JP2007104118A - Protection method of secret information and communication apparatus - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a method of securing and ensuring the protection of secret information such as a password and a key used by, e.g. the single sign-on. <P>SOLUTION: Both a client terminal 30 and a server 20 generate a shared key for information exchange through a secure channel on the basis of information generated by itself and information generated by the opposite party. The server 20 uses the shared key to encrypt the secret information. The server 20 generates new information for a next access when the server 20 uses the shared key to decrypt the encrypted data, stores part of the new information, encrypts the remaining new information by using its own shared key and transmits the encrypted information to the client terminal 30. The client terminal 30 decrypts the encrypted data received from the server 20 by using its own shared key, decrypts the remaining new information, and stores the remaining new information for the next access. The server 20 generates a new shared key on the basis of the new information for the next access, encrypts the secret information by using the new shared key and stores it for the next access together with part of the new information. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a method for securely protecting confidential information and an apparatus therefor. More specifically, for example, in a server-based computing environment, site access authority information for accessing a plurality of sites (servers) by single sign-on is registered on the server side, and this is securely accessed from the client terminal side. It is related with the technique used for.

Single sign-on techniques are known in server-based computing environments. Single sign-on can be used in the following procedure.
(1) Each time the client accesses the site access password registered on the server, the server generates a different password encryption key. The password for site access is encrypted with this password encryption key and registered on the server side.
(2) The password encryption key generated by the server is registered in a security medium such as an IC card on the client side.
(3) When a user uses a password for site access registered on the server side, the user uses a password encryption key registered on the client side, and a secure channel, that is, encrypted communication between the client terminal and the server. To establish a secure communication channel. In such a secure channel, both the server and the client terminal generate the same secure channel key using the password encryption key, and both the server and the client terminal share the secure channel key.
(4) Using the secure channel key, encrypt the password encryption key, user login ID and password registered on the client side, and notify the encrypted data from the client terminal to the server.
(5) The server decrypts the encrypted data received from the client terminal with the secure channel key and verifies the identity of the user with the login ID and password of the user. If the identity is confirmed, the server uses the password encryption key obtained by decrypting the encrypted data, decrypts and uses the site access password encrypted with this password encryption key, and uses the result. Notify the client terminal.

The method for accessing the server by single sign-on described above is introduced in detail in Patent Documents 1 and 2 below.
JP 2002-288139 A Japanese Patent Laid-Open No. 2000-259566

However, the conventional method has the following problems.
Two keys are required: a secure channel key used between the server and the client terminal, and a password encryption key for the server to encrypt the site access password. Since the server also holds the key, for example, the server administrator can use the server-side key illegally and use the site access password without permission. In order to prevent unauthorized use of the key set on the server side, for example, the secret sharing method may be used and the key may be distributed between the server side and the client side. In this case, since the encryption key is used in the communication path for notifying the server side of the distributed key, the fundamental problem is not solved. Furthermore, although it is conceivable to set the key itself in the token on the client side, it is necessary to use an expensive security medium such as an IC card.

A method for protecting passwords, keys, and other secret information that solves the above problems has not yet been realized. For example, in the server-based computing environment described above, in the form where the server side holds password information for site access for a client terminal to access multiple sites by single sign-on, there is no room for unauthorized use on the server side. The direction for is not shown.
The main object of the present invention is to provide a method for ensuring safe and secure protection of secret information such as passwords and keys used in single sign-on, for example.

The present invention solves the above problems by a method for protecting secret information and a communication device.
The secret information protection method provided by the present invention is the information (Wa / Wb) generated on the partner side and the information generated on the own side by both the first device and the second device connected via the communication path. Generating a shared key (SK1) for exchanging information by converting the communication path into a secure channel based on (C1 / S1), and the first device wishes to register with the second device Encrypting secret information with the shared key (SK1) and transmitting the encrypted data to the second device; and the second device receives the encrypted data received from the first device with the shared key (SK1). To obtain the secret information and generate new information (C2 * S2) for next access, save a part (S2) of the new information (C2 * S2), and store the remaining new information ( C2) is encrypted with the shared key (SK1) and the second Transmitting to the device (client terminal), and the first device decrypts the encrypted data received from the second device with the shared key (SK1) to obtain the new information (C2) of the remaining portion. Storing the new information (C2) for the next access, the second device generates a new shared key (SK2) based on the new information (C2 * S2) for the next access, and The secret information decrypted with the common key (SK1) is encrypted with the new shared key (SK2) and stored together with the partial new information (S2) for the next access.

  In the step of generating the shared key, for example, the first device generates first data (Wa) based on a random number (C1) generated by the first device, and the first data (Wa) is generated as the second device. And the second device generates second data (Wb) based on the first data (Wa) received from the first device and the random number (S1) generated by the second device. 2 data (Wb) is transmitted to the first device, and the hash value becomes a shared key (SK1) based on the first data (Wa) and the random number (S1) generated by itself. Kb) is generated, and the hash value is shared key (SK1) based on the second data (Wb) received by the first device from the second device and the random number (C1) generated by the first device. To generate shared data (Ka) Wherein the door is achieved by deriving the shared key (SK1) from each of these shared data.

In one embodiment of the present invention, the secret information is divided into two distributed data. Then, the first device holds a share for restoring the two shared data, and generates a hash value of the share on its own side, and the server uses one of the two shared data. By encrypting and holding with the shared key and generating the other shared data on its own side, the server can decrypt the secret information from the two shared data and the share.
In an embodiment of the present invention, the first device transmits access authority information to a predetermined site via the second device to the second device as the secret information. Then, the second device acquires the access authority information and registers the access authority information in the memory area, thereby enabling access to the site from the first apparatus accompanied with the access authority information. .

