JP2001119387A - Key depositing device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To facilitate the change of a deposited cryptographic key in a star- shaped cipher communication system and to disable cipher communication without depositing the cryptographic key. SOLUTION: Master terminal equipment 3 generates a cryptographic key for cipher communication with slave terminal equipment 4 through a base station 2 and distributes it to the base station 2 and the slave terminal equipment 4. The cryptographic key is deposited from the master terminal equipment 3 to a deposit center 1. The deposit center 1 generates managing information from the cryptographic key and applies it to the base station 2. The base station 2 converts communication information to be repeated on the basis of the correspondent managing information. Since terminal equipment 3 and 4 are disabled in deciphering of received enciphered sentences without depositing the cryptographic keys, normal communication is disabled. When it is necessary to change the cryptographic key, the key can be freely changed and deposited online from the master terminal equipment 3.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a key escrow apparatus, and more particularly to a key escrow apparatus that makes it difficult to communicate when an encryption key is not escrowed.

[0002]

2. Description of the Related Art In many countries, it has been considered in many countries that laws and regulations restrict compulsory escrow of cryptographic keys so that cryptographic communication technologies are not used for serious crimes such as terrorism and drug trafficking. In other words, when it is found that the key has been used for a serious crime, a court warrant obtains an encryption key from an encryption key depository (hereinafter referred to as "the depository center") and attempts to intercept the communication.

A well-known key escrow device is the American clipper chip. In the clipper chip, by attaching a special encryption LSI to all communication devices,
An attempt is made to deposit an encryption key.

On the other hand, in a system for performing group communication with a large number of terminals by simultaneous command of wireless communication, when a terminal is lost, it is necessary to change an encryption key so that the lost terminal cannot receive the key.

[0005]

However, even if the above-mentioned clipper chip is forcibly attached in accordance with the law, it cannot physically disable communication when it is not attached. is there. In addition, when changing the encryption key, a clipper chip is ordered to change the encryption key of each terminal, so that there is a problem that it takes too much time and effort.

SUMMARY OF THE INVENTION It is an object of the present invention to solve the above-mentioned conventional problems and to make it possible to easily change a deposited encryption key and to make it impossible to perform encrypted communication without depositing the encryption key.

[0007]

According to the present invention, there is provided a key terminal of a key escrow device of a communication system including a deposit center, a base station, a parent terminal, and a child terminal. Means for generating an encryption key, means for distributing the encryption key to child terminals, means for depositing the encryption key to the trust center, means for encrypting / decrypting application information with the encryption key using a one-way function. A deposit center, storage means for the deposited encryption key, means for generating management information using the deposited encryption key, and means for providing the management information to the base station, Means for converting the encrypted application information to be relayed with management information using a one-way function, wherein the child terminal uses a one-way function to encrypt the application information with an encryption key;
Means for receiving and decoding the application information converted by the management information.

[0008] With this configuration, when the encryption key is not deposited, the communication can not be performed physically at the relaying base station or the like, and the encryption key can be deposited, and the encryption key can be deposited online. It is possible to change an encryption key in a short time and deposit a new encryption key after the change online.

[0009]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, embodiments of the present invention will be described in detail with reference to FIGS.

(First Embodiment) In a first embodiment of the present invention, an encryption key is generated at a master terminal, distributed to a slave terminal, and deposited at a deposit center. The management information is generated from the encrypted encryption key and given to the base station. The base station converts the encrypted application information with the management information and relays the information. The terminal normally operates only when the encryption key is properly deposited. This is a key escrow apparatus that can receive / decrypt application information.

FIG. 1 is a configuration diagram of a communication system to which a key escrow device according to a first embodiment of the present invention is applied. This is a star-type wireless communication system including a deposit center, a base station, and a plurality of terminals. In FIG. 1, a deposit center 1 is a deposit destination of an encryption key such as a government agency or a third party that can keep the encryption key secret. The deposited encryption key stored in the deposit center 1 is to be kept secret. In the following description, the deposit center 1
Refers to the equipment at the deposit center.

