JP2009105824A - Encrypted message transmitting/receiving method, sender apparatus, recipient apparatus, encrypted message transmitting/receiving system and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To prevent an encrypted sentence from being decrypted by a key server regarding continuous messages between a sender and a recipient without requiring pre-setting for the recipient. <P>SOLUTION: A sender apparatus 1 calculates a temporary shared key from an identifier of a recipient and a private key of a sender, uses this shared key to encrypt a transmission message and transmits it to a recipient apparatus 2 together with a public key of the sender. When a key server 3 successfully authenticates the recipient apparatus 2, a specific key of the recipient is transmitted to the recipient apparatus 2, the recipient apparatus 2 calculates a temporary shared key from the specific key of the recipient and the public key of the sender, and decrypts the message. The recipient apparatus 2 calculates a shared private key from the public key of the sender and a private key of the recipient and transmits a public key of the recipient to the sender apparatus 1. The sender apparatus 1 calculates the same shared private key from the public key of the recipient and the private key of the sender. The sender apparatus 1 and the recipient apparatus 2 use the shared private key to encrypt or decrypt messages transmitted/received continuously. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to an encrypted message transmission / reception method, a communication device, an encrypted message transmission / reception system, and a program for transmitting and receiving an encrypted electronic mail.

  In recent years, various methods for encrypting messages transmitted and received by electronic mail have been considered.

  For example, in S / MIME (Secure Multi-purpose Internet Mail Extension: RFC3850, 3851), as a preset, an e-mail recipient (hereinafter referred to as a recipient) generates a pair of a secret key and a public key in advance. The certificate authority issues and publishes a public key certificate corresponding to the generated public key. The sender of the email (hereinafter referred to as the sender) obtains the recipient's public key certificate, encrypts the message using the recipient's public key contained in the obtained public key certificate, Send to recipient. The receiver decrypts the received ciphertext using his / her private key.

  Identity Based Encryption (hereinafter referred to as IBE) has been considered as a technique for transmitting encrypted mail without the recipient's prior setting such as preparation of a public key certificate (see Non-Patent Document 1, for example).

  In IBE, a sender generates an encryption key from a known receiver identifier (for example, an e-mail address), so that the receiver generates a key beforehand and transmits a public key certificate. Notification to the person is no longer necessary.

  FIG. 7 is a sequence diagram for explaining the IBE processing.

In IBE, a key server exists in addition to a sender and a receiver. The key server generates a secret parameter s and public parameters P and sP, and discloses the public parameters P and sP. Here, P is a point on the elliptic curve E. E is assumed to be public. Further, sP represents a point that is s times the point P. The sender generates a random number r, generates an encryption key K1 = e (Q, sP) ^ r and a public key rP from the receiver identifier ID _B and the public parameter sP, and uses the encryption key K1. And encrypts the message and sends it to the recipient along with the public key rP. Here, Q is a point on the elliptic curve E and is calculated as Q = F (ID _B ) using a predetermined function F. Further, e (•, •) is a pairing operation on the elliptic curve E, and e (Q, sP) ＾ r represents e (Q, sP) to the power of r. The pairing calculation satisfies e (Q1 + Q2, P) = e (Q1, P) · e (Q2, P) and e (Q, P1 + P2) = e (Q, P1) · e (Q, P2). . From this, e (aQ, bP) = e (Q, P) ^ ab = e (bQ, aP) is derived.

The receiver who has received the ciphertext requests the receiver's unique key from the key server, and the key server uses the receiver's unique key sQ = s · F (ID _B ) from the secret parameter s and the receiver identifier ID _B. Is calculated and sent to the recipient.

  The receiver calculates an encryption key e (sQ, rP) = e (Q, sP) ^ r = K1 from the unique key sQ of the receiver received from the key server and the public key rP received from the sender. The ciphertext is decrypted using the encryption key K1.

As described above, in IBE, it is possible to send an encrypted mail without generating a key in advance on the receiver side or notifying the sender of a public key certificate.
Dan Boneh and Matthew Franklin, "Identity-Based Encryption from the Weil Pairing", Extended abstract in proceedings of Crypto 2001, LNCS Volume 2139, Springer-Verlag, pp. 213-229, 2001.

