JP2008141667A - Secure communication method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a secure communication method with which a new nonce with which an initial value is not easily inferred by a third person even when re-initiation occurs in an authentication device wherein re-initiation may occur, and which can be achieved at low cost. <P>SOLUTION: An authentication device A comprises a random number generating means 1a for generating a random number and a nonce generating means 2a for generating a nonce N, wherein the nonce generating means 2a is adaptive to generate an initial value N(1) of the nonce N on the basis of the random number generated by the random number generating means at least when re-initiating the authentication device A and a new nonce N(n+1), other than the initial value, in the case that the authentication device A authenticates a device B to be authenticated, is generated by making increment a nonce N(n) used for the last authentication. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to security of a communication network, and more particularly, to a secure communication method for performing secure authentication using a nonce between communication devices that can communicate with each other.

  In a communication network based on communication devices that can communicate with each other, the communication device of the other party guarantees a trust relationship when establishing communication between the device to be authenticated and the authentication device and actually transmitting and receiving data. It is very important to perform communication after confirming whether or not to establish a secure communication network. Therefore, various authentication protocols and key distribution protocols have been used to realize a secure communication system.

  For example, as shown in Japanese Patent No. 3078841, when communication is performed between two devices, device A and device B, a secret key Kab is secretly distributed to each device in advance. To perform secure authentication, a nonce N, which is an unpredictable one-time number, is used. As shown in FIG. 14, execution of this protocol is started from block 501, and device A sends device name A and the generated nonce Nab to device B. When receiving a message from the device A, the authentication function AUTH (Kab, Nab, Nba, B, based on the shared key Kab, the nonce Nab, the new nonce Nba generated by the device B, and the name B of the own device that is the message source. ) Is calculated by device B. Referring to block 502, the value of this authentication function and the nonce Nba are sent from device B to device A. When receiving the message from device B, device A recalculates the value of the authentication function AUTH (Kab, Nab, Nba, B) and compares it with the counterpart in the message sent by device B. If this matches, the device B is authenticated. Thereafter, the device A calculates the value of another authentication function ACK (Kab, Nab, Nba) based on the shared key Kab, nonce Nab, and nonce Nba to complete the two-way authentication. Referring to block 503, the value of the authentication function ACK (Kab, Nab, Nba) is sent from device A to device B. When receiving the message from device A, device B recalculates the value of the authentication function ACK (Kab, Nab, Nba) and compares it with the counterpart of the message sent by device A. If this matches, device A authentication is provided.

  Here, a nonce N, which is a number that is used only once and cannot be predicted by the devices A and B, is generated and used for authentication by using a method for generating a value that has not been generated before the generation time. However, in order to keep the nonce N used only once, there are a method using a continuous number and a method using a random number for the nonce N. Normally, in the method using the continuous number, the value of the nonce N is sequentially incremented within a certain bit width. However, since it is conceivable that a resend attack that accumulates the previous nonce N value and then resends in a timely manner after one round of the counter is performed from another device, the bit width must be a large value so that it does not fill up immediately. I must.

Moreover, as shown in Japanese translations of PCT publication No. 2004-525558, nonce N uses the random number produced | generated by the cryptographically strong random number generator, for record encryption and decryption of data. It can serve as a unique identifier.
Japanese Patent No. 3078841 JP-T-2004-525558

  However, in the secure communication method as the conventional example described above, when the nonce is generated by the method using the continuous number, if the authentication device power or the software is restarted due to some failure, the authentication device is restarted. Since the nonce starts at the same value at startup, it is more susceptible to attacks from third parties.

  Therefore, when the power to the authentication device is stopped or the internal software is rebooted, the nonce used in the past is retained in a storage medium such as flash memory, and when a new nonce is generated at the time of restart, it is retained in the storage medium. It is conceivable to generate a nonce by referring to the value of the nonce that is not equal to the past nonce. However, a nonvolatile memory such as a flash memory has a limitation on the number of times of writing, and there is a problem that operation is not guaranteed if writing exceeding the limitation is performed. Furthermore, there is a problem that it is costly to use a flash memory having a large number of limited write operations.

  Also, in order to make it difficult for a third party to infer the nonce generated at startup, it is possible to use a method that uses a random number for nonce generation, but for nonce generation other than the initial value immediately after restart However, when using random numbers, the nonce needs to be sufficiently randomized using an expensive random number generator to reduce the possibility of inference by a third party, which is expensive. .

  The present invention has been invented in view of the above-described background art, and in an authentication device that can be restarted, even if a restart occurs, an initial value can be easily estimated by a third party. It is an object of the present invention to provide a secure communication method that can generate a nonce that is not necessary and can be realized at low cost.

  In order to solve the above-described problem, the invention according to claim 1 of the present application is a secure communication method in which an authentication device authenticates a device to be authenticated via a network, and the authentication device and the device to be authenticated are used for the authentication. The key is stored in advance, and the authentication device includes at least random number generation means for generating a random number, nonce generation means for generating a nonce, and encryption of the nonce using the key or decryption of the encrypted nonce. Nonce encryption / decryption means for performing one and nonce transmission means for transmitting the nonce or encrypted nonce to the device to be authenticated, and the device to be authenticated uses the key of the nonce transmitted from the authentication device A nonce encryption / decryption unit that performs encryption or decryption using the key of the encrypted nonce transmitted from the authentication device, and a nonce encrypted by the reception nonce encryption / decryption unit And a nonce return means for transmitting the nonce decrypted by the nonce or the received nonce encryption / decryption means to the authentication device, and the random number generation means generates a random number at least when the authentication device is restarted. The means generates the initial value of the nonce based on the random number generated by the random number generation means, and the new nonce when the authentication device other than the initial value authenticates the device to be authenticated is used for the previous authentication. It is generated by incrementing the nonce.

