JPH08204696A - Authentication method in communication system having plural equipments - Google Patents

Abstract

PURPOSE: To provide a distributed authentication server having the same authentication function as that of a centralized management type authentication server and realizing high fault tolerance. CONSTITUTION: In the communication system including a device 14 being a distributed authentication server, a authentication receiver 15 requesting authentication sends a authentication request message including identifier of a authentication receiver and that of a authentication server to each device 14 of the distributed authentication server and each device 14 of the distributed authentication server generates a ciphered authentication identifier by a secret key relating to the authentication receiver based on the authentication request message in the common. Then the authentication message is generated by ciphering the authentication identifier with a secret key relating to the authentication receiver and each device 14 of the distributed authentication server sends the authentication message to the authentication receiver 15. Then the authentication receiver 15 receiving the authentication message decodes the authentication message and sends the obtained authentication identifier to the authentication server 15, and the authentication server 15 receiving the authentication identifier decodes the authentication identifier to verify the authentication receiver.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a communication system in which a plurality of devices are connected by a communication path, and more particularly to an authentication method in a communication system in which a plurality of devices distribute authentication.

[0002]

2. Description of the Related Art Conventionally, in many communication systems, information is transmitted in data block units called packets. Even when the packet is transmitted to the designated destination, all devices (users of the devices) included in the communication system can receive the packet. Moreover, since a plurality of devices are connected via the same communication path, it is difficult to specify the transmission source of the packet. Therefore, in such a communication system, it is easy to be exposed to "sniffing" that illegally obtains a packet to another destination and "spoofing" that makes one device appear to another device.

In order to mitigate this threat of eavesdropping and spoofing, public key cryptosystems (Ikeno, Koyama: "Modern cryptography")
, The Institute of Electronics and Communication Engineers, 1986) is known. Some public key cryptosystems include
Some RSA encryptions have an authentication function called "digital signature" in addition to the encryption function. By using this, encrypted communication with a signature can be performed to prevent eavesdropping and spoofing.

Further, as another countermeasure for mitigating the threat of eavesdropping and spoofing, Kerberos (co-authored by S. Garfinkel and G. Spafford by kerberos: S. Garfinkel and G. Spafford, translated by Hide Yamaguchi, "UNIX Security", ASCII, pp.349-357, pp.535-542, 1993) is a well-known network authentication method.

Below, the authentication protocol of Needham and Schroeder (RNNeedham and MDSchroeder: "Using Encr
yption for Authentication in Large Network of Comp
uters ", CACM 21, 12, pp.993-999. Dec. 1978))
Birrell's Secure RPC (Remote Procedure Call) Protocol (ADBirrell: "Secure Comunications Using Remo
te Procedure Calls ", ACM Trans.on Computer System
s, Vol.3. No.1, pp.1-14, Feb. 1985)).

Generally, in Kerberos, there is an authentication server that manages secret information (corresponding to a secret key) of all devices of the communication system. First, the authentication server is shown in FIG.
As shown in (a), each device i shares a secret key pki. Hereinafter, a person who requests proof is called a prover, and a person who authenticates the prover is called a certifier.

As shown in FIG. 16 (b), when the prover A requests the certifier B for proof, A sends data 161 in the format {A, B, R} to the authentication server. However, A and B are public identification information for identifying the prover A and the authenticator B, such as a device or user name, and R is a randomly selected number.

On the other hand, the authentication server is {authenticator,
The data 162 of R, B, CK} ^ pkA is returned to A. However, {M} ^ k indicates that the message M is data encrypted with the key k, and the authenticator is configured as {T, A, CK} ^ pkB using the time stamp T. The data 163 is CK, and CK is a common key generated by an authentication server used for common key cryptographic communication between A and B thereafter.

Hereinafter, a secret common key used for common key cryptographic communication between a prover and an authenticator will be referred to as a conversation key.
Therefore, the authentication server also serves as a conversation key delivery server. Finally, the prover A is the authenticator 163 described above.
To the authenticator B, and B authenticates A by compounding the authenticator with its own secret master key pkB, and thereafter performs encrypted communication using the common conversation key CK.

As described above, the authentication protocol using Kerberos can mitigate the threat of eavesdropping and spoofing.

[0011]

However, in the public key cryptosystem, it is necessary to carry out a modular exponentiation operation of a large integer of 512 bits or more, and there is a problem that the amount of calculation becomes enormous.

Further, in a protocol such as Kerberos in the common key system, the authentication server manages the secret information of all the devices constituting the communication system, so that the authentication server including the physical meaning is completely reliable. Is required (also in the case of the public key cryptosystem, a centralized management center that manages all public keys is required, and has the same problem). Therefore, in order to ensure the security, it is necessary to strictly manage the authentication server in a locked room or the like where unauthorized persons cannot enter. Further, when the authentication server becomes unreliable due to a failure or a crime, there is a problem that the fault tolerance is weak such that the safety of the entire system is destroyed.

Therefore, in order to solve the problem of the reliability of the authentication server, the present invention proposes a distributed authentication server in which secret information is distributed and managed by a plurality of devices.

The request to the distributed authentication server is as follows. (1) For certifiers and certifiers, the distributed authentication protocol is
It realizes the same authentication function as the conventional centralized authentication protocol. (2) For the prover and the certifier, the distributed authentication protocol is
Guarantees the same interface (data format) as the conventional centralized authentication protocol. (3) For certifiers and certifiers, the distributed authentication protocol is
It is realized with the same amount of calculation as the conventional centralized authentication protocol. (4) The above requirements are satisfied, except when the majority of the devices that make up the distributed authentication server are not reliable.

