JP2009271107A - Secret communication system and secret authentication system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To secure high confidentiality and to reduce the cost by lessening operation load. <P>SOLUTION: The information data to be secret is decentralized and set to a plurality of decentralized data including function data for specifying a function and rule data for specifying information data. In an informing device 1, decentralized data is generated from the information data, and the decentralized data are sent to an informed device 2. In the informed device, a function is restored from the decentralized data to obtain the information data. Especially, some of the plurality of decentralized data are shared between the informing device and the informed device, and secretly and partially held in the informing device and the informed device. In the informing device, decentralized data not shared with the informed device are generated from the information data, and the decentralized data are sent to the informed device. In the informed device, the information data is obtained from the decentralized data held by its own device and the decentralized data received from the informing device. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a secret communication system that notifies notification data from a notification device to a notified device without being known by another person, and performs authentication by notifying an authentication device of authentication data from the authentication target device without being known by another person It relates to an authentication system.

  In video communication systems such as teleconferencing systems and IP camera systems that communicate video data via a network, and network printing systems that communicate print data via a network, confidentiality of video data and print data is required. Since the communication data to be transmitted is transmitted on the network, there is a possibility that the communication data may be stolen, and various techniques for preventing this are known (see, for example, Patent Document 1).

  In addition, in an Internet commerce system such as Internet banking and Internet shopping, an authentication system that verifies whether or not a user is a registered person is necessary, but because authentication data such as a password is sent over the network, Various techniques for stealing authentication data and impersonating a legitimate user to prevent illegal profits are known (see, for example, Patent Document 2).

Contactless IC cards having electronic money functions are rapidly spreading, and contactless IC cards and RFID tags have come to be used in entrance / exit management systems and product management systems. In a system using a kind of RFID device, it is necessary to prevent fraudulent profits by stealing authentication data by skimming. Randomized Hash is a technology for improving the safety of such RFID devices. A Lock method, a hash chain method (see Patent Document 3), and a re-encryption method (see Patent Document 4) are known.
JP 2007-288694 A JP 2007-293787 A Japanese National Patent Publication No. 2005-031579 JP 2004-317764 A

  However, various conventional technologies can increase the confidentiality of communication data and authentication data by complex calculation processing, but require high-speed calculation means, which increases costs and demands for lower costs. Therefore, there is a demand for a technique that cannot satisfy both of these requirements and can achieve both low cost and high secrecy. In particular, a system that realizes forward secure that does not search for facts related to notifications (communication partner, communication date, etc.) retroactively, and back secure that does not search for facts related to notifications in the future is desired. It is.

  The present invention has been devised based on such knowledge of the inventor, and its main purpose is to ensure a high degree of secrecy and reduce the calculation load to reduce costs. It is providing the secret communication system and secret authentication system which were comprised. It is another object of the present invention to provide a secret communication system and a secret authentication system capable of realizing forward secure and back secure.

  In the secret communication system of the present invention, notification data to be concealed is determined by being distributed in a plurality of distributed data composed of function data for specifying a function and rule data for specifying notification data from this function. The distributed data is generated from the notification data, the distributed data is sent to the notified device, and the notification device obtains the notification data by restoring the function from the distributed data.

  In the secret authentication system of the present invention, in the secret communication system, the notification data is authentication data indicating the authenticity of a device to be authenticated or a user. Based on the above, the validity of the notification device as the device to be authenticated is verified.

  According to the present invention, notification data cannot be obtained unless all of the distributed data is available, so that a high degree of secrecy can be secured, and by using a function with a small order like a linear function, Since the calculation load can be reduced, low-speed calculation means can be used, and the cost can be reduced.

  In the secret communication system according to the first invention made to solve the above problem, the notification data to be concealed is a plurality of distributed data including function data specifying a function and rule data specifying notification data from the function In the notification device, the distributed data is generated from the notification data, and the distributed data is sent to the notified device. In the notified device, the function is restored from the distributed data to generate the notification data. The configuration is as desired.

