JP2004364188A - Encryption system and its encrypted message processing method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an encryption system and its encrypted message processing method in which encryption and key management can be easily performed while solving disadvantages in a conventional hybrid encryption scheme and further, it is enough for a user only to hold one key pair. <P>SOLUTION: In an encryption system 1 in which the encrypted message can be decrypted on the basis of a decryption request from the user, a key management database 6 is provided for managing a public key of each user. When transmission of a second encrypted message 14 which is generated by further encrypting a first encrypted message 13 encrypted with a private key of the other person with a private key of the user is received from the user as a decryption request, the second encrypted message 14 is decrypted by using a public key in the key management database 6 and the first encrypted message 13 is extracted. The extracted first encrypted message 13 is decrypted by using a public key of the other person in the key management database 6. The decrypted result is encrypted by using the public key of the relevant user to generate a third encrypted message 15, and it is transmitted to the user who requests the decryption. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

[0001]
TECHNICAL FIELD OF THE INVENTION
The present invention relates to a cryptosystem and a ciphertext processing method thereof.
[0002]
[Prior art]
As a conventional general encryption technique, there is a technique called a common key encryption method. In the common key cryptosystem, the same (common) key, that is, a common key is used when encrypting data and when decrypting the encrypted data (encrypted text) into plain text. For this reason, it is necessary for the data sender / receiver not to disclose the key to a third party. This method is suitable for encrypting large data because the processing amount required for encryption is small. However, since the same common key cannot be used for a plurality of parties, it is necessary to generate and manage a different common key for each transmission party. For this reason, key management becomes more difficult as the number of destinations increases. Further, the common key cryptosystem has a drawback that it is not suitable for an unspecified majority.
[0003]
As a technique for solving such a problem in the common key cryptosystem, there is a technique called a public key cryptosystem. In the public key cryptosystem, different keys are generated for encryption and decryption, and one is used as a public key and the other is used as a secret key. With the encryption algorithm in the case of the public key cryptosystem, a cipher text encrypted with one key can be decrypted only with the other key in the pair. In public key cryptography, a sender encrypts a plaintext with the recipient's public key, and the recipient decrypts the ciphertext into plaintext with his / her private key.
[0004]
In the public key cryptosystem, the cipher text cannot be decrypted with the public key, and the secret key cannot be generated from the public key. Further, it is not necessary to generate a key for each transmission partner, and the user only has to prepare a pair of keys (public key and secret key), which can be said to be suitable for an unspecified number of partners. However, if the bit length of the asymmetric key or the data to be encrypted increases, it takes time to perform encryption and decryption. Therefore, it can be said that it is not suitable for encrypting a large amount of data as compared with the common key encryption method.
[0005]
As a technique for solving such a problem in the public key cryptosystem, there is a technique called a hybrid cryptosystem. The hybrid encryption method is a technique for combining the two encryption methods and encrypting them in order to make use of the advantages of the common key encryption method and the public key encryption method and to compensate for their respective disadvantages. That is, in the hybrid encryption method, data is cipher text with a common key generated by the sender, and the cipher text is transmitted with the common key encrypted with the public key of the receiver attached thereto. The recipient decrypts the transmitted common key with the recipient's private key, and further decrypts the ciphertext with the decrypted common key. Typical technologies of the hybrid cryptosystem include PGP, S / MIME, and the like.
[0006]
However, in the hybrid encryption method, there is a problem that if a user loses his / her private key, the ciphertext encrypted with the original public key cannot be decrypted. That is, even if a new secret key and a public key (key pair) are generated when the secret key is lost, the encrypted text encrypted with the original public key cannot be decrypted with this new key pair. .
[0007]
In view of such a problem in the hybrid encryption method, an encryption system that can prevent a large problem from occurring even when a user loses his / her own key has been considered (for example, see Patent Document 1).
[0008]
Hereinafter, this encryption system will be described with reference to FIGS.
[0009]
As shown in FIG. 14, the cryptographic system includes a management server 100 and a user-side operation terminal 101 which are mutually connected via a network.
[0010]
In this encryption system, each user first registers his / her ID and public key in the management server 101. That is, for example, in order for the user A to register, first, a key pair of a secret key (A) and a public key (A) is generated, and the public key (A) is assigned an ID (A) as shown in FIG. ) And to the management server 100.
[0011]
Then, the management server 100 generates a unique key (A) corresponding to the public key (A). Here, the unique key (A) is a common key.
[0012]
This unique key (A) is associated with another unique key as desired. That is, as shown in FIG. 15, for the unique key (A), for example, the unique key (B) corresponding to the public key (B) of the user B and the public key (C) corresponding to the user C , Etc., and the unique key (B), for example, the unique key (A), the unique key (C),. In the attached state, it is registered in the key management database 100a provided in the management server 100.
