JP2012151632A - Key management device, signature key updating partial key generation device, signature key issue device, application server and reception terminal, and control program for the same - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an application authentication system that makes it possible to easily revoke a signature key or easily update the signature key.SOLUTION: An application authentication system S has a key management server 1 and a signature key issue server 3 in a broadcast station. The key management server 1 comprises: partial key generation means for generating a partial key corresponding to an effective identifier which is an initial service provider identifier given to each service provider, or an effective identifier to which a value larger than a maximum value of the effective identifier before updating is set in updating a signature key; update key information generation means for generating a differential partial key by means of the difference between the partial key after the updating and the partial key before the updating; update key information transmission means for transmitting the differential partial key with the effective identifier to an application server 5; and revocation list generation means for generating a revocation list having a value defining a boundary between the effective identifier before the updating and the effective identifier after the updating as an element.

Description

  The present invention relates to a technique for authenticating an application in a broadcasting / communication cooperation service using a network such as a broadcast wave, the Internet, and a dedicated IP (Internet Protocol) line.

  In recent years, various services that link broadcasting and communication (hereinafter, such services are referred to as “broadcast / communication cooperation services”) have been studied along with digitalization of broadcasting and high-speed / broadband communication. In this broadcast / communication cooperation service, it is assumed that various information related to a broadcast program is acquired via a communication network and presented in combination with broadcast. Further, in order to enjoy such a service at the receiving terminal, an application adapted to the service is used. Here, the “application” refers to software that operates on a receiving terminal and has a function of presenting program-related information acquired via a communication network in combination with broadcasting.

  In order to realize more attractive services for viewers, it is necessary to provide an environment in which viewers can provide not only applications created by broadcast stations but also applications created by various operators. On the other hand, in order to make it possible for viewers to use the provided applications with peace of mind, “application authentication” that checks the service provider (service provider) that produces the application and prevents falsification of the application is also available. is necessary.

In general, application authentication is performed as follows.
In response to a request from the viewer, the service provider transmits the application to the viewer's receiving terminal via the communication network. At this time, using the signature key held by the service provider, a digital signature is added to the application and transmitted. The viewer's receiving terminal verifies the signature added to the received application using the verification key.

This procedure is for the case where the service provider directly sends the application to the receiving terminal of the viewer. However, the application created by the service provider is registered in an application server operated by a third party other than the service provider, A model of transmitting from the application server to the receiving terminal according to a request from the viewer is also conceivable. That is, when using an application server operated by a third party, the service provider adds a digital signature to the application using a signature key and transmits the application to the application server when registering the application. On the other hand, the application server verifies the signature added to the received application using the verification key.
In general, PKI (Public Key Infrastructure) is used for authentication using such a digital signature (see Non-Patent Document 1).

Information Security Technology Laboratory, “PKI related technical explanation”, [online], July 3, 2007, Information-technology Promotion Agency, [Search January 11, 2011], Internet <URL: http: // www.ipa.go.jp/security/pki/>

In the broadcasting / communication cooperation service, if there is a service provider who creates an application that performs illegal operations, the broadcast station efficiently revokes the signature added by the service provider or the signature key held by the service provider. A means to do is necessary.
However, the PKI described above is a model in which a service provider generates keys and a certificate authority that is a third-party organization manages keys, and a certificate revocation list (CRL) is also issued by the certificate authority. The Therefore, even if the broadcasting station wants to revoke the signature key of the service provider that creates an unauthorized application, it is difficult to revoke the corresponding public key certificate with the existence of the broadcasting station. There was a problem that the signing key could not be revoked.

  In addition, the signature key needs to be securely managed by the service provider, but the signature key may be leaked to a third party due to a server attack or the like. Therefore, a means for easily updating the signature key is necessary as a countermeasure against key leakage. However, when updating the service provider's signature key in PKI, it is necessary to perform complicated processing such as requiring the CA to reissue the public key certificate, and the signature key can be updated immediately. There was a problem that I could not.

  The present invention has been made in view of the above-described problems. In a broadcasting / communication cooperation service, a broadcasting station performs key generation and key management, and one fixed number of services regardless of the number of service providers. Key management device and signature key update partial key used in an application authentication system that makes it possible to verify a signature using a verification key, and also allows easy revocation of the signature key and easy update of the signature key It is an object of the present invention to provide a generation device, a signature key issuing device, an application server, a receiving terminal, and a control program thereof.

  The present invention has been made to solve the above-mentioned problems. First, the key management device according to claim 1 is a verification key which is public information for verifying a signature added to an application for each service provider. And an application server adds a signature to the application to the receiving terminal by a signature method using a signature key that is a secret key corresponding to the verification key and is a key unique to the service provider and sequentially updated. In a key management apparatus that is provided in an application authentication system to be distributed and generates key information for updating the signature key by the signature method, an update key information generation unit, an update key information transmission unit, a revocation list generation unit, And a revocation list transmission means.

  In such a configuration, the key management device is an effective identifier that is assigned to the service provider by the update key information generation unit in correspondence with the signature key, and is based on the maximum value of the valid identifier before the update when the signature key is updated. The key information is generated in association with the valid identifier for which a larger value is set. This key information is generated by an ID-based signature scheme or a key-insulated signature scheme. Then, the key management device transmits the key information to the application server together with the updated valid identifier for each service provider by the updated key information transmitting unit. Thus, the application server that has acquired the key information can update the signature key in correspondence with the valid identifier.

  Then, the key management device generates a revocation list by the revocation list generation means, using as an element a value that distinguishes the boundary between the pre-update valid identifier and the post-update valid identifier. This is because the validity identifier has different values before and after the signature key is updated, so if the boundary value is notified as a revocation list, the receiving terminal can determine whether the signature key is valid or invalid. This is because it becomes possible. Then, the key management device transmits the revocation list to the receiving terminal by the revocation list transmission means. As a result, the receiving terminal can determine whether or not the valid identifier has expired by determining the value of the value that divides the boundary.

  Furthermore, the key management apparatus may be controlled by a key management program that causes a computer to function as an update key information generation unit, an update key information transmission unit, a revocation list generation unit, and a revocation list transmission unit. .

  The receiving terminal according to claim 3 includes a verification key that is public information for verifying a signature added to an application for each service provider, and a key unique to the service provider that is secret information corresponding to the verification key. And an application authentication system in which an application server adds a signature to the application and distributes it to a receiving terminal by a signature method using signature keys that are sequentially updated by key information generated by a key management device. The receiving terminal, comprising: a verification key storage unit, a revocation list reception unit, a revocation list storage unit, an application reception unit, a revocation list verification unit, a signature verification unit, and an application management unit. did.

  In such a configuration, the receiving terminal stores the verification key in the verification key storage unit in advance. Then, the receiving terminal sets a valid identifier assigned to each service provider from the key management device by the revocation list receiving means, which is larger than the maximum value of the valid identifier before the update when the signature key is updated. Among the valid identifiers, a revocation list having a value that divides the boundary between the valid identifier before the update and the valid identifier after the update is received and stored in the revocation list storage means.

In addition, the receiving terminal receives the valid identifier of the signature key when the signature is added together with the application with the signature from the application server by the application receiving unit. Then, the receiving terminal verifies whether the validity identifier added to the application received by the application receiving means is valid based on the revocation list stored in the revocation list storage means by the revocation list verification means. . Further, the receiving terminal verifies the signature added to the application by the signature verification unit using the verification key stored in the verification key storage unit.
Then, the receiving terminal activates or stores the application by the application management unit when the valid identifier is valid and the signature is valid in the revocation list verification unit and the signature verification unit.

  Furthermore, the receiving terminal may be controlled by an application signature authentication program that causes a computer to function as a revocation list receiving unit, an application receiving unit, a revocation list verification unit, a signature verification unit, and an application management unit. .

  The signature key update partial key generation device according to claim 5 is a signature key issuing device that issues a service provider-specific signature key used when an application server adds a signature to an application, and verifies the signature. A key generation device that generates a verification key to be generated, a first master key for generating a partial key that is a part of the signature key unique to the service provider, and a second master key for generating the signature key; Using the verification key and the first master key, a partial key generation device for signature key update for generating the partial key and a differential partial key used when the application server updates the signature key, An application in which the application server adds the signature to the application and distributes it to the receiving terminal, and authenticates the application with the verification key in the receiving terminal The partial key generation device for signing key update used in the application authentication system includes a partial key generation unit, a partial key storage unit, a partial key transmission unit, an update key information generation unit, and an update key information transmission unit. And a revocation list generation unit and a revocation list transmission unit.

  In such a configuration, the partial key generation device for signing key update includes a valid identifier that is an initial service provider identifier assigned to each service provider by the partial key generation unit, or a valid before update when the signature key is updated. A partial key corresponding to the valid identifier for each service provider is generated from the verification key and the first master key in association with the valid identifier set to a value larger than the maximum value of the identifier. This partial key can be generated by, for example, a key-insulated signature scheme.

  Then, the signature key update partial key generation device stores the generated partial key in the partial key storage unit in association with the valid identifier. Then, the partial key generation device for signing key update adds a valid identifier by the partial key transmission means and transmits the partial key to the signature key issuing device.

  Further, the signature key update partial key generation device uses the update key information generation unit to generate a difference based on a difference between the partial key generated by the partial key generation unit and the partial key before update stored in the partial key storage unit. Generate a partial key. Then, the signature key update partial key generation device transmits the differential partial key together with the updated valid identifier for each service provider identifier to the application server by the update key information transmission unit. As a result, the application server that has obtained the differential partial key can update the signature key in correspondence with the valid identifier.

  Further, the signature key updating partial key generation device generates a revocation list by using a revocation list generation unit with a value that divides the boundary between the pre-update valid identifier and the post-update valid identifier as an element. This is because the validity identifier has different values before and after the signature key is updated, so if the boundary value is notified as a revocation list, the receiving terminal can determine whether the signature key is valid or invalid. This is because it becomes possible. Then, the signature key updating partial key generation device transmits the revocation list to the receiving terminal by the revocation list transmission means. As a result, the receiving terminal can determine whether or not the valid identifier has expired by determining the value of the value that divides the boundary.

  Further, the signature key update partial key generation device according to claim 6 is the signature key update partial key generation device according to claim 5, wherein the partial key generation means is an update indicating the number of updates of the signature key. By multiplying the identifier by the upper limit of the predetermined total number of the service providers and adding to the service provider identifier, the valid identifier unique to each service provider is calculated, and the partial key is generated The configuration.

  In such a configuration, each time the signature key update partial key generation apparatus updates the signature key, the valid identifier increases for each upper limit value of the predetermined total number of service providers.

  At this time, the revocation list generation means multiplies the update identifier before update by the upper limit value of the total number of service providers determined in advance, and adds the maximum value of the service provider identifier to a value for dividing the boundary. (Claim 7).

Further, the revocation list generating means may set a value obtained by multiplying the updated update identifier by the upper limit value of a predetermined total number of service providers as a value for dividing the boundary (claim 8).
Thereby, it can be determined by a certain standard (boundary) whether or not the valid identifier has expired.

  Further, a signature key update partial key generation program that causes a computer to function as a partial key generation unit, a partial key transmission unit, an update key information generation unit, an update key information transmission unit, a revocation list generation unit, a revocation list transmission unit, The signature key update partial key generation apparatus may be controlled (claim 9).

