KR20020045680A - An identity escrow method using blind techniques - Google Patents

Abstract

PURPOSE: An identity escrow scheme using a blind method is provided to improve security by using a blind decoding method. CONSTITUTION: A user generates a random value and sends the random value to a law enforcement agency(A1). The law enforcement agency assigns an encoded serial number to the random value of the user and sends the serial number with a message including authentification information to the user(B1). The user generates X used for identity information and blind signature and C used for blind decoding and sends the X and the C to a publisher(A2). The publisher signs the X by using a secret key and sends C2 including signed information and the blind decoding to the law enforcement agency(C1). The law enforcement agency confirms the C2 and sends authentification information to the user(B2). The user encodes the authentification information and sends the encoded authentification information to a service provider(A3). The service provider conforms the user authentification(D1).

Description

An identity escrow method using blind techniques

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an internet user authentication technology, and more particularly, to a method of consigning identity using blind technology that can provide an accurate security to an authorized user on the Internet, but can reveal an accurate identity of a user in case of illegal behavior.

Users on the Internet must prove themselves to access a service provider. Because this personal identification can bring invasion of the user's privacy, the user will want to receive the service without revealing himself, and the service provider will want to provide the service after confirming the user's identity. It is the Identity Escrow Scheme that can satisfy both conditions.

The identity consignment method includes a user who registers his / her exact identity with the issuer and receives the corresponding authentication information, a publisher who stores the user's identity and issues the authentication information, and checks the user's authentication information and provides a service on the Internet. It consists of a provider and a legal agency that, in the event of illegal behavior of the user, cooperates with the issuer in response to the request of the anonymity removal of the service provider.

The identity consignment method is composed of four processes as shown in FIG. First, a system initialization process is performed in which each participating entity (user, issuer, service provider, legal agency) publishes its parameters (public key or public key related information) to initialize the system. On the basis of these published symbols, the user registers in the identity referral method.

The user provides his / her exact identity to the issuer and is provided with authentication information about it. This authentication information is used to anonymously authenticate with the service provider.

The user provides his authentication information to the service provider in order to receive the service. If this is valid authentication information and the user knows the secret information accordingly, the user is anonymously authenticated to the service provider and the service is provided accordingly (step S13).

In order to punish users for illegal activities, the service provider finds out the exact identity by removing the anonymity of the user by providing the authentication information provided by the user to the legal authority. (S14 process)

Due to the nature of the method of identity referral, strong security is required and the requirements for satisfying it are as follows.

① Anonymity of the user must be provided while the user is authenticated by the service provider.

② In case of emergency, it should be possible to remove the anonymity of illegal users with the help of legal agencies.

③ Must not impersonate that the issuer or service provider is a user. In other words, only the user should have a secret value to prove that the authentication information is his or her, and the identity conferencing method must be able to prove it.

4. In order to clarify the various security issues that may arise in case of emergency and their responsibilities, each entity of a member shall clarify their role and authority.

⑤ The removal of anonymity of the user should be executed only with the permission of the legal authority. That is, the issuer or service provider should not know the user's identity only by looking at the user's authentication information.

The identity referral methods introduced so far are those using group signature techniques and zero-knowledge proof techniques, which were proposed in 1998 by Joe Kilian and Erex Petrank.

The method of using group signature technology is controlled by the group manager who oversees the group, which consists of publishers and law enforcement agencies. The group manager can allow new users to join the group and can verify messages signed by the group's organizers. This method may prove that the user is a member of a legitimate group that has maintained anonymity by using a group signature with the service provider. In addition, in case of emergency, the group manager can eliminate the anonymity by checking the signer. However, the weakness of this method is that there is no exact distinction between the issuer and the legal agency, so that the service provider provides the issuer with the value signed by the user to the issuer, thereby removing the anonymity of the user illegally without going through the legal agency. Have weaknesses

The method using zero-knowledge proof technology proves that the user has authentication information using the zero-knowledge proof technology to the service provider during the authentication process. At this time, a trace factor that can remove the anonymity of the user is provided by encrypting it with the public key of the legal institution. In case of emergency, the service provider can remove the anonymity of the user by providing the tracer to the law enforcement agency. However, this method has a security weakness to impersonate a user because the publisher has all the information of the user.

