JP2006270348A - Mutual authentication and key sharing system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a mutual authentication and key sharing system with which an attacker hardly observes and decodes communication, and key sharing is performed as well as authentication of an authorized apparatus. <P>SOLUTION: When a first information processing apparatus and a second information processing apparatus share a key to execute encryption communication, the first information processing apparatus transmits first authentication information in which the first information is encrypted, and the second information processing apparatus decrypts the first authentication information and re-encrypts the decrypted information to respond as second authentication information. If a first authentication means determines that the second information processing apparatus is an authorized apparatus, a fifth authentication information generating and transmitting means transmits fifth authentication information. If determining that the first information processing apparatus is an authorized apparatus, the second information processing apparatus considers the fifth key information as a session key, and the first information processing apparatus considers third key information as a session key, thereby sharing the encryption key, and encrypted communication is executed with this session keys. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a mutual authentication and key sharing system, and more particularly to a method of sharing keys used for cryptographic authentication and mutual authentication of devices in a system that performs cryptographic communication only between information processing devices that satisfy specific conditions.

  Today, various methods are known as methods for performing partner authentication or mutual authentication. Among them, a mutual authentication method based on a secret key encryption method is known (see, for example, Non-Patent Document 1). This mutual authentication method can perform mutual authentication with relatively light processing compared to a method based on public key cryptography or a method using an authentication center.

  In such an authentication method, a common encryption key and a common calculation means are set in advance for a legitimate device, and the verifier generates and sends a random number to the person to be verified. If it is a legitimate device, the verifier will calculate the random number with the correct encryption key and use the correct encryption key to send it back. By comparing the calculated result with the result calculated by itself, it is possible to determine that the person to be verified is a valid partner if they match.

Okamura Tatsuaki, Yamamoto Hiroshi, “Contemporary Cryptography”, Sangyo Tosho, Inc.

  However, in a mutual authentication method using common common key cryptography, an attacker sends a random number that is first transmitted from the verifier to the verifier and a value that is sent back by encrypting the random number with a key shared by the verifier. If you observe, you will know the input and output values of the cipher. Furthermore, if encryption is always performed with the same encryption key, there is a disadvantage that the encryption key is likely to be decrypted from the input value and output value obtained by observation. In addition, since the amount of information to be communicated is not constant each time, there may be a problem that one authentication signal cannot be communicated at a time, particularly on a communication path that can transfer only a limited amount of information at a time.

  The present invention has been made in view of the above points, and it is difficult for an attacker to observe and decode communication, and not only authenticates a legitimate device but also allows a key to be shared and a key sharing system. The purpose is to provide.

  Another object of the present invention is to provide a mutual authentication and key sharing system capable of realizing mutual authentication safely and sharing a key even if the communication path and the circuit scale of the device are limited. is there.

  Furthermore, another object of the present invention is to provide a mutual authentication and key sharing system capable of acquiring information unique to an information processing apparatus whose validity has been confirmed and reflecting it in encrypted communication.

In order to achieve the above object, in the mutual authentication and key sharing system according to the first aspect of the present invention, the first information generating means for generating the first information and the first information are encrypted based on the first key information. The first authentication information generating and transmitting means for generating one authentication information and transmitting the first authentication information to the second information processing apparatus, and the second information processing apparatus perform a predetermined calculation based on at least the first authentication information. Second authentication information receiving means for receiving the second authentication information output from the second information processing apparatus, second key information generating means for generating second key information based on at least the first information, and second authentication information Is decrypted based on the second key information and outputs the third authentication information, and the first information and the third authentication information obtained by the decryption by the second decryption means have a predetermined relationship. Verify the validity of the second information processing device based on whether or not it is satisfied First authentication means, third key information generation means for generating third key information based on at least first information and third authentication information, and fourth authentication information based on at least third authentication information. Fourth authentication information generating means, and fourth authentication information is encrypted based on the third key information to generate fifth authentication information, and the second authentication information is generated according to the verification result of the first authentication means. A first information processing apparatus comprising: fifth authentication information generating and transmitting means for transmitting to the processing apparatus;
Reception and decryption means for receiving first authentication information transmitted from the first information processing apparatus, decrypting the received first authentication information based on first key information prepared in advance, and outputting the first information And a third authentication information generating means for generating third authentication information based on at least the first information obtained by the receiving and decrypting means, and a fourth based on at least the first information obtained by the receiving and decrypting means. Fourth key information generating means for generating key information, second authentication information is generated by encrypting the third authentication information based on the fourth key information, and the second authentication information is transmitted to the first information processing apparatus. Second authentication information generation and transmission means, and fifth authentication information received from the first information processing apparatus for receiving the fifth authentication information output by the first information processing apparatus performing a predetermined calculation based on at least the second authentication information. Means and at least receiving and decoding A fifth key information generating means for generating fifth key information based on the first information and the third authentication information obtained in the step, and decrypting the received fifth authentication information based on the fifth key information A third decryption means for outputting information; and a second authentication means for verifying the validity of the first information processing device according to whether or not the third authentication information and the fourth authentication information satisfy a predetermined relationship. After determining whether or not the second information processing apparatus is a legitimate device, the encryption key is shared, and encrypted communication is performed based on the encryption key.

  In other words, in the first invention, when the first information processing apparatus determines that the second information processing apparatus is valid by the first authentication means, the fifth authentication information is transmitted from the fifth authentication information generation and transmission means. When the second information processing apparatus determines that the first information processing apparatus is valid by the second authentication means, the fifth key information is used as the session key, and the first information processing apparatus uses the third key information as the session key. Thus, the encryption key is shared, and encrypted communication is performed using the session key.

