JP2007143091A - Key management apparatus, key management method, and program capable of causing computer to perform key management method, information processor, and program capable of causing information processor to perform key updating, and message transmission method, and program capable of causing computer to perform message transmission method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a key management apparatus or the like for reducing a transmission quantity required for key updating, and for improving reliability of key delivery. <P>SOLUTION: In a key information updating system 1, a key management server 3 for managing keys held by members M1-MQ connected to an information communication network comprises: a key superposing part 9 for superposing key updating information corresponding to updated and delivered keys on information to be transmitted to the members; and a communication part 11 for transmitting information superposed by the key superposing part 9 to the members. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention provides a key management device, a key management method, a program capable of causing a computer to execute the key management method, and an information processing device and the information processing device capable of executing key update processing. The present invention relates to a program, a message transmission method, and a program that allows a computer to execute the method, and more particularly, to a key management device that manages a key held by an information processing device connected to an information communication network.

  As home networks are becoming widespread, it is expected that not only personal computers and their peripheral devices but also many devices such as AV devices, housing facilities, and home appliances will be networked. In such an environment, the devices communicate with each other.

  As a method of performing encryption in such communication, first, there is a method of using an individual encryption key for each communication.

  Further, as disclosed in Non-Patent Document 1, for example, there is a group communication method using a group key for encryption. This group communication method is a method in which all devices connected to a network communicate using an encryption key called a group key.

  In the group communication method, when a device leaves the network or a new device is connected to the network, the group key is updated to ensure the security of the network. In updating the group key, the key information of all devices needs to be updated.

  In Non-Patent Document 1, M.M. Onen et al. Have proposed a group communication method based on a tree-structured key update approach that focuses on differences in the characteristics of members within a group. This approach subgroups all members in a group into members composed of members with a long duration staying in the group and members composed of short members, and encrypts members with a long duration staying in the group. When the key is delivered, error correction (FEC) and retransmission (ARQ) are performed.

  Hereinafter, the key distribution method of Non-Patent Document 1 will be described, including the general contents of tree structure key update. In this description, it is assumed that the group is composed of four members M1, M2, M3, and M4.

  First, all the members M1 to M4 are subgrouped into a member group composed of members who stay in the network for a long time and a member group composed of members who frequently enter and leave the network. Here, it is assumed that members M1 and M2 are members of a group of members who stay in the network for a long time, and members M3 and M4 are members of a group of members who frequently enter and leave the network.

FIG. 38 is a diagram showing the encryption key held by each member. In FIG. 38, the encryption key _K d ~K _g is the secret key of each member M1~M4. The encryption keys K _b and K _c are encryption keys that are shared by members in the group consisting of members who stay in the network for a long time and members in the group consisting of members who frequently enter and leave the network. the key K _a is the encryption key used when transmitting actual information in a group (group key). Then, the encryption key on a path leading to the encryption key K _a from the position of each member in Fig. 38 has its members, and the other encryption key shall not know member. (For example, member M1 has encryption keys K _a , K _b, and K _d and does not know any other keys.) There is also a key distribution server, which is responsible for all encryption keys. Suppose you have it.

Here, consider a case where the member M4 leaves the group. In this case, the encryption keys K _a and K _c are updated. Then, the updated encryption keys K _a and K _c are encrypted with respect to the member M3 by using the encryption key K _a or K _c before the update or the secret key K _f of the member M3 and transmitted to the member M3. The The encryption key K _a of the updated, to members M1 and M2, is broadcast encrypted using the encryption key K _b.

Next, consider a case where a member M4 is newly added from a state in which there is no member M4. In this case, the encryption keys K _a and K _c are updated, and a new encryption key K _g is shared between the key distribution server and the members. Here, the updated encryption keys K _a and K _c are encrypted and transmitted to the new member M4 using the encryption key K _g . The updated encryption keys K _a and K _c are encrypted and transmitted to the member M3 using the encryption key K _a or K _c before the update or the secret key K _f of the member M3. Then, the updated encryption key K _a is encrypted and broadcast to the members M1 and M2 using the encryption key K _b .

M.Onen, R.Molva, “Group Rekeying with a Customer Perspective”, International Conference on Parallel and Distributed Systems (ICPADS 2004)

  First, when performing communication encryption, it is not practical from the viewpoint of encryption key management and processing time to use an individual encryption key for each communication.

  Next, in the method described in Non-Patent Document 1, the encryption key is encrypted and delivered to all devices connected to the network when updating the key information. Therefore, a large amount of transmission is required for the key update process.

  However, the home network is characterized by a variety of connected devices. For example, some devices such as PDAs and notebook PCs frequently enter and leave the network, and other devices such as televisions that are connected to the network for a long time and require real-time characteristics. If a large amount of transmission is required for the key update processing as in the method described in Non-Patent Document 1, frequent key distribution is particularly necessary for communication that requires real-time performance, such as television image transmission. Service overhead is caused by the overhead due to. There is a high risk of key distribution failure in wireless or power lines with poor transmission characteristics, and there is a risk of interrupting subsequent communications.

  Therefore, if scalability is considered so that the influence on key management / distribution is small even if the number of devices connected to the network increases, it is necessary to update the group key efficiently and reliably. Is done.

  Further, in the delivery of group keys, the reliability of key delivery is also required. If key distribution fails, the member cannot decrypt the subsequent information. Many key distribution protocols have proposed a method in which members who have failed in key distribution contact the key management server individually for key renewal. In this case, there is a problem that a large-scale dynamic group is filled with individual key update messages due to the failure of the key update message. Therefore, it is very important that the reliability of the key distribution is high when the key distribution is to be performed efficiently. In particular, it is necessary to preferentially ensure high reliability for devices that require real-time performance, such as television images. Further, if a large number of message transmissions such as failure notification signal transmission and retransmission processing are performed individually in a large-scale dynamic group, overhead due to the transmission increases, resulting in service degradation. Therefore, it is important to reduce overhead when sending a message from the member side to the key distribution server side.

  In the method described in Non-Patent Document 1, FEC and ARQ are used together in order to increase the reliability of key distribution. If the coding rate is lowered, the reliability increases, but the amount of transmission required for the key update process increases.

  Such a problem is not limited to the transmission of the key update information for the encryption key, but can also occur in other key update processes.

  Therefore, an object of the present invention is to cause a computer to execute a key management device, a key management method, and a key management method that reduce the amount of transmission required for key update processing and improve the reliability of key distribution. An information processing apparatus, and a program capable of causing the information processing apparatus to execute key update processing are provided.

  The invention according to claim 1 is a key management device for managing a key held by an information processing device connected to an information communication network, wherein key update information corresponding to a key to be updated and distributed and the information processing device Key superimposing means for superimposing information to be transmitted, and communication means for transmitting information superimposed by the key superimposing means to the information processing apparatus.

  The invention according to claim 2 is the key management device according to claim 1, wherein the data area in which the key update information is superimposed among the information to be transmitted to the information processing device is data in the information processing device. It is a data area whose format can be grasped.

  In the invention according to claim 1 or 2, the information processing apparatus may have a table that defines a correspondence relationship between keys and key update information.

  Furthermore, in the invention according to claim 1 or 2, a table for defining the correspondence between the key and the key update information together with the information processing apparatus by the identification information, a control means for designating the identification information of the key to be updated and delivered, The key superimposing unit may superimpose key update information corresponding to the identification information designated by the control unit and information to be transmitted to the information processing apparatus.

  Furthermore, in the invention according to claim 1 or 2, the key update information may be orthogonal code data. If the key update information is orthogonal code data, it becomes possible to more clearly recognize the orthogonal code data on which the information processing apparatus that receives the information on which the key update information is superimposed is superimposed.

  Furthermore, in the invention according to claim 1 or 2, the key superimposing means superimposes by a logical operation of data in a data area where the key update information is superimposed and orthogonal code data which is the key update information. May be.

  Furthermore, in the invention according to claim 1 or 2, the key superimposing means calculates an exclusive OR of data in a data area on which the key update information is superimposed and orthogonal code data as the key update information. May be superposed.

  Further, as another key management device, a key management device that manages a key held by an information processing device connected to the information communication network, and that generates an identification number corresponding to a key to be updated and distributed A key generating unit that generates a key corresponding to the generated identification number, a key superimposing unit that superimposes key update information corresponding to the updated and delivered key and information to be transmitted to the information processing device, A communication unit for transmitting information to the information processing device, and for an information processing device capable of recognizing the correspondence between the key and the key update information, a key corresponding to the key delivered and updated by the key superimposing unit Update information and information to be transmitted to the information processing device are superimposed, and the communication unit transmits the information superimposed by the key superimposing unit to the information processing device, and the correspondence between the key and the key update information is not recognizable. For information processing equipment Te, the communication means may be one which transmits the key generated by the key generation unit (hereinafter referred to as sub-group key management system 1). With this subgroup key management device 1, it becomes possible to reduce the required transmission amount of key update information by using the difference in the characteristics of the information processing device. Management becomes possible.

  That is, the subgroup key management device 1 transmits the key update information to the information processing device at the time of key update, for example, in a state in which the correspondence relationship between the key and the key update information can be recognized for an information processing device that stays in the network for a long time. The key information is transmitted at the time of key updating, with the information being transmitted to the information processing apparatus that is to be performed and being transferred to / from the network, in a state where the correspondence between the key and the key update information is not recognizable. In this way, in the key update process for an information processing device that remains in the network for a long time, the apparent number of dedicated key distribution packets can be reduced to zero, and the difference in the characteristics of the information processing device can be used to It is possible to reduce the required transmission amount. In addition, even for information processing devices that frequently enter and leave the network, a change in the connection state of the information processing devices actually occurs instead of the key delivery at regular intervals as described in Non-Patent Document 1. Key distribution can be performed only when Further, for example, as a key management method, a star structure key management method in which a group key for an information processing device group staying in the network for a long time is root, and a group key for an information processing device group that frequently enters and exits the network is root. The key management using the difference in the characteristics of the information processing apparatus can be performed so that the tree structure key management method is used.

  Further, in the subgroup key management device 1, when the information processing device is in the first state, the control device sets the information processing device in a state where the correspondence relationship between the key and the key update information can be recognized. In the case of the second state different from the above state, the information processing device may be in a state in which the correspondence relationship between the key and the key update information is not recognizable (hereinafter referred to as subgroup key management device 2). .

  Furthermore, in the subgroup key management device 2, the first state can be expected to be a certain time or longer from when the information processing device is connected to the network until it leaves the network. It may be in a state (hereinafter referred to as subgroup key management device 3).

  Further, in the subgroup key management device 3, the information processing device in the first state may hold a key shared by all the information processing devices and a key possessed only by each information processing device. .

  Further, as another key management device, a key management device that manages a key held by an information processing device connected to an information communication network, and that is, key update information corresponding to a key that is updated and distributed, and the information processing device A key superimposing unit that superimposes information to be transmitted to the information processing device, and a communication unit that transmits information to the information processing device. The key update information corresponding to the key updated and delivered by the means is superimposed on the information to be transmitted to the information processing apparatus, and the communication means transmits the information superimposed by the key superposition means to the information processing apparatus. The key that is updated and distributed by the communication unit may be transmitted to an information processing apparatus that cannot recognize the correspondence between the key and the key update information. With this configuration, it is possible to reduce the required transmission amount of key update information by using the difference in the characteristics of the information processing apparatus, and it becomes possible to manage the key using the difference in the characteristics of the information processing apparatus. .

  Further, as another key management device, a key management device that manages a key held by an information terminal connected to the information communication network, and a control unit that generates an identification number corresponding to a key that is updated and delivered A key generating means for generating a key corresponding to the generated identification number, a key superimposing means for superimposing key update information corresponding to the updated and delivered key and information to be transmitted to the information terminal, and an information terminal For information terminals that can recognize the correspondence between the key and the key update information, and the key update information and information corresponding to the key that is updated and distributed by the key superimposing means. For information terminals that superimpose information to be transmitted to the terminal, the communication means transmits the information superimposed by the key superimposing means to the information terminal, and the correspondence between the key and the key update information is not recognizable Communication means is key generation means Which transmits the generated key may be (that the user key management apparatus 1 in the following). With this user key management device 1, it becomes possible to reduce the required transmission amount of key update information by using the difference in the characteristics of the user who uses the information terminal, and it is possible to reduce the key using the difference in the characteristics of the user. Management becomes possible.

