JP2002124940A - Multicast communication method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a multicast communication method to protect overall multicast communication safety even when various illegal attempts are made. SOLUTION: A transmitter 11 sends secret information regarding encoding to a key managing server 41, and transmits information regarding encoding to a router 21 or farther. When key request information (h) is first encoded and sent, routers 21 to 24 respectively add intrinsic value ak, sequentially sends and transmits to receives 31 to 34. A receiver delivers key request information to the server 41, and receives a different decoding key K at each route. Delivered information (m) is multiplied by ya0 by using a predetermined value (y) by the transmitter 11, multiplied by yak by using an intrinsic value ak to calculate the residue of q, and sequentially sent as an encode. Thus, different encoding is executed at each route. The receiver decodes the information decoded by the router by the acquired decoding key K in one time decoding process to acquire a plaintext (m).

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a multicast communication method for distributing encrypted information at a transmission source to a plurality of destinations.

[0002]

2. Description of the Related Art IP multicast for one-to-many or many-to-many communication on the Internet has been proposed.
It was 988. The feature of the multicast is that the sender transmits information only once to many recipients on the Internet. The transmitted information is copied at a relay point on the route and delivered to the next relay point or each receiver. Therefore, when one-to-one communication technology (unicast) is used, for example, 100 recipients are required for 100 recipients.
Compared to sending the same contents twice, the traffic sent by the sender is only 1/100. For this reason, great expectations have been placed on a communication technique for effectively utilizing the bandwidth of the sender and the network and minimizing traffic delay.

[0003] In fact, in 1992, an experimental IP multicast communication called MBone started. However, in contrast to the WWW developed at the same time, IP multicast has not yet been widely used.
This is because routers incorporating the function of IP multicast are not widely used. Also, I
It is still expensive to secure enough bandwidth to use applications such as real-time audio and video distribution that P multicast assumes, and standardization of routing technology to support global routing is required. It is also possible that things did not go smoothly.

However, these situations are changing recently. In the United States, always-on connections at home using ADSL and the like have been provided at low cost, and multimedia applications such as Internet radio have been enjoyed by individuals. Also, a content delivery service company that distributes WWW contents at high speed on a global scale is considering the application of multicasting.
A high-speed multicast-compatible backbone is being developed. Furthermore, the standardization and commercialization of interactive digital television involving the television broadcasting industry are being advanced at a rapid pace. With a series of these movements, a base for disseminating IP multicast communication is being prepared.

[0005] On the other hand, as the commercial use of multicast communication has progressed, attention has been paid to security in multicast communication. IRTF, an affiliate of the Internet Society that promotes research that will contribute to the future development of the Internet, has also launched a research group called SMuG to address various issues related to secure multicast communications. Discussions are underway on how to solve the problem. Also, some companies have commercialized security products for digital television broadcasting using tamper-free IC cards.

However, a scalable technology to which IP multicast can be generally applied has not been established yet. In particular, as for the technology against piracy by dispersing the decryption key of the encrypted communication, only the deterrence technology based on the tracking technology of the key owner has been proposed, and it is impossible to view with the disperse key. Few direct protection techniques exist.

In the conventional encryption technology, if only one key is distributed to the whole world, the multicast communication can be illegally eavesdropped anywhere in the world. That is,
Local breach immediately leads to the collapse of security of the entire communication system. In such a situation, it is difficult to estimate the extent of the damage and the amount of the damage, and it is doubtful whether the damages can be compensated for even if the culprit can be identified.
Therefore, even if the encryption system is locally broken, it is desirable that a mechanism for protecting most other security is incorporated in the encryption system for multicast communication.

[0008]

SUMMARY OF THE INVENTION The present invention has been made in view of the above circumstances, and various fraudulent acts have been carried out, for example, when keys are scattered or plaintext and ciphertext are disclosed. It is an object of the present invention to provide a multicast communication method protected so that the security of the whole multicast communication is not threatened.

[0009]

SUMMARY OF THE INVENTION The present invention is a multicast communication method for distributing encrypted information from a source to a plurality of destinations via one or more relay points. the predetermined value y given from the transmission source by using the value a is calculated with a multiplication value y ^a was, the received encrypted information to multiply y ^a, the value given the results from the source q And encrypts the remainder.

