JP7435263B2 - Communication system, communication method, and program - Google Patents

Description

The present invention relates to a communication system, a communication method, and a program.

Conventionally, various techniques have been proposed for managing cryptographic keys using HSMs (Hardware Security Modules) and secure elements.

For example, Patent Document 1 listed below discloses a technique for generating and managing encryption keys and the like using HSM. Further, Patent Document 2 listed below discloses a technique for generating and managing encryption keys and the like using a secure element.

JP2015-61267A Japanese Patent Application Publication No. 2016-111440

However, since the HSM used in Patent Document 1 is expensive, it is not preferable to introduce it into IoT (Internet of Things) devices or the like. On the other hand, the secure element used in Patent Document 2 is cheaper than HSM. However, the secure element has a small storage capacity, and there is a limit to managing a large number of encryption keys with one secure element. It is conceivable to use multiple secure elements to manage a large number of encryption keys, but this requires an area in the device to accommodate the multiple secure elements, which poses a problem of increasing the size of the device.

In view of the above-mentioned problems, an object of the present invention is to provide a communication system, a communication method, and a program that can securely manage a plurality of encryption keys with an inexpensive device.

In order to solve the above problems, a communication system according to one aspect of the present invention includes a secure element that is tamper-resistant and stores a first encryption key, and a secure element that is tamper-resistant and stores a first encryption key. a first storage device that stores a second encryption key and a plurality of data keys encrypted with the second encryption key; a communication unit that communicates with a plurality of communication targets; and a communication unit that communicates with a plurality of communication targets; a key acquisition unit that acquires the second encryption key and a data key corresponding to each of the plurality of communication targets from the first storage device, and the key acquisition unit, based on target information that differs for each communication target; a first decryption unit that decrypts the second encryption key obtained by using the first encryption key; and a first decryption unit that decrypts the second encryption key obtained by the first encryption key; a second decryption unit that decrypts with a second encryption key; and a first key generation unit that generates a different encryption key for each of the plurality of communication targets based on the data key decrypted by the second decryption unit. and has.

In the communication method according to one aspect of the present invention, the secure element has tamper resistance and stores a first encryption key, and the first storage device is encrypted with the first encryption key. storing a second encryption key encrypted with the second encryption key and a plurality of data keys encrypted with the second encryption key; a communication unit communicating with a plurality of communication targets; and a key acquisition unit: acquiring the second encryption key and a data key corresponding to each of the plurality of communication targets from the first storage device based on target information different for each of the plurality of communication targets; A decryption unit decrypts the second encryption key obtained by the key acquisition unit using the first encryption key; and a second decryption unit decrypts the second encryption key obtained by the key acquisition unit. , using the second encryption key decrypted by the first decryption unit; and a first key generation unit decrypts the plurality of data keys based on the data key decrypted by the second decryption unit. generating a different encryption key for each communication target.

A program according to one aspect of the present invention includes: a secure element having tamper resistance and storing a first encryption key; and a second encryption key encrypted with the first encryption key; a first storage device that stores a plurality of data keys encrypted with the second encryption key; a communication unit that communicates with a plurality of communication targets; and a communication unit that stores a plurality of data keys encrypted with the second encryption key; , a key acquisition unit that acquires the second encryption key and a data key corresponding to each of the plurality of communication targets from the first storage device; and the second encryption key acquired by the key acquisition unit. a first decryption unit that decrypts a key with the first encryption key; and a first decryption unit that decrypts the data key obtained by the key acquisition unit with the second encryption key that was decrypted by the first decryption unit. and a first key generation unit that generates a different encryption key for each of the plurality of communication targets based on the data key decrypted by the second decryption unit.

According to the present invention, a plurality of encryption keys can be managed securely with an inexpensive device.

FIG. 1 is a block diagram showing an example of the configuration of a communication system according to a first embodiment. FIG. 2 is a block diagram showing an example of the configuration of a server according to the first embodiment. FIG. 1 is a block diagram showing an example of the configuration of a device according to a first embodiment. FIG. 2 is a sequence diagram illustrating an example of the flow of device authentication by the server in mutual authentication between the server and the device according to the first embodiment. FIG. 2 is a sequence diagram illustrating an example of the flow of server authentication by a device in mutual authentication between a server and a device according to the first embodiment. FIG. 2 is a block diagram illustrating an example of the configuration of a communication system according to a second embodiment. FIG. 2 is a block diagram illustrating an example of the configuration of a communication system according to a third embodiment. FIG. 3 is a block diagram illustrating an example of the configuration of an IoT device according to a third embodiment. FIG. 3 is a block diagram illustrating an example of the configuration of a communication system according to a fourth embodiment. FIG. 3 is a sequence diagram showing the flow of processing related to msk at the time of starting an application according to each embodiment. FIG. 7 is a sequence diagram showing a modified example of the flow of device authentication by the server in mutual authentication between the server and the device according to each embodiment.

Embodiments of the present invention will be described in detail below with reference to the drawings.

<<1. First embodiment >>
A first embodiment of the present invention will be described with reference to FIGS. 1 to 5. In the first embodiment, an example will be described in which mutual authentication is performed between a device and a plurality of servers.

<1-1. Communication system configuration>
With reference to FIG. 1, the configuration of a communication system according to a first embodiment will be described. FIG. 1 is a block diagram showing an example of the configuration of a communication system according to the first embodiment.
As shown in FIG. 1, the communication system 1 includes servers 10 (10-1 to 10-N) and devices 20.

The server 10 and the device 20 are communicably connected to each other via the network NW. For example, the server 10 and the device 20 are connected via a wide area network (WAN). WAN is realized by, for example, an Internet connection.

The server 10 includes a plurality of servers 10-1 to 10-N (N is a natural number). The plurality of servers 10-1 to 10-N are communication targets of the device 20. The server 10 communicates with the device 20 via the network NW and authenticates the device 20. For example, the server 10 performs challenge-and-response authentication.

Here, challenge-and-response authentication will be explained. The challenge side (eg, server 10) transmits a challenge code (cc, which will be described later) to the response side (eg, device 20). The response side encrypts the challenge code using an encryption key (DDK described later) and notifies the challenge code of the encrypted challenge code. The challenge side decrypts the encrypted challenge code using an encryption key, and if the decrypted challenge code matches the transmitted challenge code, the response side authenticates the device as a valid communication destination.

Specifically, the server 10 transmits a challenge code (ChallengeCode) to the device 20. Hereinafter, the challenge code will also be referred to as "cc". cc is, for example, a character string generated based on random numbers, and a different character string is generated each time authentication is performed.