  That is, for example, the user key management device 1 is configured so that, for a user who stays in the network for a long time, the key update information should be transmitted to the information terminal at the time of key update in a state where the correspondence between the key and the key update information can be recognized The key information is transmitted to the user who frequently enters and exits the network when the key is updated, assuming that the correspondence between the key and the key update information is not recognizable. In this way, in the key update process for a user who stays in the network for a long time, the apparent number of dedicated packet for key distribution can be made zero, and the required transmission amount of key update information can be reduced by utilizing the difference in user characteristics. Reduction can be achieved. In addition, for an information terminal used by a user who frequently enters and exits the network, instead of delivering a key at regular intervals as described in Non-Patent Document 1, the connection state of the user is actually changed. Key distribution can be performed only when it occurs. Further, for example, as a key management method, a star structure key management method in which a group key for an information terminal group used by a user who stays in the network for a long time is root, and a group key for an information terminal group that frequently enters and exits the network It is possible to manage keys using differences in the characteristics of users who use information terminals so that a tree-structured key management method with root is used together.

  Further, in the user key management apparatus 1, when the user who uses the information terminal is in the first state, the control means makes the information terminal capable of recognizing the correspondence between the key and the key update information. In the case of the second state different from the state 1, the information terminal may be in a state where the correspondence relationship between the key and the key update information is not recognizable (hereinafter referred to as the user key management device 2).

  Further, in the user key management device 2, the first state is a state in which the time from the user logging in to logging out is expected to be a certain time or more or a certain time or more (hereinafter referred to as “the first state”). User key management device 3).

  Furthermore, in the user key management device 3, the information terminal in the first state may hold a key shared by all users and a key owned only by each user.

  The invention according to claim 3 is a key management method for managing a key held by an information processing apparatus connected to an information communication network, wherein the key update information corresponding to the key delivered and updated by the key superimposing means, A superimposing step of superimposing information to be transmitted to the information processing device, and a transmitting step of transmitting information superimposed by the key superimposing unit to the information processing device by a communication unit.

  The invention according to claim 4 is a program capable of causing a computer to execute the key management method according to claim 3.

  An invention according to claim 5 is an information processing apparatus that receives information on which key update information is superimposed in claim 2, and includes a data area in which the key update information is superimposed on the received information and the reception possibility. Correlation processing means for performing correlation processing with each piece of key update information, and generating a key corresponding to the extracted correlation processing result by extracting a correlation processing result that satisfies a predetermined criterion A key information generation unit to be updated.

  The invention according to claim 6 is a communication means for receiving the information on which the key update information is superimposed in claim 2, a data area in which the key update information is superimposed on the received information, and a key update that can be received. A function that extracts a correlation processing result that satisfies a predetermined criterion from an information processing apparatus that includes a correlation processing unit that performs correlation processing with each piece of information, and a key corresponding to the extracted correlation processing result Is a program that realizes a function of generating a key and updating a key.

  A recording medium on which the computer can execute the program according to claim 4 or 6 may be recorded.

  The invention according to claim 7 is a key management device that manages keys held by a plurality of information processing devices each connected to an information communication network, and at least a part of the plurality of information processing devices is held in common. A key update information generating unit that generates key update information corresponding to each of the partial information processing devices based on a key to be multiplexed; and a plurality of key update information generated by the key update information generating unit A key management device comprising: multiplexing processing means for generating multicastable key distribution information; and communication means for transmitting key distribution information generated by the multiplexing processing means to the information processing apparatus. From the viewpoint of reliability, when the key to be held in common is a group key, the key distribution information is not transmitted to the information processing apparatus of the member leaving the group in order to invalidate the group key. Needed.

  According to an eighth aspect of the present invention, in the seventh aspect, the key update information generation means generates key update information using data having autocorrelation characteristics. Examples of data having autocorrelation characteristics include M-sequence data, Gold-sequence data, bulk-sequence data, and JPL-sequence data.

  The invention according to claim 9 is the invention according to claim 8, wherein the data having the autocorrelation characteristic is M-sequence data. The M-sequence data has a large peak and the others are flat data, and is suitable when, for example, key update information is generated using a shift amount and polarity. Examples of the shift amount include a cyclic shift amount, which corresponds to the secret key to be held by each information processing device on a one-to-one basis, and that the polarity should be held in common (for example, if grouped) Corresponding to the (group key) on a one-to-one basis. Further, as a method of associating each member's secret key with the shift amount of the cyclic shift M sequence on a one-to-one basis, for example, the secret key length is Ks bits, the sequence length of the cyclic shift M sequence is N bits, and the delivery information amount is As the Nr period of the cyclic shift M sequence, the Ks bits may be converted into Nr-digit N-ary numbers and mapped to each shift amount of the cyclic shift M sequence for the Nr period. At this time, it is assumed that the secret key of each member is set in advance so that the shift amount of the cyclic shift M sequence having the same period does not overlap. Further, as a method of making the group key have a one-to-one correspondence with the polarity of the cyclic shift M-sequence, for example, the group key GKr bits are cyclically set by the value of ID (= 0 to Nr−1) previously assigned to each member. The bits of the group key that has been shifted (shuffled instead of cyclically) and cyclically shifted may correspond to the polarity of each of the Nr (= GKr) cyclic shift M sequences.

  The invention according to claim 10 is characterized in that, in claim 8 or 9, the key to be held in common and the data having the autocorrelation characteristic are independent. The key to be held in common (for example, a group key if grouped) includes, for example, data in a data string in which -1 and 1 are random (ideally equal proportion). Is preferable in relation to M-sequence data as data having the above autocorrelation characteristics.

  The invention according to claim 11 is a key management device that manages keys held by a plurality of information processing devices each connected to an information communication network, and the key update of the plurality of information processing devices is performed at the same time. Of the information processing devices in the same subgroup based on a key that should be held in common by the information processing devices in the same group. Key update information generation means for generating key update information corresponding to each of the key update information and the key update information in the same subgroup generated by the key update information generation means are multiplexed and the key update information in the same group is multiplexed. Multiplex processing means for generating multicastable key distribution information, and key distribution information generated by the multiplex processing means The key management device and a communication means for transmitting to.

  According to a twelfth aspect of the present invention, in the eleventh aspect, the key update information generation unit generates key update information using M-sequence data, and the number of information processing devices in the subgroup is determined by M-sequence data. No more than the number of different data obtained.

  The invention according to claim 13 is the method according to any one of claims 7 to 12, wherein the key update information generation means rearranges a data string representing a key to be held in common corresponding to each information processing apparatus. Key update information is generated.

  The invention according to claim 14 is a key management method for managing keys held by a plurality of information processing apparatuses each connected to an information communication network, wherein the key update information generating means is at least one of the plurality of information processing apparatuses. Generating key update information corresponding to each of the partial information processing devices based on a key that should be held in common, and a plurality of key update information generation means generated by the key update information generation means Key management information including the steps of: generating key distribution information that can be multicast by multiplexing the key update information; and transmitting the key distribution information generated by the multiplexing processing means to the information processing apparatus. Is the method.

  The invention according to claim 15 is the key management apparatus according to claim 7, wherein the key update information generation unit is configured to perform the information processing based on key encryption information encrypted with a key held by the information processing apparatus. Key update information corresponding to the device is generated.

  The invention according to claim 16 is the key management apparatus according to claim 15, wherein the key update information generating means includes key encryption information dividing means for dividing the key encryption information into a predetermined number of divisions.

  The invention according to claim 17 is the key management apparatus according to claim 16, wherein the key update information generating means includes key encryption information division number adjusting means for adjusting the number of divisions for dividing the key encryption information. is there.

  The invention according to claim 18 is the key management apparatus according to claim 16 or 17, wherein the key update information generation means divides the key encryption information into the information processing apparatuses by the key encryption information division means. And a code length determining means for determining a code length of a code to be associated with each key cipher partitioning information in relation to a data length of each key cipher partitioning information.

  It is preferable that the data length of each key cipher partitioning information is constant and the corresponding code length is also constant, and the data length of the key update information is preferably constant, but at least the data length of the key update information is constant. In this case, the data length and code length of each key encryption division information need not be constant.

  The invention according to claim 19 is the key management apparatus according to claim 15 or 16, wherein the key update information generation means generates key update information using codes having orthogonality.

  The invention according to claim 20 is the key management apparatus according to claim 19, wherein the code having the orthogonality is a Walsh code.

  The invention according to claim 21 is the key management apparatus according to claim 19, wherein the key update information generating means generates key update information using a code having autocorrelation characteristics.

  The invention according to claim 22 is the key management apparatus according to claim 21, wherein the code having the orthogonality and autocorrelation characteristics is an orthogonalized cyclic shift M sequence.

  The invention according to claim 23 is an information processing apparatus each connected to an information communication network, wherein message information generating means for generating message information based on a message to be transmitted to the key management apparatus, and the message information generating means Message information transmission means for transmitting the message information generated by the key management apparatus to the key management apparatus, and the message information generation means includes message information division means for dividing a message to be transmitted to the key management apparatus into a predetermined number of divisions. It is a thing.

  The invention according to claim 24 is the key management apparatus according to claim 23, comprising synchronization means for synchronizing the message delivery information transmitting means of the information processing apparatus when transmitting the message delivery information.

  The invention according to claim 25 is the key management method according to claim 14, wherein the step of generating the key update information is performed by the key update information generation means encrypted with a key held by the information processing apparatus. The method includes a step of generating key update information corresponding to each information processing apparatus based on the key encryption information.

  The invention according to claim 26 is the key management method according to claim 25, wherein the step of generating the key update information includes a step of dividing the key encryption information into a predetermined number of divisions by the key encryption information dividing means. It is a waste.

  According to a twenty-seventh aspect of the present invention, there is provided a message transmission method in which a plurality of information processing apparatuses each connected to an information communication network transmit a message to be transmitted to the management apparatus. Generating message division information by dividing the message information into a predetermined number of divisions, a step in which message information generation means generates message information based on the message division information divided by the message information division means, and a message information transmission means Transmitting the message information generated and synchronized by the message information generating means to the management device.

  The invention according to claim 28 is a program capable of causing a computer to execute the method according to claim 14 or claims 25 to 27.

  According to the present invention, the key update information corresponding to the key updated and distributed by the key superimposing means is superimposed on the information to be delivered to the information processing apparatus, so that all the information processing apparatuses connected to the network have the key. Unlike the case of delivering the key, it is possible to reduce the transmission amount necessary for the key update process and improve the reliability of the key delivery. Further, based on a key that should be held in common by at least some of the plurality of information processing devices, key update information corresponding to each of the some information processing devices is generated, and the generated plurality of key update information is Multiplexed and multicastable key distribution information is generated, and the generated key distribution information is transmitted to the information processing device, so that scalability is efficiently ensured and the transmission amount required for key update processing is further reduced. At the same time, it is possible to ensure the reliability of key distribution.

  In addition, the key encryption information is divided, multiplexed and broadcasted by the direct spreading method, to improve efficiency and reliability, and the number of divisions is determined according to the characteristics of the information processing device. It is possible to flexibly cope with reliability and mounting resources that are requested differently for each processing apparatus. In addition, since the key encryption information already encrypted by the scheme of the conventional method is multiplexed and distributed without directly handling the key information in the key distribution, the M sequence and the orthogonal cyclic shift M used are used. Even when information about a sequence shift amount and a code such as a Walsh code is disclosed, the security of the key information is not lowered and can depend on the security of the conventional method.

  Furthermore, when the message is transmitted from the member side to the key distribution server, the message is divided and transmitted in synchronization, so that the amount of message transmission can be reduced. For example, in a large and dynamic group, if a large amount of message transmission such as failure notification signal transmission and retransmission processing is performed individually, overhead will increase and service will be reduced, but key distribution from the member side Such a problem can be solved by dividing the message and transmitting it in synchronization when transmitting the message to the server.

  The first embodiment of the present invention will be described below.

  FIG. 1 is a schematic block diagram of a key information update system according to the first embodiment of the present invention.

  The key information update system 1 includes members M1 to MQ constituting a group and a key management server 3 that manages keys held by the members M1 to MQ. The key management server 3 includes a control unit 5, a key generation unit 7, a key superposition unit 9, and a communication unit 11.

  The control unit 5 sends the members M1 to MQ to a group (hereinafter, referred to as P group) composed of members M1 to MP that stay in the network for a long time, such as a television, and to the network, for example, a PDA or a notebook PC. Are sub-grouped into groups (hereinafter referred to as V sets) composed of members M (P + 1) to MQ that frequently come and go. For the P group members M1 to MP, the correspondence between the identification number (hereinafter referred to as the serial number), the key, and the key update information can be known, and for the V group members M (P + 1) to MQ, It is assumed that these correspondences cannot be known.

