JPH10276185A - Id base authentication and key delivery method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To simplify the management of a public key and to facilitate the operation and management of an entire system by using the public key that is easily understood by users in the method and system where users authenticate each other before communication via a network and a session key used for succeeding communication is delivered. SOLUTION: In the ID base authentication.key delivery method where a couple of clients being communication opposite parties authenticates with each other, an encryption key used in common by the clients is generated and the encryption key is used to encrypt a message for communication, a public key U and a secret key in a relation of U<d> =S, S<e> =(U<d> )<e> =U (where e.d=1(mod L),(p-1).(q-1):mod L, p, q are prime numbers) are assigned to the clients to allow mutual authentication and generation of an encryption key.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a method for performing pre-processing before performing actual communication in order to securely perform communication when users exchange information with each other via a network. In particular, ID-based authentication, which mutually authenticates the other party by using an ID such as a name to determine whether or not the other party really wants to perform communication, and communication that is to be performed thereafter after mutually confirming the other party The present invention relates to a key distribution method for distributing a session key for encrypting and decrypting a communication message and generating and verifying a message authenticator so that a third party can eavesdrop on it.

[0002]

2. Description of the Related Art In a network in which a communication network such as a computer as shown in FIG. 11 is connected, a plurality of users 12, 13, 14
Can deliver electronic messages such as electronic mail to each other via the network 11.

[0003] At this time, there is a problem that the users mutually authenticate each other. User (A) 12 is User (B)
When trying to exchange a message with 14, user (A) 12 must be able to confirm that the recipient of the message is indeed user (B) 14. In other words, there is a need for a means for preventing another user (C) 13 from impersonating another person such as the user (B) 14 (spoofing). Similarly, the message recipient (in this case, user (B) 14)
Must be able to confirm that the message sender is the user (A) 12.

One of the means for performing such authentication is as follows.
There is zero knowledge proof.

[0005] The zero knowledge proof is as follows. The prover tries to prove that he or she is who he claims to be, and the verifier is a person who verifies that the prover's proof is correct. Zero-knowledge proof is a method in which a prover proves to a verifier that he / she knows the secret while exchanging messages with the verifier without exposing secret information to others including the verifier. It is. If the verifier finds that the secret information is known to the prover, the verifier recognizes the prover as the principal.

The Fiat-Shamir method, which is a basic algorithm for performing zero knowledge proof, will be described with reference to FIG.

[0007] Let n be a large composite number. A composite number is a non-prime integer. Therefore, it can be represented by a product of prime numbers. The user (A) 12 is a prover and the user (B) 14 is a verifier. And user (B) 14
Is S (secret information, in which the user (A) 12 becomes the next “expression 1”
The user (A) 12 is authenticated by knowing the secret key).

[0008]

(Equation 1)

If n is a product of very large prime numbers, then n
Is known to be difficult to factor.
It is also known that it is difficult to find the square root in Zn if _n cannot be factored. Where Z _n
Is a set of integers from 0 to less than n, {0, 1, 2,..., N-1}. Therefore, it is very difficult to find S from T. Even if T is made public, S can be regarded as secret information.

It is assumed that the user (B) 14 knows T (public information and public key of the user A). First, the user (A) 12 generates a random number r ∈ Z _n (Step 12
1). Next, “Expression 2” is generated and X is sent to the user (B) 14 (step 122).

[0011]

(Equation 2)

The user (B) 14 (step 126) having received X selects b∈ {0,1} at random as an alternative (step 127), and sends b to the user (A) 12 (step 127). Step 128). User (A) 12 who received b
(Step 123) calculates “Equation 3” (Step 1)
24), send Y to user (B) 14 (step 12)
5).

[0013]

(Equation 3)

When b = 0, Y = RS, and the information of S does not leak. When b = 1, Y = RS. However, since it is difficult to obtain R, it is also difficult to obtain S.

The user (B) 14 receiving Y
(Step 129) verifies whether “Equation 4” holds (Step 130).

[0016]

(Equation 4)

If the above is one round and this is repeated k times (k rounds), if the user (A) 12 does not know S, the probability that the user (A) 12 can clear the verification is represented by "Equation 5". Become. That is, the user (A) 12 has k
The probability of being correctly authenticated after the round is “Equation 6”. Therefore, when the authentication is performed at a sufficiently large k, the user (B) 14 replaces the user (A) 12 with the user (A) 12.
You may admit that you are yourself.

