ciphertext PE (PK (t), KA) is already stored in the information recording medium. The information processing device PC (t) having the secret key SK (t) stored in its own storage unit generates a ciphertext PE (PK (s), KA) obtained by encrypting the common key KA and records the information. It can be stored on a medium. That is, in the preferred registration process, the information processing apparatus registration process can be executed between the information processing apparatuses without using a special registration apparatus. Thereby, high convenience can be realized.

  In the registration process, more preferably, the key concealment unit of the information processing apparatus PC (r) encrypts the common key KA using the public key PK (r), and the ciphertext PE (PK (r), KA ) Is generated when the random number generator of the key concealment unit of the information processing device PC (r) generates the random number Z (r) and the key concealment unit of the information processing device PC (r). A process of generating a ciphertext C (r) = PE (PK (r), Z (r)) by encrypting a random number Z (r) using a public key PK (r) The random number dividing unit of the key concealment unit of the information processing apparatus PC (r) converts the random number Z (r) into Y (Y ≧ 2) random numbers Z (r 1, y) (y = 1,. Y) and the common key encryption unit of the key concealment unit of the information processing apparatus PC (r) is one of random numbers Z (r, y1) (y1 = 1, ..., Y) And the ciphertext SE (Z (r, y1), KA) obtained by encrypting the common key KA by the common key cryptosystem, and the ciphertext C (r) and ciphertext SE (Z (r, y1 ), KA) (C (r), SE (Z (r, y1), KA) ) As ciphertext PE (PK (r), KA) and the common key encryption unit of the key concealment unit of the information processing device PC (r) is divided into other random numbers Z (r, y2) (y2 = 1, ..., Y, y2 ≠ y1) as a key, and the ciphertext SE (Z (r, y2), K ') obtained by encrypting other information K' by the common key cryptosystem And a calculating process. Further, the common key restoration unit of the information processing device PC (t) (t = 1,..., N) uses the secret key SK (t) stored in the storage unit to generate the ciphertext PE (PK (t ), KA) to extract the common key KA, the public key decryption unit of the common key recovery unit decrypts the ciphertext C (t) using the secret key SK (t) and generates a random number. The process of extracting Z (t), the process of dividing the random number Z (t) into Y random numbers Z (t, y) by the random number dividing part of the common key restoring part, and the common of the common key restoring part The key decryption unit is divided into the process of extracting the common key KA by decrypting the ciphertext SE (Z (t, y1), KA) using the random number Z (t, y1) as a key and the common key cryptosystem. And decrypting the ciphertext SE (Z (t, y2), K ′) using a common key cryptosystem with the other random number Z (t, y2) as a key, and extracting other information K ′. To do. Furthermore, the process of generating the ciphertext PE (PK (s), KA) by encrypting the common key KA using the public key PK (s) by the key concealment unit of the information processing device PC (t) is as described above. The random number generator of the key concealment unit of the information processing device PC (t) generates the random number Z (s), and the public key encryption unit of the key concealment unit of the information processing device PC (t) The process of encrypting the random number Z (s) using the public key PK (s) to generate the ciphertext C (s) = PE (PK (s), Z (s)), and the information processing apparatus PC (t ) In which the random number dividing unit of the key concealing unit divides the random number Z (s) into Y (Y ≧ 2) random numbers Z (s, y) (y = 1,..., Y); The common key encryption unit of the key concealment unit of the information processing apparatus PC (t) uses one of the random numbers Z (s, y1) (y1 = 1,. The ciphertext SE (Z (s, y1), KA) obtained by encrypting the common key KA is calculated by using the information (C (s)) with C (s) and SE (Z (s, y1), KA). , SE (Z (s, y1), KA)) as ciphertext PE (PK (s), KA) and the above information processing The common key encryption unit of the key concealment unit of the physical device PC (t) uses the other divided random numbers Z (s, y2) (y2 = 1, ..., Y, y2 ≠ y1) as keys, And calculating a ciphertext SE (Z (s, y2), K ′) obtained by encrypting other information K ′ by a common key cryptosystem. Examples of other information K ′ include a key authentication key KC and a ciphertext authentication key KB.

This method uses a public key and encrypts multiple pieces of information (common key KA and other information K ') without performing multiple encryption / decryption processes using the public key encryption method with a large amount of computation. -It can be decrypted. This improves the processing speed when a plurality of pieces of information need to be encrypted / decrypted.
Preferably, in the present invention, each ciphertext obtained by encrypting the common key KA of the common key cryptosystem using the public key PK (i) of the public key cryptosystem corresponding to each of the information processing devices PC (i). The process of storing PE (PK (i), KA) in the information recording medium includes the public key PK (i) and ciphertext PE (PK (i), KA) corresponding to each information processing device PC (i). Are stored in the information recording medium in association with each other.

The ciphertext PE (PK (r), KA) (r∈ {1, ..., n}) is stored in the information recording medium, and the private key SK (r) is stored in its own storage unit. The process of reading the ciphertext PE (PK (r), KA) from the information recording medium by the external reading unit of any of the information processing devices PC (r) and the common key restoring unit of the information processing device PC (r) A process of decrypting the ciphertext PE (PK (r), KA) using the secret key SK (r) stored in the storage unit and extracting the common key KA, and the information processing apparatus PC (r) The common key generation unit generates a new common key KA _new, and the external reading unit of the information processing apparatus PC (r) performs any one of the information processing apparatuses PC (s) (s = 1, ..., n) and the decryption unit of the information processing apparatus PC (r) uses the common key KA to read the ciphertext SE (KA, M (s)). The process of decrypting (KA, M (s)) and extracting plaintext M (s) and the encryption unit of the information processing device PC (r) are a new common KA _{new new} ciphertext SE obtained by encrypting plaintext M (s) by using the process of generating _{(KA new, M (s)} ), external write unit of the information processing apparatus PC (r) is the ciphertext SE (KA _new , M (s)) is stored in the information recording medium, and a re-encryption process is executed.

Further, the external reading unit of the information processing device PC (r) reads the public key PK (s) corresponding to the information processing device PC (s) from the information recording medium, and the information processing device PC (r ) Key concealment unit generates a ciphertext PE (PK (s), KA _new ) obtained by encrypting a _new common key KA _new using the public key PK (s), and the information processing apparatus PC The external writing unit (r) executes a process of storing the ciphertext PE (PK (s), KA _new ) in the information recording medium and a re-registration process.

  Thereby, the common key can be updated. This update of the common key can be used for registration deletion processing, for example. In that case, the above re-registration process is executed for the information processing device PC (s) other than the information processing device PC (w) (w = 1,..., N) to be deleted, and stored in the information recording medium The encrypted ciphertext SE (KA, M (w)) is deleted from the information recording medium. In this case, even if the old common key KA remains in the information processing apparatus PC (w) whose registration has been deleted, the information processing apparatus PC (w) can read plaintext from the information stored in the information recording medium. M (p) cannot be decoded. As a result, safety is improved.

  Further, in the case of executing the re-encryption process and the re-registration process, preferably, in the registration process, each ciphertext PE () obtained by encrypting the key authentication key KC using each public key PK (i). PK (i), KC) is stored in the information recording medium, and the authenticator AU (KC) of the public key PK (i) generated using at least the key authentication key KC and the public key PK (i). , PK (i)) is stored in the information recording medium.

  The external reading unit of the information processing device PC (r) reads the ciphertext PE (PK (r), KC) from the information recording medium, and the common key recovery unit of the information processing device PC (r) Decrypting the ciphertext PE (PK (r), KC) using the secret key SK (r) stored in the storage unit and extracting the key authentication key KC, and the information processing apparatus PC (r ) Whether the public key PK (s) is valid using at least the key authentication key KC, the public key PK (s), and the authenticator AU (KC, PK (s)). The process of verifying is further executed. The re-registration process is executed only for the information processing device PC (s) for which the public key PK (s) is determined to be valid. The “authenticator” of the present invention means data for proving the validity of data, and is a concept that includes everything included in this definition.

  As a result, the public key PK (i) stored in the information recording medium before the re-registration process is executed is altered, and an unauthorized information processing apparatus is stored in the information recording medium by the re-registration process. It is possible to prevent a situation in which the encrypted ciphertext can be decrypted. As a result, safety is improved. In addition, the verification process of the public key PK (i) is performed by registering the information processing apparatus PC (r) [the private key SK (r) is stored in its own storage unit and the ciphertext PE (PK (r), KC Information processing apparatus PC (r)] capable of decrypting) is possible, and it is not necessary to prepare a special apparatus for the verification apparatus. Therefore, convenience is high.

  In the present invention, it is preferable that the registration process includes each ciphertext PE (PK (i), KB) obtained by encrypting the ciphertext authentication key KB using each public key PK (i). The process of storing in. In the writing process, the external reading unit of the information processing apparatus PC (p) reads the ciphertext PE (PK (p), KB) from the information recording medium, and the information processing apparatus PC (p) A process in which the common key recovery unit extracts the ciphertext authentication key KB by decrypting the ciphertext PE (PK (p), KB) using the secret key SK (p) stored in the storage unit; and The ciphertext authentication unit of the processing device PC (p) encrypts using at least the ciphertext authentication key KB, the random number E (p), and the ciphertext SE (KA, M (p)) generated by the encryption unit. The process of generating the authenticator AU (KB, E (p), SE (KA, M (p))) of the sentence SE (KA, M (p)) and the external writing unit of the information processing device PC (p) Comprises storing the authenticator AU (KB, E (p), SE (KA, M (p))) in the information recording medium.

  Thus, by generating the authenticator AU (KB, SE (KA, M (p))) of the ciphertext SE (KA, M (p)) and storing it in the information recording medium, the ciphertext SE ( Tampering of KA, M (p)) can be detected. Also in this case, if the information processing device is registered, it is possible to verify the authenticator AU (KB, SE (KA, M (p))), and it is necessary to prepare a special device for the verification device. Absent. Therefore, convenience is high.

  Preferably, in the present invention, the encryption unit of the information processing apparatus PC (p) generates a ciphertext SE (KA, M (p)) obtained by encrypting the plaintext M (p) using the common key KA. The process includes a process in which the block division unit of the encryption unit divides the plaintext M (p) into X (X ≧ 2) blocks MB (p, x) (x = 1,..., X). The random number generation unit of the encryption unit generates a random number E (p) for each plaintext M (p), and the external writing unit of the information processing device PC (p) In the process of storing in the information recording medium, the function calculation unit of the encryption unit substitutes at least the block number x of the block MB (p, x) and the random number E (p) into a predetermined function π. The process of calculating π (x, E (p)) and the block encryption unit of the encryption unit encrypts each block MB (p, x) using the common key KA and the function value IV as an initial vector. Ciphertext SE (KA, M (p)) from the ciphertext of all the calculated blocks MB (p, x) A process comprising the steps of forming a.

