JP2007158967A - Information processing apparatus, tamper resistant device, encryption processing method and computer program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide encryption processing techniques with which safe and fast encryption processing can be performed by effectively utilizing authorized encryption techniques. <P>SOLUTION: A tamper resistant device (IC card) 200 of which tamper resistance is high but throughput is low, performs only processing to generate an initial vector IV and to generate a first stage encryption operation block E-1 using the initial vector IV and a first key K1 and following processing is performed by a terminal device 100 such as a personal computer of which throughput is high. As an algorithm in block encryption, existent one can be adopted. For encryption processing, result information of block encryption processing performed before such as a known output feedback mode repeating subsequent block encryption processing is utilized. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a cryptographic processing technique for performing block cryptographic processing on data divided into a plurality of blocks. More specifically, the present invention relates to a cryptographic processing method for performing cryptographic processing on data in cooperation with a plurality of apparatuses, for example, an information processing apparatus and a tamper resistant device, and an apparatus, device, and computer program for realizing the cryptographic processing method.

  In recent years, problems of unauthorized access and information leakage problems have increased, and interest in tamper resistance has increased. One technique for improving tamper resistance is to increase confidentiality so that it is difficult to read data from the outside. A typical example is file data encryption. Although there are various types of such encryption methods, it is practical and general to perform encryption using common key encryption in consideration of the processing time.

  On the other hand, in the case of the common key cryptosystem, there is a problem that if a key used for encryption leaks, a file encrypted using the key can be decrypted. For this reason, even if the key used for encryption is leaked, it is required to protect the file encrypted using the key.

  As a method for solving this type of problem, it is conceivable to perform encryption processing in a tamper resistant device constituted by, for example, an IC card. However, the information processing capability of the tamper resistant device is extremely low compared to a terminal device such as a general personal computer. Therefore, it is unrealistic to encrypt a large file within the tamper resistant device.

  Focusing on the problems due to the low processing capability of such a general IC card, there is also one in which a new encryption algorithm is mounted on the IC card (see Patent Document 1).

JP 2000-207284 A

  However, the encryption method proposed in Patent Document 1 is relatively safe for data up to a specific size, but there may be a problem in encrypting data of a specific size or larger.

  The main object of the present invention is to provide a cryptographic processing technique that enables safe and high-speed cryptographic processing by effectively utilizing an already-authorized encryption method.

The present invention aims to solve the above problems by an information processing apparatus that performs characteristic cryptographic processing, a tamper resistant device, a cryptographic processing method, and a computer program.
The information processing apparatus provided by the present invention, in cooperation with the tamper resistant device having the first key, repeats the execution of the block cipher processing after using the result information of the block cipher processing executed earlier, An information processing apparatus for encrypting target data composed of a plurality of consecutive blocks, an interface unit that enables information exchange with the tamper resistant device, and a second key that is different from the first key A key storage unit to store, and the result of block cipher processing executed by the tamper-proof device using the first key is received as result information of first-stage block cipher processing via the interface unit, and the key storage unit The second key is read from the first and the subsequent block cipher processing using the received result information and the read second key is repeatedly executed. Consisting comprises a to the encryption processing unit.

The tamper resistant device has a function of generating a first cryptographic operation block by encrypting, for example, vector data corresponding to a block in the first stage with the first key. The first block is read from the target data stored in the memory, and the read first block or the vector data corresponding to the block is sent to the tamper resistant device via the access unit. At the same time, the first cryptographic operation block is received from the tamper resistant device, and the next block cipher processing is executed using the first cryptographic operation block and the second key.
The tamper resistant device provided by the present invention, in cooperation with the information processing apparatus having the second key, by repeating the execution of the block cipher processing after using the result information of the block cipher processing executed earlier, A tamper resistant device that encrypts target data composed of a plurality of consecutive blocks, and is configured to be connectable to an interface device that enables information exchange with the information processing device. A key storage unit that stores a first key that is different from the key of the key, and a part of the target data received from the information processing device via the interface device, and a first-stage block encryption process for the received target data And a cipher processing unit for sending the result information to the information processing device via the interface device. It is intended to execute the following stages of the block cipher processing to the rest of the object data using the result information to the management device.

  In the cryptographic processing method provided by the present invention, the tamper-resistant device having the first key and the information processing apparatus having the second key cooperate to use the result information of the block cryptographic processing executed previously. An encryption processing method for encrypting target data composed of a plurality of consecutive blocks by repeating execution of subsequent block encryption processing, wherein the information processing apparatus stores the target data stored in a predetermined memory. A first step of reading a part and sending the part of the target data to the tamper resistant device; and a first block cipher for the part of the target data received by the tamper resistant device from the information processing apparatus A second step of performing processing and sending the result information to the information processing apparatus; and the information processing apparatus receiving the result information A third method and a step of repeating the execution of the next subsequent block cipher processing using said boric second key.