  Further, when updating the keys held by the members M1 to MQ, the control unit 5 performs key distribution processing by the key superimposing unit 9 on the P set members M1 to MP, and assigns them to the V set members M (P + 1) to MQ. On the other hand, key distribution processing by the key generation unit 7 is performed.

  The key generation unit 7 generates a key when updating the key, and encrypts the delivered key.

  The key superimposing unit 9 superimposes key update information corresponding to the key to be updated and information to be transmitted to the P set members M1 to MP.

  The communication unit 11 transmits and receives information with the members M1 to MQ.

  Here, in the first embodiment of the present invention, M-ary encoding is used in encoding for key distribution to P group members. This M-ary encoding is used as a technique for improving frequency utilization in the field of wireless communication and the like (for example, Shinichi Tachikawa, 1 other author, “M-ary / SSMA and FDMA in mobile satellite communication”). "Comparison of frequency efficiency", IEICE Transactions B-2, vol. J74-B2, no. 5, pp. 270-275). First, this M-ary encoding will be described with reference to FIG.

(A) of FIG. 2 is a figure which shows the structure of M-ary encoding. First, since the transmission data is present the number of states of the 2 ^k as in the case of k bits, are prepared in advance code 1 to 2 ^k. Then, codes 1 to 2 ^k are associated with each state of transmission data k bits in advance, and a corresponding code is transmitted according to the state of transmission data k bits at the time of actual transmission.

Next, (B) of FIG. 2 is a figure which shows the structure of M-ary decoding. The received first signal is input to the ^{2 k} correlators 21 to 25 for the code 1 to 2 ^k, which had been prepared in advance. In this case, since the correlator output for the same code as the actually transmitted code is maximized, the outputs of all correlators are compared by the maximum likelihood determination unit 27, and the code with the maximum correlator output is determined. Extract. Then, based on the correspondence determined in advance, the corresponding k-bit data string is decoded.

  Next, the operation of the key information update system 1 in FIG. 1 will be described. In the following description, it is assumed that the members constituting the group are four members M1, M2, M3, and M4. Further, it is assumed that members M1 and M2 are P group members, and members M3 and M4 are V group members. Further, it is assumed that the key is an encryption key. Further, it is assumed that the key update information is data represented by orthogonal codes (hereinafter referred to as orthogonal codes). Further, it is assumed that the data area in which the orthogonal code is superimposed among the information to be transmitted to the P group members is a preamble portion of a normal packet frame.

FIG. 3 is a diagram illustrating keys held by each member. 3, the key _{K a} is a group key, the key _{K c} is the spare key, the key _{K d} and _{K e} and _{K f} and _{K g} is a member M1 respectively M2 and M3 and the private key of M4. 3, each member owns a key on a path leading from the place where its position on the key K _a, and the other key is not known. For example, member M1 has keys K _a and K _d and no other keys. It is assumed that the key management server 3 has all keys.

As shown in FIG. 3, the key update method in the present embodiment is a combination of a star structure and a tree structure. In other words, for members M1 to stay longer in the network and M2 is a key update method of the star structure to the root of the group key K _a, and root the group key K _a is about and out of the network is a frequent member M3 M4 This is a tree-structured key update method.

  FIG. 4 is a diagram showing a table (hereinafter referred to as a key table) that defines the correspondence between serial numbers, keys, and orthogonal codes. The key management server 3 and the P group members M1 and M2 can know the correspondence between the serial number, the key, and the orthogonal code by, for example, possessing this key table or allowing access to the key table. Shall.

  5 and 6 are flowcharts showing the operation of the key management server 3.

  First, the control unit 5 determines whether or not there is a request for participation from a new member (step ST1 in FIG. 5). If there is a request for participation, the process of step ST2 in FIG. 5 is performed, and if there is no request for participation, the process of step ST9 in FIG. 5 is performed.

  In step ST <b> 2 of FIG. 5, the control unit 5 assigns a position in the tree structure to the member according to the characteristics of the member. For example, when the time that the member stays in the network is longer than a certain time or is expected to be longer than a certain time, the control unit 5 determines that the member is a P group member or the member M1 in FIG. Assign M2, otherwise assign the member M3 or M4 of FIG. When all the members M1 to M4 are allocated, a branch and a leaf are newly added and allocated.

  Subsequently, the control unit 5 determines whether or not the new member is a P group member (step ST3 in FIG. 5). If the new member is a P group member, the process of step ST4 in FIG. 5 is performed. If not (that is, the new member is a V group member), the process of step ST7 in FIG. 5 is performed.

  In step ST4 of FIG. 5, the control unit 5 distributes the key table (see FIG. 4) to the new member or permits access to this table. As a result, the new member is in a state where the correspondence between the serial number, the key, and the key update information can be known.

Subsequently, the control unit 5 updates the group key _{K a} (step ST5 in FIG. 5).

Subsequently, the key management server 3 performs a key distribution process to members (step ST6 in FIG. 5). That is, for the P group member, the key superimposing unit 9 converts the orthogonal code corresponding to the updated group key based on the key table of FIG. 4 into information known to the member side (in this example, the preamble). The communication unit 11 transmits the superimposed information and the orthogonal code to the member, and performs key distribution processing. On the other hand, for the V group member, the key generation unit 7 encrypts the updated group key K _a with the spare key K _c , and the communication unit 11 transmits the encrypted key to the V group member for key distribution. Process. Then, the processes shown in FIGS. 5 and 6 are terminated.

In step ST7 of FIG. 5, the control unit 5 updates the group key _{K a} and the spare key _{K c.}

Subsequently, the key management server 3 performs a key distribution process to the members (step ST8 in FIG. 5). That is, for the P group members, key superimposing section 9 is superimposed on the known information also orthogonal code member side corresponding to the group key K _a updated based on the key table in FIG. 4 (e.g., preamble) The communication unit 11 transmits the superimposed information and performs key distribution processing. Further, with respect to the members from the conventional one of V group members, encrypts the group key K _a to the key generation unit 7 is updated before the update at the spare key K _c, the spare key K _c the updated Members Encryption is performed using a secret key, and the communication unit 11 transmits the encrypted key and performs key distribution processing. Further, in the key distribution to the new member, the updated group key K _a and the updated spare key K _c are encrypted with the new member's private key, and the communication unit 11 transmits the encrypted key to the member to generate the key. Perform delivery processing. Then, the processes shown in FIGS. 5 and 6 are terminated.

  In step ST9 of FIG. 5, the control unit 5 determines whether or not there is a request for withdrawal from the existing member. If there is a request for withdrawal, the process of step ST10 in FIG. 6 is performed, and if not, the process returns to step ST1 in FIG.

  In step ST10 of FIG. 6, the control unit 5 determines whether or not the member who has requested to leave (hereinafter referred to as a leaving member) is the P group. If the leaving member is the P group, the process of step ST11 in FIG. 6 is performed. If not (that is, the leaving member is the V group), the process of step ST14 in FIG. 6 is performed.

In step ST11 of FIG. 6, the control unit 3 updates the key table. Subsequently, the control unit 3 updates the group key _{K a} (step ST12 in FIG. 6).

Subsequently, the key management server 3 performs a key distribution process to members (step ST13 in FIG. 6). That is, for the P group member, the key superimposing unit 9 superimposes the orthogonal code corresponding to the group key updated based on the key table on the information (preamble in this example) also known on the member side, and performs communication. The unit 11 transmits the superimposed information to the member and performs key distribution processing. On the other hand, for the V group member, the key generation unit 7 encrypts the updated group key K _a with the backup key K _c , and the communication unit 11 transmits the encrypted key to perform key distribution processing. Then, the processes shown in FIGS. 5 and 6 are terminated.

In step ST14 of FIG. 6, the control unit 5 updates the group key K _a and the spare key K _c .

Subsequently, the key management server 3 performs a key distribution process to members (step ST15 in FIG. 6). That is, for the P group member, the key superimposing unit 9 superimposes the orthogonal code corresponding to the updated group key on the member side based on the key table on information (eg, preamble) known to the member side, and the communication unit 11 The superimposed information is transmitted to the members to perform key distribution processing. On the other hand, for the V group member, the key generation unit 7 encrypts the updated group key K _a with the spare key K _c , encrypts the updated spare key K _c with the member's private key, and communicates the communication unit 11. Transmits the encrypted key and performs key distribution processing. Then, the processes shown in FIGS. 5 and 6 are terminated.

  As described above, as shown in FIGS. 5 and 6, the key management server 3 performs an updated key distribution process for the members.

  FIG. 7 is a diagram illustrating an example in which the key superimposing unit 9 superimposes the orthogonal code to be delivered on the preamble part of a normal packet frame. In FIG. 7, the preamble is 4 bits and the orthogonal code is 4 bits.

  The key superimposing unit 9 calculates the exclusive OR of the delivered orthogonal code and the preamble unit in units of bits. Then, the output is delivered at the same position on the packet frame instead of the preamble portion of this place.

  Next, a process in which each member extracts key update information will be described. First, the P group member will be described.

  FIG. 8 is a schematic block diagram showing the key information extraction unit 41 included in the P group member. In FIG. 8, the key information extraction unit 41 includes a communication unit 43, an orthogonal code correlation processing unit 45, and a determination unit 47. The orthogonal code correlation processing unit 45 includes orthogonal code correlators 51 to 5N, and the determination unit 47 includes a maximum likelihood determination unit 61 and a key information generation unit 63.

  The communication unit 43 transmits and receives signals to and from the key management server 3. In the following, it is assumed that a link has already been established for the communication circuit between the key management server 3 and each member.

  The orthogonal code correlation processing unit 45 performs correlation processing between a signal received by the communication unit 43 (hereinafter referred to as a reception signal) and the orthogonal codes 1 to N in the key table of FIG. That is, the received signal is branched into N pieces. Orthogonal code correlators 51 to 5N are respectively arranged between a part on the frame (the original preamble part in this example) superimposed on the branched received signal and the orthogonal codes 1 to N in FIG. Perform correlation processing. For example, the orthogonal code correlator 51 performs a correlation process between the first signal of the branched received signal and the orthogonal code 1, and the orthogonal code correlator 52 performs an orthogonal code 2 between the branched received signal. Correlation processing is performed, and thereafter the orthogonal code correlator 5N performs correlation processing with the orthogonal code N on the Nth signal of the branched received signal. For each correlation process, as shown in FIG. 9, an exclusive OR is performed in bit units between the superimposed portion of the received frame and the orthogonal code. The correlator output is obtained by adding the outputs.

  The determination unit 47 determines that the key update information corresponding to the output satisfying the predetermined criterion among the outputs of the orthogonal code correlation processing unit 45 is the key update information transmitted on the transmission side, and determines the key corresponding to this key update information. Is to be generated. That is, the maximum likelihood determination unit 61 determines that the key update information corresponding to the output satisfying a predetermined criterion among the outputs of the orthogonal code correlation processing unit 45 is the key update information sent on the transmission side, and the key information generation unit 63 A key corresponding to the key update information determined by the maximum likelihood determination unit 61 is generated.

  FIG. 10 is a flowchart showing the operation of the determination unit 47 of FIG. It is assumed that the part to be superimposed is a preamble part and the preamble pattern is fixed at “0”.

  First, the maximum likelihood determination unit 61 compares the outputs of the orthogonal code correlators 51 to 5N (hereinafter referred to as correlation outputs) to extract the correlator having the maximum output (step STT3 in FIG. 10). The correlation output that maximizes this output is described below.

For example, if the portion to be superimposed is a preamble, the preamble pattern is generally fixed at “0” or “1” (for example, Hideaki Matsue, supervised by one person, “802.11 high-speed wireless LAN textbook”, IDG Japan, 2003). Therefore, assuming that the preamble pattern is fixed at “0” and there is no transmission error in the received signal, the correlation output for the same orthogonal code as the actually distributed orthogonal code is equal to the orthogonal code length. (Conversely, if the preamble pattern is fixed at “1”, the output for the orthogonal code for the same orthogonal code as the actually delivered orthogonal code is zero.) On the other hand, between the different orthogonal codes, The number that matches and the number that does not match are equal (see FIG. 11). Therefore, the correlation output for an orthogonal code different from the actually delivered orthogonal code is obtained by calculating the following equation (1) for the received signal R _i and the orthogonal code C _i when the orthogonal code length is L. The correlator output that compares the resulting value and maximizes it can be the actually delivered orthogonal code. In this way, the superimposed key update information can be extracted based on a predetermined standard based on the key update information to be used, the data format of the area on which the key update information is superimposed, and the like.