[0013]
When another type of association is required, the user A generates new key bears (a secret key (A ′) and a public key (A ′)), and among them, the public key (A ′) Must be registered in the management server 100. Therefore, for example, as shown in FIG. 16, in the user-side operation terminal (A) 101, a plurality of key pairs (a secret key (A) and a public key (A), a secret key (A ′) and a public key ( A ′),... Must be held.
[0014]
When the user A is registered, as shown in FIG. 14, the public key (S) of the server encrypted with the public key (A) and the secret data for authentication are stored in the user who is the registrant. A is transmitted to the user-side operation terminal (A) of A.
[0015]
Next, a decryption request from a user will be described with reference to FIG.
[0016]
Here, for example, an example will be described in which a user B requests a decryption of an encrypted text encrypted by a user A.
[0017]
First, encryption by the user A will be described. To perform this encryption, first, the user A attaches ID (A) to the secret data encrypted with the public key (S) and transmits the encrypted data to the management server 100. The management server 100 extracts the secret data by decrypting using the secret key (S) paired with the public key (S), and checks the extracted secret data with the secret data held in the management server 100 side. Authentication is performed. If authenticated, the key (corresponding to the public key (A)) (corresponding to the public key (A)) corresponding to the ID (A) is assigned to the public key. The data encrypted in (A) is returned to the user operation terminal (A). Thereby, the user A obtains the unique key (A) used for the encryption.
[0018]
Next, the user A generates a session key, generates a ciphertext 110 by encrypting data with the session key, and further encrypts the session key with the unique key (A). A ciphertext 110 and 111 are transmitted to the user B.
[0019]
Next, the user B adds ID (B) to the secret data encrypted with the public key (S) and transmits the encrypted data to the management server 100. The management server 100 extracts the secret data by decrypting using the secret key (S), and performs authentication by comparing the extracted secret data with the secret data held on the management server 100 side. If authenticated, a key (a unique key (B), a unique key (A), a unique key (C),...) Corresponding to the ID (B) (corresponding to the public key (B)) is assigned to the public key. The data encrypted in (B) is returned to the user operation terminal (B). Thereby, the user B obtains the unique key (A) used for decrypting the ciphertext 111.
[0020]
Therefore, the user B can extract the session key by decrypting the cipher text 111 using the unique key (A), and can retrieve the data by decrypting the cipher text 110 using the session key. it can.
[0021]
Further, in this cryptographic system, since each unique key is managed by the management server, a remedy can be taken even if the user loses the secret key. That is, when the secret key is lost, new registration is performed, and a unique key newly generated by the registration is associated with the original secret key (the public key forming a pair with the original key). Thus, the encrypted text encrypted when the original secret key is used can be decrypted.
[0022]
[Patent Document 1]
JP-A-2002-314527
[0023]
[Problems to be solved by the invention]
However, in the technique of Patent Document 1, the encryption key (session key) is encrypted with the unique key held by the management server 100, and thus has the following problems.
[0024]
First, when encrypting data, the user needs to communicate with the management server 100 to obtain a unique key, so that encryption is troublesome.
[0025]
In addition, there is a problem that it is necessary to properly use a desired unique key from among many obtained keys (key bundles).
[0026]
In addition, when another type of association is required, the user can use a plurality of key pairs (for example, a secret key (A) and a public key (A), a secret key (A ′) and a public key (A ′)). ),...) Must be stored, and an appropriate key must be used. That is, for example, in a company organization, when associating unique keys separately for each organization, a user who also serves as a post over a plurality of organizations holds many key pairs. It is necessary and inconvenient.
[0027]
SUMMARY OF THE INVENTION The present invention has been made to solve the above problems, and can easily perform encryption and key management while eliminating the disadvantages of the conventional hybrid encryption method, and furthermore, the user has: It is an object of the present invention to provide an encryption system that only needs to hold one key pair and a ciphertext processing method thereof.
[0028]
[Means for Solving the Problems]
In order to solve the above problems, an encryption system according to the present invention is an encryption system including a management device capable of decrypting a cipher text based on a decryption request from a user, wherein the management device is registered as a user. A key management database that manages the public keys of the plurality of persons, and a control unit that can execute decryption and encryption using the public key in the key management database. When a second ciphertext generated by further encrypting the first ciphertext encrypted with the secret key of another user with the secret key of the user is transmitted from the user, A first ciphertext extracting step of extracting the first ciphertext by decrypting the second ciphertext using the user's public key in the key management database, and extracting the first ciphertext by the first ciphertext extracting step. First A third party key decryption step of decrypting a sentence using the third party's public key in the key management database; and a decryption result obtained by the third party key use decryption step using a public key of the user. And a third ciphertext generating step of generating a third ciphertext by converting the third ciphertext generated by the third ciphertext generating step into the third ciphertext. It is characterized by being configured to be transmitted to the user.
[0029]
In the cryptographic system of the present invention, it is preferable that the key management database manages each public key in a private manner.
