JP2004007512A - Public key certificate providing device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a method for surely and efficiently issuing a disposable anonymous public key certificate to an IPv6 apparatus capable of IPv6 communication. <P>SOLUTION: A host 206 makes communication with a gateway 202 or a DHCP server 203 to determine an IPv6 address and receives a public key certificate from the gateway 202 or the DHCP server 203, and also transmits the public key certificate including the IPv6 address to a communication opposite party. The host 206 receives a new public key certificate from the gateway 202 or the DHCP server 203 to realize privacy protection and transmits the public key certificate including the IPv6 address to the communication opposite party to prevent impersonation. <P>COPYRIGHT: (C)2004,JPO

Description

[0001]
TECHNICAL FIELD OF THE INVENTION
The present invention relates to a providing device that provides a public key certificate.
[0002]
[Prior art]
With the advent of IPv6, a situation has been considered in which a device that could not conventionally be considered to connect to a network connects to the network. For example, an end-user digital camera that can be directly connected to the Internet.
[0003]
In the case of a personal computer or a workstation corresponding to IPv6, Ethernet (R) is usually used as an interface for connection to a network, and an IPv6 address is configured based on an IEEE identifier (MAC address) of the personal computer or workstation. It has become.
[0004]
As will be described later, there are three types of IPv6 addresses: a link local address, a site local address, and (aggregatable) a global address.
[0005]
Address systems such as details and a configuration method thereof are described in RFC 2373 @ IP Version 6 Addressing Architecture, `` RFC 2374 @ An IPv6 Aggregatable Global Global Unicast Address Dictionary &lt;&lt;&apos;&gt; 2450 @ Proposed TLA and NLA Assignment Rule, "RFC 2461 @ Neighbor Discovery for IP Version 6 (IPv6)," RFC 2462 @ IPv6 State Audition, etc.
[0006]
By the way, when information corresponding to one-to-one is fixedly used in hardware such as IEEE identifier (MAC address), it is regarded as information corresponding to one-to-one with a device or a user of the device, and its address is considered. There is a strong possibility that privacy will be violated by monitoring communications that use.
[0007]
To solve this problem, a method of generating a random IPv6 address (accurately, an interface ID) has been proposed in RFC3041 {Privacy Extensions for Stateless Address Autoconfiguration in IPv6, ″, and the like.
[0008]
If the generated random value is already used, a protocol (extension) for detecting the random value, calculating / generating another random value, and defining a unique random value is also described.
[0009]
When the device uses a random IPv6 address generated by using the above-described solution, it is assumed that encrypted communication is performed using IPsec.
[0010]
IPsec is a protocol in which two devices on the Internet share secret data that no one else knows, and perform encryption and authentication based on the secret data. In communication, the secret data and each other's IPv6 address are secured. Need to share to. Data such as confidential data and each other's IPv6 address is called SA (Security Association).
[0011]
A protocol for securely sharing an SA is called IKE (Internet Key Exchange), and is defined in RFC2409 "The Internet Key Exchange (IKE)". Here, the meaning of safely sharing the SA means that the SA is securely shared only with the intended partner, and it is necessary to reliably authenticate the partner. IKE includes 1) a method using a pre-shared key, 2) a method using a digital signature, 3) a method using encryption using public key encryption, and 4) a method using a revised mode of encryption using public key encryption. Two authentication methods are specified.
[0012]
However, considering a situation in which privacy protection (information that does not reveal identity) is realized, for example, in a case where a user performs IPsec communication with a shopping site, it is predetermined from the viewpoint of the shopping site. Since it is actually impossible to share the pre-shared key with an unspecified number of communication partners prior to the IPsec communication, the method using the pre-shared key cannot be used.
[0013]
In the case of other methods, IKE can be executed between an unspecified number of communication partners if information necessary for using digital signatures or public key encryption (in many cases, a public key) can be reliably obtained. It is. The most promising for that purpose is an environment and mechanism called PKI (Public-Key Infrastructure), and a public key certificate plays a central role in the environment and mechanism.
[0014]
The public key certificate is used by a trusted third party to confirm the correspondence between an entity (communicating entity, computer or human) and the public key of the entity, and to publish the entity's ID information etc. A digital signature issued by a trusted third party to a key set. A trusted third party is called a CA (Certification Authority), and a public key for verifying the validity of a digital signature of the CA is widely and generally known.
[0015]
However, since the public key certificate currently in operation includes ID information indicating its owner (Subject), for example, FQDN (Fully Qualified Domain Name), privacy protection cannot be realized as it is.
[0016]
A method of not including the owner's ID information in the public key certificate is also considered, and is called an anonymous public key certificate.
[0017]
However, the anonymous public key certificate has the same problem as the above-mentioned IEEE identifier (MAC address). In other words, as long as the same anonymous public key certificate is used, it is possible to link a plurality of communications (such as IPsec based on the public key certificate), and the correspondence between the anonymous public key certificate and its owner even once. When privacy becomes evident, privacy is violated, so the degree of privacy protection is also weak.
[0018]
With respect to the above problem, for example, if it is possible to use different IPv6 addresses and anonymous public key certificates when communicating with different communication partners, it is considered that strong privacy protection can be realized. These are called disposable IPv6 addresses and disposable anonymous public key certificates. There are several possible disposable intervals, such as using a new disposable IPv6 address each time the communication partner changes, or changing it for each packet.
[0019]
[Problems to be solved by the invention]
However, regarding the disposable IPv6 address, the above-mentioned RFC3041 @ Privacy Extensions for Stateless Address Autoconfiguration in IPv6, '' is known, but it is to a device capable of IPv6 communication (hereinafter, referred to as an IPv6-compatible device). There is no known method for efficiently and reliably issuing disposable anonymous public key certificates.
[0020]
In addition, there are the following problems. That is, when the ID information of the communication partner is not known, the identification of the communication partner is performed only by the IP address. However, for example, packets transmitted and received on an Ethernet LAN can be accessed by all nodes on the LAN, so that the entity A and the entity B should originally communicate with each other. C with A can pretend to be A. That is, in order to perform IPsec communication based on a disposable anonymous public key certificate between A and B, when A's public key certificate is sent to B, A's public key certificate is replaced with C's. Then C can be impersonated as A.
[0021]
If a DNS (Domain Name System) server or router is subjected to a DoS (Denial of Services) attack on a server or router, and a fake DNS server or router gives false information during the attack, a broader range is not limited to the LAN. Impersonation is also possible. If the ID of the communication partner is known, it could be dealt with by confirming it, but a method of preventing this kind of attack in a situation of high anonymity as described above has not been known until now.
[0022]
Another object of the present invention is to enable a public key certificate issuer to easily confirm the uniqueness of an IPv6 address used by an IPv6-compatible device, and to issue a public key certificate on the basis thereof. is there.
[0023]
It is another object of the present invention to efficiently and reliably issue a disposable anonymous public key certificate including an IPv6 address in a certification target, that is, quickly issue a certification target without mistake.
[0024]
Another object of the present invention is to perform IKE and IPsec communication using a disposable anonymous public key certificate including an IPv6 address as a certification target.
[0025]
Another object of the present invention is to make it possible to efficiently realize IPsec communication including a random IPv6 address and using a different anonymous public key certificate each time, to realize strong privacy protection, and to prevent spoofing. It is to be.
[0026]
[Means for Solving the Problems]
In order to solve the above problem, the invention according to the present application is characterized in that an IPv6-compatible device existing in a local link where an IPv6-compatible device is located is operated as a public key certificate issuer.
[0027]
BEST MODE FOR CARRYING OUT THE INVENTION
(First Embodiment)
In the present embodiment, a case where a host connects to the Internet via an Ethernet LAN is described. First, the present situation will be described, and then this embodiment will be described.
[0028]
FIG. 2 schematically shows a connection environment to which the present invention is applied (an environment in which a host connects to the Internet via an Ethernet LAN).
[0029]
FIG. 2 shows an environment in which hosts 204, 205, and 206 connected to a LAN access the Internet 201 via a default gateway (gateway) 202. In the present embodiment, it is assumed that each host is connected by a link 207, and the link 207 is specifically an Ethernet (R). A link is a piece of equipment or media through which devices connected to it can communicate, and touches below the IP layer. In addition to Ethernet (R), PPP links, X. 25, frame relay and ATM networks.
