JP2001268067A - Key recovery method and key management system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a key recovery method that can store a key issued for a user in a recovery possible way and can securely store the key against intrusion by a hacker or an illegal access by a manager itself. SOLUTION: In the key recovery method where 1st key information K used by a user is generated and the 1st key information K is decoded according to a request by the user, a key generating means 11 generating the 1st key information K stores 2nd key information Kg, a key decoding means 16 extracting required information from a key storage means 14 according to a decode request from the user stores 3rd key information Kr, a specific encryption algorithm using the 2nd key information Kg for encryption and using the 3rd key information Kr for decoding is used to generate encrypted key information resulting from using the 2nd key information Kg to encrypt the 1st key information K, the encrypted key information thus generated is transferred from the key generating means 11 to the key storage means 14 and the key storage means stores the encrypted key information.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a key recovery method and a key management system that can be used when managing an encryption key or a signature key used for encrypting and decrypting communication data and stored data on a network, for example. About.

[0002]

2. Description of the Related Art In a company or the like, encryption technology is used to enhance the security of an information system. Document files, databases, and the like are encrypted and stored. It is generally done. In order to access an information system employing such encryption technology, each authorized user must use a key or an electronic signature issued in advance. Therefore, it is necessary for each user to manage the issued key and electronic signature individually so as not to lose or destroy it.

However, there is a possibility that keys may be lost or destroyed due to an operation error of each user or a malfunction of the machine. Further, in the case where a key owner is absent in a company or an unexpected accident occurs in a key owner, the key cannot be used. If your key is lost or destroyed,
Since it becomes impossible to restore information such as a document file or a database which has already been encrypted to the information before encryption, it leads to a great loss. Therefore, it is necessary to configure the system so that the same key as the lost or destroyed key can be reissued to a specific authorized user. That is, in order to reissue a key, key recovery for restoring an already issued key is an important issue.

However, since the key recovery system is easily attacked by an outsider such as a hacker to decrypt confidential company information, it prevents unauthorized persons from obtaining the key. Countermeasures are needed. Several key recovery methods have been proposed as means for recovering keys. These methods can be broadly classified into a key deposit type and a key capsule type. With key escrow type key recovery method,
Keep the key with a trusted third party and retrieve it from the organization during recovery.

In the key recovery method of the key capsule type, key information is attached to a ciphertext. At the time of recovery, the key can be extracted by restoring the attached information using an appropriate function. In order to realize a key escrow type key recovery method, a highly reliable key storage device capable of strictly managing keys in a third party organization is required. Therefore, third parties store keys in tamper-resistant devices,
The key is stored in an encrypted state.

In practice, public keys and passphrases managed by a third party that stores keys are used for key encryption.

[0007]

However, even if a key is encrypted and stored, a third party that manages the key stores the encrypted key and information necessary for decrypting it. For example, if a bad guy such as a hacker enters the third-party management system via a network, or if the third-party administrator himself acts fraudulently, it is stored. Key security cannot always be guaranteed.

[0008] The present invention provides a key recovery method capable of restoring and storing a key issued to a user, and storing the key safely even if a hacker invades or an unauthorized access by an administrator. With the goal.

[0009]

A key recovery method for generating first key information K to be used by a user and restoring the first key information K in accordance with a request from the user. Key recovery means for storing the second key information Kg in a key generation means for generating the first key information K, and extracting necessary information from predetermined key storage means in accordance with a recovery request from a user Means for storing third key information Kr, using a specific encryption algorithm using the second key information Kg for encryption, and using the third key information Kr for decryption, Generating key information by encrypting key information K using second key information Kg, transferring the generated key information from the key generation means to the key storage means, Characterized in that the encryption key information is stored in the storage device.

In the first aspect, the key generation means, the key storage means, and the key restoration means can be realized as hardware independent of each other or as software independent of each other. For example, when the user loses the first key information K already issued to the user, the first key information K
Need to restore the same information. In the case of claim 1, by encrypting the first key information K with the second key information Kg and decrypting the encrypted key information using the third key information Kr, the original first key information K is decrypted. Key information K can be obtained.

However, the encryption key information is stored in the key storage means, and the third key information Kr is stored in the key recovery means. As long as there is no access, even if a hacker or an internal administrator has illegally accessed either the key storage means or the key recovery means, the possibility of recovering the original first key information K is extremely small. Become.