  According to this, even if the intermediary that intervenes in the communication between the notification device and the notified device sniffs the distributed data sent from the notification device to the notified device, the intermediary notifies that all the distributed data is not available. Since data cannot be obtained, a high degree of secrecy can be ensured, and the calculation load can be reduced by using a function having a small order such as a linear function. And cost can be reduced.

  Here, the function data of the dispersion data uniquely defines the function, and for example, the coordinate value of the point on the linear or n-th order curve indicated by the function, the coefficient of the function formula, the slope, the intercept, etc. Value. Here, when the coordinate value of the point on the straight line or curve of the n-order function is function data, the function data is the X value and Y value of n + 1 points, and the function is uniquely determined by these values. .

  Further, the rule data of the distributed data is an agreement for specifying the notification data from the function. For example, when the Y value of a point on the linear or n-th order curve indicated by the function is used as the notification data, the point The X value of becomes the rule data. Furthermore, the coordinate value of the intersection of the primary straight line or n-th order curve indicated by the function and another primary straight line or n-th order curve can be used as the notification data. In this case, another primary straight line forming the intersection is provided. Or the value which specifies the function which shows an nth-order curve becomes rule data. Further, the coefficient of the function equation can be used as the notification data. In this case, the designation information using the coefficient as the notification data is the rule data.

  According to a second invention for solving the above-mentioned problem, in the first invention, the notification device, the notified device, and the part of the plurality of distributed data may be transferred to the notification device and the notified device using a procedure different from the notification time. And sharing a part thereof with the notification device and the notified device in secret, and the notification device generates distributed data that is not shared with the notified device from the notification data. Then, the distributed data is sent to the notified device, and the notified device obtains notification data from the distributed data held by the own device and the distributed data received from the notification device.

  According to this, it is sufficient to send only distributed data that is not shared between the notification device and the notified device, and the amount of communication can be reduced. Moreover, the confidentiality of notification data can be improved by keeping a part of shared data to be shared secretly.

  According to a third aspect of the present invention for solving the above problem, in the second aspect of the present invention, the distributed data to be kept secret in both the notification device and the notified device is the same one-way. Conversion is performed using a function, and the distributed data is updated with the conversion result.

  According to this, even if the distributed data held by the notification device or the notified device is stolen by another person, the distributed data held in the past by the notification device or the notified device is not known. It is possible to realize forward secure that is not searched retroactively. In addition, since only the conversion process within the apparatus is sufficient, the cost can be reduced.

  In this case, as the one-way function, it is difficult to calculate the inverse function and it is practically impossible to obtain the original data. A typical example is a hash function, but a power function, particularly a square function. However, an increase in the number of digits is preferable because practically sufficient unidirectionality can be obtained and the calculation load is low.

  Note that the conversion of the distributed data using the one-way function may be performed on all of the distributed data or a part thereof.

  A fourth invention made to solve the above-mentioned problem is that, in the first to third inventions, in the notification device, distributed data to be sent to the notified device is a public key of the notified device, or the Encrypted by using a common key shared by both the notified device and the notification device, and then sent to the notified device, and in the notified device, the encrypted distributed data is the private key of its own device, or Decryption is performed using a common key shared by both the notified device and the notification device.

  According to this, even if the distributed data held by the notification device or the notified device is stolen by another person, the distributed data sent from the notification device to the notified device is encrypted. The intermediary who intervenes in communication with the device does not know the content of the distributed data to be transmitted unless there is a secret key of the notified device, and realizes back-secure without searching the notification data in the future be able to. Further, it is possible to realize forward secure which does not search the notification data retroactively.

  Note that the encryption of the distributed data may be performed on a part of the distributed data in addition to the entire distributed data. Further, the public key and secret key of the notified device are not limited to those in the notified device, but also include an external smart card read by the notified device. Similarly, the common key shared by both the notified device and the notification device includes the notified device or an external smart card read by the notification device.