The server 10 receives the response generated by the device 20 based on the cc. The response is, for example, information obtained by encrypting cc with an encryption key (third encryption key).

In this embodiment, the encryption key is information (DerivedDataKey) obtained by encrypting a data key (DataKey) using Seed (target information). Hereinafter, the encryption key is also referred to as "ddk". Examples of ddk include authentication keys, tokens, API (Application Programming Interface) keys, one-time passwords, and the like.

The data key is secret information for generating the ddk. An example of a data key is an encryption key. Hereinafter, the data key will also be referred to as "dk".

Seed is information that differs for each server 10. Examples of Seed include unique information such as device serial number, random number, and time stamp.

Hereinafter, ddk will be indicated according to the combination of dk1 to N and Seed. For example, if SeedA is encrypted with dk1, ddk is indicated as ddk1-A. Further, information obtained by encrypting cc with ddk is indicated as "enc[cc]ddk". For example, information obtained by encrypting ccA with ddk1-A is indicated as enc[ccA]ddk1-A.

Note that the method for generating ddk is not limited to the method of encrypting dk using Seed. For example, ddk may be generated based on a Hash function. As an example, ddk may be a value generated by applying a Hash function to a concatenated character of Seed and dk.

The server 10 authenticates the device 20 based on enc[cc]ddk received as a response. For example, the server 10 compares the cc obtained by decoding the received enc[cc]ddk with a previously stored ddk and the cc transmitted to the device 20. As a result of the comparison, if the respective CCs match, the authentication of the device 20 by the server 10 is successful. By successfully authenticating the device 20, the server 10 can securely transmit and receive information to and from the device 20.

The device 20 is an apparatus that generates and manages various keys. Examples of the device 20 include a PC (Personal Computer), a smartphone, a server, and the like. The device 20 communicates with a plurality of servers 10 via the network NW and authenticates each server 10. For example, the device 20 performs challenge-and-response authentication similarly to the server 10.

Specifically, the device 20 transmits cc to the server 10. Further, the device 20 generates a Seed based on communication with the server 10. Further, the device 20 obtains the dk corresponding to the server 10, encrypts the Seed with the dk, and generates a ddk.

The device 20 receives the response generated by the server 10 based on the cc. The response is, for example, enc[cc]ddk in which cc is encrypted using a ddk that the server 10 holds in advance.

The device 20 authenticates the server 10 based on enc[cc]ddk received as a response. For example, the device 20 compares the cc obtained by decoding the received enc[cc]ddk with the generated ddk and the cc transmitted to the server 10. As a result of the comparison, if the respective CCs match, the authentication of the server 10 by the device 20 is successful. By successfully authenticating the server 10, the device 20 can safely transmit and receive information to and from the server 10.

<1-2. Server configuration>
With reference to FIG. 2, the configuration of the server 10 according to the first embodiment will be described. FIG. 2 is a block diagram showing an example of the configuration of the server 10 according to the first embodiment.
As shown in FIG. 2, the server 10 includes a communication section 100, a control section 110, and a storage section 120.

(1) Communication department 100
The communication unit 100 communicates with the device 20 via the network NW. The communication unit 100 transmits and receives various information through the communication. For example, when the server 10 authenticates the device 20, the communication unit 100 transmits cc to the device 20, and receives enc[cc]ddk from the device 20 as a response. On the other hand, when the device 20 authenticates the server 10, the communication unit 100 receives cc from the device 20 and transmits enc[cc]ddk to the device 20 as a response.

(2) Control unit 110
The control unit 110 has a function of controlling the entire operation of the server 10. The control unit 110 is realized by causing a CPU (Central Processing Unit) included in the server 10 as hardware to execute a program.
As shown in FIG. 2, the control unit 110 includes an authentication unit 112, a decryption unit 114, and an encryption unit 116.

(2-1) Authentication section 112
The authentication unit 112 performs processing related to authentication. For example, when the server 10 authenticates the device 20, the authentication unit 112 generates a cc and causes the communication unit 100 to transmit it to the device 20. The authentication unit 112 authenticates the device 20 based on enc[cc]ddk received as a response from the device 20. Specifically, the authentication unit 112 compares the cc obtained by decoding the enc[cc]ddk received by the communication unit 100 with the ddk held in advance and the cc transmitted to the device 20. As a result of the comparison, if the ccs match, the authentication unit 112 determines that the authentication of the device 20 by the server 10 has been successful.

(2-2) Decoding unit 114
The decryption unit 114 decrypts various types of encrypted information. For example, the decoding unit 114 decodes enc[cc]ddk that the communication unit 100 receives from the device 20 using a ddk held in advance. The decryption unit 114 inputs the decrypted cc to the authentication unit 112.

(2-3) Encryption unit 116
The encryption unit 116 encrypts various information. For example, the encryption unit 116 encrypts the cc that the communication unit 100 receives from the device 20 using the ddk held in advance. The encryption unit 116 causes the communication unit 100 to transmit enc[cc]ddk obtained by encryption to the device 20 as a response.

(3) Storage unit 120
The storage unit 120 has a function of storing various information. The storage unit 120 includes a storage medium such as a HDD (Hard Disk Drive), a flash memory, an EEPROM (Electrically Erasable Programmable Read Only Memory), and a RAM (Random Access read/write). e Memory), ROM (Read Only Memory), or these Constructed by any combination of storage media. For example, a nonvolatile memory can be used for the storage unit 120.
The storage unit 120 holds, for example, ddk used for decryption of enc[cc]ddk by the decryption unit 114 and encryption of cc by the encryption unit 116.

<1-3. Device configuration>
The configuration of the device 20 according to the first embodiment will be described with reference to FIG. 3. FIG. 3 is a block diagram showing an example of the configuration of the device 20 according to the first embodiment.
As shown in FIG. 3, the device 20 includes a communication section 200, a control section 210, a storage 220, an SE (secure element) 230, and a RAM 240. Note that the storage 220 is a first storage device. Further, the RAM 240 is a second storage device.

(1) Communication department 200
The communication unit 200 communicates with a plurality of servers 10 via the network NW. The communication unit 200 transmits and receives various information through the communication. For example, when the server 10 authenticates the device 20, the communication unit 200 receives cc from the server 10 and transmits enc[cc]ddk to the server 10 as a response. On the other hand, when the device 20 authenticates the server 10, the communication unit 200 transmits cc to the server 10 and receives enc[cc]ddk from the server 10 as a response.

(2) Control unit 210
The control unit 210 has a function of controlling the entire operation of the device 20. The control unit 210 is realized by causing a CPU included in the device 20 as hardware to execute a program.
As shown in FIG. 3, the control unit 210 includes a key usage unit 212 and a key management unit 214.