  The invention according to claim 2 of the present application is a secure communication method in which an authentication device authenticates a device to be authenticated via a network, and the authentication device and the device to be authenticated hold a key used for the authentication in advance, The authentication device includes a time generation unit that generates a current time, a nonce generation unit that generates a nonce, and a nonce encryption / decryption that performs at least one of encryption of a nonce using the key or decryption of an encrypted nonce And nonce transmitting means for transmitting the nonce or encrypted nonce to the device to be authenticated, and the device to be authenticated is an encryption or authentication device that uses the nonce key transmitted from the authentication device. The received nonce encryption / decryption means for decrypting the encrypted nonce transmitted using the key, and the nonce or reception nonce encrypted by the reception nonce encryption / decryption means A nonce reply means for transmitting the nonce decrypted by the signal decryption means to the authentication device, and the time generation means generates the current time at least when the authentication device is restarted. The initial value of the nonce is generated based on the time generated by the time generation means, and the new nonce when the authentication device other than the initial value authenticates the device to be authenticated is the nonce used for the previous authentication. It is generated by incrementing.

  The invention according to claim 3 of the present application is a secure communication method in which an authentication device authenticates a device to be authenticated via a network, and the authentication device and the device to be authenticated hold a key used for the authentication in advance, The authentication device includes: a random number generation unit that generates a random number; a time generation unit that generates a current time; a nonce generation unit that generates a nonce; and encryption of a nonce using the key or decryption of an encrypted nonce A nonce encryption / decryption unit that performs at least one of the nonce and a nonce transmission unit that transmits the nonce or the encrypted nonce to the device to be authenticated, and the device to be authenticated includes the key of the nonce transmitted from the authentication device. Receiving nonce encryption / decryption means for performing encryption using the key of the encrypted nonce transmitted from the authentication or authentication device, and reception nonce encryption / decryption means And a nonce reply means for transmitting the encoded nonce or the nonce decrypted by the received nonce encryption / decryption means to the authentication device, and the random number generation means generates a random number at least when the authentication device is restarted. Yes, the time generation means generates the current time at least when the authentication device is restarted, and the nonce generation means uses the time generated by the time generation means as the upper digit of the nonce, and the lower digit of the nonce. The initial value of the nonce is generated using the random number generated by the random number generator. The new nonce when the authentication device other than the initial value authenticates the device to be authenticated is the nonce used for the previous authentication. It is characterized by being generated by incrementing.

  According to a fourth aspect of the present invention, in the secure communication method according to the third aspect, the authentication device includes a reboot frequency detecting unit that detects a restart frequency per predetermined time, and the nonce generating unit is a reboot frequency detecting unit. Based on the restart frequency per predetermined time detected by the above, the ratio of the number of upper digits and lower digits of the initial value of the generated nonce is changed.

  In the secure communication method according to the first aspect of the present invention, the authentication device and the device to be authenticated hold in advance a key used for authentication, and the authentication device includes a random number generation means, a nonce generation means, and a nonce encryption / decryption Means and a nonce transmitting means, and the device to be authenticated includes a receiving nonce encryption / decryption means and a nonce reply means, so that the authentication device uses the common key and the nonce to It can be authenticated.

  Furthermore, since the nonce generation unit generates the initial value of the nonce based on the random number generated by the random number generation unit at least when the authentication device is restarted, it prevents a third party from easily guessing the initial value of the nonce. be able to. In addition, since the authentication device is to generate a nonce by incrementing the nonce used in the previous authentication for generating a nonce other than the initial value, the nonce generating unit may always generate a different nonce. And can keep the nonce used only once. In addition, nonces other than the initial value can be generated by a method using a continuous number, and it is not necessary to use random numbers, so that cost reduction can be realized.

  In the secure communication method according to claim 2 of the present application, the authentication device and the device to be authenticated hold in advance a key used for authentication, and the authentication device includes a time generation means, a nonce generation means, and a nonce encryption / decryption Means and a nonce transmitting means, and the device to be authenticated includes a receiving nonce encryption / decryption means and a nonce reply means, so that the authentication device uses the common key and the nonce to It can be authenticated.

  Furthermore, since the nonce generation unit generates an initial value of the nonce based on the current time generated by the time generation unit at least when the authentication device is restarted, the nonce initial value generated when the authentication device was restarted at least in the past. The initial value of a different nonce can always be generated without being equal to the value. In addition, when the authentication device authenticates the device to be authenticated, a nonce is incremented and a new nonce is generated. Therefore, a different nonce can always be generated and the nonce can be used only once. Can do. In addition, nonces other than the initial value can be generated by a method using a continuous number, and cost reduction can be realized.

  In the secure communication method according to the third aspect of the present invention, the authentication device and the device to be authenticated hold in advance a key used for authentication, and the authentication device includes a random number generation means, a time generation means, a nonce generation means, The nonce encryption / decryption unit and the nonce transmission unit, and the device to be authenticated includes the reception nonce encryption / decryption unit and the nonce return unit, so that the authentication device uses the common key and the nonce. The device to be authenticated can be authenticated.