  In the preferred method, a random number E (p) is generated for each plaintext M (p), and a function value IV = π (x, E (p) in which a block number x and a random number E (p) are substituted into a predetermined function π. The ciphertext SE (KA, M (p)) is generated by block cipher using)). In this case, even if the values between blocks obtained by dividing a plaintext M (p) are the same, not only the ciphertext between the blocks is not the same, but also the plaintext M (p) is divided. The block MB (p, x) of the obtained block number x is the same as the block MB (p ′, x) of the same block number x obtained by dividing another plaintext M (p ′). However, their ciphertexts are not the same. As a result, it is possible to prevent the plaintext identity from being inferred from the identity of the ciphertext and the safety from being lowered. Such a block encryption method is particularly effective for an information recording medium in which a plurality of plaintexts are repeatedly encrypted with the same common key KA and a plurality of generated ciphertexts are stored.

  In addition, when performing encryption using the random number E (p), preferably, in the registration process, each ciphertext PE (encrypted ciphertext authentication key KB using each public key PK (i)) PK (i), KB) is stored in the information recording medium, and in the writing process, the external reading unit of the information processing device PC (p) reads the ciphertext PE (PK (pK ), KB), and the common key recovery unit of the information processing device PC (p) uses the secret key SK (p) stored in the storage unit to generate the ciphertext PE (PK (p), KB) And the ciphertext authentication unit of the information processing apparatus PC (p) generates at least the ciphertext authentication key KB, the random number E (p), and the encryption unit. Authenticator AU (KB, E (p), SE (KA, M (p))) of ciphertext SE (KA, M (p)) using the encrypted ciphertext SE (KA, M (p)) And the external writing unit of the information processing device PC (p) generates the authenticator AU (KB, E (p), SE (KA, M (p))). A process of storing the serial information recording medium, to run.

  In this way, the ciphertext SE (KA, M (p)) using the ciphertext authentication key KB, the random number E (p), and the ciphertext SE (KA, M (p)) generated by the encryption unit. Authenticator AU (KB, E (p), SE (KA, M (p))) Reliability can be improved. Furthermore, the random number E (p) used to generate the ciphertext SE (KA, M (p)) is diverted to the generation of the authenticator AU (KB, E (p), SE (KA, M (p))). Therefore, there is no need for an operation for generating a new random number for generating an authenticator or a process for storing a random number other than the random number E (p) for verifying the authenticator.

  As described above, according to the present invention, complicated processing is not required, and a plurality of information processing apparatuses can safely share an information recording medium.

The best mode for carrying out the present invention will be described below with reference to the drawings.
[First Embodiment]
First, a first embodiment of the present invention will be described.
<Configuration>
FIG. 1 is a conceptual diagram illustrating the overall configuration of an information recording medium sharing system 1 according to this embodiment.
As illustrated in FIG. 1, the information recording medium sharing system 1 includes n (n is an integer of 2 or more) personal computers (hereinafter referred to as “PC”) 10-1 to n (“information processing apparatus PC ( i) (corresponding to i = 1,..., n) ”) and a USB memory 20 (corresponding to“ information recording medium ”) shared between the PCs 10-1 to 10-n. The PCs 10-1 to 10-n store the ciphertext in the USB memory 20 and share information with each other by decrypting the plaintext from the ciphertext stored in the USB memory 20. In this embodiment, a personal computer is illustrated as an example of an information processing apparatus, and a USB memory is illustrated as an example of an information recording medium. However, the present invention is not limited to this.

FIG. 2A is a block diagram illustrating a functional configuration of the PC 10-i (i = 1,..., N) of the present embodiment, and FIG. 2B is a function of the USB memory 20 of the present embodiment. It is the block diagram which illustrated the composition.
As shown in FIG. 2A, the PC 10-i includes an external writing unit 11a, an external reading unit 11b, an internal writing unit 12a, an internal reading unit 12b, a storage unit 13, and a common key generation unit 14a. , Key pair generation unit 14b, key concealment unit 14c, common key restoration unit 14d, encryption unit 14e, decryption unit 14f, deletion unit 14g, application execution unit 14h, control unit 14i, temporary A memory 14j, an input unit 15, and an output unit 16 are provided. As shown in FIG. 2B, the USB memory 20 includes an interface unit 21, a storage unit 22, and a control unit 23. The storage unit 22 includes areas 22a to 22c. .

The PC 10-i of this embodiment is a Neumann computer including a CPU (Central Processing Unit), a RAM (Random Access Memory), a ROM (Read Only Memory), and the like. When a predetermined program is read, the PC 10-i in FIG. ) Is realized.
Specifically, an OS (Operating System) and application software are installed in the PC 10-i in this example. When the USB memory 20 is mounted and mounted on the USB port of the PC 10-i, and the USB memory 20 is mounted on the PC 10-i, the security program is read from the area 22a of the storage unit 22 of the USB memory 20 into the PC 10-i. It is. Then, when the CPU of the PC 10-i executes a security program and application software on the OS, the functional configuration shown in FIG. Instead of the PC 10-i reading the security program from the USB memory 20, each PC 10-i may be configured to read the security program from another recording medium, or the security program may be downloaded and read via the Internet or the like. It may be a configuration. In such a case, the security program need not be stored in the USB memory 20.

<Processing>
Next, the processing of this embodiment will be described.
The process of this embodiment is (1) a process of registering n PCs 10-i sharing the USB memory 20 in the USB memory 20 (registration process), and (2) a process of writing the ciphertext into the USB memory 20 by the PC 10-i. (Writing process), (3) a process in which the PC 10-i reads and decrypts a ciphertext from the USB memory 20 (reading process), and (4) a process of deleting registration from the USB memory 20 (deleting process). Hereinafter, each process will be described.

[Registration process]
First, the registration process will be described. It is assumed that the OS, security program, and application software are installed in the PC 10-i. Although not described below, each process is executed under the control of the control units 14i and 23, and each data obtained by each calculation in the PC 10-i is written to the temporary memory 14j one by one. In response, it is read for other operations. In addition, sending data from a certain calculation unit to another calculation unit means storing the calculation result calculated by a certain calculation unit in the temporary memory 14j, and the other calculation unit reading the calculation result from the temporary memory 14j. Means that.

3 to 5 are diagrams showing each functional block and data flow related to the registration process of this embodiment, and FIG. 11 is a sequence diagram for explaining the registration process of this embodiment. In the following, as an example, a process in which the PC 10-1 first registers, the PC 10-2 makes a registration application, and the PC 10-1 approves the registration process will be exemplified.
First, application software installed in the PC 10-1 as preprocessing acquires a host name and a user name (including a workgroup name (hereinafter the same)), generates an ID (1) indicating them, and then creates a PC 10- 1 storage unit 13 (FIG. 3A). If ID (1) has already been stored in the storage unit 13, the registration process is not executed.

  After that, when the USB memory 20 is mounted and mounted on the PC 10-1, the common key generation unit 14a (FIG. 3A) of the PC 10-1 generates (for example, randomly generates) and outputs the common key KA ( Step S1). Further, the key pair generation unit 14b of the PC 10-1 generates and outputs a public key cryptosystem secret key SK (1) and a public key PK (1) (step S2). Examples of public key cryptosystems include PSEC-KEM and RSA. The generated secret key SK (1) is sent to the internal writing unit 12a of the PC 10-1, and is then stored in the storage unit 13 of the PC 10-1 (step S3). The common key KA output from the common key generation unit 14a and the public key PK (1) output from the key pair generation unit 14b are sent to the key concealment unit 14c of the PC 10-1, and the key concealment is performed. The unit 14c generates and outputs a ciphertext PE (PK (1), KA) obtained by encrypting the common key KA using the public key PK (1) (step S4). Note that PE (α, β) means a ciphertext obtained by encrypting β using the public key α by a predetermined public key cryptosystem.

The public key PK (1), ciphertext PE (PK (1), KA) and ID (1) read from the internal reading unit 12b are interfaced with the USB memory 20 by the external writing unit 11a of the PC 10-1. Is sent to the unit 21 (FIG. 3B), and stored there in association with the area 22b of the storage unit 22 (step S5 / PC 10-1 registration completed).
Next, when the USB memory 20 is mounted and mounted on the PC 10-2, the application software installed on the PC 10-2 acquires the host name and user name, and generates an ID (2) indicating them. And is stored in the storage unit 13 (FIG. 4A) of the PC 10-2.

  Next, the key pair generation unit 14b (FIG. 4A) of the PC 10-2 generates and outputs the secret key SK (2) and the public key PK (2) of the public key cryptosystem (step S6). . The secret key SK (2) is written into the storage unit 13 by the internal writing unit 12a of the PC 10-2 (step S7). On the other hand, the public key PK (2) is sent from the external writing unit 11a to the interface unit 21 of the USB memory 20 (FIG. b)), and is stored in association with the area 22b of the storage unit 22 from there (step S8 / PC10-2 registration application).

  Next, when the USB memory 20 is mounted and mounted on the PC 10-1, the external reading unit 11b of the PC 10-1 is associated with the identifier ID (1) from the area 22b of the storage unit 22 of the USB memory 20. The encrypted ciphertext PE (PK (1), KA) is read and sent to the common key restoration unit 14d (FIG. 5A) of the PC 10-1 (step S9). Further, the secret key SK (1) is read from the storage unit 13 of the PC 10-1 into the common key restoration unit 14d of the PC 10-1 by the internal reading unit 12b of the PC 10-1. The common key restoration unit 14d of the PC 10-1 uses the secret key SK (1) to decrypt the ciphertext PE (PK (1), KA) [KA = PD (SK (1), PE (PK (1)) , KA))], and extracts the common key KA (step S10). PD (α, β) means a result value obtained by decrypting β using the secret key α by a predetermined public key cryptosystem.

  Further, the external reading unit 11b of the PC 10-1 reads the public key PK (2) from the area 22a (FIG. 5B) of the storage unit 22 of the USB memory 20 (step S11). The common key KA and the public key PK (2) are sent to the key concealment unit 14c of the PC 10-1, and the key concealment unit 14c uses the public key PK (2) and the common key KA by the public key cryptosystem. Ciphertext PE (PK (2), KA) is generated and output (step S12). The ciphertext PE (PK (2), KA) is sent to the interface unit 21 of the USB memory 20 by the external writing unit 11a, and from there, the identifier ID (2) is stored in the area 22b (FIG. 5B) of the storage unit 22. (In step S13 / approval completion by PC 10-1). Thereby, registration of PC10-2 is complete | finished.

  Thereafter, other PCs 10-i apply for registration (see steps S6 to S8) in the same manner as the PC 10-2, and registered PCs 10-t (t = 1,..., N) (USB) such as the PC 10-1 or the like (USB Any of the PCs 10-t in which the ciphertext PE (PK (t), KA) is stored in the memory 20 and the secret key SK (t) is stored in its own storage unit 13 approves as described above ( All the PCs 10-i (i = 1,..., N) are registered.

[Writing process / Reading process]
Next, the writing process and the reading process of this embodiment will be described. It is assumed that the OS, security program, and application software are installed in the PC 10-i.

  FIG. 6 is a diagram showing each functional block and data flow related to the writing process of this embodiment, and FIG. 7 shows each functional block and data flow related to the reading process of this embodiment. FIG. FIG. 12 is a sequence diagram for explaining the writing process and the reading process of the present embodiment. Here, an example is shown in which the PC 10-1 writes the ciphertext to the USB memory 20 (writing process), and the PC 10-2 reads the ciphertext from the USB memory 20 and decrypts it (reading process).