  The signature key issuing device according to claim 10 is a signature key issuing device that issues a service provider-specific signature key that is used when an application server adds a signature to an application, and a verification key that verifies the signature. A key generation device for generating a first master key for generating a partial key to be a part of the signature key unique to the service provider and a second master key for generating the signature key; and the verification key And the first master key, the partial key and a signature key update partial key generation device for generating a differential partial key used when the application server updates the signature key. An application that adds the signature to the application and distributes it to a receiving terminal, and authenticates the application with the verification key in the receiving terminal A said signing key issuing apparatus used in testimony system, and a second master key receiving unit, a second master key storing means, and the partial key reception means, and the signature key generation means, configured to include a.

In this configuration, the signature key issuing device receives the second master key unique to the service provider from the key generation device by the second master key receiving unit and stores it in the second master key storage unit.
Further, the signature key issuing device uses the partial key receiving unit to update from the signature key updating partial key generation device an effective identifier that is an initial service provider identifier assigned to each service provider, or when the signature key is updated. The valid identifier set with a value larger than the maximum value of the valid identifier before update and the partial key are received.

  In the signature key issuing device, the signature key generation unit generates a signature key using the second master key stored in the second master key storage unit and the partial key received by the partial key reception unit. Thereby, the signature key issuing device can generate a signature key corresponding to the valid identifier acquired from the key generation device. Further, the signature key is distributed to the service provider, and the signature is added to the application in the application server, so that the signature also corresponds to the valid identifier.

  Furthermore, the signature key issuing device may be controlled by a signature key issuing program that causes the computer to function as a second master key receiving unit, a partial key receiving unit, and a signature key generating unit.

  The application server according to claim 12, wherein the application server issues a signature key issuing device for issuing a signature key unique to a service provider used when the application server adds a signature to the application, a verification key for verifying the signature, and the service A key generation device for generating a first master key for generating a partial key to be a part of the signature key unique to a provider and a second master key for generating the signature key; the verification key; A signature key update partial key generation device that generates a differential partial key used when the application server updates the signature key using the first master key, and the application server includes the application An application that authenticates the application with the verification key at the receiving terminal. A said application server for use in Deployment authentication system, and a signature key storing means, and updates key information receiving unit, a signature key updating means, a signature addition unit, and an application transmitting section, and configured to include.

  In such a configuration, the application server stores the signature key generated by the signature key issuing device in the signature key storage unit. Then, the application server uses the update key information receiving means to set the service provider identifier assigned to each service provider from the signature key update partial key generation device as the initial valid identifier, and when the signature key is updated, The valid identifier set to a value larger than the maximum valid identifier and the differential partial key are received. Then, the application server updates the signature key stored in the signature key storage unit in association with the valid identifier by using the differential partial key received by the update key information reception unit by the signature key update unit.

  In addition, the application server generates a signature corresponding to the valid identifier using the signature key stored in the signature key storage unit by the signature addition unit, and adds the signature to the application. Then, the application server transmits the application with the signature added to the receiving terminal by the application transmitting unit.

  Further, the application server may be controlled by an application signature adding program that causes the computer to function as an update key information receiving unit, a signature key updating unit, a signature adding unit, and an application transmitting unit.

  The receiving terminal according to claim 14 includes: a signature key issuing device that issues a signature key unique to a service provider used when an application server adds a signature to an application; a verification key that verifies the signature; and the service A key generation device for generating a first master key for generating a partial key to be a part of the signature key unique to a provider and a second master key for generating the signature key; the verification key; A signature key update partial key generation device that generates a differential partial key used when the application server updates the signature key using the first master key, and the application server includes the application To the receiving terminal, and the receiving terminal authenticates the application with the verification key. The receiving terminal used in the system, verification key storage means, revocation list reception means, revocation list storage means, application reception means, revocation list verification means, signature verification means, application management means, It was set as the structure provided with.

  In such a configuration, the receiving terminal stores the verification key generated by the key generation device in the verification key storage unit. Then, the receiving terminal uses the revocation list receiving unit to set the service provider identifier assigned to each service provider from the signature key update partial key generation device as the initial valid identifier, and the valid before update when the signature key is updated. Revocation list storage means for receiving a revocation list whose element is a value that demarcates the boundary between a valid identifier before update and a valid identifier after update among valid identifiers set with a value larger than the maximum value of the identifier. To remember.

In addition, the receiving terminal receives the valid identifier of the signature key when the signature is added together with the application with the signature from the application server by the application receiving unit. Then, the receiving terminal verifies whether the validity identifier added to the application received by the application receiving means is valid based on the revocation list stored in the revocation list storage means by the revocation list verification means. . Further, the receiving terminal verifies the signature added to the application by the signature verification unit using the verification key stored in the verification key storage unit.
Then, the receiving terminal activates or stores the application by the application management unit when the valid identifier is valid and the signature is valid in the revocation list verification unit and the signature verification unit.

  Furthermore, the receiving terminal may be controlled by an application signature authentication program that causes a computer to function as a revocation list receiving unit, an application receiving unit, a revocation list verification unit, a signature verification unit, and an application management unit. .

The present invention has the following excellent effects.
According to the inventions described in claims 1, 2, 5 to 9, in the application authentication system, the broadcasting station can perform key generation and key management, and even when a key leak occurs, a third party Regardless of the organization, the signature key can be quickly updated by simply transmitting information for updating the signature key to the application server.
According to the first, second, fifth to ninth aspects of the present invention, the information for updating the signature key is generated corresponding to the valid identifier, and the value is different before and after the update. Whether or not the valid identifier has expired can be determined only by the value indicating the boundary between the identifiers before and after the update. Therefore, the description of the revocation list can be simplified and the signature key can be easily verified.

According to the invention described in claims 10 to 13, the signature key is generated and updated corresponding to the valid identifier. In addition, since the value of the valid identifier varies before and after the signature key is updated, it can be easily determined whether or not the valid identifier has expired.
According to the invention described in claims 3, 4, 14, and 15, the validity of the signature key is collectively determined only by determining the magnitude of the value that distinguishes the boundary of the valid identifier before and after the update notified by the revocation list. Therefore, the determination load can be reduced.

1 is a system configuration diagram showing a configuration of an application authentication system according to an embodiment of the present invention. It is a functional block diagram which shows the structure of the key management server (Key generation apparatus, the partial key generation apparatus for signature key update) concerning embodiment of this invention. It is a functional block diagram which shows the structure of the signature key issuing server (signature key issuing apparatus) which concerns on embodiment of this invention. It is a functional block diagram which shows the structure of the application server (signature key update apparatus, signature production | generation apparatus) which concerns on embodiment of this invention. It is a functional block diagram which shows the structure of the receiving terminal which concerns on embodiment of this invention. It is a flowchart which shows the operation | movement of the key generation in the application authentication system, and signature key issue. 7 is a flowchart showing a detailed operation (master key / verification key generation operation) of key generation in FIG. 6. FIG. 7 is a flowchart showing a detailed operation (partial key generation operation, signature key generation operation) for issuing a signature key in FIG. 6. It is a flowchart which shows the operation | movement of signature key update in an application authentication system. 10 is a flowchart showing detailed operations (difference partial key generation operation, signature key update operation) of signature key update in FIG. 9. It is a flowchart which shows the authentication operation | movement of the application in an application authentication system. 12 is a flowchart showing detailed operations (signature generation operation and signature verification operation) of authentication in FIG. It is explanatory drawing for demonstrating the content of the normal update of a signature key, and the revocation list of a signature key. It is explanatory drawing for demonstrating the update of the signature key in the case of adding a service provider, and the content of the revocation list | wrist of a signature key. It is explanatory drawing for demonstrating the content of the renewal of a signature key in the case of revoking the signature key of a specific service provider, and the revocation list | wrist of a signature key. It is explanatory drawing for demonstrating the content of the renewal list of a signature key when a signature key is leaked, and a signature key revocation list. It is explanatory drawing for demonstrating the relationship between a signature key and a revocation list. It is a system block diagram which shows the structure of the application authentication system which concerns on other embodiment of this invention. It is a functional block diagram which shows the structure of the key management server (key generation apparatus, signature key generation apparatus) which concerns on other embodiment of this invention. It is a functional block diagram which shows the structure of the application server (signature key update apparatus, signature production | generation apparatus) which concerns on other embodiment of this invention.

Embodiments of the present invention will be described below with reference to the drawings.
[Application authentication system configuration]
First, the configuration of the application authentication system will be described with reference to FIG.
The application authentication system S is a system for authenticating an application provided by a service provider to a user (viewer) in a broadcasting / communication cooperation service. Here, the application authentication system S is a Strong Key-Insulated signature (G. Ohtake, G. Hanaoka and K. Ogawa: “Efficient Provider Authentication for Bidirectional Broadcasting Service”, IEICE Trans. Fundamentals, Vol. E93-A, No. 6, pp. 1039-1051, 2010.) shall be used to configure the system.

The application authentication system S includes a key management server (key management device) 1 and a signature key issuing server (signature key issuing device) 3 provided in a broadcasting station, and an application server provided in a service provider (service provider). 5 and a receiving terminal 7 provided in the user's home (or carried by the user). Incidentally, the key management server 1, the application server 5, and the receiving terminal 7 are connected to each other to the network (external network) N _1, such as the Internet (or private IP line). In addition, the key management server 1 and the signature key issuing server 3 are connected internal network (dedicated communication line) to N ₂ in the broadcasting station.
Here, for simplification of the description, it is illustrated the application server 5 and the reception terminal 7 one by one, they may be are more connected to the network N ₁ course.

  The key management server (key management device) 1 generates and manages (stores) a key used when authenticating an application. Here, the key management server 1 generates a key generation device 10 that generates and manages a verification key and a master key, a key that is used to generate or update a signature key, and a revocation list that indicates a list of revoked signature keys. A partial key generation device (signature key update partial key generation device) 20. It is assumed that the verification key generated by the key management server 1 is written on, for example, an IC card and distributed to the receiving terminal 7 offline.

  The signature key issuing server 3 generates a signature key used when adding a signature to an application. It is assumed that the signature key generated by the signature key issuing server 3 is also distributed to the service provider (application server 5) offline in consideration of leakage and the like.

  The application server 5 manages (stores) and updates the signature key, adds a signature to the application using the signature key, and transmits the signature to the receiving terminal 7. Here, the application server 5 includes a signature key update device 50 that manages (stores) and updates a signature key, and a signature generation device 60 that adds a signature to the application and transmits it.

  The receiving terminal 7 receives an application from the application server 5 and verifies (authenticates) a signature added to the application with a verification key. The receiving terminal 7 is, for example, a television receiver or a personal computer that can enjoy the broadcasting / communication cooperation service.

  The key management server 1 (the key generation device 10 and the partial key generation device 20), the signature key issuing server 3, the application server 5, and the receiving terminal 7 are respectively a CPU (Central Processing Unit) and a ROM (Read Only). Memory (RAM), RAM (Random Access Memory), HDD (Hard Disk Drive), communication interface, etc. (not shown), and the CPU implements various functions to be described later by expanding programs stored in the HDD etc. into the RAM. To do.

[Key management server configuration]
Next, the configuration of the key management server will be described with reference to FIG. 2 (refer to FIG. 1 as appropriate). Here, the key management server (key management device) 1 includes a key generation device 10 and a partial key generation device (signature key update partial key generation device) 20. It is assumed that the key generation device 10 and the partial key generation device 20 are communicably connected via a communication interface (not shown).