In order to achieve the above object, in the mutual authentication and key sharing system of the second invention, the first information processing apparatus stores at least one or more key information as first authentication information generation and transmission means. 1 memory, first key information selecting means for selecting at least one or more key information from the first memory as first key information, and first key information selected by the first key information selecting means. First encryption means for outputting the first authentication information after being encrypted, and first authentication information transmission means for transmitting the first authentication information to the second information processing apparatus, and further, the first key information Specific information transmitting means for transmitting specific information for specifying the first key information selected by the selecting means to the second information processing apparatus;
The second information processing apparatus includes specific information receiving means for receiving specific information transmitted from the first information processing apparatus, and stores at least one or more key information serving as first key information as receiving and decrypting means. Second key, first key information specifying means for specifying key information from the second memory and outputting at least one or more first key information based on the received specifying information, and transmission from the first information processing apparatus First authentication information receiving means for receiving the received first authentication information, and the received first authentication information based on the first key information specified by the first key information specifying means and outputting the first information 1 decoding means,
The first information processing apparatus selects the first key information from the plurality of key information and encrypts the first information, and the second information processing apparatus specifies the first key information selected by the first information processing apparatus. Thus, the decryption is performed. In the present invention, encryption of the first information in the first information processing apparatus is selected and encrypted from among the plurality of first key information, and specific information for specifying the selected first key information is provided. Send.

  In order to achieve the above object, the mutual authentication and key sharing system according to the third aspect of the present invention is such that the first information processing apparatus encrypts the first information by the first key information by the first authentication information generation and transmission means. The encryption method of the fourth authentication information by the third key information by the method and the fifth authentication information generation and transmission means is an encryption method based on the common key encryption, and the second authentication information by the second decryption means The second key information is decrypted based on the common key encryption, and the fourth authentication information generating means generates the fourth authentication information having the same amount of information as the first authentication information based on at least the third authentication information. The second information processing apparatus is configured to decrypt the first authentication information by the first key information by the reception and decryption means, and decrypt the fifth authentication information by the fifth key information by the third decryption means. Common key cryptography Encryption based on the fourth key information of the third authentication information by the second authentication information generation and transmission means is performed based on the common key encryption, and the third authentication information generation means The first authentication information and the second authentication are configured to generate the third authentication information having the same amount of information as the one authentication information based on at least the first information, and transmitted and received between the first information processing apparatus and the second information processing apparatus. The information and the fifth authentication information are all the same information amount.

  In the present invention, encryption and decryption in the first information processing apparatus and the second information processing apparatus are made common key encryption, so that the information amount before and after the encryption and decryption is made equal, and the third authentication information In addition, by making the fifth authentication information the same information amount as the first authentication information, the information amount of the authentication information communicated is made constant, and the information amount processed in the information processing apparatus is made constant. Can do.

In order to achieve the above object, in the mutual authentication and key sharing system according to the fourth aspect of the invention, the first information processing apparatus includes unique information storage means for storing information unique to the first information processing apparatus, The fourth authentication information generating means generates the fourth authentication information based on at least the third authentication information and the unique information of the device read from the unique information storage means;
The second information processing apparatus includes a unique information acquisition unit that acquires at least information unique to the first information processing apparatus from the fourth authentication information, and a communication control unit that controls communication processing from the acquired unique information. The validity of the first information processing apparatus is verified by the second authentication means depending on whether or not the information and the fourth authentication information satisfy a predetermined relationship. The unique information is acquired, and the communication processing is controlled by the communication control means based on the acquired unique information.

  In the present invention, the fourth authentication information generating means includes the fourth information including information unique to the apparatus only when the first authentication means of the first information processing apparatus determines that the second information processing apparatus is a valid communication partner. The first information processing device is generated based on the fifth authentication information generated by generating the authentication information, encrypting it with the third encryption means and transmitting it as the fifth authentication information to the second information processing device. Is verified by the second authentication means, and if it is valid, the unique information of the first information processing apparatus is further acquired by the specific information acquisition means, and the communication control means controls the communication processing by the acquired specific information. .

  According to the first invention, the first authentication information obtained by encrypting the first information is transmitted from the first information processing apparatus, and the second information processing apparatus decrypts the first authentication information, encrypts it again, and re-encrypts it. By responding as two authentication information, even if an attacker observes the first authentication information and the second authentication information, a so-called known plaintext attack that knows the input and output values of the cipher cannot be applied, and is safe. A mutual authentication system can be realized.

  Further, according to the first invention, communication is not performed by using key information generated based on the first information that cannot be known even if an attacker observes communication without using key information that is a fixed value. If the attacker who knew the default key and the encryption did not know the generation algorithm of the key information generation means that generates the key information from the first information, Therefore, it is possible to realize a secure mutual authentication system that cannot be authenticated. According to the first invention, the third key information generating means and the fifth key information generating means generate a key based on the third authentication information, making it difficult for the attacker to decrypt the fifth authentication information. A safer mutual authentication can be realized.

  Further, according to the first invention, when the first information processing apparatus determines that the second information processing apparatus is valid by the first authentication means, the fifth authentication information is transmitted from the fifth authentication information generation and transmission means. When the second information processing apparatus determines that the first information processing apparatus is valid by the second authentication means, the fifth key information is used as the session key, and the first information processing apparatus uses the third key information as the session key. Thus, the encryption key is shared, and encrypted communication can be performed using this session key.

  According to the second invention, the encryption of the first information of the first information processing apparatus using the fixed key information can be selected and encrypted from the plurality of key information, and the specific information Even if information for specifying is obtained for an attacker who observes communication by transmitting only to the second information processing device so that the second information processing device can decrypt it, the specific information and key information If you do not know the relationship between the key information, it will not help with decryption, and it will be more difficult to decrypt if the key information used and the first information to be encrypted are updated at every communication than when using a fixed key. Thus, a safer mutual authentication system can be realized.

