JP2009060496A - Cipher protocol executing device, cipher protocol executing method and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To arbitrarily update or change a cipher protocol depending on an opposite party. <P>SOLUTION: A cipher protocol function executed by an application is transmitted to an execution-control module, an electronic signature in a definition file is verified and the definition file is stored when its validity can be confirmed. The definition file corresponding to the cipher protocol function executed by the application received by the execution-control module is read from the definition file and interpreted to generate a compiler description language, and the compiler description language is compiled and a practice file is generated. The execution-control module executs the cipher protocol function by the generated practice file. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a cryptographic protocol execution device, a cryptographic protocol execution method, and a program for executing a cryptographic protocol between entities.

  In recent years, various services using computers have been provided. In many services, an authentication protocol for authenticating a user and a key exchange protocol for exchanging a key for encryption are used.

Conventionally, in a system using such an authentication protocol or a key exchange protocol, it is almost always implemented one protocol. Moreover, when changing a protocol for every apparatus, the protocol had to be individually mounted by that amount (for example, refer to Patent Document 1). Moreover, when updating, all the programs had to be replaced. IPSEC and the like can use a plurality of protocols, but it cannot be said that an optimum protocol is derived, and the number of protocols that can be executed is very limited to about two.
JP 2004-112037 A

  In other words, the conventional technology as described above has a problem in that when a problem occurs in the protocol, all the execution programs must be replaced, which is very expensive. Also, when a defect is found in the cryptographic algorithm used by the cryptographic protocol, the protocol must be exchanged in the same manner. Furthermore, it has been impossible to dynamically change the protocol without replacing such a program.

  Therefore, the present invention has been made in view of the above-described problems, and provides a cryptographic protocol execution device, a cryptographic protocol execution method, and a program capable of arbitrarily updating or changing a cryptographic protocol by a communication partner. With the goal.

  The present invention proposes the following matters in order to solve the above problems.

  (1) The present invention is an execution / management module (for example, equivalent to the execution / management module 5 in FIG. 1) that receives an encryption protocol function that the application wants to execute from an application (for example, the application 6 in FIG. 1). From the definition file, a compiler language conversion module (for example, FIG. 1) that reads a definition file corresponding to a cryptographic protocol function that is received by the execution / management module and that the application wants to execute and interprets it. And a compiler module (for example, equivalent to the compiler module 4 in FIG. 1) that compiles the compiler description language to generate an executable file. Depending on the generated executable file, It proposes a cryptographic protocol execution device and executes the cryptographic protocol functions.

  According to the present invention, the execution / management module receives from the application the cryptographic protocol function that the application wants to execute, and the compiler language conversion module wants to execute the application received by the execution / management module from the definition file. Reads and interprets the definition file corresponding to the cryptographic protocol function to generate a compiler description language. Then, the compiler module compiles the compiler description language to generate an execution file, and executes the cryptographic protocol function using the execution file generated by the execution / management module. Therefore, the cryptographic protocol can be arbitrarily updated or changed according to a request from the application.

  (2) The present invention proposes an encryption protocol execution device characterized in that, for the encryption protocol execution device of (1), the definition file is composed of at least a function, data, an entity, and a flow.

  According to the present invention, the definition file includes at least functions, data, entities, and flows. Therefore, any protocol can be described easily.

  (3) The present invention proposes an encryption protocol execution device characterized in that an electronic signature is added to the definition file for the encryption protocol execution device of (1).

  According to the present invention, an electronic signature is added to the definition file. Therefore, the validity of the definition file can be confirmed by verifying the electronic signature.

  (4) The present invention proposes a cryptographic protocol execution device according to (1), wherein the definition file includes descriptions of both entities that execute the cryptographic protocol.

  According to the present invention, the definition file includes a description of both entities executing the cryptographic protocol. Therefore, a plurality of different execution modules are generated from one definition file.

  (5) The present invention proposes a cryptographic protocol execution device characterized in that, in the cryptographic protocol execution device of (1), the definition file is described in XML.

