JP2014222828A - Authentication system and authentication method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an authentication system that can continuously generate random numbers even if executing an authentication process using only a one-way channel.SOLUTION: A random number storage section 111b stores a first random number as a first random seed, and a random number storage section 111a stores the first random number as a second random seed. An authentication device 10a generates a second random number whose seed is the second random seed, transmits the second random number to an authentication device 10b by the use of a one-way channel 502, and stores the second random number as the second random seed in the random number storage section 111a. The authentication device 10b generates a third random number whose seed is the first random seed stored in the random number storage section 111b, compares the second random number received from the authentication device 10a with the third random number generated by means of a processor, and if the second random number matches the third random number, authenticates the authentication device A and stores the third random number as the first random seed in the random number storage section 111b.

Description

  The present invention relates to an authentication system and an authentication method. The present invention particularly relates to an authentication method between authentication apparatuses having different importance levels.

  The conventional “device authentication system” sends a random number R1 from the authentication side to the authenticated side as a challenge CHA1, and the authenticated side selects one of a plurality of functions fn (n is an integer of 2 or more) and selects the selected one The challenge CHA1 converted using the function fi is sent to the authentication side as a response RES1. On the authenticating side, the random number R1 sent by itself is used to convert the random number R1 using the same plural functions fn as the authenticated side, and it is determined whether or not it matches the response RES1 sent from the authenticated side. By doing so, authentication was performed (for example, patent document 1).

  In the conventional “communication device, communication system, and computer-readable storage medium”, the time and the hash value are sent from the authenticated side to the authenticating side. On the authentication side, the relationship between the sent time and its own clock is determined, and the hash value of the password received and the received time is calculated, and authentication / denial is determined based on the match / mismatch. (For example, Patent Document 2).

  In the conventional “one-way communication partner authentication protocol”, a random number sequence is divided into blocks, a digest is attached to each block, and the random number sequence and digest are sent together from the authenticated side to the authenticating side. On the authentication side, a digest is obtained from a random number sequence, and authentication or denial is determined based on whether the received digest matches or does not match (for example, Patent Document 3).

  In the conventional “authenticated device, authentication device, and authentication system”, a challenge is generated on the authenticated side, the challenge is converted into a function, and the challenge and the function value are combined and sent to the authenticating side. The authentication side converts the challenge sent to the function, and performs authentication / denial judgment based on whether the function value matches the function value sent or not (for example, Patent Document 4).

JP-A-10-224343 JP 2000-276444 A JP 2002-229850 A JP 2005-066541 A

  In the conventional “device authentication system”, the authentication side and the authenticated side are connected by a single communication path, so if the importance of the system on the authenticated side is high, depending on the threat on the communication path, There was a problem of affecting the data.

  In the conventional “communication device, communication system, and computer-readable storage medium”, the hash value of the time and password is calculated, so there is a possibility that the hash calculation will be the same in all systems, and in terms of security. There was a problem of becoming an unfavorable situation.

  In the conventional "one-way communication partner authentication protocol", since a random number sequence and digest are sent together from the authenticated side to the authenticating side, a replay attack that exploits the communication data on the communication path and then sends the communication data There was a problem of being vulnerable to

  Further, in the conventional “authenticated device, authentication device, and authentication system”, since the challenge and the function value are sent to the authentication side, a replay attack in which communication data is exploited on the communication path and then the communication data is sent. There was a problem of being vulnerable to

  The present invention has been made to solve the above problems, and when the importance of the devices constituting the system is different, secure authentication in which a threat on the communication path does not affect the highly important devices, An object is to provide a key exchange and encryption method.

An authentication system according to the present invention includes a first device, a second device having higher importance than the first device, and a bidirectional communication path for performing bidirectional communication between the first device and the second device. And an unidirectional communication path that performs unidirectional communication from the second apparatus to the first apparatus, wherein the second apparatus transmits data to the first apparatus using the unidirectional communication path. ,
The first device includes:
A first random number generator for generating a first random number;
A first random number storage unit that stores the first random number generated by the first random number generation unit as a first random number seed that is a seed of random number generation;
A first encryption unit for encrypting the first random number generated by the first random number generation unit;
A first transmission / reception unit that transmits the first random number encrypted by the first encryption unit to the second device using the bidirectional communication path;
The second device includes:
A second decoding unit for decoding the first random number received from the first transmission / reception unit of the first device;
And a second random number storage unit that stores the first random number decoded by the second decoding unit as a second random number seed that is a seed of random number generation.