  A secret authentication system according to a fifth invention made to solve the above-mentioned problem is the secret communication system according to any one of the first to fourth inventions, wherein the notification data indicates the authenticity of the device to be authenticated or the user. It is data, and it is set as the structure which verifies the correctness of the said notification apparatus used as an apparatus to be authenticated based on the said authentication data in the said apparatus notified as an authentication apparatus.

  According to this, the authentication data of the device to be authenticated required for authentication by the authentication device can be notified to the authentication device without being sent out on the communication path, so that the confidentiality of the authentication data can be highly secured.

  Here, the authentication data indicates the validity of the device to be authenticated, such as a password given to the device to be authenticated and the user who operates the device, biometric information about the user who operates the device to be authenticated, and the like. .

  A sixth invention made to solve the above-mentioned problem is that, in the fifth invention, both the device to be authenticated and the authentication device convert the authentication data using the same one-way function. Thus, the authentication data is updated with the conversion result.

  According to this, even if the authentication data held by the authenticated device or the authentication device is stolen by another person, the authentication data held in the past by the authenticated device or the authentication device is not known. It is possible to realize forward secure without searching retroactively (authenticating partner, authentication date, etc.). In card authentication or the like in which the device to be authenticated is a card, safety can be ensured without taking any special measures when the card is discarded. In addition, since only the conversion process within the apparatus is sufficient, the cost can be reduced.

  Note that the authentication data conversion using the one-way function may be performed on a part of the authentication data in addition to the entire authentication data.

  A seventh invention made to solve the above-mentioned problems is that, in the fifth and sixth inventions, in the authentication device, a part of distributed data is arbitrarily generated and sent to the device to be authenticated. In the device to be authenticated, the remaining distributed data is generated from the distributed data received from the authentication device and the authentication data, and the distributed data is sent to the authentication device.

  According to this, since the distributed data sent from the authentication device to the device to be authenticated changes sequentially, the exchange between the authentication device and the device to be authenticated is imitated using the distributed data used here. It becomes impossible to receive authentication, and retry attacks can be prevented.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

≪Secret communication system≫
FIG. 1 is a system configuration diagram showing a secret communication system according to the present invention. Here, the notification device 1 and the notified device 2 are connected to the network, and notification data to be kept secret is notified from the notification device 1 to the notified device 2. In such a communication system, the following secret communication method is employed in order to prevent the notification data from being stolen by the intermediary device 3 intervening in the communication between the notification device 1 and the notified device 2. Is done.

  2 and 3 are diagrams for explaining the point of the secret communication in the present invention. Here, the notification data m is given as the Y value of the point M (x1, m) where the X value is x1 on the linear line passing through the point S (x2, s) and the point K (x3, k). The straight line function equation is uniquely determined by the function data x2, x3, s, and k, and is notified from these function data and the rule data x1 for specifying the notification data m from the straight line function equation. Data m is determined.

  Here, the function data x2, x3, s, k and the rule data x1 are positioned as distributed data that prescribes the notification data m in a distributed manner, and notification is made that all of these distributed data x1 to x3, s, k are not complete. Data m cannot be obtained.

  Although all of the distributed data x1 to x3 · s · k can be sent from the notification device 1 to the notified device 2 at the time of notification, as shown below, one of the distributed data x1 to x3 · s · k Are shared between the notification device 1 and the notified device 2 in advance or after the procedure in a procedure different from that at the time of notification, and at the time of notification, the notification device 1 uses the notification data m to Distributed data that is not shared between them, and sends the distributed data to the notified device 2. In the notified device 2, the notification data m is obtained from the distributed data held by the own device and the distributed data received from the notification device 1. It is better to ask.

  In the method 1 shown in FIG. 2A, only the distributed data s that is the Y value of one point S is sent from the notification device to the notified device, and the remaining distributed data x1 to x3 · k are transmitted to the notification device and the notified device. Shared with the device. The remaining distributed data x1 to x3 · k are fixed values, and at least a part of the information is kept secret. It is desirable to keep everything secret for safety. In this case, only the distributed data s varies according to the notification data m.