[0030]
An IPv6-compatible device connected to the link is called a node.
[0031]
FIG. 3 shows a typical example of the internal configuration of the node.
[0032]
A node has a router and a host, and the router forwards packets not addressed to itself, but the host does not. As can be seen from FIG. 3, the node 300 includes a network interface 301, 302, CPU 303, ROM 304, RAM 305, HD (hard disk) 306, power supply 307, keyboard / pointing device interface 308, monitor interface 309, bus 310, and the like. Computer.
[0033]
A router often has one network interface 301 while a router has a plurality of network interfaces 301 and 302. The hosts 204, 205, and 206 communicate with other nodes connected to the link 207 via the network interface 301 via the link 207, or with a site on the Internet 201 via the gateway 202. The default gateway 202 communicates with another node connected to the link 207 via the network interface 301 and communicates via the Internet 201 via the network interface 302. Some nodes do not have an HD.
[0034]
The following processing contents (procedure) are realized as an apparatus or a program, and are executed by a node having the apparatus, or executed by a node in which the program is stored in the ROM 304 or the HD 306. For example, when implemented as a program, the CPU 303 reads the program and assigns an address to the interface 301 via the bus 310 while using the RAM 305 as a space for calculation as necessary. Such operation is performed.
[0035]
Here, the essence of the procedure will be described, such as the node 300 assigning an address to an interface.
[0036]
In this embodiment, a mechanism of a protocol in which each host acquires a prefix of an IPv6 global address and an address of a default gateway 202 in an Ethernet (R) LAN environment will be briefly described, and then a specific embodiment of the present invention will be described. An embodiment will be described.
[0037]
FIG. 8 shows a flowchart of an operation performed when the node 300 connected to the link 207 in FIG. 2 is powered on or rebooted. This operation is called DAD (Duplicate Address Detection). Hereinafter, the processing contents until the node 300 finishes the DAD will be described along the flow of FIG.
[0038]
After the power of the node 300 is turned on or rebooted in step S801, first, the interface ID (see FIG. 5) is obtained from the Ethernet (MAC) address (MAC address) (see FIG. 4) assigned to the interface 301. It is created and used as a tentative link-local address (see FIG. 6) (step S802).
[0039]
Next, the node (host) 300 performs the following processing to determine whether the tentative link-local address is unique on the link.
[0040]
First, the interface 301 is initialized. That is, an all-nodes multicast address (FF02 :: 1) and a solicited-node multicast address of the tentative link-local address are assigned to the interface 301 (see FIG. 7). As a result, when the interface 301 finds a packet addressed to the all-nodes multicast address or a packet addressed to the committed-node multicast address of the tentative link-local address, the interface 301 receives it as a packet addressed to its own interface.
[0041]
Assigning the former (all-nodes multicast address) makes it possible to receive data from other nodes that are already using that tentative link-local address. In addition, by allocating the latter (a solicited-node multicast address of the tentative link-local address), it is possible to detect the presence of another node that is trying to use the same tentative link-local address at the same time.
[0042]
The solicited-node multicast address of a certain tentative link-local address is defined as the page 91 of RFC2461 and the lower 24 bits of the tentative link-local address are prefixed with FF02: 0: 0 as defined in page 91 of RFC2461. This is data added to FF00 :: / 104, which is link-local scope multicast address. 6 and 7 show the relationship between them. The above address assignment is step S803 in FIG.
[0043]
Next, a Neighbor Solicitation message is created. The target address (target address) of the Neighbor Solicitation message is a tentative link-local address to be determined, the IP source (source address) is unspecified address (the address of all 128 bits is 0), and the unspecified address (all 128 bits are 0). Set the targeted-link multi-address of the tentative link-local address to be determined.
[0044]
This Neighbor Solicitation message is transmitted to the Ethernet (R) (link) 207 by DupAddrDetectTransmits at an interval of TransTimer milliseconds. Step S804 in FIG. 8 is this processing.
[0045]
If the source address is unspecified address, the node that has received the Neighbor Solicitation message determines that the message is data from a node performing DAD.
[0046]
In the case where a plurality of nodes are performing DAD for the same address at the same time, a plurality of nodes to which a tentative link-local address of the "solicited-node multicast address" is assigned include a plurality of Neighboring Neighborhoods including the same address in the Target Address. (The Neighbor Solicitation message sent by itself and the Neighbor Solicitation message sent by another node performing DAD for the address at the same time). In that case, no node uses that address.
[0047]
If the received Neighbor Solicitation message is sent by itself (because a multicast packet is looped back), it indicates that there is another node that uses or intends to use it. Absent. When receiving Neighbor Solicitation messages including the same address in the Target Address in addition to the Neighbor Solicitation message sent by itself, it is determined that a plurality of nodes are simultaneously performing DAD for the same address.
[0048]
On the other hand, if the node that has received the Neighbor Solicitation message has already used the address included in the Target Address of the message, the target address is set to the Target Address (target address). -Return to nodes multicast address. Therefore, the node that sent the Neighbor Solicitation message receives an a multicast Neighbor Advertisement addressed to the all-nodes multicast address, and in the case where the target address is 8 in the case of the target of step 8 in the case where the target address is "8", the target address is "8". ) Indicates that the tentative address to be determined is not unique (that is, overlaps).
[0049]
As a result of the above DAD, it is confirmed that the tentative link-local address to be determined is unique on the link (in the case of “No” in step S805 of FIG. 8), the address is set as the link local address and the interface is used. Assign to 301. This is step S806 in FIG. Thus, the DAD is completed.
[0050]
The above-described operation of FIG. 8 is performed in such a manner that the default gateway 202, the DHCP server 203, the host 204, the host 205, and the host 206, which are the nodes connected to the link 207 of FIG. For 301, it can be performed.
[0051]
After allocating the link local address to the interface 301, the host in FIG. 2, for example, obtains information (referred to as Router Advertisement) necessary for determining the site local address and the global address from the default gateway 202. Try. This operation is shown in FIG.
[0052]
The default gateway 202 is usually called a router, and will be referred to as a router 202 below. The router 202 is set as required by an administrator, and periodically sends a Router Advertisement to the link 207. If the host 206 wants to obtain the Router Advertisement early, the host 206 sends data called Router Solicitation to the router 202. Since the host 206 does not know the existence of the router 202 immediately after assigning the link local address, the Router Solicitation is actually sent as a multicast to all the routers on the link 207. Step S901 in FIG. 9 shows this processing.
[0053]
The router 202 that has received the Router Solicitation sends a Router Advertisement. As shown in the case of “Yes” in step S902 in FIG. 9, the host 206 that has received the Router Advertisement message that specifies only the Stateless address autoconfiguration receives the validity of the prefix in the received message (already used by the device). Is confirmed, and an address created by adding an appropriate interface ID to them is set as a site local address or a global address and assigned to the interface 301. Step S903 in FIG. 9 is this processing.
[0054]
As shown in the case of “No” in step S902 of FIG. 9, when the host 206 does not receive the Router Advertisement that specifies only the stateless address autoconfiguration, the following two cases are performed. If a Router Advertisement that specifies both Stateless address autoconfiguration and stateful address autoconfiguration is received (Yes in step S904), and if Router Advertisement is not received in step S904, then step S90 is not received. In the latter case, stateful address autoconfiguration, that is, only DHCPv6 is executed. This is step S906, the details of which are shown in FIG.
[0055]
Necessary settings are made for the DHCP server 203 by an administrator. Specifically, its own link local address is assigned to the network interface 301 as a node, and a prefix or the like for a site local address or a global address necessary for acting as a DHCP server is set.
[0056]
In step S1001 of FIG. 10, the host 206 sends a DHCP Solicit Message to the DHCP server. Since the host 206 does not know where the DHCP server 203 exists, the host 206 sends the multicast to the link 207 as a multicast to the DHCP server 203. When the DHCP server 203 is located on a link (not shown) different from the link 207 to which the host 206 is connected, the DHCP Solicit Message is actually relayed by a DHCP relay (not shown) and reaches the DHCP server 203. .
[0057]
The DHCP server 203 that has received the DHCP Solicit Message returns a DHCP Advertise Message to the host 206 as a response to the DHCP Solicit Message. This reaches the host 206 (relayed by a DHCP relay in the case of another link). This is step S1002. At this point, the host 206 knows the address of the DHCP server 203.
