JP2001285273A - Encryption communication method and encryption communication system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an encryption communication method and an encryption communication system that can securely distribute a signal in a multi-cast way against random distribution of decoded keys and attain charging by a meter rate. SOLUTION: A transmission section 11 transmits secret information with respect to encryption to a key management server 41 and delivers information with respect to the encryption to a router 21 and succeeding sections. First when encrypted key request information is transmitted, routers 21-24 conduct similar encryption by using a specific encryption key to transmit the encrypted key to reception sections 31-34. The reception sections give the encryption including key request information to the key management server 41. The key management server 41 uses the secret information to issue decoding keys different from paths and conducts charging processing. The transmission section 11 and each router encrypt distribution information, and the reception sections use a decoding key to decode the encrypted information and to acquire the information. Since the decoding keys different from the distribution paths are used, the security is enhanced. Since the key request information is changed by each prescribed time, the charging according to the meter rate is attained.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a cryptographic communication system for encrypting distribution information and performing multicast distribution, and a cryptographic communication method therefor.

[0002]

2. Description of the Related Art In recent years, so-called multicast distribution, which distributes information such as moving images and audio to a plurality of destinations on the Internet in real time, has been actively studied. Information such as moving images and voices has a high added value, and may be distributed for a fee. When distributing such paid information, only the recipient who has paid the regular usage fee can receive the distribution information, and it is necessary to prevent other recipients from acquiring the content.
For this purpose, a configuration has been considered in which information is encrypted and distributed, and decrypted at the destination to obtain the content of the information.

[0003] As described above, several techniques have been proposed as a technique for encrypting distribution information so that only a specific recipient authorized by the distributor can receive the distribution information and eliminate eavesdropping by other persons. Has been made. All of the techniques proposed so far encrypt the information to be distributed and distribute the decryption key only to authorized recipients.

[0004] However, these techniques have several problems. One of the problems is that by redistributing the decrypted information by a legitimate recipient, recipients other than the legitimate recipient can also receive the information. To deal with this problem, redistribution of information originally distributed requires heavy processing and a large communication bandwidth,
It is difficult to do such fraud. further,
Measures have been proposed to allow a redistributor to be located by a digital watermark.

Another problem is that a legitimate recipient can distribute a decryption key to another recipient, and a recipient other than the legitimate recipient can decrypt the encrypted information to obtain the information. There is also. Such misconduct can be easily performed without any special large facilities. Also,
With current technology, if one of the groups receiving the information distributes the decryption key, anyone can easily tap it. On the other hand, a method has been proposed in which different decryption keys are distributed to individual recipients and the distributor of the decryption key is specified. However, this method only indirectly suppresses the distribution of an illegal decryption key.

As described above, conventionally, it is impossible to cope with illegal information acquisition due to scattering of decryption keys. For this reason, an encryption communication method and an encryption communication system that are secure against the dispersion of decryption keys are desired.

Further, when information is distributed, there is a problem in joining and leaving a group to receive the information. At the time of enrollment, a decryption key may be passed, but at the time of unsubscription, it is necessary to prevent subsequent distribution information from being obtained. For example, when information is distributed for a fee, if the distribution information can be acquired even after unsubscribing, there is no point in having the legitimate recipient pay the fee. As a method of charging a fee, for example, a pay-as-you-go system in which a fee is paid for viewing a program can be considered. When distributing information in this way, a system and a communication method that can prevent the acquisition of distribution information after unsubscribing and can accurately charge are required.

[0008] For example, when a withdrawal occurs, a new decryption key is delivered to a legitimate recipient by a secure method, and the legitimate recipient is thereafter encrypted using the new decryption key. It has been considered that information is decoded to obtain the content of the information. As a result, the unsubscriber cannot decrypt the encrypted information with the decryption key used so far, and can continue distributing the information only to the authorized recipient. However, the number of withdrawals is irregular, and it has not been possible to charge a pay-as-you-go system by delivering such a decryption key.

[0009]

SUMMARY OF THE INVENTION The present invention has been made in view of the above circumstances, and enables information to be safely distributed to authorized recipients even when the decryption key is scattered. It is an object of the present invention to provide a cryptographic communication method and a cryptographic communication system that can charge a user for a fee.

[0010]

According to the first and ninth aspects of the present invention, there is provided an encrypted communication method and an encrypted communication system for encrypting distribution information and performing multicast distribution. Encrypted and transmitted, and the relay means in the distribution path are also encrypted with individual encryption keys, and the distribution information and key request information that have been subjected to encryption processing according to the path are distributed. Is what you do.

According to a third aspect of the present invention, there is provided an encrypted communication method and an encrypted communication system for encrypting distribution information and performing multicast distribution, wherein encryption processing according to a route transmitted is performed. The received distribution information and the key request information that has been similarly encrypted according to the path are received by the receiving unit, and based on the encrypted key request information, for example, a key management server , And obtains the distribution information by decrypting the encrypted distribution information with the decryption key. The key management server may be configured to issue a decryption key according to the distribution path of the encrypted key request information based on the encrypted key request information.

As described above, the information and the key request information distributed by the multicast are subjected to the encryption processing according to the distribution path. Further, a decryption key corresponding to the distribution path is issued based on the key request information that has been subjected to the encryption processing according to the distribution path. Therefore, even if the decryption key in one path is distributed, the information distributed through another path cannot be decrypted, and the information can be distributed safely with respect to the distribution of the decryption key. .

The above-mentioned key request information is defined in claim 2, 5, 1
It can be changed at predetermined time intervals as in the inventions described in 0 and 12. Along with this, the distribution information is also subjected to encryption processing corresponding to the immediately preceding key request information and distributed. The receiving means requests a new decryption key from the key management server every time the encrypted new key request information is received. At this time, the key management server requests the new decryption key based on the issuance of the new decryption key. You can charge for the original. As a result, it is possible to perform metered billing at predetermined time intervals. In addition, with respect to a withdrawn member, if a new decryption key is not issued after the withdrawal, the subsequent distribution information cannot be obtained. In this way, appropriate billing processing can be performed in information distribution. The distribution of the key request information may be performed at any timing other than the predetermined time interval.