According to a second aspect of the present invention, in the key recovery method of the first aspect, when a recovery request from a user is input to the key recovery unit, the key recovery unit extracts encryption key information from the key storage unit, The third key information K held by the restoration means
It is characterized in that the encryption key information is decrypted using r and the first key information K is restored. In the second aspect, since the key restoring unit performs extraction of the encryption key information from the key storage unit and decryption of the encryption key information, the user obtains the first key information K again from the key restoration unit. be able to.

According to a third aspect of the present invention, in the key recovery method of the first or second aspect, the second key information Kg and the third key information Kr are the same, and a common key cryptosystem is used as an encryption algorithm. It is characterized by. According to the third aspect, since the common key cryptosystem is used, the second key information Kg and the third key information Kr can be made the same. However, the second key information Kg and the third key information Kr are not disclosed,
The second key information Kg and the third key information Kr cannot be directly accessed except for the key generating means and the key restoring means.

According to a fourth aspect of the present invention, in the key recovery method of the first or second aspect, the second key information Kg is a public key, the third key information Kr is a secret key, and the public key is an encryption algorithm. It is characterized by using an encryption method.
In the fourth aspect, since the public key cryptosystem is used, the second key information Kg, which is a public key, can be made public.
The third key information Kr, which is a secret key, cannot be directly accessed by means other than the key recovery means.

A fifth aspect of the present invention is the key recovery method according to any one of the first, second, third, and fourth aspects.
The key generation means, the key storage means and the key restoration means are respectively arranged on different devices which are physically independent from each other. According to the fifth aspect, the key generation means, the key storage means, and the key restoration means are arranged on different devices which are physically independent from each other. Therefore, the key generation means, the key storage means, and the key restoration means are arranged at locations separated from each other. can do.

Therefore, it becomes more difficult for a hacker or an internal administrator to illegally access both the key storage unit and the key recovery unit. According to a sixth aspect, in the key recovery method according to any one of the first, second, third, fourth, and fifth aspects, when communication is performed between the key generation unit and the key storage unit, Further, when communication is performed between the key storage means and the key restoration means, the communication partner is authenticated, and communication is started only when the authentication is passed.

According to the present invention, the communication is performed after authentication is performed between the key generation means and the key storage means and between the key storage means and the key restoration means. Communication with anyone other than the communication partner can be prohibited. This increases safety. Claim 7
2. The key recovery method according to claim 1, wherein the key recovery unit is prohibited from extracting encryption key information from the key storage unit.

According to the seventh aspect, since it is prohibited that the encryption key information is fetched from the key storage unit except for the key recovery unit, for example, the key generation unit is illegally accessed, and the key storage unit is accessed via the key generation unit. However, even if an attempt is made to illegally extract encryption key information from a user, the encryption key information cannot be extracted. Claim 8 provides the key recovery method according to claim 1,
The storage means stores, for each of the encryption key information to be stored, at least an identifier for specifying a user and a used encryption algorithm or information for specifying the same in association with each other. .

According to the present invention, since the identifier for identifying the user and the encryption algorithm used are stored for each encryption key information, the encryption algorithm can be changed as required. . Claim 9
The key recovery method according to claim 8, wherein the key generation means includes, together with the generated encryption key information, an identifier for identifying a user who uses the encryption key information, and an encryption algorithm or a used encryption algorithm. The information to be specified is delivered to the storage means.

According to the ninth aspect, the identifier for identifying the user for each encryption key information and the encryption algorithm used are delivered from the key generation means to the storage means. The encryption algorithm used can be changed as needed. Claim 1
0 is the key recovery method according to claim 8, wherein the storage unit responds to the request from the restoring unit together with the encryption key information and an identifier for identifying a user who uses the encryption key information. The cipher algorithm or information specifying the cipher algorithm is sent to the restoring means as a set of information.

According to the tenth aspect, when the restoring unit retrieves the encryption key information from the storage unit, it is possible to obtain the user identifier and the encryption algorithm associated with the encryption key information. Even if the algorithm is changed, the restoration means can restore the first key information K. 12. A key management system for managing first key information K generated according to a request of a user, wherein the key generation unit generates first key information K according to a request of the user; An encryption unit that encrypts the first key information K using the second key information Kg that is a public key to generate encryption key information, and a delivery unit that delivers the encryption key information to a predetermined storage device. A user device, a storage device for storing the encryption key information delivered from the user device, and a restoration device for extracting the encryption key information stored in the storage device according to a key recovery request from the user. Are provided.