  Subsequently, the key information generating unit 63 determines whether or not the maximum value in each correlation output is equal to or greater than a threshold value (step STT2 in FIG. 10). If it is equal to or greater than the threshold value, the process of step STT3 in FIG. 10 is performed, and if not greater than the threshold value, the process returns to the process of step STT1 in FIG. Even if a reception signal error due to noise or the like in the transmission path occurs, if the correlation output is within the rules relating to the threshold value, the processing in FIG. 10 is performed correctly.

  In step STT3 of FIG. 10, the key information generation unit 63 extracts the corresponding group key from the orthogonal code corresponding to the correlator having the maximum output based on the key table of FIG. Then, the process of FIG.

  The P group member updates the held group key based on the group key extracted by the process of FIG.

  On the other hand, the V group member decrypts the key information sent after being encrypted, and updates the held key information.

  Next, update of the key table in FIG. 4 will be described. In this embodiment, for example, in the process of FIGS. 5 and 6 and FIG. 10, the key table is updated when the P group member leaves the group. The indicated key table is updated. Here, it is assumed that the key and the orthogonal code are updated.

First, with respect to the key, the key K _i corresponding to the serial number i requested to be updated uses the one-way function F, and the output obtained by the following equation 2 is used as a new key in the table of FIG. To replace K _i with K ′ _i . By this processing, the key information in the table is gradually updated as time passes.

Next, the orthogonal codes, given a matrix for each orthogonal code in the table row, depending on the serial number in the corresponding table in the group key K _a of the updated row direction and column direction that matrix This is done by shifting to.

That is, for example, the case where N = 4 in the key table of FIG. 4 will be described with reference to FIG. Every update period T _p of P set members, for example, when the serial number in the table corresponding to the group key K _a updated in FIG. 3 is an even number of (e.g., 2 bits), in FIG. 12 (A) As shown, all orthogonal codes in the table are uniformly shifted leftward by the number of serial numbers (for example, 2). The number of serial numbers in the table corresponding to the group key K _a of the updated odd (for example, 1 bit) When, as shown in (B) of FIG. 12, the number of the serial number (e.g. Only 1) shift all the orthogonal codes in the table uniformly upward. This processing member is repeated every period T _p.

  In this case, it is considered very difficult for a member who newly joins the group to break the backward secrecy unless the member obtains a table at a certain point in time and continues to update thereafter. On the other hand, for members who leave the group, it is difficult to break forward secrecy unless an approach such as storing received data and analyzing it is performed unless it is updated once after leaving. Conceivable.

  Next, the required transmission amount of the key update information is compared with the method described in Non-Patent Document 1.

First, the required transmission amount of the key update information in the case of Non-Patent Document 1 can be calculated as follows. However, the group key update is performed in batches at regular intervals, and the group update cycle T _p composed of members who stay in the network for a long time is the group update cycle composed of members who frequently enter and leave the network. It is sufficiently longer than the T _v. Regarding key renewal of members who remain in the network for a long time, first, the key delivery sound reliability is improved by performing FEC and ARQ at the time of key renewal due to a change of members who remain in the network for a long time. On the other hand, when the group key change by and out of the network changes frequently members for each update period T _v are set in advance, the members remain longer in the network to calculate the respective group key using a pseudo random function Suppose that key updating is performed without key distribution.

First, consider members who stay in the network for a long time. As for key update by changing members who stay in the network for a long time, assuming that there is no ARQ for the sake of simplicity, the required transmission amount B ′ _pp per unit time is given by the following equation (3). Note that k is the key length, C _pp is the average number of key transmissions per key update period T _{p of} members who stay in the network for a long time, and r is the FEC coding rate.

  In addition, since the key distribution is not accompanied when the key is updated by changing the member who frequently enters and leaves the network, the required transmission amount is zero.

Next, consider members who frequently enter and leave the network. For key update due out to change the frequent members to the network, actually since the key information without the member changes are updated delivered in the period T _v, C _vv is out frequent members of key update to the network Assuming that the average number of times of key transmission per period T _v is, the required transmission amount B ′ _vv per unit time is given by the following equation (4).

For key update by members changes that last longer on the network, update only the group key K _a, it, because it suffices broadcast to members encrypted using a key K _c, required transmission amount per unit time B ′ _vp is expressed by the following equation (5).

  Therefore, the required transmission amount B ′ per unit time as a whole is given by the following equation (6).

  In contrast, the required transmission amount of the key update information in the first embodiment of the present invention can be calculated as follows.

First, consider members who stay in the network for a long time. With regard to this member, as described above, since the key update information is transmitted by being superimposed on another normal signal, a packet is not generated and delivered exclusively for the key update information. Therefore, the required transmission amount _Bp is zero.

Next, consider members who frequently enter and leave the network. For key update due out to change the frequent members to the network, only when the actual members change occurs, the key information is updated delivered in the period T _v, required transmission amount B _w per unit time The following formula 7 is obtained.

As for the key update by changing the member who stays in the network for a long time, it is only necessary to update the group key K _a , encrypt the key K _c and broadcast it to the members, so the required transmission amount B _vp per unit time is The following equation 8 is obtained.

  Therefore, the required transmission amount B per unit time as a whole is expressed by the following equation (9).

Therefore, the required transmission rate reduction ratio η with respect to the conventional method of the present invention is expressed by the following equation (10) from equations (6) and (9). In the number 10 formula _{is r1 = T v / T p,} r2 = C pp / C vv.

Here, for the sake of simplicity, it is assumed that the term (r1 / C _vv ) in Equation 10 is sufficiently smaller than the other terms, and calculation is performed as in Equation 11 below. However, C _p = C _pp / T _p (average number of key transmissions per unit time in the P group member) and C _v = C _vv / T _v (average number of key transmissions per unit time in the V group member) ).

From the above equation, for example, if the number of members of the P group members is set to about C _p / C _v ≈1, when the coding rate r is 0.5, the effect is 1/3 compared to the conventional method I can expect.

  Next, the reliability of key distribution is compared with the method described in Non-Patent Document 1. In the method described in Non-Patent Document 1, FEC and ARQ are used together in order to increase the reliability of key distribution, but only FEC is considered for simplicity. In this case, the FEC coding rate r determines the reliability of key distribution. Here, assuming that r = 0.5, for example, when the FEC method is convolutional coding and Viterbi decoding hard decision reception, a reliability of about 3 dB is obtained as a required S / N ratio for obtaining a constant transmission channel error rate. Effect (encoding gain) can be obtained.

  Next, the reliability improvement effect of key distribution in the first embodiment of the present invention will be considered. In the first embodiment of the present invention, the orthogonal code length used determines the reliability of key distribution. Here, since the preamble bits on which the orthogonal code is superimposed are generally 12 bits in wireless LAN, for example, the orthogonal code length is 12 bits. Here, for the sake of simplicity, assuming that the preamble pattern in which the orthogonal code is superimposed at the time of delivery is a fixed pattern of 0 or 1, the required S / N ratio for obtaining a constant transmission path error rate is 10 · log (12) ≈11 A reliability improvement effect of (dB) can be obtained.

  However, although the reliability further increases if the coding rate is lowered in the conventional method, the required transmission amount of the key update information is larger than that in the first embodiment of the present invention from the equation (10).

  In addition to the orthogonal code, the key update information may be, for example, an M series or a Gray code. The number of codes that can be used can be increased by using an M series or a Gray code. However, by using the orthogonal code, the distinction between the superimposed orthogonal code and the non-superimposed orthogonal code becomes clear.

  The data area on which the key update information is superimposed may be in a data format in which the signal pattern can be grasped in advance on the receiving side, and may be a CRC (Cyclic Redundancy Checksum), for example.

  Furthermore, the key superimposing unit 9 of FIG. 1 may use, for example, an operation such as multiplication when superimposing the key update information on the data in the data area on which the key update information is superimposed.

  Furthermore, the key to be updated may be specified by a serial number. That is, in FIG. 1, the control unit 5 generates an identification number corresponding to the updated and distributed key, and the key generation unit 7 generates a key corresponding to the generated identification number for the V group member. The communication unit 11 transmits the key generated by the key generation unit 7, and the key superimposing unit 9 updates the key set information corresponding to the key to be distributed and transmitted to the P set member and the information processing apparatus. The communication unit 11 may transmit the information superimposed by the key superimposing unit 9 by superimposing power information.

  Furthermore, the key managed by the key management server 3 in FIG. 1 may be an access key, for example.

  Furthermore, the key managed by the key management server 3 in FIG. 1 may be assigned to a user who uses an information terminal connected to the network. For example, the key management server 3 performs subgrouping of members based on login and logout times of members who use the information terminal, and manages key information held by the information terminal. With such a configuration, for example, user key management in grid computing can be performed.

  By the way, the processing shown in the first embodiment has the following problems. That is, as the member size (number of members) increases, the delivery amount of the key update information also increases. Specifically, in the case of GKMP (Group Key Management Protocol), the delivery of key update information is proportional to the number of group members, and in the case of LKH (Logical Key Hierarchy protocol), the key update information is proportional to the logarithm of the number of group members. The amount increases. Particularly in a system where communication resources (bandwidth) such as wireless communication or power line communication are limited as the assumed communication means, an increase in the required transmission amount of key update information becomes a heavy load. When a member who tends to be more complicated than when a member newly joins the group leaves the group, the updated group key is invalidated for the member who leaves. There is also a need to do this efficiently.

  As home networks become more widespread with the spread of the ubiquitous society, it is also important to improve the efficiency of encryption key transmission and ensure security when the number of connected devices increases dramatically. It is. Therefore, even in such an environment, the group key revocation technique is necessary.

  Further, for an AV device that requires real-time performance for information transmission such as image transmission on a television or the like, the group key is invalid so that the real-time performance is not impaired even if the encryption key is updated. Technology is also needed.

  In order to improve the above points, other embodiments that enable the revocation of a group key while ensuring high reliability without depending on the group scale and the amount of key update information delivered will be described below. Explained.

  An outline of the second embodiment of the present invention will be described.

  In the second embodiment of the present invention, when a large number of members on the information communication network leave the group, the key distribution information to the member is invalidated when the key of the member leaving the group is invalidated. This is an encryption key invalidation method in which the required transmission amount does not depend on the number of members of the group without impairing the security of the encryption key. For this purpose, the same M sequence is repeatedly broadcast from the key distribution server by the number equal to the length of the group key to be distributed. At that time, each bit of the group key is mapped to the polarity of each M series. If the number of members exceeds the M-sequence length, the same processing is performed using different M-sequences, and the data is multiplexed and delivered to the M-sequence.

  In preparation for implementing the second embodiment of the present invention, the key distribution server first distributes a secret key (N-decimal number Nr digits) to each member in the group (the maximum number of members in the group is N). To do. However, each secret key is selected so that the value of each digit does not overlap. This is shared only between the key distribution server and individual members and unknown to other members. Next, the M series and ID (= 0 to Nr) are distributed to all members. When the number of members exceeds N, another M series and ID (= 0 to Nr) are distributed to the excess members. That is, all members are divided into subgroups having a maximum number of members of N. Here, the M sequences differ between subgroups, but the same M sequences are used within the subgroups. The ID is only required to be unique within a subgroup, and may be duplicated among members between different subgroups.

  Here, the M sequence used in the second embodiment of the present invention will be described.

The M sequence is a sequence in which the cycle N has a maximum value N = 2 ^k −1 among sequences generated by a k-stage linear feedback shift register. This is excellent in autocorrelation characteristics, takes a maximum value N during synchronization, and is -1 otherwise.

For the M sequence (u ₀ , u ₁ ,..., U _N-1 ), when cyclically shifted by i, the following cyclic shift M sequence (Edited by Naoshi Iida, “Satellite Communications”, Ohmsha, 1997) U _i is generated. Here, N is a sequence length and u ₁ = + 1 or −1. In this case, N cyclic shift M sequences are generated from one type of M sequence.

  FIG. 13 is a diagram illustrating a three-stage shift register that generates an M sequence having a sequence length of 7.

  In the feedback shift register as shown in FIG. 13, when the possible value is +1 or −1, if the initial value of the shift register is −1, −1, −1, 7 bits (−1, −1, −1, +1, −1, +1, +1,) are periodically generated. The sequence of bits generated in this way is an M series.

  FIG. 14 is a diagram showing the correlation of the M series generated in FIG.