[0018]

(Equation 5)

[0019]

(Equation 6)

In the above description, the user (B) 14 only authenticates the user (A) 12. However, when the user (A) 12 authenticates the user (B) 14, an operation symmetrical to the above is performed. Just do it. In this way, communicating parties can authenticate each other.

The second problem is the security of the information to be transmitted. A person other than the communication party can steal (eavesdrop) the contents of the message on the network. Thus, it is necessary to encrypt the message, which requires an encryption key. An encryption key is also required for generating and verifying a message authenticator.

The public key distribution method is a method for sharing an encryption key using a public key, and using this method, an encryption key can be generated via an insecure communication path.

A specific algorithm for sharing an encryption key is the Diffie-Hellman public key distribution method. This D
Figure 1 shows a method of delivering an encryption key (hereinafter referred to as a session key) using the iffie-Hellman public key delivery method.
3 will be described.

First, p is a prime number, and a fixed primitive root having a finite field GF (p) is g. The finite field GF is a finite set in which the algebraic system GF is a finite set, elements of GF form an additive commutative group, elements excluding 0 from GF form a multiplicative commutative group, and G
If the element of F is a distribution law (ie, x, y, z∈GF, x · (y + z) = x · y + x · z and (y + z) · x
= Y · x + z · x holds). The primitive root g is g (∈GF) in which the minimum positive integer k that becomes “Equation 7” is p−1, where the unit element of GF is 1. p and g are open to all users in advance,
This is the public key.

[0025]

(Equation 7)

A method for sharing the session key between the user (A) 12 and the user (B) 14 will be described. User (A) 1
2 randomly selects X ₁ ∈Z _{p -1} and keeps it secret (step 131). Similarly, the user (B) 14 randomly selects an integer X ₂ ∈Z _p−1 and keeps it secret (step 136). Then, the user (A) 12 obtains “Equation 8”
The calculated (step 132), and sends the Y ₁ to the user (B) 14 (step 133). Similarly, the user (B) 14
Calculate the "Number 9" (Step 137), and sends the Y ₂ to the user (A) 12 (step 138).

[0027]

(Equation 8)

[0028]

(Equation 9)

After exchanging Y ₁ and Y ₂ (steps 134 and 139), a session key K is generated as follows. The user (A) 12
"Equation 10" is calculated and used as the session key (step 1
35). Similarly, the user (B) 14 also calculates “Equation 11” and uses it as a session key (step 140).

Using the session key K, the user (A) 12 and the user (B) 14 can communicate with each other by using mutually encrypted messages.

[0031]

(Equation 10)

[0032]

[Equation 11]

The present invention also partially applies the Diffie-Hellman public key distribution method.

[0034]

When performing authentication by the Fiat-Shamir method, the verifier must know "Equation 12" for each prover.

[0035]

(Equation 12)

T is normally meaningless to the user,
It is a number with a large number of digits (for example, 512 bits or hundreds or thousands of digits). Therefore, management information of T, that is, a table of each prover (user) and its public information T (hereinafter, referred to as a table) is used in the system. Must be incorporated into However, countermeasures against forgery and falsification must be applied to the table, and maintenance and management are difficult.

Therefore, if T is set to a value that can be easily remembered by a human, such as a user ID, a user name, an address, a street name, or a machine name, it is not necessary to use a table as long as the user can store the table. In this way, even when a table is used, its structure and element (T) are meaningful, so that it is easy to create, and since T is easy for the user to remember, it is assumed that the table has been forged or falsified. However, it is easy for the user to notice it. Even if the table is lost, the data can be easily recovered. As described above, if T is easy for the user to understand, various advantages occur for the operation of the system, and the user can easily use the system.

However, in the Fiat-Shamir method, if it is attempted to make T easy to understand, it is very difficult to generate a secret key S from T (if this is possible, the usefulness of this method will be lost). T cannot be easily understood information. Therefore, T must be a meaningless word (square of the user's secret key) for the user, and a table is absolutely necessary. Therefore, there is a problem that the cost of table management (delivery, counterfeiting, falsification prevention, etc.) is large.

According to the present invention, the public key T referred to in the Fiat-Shamir method is easy for the user to understand, and it is easy for the center (the place responsible for authentication) to create the secret key S from the public key T. , An outsider (an attacker against the system) uses public key T
It is an object of the present invention to provide an ID-based authentication and key distribution method that makes it difficult to obtain the secret key S from the public domain, and that the management of the table of the public key T is unnecessary or simple, and the system can be easily operated. is there.