  In the improvement of the method 1 shown in FIG. 2B, the distributed data s · x2 that is the X value and Y value of one point S is sent, and the remaining distributed data x1 · x3 · k is sent to the notification device and the notified device. Share with. This remaining distributed data x1, x3, k is a fixed value, and at least a part of the information is kept secret. It is desirable to keep everything secret for safety. In this case, the distributed data x2 is generated with an arbitrary value, for example, a random number, and the distributed data s is determined so that the point S comes on a straight line passing through the two points M · K.

  In the method 2 shown in FIG. 3A, the distributed data s · k that is the Y value of two points S · K is sent, and the remaining distributed data x1 to x3 are shared between the notification device and the notified device. is doing. The remaining distributed data x1 to x3 are fixed values, and at least a part of the information is kept secret. It is desirable to keep everything secret for safety. In this case, the distributed data s is generated with an arbitrary value, for example, a random number, and the distributed data k is determined as the Y value of the point K at which the X value is x3 on the straight line passing through the two points M · S. Conversely, after the distributed data k is determined by random numbers, the distributed data s may be determined as the Y value of the point S at which the X value is x2 on the straight line passing through the two points M · K.

  In the improvement of the method 2 shown in FIG. 3B, the X and Y values of the point S and the Y value of the point K are sent as the distributed data s · x2 · k, and the remaining distributed data x1 · x3 is sent to the notification device. And the notified device. The remaining distributed data x1 and x3 are fixed values, and at least a part of the information is kept secret. It is desirable to keep everything secret for safety. In this case, the distributed data s · x2 is generated by an arbitrary value, for example, a random number, and the distributed data k is defined as the Y value of the point K at which the X value becomes x3 on the straight line passing through the two points M · S.

  FIG. 4 is a diagram for explaining the point according to another example of the secret communication in the present invention. Here, the notification data m1 is a point M1 (x1) where the X value is x1 on a quadratic curve passing through the point M2 (x2, m2), the point K (x3, k), and the point S (x4, s). , M1), and the function equation of this curve is uniquely determined by the function data x2 to x4 · m2 · s · k, and the notification data m1 is obtained from these function data and the function equation of the curve. Notification data m is obtained from the rule data x1 for specifying.

  Here, the function data x2 to x4 · m2 · s · k and the rule data x1 are positioned as distributed data defining the notification data m1 in a distributed manner, and all of these distributed data x1 to x4 · m2 · s · k The notification data m1 cannot be obtained unless they are prepared.

  A part of the distributed data x1 to x4 · m2 · s · k is shared between the notification device 1 and the notified device 2 in advance or after the procedure in a procedure different from the notification time, and at the time of notification, In the notification device 1, distributed data that is not shared with the notified device 2 is generated from the notification data m, and the distributed data is sent to the notified device 2. Notification data can be obtained from the data and the distributed data received from the notification device 1.

<Basic example of a secret communication system>
FIG. 5 is a block diagram illustrating a first example of the notification apparatus and the notified apparatus illustrated in FIG. 1. Here, the method 2 in FIG. 3A is adopted, the distributed data x1 to x3 are shared between the notification device 1 and the notified device 2, and the distributed data s · k is transmitted from the notification device 1 to the notified device 2. Sent to.

  The notification device 1 includes a distributed data storage unit 101 that secretly stores the distributed data x1 to x3, a random number generation unit 102 that generates the distributed data s with random numbers, and the distributed data x1 to x3 stored in the distributed data storage unit 101. , And the function processing unit 103 for obtaining the distributed data k from the distributed data s generated by the random number generating unit 102 and the notification data m to be transmitted secretly, and the distributed data k obtained here and the random number generating unit 102 The generated distributed data s is sent to the notified device 2. In the function processing unit 103, a function is specified from the distributed data x1, x2, s and the notification data m, and the distributed data k is obtained from the function and the distributed data x3.