By using the key management system according to the eleventh aspect, the key recovery method according to the first aspect can be implemented. According to the eleventh aspect, the first key information K generated by the key generation means in the user device is encrypted using the second key information Kg which is a public key, and is delivered to the storage device as encrypted key information by the delivery means. Will be delivered. The storage device stores the delivered encryption key information. The restoration device retrieves the encryption key information stored in the storage device according to a key recovery request from the user.

According to a twelfth aspect of the present invention, in the key management system according to the eleventh aspect, a secret key holding means for holding the third key information Kr, which is a secret key used for decrypting the encrypted key information, in the restoration device. And decryption means for decrypting the encrypted key information retrieved from the storage device using the third key information Kr in accordance with a key recovery request from a user and restoring the first key information K. It is characterized by.

In the twelfth aspect, the secret key holding means provided in the decompression device holds the third key information Kr, which is a secret key. Decryption can be performed using the third key information Kr. According to a thirteenth aspect of the present invention, in the key management system according to the eleventh aspect, the user device, the storage device, and the restoration device are arranged at positions physically separated from each other, between the user device and the storage device, and the storage device. The apparatus and the restoration apparatus are connected by a communication line.

According to the thirteenth aspect, since the user device, the storage device, and the restoration device are arranged at positions physically separated from each other, even if a hacker or an internal administrator attempts unauthorized access, It is difficult to illegally access both the storage device and the restoration device, and high security can be ensured. According to a fourteenth aspect, in the key management system according to the eleventh aspect, when communication is started between the user device and the storage device, and between the storage device and the restoration device, authentication of the partner device is performed. An authentication unit for performing communication only when authentication is passed is provided in each of the user device, the storage device, and the restoration device.

In the fourteenth aspect, authentication is performed when communication is performed between the user device and the storage device, and when communication is performed between the storage device and the restoration device. Can be denied. Therefore, it is effective to prevent unauthorized access. Claim 15
In the key management system according to the fourteenth aspect of the present invention, the storage device further comprises a retrieval rejection unit for prohibiting a device other than the restoration device from retrieving the encryption key information stored in the storage device. .

According to a fifteenth aspect, the device for extracting the encryption key information is limited to the restoring device only by the function of the extraction rejecting means provided in the storage device. Therefore,
Even if a hacker or the like illegally obtains the third key information Kr, the first key information K cannot be obtained because the encrypted key information cannot be extracted. According to a sixteenth aspect, in the key management system according to the eleventh aspect, the storage device specifies at least an identifier for identifying a user and an encryption algorithm or a used encryption algorithm for each of the encryption key information to be stored. The information is stored in association with each other.

In the present invention, since the identifier for identifying the user and the encryption algorithm are stored in the storage device for each encryption key information, it is possible to change the encryption algorithm to be used as needed. it can.
Claim 17 is the key management system according to claim 16,
The user device, together with the generated encryption key information, an identifier for identifying a user who uses the encryption key information,
The cipher algorithm used or information specifying the cipher algorithm is delivered to the storage device.

In the present invention, since the information of the used encryption algorithm is transmitted from the user device to the storage device, even if the encryption algorithm is changed by the processing of the user device, the storage device is used. The encryption algorithm can be specified by the information stored above.
Claim 18 is the key management system according to claim 16,
The storage device, in response to a request from the restoration device, together with the encryption key information, an identifier for identifying a user who uses the encryption key information, and an encryption algorithm or information for identifying the same. Is transmitted to the restoration device as a set of information.

According to the eighteenth aspect, the restoring device can specify the encryption algorithm used for encrypting the encryption key information based on the information retrieved from the storage device. Therefore, even if the encryption algorithm used is changed, The first key information K can be restored from the encrypted key information. A nineteenth aspect is the key management system according to the sixteenth aspect, wherein one user owns a plurality of pieces of first key information K,
For each of the encryption key information stored by the storage device, a key identifier for specifying any one of the plurality of first key information K assigned to the same user corresponds to the encryption key information. It is characterized by being attached and stored.

According to the nineteenth aspect, the plurality of first key information K assigned to the same user can be distinguished by the key identifier stored in the storage device. One key information K can be assigned. According to a twentieth aspect, in the key management system according to the sixteenth aspect, when a plurality of pieces of the second key information Kg exist, the storage device stores a plurality of pieces of second key information for each of the encryption key information to be stored. A key identifier for specifying any one of Kg is stored in association with encryption key information.

In the twentieth aspect, the plurality of second key information Kg can be distinguished by the key identifier stored in the storage device, so that the plurality of second key information Kg can be properly used as needed. it can.