  In addition, according to the third aspect, by making the encryption and decryption in the first information processing apparatus and the second information processing apparatus into a common key encryption, the amount of information before and after the encryption and decryption is made equal. Further, by making the third authentication information and the fifth authentication information the same information amount as the first authentication information, the information amount of the authentication information communicated is made constant, and the information amount processed in the information processing apparatus Since it is designed to be constant, it is excellent for use in communication channels where the amount of information to be transmitted and received is limited, and the amount of information that can be observed by an attacker is always constant, which is useful for estimation. It is difficult to find information.

  Further, according to the third invention, since the amount of information handled in the information processing apparatus is constant, the processing can be made common, the circuit scale and the memory amount can be reduced, and the processing of the communication path and the information processing apparatus A secure mutual authentication system can be realized even when the capability is limited.

  Furthermore, according to the fourth invention, the first information processing apparatus encrypts the fourth authentication information including information unique to the apparatus only when the second information processing apparatus is determined to be a valid communication partner. If the authenticity of the first information processing apparatus can be verified based on the fifth authentication information transmitted to the second information processing apparatus and received by the second information processing apparatus, the unique information acquisition unit further performs the first information processing. Since the unique information of the device is acquired and the communication processing is controlled by the acquired unique information, the information unique to the first information processing device is transmitted to the second information processing device without being deciphered by an attacker. In the second information processing apparatus, it is possible to set encrypted communication based on the unique information of the legitimate information processing apparatus.

  Next, embodiments of the present invention will be described with reference to the drawings. The present invention is difficult for an attacker to observe and decipher the communication even if there is a limitation on the circuit scale of the communication path and the device, and not only authenticates a legitimate device but also shares a key, Furthermore, it is a mutual authentication and key sharing system that can acquire device-specific information and reflect it in encrypted communication.

  In the first embodiment of the mutual authentication and key sharing system according to the present invention, is the first information processing device in the block diagram of FIG. 1 and the second information processing device in the block diagram of FIG. 2 valid devices? After determining whether or not, encryption communication is performed based on the encryption key.

  First, the first information processing apparatus shown in the block diagram of FIG. 1 will be described. In FIG. 1, first, the first information generating means 11 generates, for example, 64-bit first information r0. The first information r0 is encrypted with the first key information Kd by the first encryption means 12, and is transmitted as the first authentication information by the first authentication information transmission means 14 to the second information processing apparatus shown in FIG. .

  For this reason, when a constant value or a regular value is always generated, the first information generation unit 11 is not able to communicate with the first key information Kd because it is weak against an attack that attempts to decrypt the first key information Kd by observing the transmission data. A generating means for changing the value every time is preferable. Specifically, a linear feedback shift register is used, or a constantly changing value such as thermal noise or date / time information is measured and used as it is, or a predetermined calculation is performed using the value as an initial value, and the result It is preferable to use the obtained value or obtain a random number or pseudo-random number. The information thus obtained is referred to as first information r0.

  The first information r0 is supplied to the first encryption means 12, where the first information r0 is encrypted by a known encryption method using, for example, 64-bit first key information Kd stored in advance in the first memory 13 as an encryption key. For example, 64-bit first authentication information E (Kdi, r0) is obtained. The first key information Kd stored in the first memory 13 is information that can be used as an encryption key as it is, for example, a bit string of 64 bits (of which 8 bits are parity) if the encryption method is DES (Data Encryption Standard). It may also be possible to store information that can be used as an encryption key by performing calculations such as storing information for generating a key, for example, storing an initial value of a linear feedback shift register.

  The first information r0 encrypted by the first encryption unit 12 is transmitted as first authentication information E (Kdi, r0) by the first authentication information transmission unit 14 to the second information processing apparatus shown in FIG. The The communication means used for transmitting and receiving the authentication information between the first information processing apparatus and the second information processing apparatus is a large-scale network such as the Internet (TCP / IP) or the American Institute of Electrical and Electronics Engineers ( Wireless LAN (Local Area) with specifications such as IEEE802.11b established by IEEE even if devices are directly connected to each other using a single cable with IEEE 1394 serial interface standard IEEE1394 or USB (Universal Serial Bus) Network), and the first authentication information E (Kdi, r0) is transmitted by processing according to the protocol of the communication means.

  Next, the first information processing apparatus receives second authentication information (described later) generated and transmitted from the second information processing apparatus of FIG. The communication method of the second authentication information receiving unit 15 is the same as that of the first authentication information transmitting unit 14. The second authentication information received by the second authentication information receiving means 15 is supplied to the second decryption means 16, where the second key information generating means 17 is generated based on the first information r0. For example, decryption is performed using the 64-bit second key information Pr0.

  The second key information generation unit 17 performs a predetermined calculation on the first information r0 input from the first information generation unit 11 to generate the second information Pr0. As a predetermined calculation, a correct device is a correct calculation such as a replacement for changing the order of bits of input information and outputting, or a remainder obtained by dividing a predetermined number p as key information. Although a method is set, it is preferable for an attacker who does not know the calculation method to generate the second key information Pr0 from the first information r0.

  Thus, for example, 64-bit third authentication information obtained by decrypting the received second authentication information by the second decryption means 16 is the second information processing apparatus that is the transmission source of the second authentication information. Is a legitimate device, the first authentication information transmitted by the first information processing device is received by the second information processing device and correctly decrypted using the first key information to obtain the first information, Based on the same calculation method as the generation method in the second key information generation unit, a key equivalent to the second key information Pr0 is generated, and the third authentication information is encrypted and transmitted as the second authentication information. The third authentication information decrypted by the second decryption means 16 has the same value as the third authentication information generated by the second information processing apparatus.