  According to one aspect of the present invention, the first random number generated by the first random number generation unit of the first device is stored in the first random number storage unit, and the first random number is stored by the second random number storage unit of the second device. In order to use the generated random numbers as seeds for the next random number generation in the first device and the second device, the first random number storage unit and the second random number storage as the first random number seed and the second random number seed Even if the authentication process is executed using only a unidirectional communication path, random numbers can be generated continuously, such as when the bidirectional communication path is disconnected. Also in the authentication, a retransmission attack can be prevented and the data sending side can be securely authenticated.

It is a system configuration | structure figure which shows the communication system in case the importance of the 2nd apparatus 20a and 1st apparatus 20b which comprises a system is equivalent. It is a system block diagram which shows a communication system when the importance of the 2nd apparatus 20a and the 1st apparatus 20b which comprise a system differs. It is a figure which shows the case where the unidirectional communication path 502 is made radio | wireless in the communication system of FIG. FIG. 4 is a diagram illustrating a state where a bidirectional communication path 501 is disconnected in the communication system of FIG. 3. It is a block block diagram of the authentication system 500 which concerns on this Embodiment. It is a figure which shows an example of the hardware constitutions of authentication apparatus 10a, 10b which concerns on this Embodiment. It is a figure which shows the authentication request transmission process of the authentication apparatus B (authentication apparatus 10b) which concerns on this Embodiment. It is a figure which shows the authentication request transmission process of the authentication apparatus A (authentication apparatus 10a) which concerns on this Embodiment. It is a figure which shows the authentication apparatus A authentication process of the authentication apparatus B (authentication apparatus 10b) which concerns on this Embodiment. It is a figure which shows the authentication apparatus B authentication process of the authentication apparatus A (authentication apparatus 10a) which concerns on this Embodiment. It is a figure which shows the judgment result A reception process of the authentication apparatus B (authentication apparatus 10b) which concerns on this Embodiment. It is a figure which shows the unidirectional authentication request | requirement transmission process of the authentication apparatus A (authentication apparatus 10a) which concerns on this Embodiment. It is a figure which shows the unidirectional authentication process of the authentication apparatus B (authentication apparatus 10b) which concerns on this Embodiment. It is a figure which shows the unidirectional authentication process of the authentication apparatus B (authentication apparatus 10b) which concerns on this Embodiment.

Embodiment 1 FIG.
FIG. 1 is a system configuration diagram showing a communication system in which the second device 20a and the first device 20b communicate. In FIG. 1, the second device 20a and the first device 20b are connected by a bidirectional communication path 501 (also referred to as a bidirectional transmission path). In this bidirectional communication path 501, it is possible to communicate all data such as control data and measurement data handled by both devices (second device 20a and first device 20b). In such a communication system, the importance of both devices is equivalent, and it is assumed that there is no difference in the importance of data handled by each device.

  FIG. 2 is a system configuration diagram showing a communication system when the importance of the second device 20a and the first device 20b constituting the system is different. The second device 20a and the first device 20b are connected by a bidirectional communication path 501 and a unidirectional communication path 502 (also referred to as a unidirectional transmission path). By distinguishing the data flowing through the bidirectional communication path 501 and the data flowing through the unidirectional communication path 502, it is possible to make a difference in the importance between the second device 20a and the first device 20b constituting the communication system. . In the second device 20a on the transmission side of the unidirectional communication path 502, it is possible to change the importance of each apparatus by performing control to transmit data with high importance using the unidirectional communication path 502. Here, the second device 20a is set to be more important than the first device 20b.

  FIG. 3 is a diagram illustrating a case where the unidirectional communication path 502 is wireless in the communication system of FIG. Since the unidirectional communication path 502 is wireless, the degree of freedom in installing the apparatus is increased, but it is necessary to pay sufficient attention to the security on the communication path (transmission path).

  FIG. 4 is a diagram showing a state where the bidirectional communication path 501 is disconnected in the communication system of FIG. Even in the case of a communication system in which the bidirectional communication path 501 is disconnected for some reason, it is possible to send highly important data from the second apparatus 20a to the first apparatus 20b using the wireless unidirectional communication path 502. Become. On the other hand, it is necessary to ensure security for the authentication of the second apparatus 20a on the transmission side.