The communication device of the present invention is, for example, a first communication device that functions as the first device and a second communication device that functions as the second device.
The first communication device is a communication device that performs two-way communication with a second device connected via a communication channel, and the first communication device is used to exchange information by converting the communication channel into a secure channel. A key information generating means for generating a shared key (SK1) shared with the two devices, and transmitting encrypted data obtained by encrypting secret information with the shared key (SK1) of the device to the second device, and the second device Then, the partial new information (C2) of the new information (C2 * S2) for next access encrypted with the shared key (SK1) of the second device is decrypted with the shared key (SK1) next time. And encryption / decryption means for storing for access.

The second communication device is a communication device that performs bidirectional communication with the first device connected via a communication channel, and the second communication device is configured to exchange information by converting the communication channel into a secure channel. Key information generating means for generating a shared key (SK1) shared with one device, and decrypting the encrypted data received from the first device with the shared key encrypted with the shared key using the shared key (SK1) Thus, the encryption / decryption means for obtaining the secret information, and after the encryption / decryption means decrypts the secret information, new information (C2 * S2) for next access is generated, and the new information (C2 * S2) Information generation means for storing a part (S2) of the information and encrypting the remaining new information (C2) with the shared key (SK1) and transmitting the encrypted information to the first device.
The key information generating unit generates the shared key (SK1) based on the information (Wa) generated by the first device and the information (S1) generated by itself, while the information generating unit When new information for next access (C2 * S2) is generated, a new shared key (SK2) is generated based on the new information for next access (C2 * S2). The encryption / decryption means is configured to encrypt the decrypted secret information with the newly generated shared key (SK2) and store it for the next access together with the part of new information (S2). Yes.

  In the present invention, the first device and the second device are made the same for the secure channel between the first device and the second device and the key for encrypting the secret information in the second device. Since the shared key cannot be generated without the information of both, it is possible to reduce the key management burden, and to prevent fraud on the second device side managing the secret information.

[First Embodiment]
The present invention can be implemented as, for example, the password authentication key exchange system shown in FIG. The password authentication key exchange system of this embodiment is connected to a server 20 connected to a network 10 constituted by the Internet, a client terminal 30 connected to the server 20 via the network 10, and the server 20. The site 40 is configured. A site is an information processing system that has a group of Web pages that can be disclosed together, and is essentially a server. In FIG. 1, only one site 40 is shown for convenience, but any number of sites may be used.

  The server 20 needs to be distinguished from an interface (hereinafter abbreviated as “I / F”) 21 for performing communication via the network 10 and a control unit (hereinafter referred to as the client 30) that executes various processes described later. A server database (hereinafter referred to as “DB”) 23 and a server database (hereinafter referred to as “server control unit”) 22 are provided. The server control unit 22 is a kind of computer that reads and executes a computer program. The server control unit 22 executes the computer program to form functions of a key information generation unit, an encryption / decryption unit, and an information generation unit.

The client terminal 30 includes an I / F 31 for performing communication via the network 10 and a control unit (hereinafter referred to as “client control unit” when it is necessary to distinguish from the server 20). 32) and a memory 33 for storing a password and a random number to be described later. The client control unit 32 is a kind of computer that reads and executes a computer program. This computer program may be installed in an application downloaded from the server 20 or a token. The client control unit 32 executes the computer program to form functions of a key information generation unit and an encryption / decryption unit.
The site 40 includes an I / F 41 for performing communication via the network 10, a site control unit 42 that executes processing necessary for site operation, and a site DB 43. The site control unit 42 is also a kind of computer that reads and executes a computer program.

  The server 20 and the client terminal 30 establish a secure channel for performing encrypted communication on the network 10 using a shared key, and perform communication of encrypted data. In addition, the server 20 encrypts the site access password received from the client terminal 30 using the above-described shared key, and registers the encrypted site access password in the server DB 23.

As described above, the shared key used in the secure channel is a key generated using different information (for example, random numbers) held by both the server 20 and the client terminal 30. For generation of this shared key, for example, Diffie Hellman's A key exchange method is used.
For key exchange between the server 20 and the client terminal 30, a password authentication key exchange protocol described later is used. The key (shared key) shared by this password authentication key exchange protocol is used for encryption and decryption when notifying the server access password from the client terminal 30 to the server 20, and the site access password on the server 20 side. It is also used for encryption.

In addition, after using the site access password once, the server 20 generates a random number. This random number is used to generate a shared key for the next time used when the client terminal 30 accesses the site 40 next time. The server 20 arbitrarily divides the random number for the next time into two, encrypts one with the previous shared key, and notifies the client terminal 30 from the server 20 side. The server 20 holds the other of the two divided random numbers on the server 20 side.
Further, the server 20 encrypts the site access password with the next shared key and holds it. When this encryption is completed, the server 20 deletes the shared key for the next time.
Since the client terminal 30 and the server 20 respectively hold one and the other of the divided random numbers and generate the next shared key, the key for establishing the secure channel is also used in the next processing. It becomes the same key, and the site access password is encrypted using this shared key.

  If a plurality of site access passwords are encrypted and registered in the server DB 23 by the method as described above, the client terminal 30 can access a plurality of sites by single sign-on.

[Operation example]
Next, in the password authentication key exchange system according to this embodiment, an operation example when the server 20 and the client terminal 30 access a plurality of sites 40 that actually exist via the network 10 by single sign-on. Show.
This communication is roughly divided into a site access password registration process and a site access password use process.

<Site access password registration process>
FIG. 2 to FIG. 4 show a sequence of password registration processing for site access using a password authentication key exchange protocol in time series. In this site access password registration process, it is assumed that the user ID of the user and the password π are associated with each other and registered in the server DB 23 of the server 20 in advance.

Since all communication between the server control unit 22 and the client control unit 32 is performed through the I / F 21, the network 10, and the I / F 31, this description is omitted below. When the client control unit 32 performs communication by encrypting data using a shared key, the communication channel is a secure channel.
FIG. 5 shows a data structure in the server DB 23 of the server 20 and in the memory of the client terminal 30.
The processing (1) to (26) in FIGS. 2 to 4 is specifically performed in the functional block shown in FIG.