  According to the present invention, the definition file is described in XML. Therefore, it is readable for the user, is easy to edit, and has excellent versatility.

  (6) The present invention is characterized in that, for the cryptographic protocol execution device according to (5), the compiler language conversion module performs structure analysis and semantic analysis of a definition file described in XML to generate a source code. A cryptographic protocol execution device is proposed.

  According to the present invention, the compiler language conversion module performs structure analysis and semantic analysis of a definition file described in XML to generate a source code. In other words, in the structural analysis, the definition file described in XML data is decomposed into several blocks, and in the semantic analysis, the blocks are linked based on the common elements in the blocks decomposed by the structural analysis, Collect the data and flow required by the entity, store it again, and generate the source code.

  (7) The present invention proposes an encryption protocol execution device characterized in that the definition file collectively describes the same type of function definition for the encryption protocol execution device of (1).

  According to the present invention, the definition file collectively describes the same type of function definition. Therefore, this reduces the code size, so that redundancy can be suppressed.

  (8) The present invention verifies the first step (for example, equivalent to step S101 in FIG. 6) of transmitting the cryptographic protocol function that the application wants to execute to the execution / management module, and verifies the electronic signature in the definition file. And when the application received by the execution / management module from the definition file is executed by the second step of storing the definition file (for example, corresponding to step S102 in FIG. 6). A third step (for example, corresponding to step S103 in FIG. 6) of reading a definition file corresponding to the cryptographic protocol function to be read and interpreting it to generate a compiler description language, and generating an executable file by compiling the compiler description language A fourth step (e.g., corresponding to step S104 in FIG. 6) and the execution / management module And a fifth step (for example, corresponding to step S105 of FIG. 6) for executing the cryptographic protocol function by the generated executable file. Yes.

  According to the present invention, the cryptographic protocol function desired to be executed by the application is transmitted to the execution / management module, the electronic signature in the definition file is verified, and when the validity is confirmed, the definition file is stored. Then, the definition file corresponding to the cryptographic protocol function that the application received by the execution / management module wants to execute is read from the definition file, interpreted to generate a compiler description language, and the compiler description language is compiled to execute the execution file. Generate. The execution / management module executes the cryptographic protocol function using the generated execution file. Therefore, the cryptographic protocol can be arbitrarily updated or changed according to a request from the application.

  (9) The present invention verifies the electronic signature in the definition file and the first step (for example, equivalent to step S101 in FIG. 6) of transmitting to the execution / management module the cryptographic protocol function that the application wants to execute. When the validity is confirmed, the second step of storing the definition file (for example, corresponding to step S102 of FIG. 6) and the execution / management module received from the definition file A third step (for example, corresponding to step S103 in FIG. 6) that reads and interprets a definition file corresponding to the cryptographic protocol function that the application wants to execute to generate a compiler description language, and compiles and executes the compiler description language A fourth step (for example, corresponding to step S104 in FIG. 6) for generating a file, The execution and management module the generated executable file, proposes a program for executing a fifth step of executing the cryptographic protocol function (for example, corresponding to step S105 of FIG. 6) and, the.

  According to the present invention, the cryptographic protocol function desired to be executed by the application is transmitted to the execution / management module, the electronic signature in the definition file is verified, and when the validity is confirmed, the definition file is stored. Then, the definition file corresponding to the cryptographic protocol function that the application received by the execution / management module wants to execute is read from the definition file, interpreted to generate a compiler description language, and the compiler description language is compiled to execute the execution file. Generate. The execution / management module executes the cryptographic protocol function using the generated execution file. Therefore, the cryptographic protocol can be arbitrarily updated or changed according to a request from the application.

  According to the present invention, an authentication / key sharing protocol can be dynamically updated. Therefore, the protocol can be changed for each partner, or the protocol specification can be updated immediately when a security flow is found.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.
Note that the constituent elements in the present embodiment can be appropriately replaced with existing constituent elements, and various variations including combinations with other existing constituent elements are possible. Therefore, the description of the present embodiment does not limit the contents of the invention described in the claims.