FIG. 5 is a block configuration diagram of authentication system 500 according to the present embodiment.
The authentication system 500 includes an authentication device 10a (an example of a second device) and an authentication device 10b (an example of a first device). The authentication device 10a and the authentication device 10b are connected by a bidirectional communication path 501 and a unidirectional communication path 502. The authentication devices 10a and 10b are communication devices that perform authentication, key exchange, and encryption, and perform data transmission and reception.

The bidirectional communication path 501 is a communication path that performs bidirectional data transmission between the authentication device 10a and the authentication device 10b. The bidirectional communication path 501 is wired communication. The unidirectional communication path 502 is a communication path for transmitting data in one direction from the authentication apparatus 10a to the authentication apparatus 10b. The unidirectional communication path 502 performs data transmission by wireless communication, but may not be wireless communication but may be wired communication.
In the authentication system 500 shown in FIG. 5, it is assumed that the importance of the authentication device 10a is higher than the importance of the authentication device 10b. Therefore, the data transmitted from the authentication device 10a is transmitted using the unidirectional communication path 502.

Authentication devices 10a and 10b include decryption units 100a and 100b, random number generation / determination units 110a and 110b, random number storage units 111a and 111b, encryption units 120a and 120b, key generation units 130a and 130b, transmission and reception units 140a and 140b, and a clock unit. 180a and 180b are provided.
In the following description, reference numerals with the same numbers indicate configurations having the same functions. The subscripts a and b indicate whether the configuration belongs to the authentication device 10a or the authentication device 10b. In addition, the functional block of the authentication device 10a (second device) may be preceded by “second” in the block name, such as “second decryption unit” and “second encryption unit”. Similarly, the function block of the authentication device 10b (first device) may have “first” in front of the component block name, such as “first decryption unit” and “first encryption unit”.

The authentication device 10a further includes a transmission unit 150a. The authentication device 10a is connected to an input IF 25a (input interface) via the one-way communication unit 40a.
The authentication device 10b further includes a receiving unit 160b and a counting unit 170b. The authentication device 10b is connected to the output IF 30b (output interface).

In the present embodiment, data input from the input IF 25a is input to the authentication device 10a via the one-way communication unit 40a, and key generation processing and encryption processing are performed in the authentication device 10a. It is assumed that the data is transmitted to the authentication device 10b. It is assumed that the authentication device 10b receives encrypted data, performs key generation processing and decryption processing, and outputs them from the output IF 30b.
The authentication process between the authentication device 10a and the authentication device 10b is an authentication process necessary for data transmission from the authentication device 10a to the authentication device 10b.

Next, the function of each component will be briefly described.
The decryption units 100a and 100b receive the ciphertext and decrypt it.
Random number generation / determination units 110a and 110b (an example of a random number generation unit) generate random numbers and store them in random number storage units 111a and 111b. In addition, the random number generation / determination units 110a and 110b determine the sent random numbers by the processing device. The random number generation by the random number generation / determination unit 110a and the random number generation / determination unit 110b is performed by the same series of pseudo-random number generators.

The encryption units 120a and 120b input plain text and encrypt it.
The key generation units 130a and 130b generate keys used for encryption and decryption.
The transmission / reception units 140 a and 140 b transmit and receive data via the bidirectional communication path 501.
The transmitter 150a only transmits data.
The receiving unit 160b only receives data.
The counting unit 170b holds the transmitted data, and counts it if it is the same data.
The clock units 180a and 180b measure the time and compare and judge the sent time.
The input IF 25a accepts data input.
The output IF 30b outputs data.
The one-way communication unit 40a allows data to flow only in one direction.
In addition to the above, the authentication devices 10a and 10b include a control unit (not shown) that controls the functional blocks.

FIG. 6 is a diagram illustrating an example of a hardware configuration of the authentication devices 10a and 10b according to the present embodiment.
A hardware configuration example of the authentication devices 10a and 10b will be described with reference to FIG.

The authentication devices 10a and 10b are computers, and each element of the authentication devices 10a and 10b can be realized by a program.
As a hardware configuration of the authentication devices 10a and 10b, an arithmetic device 901, an external storage device 902, a main storage device 903, a communication device 904, and an input / output device 905 are connected to the bus.

