JP2012060366A - Communication system, communication method and computer program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a communication system that establishes encrypted communication after authentication between a terminal loaded with a browser incapable of accessing a memory of the terminal and a server without a server certificate.SOLUTION: A terminal 2 includes: a screen area division section 21 for dividing a browser screen area into a plurality of frames; an authentication requesting section 22 for requesting a server 3 to authenticate authentication information via a first frame; an intermediate data storage section 23 for storing intermediate data in the process of requesting authentication in another frame different from the first frame; a shared key generation section 24 for generating a shared key from the intermediate data if a notification of successful authentication is received from the server 3; and a shared key storage section 25 for storing the shared key in another frame. The server 3 includes: an authentication section 32 for determining whether or not to authenticate the authentication information requested by the terminal 2 according to an authentication information storage section 31, and sending the authentication result to the terminal 2; and a shared key generation section 33 for generating a shared key from intermediate data in the process of authenticating the authentication information if the authentication is successful.

Description

  The present invention relates to a communication system that performs cryptographic communication, and more particularly, to a communication system, a communication method, and a computer program that perform cryptographic communication after user authentication.

  Many communication systems that provide services while performing encrypted communication after user authentication are known as communication systems that provide services via a network. Many of such communication systems are based on the assumption that a web browser application (hereinafter simply referred to as a browser) is used in a terminal.

  For example, a communication system providing a web mail service authenticates that a user is an owner of a certain mail address by using a user ID and a password, and then sends a mail addressed to the user stored in the server to the user. Send to the terminal operated by. Then, the browser installed in the terminal displays the mail addressed to the user. At this time, it is desirable that encrypted communication is performed between the server and the terminal so that mail transmitted from the server to the terminal does not leak.

  In general, SSL (Secure Socket Layer) communication is used for such encrypted communication. In order to use SSL communication, the server acquires a server certificate from a certificate issuing organization or the like in advance. After confirming the validity and reliability of the server certificate received from the server, the terminal receives provision of services by starting encrypted communication.

  However, even in a communication system that provides a service for which it is desirable to perform encrypted communication after user authentication, the server may not have a server certificate. For example, a server operated by an individual often does not have a server certificate that is expensive to acquire. A server that does not own a server certificate cannot perform SSL communication.

  In order for such a communication system to perform cryptographic communication, it is necessary to perform key exchange with authentication in which a key for cryptographic communication is exchanged and shared between the server and the terminal after user authentication. As a technique for key exchange with authentication, a technique for performing user authentication using a password and generating a shared key for encrypted communication using intermediate data generated during the authentication is known (for example, non-patent) Reference 1 and Non-Patent Document 2). Each of these authenticated key exchange techniques is mathematically guaranteed to be secure.

Bellare, M., D. Pointcheval, P. Rogaway. “Authenticated Key Exchange Secure against Dictionary Attacks”, Eurocrypt 3000 LNCS (Springer-Verlag) 1807. Katz, J., R. Ostrovsky, M. Yung. "Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords", Eurocrypt 3001 (Springer-Vergal) 2045.

  However, a browser installed in the terminal may have an operational limitation that the memory included in the terminal cannot be accessed (that is, information stored in the memory cannot be read and written). For example, a browser installed in a mobile phone may have the above-described limitation.

  In the technology for key exchange with authentication described in Non-Patent Document 1 and Non-Patent Document 2, as described above, the intermediate data generated in user authentication is used for key sharing for encryption communication. It is necessary to memorize temporarily.

  Here, a terminal equipped with a browser that cannot access the terminal memory cannot store intermediate data in the terminal memory. Therefore, in a communication system employing the techniques described in Non-Patent Document 1 and Non-Patent Document 2, it is not possible to provide a service for performing encrypted communication after user authentication to a terminal having the above-described restrictions.

  The present invention has been made to solve the above-described problem, and performs encrypted communication after user authentication between a terminal equipped with a browser having a restriction that prevents access to the memory of the terminal and a server that does not have a server certificate. It aims at providing the communication system which performs.

  The communication system of the present invention is a communication system including a server and a terminal, and the terminal includes a screen area dividing unit that divides a browser screen area for displaying content into a plurality of frames, and a plurality of frames. An authentication request unit that requests the server to authenticate the authentication information acquired through the first frame, and intermediate data used when the server requests the authentication. , When the intermediate data storage unit stored in a frame other than the first frame and the authentication result information received from the server indicate successful authentication, based on the intermediate data stored in the intermediate data storage unit A shared key generation unit that generates a shared key used for encrypted communication with the server, and a shared key storage unit that stores the shared key in the other frame, and the server An authentication information storage unit storing authentication information registered in advance and whether or not to authenticate authentication information required for authentication by the terminal based on the authentication information storage unit; An authentication unit that transmits the authentication result information to the terminal, and when the authentication unit determines to authenticate the authentication information, based on the intermediate data used when authenticating the authentication information, A shared key generation unit that generates the shared key used for the encrypted communication.

  In addition, the server of the present invention determines, based on the authentication information storage unit storing authentication information registered in advance and the authentication information storage unit, whether to authenticate authentication information required for authentication by the terminal. In addition, when it is determined that the authentication information is authenticated by the authentication unit that transmits the authentication result information indicating whether or not the authentication is successful to the terminal, the intermediate data used when the authentication information is authenticated And a shared key generation unit that generates a shared key used for encrypted communication with the terminal.

  Further, the terminal of the present invention includes a screen area dividing unit that divides a browser screen area that displays content into a plurality of frames, and authentication of authentication information acquired through a first frame among the plurality of frames. An authentication request unit for requesting the server via the first frame, and intermediate data storage for storing the intermediate data used when requesting the authentication from the server in another frame other than the first frame And a shared key generation unit that generates a shared key used for encrypted communication with the server based on the intermediate data stored in the intermediate data storage unit when the authentication result information received from the server represents authentication success And a shared key storage unit for storing the shared key in the other frame.

  The computer program according to the present invention includes an authentication information storage step of storing authentication information registered in advance in a server that communicates with the terminal in the authentication information storage unit, and the terminal based on the authentication information storage unit. Determining whether or not to authenticate authentication information required for authentication, and transmitting authentication result information indicating whether or not the authentication is successful to the terminal, and authenticating the authentication information in the authentication step. If it is determined, a shared key generation step of generating a shared key used for encrypted communication with the terminal is executed based on intermediate data used when authenticating the authentication information.

  Further, the computer program of the present invention includes a screen area dividing step for dividing a browser screen area for displaying content into a plurality of frames on a terminal that communicates with a server, and a first frame among the plurality of frames. Requesting the server to authenticate the authentication information acquired through the first frame, and intermediate data used when requesting the authentication in the authentication request step, An intermediate data storage step for storing in an intermediate data storage unit in a frame other than the frame, and when the authentication result information received from the server represents an authentication success, based on the intermediate data stored in the intermediate data storage unit Generating a shared key used for encrypted communication with the server; and sharing the shared key in the other frame A shared key storing step of storing in the storage unit, thereby to execute.

  The data structure of the present invention is a data structure of content delivered from a server to a terminal, and a frame structure in which a plurality of frames constituting a browser screen area in which the content is displayed on the terminal is defined. Represents information and information applied to the first frame among the plurality of frames, and requests authentication of the authentication information acquired via the first frame to the server via the first frame. In addition, if the authentication result information received from the server indicates successful authentication, authentication with a certificate that generates a shared key used for encrypted communication with the server is based on intermediate data used when requesting the authentication to the server. Represents first frame information including a key exchange application and information applied to other frames other than the first frame. Including a middle data storage information for storing data, and a another frame information including a shared key storage information for storing the shared key.

  Further, the communication method of the present invention uses a server and a terminal, and the terminal divides a browser screen area for displaying content into a plurality of frames, and the first frame of the plurality of frames is passed through the first frame. Request authentication of the acquired authentication information to the server via the first frame, and send intermediate data used when requesting the authentication to the server in another frame other than the first frame. The server stores the authentication information registered in advance in the authentication information storage unit, and the authentication information requested to be authenticated by the terminal based on the authentication information storage unit. In addition to determining whether or not to authenticate, transmitting authentication result information indicating whether or not the authentication is successful to the terminal, and determining that the authentication information is to be authenticated, it is used when authenticating the authentication information. Based on the intermediate data, a shared key used for encryption communication with the terminal is generated. When the authentication result information received from the server indicates authentication success, the terminal stores the intermediate key stored in the intermediate data storage unit. Based on the data, the shared key used for encryption communication with the server is generated, and the shared key is stored in the shared key storage unit in the other frame.

  The present invention can provide a communication system that performs encrypted communication after user authentication between a terminal equipped with a browser having a restriction that cannot access the memory of the terminal and a server that does not have a server certificate.

