JP2014023036A - Key management device, application signature attachment device, reception terminal and program therefor - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an application authentication system which updates a signature key by segments such as units of applications, units of versions, etc.SOLUTION: An application authentication system S comprises: a key management server 1 which generates a verification key and a signature key by a signature system using a verification key and a signature key which is updated on the basis of an application ID; an application signature attachment server 5 which attaches an application ID and a signature to an application; an application distribution server 7 which stores and distributes the application; and a reception terminal 9 which uses the application. The key management server 1 updates the application ID by receiving an instruction to update any of a plurality of segments composing the application ID from the application signature attachment server 5, and generates difference information for updating the corresponding signature key. Then, the application signature attachment server 5 updates the signature key by the difference information.

Description

  The present invention relates to a technique for authenticating an application in a broadcasting / communication cooperation service using a network such as a broadcast wave, the Internet, and a dedicated IP (Internet Protocol) line.

  In recent years, various services (hereinafter referred to as “broadcast / communication cooperation services”) in which broadcasting and communication are linked have been proposed along with digitalization of broadcasting and high-speed / wideband communication. In this broadcast / communication cooperation service, it is assumed that various information related to a broadcast program is acquired via a communication network and presented in combination with broadcast. Further, in order to enjoy such a service at the receiving terminal, an application adapted to the service is used. Here, the “application” refers to software that operates on a receiving terminal and has a function of presenting program-related information acquired via a communication network in combination with broadcasting.

  In order to realize more attractive services for viewers, it is necessary to provide an environment in which viewers can provide not only applications created by broadcast stations but also applications created by various operators. On the other hand, in order to make it possible for viewers to use the provided applications with peace of mind, it is necessary to check application creators who produce the applications and to perform “application authentication” that prevents falsification of the applications.

In general, application authentication is performed as follows.
In response to a request from the viewer, the application creator transmits the application to the viewer's receiving terminal via the communication network. At this time, using the signature key held by the application creator, a digital signature is added to the application and transmitted. The viewer's receiving terminal verifies the signature added to the received application using the verification key.

Note that this procedure is for the case where the application creator sends the application directly to the viewer's receiving terminal. However, the application created by the application creator is registered on the application distribution server operated by a third party other than the application creator. A model in which an application distribution server transmits to a receiving terminal in response to a request from a viewer can also be considered. That is, when using an application distribution server operated by a third party, an application creator adds a digital signature to the application using a signature key and transmits the application to the application distribution server when registering the application. On the other hand, the application distribution server verifies the signature added to the received application using the verification key.
In general, PKI (Public Key Infrastructure) is used for authentication using such a digital signature (see Non-Patent Document 1).

However, when this PKI authentication method is used, the key is generated by the application producer and the certificate authority, which is a third-party organization, manages the key, and a certificate revocation list (CRL) is also provided. Issued by a certificate authority. Therefore, even if the broadcasting station wants to revoke the signature key of the application creator who creates an unauthorized application, it is difficult to revoke the corresponding public key certificate with the existence of the broadcasting station. There was a problem that the signing key could not be revoked.
Also, when updating the application creator's signature key in PKI, it is necessary to perform complicated processing such as requiring the certificate authority to reissue the public key certificate, and the signature key can be updated immediately. There was a problem that I could not.

  Therefore, the inventor of the present application uses the Key-Insulated signature method or ID-based signature method, which is a signature method for updating the signature key based on the ID information, from the broadcast station side, and receives ID information (identifier) for each application creator. ) Has been developed (see Non-Patent Document 2), which can update the signature key and revoke the signature key.

Information Security Technology Laboratory, “PKI-related technical explanation”, [online], July 3, 2007, Information-technology Promotion Agency, [Search June 6, 2012], Internet <URL: http: // www.ipa.go.jp/security/pki/> Otake, Ogawa, “Application Authentication Method for Broadcast / Communication Collaboration Services”, Proceedings of SCIE 2011 Cryptography and Information Security Symposium (SCIS 2011)

The application authentication method using the conventional Key-Insulated signature method or the like updates the signature key or invalidates the signature key without relying on a third party even if a key leak occurs. Therefore, it is excellent in that the damage when the signature key is leaked can be reduced.
However, in this method, since the unit for updating and revoking the signature key is the ID information unit set for each application creator, the signature key is renewed and revoked by subdividing the application unit, version unit, etc. There was a request to do.

  The present invention has been made in view of such a demand. In a broadcasting / communication cooperation service, a broadcasting station performs key generation and key management, and signatures are divided into subdivisions such as application units and version units. It is an object of the present invention to provide a key management device, an application signature adding device and a receiving terminal used in an application authentication system capable of updating and revoking a key, and a program thereof.

  The present invention has been made to solve the above-mentioned problems. First, the key management device according to claim 1 includes a verification key for verifying a signature and a signature key updated based on the ID information. Depending on the signature method used, a key management device that generates a key for authenticating an application, an application signature adding device that adds the ID information and the signature to the application, and the ID information and the signature are added. In the key management device used in an application authentication system that includes an application distribution device that stores and distributes a registered application and a reception terminal that uses the application, and authenticates the application by the signature method, an update request reception unit Signature key update information generation means, signature key update information transmission means, and revocation list generation And stage were configured to include a revocation list transmission means.

  In such a configuration, the key management device uses the update request receiving unit to identify one of the ID information used in the signature scheme for performing key update based on the ID information and a plurality of predetermined categories constituting the ID information. The signature key update request including the update instruction information indicating the update is received from the application signature adding apparatus. As a result, a request to partially update the ID information is instructed. Note that the signature scheme based on the ID information includes, for example, a key-insulated signature scheme and an ID-based signature scheme.

Then, the key management device updates the requested ID information in units of sections based on the update instruction information included in the signature key update request by the signature key update information generation unit, and uses the signature scheme based on the ID information to The difference information for updating is generated. Further, the signature key update information generation unit generates signature key update information including the updated ID information and difference information. Then, the key management device transmits the signature key update information generated by the signature key update information generation unit to the application signature adding device by the signature key update information transmission unit.
As a result, in the signature method based on the ID information, the ID information can be subdivided into predetermined sections, and the ID information can be updated in units of the subdivided sections.

Also, the key management device sets the value of the category for identifying the application input from the outside inputted in the ID information to the category by the revocation list generating means, and any value other than the category The revocation list is generated by setting one or more pieces of ID information in which information indicating that is set.
Then, the key management device transmits the revocation list to the receiving terminal by the revocation list transmission means. As a result, the key management apparatus can specify and revoke the application specified by the specified section of the ID information.

  According to a second aspect of the present invention, there is provided a key management apparatus according to the first aspect, wherein the key management apparatus according to the first aspect is provided with a section area in which a security update number that is a number common to all applications is provided in the ID information. When the update information generation unit is instructed to update the security update number from the outside, the ID information is updated by updating the security update number for all ID information managed by the key management device. Also good.

  In such a configuration, the key management device, when instructed to update the security update number, updates all ID information to be managed by the signature key update information generation unit, and generates difference information for updating the signature key. . As a result, the key management apparatus can update the ID information all at once and update the signature keys all at once with the difference information.

  The key management apparatus is operated with a key management program for causing a computer to function as an update request receiving unit, a signature key update information generating unit, a signature key update information transmitting unit, a revocation list generating unit, and a revocation list transmitting unit. (Claim 3).

  The application signature adding apparatus according to claim 4 generates a key for performing application authentication by a signature method using a verification key for verifying a signature and a signature key updated based on ID information. Using a key management device, an application signature adding device that adds the ID information and the signature to the application, an application distribution device that stores and distributes the application with the ID information and the signature added, and the application A signature key storage means, a signature key update request means, and a signature key update information reception means in the application signature adding apparatus used in the application authentication system that authenticates the application by the signature scheme. Signature key updating means, ID / signature adding means, It was configured to include.

In this configuration, the application signature adding apparatus stores the signature key generated by the key management apparatus in the signature key storage unit in association with the ID information.
Then, the application signature adding apparatus is instructed from the outside to update any one of a plurality of predetermined categories constituting the ID information by the signature key update requesting unit, whereby the ID information and the ID information The signature key update request including the update instruction information indicating the category to be updated is transmitted to the key management device. As a result, in the key management apparatus, the requested ID information is updated in units of sections, and difference information for updating the signature key is generated.
Then, the application signature adding apparatus receives signature key update information including the updated ID information and difference information from the key management apparatus by the signature key update information receiving unit.

  Then, the application signature adding device updates the signature key stored in the signature key storage unit using the signature key update unit by the signature key update unit using the signature scheme based on the ID information, and the updated ID information And stored in the signature key storage means. As a result, the ID information is partially updated, and the signature key corresponding to the ID information is stored in the signature key storage unit.

  Then, the application signature adding device generates a signature using the signature key stored in the signature key storage unit by the ID / signature adding unit, and adds it to the application together with the corresponding ID information. As a result, the partially updated ID information and the signature generated with the ID information are added to the application.

  Alternatively, the application signature adding apparatus may be operated with an application signature adding program for causing a computer to function as a signature key update requesting means, a signature key update information receiving means, a signature key updating means, and an ID / signature adding means. Good (Claim 5).

  Further, the receiving terminal according to claim 6 generates a key for generating a key for authenticating an application by a signature method using a verification key for verifying a signature and a signature key updated based on ID information. A device, an application signature adding device that adds the ID information and the signature to the application, an application distribution device that stores and distributes the application with the ID information and the signature added, and reception using the application A verification key storage means, a revocation list reception means, a revocation list storage means, an application acquisition means, and a revocation, in the receiving terminal used for an application authentication system that authenticates the application by the signature method. A list verification unit and a signature verification unit. .

In this configuration, the receiving terminal stores in advance the verification key generated by the key management device in the verification key storage unit.
Then, the receiving terminal classifies the ID information into a plurality of predetermined areas by the revocation list receiving means, and sets a value of a classification that identifies an application to be revoked among the sections, One or more ID information set with information indicating an arbitrary value is received as a revocation list and stored in the revocation list storage means. As a result, the receiving terminal can determine whether or not the application specified by a certain section of the ID information has expired.