As described above, in the present invention, encryption using a value a independently generated at a relay point is performed by utilizing the property that multicast communication transmits a communication packet in a bucket brigade manner. As a result, different encryption is performed for each distribution path, and even if the keys are scattered, it is impossible to perform decryption other than on the same distribution path.
Further, by performing encryption at a relay point as in the present invention, it is difficult to generate a decryption key from plaintext and ciphertext even if they are made public. Therefore, even if a key is scattered or an illegal act such as disclosure of plaintext and ciphertext is performed, the security of the entire multicast communication is not threatened.

Further, the key request information is transmitted in advance from the transmission source, and the relay point adds the value a to the key request information and transmits the key request information. The receiver that receives the key request information that has undergone such an operation must obtain a decryption key from the received key request information, and obtain plaintext by a single decryption process using the decryption key that has obtained the encrypted information. Can be. Therefore,
Even if the number of relay points increases, the plaintext can be obtained without any trouble at the receiving destination.

Further, when the information is not to be delivered to at least one of the receiving destinations, at least one of the relay points to which the receiving destination that does not deliver the information is connected receives the independently generated value a. Then, the key request information may be changed and distributed to the relay point and thereafter. In this way, even if a non-delivery destination appears, the key can be locally changed, so that the influence can be minimized.

Further, when the key request information is changed due to a route change, an encryption key based on a difference between the key request information before and after the change is obtained at a downstream relay point, and the information received by the encryption key is obtained. to multiply y ^a from to encrypt,
Further, the remainder operation is performed for encryption. As a result, after the relay point, the path can be encrypted with the same encryption key as before the path change, and the destination can also decrypt with the same decryption key, so that there is no need to change the key.

[0014]

FIG. 1 is a block diagram showing an example of a communication system for implementing an embodiment of a multicast communication method according to the present invention. In the figure, 11 is a transmitting unit, 21 to 21
28 is a router, 31 to 35 are receiving units, and 41 is a key management server. In the following description, among multicast communication on the Internet in which autonomous networks are connected to each other via a router, broadcast-type communication will be particularly considered. However, the present invention is not limited to the Internet, and can be applied to various types of communication in which information is relayed, for example, broadcast communication, and a closed network system connecting a plurality of LANs.

Further, it is assumed that the receiving units 31 to 35 exist at various places on the Internet, and the multicast communication traffic is transmitted from the transmitting unit 11 to the Internet via a plurality of routers which are "reliable for the transmitting unit 11". It is delivered in a formula and delivered to the receiving unit.

The transmitting section 11 encrypts and distributes information to be distributed, for example, program contents such as audio and moving images. In addition, in order to generate a decryption key corresponding to the path to each of the authorized receiving units, the key request information is encrypted and distributed. Note that this key request information is distributed at regular time intervals or at predetermined timings, and a cipher including this key request information will be referred to as a pulsating packet in the following description.

In the system shown in FIG. 1, the encrypted information and the pulsating packet transmitted from the transmitting unit 11 are distributed to the receiving units 31 to 35 via one or a plurality of routers. For example, the routers 21, 22, 22
, 23 and 24, information is distributed. Information is distributed to the receiving unit 35 via the routers 21, 22,..., 23, 28. Here, an example is shown in which at least four routers are used. However, how many routers are used is arbitrary. Even when the same number of routers are used, the route on the way may be different.

The routers 21 to 28 send the following information to the next router or the receiving unit according to the destination of the transmitted information.
The transmitted information is encrypted and transferred. For example, the router 21 further encrypts the encrypted information sent from the transmission unit 11 and transfers the encrypted information to the routers 22 and 26 and the like. The router 22 further encrypts the information encrypted by the router 21 sent from the router 21 and transfers the information to the router 27 or another router for transfer to the router 23. As will be described later, each of the routers 21 to 28 independently and arbitrarily selects a parameter used for encryption. For this reason, even if the same information is sent, different encryption processing is performed depending on which router passes. In this way, the transmitting unit 11 changes to the receiving unit 3
It is possible to realize encryption according to the paths from 1 to 35. It is assumed that the routers 21 to 28 are "reliable for the transmission unit 11". "Reliable to the transmission unit 11" means that the secret notified from the transmission unit 11 is not leaked to another node.