As an encryption method in such an encryption communication method and an encryption communication system, for example, as in the inventions according to claims 6 and 13, information obtained by encrypting a number obtained by raising a predetermined number x to the power of a is used. , And the remainder of the multiplication result by the number p is used as a cipher.
For example, if such encryption is performed on the key request information by the transmission unit and the relay unit, and the calculation is performed based on the encryption including the key request information received by the reception unit and the original key request information, The function of the encryption process is known. By using this as a decryption key, a decryption key for each path can be issued to the receiving means.

As another encryption method, for example, as in the inventions according to claims 7 and 14, the distribution information is obtained by encrypting a predetermined number x to a number a. And the remainder of the multiplication result by the number p is ciphered. For the key request information, the number a
Can be added, and the remainder of the addition result by the number p can be ciphered. For example, if such encryption is performed on the key request information in the transmission unit and the relay unit, and an operation is performed based on the encryption including the key request information received in the reception unit and a predetermined number x, the encryption in the path will be performed. The function of the conversion process is understood. By using this as a decryption key, a decryption key for each path can be issued to the receiving means.

As still another encryption method, for example, as in the inventions according to claims 7 and 16, the key request information is obtained by encrypting a number obtained by raising a predetermined number x to the power a. , And the remainder of the multiplication result by the number p is ciphered.
The information to be encrypted is further multiplied by the number y raised to the power a, and the remainder of the multiplication result by the number p can be used as encryption. For example, if such encryption is performed on the key request information in the transmission unit and the relay unit, and an operation is performed based on the encryption including the key request information received by the reception unit and the predetermined numbers x and z, the encryption is performed in the path. The function of the encryption process of is understood. By using this as a decryption key, a decryption key for each path can be issued to the receiving means.

[0017]

FIG. 1 is a block diagram illustrating an embodiment of a cryptographic communication system according to the present invention. FIG. 1 is also an example of a system for realizing the encryption communication method of the present invention. In the figure, 11 is a transmitting unit, 21 to 28 are routers, 31 to 35 are receiving units, and 41 is a key management server. In the following description, it is assumed that multicast distribution of information is performed using the Internet. However, the present invention is not limited to the Internet, and can be applied to various types of communication in which information is relayed, for example, broadcast communication, and a closed network system connecting a plurality of LANs.

The transmitting section 11 encrypts and distributes distribution information such as contents of a program such as audio and video. In addition, in order to generate a decryption key corresponding to the path to each of the authorized receiving units, the key request information is encrypted and distributed. The key request information is distributed at regular intervals or at predetermined timings, and the encrypted key request information is referred to as a pulsating packet in the following description. Also, the encrypted distribution information is referred to as a multicast packet in the following description.

In the system shown in FIG. 1, a multicast packet or a pulsating packet transmitted from the transmitting unit 11
In accordance with the multicast distribution mechanism, distribution is performed via one or more routers. The receiving units 31 to 35 request at least the nearest router to receive the distribution information distributed by multicast, for example, the router 24 if the receiving units 31 to 34, and the router 28 if the receiving unit 35. You will receive packets and pulsating packets.

When receiving the distribution of these multicast packets and pulsating packets, for example, in the example shown in FIG.
, 23, 2
4 is delivered. The data is distributed to the receiving unit 35 via the routers 21, 22,..., 23, 28.
As described above, the distribution route of the multicast packet or the pulsating packet differs depending on the receiving unit. If the transmission path from the router at the last stage to each receiving unit is also a distribution path, the distribution path differs for each receiving unit. Although FIG. 1 shows an example in which the route passes through at least four routers, how many routers pass through is arbitrary. Even when the route passes through the same number of routers, the route on the way may be different. However, it is assumed that the pulsating packet and the subsequent multicast packet reach the receiving unit through the same route. If the route changes,
It is assumed that pulsating packets are always delivered.

The routers 21 to 28 send the following information to the next router or the receiving unit depending on the destination of the transmitted information.
The transmitted information is encrypted and transferred. For example, the router 21 further encrypts the multicast packet sent from the transmission unit 11 and transfers the packet to the routers 22 and 26 and the like. The router 22 is sent from the router 21,
The multicast packet and the pulsating packet encrypted by the router 21 are further encrypted and transferred to the router 27 or another router for transfer to the router 23. As will be described later, each of the routers 21 to 28 arbitrarily selects a parameter (encryption key) used for encryption. for that reason,
Even if the same information is transmitted from the transmission unit 11, different encryption processing is performed depending on which router the packet passes through. In this way, the transmitting unit 11 sends the receiving units 31 to
It is possible to realize encryption according to the path up to 35. It is assumed that the routers 21 to 28 are "reliable for the transmission unit 11". "Reliable to the transmission unit 11" means that the secret notified from the transmission unit 11 is not leaked to another node.

FIG. 1 shows an encryption process using the encryption key a as f (I, a). Here, I is the received data, such as a multicast packet or a pulsating packet. As described later, the encryption process f may be different between the case where the multicast packet is encrypted and the case where the pulsating packet is encrypted, or the same process may be performed. The encryption key a is unique to each router. Here, the parameter (encryption key a) used for encryption is set for each router, but the parameter used for encryption may be set for each communication path to be transmitted. For example, when a parameter (encryption key a) used for encryption is set for each communication path when a router at the last stage (such as the router 24) transfers the data to the receiving unit, a different encryption process is performed for each receiving unit. Can be applied.

The receiving units 31 to 35 receive the multicast packet and the pulsating packet by the transmitting unit 11 and the router on the route. When the pulsation packet is received, the pulsation packet is sent to the key management server 41, and the decryption key is received. Then, by using the decryption key received from the key management server 41, the received multicast packet is decrypted, and distribution information, for example, a program such as a moving image or an audio can be obtained.

In this example, the receiving units 31 to 34 are
Receive the same pulsating packet and multicast packet. Of course, when the router 24 performs encryption for each communication path as described above, different pulse packets and multicast packets will be received. Here, it is assumed that these receiving units 31 to 34 are legitimate recipients.
On the other hand, the receiving unit 35 receives a pulsating packet and a multicast packet from the router 28. Since the packet is received via a different path from the receiving units 31 to 34, the pulsating packet and the multicast packet have been subjected to different encryption processing.