  First, it is assumed that the USB memory 20 is mounted and mounted on the PC 10-1. In this state, the application execution unit 14h (FIG. 6A) of the PC 10-1 that executes application software such as Word or Excel (registered trademark) writes the ciphertext of plaintext M (1) to the USB memory 20. A request is made to the control unit 14i. With this as a trigger, the internal reading unit 12b of the PC 10-1 reads the identifier ID (1) from the storage unit 13 and sends it to the external reading unit 11b of the PC 10-1. The external reading unit 11b reads the ciphertext PE (PK (1), KA) associated with the identifier ID (1) from the area 22b (FIG. 6B) of the storage unit 22 of the USB memory 20 (step) S21).

  The ciphertext PE (PK (1), KA) is sent to the common key restoration unit 14d (FIG. 6A) of the PC 10-1. Also, using this as a trigger, the internal reading unit 12b of the PC 10-1 reads the secret key SK (1) from the storage unit 13 and sends the secret key SK (1) to the common key restoration unit 14d. The common key restoration unit 14d decrypts the ciphertext PE (PK (1), KA) using the secret key SK (1) and uses the common key KA [KA = PD (SK (1), PE (PK (1)). , KA))] is extracted, and the common key KA is sent to the encryption unit 14e (step S22). Further, the application execution unit 14h of the PC 10-1 sends the plaintext M (1) to the encryption unit 14e, and the encryption unit 14e uses the common key KA and the plaintext M (1) by the common key encryption method. A ciphertext SE (KA, M (1)) is generated by encrypting (step S23). SE (α, β) means a ciphertext obtained by encrypting β using the common key α by a predetermined common key cryptosystem. Examples of the common key encryption method include Camellia and AES.

  The generated ciphertext SE (KA, M (1)) is sent to the interface unit 21 of the USB memory 20 by the external writing unit 11a, and stored in the area 22c (FIG. 6B) of the storage unit 22 therefrom. (Step S24 / End of writing process).

Next, the USB memory 20 is mounted and mounted on the PC 10-2. In this state, when the application execution unit 14h of the PC 10-2 makes a request to read the ciphertext SE (KA, M (1)) from the USB memory 20 to the control unit 14i, first, the external reading unit of the PC 10-2. 11b (FIG. 7A) reads the ciphertext SE (KA, M (1)) from the area 22c (FIG. 7B) of the storage unit 22 of the USB memory 20 (step S25), and further the area 22b. The ciphertext PE (PK (2), KA) is read from (step S26). Next, the internal reading unit 12b (FIG. 7A) of the PC 10-2 reads the secret key SK (2) from the storage unit 13. Then, the common key restoration unit 14d of the PC 10-2 decrypts the ciphertext PE (PK (2), KA) using the secret key SK (2) and uses the common key KA [KA = PD (SK (2)). , PE (PK (2), KA))] is extracted (step S27). After that, the decryption unit 14f of the PC 10-2 decrypts the ciphertext SE (KA, M (1)) using the common key KA to obtain plaintext M (1) [M (1) = SD (KA, SE (KA, M (1))] is extracted (step S28), where SD (α, β) means a result value obtained by decrypting β with the common key α by the common key cryptosystem.
The extracted plaintext M (1) is sent to the application execution unit 14h of the PC 10-2 (end of the reading process).

[Deleting process]
Next, the deletion process of this embodiment will be described. It is assumed that the OS, security program, and application software are installed in the PC 10-i.
8 to 10 are diagrams showing each functional block and data flow related to the deletion process of this embodiment. FIG. 13 is a sequence diagram for explaining the deletion process of this embodiment.

  In the deletion process of the present embodiment, the data of the PC 10-w to be registered and deleted is not only deleted from the USB memory 20, but the common key KA used for plaintext encryption is reset in association with this, and the USB memory 20 is reset. Regenerate the stored ciphertext. As a result, it is possible to prevent the PC 10-w whose registration has been deleted from decrypting the ciphertext stored in the USB memory 20 using the common key KA acquired in the past. In the following, an example in which the PC 10-1 deletes the registration of the PC 10-2 from the USB memory 20 is shown.

  First, it is assumed that the USB memory 20 is mounted and mounted on the PC 10-1. In this state, the user designates the registration deletion target as follows, for example. First, the external reading unit 11b reads all identifiers ID (i) from the area 22b of the storage unit 22 of the USB memory 20, and outputs the host name and user name indicated by them from the output unit 16 (for example, displayed on the screen). To do). The user inputs the host name and user name to be deleted from the input unit 15 while referring to the output host name and user name. In this example, it is assumed that the host name and user name corresponding to the identifier ID (2) are input. Based on the input result, the control unit 14i executes the deletion process as follows.

  First, the internal reading unit 12b of the PC 10-1 reads the identifier ID (1) from the storage unit 13 and sends it to the external reading unit 11b (FIG. 8A). The external reading unit 11b (FIG. 8A) reads the ciphertext PE (PK (1),) associated with the identifier ID (1) from the area 22b (FIG. 8B) of the storage unit 22 of the USB memory 20. KA) is read (step S31) and sent to the common key restoration unit 14d.

Next, the internal reading unit 12b of the PC 10-1 reads the secret key SK (1) from the storage unit 13 and sends it to the common key restoration unit 14d. Using the secret key SK (1), the common key restoration unit 14d decrypts the ciphertext PE (PK (1), KA) read from the USB memory 20 and decrypts the common key KA [KA = PD (SK (1 ), PE (PK (1), KA))] is extracted (step S32). Further, the common key generation unit 14a of the PC 10-1 generates a new common key KA _new (step S33).

  Further, the external reading unit 11b of the PC 10-1 reads the ciphertext SE (KA, M (i)) (i = 1,..., N) corresponding to the PC 10-i from the USB memory 20 (step S34). . The decryption unit 14f of the PC 10-1 uses the common key KA obtained by the common key restoration unit 14d to decrypt the ciphertext SE (KA, M (i)) to obtain plaintext M (i) [M (i ) = SD (KA, SE (KA, M (i))] is extracted (step S35).

Next, each extracted plaintext M (i) and a new common key KA _new are input to the encryption unit 14e of the PC 10-1, and the encryption unit 14e uses the new common key KA _new. A ciphertext SE (KA _new , M (i)) obtained by encrypting each plaintext M (i) is generated (step S36). Each ciphertext SE (KA _new , M (i)) is sent to the external writing unit 11a of the PC 10-1. The external writing unit 11a sends the ciphertext SE (KA _new , M (i)) to the interface unit 21 of the USB memory 20, and the interface unit 21 stores these in the area 22c of the storage unit 22 (FIG. 8B). (Step S37).

Also, the external reading unit 11b (FIG. 9A) of the PC 10-1 uses the public key PK (s) corresponding to each PC 10-s (s = 1,..., N, s ≠ 2) from the USB memory 20. ) Are read (step S38) and sent to the key concealment unit 14 of the PC 10-1. Then, the key concealment unit 14c encrypts the common key KA _new newly generated by the common key generation unit 14a by using the public key PK (s) read (step S33) by the public key cryptosystem. Then, the ciphertext PE (PK (s), KA _new ) is generated (step S39). Each ciphertext PE (PK (s), KA _new ) is sent to the interface unit 21 of the USB memory 20 by the external writing unit 11a of the PC 10-1. The interface unit 21 stores each ciphertext PE (PK (s), KA _new ) in the area 22b of the storage unit 22 of the USB memory 20 in association with the identifier ID (s) (FIG. 9B). (Step S40).

  Next, the deletion unit 14g (FIG. 10A) of the PC 10-1 issues a deletion command, and the external writing unit 11a that receives the deletion command receives the area 22c of the storage unit 22 of the USB memory 20 (FIG. 9B). The ciphertext SE (KA, M (i)) is deleted from the area 22 and PE (PK (i), KA), identifier ID (2), and public key PK (2) are deleted from the area 22b (FIG. 10B). (Step S41).

[Second Embodiment]
Next, a second embodiment of the present invention will be described.
The present embodiment is a modification of the first embodiment, in which an authenticator is attached to a public key or ciphertext stored in a USB memory to prevent forgery of the public key or ciphertext. The key for creating the authenticator is encrypted with the public key of each PC and stored in the USB memory, and the common key for encrypting plaintext, the public key, and the authenticator for ciphertext are created. The second embodiment is different from the first embodiment in that a device for efficiently encrypting the key is devised and a plaintext encryption method is devised. Below, it demonstrates centering around difference with 1st Embodiment, and simplifies description about the matter which is common in 1st Embodiment.

<Configuration>
The overall configuration of the information recording medium sharing system of the present embodiment is the same as that of the first embodiment except that the PCs 10-1 to n are replaced with the PCs 110-1 to n and the USB memory 120 is replaced with the USB memory 120.
FIG. 14 is a block diagram illustrating a functional configuration of the PC 110-i (i = 1,..., N) according to this embodiment. FIG. 15 is a block diagram illustrating the functional configuration of the USB memory 120 of this embodiment. In FIGS. 14 and 15, parts common to the first embodiment are denoted by the same reference numerals as in the first embodiment.

  As shown in FIG. 14, the PC 110-i includes an external writing unit 11a, an external reading unit 11b, an internal writing unit 12a, an internal reading unit 12b, a storage unit 13, a common key generation unit 114a, and a key pair. The generation unit 14b, the key concealment unit 114c, the common key restoration unit 114d, the encryption unit 114e, the decryption unit 114f, the deletion unit 14g, the application execution unit 14h, the control unit 14i, and the temporary memory 14j A public key authenticator generation unit 114k, a public key verification unit 114m, a ciphertext authenticator generation unit 114n, a ciphertext verification unit 114p, an input unit 15, and an output unit 16. The PC 110-i of the present embodiment is also a Neumann computer including a CPU (Central Processing Unit), a RAM (Random Access Memory), a ROM (Read Only Memory), and the like, and when a predetermined program is read, FIG. The functional configuration shown in FIG.

As shown in FIG. 15, the functional configuration of the USB memory 120 of the present embodiment is the same as that of the first embodiment, but the data stored in the storage unit 22 is different from that of the first embodiment.
<Processing>
Next, the processing of this embodiment will be described.
The processing of this embodiment can also be broadly divided into (1) registration process, (2) writing process, (3) reading process, and (4) deletion process. Hereinafter, each process will be described.

[Registration process]
First, the registration process will be described. It is assumed that the OS, security program, and application software are installed on the PC 110-i. Although not described below, each process is executed under the control of the control units 14i and 23, and each data obtained by each calculation in the PC 110-i is written to the temporary memory 14j one by one. In response, it is read for other operations.

16 to 18 are diagrams showing each functional block and data flow related to the registration process of the present embodiment, and FIGS. 25 and 26 are sequence diagrams for explaining the registration process of the present embodiment. In the following, as an example, a process in which the PC 110-1 performs registration first, then the PC 110-2 makes a registration application, and the PC 110-1 approves it will register the PC 110-2.
First, application software installed in the PC 110-1 as preprocessing acquires a host name and a user name, generates an ID (1) indicating them, and stores the storage unit 13 of the PC 110-1 (FIG. 16A). ). If ID (1) has already been stored in the storage unit 13, the registration process is not executed.