[0015]

In order to solve the above problems, according to the authentication method of the present invention, an authentication is performed in a communication system in which a plurality of devices including a plurality of devices constituting a distributed authentication server are connected. Each device that constitutes the distributed authentication server, in which the certifier side device that is required to be authenticated by the certifier side device sends an authentication request message including the certifier and the identifier of the certifier to each device that constitutes the distributed authentication server. Jointly generate an authenticator encrypted with a private key related to the authenticator based on the authentication request message, generate an authentication message by encrypting the authenticator with a private key related to the prover, and perform distributed authentication. Each device constituting the server sends the authentication message to the certifier side device, each device constituting the distributed authentication server sends the authentication message to the certifier side device, The certifier side device that receives the certification message decrypts the authentication message, transmits the obtained certifier to the certifier side device, and the certifier side device that receives the certifier uses the certifier To authenticate the prover.

[0016]

Embodiments of the present invention will be described below in detail with reference to the drawings.

[First Embodiment] FIG. 1 is a diagram showing an information processing system having distributed information processing devices according to a first embodiment of the present invention.

In the figure, 14 is a device (hereinafter referred to as a member) constituting the distributed authentication server AS (1), ..., AS.
(k). Reference numeral 11 denotes a secret communication path that enables physically and securely secret communication between devices (such as designed so as not to be accessible from other communication paths).
Is a broadcast-type communication path that interconnects all members so that information can be disclosed. Here, the number of members is assumed to be a relatively small number of about 20 or less in terms of efficiency.

The number of all devices constituting the communication system may be considerably larger than that of the members, and they are connected to the members via the secret communication path 11. Further, the respective devices communicate with each other via a normal (insecure) communication path 13. After that, 1
When one device sends a request for a service (for example, file transfer, remote procedure call, etc.) to another device, the requesting device is called a "client", and the device that receives this request and provides the service is called a "server". I will. In FIG. 1, reference numeral 15 denotes the devices C / S (1), ..., C / S (n) which are such clients and servers. However, the member may be a client or a server.

In the present embodiment, mutual authentication and communication content authentication are realized by such a client and server. It also realizes sharing of a secret key for performing secret communication between the client and the server. Furthermore, since secret information is distributed and managed and calculated among members, there is an advantage that it is safer than the conventional impression server. In the following, when a client requests authentication from a server to request service, a client requesting authentication will be referred to as a "certifier", and a server providing authentication will be referred to as an "authenticater".

FIG. 2 is a diagram showing a block configuration of a device as a member. In the figure, 21 is a secret communication path 1.
2 is a communication unit for communicating with another device via the broadcast communication path 13. 22 is an arithmetic processing unit,
According to the program of the storage unit 24, various operations such as a one-way hash function, which will be described later, and determination processing are performed, and each unit of the apparatus is controlled. 23 is a random number generator such as a pseudo random number generator, and is used to generate a random value. A storage unit 24 stores programs to be executed by the arithmetic processing unit 22, information such as arithmetic results generated in the course of processing, information received from other devices, various parameters, and the like. Devices other than the members of the communication system also have the same hardware configuration as the members.

The basic part of the distributed authentication protocol is the VSS (verifiable Secret Sharing) protocol described below. According to VSS, one secret information is a technique in which less than a majority of the secret information cannot be guessed, and if the majority of the information is correct, the original secret information can be restored into a plurality of secret parts.

[VSS Protocol] Given finite field F
The procedure for distributing the above secret in a verifiable manner is described below.

FIG. 3 is a diagram showing the relationship between the secret s and the submatrix S.

In the present embodiment, the submatrix S = [s (i, j)] (i, j = for some secret element s
1 ,. ． ． , N) means that each row vector S_r (i) =
[S (i, 1) ,. ． ． , S (i, n)] (i =
1 ,. ． ． , N), each element of n is the value fi (il), ..., fi () for n different values il, ..., in of a polynomial fi of degree t with a secret s_r (i) as a constant term. in), and each column vector S_c (j)
= [s (1, j), ..., s (n, j)] (j = 1, ..., n) has a secret s_c (j)
N different values i of the polynomial gi of degree t, where is a constant term
The values for l, ..., in are gi (il), ..., gi (in), and the vectors [s_r (1), ..., s_r (n)] and [s_c (1), ..., s_
Both c (n)] are the values f (il, ..., in) and g (il, ..., in) of the polynomials f and g of degree t with the original secret s as a constant term. It is what As will be described below, the submatrix used in the secret-sharing scheme capable of verbal type confirmation further defines a secret part n × n matrix S = [s (i, j)] (i, j =
1, ..., n).

First, each row vector S_r (i) = [s (i, 1), ..., s
(i, n)] (i = 1, ..., n) is the secret part vector for some secret s_r (i) (vector j is the secret part of subscriber j in some secret sharing scheme) And each column vector S_c (j) = [s (1, j), ..., s (n, j)] (j = 1, ..., n) becomes
It becomes a secret subvector for a secret s_c (j).

However, the vectors [s_r (1), ..., s_r (n)] and [s_c (1), ..., s_c consisting of the above-mentioned secrets s_r (i) and s_c (j).
Both (n)] are secret subvectors of the original secret s. In the secret sharing process, the column vector i (i = 1, ..., n) of the submatrix constructed in this way and the secret s_r (i)
Is sent to each subscriber i as the confidential partial information of the subscriber i, so that the partial information broadcast by each subscriber can be provided if the subscriber who has distributed the partial information does not make any mistake during the secret restoration process. There is a very high probability that you can check if is correct.