(2-1) Key usage unit 212
The key usage unit 212 performs processing related to the usage of various keys.
As shown in FIG. 3, the key utilization section 212 includes a target information generation section 2120, a key acquisition section 2122, a decryption section 2124, an encryption section 2126, and an authentication section 2128.

(2-1-1) Target information generation unit 2120
The target information generation unit 2120 generates target information. For example, the target information generation unit 2120 generates a KeySelectParameter indicating the dk corresponding to the server 10 that communicated with the communication unit 200 based on the communication with the server 10. Further, the target information generation unit 2120 generates Seed in order to generate ddk. The target information generation unit 2120 inputs the generated KeySelectParameter to the key acquisition unit 2122.

(2-1-2) Key acquisition unit 2122
The key acquisition unit 2122 acquires dk or ddk. For example, the key acquisition unit 2122 determines the dk to acquire based on the KeySelectParameter input from the target information generation unit 2120. When acquiring a dk, the key acquisition unit 2122 inputs a request including a KeySelectParameter (target information) that specifies the dk to be acquired as a parameter to the key management unit 214, and acquires the dk. Hereinafter, KeySelectParameter is also referred to as "ksp". When acquiring the ddk, the key acquisition unit 2122 inputs a request including Seed and ksp as parameters to the key management unit 214, and acquires the ddk.

(2-1-3) Decoding unit 2124
The decryption unit 2124 decrypts various types of encrypted information. For example, the decoding unit 2124 decodes enc[cc]ddk that the communication unit 200 receives from the server 10 using a ddk held in advance. The decryption unit 2124 inputs the decrypted cc to the authentication unit 2128.

(2-1-4) Encryption section 2126
The encryption unit 2126 encrypts various information. For example, the encryption unit 2126 encrypts the cc received from the server 10 using ddk input from the encryption unit 2146, which will be described later. The encryption unit 2126 causes the communication unit 200 to transmit enc[cc]ddk obtained by encryption to the server 10 as a response.

(2-1-5) Authentication section 2128
The authentication unit 2128 performs processing related to authentication. For example, when the device 20 authenticates the server 10, the authentication unit 2128 generates a cc and causes the communication unit 200 to transmit it to the server 10. The authentication unit 2128 authenticates the server 10 based on enc[cc]ddk received as a response from the device 20. Specifically, the authentication unit 2128 compares the cc obtained by decoding the enc[cc]ddk received by the communication unit 200 with the ddk held in advance and the cc transmitted to the server 10. As a result of the comparison, if the ccs match, the authentication unit 2128 determines that the authentication of the server 10 by the device 20 has been successful.

(2-2) Key management unit 214
The key management unit 214 performs processing related to management of various keys.
As shown in FIG. 3, the key management section 214 includes a key acquisition section 2140, a first key generation section 2142, a second key generation section 2143, a decryption section 2144, and an encryption section 2146. Note that the decoding unit 2144 is a second decoding unit.

(2-2-1) Key acquisition unit 2140
The key acquisition unit 2140 acquires various keys based on target information that differs for each of the plurality of servers 10. The key acquisition unit 2140 acquires the encryption key (second encryption key) for encrypting dk and the dk indicated by the ksp input from the key acquisition unit 2122 from the storage 220. The encryption key (KeyEncryptionKey) for encrypting dk is hereinafter also referred to as "kek". Hereinafter, information obtained by encrypting dk with kek will be indicated as "enc[dk]kek". For example, information obtained by encrypting dk1 with kek is indicated as enc[dk1]kek. Note that the dk that the key acquisition unit 2140 acquires from the storage 220 is enc[dk1]kek encrypted by kek. Further, the kek that the key acquisition unit 2140 acquires from the storage 220 is encrypted with an encryption key (first encryption key). The encryption key for encrypting the kek is a master key, hereinafter also referred to as "mk". Hereinafter, information obtained by encrypting kek with mk will be indicated as "enc[kek]mk."

(2-2-2) First key generation unit 2142
The first key generation unit 2142 generates ddk using a key derivation function. For example, the first key generation unit 2142 generates ddk by applying a key derivation function to dk and Seed. Specifically, the first key generation unit 2142 generates ddk using a key derivation function that encrypts Seed with dk decrypted by the decryption unit 2144. Note that when generating the ddk by encryption, the first key generation unit 2142 may perform the encryption, or the encryption unit 2146 may perform the encryption.

Further, the first key generation unit 2142 may generate ddk using a key derivation function that applies a hash function to the concatenated value of Seed and dk. Specifically, the first key generation unit 2142 treats the hash value output by inputting the concatenated value to a hash function as ddk. Examples of hash functions include SHA (Secure Hash Algorithm)-2, SHA-256, and MD (Message Digest Algorithm) 5.

Further, the first key generation unit 2142 uses algorithms such as PBKDF (Password-Based Key Derivation Function) 1, PBKDF2, PBES (Password-Based Encryption Scheme) 1, and PBES2 as a key derivation function. and generate ddk It's fine. By using the algorithm, the first key generation unit 2142 can generate a more secure ddk that is less likely to be guessed.

Note that the Seed used to generate the ddk differs for each of the multiple servers 10. Therefore, the first key generation unit 2142 can generate a different ddk for each of the plurality of servers 10.

(2-2-3) Second key generation unit 2143
The second key generation unit 2143 generates an encryption key (fourth encryption key) that encrypts kek decrypted by the decryption unit 232 of the SE 230, which will be described later. The encryption key (MaskKey) for encrypting kek is hereinafter also referred to as "msk". Hereinafter, information obtained by encrypting kek with msk will be indicated as "enc[kek]msk". The second key generation unit 2143 stores the generated msk in the RAM 240.

The method by which the second key generation unit 2143 generates msk is not particularly limited. For example, the second key generation unit 2143 generates msk using a key generation function that differs depending on the cryptographic algorithm. When the encryption algorithm is AES (Advanced Encryption Standard), the second key generation unit 2143 generates a random number and sets the random number as msk. When the encryption algorithm is RSA (Rivest-Shamir-Adleman), the second key generation unit 2143 generates a prime number and sets the prime number as msk.
Further, the second key generation unit 2143 may calculate a hash of the timestamp and set a value indicating the calculation result as msk.

(2-2-4) Decoding unit 2144
The decryption unit 2144 decrypts various types of encrypted information. For example, the decryption unit 2144 decrypts enc[dk]kek obtained by the key acquisition unit 2140 from the storage 220 using kek decrypted by the decryption unit 232 of the SE 230, which will be described later. The decryption unit 2144 inputs the decrypted dk to the encryption unit 2146. Note that if the purpose is to obtain dk, the decryption unit 2144 inputs the decrypted dk to the key acquisition unit 2122.