(1) When the user operates the client terminal 30 to access the server 20, the client control unit 32 secures a token through the I / F 31. The user inputs the user ID and password π to the client terminal 30. At this time, the user inputs site information (for example, URL (Uniform Resource Locator)) to be accessed to the client terminal 30.

(2) The client control unit 32 generates a random number C1 for generating a shared key described later.
(3) The client control unit 32 notifies the server control unit 22 of the site information that the user desires to access and the user ID.

(4) The server control unit 22 confirms whether the user ID notified from the client control unit 32 is registered in the server DB 23.
(5) When the server control unit 22 confirms that the user ID is registered in the server DB 23 in the process (4), the server control unit 22 generates a random number S1 for generating a shared key. At this time, the server control unit 22 registers the site information notified in the process (3) in the server DB 23 in association with the user ID.
(6) When the server control unit 22 confirms that the user ID is not registered in the server DB 23 in the process (4), the server control unit 22 notifies the client terminal 30 of an error.

(7) When the password π is input by the user in the process (1), the client control unit 32 generates a hash value H (π) of the password π, and the hash value H (π), (2) The client data Wa is generated using the random number C1 generated by the above process.
(8) The client control unit 32 notifies the server control unit 22 of the client data Wa generated in the process (7).

Here, the client data Wa can be obtained by the following equation, where H (π) is a hash value of the password π and k and q are domain parameters of discrete logarithm.
g1 = H (π) ^ k mod q
Wa = g1 ^ C1 mod q

(9) The server control unit 22 confirms whether the client data Wa generated in the client control unit 32 in the process (8) is correctly calculated. For example, in the case of calculation by mod q, it is confirmed whether the obtained value is a value equal to or less than q-1.
(10) If the server control unit 22 confirms that the client data Wa is correctly calculated in the process (9), the password corresponding to the user ID received from the client terminal 30 in the process (4) π is read from the server DB 23, and server data Wb is generated using the hash value H (π) and the random number S1 generated in the process (5). Further, the server control unit 22 notifies the server control unit 32 of the server data Wb.

The server data Wb can be obtained by the following equation, for example.
g1 = H (π) ^ k mod q
Wb = g1 ^ S1 mod q

(11) When the server control unit 22 confirms that the client data Wa is not correctly calculated in the process of (9), the server control unit 22 notifies the client control unit 32 of an error. At this time, the server control unit 22 deletes the random number S1.
(12) The server control unit 22 generates the key exchange shared data Kb using the client data Wa whose accuracy has been confirmed by the process (9) and the random number S1 generated by the process (5).
The hash value of the key exchange shared data Kb becomes the shared key SK1. That is, the shared key SK1 generated by the server control unit 22 is as follows. H is a hash function.
SK1 = H (Kb || Pi)

(13) The client control unit 32 confirms whether the server data Wb is correctly calculated. For example, in the case of calculation by mod q, it is confirmed whether the obtained value is a value equal to or less than q-1.
(14) When the client control unit 32 confirms that the confirmation data is not correctly calculated in the process (13), the client control unit 32 notifies the server control unit 22 of an error, and generates the random number C1 generated in the process (2). And the server data Wb notified from the server control unit 22 are deleted.
(15) The client control unit 32 generates key exchange shared data Ka using the server data Wb notified from the server control unit 22 in the process (12) and the random number C1 generated in the process (2). . The hash value of this key exchange shared data Ka becomes a shared key. That is, the shared key SK1 generated by the client control unit 32 is as follows.
SK1 = H (Ka || Pi)

(16) The client control unit 32 receives the confirmation data (H (| parameter | Wa | Wb | Ka | g)) that concatenates key exchange shared data Ka, client data Wa, server data Wb, and other necessary information. The server control unit 22 is notified.

Here, the key exchange shared data Kb generated by the server control unit 22 and the key exchange shared data Ka generated by the client control unit 32 match as follows according to the Diffie Hellman key exchange method.
For any prime number a (1 <= a <= q-1), there exists a prime number b such that a = g ^ b mod q (q is an arbitrary prime number that satisfies this condition).
Ka = b ^ C1 mod q
= (G1 ^ S1 mod q) ^ C1 mod q
= (G1 ^ S1) ^ C1 mod q = g1 ^ S1 · C1 mod q
Kb = a ^ C1 mod q = g1 ^ C1 mod p) ^ S1 mod q
= (G1 ^ C1) ^ S1 mod q
= G1 ^ C1 · S1 mod q
It is. In this way, Ka and Kb match.

(17) The server control unit 22 confirms the confirmation data (H (| parameter | Wa | Wb | Ka | g)) notified from the client control unit 32 and the corresponding server-side confirmation data (H (| parameter) | Wa | Wb | Kb | g)) is matched. If the confirmation data match is confirmed, the client control unit 32 is notified accordingly.
(18) When the server control unit 22 confirms that the server-side confirmation data and the client-side confirmation data do not match in the processing of (17), the server control unit 22 notifies the client control unit 32 of an error. At the same time, the random number S1 and the confirmation data are deleted.

(19) The client control unit 32 encrypts the site access password that the user desires to register with the server 20 with the shared key SK1 generated in the process (15), and transmits this encrypted data to the server control unit through the secure channel. 22 is notified.

(20) The server control unit 22 obtains a site access password by decrypting the encrypted data notified from the client control unit 32 using the shared key SK1 generated in the process of (12).
(21) The server control unit 22 logs in to the site 40 using the site access password acquired in the process of (20), and whether or not the site access password notified from the client control unit 32 is correct. Confirm.
(22) In the process of (21), the server control unit 22 notifies the client control unit 32 that an error has occurred if the login to the site 40 corresponding to the site access password is not successful, and for site access. Require password re-entry.
(23) The server control unit 22 generates a random number (C2 * S2) when successfully logging in to the site 40 corresponding to the site access password. The server control unit 22 arbitrarily divides the random number (C2 * S2) into two, registers one random number S2 in the server DB 23, and encrypts the other random number C2 with the shared key SK1 generated in the process of (12). The client control unit 32 is notified through the secure channel.