(Configuration of key generation device)
The key generation device 10 generates and manages (stores) a master key for generating a key (partial key, differential partial key) used when generating a signature key and a verification key for verifying the signature key To do. Here, the key generation device 10 includes a key generation unit 11, a verification key management unit 12, a first master key management unit 13, and a second master key transmission unit 14.

The key generation unit 11 generates a master key (first master key, second master key) and a verification key. That is, the key generation means 11 determines the master key (first master key, second master key) based on the generator g of the cyclic group of the prime order q and the residue class Z _q modulo the prime number q. Generate a verification key.
Specifically, the key generation unit 11 generates prime numbers p and q where q is a divisor of (p−1), and the order of the subgroup generated by the element g of the multiplicative group Z _p ^* is q. A generation source g such that Then, the key generation means 11 randomly selects x, x ′ from the remainder class Z _q (0, 1,..., Q−1; hereinafter simply indicated by Z _q ) modulo the prime number q, and by (1), to generate a first master key _{x 0.} Further, the key generation means 11 sets x ′ as the second master key.

The first master key x ₀ generated in this way is output to the first master key management means 13, and the second master key x ′ is output to the second master key transmission means 14.
Further, the key generation means 11 generates a verification key VK composed of prime numbers p, q, element g, elements y ₀ , y ′, and hash function H (•) as shown in the following equation (2). .

The elements y ₀ and y ′ of the verification key VK are values obtained by the following equation (3).

The hash function H (•) is H: {0, 1} ^* → Z _q , that is, a function for converting a bit string ({0, 1} ^* ) having an arbitrary length into a fixed length value of Z _q. It is. For this hash function, for example, an algorithm such as SHA-1 can be used.
The verification key VK generated by the key generation unit 11 is output to the verification key management unit 12.

The verification key management unit (verification key storage unit) 12 stores and manages the verification key generated by the key generation unit 11. Specifically, the verification key management unit 12 writes the verification key generated by the key generation unit 11 in a storage medium (not shown) and reads it in response to a request.
Here, the verification key management means 12 reads the verification key from the storage medium according to the operator's instruction when distributing the verification key to the receiving terminal 7. The verification key read in this way is output to an IC card issuing device (not shown), written on the IC card, and distributed to the receiving terminal 7, for example. Note that the verification key management unit 12 may distribute the verification key via a secure communication path (for example, a broadcast wave).

  Further, the verification key management unit 12 reads the verification key from the storage medium when generating the partial key in the partial key generation device 20 described later. In this case, the verification key management unit 12 reads the verification key from the storage medium in accordance with an instruction from the partial key generation device 20 or the operator, and outputs the verification key to the partial key generation device 20.

The verification key management unit 12 discloses the stored verification key as public information, and can be obtained or referred to from the signature key issuing server 3 or the application server 5 via the network N ₁ or the internal network N ₂ . Suppose that

  The first master key management means (first master key storage means) 13 stores and manages the first master key generated by the key generation means 11. Specifically, the first master key management unit 13 writes the first master key generated by the key generation unit 11 in a storage medium (not shown) and reads it in response to a request.

  Here, the first master key management unit 13 reads the first master key from the storage medium when the partial key generation device 20 generates the partial key. In this case, the first master key management unit 13 reads the first master key from the storage medium in response to a request from the partial key generation device 20 or an instruction from the operator, and outputs the first master key to the partial key generation device 20.

The second master key sending unit 14 via the internal network N _2, is to send a second master key generated by the key generation unit 11 to the signature key issuing server 3.

(Configuration of partial key generation device [signature key update partial key generation device])
A partial key generation device (signature key update partial key generation device) 20 generates a key (partial key, differential partial key) used to generate or update a signature key, and also shows a revocation list indicating a list of revoked signature keys. Is generated. Here, the partial key generation device 20 includes a parameter input unit 21, a partial key generation unit 22, a partial key management unit 23, a partial key transmission unit 24, an update key information generation unit 25, and an update key information transmission unit. 26, a revocation list generation means 27, and a revocation list transmission means 28.

  The parameter input means 21 inputs various parameters for generating a partial key, a differential partial key, and a revocation list. Here, the update type, the update identifier, and the service provider identifier are input to the parameter input unit 21 from the input unit (not shown), and the first master key and the verification key are input from the key generation device 10.

  The update type is type information indicating an instruction for processing contents of signature key issuance, update, and revocation. For example, as shown in the following table, signature key issuance, update, and revocation are assigned to the update type values as processing contents.

  The update identifier is an identifier indicating the number of signature key updates. The update identifier is a serial number from a predetermined number (for example, “0”), and when the signature key is updated, a value obtained by adding “1” to the current update identifier.

The service provider identifier is an identifier determined in advance to uniquely identify the service provider. This service provider identifier is a serial number from a predetermined number (for example, “1”). When a new service provider is registered, “1” is set as the maximum value of the current service provider identifier. The added value.
The parameter input unit 21 outputs the input update type, update identifier, service provider identifier, first master key, and verification key to the partial key generation unit 22.

The partial key generation unit 22 generates a partial key based on the update type, update identifier, service provider identifier, first master key, and verification key input by the parameter input unit 21. That is, the partial key generation means 22 generates an identifier (valid identifier) that is valid at the time of issuing or updating the signature key from the service provider identifier assigned to each service provider by using the update identifier, and the valid identifier Generate a partial key unique to.
Specifically, partial key generation unit 22 generates randomly a random number r from Z _q, and the random number r, a portion of the verification key (p, g) based on the, in the receiving terminal 7 partial key of Partial key verification information v that is a part of information indicating validity is generated by the following equation (4).

  Further, as shown in the following formula (5), the partial key generation unit 22 uses the hash function H (•) that is a part of the verification key to obtain the hash value c of the partial key verification information v corresponding to the signature key. Generate. However, “‖” indicates connection.

In this equation (5), i is a service provider identifier, j is an update identifier, and n is a predetermined upper limit value of the total number of service providers. In equation (5), (i + jn), that is, (service provider identifier + update identifier × n) is an identifier for identifying a signature key after issuance or renewal at the service provider corresponding to the service provider identifier ( Effective identifier). In addition, in order to show the content as a valid identifier, a code such as “i + jn” may be attached, but this valid identifier is a numerical value after performing an operation such as “i + jn”.
Then, the partial key generation means 22 uses the following formula (6) based on the first master key x ₀ , a part (q) of the verification key, the hash value c, and the random number r to obtain the partial key x Is generated.

In this way, the partial key generation unit 22 generates a partial key corresponding to the signature key identifier (valid identifier).
When the update type is “1 [signature key issuance]”, the partial key generation unit 22 outputs the generated partial key to the partial key management unit 23.

  Further, when the update type is “2 [signature key update]”, the partial key generation means 22 uses the generated partial key, the partial key verification information, the verification key, and the valid identifier (i + jn) together with the update type as the update key information. Output to the generation means 25.

When the update type is “3 [signature key update (when service provider is added)]”, the partial key generation means 22 is the same as in the case where the update type is “1 [signature key issuance]”. After the key is generated and output to the partial key management means 23, a partial key for updating the signature key is generated as in the case of “2 [signature key update]”, and the partial key and partial key verification are performed. The information, the verification key, and the valid identifier (i + jn) are output to the update key information generation unit 25.
In addition, the partial key generation unit 22 outputs the update type to the revocation list generation unit 27 when updating the signature key (in the case of signature types “2” and “3”).

  In addition, when the update type is “4 (signature key revocation)”, the partial key generation unit 22 does not generate a partial key, but displays the input service provider identifier (service provider identifier to be revoked) as a revocation list. Output to the generation means 27.

  The partial key management means (partial key storage means) 23 stores and manages the partial key generated by the partial key generation means 22. Specifically, the partial key management unit 23 outputs the partial key x, the partial key verification information v, and the valid identifier (i + jn) generated by the partial key generation unit 22 to the partial key transmission unit 24 as partial key information. Then, the data is written in a storage medium (not shown), and read according to a request. Here, the partial key management unit 23 outputs the managed (stored) partial key x to the update key information generation unit 25 in response to a request from the update key information generation unit 25 when updating the signature key.

The partial key transmitting unit 24 transmits the partial key to the signature key issuing server 3 via the internal network N ₂ based on an instruction from the partial key managing unit 23. Here, the partial key transmission unit 24 combines the partial key x, the partial key verification information v (see the above equation (4)), and the partial identifier x (i + jn) when the partial key x is generated. It transmits as information (x, v, i + jn).

  Since the partial key transmitting unit 24 transmits the signature key to the signature key issuing server 3 at the stage of issuing the signature key, the update identifier j is an initial value (“0”). Therefore, here, the partial key transmitting means 24 transmits the partial key information (x, v, service provider identifier i) to the signature key issuing server 3.

The update key information generation unit 25 includes a partial key newly generated by the partial key generation unit 22 for updating the signature key for each service provider identifier, and an update managed (stored) by the partial key management unit 23. A difference partial key is generated by taking a difference from the previous partial key.
Specifically, the update key information generation unit 25 sets the partial key x managed (stored) by the partial key management unit 23 to x ₁ and the partial key x generated by the partial key generation unit 22 to x ₂ . At this time, based on a part (q) of the verification key, a difference partial key Δx is generated by the following equation (7).

The differential partial key Δx generated in this way is output to the update key information transmitting unit 26 together with the partial key verification information v and the valid identifier (i + jn).
The update key information generation unit 25 is notified of a service provider identifier (valid identifier) for which the update of the signature key (transmission of the differential partial key) is to be individually stopped from the revocation list generation unit 27 to be described later. The identifier is stored in a storage medium (not shown), and a differential partial key corresponding to the corresponding service provider identifier (valid identifier) is not generated.

Update key information transmitting unit 26, a differential partial key Δx generated by updating the key information generation unit 25, via the network N _1, is intended to be sent to the application server 5. The update key information transmitting unit 26 combines the partial key verification information v and the valid partial identifier (i + jn) at the time of generating the differential partial key Δx together with the differential partial key Δx together with the differential partial key information (Δx, v , I + jn) to the application server 5.

The revocation list generation means 27 generates a list (revocation list; hereinafter referred to as CRL) that specifies a signature key to be revoked. Here, the revocation list generating unit 27 generates a CRL using a value that distinguishes the boundary between the valid identifier before the update and the valid identifier after the update as a first element.
Specifically, when the update type is “2, 3 (signature key update)”, the revocation list generating unit 27 determines the maximum valid identifier (the maximum valid identifier specified by the service provider identifier and the update identifier before the update) ( That is, the maximum value of the service provider identifier + the update identifier before update × the upper limit value of the number of service providers) is described in the first element of the CRL as the maximum revocation identifier.

  Further, when the update type is “4 (signature key revocation)”, the revocation list generation means 27 has a valid identifier corresponding to the service provider identifier to be individually revoked (that is, service provider identifier + update identifier × service provision). The upper limit of the number of persons) is described as the individual revocation identifier after the second element of the CRL. It is assumed that the format that describes the first element (maximum revocation identifier) and each element after the second element (individual revocation identifier) in the CRL is known in advance in the receiving terminal 7.

As a result, it is possible to revoke the signature key corresponding to the identifier below the maximum revocation identifier described as the first element of the CRL at a time, and the signature key corresponding to the individual revocation identifier described after the second element. Can be revoked individually.
Since the maximum revocation identifier may be a value smaller than a newly generated identifier, it may be the updated identifier multiplied by the upper limit value of the number of service providers.
The CRL generated in this way is output to the revocation list transmission means 28.