[0040]

In order to achieve the above object, an ID-based authentication / key distribution method according to the present invention is provided. In the ID-based authentication and key distribution method for generating an encryption key shared by all clients and encrypting and communicating a message using the encryption key, each client is provided with U raised to the power of d = S, S e Power = (U of d
To the power of e = U (where e · d = 1 (mod L), (p−1) · (q−1) =
mod L, p and q are prime numbers) public key U and secret key S
, And mutual authentication and generation of an encryption key are performed.

By making the relationship of U raised to the power d = S, even if a user ID, address, device name, or the like that can be easily remembered by the user is used as the public key U, the public key is simply raised to the power d.
The secret key S can be easily created at a key distribution center or the like.

For the authentication, the Fiat-Shamir method is applied.
This is performed by replacing "S raised to the power of b" described in "2" with "S raised to the power of e". Further, the encryption key is generated by partially applying the Diffie-Hellman public key distribution method.

[0043]

Embodiments of the present invention will be described below in detail with reference to the drawings.

First, the entities of the system to which the present invention is applied include at least a center (or a program) responsible for authentication and key distribution, and at least a user who uses the system. Authentication and key distribution are performed between users. An example is a client / server system (CSS system)
Clients and servers, mobile terminals and hosts, information service centers and their users, and the like. Of course, there is also a case where it is performed between the user and the center.

First, the center performs the following operations. First,
Generate large prime numbers, p and q (both 256 bits or more). It is assumed that n = p × q and L = 1 cm (p−1, q−1). . Here, lcm (p-1, q-1) is p-1 and q
Least common multiple of -1. e and d satisfying e × d = 1 (mod L) are obtained. Let m be a prime number less than or equal to n, and g be the primitive root of the finite field GF (m).

Further, the center assigns "Equation 13" to each user U.
Distribute. Here, the subscript U is the index of the user, and is represented by “Equation 14”.

[0047]

(Equation 13)

[0048]

[Equation 14]

S _U is the secret key of user U. U _U is a unique name such as a user ID or a machine name related to the user U that is easy for the user to remember, and is a public key of the user U. Authentication is carried out on whether or not the user U knows the S _U.

The above information generated by the center can be classified as shown in FIG. 1 if communication is performed within a certain group.

The groups share information as indicated by reference numeral 100. The public information in the group is 10
1, m, n, g, e, U _U , U _V. Here, U _* is the public key of user *. The secret information of the center is represented by p, q, d, S _*.
... etc. S _* is a secret key of the user *, and is distributed only to the user * so as not to be known to anyone other than the user * (code 1
05 and 106). The information (private key) which the user U owns and keeps secret is denoted by reference numeral 103.
It is S _U as shown by. If this personal information is leaked, another person can impersonate the user U, so care must be taken.

Next, let i be the number of trials of authentication. Initially, k _U0 = 1 and R _U0 = 0 (hereinafter, the right side of the index is the number of trials). k _Ui and R _Ui are variables for generating a session key.

In the following description, there are three types of session key generation methods (type a, type b, and type, respectively).
ec). The generation method first selects an appropriate type, and the prover and the verifier use the type from the beginning to the end of authentication. The system does not need to implement all types, and it is sufficient that at least one of them is implemented. k _Ui is used for all types, but R _Ui is only used for type c.

FIG. 2 shows the overall flow of the algorithm of the present invention.
And will be described below. Here, user A and user B
Consider that they authenticate each other and deliver information needed to generate a session key.

First, a session key generation method is selected (step 201). As mentioned above, the generation method is 3
Since one is prepared, select one and use that one until the procedure is completed.

Next, user B authenticates user A (step 202). Further, user A authenticates user B (step 203). In steps 202 and 203, work for generating a session key is also performed in parallel. Further, in step 204, it is determined whether or not to continue the authentication work. The authentication is terminated after repeating an appropriate number of times.

Finally, a session key is generated with each other (step 205), and the procedure of authentication and key distribution ends (step 206).

Step 202 of FIG. 2 will be described in detail with reference to FIG.

First, the user A generates r _1i ∈Z _m-1 (step 301). Further, “Equation 15” is calculated (Step 302), and “Equation 16” is calculated (Step 303). Then, _X1i is transmitted to the user B (step 304).

[0060]

(Equation 15)

[0061]

(Equation 16)

User B receives X _1i from user A (step 311. User B also receives a random number r _2i ∈Z
_m-1 and check bits b _1i ∈ {0,1} are randomly generated (step 312). Then, “Expression 17” is calculated (Step 313), and “Expression 18” is further calculated (Step 3).
14). Next, X _2i and b _1i are sent to user A (step 315).