  Further, the nonce generating means generates the upper digit of the nonce based on the current time generated by the time generating means at least when the authentication device is restarted, and sets the lower digit of the nonce based on the random number generated by the random number generating means. Since it is generated, the nonce value does not start from the same value at startup, it is possible to always generate an initial value of a different nonce, and keep the nonce used only once .

  In addition, the nonce generating means generates a new nonce by incrementing the nonce when the authenticating device authenticates the device to be authenticated. Therefore, the generation of a numerical value that can be used as a nonce can be suppressed.

  In addition, the nonce generation means generates the low-order digit of the nonce based on random numbers so that the non-significant low-order digit does not become a close value when the authentication device restarts in a very short time. Can do. As a result, it is possible to prevent the nonce generated in the past from being incremented and the initial value of the nonce newly generated by activation of the authentication device from becoming the same value.

  In the secure communication method of the invention according to claim 4 of the present application, in particular, the nonce generation unit is configured to determine the upper digit and lower digit of the nonce to be generated based on the restart frequency per predetermined time detected by the reboot frequency detection unit. Since the digit number ratio is changed, the number ratio of the upper digits of the nonce can be lowered when the restart frequency is high.

  When the authentication device repeatedly restarts in a short time, the nonce generation means frequently generates the initial value of the nonce, so the number of nonce generations by increment is reduced, so The numerical values that can be used for the digits are not sufficiently used, and the upper digits are consumed quickly. In this case, by reducing the number of upper digits of the nonce and increasing the number of lower digits, a numerical value that can be used as a nonce can be used effectively.

  1 to 4 show a secure communication method according to the first embodiment of the present invention. For example, as shown in FIG. 1, the secure communication method is a secure communication method in which the authentication device A authenticates the device to be authenticated B via the network, and the authentication device A and the device to be authenticated B are used for the authentication. The authentication device A holds the common key Ka to be generated in advance, and the authentication device A encrypts the nonce N using the common key Ka, the random number generation unit 1a that generates a random number, the nonce generation unit 2a that generates the nonce N, or A nonce encryption / decryption unit 3a that performs at least one of decryption of the encrypted nonce E (N), and a nonce transmission unit 4a that transmits the nonce N or the encrypted nonce E (N) to the device to be authenticated B. The device to be authenticated B encrypts the nonce N transmitted from the authentication device A using the common key Ka or the encrypted nonce E (N) transmitted from the authentication device A. Common Receive nonce encryption / decryption means 5b that performs decryption using Ka, and nonce E (N) encrypted by reception nonce encryption / decryption means 5b or nonce N decrypted by reception nonce encryption / decryption means A random number generating means 1a for generating a random number at least when the authentication apparatus A is restarted, and the nonce generating means 2a is a random number generated by the random number generating means 1a. The initial value N (1) of the nonce N is generated based on the above, and the new nonce N (n + 1) when the authentication device A other than the initial value N (1) authenticates the device to be authenticated B is This is generated by incrementing the nonce N (n) used for the authentication.

  Hereinafter, the secure communication method of this embodiment will be described in more detail.

  In the example shown in FIG. 1, when the authentication device A and the device to be authenticated B are connected to the same communication network, and communication is performed between the two devices, the authentication device A and the device to be authenticated B have a common key Ka beforehand. In order to perform more secure authentication, a nonce N, which is a number used only once, is used. The authentication device A and the device to be authenticated B are equipped with a power source 11, a central processing unit 12, a communication module 13, a volatile memory 14, and a read-only storage device 15.

  The power supply 11 manages the power supply of the authentication device A and the device to be authenticated B.

  The central processing unit 12a of the authentication device A includes a random number generation unit 1a, a nonce generation unit 2a, a nonce encryption / decryption unit 3a, and a nonce transmission unit 4a. The central processing unit 12b of the device to be authenticated B includes a received nonce encryption / decryption unit 5b and a nonce reply unit 6b. The central processing unit 12 is activated by power supplied from the power source 11. Further, the central processing unit 12 reads a random number temporarily stored in the volatile memory 14, and reads a program for encryption communication using the common key Ka and the nonce N stored in advance in the read-only storage device 15. Various operations are performed by using each means, and commands for transmission / reception with the authentication device A or the device to be authenticated B, which are other devices, are sent to the communication module 13.

  The communication module 13 receives a command from the central processing unit 12 and performs communication with the authentication device A or the device to be authenticated B via the communication network.

  The volatile memory 14a temporarily stores the random number generated by the random number generation unit 1a. The random number is read by the central processing unit 12a and the initial value N (1) of the nonce N by the nonce generation unit 2a. Used to generate

  The read-only storage device 15 stores in advance a program for encrypted communication using the common key Ka and the nonce N, and this program is read from the central processing unit 12 and executed.

  Note that a RAM (Random Access Memory) is used for the volatile memory 14, and a ROM (Read Only Memory) is used for the read-only storage device 15.

  Here, in this specification, when referring generically, it shows with the reference symbol which abbreviate | omitted the alphabetic suffix, and when referring to an individual structure, it shows with the reference symbol which attached | subjected the alphabetic suffix.

  Next, a nonce N is generated by the authentication device A between the authentication device A and the device to be authenticated B, and the communication contents until the session is actually started after the authentication to the device B to be authenticated are performed. This will be described with reference to FIGS.