  In addition, when the update type is “4 (signature key revocation)”, the revocation list generation unit 27 stops the update key information generation unit 25 to renew the service provider identifier (valid identifier) in order to stop transmission of the differential partial key. ).

Revocation list transmitting unit 28, the revocation list generated by the revocation list generation unit 27 (CRL), via the network N _1, is intended to be transmitted to the receiving terminal 7. As a result, the receiving terminal 7 can authenticate whether or not the application is transmitted from an authorized service provider.

Here, the relationship among the update identifier, the signature key, and the CRL maximum revocation identifier will be described with reference to FIG.
As shown in FIG. 17A, the signature key corresponding to the service provider identifier 1, 2,..., M (valid identifier 1, 2,..., M) generated when the update identifier is “0” is SK. _{In the case of 1} , SK ₂ ,..., SK _m , the maximum revocation identifier that is the first element of the CRL is a value that does not indicate the service provider identifier, for example, “0”.

Then, by updating the signature key, the signature key corresponding to the service provider identifier 1, 2,..., M (valid identifier 1 + n, 2 + n,..., M + n) with the update identifier “1” is changed to SK _{1 + n} , SK _{2 + n} ,. SK _{m + n} is generated. The maximum revocation identifier at this time is {m} or the upper limit value {n} of the number of service providers so as to include the maximum valid identifier (m) of the update identifier “0”.
Similarly, when the signature key is updated with the update identifier “2”, {m + n} or the upper limit value of the number of service providers is set so that the maximum revocation identifier includes the maximum valid identifier (m + n) of the update identifier “1”. It is assumed that {2n} is multiplied by the update identifier value “2”.

In FIG. 17A, there are unused valid identifiers such as (m + 1),..., N, (m + n + 1),.
Therefore, in order to eliminate these unused valid identifiers, as shown in FIG. 17B, when generating a signature key, the valid identifier corresponding to the signature key before the update, for example, the update identifier “0” is used. A signature key may be generated from (m1 + 1) obtained by adding “1” to the maximum valid identifier “m1”, and the maximum revocation identifier at that time may be {m1}.

[Configuration of signing key issuing server]
Next, the configuration of the signature key issuing server will be described with reference to FIG. 3 (refer to FIG. 1 as appropriate). Here, the signature key issuing server (signature key issuing device) 3 includes a second master key receiving unit 31, a second master key managing unit 32, a partial key receiving unit 33, a signature key generating unit 34, and a signature key. Output means 35.

The second master key receiving unit 31, a second master key generated by the key management server 1, and receives via the internal network N _2. The received second master key is output to the second master key management means 32.

  The second master key management means (second master key storage means) 32 stores and manages the second master key received by the second master key reception means 31. Specifically, the second master key management unit 32 writes the second master key received by the second master key receiving unit 31 in a storage medium (not shown) and reads it in response to a request. Here, the second master key management means 32 outputs the second master key managed (stored) to the signature key generation means 34 in response to a request from the signature key generation means 34.

Partial key receiving means 33, a partial key generated by the key management server 1 (partial key information), and receives via the internal network N _2. The received partial key (partial key information) is output to the signature key generation unit 34.

The signature key generation unit 34 includes the second master key managed (stored) by the second master key management unit 32, and the partial key (partial key information) received by the partial key reception unit 33 for each service provider identifier. From this, a signature key is generated. That is, the signature key generation unit 34 generates a signature key by adding the second master key to the partial key.
Specifically, the signature key generation means 34 includes the second master key x ′ managed (stored) by the second master key management means 32 and the partial key information (partial key, Based on the partial key x included in the partial key verification information and the service provider identifier) and the prime number q which is a part of the verification key disclosed as public information in the key management server 1, the following formula ( According to 8), a signature key SK _i corresponding to the service provider identifier _i is generated.

The signature key SK _i generated in this way is output to the signature key output means 35 as the signature key information (SK _i , v, i) together with the partial key verification information v and the service provider identifier i.

  The signature key output unit 35 outputs the signature key (signature key information) generated by the signature key generation unit 34 to the outside. For example, the signature key output means 35 outputs a signature key (signature key information) to a writing device (not shown) of a storage medium such as a CD-R, and writes the signature key on the CD-R or the like. The storage medium in which the signature key (signature key information) is thus written is distributed to the application server 5 offline.

Application server configuration
Next, the configuration of the application server will be described with reference to FIG. 4 (refer to FIG. 1 as appropriate). Here, the application server 5 includes a signature key update device 50 and a signature generation device 60. It is assumed that the signature key update device 50 and the signature generation device 60 are communicably connected via a communication interface (not shown).

(Configuration of signing key update device)
The signature key update device 50 updates the signature key distributed to the service provider based on the differential partial key (differential partial key information) transmitted from the key management server 1. Here, the signature key update device 50 includes a signature key input unit 51, a signature key management unit 52, an update key information reception unit 53, and a signature key update unit 54.

The signature key input means 51 inputs a signature key (signature key information) generated by the signature key issuing server 3. The signing key input means 51 uses, for example, a signature via a reading device (not shown) that reads out the signing key (signature key information) from a storage medium such as a CD-R in which the signing key (signature key information) is written. Enter the key (signing key information).
Here, the signature key information includes a signature key, partial key verification information, and a service provider identifier. The input signature key information is output to the signature key management means 52.

The signature key management means (signature key storage means) 52 stores and manages the signature key (signature key information) input by the signature key input means 51. Specifically, the signature key management unit 52 writes the signature key (signature key information) input by the signature key input unit 51 in a storage medium (not shown), and the signature key (signature key information) in response to the request. Read and update.
Here, the signature key management unit 52 reads the signature key (signature key information) from the storage medium in response to a request from the signature key update unit 54 when the signature key update unit 54 updates the signature key, and updates the signature key. It outputs to the means 54. Also, the signature key management unit 52 acquires the updated signature key from the signature key update unit 54 and overwrites and saves it in the storage medium.

  The signature key management unit 52 reads the signature key (signature key information) stored in the storage medium in response to a request from the signature generation device 60 when the signature generation device 60 adds a signature to the application. The data is output to the generation device 60.

Update key information receiving unit 53, a key management server 1 differential partial keys generated in (differential partial key information), and receives via the network N _1. The received differential partial key (differential partial key information) is output to the signature key update unit 54. This differential partial key information includes a differential partial key, partial key verification information, and a valid identifier.

The signature key updating unit 54 updates the signature key based on the differential partial key (differential partial key information) received by the update key information receiving unit 53. That is, the signature key update unit 54 updates the signature key by adding the difference partial key to the signature key before update.
Specifically, the signature key update unit 54 receives the pre-update signature key managed (stored) by the signature key management unit 52 and the update key information reception unit 53 with SK _{i + (j−1) n} . Based on the difference partial key Δx included in the difference partial key information and the prime number q which is a part of the verification key disclosed as public information in the key management server 1, a difference is obtained by the following equation (9). A new signature key SK _{i + jn} associated with the valid identifier (i + jn) included in the partial key information is generated.

For example, if the update identifier j becomes "1" to "0", the signing key SK _i which correspond to a valid identifier (i), that corresponds to a valid identifier (i + n) signing key _{SK i + n} is generated Become. In this way, as the update identifier sequentially increases, the valid identifier increases to i, i + n, i + 2n,..., I + mn, and the signature keys SK _i , SK _{i + n} , SK _{i + 2n,.} SK _{i + mn} is sequentially generated.
The signature key SK _{i + jn} generated in this way is stored in the signature key management means 52 in association with the valid identifier (i + jn) together with the partial key verification information v included in the differential partial key information.

(Configuration of signature generator)
The signature generation device 60 uses the signature key managed by the signature key update device 50 to add a signature to the application. Here, the signature generation apparatus 60 includes an application input unit 61, a signature addition unit 62, and an application transmission unit 63.

  The application input means 61 inputs an application from the outside. For example, the application input unit 61 may receive an application via a network inside the service provider, or may read an application written in a storage medium. The application input unit 61 outputs the input application to the signature adding unit 62.

The signature adding unit 62 adds a digital signature to the application input by the application input unit 61 using a signature key. That is, the signature adding unit 62 calculates a hash value including a valid identifier unique to each service provider, generates a signature unique to the valid identifier, and adds the signature to the application.
Specifically, the signature adding unit 62 randomly generates a random number r _s from Z _q based on a part (p, g) of the verification key disclosed as public information, and the following equation (10) Thus, signature verification information v _s that is a part of information for verifying the validity of the signature is generated.

Further, as shown in the following equation (11), the signature adding unit 62 includes the partial key verification information v and the valid identifier (i + jn) stored in the signature key management unit 52, the application (software) M, the equation The signature verification information v _s generated in (10) is concatenated, and a hash value c _s is generated by a hash function H (•) that is a part of the public verification key.

Then, the signature adding means 62 is based on the hash value c _s , the random number r _s , the signature key SK _{i + jn} stored in the signature key management means 52, and a part (q) of the publicized verification key. Thus, the signature σ _s is generated by the following equation (12).

Then, the signature adding unit 62 sends the signature information (σ _s , c _s , v) including the signature σ _s , the hash value c _s, and the partial key verification information v to the application M, and the signature key management unit 52. The stored valid identifier (i + jn) is added and output to the application transmission means 63.

Application transmitting means 63 is for transmitting the signature by the signature adding means 62 (signature information) and an application effective identifier is added (signed application), to the receiving terminal 7 via the network N _1.

[Configuration of receiving terminal]
Next, referring to FIG. 5 (see FIG. 1 as appropriate), the configuration of the receiving terminal will be described. Here, the receiving terminal 7 includes a revocation list receiving means 71, a revocation list management means 72, a verification key management means 73, an application receiving means 74, a revocation list verification means 75, a signature verification means 76, and an application management. Means 77.

Revocation list receiving unit 71, a revocation list that has been generated by the key management server 1 (CRL), is intended to receive via the network N _1. The received CRL is output to the revocation list management means 72.

The revocation list management means (revocation list storage means) 72 stores and manages the CRL received by the revocation list reception means 71. Specifically, the revocation list management means 72 writes the CRL received by the revocation list receiving means 71 to a storage medium (not shown), and reads and updates the CRL as required.
Here, when the revocation list verification unit 75 verifies the service provider identifier (valid identifier), the revocation list management unit 72 reads the CRL from the storage medium in response to a request from the revocation list verification unit 75, and performs revocation list verification. It outputs to the means 75.
In addition, when the revocation list receiving unit 71 newly receives a CRL, the revocation list management unit 72 updates the CRL stored in the storage medium.

  The verification key management means (verification key storage means) 73 stores and manages the verification key generated by the key management server 1. Specifically, the verification key management unit 73 is, for example, an IC card or the like, and is a storage medium in which a verification key is written in advance. The verification key management unit 73 reads the verification key in response to a request from the signature verification unit 76.

Applications receiving unit 74, an application that is sent from the application server 5 (signed application), and receives via the network N _1. The application reception unit 74 outputs the received signed application to the revocation list verification unit 75.