Further, in this embodiment, in order to confirm whether or not the partial information broadcast during the secret restoration processing is correct even if the subscriber who has the original confidential information and distributes the confidential partial information makes an illegal act. , Each subscriber in distributing secret information
A one-way hash function (Ikeno, Koyama: "Modern Cryptography", pp.224) is used as the authenticator value of the secret s_r (i) corresponding to i (i = 1, ..., n). -225, IEICE, 1986, see).

Next, the one-way hash function will be described.

The one-way hash function is a function for performing data compression type scrambling. It is easy to calculate an output value from an input value, but it is difficult to perform an inverse calculation to calculate an input value from an output value. is there. However, in this embodiment,
Compared with the conventional one-way function used in the non-interactive confirmable secret sharing scheme, it does not need to have a special algebraic property, and a one-way hash function with high-speed calculation processing can be used.

As a specific example of the one-way hash function, R.
Merkle ("One Way Hash Functions and DES", Advance
s in Cryptology −Crypto'89, Lecture Notes in Comp
uterScience, Vol. 435, Springer-Verlag, 1990) has proposed a one-way hash function using a block cipher such as DES (Data Encryption Standard).

FIG. 8 is a diagram for explaining a specific configuration of the one-way hash function.

In the figure, (a) shows block encryption by DES, and 81 is a 64-bit input and 56 bits.
This is an encryption circuit (DES is represented by E in FIG. 8) that can obtain a 64-bit output from a bit key.

(B) shows the processing of the function F in which the input length is 119 bits and the output length is 112 bits by using this DES as a partial process, and 82 is a function operation circuit. is there. This process is defined as follows.

First, the input is divided into two parts k and x (however, the length of one part k is 55 bits, and the length of the remaining part x is 64 bits). Then DE that part x
The input of S, the remaining k and '0' are consecutive values '0', k
Let the result of XORing the output obtained with x as the 56-bit key and x be the left 64 bits at the output of the function F. Similarly, the same part x is input, and the remaining parts k and '
The value obtained by using 1's as a continuous value '1', k as a key and x
48 bits from the result of XOR calculation (64 bits) to function F
And the rest (48 bits on the right). The output of the 112-bit F-function is the result of successive two outputs.

(C) shows a process of inputting a given message and outputting a hash value of a one-way hash function, and 83 is a hash function processing section.
This process is executed as follows.

First, the first 119 of the given message
Take the bits as input to the function F above and get the output of the first 112 bits. Next, the output is again used as the input 112 bits, and thereafter, the remaining 7 bits from the message are continuously input to the repeating function F. Finally, when you type the entire message (add a '0' if there are missing bits to fill the last 7 bits of the message)
The obtained 112-bit output is used as the hash value for the message.

The one-way property of the hash function calculated as described above (when one hash value is given, it is extremely difficult to obtain messages having different inputs so that the same hash value is obtained) , The security of block ciphers such as DES used (the output is a random variable with the key when the input is given, the input is a random variable with the key when the output is given). , R. Merkle (see above paper).

Further, in the same paper, a one-way hash function which is more efficient than the above-mentioned hash function is also proposed,
An efficient one-way hash function that does not use block cipher is R. Rivest ("The MD4 message digest algorithm",
Advances in Cryptology ー Crypto'90, Lecture Notes i
n Computer Science, Vol. 537, Springer-Verlag, 199
1. NIST Federal Information Processing Standard fo
r Secure Hash, American National Standard X9.30-19
9x).

Next, the Cut and Choose process in this embodiment will be described.

Like Cut and Choose performed by the conventional interactive confirmable secret sharing method, the secret partial information received by all subscribers at the time of secret sharing processing is the secret partial information that can be confirmed and distributed. We then distribute the submatrices and hash values for the original secret s and at the same time k random secrets l1, ..., lk
Distribute the submatrix and the hash value for and have a secret of k / 2 (li (1), ..., li randomly determined by all subscribers.
(k / 2)) broadcast all confidential information about
For the secret (lj (1), ..., lj (k / 2)) of lj (1) + s, ..., lj
If all the secret information about (k / 2) + s is broadcast and the number of errored parts in all the broadcast information is larger than t, it is judged that the secret sharing process is not correct.

As described above, instead of the conditions (c) and (d) of the conventional identifiable secret sharing system, a secret sharing system satisfying the following conditions (c ') and (d') can be realized. A method and a communication system for safely executing distributed calculation can be realized.

(C ') When incorrect partial information is mixed with correct partial information, the original secret information may not be restored even if there are t + 1 correct partial information. Can be identified.

(D ') When all the subscribers receive the secret partial information, if the partial information is not correct information for restoring the secret information x, the subscriber who made an illegal act during the restoration process It is possible to identify the person.

Under these conditions, the secret cannot be restored, that is, error correction cannot be performed even if there is an unauthorized subscriber as in the conventional method, but an unauthorized subscriber can be identified, that is, an error can be detected. . If there are conditions (c) and (d), distributed computing can be executed correctly even if there is an unauthorized subscriber (fault tolerance for correctness can be realized), but conditions (c '),
Even if changed to (d '), an unauthorized subscriber can be detected, so a correct output can be obtained by issuing a warning and re-executing, and fault tolerance to the correctness can be realized.