[0033]

DESCRIPTION OF THE PREFERRED EMBODIMENTS One embodiment of a key recovery method and a key management system according to the present invention will be described with reference to FIGS. This form corresponds to all claims. FIG. 1 is a block diagram showing the configuration of the system of this embodiment. FIG. 2 is a flowchart showing a processing flow at the time of key generation in this embodiment. FIG. 3 is a flowchart showing a processing flow at the time of key restoration in this embodiment.

In this embodiment, the key generation means, the key storage means, and the key restoration means of the first aspect are each provided with a key generation server 1
1, corresponding to the key storage server 14 and the key recovery server 16. Further, the user device, the storage device, and the restoration device of claim 11 correspond to the key generation server 11, the key storage server 14, and the key recovery server 16, respectively. Step S2
2, S25 and S27.

The secret key holding means and the decrypting means in claim 12 correspond to the storage device 31 and step S58, respectively. The communication line of claim 13 corresponds to the LAN 12. The authentication means according to claim 14 performs steps S26, S31, S5
4, S61. The take-out refusal means of claim 15 corresponds to step S61. The key identifier of claim 19 corresponds to the key ID 22. 20. The key identifier according to claim 20, wherein
Corresponds to D23.

In this embodiment, keys are managed using the system shown in FIG. Referring to FIG. 1, the system includes clients 10 (1) and 10 (2), a key generation server 1
1, a firewall 13, a key storage server 14, and a key recovery server 16 (1), 16 (2). Clients 10 (1), 10 (2), key generation server 11, key recovery server 1
6 (1) and 16 (2) are connected to each other via a LAN (local area network) 12. The key storage server 14 is connected to the LAN 12 via the firewall 13.
Is connected to

Of course, the configuration of the network may be changed as needed. For example, LA through a router
N12 can be connected to the Internet, and any terminal connected to the Internet can be used as a client. The storage device 31 of the key generation server 11 holds keys Kg (1) and Kg (2) used for managing the user's key K. Further, the key recovery server 16 (1) holds the key Kr (1) used for managing the user's key K, and the key recovery server 16 (2) stores the key Kr ( 2) holding.

The keys Kg (1) and Kg (2) are used when encrypting the key K in order to prevent the key K from being used by unauthorized persons. The keys Kr (1) and Kr (2) are used to decrypt the encrypted key K. In this example, the key Kg (1) and the key Kr (1) make a pair, and the key Kg (2) and the key Kr
(2) is paired. That is, the key Kr (1) is used to decrypt information encrypted with the key Kg (1),
Key K for decrypting information encrypted with key Kg (2)
r (2) is used. Information encrypted with the key Kg (1) cannot be decrypted with a key other than the key Kr (1). Further, information encrypted with the key Kg (2) cannot be decrypted with a key other than the key Kr (2).

In a company, a plurality of keys Kg (1), Kg
(2) can be used for each department. For example, the key K
g (1) is used only by the general affairs department, and the key Kg (2) is used only by the accounting department. In the system shown in FIG. 1, any of a common key cryptosystem and a public key cryptosystem can be used as a cryptographic algorithm.

However, when the common key cryptosystem is used, the key Kg and the key Kr are the same and the keys Kg and Kr are private, so that the keys Kg and Kr are protected from being seen from outside. There is a need to. In the case of the public key cryptosystem, the key Kg and the key Kr are different. In this case, the key Kg is assigned as a public key, and the key Kr is assigned as a secret key. It is not necessary to protect the key Kg, which is a public key, but it is necessary to protect the key Kr, which is a secret key, so that it cannot be seen from the outside.

The firewall 13 is a key storage server 1
4 limit the communication partners who can access. In this example, when registering new information in the key storage DB 15 connected to the key storage server 14, the key generation server 1
Only one access is allowed. Also, the key storage server 14
When the information stored in the key storage DB 15 connected to the server is retrieved, access is permitted only to the key recovery servers 16 (1) and 16 (2).

In the key storage DB 15, for each key to be stored, information of a user ID 21, a key ID 22, an encryption ID 23, encryption key information (eKg (K)) 24, and an encryption algorithm 25 is registered as a set of information. You. A different value for each user is assigned to each user in advance as a user ID 21. However, one user can obtain a plurality of types of keys K. The key ID 22 is information for specifying one of a plurality of keys K assigned to the same user.