When the USB memory 120 is mounted and mounted on the PC 110-1, the common key generation unit 114a (FIG. 16A) of the PC 110-1 generates three common keys KA, KB, KC (for example, randomly generated) Output (step S51). The common key KA is a key for encrypting the plaintext that is a message, the common key KB is a ciphertext authentication key for generating a ciphertext authenticator, and the common key KC is a public key authentication. This is a key authentication key KC for generating a child.
Further, the key pair generation unit 14b of the PC 110-1 generates and outputs a public key cryptosystem secret key SK (1) and a public key PK (1) (step S52). Examples of public key cryptosystems include PSEC-KEM and RSA. The generated secret key SK (1) is sent to the internal writing unit 12a of the PC 110-1, and is then stored in the storage unit 13 of the PC 110-1 (step S53).

  The common keys KA, KB, KC output from the common key generation unit 14a and the public key PK (1) output from the key pair generation unit 14b are sent to the key concealment unit 114c of the PC 110-1. The key concealment unit 114c encrypts the common keys KA, KB, and KC using the public key PK (1), and the ciphertexts PE (PK (1), KA), PE (PK (1), KB) , PE (PK (1), KC) is generated and output (step S54).

Further, the public key authenticator generation unit 114k of the PC 110-1 includes the common key KC generated by the common key generation unit 114a, the public key PK (1) generated by the key pair generation unit 14b, and the key concealment unit. The ciphertext PE (PK (1), KA), PE (PK (1), KB), PE (PK (1), KC) generated in 114c, and the identifier read from the storage unit 13 by the internal reading unit 12b ID (1) is entered. Then, the public key authenticator generation unit 114k generates a public key authenticator AU (KC, PK (1)) of the public key PK (1) using these (Step S55). The public key authenticator AU (KC, PK (1)) is, for example,
AU (KC, PK (1)) = HMAC (KC, PK (1), ID (1), PE (PK (1), KA), PE (PK (1), KB), PE (PK (1) , KC))… (1)
And so on. _{Incidentally, HMAC (α, β 1,} β 2, ..., β m) (m is an integer of 1 or more) _{is, β 1, β 2, ...} , bit concatenation of β _m β ₁ | β ₂ | ... | β When _m is β, γ (+) δ is an exclusive OR of γ and δ, opad and ipad are constant bit strings, and H (σ) is a hash value of σ,
H ((α (+) opad) | H ((α (+) ipad) | β))… (2)
(See “Mihir Bellare, Ran Canetti and Hugo Krawczyk,“ Keying Hash Functions for Message Authentication ”, CRYPTO'96, pp1-15, 1996.”, etc.) However, this is an example, and at least the public key authenticator AU (KC, PK (i)) of the public key PK (i) generated using the key authentication key KC and the public key PK (i). That's fine. For example, an electronic signature of the public key PK (i) using the HMAC (KC, PK (1)) or the key authentication key KC may be used as the public key authenticator AU (KC, PK (1)).

Public key PK (1) and ciphertext PE (PK (1), KA), PE (PK (1), KB), PE (PK (1), KC) and public key authenticator AU (KC, PK) (1)) and the ID (1) read from the internal reading unit 12b are sent to the interface unit 21 (FIG. 16 (b)) of the USB memory 120 by the external writing unit 11a of the PC 110-1, and stored from there. Stored in the area 22b of the unit 22 in association with each other (step S56 / PC 110-1 registration completed).
Next, when the USB memory 120 is mounted and mounted on the PC 110-2, the application software installed on the PC 110-2 acquires the host name and the user name, and generates an ID (2) indicating them. And stored in the storage unit 13 (FIG. 17A) of the PC 110-2.

Next, the key pair generation unit 14b (FIG. 17A) of the PC 110-2 generates and outputs the secret key SK (2) and the public key PK (2) of the public key cryptosystem (step S57). . The secret key SK (2) is written into the storage unit 13 by the internal writing unit 12a of the PC 110-2 (step S58).
On the other hand, the public key PK (2) is sent from the external writing unit 11a to the interface unit 21 of the USB memory 120 (FIG. 17 (FIG. 17) together with the identifier ID (2) read from the storage unit 13 by the internal reading unit 12b of the PC 110-2. b)) and from there is stored in association with the area 22b of the storage unit 22 (application for registration in step S59 / PC 110-2).

  Next, when the USB memory 120 is mounted and mounted on the PC 110-1, the external reading unit 11b of the PC 110-1 is associated with the identifier ID (1) from the area 22b of the storage unit 22 of the USB memory 120. The ciphertexts PE (PK (1), KA), PE (PK (1), KB), PE (PK (1), KC) are read, and these are read into the common key recovery unit 114d (FIG. 18 ( a)) (step S60). The secret key SK (1) is read from the storage unit 13 of the PC 110-1 into the common key restoration unit 114d of the PC 110-1 by the internal reading unit 12b of the PC 110-1. The common key restoration unit 14d of the PC 110-1 uses the secret key SK (1) to encrypt the ciphertexts PE (PK (1), KA), PE (PK (1), KB), PE (PK (1), KC ), And the common keys KA, KB, KC (KA = PD (SK (1), PE (PK (1), KA)), KB = PD (SK (1), PE (PK (1), KB) )), KC = PD (SK (1), PE (PK (1), KC))] is extracted (step S61). Further, the external reading unit 11b of the PC 110-1 reads the identifier ID (2) and the public key PK (2) from the area 22a (FIG. 18B) of the storage unit 22 of the USB memory 120 (step S62).

These common keys KA, KB, KC and public key PK (2) are sent to the key concealment unit 14c of the PC 110-1, and the key concealment unit 14c uses the public key PK (2) to public key. Generate ciphertexts PE (PK (2), KA), PE (PK (2), KB), PE (PK (2), KC) by encrypting the common keys KA, KB, KC by encryption method, Output (step S63).
Further, the public key authenticator generation unit 114k of the PC 110-2 is connected to the common key KC, the public key PK (2), and the ciphertext PE (PK (2), KA), PE (PK (2), KB), PE ( PK (2), KC) and identifier ID (2) are input. Then, the public key authenticator generation unit 114k generates a public key authenticator AU (KC, PK (2)) of the public key PK (2) using these as in step S55 (step S64).

  The ciphertext PE (PK (2), KA), PE (PK (2), KB), PE (PK (2), KC) and public key authenticator AU (KC, PK (2)) The data is sent to the interface unit 21 of the USB memory 120 by the writing unit 11a and stored in the area 22b (FIG. 18B) of the storage unit 22 in association with the identifier ID (2) (according to step S65 / PC 110-1). Approval completed). Thereby, registration of PC110-2 is complete | finished.

  After that, the other PC 110-i applies for registration in the same manner as the PC 110-2 (see steps S57 to S59), and the registered PC 110-t (t = 1,..., N) such as the PC 110-1 (USB) The ciphertext PE (PK (2), KA), PE (PK (2), KB), PE (PK (2), KC) is stored in the memory 120, and the secret key SK (t) is stored in its own storage unit 13. Any PC 110-t in which is stored approves as described above (see steps S60 to S65), and all PCs 110-i (i = 1,..., N) are registered.

[Writing process / Reading process]
Next, the writing process and the reading process of this embodiment will be described. It is assumed that the OS, security program, and application software are installed on the PC 110-i.
FIG. 19 is a diagram showing each functional block and data flow related to the writing process of this embodiment, and FIG. 20 shows each functional block and data flow related to the reading process of this embodiment. FIG. FIG. 27 is a sequence diagram for explaining a writing process and a reading process of the present embodiment. Here, an example is shown in which the PC 110-1 writes the ciphertext to the USB memory 120 (writing process), and the PC 110-2 reads the ciphertext from the USB memory 120 and decrypts it (reading process).

  First, it is assumed that the USB memory 120 is mounted and mounted on the PC 110-1. In this state, the application execution unit 14h (FIG. 19A) of the PC 110-1 issues a request to write the ciphertext of plaintext M (1) to the USB memory 120 to the control unit 14i. With this as a trigger, the internal reading unit 12b of the PC 110-1 reads the identifier ID (1) from the storage unit 13 and sends it to the external reading unit 11b of the PC 110-1. The external reading unit 11b transmits the ciphertexts PE (PK (1), KA), PE (PK) associated with the identifier ID (1) from the area 22b (FIG. 19B) of the storage unit 22 of the USB memory 120. (1), KB) is read (step S71).

  The ciphertexts PE (PK (1), KA) and PE (PK (1), KB) are sent to the common key restoration unit 114d (FIG. 19A) of the PC 110-1. Also, using this as a trigger, the internal reading unit 12b of the PC 110-1 reads the secret key SK (1) from the storage unit 13, and sends the secret key SK (1) to the common key restoration unit 114d. The common key restoration unit 114d decrypts the ciphertext PE (PK (1), KA), PE (PK (1), KB) by using the secret key SK (1) and decrypts the common key KA [KA = PD (SK (1), PE (PK (1), KA))], KB [KB = PD (SK (1), PE (PK (1), KB))] is extracted (step S72). The common key KA is sent to the encryption unit 114e of the PC 110-1, and the common key KB is sent to the ciphertext authenticator generation unit 114n. Further, the application execution unit 14h of the PC 110-1 sends the plaintext M (1) to the encryption unit 114e, and the encryption unit 114e uses the common key KA and the plaintext M (1) by the common key encryption method. A ciphertext SE (KA, M (1)) is generated by encrypting (step S73).

The generated ciphertext SE (KA, M (1)) is sent to the ciphertext authenticator generation unit 114n, and the ciphertext authenticator generation unit 114n includes at least the common key KB and the ciphertext SE (KA, M (1)). ) Is used to generate a ciphertext authenticator AU (KB, SE (KA, M (1))) for the ciphertext SE (KA, M (1)) (step S74). The ciphertext authenticator AU (KB, SE (KA, M (1))) is generated as follows, for example.
AU (KB, SE (KA, M (1))) = HMAC (KB, SE (KA, M (1)))… (3)
Note that the ciphertext authenticator AU (KB, SE (KA, M (1))) is not limited to the expression (3), but the ciphertext SE (KA, M (1)) using the common key KB. As long as the information can prove the validity of (), any information such as an electronic signature may be used.

  The ciphertext SE (KA, M (1)) and the ciphertext authenticator AU (KB, SE (KA, M (1))) generated in this way are stored in the USB memory 120 by the external writing unit 11a. The data is sent to the interface unit 21 and stored in the area 22c (FIG. 19B) of the storage unit 22 (step S75 / end of writing process).