The key management server 41 performs processes such as recipient authentication, issuance of a decryption key, and accounting. Key management server 4
1 has previously acquired information on the authentication of the recipient. In addition, it receives secret information regarding encryption from the transmission unit 11. When there is a request for receiving distribution information from the receiving units 31 to 35, the receiver authenticates the receiver and issues an address for receiving a pulsating packet and a multicast packet. When the pulsating packet is transmitted from the receiving units 31 to 35, a decryption key is generated from the transmitted pulsating packet and the secret information, and is issued to the receiving unit that transmitted the pulsating packet. I do.

As described above, since the pulsating packet has been subjected to encryption processing in each router, it includes the key request information sent from the transmission unit 11, but different encryption processing is performed depending on the path. Have been. Therefore, when the decryption key is generated by the key management server 41, a decryption key that can be decrypted including the encryption process performed by the router along the route is generated. As described later, the generation of the decryption key can be performed by calculation. The key management server 41 is also "reliable for the transmission unit 11".

Further, the key management server 41 charges a fee when a new decryption key is issued. As described above, since the key request information is distributed from the transmission unit 11 at, for example, a predetermined time interval or at a predetermined timing, a new decryption key is also issued at a predetermined time interval and at a predetermined timing. By performing the billing process in response to the issuance of the new decryption key, for example, a time-based billing can be performed for each time. In order to issue the decryption key and charge the authorized recipient accurately, it is preferable to authenticate the recipient, for example.

Note that the key management server 41 generates and returns the same decryption key for the same pulsating packet. For example, the key managing server 41 returns the decrypting key to the receiving unit corresponding to the scattered pulsating packet. However, information cannot be decrypted with the decryption key returned by a receiving unit having a different path. At this time, it is necessary to ensure that the receiver of the regular beat packet is not charged. Further, even if the decryption keys obtained from the key management server 41 are scattered, information cannot be decrypted with the scattered decryption keys by the receiving units having different routes.

Next, the procedure of encryption in the above configuration will be described. FIG. 2 is a flowchart illustrating an operation of the transmission unit according to the embodiment of the present invention. First, in S51, the encryption unit in the transmission unit 11 and the key management server 41 is initialized. At this time, the key management server 41 receives, from the transmission unit 11, secret information regarding encryption, which is required when generating a decryption key. At this point, information necessary for encryption is transmitted to the routers 21 and 25.

In step S52, the transmission unit 11 sends a pulsating packet obtained by encrypting the key request information to the information distribution destination. Each router starts routing to the destination of the information, and at the same time, generates a unique encryption key, obtains information necessary for encryption sent from the transmission unit 11, and uses these to convert a pulsating packet. It encrypts and sends it to the next router or receiver.

After the path is thus established and the pulsating packet is distributed, in step S53, the distribution information is actually encrypted and transmitted. Each time this multicast packet passes through each router, it is encrypted by the router and sent to the next router or receiver. At this time, S5
The distribution of information encrypted using the same encryption parameters as the pulse packet transmitted in step 2 must be performed via the same path as the pulse packet.

The transmission of the pulsation packet shown in S52 can be performed, for example, at a predetermined time or at a predetermined timing. Further, every time the beat packet is transmitted, the information is encrypted in S53 using the encryption parameter (encryption key) used at that time.
Of course, the initialization of the encryptor in S51 may also be executed after a predetermined time has elapsed or at a predetermined timing.

FIG. 3 is a flowchart showing the operation of the receiving unit according to the embodiment of the present invention. When the distributed information is received by the receiving unit, first, in S61, a request is made to the nearest router to receive the distributed information. At this time, for example, the presence / absence of subscription qualification may be checked with the key management server 41 in some cases.

When the reception request is accepted, a pulse packet is received from the nearest router. The receiving unit in S62,
Sends the received pulsation packet to the key management server 41,
Request a decryption key. The key management server 41 generates an individual decryption key for each receiving unit according to the pulsating packet received from the receiving unit (and secret information previously sent from the transmitting unit), and sends the decryption key to the receiving unit in a secure manner. I will send it back. At the same time, the receiver (or the receiver) is charged.

In step S63, the receiving unit that has received the decryption key can use the received decryption key to decrypt the delivered multicast packet and acquire the information content.

The request for the decryption key in S62 is made every time a beat packet is distributed. As described above, the pulsating packet is distributed at predetermined time intervals or at predetermined timings.
And a new decryption key is obtained.
The receiving unit decodes the multicast packet after the distribution of the corresponding beat packet using the latest decoding key. Further, since the key management server 41 charges each time a new decryption key is issued, a fee is charged for each interval at which a pulse packet is transmitted. As a result, for example, charging according to the time of viewing a program such as a moving image or a sound becomes possible.

Hereinafter, a specific encryption procedure will be described. FIG. 4 is an explanatory diagram of a first specific example of the encryption method. In the first specific example, information to be encrypted is multiplied by a number obtained by raising a predetermined number x to the power a, and the remainder of the multiplication result by the number p is ciphered. That is, if the information is I and the encryption is C, C = I · x ^a (mod p) (Equation 1). Here, the predetermined number x is transmitted from the transmission unit 11 to each router 21 as information necessary for encryption.
To 28. The number a may be a value unique to the transmission unit 11 and each of the routers 21 to 28. For example, each may be generated by a random number or the like. In the following description, the value of the number a in the transmitting unit 11 is a0,
Let the values of the number a in to 28 be a1 to a8. In the following description, the numbers a (a0 to a8) are respectively generated by random numbers. The number p is a large prime number, and this value may be made public.

The operation for performing such encryption processing will be described with reference to FIGS. 2 and 3 together with FIG. First, at the initialization stage in S51, the transmission unit 11 prepares a random number generation system R and a large prime number p. Next, the primitive element x of the set of integers Z ^* _p consisting of the remainder by the number p
∈ Choose Z ^* _p appropriately. The number a is calculated using the random number generation system R.
Make 0. After the transmission unit 11 is initialized in this way, the numbers p and x are changed to the nearest router (the routers 21 and 22 in FIG. 1).
Send to 5). Further, the random number generation system R and the number p are transmitted to the key management server 41 in advance. Alternatively, the key request information h and the number p generated from the random number generation system R may be sent to the key management server 41.