In this example, two types of keys Kg (1) and Kg (2) are provided as keys for use in encrypting the key K. Therefore, two keys Kg (1) and Kg (1) are used for encryption. It is necessary to select one of (2). The value of the encryption ID 23 indicates which of the two keys Kg (1) and Kg (2) was used at the time of encryption. Encrypted key information 2 obtained by encrypting key K with key Kg
4 is represented here by (eKg (K)). The encryption algorithm 25 is the content of the algorithm actually used when encrypting the key K with the key Kg.

For example, a plurality of available encryption algorithms are prepared in advance, and information specifying one of the prepared plurality of encryption algorithms is registered in the key storage DB 15 instead of the encryption algorithm 25. Is also good.
The operation of each unit when the user acquires a new key K using the system of FIG. 1 will be described with reference to FIG.

The user can request the system to generate a new key K by operating the client 10 (1) or 10 (2) in FIG. In this case, step S11 in FIG. 2 is executed, and the key generation request is sent to the key generation server 1
1 is input. When a key generation request is input to the key generation server 11, the key generation server 11 authenticates the user with the client 10 that has generated the request (S21). In this case, the user is the user ID assigned to the user in advance.
21 and its password are input in step S12.

The key generation server 11 checks whether the user ID 21 and the password input by the user match those registered in the key generation server 11 in advance, and if they match, the process proceeds from step S21 to S22. In step S22, unique information is generated as a key K. The key K generated in step S22 is transmitted to the user in step S23. The user can use the new key K received from the key generation server 11 in step S13 as an encryption key when, for example, encrypting a document file.

The document file or the like encrypted by the user is
If the key K used for encryption cannot be used without the key K, a serious problem occurs if the user loses or destroys the key K, for example. Therefore, even if the user loses or destroys the key K, the key K is re-issued so that the key K can be reissued.
Need to be safely stored and managed. In step S14, a key ID 22 is input to specify one key K to be stored. Also, a plurality of keys K that can be used to encrypt the key K
encryption ID2 to select either g (1) or Kg (2)
Enter 3. The key generation server 11 receives the key ID 22 and the encryption ID 23 input by the user in step S24.

The key generation server 11 encrypts the key K in step S25. In this encryption, step S2
One key Kg (1) corresponding to the encryption ID 23 received in Step 4
Alternatively, use Kg (2). When encrypting with the key Kg (1), use an encryption algorithm that can be decrypted with the key Kr (1). When encrypting with the key Kg (2), use an encryption algorithm that can be decrypted with the key Kr (2). Use an algorithm. When step S25 is executed, encryption key information (eKg (K)) 24 is generated.

In order to store the encryption key information (eKg (K)) 24 generated by the key generation server 11 in the key storage DB 15, it is necessary to communicate between the key generation server 11 and the key storage server 14. However, since the firewall 13 is disposed in front of the key storage server 14, first, mutual authentication is performed between the key generation server 11 and the firewall 13.

In the mutual authentication in steps S26 and S31, it is recognized that the communication partner of the key generation server 11 is the firewall 13.
Only when it is recognized that the other party of communication is the key generation server 11, the communication is considered to be permitted. If the communication is permitted, the process proceeds to step S27, in which the key generation server 11 sets the user ID 21, the key ID 22, the encryption ID 23, the encryption key information (eKg (K)) 24, and the encryption algorithm 25 as a set of keys. Delivery to the storage server 14.

The key storage server 14 has a set of information input from the key generation server 11, that is, a user ID 21, a key ID 22, an encryption ID 23, and encryption key information (eKg
(K)) 24 and the encryption algorithm 25 are registered and stored in the key storage DB 15 as a set of information associated with each other.
If the user who has already obtained the key K by the process of FIG. 2 loses or destroys the key K, the same key K can be obtained again by using the system of FIG. The operation of each unit in that case will be described with reference to FIG.

The user is the client 10 (1) or 10 (2)
To generate a key recovery request. In this case, step S
The key recovery request generated in 41 is input to the key recovery server 16 (1) or 16 (2). The configuration and operation of the two key recovery servers 16 (1) and 16 (2) are the same, but the keys Kr (1) and Kr (2) held in the storage device 32
Is different.

When a key recovery request is input, the key recovery server 16 authenticates the user in step S51. That is, it is checked whether the user who has requested the key recovery matches the user who has authority and is registered in the key recovery server 16 in advance. In order to receive this authentication, the user needs to perform step S42.
To enter the user ID 21 and its password. When the user ID 21 and the password input by the user match the information registered in the key recovery server 16 in advance, the key recovery server 16 permits the user's request, and proceeds to step S52.