Further, the receiving terminal acquires an application to which the ID information and the signature are added from the application distribution device by the application acquisition unit.
The receiving terminal identifies the application to be revoked in the revocation list stored in the revocation list storage means in the ID information added to the application acquired by the application acquisition means by the revocation list verification means. When the values of the classification match, it is determined that the ID information is invalid.

Further, the receiving terminal verifies the signature added to the application by the signature verification unit using the verification key stored in the verification key storage unit.
Accordingly, the receiving terminal can revoke a partially matching application in the ID information, and can verify a signature from the partially updated ID information.

  In addition, the receiving terminal may be operated by an application authentication program for causing a computer to function as a revocation list receiving unit, an application obtaining unit, a revocation list verification unit, and a signature verification unit.

The present invention has the following excellent effects.
According to the first and third aspects of the present invention, in the signature method based on the ID information, the ID information can be subdivided into a plurality of sections, and the signature key can be updated or revoked for each section. As a result, the present invention can update the signature key or revoke it in subdivided divisions such as application units and version units as well as application creators, and can use ID information for general purposes. be able to.
Further, according to the first and third aspects of the present invention, since the application signature adding apparatus can request the key management apparatus to partially update the ID information, every time an application is created and registered In addition, the signing key can be updated. As a result, the present invention can reduce spoofing damage caused by key leakage.

  According to the second aspect of the invention, the ID key is divided and the signature key is partially updated and revoked from the application signature adding device, and the signature key is simultaneously renewed and revoked from the key management device. Can be made.

  According to the sixth and seventh aspects of the present invention, it is possible to verify whether or not the application is valid based on the segmented ID information. Thus, according to the present invention, the validity of an application can be determined in divided sections such as an application unit and a version unit, and ID information can be used for general purposes.

1 is a system configuration diagram showing a configuration of an application authentication system according to an embodiment of the present invention. It is a functional block diagram which shows the structure of the key management server (key management apparatus) which concerns on embodiment of this invention. It is a functional block diagram which shows the structure of the signature key issuing server (signature key issuing apparatus) which concerns on embodiment of this invention. It is a functional block diagram which shows the structure of the application signature addition server (application signature addition apparatus) which concerns on embodiment of this invention. It is a functional block diagram which shows the structure of the application delivery server (application delivery apparatus) which concerns on embodiment of this invention. It is a functional block diagram which shows the structure of the receiving terminal which concerns on embodiment of this invention. It is a flowchart which shows the operation | movement of the key generation in the application authentication system, and signature key issue. It is a flowchart which shows the detailed operation | movement (master key and verification key generation operation) of FIG. FIG. 8 is a flowchart showing a detailed operation (partial key generation operation, signature key generation operation) for issuing the signature key in FIG. 7. It is a flowchart which shows the operation | movement of signature key update in an application authentication system. 11 is a flowchart showing detailed operations (differential partial key generation operation, signature key update operation) of signature key update in FIG. 10. It is a flowchart which shows the registration / update operation | movement of the application in an application authentication system. It is a flowchart which shows the detailed operation | movement of signature generation of FIG. It is a flowchart which shows the authentication operation | movement of the application in an application authentication system. It is a flowchart which shows the detailed operation | movement of signature verification of FIG. It is a flowchart which shows the operation | movement which expires the application in an application authentication system. It is a data structure figure which shows an example of the structure of application ID. It is explanatory drawing for demonstrating the update example of application ID. It is explanatory drawing for demonstrating the example which revokes an application by application ID. It is a system block diagram which shows the structure of the application authentication system which concerns on other embodiment of this invention. It is a functional block diagram which shows the structure of the key management server (key management apparatus) which concerns on other embodiment of this invention. It is a functional block diagram which shows the structure of the application signature addition server (application signature addition apparatus) which concerns on other embodiment of this invention. It is a system block diagram which shows the modification of the application authentication system which concerns on embodiment of this invention. It is a system block diagram which shows the modification of the application authentication system which concerns on other embodiment of this invention.

Embodiments of the present invention will be described below with reference to the drawings.
[Application authentication system configuration]
First, the configuration of the application authentication system will be described with reference to FIG.
The application authentication system S is a system for authenticating an application provided to a user (viewer) by an application creator (service provider) in a broadcasting / communication cooperation service. Here, the application authentication system S is a Strong Key-Insulated signature (G. Ohtake, G. Hanaoka and K. Ogawa: “Efficient Provider Authentication for Bidirectional Broadcasting Service”, IEICE Trans. Fundamentals, Vol. E93-A, No. 6, pp. 1039-1051, 2010.) shall be used to configure the system.

The application authentication system S includes a key management server (key management device) 1 and a signature key issuing server (signature key issuing device) 3 provided in a broadcasting station, an application signature adding server 5 held by an application producer, and application distribution. An application distribution server 7 held by the user and a receiving terminal 9 provided in the user's home (or carried by the user). The key management server 1, the application signature adding server 5, the application distribution server 7, and the receiving terminal 9 are connected to a network (external network) N ₁ such as the Internet (or a dedicated IP line). . In addition, the key management server 1 and the signature key issuing server 3 are connected internal network (dedicated communication line) to N ₂ in the broadcasting station.
Here, in order to simplify the description, the application signature attached server 5, but illustrates the application distribution server 7 and the receiving terminal 9 one by one, they may be the network N ₁ can be more connection means Not too long.

  The key management server (key management device) 1 authenticates the application by a signature method (here, a Strong Key-Insulated signature) using a verification key for verifying a signature and a signature key updated based on the ID information. It generates and manages (stores) a key to be used in the process. Here, the key management server 1 generates a key generation device 10 that generates and manages a verification key and a master key, a key that is used to generate or update a signature key, and a revocation list that indicates a list of revoked signature keys. A partial key generation device (signature key update partial key generation device) 20. It is assumed that the verification key generated by the key management server 1 is written on, for example, an IC card and distributed to the receiving terminal 9 offline.

  The signature key issuing server (signature key issuing device) 3 generates a signature key used when adding a signature to an application. It is assumed that the signature key generated by the signature key issuing server 3 is also distributed to the application creator (application signature adding server 5) offline in consideration of leakage and the like.

  The application signature addition server (application signature addition device) 5 manages (stores) and updates a signature key, adds a signature to the application using the signature key, and registers it in the application distribution server 7. Here, the application signature addition server 5 includes a signature key update device 50 that manages (stores) and updates a signature key, and a signature generation device 60 that adds a signature to the application and transmits it.

  The application distribution server (application distribution apparatus) 7 acquires and registers an application created by the application creator via the application signature addition server 5 and transmits it to the receiving terminal 9 that requested the application.

  The receiving terminal 9 receives an application from the application distribution server 7 and verifies (authenticates) the signature added to the application with a verification key. The receiving terminal 9 is a device that can enjoy a broadcasting / communication cooperation service, such as a television receiver or a personal computer.

  These key management server 1 (key generation device 10, partial key generation device 20), signature key issuing server 3, application signature addition server 5 (signature key update device 50, signature generation device 60), application distribution server 7, The receiving terminal 9 includes a CPU (Central Processing Unit), a ROM (Read Only Memory), a RAM (Random Access Memory), a HDD (Hard Disk Drive), a communication interface (not shown), and the CPU. Various functions to be described later are realized by developing a program stored in the HDD or the like in the RAM.

[Key management server configuration]
Next, the configuration of the key management server will be described with reference to FIG. 2 (refer to FIG. 1 as appropriate). Here, the key management server (key management device) 1 includes a key generation device 10 and a partial key generation device (signature key update partial key generation device) 20. It is assumed that the key generation device 10 and the partial key generation device 20 are communicably connected via a communication interface (not shown).

(Configuration of key generation device)
The key generation device 10 generates and manages (stores) a master key for generating a key (partial key, differential partial key) used when generating a signature key and a verification key for verifying the signature key To do. Here, the key generation device 10 includes a key generation unit 11, a verification key management unit 12, a first master key management unit 13, and a second master key transmission unit 14.

The key generation unit 11 generates a master key (first master key, second master key) and a verification key. That is, the key generation means 11 determines the master key (first master key, second master key) based on the generator g of the cyclic group of the prime order q and the residue class Z _q modulo the prime number q. Generate a verification key.

Specifically, the key generation means 11 generates prime numbers p and q whose q is a divisor of (p−1), and among the multiplicative group Z _p ^* ({1,..., P−1}, A generator g is generated such that the order of the subgroup generated by the element g having the greatest common divisor with p of 1 (a set of integers that is relatively prime with p) is q. Then, the key generation means 11 randomly selects x, x ′ from the remainder class Z _q (0, 1,..., Q−1; hereinafter simply indicated by Z _q ) modulo the prime number q, and by (1), to generate a first master key _{x 0.} Further, the key generation means 11 sets x ′ as the second master key.

The first master key x ₀ generated in this way is output to the first master key management means 13, and the second master key x ′ is output to the second master key transmission means 14.
Further, the key generation means 11 generates a verification key VK composed of prime numbers p, q, element g, elements y ₀ , y ′, and hash function H (•) as shown in the following equation (2). .

The elements y ₀ and y ′ of the verification key VK are values obtained by the following equation (3).

The hash function H (•) is H: {0, 1} ^* → Z _q , that is, a function for converting a bit string ({0, 1} ^* ) having an arbitrary length into a fixed length value of Z _q. It is. For this hash function, for example, an algorithm such as SHA-1 can be used.
The verification key VK generated by the key generation unit 11 is output to the verification key management unit 12.

The verification key management unit (verification key storage unit) 12 manages the verification key generated by the key generation unit 11. Here, the management performed by the verification key management unit 12 specifically includes a process of writing (storing) the verification key generated by the key generation unit 11 in a storage medium (not shown) and reading it in response to a request. Say.
Here, the verification key management means 12 reads the verification key from the storage medium according to the operator's instruction when distributing the verification key to the receiving terminal 9. The verification key read in this way is output to an IC card issuing device (not shown), written on the IC card, and distributed to the receiving terminal 9, for example. The verification key management means 12 may distribute the verification key via a secure transmission path (for example, broadcast wave).