FIG. 1 shows an encryption process using an encryption key a as f (I, a). Here, I is the received data, such as encrypted information or a beat packet. As will be described later, the encryption process f differs between the case of encrypting the encrypted information and the case of encrypting the beat packet. The encryption key a is unique to each router. Here, the parameters used for encryption are set for each router, but the parameters used for encryption may be set for each communication path to be transmitted. For example, if a parameter used for encryption is set for each communication channel when a router at the last stage (such as the router 24) transfers the data to the receiving unit, different encryption processing can be performed for each receiving unit. is there.

The receiving units 31 to 35 receive the information and pulse packets encrypted by the transmitting unit 11 and the router on the route. When the pulsation packet is received, the pulsation packet is sent to the key management server 41, and the decryption key is received. Then, using the decryption key received from the key management server 41,
Encrypted information received by one decryption process can be decrypted to obtain the content of the information.

In this example, the receiving units 31 to 34 are
Receive the same beat packet and the encrypted information from. Of course, when the router 24 performs encryption for each communication path as described above, different pulse packets and encrypted information will be received. Here, these receiving units 3
Assume that 1-34 are legitimate recipients. On the other hand, the receiving unit 35 receives a beat packet and encrypted information from the router 28. Since reception is performed via a different path from the receiving units 31 to 34, the beat packet and the encrypted information are subjected to different encryption processing.

The key management server 41 receives secret information related to encryption from the transmitting unit 11, generates a decryption key from the pulsating packet transmitted from the receiving units 31 to 35 and the secret information, and generates a decryption key of the pulsating packet. Reply to the sender's receiver. Since the pulsating packet has been subjected to encryption processing in each router, it includes the key request information sent from the transmission unit 11, but is subjected to different encryption processing depending on the route. Therefore, a decryption key that can be decrypted including the encryption processing performed by the router in the middle of the route is generated. As described later, the generation of the decryption key can be performed by calculation. This key management server 41 also
It is assumed to be "reliable for the transmission unit 11". Also,
A plurality of key management servers 41 may be provided.

The key management server 41 generates and returns the same decryption key for the same beat packet. For example, the key management server 41 returns the decryption key to the receiving unit corresponding to the disseminated beat packet. However, information cannot be decrypted with the decryption key returned by a receiving unit having a different path. Further, even if the decryption keys obtained from the key management server 41 are scattered, information cannot be decrypted with the scattered decryption keys by the receiving units having different routes.

With such a configuration, the information to be distributed is encrypted by the transmission unit 11. Each time the encrypted information passes through each router on the route, it is encrypted with an encryption key unique to the router. As a result, the receiving units distributed on the Internet cannot be decrypted without using separate decryption keys depending on the path to the transmitting unit. Therefore, security against eavesdropping due to scattering of decryption keys across routers is maintained. Also, each router does not need to leak its own secret to other routers, and even if the secret of any particular router is revealed, the encryption is not broken except under the router. Further, no matter how many routers are on the route, the decoding process performed by the receiving unit only needs to be performed once. That is, since the decoding process does not change depending on the number of hops from the transmission unit 11, there is a feature that fairness among receivers is maintained.

Next, the encryption procedure in the above configuration will be described. FIG. 2 is a flowchart illustrating an operation of the transmission unit according to the embodiment of the present invention. First, in S51, the encryption unit in the transmission unit 11 and the key management server 41 is initialized. At this time, the key management server 41 receives, from the transmission unit 11, secret information regarding encryption, which is required when generating a decryption key. At this point, information necessary for encryption is transmitted to the routers 21 and 25.

In step S52, the transmitting unit 11 sends a pulsating packet obtained by encrypting the key request information to the information distribution destination. Each router starts routing to the destination of the information, and at the same time, generates a unique encryption key, obtains information necessary for encryption sent from the transmission unit 11, and uses these to convert a pulsating packet. It encrypts and sends it to the next router or receiver.

After the path is established and the pulsating packet is distributed in this way, in S53, the information to be actually distributed is encrypted and transmitted. This encrypted information is also encrypted by the router each time it passes through each router, and is sent to the next router or receiving unit. At this time, S5
The distribution of information encrypted using the same encryption parameters as the pulse packet transmitted in step 2 must be performed via the same path as the pulse packet.

The pulsation packet shown in S52 can be transmitted, for example, at a predetermined time or at a predetermined timing. Further, every time the pulsating packet is transmitted, the information is encrypted in S53 using the encryption parameter used at that time. Of course S
The initialization of the encryptor in 51 may also be executed at a predetermined time elapse or at a predetermined timing.