(24) The client control unit 32 uses the shared key SK1 generated in the process (15) to decrypt the encrypted data received from the server control unit 22, and one of the random numbers divided into two in the process (23) To obtain a random number C2. The client control unit 32 sets this random number C2 as a token.
(25) The client control unit 32 sets the random number C2 in the token and notifies the server control unit 22 of it. After notifying the server control unit 22 of the random number C2, the client control unit 32 removes the random number C2 from the token and registers it in the client memory 33 in order to return the token. When the token user uses a plurality of client terminals, the random number is held only in the token and may not be registered in the client memory 33.
The data structure in the client memory 33 at this time is as shown in FIG.

(26) Upon receiving notification from the client control 32 that the random number C2 has been set as a token, the server control unit 22 generates the shared key SK2 using the next random number (C2 * S2). Furthermore, the server control unit 22 encrypts the site access password with the shared key SK2, and registers it in the server DB 23 together with the random number S2. Further, the server control unit 22 deletes the generated next-time shared key SK2. The data structure in the server DB 23 at this time is as shown in FIG.

  As described above, according to the registration process of the site access password using the password authentication key exchange protocol, the shared key used in the secure channel established between the server 20 and the client terminal 30 and the site access password are encrypted. Since the random number necessary to generate this shared key is divided and held on the server 20 side and the client terminal 30 side while the same key is used as an encryption key, an unauthorized person accesses the server 20 In addition, a highly secure password authentication key exchange system that cannot generate a shared key can be provided.

<Password access processing for site access>
6 to 9 are explanatory diagrams of procedures for site access password use processing. The processing (31) to (58) in FIGS. 6 to 9 is specifically performed in the functional block shown in FIG. The site access password use process is basically a process similar to the site access password registration process. In addition, since all communication between the server control unit 22 and the client control unit 32 is performed through the I / F 21, the network 10, and the I / F 31, this description is omitted below.
Note that the site access password utilization process is a process repeatedly performed by the server 20 and the client terminal 30, and here, in order to generalize the description, the random number C1, the random number S1, Values corresponding to the client data Wa, the server data Wb, the shared key key exchange shared data Ka, Kb, and the shared key SK1, respectively, are the random number Cx, the random number Sx, the client data Wax, the server data Wbx, and the shared key key exchange shared. It is assumed that data Kax, Kbx, and shared key SKx. x represents the number of generations. For example, the random number S (x + 1) means a random number after one generation generated in the next process of the process of generating the random number Sx.

(31) When the user operates the client terminal 30 to access the server 20, the client control unit 32 secures a token. The user inputs the user ID and password π to the client terminal 30. At this time, the user inputs site information (for example, URL (Uniform Resource Locator)) desired to be accessed to the client terminal 30.
(32) The client control unit 32 sets the random number Cx registered in the client memory 33 as a token. If the random number Cx is registered in advance in the token, it may be omitted.
(33) The client control unit 32 notifies the server control unit 22 of the site information that the user desires to access and the user ID.

(34) The server control unit 22 confirms whether or not the user ID notified from the client control unit 32 is registered in the server DB 23.
(35) When the server control unit 22 confirms that the user ID is registered in the server DB 23 in the process (34), the server control unit 22 reads the random number Sx corresponding to the user ID from the server DB 23.
(36) The server control unit 22 notifies the client terminal 30 of an error when confirming that the user ID is not registered in the server DB 23 in the process of (34).

(37) The client control unit 32 generates the hash value H (π) of the password π input by the user in the process of (31), and sets this H (π) and the token in the process of (32). Client data Wax is generated using the random number Cx.
(38) The client control unit 32 notifies the server control unit 22 of the client data Wax generated in the process of (37).

The client data Wax can be obtained by the following formula.
g1 ′ = H (π) ^ k mod q
Wax = g1 '^ Cx mod q

(39) The server control unit 22 confirms whether the client data Wax generated in the client control unit 32 in the process of (38) is correctly calculated. For example, when an operation is performed using mod q, it is confirmed whether the obtained value is a value equal to or less than q-1.
(40) When the server control unit 22 confirms that the client data Wax is correctly calculated in the process of (39), the password corresponding to the user ID received from the client terminal 30 in the process of (34) π is read from the server DB 23, and server data Wbx is generated using the hash value H (π) of the password π and the random number Sx used in the process (35). Further, the server control unit 22 notifies the server control unit 32 of the server data Wbx.

Server data Wbx can be obtained by the following equation.
g1 ′ = H (π) ^ k mod q
Wbx = g1 ′ ^ Sx mod q

(41) When the server control unit 22 confirms that the client data Wax is not correctly calculated in the processing of (39), the server control unit 22 notifies the client control unit 32 of an error. At this time, the server control unit 22 deletes the random number Sx.
(42) The server control unit 22 generates the key exchange shared data Kbx using the client data Wax confirmed to be correctly calculated in the process (39) and the random number Sx read in the process (35). . The hash value of this key exchange shared data Kbx becomes a shared key. That is, the shared key SKx generated by the server control unit 22 is as follows.
SKx = Hash (Kbx || Pi)

(43) The client control unit 32 confirms whether the server data Wbx is correctly calculated. For example, in the case of calculation by mod q, it is confirmed whether the value is q−1 or less.
(44) When the client control unit 32 confirms that the confirmation data is not correctly calculated in the process of (43), the client control unit 32 notifies the server control unit 22 of an error, and reads the random number Sx read in the process of (35). And the server data Wbx notified from the server control unit 22 are deleted.
(45) The client control unit 32 generates key exchange shared data Kax using the server data Wbx notified from the server control unit 22 in the process (42) and the random number Sx read in the process (35). The hash value of this key exchange shared data Kax becomes a shared key. That is, the shared key SKx generated by the client control unit 32 is as follows.
SKx = H (Kax || Pi)

Note that the identity between the key exchange shared data Kax and Kbx is omitted because it will be explained for the same reason that the key exchange shared data Ka and Kb in the site access password registration process are identical.
(46) The client control unit 32 receives the key exchange shared data Kax, the client data Wax, the server data Wbx, and confirmation data (H (| parameter | Wax | Wbx | Kax | g)) concatenated with other necessary information. The server control unit 22 is notified.