[0063]

[Equation 17]

[0064]

(Equation 18)

User A receives X _2i and b _1i from user B (step 305). Further, the user A randomly generates the check bits b _2i ∈ {0,1} (step 30).
6), "Equation 19" is calculated (step 307). Then, Y _1i and check bit b _2i are sent to user B (step 308).

[0066]

[Equation 19]

User B receives Y _1i and check bit b _2i from user A (step 316). Next, "Equation 2
It is confirmed that it is "0" (step 317). Here, U1 of “Equation 20” corresponds to the public key of the user A, and S1 corresponds to the secret key of the user A.

[0068]

(Equation 20)

By the way, when b _1i = 0, “ _Equation 21” is obtained. X _1i has been calculated on Z _m in step 302. This will be used later to generate the session key,
Y _1i when b _1i = 0 is described as “ _Equation 22” for convenience.

[0070]

(Equation 21)

[0071]

(Equation 22)

If “equation 23” and “equation 24” are mod
If they match on n, the authentication is continued (step 318), and if they do not match, the authentication is stopped and a denial notice is sent to user A (step 319). To continue (step 318), refer to FIG.
Move to step 203.

[0073]

(Equation 23)

[0074]

(Equation 24)

The details of step 203 in FIG. 2 will be described with reference to FIG. User B calculates “Equation 25” (step 411), and transmits Y _2i to user A (step 412). Then, the user B performs an operation for generating a session key (step 413).

[0076]

(Equation 25)

More specifically, the calculation is performed according to the procedure shown in FIG. That is, when b _1i = 1 or b _2i = 1, nothing is performed (steps 501 and 502 in FIG. 8). b _1i = b _2i =
At the time of 0, it is as follows. There are three types of session key generation methods ( type a, type b, and type c). First, the type determined to be used in this procedure is selected (step 503). In the case of type a, “equation 26” is calculated (step 504). In the case of type b, “expression 27” is calculated (step 505). ty
In the case of “pe c”, “Expression 28” is calculated (step 50).
6).

[0078]

(Equation 26)

[0079]

[Equation 27]

[0080]

[Equation 28]

Then, R _2i = R _{2, (i-1)} + r _2i (mod (m−
1)) is calculated (step 507).

Referring back to FIG. 4, the user A receives the Y _2i from the user B.
Is received (step 401 in FIG. 4). Next, "number 29"
(Step 402), if “expression 30” matches “expression 31” on mod n, the authentication is continued (step 403). If not, the authentication is stopped and the denial notification is sent to the user. B (step 404).

[0083]

(Equation 29)

[0084]

[Equation 30]

[0085]

(Equation 31)

By the way, when b _2i = 0, “expression 32” is obtained. x _2i is calculated on Z _m in step 313 of FIG. Since this is used later for generating a session key, Y _2i when b _2i = 0 is described as “ _Equation 33” for convenience.

[0087]

(Equation 32)

[0088]

[Equation 33]

To continue (step 403), refer to FIG.
Move to step 204.

Next, the details of step 204 in FIG. 2 will be described in detail with reference to FIG.

User A performs an operation for generating a session key (step 601).

Specifically, as shown in FIG. 8, b _1i = 1
Alternatively, nothing is performed when b _2i = 1 (step 8 in FIG. 8).
02).

However, when b _1i = b _2i = 0, the following is performed. As described above, there are three types of session key generation methods ( type a, type b, and type c). First, a type determined to be used in this procedure is selected (step 803). In the case of type a, “Expression 3
4 ”is calculated (step 804). In the case of type b, “expression 35” is calculated (step 805). type
In the case of ec, “Expression 36” is calculated (step 80)
6).

[0094]

(Equation 34)

[0095]

(Equation 35)

[0096]

[Equation 36]

Then, R _1i = R _{1, (i-1)} + r _1i (mod (m−
1)) is calculated (step 807).

To increase the accuracy of the authentication, the above processing is repeated an appropriate number of times. Then, it is determined whether or not to continue the trial (step 602 in FIG. 6). There are two criteria for the determination in this case. One is whether the authentication accuracy is sufficient. The other is whether or not such a case has been a trial since a useful session key cannot be generated unless b _1i = b _2i = 0. If not, authentication must continue.

If the authentication is to be continued, the process returns to step 202 in FIG. 2 (step 604). If the authentication is to be ended, the process proceeds to step 205 in FIG. 2 (step 603).