It is a block diagram which shows the structure of the communication system as the 1st Embodiment of this invention. It is a block diagram which shows the hardware constitutions of the communication system as the 1st Embodiment of this invention. It is a functional block diagram of the communication system as a 1st embodiment of the present invention. It is a sequence diagram which shows operation | movement of the communication system as the 1st Embodiment of this invention. It is a functional block diagram of the communication system as the 2nd Embodiment of this invention. It is a sequence diagram which shows operation | movement of the communication system as the 2nd Embodiment of this invention. It is a sequence diagram which shows an example of operation | movement when the communication system as the 2nd Embodiment of this invention employ | adopts elliptical Diffie-Hellman key exchange. It is a sequence diagram which shows an example of an operation | movement when the communication system as the 2nd Embodiment of this invention employ | adopts public key encryption. It is a schematic diagram which shows an example of the data structure stored in a server in each embodiment of this invention.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

(First embodiment)
FIG. 1 shows the configuration of a communication system as a first embodiment of the present invention. In FIG. 1, the communication system 1 includes a terminal 2 and a server 3. The terminal 2 and the server 3 are communicably connected to each other via a network constituted by the Internet, a LAN (Local Area Network), a public line network, a wireless communication network, or a combination thereof.

  In FIG. 1, one terminal 2 is shown, but the number of terminals provided in the communication system of the present invention is not limited.

  Next, FIG. 2 shows a hardware configuration of each device constituting the communication system 1.

  In FIG. 2, a terminal 2 includes a CPU (Central Processing Unit) 2001, a RAM (Random Access Memory) 2002, a ROM (Read Only Memory) 2003, a storage device 2004, a network interface 2005, a display device 2006, It is comprised by the computer apparatus provided with the input device 2007. FIG.

  In FIG. 2, the server 3 includes a computer device including a CPU 3001, a RAM 3002, a ROM 3003, a storage device 3004, and a network interface 3005.

  Next, the functional block configuration of each device constituting the communication system 1 is shown in FIG.

  In FIG. 3, the terminal 2 includes a screen area dividing unit 21, an authentication requesting unit 22, a midway data storage unit 23, a shared key generation unit 24, and a shared key storage unit 25. The server 3 includes an authentication information storage unit 31, an authentication unit 32, and a shared key generation unit 33.

  Here, the screen area dividing unit 21 includes a CPU 2001 that executes a computer program and a display device 2006. The authentication request unit 22 includes a CPU 2001 that executes a computer program, a network interface 2005, a display device 2006, and an input device 2007. The intermediate data storage unit 23 and the shared key storage unit 25 are configured by a CPU 2001 and a RAM 2002 that execute a computer program. The shared key generation unit 24 is generated by the CPU 2001 that executes a computer program. Note that the computer program executed by the CPU 2001 is stored in the ROM 2003 or the storage device 2004. Data read / written in the terminal or saved data such as images is stored in the storage device 2004.

  The authentication information storage unit 31 includes a storage device 3004. The authentication unit 32 includes a CPU 3001 that executes a computer program and a network interface 3005. The shared key generation unit 33 includes a CPU 3001 that executes a computer program. Note that the computer program executed by the CPU 3001 is stored in the ROM 3003 or the storage device 3004. Data read / written in the server or saved data such as images and documents is stored in the storage device 3004.

  However, the terminal 2 and the server 3 are not limited to the configuration described above.

  Next, the configuration of each part of the terminal 2 will be described.

  The screen area dividing unit 21 divides a browser screen area in which content is displayed into a plurality of frames. Here, the frame is a plurality of areas generated by dividing the browser screen area. A browser having a frame function can apply different contents to each frame.

  The screen area dividing unit 21 is realized by a browser that displays content on the screen. For example, the screen area dividing unit 21 may divide the screen area of the browser into a plurality of frames by reading the structure information of the frames included in the content and applying it to the screen area.

  The authentication request unit 22 requests the server 3 to authenticate the authentication information acquired via the first frame among the plurality of frames via the first frame.

  Here, the authentication information may be information including a user ID and a password of a user who operates the terminal 2, for example. The authentication information may be a terminal ID and password issued to the terminal 2. The authentication information may be other information issued in advance to authenticate that the server 3 is a service providing target.

  Further, the authentication request unit 22 may obtain the authentication information from the input device 2007 via the first frame by displaying an input screen including the user ID and password input fields on the first frame, for example. Good.

  In this case, the authentication request unit 22 may request authentication of authentication information by transmitting a value obtained by applying a predetermined one-way hash function to the password and a user ID to the server 3.

  The midway data storage unit 23 is included in a frame other than the first frame. The intermediate data storage unit 23 stores intermediate data used when the authentication request unit 22 requests authentication from the server 3 in another frame of the browser screen area.

  Here, a browser corresponding to the frame function generally enables reading and writing of data between frames. Therefore, the intermediate data storage unit 23 in another frame can store the intermediate data generated by the authentication request unit 22 operating in the first frame.

  For example, the midway data storage unit 23 may be configured by elements such as a text field included in information applied to other frames. At this time, it is desirable that the elements constituting the midway data storage unit 23 are not displayed. Alternatively, the entire other frame may be hidden. Note that the storage area of information applied to the frame in the browser screen area is secured in the RAM 2002, so the midway data storage unit 23 physically corresponds to a part of the storage area of the RAM 2002.

  Further, the intermediate data storage unit 23 may be composed of a plurality of elements in accordance with the number of intermediate data written to other frames. Alternatively, the intermediate data storage unit 23 may store a plurality of intermediate data connected by a predetermined separator character in one element. The intermediate data storage unit 23 may be included in one frame other than the first frame, or may be included in a plurality of frames other than the first frame.

  Further, the intermediate data stored in the intermediate data storage unit 23 in another frame is not rewritten even if the server 3 requests authentication by the authentication request unit 22 functioning in the first frame. On the other hand, the information applied to the first frame is rewritten when the authentication request unit 22 requests authentication from the server 3.

  For example, the case where the midway data storage unit 23 stores the password acquired by the authentication request unit 22 via the first frame as midway data will be described. In this case, the user ID and password input in the first frame and held in the first frame are information received from the server 3 when the authentication requesting unit 22 requests the server 3 to authenticate from the first frame. Because it is rewritten by, it is not retained. On the other hand, the password stored in the intermediate data storage unit 23 in another frame is held in the other frame even after the authentication request unit 22 requests authentication from the first frame to the server 3. .

  When the authentication result information received from the server 3 indicates successful authentication, the shared key generation unit 24 generates a shared key used for encrypted communication with the server 3 based on the intermediate data stored in the intermediate data storage unit 23. .

  At this time, the shared key generation unit 24 functions in the first frame, and may read the intermediate data from the intermediate data storage unit 23 to generate the shared key.

  For example, the shared key generation unit 24 may generate a value obtained by encrypting a password stored in the midway data storage unit 23 with a predetermined encryption algorithm as a shared key used for encrypted communication with the server 3.

  The shared key storage unit 25 stores the shared key generated in another frame. At this time, the frame including the shared key storage unit 25 may be the same as or different from the frame including the midway data storage unit 23 as long as it is a frame other than the first frame. .

  Next, the configuration of each part of the server 3 will be described.

  The authentication information storage unit 31 stores authentication information registered in advance. The authentication information stored in the authentication information storage unit 31 is issued in advance to the service provision target.

  For example, the authentication information storage unit 31 may store a user ID and its password in association with each other.

  Based on the authentication information storage unit 31, the authentication unit 32 determines whether to authenticate authentication information requested to be authenticated by the terminal 2. Then, the authentication unit 32 transmits information indicating authentication success or authentication failure to the terminal 2.

  For example, when authentication is requested by receiving a hash value of a password and a user ID from the terminal 2, the authentication unit 32 acquires a password associated with the received user ID from the authentication information storage unit 31. Then, the authentication unit 32 verifies whether or not the value obtained by applying the predetermined one-way hash function to the acquired password is equal to the hash value of the received password. And the authentication part 32 transmits the information showing an authentication success or an authentication failure to the terminal 2 based on whether these values are equal.

  When the authentication unit 32 determines that the authentication information is to be authenticated, the shared key generation unit 33 generates a shared key to be used for encrypted communication with the terminal 2 based on the intermediate data used when authenticating the authentication information. .

  For example, the shared key generation unit 33 may generate a value obtained by encrypting the password acquired from the authentication information storage unit 31 with a predetermined encryption algorithm as a shared key used for encrypted communication with the terminal 2.

  The operation of the communication system 1 configured as described above will be described with reference to the sequence diagram of FIG.

  First, the screen area dividing unit 21 of the terminal 2 divides a browser screen area for displaying content into a plurality of frames (step S1).

  Next, the authentication request unit 22 requests the server 3 to authenticate the authentication information acquired through the first frame among the plurality of frames (step S2).

  For example, as described above, the authentication request unit 22 acquires the user ID and password from the input device via the input screen displayed in the first frame, and includes the hash value of the acquired password and the user ID May be transmitted to the server 3.