(47) The server control unit 22 confirms the notification data (H (| parameter | Wax | Wbx | Kax | g)) notified from the client control unit 32 and the corresponding server-side confirmation data (H (| parameter) | Wax | Wbx | Kbx | g)) is matched. When the server control unit 22 confirms the coincidence of these confirmation data, the server control unit 22 notifies the client control unit 32 to that effect.
(48) When the server control unit 22 confirms inconsistency between the server side confirmation data and the client side confirmation data in the processing of (47), the server control unit 22 notifies the client control unit 32 of an error. The random number Cx and the confirmation data are erased.

(49) When the server control unit 22 confirms that the server side confirmation data matches the client side confirmation data in the process of (47), the server control unit 22 uses the shared key SKx for site access. Decrypt the password.
(50) The server control unit 22 reads site information corresponding to the user ID from the server DB 23 and notifies the client control unit 32 of connection data (address, etc.) used to connect to the site 40.

(51) The client control unit 32 accesses the site 40 via the server 20. The user can use the service provided by the site 40.
(52) The client control unit 32 repeatedly confirms whether to end the access to the site 40. This process is repeatedly executed by the client control unit 32 until the user inputs an end message to the client terminal 30.
(53) When the user inputs to the client terminal 30 that the access to the site 40 is terminated, the client control unit 32 notifies the server control unit 22 that the site is to be logged off.
(54) The server control unit 22 logs off from the site 40.

(55) The server control unit 22 generates a random number C (x + 1) * S (x + 1). The server control unit 22 arbitrarily divides the random number C (x + 1) * S (x + 1) into two, registers one random number S (x + 1) in the server DB 23, and the other random number C (x + 1) with the shared key SKx. It encrypts and notifies the client control part 32 through a secure channel.
(56) The client control unit 32 decrypts the encrypted data received from the server control unit 22 using the shared key SKx, and obtains one random number C (x + 1) of the two divided random numbers. The client control unit 32 sets this random number C (x + 1) as a token.

(57) The client control unit 32 sets a random number C (x + 1) in the token and notifies the server control unit 22 of it. The client control unit 32 notifies the server control unit 22 of the random number C (x + 1), and then removes the random number C (x + 1) from the token and registers it in the client memory 33 in order to return the token. When the token user uses a plurality of client terminals, the random number is held only in the token and does not have to be registered in the client memory 33.
(58) Upon receiving notification from the client control 32 that the random number C (x + 1) has been set as a token, the server control unit 22 uses the next random number C (x + 1) * S (x + 1) to share the key SK ( x + 1) is generated. Further, the server control unit 22 encrypts the site access password with the shared key SK (x + 1) and registers it in the server DB 23 together with the random number S (x + 1). Further, the server control unit 22 deletes the generated next-time shared key SK (x + 1).

  As described above, according to the process for using the password for site access using the password authentication key exchange protocol according to the first embodiment, the shared key used in the secure channel established between the server 20 and the client terminal 30, the site While the same key is used as the key for encrypting the access password, the random number necessary for generating this shared key is divided and held on the server 20 side and the client terminal 30 side, so that an unauthorized person can Therefore, it is possible to provide a highly secure password authentication key exchange system in which the shared key cannot be generated even if the access to the access key 20 is performed.

  In the above description, the method of protecting the site access password on the server 20 by encrypting with the shared key has been described. However, the object to be protected using the shared key is limited to the site access password. In addition, it is possible to protect personal information such as a secret key and authority information used only by an individual, as well as an application including the personal information and a ticket setting used for one time as secret information.

  Since the client terminal 30 is only notified and set a different random number every time it is used, a memory card or the like can be used as a token, and personal information such as a password set remotely can be protected at the server. This can be achieved while reducing the key management burden.

[Second Embodiment]
Next, a second embodiment of the present invention will be described. In the second embodiment, at the site 40 shown in FIG. 1, two shared data are generated from the site access password and the share using the secret sharing method. The client terminal 30 holds a share for restoring the two shared data, and uses the hash value of the share as a random number used by the client terminal 30. The server 20 encrypts and holds one of the distributed data with a shared key, and uses the other distributed data as a random number.
The shared key for encryption used in the secure channel formed between the server 20 and the client terminal 30 is a shared key generated by using the random number that the server 20 has and the random number that the client terminal 30 has.

  When the client terminal 30 accesses the site 40, a shared key is generated on the secure channel, and the server 20 decrypts the distributed data encrypted using the shared key. The server 20 generates a site access password using the two further distributed data and shares. In this manner, the client terminal 30 can actually single-sign on to a plurality of sites 40 via the server 20.

[Operation example]
Next, in the second embodiment, an example of operation when the server 20 and the client terminal 30 communicate via the network 10 and actually access a plurality of sites 40 by single sign-on will be described. This communication is roughly divided into a site access password registration process and a site access password use process.

<Site access password registration process>
10 to 11 are explanatory diagrams of procedures for password registration processing for site access using the password authentication key exchange protocol. In this site access password registration process, it is assumed that the user ID of the user and the password φ are associated with each other and registered in the server DB 23 of the server 20 in advance. In addition, since communication among the server control unit 22, the client control unit 32, and the site control unit 42 is all performed through the I / F 21, the network 10, the I / F 31 and the I / F 41, this description is omitted below. . FIG. 12 is an explanatory diagram of the data structure in the server DB 23 of the server 20 and in the memory of the client terminal 30.
Note that the processing (101) to (118) in FIGS. 10 and 11 is specifically performed in the functional block shown in FIG.