Here, the description will proceed assuming that the authentication is normally completed after the trial is repeated k times, and the process proceeds to step 205 in FIG.

FIG. 1 shows the details of step 205 in FIG.
1 will be described in detail.

First, the user A notifies the user B that the authentication has been successfully completed (step 701). User B
Receives the notification of the end of the authentication from the user A (step 7)
11) Then, a notice of termination approval is sent to user A (step 712). User A receives the authentication end notification from user B (step 702).

Here, the user A sends an authentication end notification and the user B acknowledges the end of the authentication. However, if the user B is still unsatisfied with the authentication procedure, the user A is asked to continue the authentication. You can send a notification and let the authentication continue. In that case, the process proceeds to step 301 in FIG.

When sending an authentication end notification from user B,
At step 412 in FIG. 4, the notification is transmitted to the user A together with Y _2i . If the user A agrees with the end, a notice of the end approval is sent to the user B. At this time, it may be before or after the verification of Y _2i (step 402 in FIG. 4).
If it is not done yet, it must send back a continuation notification. In any case, if mutual approval of the authentication is obtained, the user A and the user B respectively generate the session key K _S (steps 703 and 7 in FIG. 7).
13).

Specifically, the user A generates a session key K _{S according} to the procedure shown in FIG. As described above, three types of session key generation methods are prepared. First, a type determined to be used in this procedure is selected (step 901 in FIG. 9).

In the case of type a, “expression 37” is calculated (step 902). In the case of type b, “Expression 3
8 ”(step 903). In the case of type c, “expression 39” is calculated (step 904).

[0107]

(37)

[0108]

(38)

[0109]

[Equation 39]

Here, Π and Σ are products and sums for all cases where b _1i = b _2i = 0.

The user B specifically generates a session key K _{S according} to the procedure shown in FIG. As described above, three types of session key generation methods are prepared. First, a type determined to be used in this procedure is selected (step 1001 in FIG. 10).

In the case of type a, “expression 40” is calculated (step 1002). In the case of type b, “Expression 4
"1" is calculated (step 1003). In the case of type c, “expression 42” is calculated (step 1004).

[0113]

(Equation 40)

[0114]

[Equation 41]

[0115]

(Equation 42)

Here, Π and Σ are products and sums for all cases where b _1i = b _2i = 0.

At this point, the authentication of the user and the delivery of the session key are completed (steps 704 and 714 in FIG. 7).

[0118] Incidentally, r _1i when the b _1i = b _2i = 0 in the above description, but by performing calculation using all the set of r _2i, first and last b _1i = b _2i = 0 In this case, only the combination of r _1i and r _2i may be used. When the set of r _1i and r _2i is one set, type, type b, type
The result of c is the same. Also, r where b _1i = b _2i = 0
_{A set of 1i} and r _2i may be selectively used a certain number of times. That is, r used by user A and user B
_If the pair of _1i and r _2i is the same, the session key may be generated by any combination of r _1i and r _2i .

In the description, the number of random numbers r _1i and r _2i generated by the user for one trial is one, but a plurality of random numbers may be generated. In that case, check bits b _1i ,
b _2i and its responses Y _1i , Y _2i, etc. are also calculated according to the number of random numbers and used for authentication and key distribution.

For example, when the user generates a random number s times, the check bits are simultaneously transmitted by s bits. If correct responses are returned for all the check bits, the probability that an unauthorized user returns a correct response for one authentication procedure is “Equation 43”.

[0121]

[Equation 43]

Further, even when the check bits are transmitted simultaneously with s bits, there is a method of viewing the entire bits as one number.
In this case as well, the probability that an unauthorized user returns a correct response is the above-mentioned “Equation 43”, but there is an advantage that only one random number is used. However, in this method, the probability that the check bit becomes 0 decreases as the number of digits of the check bit increases. Therefore, although authentication can be performed, key distribution may not be performed in reality. However, as described later, when m = n, key distribution can also be performed.

In the above description, m <n.
Even if m = n, basically it does not matter. At this time, g is expressed by “Equation 4
If “4” is a set of integers that are relatively prime to m from 0 to less than m, then g is selected to be a generator of “Equation 44”.
Further, in order to maintain the consistency of the entire algorithm, it is necessary to appropriately change the detailed calculation method. For efficiency, there are some places where it is desirable to make changes.