Furthermore, the decryption unit 2144 decrypts enc[kek]msk, which is kek encrypted with msk, using msk.

(2-2-5) Encryption section 2146
The encryption unit 2146 encrypts various information. For example, the encryption unit 2146 encrypts the Seed input from the key acquisition unit 2122 with dk obtained by decoding by the decryption unit 2144, and generates ddk. The encryption unit 2146 inputs the generated ddk to the encryption unit 2126.

The encryption unit 2146 encrypts kek decrypted by the decryption unit 232 of the SE 230, which will be described later, using msk. The encryption unit 2146 stores enc[kek]msk obtained by encryption in the RAM 240. By storing enc[kek]msk in the RAM 240, there is no need to access the SE 230, which will be described later, each time kek is used. Thereby, the processing speed in the device 20 can be increased. Furthermore, by encrypting the kek stored in the RAM 240 using msk, security in kek management can be improved.

(3) Storage 220
Storage 220 has a function of storing various information. The storage 220 is configured by a storage medium, such as an HDD, an SSD (Solid State Drive), a flash memory, or any combination of these storage media.

The storage 220 stores kek encrypted with mk and a plurality of dk encrypted with kek. Note that the storage 220 stores kek and dk in different areas. Thereby, security in managing kek and dk can be improved.
As shown in FIG. 3, the storage 220 includes a data key storage section 222 and a data key encryption key storage section 224.

(3-1) Data key storage unit 222
The data key storage unit 222 stores a plurality of dk's encrypted with kek. For example, as shown in FIG. 3, the data key storage unit 222 stores enc[dk1]kek2220-1, enc[dk2]kek2220-2, ..., enc[dkN]kek2220-N.

(3-2) Data key encryption key storage unit 224
The data key encryption key storage unit 224 stores kek encrypted with mk. For example, as shown in FIG. 3, the data key encryption key storage unit 224 stores one enc[kek]mk 2240.

(4) SE230
SE230 is a secure element with tamper resistance. The SE 230 is, for example, an IC (Integrated Circuit) card, a SIM (Subscriber Identity Module Card) card, etc., in which the functions of the SE 230 are mounted on a card material such as plastic. In this case, the SE 230 is removably attached to the device 20 via a contact portion (not shown) of an IC card or SIM card.

SE230 performs processing related to mk. As shown in FIG. 3, SE 230 includes a decryption unit 232 and a master key storage unit 234. Note that the decoding unit 232 is a first decoding unit.

(4-1) Decoding unit 232
The decryption unit 232 decrypts various types of encrypted information. For example, the decryption unit 232 decrypts enc[kek]mk acquired by the key acquisition unit 2140 using mk. The decoding unit 232 inputs the kek obtained by decoding to the decoding unit 2144.

(4-2) Master key storage section 234
Master key storage unit 234 stores mk. For example, as shown in FIG. 3, the master key storage unit 234 stores one mk2340.

(5) RAM240
RAM 240 stores kek decoded by decoding section 232.
As shown in FIG. 3, the RAM 240 includes a data key encryption key storage section 242.

(5-1) Data key encryption key storage unit 242
The data key encryption key storage unit 242 temporarily stores, for example, kek decrypted by the decryption unit 232 and encrypted by the encryption unit 2146 using msk. For example, as shown in FIG. 3, the data key encryption key storage unit 242 stores enc[kek]msk 2420. In this way, the data key encryption key storage unit 242 stores the kek encrypted with the msk, so that the security in managing the kek can be improved.

<1-4. Flow of mutual authentication＞
The flow of mutual authentication between the server 10 and the device 20 according to the first embodiment will be described with reference to FIGS. 4 and 5. Note that an example in which the server 10-1 among the plurality of servers 10 performs mutual authentication with the device 20 will be described below.

(1) Flow of device authentication by server The flow of authentication of device 20 by server 10 will be described with reference to FIG. FIG. 4 is a sequence diagram showing an example of the flow of authentication of the device 20 by the server 10-1 in mutual authentication between the server 10-1 and the device 20 according to the first embodiment.

As shown in FIG. 4, the server 10-1 causes the device 20 to transmit a challenge with ccA as the parameter P (S100).

The key usage unit 212 of the device 20 that has received the challenge requests the key management unit 214 for ddk with SeedA as parameter P1 and ksp1 as parameter P2 (S102).

Upon receiving the request for ddk, the key management unit 214 makes a request for kek to the data key encryption key storage unit 242 (S104). Upon receiving the request for kek, the data key encryption key storage unit 242 inputs enc[kek]mk to the key management unit 214 (S106).

The key management unit 214, which has received enc[kek]mk, requests the master key storage unit 234 to decrypt kek with enc[kek]mk as parameter P (S108). Upon receiving the kek decryption request, the master key storage unit 234 decrypts enc[kek]mk using mk (S110). The master key storage unit 234 inputs the kek obtained by decryption to the key management unit 214 (S112).

The key management unit 214 requests the data key storage unit 222 for dk1 with ksp1 as the parameter P (S114). Upon receiving the request for dk1, the data key storage unit 222 inputs enc[dk1]kek to the key management unit 214 (S116).

The key management unit 214 decrypts enc[dk1]kek with kek and obtains dk1 (S118). The key management unit 214 encrypts SeedA with dk1 and generates ddk1-A (S120). The key management unit 214 inputs the generated ddk1-A to the key usage unit 212 (S122).

The key management unit 214 generates msk (S124). The key management unit 214 inputs the generated msk to the data key encryption key storage unit 242 (S126). The data key encryption key storage unit 242 stores the input msk (S128). The key management unit 214 encrypts kek with msk and generates enc[kek]msk (S130). The key management unit 214 inputs the generated enc[kek]msk to the data key encryption key storage unit 242 (S132). The data key encryption key storage unit 242 stores the input enc[kek]msk (S134).

The key utilization unit 212 encrypts ccA received from the server 10-1 using ddk1-A input from the key management unit 214, and generates enc[ccA]ddk1-A (S136). The key usage unit 212 causes the server 10-1 to transmit a response with enc[ccA]ddk1-A as the parameter P (S138).

The server 10-1 decrypts enc[ccA]ddk1-A received from the device 20 using ddk1-A stored in advance, and obtains ccA (S140). The server 10-1 compares the ccA sent to the device 20 in S100 and the ccA acquired in S140, and if they match, determines that the authentication has been successful (S142).

(2) Flow of server authentication by device The flow of authentication of server 10 by device 20 will be described with reference to FIG. FIG. 5 is a sequence diagram showing an example of the flow of authentication of the server 10-1 by the device 20 in mutual authentication between the server 10-1 and the device 20 according to the first embodiment.