The base station 2 is a base station for wireless communication. A high antenna and a high output transmission circuit are provided to relay communication between terminals so that communication between terminals can be performed smoothly.
It has a function to physically block communication for which an encryption key is not deposited. The base station 2 is freely installed by a private company. Although the information in the base station 2 is managed in good faith, there is a possibility that it will be leaked to a third party when an illegal operation is performed. Although the present embodiment has been described as a wireless communication base station, any device that can be used for communication, such as a telephone local exchange, a mobile phone base station, or an access point device of an Internet provider, may be used.

The slave terminal 4 is an ordinary wireless terminal. There are many terminals. The parent terminal 3 has a function of changing the encryption key in addition to the function of the child terminal 4. In a communication system as a whole, there are a plurality of parent terminals. Base station 2
There are wireless transmission paths between the base station 3 and the base station 2 and between the base station 2 and the child terminal 4. In this transmission path, there is a risk of eavesdropping, and the secret is protected by encryption. There is also a transmission path between the deposit center 1 and the base station 2. This transmission path is a wired transmission path.

FIG. 2 is a functional block diagram of the key escrow apparatus according to the first embodiment of the present invention. In FIG.
The deposit center 1 has a calculation unit 11, a memory 12, a random number generator 1
3, consisting of a key output 19 and the like. The calculation unit 11 is for storing the key sent from the parent terminal 3 for deposit in the memory 12 or for generating management information to be given to the base station 2 by calculation. Constitute.

The memory 12 stores all encryption keys sent from the parent terminal 3 for deposit, and stores a large number of encryption keys used in the entire communication system. The random number generator 13 is a device that generates a random number. As an example of the random number generator 13, there is a method of generating a random number by a random number generator based on the principle that thermal noise is generated randomly. Further, a pseudo-random number may be mathematically generated by a microcomputer. Key output 19, at the time of forced execution,
A device that outputs an encryption key.

The base station 2 includes a conversion unit 21 and the like. The conversion unit 21 is a device that converts (calculates) the encrypted application information to be relayed based on the management information given from the deposit center, and is usually configured by a microcomputer.

The parent terminal 3 comprises an encryption unit 31, a memory 32, a key generator 33, an input / output 39, and the like. Encryption unit 31
Receives the application information from the input / output 39, encrypts it, and sends it to the slave terminal 4 via the base station 2, or decrypts the application information received from the slave terminal 4 via the base station 2, When outputting to 39 or further generating / changing an encryption key, it generates an encryption key, sends the encryption key to the trust center via the base station 2, and distributes the encryption key to the child terminal 4. And is usually constituted by a microcomputer.

The memory 32 is a storage element for storing the encryption key generated by the key generator 33, and stores a plurality of encryption keys when communicating in a plurality of groups. Key generator 33
Is a device that generates an encryption key satisfying specific conditions,
Usually, it is constituted by a microcomputer. It uses a random number generator based on the principle that thermal noise is generated randomly, and uses a method of selecting an appropriate number as an encryption key from the random number or calculating the random number to obtain an encryption key. Good. The input / output 39 inputs and outputs application information to be transmitted and received.
There are images / videos. All are input and output as digital signals.

The child terminal 4 comprises an encryption unit 41, a memory 42, an input / output 49 and the like. The encryption unit 41 decrypts application information received from another terminal 4 via the base station 2 and outputs the decrypted application information to the input / output 49. Further, it receives the application information from the input / output 49, encrypts the application information, and transmits the encrypted information to another slave terminal 4 via the base station 2. Usually, it is constituted by a microcomputer.

The memory 42 is a storage element for storing an encryption key sent from the master terminal 3, and stores a plurality of encryption keys when communicating with a plurality of groups. The input / output 49 is for inputting / outputting application information to be transmitted / received, and the types of information include voice, character, image / video, and the like. All are input and output as digital signals.

The operation of the key escrow apparatus according to the first embodiment of the present invention configured as described above will be described. First, an outline of a method of transmitting and receiving application information will be described with reference to FIG. Child terminal 4 (or parent terminal 3)
Encrypts the application information and transmits it to another child terminal 4 (or parent terminal 3) via the base station 2.
The terminal 4 (or the parent terminal 3) that has received the decrypted ciphertext obtains plaintext application information. Since the communication is wireless communication, a plurality of child terminals 4 on the receiving side may be provided. During this time, the base station 2 converts the relayed application information based on the management information given from the deposit center 1. Details of the conversion will be described later. Therefore, when the encryption key is not properly deposited, the received encrypted text cannot be decrypted.