  Next, the authentication request unit 22 writes the intermediate data used when requesting the authentication in step S2 to the intermediate data storage unit 23 in a frame other than the first frame (step S3).

  For example, the authentication request unit 22 may write the password in the intermediate data storage unit 23 as described above.

  The authentication unit 32 of the server 3 requested for authentication from the terminal 2 verifies the authentication information requested for authentication based on the authentication information storage unit 31 (step S4).

  For example, the authentication unit 32 acquires a password associated with the received user ID from the authentication information storage unit 31. And the authentication part 32 may verify whether the hash value of the acquired password and the received hash value correspond.

  If it is determined that the authentication information is not authenticated (No in step S5), the authentication unit 32 transmits authentication result information indicating an authentication failure to the terminal 2 (step S6).

  On the other hand, if it is determined to authenticate the authentication information (Yes in step S5), the authentication unit 32 transmits authentication result information indicating successful authentication to the terminal 2 (step S7).

  Next, the shared key generation unit 33 generates a shared key based on the intermediate data used when verifying the authentication information in step S4 (step S8).

  For example, the shared key generation unit 33 may generate a shared key by applying a predetermined encryption algorithm to the password acquired from the authentication information storage unit 31 when verifying the authentication information in step S4.

  Upon receiving the authentication result information, the authentication request unit 22 of the terminal 2 determines whether or not the authentication result information represents a successful authentication (step S9).

  Here, when the authentication result information indicates an authentication failure, the terminal 2 ends the key exchange operation with authentication.

  For example, the terminal 2 may display the information indicating the authentication failure in the first frame and then terminate the authenticated key exchange operation.

  On the other hand, when the authentication result information indicates that the authentication is successful, the shared key generation unit 24 reads the intermediate data written to the intermediate data storage unit 23 (step S10).

  Next, the shared key generation unit 24 generates a shared key based on the read intermediate data (step S11).

  For example, the shared key generation unit 24 may generate a shared key by applying a predetermined encryption algorithm to the password held in the midway data storage unit 23.

  Next, the shared key generation unit 24 writes the shared key generated in step S11 to the shared key storage unit 25 in another frame (step S12).

  Thereafter, the terminal 2 performs cryptographic communication with the server 3 using a shared key held in another frame. The server 3 performs encrypted communication with the terminal 2 using the generated shared key.

  The encrypted communication using the generated shared key is performed until the browser is terminated or the shared key is deleted from another frame.

  Above, description of operation | movement of the communication system 1 is complete | finished.

  Next, effects of the first exemplary embodiment of the present invention will be described.

  The communication system as the first embodiment of the present invention performs encrypted communication after user authentication between a terminal equipped with a browser having a restriction that prevents access to the memory of the terminal and a server that does not have a server certificate. be able to.

  The reason is that the terminal according to the first embodiment of the present invention uses the first frame in the browser screen area to perform authenticated key exchange with the server, and is used when performing authenticated key exchange. This is because halfway data is written to other frames. That is, the terminal in the first embodiment of the present invention uses another frame as a memory.

  As a result, the terminal according to the first exemplary embodiment of the present invention is used to generate a shared key even if information based on authenticated key exchange is transmitted to and received from the server and the content of the first frame is rewritten. This is because halfway data can be held in another frame. Therefore, the terminal according to the first embodiment of the present invention can receive the service of a server that employs an authenticated key exchange technique that requires holding data midway without accessing a storage device inside the terminal. Because it can.

(Second Embodiment)
Next, a second embodiment of the present invention will be described in detail with reference to the drawings. Note that, in each drawing referred to in the description of the present embodiment, the same reference numerals are given to the same configuration and steps that operate in the same manner as in the first embodiment of the present invention, and the detailed description in the present embodiment. Description is omitted.

  First, FIG. 5 shows a functional block configuration of a communication system 4 as a second embodiment of the present invention. In FIG. 5, the communication system 4 includes a terminal 5 and a server 6. Further, the terminal 5 and the server 6 are connected to each other via a network so that they can communicate with each other. Although FIG. 5 shows one terminal 5, the number of terminals 5 in the present invention is not limited.

  Here, the hardware configuration of the communication system 4 is the same as the hardware configuration of the communication system 1 as the first embodiment of the present invention described with reference to FIG. The detailed explanation is omitted.

  In FIG. 5, the terminal 5 is different from the terminal 2 in the first exemplary embodiment of the present invention in that the authentication request unit 52 is replaced with the authentication request unit 22 and the shared key generation unit 54 is replaced with the shared key generation unit 24. And a terminal application receiving unit 56 and a terminal application executing unit 57 are different. The authentication request unit 52 includes an authentication request data generation unit 521 and a response generation unit 522.

  In FIG. 5, the server 6 is different from the server 3 according to the first embodiment of the present invention in that the authentication unit 62 is replaced with the authentication unit 32 and the shared key generation unit 63 is replaced with the shared key generation unit 33. And a terminal application storage unit 64 and a terminal application transmission unit 65. The authentication unit 62 includes a challenge generation unit 621 and a response verification unit 622.

  Here, the terminal application reception unit 56 includes a CPU 2001 that executes a computer program and a network interface 2005. The terminal application execution unit 57 includes a CPU 2001 that executes a computer program.

  The terminal application storage unit 64 includes a storage device 3004. The terminal application transmission unit 65 includes a CPU 3001 that executes a computer program and a network interface 3005.

  Next, the configuration of each part of the terminal 5 and the server 6 will be described.

  The authentication request data generation unit 521 generates authentication request data for starting an authentication request and transmits the authentication request data to the server 6. Then, the authentication request data generation unit 521 stores the intermediate data used when generating the authentication request data in the intermediate data storage unit 23.

  For example, if the authentication information includes a user ID and a password, the authentication request data generation unit 521 may generate authentication request data including the user ID and transmit it to the server 6.

  The response generation unit 522 generates response data based on challenge data and intermediate data, which will be described later, and transmits the response data to the server 6. Then, the response generation unit 522 adds the intermediate data used when generating the response data to the intermediate data storage unit 23 and stores it.

  The shared key generation unit 54 generates a shared key based on the intermediate data stored in the intermediate data storage unit 23 by the authentication request data generation unit 521 and the response generation unit 522.

  The terminal application receiving unit 56 receives a terminal application from the server 6. The terminal application will be described later. Here, the terminal application reception unit 56 is configured by a browser installed in the terminal 5. For example, the terminal application receiving unit 56 may receive a terminal application from the server 6 by accessing a predetermined URL (Uniform Resource Locator) provided by the server 6.

  The terminal application execution unit 57 executes the received terminal application. For example, the terminal application execution unit 57 is configured by an application execution engine incorporated in a browser. The application execution engine executes an application included in the content displayed by the browser.

  The challenge generation unit 621 generates random challenge data in response to receiving authentication request data from the terminal 5. Then, the challenge generation unit 621 transmits the generated challenge data to the terminal 5.

  From the viewpoint of safety, the challenge data is desirably random data that is different for each authentication.

  The response verification unit 622 verifies response data received from the terminal 5. Then, the response verification unit 622 determines whether to authenticate the authentication information.

  Specifically, the response verification unit 622 determines that the received response data is based on correct authentication information based on the authentication request data received by the challenge generation unit 621 and the challenge data generated by the challenge generation unit 621. It is determined whether or not it is generated.

  The shared key generation unit 63 generates a shared key based on the intermediate data used by the challenge generation unit 621 and the response verification unit 622.

  The terminal application storage unit 64 stores a terminal application for causing the terminal 5 to function as the screen area dividing unit 21, the authentication request unit 52, the midway data storage unit 23, the shared key generation unit 54, and the shared key storage unit 25. To do.

  The terminal application transmission unit 65 transmits the above-described terminal application to the terminal 5. For example, the terminal application transmission unit 65 may transmit the terminal application in response to access from the terminal 5 to a predetermined URL.

  The operation of the communication system 4 configured as described above will be described with reference to FIG.

  First, the terminal application transmission unit 65 of the server 6 transmits a terminal application to the terminal 5. Then, the terminal application receiving unit 56 of the terminal 5 receives the terminal application (step S21).

For example, the terminal application transmission unit 65 may transmit the terminal application in response to a request from the terminal application reception unit 56 (browser) activated in the terminal 5.

  Next, the terminal application execution unit 57 executes a terminal application (step S22). Accordingly, the terminal 5 functions as the screen area dividing unit 21, the authentication request unit 52, the midway data storage unit 23, the shared key generation unit 54, and the shared key storage unit 25.

  Next, the screen area dividing unit 21 divides the browser screen area displaying the content into a plurality of frames (step S23).

  Next, the authentication request data generation unit 521 displays an authentication information input screen in the first frame, and acquires the authentication information from the input device 2007 via the first frame. Then, the authentication request data generation unit 521 generates authentication request data for starting an authentication request using the acquired authentication information (step S24).