As shown in FIG. 5, the key usage unit 212 of the device 20 generates ccB (S200). The key usage unit 212 causes the server 10-1 to transmit a challenge with the generated ccB as the parameter P (S202).

The key usage unit 212 requests the key management unit 214 for ddk with SeedB as the parameter P1 and ksp1 as the parameter P2 (S204).

Upon receiving the request for ddk, the key management unit 214 makes a request for kek to the data key encryption key storage unit 242 (S206). Upon receiving the request for kek, the data key encryption key storage unit 242 inputs enc[kek]msk and msk to the key management unit 214 (S208).

The key management unit 214 that receives enc[kek]msk and msk decrypts enc[kek]msk using msk (S210).

The key management unit 214 requests the data key storage unit 222 for dk1 with ksp1 as the parameter P (S212). Upon receiving the request for dk1, the data key storage unit 222 inputs enc[dk1]kek to the key management unit 214 (S214).

The key management unit 214 decrypts enc[dk1]kek with kek and obtains dk1 (S216). The key management unit 214 requests the data key encryption key storage unit 242 to delete kek (S218). Upon receiving the request to delete kek, the data key encryption key storage unit 242 deletes enc[kek]msk (S220).

The key management unit 214 encrypts SeedB with dk1 and generates ddk1-B (S222). The key management unit 214 inputs the generated ddk1-B to the key usage unit 212 (S224).

The server 10-1, which received the challenge in S202, encrypts the ccB received from the device 20 using ddk1-B held in advance, and generates enc[ccB]ddk1-B (S226). The server 10-1 transmits a response with the generated enc[ccB]ddk1-B as the parameter P to the device 20 (S228).

The key utilization unit 212 decrypts enc[ccB]ddk1-B received from the server 10-1 using ddk1-B input from the key management unit 214, and obtains ccB (S230). The key usage unit 212 compares the ccB generated in S200 and the ccB acquired in S230, and if they match, determines that the authentication has been successful (S232).

<<2. Second embodiment >>
A second embodiment of the present invention will be described with reference to FIG. In the second embodiment, an example will be described in which the device 20 in the first embodiment is an IoT gateway, and mutual authentication is performed between the IoT gateway and a plurality of servers. Note that, in the following, explanations that overlap with those of the first embodiment described above will be omitted.

<2-1. Communication system configuration>
With reference to FIG. 6, the configuration of a communication system according to the second embodiment will be described. FIG. 6 is a block diagram showing an example of the configuration of a communication system according to the second embodiment.
As shown in FIG. 6, the communication system 2 includes a server 10 (10-1 to 10-N), an IoT gateway 20A, and an IoT device 30.

The server 10 and the IoT gateway 20A are communicably connected to each other via the network NW. The server 10 and the IoT gateway 20A are connected by, for example, a WAN. WAN is realized by, for example, an Internet connection.
The IoT gateway 20A and the IoT device 30 are connected, for example, by a local area network (LAN). The LAN may be realized by a wired connection, or may be connected by a wireless connection such as Bluetooth (registered trademark), Wi-Fi (registered trademark), Zigbee (registered trademark), MQTT, or the like.

The server 10 according to the second embodiment receives the information acquired by the IoT device 30 via the IoT gateway 20A. The server 10 authenticates the IoT gateway 20A before receiving information from the IoT device 30. If the authentication is successful, the server 10 can safely receive information from the IoT device 30.

The IoT gateway 20A is a specific example of the device 20 according to the first embodiment described above. The IoT gateway 20A has a so-called relay function that mediates communication between the plurality of servers 10 and the IoT devices 30. The IoT gateway 20A authenticates the server 10 before transmitting the information about the IoT device 30 to the server 10. If the authentication is successful, the IoT gateway 20A can safely transmit information about the IoT device 30 to the server 10.

The IoT device 30 transmits various information to the server 10 via the IoT gateway 20A. The various types of information include, for example, information acquired by a sensor device included in the IoT device 30, information generated by processing in the IoT device 30, and the like.

<2-2. Server configuration>
The configuration of the server 10 according to the second embodiment is the same as the configuration of the server 10 according to the first embodiment described above, so detailed explanation will be omitted.

<2-3. IoT gateway configuration>
The IoT gateway 20A according to the second embodiment has a configuration in which a communication unit can communicate with the IoT device 30. The configuration other than this configuration is the same as the configuration of the device 20 according to the first embodiment described above, so detailed explanation will be omitted.

<2-4. Flow of mutual authentication＞
The flow of mutual authentication between the server 10 and the IoT gateway 20A according to the second embodiment is similar to the flow of mutual authentication between the server 10 and the device 20 according to the first embodiment described above, so a detailed explanation will be provided. omitted. Note that the device 20 in FIGS. 4 and 5 may be replaced with the IoT gateway 20A.

<<3. Third embodiment >>
A third embodiment of the present invention will be described with reference to FIGS. 7 and 8. In the third embodiment, an example will be described in which mutual authentication is performed between an IoT gateway 20A and a plurality of IoT devices 30. Note that, in the following, explanations that overlap with those of the first embodiment and the second embodiment described above will be omitted.

<3-1. Communication system configuration>
With reference to FIG. 7, the configuration of a communication system according to a third embodiment will be described. FIG. 7 is a block diagram showing an example of the configuration of a communication system according to the third embodiment.
As shown in FIG. 7, the communication system 3 includes a server 10, an IoT gateway 20A, and IoT devices 30 (30-1 to 30-N).

The server 10 and the IoT gateway 20A are communicably connected to each other via the network NW. The server 10 and the IoT gateway 20A are connected by, for example, a WAN. WAN is realized by, for example, an Internet connection.
The IoT gateway 20A and the IoT device 30 are connected, for example, by a LAN. The LAN may be realized by a wired connection, or may be connected by a wireless connection such as Bluetooth, Wi-Fi, Zigbee, or MQTT.

The server 10 according to the third embodiment receives the information acquired by the IoT device 30 via the IoT gateway 20A. The server 10 according to the third embodiment may or may not perform authentication with the IoT gateway 20A. If authentication with the IoT gateway 20A is not performed, the configuration of the server 10 is not particularly limited. On the other hand, when performing authentication with the IoT gateway 20A, the configuration of the server 10 is assumed to be similar to the configuration of the server 10 according to the first embodiment and the second embodiment described above. Note that when the server 10 authenticates with the IoT gateway 20A, the server 10 authenticates the IoT gateway 20A before receiving information from the IoT device 30. If the authentication is successful, the server 10 can safely receive information from the IoT device 30.