Therefore, in this embodiment, if there is an unauthorized subscriber when restoring the distributed secrets, it may not be possible to restore, but it is confirmed that the unauthorized subscriber can be identified. We propose a possible secret sharing scheme. This enables the interactive method (1) and the cryptographic method described above.
It is possible to realize a secret sharing scheme that can be confirmed in the middle of (2), in which both the required calculation amount and communication amount are in a practical order.

The method for realizing the secret identifiable distribution on the given finite field F will be specifically described below.

First, the submatrix S for the secret s will be specifically described.

The submatrix S = [s (i, j)] (i, j = 1, ..., n) for a given secret element s on a given finite field is the row vector S_r (i). = [s (i, 1), ..., s (i, n)] (i = 1, ..., n) is a polynomial fi of degree t with s_r (i) as the constant term The values fi (i1), ..., fi (in) for n different values i1, ..., in,
Each column vector S_c (j) = [s (1, j), ..., s (n, j)] (j = 1, ..., n)
Becomes the value gj (j1), ..., gj (jn) for n different values j1, ..., jn of the polynomial gj of degree t with s_c (j) as a constant term, and , Vector of the above values [s_r (1), ..., s_r (n)]
And [s_c (1), ..., s_c (n)] are the values f (i1, ..., in) and g of polynomials f and g of degree t with the original secret s as a constant term.
It is (j1, ..., jn).

Next, the processing of the present embodiment is carried out by secret sharing processing for distributing a secret part so that a given secret on a finite field is secretly distributed and held among all subscribers, and all subscribers. The secret distributed process or the secret restoration process for clarifying the subscriber who has committed fraud (when there is fraud) will be described separately.

(1) Secret sharing processing Secret sharing processing means that a subscriber d having a secret element s
This is the process of distributing the secret part for s. FIG. 5 shows the processing procedure. In the figure, the process Rj, i is the process executed by the subscriber i in round j.

In the following, h represents an efficient one-way hash function (with a fast calculation scheme). For example, a hash function constituted by a high-speed block encryption function (see the above "modern cryptographic theory") is used. The safety parameter k satisfies k = nk 'for some constant k'. In this case, the probability of incorrect confirmation of secret sharing processing is Cut and Cho
By ose processing, it becomes 2 ^ (-k '(t + 1)) (T. Rabin, M.
Ben-Or "Verifiable Secret Sharing and Multiparty Pr
otocols with Honest Majority ").

(Round 1) Subscriber d uses random number generator 2
Using 3, the sub-matrix S, for the original secret s and the randomly chosen secret elements l1, ..., lk over a given finite field
Generate L1, ..., Lk. Then, as shown in FIG. 4, secret values s_r (1), ..., s_r (n), l1_r (1), ..., l1_r (n), ..., lk_r
One-way hash function value s * for (1), ..., lk_r (n)
Is calculated by the arithmetic processing unit 22.

The subscriber d is a column vector S_c (i), L1_c (i) of each generated submatrix for each subscriber i (i = 1, ..., n, except for himself). , ..., Lk_c (i) and secret s_r (i), l1_
r (i), ..., lk_r (i) (information B1.i) is transmitted using the secret communication channel 11, and hash value s * (information B1.d) is sent among all subscribers.
Is broadcast using the broadcast communication path 12 (processing R1.d).

(Round 2) Each subscriber i (i = 1, ..., n)
Broadcasts k ′ randomly selected bits (information B2.i) using the random number generator 23 (process R2.i). Let these randomly selected k'bits be Bi_1, .., Bi_k ',
All bits for all n subscribers are called B1, ..., Bk.

(Round 3) Subscriber d sets Bj to 1 for each bit Bj (j = 1, ..., k) broadcast in Round 2.
If so, the submatrix Lj generated by the subscriber d is broadcast in round 1, and if Bj is 0, the addition result on the finite field for each element of the submatrix S and Lj generated by the subscriber d in round 1 ( S + Lj
Broadcast) (process R3.d). The information broadcast by subscriber d is labeled B3.d in FIG.

(Round 4) Each subscriber i (i = 1, ..., n)
In the information B1.i that was secretly received in round 1,
Column vectors Lj_c (i) and lj for j (j = 1, ..., k)
_r (i) (when bit Bj broadcast in Round 2 is 1)
Or Lj_c (i) + S_c (i) and lj_r (i) + s_r (i) (Bj is 0
Is equal to the column vector corresponding to the submatrix broadcast in round 3 and the secret value, and if not equal to some value j, then the decision message of subscriber d (information B4.i ) Is broadcast (process R4.i).

(Round 5) When the judgment message (information B4.i) is broadcast in Round 4, the subscriber d secretly transmits it in Round 1 for each subscriber j who broadcast the judgment message. Information B1.j (here, information B
5.d) is broadcast (process R5.d).

(Post-processing) Each subscriber i (i = 1, ..., n) is
If the information broadcast in Round 5 is incorrect, or if the number of determination messages broadcast in Round 4 is greater than the threshold value t, it is determined that the subscriber d has made an illegal act (process Pi).

In the above rounds 1 to 5, each subscriber i
Let s_i be all information received by.

(2) Secret Restoration Process The secret restoration process is a process for calculating the original secret s by all subscribers from the information s_i held by each subscriber by the secret sharing process described above. FIG. 6 shows the procedure.

(Round 1) Each subscriber i (i = 1, ..., n)
Is the secret value s_c (i) and s_r (i) containing the partial information s_i
Broadcast (Information B1.i) (Process R1.i).