  In IBE described in Non-Patent Document 1, an encryption key can be shared between a sender and a receiver by transmitting and receiving messages. For this reason, it is possible to encrypt a continuous message exchanged between the sender and receiver after the first message, such as a reply message, using the shared encryption key. However, since the receiver's unique key for calculating the shared encryption key is generated by the key server, the key server can calculate the shared encryption key between the sender and the receiver as well as the receiver. Therefore, the message can be decrypted by intercepting the communication contents between the sender and the receiver in the key server, and there is a problem that there is a risk of eavesdropping and information leakage by the key server administrator.

  It is an object of the present invention to provide an easy-to-use and safer encrypted message transmission / reception method that does not require prior setting of a receiver as in IBE and that cannot decrypt a ciphertext by a key server for a message that continues between the sender and receiver, and a sender An apparatus, a receiver apparatus, an encrypted message transmission / reception system, and a program are provided.

In order to achieve the above object, the present invention provides:
An encrypted message transmission / reception method for encrypting and transmitting a message at a sender device and decrypting the encrypted message at a receiver device,
The sender device generating a key pair composed of a public key and a secret key of a sender who sends the message using the sender device;
The sender device calculating a temporary shared key based on the sender's private key and the identifier of the recipient receiving the message using the recipient device;
The sender device encrypts the message using the temporary shared key and calculates ciphertext;
The sender device transmitting the ciphertext and the sender's public key to the recipient device;
Receiving the ciphertext and the sender's public key, transmitting the receiver's identifier to a key server connected to the sender device and the receiver device;
The key server calculating a unique key of the recipient based on the identifier of the recipient;
The key server transmitting the recipient's unique key to the recipient device;
The recipient device calculating the temporary shared key based on the recipient's unique key received from the key server and the sender's public key received from the sender device;
The receiver device uses the temporary shared key to decrypt the ciphertext received from the sender device and calculate a message;
The recipient device generating a key pair comprising a public key and a private key of the recipient;
The recipient device calculating a shared secret key from the recipient's secret key and the sender's public key;
The recipient device transmitting the recipient's public key to the sender device;
The sender device having received the recipient's public key from the recipient device calculates the shared secret key from the recipient's public key and the sender's secret key.

  The sender device calculates a temporary shared key between the sender and receiver from the identifier of the receiver and the sender's private key, encrypts the transmission message using this, and sends it to the receiver device together with the sender's public key. Send. If the validity of the recipient device can be guaranteed, such as when the key server authenticates the recipient device, the recipient's unique key is sent to the recipient device, and the recipient device receives the recipient's unique key and the sender's public key The temporary shared key is calculated from the message and the message is decrypted. The receiver apparatus calculates a shared secret key from the sender's public key and the receiver's private key, and transmits the receiver's public key to the sender apparatus. The sender device calculates the same shared secret key from the recipient's public key and the sender's secret key. Messages that are continuously transmitted and received between the sender device and the receiver device are encrypted and decrypted using the shared secret key.

  According to the present invention, since the encrypted mail can be transmitted without the prior setting of the receiver, the sender does not consider the environment of the receiver and also encrypts the receiver who has not exchanged mail until now. You can send an email. In addition, since messages that are exchanged between the sender and receiver after the first message sent from the sender to the receiver, such as a reply message, cannot be decrypted by the key server, messages can be sent and received without worrying about information leakage. It becomes possible.

  Embodiments of the present invention will be described below with reference to the drawings.

  FIG. 1 is a diagram showing an embodiment of an encrypted message transmission / reception system of the present invention.

  As shown in FIG. 1, this embodiment includes a sender device 1, a recipient device 2, and a key server 3, which are connected to each other via a communication network 4. Thereby, the sender apparatus 1, the receiver apparatus 2, and the key server 3 can communicate with each other.

  The sender apparatus 1 is an apparatus possessed by an e-mail sender (for example, sender A) such as a mobile phone, a PDA (Personal Digital Assistants), or a personal computer. In this embodiment, the sender apparatus 1 is a communication apparatus that is a communication partner for the receiver apparatus 2.