The revocation list verification unit 75 refers to the CRL stored in the revocation list management unit 72 and verifies whether or not the service provider identifier (valid identifier) added to the signed application is valid. It is.
That is, the revocation list verification means 75 is added to the signed application when the valid identifier (i + jn) added to the signed application is equal to or less than the maximum revocation identifier described in the first element of the CRL. It is determined that the signature key corresponding to the valid identifier (i + jn) has already been revoked.

Further, the revocation list verification means 75 adds the valid identifier (i + jn) added to the signed application to the signed application if it matches one of the individual revocation identifiers described in the second and subsequent elements of the CRL. It is determined that the signature key corresponding to the valid identifier (i + jn) that has already been revoked.
As described above, when the revocation list verification unit 75 determines that the signature key corresponding to the valid identifier (i + jn) added to the signed application has been revoked, an error message is sent to the display device (not shown). Is displayed.

  When the revocation list verification unit 75 determines that the valid identifier (i + jn) added to the signed application is valid, the revocation list verification unit 75 outputs the signed application to the signature verification unit 76.

The signature verification unit 76 verifies the signature added to the signed application using the verification key stored in the verification key management unit 73. That is, the signature verification unit 76 verifies the signature based on whether or not the hash value obtained by using a predetermined conditional expression using the verification key matches the hash value added to the signature.
Specifically, as shown in the following formula (13), the signature verification unit 76 concatenates the partial key verification information v added to the application and the valid identifier (i + jn) to the verification key management unit 73. A hash value c ₁ is generated by the hash function H (•) included in the recorded verification key.

Then, the signature verification unit 76 uses the hash value c ₁ , a part of the verification key (p, g, y ₀ , y ′), and the signature information (σ _s , c _s , v) as follows: Signature verification is performed depending on whether the conditional expression of Expression (14) is satisfied.

  The signature verification unit 76 determines that the added signature is a valid signature only when the formula (14) is satisfied, and outputs the signed application to the application management unit 77. If the signature verification unit 76 determines that the signature is not valid, the signature verification unit 76 displays an error message on a display device (not shown).

The application management unit 77 activates (decrypts and reproduces) or stores the signed application whose signature is determined to be valid by the signature verification unit 76.
The application management unit 77 is a general storage / reproduction unit that decodes and reproduces an encoded application (encoded data), or stores the application once in a storage medium such as a hard disk. Therefore, detailed description is omitted here.

[Operation of application authentication system]
Next, the operation of the application authentication system will be described.
[Key generation / signature key issuance]
First, referring to FIG. 6 (refer to FIGS. 2 and 3 as appropriate), operations of key generation and signature key issuance, which are initial operations in the application authentication system S, will be described.
First, the key management server 1 includes two master keys (first master key and second master key) necessary for generating a signature key by the key generation unit 11 in the key generation device 10, public information, and the like. (Step S1: master key / verification key generation). The operation of generating keys (master key and verification key) in step S1 will be described later with reference to FIG.

Then, the key management server 1 stores the verification key generated in step S1 by the verification key management unit 12 and discloses the verification key (step S2). The verification key generated in step S1 is distributed (distributed) to the receiving terminal 7 offline or via a secure communication path (for example, broadcast wave) (not shown as a step).
The key management server 1 stores the first master key generated in step S1 by the first master key management means 13 (step S3). Further, the key management server 1 transmits the second master key generated in step S1 to the signature key issuing server 3 by the second master key transmission unit 14 (step S4).

On the other hand, the signature key issuing server 3 receives the second master key by the second master key receiving means 31 (step S5). Then, the second master key management means 32 stores the second master key (step S6).
Through the above operation, a master key (first master key and second master key) necessary for generating a signature key and a verification key for verifying the signature key are generated.

Thereafter, the application authentication system S performs the following operation in order to issue a signature key to the service provider.
That is, the key management server 1 uses the parameter input unit 21 in the partial key generation device 20 to input the service provider identifier from the outside and obtain the verification key and the first master key stored in steps S2 and S3. Then, the partial key generation means 22 generates partial key information including a partial key for generating a signature key (step S7: partial key generation). The partial key generation operation in step S7 will be described later with reference to FIG.

And the key management server 1 memorize | stores the partial key (partial key information) produced | generated by step S7 by the partial key management means 23 (step S8).
Furthermore, the key management server 1 transmits the partial key (partial key information) generated in step S7 to the signature key issuing server 3 by the partial key transmission unit 24 (step S9).

On the other hand, the signature key issuing server 3 receives the partial key (partial key information) by the partial key receiving means 33 (step S10).
Then, the signature key issuing server 3 generates a signature key from the partial key (partial key information) received in step S10 and the second master key stored in step S6 by the signature key generation unit 34 (step S11). : Signing key generation). The signature key generation operation in step S11 will be described later with reference to FIG. The signature key generated in step S11 is distributed to the service provider (application server 5) offline (not shown as a step).

Through the above operation, a signature key is generated and managed as secret information by the service provider.
When there are a plurality of service providers (application servers 5), a plurality of signature keys are generated corresponding to the service providers. In this case, the operations after step S7 are repeated according to the number of service providers. It is.

(Key [master key / verification key] generation)
Next, with reference to FIG. 7 (refer to FIG. 2 as appropriate), operations for generating a master key (first master key and second master key) and a verification key will be described. The operation described here corresponds to the operation in step S1 described in FIG. 6 and operates in the key generation unit 11 of the key generation device 10.

First, the key generation means 11 generates prime numbers p and q whose q is a divisor of (p−1) (step S21), and based on the prime numbers p and q, the element g of the multiplicative group Z _p ^* is used. A generation source g is generated such that the order of the generated subgroup is q (step S22). Then, the key generation means 11 randomly selects x, x ′ from Z _q (step S23).
Then, the key generation unit 11 sets the x ₀ obtained by performing the calculation of the equation (1) and the first master key (step S24).
Further, the key generation means 11 sets x ′ selected in step S23 as the second master key (step S25).

After that, the key generation means 11 calculates a part (y ₀ , y ′) of the verification key element by the calculation of the formula (3), and p, q, g, y ₀ , y ′ and the hash function H ( The verification key VK shown in the equation (2) consisting of (.) Is generated (step S26).
By the above operation, the key generation unit 11 generates a first master key x ₀ and the second master key x 'are two master key for generating a signature key and a verification key VK is a public information .

(Signing key issuance)
Next, with reference to FIG. 8 (refer to FIGS. 2 and 3 as appropriate), the main operation when issuing a signature key will be described. The operation described in FIG. 8A corresponds to the partial key generation operation in step S7 described in FIG. 6, and operates in the partial key generation unit 22 of the key generation device 10 of the key management server 1. 8B corresponds to the signature key generation operation of step S11 described with reference to FIG. 6, and operates in the signature key generation means 34 of the signature key issuing server 3.

First, as shown in FIG. 8A, the partial key generation means 22 randomly generates a random number r ₁ (r) from Z _q (step S31). Then, the partial key generation means 22 obtains the partial key verification information v ₁ (v) by the calculation of the formula (4) based on the random number r ₁ (r) and a part (p, g) of the verification key. Generate (step S32).
Further, the partial key generation means 22 connects the partial key verification information v ₁ (v) and the valid identifier (here, since it is the signing key issuance stage, the service provider identifier i), and the equation (5) ) To generate a hash value c ₁ (c) (step S33).

Thereafter, the partial key generation means 22 uses the above formula (0) based on the first master key x ₀ , a part (q) of the verification key, the hash value c ₁ (c), and the random number r ₁ (r). 6), the partial key x ₁ (x) is generated (step S34).
The partial key x ₁ (x) generated in this way is transmitted to the signature key issuing server 3 as partial key information together with the partial key verification information v ₁ (v) and the service provider identifier i.

On the other hand, as shown in FIG. 8B, the signature key generation means 34 includes the second master key x ′ acquired in advance and the portion included in the partial key information generated and transmitted in step S34. Based on the key x ₁ (x) and a part (q) of the publicized verification key, a signature key SK _i corresponding to the service provider identifier _i is generated by the equation (8) (step S41). ).
The signature key SK _i generated in this way is distributed offline to the service provider identified by the service provider identifier i.

[Signature key update]
Next, the signature key update operation in the application authentication system S will be described with reference to FIG. 9 (see FIGS. 2, 4 and 5 as appropriate).
First, the key management server 1 inputs the update type, update identifier, and service provider identifier from the outside by the parameter input means 21 in the partial key generation device 20, and is stored in steps S2 and S3 in FIG. The verification key and the first master key are acquired, and the partial key generation unit 22 and the update key information generation unit 25 generate differential partial key information including a differential partial key for updating the signature key (step S51: differential part). Key generation). The difference partial key generation operation in step S51 will be described later with reference to FIG.
And the key management server 1 transmits the difference partial key (difference partial key information) produced | generated by step S51 by the update key information transmission means 26 to the application server 5 (step S52).

  Furthermore, the key management server 1 uses the revocation list generation unit 27 to generate a revocation list (CRL) in which the maximum value of the valid identifiers before updating (maximum revocation identifier) is described in the first element (step S53). The revocation list generation means 27 describes those identifiers (individual revocation identifiers) after the second element when service provider identifiers that are to be revoked individually are input. Then, the key management server 1 transmits the CRL generated in step S53 to the receiving terminal 7 by the revocation list transmission unit 28 (step S54).

On the other hand, the application server 5 receives the difference partial key (difference partial key information) by the update key information receiving means 53 in the signature key updating apparatus 50 (step S55).
The application server 5 then uses the signature key update unit 54 to manage the pre-update signature key managed (stored) by the signature key management unit 52 based on the difference partial key (difference partial key information) received in step S55. (Step S56: Signature key update). The signature key update operation in step S56 will be described later with reference to FIG.

On the other hand, the receiving terminal 7 receives the revocation list (CRL) by the revocation list receiving means 71 (step S58). And the receiving terminal 7 memorize | stores CRL received by the revocation list management means 72 at step S58 (step S59).
Through the above operation, the signature key is updated in the application server 5, and the CRL notifies the receiving terminal 7 that the signature key before the update has expired.

(Differential partial key generation / signature key update)
Next, the main operation when updating the signature key will be described with reference to FIG. 10 (see FIGS. 2 and 4 as appropriate). The operation described in FIG. 10A corresponds to the differential partial key generation operation in step S51 described in FIG. 9, and the partial key generation unit 22 and update key information generation of the key generation device 10 of the key management server 1 are performed. Operates in means 25. The operation described in FIG. 10B corresponds to the signature key update operation in step S56 described in FIG. 9, and operates in the signature key update unit 54 of the signature key update device 50 in the application server 5.

First, as shown in FIG. 10A, the partial key generation means 22 randomly generates a random number r ₂ (r) from Z _q (step S61). Then, the partial key generation means 22 obtains the partial key verification information v ₂ (v) by the calculation of the formula (4) based on the random number r ₂ (r) and a part (p, g) of the verification key. Generate (step S62).
Further, the partial key generation means 22 concatenates the partial key verification information v ₂ (v) and the valid identifier (i + jn), and generates a hash value c ₂ (c) according to the equation (5) (step S63). ).

Then, the partial key generation means 22 uses the above formula (0) based on the first master key x ₀ , a part (q) of the verification key, the hash value c ₂ (c), and the random number r ₂ (r). 6), the partial key x ₂ (x) is generated (step S64).