  As shown in FIG. 2, when the authentication device A is restarted, the random number generator 1a generates a random number (S101). Note that the random number needs to be a uniform random number so as not to be guessed. For example, a random number can be generated using a hash function as a pseudo-random number. This random number is temporarily stored in the volatile memory 14a (S102). The nonce generation means 2a reads the random number stored in the volatile memory 14a, generates an initial value N (1) of the nonce N, and stores the initial value N (1) in the volatile memory 14a (S103). The generated initial value N (1) of the nonce N is encrypted by the nonce encryption / decryption means 3a using the common key Ka held in advance (S104). Further, the encrypted nonce E (N (1)) is transmitted to the device to be authenticated B by the nonce transmitting means 4a (S105).

  The above restart includes both a cold reboot in which the power supply 11 of the authentication device A is restarted and a warm reboot in which the software is reset and a part of the hardware check is omitted to start up at high speed. Further, the authentication device A may operate as if it is restarted when the power is turned on for the first time after manufacture.

  Next, as shown in FIG. 3, the device B to be authenticated has a common non-encrypted nonce E (N (1)) received from the authentication device A held in advance by the reception nonce encryption / decryption means 5b. Decryption into nonce N (1) using the key Ka (S106). Further, the device to be authenticated B transmits the decrypted nonce N (1) to the authentication device A by the nonce reply unit 6b (S107).

  The authentication device A receives the decrypted nonce N (1) transmitted from the device to be authenticated B (S108), and collates with the nonce N (1) generated by the nonce generation means 2a (S109). If they match, the device B to be authenticated is authenticated (S110), and a session between the device A and the device B to be authenticated is started.

  When the session is started again between the authentication device A and the device B to be authenticated, the authentication device A uses the previously used nonce N (n) stored in the volatile memory 14a as shown in FIG. The read / nonce generation unit 2a generates a nonce N (n + 1) obtained by incrementing the nonce N (n), and the generated nonce N (n + 1) is stored in the volatile memory 14a (S151). Furthermore, the generated nonce N (n + 1) is encrypted by the nonce encryption / decryption means 3a using the common key Ka held in advance (S152). The encrypted nonce E (N (n + 1)) is transmitted to the device to be authenticated B by the nonce transmitting means 4a (S153).

  Next, the device to be authenticated B receives the encrypted nonce E (N (n + 1)) received from the authentication device A by the reception nonce encryption / decryption means 5b using the common key Ka held in advance by the nonce N Decoding into (n + 1) (S154). Further, the device to be authenticated B transmits the decrypted nonce N (n + 1) to the authentication device A by the nonce reply unit 6b (S155).

  The authentication device A receives the decrypted nonce N (n + 1) transmitted from the device to be authenticated B (S156), and collates with the nonce N (n + 1) generated by the nonce generation unit 2a (S157). If they match, the device B to be authenticated is authenticated (S158), and the session between the device A and the device B to be authenticated is started again.

  As another example of this embodiment, the nonce N sent from the authentication device A to the device to be authenticated B is not encrypted, and the nonce N sent from the device to be authenticated B to the authentication device A is encrypted. There is a way. Specifically, the authentication device A transmits the nonce N generated by the nonce generation unit 2a to the device B to be authenticated by the nonce transmission unit 4a without encrypting the nonce N. The device to be authenticated B encrypts the received nonce N by the received nonce encryption / decryption means 5b using the common key Ka held in advance, and authenticates the encrypted nonce E (N) by the nonce return means 6b. Reply to device A. Further, the authentication device A decrypts the received encrypted nonce E (N) into the nonce N using the common key Ka held in advance by the nonce encryption / decryption means 3a. Next, the authentication device A compares the decrypted nonce N with the nonce N generated by the nonce generation unit 2a possessed by the own device. Authentication is performed, and a session between the authentication device A and the device to be authenticated B is started.

  As described above, the nonce N (n + 1) other than the initial value is generated by incrementing the previously used nonce N (n). Here, the nonce N other than the initial value is generated as a continuous number by incrementing, and as this increment, an operation in which a number of 2 or more is increased may be performed, or an operation in which subtraction is performed. May be performed.

  Therefore, the authentication device A and the device to be authenticated B hold the common key Ka in advance, and the authentication device A includes a random number generation unit 1a, a nonce generation unit 2a, a nonce encryption / decryption unit 3a, and a nonce transmission unit 4a. The authenticated device B includes the received nonce encryption / decryption unit 5b and the nonce return unit 6b, so that the authenticated device A uses the common key Ka and the nonce N to It can be authenticated.

  Further, since the nonce generation unit 2a generates the initial value N (1) of the nonce N based on the random number generated by the random number generation unit 1a at least when the authentication device A is restarted, a third party can easily perform the nonce N It is possible to prevent the initial value N (1) from being estimated. Further, since the authentication device A is for generating a nonce N (n) other than the initial value, the nonce N (n + 1) used for the previous authentication is incremented to newly generate a nonce N (n + 1). 2a can always generate a different nonce N and keep the nonce N used only once. Further, the nonce N other than the initial value can be generated by a method using a continuous number, and it is not necessary to use a random number, and cost reduction can be realized.

  FIG. 5 shows a secure communication method according to the second embodiment of the present invention. Here, only matters different from those in the first embodiment will be described, and other matters (configuration, operational effects, and the like) are the same as those in the first embodiment, and thus description thereof will be omitted.