The arithmetic device 901 is a CPU (Central Processing Unit) that executes a program.
The external storage device 902 is, for example, a ROM (Read Only Memory), a flash memory, or a hard disk device.
The main storage device 903 is a RAM (Random / Access / Memory).
The communication device 904 is a communication board or the like, for example, and is connected to a LAN (Local / Area / Network) or the like. The communication device 904 is not limited to a LAN, but is an IP-VPN (Internet / Protocol / Virtual / Private / Network), a wide-area LAN, an ATM (Asynchronous / Transfer / Mode) network, a WAN (Wide / Area / Network), or the Internet. It does not matter if it is connected to. LAN, WAN, and the Internet are examples of networks.
The input / output device 905 is, for example, a mouse, a keyboard, a display device, or the like. Instead of the mouse, a touch panel, touch pad, trackball, pen tablet, or other pointing device may be used.

The program is normally stored in the external storage device 902, and is loaded into the main storage device 903 and sequentially read into the arithmetic device 901 and executed.
The program is a program that realizes a function described as “unit” shown in FIG.
Further, an operating system (OS) is also stored in the external storage device 902. At least a part of the OS is loaded into the main storage device 903, and the arithmetic unit 901 executes the OS while displaying “˜ part” shown in FIG. ”Is executed.
An application program is also stored in the external storage device 902, and is sequentially executed by the arithmetic device 901 while being loaded in the main storage device 903.
In the description of the present embodiment, “determining”, “determining”, “extracting”, “detecting”, “setting”, “registering”, “selecting” ”,“ Generate ”,“ Input of ”,“ Output of ”, etc., information, data, signal values, and variable values indicating the results of the processing are stored in the main storage device 903 as files. Yes.
In addition, data received by the authentication devices 10 a and 10 b is stored in the main storage device 903.
Further, the encryption key / decryption key, random number value, and parameter may be stored in the main storage device 903 as a file.

  The configuration in FIG. 6 is merely an example of the hardware configuration of the authentication devices 10a and 10b, and the hardware configuration of the authentication devices 10a and 10b is not limited to the configuration illustrated in FIG. There may be.

Next, the operation of the authentication devices 10a and 10b according to the present embodiment will be described.
In the present embodiment, when the authentication device 10a and the authentication device 10b communicate with each other, an authentication process is executed immediately before the communication. Alternatively, when the communication between the authentication device 10a and the authentication device 10b is continued, the authentication process is executed regularly or at a predetermined time. The authentication device 10a and authentication device 10b may be referred to as authentication device A and authentication device B in the following description. The random number generator used by the authentication device 10a and the authentication device 10b is assumed to be a pseudo-random number generator of the same series.

FIG. 7 is a diagram showing authentication request transmission processing of the authentication device B (authentication device 10b) according to the present embodiment.
In S101, the random number generation / determination unit 110b (first random number generation unit) causes the processing device to generate a random number Rb (first random number) using a pseudo random number generator. The random number storage unit 111b stores the random number b in the storage device as a first random number seed that is a seed for generating random numbers.
In S102, the random number generation / determination unit 110b outputs the random number Rb to the encryption unit 120b.
In S103, the clock unit 180b outputs the current time Tb1 to the encryption unit 120b.
In S104, the encryption unit 120b concatenates and encrypts the input random number Rb and the current time Tb1 to obtain a ciphertext (Rb, Tb1).
In S105, the encryption unit 120b outputs the ciphertext (Rb, Tb1) and the current time Tb1 to the transmission / reception unit 140b.
In S106, the transmission / reception unit 140b (first transmission / reception unit) transmits the ciphertext (Rb, Tb1) and the current time Tb1 to the transmission / reception unit 140a of the authentication apparatus A (authentication apparatus 10a) using the bidirectional communication path 501. Are transmitted as an authentication request (B1 authentication data).

FIG. 8 is a diagram showing an authentication request transmission process of the authentication device A (authentication device 10a) according to the present embodiment. This is a process of requesting authentication from the authentication device A to the authentication device B.
In S201, the transmission / reception unit 140a outputs the B1 authentication data (ciphertext (Rb, Tb1), current time Tb1) received from the authentication device B to the decryption unit 100a. The decryption unit 100a (second decryption unit) decrypts the ciphertext (Rb, Tb1). Of the decrypted text, the decrypted text corresponding to the random number Rb is written as the decrypted text (random number Rb), and the decrypted text corresponding to the current time Tb1 is written as the decrypted text (current time Tb1). In addition, among the B1 authentication data, data corresponding to the current time Tb1 is written as data (current time Tb1).