Thereafter, the update key information generation unit 25 includes a previous partial key x ₁ that a partial key management unit 23 is managed (stored), and partial key x ₂ generated in step S64, a part of the verification key (q ) And the difference partial key Δx is generated by the equation (7) (step S65).
The differential partial key Δx thus generated is transmitted to the application server 5 as differential partial key information together with the partial key verification information v ₂ (v) and the valid identifier (i + jn).

On the other hand, as shown in FIG. 10B, the signature key update unit 54 sets the signature key before update managed (stored) by the signature key management unit 52 as SK _{i + (j−1) n} and step S65. Based on the difference partial key Δx included in the difference partial key information generated and transmitted in step (b) and a part (q) of the verification key released as public information in the key management server 1, the equation (9) ) To generate a new signature key SK _{i + jn} (step S71).

The signature key SK _{i + jn} generated in this way is stored in the signature key management means 52 in association with the valid identifier (i + jn) together with the partial key verification information v included in the differential partial key information. As a result, the signature key (signature key information) held by the application server 5 is updated.

[Application authentication]
Next, an application authentication operation for generating a signature in the application authentication system S and adding it to the application and verifying the signature on the receiving side of the application will be described with reference to FIG. 11 (refer to FIGS. 4 and 5 as appropriate).

First, the application server 5 inputs an application from the outside by the application input means 61 (step S81).
Then, the application server 5 generates a signature based on the signature key information stored in the signature key management unit 52 by the signature adding unit 62 (step S82: signature generation). The signature generation operation in step S82 will be described later with reference to FIG.

  Then, the application server 5 adds the signature generated in step S82 to the application input in step S81 by the signature adding unit 62 (step S83). Then, the application server 5 transmits the signed application with the signature added in step S83 to the receiving terminal 7 by the application transmitting unit 63 (step S84).

  On the other hand, the receiving terminal 7 receives the signed application by the application receiving means 74 (step S85). Then, the receiving terminal 7 verifies whether or not the signature is valid for the signed application by the revocation list verification unit 75 and the signature verification unit 76 (step S86: signature verification). The signature generation operation in step S86 will be described later with reference to FIG.

The receiving terminal 7 activates (decrypts and reproduces) or stores the application by the application management unit 77 only when it is determined in step S87 that the signature is valid as a verification result (Yes in step S87). This is performed (step S88).
On the other hand, when it is determined that the signature is invalid as a verification result (No in step S87), the receiving terminal 7 displays an error message without activating the application and ends the process.
With the above operation, only applications to which a legitimate service provider has added a valid signature are activated and stored in the receiving terminal 7.

(Signature generation / signature verification)
Next, the main operation of application authentication will be described with reference to FIG. 12 (see FIGS. 4 and 5 as appropriate). The operation described in FIG. 12A corresponds to the signature generation operation in step S82 described in FIG. 11, and operates in the signature adding unit 62 of the signature generation device 60 of the application server 5. 12B corresponds to the signature verification operation in step S86 described in FIG. 11, and operates in the revocation list verification unit 75 and the signature verification unit 76 of the receiving terminal 7.

First, as shown in FIG. 12A, the signature adding unit 62 randomly generates a random number r _s from Z _q (step S91). The signature adding means 62, the random number _{r s,} a part of the verification key (p, g) based on the, generates signature verification information _{v s} by calculation of the equation (10) (step S92).

Further, signature adding means 62 connected to the partial key verification information v stored in the signature key managing unit 52, a signature verifying information v _s, valid identifier (i + jn), an application M, the equation (11 ) To generate a hash value c _s (step S93).

Thereafter, the signature adding unit 62 uses the hash value c _s , the random number r _s , the signature key SK _{i + jn} corresponding to the valid identifier (i + jn) stored in the signature key management unit 52, and a part of the verification key (q ) And the signature σ _s is generated by the equation (12) (step S94).
The signature σ _s thus generated is added to the application M together with the hash value c _s , the partial key verification information v, and the valid identifier (i + jn) to generate a signed application.

On the other hand, as shown in FIG. 12B, the revocation list verification unit 75 determines whether or not the valid identifier (i + jn) added to the signed application is included in the CRL (step S101).
Here, when the valid identifier (i + jn) is included in the CRL, that is, when the valid identifier (i + jn) is less than or equal to the maximum revocation identifier described in the first element of the CRL, or the valid identifier (i + jn) ) Matches one of the individual revocation identifiers described after the second element of the CRL (Yes in step S101), the signature corresponding to the illegal signature key has been added, so the revocation list verification means 75 Sets that the signature is invalid in the verification result (step S102), and ends the signature verification operation.

On the other hand, when the valid identifier (i + jn) is not included in the CRL (No in step S101), the signature verification unit 76 performs the following operation.
That is, the signature verification unit 76 generates the hash value c ₁ by the above equation (13) using the hash function H (•) included in the verification key recorded in the verification key management unit 73 (step S103). .
Then, the signature verification means 76 uses the above formula based on the hash value c ₁ , a part of the verification key (p, g, y ₀ , y ′), and the signature information (σ _s , c _s , v). The signature σ _s is verified depending on whether or not the conditional expression (14) is satisfied (step S104).

Here, when the conditional expression (14) is satisfied (Yes in step S104), the signature verification unit 76 sets that the signature is valid in the verification result (step S105). On the other hand, if the conditional expression (14) is not satisfied (No in step S104), the signature verification unit 76 sets that the signature is not valid in the verification result (step S102).
Through the above procedure, the receiving terminal 7 can verify the signature added to the application.

[Example of signing key renewal and revocation]
Next, referring to FIGS. 13 to 16 (refer to FIGS. 1 to 5 as appropriate), the signature key update and revocation processing in the application authentication system will be specifically described.

(Normal update)
First, processing for periodically updating the signature key will be described with reference to FIG.
As shown in FIG. 13, when the number of service providers is m, service provider identifiers 1, 2,..., M are assigned to the respective service providers. Then, as described in the signature key issuing operation of FIG. 6, the partial key generation unit 22 of the key management server 1 transmits the partial key generated with the update identifier “0” to the signature key issuing server 3, and the signature key issuing server 3 generates signature keys SK ₁ , SK ₂ ,..., SK _m corresponding to the service provider identifiers 1, ₂ ,.

At this time, since there is no signature key to be revoked, the revocation list generating means 27 of the key management server 1 sets a value (in this case, “0”) smaller than the valid service provider identifier. Accordingly, the receiving terminal 7 that has acquired the CRL can determine that all the signature keys SK ₁ , SK ₂ ,..., SK _m corresponding to the service provider identifiers 1, ₂ ,.

Thereafter, when the signature key is updated, the update identifier is incremented by 1, the partial key generation unit 22 generates a partial key with the new update identifier “1”, and the update key information generation unit 25 generates the part previously generated. A difference partial key is generated by taking the difference from the key. Then, the signature key update unit 54 of the application server 5 updates the signature key with the difference partial key. At this time, the key management server 1 notifies the application server 5 of the valid identifier (service provider identifier + update identifier × service provider number upper limit value) simultaneously with the differential partial key. The signature key update unit 54 generates a signature key corresponding to the valid identifier. Accordingly, when the update identifier is changed from “0” to “1”, the signature keys SK ₁ , SK ₂ ,..., SK _m held in the application server 5 for each service provider are valid identifiers 1 + n, 2 + n. ,..., M _{+ n} are updated to signature keys SK _{1 + n} , SK _{2 + n} ,.

At this time, since the signature keys to be revoked are the signature keys SK ₁ , SK ₂ ,..., SK _m , m is described in the first element as a maximum revocation identifier, and CRL = {m} is generated. Alternatively, CRL = {n} is generated by describing n, which is (update identifier “1” × upper limit value n of service providers), in the first element. Accordingly, the receiving terminal 7 that has acquired the CRL has all the signature keys SK ₁ , SK ₂ ,..., SK _m corresponding to the service provider identifiers 1, 2,..., M by CRL {m} or {n}. It can be determined to be invalid.
In this way, the signature identifier is updated by increasing the update identifier to “0”, “1”,..., And by setting a value smaller than the updated valid identifier in the CRL, the signature key before the update is set. Can be revoked at once.

(When adding a service provider)
Next, processing for adding a service provider will be described with reference to FIG. Here, it is assumed that a service provider to which a service provider identifier t satisfying m <t ≦ n is added while the signature key with the update identifier “2” is distributed.
In this case, first, as described in the signature key issuing operation of FIG. 6, the partial key generating unit 22 of the key management server 1 transmits the partial key generated with the update identifier “0” to the signature key issuing server 3, and The signature key generation unit 34 of the key issuing server 3 generates a signature key SK _t corresponding to the service provider identifier t.

Thereafter, when the update identifier “3” is updated, the signature key SK _t of the service provider identifier t is a signature key corresponding to the valid identifier (service provider identifier t + update identifier “3” × service provider number upper limit n). Updated to SK _{t + 3n} .
At this time, the revocation list generation means 27 of the key management server 1 uses the maximum value t of the valid identifier before update, the update identifier “2” before update, and the upper limit value n of the number of service providers as the maximum revocation identifier. The specified valid identifier is described in the first element, and CRL = {t + 2n} is generated. Alternatively, CRL = {3n} is generated by describing (updated identifier “3” after update × upper limit value n of the number of service providers) in the first element.

Here, the signature key corresponding to the update identifier “0” is generated as the signature key of the newly added service provider. However, the signature key corresponding to the currently valid update identifier is generated. Also good. For example, in FIG. 14, when the update identifier "2", when generating a signature key of the service provider identifier t, may generate the _{SK t + 2n} instead of SK _t.

(When the service provider is revoked)
Next, processing for revoking a signature key of a specific service provider will be described with reference to FIG. Here, it is assumed that after distributing the signature key with the update identifier “1”, the signature key of the service provider defined as a certain service provider identifier k is revoked.

In this case, the revocation list generating means 27 of the key management server 1 describes the maximum value m of the valid identifier before update in the first element as the maximum revocation identifier, and the service provider identifier k to be revoked as the individual revocation identifier. The valid identifier in the update identifier “1” is described in the second element, and CRL = {m, k + n} is generated. Alternatively, (the current update identifier “1” × the upper limit value n of the number of service providers) is described in the first element, and CRL = {n, k + n} is generated.
In updating the signature key after the update identifier “2”, since the differential key corresponding to the service provider identifier k is not generated in the update key information generation unit 25 of the key management server 1, the individual revocation identifier is included in the CRL. Need not be described, and is the same as the operation described in FIG.

(If a signature key leak is detected)
Next, a signature key update and revocation process when a specific service provider's signature key is leaked will be described with reference to FIG. Here, it is assumed that the signature key of the service provider identifier h is leaked in the update identifier “1”.

In this case, as in the process described with reference to FIG. 15, the maximum value m of the valid identifier before update is described in the first element as the maximum revocation identifier, and the service provider identifier h to be revoked is updated as the individual revocation identifier. The valid identifier in the identifier “1” is described in the second element, and CRL = {m, h + n} is generated. Alternatively, (the current update identifier “1” × the upper limit value n of the number of service providers) is described in the first element, and CRL = {n, h + n} is generated.
Further, a service provider identifier h ′ is newly assigned to the service provider to which the service provider identifier h is assigned.
The subsequent processing is the same as the processing when a new service provider is added in FIG.

  In FIGS. 13 to 16, the example in which the signature key is updated and the CRL is generated by the method described in FIG. 17A has been described. However, as described in FIG. Needless to say, the signature key may be updated and the CRL may be generated so that the valid identifiers are continuous.