FIG. 3 is a flowchart showing the operation of the receiving unit according to one embodiment of the present invention. When the distributed information is received by the receiving unit, first, in S61, a request is made to the nearest router to receive the distributed information. At this time, for example, the presence / absence of subscription qualification may be checked with the key management server 41 in some cases.

When the reception request is accepted, a pulsating packet is received from the nearest router. The receiving unit in S62,
Sends the received pulsation packet to the key management server 41,
Request a decryption key. The key management server 41 generates an individual decryption key for each receiving unit according to the pulsating packet received from the receiving unit (and secret information previously sent from the transmitting unit), and sends the decryption key to the receiving unit in a secure manner. I will send it back.

In step S63, the receiving unit that has received the decryption key can use the received decryption key to decrypt the distributed encrypted information and acquire the content of the information. The request for the decryption key in S62 is made every time the pulsation packet is distributed, and the encrypted information after the pulsation packet distribution is decrypted using the decryption key received at that time.

Hereinafter, a specific encryption procedure will be described. FIG. 4 is an explanatory diagram of a specific example of the encryption method.
In this specific example, a value ya is calculated by raising ^a predetermined value y to the power ^a .
The received encrypted information to multiply y ^a, in the power result transmitting unit 11, the value p, and in the router is to encrypt by remainder operation with a value q. That is, if the information m, the encryption C, and Y = y ^a, and requests the C = m ^Y (mod p or q) (Equation 1). Here, the predetermined value y and the value q
Is transmitted from the transmission unit 11 to each of the routers 21 to 28 as information necessary for encryption. The number a may be a unique value independent of each other in the transmission unit 11 and each of the routers 21 to 28. For example, each may be generated by a random number or the like. In the following description, the number a in the transmitting unit 11
Is a0, and the value of the number a in the routers 21 to 28 is a1
To a8. The numbers a (a0 to a8) are each generated by random numbers. The number q is a large prime number, and this value may be made public.

The operation for performing such an encryption process will be described with reference to FIGS. 2 and 3 together with FIG. First, at the stage of initialization in S51, the transmission unit 11 prepares a random number h and a large prime number q (q> 2). Also, p = λ (q) = q−1 is prepared. Where λ
(•) is a Carmichael function. Also gcd
An appropriate integer y satisfying (p, y) = 1, 1 <y <p is prepared. After the transmission unit 11 is thus initialized, the transmission unit 11 transmits p, q, and y to the nearest router (the routers 21 and 25 in FIG. 1). Also, the key management server 4
1 tell h, p, q, y in a secure way.

Here, assuming that p is a product of 2 and a large prime number, a set of integers Z ^* _p = {y∈Z | gcd
Since the number of elements satisfying (p, y) = 1, 1 ≦ y <p} becomes large, it is difficult to estimate y. Therefore, it is preferable to select q ′ such that the two integers q ′ and 2q ′ + 1 are both prime numbers, and set p = 2q ′ and q = 2q ′ + 1.

When such a preparation is completed, next, S in FIG.
At 52, the transmitting unit 11 sends out a beat packet.
The transmission unit 11 converts the random number h (h∈Z) into the key request information h
And encrypted as h0 = h + a0. Here, the key request information h may be any information such as a character string, but is used as an integer value during the encryption process. The key request information h0 (pulse packet) encrypted in this manner is transmitted over the network to the destination of the multicast address.

At each router receiving the pulsation packet,
Perform routing to distribution destinations, as well as unique ak
Generate For example, the router 21 generates the number a1, and the router 22 generates the number a2. Also, in routers other than the router closest to the transmitting unit 11, several p, q,
Also obtain y. Then, ak is added to the transmitted pulsation packet to calculate hk = h (k-1) + ak, and the pulsation packet is encrypted. That is, the router 21 calculates (h + a0) + a1 = h + a0 + a1. Similarly, the router 22 calculates (h + a0 + a1) + a2 = h + a0 + a1 + a2. Therefore, the routers 21, 22, 2
3,. . . , 2n, when arriving at the receiver, hn = h + a0 + a1 + a2 +. . . + An (Equation 2).