When changing the encryption key, the parent terminal 3
An encryption key is generated and transmitted to the child terminal 4 via the base station 2 and also transmitted to the deposit center 1 via the base station 2. In the process of key escrow and key distribution, it is assumed that the key is encrypted and the encryption key does not leak to third parties including the base station.

Second, an encryption key generation method and an encryption / decryption method will be described. The parent terminal 3 that generates the encryption key generates the encryption keys e, d, and p, stores them in its own memory 32, and sends it to the deposit center secretly and deposits it in the memory 12. In addition, another child terminal 4 (there may be more than one)
The secret keys e, d, and p are secretly transmitted and stored in the memory 42. Here, p is a sufficiently large prime number, e and d are sufficiently large integers, and e and d are
Let p-1 be a prime number. That is, a sufficiently large integer e, d, p such that GCD (e, p-1) = 1 and GCD (d, p-1) = 1 is selected. GCD means greatest common divisor. As described later, e and d are preferably prime numbers. Sufficiently large refers to a size that makes decoding difficult.

When transmitting application information,
The child terminal 4 (or the parent terminal 3) on the transmission side generates the ciphertext C from the plaintext M by calculation in the encryption process C = M ^e mod p and sends it to the base station for relaying. Note that M <p. The above equation means that the remainder obtained by dividing the integer M raised to the power e by the prime number p is C. In the representation of number theory, C or ^Me
mod p is a remainder of M ^e related to the law p.

On the other hand, the deposit center 1 provides the base station 2 with management information F (an integer, as will be described later) and p obtained by a computation method described later from the deposited encryption key.

The base station 2 transmits the encrypted application information C transmitted from the terminal for relay retransmission.
Is converted by the calculation formula C ₁ = C ^F mod p, and C ₁ is sent to the child terminal 4 (or the parent terminal 3) on the receiving side.

The child terminal 4 (or the parent terminal 3) receives the encrypted and converted application information and decrypts it by calculating M = C ₁ ^d mod p.

In generating the management information, the deposit center 1
Generates a random number f at random, and obtains integers a and b satisfying e × d × f × b = (p−1) × a + 1. Further, F is obtained by calculation of F = f × b. It is well known that when there are integers x and y which are relatively prime, there are a and b satisfying ax + by = 1, and there is a method of obtaining a and b by the extended Euclidean algorithm. See, for example, Shinichi Ikeno and Kenji Koyama, "Modern Cryptography Theory," IEICE, pp. 17-18.

From the mathematical viewpoint of the encryption calculation of the transmitting terminal, the conversion calculation of the base station, and the decryption calculation of the receiving terminal, (((M ^e mod p) ^F mod p) ^d mod p) = M ^{e × F × d} mod p = M ^{e × f × b × d} mod p = M ^{(p-1) × a + 1} mod p = M (∵M ^(p-1) mod p = 1) . The last calculation is Fermat's little theorem (eg,
Shinichi Ikeno and Kenji Koyama, "Modern Cryptography Theory", published by IEICE, p. 242).

Since e and d are symmetrical, they can be encrypted / decrypted in the same manner by encrypting with e and decrypting with d, or encrypting with d and decrypting with e. That is, the child terminal 4 can use the encryption key d for both reception and transmission, and the parent terminal 3 can use the encryption key e for both reception and transmission. Further, since e and d can be freely selected, it is possible to set e and d to numbers having the same number of digits, so that there is no difference in security regardless of which one is used for decoding.

Third, the operation of the key escrow apparatus shown in FIG. 2 will be described. When the encryption key is generated and distributed, the parent terminal 3
Generates the encryption keys e, d, and p and sends them to the trust center 1 in secret, and distributes the encryption keys e, d, and p to the child terminal 4 in secret. When the child terminal 4 has a function of receiving only, the distribution of e may be omitted. In addition, the deposit center 1 that has received the deposit requests the management information F in the manner described above, and transmits F and p to the base station 2 secretly.

The method of secretly sending to the deposit center 1 is outside the scope of the present invention, but as a well-known method, the public key of the public key cryptosystem is sent from the deposit center 1 to the parent terminal 3, and There is a method in which the terminal 3 encrypts with the public key and sends the entrusted encryption key to the entrustment center 1. Child terminal 4
The method of secretly delivering to is also out of the scope of the present invention,
As an example, there is a method using an encryption method for transmitting application information according to the present invention.