[0030]
In the encryption system of the present invention, the key management database manages each of the public keys of a plurality of users in association with the identification information of each user. It is assumed that the identification information of the user is attached to the second ciphertext and transmitted, and the control unit, when a decryption request is made from the user, corresponds to the identification information transmitted from the user. It is preferable that a public key be obtained from the key management database and used for decryption in the first ciphertext extracting step.
[0031]
In this case, it is preferable that the control unit authenticates a user based on whether or not decryption can be performed in the first ciphertext extracting step.
[0032]
In the cryptographic system of the present invention, the user shall obtain the first ciphertext and the identification information of the other person before the decryption request, and generate the second ciphertext, The first cipher text and the identification information of the other person are collectively encrypted by using the secret key of the user, and the control unit performs the first cipher text in the first cipher text extracting step. Preferably, the identification information of the other person is extracted, a public key corresponding to the extracted identification information is obtained from the key management database, and is used for the decryption in the decryption process using the other person's key.
[0033]
In the cryptographic system of the present invention, the identification information is recorded with a record of the last decryption request date and time, and the management device is configured to manage the last decryption request date and time of each user. The control unit, when there is a decryption request, performs a comparison between the final decryption request date and time attached to the transmitted identification information and the corresponding final decryption request date and time managed by the management device, When these dates and times are different, it is preferable to notify the user who made the decryption request of the difference.
[0034]
In the cryptographic system according to the present invention, the management device is configured to be able to set authority for decryption for each user, and the control unit generates and uses the third ciphertext when a decryption request is issued. It is preferable to determine whether or not to transmit to a user according to the set authority.
[0035]
In this case, it is preferable that the management device further includes an authority management database that manages association between the authority related to decryption and each user.
[0036]
In the cryptographic system of the present invention, the management device can set a plurality of types of association as the association between the authority and each user. It is preferable to determine whether to generate and transmit the third ciphertext to the user according to the association.
[0037]
In this case, it is preferable that the plurality of types of association include at least association according to the organization and association according to the confidentiality.
[0038]
In the cryptographic system of the present invention, it is preferable that the expiration date of the authority for decryption can be set.
[0039]
In the cryptographic system of the present invention, it is preferable that the usage policy of the cryptographic system can be created in a question-and-answer format.
[0040]
In this case, it is preferable that the created usage policy can be output or transmitted to each user.
[0041]
Further, the ciphertext processing method of the present invention is a ciphertext processing method using the cryptographic system of the present invention, wherein the first user as the other person uses the first ciphertext using his / her private key. Is generated, and the generated first ciphertext is made to be obtainable by the second user, which is the user. Subsequently, the second user makes the obtainable first ciphertext A second encrypted text is generated by further encrypting the first encrypted text with its own secret key, and transmitting the generated second encrypted text to the management device. Executing the first ciphertext extraction step, the third party key use decryption step, and the third ciphertext generation step in this order, and further, the third ciphertext generated by the third ciphertext generation step (2) the second ciphertext is acquired by the second user, and then the second user acquires the third ciphertext The third ciphertext by decoding by its own secret key, is characterized by obtaining the decoded result.
[0042]
Further, the ciphertext processing method of the present invention is a ciphertext processing method using the cryptographic system of the present invention, wherein the first user as the other person uses the first ciphertext using his / her private key. Is generated, and the generated first ciphertext is made to be obtainable by the second user, which is the user. Subsequently, the second user makes the obtainable first ciphertext The first ciphertext is further encrypted with its own secret key to generate a second ciphertext, and the generated second ciphertext is attached to its own identification information and transmitted to the management device. Then, the control unit obtains a public key corresponding to the identification information transmitted from the second user from the key management database, and decrypts the second ciphertext using the obtained public key. After performing the first ciphertext extraction step, the third party key use decryption step and the second The ciphertext generation step is executed in this order, and further, the third ciphertext generated in the third ciphertext generation step is set to a state in which the third user can obtain the third ciphertext. , The third ciphertext is obtained, and the third ciphertext is decrypted with its own secret key to obtain the decryption result.
[0043]
In this case, the first user causes the second ciphertext and the identification information of the first ciphertext to be acquired by the second user, and the second user acquires the acquired first ciphertext and the second ciphertext. (1) The second ciphertext is generated by collectively encrypting the identification information of the user with its own secret key, and the control unit controls the first ciphertext and the other ciphertext in the first ciphertext extracting step. It is preferable that the identification information of the third party is extracted, a public key corresponding to the extracted identification information is obtained from the key management database, and used for the decryption in the third party key use decryption step.
[0044]
Further, in the ciphertext processing method of the present invention, the first user generates a disposable key and encrypts the data with the disposable key to generate encrypted data, while generating the secret key of the user. The first ciphertext is generated by encrypting the disposable key using the first ciphertext, and the generated first ciphertext and encrypted data are made to be obtainable by the second user. (2) The user obtains the first ciphertext and the encrypted data in the obtainable state, and further encrypts the first ciphertext with its own secret key to generate a second ciphertext. Transmitting the generated second ciphertext to the management device, subsequently, the control unit extracts the disposable key by executing the first ciphertext extraction step and the other party key use decryption step in this order, Take this disposable key out The third ciphertext is generated by encrypting in the third ciphertext generation step, and the third ciphertext is made available for acquisition by the second user. Obtains the third ciphertext, retrieves the disposable key by decrypting the third ciphertext with its own secret key, and decrypts the encrypted data using the disposable key, It is preferable to retrieve the data.