  The first authentication unit 18 verifies the validity of the second information processing apparatus depending on whether or not the third authentication information satisfies a predetermined relationship with the first information r0 output from the first information generation unit 11. . For example, the amount of information of the first information r0 is set to 64 bits, a hash function for setting this to 32 bits is set, and a 32-bit random number r1 is combined with the higher order of the information hr0 that has become 32 bits, and again the 64-bit information And

  If the second information processing apparatus is set to generate the third authentication information in this way, the first authentication means 18 uses the first information r0 generated by the first information generation means 11 as the second information. The hash value hr0 is obtained by the same hash function used by the information processing apparatus for generating the third authentication information, and the lower 32 bits of the third authentication information decrypted by the second decryption means 16 match. In this case, the second information processing apparatus recognizes that it is valid.

  Here, if the second information processing apparatus is an unauthorized device, the first authentication information E (Kdi, r0) transmitted by the first information processing apparatus cannot be correctly decrypted, or the third authentication information cannot be correctly set. The predetermined relationship in the first authenticating means 18 is not satisfied because either or all of the encryption keys for encrypting the third authentication information cannot be correctly generated.

  Next, when the validity of the second information processing apparatus is authenticated by the first authentication means 18, the first information processing apparatus uses the third authentication information to obtain the fourth authentication information by the fourth authentication information generation means 19. At the same time, the third key information generation means 20 generates the third key information. At this time, if the third authentication information is 64-bit information in which the hash value hr0 of the first information r0 is set to the lower 32 bits and the random number r1 is set to the upper 32 bits, the fourth authentication information generating means 19 The value generated and set by the second information processing apparatus, that is, in this case, the upper 32-bit random number r1 is left as it is, and the lower 32-bit hash value hr0 is used as the fourth authentication of the first information processing apparatus. The information generation means 19 replaces the newly generated 32-bit random number r2.

  This is similar to the fact that the first information processing apparatus authenticates the second information processing apparatus as a legitimate device because the hash value hr0 of the first information is included in the third authentication information. In addition, the value set by the second information processing apparatus for the second information processing apparatus, that is, by replacing only the lower 32 bits without changing the upper 32 bits, the validity of the first information processing apparatus itself can be confirmed. This is to show the second information processing apparatus.

  Further, the third key information generation unit 20 performs, for example, a second decryption key which is a key obtained by performing a predetermined calculation on the first information r0 output from the first information generation unit 11 and the third authentication information. 2 The value set by the information processing apparatus, that is, the upper 32 bits of random number r2 is calculated to obtain third key information r3. The calculation is a calculation method set in advance only for legitimate devices such as substitution, hash function, exclusive OR, and the third key information even if the attacker knows the first information r0 and the upper 32 bits of random number r2 as input. An arithmetic method that cannot generate r3 is preferable.

  In this way, the fourth authentication information generated by the fourth authentication information generation means 19 is encrypted by the third encryption means 21 using the third key information r3 generated by the third key information generation means 20. 5th authentication information is produced | generated by this, This 5th authentication information is transmitted to the 2nd information processing apparatus of FIG. The fifth authentication information transmitting unit 22 has the same configuration as the first authentication information transmitting unit 14.

  Next, the configuration and operation of the second information processing apparatus will be described with reference to FIG. First, the first authentication information receiving means 26 receives the first authentication information E (Kdi, r0) transmitted from the first information processing apparatus. The first authentication information receiving unit 26 of the second information processing apparatus is configured to receive the transmission information of the first authentication information transmitting unit 14 of the first information processing apparatus.

  The first authentication information received by the first authentication information receiving means 26 is supplied to the first decryption means 27, where it is decrypted using the first key information Kd stored in advance in the second memory 28. Is done. At this time, the first key information stored in the second memory 28 may be information that can be directly used as an encryption key, like the first key information in the first memory 13 of the first information processing apparatus. The information used as the initial value of the calculation, and the calculation result may be information used as the encryption key.

  Further, even if the key information stored in the first memory 13 is information that can be directly used as an encryption key, the information stored in the second memory 28 is information that becomes an initial value of a predetermined calculation. Any information can be used as long as the key is equivalent to the encryption key stored in the first memory 13 as a result of the calculation. Further, it is assumed that the information in the first memory 13 and the second memory 28 may be stored in the reverse manner.

  When the first authentication information is decrypted by the first decryption means 27 using the first key information, the second memory 28 stores the same first information processing apparatus as the first information processing apparatus when the second information processing apparatus is a legitimate device. Since the one key information Kd is stored, the first information r0 is restored. Using this first information r0, the third authentication information generating means 29 generates third authentication information. Here, as described in the operation of the first authentication unit 18 of the first information processing apparatus, if the first information r0 is 64-bit information, the 32-bit information hr0 is obtained by a hash function, and the 32-bit information A new random number r1 may be generated and combined with the upper 32 bits of the hash value hr0 to obtain 64-bit information.

  The random number r1 to be combined at this time can be generated by using the linear feedback shift register described in the first information generating unit 11. In addition to the hash value, a value based on the first information r0 generated by the first information processing apparatus may be a part of the third authentication information, and a part of 32 bits of the first information r0 may be used as it is. When a certain value is determined, a list that outputs a value corresponding to the value may be stored in advance, and a value corresponding to the first information r0 may be selected from the list and used as part of the third authentication information. .