  (A) of FIG. 14 is a correlation diagram when the self M-sequence is multiplied by the same M-sequence (shift amount 0). When multiplication is performed for each bit and the results are added by an adder, the correlation output becomes +7. FIG. 14B is a correlation diagram in the case where the self M-sequence is multiplied by the M sequence that is the same M-sequence but shifted to the left by 1 bit. As in the case of (a), when the multiplication is performed for each bit and the results are added, the correlation output becomes -1. Similarly, even when shifting by 2 bits or more, the result is −1 (except when the shift amount is a sequence length bit). That is, the autocorrelation characteristics as shown in FIG.

  FIG. 15 is a graph showing the autocorrelation characteristics of the M sequence.

As shown in FIG. 15, the M sequence has a characteristic that has a sharp peak value when the shift amount is 0 or ± sequence length bit shift is performed. The cross-correlation value between U _i and U _{j is} a maximum value (= 7) when i = j, and is −1 otherwise. By utilizing such autocorrelation characteristics, the second embodiment of the present invention can be realized.

  Next, a description will be given of processing on the server side for delivering key delivery information of the key management apparatus according to the second embodiment of the present invention.

First, the secret key information of each member is mapped to the cyclic shift M sequence. Each member's secret key (N base Nr digits) is mapped to the shift amount i of each of the Nr cyclic shift M sequences U _i transmitted serially. Specifically, the k-th N-digit number of the secret key (N-ary number Nr digits) is mapped to the shift amount i of the k-th cyclic shift M sequence U _i .

Next, mapping to the group key information cyclic shift M sequence is performed. The updated group key (key length GK bits) is mapped to the polarity (+ U _i or−U _i ) of each of the Nr cyclic shift M sequences U _i transmitted serially. Specifically, the group key GK bits are cyclically shifted by the ID value distributed in advance to each member. Then, for example, the k-th value of the group key GK bit after the cyclic shift is mapped to the polarity of the cyclic shift M sequence U _i .

Next, the key is delivered. Delivery of group key delivery information from the key delivery server to each member is performed by broadcasting to all members. The signal B to be broadcast is serially formed in the form shown in FIG. 16 by multiplexing the Nr number of cyclic shift M sequences to which each member's secret key and group key are mapped as described above. Delivered. A detailed description of FIG. 16 will be given later. Multi-M-seq. k (k = 1 to Nr) is a sequence in which the cyclic shift M sequence of each member is multiplexed, and the i-th element Multi-M-seq. k (i) is expressed by equation (2). In Equation (2), GK _ik is the k-th value of the group key GK that is cyclically shifted by the ID of the member of the corresponding shift amount i.

When the number of members exceeds N, Nr M sequences between different subgroups as described above are further multiplexed and transmitted at the same frame timing as shown in FIG. A detailed description of FIG. 17 will be described later. In this case, Expression (2) is expressed as follows using an M sequence U ′ _ij different from U _ij .

  In the above key distribution, it is assumed that the M sequence having the shift amount corresponding to the secret key of the member to be invalidated is multiplexed and not distributed.

  Next, a description will be given of processing on the server side for delivering key delivery information of the key management apparatus according to the second embodiment of the present invention.

  FIG. 18 is a schematic block diagram of a key management apparatus according to the second embodiment of the present invention.

  The key management apparatus 100 includes subgroups # 1 to #N, each subgroup, and a key distribution server 102 as a key management apparatus that manages the keys of the members in each subgroup. Subgroup # 1 is composed of members M1 to MNr. The key distribution server 102 includes a control unit 104, a key distribution information generation unit 106, and a communication unit 108. Each member in the group is assigned a secret key (Nr-digit N-ary number) and an ID, and the secret key does not overlap among the members. In addition, subgroups # 1 to #N are assigned data having autocorrelation characteristics (the M-sequence is used in the second embodiment of the present invention), and the M-sequence differs between the subgroups. The ID may be duplicated.

  As data having autocorrelation characteristics, there are Gold series, bulk series, JPL series, etc. in addition to M series. In the second embodiment of the present invention, the same result can be obtained regardless of which data is used as long as the data shows autocorrelation characteristics. However, the data must be independent of the group key.

  When the member is replaced, the control unit 104 determines whether it is a request to join a new member or a request to leave an existing member. If it is a request to join a new member, a secret key and ID are assigned to the newly added member.

  FIG. 19 is a schematic block diagram showing the configuration of the key distribution server 102 and the information processing apparatus on the member side in FIG.

  The key distribution information generation unit 106 includes a serial sequence generation processing unit 112, a group key mapping processing unit 114, and a multiplexing processing unit 116. The serial sequence generation processing unit 112 and the group key mapping processing unit 114 constitute a key update information generation unit 113. When the control unit 104 requests to join a new member or leave an existing member, the serial sequence generation processing unit 112, the group key mapping processing unit 114, and the multiplexing processing unit 116 of the key distribution information generation unit 106 perform each process. In this way, key distribution information is generated. The information processing apparatus 110 includes a reception unit 118 and a key extraction processing unit 120, and the generated key distribution information is transmitted from the communication unit 108 to the reception unit 118 of the information processing apparatus 110 connected to the network. Based on the transmitted key distribution information, the key extraction processing unit 120 extracts a group key.

  FIG. 20 is a flowchart showing processing of the key distribution server 102 according to the second embodiment of the present invention.

  First, the control unit 104 in FIG. 19 determines whether there is a request for withdrawal from an existing member or a request for participation of a new member (step ST202 in FIG. 16). If there is a request to leave or a new member to join from an existing member, the process proceeds to step ST204 in FIG. If there is no request, it will be in a standby state as it is.

  In step ST204 in FIG. 20, the serial sequence generation processing unit 112 in FIG. 19 generates a serial sequence of cyclic shift sequences corresponding to each member. A serial sequence of cyclic shift sequences will be described with reference to FIG.

FIG. 21 is a schematic diagram in the case where serially shifted series corresponding to each member's secret key are serially arranged. For example, when the value of the secret key K-th digit of the members M1 is _{i k,} the sub-group # 1 assigned to the M-sequence _{(U 0, U 1, ···} , U N-1) only _{i k} cyclic shift The generated sequences (U _ik , U _{ik + 1} ,..., U _N−1 , U ₀ ,..., Ui _Nr−1 ) are generated for the number of digits, and these are serially arranged.

  In order to explain in more detail, specific numbers will be exemplified and described.

Assume that 14 members are M0 to M13, members M0 to M6 are subgroup # 1, and members M7 to M13 are subgroup # 2. Assume that the M sequence assigned to subgroup # 1 is U ¹ , and the M sequence assigned to subgroup # 2 is U ² . In addition, the following (Table 1) is prepared as the M series.

  In addition, the secret keys and IDs of the members M0 to M13 are assigned as shown below (Tables 2 and 3).

The group key is GK = (+ 1, -1, + 1, -1, + 1, -1, + 1).

  The results of processing in step ST204 of FIG. 20 under the conditions of Tables 1 to 3 are shown below (Tables 4 and 5).

  For member M0 of subgroup # 1 in Table 4, with reference to the secret key of M0 in Table 2, it is (0000000), so the M series with a shift amount of 0 bits from the first digit to the seventh digit is serial. Placed in. Further, for member M7 of subgroup # 2 in Table 5, with reference to the secret key of M7 in Table 3, it is (0000001), so that the M sequence with 0-bit shift amount from the first digit to the sixth digit Are arranged serially, and an M-sequence with a shift amount of 1 bit is arranged in the seventh digit. Similarly, for other members, M sequences shifted according to the value of each secret key are serially arranged as many as the number of M sequences.

  Next, the process proceeds to step ST206 in FIG. The group key mapping processing unit 114 in FIG. 19 maps each bit of the group key cyclically shifted corresponding to the ID assigned to each member to each of the generated serial sequences. This mapping will be described with reference to FIG.

  FIG. 22 is a schematic diagram when a group key is mapped to the serial sequence generated in step ST204 in FIG.

The group key GK (key length Nr) is shifted by id bits in accordance with the ID (value is set to id), and the K-th value (K + 1) of the generated serial sequence GK _idk (= + 1or-1) ( U _ik , U _{ik + 1} ,..., U _N−1 , U ₀ ,..., U _ik−1 ) are used to perform group key mapping.

  In order to explain in more detail, specific numbers will be exemplified and described.

For example, for member M8 of subgroup # 2, the ID is 1, so id = 1. Therefore, when GK is shifted by 1 bit, GK _id = (+ 1, +1, -1, +1, -1, +1, -1). Then, the K-th GK _idk of the group key GK _id shifted according to the ID is multiplied by the K-th sequence of the serial sequence. Specific examples of member M8 are shown in Table 6 below.

As shown in Table 6 above, the first bit (U ² ₁ ) of the serial sequence of the member M8 is multiplied by the first bit (+1) of the group key GK _id shifted according to the ID. The same processing is performed for the second and subsequent bits, and the seventh bit is multiplied by the seventh bit (-1) of the GK _{id and} the seventh sequence (U ² ₂ ) of the serial sequence of the member M8, whereby the step of FIG. The group key mapping process of ST206 is terminated. The key update information for each member is generated by the processing so far.

  In the second embodiment of the present invention, as a method for generating unique key update information for each member, the group key is generated by shifting according to the ID for each member and mapping it to a serial sequence. It is sufficient that information unique to the member can be generated by shuffling.

  Next, the process proceeds to step ST208 in FIG. The multiplexing processing unit 116 in FIG. 19 generates key distribution information by multiplexing the key update information of all members in the subgroup. Further, in step ST210, the key distribution information of all subgroups multiplexed in step ST208 is multiplexed. This multiplexing process will be described with reference to FIGS. 16 and 17.

  FIG. 16 is a schematic diagram when key update information of each member is multiplexed.

In step ST206, a sequence GK _idk × (U _ik , U _{ik + 1} ,..., U _N−1 , U ₀ ,..., U _ik−1 ) multiplied by each bit of the group key is set as one sequence, The serial series of member a is series a1,..., Series aNr, and the serial series of member b is series b1,. Then, multiplexing is performed by adding the sequences of all members in the subgroup as shown in FIG.

  FIG. 17 is a schematic diagram when key distribution information of each subgroup is multiplexed.

  As in the case of FIG. 16, multiplexing is performed by adding key distribution information for each series between subgroups.

  In order to explain in more detail, specific numbers will be exemplified and described.

  Tables 7 to 9 show the results of multiplexing. The second and subsequent digits are omitted because of the same processing.

  Table 7 shows the result of multiplexing the key update information of all members (M0 to M7) in subgroup # 1, and Table 8 shows the result of multiplexing the key update information of all members (M8 to M13) in subgroup # 2. This is the result. Table 9 shows the result of further multiplexing the key distribution information multiplexed in subgroup # 1 and subgroup # 2. In this way, the key update information of all members is multiplexed in steps ST208 and ST210 of FIG. 20, and the multiplexed data is broadcast to all members in step ST212.

  Next, processing in the information processing apparatus 110 in FIG. 19 according to the second embodiment of the present invention will be described.

The extraction of the value GK _k of the k-th bit of the group key GK mapped to the polarity of each M-sequence in FIG. 17 is performed on the member side where the secret key is mapped to the shift amount i ′ of the M-sequence U _{i ′.} This can be easily realized by the integral output GK _k between the signal received on the member side and the cyclic shift M sequence of the member as in the equation.

Here, the third term of the last equation of equation (3) is a correlation value between sequences having the same M sequence and the same shift amount, but the peak value is GK _ik × N due to the characteristics of the M sequence. On the other hand, the first term represents the cross-correlation between different M sequences, but it is known from the characteristics of M sequences that the cross-correlation values between several M sequences are much smaller than the peak values (Mitsuo Yokoyama). "Spread spectrum communication system", Science and Technology Publishers, 1988). The second term represents the cross-correlation between the same M sequences with different shift amounts, but it becomes SUB {GK _ik × (−1)} from the characteristics of the M sequences, and the appearance probabilities of two polarities of GK _ik are If the ID of each member is set so as to be close to each other, it is considerably smaller than the peak value, and as a result, the following equation (4) is obtained. The integral output is equal to the polarity of the group key GK _ik and the magnitude is close to the peak value N.

  The above processing is a group key 1-bit extraction process. A matched filter output having a length twice the M-sequence length as shown in FIG. 23 is continuously output at the timing of the shift amount mapped to the secret key. If the extracted output is shifted in the direction opposite to the shift direction at the time of group key mapping on the key server side, the group key can be obtained with all bits prepared.