  The recipient device 2 is a device possessed by an email recipient (for example, recipient B) such as a mobile phone, a PDA (Personal Digital Assistants), or a personal computer. In this embodiment, the receiver device 2 is a communication device that is a communication partner for the transmitter device 1.

  The key server 3 performs key generation, management, and the like.

  The communication network 4 is, for example, a network such as the Internet or a corporate network.

  Although FIG. 1 shows a mode in which the number of sender devices 1 and the number of recipient devices 2 are each one, there may be a mode in which there are a plurality of each.

  FIG. 2 is a block diagram showing a configuration of the sender device 1 shown in FIG.

  As shown in FIG. 2, the sender apparatus 1 shown in FIG. 1 includes a network interface unit 11, a user interface unit 12, a storage unit 13, and a control unit 14.

  The network interface unit 11 performs communication with external devices such as the recipient device 2 and the key server 3.

  The user interface unit 12 has an interface function with the sender A who is a user and is a pointing device such as a display, a keyboard, and a mouse for inputting and outputting.

  The storage unit 13 includes a mailer program 13A that performs mail processing, an encryption / decryption program 13B that encrypts / decrypts messages to be transmitted / received, and a key information database 13C that stores keys used for encryption / decryption. It is configured.

  The control unit 14 controls the network interface unit 11, the user interface unit 12, and the storage unit 13 to cause the sender device 1 to perform operations necessary for transmission / reception of encrypted mail.

  FIG. 2 shows only the components related to the present invention.

  FIG. 3 is a block diagram showing a configuration of the recipient device 2 shown in FIG.

  As shown in FIG. 3, the recipient device 2 shown in FIG. 1 includes a network interface unit 21, a user interface unit 22, a storage unit 23, and a control unit 24.

  The network interface unit 21 performs communication with external devices such as the sender device 1 and the key server 3.

  The user interface unit 22 has a function of interfacing with the recipient B who is a user, and is a display device for performing input / output, a pointing device such as a keyboard, a mouse, or the like.

  The storage unit 23 includes a mailer program 23A for performing mail processing, an encryption / decryption program 23B for encrypting / decrypting messages to be transmitted / received, a key information database 23C for storing keys used for encryption / decryption, It consists of authentication information 23D which is information necessary for authentication. The authentication information 23D is necessary for authentication performed by the receiver device 2 on the key server 3 in order to have the key server 3 issue a unique key of the receiver B necessary for decrypting the message transmitted from the sender A. Information.

  The control unit 24 controls the network interface unit 21, the user interface unit 22, and the storage unit 23, and causes the recipient device 2 to perform operations necessary for sending and receiving encrypted mail.

  FIG. 3 shows only the components related to the present invention.

  FIG. 4 is a block diagram showing a configuration of the key server 3 shown in FIG.

  As shown in FIG. 4, the key server 3 shown in FIG. 1 includes a network interface unit 31, a key generation unit 32, an authentication unit 33, a storage unit 34, and a control unit 35.

  The network interface unit 31 performs communication with external devices such as the sender device 1 and the receiver device 2.

  The key generation unit 32 generates a unique key for the receiver B.

  The authentication unit 33 authenticates the receiver B necessary for notifying the receiver B of the unique key.

  The storage unit 34 includes a public parameter 34A, an authentication information database 34B, and a secret parameter 34C. The public parameter 34A is a public parameter necessary for the sender A to calculate the temporary shared key K1. The authentication information database 34B stores information necessary for authenticating the receiver B by the authentication unit 33. The secret parameter 34C is a parameter necessary for the key generation unit 32 to generate the unique key of the receiver B.

  The control unit 35 controls the network interface unit 31, the key generation unit 32, the authentication unit 33, and the storage unit 34, and generates and manages public parameters, secret parameters, and a unique key of the receiver B in the key server 3. And transmission.

  The encrypted message transmission / reception method in the form shown in FIG. 1 will be described below.

  FIG. 5 is a sequence diagram for explaining the encrypted message transmission / reception method in the form shown in FIG. Here, the sender A who owns the sender apparatus 1 encrypts and transmits a message to the receiver B who owns the receiver apparatus 2, and sends a reply to the transmitted message from the receiver apparatus 2 to the sender apparatus 1. A case where data is encrypted and transmitted will be described as an example.