If the same user has obtained a plurality of keys K, the user inputs the key ID 22 in step S43 to specify one key K to be restored. The key recovery server 16 acquires the key ID 22 in step S52. In step S53, the key recovery server 16 requests the key storage server 14 to transmit storage information. However,
Since the firewall 13 exists in front of the key storage server 14, first, the key recovery server 16 and the firewall 1
3 is mutually authenticated.

In the mutual authentication in steps S54 and S61,
The communication is permitted when the communication partner of the key recovery server 16 is the firewall 13 and the communication partner of the firewall 13 is the key recovery server 16. In this example, the firewall 13 is the key recovery server 16 (1), 1
6 (2) is permitted to communicate with the key storage server 14.

Communication for reading information stored in the key storage server 14 is not permitted to the key generation server 11. Therefore, the key recovery servers 16 (1) and 16 (2)
Can extract information from the key storage server 14.

If the communication is permitted by the mutual authentication in steps S54 and S61, the key recovery server 16 proceeds to step S54.
55 stores the user ID 21 and the key ID 22 in the key storage server 1
Send to 4. In step S62, the key storage server 14
Is a set of information that matches the user ID 21 and the key ID 22 input from the key recovery server 16, that is, one key K
ID21, key ID22, encryption I
D23, encryption key information (eKg (K)) 24, and encryption algorithm 25 are extracted from the key storage DB 15, and are transmitted to the key recovery server 16.

Therefore, the key recovery server 16 proceeds to step S5
6, the user ID 21 and key I associated with one key K
D22, encryption ID23, encryption key information (eKg (K))
24, receiving the information of the encryption algorithm 25; In step S57, the key recovery server 16 sets the key Kr (1) corresponding to the encryption ID 23 of the information input from the key storage server 14.
Alternatively, it is checked whether or not Kr (2) is held in its own storage device 31. If the key Kr (1) or Kr (2) corresponding to the encryption ID 23 exists, the process proceeds to step S58.

In step S58, the key recovery server 16 uses the Kr held in the storage device 32 and
Decrypts the encryption key information (eKg (K)) 24 in accordance with the encryption algorithm 25 extracted from. as a result,
The key K is reproduced. For example, when the user accesses the key recovery server 16 (1) for reissuing the key K, the key Kr (1) held in the storage device 32 (1) can be used.
Key Kr (2) cannot be used. In this case, the key storage server 1
If the encryption ID 23 of the information extracted from No. 4 is associated with the key Kr (1), the process proceeds to step S58. However, the encryption ID 2 of the information retrieved from the key storage server 14
When the key 3 is associated with the key Kr (2), the key Kg (1) used in the encryption does not match the key Kr (2), so the encryption key information (eKg (K)) 24 Cannot be decoded.

The key K reproduced in step S58 is transmitted from the key recovery server 16 to the requesting client 10 in step S59. Therefore, the user proceeds to step S44.
Can obtain the key K again. When the system shown in FIG. 1 is used, for example, when an attempt is made to directly access the key storage server 14 from the client 10, the access is denied by the authentication of the firewall 13, so the information stored in the key storage DB 15 is extracted. It is not possible.

Further, for example, even if the unauthorized access to the key generation server 11 succeeds, the retrieval of the storage information from the key storage server 14 is stored in the key storage DB 15 because the key generation server 11 has no authority. Information cannot be retrieved. Further, even if the unauthorized access to the key recovery server 16 is successful and the key Kr is obtained illegally, the information cannot be extracted from the key storage server 14 except for a predetermined procedure. Not available.

Further, even if the administrator of the key storage server 14 illegally obtains the information on the key storage DB 15, the encrypted key information (eKg) is obtained unless the key Kr on the key recovery server 16 is obtained. (K)) cannot be decrypted, so the key K
Cannot be obtained. The above embodiment is an example, and the present invention can be implemented in various modified examples described below.

(1) In the above embodiment, the “key generation function”, “key recovery function”, and “key storage function” are arranged on physically independent devices, respectively. A “key generation function”, a “key recovery function”, and a “key storage function” may be provided as independent software. Of course, even in this case, when communication is performed among the “key generation function”, “key recovery function”, and “key storage function”, it is necessary to perform the authentication processing as in the embodiment.