[0045]
BEST MODE FOR CARRYING OUT THE INVENTION
Hereinafter, embodiments of the present invention will be described with reference to the drawings.
[0046]
[First Embodiment]
As shown in FIG. 1, an encryption system 1 according to the first embodiment includes a management server (management device) 2 capable of decrypting a cipher text based on a decryption request from a user, and each user (use ..) Are assigned to the user A, the user B, the user C,...), And the user operation terminal 3 and the management server 2 are connected via the network 4. They can be connected to each other.
[0047]
As shown in FIG. 2, the management server 2 includes a control unit 5 that executes various processes, and a key management database 6 that manages the public key of each user.
[0048]
The control unit 5 includes, for example, a CPU (Central Processing Unit), a ROM (Read Only Memory), and a RAM (Random Access Memory). The ROM stores a program (software) for the management server 2 in the encryption system 1. The CPU performs various processes by executing the programs stored in the ROM. The RAM includes a temporary storage area for various data in addition to a work area for the CPU.
[0049]
The control unit 5 generates and stores a key pair of the public key (S) and the secret key (S) of the management server 2 in advance.
[0050]
On the other hand, as shown in FIG. 3, the key management database 6 stores the public key of each user with the ID (identification information) of each user (user A, user B, user C,...). It is stored (managed) in a non-disclosed state in a one-to-one correspondence. That is, each user publishes the public key generated by himself / herself only to the management server 2 and keeps it private to the other (other users).
[0051]
Further, each user-side operation terminal 3 includes, for example, a CPU (Central Processing Unit), a ROM (Read Only Memory), and a RAM (Random Access Memory). The ROM stores a program (software) for the user-side operation terminal 3 in the encryption system 1. The CPU performs various processes by executing the programs stored in the ROM. The RAM includes a temporary storage area for various data in addition to a work area for the CPU.
[0052]
Also, as shown in FIG. 4, it is assumed that, for example, the public key (S) of the management server 2 is given to and stored in each user-side operation terminal 3 in advance.
[0053]
Next, registration of a user (public key) will be described with reference to FIG.
[0054]
When a user (for example, user A) registers, first, a key pair of a public key (A) and a secret key (A) is generated at the user operation terminal (A) 3 of the user A. And save (FIG. 4). Then, a copy of the public key (A) is registered in the management server 2. At the time of this registration, as shown in FIG. 5, the cipher text 11 obtained by encrypting the ID (A) and the public key (A) of the user A together with the public key (S) of the management server 2 is The information is transmitted from the user operation terminal (A) 3 to the management server 2.
[0055]
Then, the control unit 5 of the management server 2 accepts the transmission of the ciphertext 11 as a registration request, and decrypts the ciphertext 11 with the secret key (S) of the management server 2 to obtain the ID (A) and the public key (A). ) Is taken out (in plain text), and the taken out ID (A) and public key (A) are stored (registered) in the key management database 6 in a state of being associated one-to-one as shown in FIG.
[0056]
That is, as each user performs the same registration work, the public key of the user is gradually accumulated in the key management database 6.
[0057]
Next, a decryption request from a user will be described with reference to FIGS.
[0058]
Here, for example, an example in which a user B (a second user, a user) requests a decryption of a ciphertext encrypted by a user A (a first user, another person) with his own secret key (A). Will be described.
[0059]
In this case, the operation of the user A on the user operation terminal (A) 3 (step S1) → the user on the user operation terminal (B) 3 is schematically shown in FIG. Work B (step S2) → processing by (the control unit 5 of) the management server 2 (step S3) → work of the user B on the user-side operation terminal (B) 3 (step S4). In addition, it can be said that step S1 is processing of the user-side operation terminal (A) 3 according to the work of the user A. Similarly, it can be said that steps S2 and S4 are processes of the user-side operation terminal (B) 3 according to the work of the user B.
[0060]
Next, steps S1 to S4 will be described in detail.
[0061]
First, step S1 is a process in which the user A (first user) encrypts data.
[0062]
In this step S1, as shown in FIG. 7, first, in step S11, a session key 10 (disposable key) is generated. The session key 10 is generated separately each time data is encrypted.
[0063]
In step S12 following step S11, encrypted data 12 is generated by encrypting data using the session key 10 generated in step S11.
[0064]
In step S13 following step S12, the first cipher text 13 is generated by encrypting the session key 10 generated in step S11 with the secret key (A) of the user A. In the user operation terminal (A), the first cipher text 13 and the encrypted data 12 are collectively stored.