  First, as a preliminary preparation, the key server 3 generates a random number s and stores it in the secret parameter 34C of the storage unit 34. Further, sP is calculated, and sP and P are stored in the public parameter 34A of the storage unit 34. Here, P is a point on the elliptic curve E, and the elliptic curve E is open to the public. Further, sP represents a point that is s times the point P.

  The sender apparatus 1 acquires sP and P stored in the public parameter 34A from the key server 3 via the network interface unit 11 (step 100).

The sender device 1 that has acquired sP and P starts the mailer program 13A from the storage unit 13 and displays on the user interface unit 12 a prompt to input a message to be transmitted to the receiver B. When the sender A inputs the message M1 using the user interface unit 12 in accordance with the display (step 101), the sender apparatus 1 calculates Q = F (ID _B ) using a predetermined function F. (Step 102). Here, Q is a point on the elliptic curve E, and ID _B is an identifier such as an e-mail address of the recipient B.

Thereafter, the control unit 14 of the sender device 1 generates an integer KS _A = r that is a secret key, and stores the generated secret key KS _A = r and the identifier ID _B of the receiver B in the key information database 13C. (Step 103).

Table 1 is a table showing an example of the key information database 13C stored and the identifier ID _B of the receiver B and the private key r.

Further, the control unit 14 of the sender apparatus 1 calculates a temporary shared key K1 = e (Q, sP) ^ KS _A using the secret key KS _A (step 104). Here, e (•, •) is a pairing operation on the elliptic curve E. E (Q, sP) ^ KS _A represents e (Q, sP) raised to the KS _A power.

  Subsequently, the control unit 14 of the sender device 1 reads the encryption / decryption program 13B from the storage unit 13, encrypts the message M1 using the read encryption / decryption program 13B and the shared key K1, and encrypts the message M1. A sentence C1 = E (K1, M1) is obtained (step 105). Here, E (•, •) is a function representing encryption by common key encryption with the first argument as a key and the second argument as plain text.

Further, the control unit 14 of the sender apparatus 1 calculates the public key KP _A = KS _A · P = rP using the secret key KS _A (step 106). As a result, a key pair of the secret key KS _A generated at step 103 and the public key KP _A calculated at step 106 is generated.

When the public key KP _A is calculated, the control unit 14 of the sender device 1 uses the network interface unit 11 to send the ciphertext C1, the identifier ID _A of the sender _A, and the public key KP _A to the receiver. It transmits to the apparatus 2 (step 107). Here, the identifier ID _A of the sender A is an e-mail address of the sender A, for example. The transmission of ID _A may be omitted by using the public key KP _A instead of the identifier ID _A.

The control unit 24 of the receiver apparatus 2 that has received the ciphertext C1, the identifier ID _A of the sender A, and the public key KP _A of the sender _A at the network interface unit 21 receives the ID _A and KP _A. The associated information is stored in the key information database 23C of the storage unit 23 (step 108).

Table 2 is a table showing an example of the key information database 23C in which the public key KP _A of the sender A and the identifier ID _A of the sender _A are stored.

The control unit 24 of the receiver device 2 reads the authentication information 23D stored in the storage unit 23, and the read authentication information 23D and the identifier ID _B of the receiver B are transmitted to the key server 3 by the network interface unit 21. Transmit and request the receiver B's unique key (step 109). Here, instead of transmitting the authentication information directly, information generated from the authentication information may be transmitted.

The authentication unit 33 of the key server 3 that has received the request for the unique key from the receiver device 2 receives the received authentication information, the identifier ID _B, and the information stored in the authentication information database 34B of the storage unit 34. User B is authenticated (step 110). For this authentication, for example, a method using an ID and a password, or any authentication method may be used without being limited thereto. Here, when the setting necessary for the authentication of the receiver B is not made in the key server 3, the receiver device 2 may access the key server 3 and perform the setting necessary for the authentication.