As a calculation example, Table 10 shows a calculation result example of the group key GK _k .

  The calculation was performed with GK = Nr = 128 bits and M sequence length N = 127. In Table 10, multiplexed M-sequence No. Indicates different M-sequences in the third term of Equation (3). And No. 5, 10, and 15 indicate that the polarities were correctly extracted in the integral output of Equation (3), and the values in the table are the output values. Multiplexed M sequence No. Is 5 + 15 in the third term of equation (3). This is the case where 5 and 15 are multiplexed at the same time, and the number of subgroups is 3. In this case as well, the polarity is correctly extracted in the integral output of equation (3), and the values in the table are the output values. Finally, the multiplexed M sequence No. Is 5 + 10 + 15 in the third term of formula (3). This is the case where 5 and 10 and 15 are multiplexed simultaneously, and the number of subgroups is 4. In this case as well, the polarity is correctly extracted in the integral output of equation (3), and the values in the table are the output values.

  The 1-bit quantization in the table is a case where the output of Expression (3) is 1-bit quantized. In this case, the server side and the member side can be significantly reduced in weight. As shown in Table 10, no. If 5 and 10 M sequences are used, subgroup 3 can be supported.

  For example, from the results obtained in Table 9, when 1-bit quantization is performed with a positive number being +1, a negative number being -1, and 0 being -1 (arbitrary), (-1, +1, -1, +1, -1, +1,- 1), the amount of data can be reduced by delivering in this state, and both the matched filter in FIG. 23 on the reception side and the communication unit 108 in FIGS. 18 and 19 on the transmission side are greatly simplified. can do. Also, reliability is ensured from the autocorrelation characteristics.

  Next, the configuration of the key extraction processing unit 120 in FIG. 19 according to the second embodiment of the present invention will be described. FIG. 23 is a schematic diagram showing the configuration of the key extraction processing unit 120 in FIG.

  The key extraction processing unit 120 performs correlation processing between the received signal (2N stage shift register) and the group key distribution information (2N stage reference shift register) generated by the key extraction processing unit 120 to extract the group key. .

  Next, processing of the key extraction processing unit 120 will be described with reference to FIG. FIG. 24 is a flowchart showing processing of the information processing apparatus 110 according to the second exemplary embodiment of the present invention.

  In step ST302, the key extraction processing unit 120 generates group key distribution information from the secret key assigned by the key distribution server in the same manner as the process on the key distribution server side. At this time, there is no group key mapping, and two M sequence lengths (sequence length N × 2) are generated and input to the reference register shown in FIG.

  In steps ST304 and ST306, the sampler monitors the output of the adder of the matched filter at a point corresponding to the shift amount of its own M sequence, and extracts the polarity of the matched filter output. That is, correlation processing is performed between the group key distribution information generated by the key extraction processing unit 120 and the received signal as shown in FIG. 23, and the polarity of the matched filter output at the timing of the shift amount mapped to the secret key. To extract.

  In step ST308, it is determined whether or not the group key length has been extracted. If the group key length has not been extracted, the process is repeated until the group key length is extracted by returning to step ST304. If the group key length is extracted, the process proceeds to the next step ST310.

  In step ST310, if the polarity for the extracted group key length is shifted by the same number of bits in the direction opposite to the shift direction during the group key mapping process performed on the key distribution server side, the group key can be easily all bits. Obtainable. That is, a group key is obtained by shifting the extracted output in the reverse direction (-id bits) according to ID (= id).

  As described above, by performing the process of the key management apparatus according to the second embodiment of the present invention, the M sequence of the shift amount corresponding to the secret key of the member to be invalidated is not included in the received signal. Even if the M sequence is known to the member to be invalidated, the updated group key cannot be obtained because the shift amount corresponding to the secret key of the other member is not known.

The security in the system of the second embodiment of the present invention is based on the fact that the member to be invalidated does not know the shift amount corresponding to the secret key of the other member. This shift amount is expressed in Nr-digit N-ary numbers. For example, if the following equation (5) is set, this is achieved by setting the group key length to 128 bits and the M sequence length to 128 bits. This can be realized, but this is sufficiently practical at present, and the size of the shift amount space is 128 ¹²⁸ , so that it is considered that sufficient safety can be secured at a practical level for mounting at present.

  Furthermore, the method of the second embodiment of the present invention does not compete with the conventional GKMP method and tree structure method, and is applied to each method to reduce the key distribution amount and improve the reliability. be able to.

  In the GKMP method, the group key distribution information amount MSg is expressed by the following equation (6) when the total number of members is TN. In the method of the second embodiment of the present invention, for example, the parameters in Table 10 are selected. For example, the key distribution information MSp can correspond to the number of members of 4 × N or less in the state of the following equation (7). That is, it is possible to cope with a group size of up to four times with the same group key distribution information.

  Further, in the expression (3), if the output polarity can be extracted correctly, the group key can be correctly extracted. That is, as the value of N increases, the resistance to noise on the transmission path increases, and the reliability of group key update increases. When FEC is used to improve reliability, a reliability improvement effect (coding gain) of about 3 dB can be obtained as a required S / N (signal power to noise power ratio) for obtaining a constant transmission path error rate. (Edited by Naoshi Iida, “Satellite Communication”, Ohmsha, 1997). On the other hand, in the case of the method of the second embodiment of the present invention, in the calculation example shown in Table 10, No. This indicates that there is a reliability improvement effect of about 16 dB (= 10 × log (44)) when the number of subgroups is 5, 10, and 15, and a greater effect than when FEC is used can be expected.

  Furthermore, in the system of the second embodiment of the present invention, the secret key of the member is made to correspond to the shift amount of the cyclic shift M sequence, but not only the secret key of the member but also the encryption key in the tree structure system is encrypted. The same improvement effect as that for the GKMP method can be obtained by making the key for performing the shift correspond to the shift amount of the cyclic shift M sequence.

  In the second embodiment of the present invention, all the members of the information processing apparatus are subgrouped. However, it is not always necessary to subgroup all of them, and some of them may be subgrouped. Further, even when the number of subgroups is 0, the method of the second embodiment of the present invention may be applied.

  In the second embodiment of the present invention, the number of members in the subgroup is equal to the M sequence length, but the number of members in the subgroup may be equal to or less than the M sequence length, and preferably the M sequence length is the subsequence. It may be an integer multiple of the number of members in the group.

  Incidentally, the processing described in the second embodiment has the following problems. That is, the amount of group key distribution information does not increase with the increase in the number of members, but conversely the communication overhead increases when the number of members is small. Specifically, since key update information is generated using data indicating autocorrelation characteristics, and multiplexed and transmitted as key distribution information, the amount of data in the key distribution information is not affected even if the number of members increases. However, if the number of members is equal to or less than the predetermined number, the data amount of the key distribution information increases as compared with the conventional technique. Furthermore, in the process of delivering the group key distribution information, since the group key in an unencrypted state and the secret key of the group member are handled, there is a possibility that they will be leaked.

  In addition, the basic performance of AV devices such as TVs and telephones is QoS and real-time performance, and high reliability is given to these devices preferentially so that this performance is not impaired in the distribution of group keys. It is necessary to ensure.

  Furthermore, in a large-scale dynamic group, if a large amount of message transmission such as failure notification signal transmission and retransmission processing is performed individually, the overhead increases and the service deteriorates. Therefore, it is important to reduce the amount of messages transmitted from the member side to the key distribution server side.

  Therefore, in order to solve the above problems, even when the number of group members is small, the overhead of communication is reduced, the reliability of key distribution can be set in advance according to each member, and the group key and member A group key distribution method capable of preventing the leakage of a secret key and a message transmission method capable of reducing the amount of messages transmitted from the member side to the key distribution server side will be described below.

  An outline of the third embodiment of the present invention will be described.

  First, each member (information processing apparatus) is associated with the shift amount of the orthogonalized cyclic shift M sequence having orthogonality and autocorrelation characteristics on a one-to-one basis. Then, the updated and encrypted key encryption information to be delivered to each member is divided, and the divided key encryption division information is numbered. For example, when dividing into four, numbers 1 to 4 are assigned. When the number of divisions of key encryption information for all members is 4, numbers 1 to 4 are assigned to the key encryption division information. Then, the M sequence that is the basis of the orthogonalized cyclic shift M sequence is associated with these numbers on a one-to-one basis. At that time, each bit of the key encryption division information is made to correspond to the polarity of each orthogonal cyclic shift M sequence. And the output of the process corresponding to each of those members is multiplexed and broadcast.

Here, the key encryption information MS _i to members _{M i} is divided from _{MS i1} to M _{MS iM,} orthogonalization cyclic shift M-sequence shift amount k that is generated from the M-sequence MC _j when the _{MC jk} FIG. 25 shows the correspondence between the key cipher partitioning information and the M series in specific processing.

  As shown in FIG. 25, in the third embodiment of the present invention, M sequences are made to correspond to key cipher partitioning information on a one-to-one basis in consideration of the case of implementation. The other members are made to correspond by shifting the orthogonalized cyclic shift M sequence corresponding to each of the key encryption division information. Note that it is not always necessary to correspond the M sequence to the key encryption division information on a one-to-one basis.

  FIG. 26 shows a block diagram for performing the processing of the third embodiment of the present invention. The key encryption information encrypted by the conventional method is divided, and the divided key encryption division information is associated with the orthogonal cyclic shift M sequence, multiplexed and output.

  Here, in order to describe the processing of FIG. 26 in detail, the configuration of the key management apparatus according to the third embodiment of the present invention will be described. FIG. 27 is a block diagram showing a configuration of a key management apparatus according to the third embodiment of the present invention.

  In FIG. 27, the key management device 500 includes a control unit 502, a key distribution information generation unit 504, and a communication unit 506. The key distribution information generation unit 504 includes a key update information generation unit 508 and a multiplexing processing unit 510. The key update information generation unit 508 includes a key encryption information generation unit 512, a key encryption information division number adjustment unit 514, and a key. The encryption information dividing unit 516 and the code length determining unit 518 are configured. The information processing apparatus 520 includes a receiving unit 522 and a key extraction processing unit 524. When the control unit 502 receives a request to join a new member or leave an existing member, the key distribution information generation unit 504 generates key distribution information. The generated key distribution information is broadcast to all members (information processing apparatus 520) by the communication unit 506, and the information processing apparatus 520 decrypts the key distribution information.

  FIG. 28 is a processing flowchart of the key management device 500.

  First, when the control unit 502 receives a request to join a new member or leave an existing member, in step ST600, the key encryption information generation unit 512 encrypts the group key and the secret key using the conventional LKH method and obtains the key encryption information. Generate. Next, in step ST602, the key encryption information division number adjustment unit 514 adjusts the number of key encryption information divisions, and the key encryption information division unit 516 divides the key encryption information according to the division number adjusted in step ST604. In step ST606, the code length determination unit 518 determines an appropriate code length for each member. At this time, for example, when a member is required to have real-time performance like a television and it is necessary to prioritize reliability, the code length is increased to increase resistance to noise in the transmission path. Further, by adjusting the length of the code length in consideration of the reliability of key delivery and the delivery amount of the key update information, the data length of the entire key update information is also adjusted at the same time. Since this can also be realized by changing the number of divisions of the key encryption information, the key encryption information division number adjustment unit 514 and the code length determination unit 518 perform adjustment while maintaining a close relationship.

  In step ST608, the key encryption division information divided in step ST604 is associated with a code (orthogonalized cyclic shift M-sequence or Walsh code (details of each code will be described later)) to generate key update information. Next, each key update information is multiplexed by the multiplexing process part 510 by step ST610, and key distribution information is produced | generated. In step ST612, the communication unit 506 broadcasts key distribution information to all members. Subsequent decoding processing is performed in the same manner as in the second embodiment of the present invention.

Returning to FIG. 26, the value of b-th bit of the output signal when the S _b in the process shown in FIG. 26, S _b is expressed by the following equation.

Also shows a conceptual diagram multiplexed signal S _b shown in the equation 20 is broadcast serially Figure 29.

  Here, multiplication and multiplexing in Expression 20 are performed by a direct spreading method. FIG. 30 shows the timing relationship between the encrypted key encryption information and the orthogonalized cyclic shift M sequence. As shown in FIG. 30, the timing relationship between the encrypted key cipher information MS and the orthogonalized cyclic shift M sequence MC is such that one bit of MS corresponds to one cycle of MC, and the orthogonal cyclic shift M sequence used as a spreading code. Multiplexing is performed using orthogonality between MCs.