  For example, the authentication request data generation unit 521 may acquire a user ID and password from the input screen of the first frame, and generate authentication request data including the acquired user ID.

  Next, the authentication request data generation unit 521 writes the intermediate data used when generating the authentication request data in step S24 to the intermediate data storage unit 23 (step S25).

  For example, the authentication request data generation unit 521 may write information including the user ID and password to the midway data storage unit 23.

  At this time, it is desirable that the midway data storage unit 23 is not displayed from the viewpoint of safety.

  Next, the authentication request data generation unit 521 transmits the authentication request data generated in step S24 to the server 6 (step S26).

  The challenge generation unit 621 of the server 6 that has received the authentication request data generates challenge data (step S27). Then, the challenge generation unit 621 transmits the generated challenge data to the terminal 5 (step S28).

  At this time, from the viewpoint of safety, the challenge data is desirably a random value that is different for each authentication.

  The response generation unit 522 of the terminal 5 that has received the challenge data generates response data based on the challenge data and the intermediate data stored in the intermediate data storage unit 23 (step S29).

  For example, the response generation unit 522 may generate response data based on the challenge data and the password.

  At this time, since the challenge data is a random value, the response data when receiving authentication of the same authentication information is different each time.

  Next, the response generation unit 522 adds the intermediate data used when generating the response data to the intermediate data storage unit 23 and stores it (step S30).

  Thereby, the intermediate data storage unit 23 stores the data written in step S25 and the data written in step S30.

  Again, from the viewpoint of safety, it is desirable that the midway data storage unit 23 is not displayed.

  Next, the response generation unit 522 transmits the response data generated in step S30 to the server 6 (step S31).

  The response verification unit 622 of the server 6 that has received the response data verifies the received response data based on the authentication request data received in step S26 and the challenge data generated in step S27 (step S32).

  For example, the response verification unit 622 acquires a password associated with the user ID included in the authentication request data from the authentication information storage unit 31. Then, the response verification unit 622 determines whether the response data generated based on the challenge data generated in step S27 and the password acquired from the authentication information storage unit 31 matches the response data received in step S31. You may make it judge.

  Next, when the authentication fails due to the verification of the response data (No in step S33), the response verification unit 622 transmits authentication result information indicating the authentication failure to the terminal 5 (step S34).

  Then, the server 6 ends the key exchange process with authentication.

  On the other hand, when the authentication is successful by verifying the response data (Yes in step S33), the response verification unit 622 transmits authentication result information indicating the authentication success to the terminal 5 (step S35).

  Next, the shared key generation unit 63 generates a shared key based on the intermediate data and authentication request data used when verifying the response data (step S36).

  Next, when the authentication result information indicates an authentication failure (No in step S37), the terminal 5 that has received the authentication result information ends the key exchange process with authentication.

  At this time, the terminal 5 may obtain new authentication information from the input device 2007 by displaying the authentication information input screen again in the first frame. In this case, the communication system 4 executes the operation from step S24 again. However, in this case, from the viewpoint of safety, the server 6 sets a limit on the number of times the authentication request data is retransmitted, and terminates the operation when the number of retransmissions continuously exceeds a predetermined number. The above rules may be established.

  On the other hand, when the authentication result information indicates successful authentication (Yes in step S37), the shared key generation unit 54 reads the intermediate data from the intermediate data storage unit 23 (step S38).

  Next, the shared key generation unit 54 generates a shared key based on the read halfway data (step S39).

  Next, the shared key generation unit 54 stores the generated shared key in the shared key storage unit 25 (step S40).

  Thereafter, the terminal 5 performs encrypted communication with the server 6 using the shared key stored in the shared key storage unit 25. Further, the server 6 performs encrypted communication with the terminal 5 by temporarily storing the shared key generated in step S36 in a storage device inside the server 6.

  Above, description of operation | movement of the communication system 4 is complete | finished.

  Next, effects of the second exemplary embodiment of the present invention will be described.

  The communication system as the second exemplary embodiment of the present invention is a secure key exchange with authentication between a terminal equipped with a browser having a restriction that prevents access to a storage device of a terminal and a server that does not have a server certificate. Can be further improved.

  The reason is that the intermediate data used when performing the key exchange with authentication is held in another frame, so that a technique of key exchange with authentication strong against a replay attack like the challenge response method can be adopted. Here, in the challenge-response method, the terminal needs to temporarily store intermediate data used for transmission / reception of information with the server a plurality of times. At this time, even when using a terminal equipped with a browser that cannot access the memory by holding the intermediate data in other frames as described above, the intermediate data used when performing key exchange with authentication This is because can be temporarily stored a plurality of times.

  Further, in the communication system as the second embodiment of the present invention, even if the browser has a restriction that cannot access the storage device of the terminal, as long as the terminal has a browser having a frame function and an application execution function, It is possible to receive a service using a highly secure key exchange with authentication.

  The reason for this is that a terminal application that allows a terminal having a browser that cannot access the storage device of the terminal to exchange an authenticated key with the server is stored on the server side, and the terminal application is transferred from the server to the terminal. It is because it transmits. For this reason, it is not necessary for the terminal to have a special application, and if a browser having a frame function and an application execution function is mounted, a highly secure key exchange with authentication can be performed with the server. It is.

<First Operation Example of Second Embodiment>
Next, an operation example in the case of applying elliptic Diffie-Hellman key exchange as a technology for authenticated key exchange in the second embodiment of the present invention will be described with reference to FIG.

  Here, first, elliptical Diffie-Hellman key exchange will be described.

  Elliptical Diffie-Hellman key exchange is a technique in which user A and user B share a shared key used for cryptographic communication, and has been proved to be mathematically secure.

First, let g be the group generator on the elliptic curve and q be the order of the group on the elliptic curve. Also, g and q are assumed to be shared between user A and user B.
[Step 1]: User A selects an arbitrary value r1 of 0 or more and q−1 or less, and calculates [r1] g.

Here, [r1] g represents that the binomial operation defined for the group on the elliptic curve is repeatedly applied to the generator g r1 times. That is, if a binary operation is defined as an addition, [r1] g represents r1 times g. User A then sends [r1] g to user B.
[Step 2]: User B selects an arbitrary value r2 between 0 and q−1 and calculates [r2] g. User B then sends [r2] g to user A.
[Step 3]: User A and User B use [r2] g and [r1] g received and r1 and r2 selected by themselves, respectively, and [r1r2] g = [r1] ([r2] g ) = [r2] ([r1] g) is calculated. User A and user B use [r1r2] g as a shared key.

  This elliptic Diffie-Hellman key exchange is a technique whose security has been mathematically proven based on the discrete logarithm assumption on the elliptic curve that it is difficult to obtain r from [r] g.

  Next, an operation example of the communication system 4 when such an elliptic Diffie-Hellman key exchange is adopted will be described with reference to the sequence diagram of FIG.

  First, in response to a request from the terminal 5, the terminal application transmitter 65 of the server 6 transmits a terminal application to the terminal 5 (step S21).

  At this time, the server 6 transmits the group order q on the elliptic curve and the group generation source g together with the terminal application to the terminal 5.

  The terminal application to be transmitted causes the terminal 5 to function as the screen area dividing unit 21, the authentication request data generating unit 521, the response generating unit 522, the midway data storage unit 23, and the shared key generating unit 54. The terminal application includes a hash function H and a hash function G.

  Here, the hash function H is a hash function that takes an arbitrary character string as input, and outputs points on a group on an elliptic curve having an order q and a generation source g. The hash function G is a hash function that receives an arbitrary character string and outputs a k-bit character string. K is a security parameter. From the viewpoint of safety, k is preferably 160 or more.

  Next, the terminal application execution unit 57 of the terminal 5 executes the received terminal application (step S22).

  Next, the screen area dividing unit 21 displays a page composed of two frames on the browser (step S23). Hereinafter, the two frames displayed on the browser are referred to as frame 1 and frame 2. The frame 1 constitutes an embodiment of the first frame of the present invention, and the frame 2 constitutes an embodiment of another frame of the present invention.

  Next, the authentication request data generation unit 521 generates authentication request data as follows (step S24).

  In step S24, first, the authentication request data generation unit 521 acquires the user ID “userID” and the password “pw” via the frame 1.

  Next, the authentication request data generation unit 521 selects an arbitrary value r1 of 0 or more and q−1 or less.

  Further, the authentication request data generation unit 521 randomly selects a k-bit sid.

  Then, the authentication request data generation unit 521 generates [r1] H (sid || pw) as authentication request data.

  Next, the authentication request data generation unit 521 stores g, q, r1, pw, and sid used in step S24 in the midway data storage unit 23 of frame 2 (step S25).

  Next, the authentication request data generation unit 521 sends [r1] H (sid || pw), userID, and sid as authentication request data to the server 6 (step S26).