[0058]
Next, the host 206 sends a DHCP Request Message to the DHCP server 203 in step S1003. Upon receiving the DHCP Request Message, the DHCP server 203 sends a DHCP Reply Message to the host 206.
[0059]
The host 206, which has received the DHCP Reply Message in step S1004, determines a site local address or a global address therefrom, and performs processing necessary for the DAD processing in order to confirm whether or not the interface ID in the address is duplicated. Perform That is, similarly to step S803, a multicast address or the like is set to the interface 301. This is step S1005.
[0060]
Next, the same Neighbor Solicitation Message as in step S804 is sent in step S1006, and it is determined in step S1007 whether or not a Neighbor Advertisement Message is received. If received, the address is duplicated, so the process returns to step S1003 to receive another address from the DHCP server 203, and the same processing is repeated.
[0061]
If the host 206 does not receive the Neighbor Advertisement Message in step S1007 of FIG. 10, the address is not duplicated, and the host 206 assigns the site local address or global address determined from the DHCP Reply Message to the interface 301 in step S1008.
[0062]
This is the end of step S906 in FIG. If no Router Advertisement is received in step S904, the process ends normally.
[0063]
If a Router Advertisement message that specifies both stateless address autoconfiguration and stateful address autoconfiguration is received in step S904, stateless authentication in both step S905 is performed. The processing content is the same as steps S903 and S906.
[0064]
As described above, the host 206 having the Ethernet (R) 207 as an interface can apply the stateless address autoconfiguration and the stateful addressautoconfiguration (DHCPv6) in an arbitrary combination to form a link local address, a site local address, a global address, a default gateway, and the like. Can be set automatically.
[0065]
In the above protocol, using a random value for the interface ID, performing DAD on the value, and confirming the uniqueness of the link 207, the prefix of the global address obtained from the gateway 202 or the DHCP server 203 is obtained. A single use IPv6 global address can be used in combination. The details are described in RFC3041 {Privacy Extensions for Stateless Address Autoconfiguration in IPv6, ″.
[0066]
Next, an embodiment of the present invention will be described. A protocol for extending the above-described operation (protocol) to enable use of a disposable anonymous public key certificate will be described. First, an example of an anonymous public key certificate will be described, and then a protocol for efficiently issuing the certificate will be described.
[0067]
Anonymous public key certificate, the academic Kazuomi Oishi, Masahiro Mambo, Eiji Okamoto, `` Anonymous Public Key Certificates and their Applications '' IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, E81-A, 1, pp . 56-64, 1998, the concept and a concrete realization method are proposed, and the basic realization method is also disclosed in US Pat. No. 6,154,841. In these schemes, the anonymity of the user of the certificate was kept computationally complex. As a method of providing stronger anonymity, a method of realizing an anonymous public key certificate having informational anonymity is described in Kazuomi Oishi, @Unconditionally anonymous public key certificates, '' The 2000 Symposium ryptography Society, SCIS2000-C32, 2000.
[0068]
In the present invention, any method described in the above-mentioned papers, Kazuomi Oishi, Masahiro Mambo, Eiji Okamoto, {Anonymous Public Key Certificates and their Applications} can be used. If the inefficiency can be tolerated, it is also possible to use Scheme 1, Scheme 2, and Scheme 3 in the above-mentioned paper, which are also included in the present invention. In the present embodiment, an embodiment using an anonymous public key certificate system having computational anonymity will be described. For details, reference is made to the above-mentioned document. The protocol of the present embodiment will be described after defining and introducing necessary symbols and the like for the sake of explanation.
[0069]
The entity CA that issues the anonymous public key certificate determines large prime numbers p and q as common parameters. q divides p-1. A generator g of the order q and a hash function H are determined. A secret random number s_ca (1 or more and q or less) is generated, and v_ca = g ＾ (s_ca) mod p is calculated. Here, A = (B) ＾ (C) mod D represents a calculation in which a value obtained by raising B to the power C is divided by D with respect to the integers A, B, C, and D, and the remainder is A. The entity CA publishes p, q, g, H, and v_ca. On the other hand, the entity i using the anonymous public key certificate generates a secret random number s_i (1 or more and q or less) and calculates v_i = g ＾ (s_i) mod p.
[0070]
s_ca and s_i are called a secret key, v_ca and v_i (and public parameters) are called a public key, and the secret key is managed so that it cannot be known to anyone except yourself.
[0071]
When starting using the anonymous public key certificate, the entity i registers its own entity name (user name), password, and public key v_i in the entity CA. The entity CA confirms the identity of the entity i by physical means or the like as necessary, and stores the presented entity name (user name), password, and public key v_i.
[0072]
When issuing an anonymous public key certificate, the entity CA generates a random number r (1 or more and q or less), and (g ′, v_i ′) = (g ＾ r mod p, (v_i) ＾ (r) mod p ) Is calculated. The above-mentioned public parameters, the expiration date of this anonymous public key certificate, and the management and attribute information of a certificate such as a public key certificate (described later) for the public key v_ca are X, and (g ′, v_i ′) Generate a digital signature for (the hash value of) the message containing X. A digital signature scheme based on the discrete logarithm problem, for example, a Schnorr signature scheme can be used. Here, a secret key s_ca is used. This digital signature is referred to as Sig_ca (g ′, v_i ′, X).
[0073]
The anonymous public key certificate APC_ca (i) issued by the entity CA to the entity i is APC_ca (i) = (g ′, v_i ′, X, Sig_ca (g ′, v_i ′, X)).
[0074]
The entity i to which the anonymous public key certificate APC_ca (i) = (g ′, v_i ′, X, Sig_ca (g ′, v_i ′, X)) is issued, (g ′, v_i ′, X) ) And compute its hash value (eg, H (g ′ | v_i ′ | X), where | indicates concatenation), and Sig_ca (g ′, v_i ′, X) is the correct digital signature for the hash value. Whether or not there is is confirmed using the public key v_ca. Also check v_i ′ = (g ′) ＾ (s_i) mod p. If they can be confirmed to be correct, public key cryptography or digital signature based on the discrete logarithm problem can be used with g ′ and v_i ′ (and common parameter p) as public keys and s_i as a secret key. As described above, the anonymous public key certificate APC_ca (i) includes an expiration date in the management / attribute information X, and the public keys g ′ and v_i ′ included in the anonymous public key certificate APC_ca (i) are the same. Is the public key of the entity i, which is changed over time.
[0075]
The entity which has received the anonymous public key certificate APC_ca (i) = (g ′, v_i ′, X, Sig_ca (g ′, v_i ′, X)) extracts (g ′, v_i ′, X) from the entity , And calculates the hash value, and confirms using the public key v_ca whether Sig_ca (g ′, v_i ′, X) is a correct digital signature for the hash value. If it is confirmed that it is correct, the public key encryption and the digital signature verification based on the discrete logarithm problem are performed using the public keys g ′ and v_i ′ (and the common parameter p).
[0076]
The validity of the public key v_ca itself is confirmed by submitting the public key v_ca to a higher or more widespread entity CA, for example, VeriSign providing a commercial authentication service, and checking the public key v_ca. If you have a public key certificate issued, you can use it to confirm. The management / attribute information X of the anonymous public key certificate includes the public key certificate for the public key v_ca. Using the public key certificate for the public key v_ca, the validity of the public key v_ca itself can be confirmed. This corresponds to constructing the entity CA hierarchically, and can configure a proper PKI (Public-key Infrastructure).
[0077]
In the above description, the signature scheme based on the difficulty of the discrete logarithm problem on the multiplicative group (mod p) has been described. However, a signature scheme based on the difficulty of the discrete logarithm problem on an elliptic curve can be applied. In that case, the same degree of security can be expected with a key having a smaller number of bits than in the case of the multiplicative group, so that the efficiency is higher.
[0078]
A case where the above anonymous public key certificate method is applied to the environment of FIG. 2 will be described.
[0079]
The default gateway 202 or the DHCP server 203 becomes the entity CA that issues the anonymous public key certificate, and the host 206 (or the user who uses it) becomes the entity i that uses the anonymous public key certificate. Alternatively, it is also possible to provide a dedicated CA server that is solely responsible for issuing certificates. In the following, an example will be described in which the default gateway 202 is an entity CA that issues an anonymous public key certificate, and a random IPv6 address is included in the certificate. May be used as the entity CA that issues the certificate, and a random IPv6 address may not be included in the certificate. Here, the default gateway 202 provides the host 206 with the prefix of the IPv6 global address. As described above, the default gateway 202 is often referred to as a router 202 because it is often a router.