  Next, the USB memory 120 is mounted and mounted on the PC 110-2. In this state, the application execution unit 14h of the PC 110-2 receives the ciphertext SE (KA, M (1)) and the ciphertext authenticator AU (KB, SE (KA, M (1))) from the USB memory 120. When a read request is made to the control unit 14i, first, the external reading unit 11b (FIG. 20A) of the PC 110-2 makes a ciphertext SE from the area 22c (FIG. 20B) of the storage unit 22 of the USB memory 120. (KA, M (1)) and ciphertext authenticator AU (KB, SE (KA, M (1))) are read (step S76), and ciphertext PE (PK (2), KA) is further read from area 22b. , PE (PK (2), KB) is read (step S77). Next, the internal reading unit 12b (FIG. 20A) of the PC 110-2 reads the secret key SK (2) from the storage unit 13. Then, the common key restoration unit 114d of the PC 110-2 uses the secret key SK (2) to decrypt the ciphertexts PE (PK (2), KA) and PE (PK (2), KB), respectively. Extract the keys KA [KA = PD (SK (2), PE (PK (2), KA))], KB [KB = PD (SK (2), PE (PK (2), KB))] ( Step S78).

  Thereafter, the common key KB, the ciphertext SE (KA, M (1)), and the ciphertext authenticator AU (KB, SE (KA, M (1))) are input to the ciphertext verification unit 114p of the PC 110-2. The ciphertext verification unit 114p uses the common key KB and the ciphertext authenticator AU (KB, SE (KA, M (1))), and the ciphertext SE (KA, M (1)) is valid. It is verified whether or not (step S79). For example, in the example in which the certifier AU (KB, SE (KA, M (1))) is generated by the above-described equation (3) in step S73, the ciphertext verification unit 114p of the PC 110-2 is input. HMAC (KB, SE (KA, M (1))) is calculated using the common key KB and the ciphertext SE (KA, M (1)), and the operation result and the input HMAC (KB, SE ( KA, M (1))).

  Here, if they are not equal, it is determined that the ciphertext SE (KA, M (1)) is invalid, and the control unit 14i ends the process with an error. On the other hand, if they are equal, it is assumed that the ciphertext SE (KA, M (1)) is valid, and the decryption unit 114f of the PC 110-2 uses the common key KA to encrypt the ciphertext SE (KA, M ( 1)) is decrypted to extract plaintext M (1) [M (1) = SD (KA, SE (KA, M (1))] (step S80). The data is sent to the application execution unit 14h of the PC 110-2 (end of the reading process).

[Deleting process]
Next, the deletion process of this embodiment will be described. It is assumed that the OS, security program, and application software are installed on the PC 110-i.
21 to 24 are diagrams showing each functional block and data flow related to the deletion process of this embodiment. 28 and 29 are sequence diagrams for explaining the deletion process of this embodiment.
It is assumed that the USB memory 120 is mounted and mounted on the PC 110-1. Also in this embodiment, the registration of the PC 110-2 is deleted as in the first embodiment.

  First, the internal reading unit 12b of the PC 110-1 reads the identifier ID (1) from the storage unit 13 and sends it to the external reading unit 11b (FIG. 21). The external reading unit 11b transmits the ciphertexts PE (PK (1), KA), PE (PK (1), PE) associated with the identifier ID (1) from the area 22b (FIG. 22) of the storage unit 22 of the USB memory 120. KC) is read (step S91).

  Next, the internal reading unit 12b (FIG. 21) of the PC 110-1 reads the secret key SK (1) from the storage unit 13 and sends it to the common key restoration unit 14d. The common key restoration unit 14d uses the secret key SK (1) to decrypt the ciphertexts PE (PK (1), KA) and PE (PK (1), KC) read from the USB memory 120 and share them. Extract the keys KA [KA = PD (SK (1), PE (PK (1), KA))], KC [KC = PD (SK (1), PE (PK (1), KC))] ( Step S92).

  Next, the external reading unit 11b of the PC 110-1 uses the identifier ID (s) (s = 1,..., N, s ≠ 2) other than the PC 110-2 to be deleted from the USB memory 120 and the public key PK ( s), public key authenticator AU (KC, PK (s)) and ciphertext PE (PK (s), KA), PE (PK (s), KB), PE (PK (s), KC) (Step S93), these are sent to the public key verification unit 114m. The public key verification unit 114m further receives the common key KC, and the public key verification unit 114m verifies the validity of the public key PK (s) using these pieces of information (step S94). For example, the public key authenticator AU (KC, PK (s)) is AU (KC, PK (s)) = HMAC (KC, PK (s), ID (s), PE (PK (s), KA), When generated as PE (PK (s), KB), PE (PK (s), KC)), the public key verification unit 114m uses the input information to generate HMAC (KC, PK (s) , ID (s), PE (PK (s), KA), PE (PK (s), KB), PE (PK (s), KC)), and the calculation result and the input public key It is determined whether or not the authenticator AU (KC, PK (s)) is equal.

Here, all the PCs 110-s ′ corresponding to the public key PK (s ′) determined to be invalid are added to the registration deletion target. That is, after step S94, s = 1,..., N, s ≠ 2, and s ≠ s ′.
Then, the common key generation unit 114a of the PC110-1 is a new common key KA _{new new,} KB _{new new,} to produce a KC _{new new} (step S95).
Further, the external reading unit 11b of the PC 110-1 reads the ciphertext SE (KA, M (i)) (i = 1,..., N) corresponding to the PC 110-i from the USB memory 120 (step S96). And sent to the decoding unit 114f. The decryption unit 114f decrypts the ciphertext SE (KA, M (i)) using the common key KA obtained by the common key restoration unit 114d, and plaintext M (i) [M (i) = SD (KA, SE (KA, M (i))] is extracted (step S97).

Next, each extracted plaintext M (i) and a new common key KA _new are input to the encryption unit 114e of the PC 110-1, and the encryption unit 114e uses the new common key KA _new. A ciphertext SE (KA _new , M (i)) obtained by encrypting each plaintext M (i) is generated (step S98). Furthermore, the ciphertext authentication code generation unit 114n, the ciphertext _{SE (KA new, M (i} )) and a new common key KA _{new new,} and KB _{new new} is inputted, the ciphertext authentication code generation unit 114n, Step S74 and similarly, the ciphertext SE ciphertext authenticator for AU _{(KA new, M (i)} ) (KB new, SE (KA new, M (i))) for generating a (step S99).

The generated ciphertexts SE (KA _new , M (i)) and their ciphertext authenticators AU (KB _new , SE (KA _new , M (i))) are the external writing unit 11a of the PC 110-1. Sent to. The external writing unit 11a stores the ciphertext SE (KA _new , M (i)) and the ciphertext authenticator AU (KB _new , SE (KA _new , M (i))) in the USB memory 120. The interface unit 21 stores these in the area 22c (FIG. 22) of the storage unit 22 (step S100).

Next, the external reading unit 11b (FIG. 23A) of the PC 110-1 reads the public key PK (s) and identifier ID (s) corresponding to each PC 110-s from the USB memory 120 (step S101). These are sent to the key concealment unit 114c. The key concealment unit 114c encrypts the common keys KA _new , KB _new , KC _new newly generated by the common key generation unit 114a by using the public key encryption method using each read public key PK (s). Then, ciphertexts PE (PK (s), KA _new ), PE (PK (s), KB _new ), and PE (PK (s), KC _new ) are generated (step S102).
Further, the public key authenticator generation unit 114k receives the newly generated common key KC _new and ciphertext PE (PK (s), KA _new ), PE (PK (s), KB _new ), PE (PK (s ), KC _new ), public key PK (s), and identifier ID (s) are input, and the public key authenticator AU (KC, PK (s)) of each public key PK (s) is entered in the same manner as in step S55. Generate (step S103).

Each ciphertext PE (PK (s), KA _new ), PE (PK (s), KB _new ), PE (PK (s), KC _new ) and public key authenticator AU (KC, PK (s)) Is sent to the interface unit 21 (FIG. 23B) of the USB memory 120 by the external writing unit 11a of the PC 110-1. Then, the interface unit 21 includes each ciphertext PE (PK (s), KA _new ), PE (PK (s), KB _new ), PE (PK (s), KC _new ) and public key authenticator AU ( KC, PK (s)) are stored in the area 22b of the storage unit 22 of the USB memory 120 in association with the identifier ID (s) (FIG. 23B) (step S104).

  Next, the deletion unit 14g (FIG. 24A) of the PC 110-1 issues a deletion command, and the external writing unit 11a receiving the command issues the area 22c of the storage unit 22 of the USB memory 120 (FIG. 23B). Ciphertext SE (KA, M (i)) and ciphertext authenticator AU (KB, SE (KA, M (i))) are deleted from the ciphertext PE (PK (i), KA), PE (PK (i), KB), PE (PK (i), KC), public key authenticator AU (KC, PK (i)), identifier ID (2), ID (s') and public key PK ( 2) PK (s ′) is deleted (FIG. 24B) (step S105). The identifier ID (s ′) and the public key PK (s ′) correspond to the PC 110-s ′ that has been determined that the public key PK (s ′) is not valid in step S94.

[Third Embodiment]
Next, a third embodiment of the present invention will be described. This embodiment is a modification of the second embodiment. The only difference from the second embodiment is that the configuration of the key concealment unit 114c and the common key restoration unit 114d that conceal and decrypt a plurality of common keys is devised to reduce the amount of calculation. Hereinafter, only the key concealment unit 114c and the common key restoration unit 114d of this embodiment will be described.

<Key concealment unit 114c>
FIG. 30A is a block diagram showing the configuration of the key concealment unit 114c of this embodiment. FIG. 31 is a flowchart for explaining the key concealment processing of this embodiment. Hereinafter, using these figures, the secret key KA. KB, KC and the public key PK (1) are input to the key concealment unit 114c of the present embodiment, and the key concealment unit 114c transmits the ciphertext PE (PK (1 ), KA), PE (PK (1), KB), and PE (PK (1), KC) will be described as an example.

First, the random number generation unit 114ca of the key concealment unit 114c generates a random number Z (1) (for example, a bit length of 384 bits) (step S121). To 114 cc. The public key encryption unit 114cb encrypts the random number Z (1) using the input public key PK (1) by the public key cryptosystem, and the ciphertext C (1) = PE (PK (1), Z (1)) is generated (step S122). Further, the random number dividing unit 114cc divides the random number Z (1) into 3 (example of Y = 3) random numbers Z (1, y) (y = 1, 2, 3) (for example, bit length 128 bits). (Step S123). Each divided random number Z (1, y) is sent to the common key encryption unit 114cd of the key concealment unit 114c. The common key encryption unit 114cd uses the random number Z (1, 1) as a key and a ciphertext SE (Z (1, 1), KA) obtained by encrypting the common key KA by a common key encryption method (Camellia, AES, etc.). And the ciphertext SE (Z (1, 2), KB) encrypted with the common key cryptosystem and the random number Z (1, 2) as the key and the random number Z (1, 3) as the key. Then, the ciphertext SE (Z (1, 3), KC) obtained by encrypting the common key KC by the common key cryptosystem is calculated (steps S124 to S126). Then, the key concealment unit 114c
PE (PK (1), KA) = (C (1), SE (Z (1, 1), KA))
PE (PK (1), KB) = (C (1), SE (Z (1, 2), KB))
PE (PK (1), KC) = (C (1), SE (Z (1, 3), KC))
Is output (step S127). Note that (C (1), SE (Z (1, 1), KA)) means information having C (1) and SE (Z (1, 1), KA), and (C (1 ), SE (Z (1, 2), KB)) means information having C (1) and SE (Z (1, 2), KB), and (C (1), SE (Z ( 1, 3), KC)) means information having C (1) and SE (Z (1, 3), KC). Further, specific examples of “information having α and β” include bit combination between α and β, bit combination between the bit combination and other data, and the like.