<Configuration of cryptographic protocol execution device>
As shown in FIG. 1, the cryptographic protocol execution device according to the present embodiment includes a protocol definition file 1, an environment parameter acquisition module 2, a compiler language conversion module 3, a compiler module 4, an execution / management module 5, It consists of an application 6.

  The protocol definition file 1 is a file in which the specifications of the cryptographic protocol are described, and is described in a special description language for describing various definitions and execution steps related to the execution of processing according to the specifications of the cryptographic protocol. . In other words, the cryptographic protocol description language is composed of functions, data, entities, and flows so that any protocol can be described easily.

  In more detail, it consists of a protocol purpose description, an entity definition description, a data definition description, and a protocol definition description. The data definition description includes a function definition description. The protocol definition description is classified based on the XML description. As a result, it is easy for the user to edit, easy to edit, and versatile. In addition, an electronic signature is added to the protocol definition file 1. Therefore, the validity of the definition file can be confirmed by verifying the electronic signature.

  The environment parameter acquisition module 2 acquires various parameters required by the compiler language conversion module 3 and inputs them to the compiler language conversion module 3. It also mediates transmission and reception of protocol definition files. The compiler language conversion module 3 reads the protocol definition file 1 described in the protocol description language format and outputs an execution file.

  The execution / management module 5 executes the protocol by actually operating the generated execution module. Also, after compiling and executing the protocol, the result of OK / NG is returned to the application 6. The application 6 gives a protocol function (authentication and key sharing) to be executed to the compiler. Further, the application 6 can call the encryption algorithm with an interface common to each function (authentication protocol, key sharing protocol). Alternatively, the application 6 can be executed by giving a protocol definition file 1 name.

The cryptographic algorithm and the like execute a protocol by calling an external library. Therefore, the compiler module 4 reads and compiles the header file of the external library during the compilation process. Also, in order to compile the same protocol definition file in any environment, the header file format is shared. Specifically, the header files for the following functions are shared.
1) Common key encryption algorithm 2) Public key encryption algorithm 3) Digital signature algorithm 4) Hash function algorithm 5) Message authenticator generation algorithm 6) Key sharing algorithm 7) Random number generation algorithm

In addition, a common ID is assigned to the encryption algorithm so that the compiler module can identify which algorithm the header file is. The environment parameter acquisition module is called by the execution management module. The environment parameter acquisition function acquires the following parameters and returns the acquired parameters to the execution management module.
1) API (header file) of each cryptographic algorithm and function
2) File that stores data such as keys in advance 3) Protocol definition file 4) Classification of Initiator and Responder

  When one of the two entities transmits a protocol definition file and the other receives it, the transmitting side is an initiator and the receiving side is a responder. Usually, one entity makes a request for the protocol definition file 1 first, and the other module sends the protocol definition file 1. In the case of the client-server model, the client is a responder that receives the protocol definition file 1, and the server is an initiator that transmits the protocol definition file 1. Note that which is the initiator may be determined dynamically between entities separately.

<Functions of compiler language conversion module>
The processing configuration of the compiler language conversion module is as shown in FIG. 2, and the compiler language conversion module has a structure analysis function, a semantic analysis function, and various table generation functions.

  The structure analysis function analyzes the XML of the protocol definition file and generates a data table and an analysis table. Specifically, 1) node extraction, 2) data table record addition, 3) analysis table record addition, 4) data storage, and 5) data-list generation are executed.

  The structure analysis function analyzes the structure of the data table. Specifically, 1) syntax check and 2) data for storing the function execution result are added to the data table. In this process, data is performed first. The image after the structural analysis is shown in the upper right of FIG.

  The semantic analysis function performs semantic analysis on the data table and reflects it in the data table and the analysis table. Specifically, 1) data-list link generation, 2) relation check, and 3) analysis table entity item data generation are performed. This process is performed for each record of the flow table. The image after semantic analysis is shown in the lower right of FIG.

<Relationship between analysis table, data table, and source generation table>
The relationship between the analysis table, data table, and source generation table is shown in FIG.
The data table stores contents (data) obtained by actually analyzing the XML describing the protocol definition file. The data table has a relation relationship, and each table has data of an id field in order to refer to data of another table.