  Further, the verification key management unit 12 reads the verification key from the storage medium when generating the partial key in the partial key generation device 20 described later. In this case, the verification key management unit 12 reads the verification key from the storage medium in accordance with an instruction from the partial key generation device 20 or the operator, and outputs the verification key to the partial key generation device 20.

The verification key management unit 12 discloses the stored verification key as public information, and is obtained from the signature key issuing server 3 and the application signature adding server 5 via the network N ₁ and the internal network N _2. It can be referred to.

  The first master key management means (first master key storage means) 13 manages the first master key generated by the key generation means 11. Here, the management performed by the first master key management unit 13 specifically writes (stores) the first master key generated by the key generation unit 11 in a storage medium (not shown) and responds to the request. The process of reading out.

  Here, the first master key management unit 13 reads the first master key from the storage medium when the partial key generation device 20 generates the partial key. In this case, the first master key management unit 13 reads the first master key from the storage medium in response to a request from the partial key generation device 20 or an instruction from the operator, and outputs the first master key to the partial key generation device 20.

The second master key sending unit 14 via the internal network N _2, is to send a second master key generated by the key generation unit 11 to the signature key issuing server 3.

(Configuration of partial key generation device [signature key update partial key generation device])
A partial key generation device (signature key update partial key generation device) 20 generates a key (partial key, differential partial key) used to generate or update a signature key, and also shows a revocation list indicating a list of revoked signature keys. Is generated. Here, the partial key generation device 20 includes a partial key generation unit 21, a partial key management unit 22, a partial key transmission unit 23, an update request reception unit 24, a signature key update information generation unit 25, and a signature key update. Information transmitting means 26, registration completion receiving means 27, and revocation list notifying means 28 are provided.

The partial key generation means 21 generates a unique partial key for each application creator based on the verification key and the first master key generated by the key generation device 10. The partial key generation unit 21 uses information (initial information) for identifying an application producer among identification information (ID information; hereinafter referred to as application ID) for individually identifying applications from an input unit (not shown). When the application ID is input, a new partial key is generated.
Here, for example, as shown in FIG. 17, the application ID includes security update number S _N , broadcast station number B _N , producer number C _N , application number A _N , application version A _V , and application attribute _AT . Consists of division information.

Among the application IDs, the security update number (security update number) is a number for managing the signature key in the entire system. This security update number is a continuous number from a predetermined number (for example, “1”), and is updated when the signature keys are updated all at once.
The broadcast station number (broadcast station No.) is a number for identifying a broadcast station that issues a signature key, and the producer number (producer No.) is a number for identifying an application producer.

The application number (application No.) is a number for the application creator to individually identify the application, and the application version (application Ver.) Is a number indicating the version of the same application. The application attribute (application Att.) Is an authorized application indicating that a predetermined administrator has verified the application in advance and given approval in the application authentication system S for realizing the broadcasting / communication cooperation service. This is a number indicating the type of (A application).
Here, in the initial application ID input to the partial key generation means 21, a security update number, a broadcast station number, and a producer number are set as information for identifying the application producer, and the application number, application version, and application attribute are set. Assume that a predetermined initial value (for example, “0”) is set.

Specifically, the partial key generation means 21 randomly generates a random number r ₁ from Z _q , and at the receiving terminal 9 based on the random number r ₁ and a part (p, g) of the verification key. Partial key verification information v ₁ that is a part of information indicating the validity of the partial key is generated by the following equation (4).

Further, as shown in the following formula (5), the partial key generation unit 21 concatenates (partially connects) the value T of the initial application ID to the partial key verification information v ₁ , and from the concatenated value, A hash value c ₁ is generated by a hash function H (•) that is a part. Here, “‖” is a connection symbol that connects two numerical values.

Then, the partial key generation means 21 performs initial initialization by the following equation (6) based on the first master key x ₀ , a part (q) of the verification key, the hash value c _1, and the random number r _1. It generates a partial key x ₁ corresponding to the application ID.

This partial key generation means 21 outputs the generated partial key x ₁ and partial key verification information v ₁ to the partial key management means 22 together with the (initial) application ID.

The partial key management means (partial key storage means) 22 manages the partial key generated by the partial key generation means 21 in association with the application ID. Here, the management performed by the partial key management unit 22 is specifically performed by using the partial key x ₁ , the partial key verification information v ₁ and the application ID value T generated by the partial key generation unit 21 as partial key information. A process of outputting to the key transmission unit 23, writing (storing) it in a storage medium (not shown), and reading it in response to a request. Here, the partial key management means 22 uses the signature key to update the partial key x ₁ managed (stored) in association with the application ID in response to a request from the signature key update information generation means 25 when updating the signature key. Output to the update information generation means 25.

Further, when the partial key is updated by the signature key update information generation unit 25 with the update of the application ID, the partial key management unit 22 stores the updated partial key together with the updated application ID.
In addition, the partial key management unit 22 is notified of the registration completion notification including the application ID from the application distribution server 7 via the registration completion receiving unit 27, so that the application corresponding to the application ID is distributed to the application. The fact that it is registered in the server 7 is set. As a result, for example, when there is a signature key update request for an application that is not yet registered in the application distribution server 7, application management such as not accepting the update can be performed by the key management server 1.

The partial key transmitting unit 23 transmits the partial key to the signature key issuing server 3 via the internal network N ₂ based on an instruction from the partial key managing unit 22. Here, the partial key transmission means 23 combines the partial key x ₁ together with the partial key verification information v ₁ (see the above equation (4)) and the value T of the application ID when the partial key x ₁ is generated. , And transmitted as partial key information (x ₁ , v ₁ , T).

The update request receiving means 24 sends a request (signature key update request) to update (including the case of newly registering) a signature key corresponding to a certain application from the application signature adding server 5 via the network N _1. To receive. The signature key update request includes an application ID (including an initial application ID) that is ID information for specifying the current application, and information indicating a classification instructed by the application producer to be updated in the application ID. (Update instruction information info) is included.

Incidentally, the update instruction information (info), for example, as shown in FIG. 18, when registering new applications in (FIG. 18 (a)) as an instruction for updating the application number _{A N,} info = 1 is set, the time to upgrade the application (Fig. 18 (b)), as an indication for updating the application version _{a V,} info = 2 is set. Although not shown in the figure, a value of update instruction information determined in advance, for example, info = 3, is similarly set when the application attribute _AT is updated.
The update request reception unit 24 outputs the received application ID and update instruction information to the signature key update information generation unit 25 as an instruction to update the signature key (update instruction).

  The signature key update information generation unit 25 generates a new one corresponding to the application ID based on the update instruction (update instruction information) input from the update request reception unit 24 or the update instruction (update instruction information) input from the outside. A partial key is generated, and a difference partial key (difference information) is generated by taking a difference from the partial key before update that is managed (stored) by the partial key management means 22.

  When an update instruction is input from the outside, the signature key update information generation means 25 is managed (stored) by the partial key management means 22 in order to update the signature keys all at once as shown in FIG. For all the partial keys, new partial keys and differential partial keys corresponding to the application IDs whose security update numbers have been updated are generated.

Further, the signature key update information generation unit 25 generates a partial key by the same method as the partial key generation unit 21. That is, the signature key update information generation unit 25 randomly generates a random number r ₂ from Z _q , and the receiving terminal 9 uses the partial key based on the random number r ₂ and a part (p, g) of the verification key. of the partial key verification information v ₂ which is a part of the information indicating the validity, it generates the following equation (7).

Further, the signature key update information generation means 25 concatenates (updates) the updated application ID value (T + n) to the partial key verification information v ₂ as shown in the following equation (8), and concatenates them. from the value, by which is part of the verification key hash function H (·), generates a hash value c _2. Here, “‖” is a connection symbol that connects two numerical values.

Here, (T + n) indicates the updated application ID. For example, when the update instruction information indicates that the application version is to be updated, the signature key update information generating unit 25 increases the bit value corresponding to the application version classification in the application ID by “1”. N is generated, and the updated application ID value (T + n) is generated.
Then, the signature key update information generating means 25 includes a first master key _{x 0,} a part of the verification key (q), the hash value _{c 2,} based on the random number _{r 2,} the following equation (9) , it generates a partial key x ₂ corresponding to the application ID after the update.

Then, the signature key update information generation unit 25 includes a partial key x ₁ corresponding to the pre-update application ID managed (stored) by the partial key management unit 22, a partial key x ₂ corresponding to the post-update application ID, Then, based on part (q) of the verification key, a difference partial key Δx is generated by the following equation (10).

Then, the signature key update information generation unit 25 outputs the updated application ID value (T + n) and the partial key x ₂ to the partial key management unit 22. As a result, the partial key management unit 22 manages (stores) the updated application ID and the partial key in association with each other.
Also, the signature key update information generation unit 25, the generated differential partial keys [Delta] x, the partial key verification information v _2, with the value of the application ID of the updated (T + n), and outputs the signature key update information transmitting unit 26.

Signature key update information transmitting unit 26, a differential partial key Δx generated by the signature key update information generation unit 25, via the network N _1, is intended to be sent to the application signature attached server 5. The signature key update information transmitting means 26 combines the partial key verification information v ₂ and the updated application ID value (T + n) together with the difference partial key Δx, together with the signature key update information (Δx, v ₂ , (T + n) is transmitted to the application signature adding server 5.
The signature key update information transmitting unit 26 refers to the producer number in the application ID, and sends the signature key update information (Δx, v ₂ , T + n) to the application signature addition server 5 associated with the producer number in advance. ).

The registration completion receiving unit 27 receives a registration completion notification indicating that an application has been registered in the application distribution server 7 from the application distribution server 7 via the network N ₁ . Note that an application ID that identifies a registered application is added to the registration completion notification.
The registration completion reception unit 27 outputs the received registration completion notification to the partial key management unit 22.

  The revocation list notifying means 28 notifies the receiving terminal 9 of a list of application IDs (Revocation List; hereinafter referred to as RL) for specifying a signature key to be revoked. Here, the revocation list notification means 28 includes a revocation list generation means 281 and a revocation list transmission means 282.