As described above, identity consignment methods using group signature technology and zero-knowledge proof technology have been proposed, but they do not satisfy all the requirements and thus cannot solve the security weakness. Therefore, the design of a more secure identity referral method is required.

An object of the present invention is to provide a service that can be provided by the Internet user in a state where anonymity is guaranteed, the service provider can identify the identity of the illegal user.

Another object of the present invention is to provide an identity consignment method with improved security.

It is another object of the present invention to provide an identity consignment method using blind technology (blind signature, blind decoding).

Another object of the present invention is to blind the contents of the message that the user signs through blind signature technology.

Another object of the present invention is to prevent a third party from impersonating a user without knowing the user's private key.

It is yet another object of the present invention to provide an identity consignment method in which the identity of the user can be known only by the collaboration of the publisher and the legal authority.

Another object of the present invention is to prevent the identity of the user from being revealed by collusion between the publisher and the service provider.

In order to achieve the above object, the present invention provides a first process in which a user generates a random value (r) and transmits it to a legal agency, and a serial number encrypted by a public key of a legal authority by recognizing the random value (r) in a legal agency. A second process of granting an Anonymity Control Number (DN) and transmitting the serial number (DN) to the user with a message (M) containing the authorization information (A), and the user blindly with his identity information Issuer that generates the symbol (X = M * r ^e ) necessary for the blind signature and the symbol (C = (C ₁ , C ₂ ) required for the blind decoding, and hides the message (M). The third process of sending X and C ₂ to the issuer for signature by the publisher, the publisher blindly signing X using the secret key (d), and signing the signed information (M ^d * r) and C ₂ to the law enforcement agency. The fourth process of transmission and the random agency (r) is removed from the data provided by the issuer in the law A fifth process of determining the legitimacy of the identity registration by checking the value (r) and the serial number (DN) in the message (M), and in case of normality, generating authentication information and transmitting it to the user; The sixth process of encrypting the authentication information and C ₂ and transmitting it to the service provider, and the service provider confirms the signature of the issuer and the signature and approval information (A) of the legal authority through the blind decryption process to verify the user's authentication. And a seventh process of confirming.

Another feature of the identity reconciliation method according to the present invention is that the service provider requests the legal authority to remove the anonymity of the user when the user acts illegally to remove the anonymity.

The detailed feature of the identity referencing method according to the present invention is that the anonymity removal process is the first step in which the service provider submits M ^d to the law enforcement agency to request anonymity removal, and if the anonymity removal request is reasonable, at a point formed by a third step of providing a second step and, the identity of the user a publisher on the basis of the serial number (DN) to send to the issuer by extracting the sequence number (DN) from the M ^d to the service provider .

1 is a flowchart illustrating a process of an identity referral method;

2 is a flowchart showing a blind signature technique;

3 is a flowchart showing a blind decoding technique;

4 is a flow chart showing the progress of the identity consignment method using the blind technology according to the present invention,

5 is a flowchart illustrating a process of removing anonymity according to the present invention.

Hereinafter, with reference to the accompanying drawings will be described the identity consignment method according to the present invention. Since the present invention is an identity consignment method using a blind signature technique and a blind decoding technique, the blind signature technique and the blind decoding technique will be described first with reference to FIGS. 2 and 3.

The blind signature technology is the first signature method proposed by D. Chaum in 1982 and is used to provide traceability of electronic cash. Recently, in order to solve the problem of misuse of electronic cash, such as money laundering by criminal groups, a fair blind signature method capable of tracking the identity of an electronic cash user when necessary is proposed.

The blind signature method is performed as shown in FIG. The signature requester creates the following to get the blind signature on the message and passes it to the signer.

X = M * r ^e mod n

Where M is the message to be signed, r is a random value, and e is the signer's public key. (S21 course)

The signer signs X received from the signing requester with his private key as follows and forwards it to the signing requester.

X ^d = (M * r ^e ) ^d = M ^d * r mod n

Where d is the signer's private key. The signer signs the message M without knowing the random value r. (S22 course)

The signature requester receives the signed message from the signer and generates a message from which the random value is removed using the random value r known to the signature requester.