  The source generation table is a table used when the source is actually generated. The content is an index to the data table, and a pointer that directly refers to the data is prepared to facilitate the data reference. This table and data table are used together when generating the source.

  The content of the analysis table is an index to the data table, and a pointer for directly referring to the data is prepared in order to facilitate data reference. Also, the usage for each entity is checked to facilitate the construction of the source generation table.

  The data table has items of other tables by id, but the analysis table / source generation table directly has a pointer on the data table corresponding to id.

<Configuration of source generation table>
As shown in FIG. 4, the source generation table is made up of an algorithm table, Data, Function, Flow, and Script. The algorithm table provides a header file, Data is a variable declaration and initialization, Function is a function definition, Flow Gives the flow and Script gives the body to generate the source code. Specifically, the data, flow, and function required by the entity are stored in Data, Function, and Flow, respectively, and source code is generated. Although not shown, error processing may be added as necessary.

<Relationship between protocol definition file and each table>
FIG. 5 shows the relationship between the protocol definition file and each table. According to FIG. 5, a data table group is generated from the protocol definition file, and an analysis table is generated from the protocol definition file and the data table group.

  Further, a source code generation table group is generated from the analysis table and the data table group, and a source code is obtained from the source code generation table group. By compiling this source code, an execution program is generated.

<Processing of cryptographic protocol execution device>
Next, processing of the cryptographic protocol execution device will be described with reference to FIG.
First, the cryptographic protocol function (authentication protocol, key sharing protocol) that the application 6 wants to execute is transmitted to the execution / management module 5 (step S101). The compiler language conversion module 3 verifies the electronic signature in the protocol definition file 1 and stores the protocol definition file 1 when the validity is confirmed (step S102).

  A protocol definition file corresponding to a cryptographic protocol function desired to be executed by the application 6 received by the execution / management module 5 is read from the protocol definition file 1 and interpreted to generate a compiler description language (step 103).

  Then, the compiler module 4 compiles the compiler description language to generate an execution file (step S104), and executes the cryptographic protocol function using the execution file generated by the execution / management module 5 (step S105).

  Therefore, according to the present embodiment, the authentication / key sharing protocol can be dynamically updated. Therefore, when the protocol is changed for each partner or a security flow is found, the protocol specification is immediately updated. You will be able to.

<Example 1>
Hereinafter, as Example 1, the generation of functionInstance is shown by a specific example with reference to FIG.
First, one function is described for each record of the functionInstance-list in FIG. Then, the target record of the functionInstance table is acquired from the functionInstance-list of FIG. 7, and source code for calling the corresponding function is generated.

At this time, the source code is composed of the following elements.
1st line: Function declaration 2nd line: Function call

  The function name is acquired from the functionInstance table. The function name of the function to be called is generated from the data of the function table target record. The arguments are acquired from the data-list in the target record of the functionInstance table, and are first argument, second argument,. For the argument name, the data table target record is acquired from the data-list target record, and the contents of the label item are assigned to this. It should be noted that the description of the algorithm item in the function table does not match the description of the algorithm in the protocol definition file. For this correspondence, it is necessary to refer to the definition file.

As a result of the above processing, the following source code is obtained.
func_a () :: =
aaa_from (d1, func_b_ret, func_a_ret)

<Example 2>
Hereinafter, as a second embodiment, the generation of the flow will be described with a specific example with reference to FIG.
First, one function is described for each record of the flow-list in FIG. Then, the target record of the flow table is acquired from the flow-list of FIG. 8, and source code for calling the corresponding functionInstance and send or recv function is generated.

The source code consists of the following elements.
1) From:
1st line: Function declaration 2nd line and after: functionInstance function call Last line: send function call 2) To:
1st line: Function declaration 2nd line: recv function call 3rd line transition: functionInstance function call

  The function to be called is recursively acquired with all the descriptions of functionInstance-id in the data-list of the flow table target record and those with the description of functionInstance-id in the data-list of those functionInstances. .