When such a preparation is completed, next, S in FIG.
At 52, the transmitting unit 11 sends out a beat packet.
At this time, the pseudo-random number sequence {h _i } using the random number generation system R
_{{i = 0}} ^∽ the generated for each predetermined time interval or a predetermined timing. The following is a description taking the point in time of this shows the pseudo random number h _i being generated at that time as a key request information h. The key request information h is encrypted in the transmission unit 11 according to the above-described equation (1). That is, h
x ^a0 (mod p) is calculated and sent out as a beat packet.

At each router receiving the pulsation packet,
Routing to the distribution destination is performed, and a unique number ak corresponding to the number a is generated. For example, the router 21 generates the number a1, and the router 22 generates the number a2. In addition, routers other than the nearest router of the transmission unit 11 also acquire the numbers x and p from the immediately preceding router. Then, the transmitted beat packet is subjected to the encryption shown in Expression 1 and output. That is, in the router 21, (h · x ^a0 ) · x ^a1 (mod p) = h · x ^{a0 + a1} (m
od p) is calculated. Similarly, in the router 22, (h · x ^{a0 + a1} ) · x ^a2 (mod p) = h · x
^{a0 + a1 + a2} (mod p) is calculated. Therefore, the routers 21, 22, 2
3,. . . , 2n, when arriving at the receiving unit, H = h × ^{a0 + a1 + a2 +... + An} (mod p) (Equation 2).

After transmitting the pulsating packet in this manner, the transmitting unit 11 encrypts and transmits the information to be distributed in S53 of FIG. Assuming that the distribution information is m, mx
^a0 (mod p) is calculated and transmitted as a multicast packet. Here, the distribution information m may be any information such as a character string, but is used as an integer value during the encryption process. Each router also performs the same encryption processing as in the case of a pulsating packet. That is, the router 21
Then, ( ^mxa0 ) ^xa1 (mod p) = ^{mxa0 + a1} (m
od p) is calculated. Similarly, in the router 22, ( ^{mxa0 + a1} ) ^xa2 (mod p) = mx
^{a0 + a1 + a2} (mod p) is calculated. Therefore, the routers 21, 22, 2
3,. . . , 2n, when arriving at the receiver, M = ^{mxa0 + a1 + a2 + ... + an} (mod p) (Equation 3).

On the side of the receiving unit (the receiving unit 31 in FIG. 4), the key management server 41
Request the address to which the information will be delivered. The key management server 41 confirms whether or not the receiving unit 31 that has requested the distribution is eligible to join the group, and returns the address of the information to be distributed. Of course, in some cases, the address of the information to be distributed can be obtained without performing such authentication.
The receiving unit 31 requests the nearest router (the router 2n in FIG. 4) to distribute the information based on the address of the information to be distributed. In response to this request, the router starts to deliver the delivered pulsating packet and multicast packet to the receiving unit (or a router serving as a route to the receiving unit).

When distribution of information from the router starts, first, a pulsating packet is received. The pulsation packet received by the receiving unit 31 is the pulsation packet H represented by the above equation (2). When the pulsation packet H is received, S62 in FIG.
As shown by, the pulsating packet H is sent to the key management server 41 to request a decryption key.

Since the key management server 41 receives the random number generation system R from the transmission unit 11 in advance, the key request information h generated from the random number generation system R can be obtained. Alternatively, the key request information h is directly received from the transmission unit 11. When the key request information h is generated from the random number generation system R, the key request information h can be generated without performing communication with the transmission unit 11.

The key management server 41 obtains the decryption key K from the key request information h and the pulsation packet H sent from the receiving unit 31 as follows. That is, the calculation of K = ^{h.H -1} = x- ^{ao-a1 -...- an} (mod p) (Equation 4) may be performed. At this time, a
0, a1,. . . , An are unnecessary, and the key management server 4
One does not need to know these. The obtained decryption key K is transmitted to the receiving unit 31 in a secure manner. When issuing a new decryption key in this way, the key management server 41
Perform billing processing.

The receiving unit 31 decodes the multicast packet M using the decoding key K received from the key management server 41. Between the received multicast packet M, decryption key K, and plaintext data (distribution information) m, ^MK = ^{mxa0 + a1 + ... + anx-a0-a1 -...- an} = m ( mod p) (Equation 5) holds. Therefore, the receiving unit 31 can obtain the original distribution information m by multiplying the received multicast packet M by the decryption key K.

In this way, it is possible to obtain a decryption key corresponding to the information distribution route, use the decryption key to decrypt the distributed multicast packet, and obtain the content of the information. Further, by distributing the key request information at predetermined time intervals, it is necessary to obtain a decryption key each time, and billing can be performed at that timing. Further, with respect to the withdrawn member, the distribution of the information can be stopped by not issuing the decryption key after the next change of the key request information.

In this example, since the number "a" is generated for each router and encryption is performed, a receiving unit (for example, the receiving unit shown in FIG. 1) which receives information distribution from the same last stage router via the same route is used. The units 31 to 34) use the same decryption key. However, in a receiving unit that receives information via different routes (for example, the receiving unit 35 in FIG. 1),
Even if the pulsating packet or the decryption key is leaked, the encryption process for each router cannot be decrypted, so that the content of the information cannot be obtained. In this way, security can be maintained for the distribution of the decryption key to the receiving units having different paths.

For example, it is conceivable that the receiver alone estimates the decryption key K. However, the transmission unit 11, the key management server 41, and the routers 21 to 2n are respectively configured by the random number generation system R, the number x, and the number ak.
It is difficult for the receiver to estimate the key K alone as long as the key K is kept secret from the receiver.

On the other hand, if the pulsating packet flowing in the network one upstream is available, the encryption processing in the router 2n at the final stage can be estimated. That is, the beat packet input to the router 2n is h · x ^{a0 + a1 + a2 +... + A (n−1)} (mod p), and x ^an is estimated from the above (Equation 2). it can. A decryption key K received from the key management server 41 by the receiving section, the use of x ^an, estimated as described above, the decryption key-class on top of the network and the adjacent branches of the network would be easily estimated. Therefore, it is necessary to minimize collusion of recipients across the network. In order to counter such collusion, the router becomes strong against collusion if, for example, the encryption key an is set separately for each output destination.