  The challenge generation unit 621 of the server 6 that has received [r1] H (sid || pw), userID, sid as authentication request data generates challenge data as follows (step S27).

  In step S27, first, the challenge generation unit 621 acquires the password pw associated with the received userID from the authentication information storage unit 31.

  Furthermore, the challenge generation unit 621 selects an arbitrary r2 that is 0 or more and q−1 or less, and calculates [r2] H (sid || pw).

  The challenge generation unit 621 calculates [r1r2] H (sid || pw) = [r2] ([r1] H (sid || pw)).

  Then, the challenge generation unit 621 generates K0 = G (sid || [r1r2] H (sid || pw) || 0) as challenge data.

  Next, the challenge generation unit 621 sends K0 and [r2] H (sid || pw) to the terminal 5 (step S28).

  The response generation unit 522 of the terminal 5 that has received K0 and [r2] H (sid || pw) as challenge data generates response data as follows (step S29).

  In step S29, first, the response generation unit 522 reads g, q, r1, and sid from the midway data storage unit 23 of the frame 2.

  Further, the response generation unit 522 calculates [r1r2] H (sid || pw) = [r1] ([r2] H (sid || pw)).

  Further, the response generation unit 522 calculates G (sid || [r1r2] H (sid || pw) || 0) and confirms whether or not it matches K0 of the received challenge data. At this time, if the calculated K0 does not match the received K0, the terminal 5 stops operating.

  On the other hand, when the calculated K0 matches the received K0, the response generation unit 522 generates K1 = G (sid || [r1r2] H (sid || pw) || 1) as response data.

  Next, the response generation unit 522 adds [r1r2] H (sid || pw) used in step S29 to the midway data storage unit 23 of frame 2 (step S30).

  Next, the response generation unit 522 sends K1 as response data to the server 6 (step S31).

  The response verification unit 622 of the server 6 that has received K1 as response data uses [r1r2] H (sid || pw) used when generating challenge data in step S27 and the sid received in step S26. G (sid || [r1r2] H (sid || pw) || 1) is calculated, and it is verified whether or not it matches K1 of the received response data (step S32).

At this time, if the calculated K1 and the received K1 do not match (No in step S33), the response verification unit 622 sends verification result information indicating an authentication failure to the terminal 5 (step S34). Then, the server 6 ends the key exchange operation with authentication. On the other hand, when the calculated K1 matches the received K1 (Yes in step S33), the response verification unit 622 displays verification result information indicating the authentication success in the terminal 5 (step S35).

  Then, the shared key generation unit 63 generates K2 = G (sid || [r1r2] H (sid || pw) || 2) as a shared key (step S36).

  The terminal 5 that has received the verification result information ends the authenticated key exchange operation when the verification result information indicates an authentication failure (No in step S37).

  On the other hand, if the verification result information indicates successful authentication (Yes in step S37), the shared key generation unit 54 reads [r1r2] H (sid || pw), sid from the midway data storage unit 23 of frame 2 (step S37). S38).

  Next, the shared key generation unit 54 generates K2 = G (sid || [r1r2] H (sid || pw) || 2) as a shared key based on the intermediate data read in step S38 (step S38). S39).

  Next, the shared key generation unit 54 stores the shared key K2 generated in step S39 in the shared key storage unit 25 of frame 2 (step S40).

  Thereafter, the terminal 5 performs encrypted communication with the server 6 using the shared key K2 stored in the shared key storage unit 25. Further, the server 6 performs encrypted communication with the terminal 5 by temporarily storing the shared key K2 generated in step S36 in a storage device inside the server 6.

  Above, description of the operation example of the communication system 4 which employ | adopted elliptical Diffie-Hellman key exchange is complete | finished.

  Next, the effect of the second exemplary embodiment of the present invention that employs elliptical Diffie-Hellman key exchange will be described.

  The communication system as the second exemplary embodiment of the present invention adopts elliptic Diffie-Hellman key exchange, so that a server equipped with a browser having a restriction that cannot access the storage device of the terminal, and the server, It is possible to improve resistance to replay attacks against authenticated key exchange, man-in-the-middle attacks, online dictionary attacks, and server impersonation.

  First, the reason why the communication system adopting the elliptic Diffie-Hellman key exchange is resistant to the replay attack will be described. This is because even if the attacker performs a replay attack, the secret information r1 in the terminal 5 cannot be obtained from the public information [r1] H (sid || pw) transmitted from the terminal to the server. Further, r2 selected by the server 6 takes a different value every time, and K0 = G (sid || [r1r2] H (sid || pw) || 0) cannot be calculated. Therefore, an attacker who performs a replay attack cannot calculate the response data K1 and the shared key K2.

  In addition, the reason why the communication system employing the elliptic Diffie-Hellman key exchange is resistant to man-in-the-middle attacks will be described. Because, even if an attacker performs a man-in-the-middle attack, secret information r1 and r2 cannot be obtained from public information [r1] H (sid || pw) and [r2] H (sid || pw), respectively. Therefore, [r1r2] H (sid || pw) and K0, K1, K2 cannot be calculated.

  Furthermore, the reason why the communication system adopting the elliptic Diffie-Hellman key exchange is resistant to online dictionary attacks will be explained. This is because an attacker needs to perform a dictionary attack on r1, r2 and pw in order to obtain the shared key K2. This is because an online dictionary attack can be made impossible by setting the lengths of r1 and r2 to a length that makes dictionary attack difficult.

  Furthermore, the reason why the communication system that employs the elliptic Diffie-Hellman key exchange is resistant to server impersonation will be described. This is because the attacker does not know the user's password and cannot calculate K0, K1, K2.

  Note that when performing an authenticated key exchange based on such an elliptic Diffie-Hellman key exchange, the terminal uses the password pw, the secret information r1 selected by the terminal, and the public information [r2] H (sid It is necessary to temporarily store intermediate data such as || pw). The communication system as the second exemplary embodiment of the present invention can be used even if the terminal is equipped with a browser having a restriction that cannot access the memory in the terminal, by providing a midway data storage unit in another frame. Can be temporarily stored. Therefore, the communication system as the second exemplary embodiment of the present invention employs elliptic Diffie-Hellman key exchange, and can improve resistance to various attacks.

  Note that the communication system according to the second embodiment of the present invention has the same effect even when the authenticated key exchange technique described in Non-Patent Document 1 and Non-Patent Document 2 is employed, for example. Not too long.

<Second Operation Example of Second Embodiment>
Next, in the second embodiment of the present invention, an operation example when performing key exchange with authentication using public key cryptography will be described. Here, description will be made assuming that RSA encryption is used as an example of public key encryption.

  First, RSA encryption will be described.

RSA cryptography is a public key cryptosystem composed of three procedures: a key setup phase, an encryption phase, and a decryption phase. Here, the security parameter is k.
[Key setup phase] (input: security parameter k)
Step 1: The receiver randomly generates two prime numbers p, q of k / 2 bits. Here, “/” represents division.
Step 2: The recipient calculates N = pq.
Step 3: The receiver generates e and d such that ed = 1 mod (p-1) (q-1). Here, “mod” represents a remainder operation.
Step 4: The receiver sets the public key as pk = (e, N) and the secret key as sk = (d, p, q, N).
[Encryption phase] (input: message m, public key pk)
Step 1: The sender encrypts the message m with the public key pk. That is, ciphertext c = RSA_pk (m) = m ^ e mod N is calculated. Here, “^” represents a power.
Step 2: The sender sends the ciphertext c to the receiver.
[Decryption phase] (input: ciphertext c, secret key sk)
Step 1: The receiver decrypts the ciphertext c with the secret key sk. That is, the message m = DEC_sk (c) = c ^ d mod N is calculated.
Step 2: Get message m.

  Here, it is assumed that the prime factorization problem that p and q cannot be obtained from N in a realistic time by selecting a sufficiently large k is difficult. Based on this assumption, it is known that the RSA cipher cannot obtain the secret key sk and the message m from the public key pk and the ciphertext c.

  Next, an example of the operation of the communication system 4 employing such RSA encryption will be described with reference to the sequence diagram of FIG.

In FIG. 8, it is assumed that the public key pk = (e, N) and the secret key sk = (d, p, q, N) of the server 6 are determined in advance. In addition, it is assumed that the security parameter k is predetermined. From the viewpoint of safety, k is preferably 1024 or more. Further, it is assumed that k_1 is set as another security parameter. From the viewpoint of safety, it is desirable that k_1 is 160 or more. First, in response to a request from the terminal 5, the terminal application transmitting unit 65 of the server 6 transmits the terminal application to the terminal 5 (step S21). ).

  Here, the transmitted terminal application causes the terminal 5 to function as the screen area dividing unit 21, the authentication request data generating unit 521, the response generating unit 522, the midway data storage unit 23, and the shared key generating unit 54. The terminal application includes a hash function G and a hash function H. The hash function G is a hash function that receives an arbitrary character string and outputs a k-k_1 bit character string. The hash function H is a hash function that receives an arbitrary character string and outputs a k_1-bit character string.