  The function call order is from the deepest nesting. However, functions that are not related to each other need not be nested.

  The arguments are acquired from the data-list, and are first argument, second argument,... For the argument name, the data table target record is obtained from the data-list target record, and the contents of the label item are assigned to this.

As a result of the above processing, the following source code is obtained.
flow_1 () :: =
func_b ()
func_a ()
send (d1, func_a_ret)

  Note that the cryptographic protocol execution device of the present invention is realized by recording the processing of the cryptographic protocol execution device on a computer-readable recording medium, causing the cryptographic protocol execution device to read and execute the program recorded on the recording medium. be able to. The computer system here includes an OS and hardware such as peripheral devices.

  Further, the “computer system” includes a homepage providing environment (or display environment) if a WWW (World Wide Web) system is used. The program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line.

  The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, and what is called a difference file (difference program) may be sufficient.

  The embodiments of the present invention have been described in detail with reference to the drawings. However, the specific configuration is not limited to the embodiments, and includes designs and the like that do not depart from the gist of the present invention.

It is a block diagram of the encryption protocol execution apparatus which concerns on this embodiment. It is a figure which shows the function of the compiler language conversion module which concerns on this embodiment. It is a figure which shows the relationship between the analysis table which concerns on this embodiment, a data table, and a source generation table. It is a figure which shows the structure of the source generation table which concerns on this embodiment. It is a figure which shows the relationship between the protocol definition file which concerns on this embodiment, and each table. It is a processing flow of the encryption protocol execution apparatus which concerns on this embodiment. FIG. 3 is a diagram illustrating an outline of processing according to the first embodiment. FIG. 10 is a diagram illustrating an outline of processing according to a second embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 ... Protocol definition file, 2 ... Environment parameter acquisition module, 3 ... Compiler language conversion module, 4 ... Compiler module, 5 ... Execution management module, 6 ... Application

Claims (9)

An execution / management module that receives from the application a cryptographic protocol function that the application wants to execute;
A compiler language conversion module that reads a definition file corresponding to a cryptographic protocol function that the application received by the execution / management module wants to execute from a definition file, interprets it, and generates a compiler description language;
A compiler module that compiles the compiler description language to generate an executable file,
An encryption protocol execution apparatus, wherein the execution / management module executes the encryption protocol function by using the generated execution file.   2. The cryptographic protocol execution apparatus according to claim 1, wherein the definition file includes at least a function, data, an entity, and a flow.   The cryptographic protocol execution apparatus according to claim 1, wherein an electronic signature is added to the definition file.   2. The cryptographic protocol execution apparatus according to claim 1, wherein the definition file includes descriptions of both entities that execute the cryptographic protocol.   2. The cryptographic protocol execution apparatus according to claim 1, wherein the definition file is described in XML.   6. The cryptographic protocol execution apparatus according to claim 5, wherein the compiler language conversion module generates a source code by performing structure analysis and semantic analysis of a definition file described in XML.   2. The cryptographic protocol execution apparatus according to claim 1, wherein the definition file collectively describes function definitions of the same type. A first step of transmitting to the execution / management module a cryptographic protocol function that the application wants to execute;
A second step of verifying the electronic signature in the definition file and storing the definition file when the validity is confirmed;
A third step of reading a definition file corresponding to a cryptographic protocol function received by the execution / management module from the definition file and interpreting it to generate a compiler description language;
A fourth step of compiling the compiler description language to generate an executable file;
A fifth step in which the execution / management module executes the cryptographic protocol function by the generated execution file;
A cryptographic protocol execution method characterized by comprising: On the computer,
A first step of transmitting to the execution / management module a cryptographic protocol function that the application wants to execute;
A second step of verifying the electronic signature in the definition file and storing the definition file when the validity is confirmed;
A third step of reading a definition file corresponding to a cryptographic protocol function received by the execution / management module from the definition file and interpreting it to generate a compiler description language;
A fourth step of compiling the compiler description language to generate an executable file;
A fifth step in which the execution / management module executes the cryptographic protocol function by the generated execution file;
A program for running

Images