The revocation list generation unit 281 generates RL based on revocation information input from the outside. The revocation list generation means 281 sets one or more applications having information indicating that an application ID to be revoked is set in the application ID and a value indicating an arbitrary value in the other category. ID is generated as a revocation list.
The revocation information is information for identifying an application to be revoked, and is, for example, a value for each category when the application ID has a data structure as shown in FIG.

Here, an example of an RL for revoking an application will be described with reference to FIG. 19 (see FIG. 2 as appropriate). The application ID has the data structure shown in FIG.
FIG. 19A shows an example of an RL for revoking a specific application.
For example, when the security update number S _N (= 0x1), the broadcast station number B _N (= 0x5), the producer number C _N (= 0xb) and the application number A _N (= 0x3) are set as the revocation information, the revocation information list generating means 281 (here, a value "0") application version _{a V} and wildcard region of the section of the application attribute _{a T} as to generate a RL = {0x15b300}.

FIG. 19B shows an example of an RL that expires a specific version of a specific application.
For example, security update number S _N (= 0x1), broadcast station number B _N (= 0x5), producer number C _N (= 0xb), application number A _N (= 0x3), and application version A _V (= 0x1) When it is set as the revocation information, the revocation list generation unit 281 generates RL = {0x15b310} using a wild card (in this case, a value “0”) as a section of the application attribute _AT .

FIG. 19C shows an example of an RL that invalidates a specific application creator application collectively.
For example, when the security update number S _N (= 0x1), the broadcast station number B _N (= 0x5), and the producer number C _N (= 0xb) are set as the revocation information, the revocation list generation unit 281 uses the application number A _N, (in this case, a value "0") application version _{a V} and wildcard region of the section of the application attribute _{a T} as to generate a RL = {0x15b000}.

FIG. 19D shows an example of an RL that invalidates old applications collectively when signature keys are updated all at once.
For example, when the security update number S _N (= 0x1) is set as the revocation information, the revocation list generating unit 281 determines whether the broadcast station number B _N , the application number A _N , the application version _AV, and the application attribute _AT are classified. RL = {0x100000} is generated using the area as a wild card (in this case, value “0”).
The RL generated in this way is output to the revocation list transmission unit 282.
Returning to FIG. 2, the description of the configuration of the key management server 1 will be continued.

Revocation list transmitting unit 282, the revocation list generated by the revocation list generation unit 281 (RL), through the network N _1, is intended to be transmitted to the receiving terminal 9. As a result, the receiving terminal 9 can verify whether or not the application ID added to the application is valid.

[Configuration of signing key issuing server]
Next, the configuration of the signature key issuing server will be described with reference to FIG. 3 (refer to FIG. 1 as appropriate). Here, the signature key issuing server (signature key issuing device) 3 includes a second master key receiving unit 31, a second master key managing unit 32, a partial key receiving unit 33, a signature key generating unit 34, and a signature key. Output means 35.

The second master key receiving unit 31, a second master key generated by the key management server 1, and receives via the internal network N _2. The received second master key is output to the second master key management means 32.

  The second master key management means (second master key storage means) 32 manages the second master key received by the second master key receiving means 31. Here, the management performed by the second master key management means 32 specifically writes (stores) the second master key received by the second master key reception means 31 in a storage medium (not shown), and requests it. The process which reads according to. Here, the second master key management means 32 outputs the second master key managed (stored) to the signature key generation means 34 in response to a request from the signature key generation means 34.

Partial key receiving means 33, a partial key generated by the key management server 1 (partial key information), and receives via the internal network N _2. The received partial key (partial key information) is output to the signature key generation unit 34.

  The signature key generation unit 34 generates a signature key from the second master key managed (stored) by the second master key management unit 32 and the partial key (partial key information) received by the partial key reception unit 33. To do. That is, the signature key generation unit 34 generates a signature key by adding the second master key to the partial key.

Specifically, the signature key generating unit 34 includes the second master key x ′ managed (stored) by the second master key managing unit 32 and the partial key information (partial key x received by the partial key receiving unit 33). ₁ , based on the partial key x ₁ included in the partial key verification information v ₁ and the application ID value T) and the prime q that is part of the verification key disclosed as public information in the key management server 1. Te, the following equation (11), generates a signing key SK _T corresponding to the application ID.

The signature key SK _T generated in this way is output to the signature key output unit 35 as signature key information (SK _T , v ₁ , T) together with the partial key verification information v ₁ and the application ID value T.

  The signature key output unit 35 outputs the signature key (signature key information) generated by the signature key generation unit 34 to the outside. For example, the signature key output means 35 outputs a signature key (signature key information) to a writing device (not shown) of a storage medium such as a CD-R, and writes the signature key on the CD-R or the like. The storage medium in which the signature key (signature key information) is written in this way is distributed to the application signature addition server 5 offline.

[Configuration of application signature addition server]
Next, the configuration of the application signature adding server will be described with reference to FIG. Here, the application signature addition server 5 includes a signature key update device 50 and a signature generation device 60. It is assumed that the signature key update device 50 and the signature generation device 60 are communicably connected via a communication interface (not shown).

(Configuration of signing key update device)
The signature key update device 50 updates the signature key distributed from the signature key issuing server 3 based on the differential partial key (signature key update information) transmitted from the key management server 1. Here, the signature key update device 50 includes a signature key input unit 51, a signature key management unit 52, a signature key update request unit 53, a signature key update information reception unit 54, and a signature key update unit 55. Yes.

The signature key input means 51 inputs a signature key (signature key information) generated by the signature key issuing server 3. The signing key input means 51 uses, for example, a signature via a reading device (not shown) that reads out the signing key (signature key information) from a storage medium such as a CD-R in which the signing key (signature key information) is written. Enter the key (signing key information).
Here, the signature key information includes a signature key, partial key verification information, and an application ID (initial application ID). The input signature key information is output to the signature key management means 52.

The signature key management means (signature key storage means) 52 manages the signature key (signature key information) input by the signature key input means 51. Here, the management performed by the signature key management unit 52 specifically writes (stores) the signature key (signature key information) input by the signature key input unit 51 in a storage medium (not shown), and requests The process of reading and updating the signature key (signature key information) according to the above.
Here, when the signature key update unit 55 updates the signature key, the signature key management unit 52 reads the signature key (signature key information) from the storage medium in response to a request from the signature key update unit 55, and updates the signature key. It outputs to the means 55. Also, the signature key management unit 52 acquires the updated signature key (signature key information) from the signature key update unit 55 and writes it in the storage medium.

  The signature key management unit 52 reads a signature key (signature key information) stored in the storage medium in response to a request from the signature generation device 60 when the signature generation device 60 adds a signature to the application. The data is output to the generation device 60.

The signature key update request unit 53 transmits a request for updating the signature key (signature key update request) to the key management server 1 via the network N ₁ .
Here, the signature key update request means 53 is instructed through the input means (not shown) the application ID managed (stored) by the signature key management means 52 and the category to be updated with the application ID. Thus, the application ID and the update instruction information indicating the category to be updated are transmitted to the key management server 1 as a signature key update request.
As described in FIG. 18, for example, when the application number is updated in the application ID (FIG. 18A), this update instruction information is set to info = 1, and the application version is updated. In FIG. 18B, info = 2 is set.

Signature key update information receiving unit 54, a differential partial keys generated by the key management server 1 (signature key update information), and receives via the network N _1. The received difference partial key (signature key update information) is output to the signature key update means 55. The signature key update information, and the difference between partial key Δx, a partial key verification information v _2, and a value of the application ID of the updated (T + n).

The signature key updating unit 55 updates the signature key based on the differential partial key (signature key update information) received by the signature key update information receiving unit 54. That is, the signature key update unit 55 updates the signature key by adding the difference partial key to the signature key before update.
Specifically, the signature key updating means 55, a signing key SK _T corresponding to the value T of the signature managed by the key management unit 52 (stored) by which the pre-update application ID, the signature key update information receiving unit 54 Based on the differential partial key Δx included in the received signature key update information and the prime number q which is a part of the verification key disclosed as public information in the key management server 1, The signature key SK _{T + n} corresponding to the new application ID value (T + n) is generated.

Signing key SK T _{+ n} thus generated, together with the partial key verification information v ₂ contained in the signature key update information, in association with the value of the application ID (T + n), it is stored in the signature key management unit 52 .

(Configuration of signature generator)
The signature generation device 60 uses the signature key managed by the signature key update device 50 to add a signature to the application. Here, the signature generation device 60 includes an application input unit 61, an ID / signature addition unit 62, and an application registration request unit 63.

The application input means 61 inputs an application from the outside. For example, the application input unit 61 may receive an application via a network inside the application creator, or may read an application written in a storage medium. The application input unit 61 outputs the input application to the ID / signature adding unit 62.
It is assumed that the application input means 61 receives information specifying an application ID such as an application number and an application version for identifying the application together with the application entity.

The ID / signature adding unit 62 adds a digital signature to the application input by the application input unit 61 using a signature key. That is, the ID / signature adding unit 62 calculates a hash value including an application ID unique to each application, generates a signature unique to the application ID, and adds the signature to the application.
Specifically, the ID / signature adding unit 62 randomly generates a random number r _s from Z _q based on a part (p, g) of the verification key disclosed as public information, and uses the following formula ( by 13), generates signature verification information v _s to be a part of the information for verifying the validity of the signature.

Further, the ID / signature adding means 62, as shown in the following formula (14), the partial key verification information v ₂ and the application ID value (T + n) stored in the signature key management means 52 and the application (software) ) M and the signature verification information v _s generated by Expression (13) are concatenated, and a hash value c _s is generated by a hash function H (•) that is a part of the public verification key.

Then, the ID / signature adding unit 62 includes the hash value c _s , the random number r _s , the signature key SK _{T + n} stored in the signature key management unit 52, and part of the publicized verification key (q) Based on the above, the signature σ _s is generated by the following equation (15).

Then, the ID / signature adding means 62 sends the signature information (σ _s , c _s , v ₂ ) including the signature σ _s , the hash value c _s, and the partial key verification information v ₂ to the application M, and the signature key. The application ID value (T + n) stored in the management means 52 is added and output to the application registration request means 63.