(2) When only a single key K is assigned to one user, it is not necessary to store the key ID 22 in the key storage DB 15. When a plurality of keys Kg are not provided, there is no need to store the encryption ID 23 in the key storage DB 15. (3) In the above embodiment, the encryption algorithm 25 is transferred from the key generation server 11 to the key storage server 14.
One or more encryption algorithms 25 are stored in a key storage DB in advance.
15, there is no need to transmit from the key generation server 11.

(4) In the above embodiment, step S4
3 shows a case where the key recovery server 16 retrieves only one set of information corresponding to the key ID 22 input by the user from the key storage server 14. For example, all the information corresponding to the user ID 21 is extracted from the key storage server. 14 may be taken out. In this case, information on a plurality of keys as restoration candidates may be displayed on the screen of the user, and restoration may be performed on one key selected by the user.

As a specific modification, FIG. 4 shows a modification of the processing flow at the time of key generation, and FIG. 5 shows a modification of the processing flow at the time of key restoration. 4 and 5, FIGS.
The same processes as those described above are denoted by the same step numbers. The processing changed in FIGS. 4 and 5 will be described below. In the example of FIG. 4, the key generation server acquires the encryption ID from the initialization file provided in itself at the first step S20. Therefore, in this example, the user
You do not need to enter D. When generating the key K in step S22B, the key generation server assigns a key ID to the key K.

Further, in the user authentication in steps S12B and S21, the user is authenticated using the electronic signature, and a key for encrypting and using the communication path between the key generation server and the client is used. Perform the conversion. For this reason, since the key K transmitted by the key generation server in step S23 is encrypted on the communication path, there is no fear that the key K is stolen by a third party on the communication path.

In FIG. 5, steps S42B, S5
In the first user authentication, the user is authenticated using an electronic signature as in the case of FIG. In addition, a key for encrypting a communication path is shared.

For this reason, the client determines in step S43
The key ID transmitted to the communication path is encrypted and transmitted.
Further, the key K transmitted by the key recovery server to the communication path in step S59 is also encrypted and transmitted. Needless to say, the client can automatically obtain the key K by decrypting the encrypted and delivered key K.

[0070]

As described above, according to the present invention, the key K
Key information (eKg
Both (K)) and the key Kr used for decryption are required. Since the encrypted key information (eKg (K)) and the key Kr used for decryption are arranged on independent functions or physically independent devices, the encryption key is used in the case of unauthorized access. It is extremely difficult for the same person to obtain both the information (eKg (K)) and the key Kr, and the possibility of unauthorized access to the stored key information can be minimized.

[Brief description of the drawings]

FIG. 1 is a block diagram illustrating a configuration of a system according to an embodiment.

FIG. 2 is a flowchart illustrating a processing flow at the time of key generation according to the embodiment;

FIG. 3 is a flowchart illustrating a processing flow at the time of key restoration according to the embodiment;

FIG. 4 is a flowchart illustrating a modification of the processing flow at the time of key generation.

FIG. 5 is a flowchart illustrating a modification of the processing flow at the time of key restoration.

[Explanation of symbols]

 Reference Signs List 10 client 11 key generation server 12 LAN 13 firewall 14 key storage server 15 key storage DB 16 key recovery server 21 user ID 22 key ID 23 encryption ID 24 encryption key information (eKg (K)) 25 encryption algorithm 31, 32 storage apparatus

 ──────────────────────────────────────────────────続 き Continuing on the front page (72) Inventor Hiroki Ueda 2-3-1 Otemachi, Chiyoda-ku, Tokyo Within Nippon Telegraph and Telephone Corporation (72) Inventor Kimihiko Sekino 2-1-1 Nagatacho, Chiyoda-ku, Tokyo No. Sanno Park Tower 41F NTT Mobile Communications Network Co., Ltd. F-term (reference) 5J104 AA01 AA07 AA16 EA12 EA13 EA17 NA02 NA05

Claims (20)