The IoT gateway 20A according to the third embodiment has a so-called relay function that mediates communication between the server 10 and the plurality of IoT devices 30. The IoT gateway 20A authenticates the IoT device 30 before transmitting the information about the IoT device 30 to the server 10. If the authentication is successful, the IoT gateway 20A can safely transmit the information of the IoT device 30 to the server 10.

The IoT device 30 according to the third embodiment includes a plurality of IoT devices 30-1 to 30-N (N is a natural number). The IoT device 30 according to the third embodiment authenticates the IoT gateway 20A before transmitting the information about the IoT device 30 to the server 10. If the authentication is successful, the IoT device 30 can safely transmit information about the IoT device 30 to the server 10.

<3-2. Server configuration>
The configuration of the server 10 according to the third embodiment is the same as the configuration of the server 10 according to the first and second embodiments described above, so detailed description thereof will be omitted.

<3-3. IoT gateway configuration>
The IoT gateway 20A according to the third embodiment has the same configuration as the IoT gateway 20A according to the second embodiment described above, so a detailed explanation will be omitted.

<3-4. Configuration of IoT devices>
With reference to FIG. 8, the configuration of the IoT device 30 according to the third embodiment will be described. FIG. 8 is a block diagram showing an example of the configuration of the IoT device 30 according to the third embodiment.
As shown in FIG. 8, the IoT device 30 includes a communication section 300, a control section 310, and a storage section 320.

(1) Communication department 300
The communication unit 300 communicates with the IoT gateway 20A. The communication unit 300 transmits and receives various information through the communication. For example, when the IoT device 30 authenticates the IoT gateway 20A, the communication unit 300 transmits cc to the IoT gateway 20A, and receives enc[cc]ddk from the IoT gateway 20A as a response. On the other hand, when the IoT gateway 20A authenticates the IoT device 30, the communication unit 300 receives cc from the IoT gateway 20A and transmits enc[cc]ddk to the IoT gateway 20A as a response.

(2) Control unit 310
The control unit 310 has a function of controlling the entire operation of the IoT device 30. The control unit 310 is realized by causing a CPU (Central Processing Unit) included in the IoT device 30 as hardware to execute a program.
As shown in FIG. 8, the control section 310 includes an authentication section 312, a decryption section 314, and an encryption section 316.

(2-1) Authentication section 312
The authentication unit 312 performs processing related to authentication. For example, when the IoT device 30 authenticates the IoT gateway 20A, the authentication unit 312 generates a cc and causes the communication unit 300 to transmit it to the IoT gateway 20A. The authentication unit 312 authenticates the IoT gateway 20A based on enc[cc]ddk received as a response from the IoT gateway 20A. Specifically, the authentication unit 312 compares the cc obtained by decoding the enc[cc]ddk received by the communication unit 300 with the ddk held in advance and the cc transmitted to the IoT gateway 20A. As a result of the comparison, if the ccs match, the authentication unit 312 determines that the IoT device 30 has successfully authenticated the IoT gateway 20A.

(2-2) Decoding unit 314
The decryption unit 314 decrypts various types of encrypted information. For example, the decoding unit 314 decodes enc[cc]ddk that the communication unit 300 receives from the IoT gateway 20A using a ddk held in advance. The decryption unit 314 inputs the decrypted cc to the authentication unit 312.

(2-3) Encryption unit 316
The encryption unit 316 encrypts various information. For example, the encryption unit 316 encrypts the cc that the communication unit 300 receives from the IoT gateway 20A using the ddk held in advance. The encryption unit 316 causes the communication unit 300 to transmit enc[cc]ddk obtained by encryption as a response to the IoT gateway 20A.

(3) Storage unit 320
The storage unit 320 has a function of storing various information. The storage unit 320 includes a storage medium such as a hard disk drive (HDD), a flash memory, an electrically erasable programmable read only memory (EEPROM), or a random access read/write memory (RAM). e Memory), ROM (Read Only Memory), or these Constructed by any combination of storage media. For example, a nonvolatile memory can be used as the storage unit 320.
The storage unit 320 holds, for example, ddk used for decryption of enc[cc]ddk by the decryption unit 314 and encryption of cc by the encryption unit 316.

<3-5. Flow of mutual authentication＞
The flow of mutual authentication between the IoT device 30 and the IoT gateway 20A according to the third embodiment is similar to the flow of mutual authentication between the server 10 and the IoT gateway 20A according to the second embodiment described above, so the details will be explained below. Further explanations will be omitted. Note that the server 10-1 in FIGS. 4 and 5 may be replaced with the IoT device 30-1, and the device 20 may be replaced with the IoT gateway 20A.

<<4. Fourth embodiment >>
A fourth embodiment of the present invention will be described with reference to FIG. The fourth embodiment shows a specific example to which the present invention is applied. As a specific example, an example in which the present invention is applied to an automobile will be shown. An example in which mutual authentication is performed between an in-vehicle gateway provided inside an automobile and a plurality of devices provided inside the vehicle, or between the in-vehicle gateway and a plurality of devices outside the vehicle will be described below. Note that, in the following, explanations that overlap with those of the first to third embodiments described above will be omitted.

<4-1. Communication system configuration>
With reference to FIG. 9, the configuration of a communication system according to the fourth embodiment will be described. FIG. 9 is a block diagram showing an example of the configuration of a communication system according to the fourth embodiment.
As shown in FIG. 9, the communication system 4 includes an in-vehicle gateway 20B provided inside an automobile 40, in-vehicle devices 50 (50-1 to 50-N), and external devices 60. The external devices 60 include a cloud 61, a server 62, a traffic light device 63, a bridge device 64, and a parking lot device 65.

The in-vehicle gateway 20B and the external device 60 are communicably connected to each other via the network NW. The in-vehicle gateway 20B and the external device 60 are connected by, for example, a WAN. WAN is realized by, for example, an Internet connection.
The in-vehicle gateway 20B and the in-vehicle device 50 are connected, for example, by a LAN. The LAN may be realized by a wired connection, or may be connected by a wireless connection such as Bluetooth, Wi-Fi, Zigbee, or MQTT.

The in-vehicle gateway 20B corresponds to the IoT gateway 20A according to the second embodiment and the third embodiment. The in-vehicle gateway 20B has a so-called relay function that mediates communication between the plurality of in-vehicle devices 50 and the plurality of external devices 60. The in-vehicle gateway 20B authenticates the in-vehicle device 50 before transmitting the information of the in-vehicle device 50 to the external device 60. Further, the in-vehicle gateway 20B authenticates the external device 60 before transmitting the information of the external device 60 to the in-vehicle device 50. When each authentication is successful, the in-vehicle gateway 20B can safely transmit and receive information between the in-vehicle device 50 and the external device 60.