In transmission of application information,
The child terminal 4 on the transmitting side encrypts the input application information with C = M ^e mod p and sends it to the base station 2. The base station 2 converts the received application information according to C ₁ = C ^F mod p and sends it to the slave terminal 4 on the receiving side. The child terminal 4 on the receiving side decodes the received application information into plaintext with M = C ₁ ^d mod p and outputs it. In this case, if e and d are not the predetermined numbers corresponding to F, decoding cannot be performed. That is, if the deposit is not correctly made, the encrypted application information cannot be decrypted.

At the time of forced execution, the enforcement officer obtains the encryption keys e, d, p, and F at the deposit center 1, intercepts the communication at the base station 2 and the like, and calculates the base station 2 and the terminal. In a way, it decrypts the intercepted communication. When the transmitting side of the terminal intercepts, d 'that satisfies e × d ′ = (p−1) × a + 1 is obtained, and then the intercepted communication is decoded with M = C ^{d ′} mod p.

Fourth, security will be described. Since no encryption key is disclosed to a third party, there is only a method of obtaining and analyzing a large number of ciphertexts (a method generally called a known ciphertext attack), and deciphering the encrypted application information Hard to do.

There is a possibility that the base station or a person concerned with the base station can obtain p and F as a part of the encryption key. Even if p and F are obtained, e and d cannot be mathematically determined from p and F because e and d are determined independently of p and F. Further, even if knowing p, when p is sufficiently large number, be analyzed to obtain the calculated value C of a few ciphertext M ^e mod p, it is difficult to calculate back the M.

A method of partially changing the encryption key at the parent terminal in order to easily recover security when the terminal is lost will be described. The parent terminal 3 uses the encryption keys e, d, p
Is generated and distributed. When the encryption key is dynamically changed, even if all three parameters of the encryption key are not changed at the same time, the confidentiality of the communication can be considerably protected. That is, there are a case where only e is changed, a case where only d is changed, a case where only p is changed, a case where e and d are changed, a case where d and p are changed, and a case where p and e are changed. Since the parameters e, d, and p are highly independent (the values can be selected independently of other parameters), when the encryption key is decrypted by a third party, only the value of one parameter is changed, and the original security is maintained. It is possible to recover from the nature to a device that does not extremely reduce safety. By making a partial change, the amount of information transferred when the encryption key is changed can be reduced, and the information transfer time can be reduced.

Fifth, the amount of calculation will be described. There is a well-known RSA encryption method as an encryption method using Fermat's theorem. Currently 512-bit keys are recommended,
It is said that longer keys are needed in the future. However, the present invention is not related to the difficulty of factoring large numbers like the RSA encryption, and is essentially a secret key cryptosystem, so that a key having a shorter bit length than the 512-bit key of the RSA encryption is used. Safe to use. Therefore, encryption and decryption can be performed with a smaller amount of calculation than RSA encryption.

Since d can be determined arbitrarily, the amount of calculation in the terminal can be predicted in advance. Further, when the number of digits of d is determined in the design, there is an advantage that security and the amount of calculation of the terminal can be traded off.

Sixth, measures against misconception and countermeasures will be described. For the master terminal, there may be a fraud that does not deposit the encryption key, and a fraud that deposits other information unrelated to communication. Here, this is called deception. If the deposited p is falsified, it cannot be decoded normally on the receiving side. e and d
Is simply deceived into another number, the value of F in the management information changes, so that the receiving side cannot decode normally.

There is a possibility that the parent terminal to be deposited will deposit another encryption key than the encryption key actually used. for that reason,
The deposit center verifies whether the deposited encryption key satisfies predetermined conditions. If p, e, and d specify that they are prime numbers, they are checked by a test. As a result of the test, when it is determined that the deposit is a misconduct, the deposit center gives the base station a number different from the number deposited as p.

It should be noted that even if e, d, and f are not prime numbers, p-
If it is relatively prime to 1, the calculation process of encryption, conversion, and decryption is mathematically established. That is, it is possible to protect the secret of the cipher text, and to prevent a terminal that is not deposited from communicating normally. However, there are various types of numbers that are not prime numbers (synthetic numbers), and it is necessary to consider whether there is a method of deceiving each number.