[0065]
Here, the first ciphertext 13 and the encrypted data 12 obtained as a result of performing the encryption can be sequentially decrypted by using the public key (A). That is, the session key 10 can be extracted by decrypting the first ciphertext 13 with the public key (A), and the data 16 can be extracted by decrypting the encrypted data 12 using the session key 10. . That is, it can be said that the encryption key here is the secret key (A) of the user A.
[0066]
Further, when the first cipher text 13 and the encrypted data 12 are generated as described above, there is no need to perform communication between the user-side operation terminal (A) and the management server 2. That is, in the case of the present embodiment, the user does not need to communicate with the management server 2 at the time of encryption.
[0067]
In step S14 following step S13, the first ciphertext 13 generated in step S13, the encrypted data 12 generated in step S12, and the ID (A) of user A are used by the user of user B. It is transmitted to the operation terminal (B) 3 by e-mail, for example.
[0068]
Next, in step S2, as shown in FIG. 8, first, in step S21, the user-side operation terminal (B) receives (acquires) the first ciphertext 13, the encrypted data 12, and the ID (A). ).
[0069]
Here, an example will be described in which the first ciphertext 13, the encrypted data 12, and the ID (A) are moved from the user operation terminal (A) to the user operation terminal (B) by mail transmission. In addition to the mail transmission, for example, the information once registered (up) in the management server 2 may be acquired by the user operation terminal (A).
[0070]
In step S22 following step S21, the first ciphertext 13 and the ID (A) of the first ciphertext 13, the encrypted data 12, and the ID (A) are collectively encrypted with the secret key (B). Thereby, the second ciphertext 14 is generated. Here, the session key 10 is doubly encrypted with the secret key (A) and the secret key (B).
[0071]
In step S23 following step S22, the ID (B) of the user B is attached to the second ciphertext 14 generated in step S21 and transmitted to the management server 2. In the case of the present embodiment, the transmission of the second ciphertext 14 to the management server 2 with its own ID (B) added thereto is referred to as a “decryption request”.
[0072]
Next, in step S3, as shown in FIG. 9, first, in step S31, the management server 2 receives the second ciphertext 14 and the ID (B), and receives the decryption request by receiving the second ciphertext 14 and the ID (B).
[0073]
In step S32 following step S31, the control unit 5 acquires a key corresponding to the ID (B), that is, a public key (B) from the key management database 6.
[0074]
In step S33 following step S32, the control unit 5 extracts the first ciphertext 13 and the ID (A) by decrypting the second ciphertext 14 with the public key (B) obtained in step S32 (first). Ciphertext extraction process). Here, the control unit 5 authenticates the user based on whether or not the decryption can be executed in the first ciphertext extraction step. The determination as to whether or not the decoding has been performed is performed by determining whether or not data has changed before and after the decoding.
[0075]
In step S34 following step S33, the control unit 5 acquires a key corresponding to the extracted ID, that is, ID (A), that is, a public key (A) from the key management database 6.
[0076]
In step S35 following step S34, the control unit 5 extracts the session key 10 by decrypting the first ciphertext 13 with the public key (A) acquired in step S34 (other-key use decryption step). That is, by sequentially performing decryption using the public key (B) and decryption using the public key (A), the session key 10 double-encrypted with the secret key (A) and the secret key (B) is extracted. be able to.
[0077]
In step S36 following step S35, the control unit 5 generates the third ciphertext 15 by encrypting the session key 10 extracted in step S35 with the public key (B) of the user B who is the decryption requester. (Third ciphertext generation step).
[0078]
In step S37 following step S36, the control unit 5 transmits the third ciphertext 15 generated in step S36 to the user-side operation terminal (B) 3 of the user B who is the decryption requester.
[0079]
Next, in step S4, as shown in FIG. 10, first, in step S41, the user-side operation terminal (B) receives the third ciphertext 15.
[0080]
In step S42 following step S41, the session key 10 is extracted by decrypting the third ciphertext 15 with the secret key (B).
[0081]
In step S43 following step S42, the data 16 can be extracted by decrypting the encrypted data 12 received in step S21 with the session key 10 extracted in step S42.
[0082]
According to the first embodiment as described above, since the user's private key is used as the encryption key and the management server 2 manages the user's public key, the user loses the secret key. Even if it does, the management server 2 can decrypt it. Therefore, if the user generates and registers a new key pair (private key and public key), the encrypted text encrypted before the key is lost can be taken out without any problem. That is, the disadvantage of the conventional hybrid encryption method can be solved.
[0083]
Further, since there is no need to use a unique key as in the related art, there is no need to go through a complicated procedure as shown in FIG. 17, and encryption and decryption can be performed in a simple procedure as shown in FIG. it can. In particular, at the time of encryption, there is no need to communicate with the management server 2. In addition, the user only needs to have his / her own private key.
[0084]
The encryption system according to the present embodiment can be applied to, for example, information management in a company. In this case, the user corresponds to an individual employee.