  According to the application authentication system S described above, the broadcast station can perform key generation and key management, and can verify a signature using a fixed-length verification key regardless of the number of service providers. Further, by using the maximum revocation identifier, a plurality of signature keys can be easily revoked at the same time, and the signature keys can be easily updated.

  Further, since the application authentication system S manages the master key separately, even if one master key leaks, the signature key cannot be updated without the other master key. The service provider can be authenticated safely.

  As mentioned above, although embodiment of this invention was described, this invention is not limited to this. For example, the key management server 1 can be realized by operating a general computer by a program (key management program [key generation program, signature key update partial key generation program]) that functions as each of the above-described units. it can. Similarly, the signature key issuing server 3 can be realized by operating a general computer by a program (signature key issuing program) that functions as each of the above-described units.

  The signature key update device 50 of the application server 5 can be realized by operating a general computer by a program (signature key update program) that functions as each of the above-described means. This can be realized by operating a general computer by a program (application signature adding program) that functions as each of the above-described means. Furthermore, the receiving terminal 7 can be realized by operating a general computer by a program (application authentication program) that functions as each of the above-described means.

  Here, although the system is configured using Strong Key-Insulated signatures, ID-based signatures (A. Shamir: “Identity-Based Cryptosystems and Signature Schemes”, Proc. Of CRYPTO'84, LNCS 196, pp. 47) -53, Springer-Verlag, 1984.) and Key-Insulated signatures (Y. Dodis, J. Katz, S. Xu and M. Yung: “Strong Key-Insulated Signature Schemes”, Proc. Of PKC'03, pp. .130-144, 2003.) can also be used to implement a system for updating or revoking the signature key of the present invention.

[Other configuration of application authentication system (ID-based signature)]
Hereinafter, another embodiment of the present invention using an ID-based signature will be described.
As shown in FIG. 18, when the present invention using the ID-based signature, the application authentication system S _B includes a key management server (a key management apparatus) 1B with a broadcasting station, a service provider (service provider The application server 5B provided in the user) and the receiving terminal 7 provided in the user's house (or carried by the user).

An ID-based signature does not have the concept of a partial key, and a signature key is generated from one master key and an ID (service provider identifier [valid identifier]). Therefore, the application authentication system S _B may omit the signing key issuing server 3 from the application authentication system S described in FIG 1, the key management server 1 of the key generation device 10 and the partial key generation unit 20, the key generation device 10B and a signature The key management server 1B is configured as the key generation device 20B, and the application server 5B is configured with the signature key update device 50 of the application server 5 as the new signature key update device 50B. The receiving terminal 7 is the same as that shown in FIG.

[Key management server configuration]
First, the configuration of the key management server will be described with reference to FIG. 19 (refer to FIG. 18 as appropriate). Here, the key management server (key management device) 1B includes a key generation device 10B and a signature key generation device 20B. It is assumed that the key generation device 10B and the signature key generation device 20B are communicably connected via a communication interface (not shown).

(Configuration of key generation device)
The key generation device 10B generates and manages (stores) a master key for generating a signature key and a verification key for verifying the signature key. Here, the key generation device 10B includes a key generation unit 11B, a verification key management unit 12, and a master key management unit 13B. The verification key management unit 12 is the same as that described with reference to FIG.

  The key generation unit 11B generates a master key and a verification key. Here, the key generation unit 11B generates a master key and a verification key by an ID-based signature method. The key generation unit 11B outputs the generated verification key to the verification key management unit 12, and outputs the generated master key to the master key management unit 13B.

  The master key management unit 13B stores and manages the master key generated by the key generation unit 11B. The master key management unit 13B manages the master key in the same manner as the first master key managed by the first master key management unit 13 described in FIG.

(Configuration of signature key generator)
The signature key generation device 20B generates a signature key and key information used when updating the signature key, and generates a revocation list indicating a list of revoked signature keys. Here, the signature key generation apparatus 20B includes a parameter input unit 21, a signature key generation unit 22B, a signature key management unit 23B, a signature key transmission unit 24B, an update key information generation unit 25B, and an update key information transmission unit. 26B, a revocation list generation unit 27, and a revocation list transmission unit 28.

The parameter input unit 21, the revocation list generation unit 27, and the revocation list transmission unit 28 have the same configuration as the partial key generation device 20 described in FIG.
As described above, an ID-based signature does not have the concept of a partial key, and a signature key is generated from one master key and an ID (service provider identifier [valid identifier]). The illustrated partial key generation means 22, partial key management means 23, and partial key transmission means 24 are configured as a signature key generation means 22B, a signature key management means 23B, and a signature key transmission means 24B, respectively.
That is, the signature key generation device 20B generates a signature key by the ID key signature method by the signature key generation unit 22B, manages (stores) the signature key by the signature key management unit 23B, and uses the signature key transmission unit 24B. The signature key is transmitted to the application server 5B.

Here, the update key information generation unit 25 and the update key information transmission unit 26 shown in FIG. 2 are configured as an update key information generation unit 25B and an update key information transmission unit 26B, respectively.
Also in the update key information generation unit 25B and the update key information transmission unit 26B, the update key information generation unit 25 and the update key information transmission unit 26 illustrated in FIG. 2 obtain the partial key difference and transmit it to the application server 5. However, the only difference is that the difference between the signature keys is obtained and transmitted to the application server 5B.

Application server configuration
Next, the configuration of the application server will be described with reference to FIG. 20 (refer to FIG. 18 as appropriate). Here, the application server 5B includes a signature key update device 50B and a signature generation device 60. The signature generation device 60 is the same as that described with reference to FIG.

  The signature key update device 50B updates the signature key distributed to the service provider based on the differential signature key (differential signature key information) transmitted from the key management server 1B. Here, the signature key update device 50B includes a signature key input unit 51, a signature key management unit 52, an update key information reception unit 53B, and a signature key update unit 54B. The signature key input means 51 and the signature key management means 52 are the same as those described with reference to FIG.

Also, the update key information receiving unit 53B and the signature key updating unit 54B are different from the update key information receiving unit 53 and the signature key updating unit 54 described in FIG. The only difference is that it receives the differential signature key and updates the signature key. The signature key updating unit 54B updates the signature key using the differential signature key by a general ID-based signature method.
As described above, the present invention sequentially updates a verification key, which is public information for verifying a signature added to an application for each service provider, and a service provider-specific key, which is secret information corresponding to the verification key. In a signature scheme using a signed key, a plurality of signature keys can be easily revoked at the same time, and the signature key can be easily updated.

S Application authentication system 1 Key management server (key management device)
DESCRIPTION OF SYMBOLS 10 Key generation apparatus 11 Key generation means 12 Verification key management means (Verification key storage means)
13 First master key management means (first master key storage means)
14 Second master key transmission means 20 Partial key generation device (signature key update partial key generation device)
21 Parameter input means 22 Partial key generation means 23 Partial key management means (partial key storage means)
24 partial key transmission means 25 update key information generation means 26 update key information transmission means 27 revocation list generation means 28 revocation list transmission means 3 signature key issuing server (signature key issuing device)
31 Second master key receiving means 32 Second master key management means (second master key storage means)
33 Partial Key Receiving Unit 34 Signature Key Generating Unit 35 Signature Key Output Unit 5 Application Server 50 Signature Key Update Device 51 Signature Key Input Unit 52 Signature Key Management Unit (Signature Key Storage Unit)
53 Renewal Key Information Receiving Means 54 Signature Key Updating Means 60 Signature Generation Device 61 Application Input Means 62 Signature Adding Means 63 Application Sending Means 7 Receiving Terminal 71 Revocation List Receiving Means 72 Revocation List Management Means (Revocation List Storage Means)
73 Verification key management means (Verification key storage means)
74 Application Receiving Unit 75 Revocation List Verification Unit 76 Signature Verification Unit 77 Application Management Unit

Claims (15)