<Common key restoration unit 114d>
FIG. 30B is a block diagram showing the configuration of the common key restoration unit 114d of this embodiment. FIG. 32 is a flowchart for explaining the key restoration processing of this embodiment. Hereafter, using these figures, the ciphertexts PE (PK (1), KA), PE (PK (1), KB), PE (PK (1), KC) and the private key SK (1) are in this form. The common key restoration unit 114d decrypts the ciphertext PE (PK (1), KA), PE (PK (1), KB), PE (PK (1), KC). An example of this process will be described.
First, the public key decryption unit 114da of the common key restoration unit 114d decrypts the ciphertext C (1) = PE (PK (1), Z (1)) using the input secret key SK (1). Then, the random number Z (1) [Z (1) = PD (SK (1), C (1))] is extracted (step S131). The random number Z (1) is input to the random number dividing unit 114db of the common key restoration unit 114d. The random number dividing unit 114db converts the random number Z (1) into 3 (example of Y = 3) random numbers Z (1, y) (y = 1, 2, 3) (for example, bit length 128 bits) is divided (step S132). Next, the random number Z (1, y) (y = 1, 2, 3) and the ciphertext SE (Z (1, 1), KA), SE ( Z (1, 2), KB) and SE (Z (1, 3), KC) are input. The common key decryption unit 114 dc uses the random number Z (1, 1) as a key, decrypts the ciphertext SE (Z (1, 1), KA) by the common key cryptosystem, and the random number Z (1, 2). Key and the decrypted ciphertext SE (Z (1, 2), KB) by the common key cryptosystem and the random number Z (1, 3) as the key, and the ciphertext SE (Z ( 1, 3), KC obtained by decoding KC) is calculated (steps S133 to S135). Then, the common key restoration unit 114d outputs the common keys KA, KB, KC (step S136).

  As described above, the key concealment unit 114c according to the present embodiment uses the secret key SK (1) by one encryption process using the public key encryption method and three encryption processes using the common key encryption method. The ciphertexts PE (PK (1), KA), PE (PK (1), KB), and PE (PK (1), KC) of the private keys KA, KB, and KC that can be decrypted can be created. The amount of computation required for this is smaller than the amount of computation when each of the secret keys KA, KB, and KC is encrypted by three encryption processes using the public key cryptosystem. Such an effect of reducing the amount of calculation can be obtained at the time of decoding.

[Fourth Embodiment]
Next, a fourth embodiment of the present invention will be described. This embodiment is also a modification of the second embodiment. While improving the security by devising the processing of the encryption unit 114e and the decryption unit 114f, and using the random numbers used for the processing to generate a ciphertext authenticator, while suppressing an increase in the amount of computation The point that the security of the ciphertext authenticator is improved is different from the second embodiment. Only the differences from the second embodiment will be described below.

<Writing process of this embodiment>
FIG. 33 is a diagram showing each functional block and data flow related to the writing process of this embodiment. Here, an example in which the PC 110-1 writes the ciphertext to the USB memory 120 is shown.
It is assumed that the USB memory 120 is mounted and mounted on the PC 110-1. First, the application execution unit 14h of the PC 110-1 designates the sector number se (1 sector = 512 bytes) and issues a request for writing the ciphertext of plaintext M (1) to the USB memory 120 to the control unit 14i. With this as a trigger, the same processing as steps S71 and 72 (FIG. 27) of the second embodiment is executed.
Next, the common key KA, the designated sector number se, and plaintext M (1) are input to the encryption unit 114e, and the encryption unit 114e encrypts the plaintext M (1) using the common key KA. The encrypted ciphertext SE (KA, M (1)) is generated, and the random number E (1) and the ciphertext SE (KA, M (1)) are output. Details of the encryption unit 114e will be described below.

[Details of Encryption Unit 114e of this Embodiment]
FIG. 35A is a block diagram showing details of the encryption unit 114e of this embodiment. FIG. 36A is a flowchart for explaining the encryption processing of this embodiment.
First, the block division unit 114ea of the encryption unit 114e receives X (X ≧ 2) (for example, X = 32) blocks MB (p, x) (x = 1,...) Of the input plaintext M (1). ., X) (step S141). Each block MB (p, x) is sent to the block encryption unit 114ed, and the block number x is sent to the function calculation unit 114ec.

  Further, the random number generation unit 114eb of the encryption unit 114e generates and outputs a random number E (1) for each plaintext M (1) (step S142). Next, the sector number se, the random number E (1), and the block number x of the storage unit 22 of the USB memory 120 that stores the ciphertext of the plaintext M (1) are input to the function calculation unit 114ec of the encryption unit 114e. The function calculation unit 114ec calculates a function value IV = π (x, E (1), se) obtained by substituting these into a predetermined function π for each block number x (for example, x, E (1), se). The bit concatenation of these is IV) (step S143).

Further, the function value IV, the block MB (1, x), and the common key KA are input to the block encryption unit 114ed of the encryption unit 114e. The block encryption unit 114ed encrypts each block MB (1, x) by a block encryption method (counter mode or the like) using the common key KA and the function value IV as an initial vector. Then, the block encryption unit 114ed generates a ciphertext SE (KA, M (1)) from the ciphertext of the calculated all blocks MB (1, x) (for example, all the blocks MB (1, x) The bit concatenated value of the ciphertext is output as ciphertext SE (KA, M (1)) (step S144).
The generated ciphertext SE (KA, M (1)) is sent to the ciphertext authenticator generation unit 114n together with the random number E (1), and the ciphertext authenticator generation unit 114n includes at least the common key KB and the ciphertext SE ( Ciphertext authenticator AU (KB, E (1), SE (KA, M (1)) of ciphertext SE (KA, M (1)) using KA, M (1)) and random number E (1) )) Is generated.

  From the ciphertext SE (KA, M (1)), ciphertext authenticator AU (KB, SE (KA, M (1))), random number E (1), and application execution unit 14h generated as described above. The sent sector number se is sent to the interface unit 21 of the USB memory 120 by the external writing unit 11a. The interface unit 21 adds the ciphertext SE (KA, M (1)) and the ciphertext authenticator AU (KB, SE (KA, M (1)) to the sector in the area 22c of the storage unit 22 specified by the sector number se. ))) And random number E (1) are stored (step S145) (end of description of [details of encryption unit 114e of this embodiment]).

<Reading process of this embodiment>
FIG. 34 is a diagram showing each functional block and data flow related to the reading process of this embodiment. In this example, the PC 110-2 reads the ciphertext from the USB memory 120 and decrypts it.
First, the USB memory 120 is mounted and mounted on the PC 110-2. Then, the application execution unit 14h of the PC 110-2 designates the sector number se and requests the control unit 14i to read and decrypt the ciphertext from the USB memory 120. Using this as a trigger, first, the external reading unit 11b of the PC 110-2 designates the sector number se, and from the area 22c of the storage unit 22 of the USB memory 120, the ciphertext SE (KA, M (1)) and The ciphertext authenticator AU (KB, E (1), SE (KA, M (1))) and the random number E (1) are read, and the ciphertext PE (PK (2), KA), Read PE (PK (2), KB).

  Next, the internal reading unit 12b (FIG. 20A) of the PC 110-2 reads the secret key SK (2) from the storage unit 13. Then, the common key restoration unit 114d of the PC 110-2 uses the secret key SK (2) to decrypt the ciphertexts PE (PK (2), KA) and PE (PK (2), KB), respectively. The keys KA [KA = PD (SK (2), PE (PK (2), KA))], KB [KB = PD (SK (2), PE (PK (2), KB))] are extracted.

  Thereafter, the ciphertext verification unit 114p of the PC 110-2 receives the common key KB, the ciphertext SE (KA, M (1)), and the ciphertext authenticator AU (KB, E (1), SE (KA, M (1)). )), A random number E (1), and a sector number se are input, and the ciphertext verification unit 114p verifies whether or not the ciphertext SE (KA, M (1)) is valid. To do. If the ciphertext SE (KA, M (1)) is valid, the decryption unit 114f of the PC 110-2 uses the common key KA, the random number E (1), and the sector number se to encrypt the ciphertext SE (KA, M (1)) is decrypted to extract plain text M (1) [M (1) = SD (KA, SE (KA, M (1))]. Hereinafter, details of the decryption unit 114f of this embodiment will be described. explain.

[Details of Decoding Unit 114f of this Embodiment]
FIG. 35B is a block diagram showing details of the decoding unit 114f of this embodiment. FIG. 36B is a flowchart for explaining the decoding processing of this embodiment.
First, the block division unit 114fa of the decryption unit 114f converts the ciphertext SE (KA, M (1)) into X (X ≧ 2) (for example, X = 32) blocks SEB (KA, M (1), x ) (X = 1,..., X) (step S151). This process is a reverse process of the process in which the block encryption unit 114ed in FIG. 35A generates the ciphertext SE (KA, M (1)) from the ciphertext of all blocks MB (1, x). Each block SEB (KA, M (1), x) is sent to the block decoder 114fd, and the block number x is sent to the function calculator 114fc.

  Next, the sector number se, the random number E (1), and the block number x are input to the function calculation unit 114fc of the decryption unit 114f, and the function calculation unit 114fc substitutes a function value IV = π (x, E (1), se) is calculated for each block number x (eg, bit concatenation of x, E (1), se is IV) (step S152).

  The function value IV, the block SEB (KA, M (1), x), and the common key KA are input to the block decryption unit 114fd of the encryption unit 114e. The block decryption unit 114fd decrypts the block SEB (KA, M (1), x) by using the common key KA and the block decryption method (counter mode or the like) using the function value IV as an initial vector, and each block MB. Extract (1, x). This process is a reverse process of the process of the block encryption unit 114ed in FIG. Then, the block decryption unit 114fd generates and outputs plaintext M (1) from all the calculated blocks MB (1, x) (step S153). The output plaintext M (1) is sent to the application execution unit 14h of the PC 110-2 (end of description of [Details of the decryption unit 114f of this embodiment]).

  The encryption unit 114e and the decryption unit 114f of the present embodiment described above are similarly executed in the [deletion process], but description thereof is omitted here. Further, the configuration may be such that the sector number se is not used for the encryption processing and the decryption processing of the encryption unit 114e and the decryption unit 114f, or other information is used to generate the function value IV. There may be.

[Other variations, etc.]
The present invention is not limited to the above-described embodiment. For example, in the first embodiment, the common key is regenerated and the information in the USB memory is rewritten in the deletion process of deleting a specific PC from the registration, but the common key is not deleted from the registration. May be regenerated to rewrite the information in the USB memory. Such processing is effective, for example, when the common key is leaked to a third party.