[0080]
The administrator of the router 202 determines and publishes the public parameters p and g described above. A public key v_ca as an entity CA that issues an anonymous public key certificate is determined and submitted to a higher-ranking or more widespread CA (209 in FIG. 2), such as VeriSign, which provides a commercial authentication service. Then, a public key certificate for the public key v_ca is issued.
[0081]
The router (gateway) 202 has a role of controlling the transfer of packets, and is operated under the responsibility of an administrator so that inappropriate packets do not enter and exit between the subnet under the control of the router and the outside. In order for a subnet to be connected to the Internet, the administrator of the subnet registers his / her identity with JPNIC (in the case of Japan) and receives an IP address. Therefore, routers in the subnet are expected to have clear management responsibilities and to be costly to operate and manage while taking security into consideration, so they are responsible for the function of the entity CA that issues anonymous public key certificates. It is thought to be suitable to make.
[0082]
When the user i applies for access to the LAN, the user i generates his / her private key s_i using the publicly available parameters p, g, and the like, calculates the corresponding public key v_i, and obtains a user name and a password. The public key v_i is submitted to the LAN administrator (the administrator of the router 202). The LAN administrator (the administrator of the router 202) confirms the identity of the user i, checks the password, and the like in accordance with the operation policy, and permits access. The administrator registers the public key v_i in the RAM 304 or the HD 306 so that the corresponding public key v_i can be searched based on the entity name. It is assumed that the user i manages the public parameters p, g, and the like, and the public key v_i, particularly the secret key s_i, and makes it available to the host 206 safely.
[0083]
FIG. 1 shows a protocol according to the present embodiment, which is executed after the above preparations are made. FIG. 1 shows an entity using an anonymous public key certificate (an IPv6 terminal used by a user i) as a host 206 and a CA issuing an anonymous public key certificate as a router 202, and an anonymous public key certificate performed between them. Is an issuance protocol. That is, the IPv6-capable device 202 existing in the local link 207 where the IPv6-capable device 206 is located is operated as a public key certificate issuer.
[0084]
Since it is necessary to identify an entity in order to issue an anonymous public key certificate, some identification (authentication) protocol is executed between the router 202 and the entity (in this case, the host 206). In the present embodiment, a method based on the following public key cryptosystem will be described as an example. The operation will be described along the flow of FIG.
[0085]
The host 206 generates a Certificate Solicitation in step S101. The Certificate Solicitation is a message requesting an anonymous public key certificate, and is generated in a format that allows the router 202 to understand that the request is for an anonymous public key certificate and that the data includes an interface ID of the host 206. The content is calculated from the entity name (user name), password and serial number. The serial number is, for example, a value obtained by concatenating the IPv6 link local address of the host 206, the IPv6 link local address of the default gateway 202, and the time at that time into one data. In order to prevent a retransmission attack and spoofing, a digital signature (authentication signature) (Sig_i (hash ( Entity name, password, serial number))) are included in Certificate Solicitation.
[0086]
Next, the host 206 sends the Certificate Solicitation to the router 202 via the link 207 in step S102.
[0087]
In step S103, the router 202 searches the RAM 305 or the HD 306 for the public key v_i registered from the entity name (identifier of the communication device (host) 206) included in the Certificate Solicitation received in step S102, and performs authentication using the public key v_i. Confirm the validity of the signature for use. Specifically, an entity name (user name), a password, and a serial number are input to a hash function, a hash value thereof is obtained, and it is confirmed by the public key v_i that the authentication signature is a correct digital signature for the signature.
[0088]
If the authentication is successful, an IPv6 global address is generated from the prefix of the IPv6 global address assigned to the router 202 and the interface ID of the host 206, and an anonymous public key certificate including its lifetime (expiration date, for example, 24 hours). A letter APC_ca (i) is created. Specifically, the certificate management / attribute information X in APC_ca (i) = (g ′, v_i ′, X, Sig_ca (g ′, v_i ′, X)) described above contains an IPv6 global address or Lifetime etc. are included. The lifetime (expiration date) of the IPv6 global address and the expiration date of the anonymous public key certificate are not always the same.
[0089]
Then, in step S104, the router 202 sends a Certificate Advertisement including the prefix of the IPv6 global address, the address of the default router 202, and the anonymous public key certificate APC_ca (i) to the authenticated host 206 via the link 207. In one embodiment of the present invention, the certificate advertisement is encrypted using a registered public key and transmitted.
[0090]
In step S105, the host 206 extracts the prefix from the received Certificate Advertisement, adds an interface ID, generates an IPv6 global address, and checks the validity of the anonymous public key certificate APC_ca (i). As described above, the anonymous public key certificate APC_ca (i) includes an expiration date in the management / attribute information X, and the public keys g ′ and v_i ′ included in the anonymous public key certificate APC_ca (i) are the same. Is the public key of the entity i (host 206), but is changed over time. The host 206 executes the anonymous public key issuance protocol of FIG. 1 every time the communication partner changes, each time the session changes, or each time a communication packet is transmitted, and obtains the public keys g ′ and v_i ′ to be used. change.
[0091]
FIG. 11 shows an operation flowchart of a host of an extended protocol in which the above protocol is combined with the existing transmission and reception protocols of Router Solicitation and Router Advertisement.
[0092]
In step S1101 of FIG. 11, the host 206 transmits a Router Certificate Solicitation Message, which is data including both the Router Solicitation Message sent in step 901 of FIG. 9 and the Certificate Solicitation sent in step S102 of FIG. Send.
[0093]
Also, in step S1102, a Router AdvertisementMessage, which is data containing both Router Advertisement Message received in step S902 in FIG. 9 and Certificate Advertisement received in step S104 in FIG. 1, is received.
[0094]
If the Router Certificate Advertisement Message is received via the link 207, that is, if “Yes” in step S1102, the host 206 proceeds to step S1103, similar to step S903 in FIG. 9, in the Router Advertisement Message in the Router Advertisement Message. Is assigned to the interface 301 as a site-local address or a global address, and an anonymous public key certificate APC_ca including the public keys g ′ and v_i ′ is performed by performing step S105 in FIG. Obtain (i).
[0095]
According to the above protocol, a disposable anonymous public key certificate corresponding to a disposable IPv6 address can be issued to the host 206 simply by increasing data without changing the number of steps of the conventional protocol.
[0096]
When the DHCP server 203 plays the role of the entity CA that issues the anonymous public key certificate instead of the router 202, the same protocol as that in FIG. 1 is executed in step S1106 in FIG. Here, the DHCP server 203 provides the host 206 with the prefix of the global address. In this case, in step S1106 in FIG. 11, the host executes an extended protocol of stateful address autoconfiguration, that is, a protocol for acquiring an address and a certificate from a DHCP server. FIG. 12 shows a flowchart of the operation.
[0097]
The difference from the protocol of FIG. 10 lies in two places: step S1203 and step S1204.
[0098]
In step S1203, data including both the DHCP Request Message sent in step S1003 in FIG. 10 and the data corresponding to the Certificate Solicitation sent in step S102 in FIG. 1 (except that the CA is the DHCP server 203 instead of the router 202) is used. Send a DHCP Certificate Request Message via link 207.
[0099]
Upon receiving the DHCP Certificate Request Message, the DHCP server 203 generates a DHCP Certificate Reply Message, and sends the generated DHCP Certificate Reply Message via the link 207. Here, the DHCP server 203 generates the anonymous public key certificate APC_ca (i) as in S103 of FIG. 1, and prefixes the global address of the DHCP server 203, the address of the DHCP server 203, and the anonymous public key certificate APC_ca. The data corresponding to the Certificate Advertisement (i) and the DHCP Reply Message of step S1004 in FIG. 1 are included in the DHCP Certificate Reply Message.
[0100]
In step S1204, the host 206 receives the DHCP Certificate Reply Message. This DHCP Certificate Reply Message is the DHCP Reply Message received in step S1004 in FIG. 10 and the data corresponding to the Certificate Advertisement received in step S104 in FIG. 1 (the difference is that the CA is not a router but a DHCP server). is there. Therefore, the site local address or the global address is determined from the DHCP Reply Message, and the anonymous public key certificate APC_ca (i) including the public keys g ′ and v_i ′ is obtained.