For example, it is possible to make the key e a product of large prime numbers for the sake of deception. That is, e = e ₁ × e ₂ . e ₁ and e ₂ are large prime numbers. In this case, the formula for calculating the management information is as follows: e × d × f × b = (p−1) × a + 1 e ₁ × e ₂ × d × f × b = (p−1) × a + 1 As can be seen from this equation, the result is the same and can be normally decrypted even if the data is encrypted with e ₁ × e ₂ and decrypted with d, or the data is encrypted with e ₁ and decrypted with e ₂ × d.

The terminal trying to masquerade as e (=
e ₁ × e ₂ ), d, and n are deposited as keys. When actually communicating, the data is encrypted with e ₁ and decrypted with e ₂ × d. Even if the forced execution side intercepts e, e cannot be factored in terms of computational complexity into e ₁ × e ₂ , so it cannot be decoded.

The deposit center counters this misconception by limiting the key to a prime number and performing a verification of the prime number at the time of deposit. By defining that p, e, and d are prime numbers, there is a merit that misconduct can be easily checked.

It is well known that double encryption can falsify key escrow. That is, a message encrypted by another second encryption method is encrypted by the first encryption key in a state where the master terminal deposits the first encryption key and can correctly perform encrypted communication (double encryption). If it is transmitted (encrypted), it can be decrypted correctly on the receiving side, but cannot be decrypted without the encryption key of the second encryption method even if it is forcibly executed. In order to avoid this, it is necessary to add a mechanism that can verify that the application information is not encrypted, but this point is outside the scope of the present invention.

Changing the management information F as a countermeasure against misconception will be described. The parent terminal 3 and the child terminal 4 do not directly know what management information F is used. Since the base station 2 is usually installed and operated by a communication company, the management information F is not easily leaked. It is impossible that the management information F in the base station 2 is stolen and passed to the parent terminal.
However, if a user of the terminal and a person involved in the base station attempt to steal by collusion, it does not necessarily have to be leaked. That is, the user of the terminal illegally transmits the management information F from the base station 2.
May be stolen, and the management information F may be known to be deceived. As a countermeasure against the case where the master terminal steals the management information F, the management information F is changed regularly or irregularly. In this case, the deposit center 1 generates another prime number f, obtains integers a and b that satisfy e × d × f × b = (p−1) × a + 1, and obtains a new F (= f × b). And gives it to the base station 2. When the management information F is changed,
Not only the terminal on the transmitting side but also the terminal on the receiving side cannot know that a change has been made apart from obtaining illegal information.

As described above, in the first embodiment of the present invention, the key escrow device generates an encryption key at the parent terminal, distributes the key to the terminal, and deposits the key with the deposit center. The management information is generated from the deposited encryption key and given to the base station. The base station converts the encrypted application information with the management information and relays the information. The terminal uses only when the encryption key is properly deposited. Since the application information can be normally received / decrypted, communication cannot be physically performed when the encryption key is not deposited, and the encryption key can be deposited. Furthermore, the encryption key can be changed online in a short time, and the new encryption key after the change can be deposited online.

(Second Embodiment) A second embodiment of the present invention is a key escrow apparatus that performs encryption, conversion, and decryption by an operation modulo the product of two prime numbers. Second embodiment of the present invention
The configuration of the key escrow device in the second embodiment is the same as that in the first embodiment.

The operation of the key escrow device according to the second embodiment of the present invention will be described. Parent terminal 3 that generates an encryption key
Generates encryption keys e, d, p, q, and n and generates
At the same time, it is stored in the storage 32 and sent to the deposit center 1 in secret, and deposited in the memory 12. Further, the generated encryption keys e, d, and n are secretly transmitted to the other child terminals 4 and stored in the memory 42. Here, p and q are sufficiently large prime numbers such that p ≠ q, and n is p × q. e and d are sufficiently large integers and are prime numbers relatively to p-1 and q-1. That is, GCD (e, p-1) = 1, GCD (d, p-1) = 1, GCD (e, q-1) = 1, and GCD (d, q-1) = 1 . Preferably, e and d are prime numbers.

When transmitting application information,
The child terminal 4 (or the parent terminal 3) on the transmitting side calculates the ciphertext C from the plaintext M by the encryption process C = M ^e mod n and sends it to the base station. However, it is assumed that M <n.