  Further, each information processing apparatus does not necessarily have to be configured in one housing. For example, a key pair generation unit that generates a key pair of a public key and a private key and other components may be configured in separate cases, and the key pair generation units of a plurality of information processing apparatuses are included in one case. The body may be configured as a whole. In this case, the configuration may be such that a plurality of information processing apparatuses share one key pair generation unit.

  In each of the above-described embodiments, a personal computer is illustrated as an example of an information processing apparatus, and a USB memory is illustrated as an example of an information recording medium. However, the present invention is not limited to these. For example, a mobile phone, a personal digital assistant (PDA), or the like may be used as the information processing apparatus. As an information recording medium, a DVD-RAM (Random Access Memory), a CD-R (Recordable) / RW (ReWritable), an MO (Magneto-Optical disc), or the like may be used, or a non-portable type such as a hard disk device. These recording media may be used. Furthermore, as an information recording medium, a memory of a device including a calculation device such as a mobile phone, a personal digital assistant (PDA), or a personal computer may be used.

FIG. 37 is a conceptual diagram illustrating an information recording medium sharing system 201 using a non-portable recording medium as an information recording medium.
The example of FIG. 37 is an example in which the hard disk device 221 included in the server device 220 is an information recording medium. The server device 220 and the plurality of PCs 10-1 to 10 -n described above are communicably connected, and the external writing unit 11 a (FIG. 2A) of each PC 10-i writes various data to the hard disk device 221. The external reading unit 11b of each PC 10-i is configured to be able to read various data from the hard disk device 221. The server device 221 and the PCs 10-1 to 10-n may be connected through a local network or may be connected through a global network. Then, not the USB memory 20 or the USB memory 120 but the hard disk device 221 is used as the information recording medium, and the same processing as in each of the above embodiments is executed. Other configurations and processes are the same as those in the above-described embodiments.

Further, a plurality of information recording media may be used, and information stored in the information recording media may be distributed and stored.
FIG. 38 is a conceptual diagram illustrating an information recording medium sharing system 301 using a plurality of information recording media. FIG. 39 is a block diagram illustrating the USB memories 320 and 330 of FIG.
38 and 39, the present invention is implemented using two USB memories 320 and 330 as information recording media. As illustrated in FIG. 39A, the USB memories 320 and 330 are configured in the same manner as the USB memory 20 described above. However, the storage unit 22 of the USB memory 320 has {ID (1), PK (1), PE (PK (1), KA)}... {ID (n), PK (n), PE (PK (n), KA)} and only the security program are stored, and {SE (KA, M (1))}... {SE (KA, M (n))} is not stored. On the other hand, the storage unit 22 of the USB memory 330 stores only {SE (KA, M (1))}... {SE (KA, M (n))}, and {ID (1), PK ( 1), PE (PK (1), KA)} ... {ID (n), PK (n), PE (PK (n), KA)} and security programs are not stored. The procedure for storing each information is as described above. In addition, when configuring an information recording medium sharing system using a plurality of information recording media, the information recording media may be different from each other, and a part of the plurality of information recording media may be used. A portable information recording medium may be used, and another information recording medium may be a non-portable recording medium. For example, the present invention may be implemented using a USB memory removable from a PC and a hard disk provided in a server device connected through a network as an information recording medium.

In addition, the various processes described above are not only executed in time series according to the description, but may be executed in parallel or individually according to the processing capability of the apparatus that executes the processes or as necessary. Needless to say, other modifications are possible without departing from the spirit of the present invention.
The program describing the processing contents executed by the PC can be recorded on a computer-readable recording medium. As the computer-readable recording medium, any of the above-described USB memory, for example, a magnetic recording device, an optical disk, a magneto-optical recording medium, a semiconductor memory, and the like may be used. As a device, a hard disk device, a flexible disk, a magnetic tape or the like, and an optical disk such as a DVD (Digital Versatile Disc), a DVD-RAM (Random Access Memory), a CD-ROM (Compact Disc Read Only Memory), a CD-R (Recordable) / RW (ReWritable) or the like can be used as a magneto-optical recording medium, an MO (Magneto-Optical disc) or the like as a semiconductor memory, or an EEP-ROM (Electronically Erasable and Programmable-Read Only Memory) or the like.

The program is distributed by selling, transferring, or lending a portable recording medium such as a USB memory, DVD, or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.
A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its own storage device. When executing the process, the computer reads a program stored in its own recording medium and executes a process according to the read program. As another execution form of the program, a computer may read the program directly from a portable recording medium and execute processing according to the program.

Note that the program in this embodiment includes information that is used for processing by an electronic computer and that conforms to the program (data that is not a direct command to the computer but has a property that defines the processing of the computer).
In this embodiment, the present apparatus is configured by executing a predetermined program on a computer. However, at least a part of these processing contents may be realized by hardware.

  As a field of use of the present invention, for example, concealment of data stored in a USB memory can be exemplified.

FIG. 1 is a conceptual diagram illustrating the overall configuration of the information recording medium sharing system according to the first embodiment. FIG. 2A is a block diagram illustrating the functional configuration of the PC according to the first embodiment, and FIG. 2B is a block diagram illustrating the functional configuration of the USB memory according to the present embodiment. FIG. 3 is a diagram showing each functional block and data flow related to the registration process of the first embodiment. FIG. 4 is a diagram illustrating each functional block and data flow related to the registration process of the first embodiment. FIG. 5 is a diagram showing each functional block and data flow related to the registration process of the first embodiment. FIG. 6 is a diagram showing each functional block and data flow related to the writing process of the first embodiment. FIG. 7 is a diagram showing each functional block and data flow related to the reading process of the first embodiment. FIG. 8 is a diagram illustrating each functional block and data flow related to the deletion process of the first embodiment. FIG. 9 is a diagram illustrating each functional block and data flow related to the deletion process of the first embodiment. FIG. 10 is a diagram illustrating each functional block and data flow related to the deletion process of the first embodiment. FIG. 11 is a sequence diagram for explaining a registration process according to the first embodiment. FIG. 12 is a sequence diagram for explaining a writing process and a reading process according to the first embodiment. FIG. 13 is a sequence diagram for explaining the deletion process of the first embodiment. FIG. 14 is a block diagram illustrating a functional configuration of a PC according to the second embodiment. FIG. 15 is a block diagram illustrating a functional configuration of the USB memory according to the second embodiment. FIG. 16 is a diagram illustrating each functional block and data flow related to the registration process of the second embodiment. FIG. 17 is a diagram illustrating each functional block and data flow related to the registration process of the second embodiment. FIG. 18 is a diagram illustrating each functional block and data flow related to the registration process of the second embodiment. FIG. 19 is a diagram illustrating each functional block and data flow related to the writing process of the second embodiment. FIG. 20 is a diagram illustrating each functional block and data flow related to the reading process of the second embodiment. FIG. 21 is a diagram illustrating each functional block and data flow related to the deletion process of the second embodiment. FIG. 22 is a diagram illustrating each functional block and data flow related to the deletion process of the second embodiment. FIG. 23 is a diagram illustrating each functional block and data flow related to the deletion process of the second embodiment. FIG. 24 is a diagram illustrating each functional block and data flow related to the deletion process of the second embodiment. FIG. 25 is a sequence diagram for explaining a registration process according to the second embodiment. FIG. 26 is a sequence diagram for explaining a registration process according to the second embodiment. FIG. 27 is a sequence diagram for explaining a writing process and a reading process according to the second embodiment. FIG. 28 is a sequence diagram for explaining a deletion process according to the second embodiment. FIG. 29 is a sequence diagram for explaining a deletion process according to the second embodiment. FIG. 30A is a block diagram illustrating a configuration of a key concealment unit according to the third embodiment. FIG. 30B is a block diagram illustrating a configuration of the common key restoration unit according to the third embodiment. FIG. 31 is a flowchart for explaining the key concealment processing of the third embodiment. FIG. 32 is a flowchart for explaining a key restoration process according to the third embodiment. FIG. 33 is a diagram illustrating each functional block and data flow related to the writing process of the fourth embodiment. FIG. 34 is a diagram showing each functional block and data flow related to the reading process of the fourth embodiment. FIG. 35A is a block diagram illustrating details of the encryption unit according to the fourth embodiment. FIG. 35B is a block diagram showing details of the decoding unit of this embodiment. FIG. 36A is a flowchart for explaining the encryption processing of the fourth embodiment. FIG. 36B is a flowchart for explaining the decoding processing of this embodiment. FIG. 37 is a conceptual diagram illustrating an information recording medium sharing system using a non-portable recording medium as an information recording medium. FIG. 38 is a conceptual diagram illustrating an information recording medium sharing system using a plurality of information recording media. FIG. 39 is a block diagram illustrating each information recording medium of FIG.

Explanation of symbols

1,200,300 Information recording medium sharing system 10,110 PC (equivalent to “information processing device”)
20,120 USB memory (equivalent to “information recording medium”)
220 Hard disk device (equivalent to “information recording medium”)

Claims (9)