In S202, the decryption unit 100a outputs the decrypted text (current time Tb1) to the clock unit 180a. The clock unit 180a uses the processing device to calculate the difference between the decrypted text (current time Tb1) and the current time Ta.
In S203, the clock unit 180a determines whether or not the difference between the decrypted text (current time Tb1) and the current time Ta is within a predetermined range. If it is out of the predetermined range (NO in S203), authentication device A denies authentication device B (S210). If within the predetermined range (YES in S203), clock unit 180a replaces current time Ta with the decrypted text (current time Tb1) (S204). That is, the time of the current time Ta is Tb1. Here, the replaced current time Ta is written as current time Ta (Tb1).

  In S205, the decryption unit 100a outputs the decrypted text (random number Rb), the decrypted text (current time Tb1), and the data (current time Tb1) to the random number generation / determination unit 110a. The random number generation / determination unit 110a determines whether or not the decrypted text (current time Tb1) matches the data (current time Tb1). If they do not match (NO in S206), authentication device A denies authentication device B (S210). If they match (YES in S206), the process proceeds to S207.

  In S207, the random number generation / determination unit 110a generates a random number Ra and connects the generated random number Ra and the decrypted text (random number Rb) to form a connected text (Ra, Rb). In addition, the random number storage unit 111a (second random number storage unit) stores a decrypted text (random number Rb) as a second random number seed, which is a seed for generating random numbers, in the storage device, for example, when the bidirectional communication path 501 is disconnected. Hold. The random number generation / determination unit 110a outputs the concatenated text (Ra, Rb) to the encryption unit 120a. The clock unit 180a outputs the current time Ta (Tb1) to the encryption unit 120a.

In S208, the encryption unit 120a concatenates and encrypts the concatenated text (Ra, Rb) and the current time Ta (Tb1). The encryption unit 120a outputs the ciphertext (Ra, Rb, Ta (Tb1)) and the current time Ta (Tb1) to the transmission unit 150a.
In S209, the transmission unit 150a transmits the ciphertext (Ra, Rb, Ta (Tb1)) and the current time Ta (Tb1) to the reception unit 160b of the authentication apparatus B using the unidirectional communication path 502. The ciphertext (Ra, Rb, Ta (Tb1)) and the current time Ta (Tb1) are used as A1 authentication data.

FIG. 9 is a diagram showing an authentication apparatus A authentication process of the authentication apparatus B (authentication apparatus 10b) according to the present embodiment.
In S301, the receiving unit 160b outputs the A1 authentication data (ciphertext (Ra, Rb, Ta (Tb1)), current time Ta (Tb1)) received from the authentication device A to the decrypting unit 100b. The decryption unit 100b decrypts the ciphertext (Ra, Rb, Ta (Tb1)). Among the decrypted texts, the decrypted text corresponding to the random number Ra is the decrypted text (random number Ra), the decrypted text corresponding to the random number Rb is the decrypted text (random number Rb), and the decrypted text corresponding to the current time Ta (Tb1) is the decrypted text ( Current time Ta (Tb1)) is written. In addition, among the A1 authentication data, data corresponding to the current time Ta (Tb1) is written as data (current time Ta (Tb1)).

In S302, the decryption unit 100b outputs the decrypted text (current time Ta (Tb1)) to the clock unit 180b. The clock unit 180b calculates the difference between the decrypted text (current time Ta (Tb1)) and the current time Tb2 by the processing device.
In S303, the clock unit 180b determines whether the difference between the decrypted text (current time Ta (Tb1)) and the current time Tb2 is within a predetermined range. If it is outside the predetermined range (NO in S303), authentication apparatus B denies authentication apparatus A (S313). When within the predetermined range (YES in S303), clock unit 180b replaces current time Tb2 with the decrypted text (current time Ta (Tb1)) (S304). That is, the time of the current time Tb2 is Ta (Tb1). Here, the replaced current time Tb2 is written as current time Tb2 (Tb1).