(Round 2) Each subscriber i (i = 1, ..., n)
Are the t + 1 values s_c (i,
1), ..., s_c (i, t + 1) and s_r (i, 1), ..., s_r (i, t + 1), and select s (c) and s ( r) and both are equal, and the remaining broadcasted value is its value s (c) = s
Check if it is the correct value of the same polynomial corresponding to (r). If all values are correct, the original secret s is s (c) = s
The restoration process ends, judging that it is equal to (r). On the other hand, if a value that does not correspond to the same polynomial is broadcast, the partial information s_
The column vector S_c (i) (information B2.i) included in i is broadcast (above, processing R2.i).

(Round 3) Each subscriber i (i = 1, ..., n)
Is the column vector S_c (j) (j =
Generate a submatrix S'from 1, ..., n) and all sets t1, ..., tm (1, m = _{n in} total) containing t + 1 values different from 1, ..., _n C
Select a set of column vectors T1, ..., Tm for _{t + 1} = n! / ((t + 1)! (nt-1)!) sets and perform polynomial interpolation for each row and column. The result of processing s'_r (1), ..., s'_r (n) and
s'_c (1), ..., s'_c (n) is obtained, and the results s '(r) and s' (c) of the polynomial interpolation processing of these values are obtained, and both are equal, and All elements of those column vectors are the same, corresponding to their respective values s'_c (1), ..., s'_c (n) and s'_r (1), .., s'_r (n) Check if the polynomial value is correct.

The number of sets corresponding to different correct submatrices in the sets T1, .., Tm including t + 1 column vectors confirmed in this way is t + 1 at the maximum, and The submatrix is called S_1, ..., S_T (where T <t + 1). If there is only one correct submatrix (T = 1), then the secret s for that matrix is determined to be equal to the original secret, and the uncorresponding column vector represents the fraudulent subscriber. If there are two or more correct submatrices, each subscriber i (i = 1, ..., n) broadcasts all the partial information s_i (information B3.i) that it has (above, processing
R3.i).

(Post-processing) Each subscriber i (i = 1, ..., n) is
Correct submatrix S_1, ..., S_T calculated in round 4 using information s_j (j = 1, ..., n) broadcast in round 3
For (where T <t + 1), the same one-way hash function as in the secret sharing process described above is calculated, and all broadcasted information is correct, and the value s broadcast in round 1 of the distributed process is calculated. *
Check whether it corresponds to. It is judged that the secret s'corresponding to the submatrix correct for these confirmations (there is only one at most) is equal to the original secret s. If, on the other hand, there was no correct submatrix for the above check,
It is judged that the secret is deviated by the distributed subscriber d (process Pi).

[Linear Combined Process of Distributed Secrets] By the above-mentioned verifiable secret sharing process, two secrets in the given elements {1, ..., p-1} on the finite field are given. When the elements x and y are distributed (where each subscriber i has a secret element x and y)
Has a secret part corresponding to x_i and y_i), and a secret part corresponding to the sum x + y on a given finite field without communication.
Calculate (x + y) _i as follows.

First, the column vectors X_c (i) and Y_c (i) of the submatrix held by each subscriber and the secret values x_r (i) and y_r (i).
Is added element by element, the addition result X_c (i) + Y_c (i) and x_r (i) + y_r (i) become the column vector and secret value of the submatrix for x + y. It is obvious from the definition of (row and column elements are polynomial values).

Further, both the values x * and y * of the one-way hash function used for confirming the partial information in the secret restoration process are stored, and the result x + y of the addition is restored in the restoration process. Secret x + by using both if necessary
Check the submatrix X + Y corresponding to y.

In order to calculate the distributed multiplication of one secret element x and the public element a in a distributed manner, each element of the submatrix possessed by each subscriber is multiplied by a. The result is an element of the submatrix for x * a. Therefore, by the above process, as shown in FIG. 7, a linear combination a * using two distributed secret elements x and y and public elements a and b.
x + b * y can be distributed and calculated without interaction among the subscribers participating in the group.

As described above, the secrets can be distributed among the members in a confirmable manner.

Next, a shared pseudo-random secret is generated by distributing pseudo random numbers among members.
Generation) protocol is explained.

[Distributed Pseudo Random Number Generation Protocol] The members AS (1), ..., AS (k) constituting the distributed authentication server have r for the member AS (i) in order to control the distributed pseudo random number r. Output the secret part r (i) (i = 1,…, k) of. This protocol is realized as shown in FIG.

Each member AS (i) generates a secret pseudo random number ri expressed as an element on a finite field (process 81).

Each member AS (i) secretly distributes the secret pseudo random number ri by using the above-mentioned confirmable secret sharing process. When each member does this, each member AS
(j) (j = 1, ..., k) is the secret part r1 (j), ..., rm (j) of each member
Will have. However, m (≦ k) is the number of members for which it has been confirmed that the secret sharing has been correctly performed (process 8).
2).

Each member AS (j) is the secret part of AS (j) of the secret pseudo-random number r by adding the above-mentioned secret part r (j) = r1 (j) + ... + rm (j) Is generated (Process 8
3).

This secret pseudo random number r is a number that no one can know unless the majority of the members collude.
As described above, the pseudo random numbers are generated in a distributed manner, and the pseudo random numbers can be used as the conversation key between the prover and the authenticator.

Next, a protocol for distributing and executing secret key cryptographic processing among members will be shown. This is different depending on whether the data to be encrypted with the private key is distributed secret data or open data.