On the other hand, the deposit center gives the base station 2 management information F and n obtained by a calculation method described later from the deposited encryption key.

The base station 2 converts the encrypted application information C to be relayed and retransmitted from the terminal by C ₁ = C ^F mod n, and transfers the calculated result C ₁ to the slave terminal 4 on the receiving side. send.

The child terminal 4 decrypts the encrypted and converted application information according to M = C ₁ ^d mod p.

In generating the management information F, the deposit center 1 first finds L such that L = LCM ((p−1), (q−1)) from the deposited p and q. This equation means that L is the least common multiple of (p-1) and (q-1). Next, a prime number f is randomly generated. Subsequently, integers a and b satisfying e × d × f × b = L × a + 1 are obtained. Further, F is obtained by calculation of F = f × b.

From the mathematical viewpoint of the encryption calculation of the transmitting terminal, the conversion calculation of the base station, and the decryption calculation of the receiving terminal, (((M ^e mod n) ^F mod n) ^d mod n) = ^{Me × F × d} mod n = ^{Me × f × b × d} mod n = ML ^{× a + 1} mod n = M Regarding M ^{L × a + 1} mod n = M, see, for example, Shinichi Ikeno and Kenji Koyama, “Modern Cryptography Theory”, published by the Institute of Electronics, Information and Communication Engineers, pp. 106-108.

This embodiment is similar to the RSA cryptosystem, but differs from the RSA cryptosystem in that an integer (preferably a prime number) generated in advance is used as d. By selecting d to a numerical value of a desirable size, the security can be increased. Also, RSA does not disclose the encryption key e.
Different from encryption method. Even when a product of three or more prime numbers is used as n, a similar key escrow device can be configured. p ² × q
The product of three or more prime numbers may include the same prime number. The security when the calculation method described here is used is not much different from that of the first embodiment, except for small points.

In general, the one-way function f (u, x), g
When (u, x) and h (u, x) are satisfied and C = f (e, M) C ₁ = g (F, C) M = h (d, C ₁ ), use the function. it can. The one-way function means a function which is relatively easy to determine y by giving u and x, but difficult (computationally impossible) to determine x by giving u and y. .

As described above, in the second embodiment of the present invention, the key escrow apparatus is configured to perform encryption, conversion, and decryption by an operation modulo the product of two prime numbers. Decryption by a person can be made more difficult.

(Third Embodiment) A third embodiment of the present invention is a key escrow apparatus for relaying a part of a cipher text without conversion at a base station. The basic configuration of the key escrow device according to the third embodiment of the present invention is the same as that of the first embodiment.

FIG. 3 is a block diagram of a conversion unit of the key escrow apparatus according to the third embodiment of the present invention. In FIG. 3, switches 27a and 27b are matrix switches for connecting an arbitrary transmission / reception channel and an arbitrary conversion unit or direct communication unit. The direct communication sections 28a and 28b are circuits that pass application information from the terminal without conversion. The conversion units 21a, 21b, 21c are circuits for converting application information from the terminal.

The function of relaying the ciphertext without converting it in the key escrow apparatus according to the third embodiment of the present invention configured as described above will be described. In order to reduce the calculation load of the base station 2 when the deposit center 1 breaks down, the base station 2 can relay some of the communication information without converting the encrypted application information. is there. In this case, the base station relays the packet with information indicating that the conversion has not been performed (the bit may be "1" or "0").

In the case where the conversion is not performed,
The parent terminal 3 obtains an integer b ′ satisfying e × d × b ′ = (p−1) × a + 1, further obtains d ′ (= d × b ′), and uses the child terminal as a decryption key. 4

When the terminals 3 and 4 receive information indicating that the base station 2 has not converted the application information, instead of M = C ₁ ^d mod p, M = C ₁ ^{d '} mod p. Use the formula to decrypt the application information.

FIG. 3 shows a case where the number of converters 21 of the base station 2 is smaller than the number of channels. When there are many terminals,
Originally, conversion units for the number of channels used simultaneously are required. However, since the terminal that has correctly deposited the encryption key does not need to stop the communication, the terminal may communicate directly without passing through the conversion unit 21. In other words, sampling inspections can significantly prevent omissions without having to perform a 100% inspection.