FIG. 5 is an explanatory diagram of a second specific example of the encryption method. In the second specific example, the same encryption processing as that in the first specific example is performed on the information to be distributed, but the key request information (pulse packet) includes a number a in the information to be encrypted. Is added, and the remainder of the addition result by the number p is ciphered. That is, if the key request information (pulse packet) is I and the encryption is C, C = I + a (mod p) (Equation 6). Here, the numbers a and p are the same as those in the first specific example described above.

The operation when such an encryption process is performed will be described with reference to FIG. 5 and FIGS. 2 and 3 described above. First, at the initialization stage in S51, the transmission unit 11 prepares a random number generation system R and a large prime number p. Next, the primitive element x of the set of integers Z ^* _p consisting of the remainder by the number p
∈ Choose Z ^* _p appropriately. The number a is calculated using the random number generation system R.
Make 0. After the transmission unit 11 is initialized in this way, the numbers p and x are changed to the nearest router (the routers 21 and 22 in FIG. 1).
Send to 5). Further, the random number generation system R and the numbers p and x are transmitted to the key management server 41. Alternatively, the random number generation system R
May be sent to the key management server 41.

When such a preparation is completed, next, S in FIG.
At 52, the transmitting unit 11 sends out a beat packet.
At this time, the pseudo-random number sequence {h _i } using the random number generation system R
_{{i = 0}} ^∽ the generated for each predetermined time interval or a predetermined timing. The following is a description taking the point in time of this shows the pseudo random number h _i being generated at that time as a key request information h. The key request information h is encrypted in the transmitting unit 11 according to the above equation (6). That is, h +
a0 (mod p) is calculated and transmitted as a beat packet.

At each router receiving the pulsation packet,
Routing to the distribution destination is performed, and a unique number ak corresponding to the number a is generated. For example, the router 21 generates the number a1, and the router 22 generates the number a2. In addition, routers other than the nearest router of the transmission unit 11 also acquire the numbers x and p from the immediately preceding router. (The number x is used when encrypting the distributed information.)
The transmitted pulsation packet is subjected to encryption shown in Expression 6 and output. That is, the router 21 calculates (h + a0) + a1 = h + a0 + a1 (mod p). Similarly, in the router 22, (h + a0 + a1) + a2 = h + a0 + a1 + a2 (m
od p). Therefore, the routers 21, 22, 2
3,. . . , 2n, when arriving at the receiver, H = h + a0 + a1 + a2 +... + An (mod p) (Equation 7).

After transmitting the pulsating packet in this manner, the transmitting section 11 encrypts and transmits the distribution information in S53 of FIG. Assuming that the distribution information is m, m · x ^a0 according to the above-described equation 1 in the same manner as in the first specific example.
(Mod p) is calculated and transmitted as a multicast packet. Here, the distribution information m may be any information such as a character string, but is used as an integer value during the encryption process. Similar encryption processing is performed in each router. That is, in the router 21, ( ^mxa0 ) ^xa1 (mod p) = ^{mxa0 + a1} (m
od p) is calculated. Similarly, in the router 22, ( ^{mxa0 + a1} ) ^xa2 (mod p) = mx
^{a0 + a1 + a2} (mod p) is calculated. Therefore, the routers 21, 22, 2
3,. . . , 2n, when arriving at the receiving unit, becomes M = ^{mxa0 + a1 + a2 + ... + an} (mod p) (Equation 8).

On the side of the receiving unit (the receiving unit 31 in FIG. 5), when receiving the information distribution, the key management server 41
Request the address to which the information will be delivered. The key management server 41 confirms whether or not the receiving unit 31 that has requested the distribution is eligible to join the group, and returns the address of the information to be distributed. Of course, in some cases, the address of the information to be distributed can be obtained without performing such authentication.
The receiving unit 31 requests the nearest router (router 2n in FIG. 5) to distribute the information based on the address of the information to be distributed. In response to this request, the router starts to deliver the delivered pulsating packet and multicast packet to the receiving unit (or a router serving as a route to the receiving unit).

When distribution of information from the router starts, first, a pulsating packet is received. The pulsation packet received by the receiving unit 31 is the pulsation packet H represented by the above equation (7). When the pulsation packet H is received, S62 in FIG.
As shown by, the pulsating packet H is sent to the key management server 41 to request a decryption key.

Since the key management server 41 has received the random number generation system R from the transmission unit 11 in advance, the key request information h generated from the random number generation system R can be obtained. Alternatively, the key request information h is directly received from the transmission unit 11. When the key request information h is generated from the random number generation system R, the key request information h can be generated without performing communication with the transmission unit 11.

The key management server 41 decodes the key request information h, the numbers p and x sent from the transmission section 11 and the pulsation packet H sent from the reception section 31 from the decryption. The key K is obtained as follows. That is, the ^{calculation of} K = x ^(hH) = x ^{-a0-a1 -...- an} (mod p) (Equation 9) may be performed. At this time, a
0, a1,. . . , An are unnecessary, and the key management server 4
One does not need to know these. The obtained decryption key K is transmitted to the receiving unit 31 in a secure manner. When issuing a new decryption key in this way, the key management server 41
Perform billing processing.

The receiving unit 31 decodes the multicast packet M using the decoding key K received from the key management server 41. Between the received multicast packet M, decryption key K, and plaintext data (distribution information) m, ^MK = ^{mxa0 + a1 + ... + anx-a0-a1 -...- an} = m ( mod p) (Equation 10) holds. Therefore, the receiving unit 31 can obtain the original distribution information m by multiplying the received multicast packet M by the decryption key K.

As described above, it is possible to obtain a decryption key corresponding to the information distribution path, use the decryption key to decrypt the distributed multicast packet, and obtain the content of the information. Further, by distributing the key request information at predetermined time intervals, it is necessary to obtain a decryption key each time, and billing can be performed at that timing. Further, with respect to the withdrawn member, the distribution of the information can be stopped by not issuing the decryption key after the next change of the key request information.