  The third authentication information generated by the third authentication information generation means 29 in this way (assuming that the upper 32 bits are the random number r1 and the lower 32 bits are the hash function value hr0, (r1‖ | hr0) Is supplied to the second encryption unit 30, and is encrypted using the fourth key information generated by the fourth key information generation unit 31. The fourth key information generation means 31 is based on the second key information generated by the second key information generation means 17 of the first information processing device based on the first information r0 decrypted by the first decryption means 27. The same fourth key information Pr0 is generated.

  As a result, the second encryption unit 30 obtains the authentication information E (Pr0, r1‖hr0) obtained by encrypting the third authentication information using the fourth key information from the second encryption unit 30. Obtained as the second authentication information and transmitted to the first information processing apparatus by the second authentication information transmitting means 32.

  Next, when the validity of the second information processing apparatus is authenticated by the authentication process based on the second authentication information transmitted from the second information processing apparatus side on the first information processing apparatus side, the first information processing apparatus is authenticated. The fifth authentication information receiving means 33 in FIG. 2 receives the fifth authentication information transmitted from the apparatus by the fifth authentication information transmitting means 22.

  The received fifth authentication information is generated by the fifth key information generation means 35 of FIG. 2 in which the third decryption means 34 generates the same key as the third key generation means 20 shown in FIG. The fourth authentication information is obtained by decrypting using the key information. The fifth key information generation unit 35 generates the fifth key information r3 based on the first information r0 obtained by the first decryption unit 27 and the third authentication information obtained by the third authentication information generation unit 29. obtain.

  The fourth authentication information obtained by decryption by the third decryption means 34 is generated as described in the fourth authentication information generation means 19 of the first information processing apparatus, and is encrypted and correctly encrypted by a legitimate device. If decryption and key generation are performed, information generated by the second information processing apparatus itself with the third authentication information is included in a part thereof.

  In the second authentication means 36, if the third authentication information generated by the second information processing device and the fourth authentication information received and decrypted from the first information processing device satisfy a predetermined relationship, the first information processing Accept the device as legitimate. If the first information processing apparatus is valid and performs processing such as the above-described fourth authentication information generation means 19, the upper 32 bits of the fourth authentication information are the third authentication information generation means by the second information processing apparatus itself. This is the random number r1 generated and added at 29, and the lower 32 bits are the 32-bit random number r2 newly set by the fourth authentication information generating means 19 of the first information processing apparatus.

  In this way, in the present embodiment, even in the second information processing device, if the validity of the first information processing device is recognized, it is assumed that the devices are mutually valid devices, and the first information processing device receives the third key information, The second information processing apparatus performs encrypted communication using the fifth key information as a session key. At this time, the fourth authentication information encrypted by the third encryption means 21 in the first information processing apparatus and decrypted by the third decryption means 34 in the second information processing apparatus is the second authentication means 36. Therefore, the third key information and the fifth key information are guaranteed to be the same encryption key.

  Further, the key information is generated by the information generated by the first information processing apparatus and the information generated by the second information processing apparatus by the key information generation method in the third key information generation means 20 and the fifth key information generation means 35. Is generated.

  Thus, according to the present embodiment, the first authentication information obtained by encrypting the first information r0 is transmitted from the first information processing apparatus, and the second information processing apparatus decrypts the first authentication information, and again By encrypting and responding as the second authentication information, even if the attacker observes the first authentication information and the second authentication information, a so-called known plaintext attack in which the input value and output value of the encryption are known can be applied. It is impossible, and a secure mutual authentication system can be realized.

  In addition, the second encryption unit 30 and the second decryption unit 16 do not use key information that is a fixed value, and are generated based on the first information r0 that cannot be known even if an attacker observes communication. By using key information, observation by communication becomes more difficult, and even if an attacker knows the default key and encryption, second key information generation means for generating key information from the first information r0 17 and the fourth key information generation means 31 can realize a secure mutual authentication system that cannot be decrypted or illegally authenticated without knowing the generation algorithm.

  Further, the third key information generating means 20 and the fifth key information generating means 35 generate a key based on the third authentication information, making it difficult to decipher the fifth authentication information for the attacker, and more secure mutual authentication. Can be realized.

  According to the present embodiment, the first information processing apparatus uses the first authentication unit 18 to verify the validity of the second information processing apparatus and the first information r0 generated by the first information generation unit 11 itself. The third authentication information obtained by decrypting the second authentication information received from the second information processing apparatus can be verified based on whether or not the predetermined relationship is satisfied, and the fifth authentication is performed only when authenticated. The information is transmitted to the second information processing apparatus, and the second information processing apparatus uses the second authentication means 36 to verify the validity of the first information processing apparatus by the third authentication information generating means. When the information and the fourth authentication information obtained by decrypting the fifth authentication information received from the first information processing apparatus satisfy a predetermined relationship and are mutually authenticated, the session key can be shared at the same time. , Key sharing can be performed along with authentication, It is possible to realize a 互認 certificate and key sharing system.

  Next, a second embodiment of the mutual authentication and key sharing system according to the present invention will be described. In this embodiment, after determining whether or not the first information processing apparatus in the block diagram of FIG. 3 and the second information processing apparatus in the block diagram of FIG. Perform encrypted communication. 3 and 4, the same components as those in FIGS. 1 and 2 are denoted by the same reference numerals, and the description thereof is omitted.

  First, the first information processing apparatus shown in the block diagram of FIG. 3 will be described. In FIG. 3, the first memory 23 of the first information processing apparatus has a storage capacity capable of storing a plurality of key information, and can store or add a plurality of key information in advance. ing. The key information may be information that can be directly used as an encryption key, as in the first memory 13 in the first embodiment, or may be information that can be obtained as an initial value of an operation to obtain an encryption key.