  The notified device 2 includes the distributed data storage unit 201 that secretly stores the distributed data x1 to x3, the distributed data x1 to x3 stored in the distributed data storage unit 201, and the distributed data s · k received from the notification device 1. And a function processing unit 202 for obtaining the notification data m. In the function processing unit 202, a function is restored from the distributed data x2, x3, s, and k, and notification data m is obtained from this function and the distributed data x1.

  Here, even if the intermediary device 3 sniffs the distributed data s · k sent from the notification device 1 to the notified device 2, if the intermediary device 3 does not know all the distributed data x1 to x3, the notification data m cannot be determined.

<Example of forward secure in a secret communication system>
FIG. 6 is a block diagram illustrating a second example of the notification apparatus and the notified apparatus illustrated in FIG. 1. Here, the notification device 1 converts the distributed data x1 stored in the distributed data storage unit 101 to be kept secret using a one-way function, and updates the distributed data x1 with the conversion result Part 111 is provided. Further, the notified device 2 converts the distributed data x1 stored in the distributed data storage unit 201 to be kept secret using a one-way function, and updates the distributed data x1 with the conversion result Part 211. Other configurations are the same as those in the example of FIG.

  The data updating unit 111 of the notification device 1 and the data updating unit 211 of the notified device 2 use the same one-way function. As this one-way function, a typical one-way function such as a hash function can be used. However, a square function that provides a practically sufficient one-way is preferable, and the calculation load is low. The present invention can also be applied to a simple device having only a low-speed calculation function.

  In addition, the update processing in the data update unit 111 of the notification device 1 and the data update unit 211 of the notified device 2 are performed at the same timing. For example, when the notification of a series of notification data is finished, the update processing is appropriately determined. Held regularly at regular intervals.

  As a result, even if the shared data x1 held by the notification device 1 or the notified device 2 is stolen by another person, the shared data x1 previously held by the notification device 1 or the notified device 2 is not known. Further, it is possible to realize forward secure without searching the notification data retroactively. In addition, since only the conversion process within the apparatus is sufficient, the cost can be reduced.

  The data updating units 111 and 211 can also update other distributed data x2 and x3 with a one-way function.

<Example of forward / back secure in a secret communication system>
FIG. 7 is a block diagram illustrating a third example of the notification apparatus and the notified apparatus illustrated in FIG. 1. Here, the notification device 1 has an encryption unit 121 that encrypts the distributed data s generated by the random number generation unit 102 using the public key of the notified device 2, and the encrypted data obtained here E (s) is sent to the notified device 2. In addition, the notified device 2 includes a decryption unit 221 that decrypts the encrypted data E (s) received from the notification device 1 using its own secret key, and the distributed data s obtained here Is sent to the function processing unit 202. Other configurations are the same as those in the example of FIG.

  As an encryption method used in the encryption unit 121, various encryption methods such as an RSA method, a DH method, and an elliptical encryption method are possible.

  If the value of the distributed data s is very large, a common key is generated with a random number, the shared data s is encrypted with this common key, and the common key is encrypted with the public key of the notified device 2. It is better to use hybrid encryption. Here, the public key of the notified device 2 is used as the encryption key, but this may be a common key shared between the notification device 1 and the notified device 2.

  Thereby, even if the distributed data held by the notification device 1 or the notified device 2 is stolen by another person, the distributed data sent from the notification device 1 to the notified device 2 is encrypted. The intermediary device 3 intervening in the communication between the device 1 and the notified device 2 does not know the content of the distributed data to be transmitted unless there is a secret key of the notified device 2, and searches for the notification data in the future. It is possible to achieve back security without any problems. Further, it is possible to realize forward secure which does not search the notification data retroactively.