The application registration request unit 63 sends the application (ID / signature-added application) to which the application ID and signature (signature information) are added by the ID / signature adding unit 62 together with a request for registering the application via the network N ₁ . Are transmitted to the application distribution server 7.

[Application distribution server configuration]
Next, the configuration of the application distribution server will be described with reference to FIG. 5 (refer to FIG. 1 as appropriate). Here, the application distribution server 7 includes application registration means 71, application storage means 72, registration completion transmission means 73, application request reception means 74, and application transmission means 75.

The application registration unit 71 receives an application from the application signature addition server 5 via the network N ₁ and registers (stores) it in the application storage unit 72.
The application registration unit 71 receives an application ID and an application with a signature (ID / signed application) transmitted from the application signature adding server 5 together with a request for registering the application, and corresponds to the application ID. In addition, the application and signature are written in the application storage means 72.
The application registration unit 71 notifies the registration completion transmission unit 73 together with the application ID that the writing is completed after the writing of the application with the ID / signature to the application storage unit 72 is completed.

  The application storage means 72 stores the application with the application ID and signature added in the application signature addition server 5. The application storage means 72 can be composed of a general recording medium such as a hard disk.

  When the registration completion transmission unit 73 receives a notification from the application registration unit 71 that the application (application with ID / signature) has been written to the application storage unit 72, the registration completion transmission unit 73 indicates that the registration of the application has been completed. A registration completion notification is sent to the key management server 1. The registration completion transmission unit 73 adds the application ID of the application for which registration has been completed to the registration completion notification.

The application request receiving unit 74 receives an application request as an application request from the receiving terminal 9 via the network N ₁ . The application request receiving unit 74 outputs an application request to the application transmission unit 75.

  The application transmitting unit 75 reads the application requested by the application request received by the application request receiving unit 74 from the application storage unit 72, and receives the requested receiving terminal 9 together with the application ID and signature added to the application. To send to.

[Configuration of receiving terminal]
Next, the configuration of the receiving terminal will be described with reference to FIG. 6 (refer to FIG. 1 as appropriate). Here, the receiving terminal 9 includes a verification key management unit 91, a revocation list reception unit 92, a revocation list management unit 93, an application acquisition unit 94, a signature verification unit 95, a revocation list verification unit 96, and an application management. Means 97.

  The verification key management means (verification key storage means) 91 stores and manages the verification key generated by the key management server 1. Specifically, the verification key management unit 91 is, for example, a storage medium in which a verification key is written in advance, such as an IC card. The verification key management unit 91 reads the verification key in response to a request from the signature verification unit 95.

Revocation list receiving unit 92, a revocation list that has been generated by the key management server 1 (RL), is to receive via the network N _1. The received RL is output to the revocation list management means 93.

The revocation list management means (revocation list storage means) 93 stores and manages the RL received by the revocation list reception means 92. Specifically, the revocation list management unit 93 writes the RL received by the revocation list reception unit 92 to a storage medium (not shown), and reads and updates the RL as requested.
Here, when the revocation list verification unit 96 verifies the application ID, the revocation list management unit 93 reads the RL from the storage medium in response to a request from the revocation list verification unit 96 and outputs the RL to the revocation list verification unit 96.
Further, when the revocation list management unit 93 newly receives an RL by the revocation list reception unit 92, the revocation list management unit 93 updates the RL stored in the storage medium.

The application acquisition unit 94 transmits an application request (application request) specified by the user, which is input via an input unit (not shown), to the application distribution server 7 via the network N _1. To get that application.

Note that the application acquisition means 94 receives information for identifying the application, such as the producer number C _N and the application number A _N among the application IDs described in FIG. Information for identifying the terminal 9, for example, an IP address or the like is described.

An application ID and signature information (signature σ _s , hash value c _s , partial key verification information v ₂ ) are added to the application acquired by the application acquisition unit 94, and the application acquisition unit 94 acquires the acquired ID · The signed application is output to the signature verification means 95.

The signature verification unit 95 verifies the signature added to the application using the verification key stored in the verification key management unit 91. That is, the signature verification unit 95 verifies the signature based on whether or not the hash value obtained by using a predetermined conditional expression using the verification key matches the hash value added to the signature.
Specifically, the signature verification unit 95, as shown in the following equation (16), connects the value of the partial key verification information v ₂ and the application ID added to the application (T + n), the verification key management the hash function H (·) contained in the verification key stored in the unit 91 generates a hash value c _2.

Then, the signature verification unit 95 performs the following based on the hash value c ₂ , part of the verification key (p, g, y ₀ , y ′), and signature information (σ _s , c _s , v ₂ ). The signature is verified depending on whether or not the conditional expression (17) is satisfied.

  Then, the signature verification unit 95 determines that the added signature is a valid signature only when the equation (17) is satisfied, and outputs the application and the application ID added thereto to the revocation list verification unit 96. If the signature verification unit 95 determines that the signature is not valid, the signature verification unit 95 displays an error message on a display device (not shown).

  The revocation list verification unit 96 refers to the RL stored in the revocation list management unit 93 and verifies whether the application ID added to the application is valid. In other words, when the application ID added to the application corresponds to the application ID described in the RL, the revocation list verification unit 96 already has the signature key corresponding to the application and the application ID added to the application. Judge that it has expired.

For example, assume that the revocation list is RL = {0x15b300} as shown in FIG. At this time, it is assumed that 0x15b311 is added to the application as the application ID.
In this case, in the RL, since the classification of the application version _AV and the application attribute _AT is a wild card (“0”), the revocation list verification unit 96 determines the classification other than the wild card, that is, the security update number S _N ( = 0x1), the broadcast station number B _N (= 0x5), the producer number C _N (= 0xb) and the application number A _N (= 0x3) are determined as to whether or not the application ID and RL match. Here, since they match each other, the revocation list verification unit 96 determines that the application and the signature key corresponding to the application ID have already been revoked.
As described above, when the revocation list verification unit 96 determines that the application or the signature key corresponding to the application ID added to the application has been revoked, the revocation list verification unit 96 displays an error message on a display device (not shown). .

  In addition, when the revocation list verification unit 96 determines that the application ID added to the application is valid, the revocation list verification unit 96 outputs the application to the application management unit 97.

The application management unit 97 activates (decrypts or reproduces) or stores an application for which the signature is determined to be valid by the signature verification unit 95 and the application ID is determined to be valid by the revocation list verification unit 96. It is.
The application management unit 97 is a general storage / reproduction unit that decodes and reproduces an encoded application (encoded data) or stores the application once in a storage medium such as a hard disk and then reproduces it. Therefore, detailed description is omitted here.

[Operation of application authentication system]
Next, the operation of the application authentication system will be described.
[Key generation / signature key issuance]
First, referring to FIG. 7 (refer to FIGS. 2 to 4 as appropriate), operations of key generation and signature key issuance that are initial operations in the application authentication system S will be described.
First, the key management server 1 includes two master keys (first master key and second master key) necessary for generating a signature key by the key generation unit 11 in the key generation device 10, public information, and the like. (Step S1: master key / verification key generation). Note that the operation of generating keys (master key and verification key) in step S1 will be described later with reference to FIG.

Then, the key management server 1 stores the verification key generated in step S1 by the verification key management unit 12 and discloses the verification key (step S2). The verification key generated in step S1 is distributed (distributed) to the receiving terminal 9 offline or via a secure transmission path (for example, broadcast wave) (not shown as a step).
The key management server 1 stores the first master key generated in step S1 by the first master key management means 13 (step S3). Further, the key management server 1 transmits the second master key generated in step S1 to the signature key issuing server 3 by the second master key transmission unit 14 (step S4).

On the other hand, the signature key issuing server 3 receives the second master key by the second master key receiving means 31 (step S5). Then, the second master key management means 32 stores the second master key (step S6).
Through the above operation, a master key (first master key and second master key) necessary for generating a signature key and a verification key for verifying the signature key are generated.

Thereafter, the application authentication system S performs the following operation in order to issue a signature key to the application creator.
That is, the key management server 1 inputs the initial application ID from the outside by the partial key generation unit 21 in the partial key generation device 20 and obtains the verification key and the first master key stored in steps S2 and S3. Then, partial key information including a partial key for generating a signature key is generated (step S7: partial key generation). The partial key generation operation in step S7 will be described later with reference to FIG.

And the key management server 1 memorize | stores the partial key (partial key information) produced | generated by step S7 by the partial key management means 22 (step S8).
Furthermore, the key management server 1 transmits the partial key (partial key information) generated in step S7 to the signature key issuing server 3 by the partial key transmission unit 23 (step S9).

On the other hand, the signature key issuing server 3 receives the partial key (partial key information) by the partial key receiving means 33 (step S10).
Then, the signature key issuing server 3 generates a signature key from the partial key (partial key information) received in step S10 and the second master key stored in step S6 by the signature key generation unit 34 (step S11). : Signing key generation). Note that the signature key generation operation in step S11 will be described later with reference to FIG. The signature key generated in step S11 is distributed offline to the application creator (application signature addition server 5).
Then, the application signature adding server 5 inputs the signature key distributed offline by the signature key input unit 51, and stores the signature key by the signature key management unit 52 (step S12).

With the above operation, a signature key is generated and managed as secret information by the application creator.
If there are a plurality of application producers (application signature addition server 5), a plurality of signature keys are generated correspondingly. In this case, the operation after step S7 depends on the number of application producers. Repeated.

(Key [master key / verification key] generation)
Next, with reference to FIG. 8 (refer to FIG. 2 as appropriate), operations for generating a master key (first master key and second master key) and a verification key will be described. The operation described here corresponds to the operation in step S1 described in FIG. 7, and operates in the key generation unit 11 of the key generation device 10.

First, the key generation means 11 generates prime numbers p and q whose q is a divisor of (p−1) (step S21), and based on the prime numbers p and q, the element g of the multiplicative group Z _p ^* is used. A generation source g is generated such that the order of the generated subgroup is q (step S22). Then, the key generation means 11 randomly selects x, x ′ from Z _q (step S23).
Then, the key generation unit 11 sets the x ₀ obtained by performing the calculation of the equation (1) and the first master key (step S24).
Further, the key generation means 11 sets x ′ selected in step S23 as the second master key (step S25).