In this example, since the number a is generated for each router and encryption is performed, the receiving unit (for example, the receiving unit shown in FIG. 1) which receives information distribution from the same last stage router via the same route is used. The units 31 to 34) use the same decryption key. However, in a receiving unit that receives information via different routes (for example, the receiving unit 35 in FIG. 1),
Even if the pulsating packet or the decryption key is leaked, the encryption process for each router cannot be decrypted, so that the content of the information cannot be obtained. In this way, security can be maintained for the distribution of the decryption key to the receiving units having different paths. Of course, if the router performs encryption by making the value a different for each output, the security can be further improved.

For example, it is conceivable that the receiver alone estimates the decryption key K. However, the transmission unit 11, the key management server 41, and the routers 21 to 2n are respectively used by the random number generation system R, the number x, and the number ak.
It is difficult for the receiver to estimate the key K alone as long as the key K is kept secret from the receiver.

Further, an can be easily estimated by monitoring the pulsating packets flowing in the network one upstream. However, since the number x is secret to all receivers, x ^an is unknown. Therefore, a decryption key is not generated even if the key holder of the upstream network and the key holder of the adjacent network are colluded. Also,
It is as safe because there is x ^-an do not know even if collusion with the key holder of the downstream of the network.

Further, it is examined whether a malicious receiver can know the key request information h. The receiver receives the number p, the decryption key K, the pulsating packet h + a0 + a1 +... + An (mo
dp). To find the key request information h from the decryption key K, a0 + a1 +... + An must be found. However, in order to obtain a0 + a1 +... + An from the decryption key K, the receiver must obtain the secret number x by some method and then solve the discrete logarithm problem. This is very difficult. Therefore, it is possible to prevent the receiver having the decryption key K from spreading the key request information h.

Also, by monitoring the pulse packet one upstream, an can be easily estimated, but since the number x is secret to the receiver, it is necessary to collaborate with the key holder of the upstream network. No decryption key can be created.

FIG. 6 is an explanatory diagram of a third specific example of the encryption method. In the third specific example, the pulsation packet is subjected to the same encryption processing as in the first specific example, but the information to be distributed is obtained by encrypting the number x raised to the z-th power and the number a raised to the a-th power. The information to be converted is multiplied, and the remainder of the multiplication result by the number p is ciphered. That is, if the information to be encrypted I, the encryption C, the those obtained as ^{C = I · y a (mod} p) ( Equation 11) y = x ^z. Here, the numbers x, a, and p are the same as those in the first specific example. The number z is an arbitrary number larger than 1, and may be a random number, for example. Numbers y, z
Is also secret information.

The operation for performing such an encryption process will be described with reference to FIGS. 2 and 3 together with FIG. First, at the initialization stage in S51, the transmission unit 11 prepares a random number generation system R and a large prime number p. Next, the primitive element x of the set of integers Z ^* _p consisting of the remainder by the number p
∈ Choose Z ^* _p appropriately. The number z is calculated using the random number generation system R.
(> 1), a0 is created, and y = ^xz is stored. After the transmission unit 11 is initialized in this way, the numbers p, x, and y are transmitted to the nearest router (the routers 21 and 25 in FIG. 1). The random number generation system R and the numbers p, x, and z are transmitted to the key management server 41. Alternatively, the key request information h and the numbers p, x, and z generated from the random number generation system R are stored in the key management server 41.
May be sent to

When such a preparation is completed, next, S in FIG.
At 52, the transmitting unit 11 sends out a beat packet.
At this time, the pseudo-random number sequence {h _i } using the random number generation system R
_{{i = 0}} ^∽ the generated for each predetermined time interval or a predetermined timing. The following is a description taking the point in time of this shows the pseudo random number h _i being generated at that time as a key request information h. The key request information h is encrypted in the transmission unit 11 according to the above-described expression 1 in the first specific example. That is, h · x ^a0 (mod p) is calculated,
It is transmitted as a beat packet.

At each router receiving the pulsation packet,
Routing to the distribution destination is performed, and a unique number ak corresponding to the number a is generated. For example, the router 21 generates the number a1, and the router 22 generates the number a2. In addition, routers other than the nearest router of the transmission unit 11 also acquire the numbers p, x, and y from the immediately preceding router. (The number y is used when performing encryption processing on the information to be distributed.) Then, the transmitted pulsating packet is subjected to the encryption shown in Expression 1 and output. That is, the router 21 calculates ( ^{h.x a0} ) ^{.x a1} = ^{h.x a0 + a1} (mod p). Similarly, in the router 22, (h · x ^{a0 + a1} ) · x ^a2 = h · x ^{a0 + a1 + a2} (mod
p) will be calculated. Therefore, the routers 21, 22, 2
3,. . . , 2n, when arriving at the receiver, H = h × ^{a0 + a1 + a2 +... + An} (mod p) (Equation 12).

After transmitting the beat packet in this manner, in S53 of FIG. 2, the transmitting section 11 encrypts and transmits the information to be distributed. When the information to be distributed is m,
This time, m · ^ya0 (mod p) is calculated according to the above equation 11, and is transmitted as encryption of information to be distributed. Here, the distribution information m may be any information such as a character string,
At the time of encryption, it is regarded as an integer value and used for calculation. Similar encryption processing is performed in each router. That is, in the router 21, (m · ^ya0 ) · ^ya1 (mod p) = ^{mya0 + a1} (m
od p) is calculated. Similarly, in the router 22, (m · ^{ya0 + a1} ) · ^ya2 (mod p) = my
^{a0 + a1 + a2} (mod p) is calculated. Therefore, the routers 21, 22, 2
3,. . . , 2n, when it arrives at the receiver, M = m · ^{ya0 + a1 + a2 +... + An} (mod p) (Equation 13).

On the side of the receiving unit (the receiving unit 31 in FIG. 6), when the information is to be distributed, the key management server 41
Request the address to which the information will be delivered. The key management server 41 confirms whether or not the receiving unit 31 that has requested the distribution is eligible to join the group, and returns the address of the information to be distributed. Of course, in some cases, the address of the information to be distributed can be obtained without performing such authentication.
The receiving unit 31 requests the nearest router (the router 2n in FIG. 6) to distribute the information based on the address of the information to be distributed. In response to this request, the router starts to deliver the delivered pulsating packet and multicast packet to the receiving unit (or a router serving as a route to the receiving unit).