[0085]
[Second embodiment]
Next, a second embodiment according to the present invention will be described.
[0086]
In the second embodiment, the management server 2 is configured to be able to set the authority for decryption for each user, and the control unit 5 generates the third ciphertext 15 and generates the third ciphertext 15 when there is a decryption request. (Decryption requester) Whether or not to transmit is determined according to the set authority.
[0087]
In the case of the present embodiment, the management server 2 further includes an authority management database 7, as shown in FIG. 11, in order to manage the association between the authority related to decryption and each user. That is, the right management database 7 stores and holds the correspondence between the right relating to decryption and each user.
[0088]
In addition, the management server 2 can set a plurality of types of associations as the association between the authority related to decryption and each user, and the control unit 5 determines one of the associations according to the type of the decryption request. Then, it is determined whether or not the third ciphertext 15 is generated and transmitted to the user.
[0089]
Here, in the case of the present embodiment, the plurality of types of association between the authority related to decryption and each user include association according to the organization and association according to the confidentiality. Here, the confidentiality means a confidentiality corresponding to the degree of confidentiality or confidential range, such as confidential, confidential ○, confidential or ○ project confidential. That is, for example, as shown in FIG. 12, the authority management database 7 holds the association so that the presence or absence of the decryption authority of each user (managed by each ID) can be confirmed for each security level. are doing.
[0090]
In the case where the association according to the confidentiality is performed as described above, information (label) for specifying the confidentiality is attached to, for example, the session key 10 at the time of encryption. Therefore, when there is a decryption request, the control unit 5 refers to the association held in the authority management database 7 based on the label attached to the session key 10 so that the decryption requester has the decryption authority. Is determined.
[0091]
Specifically, for example, when a user outside the XX project makes a decryption request and the label attached to the session key 10 is confidential to the XX project, the control unit 5 The process of generating the 3 ciphertext 15 and transmitting it to the user (decryption requester) is not executed. I do not have it. "
[0092]
As described above, in the second embodiment, key management (related to the key management database 6) and decryption authority management (related to the authority management database 7) are performed separately.
[0093]
Also, for example, if the affiliation of the organization changes due to a personnel change or the affiliation does not change, but the association between the decryption authority and each user changes, such as when a new project member is selected, Each time, the administrator of the cryptographic system 1 only needs to update the stored contents of the authority management database 7 (change the setting), and the user does not need to generate a new key pair.
[0094]
Further, in the present embodiment, for example, the expiration date of the authority for decryption can be set. That is, if the expiration date is set to, for example, 6 months at the time of setting by the administrator, the setting is automatically performed by the control of the control unit 5 without the administrator changing the setting when 6 months have elapsed from the setting. Update the content to invalidate the authority.
[0095]
Further, for example, in the case of retirement, it is only necessary to invalidate the retiree's authority while the public key of the retiree is kept stored in the key management database 6. To invalidate, for example, a bit indicating invalidity may be set in the column of the corresponding user in the authority management database 7. In this case, when there is a decryption request, the control unit 5 determines whether or not an invalid bit is set, thereby determining whether to generate the third ciphertext 15 and transmit it to the user. Make a decision. That is, for example, if an invalid bit is set, the process of generating the third ciphertext 15 and transmitting it to the user is not executed.
[0096]
It is preferable to manage not only the decryption authority but also the encryption authority in the same manner. By managing the encryption authority in this way, it is possible to prevent each user from performing encryption without permission based on the authority rule.
[0097]
Here, in the encryption system of the present embodiment, the settings (decryption authority, encryption authority, and the like) by the administrator themselves are the usage policies of the encryption system. Therefore, as shown in FIG. 13, the management server 2 can output (print out) the set specification policy 8 in a predetermined format or transmit (distribute) it to each user-side operation terminal 3. It has become.
[0098]
Further, it is preferable that the setting of the specification policy is configured so that at least some of the items can be executed in a question-and-answer format. Specifically, for example, when a setting button is selected and operated on the mode selection screen, a wizard is activated to shift to a settable mode. In this configurable mode, for example, “Q. To which organization do you apply?”, “Q. Who is responsible?”, “Q. What does confidential mean?” Or “Q. In response to the question from the management server 2, "What does XX project confidential mean?", The administrator inputs necessary items in the corresponding input fields, Setting (setting of specification policy) can be performed.
[0099]
Here, the secret key of the manager (the manager is also a user) is different from, for example, the secret key of a general user, and can directly operate the management server 2. The user side operation terminal 3 connects to the management server 2 and functions as an administrator key capable of performing setting operations in the management server 2.
[0100]
Further, when the secret key of the administrator is used as the administrator key, the security can be improved by applying the so-called double lock method.