When the authentication of the receiver B is successful, the key generation unit 32 of the key server 3 calculates Q = F (ID _B ) (step 111), and based on the calculated Q, the unique key sQ of the receiver B Is calculated (step 112). The network interface unit 31 of the key server 3 transmits the calculated unique key sQ of the receiver B to the receiver device 2 (step 113).

The control unit 24 of the receiver device 2 that has received the receiver B's unique key sQ is a temporary shared key e (from the received receiver B's unique key sQ and the sender A's public key KP _A. sQ, KP _A ) is calculated (step 114). Here, from the nature of the pairing operation, e (sQ, KP _A ) = e (sQ, rP) = e (Q, sP) ^ r = e (Q, sP) ^ KS _A = K1. The control unit 24 of the receiver device 2 reads the encryption / decryption program 23B from the storage unit 23, and uses the read encryption / decryption program 23B and the calculated temporary shared key K1 to generate a ciphertext. The message D (K1, C1) = M1 is calculated (decoded) from C1 (step 115). The control unit 24 of the receiver apparatus 2 reads the mailer program 23A from the storage unit 23, and displays the calculated (decrypted) message M1 on the user interface unit 22 using the read mailer program 23A (step 116). . Here, D (•, •) is a function representing decryption by common key encryption with the first argument as a key and the second argument as ciphertext.

Then, the control unit 24 of the recipient apparatus 2, as in step 103 in the sender apparatus 1, generates an integer KS _B = q as the recipient's private key B (step 117).

Further, the control unit 24 of the receiver device 2 uses the generated secret key KS _B and the public key KP _A of the sender A transmitted from the transmitter device 1 between the sender A and the receiver B. The shared secret key K = KS _B · KP _A = q · (rP) is calculated. The control unit 24 of the receiver apparatus 2 stores the calculated K and KS _B = q in an entry including ID _A as a partner identifier in the key information database 23C (step 118). That is, the partner identifier and the shared secret key are stored in association with each other.

Table 3 is a table showing an example of the key information database 23C in which K and q are stored in an entry including ID _A as a partner identifier.

In addition, the control unit 24 of the receiver device 2 calculates the public key KP _B = qP of the receiver B using the secret key KS _B of the receiver B (Step 119). As a result, a key pair of the secret key KS _B generated at step 117 and the public key KP _B calculated at step 119 is generated. The calculated public key KP _B of the recipient B and the identifier ID _B of the recipient B are transmitted to the sender device 1 using the network interface unit 21 (step 120). The transmission / reception in step 120 is automatically performed by the mailer programs 23A and 13A, but this operation may be performed manually by the receiver B or the sender A.

The control unit 14 of the sender apparatus 1 that has received the identifier ID _B of the receiver B and the public key KP _B of the receiver B by the network interface unit 11 uses the received identifier ID _B of the receiver _B as a key as a key information database. The 13C entry is searched, and the private key KS _A = r of the sender A generated by itself is read from the corresponding entry. The control unit 14 of the sender device 1 uses the read secret key KS _A of the sender _A and the public key KP _B of the recipient B received from the receiver device 2 to The shared secret key KS _A · KP _B = r · (qP) = q · (rP) = K is calculated. The control unit 14 of the sender device 1 stores the calculated K in an entry including ID _B as a partner identifier in the key information database 23C (step 121). That is, the partner identifier and the shared secret key are stored in association with each other. At this time, the status information of the corresponding entry is changed to “key shared”. Here, since the values of K calculated in step 118 and step 121 are the same, the shared secret key K can be shared between the sender device 1 and the receiver device 2.

Also, P a point on an elliptic curve, a public key KP _B = qP recipient B, and the public information such as a public key KP _A = rP sender A, to calculate the secret key q and r and shared secret key K Is known to be difficult. Therefore, it is difficult for a third party to calculate plaintext from public information and ciphertext.

After calculating the shared secret key K, the sender apparatus 1 transmits key sharing confirmation information and the identifier A of the sender _A to the receiver apparatus 2 (step 122). This confirmation information is, for example, information that can be confirmed to be correctly decrypted using K.

Confirmation information and sender A control unit 24 of the recipient apparatus 2 the identifier ID has been received as _A confirms the confirmation information (for example, decrypted using the K), the other party identifier in the key information database 23C The status of the entry whose ID is ID _A is changed to “key shared”.