≪Secret Authentication System≫
FIG. 8 is a system configuration diagram showing a secret authentication system according to the present invention. Here, a client device (authenticated device) 5 and a server device (authentication device) 6 are connected to a network, and authentication data (password or the like) for authenticating the client device 5 in the server device 6 is sent from the client device 5 to the server. This is to notify the device 6. In such an authentication system, authentication data is stolen by the intermediary device 7 intervening in the communication between the client device 5 and the server device 6, or the intermediate device 3 pretends to be a regular client device 5 and the server device. In order to prevent unauthorized authentication in step 6, the following secret authentication method is employed.

<Basic example of secret authentication system>
FIG. 9 is a block diagram showing a first example of the device to be authenticated and the authentication device shown in FIG. Here, the method 2 in FIG. 3A is adopted, the distributed data x1 to x3 are shared between the client device 5 and the server device 6, and the distributed data s · k is transmitted from the client device 5 to the server device 6. It is done.

  The client device 5 includes an authentication data storage unit 501 that secretly stores authentication data m indicating the validity of the own device, a distributed data storage unit 502 that secretly stores the distributed data x1 to x3, and the distributed data s as random numbers. The random number generation unit 503 to generate, the authentication data m stored in the authentication data storage unit 501, the distributed data x1 to x3 stored in the distributed data storage unit 502, and the distributed data from the distributed data s generated by the random number generation unit 503 a function processing unit 504 for obtaining k, and the distributed data k obtained by the function processing unit 504 and the distributed data s generated by the random number generation unit 503 at the time of an authentication request from the client device 5 to the server device 6. It is sent to the notified device 2. In the function processing unit 504, a function is specified from the distributed data x1, x2, s and the authentication data m, and the distributed data k is obtained from the function and the distributed data x3.

  The server device 6 includes an authentication data storage unit 601 that stores authentication data m for each of the plurality of client devices 5, a distributed data storage unit 602 that stores the distributed data x1 to x3, and a distributed data stored in the distributed data storage unit 602. The function processing unit 603 for obtaining authentication data m from the data x1 to x3 and the distributed data s · k received from the client device 5, the authentication data m obtained by the function processing unit 603, and the authentication data storage unit 601 And a verification unit 604 that compares the authentication data m and verifies the authenticity of the client device 5. In the function processing unit 603, a function is restored from the distributed data x2, x3, s, and k, and authentication data m is obtained from this function and the distributed data x1.

  The verification unit 604 sequentially reads the authentication data m from the authentication data storage unit 601. If the authentication data m matches the authentication data m obtained by the function processing unit 603, the authentication is successful. The authentication data m is read from the authentication data storage unit 601 and the same processing is performed. If there is no match, the authentication is assumed to have failed.

  Here, even if the intermediary device 7 sniffs the distributed data s · k sent from the client device 5 to the server device 6, if the intermediate device 7 does not know all the distributed data x1 to x3, the authentication data m Cannot be asked.

<Example of forward secure with secret authentication system>
FIG. 10 is a block diagram showing a second example of the device to be authenticated and the authentication device shown in FIG. Here, the client device 5 has a data update unit 511 that converts authentication data m to be kept secret using a one-way function and updates the authentication data m with the conversion result. In addition, the server device 6 includes a data update unit 611 that converts authentication data m to be kept secret using a one-way function and updates the authentication data m with the conversion result. Other configurations are the same as those in the example of FIG.

  The data updating unit 511 of the client device 5 and the data updating unit 611 of the server device 6 use the same one-way function. As this one-way function, a typical one-way function such as a hash function can be used. However, a square function that provides a practically sufficient one-way is preferable, and the calculation load is low. The present invention can also be applied to a simple device (such as an RFID tag) having only a low-speed calculation function.

  Further, the update processing in the data update unit 511 of the client device 5 and the data update unit 611 of the server device 6 are performed at the same timing. For example, the authentication is performed by the data update unit 511 of the client device 5 every time authentication is performed. At the same time as the data is updated, the authentication data related to the client device 5 is updated by the data update unit 611 of the server device 6.