The in-vehicle device 50 corresponds to the IoT device 30 according to the third embodiment. The in-vehicle device 50 includes a plurality of in-vehicle devices 50-1 to 50-N (N is a natural number). Examples of the in-vehicle equipment 50 include a car navigation system, an acceleration sensor, a gyro sensor, a distance sensor, a GPS (Global Positioning System) sensor, an imaging device, and the like. For example, the in-vehicle device 50 acquires information regarding the automobile 40 and transmits it to the out-of-vehicle device 60 via the in-vehicle gateway 20B.

The external device 60 corresponds to the server 10 according to the first embodiment and the second embodiment. Examples of the external device 60 include a cloud 61, a server 62, a traffic light device 63, a bridge device 64, a parking lot device 65, and the like. The external device 60 acquires information related to the outside of the vehicle, such as traffic information, for example, and transmits it to the in-vehicle device 50 via the in-vehicle gateway 20B.

<4-2. In-vehicle gateway configuration>
The configuration of the in-vehicle gateway 20B according to the fourth embodiment is similar to the configuration of the IoT gateway 20A according to the second and third embodiments described above, and therefore detailed explanation will be omitted.

<4-3. Configuration of in-vehicle equipment>
The configuration of the in-vehicle device 50 according to the fourth embodiment is the same as the configuration of the IoT device 30 according to the third embodiment described above, so detailed explanation will be omitted.

<4-4. Configuration of external equipment>
The configuration of the external device 60 according to the fourth embodiment is the same as the configuration of the server 10 according to the first and second embodiments described above, so a detailed explanation will be omitted.

<4-5. Flow of mutual authentication＞
The flow of mutual authentication between the in-vehicle device 50 and the in-vehicle gateway 20B according to the fourth embodiment is similar to the flow of mutual authentication between the IoT device 30 and the IoT gateway 20A according to the third embodiment described above. Detailed explanation will be omitted. Furthermore, the flow of mutual authentication between the external device 60 and the in-vehicle gateway 20B according to the fourth embodiment is the same as the flow of mutual authentication between the server 10 and the IoT gateway 20A according to the second embodiment described above. , detailed explanation will be omitted.

<<5. Modified example >>
Each embodiment of the present invention has been described above. Next, modifications of each embodiment of the present invention will be described with reference to FIGS. 10 and 11. Note that the modified examples described below may be applied instead of the configurations described in each embodiment of the present invention, or may be applied in addition to the configurations described in each embodiment of the present invention. good.

In the embodiment described above, an example has been described in which processing related to msk, including creation of msk, encryption of kek, and storage of msk and enc[kek]msk in the RAM 240, is performed after generation of ddk1-A. but not limited to. Processing regarding msk may be performed when the application is started.

(1) Flow of processing related to msk when starting an application The flow of processing related to msk when starting an application will be described with reference to FIG. FIG. 10 is a sequence diagram showing the flow of processing related to msk when starting an application according to each embodiment.

As shown in FIG. 10, the key usage unit 212 of the device 20 notifies the key management unit 214 that the application has been started when the application (app) is started (S300).

The key management unit 214 that has received the notification generates msk (S302). The key management unit 214 inputs the generated msk to the data key encryption key storage unit 242 (S304). The data key encryption key storage unit 242 stores the input msk (S306).

The key management unit 214 requests kek from the data key encryption key storage unit 224 (S308). Upon receiving the request for kek, the data key encryption key storage unit 224 inputs enc[kek]mk to the key management unit 214 (S310).

The key management unit 214, which has received enc[kek]mk, requests the master key storage unit 234 to decrypt kek with enc[kek]mk as parameter P (S312). Upon receiving the kek decryption request, the master key storage unit 234 decrypts enc[kek]mk using mk (S314). The master key storage unit 234 inputs the kek obtained by decryption to the key management unit 214 (S316).

The key management unit 214 encrypts kek with msk and generates enc[kek]msk (S318). The key management unit 214 inputs the generated enc[kek]msk to the data key encryption key storage unit 242 (S320). The data key encryption key storage unit 242 stores the input enc[kek]msk (S322).

(2) Flow of device authentication by server Referring to FIG. 11, the flow of authentication of device 20 by server 10 when msk-related processing is performed at application startup will be described. FIG. 11 is a sequence diagram showing a modified example of the flow of authentication of the device 20 by the server 10 in mutual authentication between the server 10 and the device 20 according to each embodiment.

As shown in FIG. 11, the server 10-1 causes the device 20 to transmit a challenge with ccA as the parameter P (S400).

The key usage unit 212 of the device 20 that has received the challenge requests the key management unit 214 for ddk with SeedA as parameter P1 and ksp1 as parameter P2 (S402).

Upon receiving the request for ddk, the key management unit 214 makes a request for kek to the data key encryption key storage unit 242 (S404). Upon receiving the request for kek, the data key encryption key storage unit 242 inputs enc[kek]msk and msk to the key management unit 214 (S406).

The key management unit 214 that receives enc[kek]msk and msk decrypts enc[kek]msk using msk (S408).

The key management unit 214 requests the data key storage unit 222 for dk1 with ksp1 as the parameter P (S410). Upon receiving the request for dk1, the data key storage unit 222 inputs enc[dk1]kek to the key management unit 214 (S412).

The key management unit 214 decrypts enc[dk1]kek with kek and obtains dk1 (S414). The key management unit 214 encrypts SeedA with dk1 and generates ddk1-A (S416). The key management unit 214 inputs the generated ddk1-A to the key usage unit 212 (S418).

The key utilization unit 212 encrypts ccA received from the server 10-1 using ddk1-A input from the key management unit 214, and generates enc[ccA]ddk1-A (S420). The key usage unit 212 causes the server 10-1 to transmit a response with enc[ccA]ddk1-A as the parameter P (S422).

The server 10-1 decrypts enc[ccA]ddk1-A received from the device 20 using ddk1-A stored in advance, and obtains ccA (S424). The server 10-1 compares the ccA sent to the device 20 in S400 and the ccA acquired in S424, and if they match, determines that the authentication has been successful (S426).

(3) Flow of server authentication by device The flow of authentication of server 10 by device 20 when msk-related processing is performed at the time of application startup is similar to the authentication flow shown in FIG. 5, so a detailed explanation will be given below. Omitted.