  In step S21, from the viewpoint of security, it is desirable that the URL of the terminal application sent to the user includes H (pk) that is a hash value of the public key. If the browser installed in the terminal has a restriction on the length of the URL of the access destination, a part of h (pk), for example, the first few bits may be included in the URL. In the following description, it is assumed that H (pk) is included in the URL.

  Next, the terminal application execution unit 57 of the terminal 5 executes the received terminal application (step S22).

  Next, the screen area dividing unit 21 displays a page composed of two frames on the browser (step S23). Hereinafter, the two frames displayed on the browser are referred to as frame 1 and frame 2. The frame 1 constitutes an embodiment of the first frame of the present invention, and the frame 2 constitutes an embodiment of another frame of the present invention.

  Next, the authentication request data generation unit 521 generates authentication request data as follows (step S24).

  In step S24, first, the authentication request data generation unit 521 acquires the user ID “userID” and the password “pw” via the input screen displayed in the frame 1.

  Next, the authentication request data generation unit 521 generates a request message including userID as authentication request data.

  Next, the authentication request data generation unit 521 writes the userID and pw used in step S24 into the intermediate data storage unit 23 of the frame 2 as intermediate data (step S25).

  Next, the authentication request data generation unit 521 sends the request message generated in step S24 to the server 6 (step S26).

  Upon receiving the request message, the challenge generation unit 621 of the server 6 selects the random number r2 and the public key pk as challenge data by randomly selecting k2 bits of r2 (step S27).

  Next, the challenge generation unit 621 sends r2 and pk as challenge data to the terminal 5 (step S28).

  The response generation unit 522 of the terminal 5 that has received r2 and pk generates response data as follows (step S29).

  In step S <b> 29, first, the response generation unit 522 reads pw from the halfway data storage unit 23 of the frame 2.

  Next, the response generation unit 522 verifies whether the H (pk) included in the URL matches the H (pk) generated using the received pk. That is, the response generation unit 522 determines whether or not the public key has been altered. Here, when they do not match (when the public key is altered), the terminal 5 ends the key exchange operation with authentication.

  On the other hand, when they match (when the public key has not been altered), the response generation unit 522 selects the k_1-bit random number r1.

  Next, the response generation unit 522 calculates c = G (r2 || r1 || pw || 0).

  Further, the response generation unit 522 generates E = RSA_pk (r1 || c) as response data.

  Next, the response generation unit 522 adds r1 and r2 used in step S28 to the midway data storage unit 23 of frame 2 (step S30).

  Next, the response generation unit 522 sends the response data E to the server 6 (step S31).

  The response verification unit 622 of the server 6 that has received the response E verifies the response data as follows (step S32).

  In step S32, first, the response verification unit 622 obtains authentication information to be verified by decrypting the received response data E using the secret key sk corresponding to the public key pk. That is, the response verification unit 622 obtains r1, c by calculating r1 || c = DEC_sk (E).

  Further, the response verification unit 622 determines whether to authenticate the authentication information obtained by the decryption.

  Specifically, the response verification unit 622 acquires the password pw corresponding to userID included in the authentication request data received in step S <b> 26 with reference to the authentication information storage unit 31.

  Next, the response verification unit 622 calculates H (r2 || r1 || pw || 0) based on the acquired pw, r1 obtained in step S32, and the random number r2 selected by the own apparatus.

  Then, the response verification unit 622 confirms whether the calculated H (r2 || r1 || pw || 0) matches the ciphertext c (step S33).

  Here, if they do not match, the response verification unit 622 sends verification result information indicating verification failure to the terminal 5 (step S34), and stops the subsequent key exchange operation with authentication.

  On the other hand, if they match, the response verification unit 622 sends verification result information indicating the verification success to the terminal 5 (step S35).

  Next, the shared key generation unit 63 generates K = H (r1 || r2 || pw || 1) as a shared key based on r1, r2, and pw (step S36).

  Next, the terminal 5 that has received the verification result information ends the authenticated key exchange process when the verification result information indicates an authentication failure (No in step S37).

  If the verification result information indicates successful authentication (Yes in step S37), the shared key generation unit 54 reads r1, r2, and pw from the midway data storage unit 23 of frame 2 (step S38).

  Next, the shared key generation unit 54 generates K = H (r1 || r2 || pw || 1) as a shared key (step S39).

  Next, the shared key generation unit 54 stores the shared key K in the shared key storage unit 25 of the frame 2 (Step S40).

  Thereafter, the terminal 5 performs encrypted communication with the server 6 using the shared key K stored in the shared key storage unit 25. Further, the server 6 performs encrypted communication with the terminal 5 by temporarily storing the shared key K generated in step S36 in a storage device inside the server 6.

  Above, description of operation | movement of the communication system 4 using RSA encryption is complete | finished.

  Next, the effect of the second embodiment of the present invention using RSA encryption will be described.

  A communication system as a second embodiment of the present invention employs a key exchange with authentication using RSA encryption, and a server equipped with a terminal having a browser that has a restriction that prevents access to a storage device of the terminal, and a server In the meantime, it is possible to improve resistance to replay attacks against authenticated key exchange, man-in-the-middle attacks, online dictionary attacks, and server impersonation.

  First, the reason why the communication system according to the second embodiment of the present invention that performs authenticated key exchange using RSA encryption is resistant to a replay attack will be described. This is because, even if the attacker performs a replay attack, by changing the random number r2 selected by the server each time, the c and the shared key K used when generating the response data can be changed every time. .

  The reason why the communication system according to the second embodiment of the present invention that performs authenticated key exchange using RSA encryption is resistant to man-in-the-middle attacks and online dictionary attacks will be described. This is because, even if an attacker performs a man-in-the-middle attack or an online dictionary attack, it is difficult to obtain r1 and c from the ciphertext E due to the security of the RSA cipher. Therefore, the attacker cannot calculate the shared key K.

  Furthermore, the reason why the communication system according to the second embodiment of the present invention that performs authenticated key exchange using RSA encryption is resistant to impersonation of the server will be described. This is because, when an attacker tries to impersonate a server, in order to impersonate a public key, it is necessary to generate pk ′ whose hash value matches the hash value H (pk) included in the URL. However, this is difficult due to the security of the hash function.

  Moreover, even if an attacker performs an attack while using the public key of a real server, it is difficult to obtain a secret key or decrypt a ciphertext because of the security of RSA encryption. Therefore, it is difficult for an attacker to obtain the shared key K. However, in this case, since the terminal correctly ends the authenticated key exchange process, it cannot be determined that the attacker has been impersonating.

  However, in later encrypted communication, the data sent from the terminal is encrypted by K, so that the attacker cannot decrypt it. Therefore, unless the H (pk) in the terminal is rewritten illegally, it is difficult to impersonate the server.

  Note that when performing key exchange with authentication using RSA encryption in this way, the terminal temporarily stores the password pw, the secret information r1 selected by the terminal, and the public information r2 received from the server. There is a need to. The communication system according to the second embodiment of the present invention can provide a communication data storage unit in another frame even if the terminal is equipped with a browser having a restriction that cannot access the memory in the terminal. Information can be temporarily stored. Therefore, the communication system as the second exemplary embodiment of the present invention can adopt the key exchange with authentication using the RSA cipher and improve the resistance against various attacks.

  Note that the communication system as the second exemplary embodiment of the present invention may perform authenticated key exchange using public key encryption other than RSA encryption, such as El Gamal encryption or elliptic El Gamal encryption. In particular, the communication system according to the second embodiment of the present invention is publicly disclosed that satisfies the strength safety, such as RSA-OAEP (Optimal Asymmetric Encryption Padding) encryption and Cramer-Shoup encryption, from the viewpoint of security. It is desirable to use key encryption.

  Further, in the second embodiment of the present invention, the terminal application stored in the terminal application storage unit of the server may be configured by the content 9 having the data structure shown in FIG. In FIG. 9, the content 9 includes frame structure information 91, first frame information 92, and other frame information 93.

  The frame structure information 91 includes structure information of a plurality of frames constituting the browser screen area. The frame structure information 91 is read by a browser installed in the terminal and applied to the browser screen area, thereby constituting an embodiment of the screen area dividing unit of the present invention.

  The first frame information is information applied to the first frame among the plurality of frames.

  The first frame information requests authentication of the authentication information acquired via the first frame to the server via the first frame, and when the authentication result information received from the server represents authentication success, It includes a key exchange application with authentication for generating a shared key used for encrypted communication with the server based on intermediate data used when requesting authentication from the server.

  The first frame information is executed in the first frame by an application execution engine incorporated in a browser installed in the terminal, thereby constituting an embodiment of the authentication request unit and the shared key generation unit of the present invention. To do.

  The other frame information 93 is information applied to other frames other than the first frame.