When distribution of information from the router starts, first, a pulsating packet is received. The pulsation packet received by the receiving unit 31 is a pulsation packet H represented by the above equation (12).
It is. When the pulsation packet H is received, S6 in FIG.
2, the pulsating packet H is transferred to the key management server 41.
To request a decryption key.

Since the key management server 41 has received the random number generation system R from the transmission unit 11 in advance, the key request information h generated from the random number generation system R can be obtained. Alternatively, the key request information h is directly received from the transmission unit 11. When the key request information h is generated from the random number generation system R, the key request information h can be generated without performing communication with the transmission unit 11.

The key management server 41 stores the key request information h and the numbers p, x,
From z and the pulsating packet H sent from the receiving unit 31, a decryption key K is obtained as follows. That is, K = (h · H ⁻¹ ) ^z = (x ^{−a0−a1 −...− an} ) ^z (mod p) = y ^{−a0−a1 −...− an} (mod p) (Equation 14) ) May be performed. At this time, a
0, a1,. . . , An are unnecessary, and the key management server 4
One does not need to know these. The obtained decryption key K is transmitted to the receiving unit 31 in a secure manner. When issuing a new decryption key in this way, the key management server 41
Perform billing processing.

The receiving unit 31 decrypts the multicast packet M using the decryption key K received from the key management server 41. Between the received multicast packet M, decryption key K, and plaintext data (distribution information) m, ^MK = ^{mya0 + a1 + ... + any-a0-a1 -...- an} = m ( mod p) (Equation 15) holds. Therefore, the receiving unit 31 can obtain the original distribution information m by multiplying the received multicast packet M by the decryption key K.

In this way, it is possible to obtain a decryption key corresponding to the information distribution path, use the decryption key to decrypt the distributed multicast packet, and obtain the content of the information. Further, by distributing the key request information at predetermined time intervals, it is necessary to obtain a decryption key each time, and billing can be performed at that timing. Further, with respect to the withdrawn member, the distribution of the information can be stopped by not issuing the decryption key after the next change of the key request information.

In this example, since the number a is generated for each router and encryption is performed, the receiving unit (for example, the receiving unit shown in FIG. 1) which receives information distribution from the same last stage router via the same route is used. The units 31 to 34) use the same decryption key. However, in a receiving unit that receives information via different routes (for example, the receiving unit 35 in FIG. 1),
Even if the pulsating packet or the decryption key is leaked, the encryption process for each router cannot be decrypted, so that the content of the information cannot be obtained. In this way, security can be maintained for the distribution of the decryption key to the receiving units having different paths. Of course, if the router performs encryption by making the value a different for each output, the security can be further improved.

For example, it is conceivable that the receiver alone estimates the decryption key K. However, the transmission unit 11, the key management server 41, and the routers 21 to 2n are each provided with a random number generation system R, a number x, y,
As long as z and the number ak are kept secret from the recipient, it is difficult for the recipient to estimate the key K alone.

Further, an can be easily estimated by monitoring the pulsating packets flowing in the network one upstream. However, since the number z is secret to all receivers, y ^an is unknown. Therefore, a decryption key is not generated even if the key holder of the upstream network and the key holder of the adjacent network are colluded.

Further, it is examined whether a malicious receiver can know the key request information h. The recipient is the number p, the decryption key K, the beat packet h · x ^{a0 + a1 + ... + an} (mod
Know p). To find the key request information h from the decryption key K,
a0 + a1 +... + an must be obtained. However, it is very difficult to obtain a0 + a1 +... + An from the decryption key K because it is necessary to obtain the number z which is kept secret for all the recipients by some method. For this reason, the receiver having the decryption key K is able to obtain the key request information h.
Can be prevented.

Also, by monitoring the pulse packet one upstream, x ^an can be easily estimated, but since the number z is secret to the receiver, it is concluded with the key holder of the upstream network. No decryption key can be created.

Further, it is examined whether the key holders of the adjacent networks collude with each other and the number y is revealed. Now
Beat packet H1 = h · x ^{a0 + a1 + a2 + ... + a (n-1) + an1} (mod p) H2 = h · x ^{a0 + a1 + a2 + ... + a (n-1) + It is assumed that an2} (mod p) is obtained. From these two beat packets, H12 = H1 / H2 = x ^an1-an2 is obtained. From K1 = y ^{-a0-a1-a2 -...- an1} (mod p) K2 = y ^{-a0-a1-a2 -...- an2} (mod p), K1 / K2 = y- ^{(an1) -an2)} (mod p) is obtained. An1-an after knowing the number z or the number y
The problem of finding 2 directly is a discrete logarithm problem and difficult,
Since all recipients do not know the numbers x, y, an1-an
It is more difficult to ask for 2. Also, the problem of finding the number z from these is a discrete logarithm problem, which is also difficult. Therefore, even if key holders of adjacent networks collude, it is difficult to obtain information illegally, and security is ensured.

As described above, three methods have been shown as methods of the encryption processing. In the above three specific examples, it is described that encryption is performed in each router from the transmission unit to the reception unit. However, a router that does not perform encryption may exist in the middle of course. As an extreme example,
Some degree of confidentiality can be maintained even if different encryption processes are performed only by the final stage router that distributes to the transmission unit and the reception unit.

The present invention is not limited to the encryption schemes shown in the above three specific examples, but includes various means which can be decrypted with different decryption keys according to the path from the transmission unit to the reception unit. To provide. For example, even when encryption is performed in a router, the present invention is not limited to the above-described encryption method, and various methods can be applied.

[0086]

As is apparent from the above description, according to the present invention, when performing multicast distribution, different decryption keys can be set according to the distribution route, so that it is possible to assign Even if the decryption key is scattered, the encrypted distribution information cannot be decrypted. Therefore, there is an effect that the security of the information against the illegality of dispersing the decryption key can be ensured.