In S305, the decryption unit 100b outputs the decrypted text (random number Rb), the decrypted text (random number Ra), the decrypted text (current time Ta (Tb1)), and data (current time Ta (Tb1)) to the counting unit 170b. The counting unit 170b compares the decrypted text input from the decrypting unit 100b with the decrypted text that has been sent and stored before by the processing device. If they match (YES in S306), the count value is increased (S307a).
For example, the authentication device 10b stores the sending data transmitted from the authentication device 10a in the sending data storage unit 112b. The counting unit 170b uses the processing device to count the number of sending data that matches the decrypted text (random number Ra) in the sending data stored in the sending data storage unit 112b. The random number generation / determination unit 110b (first determination unit) may reject the authentication apparatus A when the number of pieces of transmission data that matches the random number Ra counted by the counting unit 170b is equal to or greater than a threshold value (predetermined value). .

In addition, the counting unit 170b compares the data input from the decoding unit 100b with the data that has been transmitted and stored before by the processing device. If they match (YES in S306), the count value is increased (S307a).
If the decrypted text and the data do not match (NO in S306), the count value is reset (S307b).

If the count value is equal to or greater than the threshold value in S308 (NO in S308), authentication device B denies authentication device A (S313). If the count value is less than the threshold value (YES in S308), the process proceeds to S309.
In a communication system, data may be retransmitted for convenience of a communication path. The processes in S305 to S308 are processes for rejecting authentication on the assumption that retransmission data less than the threshold value is accepted as valid authentication data and data retransmitted more than the threshold value is invalid authentication data.

  In S309, the counting unit 170b sends the decrypted text (random number Rb), the decrypted text (random number Ra), the decrypted text (current time Ta (Tb1)), and the data (current time Ta (Tb1)) to the random number generation / determination unit 110b. Output. Whether the random number generation / determination unit 110b matches the decrypted text (Rb) and the random number Rb generated in S101, and matches the decrypted text (current time Ta (Tb1)) and current time Tb2 (Tb1). Is determined by the processing device. If all match (YES at 310), the process proceeds to S311. If any of them does not match (NO in S310), authentication device B denies authentication device A (S313).

  In S <b> 311, the random number generation / determination unit 110 b connects the decrypted text (random number Ra) and the determination result (authentication) as a determination result for authenticating the authentication device A. The random number generation / determination unit 110b outputs a concatenated text to the encryption unit 120b. The clock unit 180b outputs the current time Tb2 (Tb1) to the encryption unit 120b. The encryption unit 120b concatenates and encrypts the concatenated text input from the random number generation / determination unit 110b and the current time Tb2 (Tb1) input from the clock unit 180b. This ciphertext is assumed to be a ciphertext (Ra, determination result B (authentication), Tb2 (Tb1)). The encryption unit 120b outputs the ciphertext (Ra, determination result B (authentication), Tb2 (Tb1)) and the current time Tb2 (Tb1) to the transmission / reception unit 140b.

  In S312, the transmission / reception unit 140b uses the bidirectional communication path 501 to the transmission / reception unit 140a of the authentication apparatus A to use the ciphertext (Ra, determination result B (authentication), Tb2 (Tb1)) and the current data time Tb2 (Tb1). ) As B2 authentication data.

FIG. 10 is a diagram showing an authentication device B authentication process of the authentication device A (authentication device 10a) according to the present embodiment.
In S401, the transmission / reception unit 160a receives the B2 authentication data (ciphertext (Ra, determination result B (authentication), Tb2 (Tb1)), data (current time Tb2 (Tb1))) received from the authentication device B, and decrypts the unit 100a. The decryption unit 100a decrypts the ciphertext (Ra, determination result B (authentication), Tb2 (Tb1)), of which the decrypted text corresponding to the random number Ra is decrypted (random number Ra), A decrypted text corresponding to the current time Tb2 (Tb1) is written as a decrypted text (current time Tb2 (Tb1)), and among the B2 authentication data, data corresponding to the current time Tb2 (Tb1) is data (current time Tb2 ( Write Tb1)).

In S402, the decryption unit 100a outputs the decrypted text (current time Tb2 (Tb1)) to the clock unit 180a. The clock unit 180a calculates the difference between (current time Tb2 (Tb1)) and current time Ta2 by the processing device.
In S403, the clock unit 180a determines whether or not the difference between the decrypted text (current time Tb2 (Tb1)) and the current time Ta2 is within a predetermined range. If it is outside the predetermined range (NO in S403), authentication device A denies authentication device B (S412). If within the predetermined range (YES in S403), clock unit 180a replaces current time Ta2 with the decrypted text (current time Tb2 (Tb1)) (S404). That is, the time of the current time Ta2 is Tb2 (Tb1). Here, the replaced current time Ta2 is written as current time Ta2 (Tb1).