  In addition, when adding a key, it has an interface for accessing the first memory 23. When inputting manually from the outside, when an input device such as a keyboard is supplied from another device by communication. When the communication device is supplied as an IC card using a semiconductor memory or the like, it is necessary to prepare an interface for the IC card.

  The first key information selection unit 24 selects one or a plurality of key information from the plurality of key information in the first memory 23 and supplies the selected key information to the first encryption unit 12 as the first key information. When selecting a plurality of key information, when the first encryption unit 12 uses triple DES, two or three keys may be selected. In the selection method, a key number starting from 1 is set in advance in each of a plurality of key information stored in the first memory 23, and the key number is stored as 1 → 2 while the key number is stored every time encryption is performed. → 3 may be switched in order and the corresponding key information may be switched and used, or a random number may be generated by a linear feedback shift register, and a key number may be designated from the generated random number.

  The designated key number is transmitted as specific information from the specific information transmitting means 25 to the second information processing apparatus. The transmission means at this time is the same as the first authentication information transmission means 14. Further, the specific information transmitting unit 25 and the first authentication information transmitting unit 14 may be combined, and the specific information may be added to the first authentication information and transmitted to the second information processing apparatus at a time.

  Next, a second information processing apparatus according to the second embodiment will be described with reference to FIG. In FIG. 4, the second information processing apparatus has a memory area capable of storing a plurality of key information in the second memory 39, and can store or add a plurality of key information in advance. When adding, it is necessary to provide an interface similar to the first memory 23.

  When the second information processing apparatus receives the specific information from the first information processing apparatus by the specific information receiving means 37, the first key information specifying means 38 receives the key information from the second memory 39 based on the specific information. One or more are identified and provided to the first decoding means 27. At this time, as described in the first information processing apparatus, if the key information and the key number are set to correspond to each other, the key information of the key number indicated by the specific information is read from the second memory 39 and the first decryption is performed. Supply to means 27.

  Further, the correspondence between the key information and the key number does not have to be the same as that of the first memory 23. For example, the first key information in the first memory 23 is the second key in the second memory 39, Even if the second key information in the first memory 23 is defined as third in the second memory 39, at least one of the first key information selecting means 24 or the first key information specifying means 38 is Assume that the correspondence relationship is stored and the first encryption unit 12 and the first decryption unit 27 are set to use the same key.

  According to the second embodiment, the encryption of the first information of the first information processing apparatus can be performed by selecting from a plurality of key information, and only the specific information is transmitted to the second information processing apparatus. By enabling decryption by the second information processing apparatus, an attacker who observes communication can assist in decryption if he / she obtains information for identification but does not know the relationship between the specific information and the key information. In addition, since the key information to be used and the first information to be encrypted are also updated every time communication is performed as compared with the case of using a fixed key, the decryption becomes more difficult, and compared with the first embodiment. A secure mutual authentication system can be realized.

  Next, a third embodiment of the mutual authentication and key sharing system according to the present invention will be described. In this embodiment, after determining whether or not the first information processing apparatus in the block diagram of FIG. 5 and the second information processing apparatus in the block diagram of FIG. Perform encrypted communication. 5 and 6, the same components as those in FIGS. 1 and 2 are denoted by the same reference numerals, and the description thereof is omitted.

  First, the first information processing apparatus shown in the block diagram of FIG. 5 will be described. In FIG. 5, the first common key encryption / encryption means 41, the first common key encryption / decryption means 42, and the third common key encryption / encryption means 44 in the first information processing apparatus are all realized by a common key encryption method. Therefore, the information amount of the input value and the output value is the same. For example, when the first common key encryption means 41 is realized by public key cryptography, the information amount is changed depending on the public key cryptosystem regardless of the input information amount. However, if DES of the common key encryption is used, a 64-bit output can be obtained with respect to the input 64 bits, and a 128-bit output can be obtained with respect to the input 128 bits using AES.

  Further, the fourth authentication information generating means 43 is configured as shown in FIG. 7, for example. In the figure, the third authentication information obtained by the second common key encryption / decryption means 42 in FIG. 5, that is, 128 bits of information obtained from the second information processing apparatus 51 shown in FIG. 7 and decrypted. On the other hand, a 64-bit hash value 55 is obtained by the hash function 52 provided in the fourth authentication information generation means 43, and the random number generation shown in FIG. The means 53 generates a 64-bit random number 54, adds this to the hash value 55, and outputs the same 128-bit authentication information 56 as the input.

  Here, it is conceivable that the same hash value is obtained with different inputs by obtaining a 64-bit hash value from 128 bits of the input. Therefore, a valid hash value may be obtained even though the authentication information is not correct. However, also in this case, as described in the first embodiment, the third key information generation unit 20 generates a key from the 128-bit third authentication information, so that the encrypted fifth authentication information is a valid value. Can be prevented.

  Next, the second information processing apparatus according to the third embodiment illustrated in FIG. 6 will be described. The encryption and decryption means in the second information processing apparatus of FIG. 6 are all realized by the common key cryptosystem. That is, a first common key encryption / decryption unit 45, a second common key encryption / encryption unit 46, and a third common key encryption / decryption unit 47 are provided, which is the same as the first information processing apparatus shown in FIG. In addition, the information amount of the input value and the output value is configured to be the same.

  Further, the third authentication information generation means 48 to which the first information obtained by the first common key decryption means 45 is input is the same as the fourth authentication information generation means 43 of the first information processing apparatus in FIG. Similarly, the configuration shown in FIG. 7 is adopted so that the input and output information amounts are the same.