[0124]

[Equation 44]

For example, when using type c, the algorithm is changed as follows. Now, let the minimum integer that becomes “Equation 45” be k (this is called the order of g). k must be large enough. At this time, r _1i , r _2i ∈Z
_n or r _1i , r _2i ∈Z _k may be used.

[0126]

[Equation 45]

In step 507 of FIG. 5, R _2i = R _{2, (i-1)}
+ R _2i (mod (k-1)). Similarly, step 807 in FIG. 8 is changed to R _1i = R _{1, (i-1)} + r _1i (mod (k-1)). Especially without the k, the step 507 of FIG. 5 R _2i
= R _2, the _{(i-1) + r 2i} , the step 807 of FIG. 8 R _1i =
There is also a method of changing to R1 _{, (i-1)} + _r1i . This method
There is a drawback that R _1i and R _2i become large, but if there are not so many pairs of r _1i and r _2i used for generation in actual operation, there is no problem. This is also true for m <n.

When m = n, the restriction on the session key generation method by the check bits b _1i and b _2i can be removed.
In FIGS. 5 and 8, by using X _1i and X _2i instead of y _1i and y _2i , not only when b _1i = b _2i = 0, but also
The combination of r _1i and r _{2i in} all cases can be used. Therefore, step 501 in FIG. 5 and step 801 in FIG. 8 are not required. This change also changes the finally generated session key, which is shown in FIGS.
In the case of 0, g is changed to “Equation 46”.

[0129]

[Equation 46]

Also, the key distribution can be performed by a method of simultaneously transmitting a plurality of check bits and performing authentication using the check bits as one integer.

[0131]

As is apparent from the above description, according to the ID-based authentication / key distribution method of the present invention, after a pair of clients as communication partners have mutually authenticated each other, the pair of clients has been authenticated. In the ID-based authentication and key distribution method for generating a shared encryption key and encrypting and communicating a message using the encryption key, each client is provided with U raised to the power of d = S, S raised to the power of e = (U d
To the power of e = U (where ed = 1 (mod L)), and a public key U and a secret key S are assigned to perform mutual authentication and generation of an encryption key. By making the relation of the power = S, the user I can easily remember as the public key U
Even if D, address, device name, etc. are used, the public key is d.
Just by riding, the secret key S can be easily created at a key distribution center or the like.

Therefore, as the public information (public key) in the same communication group, information unique to the user or machine (user ID, name, address, street name, machine name, etc.) or a user listed in the dictionary is easily used. Words (geographic words such as rivers, country and city names, person names and constellation names, etc.) can be used. Because these words are easy for users to remember,
A table of public information is not required, or its creation, maintenance, and recovery are facilitated, and the operation and maintenance of the entire system can be facilitated.

[Brief description of the drawings]

FIG. 1 is a classification diagram of parameters used in an embodiment of the present invention.

FIG. 2 is a flowchart showing an overall flow in an embodiment of an authentication / key distribution method to which the present invention is applied.

FIG. 3 is a detailed flowchart of step 202 in FIG. 2;

FIG. 4 is a detailed flowchart of step 203 in FIG. 2;

FIG. 5 is a flowchart illustrating an intermediate process for generating a session key by a user B;

FIG. 6 is a detailed flowchart of step 204 in FIG. 2;

FIG. 7 is a detailed flowchart of step 205 in FIG. 2;

FIG. 8 is a flowchart illustrating an intermediate process for generating a session key by a user A.

FIG. 9 is a flowchart illustrating a final process for generating a session key by a user A.

FIG. 10 is a flowchart illustrating a final process for generating a session key by a user B.

FIG. 11 is a conceptual diagram of a network to which the present invention is applied and its users.

FIG. 12 is a flowchart of the Fiat-Shamir method.

FIG. 13 is a flowchart of a Diffie-Shamir public key distribution method.

[Explanation of symbols]

11 network, 12 user A, 13 user B, 14 user C, 101 information common to the group, 1
02: secret information of the center, 103: secret information of the user U, 104: secret information of the user V.

Claims (1)

[Claims] After a pair of clients as communication partners authenticate each other, an encryption key shared by the pair of clients is generated, and a message is encrypted by using the encryption key to perform communication. ID-based authentication and key distribution method for each client, wherein each client is provided with the power of d = S, the power of S e = (the power of d), the power of e = U (where e · d = 1 ( mod L), (p−1) · (q−1) = mod L, where p and q are prime numbers) assigning a public key U and a secret key S to perform mutual authentication and generation of an encryption key. Characteristic ID-based authentication and key distribution method.