[Distributed Secret Key Encryption / Decryption of Distributed Secret Data] FIG. 9A is a diagram for explaining this protocol. Let m be a message composed of N blocks m1, ..., MN of length L. However, the VSS protocol is executed on the finite field GF (2 ^L ). It is assumed that the secret parts m1 (i), ..., MN (i) are secretly distributed to the member AS (i). Also, a secret key pk having the same length as the message m
Is also divided into N blocks pk1, ..., pkN of length L, secretly distributed among the same members, and
(i) has respective secret parts pk1 (i), ..., pkN (i).

In order to perform the secret key cryptographic processing of the message m using the secret key pk, each member AS (i) performs addition on a given finite field for each block as follows.

C1 (i) = m1 (i) + pk1 (i), ..., cN (i) = mN (i) + pkN (i) Since the VSS protocol is homomorphic, c1 (i) ,. , cN
(i) corresponds to the secret part of c1, ..., CN obtained by dividing the ciphertext c into N blocks for each length L. Therefore, the ciphertext c is restored and published by executing the above secret restoration process.

As a result, the device in the communication system having the secret key pk can decrypt the original message m from the published ciphertext c. However, the private key pk is disposable and will not be used again.

[Distributed Private Key Encryption / Decryption of Public Data]
In the case where the message m is open to the public, the above-mentioned cryptographic protocol causes a problem that the secret key pk is known by subtracting the message m from the publicized cipher c. Therefore, regarding the public data, (b) in FIG.
The protocol shown in is used.

As in the above case, it is assumed that the message m is composed of N blocks m 1, ..., MN of length L. However, it is assumed that the contents are public data known to members. The secret key pk has a length twice that of the message m, and 2N blocks pk1 having a length L. 1, pk1 2,
... pkN 1, pkN Divided into two. This pk is secretly distributed among the members, and the member AS (i) is the secret part pk of each member.
1 1 (i), pk1 2 (i), ... pkN 1 (i), pkN Has 2 (i).

In order to realize the private key pk cryptographic processing of the message m using the private key pkpk, each member AS (i)
Performs the following operation on the given finite field for each block. However, in the equations below, · represents multiplication and + represents addition.

C1 (i) = m1 · pk1 1 (i) + pk1 2 (i),…, cN (i) =
mN ・ pkN 1 (i) + pkN Since the 2 (i) VSS protocol is homomorphic even for linear combinations, c1 (i), ..., cN (i) divides the ciphertext c into N blocks for each length L. Corresponds to the secret part of c1,…, cN. Therefore, the ciphertext c is restored and published by executing the above secret restoration process.

As described above, this protocol uses pkj 1 and pk
j Since two types of keys of 2 (j = 1, ..., N) are used, even if the message m is public data, there is no known secret key pk. Here, the shorter the length L is, the easier the encryption operation is, but the probability that the tamperer can change the ciphertext c into the fake ciphertext c ′ and obtain the fake message m ′ Is 2 ^-L , so L cannot be made too small for safety reasons. Therefore, about 32 is suitable for L.

Regarding the decryption, the devices in the communication system sharing the secret key pk share the secret key pk and the ciphertext c with the length L.
Disassemble for each, pkj 1, pkj 2 and cj (cj-pkj 2) / pkj By executing the operation of 1, mj can be obtained. This allows the original message m to be decrypted.
However, in this case as well, the private key pk is disposable and will not be used again.

[Authentication Protocol] Using the above protocol, authentication using a common key is realized by the distributed authentication server instead of the conventional centralized authentication server as follows.

The authentication protocol includes communication for the prover to receive the authentication message from the distributed authentication server and communication for the prover to show the authentication data to the authentication company. This is called "online processing". By the way, as a premise of performing this online processing, a shared key sharing process between the distributed authentication server and a device that is a certifier or an authenticator, and a conversation key generation process by the distributed authentication server are required. This is called "offline processing". This off-line processing may be executed every time a secret key or a conversation key is required during online processing, but this will increase the processing time and communication time of online processing.

Therefore, by executing the offline processing prior to the online processing, the online processing can be efficiently performed. Below, "offline processing" for (a) and "online processing" for (b) in FIG.
Will be explained.

[Offline Processing] The information that needs to be shared in advance among the members constituting the distributed authentication server is the information regarding the secret keys of all the devices. However, as described with respect to the distributed secret key encryption / decryption protocol, the secret key used between the prover and the distributed authentication server is disposable after the message, and therefore it is necessary to generate a large number of keys. This processing is executed by the following private key delivery processing. Also, the distributed pseudo-random number generation process used as a conversation key between the prover and the authenticator is
It is executed offline as follows.

[Private Key Distribution Processing] In the communication system, the device j to be authenticated is a sufficiently large number M of pseudo-random numbers pkj arbitrarily selected in advance by the secret sharing processing described above. 1,
…, Pkj Distribute M to each member. As a result, the member AS (i) has the secret part pkj of the pseudo-random number. 1 (i),…, pkj M
Receive (i). However, if j does not correctly distribute secrets, j will not be able to receive the authentication service by using his own secret key pkj. Therefore, the post-processing for confirming whether the distributed information is correct is It may be omitted. Further, there is no need to have a broadcast communication channel between j and the member to confirm that j is not lying.