M ^d * r / r = M ^d mod n

That is, the signature requester multiplies the message by a random value so that the signer signs the message as unknown, and the signature requester who knows the random value can see the message signed (step S23).

On the other hand, the blind decoding technique was introduced by S.Micali in 1992, and the basic concept is that the decryptor decrypts the message using its own private key without knowing the contents of the message it decrypted, and the decryption requester is the secret key of the decryptor. This is a way to know the message without knowing. 3 is a flowchart illustrating a general blind decoding technique.

The decoder generates its own key pair P _u = g ^s mod p (s: secret key, P _u : public key) (step S31).

The decoder selects the message to be blinded, generates C = (C ₁ , C ₂ ) and passes C to the decoding requester as follows to perform the blind decoding technique.

C ₁ = g ^r mod p, C ₂ = P _u ^r * M mod p (M: message, r: random value) (S32 process)

The decoding requester generates a random value (a) for blind decoding, calculates X, and passes X to the decoder. The decoder cannot know the random value (a) of the decryption requester and cannot know which message the decryption requester needs to decode.

X = C ₁ ^a mod p (S33 course)

The decoder computes Y = X ^s mod p with its secret key and passes Y to the decryption requester. The decryptor multiplies the X value with its own secret key, so through the difficulty of discrete algebra, the decryptor cannot know the secret key of the decoder. Through this technique, the decryption requester can obtain the message M without the decoder knowing it (step S34).

Since the decryption requester knows a, it computes (Y) ^-a = (C ₁ ^as ) ^-a mod p and extracts the message as follows:

C ₂ / C ₁ ^s = M mod p (S35 course)

The present invention is an identity delegation method based on the blind technology, the process is carried out as shown in the flow chart of FIG. The symbols shown in the process are defined as follows.

P: decimal (p ≥512)

Q: decimal (q | p-1)

N: p * q

G: primitive element on Z _p with order q

E, d: public key (e) and secret key (d) of the issuer's RSA encryption method based on p and q

KP _E, KR _E : Public key (KP _E ) and secret key (KR _E ) of law

KP _S, KR _S : Service provider's public key (KP _S ) and secret key (KR _S )

R: User generated random value

DN: A serial number generated by a legal authority per user and used as a symbol to control anonymity of a user.

A: Acknowledgment information (random bit string) known to all members, indicating that the user has registered for the identity referral method.

M: It is composed of and provided by the legal agency to the user.

X: Symbol for blind signature technology consisting of M * r ^e mod n

C: symbol for blind decoding technique consisting of (C ₁ , C ₂ )

S _x (·): an agreed signature algorithm for signing messages with key X

H (·): agreed hash algorithm to hash message

E _x (·): an agreed encryption algorithm for encrypting messages with key X

D _x (·): A negotiated decryption algorithm for decrypting a message with key X

First, the issuer and the law agency are premised on the preprocessing process of exposing their public key (e, KP _E ) and information corresponding to the public key (n, g) to all components.

The user generates a random value r∈Z _n and transmits it to the legal institution. (A1)

The legal authority recognizes the random value r, gives anonymity control number (hereinafter referred to as serial number) (DN) encrypted with the public key of the legal authority, and the message (M) including the authorization information (A) and Send the serial number (DN) to the user. The random value r is used to confirm that the user properly uses the message M provided to the user. And the serial number (DN) is an anonymity controller code provided to the issuer when anonymity is removed. Since the anonymity controller code is encrypted with the public key of the legal authority, anonymity can be removed only with the permission of the legal authority.

M = , DN. … … … (B1)

The user creates X for the blind signature technique and C for the blind decryption technique, hiding M to be signed by the issuer.

X = M * r ^e mod n, C = (C ₁ , C ₂ ). … … … (A2)

In order to register their identity information and receive authentication information, DN, X, identity information, and C ₂ are sent to the issuer.

The issuer blindly signs X provided by the user using the secret key (d) without knowing M. The issuer cannot know the information of M because the issuer does not know the user's random value r. The issuer has a serial number (DN) and identity information corresponding to each user. In the process of anonymity removal, if a lawyer provides a serial number (DN), it will reveal its identity information. After the blind signature is issued, the issuer sends the signature information (M ^d r) and C ₂ necessary for the decoding technique.