After transmitting the pulsating packet in this manner, in S53 of FIG. 2, the transmitting section 11 encrypts and transmits the information to be distributed. In this case, a transmission unit 11 each router in advance ^{yk = y ak (mod p)} (k = 0,1, ...,
n) is calculated and prepared. When the information to be distributed is m, the transmission unit 11 calculates ^my0 (mod p), and determines the encryption of the information to be distributed as the nearest router (routers 21 and 25).
Etc.). Here, the distribution information m is also a character string.
Any information may be used, but in the case of encryption, it is regarded as an integer value and used for calculation.

Each router performs an encryption process in accordance with the above equation (1). That is, in the router 21, (m ^y0 ) ^y1 (mod q) = m ^y0y1 (mod q) = m
1 is calculated. Similarly, in the router 22, ( ^my0y1 ) ^y2 (mod q) = ^my0y1y2 (mod q)
= M2. Therefore, the routers 21, 22, 2
3,. . . , 2n, when it arrives at the receiving unit, ^{becomes my0y1y2 ... yn} (mod q) (Equation 3).

The receiving unit (the receiving unit 31 in FIG. 4) finds the address of the multicast communication by some method, and requests information of the multicast address from the router (router 2n). In response to this request, the router obtains p, q, y from the upstream router, generates an, and then starts delivering the distributed information to the receiving unit. In some cases, the recipient is authenticated before delivery starts.

When distribution of information from the router starts, first, a pulsating packet is received. The pulsation packet received by the receiving unit 31 is a pulsation packet hn represented by the above equation (2).
It is. When the pulsation packet hn is received, S in FIG.
As indicated by 62, a key request packet including a pulsation packet hn is sent to the key management server 41 to request a decryption key.

The key management server 41 receives h, p, q, and y from the transmission unit 11 in advance, and obtains the decryption key K together with the pulsation packet hn transmitted from the reception unit 31 as follows. . That is, if k is an integer, mn ^{1 -kλ (q)} = mn (mod q) from mn ^{λ (q)} ≡1 (mod q) for an arbitrary integer mn. Therefore, if (d, k) that satisfies y0 · y1 ··· yn · d + kλ (q) = 1 (Equation 4) is obtained, d becomes the decryption key. On the other hand, Y = y ^hn-h (mod p) = y ^{a0 + a1 +... + An} (mod p) (Equation 5) In this case, Y ・ y0 · y1 ···· yn (mod p) .. Yn + μp (Equation 6) holds. Therefore, when Y is obtained in accordance with Expression 5, and this is substituted into Expression 4, (y-μp) d + kλ (q) = 1 (Expression 7). Here, p = λ (q) is substituted, and k ′ = k−μd
Yd + k′λ (q) = 1 (= gcd (p, y)) (Equation 8) Solving this with the extended Euclidean algorithm,
(D, k ') is obtained. For any integer k ', k' =
Since there is always k that satisfies k-μd, a decryption key K = d can be obtained by taking any value of d obtained here. The key management server transmits the decryption key K thus obtained to the receiving unit 31 by a secure method. For example, a key distribution method using public key encryption can be used.

The receiving unit 31 uses the decryption key K received from the key management server 41 to decrypt the encrypted information mn. Received encrypted data mn, key K, mn between the plain data ^{m K = {m y0y1 ... yn} } K = m (1-kλ (q)) of ≡m (mod q) (Equation 9) The relationship holds. Therefore, the receiving unit 31 can decrypt the received encrypted information mn by raising it to the K-th power on Z ^* _q to obtain the original information m.

As described above, it is possible to obtain the decryption key corresponding to the information distribution route, to decrypt the distributed encrypted information using the decryption key, and to obtain the content of the information. become. In this example, since the number a is independently generated and encrypted for each router, the receiving unit (for example, the receiving unit shown in FIG. 1) that receives information distribution from the same final stage router via the same path The units 31 to 34) use the same decryption key. However, in a receiving unit (for example, the receiving unit 35 in FIG. 1) that receives information via a different path, even if a pulsating packet or a decryption key leaks, the encryption processing for each router cannot be decrypted. Can not get. In this way, security can be maintained for the distribution of the decryption key to the receiving units having different paths.

Here, h (n-1) and hn can be obtained by monitoring the pulse packet one upstream.
Can be easily estimated. However, y is because it is secret to all of the ^recipients, y ^an do not know. Therefore, even if the key holder of the upstream network and the key holder of the adjacent network are collaborated, a decryption key is not generated. In addition, it is as safe because there is y ^-an do not know even if collusion with the key holder of the downstream of the network.