  As shown in FIG. 5, the secure communication method is a secure communication method in which the authentication device A authenticates the device to be authenticated B via the network, and the authentication device A and the device to be authenticated B are common for the authentication. The authentication device A holds the key Ka in advance, and the authentication device A encrypts the nonce N using the common key Ka, the time generation unit 7a that generates the current time, the nonce generation unit 2a that generates the nonce N, or A nonce encryption / decryption unit 3a that performs at least one of decryption of the encrypted nonce E (N), and a nonce transmission unit 4a that transmits the nonce N or the encrypted nonce E (N) to the device to be authenticated B. The device to be authenticated B encrypts the nonce N transmitted from the authentication device A using the common key Ka or the encrypted nonce E (N) transmitted from the authentication device A. Common key K A nonce encryption / decryption unit 5b that performs decryption using the nonce E (N) encrypted by the reception nonce encryption / decryption unit 5b or a nonce N decrypted by the reception nonce encryption / decryption unit A nonce reply means 6b for transmitting to A, the time generation means 7a generates the current time at least when the authentication device A is restarted, and the nonce generation means 2a is generated by the time generation means 7a. An initial value N (1) of the nonce N is generated based on the time, and a new nonce N (n + 1) when the authentication device A other than the initial value N (1) authenticates the device to be authenticated B is: It is generated by incrementing the nonce N (n) used for the previous authentication.

  Hereinafter, the secure communication method of this embodiment will be described in more detail.

  As shown in FIG. 6, when the authentication device A is restarted, the time generation unit 7a generates the current time (S201). This time is configured using, for example, the year, month, day, hour, minute, and second, and is temporarily stored in the volatile memory 14a (S202). The nonce generation unit 2a reads the time stored in the volatile memory 14a, generates the initial value N (1) of the nonce, and stores the initial value N (1) in the volatile memory 14a (S203).

  It should be noted that the authentication steps after step S204 after the nonce initial value N (1) is generated until the device to be authenticated B is authenticated are the same as steps S104 to S110 of the first embodiment.

  Therefore, the authentication device A and the device to be authenticated B hold the common key Ka in advance, and the authentication device A includes the time generation unit 7a, the nonce generation unit 2a, the nonce encryption / decryption unit 3a, and the nonce transmission unit 4a. The authenticated device B includes the received nonce encryption / decryption unit 5b and the nonce return unit 6b, so that the authenticated device A uses the common key Ka and the nonce N to It can be authenticated.

  Furthermore, since the nonce generation unit 2a generates the initial value N (1) of the nonce N based on the current time generated by the time generation unit 7a at least when the authentication device A is restarted, at least the past authentication device A Thus, the initial value N (1) of the nonce N that is different from the initial value N (1) of the nonce N generated at the time of restart can be generated.

  FIG. 7 shows a secure communication system and a secure communication method according to the third embodiment of the present invention. Here, only matters different from those in the first and second embodiments will be described, and other matters (configuration, operational effects, etc.) are the same as those in the first and second embodiments, and therefore the description thereof. Is omitted.

  As shown in FIG. 7, a secure communication method in which an authentication device A authenticates a device to be authenticated B via a network, where the authentication device A and the device to be authenticated B hold a common key Ka used for the authentication in advance. The authentication device A includes a random number generation unit 1a that generates a random number, a time generation unit 7a that generates a current time, a nonce generation unit 2a that generates a nonce N, and a nonce using the common key Ka The nonce encryption / decryption means 3a that performs at least one of N encryption or decryption of the encrypted nonce E (N), and transmits the nonce N or the encrypted nonce E (N) to the device B to be authenticated. The non-authenticating device B includes a nonce transmitting unit 4a, and the authenticated device B encrypts the nonce N transmitted from the authenticating device A using the common key Ka or the encrypted nonce E transmitted from the authenticating device A. (N Received nonce encryption / decryption means 5b for performing decryption using the common key Ka and nonce E (N) encrypted by the reception nonce encryption / decryption means 5b or received nonce encryption / decryption means A nonce return means 6b for transmitting the nonce N to the authentication device A, the random number generation means 1a generates a random number at least when the authentication device A is restarted, and the time generation means 7a includes at least the authentication device A. The nonce generating means 2a uses the time generated by the time generating means 7a as the upper digit of the nonce N, and the random number generating means 1a generates the lower order digit of the nonce N. The initial value N (1) of the nonce N is generated using the random number, and the new nonce N (n + 1) when the authentication device A other than the initial value N (1) authenticates the device B to be authenticated is ,The previous And it is generated by incrementing nonce N a (n) used in testimony. Further, the authentication device A includes a reboot frequency detection unit 8a that detects a restart frequency per predetermined time, and the nonce generation unit 2a is based on the restart frequency per predetermined time detected by the reboot frequency detection unit 8a. The ratio of the number of upper and lower digits of the initial value N (1) of the nonce N to be generated is changed.

  Hereinafter, the secure communication method of this embodiment will be described in more detail.

  As shown in FIG. 8, when the authentication device A is restarted, the time generation unit 7a generates the current time (S301). This time is configured using, for example, the year, month, day, hour, minute, and second, and is temporarily stored in the volatile memory 14a (S302). The random number generation unit 1a generates a random number (S303). Similarly, this random number is temporarily stored in the volatile memory 14a (S304). The nonce generation means 2a reads the time and random number stored in the volatile memory 14a, and generates the initial value N (1) of the nonce N (S305).