The key request information for issuing the decryption key is distributed from the transmitting means at a predetermined time interval or at a predetermined timing, and every time the key request information is distributed, the receiving means transmits a new decryption signal from the key management server. Since the key is acquired, the key management server charges each time a new decryption key is issued, thereby making it possible to perform metered billing at predetermined time intervals or at predetermined timings. Further, a new decryption key only needs to be issued to the withdrawn member, and the distribution information cannot be obtained after the key request information is changed.
As described above, there is an effect that the management of the recipient who receives the distribution information and the accounting management can be easily performed.

[Brief description of the drawings]

FIG. 1 is a block diagram illustrating an embodiment of a cryptographic communication system according to the present invention.

FIG. 2 is a flowchart illustrating an operation of a transmission unit according to the embodiment of the present invention.

FIG. 3 is a flowchart illustrating an operation of a receiving unit according to the embodiment of the present invention.

FIG. 4 is an explanatory diagram of a first specific example of an encryption method.

FIG. 5 is an explanatory diagram of a second specific example of the encryption method.

FIG. 6 is an explanatory diagram of a third specific example of the encryption method.

[Explanation of symbols]

11: transmission unit, 21 to 28, 2n: router, 31 to 35
... Receiving unit, 41 ... Key management server.

──────────────────────────────────────────────────続 き Continued on the front page (51) Int.Cl. ⁷ Identification FI theme coat ゛ (reference) H04L 12/18 H04L 11/26 12/22 F term (reference) 5J104 AA01 AA16 DA00 EA04 EA19 JA23 NA02 NA18 PA07 PA11 5K030 GA15 HD03 LA19 LD02 5K033 CB13 DB18 9A001 BB02 BB04 CC05 CC08 EE03 GG21 JJ27 JJ57 KK56 KK60 LL03 LL09

Claims (15)

[Claims] 1. An encryption communication method for encrypting distribution information and performing multicast distribution, wherein the transmission source encrypts key request information together with the distribution information and transmits the encrypted key request information. And transmitting the distribution information and the key request information that have been encrypted according to a path and that have been encrypted according to a path. 2. The key request information is changed and transmitted at predetermined time intervals, and the distribution information is subjected to an encryption process corresponding to the immediately preceding key request information. Item 2. An encrypted communication method according to Item 1. 3. An encryption communication method for encrypting distribution information and performing multicast distribution, wherein the distribution information that has been subjected to encryption processing according to the distribution path is subjected to encryption processing according to the distribution path in the same manner. Receiving the key request information at the receiving end, obtaining a decryption key based on the encrypted key request information, decrypting the encrypted distribution information with the decryption key, and A cryptographic communication method characterized by acquiring 4. The key request information received at the receiving end and subjected to the encryption processing is transmitted to a key management server to request a decryption key, and the key management server requests the decryption key. 4. The encryption communication method according to claim 3, wherein a decryption key corresponding to the distribution route is issued based on the information. 5. The key request information subjected to the encryption processing is distributed at predetermined time intervals, and the key management server charges the request source based on the issuance of a new decryption key. The encryption communication method according to claim 4, wherein: 6. An encryption process for the distribution information and the key request information is performed by multiplying information to be encrypted by a number obtained by multiplying a predetermined number x to the power of a and encrypting a remainder of the multiplication result by the number p. The cryptographic communication method according to any one of claims 1 to 5, wherein 7. The encryption process for the distribution information is performed by multiplying information to be encrypted by a predetermined number x raised to the power of a and encrypting the remainder of the multiplication result by the number p. 6. The encryption process for request information, wherein the number a is added to the information to be encrypted, and the remainder of the addition result by the number p is ciphered. Item 2. The encryption communication method according to Item 1. 8. An encryption process for the key request information,
The information to be encrypted is multiplied by a number obtained by multiplying a predetermined number x to the power a, and the remainder of the multiplication result by the number p is ciphered. 6. The method according to claim 1, wherein the information to be encrypted is multiplied by a number obtained by further raising the calculated number y to the power a, and the remainder of the multiplication result by the number p is ciphered. The cryptographic communication method described in 1. 9. A cryptographic communication system for encrypting distribution information and performing multicast distribution, wherein a transmitting means for encrypting and transmitting key request information together with the distribution information, and an encrypted data received from the transmitting means or another relay means. Relay means for encrypting the distribution information and the key request information using an individual encryption key, and distributing the distribution information and the key request information that have been subjected to the encryption processing according to the path. An encryption communication system characterized by the above-mentioned. 10. The transmitting means changes and transmits the key request information at predetermined time intervals, and transmits the distribution information by performing an encryption process corresponding to the immediately preceding key request information. The cryptographic communication system according to claim 9, wherein: 11. An encryption communication system for encrypting distribution information and performing multicast distribution, wherein said distribution information that has been subjected to encryption processing according to a distribution path and encryption processing that has been similarly performed according to a distribution path have been performed. Receiving means for receiving the key request information, and a key management server for issuing a decryption key according to the distribution path of the encrypted key request information based on the encrypted key request information, the receiving means comprising: Sending the encrypted key request information to the key management server, receiving a decryption key, and decrypting the encrypted distribution information using the decryption key to obtain the distribution information An encryption communication system characterized by the above-mentioned. 12. The receiving means receives the key request information subjected to the encryption processing at predetermined time intervals, receives a new decryption key from the key management server, and the key management server 12. The cryptographic communication system according to claim 11, wherein charging is performed on the receiving unit based on issuance of a new decryption key. 13. The encrypting process for the distribution information and the key request information is performed by multiplying information to be encrypted by a predetermined number x raised to the power a, and encrypting the remainder of the multiplication result by the number p. The cryptographic communication system according to any one of claims 9 to 12, wherein 14. An encryption process for the distribution information,
The information to be encrypted is multiplied by a number obtained by raising a predetermined number x to the power a, and the remainder of the multiplication result by the number p is encrypted. 13. The cryptographic communication system according to claim 9, wherein a number a is added, and a remainder obtained by adding the number p to the number p is ciphered. 15. The encrypting process for the key request information comprises multiplying information to be encrypted by a number obtained by raising a predetermined number x to the power a, and ciphering a remainder of the multiplication result by the number p. The encryption process for the distribution information is to multiply the information to be encrypted by the number a raised to the number a raised to the z-th power of the predetermined number x, and to encrypt the remainder of the multiplication result by the number p. Claim 9 to Claim 12
The cryptographic communication system according to any one of the above.