(101) When the user operates the client terminal 30 to access the server 20, the client control unit 32 secures a token through the I / F 31. The user inputs the user ID and password φ into the client terminal 30.
(102) The client control unit 32 reads the data in the client memory 33 corresponding to the user ID, and confirms whether the site access password has been registered in the site 40. Specifically, it is confirmed whether or not a share exists in the data in the client memory 33 corresponding to the user ID.
(103) When the client control unit 32 confirms that there is no share in the data in the client memory 33 corresponding to the user ID in the process of (102), it passes through the server 20 via the I / F 31 and the network 10. The site is notified of the site access password that the user desires to register.

(104) The site control unit 42 registers the site access password notified from the client control unit 32 in the site DB 43 in association with the user ID.
(105) The site control unit 42 arbitrarily generates a setting code necessary for setting the distributed data of the password for site access in the server DB 23 of the server 20 and a share to be set in the token used by the client terminal 30. And notifies the client control unit 32 of the client terminal 30 through the network 10.

(106) The client control unit 32 registers the setting code and the share notified from the site control unit 42 in the process of (105) in the client memory 33. The data structure in the memory 33 at this time is as shown in FIG.
(107) The client control unit 32 substitutes the server access password φ into the following equation to generate a g2 value.
g2 = H (φ) ^ k mod q

(108) The client control unit 32 generates the client data Wa ′ by substituting the share saved in the client memory 33 in the process (106) and the value g2 generated in the process (107) into the following expression. . The client control unit 32 notifies the site control unit 42 of the client data Wa ′.
Wa ′ = g2 ^ H (share) mod q

(109) The site control unit 42 saves the site access password, the share, and the client data Wa ′ in the site DB 43 using the setting code generated in the process (105) as key information.
(110) A shared key is generated between the server control unit 22 and the client control unit 32. That is, using the client data Wa ′ generated in (108) and the server data Wb ′ generated based on the random number, processing similar to the processing from (9) to (18) in the first embodiment is executed. As a result, the server control unit 22 and the client control unit 32 generate the shared key SK1 ′, respectively.
As a result, the server 20 and the client terminal 30 share the shared key SK1 ′.

(111) The client control unit 32 encrypts the setting code registered in the client memory 33 with the shared key SK1 ′ and notifies the server control unit 22 through the secure channel.
(112) The server control unit 22 uses the shared key SK1 ′ to decrypt the encrypted setting code and generate a shared key for the next process for encrypting the distributed data 1 to be described later The site control unit 42 is notified of the shared key generation parameter Pi ′ used for the setting and the setting code.

(113) The site control unit 42 confirms whether the setting code notified from the server control unit 22 is the same as the setting code generated in the process (105).
(114) When the site control unit 42 confirms that the setting code notified from the server control unit 22 is not the same as the setting code generated in the process (105), the site control unit 42 sends the setting code to the client control unit 32 through the network 10. Notify that there is an error.
(115) When the site control unit 42 confirms that the setting code notified from the server control unit 22 is the same as the setting code generated in the process (105), the site control unit 42 generates the process in the process (105). The setting code is deleted from the site DB 43, the site access password and the share corresponding to the setting code are read in the site DB 43, and the distributed data 1 and the distributed data 2 are generated from the site access password and the share.
Distributed data 2 = p + x * a + x * b
Distributed data 1 = p + y * a + y * b
Here, P = site password, [a, b] is a share, and [x, y] is an arbitrary random number.
Note that the method of dispersion is not limited to this method. The size of the share may be changed according to the usage frequency of the user.

(116) The site control unit 42 reads the client data Wa ′ corresponding to the setting code from the site DB 43, and generates the key exchange shared data Z by substituting the client data Wa ′ and the distributed data 2 into the following equation.
Z = Wa '^ distributed data 2 mod q

(117) The site control unit 42 generates the shared key SKx ′ using the key exchange shared data Z and the shared key generation parameter Pi ′ received from the server 20, and the distributed data 1 generated by the process of (115) Is encrypted, the encrypted distributed data 1 and the unencrypted distributed data 2 are notified to the server 20 through the network 10. The shared key SKx ′ generated by the site control unit 42 is as follows.
SKx ′ = Hash (Z || Pi ′)
(118) The server control unit 22 registers the encrypted distributed data 1 and the unencrypted distributed data 2 notified from the site control unit 42 in the server DB 23 in association with the user ID. The data structure in the server DB 23 at this time is as shown in FIG.

  Thus, the site access password registration process ends. The server 20 has no registered site access password.

<Password access processing for site access>
FIG. 13 to FIG. 16 are explanatory diagrams of procedures for the password access processing for site access. In addition, since communication among the server control unit 22, the client control unit 32, and the site control unit 42 is all performed through the I / F 21, the network 10, the I / F 31 and the I / F 41, this description is omitted below. . Note that the processes (131) to (158) in FIGS. 13 to 16 are specifically performed in the functional blocks shown in FIG.
The site access password use process is basically a process similar to the site access password registration process.

(131) When the user operates the client terminal 30 to access the server 20, the client control unit 32 secures a token. The user inputs the user ID and password φ into the client terminal 30. At this time, the user inputs site information (for example, URL (Uniform Resource Locator)) desired to be accessed to the client terminal 30.
(132) The client control unit 32 sets the hash value of the share registered in the client memory 33 in the token. If a share hash value is set in advance in the token, it may be omitted.
(133) The client control unit 32 notifies the server control unit 22 of the site information that the user desires to access and the user ID.