  The nonce N (1) to be generated is configured such that the upper digit is composed of time and the lower digit is composed of random numbers. For example, if the nonce N is 32 bits, the upper 16 bits are time and the lower 16 bits are random numbers. Here, using the fact that the frequency of increment is different between the upper digit and the lower digit of the nonce N, the value of the time that changes slowly is used for the upper digit with a small increment frequency, and a numerical value that can be used as the nonce N Consume consumption. In addition, since the nonce generation unit 2a generates an initial value N (1) using a random number as a lower digit, even if the restart occurs in a very short time, the generated nonce N (1) is This prevents a close value and ensures that the nonce is used only once.

  Furthermore, the reboot frequency detection means 8a detects the restart frequency per predetermined time of the authentication device A, and transmits this frequency to the nonce generation means 2a. The nonce generation means 2a sets the ratio of the number of digits of the upper and lower digits of the nonce N based on the received frequency.

  Here, the method of detecting the authentication frequency and the restart frequency by frequent update of the session can be obtained by obtaining the device-specific restart frequency stored in the volatile memory 14a or the like. For example, regarding the frequency of restart, the power on / off frequency or the software reset frequency differs depending on whether the authentication device A is a server or a client. If the authentication device A is a server, the power on / off frequency or software reset frequency is very low, and if the authentication device A is a client, the power on / off or software reset is likely to occur frequently.

  Moreover, the restart frequency per predetermined time can also be detected by counting the actual number of restarts. In this case, the reboot frequency detection means 8a periodically transmits the restart frequency per predetermined time to the nonce generation means 2a, and the nonce generation means 2a responds to the frequency of receiving the digit number ratio between the upper and lower digits. Can be changed automatically.

  When the restart frequency per predetermined time detected by the reboot frequency detection unit 8a is high, the nonce generation unit 2a generates the nonce N by reducing the digit ratio of the upper digits. Since the upper digit of the nonce N is generated using the time when the authentication device is activated, the upper digit of the nonce N is frequently updated when the restart frequency is high. For this reason, the nonce generation means 2a consumes the upper digits without fully using the lower digits of the usable nonce N, and the usable range of the nonce N is used up quickly.

  When such restart frequency is high, by reducing the number ratio of the upper digits of the nonce N, early consumption of the upper digits can be prevented. For example, when the number of digits is reduced from one that uses the year, month, hour, minute, and second as the upper digit to one that uses the year, month, and time, the restart of the authentication device A occurs frequently in a short time. In this case, the upper digit becomes the same value as the previous initial value, and consumption of the upper digit can be suppressed. Even in this case, since the lower digit of the nonce N is generated by a random number, it can be prevented from being the same value as the previous initial value.

  It should be noted that the authentication steps after step S306 after the initial nonce value N (1) is generated until the device to be authenticated B is authenticated are the same as steps S104 to S110 of the first embodiment.

  Therefore, the authentication device A and the device to be authenticated B hold the common key Ka in advance, and the authentication device A includes the random number generation unit 1a, the time generation unit 7a, the nonce generation unit 2a, and the nonce encryption / decryption unit 3a. And the non-authenticating device B includes the received nonce encryption / decryption unit 5b and the nonce return unit 6b, so that the authentication device A uses the common key Ka and the nonce N. The device to be authenticated B can be authenticated.

  Further, the nonce generating unit 2a generates the upper digit of the nonce N based on the current time generated by the time generating unit 7a at least when the authentication device A is restarted, and based on the random number generated by the random number generating unit 1a. Since the lower digit of the nonce N is generated, the value of the nonce N does not start from the same value at the time of activation, and an initial value N (1) of a different nonce N can always be generated. N can be kept used only once.

  Further, when the authentication device A authenticates the device B to be authenticated, the nonce generation unit 2a generates a new nonce N (n + 1) by incrementing the nonce N (n). By generating the high-order digits with a small change frequency based on the time when the change is slow and the same value does not occur, consumption of the numerical value that can be used as the nonce N can be suppressed.

  In addition, the nonce generation unit 2a generates the lower digit of the nonce N based on the random number so that the lower digit does not become a close value when the authentication device A is restarted in a very short time. be able to.

  Accordingly, it is possible to prevent the nonce N generated in the past from being incremented and the initial value N (1) of the nonce N newly generated by the activation of the authentication device A from being the same value.

  Furthermore, the nonce generating means 2a changes the ratio of the number of digits of the upper and lower digits of the nonce N to be generated based on the restart frequency per predetermined time detected by the reboot frequency detecting means 8a. When the restart frequency is high, the digit number ratio of the upper digits of the nonce N can be lowered.

  When the authentication device repeats restarting in a short time, the nonce generation means 2a frequently generates the initial value N (1), and therefore the number of generations of the nonce N by increment is small. Therefore, the usable numerical values of the lower digits are not sufficiently used, and the upper digits are consumed quickly. In this case, by reducing the number of upper digits of the nonce and increasing the number of lower digits, a numerical value usable as the nonce N can be used effectively.

  Note that the communication device capable of communicating with each other of the present invention can have both functions of an authentication device and a device to be authenticated, and the nonce N and the common key Ka can be used between any communication devices without distinction between authentication and authentication. Therefore, the degree of freedom in system construction can be increased.