After that, the key generation means 11 calculates a part (y ₀ , y ′) of the verification key element by the calculation of the formula (3), and p, q, g, y ₀ , y ′ and the hash function H ( The verification key VK shown in the equation (2) consisting of (.) Is generated (step S26).
By the above operation, the key generation unit 11 generates a first master key x ₀ and the second master key x 'are two master key for generating a signature key and a verification key VK is a public information .

(Signing key issuance)
Next, with reference to FIG. 9 (refer to FIGS. 2 and 3 as appropriate), the main operation when issuing a signature key will be described. The operation described in FIG. 9A corresponds to the partial key generation operation in step S7 described in FIG. 7, and operates in the partial key generation unit 21 of the key generation device 10 of the key management server 1. 9B corresponds to the signature key generation operation in step S11 described in FIG. 7, and operates in the signature key generation unit 34 of the signature key issuing server 3.

First, as shown in FIG. 9A, the partial key generation means 21 randomly generates a random number r ₁ from Z _q (step S31). Then, the partial key generation means 21 generates the partial key verification information v ₁ by the calculation of the equation (4) based on the random number r ₁ and the part (p, g) of the verification key (step S32). .
Further, the partial key generation means 21 connects the partial key verification information v ₁ and the initial application ID (value T), and generates the hash value c ₁ by the above equation (5) (step S33).

Thereafter, the partial key generation means 21 calculates the partial key based on the first master key x ₀ , a part (q) of the verification key, the hash value c _1, and the random number r ₁ according to the equation (6). generating a x ₁ (step S34).
The partial key x ₁ generated in this way is transmitted to the signature key issuing server 3 as partial key information together with the partial key verification information v ₁ and the initial application ID (value T).

On the other hand, as shown in FIG. 9B, the signature key generation unit 34 includes the second master key x ′ acquired in advance and the part included in the partial key information generated and transmitted in step S34. key _{x 1,} based on a portion of the verification key that is published (q), by the equation (11), generates a signing key SK _T corresponding to the initial application ID (value T) (step S41) .
The generated signature key SK _T, as will be distributed off-line application creators.

[Signature key update]
Next, the signature key update operation in the application authentication system S will be described with reference to FIG. 10 (see FIGS. 2 and 4 as appropriate).
Here, an operation for updating a signature key required when an application creator creates or updates an application and registers the application in the application distribution server 7 will be described.

First, the application signature adding server 5 uses the signature key update request unit 53 to update the application ID before update managed (stored) by the signature key management unit 52 and an update instruction indicating the category to be updated in the application ID. Information (info) is transmitted to the key management server 1 as a signature key update request (step S51).
Then, the key management server 1 receives the signature key update request by the update request receiving unit 24 in the partial key generation device 20 (step S52).

Then, the key management server 1 uses the signature key update information generation unit 25 to generate signature key update information including a difference partial key for updating the signature key (step S53: difference partial key generation). The difference partial key generation operation in step S53 will be described later with reference to FIG.
Thereafter, the key management server 1 transmits the differential partial key (signature key update information) generated in step S53 to the application signature addition server 5 by the signature key update information transmission unit 26 (step S54).

Then, the application signature adding server 5 receives the differential partial key (signature key update information) by the signature key update information receiving means 54 in the signature key update device 50 (step S55).
Then, the application signature addition server 5 uses the difference partial key (signature key update information) received in step S55 by the signature key update unit 55 to receive the pre-update signature key managed (stored) by the signature key management unit 52. (Step S56: signature key update). The signature key update operation in step S56 will be described later with reference to FIG.
Then, the application signature adding server 5 stores the updated signature key by the signature key management unit 52 (step S57).
With the above operation, the signature key used when adding a signature to the application is updated in the application signature adding server 5.

In this operation, the application creator requests the key management server 1 to update the signature key at the timing when the application creator creates or updates the application, but the application IDs are simultaneously updated from the key management server 1. Is also possible.
In this case, the procedure of steps S51 and S52 in FIG. 10 is omitted, and the key management server 1 updates the signature key by the signature key update information generation unit 25 when the update instruction is input from the outside. Signature key update information including the differential partial key is generated (step S53: differential partial key generation). At this time, the signature key update information generation unit 25 generates a new differential partial key corresponding to the application ID whose security update number has been updated for all partial keys managed (stored) by the partial key management unit 22. .
The operations after step S54 are the same as the operations described in FIG.

(Differential partial key generation / signature key update)
Next, with reference to FIG. 11 (refer to FIG. 2 and FIG. 4 as appropriate), main operations when the signature key is updated will be described. The operation described in FIG. 11A corresponds to the differential partial key generation operation in step S53 described in FIG. 10, and is performed in the signature key update information generation unit 25 of the partial key generation device 20 of the key management server 1. To do. The operation described in FIG. 11B corresponds to the signature key update operation in step S56 described in FIG. 10, and operates in the signature key update unit 55 of the signature key update device 50 of the application signature addition server 5.

First, as shown in FIG. 11 (a), the signature key update information generation unit 25 generates a random number _{r 2} at random from _{Z q} (step S61). Then, the signature key update information generating unit 25 generates the partial key verification information v ₂ by the calculation of the formula (7) based on the random number r ₂ and a part (p, g) of the verification key (step) S62).
Further, the signature key update information generation unit 25 concatenates the partial key verification information v ₂ and the updated application ID value (T + n), and generates the hash value c _{2 according} to the equation (8) (step). S63).

Then, the signature key update information generation unit 25 uses the equation (9) based on the first master key x ₀ , a part (q) of the verification key, the hash value c _2, and the random number r ₂ . It generates a partial key _{x 2} (step S64).

Thereafter, the signature key update information generation unit 25 includes the partial key x ₁ corresponding to the pre-update application ID managed (stored) by the partial key management unit 22, the partial key x ₂ generated in step S64, Based on the part (q) of the verification key, a difference partial key Δx is generated by the equation (10) (step S65).
The differential partial key Δx generated in this way is transmitted to the application signature addition server 5 as the signature key update information together with the partial key verification information v ₂ and the updated application ID value (T + n).

On the other hand, as shown in FIG. 11B, the signature key update unit 55 includes a signature key SK _T corresponding to the pre-update application ID value T managed (stored) by the signature key management unit 52, and a step Based on the difference partial key Δx included in the signature key update information generated and transmitted in S65 and a part (q) of the verification key disclosed as public information in the key management server 1, the above formula ( 12), the signature key SK _{T + n} corresponding to the new application ID value (T + n) is generated (step S71).

Signing key SK T _{+ n} thus generated, together with the partial key verification information v ₂ contained in the signature key update information, in association with the value of the application ID (T + n), it is stored in the signature key management unit 52 . As a result, the signature key (signature key information) held by the application signature addition server 5 is updated.

[Application registration / update]
Next, referring to FIG. 12 (refer to FIGS. 2, 4 and 5 as appropriate), a signature in the application authentication system S is generated and added to the application, and the application is registered in the application distribution server 7 (including updating). The application registration / update operation to be performed will be described.

First, the application signature addition server 5 inputs an application (including an application number and an application version) from the outside by the application input unit 61 (step S81).
Then, the application signature addition server 5 generates a signature (signature information) based on the signature key information stored in the signature key management unit 52 by the ID / signature addition unit 62 (step S82: signature generation). Note that the signature generation operation in step S82 will be described later with reference to FIG.

  Then, the application signature adding server 5 uses the ID / signature adding means 62 for the application input in step S81, the application ID corresponding to the application number and application version of the application, and the signature (signature information) generated in step S82. Are added (step S83). Then, the application signature addition server 5 transmits the application with ID / signature to which the application ID and signature are added in step S83 to the application distribution server 7 by the application registration requesting unit 63 (step S84).

On the other hand, the application distribution server 7 receives the application with ID / signature by the application registration means 71 (step S85). Then, the application distribution server 7 writes and stores the application and signature in the application storage unit 72 in association with the application ID by the application registration unit 71 (step S86).
Thereafter, the application distribution server 7 transmits, to the key management server 1, the registration completion transmission means 73, indicating that the registration of the application with ID / signature has been completed (registration completion notification with application ID) (step S87).

The key management server 1 receives the registration completion notification by the registration completion receiving unit 27 of the partial key generation device 20 (step S88), and the partial key management unit 22 applies the application corresponding to the application ID to the application. The fact that it is registered in the distribution server 7 is set (step S89).
As a result of the above operation, only applications to which a legitimate application creator has added a valid signature are stored in the application distribution server 7.

(Signature generation)
Next, an operation for generating a signature (signature information) will be described with reference to FIG. The operation described here corresponds to the signature generation operation in step S82 described in FIG. 12, and operates in the ID / signature addition means 62 of the signature generation apparatus 60 of the application signature addition server 5.

First, the ID / signature adding means 62 randomly generates a random number r _s from Z _q (step S91). Then, ID · signature addition unit 62, the random number _{r s,} based on a portion of the verification key (p, g), generates signature verification information _{v s} by calculation of the equation (13) (step S92) .

Further, ID · signature addition means 62, a partial key verification information v ₂ stored in the signature key managing unit 52, a signature verifying information v _s, the value of the application ID (T + n), connects the application M Then, the hash value c _s is generated by the equation (14) (step S93).

Thereafter, the ID / signature adding unit 62 includes the hash value c _s , the random number r _s , the signature key SK _{T + n} corresponding to the application ID value (T + n) stored in the signature key management unit 52, and the verification key Based on the part (q), the signature σ _s is generated by the equation (15) (step S94).
By adding the signature σ _s generated in this way to the application M together with the hash value c _s , the partial key verification information v, and the application ID value (T + n), an application with an ID / signature is generated. It will be.

[Application authentication]
Next, with reference to FIG. 14 (refer to FIGS. 5 and 6 as appropriate), an application authentication operation in which the receiving terminal 9 acquires an application and verifies the signature and the application ID in the application authentication system S will be described.

First, the receiving terminal 9, the application acquisition unit 94, an application specified by the user request (application request), via the network N _1, and transmits the application distribution server 7 (step S101).