  The computer program provided by the present invention executes a block cipher process after using a result of the block cipher process executed previously in cooperation with a tamper resistant device having a first key in a computer program provided with a memory. Is a computer program for operating as an information processing apparatus that encrypts target data consisting of a plurality of consecutive blocks, and enables the computer to exchange information with the tamper resistant device An interface unit, a key storage unit that stores a second key different from the first key in the memory, and result information of a block cipher process executed by the tamper resistant device using the first key. Received as result information of block cipher processing through the interface unit and from the key storage unit Reading the serial second key is a computer program to function as the encryption processing unit, repeating the execution of the next subsequent block cipher process using a second key that has been read the said received result information.

  According to the present invention, only part of the block cipher processing is performed by the tamper-resistant device, and the remaining part is performed by the information processing apparatus with high processing capability. is there. In particular, block ciphers can use existing cipher usage modes that have been authorized for security, so there is no problem with reliability depending on the data size, and the second key is lost or leaked. Even in this case, safety is ensured. That is, even if a malicious third party obtains the second key, a correct decryption result cannot be obtained unless the first key is obtained, but the first key is held in the tamper resistant device. Therefore, a high security level can be ensured. Therefore, even if the second key is leaked, normally the first key is not leaked, and the security regarding the cryptographic processing is ensured.

Hereinafter, an encryption / decryption system according to an embodiment of the present invention will be described.
(First embodiment)
FIG. 1 is an overall configuration diagram of an encryption / decryption system according to a first embodiment of the present invention. This encryption / decryption system includes a terminal device 100 as an example of an information processing device, an IC card 200 as an example of a tamper resistant device, and an IC card reader / writer 300 as an example of an interface device for the IC card 200. . As the terminal device 100, a personal computer or the like can be used. The IC card reader / writer 300 is used by being connected to the terminal device 100.

The terminal device 100 includes a CPU (processor unit) 110, a ROM 120, a RAM 130, an HDD (hard disk drive) 140 as an auxiliary storage unit, and an I / O control unit 150 as an interface unit. The HDD 140 is used for a computer program for causing the CPU 110 to execute processing to be performed on the terminal device 100 side among the encryption / decryption methods executed according to the present embodiment, and encryption / decryption processing. A second key (K2) is stored. The computer program is expanded on the RAM 130. The CPU 110 operates in accordance with software instructions developed on the main memory RAM 130, thereby realizing a characteristic encryption / decryption method in cooperation with the IC card 200. The second key may always be stored in a means other than the terminal device 100 such as a USB memory, but is expanded on the RAM 130 when performing encryption / decryption processing.
On the RAM 130, data generated while the CPU 110 operates in accordance with the software command and data used by the CPU 110 are temporarily stored.

The IC card 200 includes a CPU 210, a ROM 220, a RAM 230, and an EEPROM 240 as auxiliary storage. The EEPROM 140 has a computer program for causing the CPU 210 to execute processing to be performed on the IC card 200 side in the encryption / decryption processing according to the present embodiment, and a first key used for the encryption / decryption processing. (K1) is stored. The computer program is expanded on the RAM 230. The CPU 210 operates in accordance with software instructions developed on the main memory RAM 230, thereby realizing the above encryption / decryption method in cooperation with the terminal device 100.
On the RAM 230, data generated while the CPU 210 is operating according to the software instruction and data used by the CPU 210 are temporarily stored.

The IC card reader / writer 300 operates as an access unit for enabling information exchange with the IC card 200 under the control of the CPU 110 via the I / O control unit 150.
In this embodiment, since the IC card 200 is taken as an example of the tamper resistant device, the IC card reader / writer 300 is required, but the present invention is not limited to this. That is, the present invention can be applied to tamper resistant devices other than the IC card 200. For example, a configuration that directly connects to the I / O control unit 150 or a configuration that connects to a communication port (not shown) provided in the terminal device 100 may be used. In this case, there is no need to provide an IC card reader / writer.