  Thereafter, encryption communication is possible between the sender apparatus 1 and the receiver apparatus 2 using the shared secret key K. For example, in the case where the reply message M2 for the message M1 is subsequently encrypted and transmitted from the receiver apparatus 2 to the sender apparatus 1, the procedure is as follows.

In the receiver device 2, the mailer program 23A causes the user interface unit 22 to display a reply message from the receiver B to the sender A. Accordingly, when the receiver B inputs the reply message M2 using the user interface unit 22 (step 123), the control unit 24 of the receiver device 2 uses the shared secret key K and the encryption / decryption program 23B. The ciphertext C2 = E (K, M2) for the reply message M2 is calculated (step 124). The control unit 24 of the receiver apparatus 2 transmits the calculated ciphertext C2 and the identifier ID _B of the receiver _B to the transmitter apparatus 1 using the network interface unit 21 (step 125).

The sender apparatus 1 that has received the identifier ID _B and the ciphertext C2 of the receiver _B searches for an entry from the key information database 13C using ID _B as a search key. Using the shared secret key K in the retrieved entry and the encryption / decryption program 13B read from the storage unit 13, the reply message D (K, C2) = M2 is calculated (decrypted) from the ciphertext C2. (Step 126). The control unit 14 of the sender device 1 displays the calculated (decrypted) reply message M2 on the user interface unit 12 using the mailer program 13A (step 127).

  As described above, the shared secret key K can be used for encrypted communication that is subsequently performed between the sender A and the receiver B (step 128).

  In the above-described example, the case where a message is returned from the receiver B to the sender A after step 123 has been described. However, the same applies to the case where a new message is transmitted from the sender A to the receiver B.

  In the following, another example of the encrypted message transmission / reception method in the form shown in FIG. 1 will be described.

FIG. 6 is a sequence diagram for explaining another example of the encrypted message transmission / reception method in the form shown in FIG. In this example, in the method described with reference to FIG. 5, the step 120 for transmitting the public key KP _B from the receiver device 2 to the sender device 1 and the step 125 for transmitting the ciphertext C2 are performed simultaneously. . The same processing is performed up to step 119. In addition, for the processes after step 119, the same processes as those described with reference to FIG. 5 are given the same step numbers, and the description thereof is omitted.

  When the receiver B inputs the reply message M2 to the receiver device 2 (step 123), the control unit 24 of the receiver device 2 calculates the ciphertext C2 for the reply message M2 (step 124).

Then, the control unit 24 of the receiver device 2 uses the network interface unit 21 to transmit the identifier ID _B of the receiver _B , the public key KP _B, and the ciphertext C2 to the transmitter device 1 (step 129). ).

  Thereafter, the sender device 1 calculates a shared secret key K (step 121), and transmits a key sharing confirmation message to the receiver device 2 (step 122). Note that the process of step 122 can be omitted. Further, the sender device 1 decrypts the reply message M2 from the ciphertext C2 (step 126), and displays the computed reply message M2 on the user interface unit 12 using the mailer program 13A (step 127). ).

  The encryption / decryption program 23B stored in the storage unit 23 of the receiver device 2 is downloaded as necessary when the receiver device 2 acquires the unique key sQ of the receiver B from the key server 3. May be. In this case, prior acquisition / setting of the encryption / decryption program 23B is not necessary.

In addition, when the receiver device 2 communicates with the key server 3, authentication and encryption are performed as necessary. However, when the key server 3 knows the recipient B's destination (e-mail address or the like), the authentication may be replaced by the following method. The key server 3 that has received the identifier ID _B of the receiver B from the receiver device 2 obtains the destination of the receiver _B that is uniquely determined from the identifier ID _{B of the} receiver B, and receives the unique key sQ of the receiver B to this destination. Is transmitted to guarantee the validity of the receiver B. The key server 3 may store the correspondence between the identifier ID _B of the recipient B and the destination of the recipient B in advance in the authentication information database 34B of the storage unit 34 or the like.