  On the other hand, the application distribution server 7 receives an application request by the application request receiving means 74 (step S102). Then, the application delivery server 7 reads the application requested by the application request from the application storage means 72 by the application transmitting means 75, and requests the application as an ID / signed application together with the application ID and signature added to the application. It transmits to the received receiving terminal 9 (step S103).

Then, the receiving terminal 9, the application acquisition unit 94, via the network _{N 1,} receives the ID · Signed application (step S104).
Here, the receiving terminal 9 verifies whether or not the signature added to the application is valid by the signature verification means 95 (step S105: signature verification). Note that the signature verification operation in step S105 will be described later with reference to FIG.

If the receiving terminal 9 determines that the signature is invalid as a verification result (No in step S106), the receiving terminal 9 does not start the application or the like, displays an error message, and ends the process.
On the other hand, if it is determined that the signature is valid as the verification result (Yes in step S106), the receiving terminal 9 manages the application ID added to the application by the revocation list verification unit 96 by the revocation list management unit 93. The validity of the application is verified based on whether or not it is included in the (stored) revocation list (step S107).

If the receiving terminal 9 determines that the application ID is revoked as a result of the verification based on the revocation list (Yes in step S108), the receiving terminal 9 ends the application authentication operation.
On the other hand, when it is determined that the application ID is valid (No in step S108), the receiving terminal 9 starts (decrypts and reproduces) or accumulates the application using the application management unit 97 (step S109).
With the above operation, only applications to which a valid signature is added by a legitimate application creator are activated and stored in the receiving terminal 9.

(Signature verification)
Next, an operation for verifying a signature will be described with reference to FIG. 15 (see FIG. 6 as appropriate). The operation described here corresponds to the signature verification operation in step S105 described in FIG. 14, and operates in the signature verification means 95 of the receiving terminal 9.

First, the signature verification unit 95 uses the hash function H (·) included in the verification key recorded in the verification key management unit 91 to use the partial key verification information v ₂ added to the application and the value of the application ID. (T + n) and on the basis, generates a hash value _{c 2} by the equation (16) (step S111).
Then, the signature verification means 95 is based on the hash value c ₂ , a part of the verification key (p, g, y ₀ , y ′), and the signature information (σ _s , c _s , v ₂ ). The signature σ _s is verified depending on whether or not the conditional expression of Expression (17) is satisfied (step S112).

Here, when the conditional expression of Expression (17) is satisfied (Yes in Step S112), the signature verification unit 95 sets that the signature is valid in the verification result (Step S113). On the other hand, if the conditional expression (17) does not hold (No in step S112), the signature verification unit 95 sets that the signature is not valid in the verification result (step S114).
With the above operation, the receiving terminal 9 can verify the signature added to the application.

[Application revocation]
Next, with reference to FIG. 16 (refer to FIGS. 2 and 6 as appropriate), an operation for invalidating the application will be described.

First, the key management server 1 generates the revocation list (RL) based on the revocation information input from the outside by the revocation list generation unit 281 of the revocation list notification unit 28 (step S121). At this time, the revocation list generation means 281 includes, as revocation information for identifying the application to be revoked, for example, as shown in FIG. 19A, when revoking a specific application, the security update number S _N , the broadcast station The number B _N , the producer number C _N and the application number A _N are input. Then, the revocation list generation unit 281 generates an RL using a region other than the application ID specified by the revocation information as a wild card.
Then, the key management server 1 transmits the revocation list generated in step S121 to the receiving terminal 9 by the revocation list transmission unit 282 (step S122).

On the other hand, the receiving terminal 9 receives the revocation list by the revocation list receiving means 92 (step S123).
Then, the receiving terminal 9 writes and stores the revocation list in the storage unit (not shown) by the revocation list management unit 93 (step S124).
With the above operation, the application ID to be revoked is stored in the receiving terminal 9, and the revocation list can be verified in step S107 described with reference to FIG.

  According to the application authentication system S described above, the broadcasting station performs key generation and key management, and the receiving terminal 9 verifies the signature using a fixed-length verification key regardless of the number of application creators. be able to.

  Further, since the application authentication system S manages the master key separately, even if one master key leaks, the signature key cannot be updated without the other master key. It is possible to securely authenticate the application creator.

  As mentioned above, although embodiment of this invention was described, this invention is not limited to this. For example, the key management server 1 can be realized by operating a general computer by a program (key management program [key generation program, signature key update partial key generation program]) that functions as each of the above-described units. it can. Similarly, the signature key issuing server 3 can be realized by operating a general computer by a program (signature key issuing program) that functions as each of the above-described units.

  The signature key update device 50 of the application signature addition server 5 can be realized by operating a general computer by a program (signature key update program) that functions as each of the above-described means. Can be realized by operating a general computer by a program (application signature adding program) that functions as each of the above-described means. Furthermore, the receiving terminal 9 can be realized by operating a general computer by a program (application authentication program) that functions as each of the above-described means.

  Here, although the system is configured using Strong Key-Insulated signatures, ID-based signatures (A. Shamir: “Identity-Based Cryptosystems and Signature Schemes”, Proc. Of CRYPTO'84, LNCS 196, pp. 47) -53, Springer-Verlag, 1984.) and Key-Insulated signatures (Y. Dodis, J. Katz, S. Xu and M. Yung: “Strong Key-Insulated Signature Schemes”, Proc. Of PKC'03, pp. .130-144, 2003.) can also be used to implement a system for updating and revoking the signature key and application ID of the present invention.

[Other configuration of application authentication system (ID-based signature)]
Hereinafter, another embodiment of the present invention using an ID-based signature will be described.
As shown in FIG. 20, when the present invention using the ID-based signature, the application application authentication system S _B, and the key management server (a key management apparatus) 1B with the broadcasting station, the application author held The signature adding server 5B, the application distribution server 7 held by the application distributor, and the receiving terminal 9 provided in the user's home (or carried by the user).

An ID-based signature does not have the concept of a partial key, and a signature key is generated from one master key and ID information. Therefore, the application authentication system S _B may omit the signing key issuing server 3 from the application authentication system S described in FIG 1, the key management server 1 of the key generation device 10 and the partial key generation unit 20, the key generation device 10B and a signature The key management server 1B is configured as the key generation device 20B, and the application signature addition server 5B is configured with the signature key update device 50 of the application signature addition server 5 as the new signature key update device 50B. The application distribution server 7 and the receiving terminal 9 are the same as those in FIG.

[Key management server configuration]
First, the configuration of the key management server will be described with reference to FIG. 21 (refer to FIG. 20 as appropriate). Here, the key management server (key management device) 1B includes a key generation device 10B and a signature key generation device 20B. It is assumed that the key generation device 10B and the signature key generation device 20B are communicably connected via a communication interface (not shown).

(Configuration of key generation device)
The key generation device 10B generates and manages (stores) a master key for generating a signature key and a verification key for verifying the signature key. Here, the key generation device 10B includes a key generation unit 11B, a verification key management unit 12, and a master key management unit 13B. The verification key management unit 12 is the same as that described with reference to FIG.

  The key generation unit 11B generates a master key and a verification key. Here, the key generation unit 11B generates a master key and a verification key by an ID-based signature method. The key generation unit 11B outputs the generated verification key to the verification key management unit 12, and outputs the generated master key to the master key management unit 13B.

  The master key management unit 13B stores and manages the master key generated by the key generation unit 11B. The master key management unit 13B manages the master key in the same manner as the first master key managed by the first master key management unit 13 described in FIG.

(Configuration of signature key generator)
The signature key generation device 20B generates a signature key and key information used when updating the signature key, and generates a revocation list indicating a list of revoked signature keys. Here, the signature key generation apparatus 20B includes a signature key generation unit 21B, a signature key management unit 22B, a signature key output unit 23B, an update request reception unit 24, a signature key update information generation unit 25B, and a signature key update. Information transmitting means 26B, registration completion receiving means 27, and revocation list notifying means 28 are provided.

The update request receiving unit 24, the registration completion receiving unit 27, and the revocation list notifying unit 28 have the same configuration as the partial key generation device 20 described in FIG.
As described above, the ID-based signature does not have the concept of a partial key, and a signature key is generated from one master key and ID information. Therefore, here, the partial key generation unit 21 shown in FIG. The key management unit 22 and the partial key transmission unit 23 are configured as a signature key generation unit 21B, a signature key management unit 22B, and a signature key output unit 23B, respectively.
In other words, the signature key generation device 20B generates a signature key (signature key information) based on the ID-based signature method by the signature key generation unit 21B, manages (stores) the signature key by the signature key management unit 22B, and Output to the outside by the output means 23B. For example, the signature key output unit 23B outputs a signature key (signature key information) to a writing device (not shown) of a storage medium such as a CD-R, and writes the signature key on the CD-R or the like. The storage medium in which the signature key (signature key information) is written in this way is distributed offline to the application signature addition server 5B.

Also, here, the signature key update information generation unit 25 and the signature key update information transmission unit 26 shown in FIG. 2 are configured as a signature key update information generation unit 25B and a signature key update information transmission unit 26B, respectively. .
Also in the signature key update information generation unit 25B and the signature key update information transmission unit 26B, the signature key update information generation unit 25 and the signature key update information transmission unit 26 shown in FIG. The only difference is that it is transmitted to the additional server 5, whereas the difference between the signature keys is obtained and transmitted to the application signature additional server 5B.

[Configuration of application signature addition server]
Next, the configuration of the application signature adding server will be described with reference to FIG. 22 (refer to FIG. 20 as appropriate). Here, the application signature addition server 5B includes a signature key update device 50B and a signature generation device 60. The signature generation device 60 is the same as that described with reference to FIG.

  The signature key update device 50B updates the signature key distributed to the application creator based on the differential signature key (differential signature key information) transmitted from the key management server 1B. Here, the signature key update device 50B includes a signature key input unit 51, a signature key management unit 52, a signature key update request unit 53, a signature key update information reception unit 54B, and a signature key update unit 55B. Yes. The signature key input unit 51, the signature key management unit 52, and the signature key update request unit 53 are the same as those described with reference to FIG.