  As conventional methods, there are GKMP (Group Key Management Protocol), LKH (Logical Key Hierarchy protocol), etc., but in the third embodiment of the present invention, they do not compete directly with them. It focuses on the part of key distribution, and is applied to those systems as a distribution system to improve the efficiency and reliability of key distribution.

  Next, the key encryption information will be described.

ここで、Ｋ’_ａ，Ｋ’_ｂ，Ｋ’_ｃは更新された鍵であり、｛Ｋ’_ａ，Ｋ’_ｂ｝_Ｋａは鍵Ｋ_ａで暗号鍵｛Ｋ’_ａ，Ｋ’_ｂ｝を暗号化した情報であることを示す。 When the third embodiment of the present invention is applied to LKH, the literature (H. Harney, C. Muckerhirn, “Group Key Management Protocol (GKMP)”, RFC-2093 and RFC 2094, 1997.) Three types of oriented rekeying, key-oriented rekeying, and group-oriented rekeying have been introduced. This time, user-oriented rekeying is used to distribute key information considering the characteristics of members. Specifically, for example, when a member M4 is newly added in FIG. 38, the following three pieces of key update information are broadcast from the key management server s to each member.

_{Here, K 'a, K' b} , K 'c is a key that is _{updated, {K' a, K '} b} Ka is the key _{K a} with the encryption key _{{K' a, K 'b} } encryption Indicates that the information is converted into information.

  Next, the orthogonalized cyclic shift M sequence will be described.

The M sequence has been described in the second embodiment of the present invention, but here, the orthogonalized cyclic shift M sequence will be described. The orthogonalized cyclic shift M sequence is obtained by orthogonalizing the M sequence by adding +1. That is, the orthogonalized cyclic shift M-sequence MC is expressed by the following equation, and the cross-correlation is zero.

  Unlike the cyclic shift M sequence used in the second embodiment of the present invention, the orthogonalized cyclic shift M sequence is orthogonalized, so that the number of orthogonal points increases to increase the second embodiment of the present invention. Noise can be reduced in the 1-bit quantization performed in (1). Therefore, the signal width of a wireless LAN or the like is narrow, and it is possible to efficiently cope with a poor environment. Further, the effect will be described with reference to FIG.

  FIG. 31 is a graph showing the effect of using an orthogonalized cyclic shift M sequence as compared with a cyclic shift M sequence.

  In FIG. 31 (a), when the cyclic shift M sequence is used, the number of members can correspond to only N with respect to a predetermined amount of key update information, but when the orthogonalized cyclic shift M sequence is used, the number of members. This indicates that up to 5N can be handled. Further, in FIG. 31B, when the cyclic shift M sequence is used, the key update information amount is 5M in order to correspond to the number of members N. However, when the orthogonalized cyclic shift M sequence is used, the key update information is used. The quantity indicates that it can be handled by M. Therefore, by using an orthogonalized cyclic shift M sequence having orthogonality between sequences, it is possible to deal with a large number of members with a small amount of information compared to the cyclic shift M sequence.

  Although the orthogonalized cyclic shift M sequence is used in the third embodiment of the present invention, the orthogonal cyclic shift M sequence is not necessarily required. Further, a code having orthogonality is preferable, and a code having orthogonality and autocorrelation characteristics is more preferably used.

  Next, decryption of key distribution information on the member side will be described. Each member receives a signal broadcast from the key management server expressed by Equation 20. From this received signal, the key distribution information is decrypted by the key distribution information decryption block having the matched filter configuration shown in FIG.

となる。 MC _jik is the k-th value of the orthogonalized cyclic shift M-sequence MC _ji of the shift amount i generated from the M-sequence MC _j, and the b-th bit of the divided j-th key encryption information MS _ij for the member M _i the value _{MS ijB,} and, when the reference shift register for storing to series MC _J'i'k in FIG. 23, a noise applied in the transmission path and _{n k,} decoded output of key distribution information decoding block shown in FIG. 23 The value DS _b of the b-th bit is

It becomes.

となり、数２３の積分出力ＤＳ_ｂは鍵暗号情報ＭＳ_ｉｊｂの極性と等しくなり、大きさはピーク値Ｎに近い値となる。ここで、ｓｉｇｎ（ｎ）はｎの極性（＋１又は−１）を表す。 Here, the first term of _Equation 23 is a correlation value between sequences having the same M sequence and the same shift amount, but is a peak value MS _ijb * N due to the characteristics of the orthogonalized cyclic shift M sequence. On the other hand, the second term represents the cross-correlation between the same M sequences with different shift amounts, but is a value close to zero than the characteristic of the orthogonalized cyclic shift M sequence. The third term represents the cross-correlation between different M sequences, but it is known from the characteristics between M sequences that the cross-correlation values between several M sequences are much smaller than the peak values (Mitsuo Yokoyama). "Spread spectrum communication system", Science and Technology Publishers, 1988). Also, if the noise _nk added in the transmission line is thermal noise, the fourth term is added not at the voltage level but at the power level, so the noise bandwidth is the signal bandwidth with n ² being the average noise power. As a result, if M sequence length is N

Next, the integration output DS _b number 23 equal to the polarity of the key encryption information _{MS ijB,} size is a value close to the peak value N. Here, sign (n) represents the polarity of n (+1 or −1).

Therefore, by monitoring the polarity of the output of the adder of FIG. 23, the equation (24) shows that the noise component sign (n) * √ (n ² * N) has the opposite polarity to the key encryption information MS _ij and the amplitude of the noise component There unless no greater than the amplitude of the key encryption information MS _ij, can correctly decode determine key encryption information MS _ij.

In _Equation 24, as the value of N increases, the value of the amplitude √ (n ² * N) of the noise component becomes smaller than the key encryption information component MS _ijb * N, and the resistance to noise in the transmission path increases. It is shown that.

  The above processing is decryption processing of 1 bit of key encryption information. By decrypting with a matched filter having a length twice as long as the M sequence length as shown in FIG. Can be decrypted.

  Next, expandability will be described.

  FIG. 32 shows an example of a calculation result when the key distribution information is decrypted in the second embodiment of the present invention.

  FIG. 32 shows a calculation using 128-bit key encryption information and 127-bit M sequence length. If the number of divisions is M by dividing the key encryption information, the group key distribution information amount on the vertical axis in FIG. 32 is reduced to 1 / M, but the number of members that can be supported is also reduced to 1 / M. End up. Therefore, according to the third embodiment of the present invention, it is possible to optimize the amount of group key distribution information by adaptively changing the division number M in accordance with the change in the number of members of the group. .

  If it is desired to maximize the number of members that can be supported, the division number M may be set to 1, and if it is desired to minimize the delivery amount of the key distribution information, M may be maximized. The maximization of M depends on the number of orthogonal codes that can be secured. In the example of the calculation result in the second embodiment of the present invention, there is an example that can cope with the number of members of 3 × 127 even if the output of Expression 23 is 1-bit quantized. In this case, the key server side, member Both sides can be significantly reduced in terms of mounting.

  Next, division of key encryption information considering characteristics for each member will be described.

  For devices that require real-time performance, such as AV devices such as TV signals, if key distribution information is lost on a poor transmission path such as wireless or power line communication, it takes time to retransmit the key distribution information. To lower the QoS. On the other hand, although the real-time property is not particularly required for the monitor signal of the refrigerator, it is considered that reduction of resources such as the memory of the device is required.

Therefore, using the characteristic that the longer the M sequence length, the greater the resistance to noise in the transmission path,
Consider changing the sequence length according to the characteristics of the member (information processing device). Specifically, in order to simplify the processing, the sequence length is changed while keeping the product of the divided key encryption division information size and the sequence length of the orthogonalized cyclic shift M sequence constant. In this case, the same processing can be performed by changing the number of divisions according to the member characteristics.

  However, in this case, orthogonality must be ensured even between different sequence lengths, but the orthogonalized cyclic shift M sequence does not have such characteristics, and orthogonality is not ensured if the sequence lengths are different. That is, if the number of divisions of the key encryption information is different, the sequence length is also different accordingly, so that orthogonality is not secured and decryption cannot be performed. Therefore, when the number of divisions of the key encryption information is changed according to the member characteristics and the sequence length also changes, the Walsh code is used instead of the orthogonal cyclic shift M sequence.

  Until now, the shift amount of the orthogonalized cyclic shift M-sequence is made to correspond to the members on a one-to-one basis, and the base M-sequence is made to correspond to the key encryption division information divided according to the difference, thereby making the sequence Although they are used properly, such use is not performed when using the Walsh code.

  In the Walsh code, even if the sequence length is different, even if integration is performed for one period in synchronization with the Walsh code having a short sequence length, the inner product between them becomes zero and the orthogonality is ensured. In addition, since the orthogonalized cyclic shift M-sequence and Walsh code both have a sequence length that is a power of 2, the code to be used varies, but the key distribution information generation structure on the key management server side and the key on the information processing device side The delivery information decoding structure can be used as it is.

  FIG. 33 is a conceptual diagram in the case where a Walsh code is associated with key encryption division information having different division numbers.

  A1 to A4 are key encryption division information divided into the division number of 4, and each correspond to a Walsh code having a code length of 2N. B1 and B2 are key encryption division information divided into two divisions, and each corresponds to a Walsh code having a code length of N.

  Here, the Walsh code will be described.

例えば、上記行列同士のクロネッカー積をとると、

となり、各行間、各列間の系列同士は互いに直交している。これは数２５においても同様であり、系列長が異なっても、短い系列長のＷａｌｓｈ符号に同期して１周期分積分しても、それらの間の内積はゼロとなり直交性が確保されることがわかる。 The result of taking the Kronecker product of the following 2 × 2 matrix multiple times is a symmetric matrix, and the code sequence of the row and column is generally called a Walsh code.

For example, taking the Kronecker product between the above matrices,

Thus, the series between the rows and the columns are orthogonal to each other. This is the same in Formula 25. Even if the sequence length is different, even if integration is performed for one period in synchronization with the Walsh code having a short sequence length, the inner product between them is zero, and orthogonality is ensured. I understand.

  Next, the reliability of key distribution will be described.

  If key distribution fails, members will not be able to decrypt further information. Many key distribution protocols have proposed a method in which members who have failed in key distribution contact the key management server individually for key renewal (CKWong, M. Gouda, and SSLam, "Secure Group Communications using Key Graphs ", Vol.8, No.1, IEEE Trans. on Networking, Feb 2000, pp.16-30). In this case, there is a problem that a large-scale dynamic group is filled with individual key update messages due to the failure of the key update message. Therefore, when performing key distribution efficiently, it is very important that the reliability is high.

  Here, the reliability in key distribution of the key management apparatus according to the third embodiment of the present invention will be considered in comparison with the conventional method. In the conventional method, FEC and ARQ are used together to increase the reliability of key distribution, but only FEC is considered for simplicity. In this case, the FEC coding rate r determines the reliability of key distribution. If r = 0.5, for example, when the FEC method is convolutional coding and Viterbi decoding hard decision reception, the required S / N ratio for obtaining a constant transmission channel error rate is about 3 dB. Reliability improvement effect (encoding gain) can be obtained (edited by Naoshi Iida, “Satellite Communication”, Ohmsha, 1997).

  Next, the reliability improvement effect of key distribution in the key management apparatus according to the third embodiment of the present invention will be described. In the system according to the third embodiment of the present invention, the orthogonal code length used determines the reliability of key distribution. Here, when the orthogonal code length, which is common in wireless LANs (supervised by Hideaki Matsue and Masahiro Morikura, “802.11 high-speed wireless LAN textbook”, IDG Japan, 2003), is 11 bits, a certain transmission line error occurs. As a required S / N ratio for obtaining a rate, a reliability improvement effect of 10 · log (12) ≈11 (dB) is obtained. Of course, if the coding rate is lowered even in the conventional method, the reliability further increases, but the required transmission amount of the key distribution information becomes larger than that in the method of the third embodiment of the present invention.

  Next, safety will be described.

  In the first embodiment of the present invention, since a certain set of members share key information, there is a problem in terms of forward safety. Further, in the second embodiment of the present invention, multiplexing by the direct spreading method is performed as in the third embodiment of the present invention, but the secret key of the member is used to generate the spreading code. Therefore, there was a risk of the leakage.

  Therefore, in the third embodiment of the present invention, the key encryption information already encrypted by the scheme of the conventional system is multiplexed and distributed without directly handling the key information in the key distribution. Therefore, even if the shift amount of the M sequence used, the orthogonalized cyclic shift M sequence, and the Walsh code are disclosed, the security of the key information is not lowered, and the third embodiment of the present invention is used. Is based on the safety of the conventional system using GKMP or a tree structure.