[0101]
According to the above protocol, a disposable anonymous public key certificate corresponding to a disposable IPv6 address can be issued to the host 206 simply by increasing data without changing the number of steps of the conventional protocol.
[0102]
In the case where both the router 202 and the DHCP server 203 perform the role of CA, this corresponds to the case where a Router Certificate Advertisement Message specifying both stateless and stateful is received in step S1104 in FIG. 11 (in the case of “Yes”), Automatic setting and acquisition of link local address, site local address, disposable IPv6 global address and corresponding disposable anonymous public key certificate, default gateway, etc. by applying the above two extended protocols in any combination. Can be. In this case, the router 202 and the DHCP server 203 correspond to a communication device group that provides a public key certificate.
[0103]
The host 206 executes the protocol for receiving the anonymous public key certificate shown in FIG. 11 every time the communication partner changes, each time the session changes, or each time a communication packet is transmitted, and uses the public key g to be used. 'And v_i' are changed.
[0104]
Although the DHCP server 203 provides a form in which the IPv6 address prefix is provided to the host 206, the form in which the IPv6 address itself is provided eliminates the point that the address is sent instead of the prefix and the host does not need to generate the address. Others are realized by the same protocol except for the following.
[0105]
(Second embodiment)
In the first embodiment, a default gateway (router) / CA authenticates the host, and then sends a Certificate Advertisement including an anonymous public key certificate and a prefix to the host. In the present embodiment, an example will be described in which the transmission of the prefix and the issuance of the anonymous public key certificate are independent.
[0106]
As in the first embodiment, the default gateway 202 or the DHCP server 203 is an entity CA that issues an anonymous public key certificate, and the host 206 (or a user using the same) uses the anonymous public key certificate. Let it be entity i. Alternatively, it is also possible to provide a dedicated CA server that is solely responsible for issuing certificates. In the following, an example will be described in which the default gateway 202 is an entity CA that issues an anonymous public key certificate, and a random IPv6 address is included in the certificate. May be used as the entity CA that issues the certificate, and a random IPv6 address may not be included in the certificate. Here, the default gateway 202 provides the host 206 with the prefix of the IPv6 global address. As described above, the default gateway 202 is often referred to as a router 202 because it is often a router.
[0107]
The administrator of the router 202 determines and publishes the public parameters p and g described above. A public key v_ca as an entity CA that issues an anonymous public key certificate is determined and submitted to a higher-ranking or more widespread CA (209 in FIG. 2), such as VeriSign, which provides a commercial authentication service. Then, a public key certificate for the public key v_ca is issued.
[0108]
When the user i applies for access to the LAN, the user i generates his / her private key s_i using the publicly available parameters p, g, and the like, calculates the corresponding public key v_i, and obtains a user name and a password. The public key v_i is submitted to the LAN administrator (the administrator of the router 202). The LAN administrator (the administrator of the router 202) confirms the identity of the user i, checks the password, and the like in accordance with the operation policy, and permits access. The administrator registers the public key v_i in the RAM 304 or the HD 306 so that the corresponding public key v_i can be searched based on the entity name. It is assumed that the user i manages the public parameters p, g, and the like, and the public key v_i, particularly the secret key s_i, and the host i can safely use it.
[0109]
FIG. 15 shows a protocol according to the present embodiment, which is executed after the above preparations are made. FIG. 15 shows an entity using an anonymous public key certificate (IPv6 terminal used by user i) as a host 206 and a CA that is an IPv6 terminal providing a prefix and issuing an anonymous public key certificate as a default gateway 202. 2 shows an operation flow of an anonymous public key certificate issuance protocol performed between the two. That is, the IPv6-capable device 202 existing in the local link 207 where the IPv6-capable device 206 is located is operated as a public key certificate issuer.
[0110]
Since it is necessary to identify an entity in order to issue an anonymous public key certificate, some identification (authentication) protocol is executed between the router 202 and the entity (in this case, the host 206). In the present embodiment, a method based on the following public key cryptosystem will be described as an example. The operation will be described with reference to FIG.
[0111]
When the host 206 is powered on or rebooted, it generates an interface ID from the MAC address of the network interface (301 in FIG. 3). Further, the host 206 generates a random interface ID by, for example, an algorithm of RFC3041. Then, it generates a link local address in which a predetermined prefix is added to the interface ID generated from the MAC address, and sends a Router Solicitation (RS) to the router (step S1501). The RS is a multicast for all routers on the link as described above.
[0112]
Upon receiving the RS, the router 202 sends a Router Advertisement (RA) (step S1502).
[0113]
The host 206 that has received the RA extracts a prefix included in the RA, and generates a global address (called a public address) from the interface ID generated from the MAC address and the extracted prefix. Also, a disposable IPv6 address (referred to as temporary address) is created from the random interface ID and the extracted prefix. Then, a duplicate address DAD (Duplicate Address Detection) of the public address and the temporary address is performed, the uniqueness of the address in the link is confirmed, and the address is assigned to the interface (step S1503).
[0114]
Next, the host 206 generates a Certificate Solicitation (step S1504). The Certificate Solicitation is a message requesting an anonymous public key certificate, and is generated in a format that allows the router 202 to understand that the host 206 requests the anonymous public key certificate. For example, PKCS # 10 defined in RFC 2986, @PKCS # 10: Certification Request Syntax Specification Version 1.7, '' and RFC2511, @Internet X. 509 Certificate Request Message Format '' and the like define their formats. Although the detailed description of the format is omitted, it is assumed that the Certificate Solicitation is data including a certificate request message and a signature (of the host) for the message.
[0115]
Next, the host 206 sends the Certificate Solicitation to the router 202 via the link 207 (step S1505). At this time, since the host 206 knows the (unicast) address of the router 202, it is possible to perform a unicast.
[0116]
The router 202 searches the RAM 305 or the HD 306 for the public key v_i registered from the entity name (identifier of the host 206 or the name of the user using the host 206) included in the Certificate Solicitation received in step S1505, and uses it. To confirm the validity of the signature. If the confirmation is successful, an anonymous public key certificate APC_ca (i) of the host 206 is created. Specifically, the certificate management / attribute information X in APC_ca (i) = (g ′, v_i ′, X, Sig_ca (g ′, v_i ′, X)) described above contains an IPv6 global address or A life time and the like are included (step S1506).
[0117]
Then, the router 202 sends a Certificate Advertisement including the anonymous public key certificate APC_ca (i) to the authenticated host 206 via the link 207 (step S1507). In one embodiment of the present invention, the certificate advertisement is encrypted using a registered public key and transmitted. At this time, it can be sent as a unicast addressed to the temporary address.
[0118]
The host 206 confirms the validity of the anonymous public key certificate APC_ca (i) from the received Certificate Advertisement (step S1508).
[0119]
FIG. 17 shows an operation flowchart of the host of the extended protocol in which the above-described protocol is combined with the existing stateless address autoconfiguration and stateful address autoconfiguration.
[0120]
When the host 206 is powered on or rebooted, it generates an interface ID from the MAC address of the network interface (301 in FIG. 3). Further, the host 206 generates a random interface ID by, for example, an algorithm of RFC3041. Then, it generates a link local address in which a predetermined prefix is added to the interface ID generated from the MAC address, and sends a Router Solicitation (RS) to the router (step S1701). The RS is a multicast for all routers on the link as described above.
[0121]
As shown in the case of “Yes” in step S1702, the host 206 that has received the Router Advertisement message (RA) that specifies only the Stateless address autoconfiguration extracts the prefix included in the RA, and extracts the interface ID and the interface ID generated from the MAC address. A global address (called a public address) is generated from the extracted prefix. Also, a disposable IPv6 address (referred to as temporary address) is created from the random interface ID and the extracted prefix.
[0122]
Then, a duplicate address DAD (Duplicate Address Detection) of the public address and the temporary address is performed, the uniqueness of the address on the link is confirmed, and those addresses are assigned to the interface (step S1703).
[0123]
Next, the host 206 executes a certificate request and a certificate issuing protocol (step S1707). In other words, the host 206 generates Certificate Solicitation and sends it to the router 202 as shown in steps S1504 and S1505 in FIG. The host 206 receives the Certificate Advertisement from the router 202 and checks the validity of the anonymous public key certificate APC_ca (i) included therein.