A verification key, which is public information for verifying a signature to be added to an application for each service provider, and a signature key, which is secret information corresponding to the verification key and is a key unique to the service provider and sequentially updated. In a key management device that is provided in an application authentication system in which an application server adds a signature to the application and distributes the signature to the receiving terminal using the signature scheme, and generates key information for updating the signature key by the signature scheme.
An effective identifier that is assigned to each service provider corresponding to the signature key, and is associated with an effective identifier that is set to a value that is larger than the maximum value of the effective identifier before update when the signature key is updated, Update key information generating means for generating the key information;
Update key information transmitting means for transmitting the key information to the application server together with the updated effective identifier for each service provider;
A revocation list generating means for generating a revocation list using as an element a value that demarcates a boundary between the pre-update valid identifier and the post-update valid identifier;
Revocation list transmitting means for transmitting the revocation list to the receiving terminal;
A key management device comprising: A verification key, which is public information for verifying a signature to be added to an application for each service provider, and a signature key, which is secret information corresponding to the verification key and is a key unique to the service provider and sequentially updated. The key management apparatus is provided in an application authentication system in which an application server adds a signature to the application and distributes the signature to the receiving terminal according to the signature method, and generates key information for updating the signature key by the signature method. Computer
An effective identifier that is assigned to each service provider corresponding to the signature key, and is associated with an effective identifier that is set to a value that is larger than the maximum value of the effective identifier before update when the signature key is updated, Update key information generating means for generating the key information;
Update key information transmitting means for transmitting the key information to the application server together with the updated valid identifier for each service provider,
A revocation list generating means for generating a revocation list by using as an element a value for dividing a boundary between the pre-update valid identifier and the post-update valid identifier;
Revocation list transmission means for transmitting the revocation list to the receiving terminal;
Key management program characterized by functioning as A verification key, which is public information for verifying a signature added to an application for each service provider, and a key unique to the service provider, which is secret information corresponding to the verification key, generated by the key management device The reception terminal used in an application authentication system in which an application server adds a signature to the application and distributes the signature to the reception terminal by a signature method using a signature key that is sequentially updated by information,
Verification key storage means for storing the verification key in advance;
Among valid identifiers set by the key management device for each service provider and set to a value larger than the maximum valid identifier before update when the signature key is updated, A revocation list receiving means for receiving a revocation list whose element is a value that divides the boundary between the valid identifier and the updated valid identifier
Revocation list storage means for storing the revocation list received by the revocation list reception means;
Application receiving means for receiving, from the application server, an application to which the signature is added, and a valid identifier of a signature key when the signature is added;
Revocation list verification means for verifying whether or not the validity identifier added to the application received by the application reception means is valid based on the revocation list stored in the revocation list storage means;
Signature verification means for verifying a signature attached to the application by using a verification key stored in the verification key storage means;
In the revocation list verification unit and the signature verification unit, when the valid identifier is valid and the signature is valid, an application management unit that activates or stores the application; and
A receiving terminal comprising: A verification key, which is public information for verifying a signature added to an application for each service provider, and a key unique to the service provider, which is secret information corresponding to the verification key, generated by the key management device A computer that controls the receiving terminal used in an application authentication system in which an application server adds a signature to the application and distributes the signature to the receiving terminal by a signature method using a signature key that is sequentially updated by information;
Among valid identifiers set by the key management device for each service provider and set to a value larger than the maximum valid identifier before update when the signature key is updated, A revocation list receiving means for receiving a revocation list whose element is a value that divides the boundary between the valid identifier and the updated valid identifier, and storing the revocation list in the revocation list storage means,
Application receiving means for receiving, from the application server, an application to which the signature has been added and a valid identifier of a signature key when the signature is added;
Revocation list verification means for verifying whether or not the validity identifier added to the application received by the application reception means is valid based on the revocation list stored in the revocation list storage means;
Signature verification means for verifying a signature added to the application with a verification key stored in the verification key storage means in advance;
In the revocation list verification unit and the signature verification unit, an application management unit that activates or stores the application when the valid identifier is valid and the signature is valid,
An application authentication program characterized by causing it to function as A signature key issuing device that issues a service provider-specific signature key used when an application server adds a signature to an application, a verification key for verifying the signature, and a part of the signature key specific to the service provider Using the key generation device that generates a first master key for generating a partial key and a second master key for generating the signature key, the partial key using the verification key and the first master key And a signature key update partial key generation device that generates a differential partial key used when the application server updates the signature key, and the application server adds the signature to the application and distributes it to the receiving terminal. The signature key update unit used in an application authentication system that authenticates the application with the verification key in the receiving terminal A key generation device,
In association with an effective identifier that is an initial service provider identifier assigned to each service provider, or an effective identifier that is set to a value that is larger than the maximum value of the effective identifier before update when the signature key is updated, Partial key generation means for generating the partial key corresponding to the valid identifier for each service provider from the verification key and the first master key;
Partial key storage means for storing the partial key generated by the partial key generation means in association with the valid identifier;
A partial key transmitting means for adding the valid identifier and transmitting the partial key to the signature key issuing device;
Update key information generation means for generating a difference partial key based on the difference between the partial key generated by the partial key generation means and the partial key before update stored in the partial key storage means;
Update key information transmitting means for transmitting the differential partial key to the application server together with the updated effective identifier for each service provider identifier;
A revocation list generating means for generating a revocation list using as an element a value that demarcates a boundary between the pre-update valid identifier and the post-update valid identifier;
Revocation list transmitting means for transmitting the revocation list to the receiving terminal;
A partial key generation device for signing key update, comprising:   The partial key generation means multiplies the update identifier indicating the number of updates of the signature key by the upper limit value of the predetermined total number of the service provider, and adds it to the service provider identifier for each service provider. 6. The signature key update partial key generation apparatus according to claim 5, wherein the valid identifier unique to the key is calculated to generate the partial key.   The revocation list generating means multiplies the update identifier before update by the upper limit value of the total number of the service providers, and adds the maximum value of the service provider identifiers to a value for dividing the boundary. The partial key generation device for signing key update according to claim 6, wherein:   The revocation list generation means sets a value obtained by multiplying the updated update identifier by the upper limit value of the predetermined total number of the service provider as a value for dividing the boundary. Signature key update partial key generation device. A signature key issuing device that issues a service provider-specific signature key used when an application server adds a signature to an application, a verification key for verifying the signature, and a part of the signature key specific to the service provider Using the key generation device that generates a first master key for generating a partial key and a second master key for generating the signature key, the partial key using the verification key and the first master key And a signature key update partial key generation device that generates a differential partial key used when the application server updates the signature key, and the application server adds the signature to the application and distributes it to the receiving terminal. The signature key update unit used in an application authentication system that authenticates the application with the verification key in the receiving terminal The computer that controls the key generation apparatus,
In association with an effective identifier that is an initial service provider identifier assigned to each service provider, or an effective identifier that is set to a value that is larger than the maximum value of the effective identifier before update when the signature key is updated, Partial key generation means for generating the partial key corresponding to the valid identifier for each service provider from the verification key and the first master key and storing the partial key in the partial key storage means;
A partial key transmitting means for adding the valid identifier and transmitting the partial key to the signature key issuing device;
Update key information generation means for generating a difference partial key based on the difference between the partial key generated by the partial key generation means and the partial key before update stored in the partial key storage means;
Update key information transmitting means for transmitting the differential partial key to the application server together with the updated effective identifier for each service provider identifier,
A revocation list generating means for generating a revocation list by using as an element a value for dividing a boundary between the pre-update valid identifier and the post-update valid identifier;
Revocation list transmission means for transmitting the revocation list to the receiving terminal;
A partial key generation program for updating a signature key, characterized in that A signature key issuing device that issues a service provider-specific signature key used when an application server adds a signature to an application, a verification key for verifying the signature, and a part of the signature key specific to the service provider Using the key generation device that generates a first master key for generating a partial key and a second master key for generating the signature key, the partial key using the verification key and the first master key And a signature key update partial key generation device that generates a differential partial key used when the application server updates the signature key, and the application server adds the signature to the application and distributes it to the receiving terminal. The signature key issuing device used in an application authentication system for authenticating the application with the verification key in the receiving terminal There,
Second master key receiving means for receiving the second master key unique to the service provider from the key generation device;
Second master key storage means for storing the second master key;
An effective identifier that is an initial service provider identifier assigned to each service provider from the partial key generator for signing key update, or larger than the maximum value of the valid identifier before update when the signature key is updated A partial key receiving means for receiving a valid identifier set with a value and the partial key;
Signature key generating means for generating a signature key corresponding to the valid identifier using the second master key stored in the second master key storage means and the partial key received by the partial key receiving means When,
A signing key issuing device comprising: A signature key issuing device that issues a service provider-specific signature key used when an application server adds a signature to an application, a verification key for verifying the signature, and a part of the signature key specific to the service provider Using the key generation device that generates a first master key for generating a partial key and a second master key for generating the signature key, the partial key using the verification key and the first master key And a signature key update partial key generation device that generates a differential partial key used when the application server updates the signature key, and the application server adds the signature to the application and distributes it to the receiving terminal. The signature key issuing device used in an application authentication system for authenticating the application with the verification key in the receiving terminal The control computer,
Second master key receiving means for receiving the second master key unique to the service provider from the key generation apparatus and storing it in a second master key storage means;
An effective identifier that is an initial service provider identifier assigned to each service provider from the partial key generator for signing key update, or larger than the maximum value of the valid identifier before update when the signature key is updated A partial key receiving means for receiving a valid identifier set with a value and the partial key;
Signature key generating means for generating a signature key corresponding to the valid identifier using the second master key stored in the second master key storage means and the partial key received by the partial key receiving means ,
A signature key issuing program characterized by functioning as: A signature key issuing device that issues a service provider-specific signature key used when an application server adds a signature to an application, a verification key for verifying the signature, and a part of the signature key specific to the service provider Using the key generation device that generates a first master key for generating a partial key and a second master key for generating the signature key, the partial key using the verification key and the first master key And a signature key update partial key generation device that generates a differential partial key used when the application server updates the signature key, and the application server adds the signature to the application and distributes it to the receiving terminal. The application used in an application authentication system that authenticates the application with the verification key at the receiving terminal. A server,
Signature key storage means for storing a signature key generated by the signature key issuing device;
A service provider identifier assigned to each service provider from the partial key generator for signing key update is set as an initial valid identifier, and a value larger than the maximum value of the valid identifier before update is set when the signature key is updated. Update key information receiving means for receiving the set valid identifier and the differential partial key;
A signature key update unit that updates the signature key stored in the signature key storage unit in association with the valid identifier using the differential partial key received by the update key information reception unit;
A signature adding means for generating a signature corresponding to the valid identifier using a signature key stored in the signature key storage means and adding the signature to the application;
Application transmitting means for transmitting the application to which the signature is added by the signature adding means to the receiving terminal;
An application server comprising: A signature key issuing device that issues a service provider-specific signature key used when an application server adds a signature to an application, a verification key for verifying the signature, and a part of the signature key specific to the service provider Using the key generation device that generates a first master key for generating a partial key and a second master key for generating the signature key, the partial key using the verification key and the first master key And a signature key update partial key generation device that generates a differential partial key used when the application server updates the signature key, and the application server adds the signature to the application and distributes it to the receiving terminal. The application used in an application authentication system that authenticates the application with the verification key at the receiving terminal. The computer that controls the server,
A service provider identifier assigned to each service provider from the partial key generator for signing key update is set as an initial valid identifier, and a value larger than the maximum value of the valid identifier before update is set when the signature key is updated. Update key information receiving means for receiving the set valid identifier and the differential partial key;
Signature key update means for updating the signature key generated by the signature key issuing device stored in the signature key storage means in association with the valid identifier using the differential partial key received by the update key information receiving means ,
A signature adding means for generating a signature corresponding to the valid identifier using the signature key stored in the signature key storage means and adding the signature to the application;
Application transmitting means for transmitting the application to which the signature is added by the signature adding means to the receiving terminal;
An application signature adding program characterized in that it functions as an application. A signature key issuing device that issues a service provider-specific signature key used when an application server adds a signature to an application, a verification key for verifying the signature, and a part of the signature key specific to the service provider Using the key generation device that generates a first master key for generating a partial key and a second master key for generating the signature key, the partial key using the verification key and the first master key And a signature key update partial key generation device that generates a differential partial key used when the application server updates the signature key, and the application server adds the signature to the application and distributes it to the receiving terminal. The receiving terminal used in an application authentication system that authenticates the application with the verification key in the receiving terminal. ,
Verification key storage means for storing the verification key generated by the key generation device;
A service provider identifier assigned to each service provider from the partial key generator for signing key update is set as an initial valid identifier, and a value larger than the maximum value of the valid identifier before update is set when the signature key is updated. Of the set valid identifiers, a revocation list receiving means for receiving a revocation list whose elements are values that divide the boundary between the valid identifier before the update and the valid identifier after the update,
Revocation list storage means for storing the revocation list received by the revocation list reception means;
Application receiving means for receiving, from the application server, an application to which the signature is added, and a valid identifier of a signature key when the signature is added;
Revocation list verification means for verifying whether or not the validity identifier added to the application received by the application reception means is valid based on the revocation list stored in the revocation list storage means;
Signature verification means for verifying a signature attached to the application by using a verification key stored in the verification key storage means;
In the revocation list verification unit and the signature verification unit, when the valid identifier is valid and the signature is valid, an application management unit that activates or stores the application; and
A receiving terminal comprising: A signature key issuing device that issues a service provider-specific signature key used when an application server adds a signature to an application, a verification key for verifying the signature, and a part of the signature key specific to the service provider Using the key generation device that generates a first master key for generating a partial key and a second master key for generating the signature key, the partial key using the verification key and the first master key And a signature key update partial key generation device that generates a differential partial key used when the application server updates the signature key, and the application server adds the signature to the application and distributes it to the receiving terminal. Controlling the receiving terminal used in an application authentication system for authenticating the application with the verification key in the receiving terminal That the computer,
A service provider identifier assigned to each service provider from the partial key generator for signing key update is set as an initial valid identifier, and a value larger than the maximum value of the valid identifier before update is set when the signature key is updated. Among the set valid identifiers, a revocation list receiving means for receiving a revocation list whose element is a value dividing the boundary between the valid identifier before the update and the valid identifier after the update, and storing it in the revocation list storage means,
Application receiving means for receiving, from the application server, an application to which the signature has been added and a valid identifier of a signature key when the signature is added;
Revocation list verification means for verifying whether or not the validity identifier added to the application received by the application reception means is valid based on the revocation list stored in the revocation list storage means;
A signature verification unit that verifies a signature added to the application using a verification key generated by the key generation device stored in advance in the verification key storage unit;
In the revocation list verification unit and the signature verification unit, an application management unit that activates or stores the application when the valid identifier is valid and the signature is valid,
An application authentication program characterized by causing it to function as

Images