In this processing, j is a sufficiently large number of secret keys.
pkj i (i = 1, ..., M) and each member h (h = 1, ..., k) is a secret part of pkj i (h) (i = 1, ..., M) is held as a list. As described above, since the private key is disposable, j and each member h hold the indexes pkj and pkj (h) indicating the position on the list of the key to be used next, respectively. Then, j generates a secret key when there is enough processing capacity, and disperses this secret when the communication system is idle, and continues updating.

[Pseudo-random number generation process] As shown in FIG. 11, the distributed pseudo-random number r1, ..., RQ which is a conversation key used between the prover and the authenticator is also offline as in the secret key distribution process. It is generated by processing and is retained as a list. As described in the distributed pseudo random number generation protocol above, all members need to perform distributed processing of pseudo random numbers, but not all members need to perform distributed pseudo random number generation at the same time. If the processing and communication system have a margin, this processing may be executed and distributed to other members. As a result, each member holds the distributed pseudo-random number r1 (j), ..., RQ (j) as a list together with an index indicating its use position.

[Online Processing] The online authentication protocol for obtaining an authenticator for the client P (certifier) in the communication system to send to the server V (certifier) from the distributed authentication server is as follows. Done.

(Step S1) The client P uses the normal communication path to AUTH Information shown as REQUEST {id
P, id A request message 101 including V, s} is sent to the members constituting the distributed authentication server. However, id P is the client P, id V is data that identifies the server V, and s is a randomly selected random number.

(Step S2) AUTH The member receiving the REQUEST performs the following processing steps S21 to S26.

(Step S21) A time stamp showing the current time is broadcast to confirm the common time.

(Step S22) A distributed pseudo-random number rz, which is used as a conversation key ck1, ..., cka between the prover and the authenticator by using the distributed secret key encryption protocol of the distributed secret data.
…, Rz + a-1 to pkV x,…, pkV Encrypt x + a-1 as a secret encryption key. Where a is the number of pseudo-random numbers, z and x
Are indexes that represent the beginnings of the pseudo random number list and the secret key pk list, respectively. Then z and x are
They are updated as z = z + a and x = x + a respectively. The result encrypted in this way is CT 1,…, CT Let a.

(Step S23) Using the distributed secret key encryption protocol for public data, the public time stamp and the identifier of the prover, id Let P be 2b secret keys pkV from the same secret key pk list as in step S22. x,…, pkV Encrypt with x + 2b. Then update x = x + 2b + 1. The result of this encryption is CT a + 1,…, CT a + b, step S
CT with 22 results 1,…, CT It is set to a + b, and is used as an authenticator together with the index x before update in step S22.

(Step S24) Using the distributed secret key encryption protocol of the distributed secret data, the ciphertext CT for the authenticator obtained in step S23 1,…, CT a + b and the common keys ck1, ..., cka used in step S22 are 2a + b secret keys pkP y,…, pkP Encrypt with y + 2a + b as the encryption key. However, y is an index indicating the beginning of the private key list with the prover, and is updated as y = y + 2a + b + 1. The result encrypted in this way is CCT 1,…, CCT 2a + b.

(Step S25) Using the distributed secret key encryption protocol for public data, the pseudo random number s publicized in step S1 and the identifier of the authenticator, id 2c secret keys pkP from the same secret key list as in step S24 y,…, p
kP Encrypt with y + 2c. Then, it is updated as y = y + 2c + 1. The result encrypted in this way is CCT 2a +
b + 1,…, CCT 2a + b + c and CCT together with the result of step S24 1,…, CCT 2a + b + c.

(Step S26) Secretly-distributed CCTs are secretly distributed using the secret restoration processing. 1,…, CCT 2a + b + c is restored, and the client P, who is the prover, performs the step S
Along with the index y before being updated in 24, the authentication message 102 is transmitted using a normal communication path.

(Step S3) The prover P receives the index y and the secret key pk from his own secret key list.
P y,…, pkP Data CC received by y + 2a + b + 2c
T 1,…, CCT The pseudo random number ck is decrypted from 2a + b + c by using the distributed secret key decryption protocol of public data. And the decrypted s and id Make sure V is correct. If it is confirmed to be correct, the decrypted pseudo random number c
k is stored as a common key with the authenticator, and the decrypted authenticator 103 is transmitted to the authenticator V.

(Step S4) The authenticator V uses the index x that can be included in the authenticator and pk from his own private key list.
V x,…, pkV With x + a + 2b, from the received authenticator, using the distributed private key decryption protocol of public data, the time stamp and the identifier id of the prover Decrypt P and
The pseudo random number ck is decrypted using the shared secret key decryption protocol of the shared secret data. And the decrypted time stamp and identifier id Make sure that P and are correct. If it is confirmed to be correct, the prover P is authenticated and the decrypted pseudo random number ck is stored as a common key with the authenticator.

[Embodiment 2] In Embodiment 1 described above, if the attacker eavesdrops and stores the authenticator sent by the prover to the authenticator, the attacker shows the authenticator to the authenticator. With this, the certifier can request a service that the certifier does not intend, and the certifier can be confused. This attack is called a replay attack.

Therefore, in this embodiment, in order to mitigate this replay attack, the time information communicated is further added to the authenticator sent by the prover to the authenticator in step S3 of the online processing of the first embodiment. This procedure is shown in FIG. The present embodiment is different from the first embodiment only in that steps S3 ′ and 4 ′ are performed in addition to the steps S3 and 4 of the online processing, and the other points are the same. Therefore, only steps S3 ′ and 4 ′ will be described. To do.