  In the encryption / decryption processing by this encryption / decryption system, the CPU 110 executes the software instruction expanded on the RAM 130 of the terminal device 100 as described above, while the software expanded on the RAM 230 of the IC card 200. This is realized by the CPU 210 executing the instruction. More specifically, encryption in the output feedback (Output FeedBack: OFB) mode is performed in cooperation with the terminal device 100 and the IC card 200. Further, the terminal device 100 and the IC card 200 cooperate to perform decoding in the output feedback mode. As is well known, the “output feedback mode” is one of the modes for preventing the output result from being the same even if the content of a certain block is the same as the content of another block. FIGS. 2 and 3 are diagrams for explaining the encryption procedure, and FIGS. 4 and 5 are processing procedures for the decryption.

  In this embodiment, prior to encryption in the output feedback mode, the data to be encrypted is compressed in advance in order to increase its randomness. Normally, the data before encryption is called “plaintext”, and the data after encryption is called “ciphertext”. In this embodiment, “plaintext” is data before compression in order to distinguish between data before and after compression. Is called “original data”, and the compressed data is called “target data” in the sense of being encrypted in the output feedback mode.

  Note that the randomness can be improved by means other than compression. In this case, the data before applying the means is the original data, and the data after applying the means is the “target data”. When it is not necessary to consider randomness and the original data (plain text) is encrypted as it is, the original data becomes the target data.

  The above encryption procedure will be described in more detail. Referring to FIG. 2, the terminal device 100 first compresses the original data to generate target data (step S101), and transmits the first block of the target data, for example, the first block A_1 to the IC card 200. (Step S102).

On the IC card 200 side, when the head block A_1 is received from the terminal device 100 (step S201), the first vector, the initial vector IV in this example, is obtained from the head block A_1 (step S202).
Next, the initial vector IV is encrypted using the first key K1 of the IC card 200 to generate the first-stage cryptographic operation block E_1 (step S203), and the first-stage cryptographic operation block E_1 is transmitted to the terminal device 100 (step S203). S204). What is indicated by “E” in FIG. 3 is Encrypter (encryptor: encryption algorithm). This is the same as Encrypter in the terminal device 100.

  When the terminal device 100 receives the first-stage cryptographic operation block E_1 from the IC card 200 (step S103), the terminal device 100 uses all the blocks A_1 and A_2 constituting the target data using the first-stage cryptographic operation block E_1 and the second key K2. A_3... Is encrypted according to the output feedback mode to create a ciphertext (step S104).

Specifically, as can be seen from FIG. 3, the terminal device 100 performs an exclusive OR operation between the first-stage cryptographic operation block E_1 and the first block (first block) A_1, and the first ciphertext block A_1 corresponding to the first block A_1. Generate '.
In addition, the first-stage cryptographic operation block E_1 is encrypted with the second key K2 to generate the second-stage cryptographic operation block E_2, and the second-stage cryptographic operation block E_2 and the second block A_2 are exclusive-ORed, A second ciphertext block A_2 ′ obtained by encrypting the two blocks A_2 is generated.
Further, the next-stage cryptographic operation block E_2 is encrypted with the second key K2 to generate the cryptographic operation block E_3, and the third block A_3 is obtained by taking the exclusive OR of the cryptographic operation block E_3 and the third block A_3. In the following, block cipher processing is repeatedly performed to generate a ciphertext.

  Decryption of the ciphertext obtained in this way is performed according to the procedure of FIG. That is, the terminal device 100 transmits the first ciphertext block of the ciphertext, in this example, the first block A_1 'to the IC card 200 (step S301).

When receiving the first block A_1 ′ of the ciphertext from the terminal device 100 (step S401), the IC card 200 side obtains the first vector corresponding to the first block A_1 ′, in this example, the initial vector IV (step S402).
Next, the IC card 200 decrypts the initial vector IV with the first key K1, generates a decryption operation block D_1 (step S403), and transmits the decryption operation block D_1 to the terminal device 100 (step S404). Here, what is indicated by “D” in FIG. 5 is a descriptor (decoder: decoding algorithm), which is the same as the descriptor in the terminal device 100.

  When receiving the decryption operation block D_1 from the IC card 200 (step S302), the terminal device 100 uses all the ciphertext blocks (first ciphertext) constituting the ciphertext using the decryption operation block D_1 and the second key K2. The block A_1 ′, the second ciphertext block A_2 ′, the third ciphertext block A_3 ′...) Are decrypted according to the output feedback mode, and target data is created (step S303).