Further, the signature key update information receiving unit 54B and the signature key updating unit 55B are the same as those in the case where the signature key update information receiving unit 54 and the signature key updating unit 55 described with reference to FIG. The only difference is that the differential signature key is received and the signature key is updated. The signature key update unit 55B updates the signature key using the differential signature key by a general ID-based signature method.
As described above, the present invention is sequentially updated with a verification key, which is public information for verifying a signature added to an application created by an application creator, and an application-specific key, which is secret information corresponding to the verification key. In the signature method using the signature key, the signature key can be easily revoked by associating the application ID such as the application number and version with the divided area, and the signature key can be easily updated. it can.

[Modification of application authentication system]
Here, in the application authentication systems S and S _B (see FIGS. 1 and 20), the application signature adding servers 5 and 5B are arranged on the application producer side, and the signature key is distributed to the application producer. However, the application signature addition servers 5 and 5B may be arranged on the application distributor side and the signature key may be distributed to the application distributor. That is, as shown in FIGS. 23 and 24, the application authentication systems S _C and S _D may be configured.

In this case, the application created by the application creator is input to the application input means 61 (see FIG. 4) of the signature generation apparatus 60 of the application signature addition server 5 or 5B installed on the application distributor side, and has an ID and signature. The application is registered in the application distribution server 7.
Alternatively, after the application creator registers the application in the application storage unit 72 (see FIG. 5) of the application distribution server 7, the signature generation device 60 of the application signature adding server 5 uses the application input unit 61 (see FIG. 4). The application may be read out and re-registered as an application with an ID / signature.
As a result, the signature key can be managed collectively by the application distributor.

S Application authentication system 1 Key management server (key management device)
DESCRIPTION OF SYMBOLS 10 Key generation apparatus 11 Key generation means 12 Verification key management means (Verification key storage means)
13 First master key management means (first master key storage means)
14 Second master key transmission means 20 Partial key generation device (signature key update partial key generation device)
21 Partial key generation means 22 Partial key management means (partial key storage means)
DESCRIPTION OF SYMBOLS 23 Partial key transmission means 24 Update request reception means 25 Signature key update information generation means 26 Signature key update information transmission means 27 Registration completion reception means 28 Revocation list notification means 3 Signature key issue server (signature key issue device)
31 Second master key receiving means 32 Second master key management means (second master key storage means)
33 Partial Key Receiving Unit 34 Signature Key Generating Unit 35 Signature Key Output Unit 5 Application Signature Adding Server (Application Signature Adding Device)
DESCRIPTION OF SYMBOLS 50 Signature key update apparatus 51 Signature key input means 52 Signature key management means (signature key storage means)
53 Signature Key Update Requesting Unit 54 Signature Key Update Information Receiving Unit 55 Signature Key Updating Unit 60 Signature Generation Device 61 Application Input Unit 62 ID / Signature Adding Unit 63 Application Registration Request Transmitting Unit 7 Application Distribution Server (Application Distribution Device)
71 Application Registration Unit 72 Application Storage Unit 73 Registration Completion Transmission Unit 74 Application Request Reception Unit 75 Application Transmission Unit 9 Receiving Terminal 91 Verification Key Management Unit (Verification Key Storage Unit)
92 Revocation list receiving means 93 Revocation list management means (revocation list storage means)
94 Application acquisition means 95 Signature verification means 96 Revocation list verification means 97 Application management means

Claims (7)

A key management device for generating a key for authenticating an application by a signature method using a verification key for verifying a signature and a signature key updated based on the ID information; and the ID information and the signature for the application An application signature adding device, an application distribution device that stores and distributes the application with the ID information and the signature added thereto, and a receiving terminal that uses the application. In the key management device used in an application authentication system that performs authentication,
Update request reception for receiving, from the application signature adding apparatus, a signature key update request including the ID information and update instruction information indicating an update of any of a plurality of predetermined sections constituting the ID information Means,
Based on the update instruction information included in the signature key update request received by the update request receiving means, the requested ID information is updated in units of sections, and difference information for updating the signature key by the signature method is generated. And signature key update information generating means for generating signature key update information including the updated ID information and the difference information;
Signature key update information transmitting means for transmitting the signature key update information generated by the signature key update information generating means to the application signature adding device;
In the ID information, one or more pieces of ID information in which information indicating an arbitrary value is set in the other category and the value of the category specifying the application to be revoked input from the outside is set in the category. A revocation list generating means for generating a revocation list;
Revocation list transmitting means for transmitting the revocation list generated by the revocation list generating means to the receiving terminal;
A key management device comprising: In the ID information, an area of a section describing a security update number that is a number common to the entire application is provided,
When the signing key update information generating unit is instructed to update the security update number from the outside, the ID information is obtained by updating the security update number for all ID information managed by the key management device. The key management apparatus according to claim 1, wherein the key management apparatus is updated. A key management device for generating a key for authenticating an application by a signature method using a verification key for verifying a signature and a signature key updated based on the ID information; and the ID information and the signature for the application An application signature adding device, an application distribution device that stores and distributes the application with the ID information and the signature added thereto, and a receiving terminal that uses the application. A computer of the key management device used in an application authentication system that performs authentication,
Update request reception for receiving, from the application signature adding apparatus, a signature key update request including the ID information and update instruction information indicating an update of any of a plurality of predetermined sections constituting the ID information means,
Based on the update instruction information included in the signature key update request received by the update request receiving means, the requested ID information is updated in units of sections, and difference information for updating the signature key by the signature method is generated. Signature key update information generation means for generating signature key update information including the updated ID information and the difference information,
Signature key update information transmitting means for transmitting the signature key update information generated by the signature key update information generating means to the application signature adding apparatus;
In the ID information, one or more pieces of ID information in which information indicating an arbitrary value is set in the other category and the value of the category specifying the application to be revoked input from the outside is set in the category. Revocation list generation means for generating a revocation list;
Revocation list transmission means for transmitting the revocation list generated by the revocation list generation means to the receiving terminal;
Key management program to function as A key management device for generating a key for authenticating an application by a signature method using a verification key for verifying a signature and a signature key updated based on the ID information; and the ID information and the signature for the application An application signature adding device, an application distribution device that stores and distributes the application with the ID information and the signature added thereto, and a receiving terminal that uses the application. In the application signature adding apparatus used in the application authentication system for performing authentication,
Signature key storage means for storing the signature key in advance in association with the ID information;
The ID information and the update instruction information indicating the update section of the ID information are included by being instructed from the outside to update any of the plurality of predetermined sections constituting the ID information. A signature key update request means for transmitting a signature key update request to the key management device;
In the key management device, the requested ID information is updated in units of sections, and after the difference information for updating the signature key is generated, the updated signature information including the updated ID information and the difference information is updated. Signature key update information receiving means for receiving information from the key management device;
Using the signature key update information received by the signature key update information receiving means, the signature key stored in the signature key storage means is updated by the signature method, and the signature key is associated with the updated ID information. A signature key update means stored in the storage means;
An ID / signature adding means for generating a signature using a signature key stored in the signature key storage means and adding the signature together with corresponding ID information;
An application signature adding apparatus comprising: A key management device for generating a key for authenticating an application by a signature method using a verification key for verifying a signature and a signature key updated based on the ID information; and the ID information and the signature for the application An application signature adding device, an application distribution device that stores and distributes the application with the ID information and the signature added thereto, and a receiving terminal that uses the application. A computer of the application signature adding device used in an application authentication system that performs authentication,
The ID information and the update instruction information indicating the update section of the ID information are included by being instructed from the outside to update any of the plurality of predetermined sections constituting the ID information. A signature key update request means for transmitting a signature key update request to the key management device;
In the key management device, the requested ID information is updated in units of sections, and after the difference information for updating the signature key is generated, the updated signature information including the updated ID information and the difference information is updated. Signature key update information receiving means for receiving information from the key management device;
Using the signature key update information received by the signature key update information receiving means, the signature key stored in the signature key storage means is updated by the signature method, and the signature key storage is associated with the updated ID information. Signature key update means stored in the means,
An ID / signature adding means for generating a signature using the signature key stored in the signature key storage means and adding the signature together with corresponding ID information;
Application signature addition program to make it function as. A key management device for generating a key for authenticating an application by a signature method using a verification key for verifying a signature and a signature key updated based on the ID information; and the ID information and the signature for the application An application signature adding device, an application distribution device that stores and distributes the application with the ID information and the signature added thereto, and a receiving terminal that uses the application. In the receiving terminal used in the application authentication system that performs authentication,
Verification key storage means for storing the verification key generated by the key generation device;
The ID information is divided into a plurality of predetermined areas, and a value of a division for specifying an application to be invalidated is set in the division, and information indicating an arbitrary value is set in another division Revocation list receiving means for receiving one or more pieces of ID information as a revocation list;
Revocation list storage means for storing the revocation list received by the revocation list reception means;
Application acquisition means for acquiring an application with ID information and a signature added thereto from the application distribution device;
In the ID information added to the application acquired by the application acquisition unit, when the value of the classification for identifying the application to be revoked in the revocation list stored in the revocation list storage unit matches, Revocation list verification means for determining that the ID information is invalid;
Signature verification means for verifying a signature attached to the application by using a verification key stored in the verification key storage means;
A receiving terminal comprising: A key management device for generating a key for authenticating an application by a signature method using a verification key for verifying a signature and a signature key updated based on the ID information; and the ID information and the signature for the application An application signature adding device, an application distribution device that stores and distributes the application with the ID information and the signature added thereto, and a receiving terminal that uses the application. A computer of the receiving terminal used in an application authentication system for performing authentication,
The ID information is divided into a plurality of predetermined areas, and a value of a division for specifying an application to be invalidated is set in the division, and information indicating an arbitrary value is set in another division A revocation list receiving means for receiving one or more pieces of ID information as a revocation list and storing them in a revocation list storage means;
Application acquisition means for acquiring an application with ID information and a signature added thereto from the application distribution device;
In the ID information added to the application acquired by the application acquisition unit, when the value of the classification for identifying the application to be revoked in the revocation list stored in the revocation list storage unit matches, Revocation list verification means for determining ID information as invalid,
Signature verification means for verifying a signature added to the application with a verification key stored in the verification key storage means in advance;
Application authentication program to function as

Images