[0101]
Further, for example, when a person who has illegally obtained a user's secret key and ID makes a decryption request, it is also preferable to be configured to be able to notify the authorized user of the request. To realize this configuration, a record of the last decryption request date and time (last login date and time) is added to the ID, and the management server 2 manages the last decryption request date and time of each user. It is only necessary to be configured to (save). That is, when there is a decryption request, the control unit 5 updates the last decryption request date and time of the received ID. Then, when transmitting the third ciphertext 15 to the decryption requester, an ID whose last decryption request date and time has been updated is attached to the third ciphertext 15. Further, the user-side operation terminal 3 updates the existing ID held by itself to a new ID transmitted from the management server 2. Further, when there is a decryption request, the control unit 5 collates the final decryption request date and time attached to the transmitted ID with the corresponding final decryption request date and time managed by the management server 2, When these dates and times are different, the user who has made the decryption request is configured to be notified of the difference. In addition, as this notification, for example, "The last time recorded in the server and the last time described in the ID file are different. Please report to the administrator because there is a possibility that it was used illegally." Make a notification.
[0102]
The encryption system 1 according to the present embodiment can be suitably applied not only to information management in a company but also to, for example, an electronic government, an electronic local government, a financial institution, and the like.
[0103]
Further, the user-side operation terminal 3 is preferably made of, for example, a PC (Personal Computer), but is not limited to this. For example, the user-side operation terminal 3 may be made of a portable information terminal such as a PDA (Personal Digital Assistant). good.
[0104]
Further, the key management database 6 or the authority management database 7 of the management server 2 may be constituted by a storage medium attached to the management server 2, but is constituted by a storage medium detachable from the management server 2. It is also preferable that such a detachable configuration allows the database to be removed and stored in a safe, for example, and security management can be performed more strictly.
[0105]
【The invention's effect】
According to the present invention, the user's private key is used for the encryption key, and the management server manages the user's public key, so even if the user loses the secret key, the management server does It is possible to decrypt. That is, the disadvantage of the conventional hybrid encryption method can be solved. Further, at the time of encryption, there is no need to communicate with the management server. In addition, the user only needs to have his / her own private key.
[Brief description of the drawings]
FIG. 1 is a block diagram showing an encryption system according to an embodiment of the present invention.
FIG. 2 is a block diagram illustrating a management server (management device).
FIG. 3 is a diagram showing a key management database.
FIG. 4 is a diagram showing a user-side operation terminal.
FIG. 5 is a block diagram for explaining an operation at the time of registration of a user.
FIG. 6 is a block diagram for explaining a flow of a decryption request.
FIG. 7 is a flowchart illustrating the flow of a decryption request.
FIG. 8 is a flowchart illustrating the flow of a decryption request.
FIG. 9 is a flowchart illustrating the flow of a decryption request.
FIG. 10 is a flowchart illustrating the flow of a decryption request.
FIG. 11 is a block diagram illustrating another aspect of the management server (management device).
FIG. 12 is a diagram showing an authority management database.
FIG. 13 is a block diagram for explaining output and distribution of a specification policy.
FIG. 14 is a block diagram for explaining a conventional technique.
FIG. 15 is a diagram illustrating a key management database according to the related art.
FIG. 16 is a diagram for explaining a conventional user-side operation terminal.
FIG. 17 is a block diagram illustrating a flow of a decryption request according to the related art.
[Explanation of symbols]
1 Cryptographic system
2 Management server (management device)
5 control part
6 key management database
13 First ciphertext
14 Second ciphertext
15 Third ciphertext
S33 First ciphertext extraction process
S35 Decryption process using other key
S36 Third ciphertext generation step
7 Authority management database
10. Session key (disposable key)

Claims (17)

An encryption system including a management device capable of decrypting cipher text based on a decryption request from a user,
The management device,
A key management database that manages the public keys of multiple users registered as users,
A control unit capable of executing decryption and encryption using a public key in the key management database,
With
The control unit includes:
As a decryption request from the user, a second ciphertext generated by further encrypting the first ciphertext encrypted with the secret key of another user with the secret key of the user is transmitted from the user. If
A first ciphertext extracting step of extracting the first ciphertext by decrypting the second ciphertext using the user's public key in the key management database;
A third party key use decryption step of decrypting the first ciphertext extracted in the first ciphertext extraction step using the other party's public key in the key management database;
A third ciphertext generating step of generating a third ciphertext by encrypting a decryption result obtained by using the other party's key using the public key of the user;
In this order,
Further, the cryptographic system is configured to transmit the third ciphertext generated in the third ciphertext generation step to the user who made the decryption request. The encryption system according to claim 1, wherein the key management database manages each public key in a private manner. The key management database manages each of the public keys of a plurality of users in association with the identification information of each user,
The user shall transmit the identification information of the user attached to the second ciphertext at the time of the decryption request,
The control unit includes:
When a decryption request is made by a user, the public key corresponding to the identification information transmitted from the user is acquired from the key management database and used for decryption in the first ciphertext extracting step. The cryptographic system according to claim 1 or 2, wherein 4. The encryption system according to claim 3, wherein the control unit authenticates a user based on whether or not decryption can be performed in the first ciphertext extraction step. 5. The user shall obtain the first ciphertext and the identification information of the other person in advance before the decryption request, and generate the second ciphertext using the secret key of the user. The first cipher text and the identification information of the other person are collectively encrypted,