Specifically, as can be seen from FIG. 5, the terminal device 100 performs an exclusive OR of the decryption operation block D_1 and the first ciphertext block A_1 ′, and decrypts the first block (first block) A_1.
Also, the decryption operation block D_1 is decrypted with the second key K2 to generate the next-stage decryption operation block D_2, and exclusive decryption of the decryption operation block D_2 and the second ciphertext block A_2 ′ is performed. Two blocks A_2 are generated.
Furthermore, the decryption operation block D_2 is encrypted with the second key K2 to generate the decryption operation block D_3, and the third block A_3 is obtained by taking the exclusive OR of the encryption operation block E_3 and the third ciphertext block A_3 ′. Is generated. Thereafter, the block decoding process is repeated to obtain target data.
Thereafter, the terminal device 100 creates original data by decompressing (decompressing) the target data (step S304).

  In such an encryption / decryption method, even when the second key K2 used for processing in the terminal device 100 is leaked, the first key K1 is stored in the IC card 200 that is a tamper-resistant device. Therefore, a person who has acquired only the second key K2 cannot properly decrypt the ciphertext, and can ensure high security.

  In this encryption / decryption method, an existing block encryption method (encryption use mode, output feedback mode) whose safety has been verified and authorized can be used. Therefore, a computer program for embodying this method While being easy to develop, it is possible to obtain high reliability.

  Further, the encryption-related processing performed on the IC card 200 side is only the generation of the initial vector IV and the first-stage cryptographic operation block E_1, and the subsequent processing can be performed on the terminal device 100 side. Even if it exists, it can be encrypted at high speed.

  The present invention is not limited to the above-described embodiment. Depending on the improvement of the processing capability of the tamper resistant device and the reduction of the processing time required for encryption, the tamper resistant device side such as the IC card 200 may be used. For example, the first ciphertext block A_1 ′ may be generated and the next cryptographic operation block E_2 may be generated, and the subsequent processing may be performed on the terminal device 100 side.

(Second Embodiment)
An encryption / decryption method executed according to the second embodiment of the present invention will be described. This method is a modification of the encryption / decryption method according to the first embodiment. Since the apparatus configuration and the like for realizing this method are the same as those in the first embodiment, description thereof will be omitted and only processing will be described.
The difference will be briefly described. In the encryption / decryption method according to the first embodiment, the initial vector IV is generated on the IC card 200 side. However, in the encryption / decryption method according to the second embodiment, the initial vector IV is generated. The IV is generated on the terminal device 100 side. The procedure of this method will be described with reference to FIGS.

  Referring to FIGS. 6 and 7, the terminal device 100 first generates target data by compressing the original data (step S501). Also, an initial vector IV is generated from the first block (first block) A_1 of the target data (step S502), and the generated initial vector IV is transmitted to the IC card 200 (step S503).

  When receiving the initial vector IV from the terminal device 100 (step S601), the IC card 200 side encrypts the initial vector IV using the first key K1 to generate the first-stage cryptographic operation block E_1 (step S602). The first-stage cryptographic operation block E_1 is transmitted to the terminal device 100 (step S603).

  When receiving the first-stage cryptographic operation block E_1 from the IC card 200 (step S504), the terminal device 100 uses all the blocks A_1, A_2, and A_3 constituting the target data using the first-stage cryptographic operation block E_1 and the second key K2. Are encrypted in accordance with the output feedback mode to create a ciphertext (step S505). Details of the processing in step S505 are the same as those in the first embodiment.

The ciphertext thus obtained is decrypted by the procedure shown in FIGS.
In decryption, the terminal device 100 first obtains an initial vector IV corresponding to the first block A_1 ′ of the ciphertext (step S701), and transmits the initial vector IV to the IC card 200 (step S702).

  When receiving the initial vector IV from the terminal device 100 (step S801), the IC card 200 side decrypts the initial vector IV with the first key K1 to generate a decryption calculation block D_1 (step S802). The calculation block D_1 is transmitted to the terminal device 100 (step S803).

When the terminal device 100 receives the decryption operation block D_1 from the IC card 200 (step S703), the terminal device 100 uses all of the ciphertext blocks (first ciphertext) constituting the ciphertext using the decryption operation block D_1 and the second key K2. The block A_1 ′, the second ciphertext block A_2 ′, the third ciphertext block A_3 ′...) Are decrypted according to the output feedback mode, and target data is created (step S704). Details of the processing in step S704 are the same as in the case of the first embodiment.
Thereafter, the terminal device 100 decompresses (decompresses) the target data to create original data (step S705).

  According to the present embodiment, in addition to the effects obtained by the first embodiment, the calculation processing for generating the initial vector IV is also performed on the terminal device 100 side, so that further speedup can be achieved.