In the receiving section, q, K, h + a0
+ A1 + ‥‥ + an. From this condition,
Consider whether the malicious recipient can know the plaintext h. To find the plaintext h from the decryption key K, a0 + a1 +.
It is necessary to find + an. However, from the decryption key K to a0
To find + a1 +... + An, it is very difficult for the receiver to solve the discrete logarithm problem after obtaining y which is kept secret in some way. Therefore, it is possible to prevent the receiver having the decryption key K from spreading the plaintext h. Further, as described above, an is easily estimated by monitoring the pulse packet one upstream, but since y is secret to the receiver, it can be collated with the key holder of the upstream network. No decryption key can be created.

Further, consider a case in which key holders of different networks collude. For simplicity, 1,
.., N−1, the same route is taken, and a case is considered in which the n-th router is a collusion of key holders on two different networks. In the following, parenthesized subscripts are added to the right shoulder to distinguish the parameters of the two routers in the n-th stage. For example, when the random numbers generated by the two n-th routers are an ⁽¹⁾ and an ⁽²⁾ , hn ⁽¹⁾ = h + a0 + a1 + ‥‥ + a (n−1) + an ⁽¹⁾ (Equation 10) hn ⁽²⁾ = h + a0 + a1 + ‥‥ + a (n−1) + an ^{(2) From} (Equation 11), hn ^(1,2) = hn ⁽¹⁾ −hn ⁽²⁾ = an ⁽¹⁾ −an ⁽²⁾ I get it. Also, assuming that the respective decryption keys are K ⁽¹⁾ and K ⁽²⁾ , K ⁽¹⁾ = 1 / (y0y1... Yn ⁽¹⁾ -μ ⁽¹⁾ p) (mod q) (Equation 12) K ^{( 2)} = 1 / (y0y1... Yn ⁽²⁾ -μ ⁽²⁾ p) (mod q) (Equation 13), K ⁽²⁾ / K ⁽¹⁾ = (y0y1... Yn ⁽¹⁾ −μ ^{( 1)} p) / (y0y1... Yn ^{(2 )} -μ ⁽²⁾ p) (mod q) (Equation 13). However. μ ⁽¹⁾ and μ ⁽²⁾ are unknown and hn
Even if it is simultaneous with ^(1,2) , it is not possible to solve algebraically for h and y. Thus, collusion between key holders on different networks does not create a decryption key for a third party under another router.

Further, consider a case where contents are scattered. If a part of the content is scattered across the network, a receiver without a decryption key can obtain a ciphertext / plaintext pair. Also in this case, it is difficult to obtain y0y1... Yn from the set of the ciphertext mn and the plaintext m because of the discrete logarithm problem. The decryption key is y0y1
.. Yn, it is difficult to find the decryption key K from the ciphertext mn and the plaintext m.

As described above, according to the multicast communication method of the present invention, even if various types of fraud are performed, the security of the entire multicast communication is not threatened and information can be safely distributed.

In the above description, it has been described that the distribution route is specified. However, the transfer route of information on the Internet is changed autonomously and dynamically by a router. As described above, in the multicast communication method of the present invention, when the route of information to be distributed changes, the encryption key depending on the route also changes. So, in order for the receiver to continue decoding multicast traffic even if there is a route change,
Key update work is required simultaneously with route change. However, as described below, the multicast communication method of the present invention as described above can easily cope with a case where the distribution route is changed.

FIG. 5 is an explanatory diagram of a case where the receiving unit responds to the change of the distribution route. In the figure, 71 is a transmitting unit, 7
2 to 76 are routers, 77 is a receiving unit, and 78 is a key management server. Each function is the same as in FIG. In FIG. 5, the routers 74 and 76 and the receiving unit 77 are connected to the same subnet, and as shown in FIG.
Is distributing multicast information. here,
As shown in FIG. 5B, a router that distributes multicast information to this subnet is
An example in which the receiving unit 77 responds to the case of changing to will be described.

First, it is necessary to detect that the distribution route has been changed. The router 76 independently generates an 'before transmitting information to the subnet, and sends the pulsation packet h + a0 + ‥‥ + an' to the receiving unit 77. On the other hand, the receiving unit 77 outputs the latest beat packet h + a0
By storing + ‥‥ + an and comparing it every time a pulsation packet is received, a router change can be detected.