Modifications of each embodiment of the present invention have been described above.
As explained above, in the communication system according to each embodiment, the SE 230 has tamper resistance and stores msk. The storage 220 stores kek encrypted with msk and a plurality of data keys encrypted with kek.
The communication unit 200 communicates with a plurality of communication targets. The key acquisition unit 2140 acquires the kek and the data key corresponding to the communication target that communicated with the communication unit 200 from the storage 220 based on target information that differs for each of the plurality of communication targets.
The decryption unit 232 of the SE 230 decrypts the kek acquired by the key acquisition unit 2140 using msk. The decryption unit 2144 of the key management unit 214 decrypts the data key acquired by the key acquisition unit 2140 using the kek decrypted by the decryption unit 232.
The first key generation unit 2142 generates a different ddk for each of the plurality of communication targets based on the data key decrypted by the decryption unit 2144.

With this configuration, the communication system according to each embodiment can securely manage encryption keys without making a large investment in equipment by using the SE 230, which is cheaper than the HSM. Further, the communication system can securely manage as many keys as the resources of the storage 220 allow by storing one msk in the SE 230 and encrypting and storing information other than the msk in the storage 220. Furthermore, by including one SE 230 that can store msk and storage 220 that can store information other than msk, the communication system can manage keys without providing multiple SEs in the device.

Therefore, the communication system of the present invention can securely manage multiple encryption keys with an inexpensive device.

Note that the communication system in each of the embodiments described above may be implemented by a computer. In that case, a program for realizing this function may be recorded on a computer-readable recording medium, and the program recorded on the recording medium may be read into a computer system and executed. Note that the "computer system" herein includes hardware such as an OS and peripheral devices. Furthermore, the term "computer-readable recording medium" refers to portable media such as flexible disks, magneto-optical disks, ROMs, and CD-ROMs, and storage devices such as hard disks built into computer systems. Furthermore, a "computer-readable recording medium" refers to a storage medium that dynamically stores a program for a short period of time, such as a communication line when transmitting a program via a network such as the Internet or a communication line such as a telephone line. It may also include a device that retains a program for a certain period of time, such as a volatile memory inside a computer system that is a server or client in that case. Further, the above-mentioned program may be one for realizing a part of the above-mentioned functions, or may be one that can realize the above-mentioned functions in combination with a program already recorded in the computer system. It may be realized using a programmable logic device such as an FPGA (Field Programmable Gate Array).

Although the embodiments of this invention have been described above in detail with reference to the drawings, the specific configuration is not limited to that described above, and various design changes may be made without departing from the gist of this invention. It is possible to do so.

1... Communication system, 10... Server, 20... Device, 20A... IoT gateway, 20B... In-vehicle gateway, 30... IoT device, 40... Car, 50... In-vehicle device, 60... External device, 61... Cloud, 62... Server, 63...Traffic light equipment, 64...Bridge equipment, 65...Parking lot equipment, 100...Communication unit, 110...Control unit, 112...Authentication unit, 114...Decryption unit, 116...Encryption unit, 120...Storage unit, 200...Communication unit, 210...Control unit, 212...Key usage unit, 214...Key management unit, 220...Storage, 222...Data key storage unit, 224...Data key encryption key storage unit, 230...SE, 232...Decryption unit , 234... Master key storage section, 240... RAM, 242... Data key encryption key storage section, 300... Communication section, 310... Control section, 312... Authentication section, 314... Decryption section, 316... Encryption section, 320... Storage section, 2120...Target information generation section, 2122...Key acquisition section, 2124...Decryption section, 2126...Encryption section, 2128...Authentication section, 2140...Key acquisition section, 2142...First key generation section, 2143...Second key generation unit, 2144...decryption unit, 2146...encryption unit, NW...network

Claims (9)

a secure element having tamper resistance and storing a first encryption key;
a first storage device that stores a second encryption key encrypted with the first encryption key and a plurality of data keys encrypted with the second encryption key;
a communication unit that communicates with multiple communication targets;
a key acquisition unit that acquires the second encryption key and a data key corresponding to each of the plurality of communication targets from the first storage device based on target information different for each of the plurality of communication targets;
a first decryption unit that decrypts the second encryption key acquired by the key acquisition unit with the first encryption key;
a second decryption unit that decrypts the data key acquired by the key acquisition unit using the second encryption key decrypted by the first decryption unit;
a first key generation unit that generates a third encryption key that is different for each of the plurality of communication targets based on the data key decrypted by the second decryption unit;
A communication system with the first key generation unit generates the third encryption key using a key derivation function;
The communication system according to claim 1. The first key generation unit generates the third encryption key using the key derivation function that encrypts the target information with the data key decrypted by the second decryption unit.
The communication system according to claim 2. The first key generation unit generates the third encryption key using the key derivation function that applies a hash function to a concatenated value of the target information and the data key.
The communication system according to claim 2. a second storage device that stores the second encryption key decrypted by the first decryption unit;
further having,
The communication system according to any one of claims 1 to 4. an encryption unit that encrypts the second encryption key decrypted by the first decryption unit with a fourth encryption key;
a second key generation unit that generates the fourth encryption key;
It further has
the second storage device temporarily stores the second encryption key encrypted with the fourth encryption key by the encryption unit;
The communication system according to claim 5. a target information generation unit that generates the target information indicating the data key corresponding to the communication target that communicated with the communication unit based on the communication with the communication target;
The communication system according to any one of claims 1 to 6, further comprising: the secure element has tamper resistance and stores the first encryption key;
a first storage device stores a second encryption key encrypted with the first encryption key and a plurality of data keys encrypted with the second encryption key;
The communication department communicates with multiple communication targets,
A key acquisition unit acquires the second encryption key and a data key corresponding to each of the plurality of communication targets from the first storage device based on target information different for each of the plurality of communication targets. and,
a first decryption unit decrypts the second encryption key acquired by the key acquisition unit with the first encryption key;
a second decryption unit decrypts the data key acquired by the key acquisition unit with the second encryption key decrypted by the first decryption unit;
a first key generation unit generates a different encryption key for each of the plurality of communication targets based on the data key decrypted by the second decryption unit;
methods of communication, including; computer,
a secure element having tamper resistance and storing a first encryption key;
a first storage device that stores a second encryption key encrypted with the first encryption key and a plurality of data keys encrypted with the second encryption key;
a communication unit that communicates with multiple communication targets;
a key acquisition unit that acquires the second encryption key and a data key corresponding to each of the plurality of communication targets from the first storage device based on target information different for each of the plurality of communication targets;
a first decryption unit that decrypts the second encryption key acquired by the key acquisition unit with the first encryption key;
a second decryption unit that decrypts the data key acquired by the key acquisition unit using the second encryption key decrypted by the first decryption unit;
a first key generation unit that generates a different encryption key for each of the plurality of communication targets based on the data key decrypted by the second decryption unit;
A program that functions as

Images