  According to the present embodiment, encryption and decryption in the first information processing apparatus and the second information processing apparatus are made common key encryption, so that the information amount before and after encryption and decryption is equalized, and By making the authentication information generated by the 3 authentication information generating means 48 and the fourth authentication information generating means 43 the same information amount as the first authentication information, the information amount of the authentication information to be communicated is made constant, and the information Since the amount of information processed in the processing device can be made constant, it is excellent for use in communication channels where the amount of information transmitted and received is limited, and the amount of information that can be observed by attackers is always It is constant and it becomes difficult to find characteristic information useful for guessing.

  In addition, according to the present embodiment, the fact that the amount of information handled in the information processing apparatus is constant can make the processing common and reduce the circuit scale and the amount of memory. A secure mutual authentication system can be realized even when the capability is limited.

  Next, a description will be given of a fourth embodiment of the mutual authentication and key sharing system according to the present invention. In this embodiment, it is determined whether or not the first information processing device in the block diagram of FIG. 1, FIG. 3, or FIG. 5 and the second information processing device in the block diagram of FIG. Thereafter, encryption communication is performed based on the encryption key. 9, the same components as those in FIG. 2 are denoted by the same reference numerals, and the description thereof is omitted.

  The first information processing apparatus according to the fourth embodiment is represented by the block diagram of FIG. 1, FIG. 3, or FIG. 5. Of these, the fourth authentication information generating means 19 or 43 is configured as shown in the block diagram of FIG. There is a feature in that. As shown in FIG. 8, the fourth authentication information generation means 19 or 43 has a random number as described in FIG. 7 on the upper side of the 64-bit hash value 63 obtained from the third authentication information 61 by the hash function 62. Instead of generating and adding 54, a device-specific 64-bit ID 65 read from the device-specific ID memory 64 is added. As a result, a total of 128 bits of fourth authentication information 66 having ID 65 as the upper 64 bits and hash value 63 as the lower 64 is obtained.

  Next, the configuration and operation of the second information processing apparatus according to the fourth embodiment will be described with reference to FIG. 9 is based on the second information processing apparatus of the first embodiment, but may be based on any second information processing apparatus of the first to third embodiments. When the ID is added by the first information processing apparatus, the second information processing apparatus in FIG. 9 obtains the ID 65 of the first information processing apparatus by the third decryption unit 34 if the fifth authentication information is valid information. Obtainable.

  The ID 65 is supplied to the encryption communication control means 71 after being authenticated by the second authentication means 36 of FIG. In the encryption communication control means 71, there is a memory that stores information for designating a specific operation for the ID in advance. The operation is determined based on the device ID input from the second authentication means 36, and the encryption communication control means 71 The control means 72 is controlled.

  According to the present embodiment, the first information processing apparatus, when the first authentication means determines that the second information processing apparatus is a valid communication partner, the fourth authentication information generation means assigns the unique ID of the apparatus. Since the included fourth authentication information 66 is generated, encrypted by the third encryption means, and transmitted to the second information processing apparatus as the fifth authentication information, the second information is not decrypted by the attacker. An apparatus-specific ID is transmitted to the processing apparatus, and the second information processing apparatus verifies the validity of the first information processing apparatus by the second authentication means 36. It is possible to set encryption communication based on the unique information.

  Therefore, according to the present embodiment, it is possible to communicate with a device having a specific ID without encryption, or to encrypt predetermined key information instead of the session key obtained in this session. 72, information can be received only from the first information processing apparatus, and information on encrypted communication can be received only from the opposite second information processing apparatus. .

  Although not shown in the block diagram of the above embodiment, both the first information processing apparatus and the second information processing apparatus have both encryption means and decryption means for performing encrypted communication after authentication. It is assumed that it has a means for transmitting encrypted information and a means for receiving encrypted information. In addition, for the encryption key, the first information processing device uses the third key information, and the second information processing device uses the fifth key information.

It is a block diagram of the 1st information processor of Example 1 of the present invention. It is a block diagram of the 2nd information processor of Example 1 of the present invention. It is a block diagram of the 1st information processor of Example 2 of the present invention. It is a block diagram of the 2nd information processor of Example 2 of the present invention. It is a block diagram of the 1st information processor of Example 3 of the present invention. It is a block diagram of the 2nd information processor of Example 3 of the present invention. It is a block diagram of the authentication information production | generation means in the 1st information processing apparatus of Example 3 of this invention. It is a block diagram of the 4th authentication information generation means in the 1st information processor of Example 4 of the present invention. It is a block diagram of the 2nd information processor of Example 4 of the present invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 11 1st information production | generation means 12 1st encryption means 13 1st memory 14 1st authentication information transmission means 15 2nd authentication information reception means 16 2nd decryption means 17 2nd key information generation means 18 1st authentication means 19, 43 4th authentication information generation means 20 3rd key information generation means 21 3rd encryption means 22 5th authentication information transmission means 26 1st authentication information reception means 27 1st decryption means 28, 39 2nd memory 29, 48 1st 3 Authentication information generation means 30 2nd encryption means 31 4th key information generation means 32 2nd authentication information transmission means 33 5th authentication information reception means 34 3rd decryption means 35 5th key information generation means 36 2nd authentication means 37 specific information receiving means 38 first key information specifying means 41 first common key encryption / encryption means 42 second common key encryption / decryption means 44 third common key encryption / encryption means 45 first common key encryption / decryption means 45 Decryption means 46 Second common key encryption / encryption means 47 Third common key encryption / decryption means 51 Information received from other machine and decrypted 53 Random number generation means 56 New authentication information 61 Third authentication information 64 Device unique ID memory 66 Fourth authentication information 71 Encryption communication control means 72 Encryption means

Claims (4)