Next, the decryption key is changed. For this purpose, the receiving unit 77 outputs the newly received h + a0 + ‥‥ + an ′
Is sent to the key management server 78 to request the decryption key K ′. The key management server 78 performs the above calculation, and immediately sends the decryption key K ′ corresponding to a0 + ‥‥ + an ′ back to the receiving unit 77. In this way, the receiving unit 77 can obtain the decryption key K ′ corresponding to the new distribution route, decrypt the cipher text mn ′ sent from the router 76, and obtain the distributed content.

As described above, when the distribution route is changed, a new pulsation packet is sent to the receiving unit using the route, and the receiving unit obtains a new decryption key. Thereafter, the distribution of information can be continuously received.

FIG. 6 is an explanatory diagram of a case where a router responds to a change in the distribution route. In the figure, 81 is a transmission unit, 8
2 to 87 are routers, and 88 is a key management server. Each function is the same as in FIG. In FIG. 6, the router 84,
It is assumed that the routers 86 and 87 are connected to each other, and the router 84 distributes multicast information to the router 87 as shown in FIG. Here, a case where the router that distributes the multicast information to the router 87 is changed from the router 84 to the router 86 as shown in FIG. 6B will be described.

First, a change in the distribution route is detected. Before distributing the information to the subnet, the router 86 independently generates a'n 'unique to the router 86, and outputs the pulsating packet h
+ A0 + ‥‥ + a'n 'is sent out. On the other hand, the router 87
Stores the latest beat packet h + a0 + ‥‥ + an, and can detect a router change by comparing it with each beat packet.

The router 87 which has detected the change of the distribution route,
A (n, n ') = (h + a0 +... + An)-(h + a0)
+ ... + a'n '), and sends an encryption key request packet to the key management server 88 together with a (n, n'). The key management server 88 immediately returns ^{ya (n, n ')} as an encryption key. After this,
The router 87 distributes mn ′ ^{y (a (n, n ′)) y (n + 1)} downstream. Here, y (a (n, n ')) = ya ^{(n, n')} , y
(N + 1) = ya ^{(n + 1)} . This allows the router 8
7, the update of the decryption key becomes unnecessary.

Because, on the route from the transmission unit 81 to the router 87, if the router 82 corresponding to the branch point where the distribution route is changed is the j-th router, a (n, n ′) = ｛hj + (A (j + 1) + ... + a
n) {-{hj + (a '(j + 1) + ... + a'n')}
= (A (j + 1) + ... + an)-(a '(j + 1) + ...
+ A'n '). On the other hand, ^{mn'y (a (n, n '))} = ( ^{mjy' (j + 1) '... y'n'} )
^{y (a (n, n 'from)),} by substituting ^{mn' y (a (n,} n ')) = mj y (j + 1) ... is ^yn = mn. Therefore, mn'y ^{(a (n, n ')) y (n + 1)} = mny ^{(n + 1)} = m (n + 1). Thus, downstream of the router 87, even after the path is switched, decryption can be performed using the same decryption key as before the switching. For this reason, the receiving unit can receive the distribution information as it is even when the distribution path is switched.

In the multicast communication, when a member of the multicast group leaves, the decryption key of the traffic must be updated. This is to prevent the withdrawal member from intercepting the multicast communication of the group thereafter. Conventionally, there has been proposed a method of delivering an updated group key to all remaining members of a multicast group by unicast communication. However, with this approach, as the size of the network grows,
Increased delay and traffic between recipients in key distribution.
On the other hand, by using the above-described multicast communication method of the present invention, such a key update can be limited to a receiver belonging directly to the network to which the member who has withdrawn. Therefore, the delay of the updated key distribution and the increase in traffic can be reduced.

A method for locally updating a group key will be described below by taking the configuration shown in FIG. 1 as an example. Here, it is assumed that the receiving unit 34 immediately below the router 24 has left the multicast group. It is assumed that the router 24 has performed encryption using the unique value an.

First, the key management server 41 knows that there has been an unsubscription. Then, the key management server 41 sends a key update request to the router 24. On the other hand, the router 24 updates the unique secret value an to a'n. Upon updating, a new beat packet h (n-1) + a'n is immediately sent downstream.