  Up to this point, the transmission of key distribution information from the key management apparatus to the information processing apparatus has been described. Hereinafter, transmission of a message from the information processing apparatus to the key management apparatus will be described.

  FIG. 34 is a diagram showing how each member transmits a message signal to the key management server. Each member returns a NAK (Negative Acknowledgment) signal in synchronization with the beacon signal periodically broadcast by the key management server.

  FIG. 35 is a block diagram showing a configuration when a message is transmitted from the information processing apparatus to the key management apparatus.

  The key management device 500 is the same as the key management device 500 shown in FIG. 27, and includes a control unit 502, a key distribution information generation unit 504, a communication unit 506, and a synchronization unit 505. The information processing device 520 is the same as the information processing device 520 shown in FIG. 27, and includes a reception unit 522, a key extraction processing unit 524, a message information generation unit 526, and a message information transmission unit 528.

  Next, an operation when a message is transmitted from the information processing apparatus 520 to the key management apparatus 500 will be described.

  FIG. 36 is a processing flowchart when a message is transmitted from the information processing apparatus to the key management apparatus.

  First, in step ST700, the message information generation unit 526 in FIG. 35 divides a message to be transmitted to the key management device 500 according to the number of divisions negotiated with the key management device 500 in advance, and in step ST702, the division. A message (orthogonalized cyclic shift M sequence or Walsh code) is made to correspond to each message thus generated to generate message information.

  On the other hand, the synchronization unit 505 and the communication unit 506 in FIG. 35 regularly broadcast a beacon signal, and each information processing apparatus synchronizes with the beacon signal in step ST704. In step ST706, the message information transmission unit 528 transmits the message information to the key management apparatus 500.

  When message information is transmitted by the message information transmission unit 528, it is not necessary to perform the same processing as when key update information is multiplexed. As shown in FIG. 37, when a signal of amplitude A is transmitted on each information processing apparatus side, the amplitude of the synthesized wave received by the key management server is MA (M is the number of members) by synchronizing between the information processing apparatuses. ).

  It is possible to reduce the amount of messages transmitted from the information processing apparatus to the key management apparatus by using the above method.

  Note that the code used when generating the message information is not necessarily an orthogonal cyclic shift M-sequence as in the case of generating the key update information, preferably a code having orthogonality, more preferably Should use codes with orthogonality and autocorrelation properties.

  In FIG. 34, the message to be transmitted is a NAK signal. However, the message is not limited to a NAK signal, and any message may be used.

  Further, although the beacon signal is used as a signal for synchronization, it is not necessary to limit the beacon signal, and any signal that can be synchronized may be used.

It is a schematic block diagram of the key information update system which concerns on the 1st Embodiment of this invention. It is a figure which shows the structure of M-ary encoding and decoding. It is a figure which shows the example of the key which each member hold | maintains when the member of FIG. 1 is 4 members M1-M4. It is a figure which shows the key table which prescribes | regulates the correspondence of a serial number, a key, and an orthogonal code. FIG. 3 is a first flowchart showing the operation of the key management server 3 of FIG. 1. FIG. 6 is a second flowchart showing the operation of the key management server 3 in FIG. 1. It is a figure which shows the example of a structure which superimposes the orthogonal code which the key superimposition part 9 of FIG. 1 delivers on the preamble part of a normal packet frame. It is a schematic block diagram which shows the key information extraction part which P group member has. It is a figure which shows the example of a structure which the orthogonal code correlators 51-5N of FIG. It is a flowchart which shows operation | movement of the determination part 47 of FIG. It is a figure which shows the output example of what does not respond | correspond with the orthogonal code used by the transmission side among the orthogonal code correlators 51-5N of FIG. It is a figure which shows the update of the orthogonal code of the key table of FIG. It is the figure which showed the 3 step | paragraph shift register which produces | generates M series with a sequence length of 7. It is the figure which showed the correlation of the M series produced | generated in FIG. It is the graph which showed the autocorrelation characteristic of M series. It is a schematic diagram at the time of multiplexing the key delivery information of each member. It is a schematic diagram at the time of multiplexing the key distribution information of each subgroup. It is a schematic block diagram of the key management apparatus which concerns on the 2nd Embodiment of this invention. FIG. 19 is a schematic block diagram illustrating configurations of a key distribution server 102 and a member side information processing apparatus in FIG. 18. It is a flowchart which shows the process of the key distribution server 102 which concerns on the 2nd Embodiment of this invention. It is a schematic diagram at the time of arrange | positioning the series shifted cyclically corresponding to the secret key of each member. It is a schematic diagram at the time of mapping a group key to the serial series produced | generated by step ST204 in FIG. It is the schematic which showed the structure of the key extraction process part 120 in FIG. It is a flowchart which shows the process of the information processing apparatus 110 which concerns on the form of 2nd Example of this invention. It is the figure which showed the response | compatibility with the divided | segmented key encryption information and M series. It is a block diagram which performs the process of the 3rd Embodiment of this invention. It is the block diagram which showed the structure of the key management apparatus which concerns on the 3rd Embodiment of this invention. It is a processing flowchart of the key management apparatus which concerns on the 3rd Embodiment of this invention. It is a conceptual diagram by which a multiplexed signal is broadcast serially. It is the figure which showed the timing relationship of the encryption key encryption information and orthogonalization cyclic shift M series. It is the figure which showed the effect at the time of using the orthogonalization cyclic shift M series compared with the cyclic shift M series. It is a figure which shows an example of the calculation result at the time of decrypting key distribution information in the 2nd Embodiment of this invention. It is a conceptual diagram at the time of making a Walsh code correspond to key encryption information from which the number of divisions differs. It is the figure which showed a mode that each member transmitted a message signal to a key management server. It is the block diagram which showed the structure at the time of transmitting a message from an information processing apparatus to a key management apparatus. It is a processing flow figure at the time of transmitting a message from an information processor to a key management device. It is the figure which showed the multiplexing process at the time of transmitting a message from an information processing apparatus to a key management apparatus. It is a figure which shows the example of the key which each member of a prior art hold | maintains.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Key information update system 3 Key management server 5 Control part 7 Key generation part 9 Key superimposition part 11 Communication part 41 Key information extraction part 43 Communication part 45 Orthogonal code correlation process part 47 Judgment part 51-5N Orthogonal code correlator 61 Maximum likelihood Determination unit 63 Key information generation unit

Claims (28)

A key management device for managing a key held by an information processing device connected to an information communication network,
Key superimposing means for superimposing key update information corresponding to a key to be updated and delivered and information to be transmitted to the information processing apparatus;
A key management apparatus comprising: communication means for transmitting information superimposed by the key superimposing means to the information processing apparatus.   The key management apparatus according to claim 1, wherein a data area in which the key update information is superimposed in information to be transmitted to the information processing apparatus is a data area in which a data format can be grasped by the information processing apparatus. A key management method for managing a key held by an information processing apparatus connected to an information communication network,
A superimposing step of superimposing key update information corresponding to a key to be updated and delivered by the key superimposing means and information to be transmitted to the information processing apparatus;
A key management method including: a transmission unit that transmits information superimposed by the key superimposing unit to the information processing apparatus.   A program capable of causing a computer to execute the key management method according to claim 3. An information processing apparatus for receiving information on which key update information is superimposed according to claim 2,
Correlation processing means for performing correlation processing between each of the received data update data area on which the key update information is superimposed and key update information that may be received;
An information processing apparatus comprising: a key information generation unit that extracts a key satisfying a predetermined criterion from among correlation processing results, generates a key corresponding to the extracted correlation processing result, and updates the key. Correlation between communication means for receiving information on which key update information is superimposed in claim 2 and each of the data areas in which the key update information is superposed on the received information and key update information that may be received. An information processing apparatus comprising correlation processing means for performing processing,
A function of extracting a correlation processing result satisfying a predetermined criterion;
A program that realizes a function of generating a key corresponding to the extracted correlation processing result and updating the key. A key management device that manages keys held by a plurality of information processing devices each connected to an information communication network,
Key update information generating means for generating key update information corresponding to each of the partial information processing devices based on a key that should be held in common by at least some of the plurality of information processing devices;
Multiplexing processing means for multiplexing a plurality of key update information generated by the key update information generating means to generate multicast key distribution information;
A key management apparatus comprising: communication means for transmitting the key distribution information generated by the multiplexing processing means to the information processing apparatus.   The key management apparatus according to claim 7, wherein the key update information generation unit generates key update information using data having autocorrelation characteristics.   The key management apparatus according to claim 8, wherein the data having the autocorrelation characteristic is M-sequence data.   The key management apparatus according to claim 8 or 9, wherein the key to be held in common and the data having the autocorrelation characteristic are independent. A key management device that manages keys held by a plurality of information processing devices each connected to an information communication network,
Among the plurality of information processing devices, those that are updated at the same time are in the same group, and can be subgrouped in the same group,
Key update information generating means for generating key update information corresponding to each of the information processing devices in the same subgroup based on a key to be commonly held by the information processing devices in the same group;
Multiplexing processing means for multiplexing key update information in the same subgroup generated by the key update information generation means and multiplexing key update information in the same group to generate multicastable key distribution information;
A key management apparatus comprising: communication means for transmitting the key distribution information generated by the multiplexing processing means to the information processing apparatus.   12. The key update information generation unit generates key update information using M-sequence data, and the number of information processing devices in the subgroup is equal to or less than the number of different data obtained by M-sequence data. The key management device described.   13. The key update information generation unit generates key update information by rearranging a data string representing a key to be held in common corresponding to each information processing apparatus. The key management device according to any one of the above. A key management method for managing keys held by a plurality of information processing devices each connected to an information communication network,
A key update information generating unit generating key update information corresponding to each of the some information processing devices based on a key that should be held in common by at least some of the plurality of information processing devices;
A step of multiplexing a plurality of pieces of key update information generated by the key update information generation unit to generate multicastable key distribution information;
A key management method including: a communication unit transmitting key distribution information generated by the multiplexing processing unit to the information processing apparatus.   The key management apparatus according to claim 7, wherein the key update information generation unit generates key update information corresponding to each information processing apparatus based on key encryption information encrypted with a key held by the information processing apparatus.   The key management apparatus according to claim 15, wherein the key update information generation unit includes a key encryption information division unit that divides the key encryption information into a predetermined number of divisions.   The key management apparatus according to claim 16, wherein the key update information generation unit includes a key encryption information division number adjustment unit that adjusts a division number for dividing the key encryption information.   The key update information generating means causes each information processing apparatus to correspond to each key encryption division information in relation to a data length of each key encryption division information obtained by dividing the key encryption information by the key encryption information division means. The key management apparatus according to claim 16 or 17, further comprising code length determination means for determining a code length of a power code.   The key management apparatus according to claim 15 or 16, wherein the key update information generation unit generates key update information using a code having orthogonality.   The key management apparatus according to claim 19, wherein the code having orthogonality is a Walsh code.   The key management apparatus according to claim 19, wherein the key update information generation unit generates key update information using a code having autocorrelation characteristics.   The key management apparatus according to claim 21, wherein the code having orthogonality and autocorrelation characteristics is an orthogonalized cyclic shift M sequence. Each of the information processing devices connected to the information communication network,
Message information generating means for generating message information based on a message to be transmitted to the key management device;
Message information transmitting means for transmitting the message information generated by the message information generating means to the key management device,
The information processing apparatus includes a message information dividing unit that divides a message to be transmitted to the key management apparatus into a predetermined number of divisions. A key management device according to claim 23,
A key management apparatus comprising synchronization means for synchronizing when message information transmission means of the information processing apparatus transmits message information.   The step of generating the key update information is a step of generating key update information corresponding to each information processing device based on key encryption information encrypted by the key held by the information processing device by the key update information generation means. The key management method according to claim 14, comprising:   26. The key management method according to claim 25, wherein the step of generating the key update information includes a step of dividing the key encryption information into a predetermined number of divisions by the key encryption information dividing unit. A message transmission method in which a plurality of information processing devices each connected to an information communication network transmit a message to be transmitted to a management device,
Dividing the message to be transmitted to the management device by the message information dividing means into a predetermined number of divisions to generate message division information;
Message information generating means generating message information based on the message division information divided by the message information dividing means;
And a message information transmitting unit transmitting the message information generated and synchronized by the message information generating unit to the management device. A program capable of causing a computer to execute the method according to claim 14 or 25 to 27.

Images