  The other frame information 93 includes an intermediate data storage field for storing intermediate data used when requesting authentication of authentication information from the server, and a shared key storage field for storing a shared key. The intermediate data storage field and the shared key storage field are preferably set to non-display. The intermediate data storage field and the shared key storage field constitute an embodiment of the intermediate data storage information and the shared key storage information in the data structure of the present invention.

  Further, the other frame information 93 is read by a browser installed in the terminal and applied to another frame, thereby constituting an embodiment of the intermediate data storage unit and the shared key storage unit of the present invention.

  Such a data structure of the content 9 constitutes an embodiment of the data structure of the present invention.

  In each of the embodiments of the present invention described above, the server operation described with reference to each sequence diagram is stored as a computer program of the present invention in a storage device (storage medium) of the server, and the computer The program may be read and executed by the CPU. In such a case, the present invention is constituted by the code of the computer program or a storage medium.

  In each embodiment of the present invention described above, the operation of the terminal described with reference to each flowchart is stored in a storage device (storage medium) of a server as a computer program of the present invention. The program may be downloaded by the terminal and read and executed by the CPU of the terminal. In such a case, the present invention is constituted by the code of the computer program or a storage medium.

  Moreover, each embodiment mentioned above can be implemented in combination as appropriate.

  The present invention is not limited to the above-described embodiments, and can be implemented in various modes.

Moreover, although a part or all of said embodiment can be described also as the following additional remarks, it is not restricted to the following.
(Appendix 1)
A communication system comprising a server and a terminal,
The terminal
A screen area dividing unit for dividing a browser screen area for displaying content into a plurality of frames;
An authentication request unit that requests authentication of the authentication information acquired via the first frame from the plurality of frames to the server via the first frame;
A midway data storage unit for storing midway data used when requesting the authentication from the server in a frame other than the first frame;
If the authentication result information received from the server represents authentication success, a shared key generation unit that generates a shared key used for encrypted communication with the server, based on the intermediate data stored in the intermediate data storage unit,
A shared key storage unit for storing the shared key in the other frame;
Have
The server
An authentication information storage unit storing authentication information registered in advance;
Based on the authentication information storage unit, it is determined whether to authenticate authentication information that is required to be authenticated by the terminal, and an authentication unit that transmits authentication result information indicating whether authentication is successful to the terminal;
A shared key generation unit configured to generate the shared key used for encrypted communication with the terminal based on intermediate data used when authenticating the authentication information when the authentication unit determines to authenticate the authentication information; ,
A communication system.
(Appendix 2)
The server
A terminal application storage unit for storing a terminal application for causing the terminal to function as the screen area dividing unit, the authentication request unit, the intermediate data storage unit, the shared key generation unit, and the shared key storage unit;
A terminal application transmitter for transmitting the terminal application to the terminal;
Further comprising
The terminal
A terminal application receiver for receiving the terminal application;
A terminal application execution unit for executing the terminal application;
The communication system according to appendix 1, further comprising:
(Appendix 3)
The authentication request unit of the terminal is
An authentication request for generating authentication request data for starting the authentication request and transmitting it to the server, and storing data used when generating the authentication request data as the intermediate data in the intermediate data storage unit A data generator;
Response data is generated based on random challenge data and the intermediate data received from the server and transmitted to the server, and the data used when generating the response data is used as the intermediate data, the intermediate data storage unit A response generator to store in addition to,
Have
The authentication unit of the server is
A challenge generator for generating the challenge data in response to reception of the authentication request data and transmitting the challenge data to the terminal;
A response verification unit that determines whether to authenticate the authentication information by verifying the response data received from the terminal;
The communication system according to appendix 1 or appendix 2, characterized by comprising:
(Appendix 4)
The terminal application transmitter of the server transmits the terminal application to the terminal by including at least a part of a hash value of the public key of the server in a URL (Uniform Resource Locator) of the terminal application. ,
The challenge generation unit of the server includes the public key in the challenge data and transmits the challenge key to the terminal,
When the response generation unit of the terminal determines that the public key included in the challenge data has not been modified based on the URL of the application for the terminal, and determines that the public key has not been modified, Information that encrypts the authentication information using the public key is included in the response data and transmitted to the server,
The response verification unit of the server determines whether or not to authenticate authentication information obtained by decrypting information included in the response data using a secret key corresponding to the public key. The communication system according to Supplementary Note 3.
(Appendix 5)
An authentication information storage unit storing authentication information registered in advance;
Based on the authentication information storage unit, it is determined whether to authenticate authentication information that is required to be authenticated by the terminal, and an authentication unit that transmits authentication result information indicating whether authentication is successful to the terminal,
When it is determined by the authentication unit to authenticate the authentication information, a shared key generation unit that generates a shared key used for encrypted communication with the terminal based on intermediate data used when authenticating the authentication information;
A server with
(Appendix 6)
A screen area dividing unit for dividing a browser screen area for displaying content into a plurality of frames;
An authentication requesting unit that requests authentication of authentication information acquired via the first frame among the plurality of frames to the server via the first frame;
A midway data storage unit for storing midway data used when requesting the authentication from the server in a frame other than the first frame;
If the authentication result information received from the server represents authentication success, a shared key generation unit that generates a shared key used for encrypted communication with the server, based on the intermediate data stored in the intermediate data storage unit,
A shared key storage unit for storing the shared key in the other frame;
With a terminal.
(Appendix 7)
To the server that communicates with the terminal,
An authentication information storage step of storing authentication information registered in advance in an authentication information storage unit;
An authentication step of determining whether to authenticate authentication information requested to be authenticated by the terminal based on the authentication information storage unit, and transmitting authentication result information indicating whether authentication is successful to the terminal;
In the authentication step, when it is determined to authenticate the authentication information, a shared key generation step for generating a shared key used for encrypted communication with the terminal based on intermediate data used when authenticating the authentication information;
A computer program that runs
(Appendix 8)
On the terminal that communicates with the server,
A screen area dividing step for dividing a browser screen area for displaying content into a plurality of frames;
An authentication requesting step for requesting the server to authenticate the authentication information acquired through the first frame among the plurality of frames;
An intermediate data storage step for storing intermediate data used when requesting the authentication in the authentication request step in an intermediate data storage unit in a frame other than the first frame;
If the authentication result information received from the server represents an authentication success, a shared key generation step for generating a shared key used for encrypted communication with the server, based on the intermediate data stored in the intermediate data storage unit;
A shared key storage step of storing the shared key in a shared key storage unit in the other frame;
A computer program that runs
(Appendix 9)
A data structure of content distributed from a server to a terminal,
Frame structure information in which structures of a plurality of frames constituting a browser screen area in which the content is displayed in the terminal are defined;
Represents information applied to a first frame of the plurality of frames, and requests authentication of authentication information acquired via the first frame from the server via the first frame, and If the authentication result information received from the server indicates successful authentication, an authenticated key exchange application that generates a shared key used for encrypted communication with the server based on intermediate data used when requesting the authentication from the server First frame information including:
Other frame information representing information applied to other frames other than the first frame, including intermediate data storage information for storing the intermediate data, and shared key storage information for storing the shared key;
A data structure containing
(Appendix 10)
Using a server and a terminal
The terminal
Divide the browser screen area that displays content into multiple frames,
Requesting the server to authenticate the authentication information acquired through the first frame of the plurality of frames through the first frame;
The intermediate data used when requesting the authentication to the server is stored in the intermediate data storage in a frame other than the first frame,
The server
Store pre-registered authentication information in the authentication information storage unit,
Based on the authentication information storage unit, it is determined whether to authenticate authentication information required for authentication by the terminal, and transmits authentication result information indicating whether authentication is successful to the terminal,
If it is determined to authenticate the authentication information, based on the intermediate data used when authenticating the authentication information, a shared key used for encrypted communication with the terminal is generated,
The terminal
If the authentication result information received from the server represents an authentication success, based on the intermediate data stored in the intermediate data storage unit, generate the shared key used for encrypted communication with the server,
A communication method for storing the shared key in a shared key storage unit in the other frame.
(Appendix 11)
The terminal
A screen area dividing unit that divides a browser screen area for displaying content into a plurality of frames;
An authentication requesting unit that requests authentication of the authentication information acquired via the first frame from the plurality of frames to the server via the first frame;
An intermediate data storage unit that stores intermediate data used when requesting the authentication from the server in a frame other than the first frame;
If the authentication result information received from the server represents authentication success, a shared key generation unit that generates a shared key used for encrypted communication with the server, based on the intermediate data stored in the intermediate data storage unit, and
A shared key storage unit for storing the shared key in the other frame;
A terminal application storage unit that stores a terminal application for functioning as:
A terminal application transmitter for transmitting the terminal application to the terminal;
The server according to appendix 5, further comprising:
(Appendix 12)
Terminal application reception for receiving a terminal application from the server for causing the terminal to function as the screen area dividing unit, the authentication requesting unit, the intermediate data storage unit, the shared key generation unit, and the shared key storage unit And
A terminal application execution unit for executing the terminal application;
The terminal according to appendix 6, further comprising:
(Appendix 13)
A screen area dividing step for dividing a browser screen area for displaying content into a plurality of frames;
An authentication requesting step for requesting the server to authenticate authentication information acquired through the first frame among the plurality of frames;
An intermediate data storage step for storing intermediate data used when requesting the authentication in the authentication request step in an intermediate data storage unit in a frame other than the first frame;
If the authentication result information received from the server represents a successful authentication, a shared key generation step for generating a shared key used for encrypted communication with the server, based on the intermediate data stored in the intermediate data storage unit, and
A shared key storage step of storing the shared key in a shared key storage unit in the other frame;
A terminal application storage step of storing the terminal application including the terminal application storage unit in a terminal application storage unit;
A terminal application transmission step of transmitting the terminal application to the terminal;
The computer program according to appendix 7, wherein the server is further executed.
(Appendix 14)
A terminal application receiving step for receiving, from the server, a terminal application including the screen area dividing step, the authentication requesting step, the intermediate data storing step, the shared key generating step, and the shared key storing step;
A terminal application execution step for executing the terminal application;
The computer program according to appendix 8, wherein the terminal is further executed.
(Appendix 15)
Using the server and the terminal,
The server
A terminal application for causing the terminal to function as the screen area dividing unit, the authentication request unit, the intermediate data storage unit, the shared key generation unit, and the shared key storage unit is stored in the terminal application storage unit. Every
Sending the terminal application to the terminal;
The terminal
Receiving the terminal application;
The communication method according to appendix 10, wherein the received terminal application is executed.