  For example, the third embodiment of the present invention can be configured as follows.

  As shown in FIG. 9, the authentication device A can be provided with a function as a device to be authenticated by providing the central processing unit 12a with the received nonce encryption / decryption unit 5a and the nonce reply unit 6a. In addition, the device B to be authenticated includes a random number generator 1b, a nonce generator 2b, a nonce encryption / decryptor 3b, a nonce transmitter 4b, a time generator 7b, and a reboot frequency detector in the central processing unit 12b. 8b can be provided with a function as an authentication device.

  In addition, the authentication device and the device to be authenticated of the first and second embodiments can have both functions of the authentication device and the device to be authenticated by having the same configuration.

  In the first to third embodiments, an example of the one-way authentication in which the authentication device A generates the nonce N and authenticates the device to be authenticated B has been described. Can be generated to perform two-way authentication combined with one-way authentication. Furthermore, the secure communication method of the present invention can also be used in the case of a system that performs communication between a plurality of devices, and various authentication methods using nonce N such as mutual authentication and authentication involving a third party are performed. You can also

The above-described first to third embodiments are examples in one simple embedded device. Further, if an apparatus for performing cryptographic processing can be allowed, various forms for adding options for authentication can be considered. It is done.
In addition to the embodiment of the present invention described above, various patterns can be considered for the authentication method using the encryption algorithm.

  For example, there is a mechanism for authenticating communication between two parties as the ISO / IEC 9798-2 standard. This authentication mechanism is a one-way authentication method using a time stamp or a mutual authentication method using nonce N. Here, the one-way authentication method using the time stamp is an authentication method that does not require the nonce N.

In the mutual authentication method using the nonce N, as shown in FIG. 10, the nonce Nb of the device b is sent from the device b to the device a, and the device a sends the nonce Na of the device a, the nonce Nb of the device b, and the device In order to identify the message to b, the value “b” is attached and encrypted with the common key Kab and {Na, Nb, B} Kab is sent. The device b sends the decrypted nonce Na of the device a to the device a. It encrypts with its own nonce Nb with a common key Kab and sends {Nb, Na} Kab. The information in parentheses indicates that it is encrypted by Kab.

  Nonce N is also widely used in third-party authentication methods. In the example shown in FIG. 11, authentication between the device a and the device b is not performed directly, but is performed with the reliable third-party device P. The device a transmits the values of “a” and “b” and the nonce Na for identifying the communication partner to be transmitted to the device P. The device P is common so that only the nonce Na, the identification value “b”, the common key Kab between the devices a and b, and the device b can be decrypted with the common key Kap between the devices a and P. A message obtained by encrypting the value of the key Kab and “a” with the common key Kbp between the devices b and P is further encrypted with Kap, and the device a is represented as {Na, b, Kab, {Kab, a} Kbp} Kap. Send to. Device a decrypts the message with Kap and sends {Kab, a} Kbp to device b. Device b decrypts the message with Kbp and obtains Kab. The generated nonce Nb is encrypted with the obtained Kab and sent to the device a. The device a decrypts the message, encrypts a value obtained by subtracting 1 from Nb in the received certificate, and sends it to the device b.

  In the first to third embodiments, the common key Kab is used for authentication of the authentication device A and the device to be authenticated B. However, in the authentication method using encryption, the authentication device A that is secretly passed. And the key of the device B to be authenticated may be held in one or both for authentication. If the public key mechanism is used, the public keys of the authentication device A and the device to be authenticated B may be used, and the secret key for the public key may be used for decryption.

  For example, there is an authentication method using public key cryptography as the ISO / IEC 9798-3 standard. When a one-way authentication method using a time stamp is used for authentication, the nonce N is not required. In CA (PKa), the public key PKa of the device a is included in the certificate of the device a. SIGN (Ta, b) PKa-1 performs a digital signature with the private key PKa-1 for the public key of the device a. The device a is authenticated by transmitting CA (PKa), Ta, b, and SIGN (Ta, b) PKa-1 to the device b. Here, Ta is a time stamp. “B” is an identification value indicating that the message is to the device b.

  In the example shown in FIG. 12, the nonce Nb of the device b is sent from the device b to the device a, and the device a sends a certificate CA (PKa) including the public key PKa of the device a to the device b, and a nonce Na of the device a. , Digitally sign the message identification value “b” and Na, Nb, “b” with the private key PKa-1 to CA (PKa), Na, b, SIGN (Na, Nb, b) PKa-1 is sent, and the device b sends to the device a a certificate CA (PKa) including the public key PKb of the device b, a value “a” for identifying the message to the device a, and Nb, Na, and a private key PKb. CA (PKb), a, SIGN (Nb, Na, a) PKb-1 are sent with a digital signature at -1. The information in parentheses indicates that it is encrypted by Kab.

  In the first to third embodiments described above, only authentication using message encryption with an encryption key has been taken up, but other than that, a hash system technique that is faster than encryption is used. There are also two-party authentication protocols.

  In the example shown in FIG. 13, the device a sends a non-encrypted nonce Na to the device b, and the device b uses the non-encrypted nonce Nb and the common key Kba for Na, Nb and “b”, and a high-speed hash. The processing using the system technology is sent to the device a, and the device a similarly sends Na and Nb after processing using the high-speed hash system technology.