In the above embodiment, the shared secret key K is calculated by K = KS _A · KP _B = KS _B · KP _{A, which} is calculated as f (KS _A , KP _B ) = f (KS _B , KP _A ), the value of f is difficult to calculate from KP _A and KP _B, and the function f is difficult to calculate KS _A and KS _B from the value of f and KP _A , KP _B. , K = f (KS _A , KP _B ) = f (KS _B , KP _A ) may be calculated.

  Further, in the transmission / reception of the encrypted message between the sender apparatus 1 and the receiver apparatus 2, the following confirmation may be performed. Send a challenge c (eg, a random number) from sender A to receiver B in one round (eg, round N), and key c from receiver B to sender A in the next round (eg, round N + 1) E (K, c) encrypted in (1) is returned as a response. By confirming this relationship, the sender A can prove that the sharing of the key K between the sender A and the receiver B is correctly completed.

  In each step described above, the order of execution between steps that are not dependent on each other may be interchanged.

  In the above-described embodiment, the transmitter apparatus 1 and the receiver apparatus 2 have been described as separate communication apparatuses. However, it goes without saying that each communication apparatus may have one function.

  Further, as an embodiment of the present invention, e-mail encryption has been described as an example. However, the present invention is not limited to e-mail. For example, characters such as IM (Instant Massaging), chat, push-to-talk, Applicable to voice and image communication services.

  Further, the sender device 1, the receiver device 2, and the key server 3 described above record a program for realizing the functions in a computer-readable recording medium, and the program recorded in the recording medium. The program may be read by a computer and executed. The computer-readable recording medium refers to a recording medium such as a flexible disk, a magneto-optical disk, and a CD-ROM, and a storage device such as a hard disk device built in the computer system. Further, the computer-readable recording medium is a computer that dynamically holds the program for a short time (transmission medium, transmission wave) as in the case of transmitting the program via the Internet, and the computer that serves as the server in that case Some of them hold programs for a certain period of time, such as the volatile memory inside. Here, the computer is the sender device 1, the recipient device 2, and the key server 3.

  As described above, in the present invention, since the encrypted mail can be transmitted without the prior setting of the receiver, the sender does not consider the environment of the receiver, and so far between the sender and the sender. Encrypted mail can be sent to a recipient who has never sent or received an e-mail. Also, messages sent and received between the sender and receiver after the first message sent from the sender to the receiver, such as a reply message, cannot be decrypted by the key server, so there is no worry about information leakage, etc. Transmission and reception are possible.

It is a figure which shows one Embodiment of the encryption message transmission / reception system of this invention. It is a block diagram which shows the structure of the sender | transmitter apparatus shown in FIG. It is a block diagram which shows the structure of the receiver apparatus shown in FIG. It is a block diagram which shows the structure of the key server shown in FIG. It is a sequence diagram for demonstrating the encryption message transmission / reception method in the form shown in FIG. It is a sequence diagram for demonstrating the other example of the encryption message transmission / reception method in the form shown in FIG. It is a sequence diagram for demonstrating the process of IBE.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Sender apparatus 2 Receiver apparatus 3 Key server 4 Communication network 11, 21, 31 Network interface part 12, 22 User interface part 13, 23, 34 Storage part 13A, 23A Mailer program 13B, 23B Encryption / decryption program 13C, 23C Key information database 14, 24, 35 Control unit 23D Authentication information 32 Key generation unit 33 Authentication unit 34A Public parameter 34B Authentication information database 34C Secret parameter

Claims (9)