In FIG. 3, the base station 2 has a switch 27
a and 27b, and direct parts 28a and 28b are added. Also, the conversion unit
21 is the same as that described in FIG. 2 except that 21a, 21b, 21
There are three of c. The switches 27a and 27b are matrix switches, and are connected to an arbitrary transmission / reception channel and an arbitrary conversion unit 21a, 21b, 21c or a direct communication unit 28a, 28b on condition that there is no overlapping connection. In FIG. 3, the black circles indicate that they are connected. That is, in FIG.
~ Between direct through portion 28b ~ switch 27b ~ A 'and B ~ switch
27a to the converter 21b and the switches 27b to B 'are connected.

The direct communication sections 28a and 28b pass the encrypted application information sent from the child terminal 4 without conversion, and pass the information (one bit may be used) indicating that the application information has been passed as it is. Add and send.

In FIG. 3, the channel to the child terminal 4 is 5
Despite the presence, there are only three converters 21 and, instead, two direct units 28. When the application information is converted by the conversion unit 21, the parent terminal 3 performs normal encryption / decryption, and when the application information is passed through the direct communication unit 28, the parent terminal 3 performs encryption / decryption in the case of no conversion.

As described above, in the third embodiment of the present invention, the key escrow apparatus is configured to relay the ciphertext without converting part of the ciphertext at the base station, so that the base station provides services. Partial conversion of the communication channel can be performed by a smaller number of conversion units than the number of channels. Furthermore, if a channel to be converted is selected at random, the omission of deposit can be economically prevented.

[0070]

As is apparent from the above description, according to the present invention, an encryption key is generated in a parent terminal of a key escrow device of a communication system including a escrow center, a base station, a parent terminal and a child terminal. Means for distributing the encryption key to the child terminal, means for depositing the encryption key to the deposit center, and means for encrypting / decrypting the application information with the encryption key using a one-way function. The center is provided with storage means for the deposited encryption key, means for generating management information using the deposited encryption key, and means for providing the management information to the base station. Means for converting the application information into management information using a one-way function, wherein the child terminal uses a one-way function to encrypt the application information with an encryption key; Apricot And a means for receiving and decrypting the application information, so that when the deposit is not deposited or the deposit is misleading, the terminal cannot be received normally and the encryption key is dynamically and frequently transmitted. Even when changing, it is possible to obtain the effect that the encryption key can be deposited without omission.

[Brief description of the drawings]

FIG. 1 is a configuration diagram of a communication system to which a key escrow device according to first, second, and third embodiments of the present invention is applied;

FIG. 2 is a functional block diagram of a key escrow device according to the first, second, and third embodiments of the present invention;

FIG. 3 is a functional block diagram of a conversion unit of a key escrow apparatus according to a third embodiment of the present invention.

[Explanation of symbols]

 1 Deposit center 2 Base station 3 Parent terminal 4 Child terminal 11 Calculation unit 12,32,42 Memory 13 Random number generator 19 Key output 21,21a, 21b, 21c Conversion unit 27a, 27b Switch 28a, 28b Direct communication unit 31, 41 Encryption unit 33 Key generator 39,49 Input / output

 ──────────────────────────────────────────────────続 き Continued on the front page F term (reference) 5J104 AA16 EA06 EA16 EA19 FA10 GA01 JA01 JA03 JA27 MA05 NA02 NA11 NA17 NA27 PA01 5K067 AA32 BB02 BB04 EE02 EE10 HH36

Claims (10)