(Step S3 ') After performing step S3 of the first embodiment, the prover uses the obtained conversation key ck to obtain a new time stamp T2 and the identifier id of the prover. P encrypted {T2, id Send P} ^ ck to the authenticator together with the authenticator.

(Step S4 ') The authenticator executes step S4 of the first embodiment to combine the authenticators, and then uses the obtained conversation key ck to attach the attached message {T2, id P} ^
ck is decrypted, the time stamp T2 and the certifier identifier id
If P is confirmed and T2 is old, the service request cannot be accepted.

[0111]

As described above, according to the present invention,
The following effects can be obtained if the server is superior in reliability and security to the conventional centralized management type authentication server and if a majority of the devices constituting the distributed authentication server can be trusted.

The distributed authentication protocol fulfills the same authentication function as the authentication protocol by the conventional centralized management for the prover and the authenticator, and realizes high fault tolerance.

The online processing of the distributed authentication protocol guarantees the same interface (data format) as the conventional authentication protocol to the prover and the authenticator, and thus can be easily replaced with the conventional authentication server.

For the prover and the authenticator, the online processing of the distributed authentication protocol is realized with the same calculation amount as the conventional authentication protocol.

[Brief description of drawings]

FIG. 1 is a diagram showing a block configuration of a communication system in an embodiment of the present invention.

FIG. 2 is a diagram showing a block configuration of each device of the system.

FIG. 3 is a diagram showing a relationship between a secret and a submatrix.

FIG. 4 is a diagram showing processing by a one-way hash function.

FIG. 5 is a diagram showing a procedure of secret sharing processing.

FIG. 6 is a diagram showing a procedure of a secret restoration process.

FIG. 7 is a diagram illustrating distributed secret linear combination processing.

FIG. 8 is a diagram showing a procedure of a pseudo random number distributed generation process.

FIG. 9 is a diagram showing a procedure of distributed secret key encryption processing.

FIG. 10 is a diagram showing a procedure of a distributed authentication protocol.

FIG. 11 is a diagram showing a procedure of offline pseudo-random number generation processing.

FIG. 12 is a diagram showing a procedure of offline secret key distribution processing.

FIG. 13 is a diagram showing a procedure of a distributed authentication protocol.

FIG. 14 is a diagram showing a procedure of a distributed authentication protocol.

FIG. 15 is a diagram illustrating a procedure of a distributed authentication protocol according to the second embodiment.

FIG. 16 is a diagram showing a procedure of a conventional authentication protocol.

[Explanation of symbols]

 11 secret communication channel 12 broadcast communication channel 13 ordinary communication channel 14 device constituting distributed authentication server 15 device serving as client or server 21 communication unit 22 arithmetic processing unit 23 random number generation unit 24 storage unit 101 request message 102 authentication message 103 authentication Child 161 Certifier 162 Authenticator 163 Authentication Center 164, 165, 166 Data

─────────────────────────────────────────────────── ─── Continuation of the front page (51) Int.Cl. ⁶ Identification code Internal reference number FI Technical display location G06F 15/00 330 C 9364-5L G09C 1/00 7259-5J H04L 29/06

Claims (9)

[Claims] 1. In a communication system to which a plurality of devices including a plurality of devices forming a distributed authentication server are connected, a certifier side device that is required to be authenticated by a certifier side device constitutes a distributed authentication server. An authentication request message containing the identifiers of the certifier and the certifier is sent to each device, and each device that constitutes the distributed authentication server jointly encrypts with the secret key for the certifier based on the authentication request message. Generating an authenticator, encrypting the authenticator with a secret key relating to a prover to generate an authentication message, each device constituting the distributed authentication server transmits the authentication message to the prover side device, and The certifier side device that receives the authentication message decrypts the authentication message, transmits the obtained certifier to the certifier side device, and the certifier side that receives the certifier Authentication method location, characterized in that to authenticate the prover decodes the 該認 Akashiko. 2. The respective devices constituting the distributed authentication server jointly cooperate with the certifier side device and the certifier side device,
The authentication method according to claim 1, wherein a common key used for encrypted communication between the two devices is transmitted. 3. The authentication method according to claim 2, wherein each device constituting the distributed authentication server transmits the common key included in the authentication message to the certifier side device. 4. The authentication method according to claim 2, wherein each device constituting the distributed authentication server transmits the common key included in the authenticator to the authenticator side device. 5. A distributed authentication server is configured by using a common key used for encrypted communication between the certifier side device and the certifier side device as a pseudo-random number distributed using a secret sharing process that can be confirmed. The authentication method according to claim 1, wherein the devices are jointly generated. 6. In each device constituting the distributed authentication server, encryption by a secret key is performed by dividing data to be encrypted into a plurality of blocks, and each of the divided blocks is provided with a different finite secret key. The authentication method according to claim 1, wherein the authentication method is performed by performing addition on the body. 7. In each device constituting the distributed authentication server, encryption with a secret key is performed by dividing the data to be encrypted into a plurality of blocks, and each divided block is provided with a different finite secret key. The authentication method according to claim 1, wherein the authentication is performed by multiplying on the body and further adding different secret keys to each multiplication result. 8. The device according to claim 1, wherein each device forming the communication system distributes and distributes a secret key related to the device to each device forming the distributed authentication server by a secret sharing process. Authentication method. 9. When the certifier side device transmits the certifier to the certifier side device, the certifier and the certifier side device are common to the certifier side device and the certifier side device together with a time stamp. The encryption is transmitted using a key, and the authenticator side device decrypts the received information from the prover side device using the common key to confirm the time stamp. The listed authentication method.