  In the first and second embodiments, if there is no processing result of the previous block, the encryption / decryption processing of the block cannot be performed, and if there is no processing result of the first block, a plurality of stages It is a condition that even a part of the block consisting of cannot be correctly decoded. For example, in ECB, CBC, and CFB, which are block cipher usage modes, when a key registered in a normal terminal leaks, it is possible to decrypt a block other than the head block using that key. Therefore, the cipher usage mode is not only the output feedback mode described above, but also a cipher usage mode in which the process of performing subsequent block ciphers using the processing contents of the block cipher performed earlier is sequentially repeated. In addition, if there is no processing result of the first block, other cipher use modes may be used as long as even a part of a block consisting of a plurality of stages cannot be decrypted correctly.

It is a block diagram which shows roughly the structure of the encryption / decryption system by the 1st Embodiment of this invention. It is a figure which shows the encryption method by the 1st Embodiment of this invention. It is a figure which shows the relationship of the block cipher in the encryption method shown by FIG. It is a figure which shows the decoding method by the 1st Embodiment of this invention. It is a figure which shows the relationship of the block cipher in the decoding method shown by FIG. It is a figure which shows the encryption method by the 2nd Embodiment of this invention. It is a figure which shows the relationship of the block cipher in the encryption method shown by FIG. It is a figure which shows the decoding method by the 2nd Embodiment of this invention. It is a figure which shows the relationship of the block cipher in the decoding method shown by FIG.

Explanation of symbols

100 Terminal device 110 CPU
120 ROM
130 RAM
140 HDD
150 I / O control unit 200 IC card 210 CPU
220 ROM
230 RAM
240 EEPROM
300 IC card reader / writer

Claims (5)

In cooperation with the tamper resistant device having the first key, by repeating the execution of the block encryption process after using the result information of the previously executed block encryption process, the target data consisting of a plurality of consecutive blocks is obtained. An information processing device for encryption,
An interface unit that enables information exchange with the tamper resistant device;
A key storage unit for storing a second key different from the first key;
The tamper resistant device receives the result information of the block cipher process executed by using the first key as the result information of the first stage block cipher process through the interface unit, and receives the second key from the key storage unit. An encryption processing unit that repeats execution of block encryption processing from the next stage using the read result information and the read second key;
An information processing apparatus comprising: The tamper resistant device has a function of generating a first cryptographic operation block by encrypting vector data corresponding to a block in the first stage with the first key,
The encryption processing unit reads the first-stage block from the target data stored in a predetermined memory, and the read first-stage block or the vector data corresponding to the block is read through the access unit. Sending to the tamper device and receiving the first cryptographic operation block from the tamper resistant device, and executing the next block cipher processing using the first cryptographic operation block and the second key;
The information processing apparatus according to claim 1. In cooperation with the information processing apparatus having the second key, by repeating the execution of the block encryption process after using the result information of the previously executed block encryption process, the target data consisting of a plurality of consecutive blocks is obtained. A tamper resistant device for encryption,
It is configured to be connectable with an interface device that enables information exchange with the information processing device, and
A key storage unit for storing a first key different from the second key;
A part of the target data is received from the information processing device via the interface device, and first-stage block encryption processing is performed on the received part of the target data, and the result information is transmitted to the information via the interface device. An encryption processing unit to be sent to the processing device,
Causing the information processing apparatus to execute block cipher processing of the subsequent stage on the remaining portion of the target data using the result information;
Tamper resistant device. The tamper resistant device having the first key and the information processing apparatus having the second key cooperate to repeat the execution of the block encryption process after using the result information of the previously executed block encryption process. The encryption processing method for encrypting the target data consisting of a plurality of continuous blocks,
A first step in which the information processing apparatus reads a part of the target data stored in a predetermined memory and sends the part of the target data toward the tamper resistant device;
A second step in which the tamper resistant device performs a first stage block cipher process on the partial target data received from the information processing apparatus, and sends the result information to the information processing apparatus;
The information processing apparatus that has received the result information includes a third step that repeats execution of block cipher processing of the subsequent stage using the result information and the second key.
Cryptographic processing method. By repeating the execution of the block cipher processing after using the result information of the block cipher processing executed previously in cooperation with the tamper resistant device having the first key, the computer having the memory is continuously connected in a plurality of stages. A computer program for operating as an information processing apparatus for encrypting target data consisting of blocks,
The computer,
An interface unit that enables information exchange with the tamper resistant device;
A key storage unit for storing a second key different from the first key in the memory; and
The tamper resistant device receives the result information of the block cipher process executed by using the first key as the result information of the first stage block cipher process through the interface unit, and receives the second key from the key storage unit. A computer program for reading and functioning as an encryption processing unit that repeats execution of block encryption processing from the next stage using the received result information and the read second key.

Images