[Claims] 1. A key recovery method for generating first key information K to be used by a user and restoring the first key information K in accordance with a request from the user, wherein the first key information The second key information Kg is held in the key generation means for generating the information K, and the third key information Kr is stored in the key recovery means for extracting necessary information from a predetermined key storage means in accordance with a recovery request from the user. The second key information Kg is used for encryption and the third key information is used for decryption.
Using a specific encryption algorithm that uses the key information Kr, generates the encryption key information obtained by encrypting the first key information K using the second key information Kg, and generates the generated encryption key information. And transferring the data from the key generation unit to the key storage unit and storing the encryption key information in the key storage unit. 2. The key recovery method according to claim 1, wherein when a recovery request from a user is input to said key recovery means, said key recovery means fetches the encryption key information from said key storage means. A key recovery method, wherein the encrypted key information is decrypted by using the held third key information Kr, and the first key information K is restored. 3. The key recovery method according to claim 1, wherein the second key information Kg and the third key information Kr are the same, and a common key cryptosystem is used as a cryptographic algorithm. Key recovery method to do. 4. The key recovery method according to claim 1, wherein the second key information Kg is a public key, the third key information Kr is a secret key, and a public key cryptosystem is used as an encryption algorithm. A key recovery method characterized by using: 5. A key recovery method according to claim 1, wherein said key generation means, key storage means and key recovery means are physically different from each other. A key recovery method, characterized in that the key recovery methods are respectively arranged above. 6. The key recovery method according to claim 1, wherein:
When communication is performed between the key generation unit and the key storage unit,
A key recovery method comprising: performing communication between the key storage unit and the key restoration unit; authenticating a communication partner; and starting communication only when the authentication is successful. 7. The key recovery method according to claim 1, wherein the key recovery unit is prohibited from extracting encryption key information from the key storage unit. 8. The key recovery method according to claim 1, wherein the storage unit specifies, for each of the encryption key information to be stored, at least an identifier for identifying a user, and an encryption algorithm or a used encryption algorithm. A key recovery method characterized by storing information in association with each other. 9. The key recovery method according to claim 8, wherein said key generation means generates the encryption key information, an identifier for identifying a user who uses the encryption key information, and an encryption algorithm used. Alternatively, a key recovery method comprising delivering information specifying the key information to the storage means. 10. The key recovery method according to claim 8, wherein
The storage unit, in response to the request from the restoration unit, together with the encryption key information, an identifier that specifies a user who uses the encryption key information, and an encryption algorithm that is being used or information that specifies the encryption algorithm. Is transmitted to the restoration means as a set of information. 11. A first file generated according to a user's request.
A key management system that manages key information K of the first key information, wherein the key generation means generates the first key information K according to a request of a user, and the second key information is a public key. A user device comprising: an encrypting unit that encrypts using Kg to generate encryption key information; and a delivery unit that delivers the encryption key information to a predetermined storage device. A key management system comprising: a storage device for storing encryption key information; and a restoration device for extracting encryption key information stored in the storage device in accordance with a key recovery request from a user. 12. The key management system according to claim 11, wherein the recovery device stores third key information Kr, which is a secret key used for decrypting the encryption key information, and a user. And decryption means for decrypting the encrypted key information retrieved from the storage device using the third key information Kr and restoring the first key information K in accordance with the key recovery request from the storage device. Key management system. 13. The key management system according to claim 11, wherein the user device, the storage device, and the restoration device are arranged at positions physically separated from each other, and between the user device and the storage device, and the storage device. A key management system, wherein a device and a restoration device are connected by a communication line. 14. The key management system according to claim 11, wherein when communication is started between said user device and a storage device and between said storage device and a restoration device, authentication of a partner device is performed. A key management system, wherein authentication means for performing communication only when authentication is passed is provided in each of the user device, the storage device, and the restoration device. 15. The key management system according to claim 14, wherein the storage device includes a retrieval rejection unit for prohibiting a device other than the restoration device from retrieving the encryption key information stored in the storage device. Characterized key management system. 16. The key management system according to claim 11, wherein the storage device specifies, for each of the encryption key information to be stored, at least an identifier for identifying a user and an encryption algorithm or a used encryption algorithm. A key management system for storing information in association with each other. 17. The key management system according to claim 16, wherein the user device generates the encryption key information, an identifier for identifying a user who uses the encryption key information, and an encryption algorithm used. Alternatively, a key management system for delivering information specifying the key management information to the storage device. 18. The key management system according to claim 16, wherein the storage device responds to the request from the restoring device together with the encryption key information and an identifier for identifying a user who uses the encryption key information. A key management system, wherein a cipher algorithm used or information specifying the cipher algorithm is sent to the restoration device as a set of information. 19. The key management system according to claim 16, wherein when one user owns a plurality of pieces of first key information K, the storage device uses the same encryption key information for each of the stored encryption key information. Multiple firsts assigned to the user
A key management system for storing a key identifier for specifying any one of the key information K in association with the encryption key information. 20. The key management system according to claim 16, wherein, when a plurality of the second key information Kg exist, the storage device stores a plurality of second key information for each of the encryption key information to be stored. A key management system for storing a key identifier for specifying any one of Kg in association with encryption key information.