Members other than the withdrawal member (receiving units 31 to 3)
3), upon receiving the beat packet h = h (n-1) + a'n, detects that the encryption key has been changed. Then, the pulsation packet h (n-n-
1) Send a new decryption key request containing + a'n. The key management server 41 immediately calculates and returns a new decryption key K ′.

The router 24 uses the new unique value a'n to encrypt and distribute the multicast information as m (n-1) ^{y (a'n)} . The receiving units 31 to 33 may decrypt the distributed information using the new decryption key K ′. It should be noted that the receiving unit 34 cannot receive the new pulsating packet or receives it and sends a new decryption key to the key management server 4.
Since a new decryption key is not issued even if request is made to 1, the distribution of information cannot be received thereafter.

In this method, even if there is an unsubscribe immediately below the router 24, it is not necessary to update the key of the entire multicast traffic. Also, in this example, there is no router downstream of the router 24 that performed the key update, but if it exists, the router n + 1 downstream may or may not perform the key update. . In this case, if the encryption key is updated in the same procedure as when the route is changed by the router, the key update is unnecessary downstream of the router n + 1. If the encryption key is not updated by the router n + 1, the above-described decryption key update may be performed downstream.

As described above, when the multicast communication method of the present invention is used, multicast group key management can be performed independently for each segment divided by the router. Therefore, the key management over the entire group becomes unnecessary, and the group key distribution problem over a wide area can be solved.

[0065]

As is apparent from the above description, according to the present invention, since each relay point on the route independently encrypts using a different key, it is possible to disperse keys and to disclose plaintext and ciphertext. Can limit the damage caused by fraudulent activities locally,
This has a special effect that the security of the entire multicast communication is not threatened. Also, the receiver does not need to perform the decryption process corresponding to the encryption by each relay point,
A plaintext can be obtained by one decryption process. Further, the key update may be performed locally when the member leaves, and the traffic volume associated with the key update can be significantly reduced. Furthermore, when a change in the distribution route occurs, it is possible to easily cope with the change at the relay point, and there is no need to change the encryption key and the decryption key downstream from the relay point. Can be continued.

[Brief description of the drawings]

FIG. 1 is a block diagram illustrating an example of a communication system that realizes an embodiment of a multicast communication method according to the present invention.

FIG. 2 is a flowchart illustrating an operation of a transmission unit according to the embodiment of the present invention.

FIG. 3 is a flowchart illustrating an operation of a receiving unit according to the embodiment of the present invention.

FIG. 4 is an explanatory diagram of a specific example of an encryption method.

FIG. 5 is an explanatory diagram of a case where a change in a distribution route is handled by a receiving unit.

FIG. 6 is an explanatory diagram of a case where a router responds to a change in a distribution route.

[Explanation of symbols]

11: transmission unit, 21 to 28: router, 31 to 35: reception unit, 41: key management server, 71: transmission unit, 72 to 76 ...
Router, 77: receiving unit, 78: key management server, 81: transmitting unit, 82 to 87: router, 88: key management server.

──────────────────────────────────────────────────続 き Continued on the front page (51) Int.Cl. ⁷ Identification symbol FI Theme coat ゛ (Reference) H04L 12/56 H04L 11/20 102A 12/22 11/26

Claims (4)

[Claims] 1. A multicast communication method for distributing encrypted information from a transmission source to a plurality of reception destinations via one or more relay points, wherein the transmission point uses an independently generated value a at the transmission point. the predetermined value y given by the original computes a squared value y ^a, the received encrypted information to multiply y ^a, encrypted by modulo operation with the result given from the source value q A multicast communication method, comprising: 2. The transmission source transmits key request information in advance, the relay point adds the value a to the key request information and transmits the key request information, and the reception destination decrypts the key request information from the received key request information. 2. The multicast communication method according to claim 1, wherein a plaintext is obtained by a single decryption process using the decryption key that has obtained a key and encrypted information. 3. When the information is not delivered to at least one of the receiving destinations, at least one of the relay points to which the receiving destination that does not deliver the information is connected receives the independently generated value a. 3. The multicast communication method according to claim 2, wherein the key request information is changed and distributed to the relay point and thereafter. 4. The relay point, when the key request information is changed due to a route change, acquires an encryption key based on a difference between the key request information before and after the change and encrypts the received information with the encryption key. 4. The multicast communication method according to claim 1, further comprising raising to y ^a , and performing a remainder operation for encryption.