X ^d = (M * r ^e ) ^d = M ^d * r mod n. … … … (C1)

The legal authority removes the random value r from the M ^d * r provided by the issuer and determines the validity of the identity registration by checking the random value r and the serial number DN. If the random value (r) and the serial number (DN) do not match, it starts over from the beginning of the identity registration process. Normally, authentication information is generated and sent to the user. The authentication information is authentication information used for the user to be authenticated by the service provider. This authentication information allows the user to authenticate anonymously to the service provider during the authentication process.

Authentication information = C ₂ * M ^d , … … … … (B2)

The user encrypts the authentication information and the blind decryption symbol (C ₁ ) provided by the legal authority to the service provider in order to receive the service anonymously from the service provider.

[C_1, authentication information]. … … … (A3)

The service provider goes through the blind decryption process to obtain M ^d and verify the signatures of the issuer and the law enforcement agency. Then verify A to authenticate the user. The secret key (r: symbol used for blind decoding technology) constituting C1 and C2 is known only by the user, so no one can impersonate the user, and there is no information in M that can identify the user. Cannot identify the user.

(M ^d ) ^e mod n (confirm signature of issuer)

((H (C ₂ * M ^d )) (Signed by Legal Authority)

A Verification. … … … (D1)

If the user acts illegally, the service provider submits M ^d to the law enforcement agency to remove the user's anonymity. The law enforcement agency examines the service provider's request and extracts the serial number (DN) from M ^d if appropriate.

= DN

The legal authority sends the serial number (DN) to the issuer to identify the user, and the issuer extracts and discloses the identity of the user corresponding to the serial number (DN) so that the service provider can take legal action through the disclosed identity. Can be.

The technical spirit of the present invention has been described above with reference to the accompanying drawings. In addition, it is obvious that any person skilled in the art may make various modifications and imitations without departing from the scope of the technical idea of the present invention.

As described above, the present invention proposes a new identity referencing method using blind technology to solve the security problems of identity referencing methods using existing group signature and zero-knowledge proof technology. The convenience of users has been increased due to the development of communication networks such as the Internet, but the security threats are also increasing. To address these threats, various cryptographic technologies have been introduced, and many cryptographic products adopting these technologies have been developed and used. Therefore, when developing a cryptographic technology or cryptographic product to which the present invention is applied, it will enable more secure commerce and information exchange on the Internet.

Claims (4)

A first step in which a user generates a random value r and transmits it to a legal institution; The legal agency recognizes the random value r, assigns a serial number (anonymity control number) (DN) encrypted with the public key of the legal authority, and the serial number together with the message (M) containing the authorization information (A). A second process of sending (DN) to the user, A third step in which a user generates an X necessary for his identity information and a blind signature, and a C necessary for a blind decoding technology, and transmits the M to a publisher having hidden M; The fourth process of the issuer blindly signing X using the secret key (d) and transmitting the signed information and C ₂ necessary for the decryption technique to the law enforcement agency, The legal agency removes the random value (r) from the data provided by the issuer, determines the validity of the identity registration by checking the random value (r) and the serial number (DN), and generates authentication information in normal cases and sends it to the user. The fifth process, A sixth process in which the user encrypts the authentication information using the service provider's public key and transmits the authentication information to the service provider; And a seventh step of the service provider confirming the user's certification by checking the signature of the issuer and the signature and approval information (A) of the issuer through the blind decryption process. The method of claim 1; And a process of removing anonymity by a service provider requesting a legal authority to remove the anonymity of a user when the user acts illegally. The method of claim 2; The anonymity removal process, The first step, where the service provider submits M ^d to law enforcement to request anonymity removal; A second step of extracting a serial number (DN) from the M ^d and sending it to the issuer if it is determined that the anonymity removal request is valid; Method of entrusting identity using blind technology, characterized in that the issuer is made through a third step of providing the service provider with the identity information of the user based on the serial number (DN). The method of claim 1; And the signature of the issuer and the legal authority is included in the authentication information in the fifth process.