  As a result, even if the authentication data held by the client device 5 or the server device 6 is stolen by another person, the distributed data held by the client device 5 or the server device 6 in the past is not known. It is possible to realize forward secure that does not search retroactively (authentication partner, authentication date and time). In addition, since only the conversion process within the apparatus is sufficient, the cost can be reduced.

  Note that the data updating units 511 and 611 may update the distributed data x1 to x3 stored in the distributed data storage units 502 and 602, particularly the distributed data x1, with a one-way function.

  Note that when the authentication is repeated a plurality of times, the authentication data m becomes an intersection of lines passing through the distributed data s · k. Therefore, in the method of FIG. In this way, changing the value of authentication data or distributed data significantly reduces the risk.

<Example of forward / back-secure using a secret authentication system>
FIG. 11 is a block diagram illustrating a third example of the device to be authenticated and the authentication device illustrated in FIG. 8. Here, the client device 5 has an encryption unit 521 that encrypts the distributed data s generated by the random number generation unit 503 using the public key of the server device 6, and the encrypted data E obtained here (S) is sent to the server device 6. In addition, the server device 6 includes a decryption unit 621 that decrypts the encrypted data E (s) received from the client device 5 using its own secret key. It is sent to the function processing unit 603. Other configurations are the same as those in the example of FIG.

  Thereby, even if the authentication data held by the client device 5 or the server device 6 is stolen by another person, the distributed data sent from the client device 5 to the server device 6 is encrypted. The intermediary device 7 intervening in communication with the server device 6 does not know the content of the distributed data to be transmitted unless there is a secret key of the server device 6, and will not search for facts related to authentication in the future. Back secure can be realized. In addition, it is possible to realize forward secure that does not search for facts related to notifications retroactively. Furthermore, when the authentication is repeated a plurality of times, the authentication data m becomes an intersection of lines passing through the distributed data s · k. Therefore, in the method of FIG. Thus, if the value of the distributed data is changed by encryption, the risk can be significantly reduced.

  Here, of the distributed data k · s sent from the client device 5 to the server device 6, only the distributed data s is encrypted, but both of them are encrypted, or only the distributed data k is encrypted. Also good.

  If the value of the distributed data is very large, a hybrid is generated in which a common key is generated with a random number, the shared data is encrypted with this common key, and the common key is encrypted with the public key of the server device 6. It is good to use encryption. Here, the public key of the server device 6 is used as the encryption key, but this may be a common key shared between the client device 5 and the server device 6.

<Example of defense against retry attacks using the challenge-response method>
FIG. 12 is a block diagram showing a fourth example of the device to be authenticated and the authentication device shown in FIG. Here, the server device 6 has a random number generation unit 631 that generates the distributed data s with random numbers, and the distributed data s obtained here is sent to the client device 5. The client device 5 obtains the distributed data k from the distributed data s received from the server device 6, the authentication data m stored in the authentication data storage unit 501, and the distributed data x1 to x3 stored in the distributed data storage unit 502. Is performed by the function processing unit 504, and the distributed data k obtained here is sent to the server device 6.

  In this configuration, since the distributed data s sent from the server device 6 to the client device 5 changes irregularly, the shared data used here is imitated by the exchange between the client device 5 and the server device 6. It cannot be used for unauthorized authentication and can prevent retry attacks.

  It should be noted that the examples shown in the above drawings can be combined appropriately. Further, in each example after FIG. 5, a method using a linear function is adopted, but a method using a quadratic function shown in FIG. 4 can be adopted, and other methods such as a cubic function are also possible. It is.

<Example of two-way authentication>
Although not particularly illustrated, the configuration of the client device 1 and the server device 2 shown in the above examples is replaced with each other, that is, the client device 1 is an authentication device, the server device 2 is an authenticated device, The function processing unit generates distributed data k, sends the distributed data k to the client device 1, the distributed data k generated in the own device by the collation unit of the client device 1, and the distributed data k received from the server device 2 By combining the configuration for verifying the validity of the server device 2 by comparing the above and the configuration shown in each of the above examples, bidirectional authentication becomes possible.