[Claims] 1. A deposit center to which an encryption key is deposited,
A base station that relays communication, a master terminal that performs encryption key generation and communication, and a key escrow device of a communication system including a slave terminal that performs communication, wherein the master terminal includes an encryption key generation unit, Means for distributing the encryption key to the slave terminal, means for depositing the encryption key to the trust center, means for encrypting / decrypting the application information with the encryption key using a one-way function, The deposit center includes storage means for the deposited encryption key, means for generating management information using the deposited encryption key, and means for providing the management information to the base station. Means for converting the encrypted application information to be relayed with the management information using a one-way function, wherein the child terminal encrypts the application information with an encryption key using a one-way function. Means Key escrow apparatus characterized by comprising a means for receiving and decoding the converted application information in the management information. 2. A deposit center to which an encryption key is deposited,
In a key escrow apparatus for a communication system including a base station that relays communication, a master terminal that performs encryption key generation and communication, and a slave terminal that performs communication, the master terminal uses a prime number p and ( means for generating integers e and d which are relatively prime to p-1), means for secretly distributing the p, e, d to the slave terminal using the p, e, d as an encryption key, and means for encrypting the p, e, d Means for confidentially depositing as a key to the deposit center, wherein the deposit center stores means for storing the p, e, and d, means for generating a prime number f, and a formula e × d × f × b = means for obtaining management information F (= f × b) by obtaining integers a and b satisfying (p−1) × a + 1, and providing the management information F and a prime number p to a base station; machine or the parent terminal, a total application information M to enter the formula C = M ^e mod p And comprises means for encrypting the ciphertext C, the base station that relays the ciphertext C is a means for converting calculated by Equation C ₁ = C ^F mod p, the ciphertext to relay to C ₁ The provided or receiving child terminal or parent terminal receives the encrypted / converted application information C _1.
The key escrow apparatus is provided with means for calculating and decrypting with the formula M = C ₁ ^d mod p and outputting the result as plaintext application information. 3. A deposit center to which an encryption key is deposited,
In a key escrow apparatus of a communication system including a base station that relays communication, a master terminal that performs encryption key generation and communication, and a slave terminal that performs communication, the master terminal uses p as an encryption key.
Means for generating prime numbers p and q of ≠ q, generating integers n (= p × q), and generating integers e and d which are relatively prime to (p-1) and (q-1); Means for secretly delivering the e, d, and n as encryption keys to the child terminal;
means for secretly depositing d, p, q, n as an encryption key to a deposit center, wherein the deposit center generates means for storing the e, d, p, q, n and a prime number f Means for calculating the least common multiple L of (p-1) and (q-1), and obtaining the integers a and b satisfying the following equation: ed × d × f × b = L × a + 1 to obtain the management information F (= f × b), and a means for providing management information F and an integer n to the base station. The transmitting child terminal or parent terminal calculates the input application information M by the equation C = M ^e mod n. The base station relaying the ciphertext C includes means for encrypting to the ciphertext C, and the base station calculating the equation C ₁ = C ^F mod n to convert the relayed ciphertext into C ₁ . The child terminal or the parent terminal that has and receives the received encrypted and converted application information C ₁ The key escrow apparatus is provided with means for calculating and decrypting with the formula M = C ₁ ^d mod n and outputting the result as plaintext application information. Wherein said master terminal, three or more prime numbers r ₁ as the encryption key, r _2, · · ·, to generate a r _m, an integer n (= r ₁
× r ₂ × generate _{··· × r m), (r} 1 -1), (r 2 -
1), · · ·, (r _m and means for generating an integer e and d are relatively prime to all -1), wherein e, d, means for distributing the secret to n to the slave terminal as an encryption key And the e,
_{d, r 1, r 2,} ···, and means for deposit in secret r _m, the n to deposit center as an encryption key, said escrow center, the _{e, d, r 1, r} 2, .., R _m , n, a means for generating a prime number f, and (r ₁ −
_{1), (r 2 -1)} , ···, seeking integer a, b satisfying a means for obtaining a least common multiple L, and Equation e × d × f × b = L × a + 1 of the (r _m -1) 4. The key escrow apparatus according to claim 3, further comprising means for obtaining management information F (= f × b) and providing the management information F and an integer n to a base station. 5. The key escrow apparatus according to claim 2, wherein at least one of said e and d is a prime number. 6. The key escrow apparatus according to claim 2, wherein said e and d are prime numbers, and said deposit center is provided with means for verifying that said p, e, d are prime numbers. . 7. The key according to claim 3, wherein said e and d are prime numbers, and said deposit center is provided with means for verifying that said p, q, e, d are prime numbers. Deposit equipment. 8. A method according to claim 2, wherein said depositing center is provided with means for changing said management information F.
4. The key escrow apparatus according to any one of 4. 9. The key escrow apparatus according to claim 2, further comprising means for switching so as not to convert application information relayed by said base station. 10. The apparatus according to claim 2, wherein said master terminal has means for changing / distributing / depositing only a part of the encryption keys e, d and p when changing the encryption key. Key escrow device described.