DESCRIPTION OF SYMBOLS 1, 4 Communication system 2, 5 Terminal 3, 6 Server 21 Screen area division part 22, 52 Authentication request part 23 Intermediate data storage part 24, 54, 33, 63 Shared key generation part 25 Shared key storage part 31 Authentication information storage part 32, 62 Authentication unit 56 Terminal application reception unit 57 Terminal application execution unit 64 Terminal application storage unit 65 Terminal application transmission unit 9 Content 91 Frame structure information 92 First frame information 93 Other frame information 521 Authentication request data generation unit 522 Response generation unit 621 Challenge generation unit 622 Response verification unit 2001, 3001 CPU
2002, 3002 RAM
2003, 3003 ROM
2004, 3004 Storage device 2005, 3005 Network interface 2006 Display device 2007 Input device

Claims (10)

A communication system comprising a server and a terminal,
The terminal
A screen area dividing unit for dividing a browser screen area for displaying content into a plurality of frames;
An authentication request unit that requests authentication of the authentication information acquired via the first frame from the plurality of frames to the server via the first frame;
A midway data storage unit for storing midway data used when requesting the authentication from the server in a frame other than the first frame;
If the authentication result information received from the server represents authentication success, a shared key generation unit that generates a shared key used for encrypted communication with the server, based on the intermediate data stored in the intermediate data storage unit,
A shared key storage unit for storing the shared key in the other frame;
Have
The server
An authentication information storage unit storing authentication information registered in advance;
Based on the authentication information storage unit, it is determined whether to authenticate authentication information that is required to be authenticated by the terminal, and an authentication unit that transmits authentication result information indicating whether authentication is successful to the terminal;
A shared key generation unit configured to generate the shared key used for encrypted communication with the terminal based on intermediate data used when authenticating the authentication information when the authentication unit determines to authenticate the authentication information; ,
A communication system. The server
A terminal application storage unit for storing a terminal application for causing the terminal to function as the screen area dividing unit, the authentication request unit, the intermediate data storage unit, the shared key generation unit, and the shared key storage unit;
A terminal application transmitter for transmitting the terminal application to the terminal;
Further comprising
The terminal
A terminal application receiver for receiving the terminal application;
A terminal application execution unit for executing the terminal application;
The communication system according to claim 1, further comprising: The authentication request unit of the terminal is
An authentication request for generating authentication request data for starting the authentication request and transmitting it to the server, and storing data used when generating the authentication request data as the intermediate data in the intermediate data storage unit A data generator;
Response data is generated based on random challenge data and the intermediate data received from the server and transmitted to the server, and the data used when generating the response data is used as the intermediate data, the intermediate data storage unit A response generator to store in addition to,
Have
The authentication unit of the server is
A challenge generator for generating the challenge data in response to reception of the authentication request data and transmitting the challenge data to the terminal;
A response verification unit that determines whether to authenticate the authentication information by verifying the response data received from the terminal;
The communication system according to claim 1 or 2, characterized by comprising: The terminal application transmitter of the server transmits the terminal application to the terminal by including at least a part of a hash value of the public key of the server in a URL (Uniform Resource Locator) of the terminal application. ,
The challenge generation unit of the server includes the public key in the challenge data and transmits the challenge key to the terminal,
When the response generation unit of the terminal determines that the public key included in the challenge data has not been modified based on the URL of the application for the terminal, and determines that the public key has not been modified, Information that encrypts the authentication information using the public key is included in the response data and transmitted to the server,
The response verification unit of the server determines whether or not to authenticate authentication information obtained by decrypting information included in the response data using a secret key corresponding to the public key. The communication system according to claim 3. An authentication information storage unit storing authentication information registered in advance;
Based on the authentication information storage unit, it is determined whether to authenticate authentication information that is required to be authenticated by the terminal, and an authentication unit that transmits authentication result information indicating whether authentication is successful to the terminal,
When it is determined by the authentication unit to authenticate the authentication information, a shared key generation unit that generates a shared key used for encrypted communication with the terminal based on intermediate data used when authenticating the authentication information;
A server with A screen area dividing unit for dividing a browser screen area for displaying content into a plurality of frames;
An authentication requesting unit that requests authentication of authentication information acquired via the first frame among the plurality of frames to the server via the first frame;
A midway data storage unit for storing midway data used when requesting the authentication from the server in a frame other than the first frame;
If the authentication result information received from the server represents authentication success, a shared key generation unit that generates a shared key used for encrypted communication with the server, based on the intermediate data stored in the intermediate data storage unit,
A shared key storage unit for storing the shared key in the other frame;
With a terminal. To the server that communicates with the terminal,
An authentication information storage step of storing authentication information registered in advance in an authentication information storage unit;
An authentication step of determining whether to authenticate authentication information requested to be authenticated by the terminal based on the authentication information storage unit, and transmitting authentication result information indicating whether authentication is successful to the terminal;
In the authentication step, when it is determined to authenticate the authentication information, a shared key generation step for generating a shared key used for encrypted communication with the terminal based on intermediate data used when authenticating the authentication information;
A computer program that runs On the terminal that communicates with the server,
A screen area dividing step for dividing a browser screen area for displaying content into a plurality of frames;
An authentication requesting step for requesting the server to authenticate the authentication information acquired through the first frame among the plurality of frames;
An intermediate data storage step for storing intermediate data used when requesting the authentication in the authentication request step in an intermediate data storage unit in a frame other than the first frame;
If the authentication result information received from the server represents an authentication success, a shared key generation step for generating a shared key used for encrypted communication with the server, based on the intermediate data stored in the intermediate data storage unit;
A shared key storage step of storing the shared key in a shared key storage unit in the other frame;
A computer program that runs A data structure of content distributed from a server to a terminal,
Frame structure information in which structures of a plurality of frames constituting a browser screen area in which the content is displayed in the terminal are defined;
Represents information applied to a first frame of the plurality of frames, requests authentication of authentication information acquired via the first frame from the server via the first frame, and An authentication key exchange application for generating a shared key used for encrypted communication with the server, based on intermediate data used when requesting the authentication to the server, if the authentication result information received from Including first frame information,
Other frame information representing information applied to other frames other than the first frame, including intermediate data storage information for storing the intermediate data, and shared key storage information for storing the shared key;
A data structure containing Using a server and a terminal
The terminal
Divide the browser screen area that displays content into multiple frames,
Requesting the server to authenticate the authentication information acquired through the first frame of the plurality of frames through the first frame;
The intermediate data used when requesting the authentication to the server is stored in the intermediate data storage in a frame other than the first frame,
The server
Store pre-registered authentication information in the authentication information storage unit,
Based on the authentication information storage unit, it is determined whether to authenticate authentication information required for authentication by the terminal, and transmits authentication result information indicating whether authentication is successful to the terminal,
If it is determined to authenticate the authentication information, based on the intermediate data used when authenticating the authentication information, a shared key used for encrypted communication with the terminal is generated,
The terminal
If the authentication result information received from the server represents an authentication success, based on the intermediate data stored in the intermediate data storage unit, generate the shared key used for encrypted communication with the server,
A communication method for storing the shared key in a shared key storage unit in the other frame.

Images