An encrypted message transmission / reception method for encrypting and transmitting a message at a sender device and decrypting the encrypted message at a receiver device,
The sender device generating a key pair composed of a public key and a secret key of a sender who sends the message using the sender device;
The sender device calculating a temporary shared key based on the sender's private key and the identifier of the recipient receiving the message using the recipient device;
The sender device encrypts the message using the temporary shared key and calculates ciphertext;
The sender device transmitting the ciphertext and the sender's public key to the recipient device;
Receiving the ciphertext and the sender's public key, transmitting the receiver identifier to a key server connected to the receiver device via a communication network;
The key server calculating a unique key of the recipient based on the identifier of the recipient;
The key server transmitting the recipient's unique key to the recipient device;
The recipient device calculating the temporary shared key based on the recipient's unique key received from the key server and the sender's public key received from the sender device;
The receiver device uses the temporary shared key to decrypt the ciphertext received from the sender device and calculate a message;
The recipient device generating a key pair comprising a public key and a private key of the recipient;
The recipient device calculating a shared secret key from the recipient's secret key and the sender's public key;
The recipient device transmitting the recipient's public key to the sender device;
Encrypted message transmission / reception in which the sender device that has received the recipient's public key from the recipient device calculates the shared secret key from the recipient's public key and the sender's private key Method. The encrypted message transmission / reception method according to claim 1,
The key pair generated by the sender device is a pair of a random number r generated as a secret key and a public key rP that is an r multiple of a point P on the disclosed elliptic curve E,
The step of calculating a temporary shared key by the sender device is performed by multiplying a secret parameter s by a point Q corresponding to the identifier of the receiver on the E by a predetermined function, and the key server multiplying the point P by the secret parameter s. A step of calculating e (Q, sP) ^ r using a public point sP, the sender's private key r, and a pairing operation e on E,
The unique key of the receiver is a point sQ obtained by multiplying the point Q, which corresponds to the identifier of the receiver on the E by a predetermined function, by s,
The step of calculating a temporary shared key by the receiver device is a step of calculating e (sQ, rP) using the receiver's unique key sQ, the sender's public key rP, and the pairing operation e. It is characterized by
The key pair generated by the receiver is a pair of a random number q generated as a secret key and a public key qP that is a point q times the point P,
The step of calculating the shared secret key by the receiver device is a step of calculating q · (rP) = rqP from the receiver secret key q and the sender public key rP,
The step of calculating a shared secret key by the sender device is a step of calculating r · (qP) = rqP from the public key qP of the receiver and the secret key r of the sender. Message transmission / reception method. The encrypted message transmission / reception method according to claim 1 or 2,
The encrypted message transmission / reception method further comprising the step of encrypting and transmitting / receiving a continuous message between the sender apparatus and the receiver apparatus using the shared secret key. The encrypted message transmission / reception method according to any one of claims 1 to 3,
The step of transmitting the receiver identifier to the key server by the receiver device is transmitted together with the authentication information of the receiver,
The step of transmitting the recipient's unique key to the recipient device is performed by authenticating the recipient based on the authentication information, and only when the authentication is successful. An encrypted message transmission / reception method characterized by transmitting. A sender device that encrypts a message and sends it to a recipient device,
A network interface;
Means for generating a key pair comprising a public key and a private key of a sender who transmits the message using the sender device;
Means for calculating a temporary shared key based on the sender's private key and the identifier of the recipient receiving the message using the recipient device;
Means for encrypting the message using the calculated temporary shared key to obtain a ciphertext;
Means for transmitting the ciphertext and the sender's public key to the recipient device via the network interface;
Means for receiving the recipient's public key from the recipient device via the network interface;
A sender device comprising means for calculating a shared secret key between the sender and the receiver from the receiver's public key and the sender's private key. A receiver device that receives an encrypted message transmitted from the sender device;
A network interface;
Means for receiving by the network interface a ciphertext from the sender device and a sender's public key for sending the message using the sender device;
The identifier of the recipient who receives the message using the recipient device is transmitted to the key server connected to the recipient device via the communication network, and the unique key of the recipient is requested. Means,
Means for receiving the unique key from the key server via the network interface;
Means for calculating a temporary shared key based on the unique key and the sender's public key;
Means for decrypting the message from the calculated temporary shared key and the ciphertext;
Means for generating a key pair consisting of the recipient's public key and private key;
Means for calculating a shared secret key between the sender and the recipient from the generated secret key of the recipient and the public key of the sender;
Means for transmitting the generated public key of the recipient to the sender device via the network interface;   An encrypted message transmission / reception system comprising the sender device according to claim 5, the receiver device according to claim 6, and a communication network connecting the sender device and the receiver device.   A program for causing a computer to function as the sender device according to claim 5.   The program for functioning a computer as a receiver apparatus of Claim 6.

Images