[0124]
If no Router Advertisement is received (No in step S1704), only stateful address autoconfiguration, that is, only DHCPv6 is executed. This is step S1706, the details of which are the same as in the protocol of FIG.
[0125]
In step S1704, if a Router Advertisement message that specifies both status address autoconfiguration and stateful address autoconfiguration is received, both step S1705 and stateless authorization coordination are performed in step S1705. The processing contents are the same as those in steps S1703 and S1706.
[0126]
In the above description, the default gateway 202 (router) also serves as the CA. However, in general, the default gateway (router) and the CA are not necessarily the same as the IPv6 device. FIG. 16 shows an operation flow in the case where the default gateway (router) and the CA are different IPv6 devices.
[0127]
The administrator of the CA determines and publishes the public parameters p, g, and the like described above. A public key v_ca as an entity CA that issues an anonymous public key certificate is determined and submitted to a higher-ranking or more widespread CA (209 in FIG. 2), such as VeriSign, which provides a commercial authentication service. Then, a public key certificate for the public key v_ca is issued.
[0128]
When the user i applies for access to the LAN, the user i generates his / her private key s_i using the publicly available parameters p, g, and the like, calculates the corresponding public key v_i, and obtains a user name and a password. Submit the public key v_i to the CA administrator. The CA administrator confirms the identity of the user i, checks the password, and the like according to the operation policy, and permits access. The administrator registers the public key v_i in the RAM 304 or the HD 306 so that the corresponding public key v_i can be searched based on the entity name. It is assumed that the user i manages the public parameters p, g, and the like, and the public key v_i, particularly the secret key s_i, and the host i can safely use it.
[0129]
Note that the administrator of the default gateway (router) 202 and the administrator of the CA may or may not be the same. In FIG. 16, it is assumed that the default gateway 202 (router) and the CA are different IPv6 devices, and the default gateway 202 is set to the IPv6 address of the CA.
[0130]
When the host 206 is powered on or rebooted, it generates an interface ID from the MAC address of the network interface (301 in FIG. 3). Further, the host 206 generates a random interface ID by, for example, an algorithm of RFC3041. As described above, a link local address is generated, and a Router Solicitation extension (RS extension) is sent to the router (step S1601). The RS extension is information in which a message requesting the address of the CA is added to the Router Solicitation, and is a multicast that is addressed to all routers on the link as in the case of the RA.
[0131]
Upon receiving the RS extension, the router 202 sends a Router Advertisement extension (RA extension) (step S1602). RA extension is information in which the address of a CA is added to Router Advertisement.
[0132]
The host 206 that has received the RA extension extracts the prefix included in the RA, and generates a global address (public address) from the interface ID and the prefix generated from the MAC address. Further, a disposable IPv6 address (referred to as a temporary address) is created from the random interface ID and the prefix. Then, a duplicate address DAD (Duplicate Address Detection) of the public address and the temporary address is performed, the uniqueness of the address in the link is confirmed, and those addresses are assigned to the interface. The address of the CA is extracted from the RA extension (step S1603).
[0133]
Next, the host 206 generates a Certificate Solicitation (step S1604), and sends the Certificate Solicitation to the CA (step S1605).
[0134]
The CA searches the RAM 305 or the HD 306 for the registered public key v_i from the entity name (identifier of the communication device (host) 206) included in the Certificate Solicitation received in step S1605, and uses it to confirm the validity of the signature. . If the confirmation is successful, an anonymous public key certificate APC_ca (i) of the host 206 is created. Specifically, the certificate management / attribute information X in APC_ca (i) = (g ′, v_i ′, X, Sig_ca (g ′, v_i ′, X)) described above contains an IPv6 global address or A life time and the like are included (step S1606).
[0135]
Then, the CA sends a Certificate Advertisement including the anonymous public key certificate APC_ca (i) to the host 206 (Step S1607). In one embodiment of the present invention, the certificate advertisement is encrypted using a registered public key and transmitted.
[0136]
The host 206 checks the validity of the anonymous public key certificate APC_ca (i) from the received Certificate Advertisement (step S1608).
[0137]
The operation flowchart of the host of the extended protocol in which the above protocol is combined with the existing stateless address autoconfiguration and stateful address autoconfiguration is almost the same as that of FIG. 17, but differs in the following two points. That is, in step S1701, a Router Solicitation extension message is sent instead of the Router Solicitation Message. Also, in step S1707, the protocol shown in FIG. 16 is executed as the protocol for the certificate request and the certificate issuance.
[0138]
(Third embodiment)
In this embodiment, a mode in which a host connects to the Internet by a method such as dial-up or ADSL will be described. First, the present situation will be described, and then embodiments of the present invention will be described.
[0139]
FIG. 14 schematically shows a connection environment to which the present invention is applied. FIG. 14 illustrates an environment in which the host 1406 accesses the Internet 1401 provided by an ISP (Internet Service Provider) via a PSTN (Public Switched Telephone Network). In this embodiment, the ISP and the host 1401 are connected by a PPP link.
[0140]
In FIG. 14, a PPP peer 1402 of the ISP is a node, and accepts a request for a PPP connection from the host 1406 via the PSTN 1404 using the modem 1403. The host 1406 uses the mode 1405 to access the PPP peer 1402 via a PPP connection. The configuration of the host 1406 is the same as that of FIG. 3, and a modem 1405 is connected via the network interface 301. Also, the configuration of the PPP peer 1402 is the same as that of FIG. 3. The modem 1403 is connected via the network interface 301, and the Internet 1401 is connected via the network interface 302. As shown in FIG. 14, the PPP peer 1402 functions as a default gateway module 14021, a DHCP module 14022, and an Authentication module 14023. When the host 1406 communicates with the PPP peer 1402, the host 1406 performs communication via the modem 1405, and the PPP peer 1402 performs communication via the modem 1403.
[0141]
In the present embodiment, description will be made taking modem and PSTN as an example, but TA (Terminal Adapter) and ISDN (Integrated Services Digital Network), PHS communication adapter and PHS communication network, dedicated line connection device and dedicated line, and the like. This is essentially the same as long as it is an environment where a PPP connection can be established even if the communication mode is the above. Details of the PPP connection are described in RFC 1661 {The Point-to-Point Protocol (PPP) ″.
[0142]
The host 1406 transmits a PPP connection request to the PPP peer 1402 via the modem 1405, PSTN 1404, and modem 1403. The PPP peer 1402 receives the connection request, and the Authentication module 14023 authenticates the host. A typical authentication method is an authentication protocol CHAP based on a user name and a password, which is described in detail in RFC 1994 {PPP Challenge Handshake Authentication Protocol}.
[0143]
When the authentication is completed, the DHCP module 14022 transmits the prefix of the IPv6 global address, the IPv6 address of the default gateway, and the like to the host 1406 according to the setting. In the DHCP module 14022, the administrator of the ISP makes settings according to the operation policy.
[0144]
In FIG. 14, for simplicity of explanation, the default gateway, the DHCP server, and the Authentication server are respectively the default gateway module 14021, the DHCP module 14022, and the Authentication module 14023. There may be different nodes on 1407 respectively. In any of the embodiments, the modules or nodes may be operated safely under the control of the administrator of the ISP. Therefore, the host 1406 and the PPP peer 1402 in the form of FIG. The description will be made assuming that the PPP link between them has been established.
[0145]
When the host 1406 receives the prefix of the IPv6 global address, the IPv6 address of the default gateway, and the like from the DHCP module 14022, the host 1406 combines the prefix of the IPv6 global address with its own random interface ID (generated by a method such as RFC3041). Then, it generates a random IPv6 global address, confirms that it is not duplicated on the link, assigns it to the interface 301, and stores the default gateway IPv6 address.
[0146]
With the above operation, the host 1406 can communicate with any other party on the Internet using the disposable IPv6 address.
[0147]
Next, an embodiment of the present invention will be described. A protocol for extending the above-described operation (protocol) to enable use of a disposable anonymous public key certificate will be described.
[0148]
Hereinafter, a case will be described in which the anonymous public key certificate method is applied to the environment of FIG. The CA that the PPP peer 1402 issues the anonymous public key certificate becomes, and the host 1406 (or a user using it) becomes the entity i that uses the anonymous public key certificate. In the following, a form in which a random IPv6 address is included in the certificate will be described, but it is also possible to exclude a random IPv6 address.