(134) The server control unit 22 confirms whether or not the user ID notified from the client control unit 32 is registered in the server DB 23.
(135) When the server control unit 22 confirms that the user ID is registered in the server DB 23 in the process (134), the server control unit 22 reads the distributed data 2 corresponding to the user ID from the server DB 23.
(136) When the server control unit 22 confirms that the user ID is not registered in the server DB 23 in the process of (134), the server control unit 22 notifies the client terminal 30 of an error.

(137) The client control unit 32 generates the hash value Hash (φ) of the password φ input by the user in the process of (131), the hash value Hash (φ) of this password φ, and the process of (132) The client data Wax ′ is generated using the random number (share hash value H (share)) set in the token.
(138) The client control unit 32 notifies the server control unit 22 of the client data Wax ′ generated by the processing of (137).

Here, the client data Wax ′ can be calculated as follows, for example.
Using the hash value H (φ) of the password φ, g2 is obtained by the following formula.
g2 = H (φ) ^ k mod q
Wax '= g2 ^ H (share) mod q

(139) The server control unit 22 confirms whether the client data Wax ′ generated in the client control unit 32 in the process (138) is correctly calculated. For example, when a mod q operation is performed, it is confirmed whether the obtained value is a value equal to or less than q-1.
(140) When the server control unit 22 confirms that the client data Wax ′ is correctly calculated in the process of (139), the server control unit 22 corresponds to the user ID received from the client terminal 30 in the process of (134). The password φ is read from the server DB 23, and server data Wbx ′ is generated using the hash value Hash (φ) of the password φ and the distributed data 2 used in the process of (135). Further, the server control unit 22 notifies the server control unit 32 of the server data Wbx ′.

Server data Wbx ′ can be obtained by the following equation.
g2 = H (φ) ^ k mod q
Wbx ′ = g2 ^ distributed data 2 mod q

(141) If the server control unit 22 confirms that the client data Wax ′ has not been correctly calculated in the process of (139), the server control unit 22 notifies the client control unit 32 of an error. At this time, the server control unit 22 deletes the distributed data 2.
(142) The server control unit 22 generates key exchange shared data Kbx ′ by using the client data Wax ′ whose accuracy has been confirmed by the process (139) and the distributed data 2 read by the process (135). The hash value of this key exchange shared data Kbx becomes a shared key. That is, the shared key SKx ′ generated by the server control unit 22 is as follows.
SKx ′ = H (Kbx ′ || Pi)

(143) The client control unit 32 confirms whether the server data Wbx ′ is correctly calculated. For example, when a mod q operation is performed, it is confirmed whether the obtained value is a value equal to or less than q-1.
(144) If the client control unit 32 confirms that the confirmation data is not correctly calculated in the processing of (143), the client control unit 32 notifies the server control unit 22 of an error and reads the distributed data read out in the processing of (135). 2 and server data Wbx ′ notified from the server control unit 22 are deleted.
(145) The client control unit 32 uses the server data Wbx ′ notified from the server control unit 22 in the process (142) and the shared data 2 read out in the process (135) to obtain the key exchange shared data Kax ′. Generate. The hash value of this key exchange shared data Kax ′ becomes the shared key. That is, the shared key SKx ′ generated by the client control unit 32 is as follows.
SKx '= H (Kax' || Pi)
(146) The client control unit 32 confirms the key exchange shared data Kax, client data Wax ′, server data Wbx ′, and other necessary information (H (| parameter | Wax ′ | Wbx ′ | Kax | g)) is notified to the server control unit 22.

(147) The server control unit 22 confirms the confirmation data (H (| parameter | Wax ′ | Wbx ′ | Kax | g)) notified from the client control unit 32 and the corresponding confirmation data (H ( | Parameter | Wax ′ | Wbx ′ | Kbx | g)) is confirmed to match. When the server control unit 22 confirms the coincidence of these confirmation data, the server control unit 22 notifies the client control unit 32 to that effect.
(148) In the process of (147), the server control unit 22 notifies the client control unit 32 of an error when confirming a mismatch between the server-side confirmation data and the client-side confirmation data. The distributed data 2 and the confirmation data are deleted.

(149) The server control unit 22 decrypts the distributed data 1 encrypted with the shared key SKx ′.
(150) The server control unit 22 notifies the client control unit 32 of the distributed data 1 and the distributed data 2.

(151) The client control unit 32 restores the site access password using the share and the distributed data 1 and the distributed data 2, and accesses the site 40 via the server 20. The user can use the service provided by the site 40.
(152) The client control unit 32 repeatedly confirms whether to end the access to the site 40. This process is repeatedly executed until the user inputs an end message to the client terminal 30.
(153) When the user inputs to the client terminal 30 that the access to the site 40 is terminated, the client control unit 32 notifies the server control unit 22 that the site is to be logged off.
(154) The server control unit 22 logs off from the site 40.

(155) The site control unit 42 arbitrarily generates a setting code necessary for setting the distributed data of the site access password in the server DB 23 of the server 20 and a share to be set in the token used by the client terminal 30. And notifies the client control unit 32 of the client terminal 30 through the network 10. These setting codes and shares have different values from those of the previous process.
(156) The client control unit 32 decrypts the encrypted data received from the server control unit 22 using the shared key SK (x + 1) ′ to obtain a share for the next processing. The client control unit 32 sets the hash value of the share for next processing in the token.

(157) The client control unit 32 sets the hash value of the share for next processing in the token and notifies the server control unit 22 of it. The client control unit 32 notifies the server control unit 22 of the next processing share, and then removes the next processing share from the token and registers it in the client memory 33 in order to return the token. When the token user uses a plurality of client terminals, the token need not be stored in the client memory 33 and held only in the token.
(158) When the server control unit 22 receives notification from the client control 32 that the share for the next processing has been set in the token, it uses the hash value of the next share and the shared data 2 for the next time to use the shared key SK. (x + 1) ′ is generated. Further, the server control unit 22 encrypts the distributed data 1 with the shared key SK (x + 1) ′ and registers it in the server DB 23 together with the unencrypted distributed data 2. Also, the server control unit 22 deletes the generated next-time shared key SK (x + 1) ′.