  As described above, in the ISO / IEC standard example, there are various authentication methods using the nonce N except for the time stamp method.

It is a block block diagram which shows the structure of the secure communication method which is 1st Embodiment of this invention. It is a flowchart and sequence diagram of nonce generation and communication authentication in the secure communication system. It is a flowchart and sequence diagram of nonce generation and communication authentication in the secure communication system. It is a flowchart and sequence diagram of nonce generation and communication authentication in the secure communication system. It is a block block diagram which shows the structure of the secure communication method which is the 2nd Embodiment of this invention. It is a flowchart and sequence diagram of nonce generation and communication authentication in the secure communication system. It is a block block diagram which shows the structure of the secure communication method which is the 3rd Embodiment of this invention. It is a flowchart and sequence diagram of nonce generation and communication authentication in the secure communication system. It is a block block diagram which shows the structure of the secure communication system which is a modification of the 3rd Embodiment of this invention. It is a flowchart which shows an example of the mechanism which authenticates communication between two apparatuses. It is a flowchart which shows an example of the mechanism which authenticates communication between two apparatuses. It is a flowchart which shows an example of the mechanism which authenticates communication between two apparatuses. It is a flowchart which shows an example of the mechanism which authenticates communication between two apparatuses. It is a flowchart which shows the authentication protocol of the secure communication system which is a prior art example.

Explanation of symbols

A Authentication device B Device to be authenticated Ka Common key 1 Random number generation means 2 Nonce generation means 3 Nonce encryption / decryption means 4 Nonce transmission means 5 Reception nonce encryption / decryption means 6 Nonce return means 7 Time generation means 8 Reboot frequency detection means 11 Power supply 12 central processing unit 13 communication module 14 volatile memory 15 read-only storage device

Claims (4)

  A secure communication method in which an authentication device authenticates an authentication target device via a network, wherein the authentication device and the authentication target device hold a key used for the authentication in advance, and the authentication device generates a random number. Generating means, nonce generating means for generating a nonce, nonce encryption / decryption means for performing at least one of encryption of the nonce using the key or decryption of the encrypted nonce, and nonce or encrypted nonce A nonce transmitting means for transmitting to the device to be authenticated, the device to be authenticated encrypting using the key of the nonce transmitted from the authentication device or the encrypted nonce transmitted from the authentication device. A reception nonce encryption / decryption unit that performs decryption using the key, a nonce encrypted by the reception nonce encryption / decryption unit, or a nonce decrypted by the reception nonce encryption / decryption unit A random number generating means for generating a random number at least when the authentication apparatus is restarted. The nonce generating means The new nonce when an authentication device other than the initial value authenticates the device to be authenticated is to be generated by incrementing the nonce used for the previous authentication. A secure communication method.   A secure communication method in which an authentication device authenticates a device to be authenticated via a network. The authentication device and the device to be authenticated hold a key used for the authentication in advance, and the authentication device generates a current time. A time generation means for generating a nonce, a nonce generation means for generating a nonce, a nonce encryption / decryption means for performing at least one of encryption of the nonce using the key or decryption of the encrypted nonce, and nonce or encryption A nonce transmitting means for transmitting the nonce transmitted to the device to be authenticated, and the device to be authenticated is encrypted using the key of the nonce transmitted from the authentication device or the encrypted device transmitted from the authentication device. Received nonce encryption / decryption means for performing decryption using the nonce key and nonce encrypted by the received nonce encryption / decryption means or decrypted by the received nonce encryption / decryption means A nonce return means for transmitting a nonce to the authentication device, and the time generation means generates the current time at least when the authentication device is restarted. The nonce initial value is generated based on this, and the new nonce when the authentication device other than the initial value authenticates the device to be authenticated is generated by incrementing the nonce used in the previous authentication. There is provided a secure communication method.   A secure communication method in which an authentication device authenticates an authentication target device via a network, wherein the authentication device and the authentication target device hold a key used for the authentication in advance, and the authentication device generates a random number. Generating means, time generating means for generating a current time, nonce generating means for generating a nonce, and nonce encryption / decryption for performing at least one of encryption of a nonce using the key or decryption of an encrypted nonce And nonce transmitting means for transmitting the nonce or encrypted nonce to the device to be authenticated, and the device to be authenticated is an encryption or authentication device that uses the nonce key transmitted from the authentication device. A received nonce encryption / decryption means for performing decryption using the key of the encrypted nonce transmitted, and a nonce or reception node encrypted by the received nonce encryption / decryption means A nonce reply unit that transmits the nonce decrypted by the encryption / decryption unit to the authentication device, the random number generation unit generates a random number at least when the authentication device is restarted, and the time generation unit includes: At least when the authentication device is restarted, the current time is generated, and the nonce generation means uses the time generated by the time generation means as the upper digit of the nonce, and the random number generated by the random number generation means as the lower digit of the nonce Is used to generate an initial value of nonce, and a new nonce when an authentication device other than the initial value authenticates the device to be authenticated is generated by incrementing the nonce used for the previous authentication. A secure communication method, characterized by:   The authentication device includes a reboot frequency detecting unit that detects a restart frequency per predetermined time, and the nonce generating unit generates an initial nonce generated based on the restart frequency per predetermined time detected by the reboot frequency detecting unit. 4. The secure communication method according to claim 3, wherein the ratio of the number of digits of the upper and lower digits of the value is changed.

Images