[0149]
The ISP determines and publishes the public parameters p and g described above. Determines its own public key v_ca and submits it to a higher or more widespread CA (1408 in FIG. 14), such as VeriSign, which provides a commercial authentication service, and issues a public key certificate for v_ca do that for me.
[0150]
When a user i applies for a subscription to the ISP, his / her own secret key s_i is generated using the parameters p, g, etc. published by the ISP, a corresponding public key v_i is calculated, and a user name and a password are obtained. , Submit the public key v_i to the ISP. The administrator of the ISP (the administrator of the PPP peer 1402) confirms the identity of the user i, checks the password, and the like according to the operation policy, and permits access. The administrator registers the public key v_i in the RAM 305 or the HD 306 so that the public key v_i can be searched for in correspondence with the user name. It is assumed that the public parameter and the public key v_i, particularly the secret key s_i, are managed by the user i and can be used safely by the host 1406.
[0151]
FIG. 13 shows the protocol of the present embodiment, which is executed after the above preparations have been made. FIG. 13 shows a protocol for issuing an anonymous public key certificate performed between an entity (an IPv6 terminal used by a user i) as a host 1406 and a CA for issuing an anonymous public key certificate as a PPP peer 1402.
[0152]
After the processing of the data link layer in the PPP connection is completed, as described above, the PPP peer 1402 that has received the request for the PPP connection from the host 1406 uses the Authentication module 14023 to perform authentication based on the user name (identifier) and the password. The host is authenticated by the protocol CHAP.
[0153]
That is, the host 1406 sends the entity name (user name) to the PPP peer 1402 in step S1301. In step S1302, the PPP peer 1402 generates a CHAP-challenge, and sends it to the host 1406 in step S1303.
[0154]
In step S1304, the host 1406 inputs the entity name, the password, and the CHAP-challenge into the hash function to obtain a CHAP-response, and sends the value of the CHAP-response obtained in step S1305 to the PPP peer 1402.
[0155]
In step S1306, the PPP peer 1402 checks the validity of the CHAP-response. If it can be confirmed, the authentication is successful, so the prefix of the IPv6 global address and the address of the default gateway are transmitted to the authenticated host 1406 in step S1307.
[0156]
The host 1406 generates an IPv6 global address from the prefix of the IPv6 global address and the random interface ID in step S1308, confirms that it is not duplicated, assigns it to the network interface 301, and assigns the default gateway to the default gateway. Is also stored. Next, Certificate Solicitation is sent as a message requesting an anonymous public key certificate in step S1309 to the PPP peer.
Send to 1402.
[0157]
Similar to the first embodiment, the Certificate Solicitation is generated in a format that allows the PPP peer 1402 to understand that the request includes the request for the anonymous public key certificate and the interface ID. The content is calculated from the entity name (user name), the password, and the serial number. The serial number is, for example, a link between the IPv6 link local address of the host 206, the IPv6 link local address of the default gateway, and the time at that time. It is a value that is converted into one data. The Certificate Solicitation includes a digital signature (authentication signature) generated for a value obtained by inputting an entity name (user name), a password, and a serial number to a hash function.
[0158]
The PPP peer 1402 searches the RAM 305 or the HD 306 for a registered public key v_i corresponding to the entity name (user name of the communication device (host) 206), and retrieves the anonymous public key certificate described in S103 of FIG. Is generated in step S1310. That is, an IPv6 global address is generated from the prefix of the IPv6 global address assigned to the PPP peer 1402 and the interface ID of the host 1406, and an anonymous public key certificate APC_ca (i) including its lifetime is created. Specifically, the certificate management / attribute information X in APC_ca (i) = (g ′, v_i ′, X, Sig_ca (g ′, v_i ′, X)) described above contains an IPv6 global address or Lifetime etc. are included.
[0159]
Then, similar to S104 in FIG. 1, the certificate advertisement including the generated anonymous public key certificate APC_ca (i) and the like is sent to the host 1406 in step S1311. The host 1406 checks the validity of the received anonymous public key certificate APC_ca (i) in step S1312. As described above, the anonymous public key certificate APC_ca (i) includes an expiration date in the management / attribute information X, and the public keys g ′ and v_i ′ included in the anonymous public key certificate APC_ca (i) are the same. Is the public key of the entity i (host 1406), but is changed over time.
[0160]
In the above protocol, the data transmitted and received in steps S1305 and S1309 can be combined and transmitted in step S1305. Although not shown, in this case, the host 1406 sends the random interface ID, the CHAP-response in step S1305 in FIG. 13, and the Certificate Solicitation in step S1309 (similar to the first embodiment) to the PPP peer 1402 in step S1305 ′.
[0161]
Then, in step S1306 ′, the PPP peer 1402 confirms the validity of the CHAP-response, searches for the registered public key v_i, generates an IPv6 global address from the IPv6 prefix and the interface ID, and generates the IPv6 global address and its lifetime. Data including the expiration date (for example, 24 hours) is generated, and the anonymous public key certificate APC_ca (i) is generated. A Certificate Advertisement including the generated anonymous public key certificate APC_ca (i) is sent to the host 1406 in step S1307 ′.
[0162]
The host 1406 checks the validity of the received anonymous public key certificate APC_ca (i) in step S1308 '. In this step S1308 ', the processing up to the processing corresponding to step S1312 in FIG. 13 is completed, so that there are no subsequent steps.
[0163]
With the above protocol, the PPP peer 1402 issues the disposable anonymous public key certificate corresponding to the disposable IPv6 address to the host 1406.
[0164]
The host 1406 executes the anonymous public key certificate issuing protocol of FIG. 13 every time the communication partner changes, every time the session changes, or each time a communication packet is transmitted, and uses the public keys g ′ and v_i to be used. 'To change.
[0165]
In the above description, the case where the PPP Peer 1402 transmits the IPv6 prefix to the host 1406 and the host 1406 generates an IPv6 address from the IPv6 prefix and the interface ID has been described. However, the PPP Peer 1402 transmits the IPv6 address to the host 1406, and the host 1406 transmits the IPv6 address to the host 1406. The same protocol is used when is used. In this case, the same protocol is used except that an IPv6 address is sent instead of the IPv6 prefix in step S1307 of FIG. 3 and that the process of generating an IPv6 address from the prefix is not required in step S1308.
[0166]
(Fourth embodiment)
A mode in which IPsec communication is performed using the disposable IPv6 address and the disposable anonymous public key certificate issued in the first embodiment, the second embodiment, and the third embodiment will be described.
[0167]
First, a brief description will be given of an authentication method in a revised mode of encryption using public key cryptography of IKE (Internet Key Exchange) which is a protocol for securely sharing SA (Security Association) which is data such as secret data and mutual IPv6 addresses. Then, a method using an anonymous public key certificate will be described.
[0168]
The IKE is composed of two phases, and establishes a secure communication path in Phase 1, and in Phase 2, an SA used for communication such as IPsec is agreed using the secure communication path. Hereinafter, only Phase 1 will be described. Main mode and Aggressive mode exist in Phase 1 of IKE, but the description below is based on the pp. Of RFC2409 {The Internet Key Exchange (IKE) ″. 13-15, 5.3 Phase 1 Authenticated with a Revised mode of Public Key Encryption Main mode.
[0169]
In IKE, two communicating entities are called an Initiator and a Responder. The initiator starts communication. First, the initiator sends a plurality of SAs to the responder, and sends one SA determined to be usable by the responder to the initiator, thereby determining an SA for phase 1.
[0170]
The initiator generates a random number (called Nonce) and sends data encrypted with the responder's public key to the responder. The responder generates a random number, and sends data encrypted with the public key of the initiator to the initiator. As a result, each generated nonce can be shared, and an encryption key used in another communication is generated from the shared nonce. The details are described in RFC2409 “The Internet Key Exchange (IKE)”. As is apparent from the above description, it is necessary to know the public key of the communication partner prior to the IPsec communication.
[0171]
Consider the following situation. A user accesses a site on the Internet such as a shopping site. The user is, for example, the host 206 in the embodiment of FIG. 2, and is the host 1406 in the embodiment of FIG. In the embodiment of FIG. 2, the shopping site is connected to the user host 206 via the Internet 201 and the gateway 202. In the embodiment of FIG. 14, the shopping site is connected to the user host 1406 via the Internet 1401 and the PPP peer 1402. Connected. Before starting communication with a site such as the shopping site as a communication partner, the hosts 206 and 1406 obtain an Ipv6 address and a public key certificate including a public key by the above-described protocol. In this embodiment, a procedure for executing a key exchange / update / change protocol based on the above-mentioned public key certificate and performing encryption / authentication communication is performed.