  As described above, according to the second embodiment, since the site access password can be used only via the client terminal 30, fraud on the server 20 side can be prevented more strictly.

1 is an overall configuration diagram of a password authentication key exchange system according to a first embodiment of the present invention. Explanatory drawing of the procedure of the password registration process for site access by 1st Embodiment. Explanatory drawing of the procedure of the password registration process for site access by 1st Embodiment. Explanatory drawing of the procedure of the password registration process for site access by 1st Embodiment. The figure which shows the structural example of the data used by 1st Embodiment. Explanatory drawing of the procedure of the site access password utilization process by 1st Embodiment. Explanatory drawing of the procedure of the site access password utilization process by 1st Embodiment. Explanatory drawing of the procedure of the site access password utilization process by 1st Embodiment. Explanatory drawing of the procedure of the site access password utilization process by 1st Embodiment. Explanatory drawing of the procedure of the password registration process for site access by 2nd Embodiment. Explanatory drawing of the procedure of the password registration process for site access by 2nd Embodiment. The figure which shows the structural example of the data used by 2nd Embodiment. Explanatory drawing of the procedure of the password use process for site access by 2nd Embodiment. Explanatory drawing of the procedure of the password use process for site access by 2nd Embodiment. Explanatory drawing of the procedure of the password use process for site access by 2nd Embodiment. Explanatory drawing of the procedure of the password use process for site access by 2nd Embodiment.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 10 ... Network, 20 ... Server, 21, 31, 41 ... I / F, 22 ... Server control part, 23 ... Server DB, 30 ... Client terminal, 31 ... I / F, 32 ... client control unit, 33 ... client memory, 40 ... site, 42 ... site control unit.

Claims (6)

Both the first device and the second device connected via the communication channel are configured to communicate with each other based on information (Wa / Wb) generated on the partner side and information (C1 / S1) generated on the own side. Generating a shared key (SK1) for exchanging information using a secure channel;
The first device encrypts secret information desired to be registered in the second device with the shared key (SK1), and transmits the encrypted data to the second device;
After the second device decrypts the encrypted data received from the first device with the shared key (SK1) and obtains the secret information, it generates new information (C2 * S2) for next access, Storing a part (S2) of the new information (C2 * S2), encrypting the remaining new information (C2) with the shared key (SK1), and transmitting the encrypted information to the first device (client terminal);
The first device decrypts the encrypted data received from the second device with the shared key (SK1) to obtain the remaining new information (C2), and uses the remaining new information (C2) for next access. Saving, and
The second device generates a new shared key (SK2) based on the new information (C2 * S2) for next access, and the secret information decrypted with the common key (SK1) is added to the new shared key. A method of protecting encrypted secret information, comprising: encrypting with (SK2), and storing the information for the next access together with the partial new information (S2). Generating the shared key comprises:
The first device generates first data (Wa) based on a random number (C1) generated by the first device, and transmits the first data (Wa) to the second device;
The second device generates second data (Wb) based on the first data (Wa) received from the first device and the random number (S1) generated by the second device, and the second data (Wb) is generated. A step of generating shared data (Kb) whose hash value becomes a shared key (SK1) based on the first data (Wa) and the random number (S1) generated by the self, as well as being transmitted to the first device. When,
Based on the second data (Wb) received by the first device from the second device and the random number (C1) generated by the first device, shared data (Ka) whose hash value becomes the shared key (SK1) is obtained. Including a stage of generating,
Deriving the shared key (SK1) from each of these shared data,
The protection method according to claim 1. Dividing the secret information into two distributed data,
The first device holds a share for restoring the two distributed data, and generates a hash value of this share on its own side (C1),
The second device encrypts and holds one of the two shared data with the shared key (SK1), and sets the other shared data as information (S1) generated on its own side, whereby the second device Makes it possible to decrypt the secret information from the two distributed data and the share.
The protection method according to claim 2. The first device transmits access authority information to a predetermined site via the second device as the secret information to the second device,
The second device obtains the access authority information and registers the access authority information in the memory area, thereby enabling access to the site from the first apparatus with the access authority information.
The protection method according to claim 1 or 2. A communication device that performs bidirectional communication with a second device connected via a communication path,
Key information generating means for generating a shared key (SK1) shared with the second device in order to exchange information by making the communication channel a secure channel;
The encrypted data obtained by encrypting secret information with the shared key (SK1) of itself is transmitted to the second device, and the next time the second device is encrypted with the shared key (SK1) of the second device. A communication apparatus comprising: encryption / decryption means for decrypting partial new information (C2) of new information for access (C2 * S2) with the shared key (SK1) and storing it for next access. A communication device that performs bidirectional communication with a first device connected via a communication path,
Key information generating means for generating a shared key (SK1) shared with the first device in order to exchange information by converting the communication path into a secure channel;
Encryption / decryption means for obtaining the secret information by decrypting the encrypted data obtained by encrypting the secret information with the shared key received from the first device with the shared key (SK1);
After the encryption / decryption means decrypts the secret information, it generates new information (C2 * S2) for next access, stores a part (S2) of the new information (C2 * S2), and stores the remaining new information. Information generating means for encrypting information (C2) with the shared key (SK1) and transmitting it to the first device;
The key information generating unit generates the shared key (SK1) based on the information (Wa) generated by the first device and the information (S1) generated by itself, while the information generating unit When new information for next access (C2 * S2) is generated, a new shared key (SK2) is generated based on the new information for next access (C2 * S2). The encryption / decryption means is configured to encrypt the decrypted secret information with the newly generated shared key (SK2) and store it for the next access together with the part of new information (S2). Communication equipment.

Images