In the mutual authentication and key sharing system in which the first information processing apparatus and the second information processing apparatus determine whether or not they are legitimate devices, share an encryption key, and perform encryption communication based on the encryption key.
The first information processing apparatus
First information generating means for generating first information;
First authentication information generating and transmitting means for encrypting the first information based on first key information to generate first authentication information, and transmitting the first authentication information to the second information processing apparatus;
Second authentication information receiving means for receiving, from the second information processing apparatus, second authentication information output by the second information processing apparatus performing a predetermined calculation based on at least the first authentication information;
Second key information generating means for generating second key information based on at least the first information;
Second decryption means for decrypting the second authentication information based on the second key information and outputting third authentication information;
First authentication for verifying the validity of the second information processing apparatus based on whether or not the first information and the third authentication information obtained by decryption by the second decryption means satisfy a predetermined relationship Means,
Third key information generating means for generating third key information based on at least the first information and the third authentication information;
Fourth authentication information generating means for generating fourth authentication information based on at least the third authentication information;
The fourth authentication information is encrypted based on the third key information to generate fifth authentication information, and the fifth authentication information is transmitted to the second information processing apparatus according to the verification result of the first authentication means. And a fifth authentication information generation and transmission means.
The second information processing apparatus
Reception that receives the first authentication information transmitted from the first information processing apparatus, decrypts the received first authentication information based on the first key information prepared in advance, and outputs the first information And decryption means;
Third authentication information generating means for generating third authentication information based on at least the first information obtained by the receiving and decoding means;
Fourth key information generating means for generating fourth key information based on at least the first information obtained by the receiving and decoding means;
Second authentication information generating and transmitting means for encrypting the third authentication information based on the fourth key information to generate second authentication information and transmitting the second authentication information to the first information processing apparatus;
Fifth authentication information receiving means for receiving, from the first information processing apparatus, fifth authentication information output by the first information processing apparatus performing a predetermined calculation based on at least the second authentication information;
Fifth key information generating means for generating fifth key information based on at least the first information obtained by the receiving and decrypting means and the third authentication information;
Third decryption means for decrypting the received fifth authentication information based on the fifth key information and outputting fourth authentication information;
Second authentication means for verifying the validity of the first information processing device depending on whether or not the third authentication information and the fourth authentication information satisfy a predetermined relationship;
When the first information processing apparatus determines that the second information processing apparatus is valid by the first authentication means, the first information processing apparatus transmits the fifth authentication information from the fifth authentication information generation and transmission means, When the information processing apparatus determines that the first information processing apparatus is valid by the second authentication means, the fifth key information is used as a session key, and the first information processing apparatus uses the third key information as a session key. A mutual authentication and key sharing system characterized in that the encryption key is shared by performing the encrypted communication using the session key. The first information processing apparatus
As the first authentication information generation and transmission means,
A first memory storing at least one key information;
First key information selection means for selecting at least one or more pieces of key information from the first memory as the first key information;
First encryption means for encrypting the first information based on the first key information selected by the first key information selection means and outputting the first authentication information;
First authentication information transmitting means for transmitting the first authentication information to the second information processing apparatus;
Further, the information processing device further comprises specific information transmitting means for transmitting specific information for specifying the first key information selected by the first key information selecting means to the second information processing apparatus,
The second information processing apparatus
A specific information receiving means for receiving the specific information transmitted from the first information processing apparatus;
As the receiving and decoding means,
A second memory storing at least one or more key information as the first key information;
First key information specifying means for specifying key information from the second memory based on the received specifying information and outputting at least one or more first key information;
First authentication information receiving means for receiving the first authentication information transmitted from the first information processing apparatus;
First decryption means for decrypting the received first authentication information based on the first key information identified by the first key information identification means, and outputting the first information;
In the first information processing apparatus, the first key information is selected from a plurality of key information to encrypt the first information, and in the second information processing apparatus, the first information processing apparatus selects the first information. 2. The mutual authentication and key sharing system according to claim 1, wherein the first key information is identified and decrypted. The first information processing apparatus
The first authentication information generation and transmission means encrypts the first information with the first key information, and the fifth authentication information generation and transmission means encrypts the fourth authentication information with the third key information. Each of the methods is an encryption method based on a common key cipher, and the second key information of the second authentication information is decrypted by the second decryption means based on a common key cipher. The authentication information generating means is configured to generate the fourth authentication information having the same amount of information as the first authentication information based on at least the third authentication information,
The second information processing apparatus
The decryption method using the first key information for the first authentication information by the reception and decryption unit and the decryption method using the fifth key information for the fifth authentication information by the third decryption unit are respectively used as a common key. In addition to a decryption method based on encryption, encryption based on the fourth key information of the third authentication information by the second authentication information generation and transmission means is performed based on common key encryption, and the third authentication is performed. The information generating means is configured to generate the third authentication information having the same information amount as the first authentication information based on at least the first information,
2. The first authentication information, the second authentication information, and the fifth authentication information transmitted and received by the first information processing apparatus and the second information processing apparatus all have the same information amount. Mutual authentication and key sharing system. The first information processing apparatus
A unique information storage means for storing information unique to the first information processing apparatus; and the fourth authentication information generating means includes at least the third authentication information and the unique information of the apparatus read from the unique information storage means; And generating the fourth authentication information based on
The second information processing apparatus
Specific information acquisition means for acquiring at least information specific to the first information processing apparatus from the fourth authentication information; and communication control means for controlling communication processing based on the acquired specific information, the third authentication information and the The validity of the first information processing apparatus is verified by the second authentication means depending on whether or not the fourth authentication information satisfies a predetermined relationship. If it is valid, the first information is further obtained by the unique information acquisition means. 4. The mutual authentication and key sharing system according to claim 1, wherein unique information of a processing device is acquired, and communication processing is controlled by the communication control unit based on the acquired unique information. 5.

Images