n (n is an integer of 2 or more) information processing devices PC (i) (i = 1,..., n) share the information recording medium, store the ciphertext in the information recording medium, and An information recording medium security method for decrypting plaintext from ciphertext stored in a recording medium,
The process of storing the public key cryptography secret key SK (i) corresponding to each information processing device PC (i) in the storage unit of the information processing device PC (i) corresponding to the secret key SK (i), respectively And each ciphertext PE (PK (i),) obtained by encrypting the common key KA of the common key cryptosystem using the public key PK (i) of the public key cryptosystem corresponding to each information processing device PC (i) KA) and a public key PK (i) corresponding to each of the information processing devices PC (i) are stored in the information recording medium in association with each other , a registration process comprising:
Any of the information processing devices PC (p) (p∈ {1) in which the ciphertext PE (PK (p), KA) is stored in the information recording medium and the secret key SK (p) is stored in its own storage unit , ..., n}) the external reading unit reads the ciphertext PE (PK (p), KA) from the information recording medium, and the common key restoration unit of the information processing device PC (p) The process of decrypting the ciphertext PE (PK (p), KA) using the secret key SK (p) stored in the storage unit and extracting the common key KA, and the encryption of the information processing device PC (p) A process of generating a ciphertext SE (KA, M (p)) obtained by encrypting plaintext M (p) using a common key KA, and an external writing unit of the information processing apparatus PC (p) Storing the ciphertext SE (KA, M (p)) in the information recording medium, and a writing process comprising:
Any of the information processing apparatuses PC (q) (q∈ {1) in which the ciphertext PE (PK (q), KA) is stored in the information recording medium and the secret key SK (q) is stored in its own storage unit , ..., n}) the external reading unit reads the ciphertext PE (PK (q), KA) from the information recording medium, and the external reading unit of the information processing apparatus PC (q) The process of reading the ciphertext SE (KA, M (p)) from the information recording medium and the common key recovery unit of the information processing apparatus PC (q) using the secret key SK (q) stored in the storage unit The process of decrypting the ciphertext PE (PK (q), KA) and extracting the common key KA, and the decryption unit of the information processing device PC (q) uses the common key KA to encrypt the ciphertext SE (KA, Decrypting M (p)) and extracting plaintext M (p), and a reading process comprising:
Any of the information processing devices PC (r) (r∈ {1) in which the ciphertext PE (PK (r), KA) is stored in the information recording medium and the secret key SK (r) is stored in its own storage unit , ..., n}) the external reading unit reads the ciphertext PE (PK (r), KA) from the information recording medium, and the common key restoration unit of the information processing device PC (r) The process of decrypting the ciphertext PE (PK (r), KA) using the secret key SK (r) stored in the storage unit and extracting the common key KA, and the common key of the information processing apparatus PC (r) The generation unit generates a new common key KA _new, and the external reading unit of the information processing device PC (r) performs any one of the information processing devices PC (s) (s = 1, ..., n) and the decryption unit of the information processing apparatus PC (r) reads the ciphertext SE (KA using the common key KA. , a process of extracting the M (s)) plaintext M (s) to decrypt the encrypted portion of the information processing apparatus PC (r) is a new common key KA _{new new} There are ciphertext SE obtained by encrypting plaintext M (s) and generating a _{(KA new, M (s)} ), external write unit of the information processing apparatus PC (r) is the ciphertext SE (KA _{new new,} M (s)) in the information recording medium, and a re-encryption process comprising:
The external reading unit of the information processing device PC (r) reads the public key PK (s) corresponding to the information processing device PC (s) from the information recording medium, and the information processing device PC (r) The key concealing unit generates a ciphertext PE (PK (s), KA _new ) obtained by encrypting a _new common key KA _new using the public key PK (s), and the information processing apparatus PC (r ) External writing unit storing the ciphertext PE (PK (s), KA _new ) in the information recording medium, and a re-registration process comprising:
A deletion process in which the deletion unit of the information processing apparatus PC (r) deletes the ciphertext SE (KA, M (s)) stored in the information recording medium from the information recording medium;
A security method for an information recording medium, comprising: The information recording medium security method according to claim 1 ,
In the re-registration process, information other than the information processing device PC (w) (w = 1,..., N) to be deleted from the information recording medium is read by the external reading unit of the information processing device PC (r). The process of reading the public key PK (s) corresponding to the processing device PC (s) and the key concealment unit of the information processing device PC (r) use the public key PK (s) to create a new common key KA. _The process of generating the ciphertext PE (PK (s), KA _new ) encrypted with _new and the external writing unit of the information processing device PC (r) converts the ciphertext PE (PK (s), KA _new ) Storing in the information recording medium, and a process comprising :
The security method of the information recording medium is as follows:
A method for security of an information recording medium, wherein when the information processing apparatus PC (w) is registered and deleted, the re-encryption process, the re-registration process, and the deletion process are executed in order . n (n is an integer of 2 or more) information processing devices PC (i) (i = 1,..., n) share the information recording medium, store the ciphertext in the information recording medium, and An information recording medium security method for decrypting plaintext from ciphertext stored in a recording medium,
The process of storing the public key cryptography secret key SK (i) corresponding to each information processing device PC (i) in the storage unit of the information processing device PC (i) corresponding to the secret key SK (i), respectively And each ciphertext PE (PK (i),) obtained by encrypting the common key KA of the common key cryptosystem using the public key PK (i) of the public key cryptosystem corresponding to each information processing device PC (i) comprising a KA), and a process of storing the (ciphertext each ciphertext PE of the authentication key KB encrypted (PK (i using i)), KB) on the information recording medium the public key PK Registration process ,
Either the ciphertext PE (PK (p), KA) and the ciphertext PE (PK (p), KB) are stored in the information recording medium, and the private key SK (p) is stored in its own storage unit. The external reading unit of the information processing device PC (p) (p∈ {1, ..., n}) reads the ciphertext PE (PK (p), KA) and ciphertext PE (PK (p) from the information recording medium. ), KB), and the common key recovery unit of the information processing apparatus PC (p) uses the secret key SK (p) stored in the storage unit to encrypt the ciphertext PE (PK (p), KA). And extracting the common key KA, decrypting the ciphertext PE (PK (p), KB) using the secret key SK (p) and extracting the ciphertext authentication key KB, and the information The block division unit of the encryption unit of the processing device PC (p) divides the plaintext M (p) into X (X ≧ 2) blocks MB (p, x) (x = 1, ..., X) And the random number generator of the encryption unit generates a random number E (p) for each plaintext M (p) and the function calculator of the encryption unit is at least a block MB (p, x) Block number x and random number E The function value IV = π (x, E (p)) is calculated by substituting (p) into a predetermined function π, and the block encryption unit of the encryption unit uses the common key KA to calculate the function value. Encrypting each block MB (p, x) using IV as an initial vector, and generating ciphertext SE (KA, M (p)) from the ciphertext of all the calculated blocks MB (p, x), and The ciphertext authentication unit of the information processing device PC (p) includes at least the ciphertext authentication key KB, the random number E (p) generated by the random number generation unit of the encryption unit, and the ciphertext SE generated by the encryption unit. Using (KA, M (p)) and generating the authenticator AU (KB, E (p), SE (KA, M (p))) for the ciphertext SE (KA, M (p)) The external writing unit of the information processing apparatus PC (p) performs the ciphertext SE (KA, M (p)), the random number E (p), and the authenticator AU (KB, E (p), SE (KA , M (p))) in the information recording medium, and a writing process comprising:
Either the ciphertext PE (PK (q), KA) and the ciphertext PE (PK (q), KB) are stored in the information recording medium, and the secret key SK (q) is stored in its own storage unit. The external reading unit of the information processing device PC (q) (q∈ {1, ..., n}) reads the ciphertext PE (PK (q), KA) and ciphertext SE (KA, M) from the information recording medium. (p)), random number E (p) and authenticator AU (KB, E (p), SE (KA, M (p))), and common key recovery of the information processing device PC (q) Unit decrypts the ciphertext PE (PK (q), KA) using the secret key SK (q) stored in the storage unit, extracts the common key KA, and uses the secret key SK (q) The process of decrypting the ciphertext PE (PK (q), KB) and extracting the ciphertext authentication key KB, and the ciphertext verification unit of the information processing device PC (q) at least the ciphertext authentication key KB And the above-mentioned ciphertext SE (KA, M (p)) using the above-mentioned random number E (p) and the above authenticator AU (KB, E (p), SE (KA, M (p))) And the block of the decoding unit of the information processing device PC (q) The segmentation unit divides the ciphertext SE (KA, M (p)) into X (X ≧ 2) blocks SEB (KA, M (p), x) (x = 1, ..., X) And the function calculation unit of the decoding unit substitutes at least the block number x of block SEB (KA, M (p), x) and the random number E (p) into a predetermined function π The process of calculating π (x, E (p)) and the block decryption unit of the decryption unit, using the common key KA and the function value IV as an initial vector, each block SEB (KA, M (p), decrypting x) and extracting plaintext M (p) from all the calculated blocks MB (p, x), and a reading process comprising:
Security method for an information recording medium characterized by having a. Information processing device PC (p) (p = 1, ..., n) that stores ciphertext on an information recording medium shared with other information processing devices PC (q) (q = 1, ..., n) Q ≠ p), and
A storage unit for storing a secret key SK (p) of its own public key cryptosystem;
The ciphertext PE (PK (p), KA)) obtained by encrypting the common key KA of the common key cryptosystem using the public key PK (p) corresponding to the secret key SK (p) and the public key PK (p ) encrypts the key KB for ciphertext authentication using the ciphertext PE (PK (p), KB) and from at least the stored the information recording medium, the ciphertext PE (PK (p), KA ) and An external reading unit for reading the ciphertext PE (PK (p), KB) ,
Using the secret key SK stored in the storage unit (p) ciphertext PE (PK (p), KA ) decoded by the extracting the common key KA, the ciphertext by using the private key SK (p) A common key recovery unit that decrypts PE (PK (p), KB) and extracts a ciphertext authentication key KB ;
A block division unit that divides plaintext M (p) into X (X ≧ 2) blocks MB (p, x) (x = 1,..., X), and a random number E (for each plaintext M (p) a function value IV = π (x, E (p) obtained by substituting at least the block number x of the block MB (p, x) and the random number E (p) into a predetermined function π. ) And a common key KA are used to encrypt each block MB (p, x) using the function value IV as an initial vector, and the ciphertext of all the calculated blocks MB (p, x) is encrypted. A block encryption unit for generating a sentence SE (KA, M (p)) , and an encryption unit comprising :
The authenticator AU (KB) of the ciphertext SE (KA, M (p)) using at least the ciphertext authentication key KB, the random number E (p), and the ciphertext SE (KA, M (p)). , E (p), SE (KA, M (p))),
The ciphertext SE (KA, M (p)) , the random number E (p), and the authenticator AU (KB, E (p), SE (KA, M (p))) are stored in the information recording medium. An external writer,
An information processing apparatus comprising: Information processing apparatus PC (q) (q = 1, decrypting plaintext from ciphertext stored in an information recording medium shared with other information processing apparatuses PC (p) (p = 1,..., N) ..., n, q ≠ p)
A storage unit for storing a secret key SK (q) of its own public key cryptosystem;
The ciphertext PE (PK (q), KA) obtained by encrypting the common key KA of the common key cryptosystem using the public key PK (q) corresponding to the secret key SK (q), and the public key PK (q ) Is used to encrypt the ciphertext PE (PK (q), KB) using the ciphertext authentication key KB and the ciphertext SE (KA, M () using the common key KA to encrypt the plaintext M (p). p)) , a random number E (p), the ciphertext authentication key KB, the random number E (p), and the ciphertext SE (KA, M (p)). authenticator for AU (KA, M (p)) (KB, E (p), SE (KA, M (p))) and, but from the information recording medium which is at least stored, the ciphertext PE (PK ( q), KA), the ciphertext PE (PK (q), KB), the ciphertext SE (KA, M (p)), the random number E (p), and the authenticator AU (KB, E (p), SE (KA, M (p))) ,
Using the secret key SK stored in the storage unit (q) ciphertext PE (PK (q), KA ) decoded by the extracting the common key KA, the ciphertext by using the private key SK (q) A common key recovery unit that decrypts PE (PK (q), KB) and extracts the ciphertext authentication key KB ;
Using at least the ciphertext authentication key KB, the random number E (p), and the authenticator AU (KB, E (p), SE (KA, M (p))), the ciphertext SE (KA, M a ciphertext verification unit that verifies whether (p)) is valid;
Block division unit for dividing the ciphertext SE (KA, M (p)) into X (X ≧ 2) blocks SEB (KA, M (p), x) (x = 1,..., X) And a function value IV = π (x, E (p)) is calculated by substituting at least the block number x of the block SEB (KA, M (p), x) and the random number E (p) into a predetermined function π. Using the common key KA and the function value IV as an initial vector, each block SEB (KA, M (p), x) is decrypted, and the plaintext M is calculated from all the calculated blocks MB (p, x). a block decoding unit for extracting (p) , and a decoding unit comprising :
An information processing apparatus comprising: The program for making a computer perform each process of the security method of the information recording medium described in any one of Claim 1 to 3 . Program for causing a computer to function as an information processing apparatus according to claim 4 or 5. A computer-readable recording medium storing the program according to claim 6 . A computer-readable recording medium storing the program according to claim 7 .

Images