[0172]
At this time, the user knows the IPv6 address (identifier) of the shopping site (whether explicit or implicit). When the user actually accesses the site and finds that the site is correct for the user, the user can explicitly know the address by confirming the IPv6 address of the communication partner. During communication, the shopping site knows the address (identifier) of the communication partner. The above communication can be performed using a disposable IPv6 address.
[0173]
In this embodiment, it is assumed that the disposable IPv6 address uses the same address (not updated) when the sender and receiver are determined. At this point, the disposable anonymous public key certificate APC_ca (i) = (g ′, v_i ′, X, Sig_ca (g ′, v_i ′, X)) is sent to each other. Then, since the management / attribute information X in the disposable anonymous public key certificate APC_ca (i) includes the IPv6 global address, does the IPv6 address match the IPv6 address of the other party with whom communication is actually being performed? Confirming the validity of the disposable anonymous public key certificate and confirming the validity of the disposable anonymous public key certificate, it is possible to determine whether or not it is truly the disposable anonymous public key certificate of the communication partner, and the public key (g ′, v_i ′) can be confirmed whether it is really the public key of the communication partner.
[0174]
The validity of the disposable anonymous public key certificate can be confirmed as follows. The certificate management / attribute information X includes a public key v_ca of a CA (the router 202, the DHCP server 203, or the PPP peer 1402 described above) and a public key certificate corresponding to the public key v_ca (VeriSign, which provides a commercial authentication service, etc.). Issued by the company). The site can confirm whether or not the correspondence is correct by using a public key such as VeriSign, which provides a commercial authentication service (it is widely known and can be easily obtained). Using the verified validity v_ca, the validity of the disposable anonymous public key certificate APC_ca (i) = (g ′, v_i ′, X, Sig_ca (g ′, v_i ′, X)), that is, (g ', V_i') and Sig_ca (g ', v_i', X). The anonymous public key certificate APC_ca (i) includes an expiration date in its management / attribute information X, and the public keys g ′ and v_i ′ included in the anonymous public key certificate APC_ca (i) are associated with the same entity i. The public key is a public key that changes over time.
[0175]
The hosts 206 and 1406 execute the protocol of FIGS. 11 and 13 each time the communication partner changes (that is, each time a new connection is made to the site) or each time the session changes, and Update / change public keys g ′ and v_i ′. Note that the public keys g ′ and v_i ′ may be updated or changed every time a communication packet is transmitted.
[0176]
As described above, using the disposable IPv6 address and the disposable anonymous public key certificate including the same, the public key of the communication partner defined by the IPv6 address can be reliably obtained. By performing the IKE phase 1 Main mode using the public key thus exchanged, IPsec communication with the communication partner having the IPv6 address can be executed.
[0177]
That is, in the present embodiment, an IPv6-compatible device existing in a local link where an IPv6-compatible device is located is operated as a public key certificate issuer, and the IPv6 address is included in the disposable anonymous public key certificate, and the IPv6 address is used on the Internet. Two devices share secret data that no one else knows, and perform IPsec communication, which is a protocol for performing encryption and authentication based on the secret data. In IPsec, SA (such as secret data and each other's IPv6 address) is used. IKE (Internet Key Exchange), which is a protocol for securely sharing Security Association, is performed.
[0178]
Therefore, impersonation of the communication partner as described in the problem is prevented.
[0179]
【The invention's effect】
As described above, according to the invention relating to the present application, a disposable IPv6 address and a disposable anonymous public key certificate including the same can be realized.
[0180]
In addition, the load on the host for generating the anonymous public key can be reduced.
[0181]
Further, the degree of privacy protection is high, it can be realized at low cost, and a disposable anonymous public key certificate with a small load at the time of execution can be efficiently realized.
[0182]
In addition, strong privacy protection can be realized, and IPsec communication by IKE can be performed while preventing spoofing.
[Brief description of the drawings]
FIG. 1 is a diagram of an anonymous public key certificate issuing protocol (in the case of an Ethernet® LAN) according to a first embodiment.
FIG. 2 is a schematic diagram of an Ethernet® LAN.
FIG. 3 is a configuration diagram of a node.
FIG. 4 is a configuration diagram of a MAC address of Ethernet (R).
FIG. 5 is a configuration diagram of an interface ID.
FIG. 6 is a configuration diagram of a tentative link-local address.
FIG. 7 is a configuration diagram of a solicited-node multicast address of a certain tentative link-local address.
FIG. 8 is a flowchart illustrating an operation until the host finishes DAD.
FIG. 9 is a flowchart illustrating an operation until the host finishes automatic address setting.
FIG. 10 is an operation flowchart diagram until a host acquires an address by DHCP.
FIG. 11 is an operation flowchart from when a host performs automatic address setting to when an anonymous public key certificate is received.
FIG. 12 is an operation flowchart diagram until a host receives an address and an anonymous public key certificate by DHCP.
FIG. 13 is a diagram of an anonymous public key certificate issuing protocol (in the case of PPP) in the third embodiment.
FIG. 14 is a schematic diagram of a dial-up / ADSL connection.
FIG. 15 is a diagram of an anonymous public key certificate issuance protocol (in the case of an Ethernet (R) LAN) according to the second embodiment.
FIG. 16 is a diagram of a general form of an anonymous public key certificate issuing protocol.
FIG. 17 is an operation flowchart diagram until a host acquires a certificate.
[Explanation of symbols]
300 nodes
301 Network Interface
302 Network Interface
306 HD (hard disk)
308 Keyboard / Pointing Device Interface
309 Monitor interface
1402 ISP PPP peer
1404 PSTN (Public Switched Telephone Network)

Claims (12)

Generating means for generating a certificate of a first public key;
Providing means for providing a certificate of the first public key generated by the generating means,
The certificate of the first public key generated by the generation unit is a certificate of the second public key issued by the authentication service provider, and the validity can be confirmed using the second public key. A public key certificate providing device including a digital signature. 2. The public key certificate providing apparatus according to claim 1, wherein said providing means provides the first public key certificate to a host in a subnet. 2. The public key certificate providing apparatus according to claim 1, wherein said providing means provides the host with a first public key certificate and information for determining an address of the host. Document providing device. 2. The public key certificate providing apparatus according to claim 1, further comprising a connection unit that connects a host to which the first public key certificate is provided by the providing unit to the Internet. Providing device. Generate a certificate for the first public key,
A public key certificate providing program that provides a certificate of the generated first public key,
The certificate of the first public key generated in the generation step is a certificate of the second public key issued by the authentication service provider, and the validity can be confirmed using the second public key. A public key certificate providing program including a digital signature. 6. The public key certificate providing program according to claim 5, wherein said providing step provides a first public key certificate to a host in a subnet. 6. The public key certificate providing program according to claim 5, wherein the providing step provides the host with a first public key certificate and information for determining an address of the host. Letter providing program. 6. The public key certificate providing program according to claim 5, further comprising a connection step of connecting a host to which the first public key certificate is provided by the providing step to the Internet. Provided program. A public key certificate providing apparatus provided in a subnet, comprising: a providing unit that provides information for determining an address, and a certificate of a first public key to a host in the subnet,
Generating means for generating a certificate of the first public key,
The certificate of the first public key generated by the generation unit is a certificate of the second public key issued by the authentication service provider, and the validity can be confirmed using the second public key. A public key certificate providing device including a digital signature. Internet connection means for connecting the Internet,
Host connection means for connecting to the host;
Providing means for providing a certificate of a first public key,
The certificate of the first public key provided by the providing unit is a certificate of the second public key issued by the authentication service provider, and the validity can be confirmed using the second public key. A connection device comprising a digital signature. Communication means;
Determining means for determining its own address based on the result of communication with the first partner,
The communication device, wherein the communication unit notifies the second party of the public key certificate received from the first party in order to perform encrypted communication with the second party. According to the result of communication with the first partner, determine your own address,
A communication program for notifying a second party of a public key certificate received from a first party in order to perform cryptographic communication with a second party.

Images