  The secret communication system and secret authentication system according to the present invention have the effect of ensuring high secrecy and reducing the calculation load to reduce the cost, and notify the notification data without being known to others This is useful as a secret communication system for notifying a notification target device from a device to be notified, authentication data from an authentication target device to the authentication device without being known to others, and performing a authentication and a secret authentication system.

The system block diagram which shows the secret communication system by this invention The figure explaining the point of the secret communication in this invention The figure explaining the point of the secret communication in this invention The figure explaining the point by another example of the secret communication in this invention The block diagram which shows the 1st example of the notification apparatus and to-be-notified apparatus shown in FIG. The block diagram which shows the 2nd example of the notification apparatus and to-be-notified apparatus shown in FIG. The block diagram which shows the 3rd example of the notification apparatus shown in FIG. 1, and a to-be-notified apparatus. The system block diagram which shows the secret authentication system by this invention Block diagram showing a first example of the device to be authenticated and the authentication device shown in FIG. Block diagram showing a second example of the device to be authenticated and the authentication device shown in FIG. Block diagram showing a third example of the device to be authenticated and the authentication device shown in FIG. Block diagram showing a fourth example of the device to be authenticated and the authentication device shown in FIG.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Notification apparatus 2 Notification apparatus 3 Intermediate person apparatus 5 Client apparatus 6 Server apparatus 7 Intermediate person apparatus 101 Distributed data storage part, 102 Random number generation part, 103 Function processing part, 111 Data update part, 121 Encryption part 201 Distributed data storage Unit, 202 function processing unit, 211 data update unit, 221 decryption unit 501 authentication data storage unit, 502 distributed data storage unit, 503 random number generation unit, 504 function processing unit, 511 data update unit, 521 encryption unit 601 authentication data Storage unit, 602 Distributed data storage unit, 603 function processing unit, 604 collation unit, 611 data update unit, 621 decryption unit, 631 random number generation unit

Claims (7)

Notification data to be concealed is determined by being distributed in a plurality of distributed data consisting of function data for specifying a function and rule data for specifying notification data from this function,
In the notification device, generate distributed data from the notification data, send the distributed data to the notified device,
The secret communication system, wherein the notified device obtains notification data by restoring the function from the distributed data. A part of the plurality of distributed data is shared between the notification device and the notified device by a procedure different from that at the time of notification, and part of the shared data is secretly shared by the notification device and the notified device. To hold
In the notification device, from the notification data, generate shared data that is not shared with the notified device, and send the distributed data to the notified device,
The secret communication system according to claim 1, wherein the notified device obtains notification data from the distributed data held by the device itself and the distributed data received from the notification device.   In both the notification device and the notified device, the shared data to be kept secret is converted using the same one-way function, and the shared data is updated with the conversion result. The secret communication system according to claim 2. In the notification device, the distributed data to be sent to the notified device is encrypted using a public key of the notified device or a common key shared by both the notified device and the notification device, and then the notified device To the device,
The decrypted data is decrypted in the notified device using a secret key of the device itself or a common key shared by both the notified device and the notification device. The secret communication system according to claim 3. The secret communication system according to any one of claims 1 to 4, wherein the notification data is authentication data indicating authenticity of a device to be authenticated or a user,
A secret authentication system, wherein the notifying device serving as an authentication device verifies the validity of the notifying device serving as the device to be authenticated based on the authentication data.   6. The authentication data is converted by using the same one-way function in both of the authentication target device and the authentication device, and the authentication data is updated with the conversion result. Secret authentication system. In the authentication device, a part of the distributed data is arbitrarily generated and sent to the device to be authenticated,
7. The authenticated device generates the remaining distributed data from the distributed data received from the authentication device and the authentication data, and sends the distributed data to the authentication device. Secret authentication system.

Images