The control unit includes:
Extracting the first ciphertext and the identification information of the other person in the first ciphertext extraction step, obtaining a public key corresponding to the extracted identification information from the key management database, and decrypting the other party key using 5. The encryption system according to claim 3, wherein the encryption system is used for decryption. The identification information includes a record of the date and time of the last decryption request,
The management device is configured to manage the last decryption request date and time of each user,
The control unit, when there is a decryption request, performs a comparison between the final decryption request date and time attached to the transmitted identification information and the corresponding final decryption request date and time managed by the management device. The cryptosystem according to any one of claims 3 to 5, wherein when the date and time are different, the user who made the decryption request is notified of the difference. . The management device is configured to be able to set authority for decryption for each user,
2. The control unit according to claim 1, wherein when a decryption request is issued, the control unit determines whether to generate and transmit the third ciphertext to a user according to a set authority. The encryption system according to any one of claims 1 to 6. The encryption system according to claim 7, wherein the management device further includes an authority management database that manages the association between the authority related to decryption and each user. The management device can set a plurality of types of association as the association between the authority and each user,
8. The method according to claim 7, wherein the control unit determines whether to generate the third ciphertext and transmit the generated third ciphertext to a user in accordance with one of the types of the decryption requests. 9. The encryption system according to 8. The encryption system according to claim 9, wherein the plurality of types of association include at least association according to an organization and association according to confidentiality. The encryption system according to any one of claims 7 to 10, wherein an expiration date of authority for decryption can be set. The encryption system according to any one of claims 1 to 11, wherein a usage policy of the encryption system can be created in a question-and-answer format. 13. The encryption system according to claim 12, wherein the created usage policy can be output or transmitted to each user. A ciphertext processing method using the cryptographic system according to claim 1, wherein:
The first user, which is the other person, generates the first ciphertext using its own secret key, and obtains the generated first ciphertext by the second user, which is the user. Let
Subsequently, the second user obtains the first ciphertext in the obtainable state, further encrypts the first ciphertext with its own secret key to generate a second ciphertext, Transmitting the generated second ciphertext to the management device;
Subsequently, the control unit executes the first ciphertext extraction step, the third party key use decryption step, and the third ciphertext generation step in this order, and further executes the third ciphertext generation step. (3) causing the second ciphertext to be obtainable by the second user;
Subsequently, the second user obtains the third ciphertext, and obtains the decryption result by decrypting the third ciphertext with its own secret key. A ciphertext processing method using the cryptographic system according to claim 3, wherein:
The first user, which is the other person, generates the first ciphertext using its own secret key, and obtains the generated first ciphertext by the second user, which is the user. Let
Subsequently, the second user obtains the first ciphertext in the obtainable state, further encrypts the first ciphertext with its own secret key to generate a second ciphertext, Transmitting the generated second ciphertext to the management device with its own identification information;
Subsequently, the control unit acquires a public key corresponding to the identification information transmitted from the second user from the key management database, and decrypts the second ciphertext using the acquired public key. After performing the first ciphertext extraction step in
The third-party key use decryption step and the third ciphertext generation step are executed in this order, and the third ciphertext generated by the third ciphertext generation step can be obtained by the second user. Let
Subsequently, the second user obtains the third ciphertext, and obtains the decryption result by decrypting the third ciphertext with its own secret key. The first user causes the second ciphertext and the identification information of the first user to be obtainable by a second user,
The second user generates the second ciphertext by collectively encrypting the obtained first ciphertext and the identification information of the first user with its own secret key,
The control unit retrieves the first ciphertext and the identification information of the other person in the first ciphertext retrieval step, acquires a public key corresponding to the retrieved identification information from the key management database, and The ciphertext processing method according to claim 15, wherein the ciphertext processing method is used for decryption in a decryption process using a private key. The first user generates a disposable key and encrypts data by using the disposable key to generate encrypted data, while encrypting the disposable key using its own private key to generate the disposable key. A first ciphertext is generated, and the generated first ciphertext and encrypted data are made available to the second user.
Subsequently, the second user obtains the first ciphertext and the encrypted data in the obtainable state, and further encrypts the first ciphertext with its own secret key to obtain the second ciphertext. And transmits the generated second ciphertext to the management device.
Subsequently, the control unit extracts the disposable key by executing the first ciphertext extracting step and the third party key using / decrypting step in this order, and transfers the disposable key to the third ciphertext generating step. The third ciphertext is generated by encrypting the third ciphertext, and the third ciphertext is made to be obtainable by the second user.
Subsequently, the second user obtains the third ciphertext, extracts the disposable key by decrypting the third ciphertext with its own secret key, and uses the disposable key to extract the encrypted data. The ciphertext processing method according to any one of claims 14 to 16, wherein the data is extracted by decrypting the data.

Images