  In S405, the decryption unit 100a sends the decrypted text (random number Ra), decrypted text (current time Tb2 (Tb1)), data (current time Tb2 (Tb1)), decrypted text (judgment result B) to the random number generation / determination unit 110a. Is output. The random number generation / determination unit 110a determines that “the decrypted text (Ra) matches the random number Ra generated in S207” and “the decrypted text (current time Tb2 (Tb1)) matches the current time Ta2 (Tb1). Is determined by the processing device. If all match (YES in S406), the process proceeds to S408. If any of them does not match (NO in S406), authentication device A denies authentication device B (S412).

In S408, the random number generation / determination unit 110a determines that the authentication apparatus A authenticates the authentication apparatus B, and outputs the determination result A (authentication) to the encryption unit 120a. The clock unit 180a outputs the current time Ta2 (Tb1) to the encryption unit 120a.
In S409, the encryption unit 120a encrypts the determination result A input from the random number generation / determination unit 110a and the current time Ta2 (Tb1) input from the clock unit 180a. This ciphertext is assumed to be a ciphertext (judgment result A (authentication), Ta2 (Tb1)). The encryption unit 120a outputs the ciphertext (determination result A (authentication), Ta2 (Tb1)) and the current time Ta2 (Tb1) to the transmission unit 150a.

  In S410, the transmission unit 150a sends the ciphertext (determination result A (authentication), Ta2 (Tb1)) and the current time Ta2 (Tb1) to the reception unit 160b of the authentication apparatus B using the unidirectional communication path 502. , Transmitted as A2 authentication data.

FIG. 11 is a diagram showing a determination result A reception process of the authentication device B (authentication device 10b) according to the present embodiment.
In S501, the receiving unit 160b receives the ciphertext (determination result A (authentication), Ta2 (Tb1)) and the current time Ta2 (Tb1) as A2 authentication data. The receiving unit 160b sends the ciphertext to the decrypting unit 100b and decrypts it. Of the decrypted text, the decrypted text corresponding to the judgment result is written as the decrypted text (judgment result A), and the decrypted text corresponding to the current time Ta2 (Tb1) is written as the decrypted text (current time Ta2 (Tb1)). Of the data, data corresponding to the current time Ta2 (Tb1) is written as data (current time Ta2 (Tb1)).

  In S502, the decryption unit 100b sends the decrypted text (current time Ta2 (Tb1)) to the clock unit 180b, compares it with the current time Tb3 of the clock unit 180b, and processes whether the difference is within a predetermined range. Judge by device. If it is outside the predetermined range (NO in S503), authentication device B denies authentication device A (S508). If it is within the predetermined range (YES in S503), the current time Tb3 is replaced with the decrypted text (current time Ta2 (Tb1)) (S504). The replaced current time is defined as current time Tb3 (Tb1).

The decryption unit 100b sends the decrypted text (determination result A), the decrypted text (current time Ta2 (Tb1)), and data (current time Ta2 (Tb1)) to the random number generation / determination unit 110b.
In S505, the random number generation / determination unit 110b determines whether or not the decrypted text (current time Ta2 (Tb1)) matches the data (current time Ta2 (Tb1)). If they do not match (NO in S506), authentication device B denies authentication device A (S508).
If they match (YES in S506), authentication apparatus B determines that the determination result of authentication apparatus A (10a) is authentication from the decrypted text (determination result A), and determines that it has been authenticated (S507).

The operation in which the authentication apparatus A and the authentication apparatus B that is less important than the authentication apparatus A perform the authentication process using the bidirectional communication path 501 and the unidirectional communication path 502 has been described above.
Next, a procedure for unidirectional authentication in which the authentication device 10b authenticates the authentication device 10a when the bidirectional communication path 501 shown in FIG. 4 is interrupted for some reason will be described. It is assumed that both the authentication device 10a and the authentication device 10b know that the two-way communication path 501 has been disconnected, and that both perform the single method authentication.

FIG. 12 is a diagram showing a unidirectional authentication request transmission process of the authentication device A (authentication device 10a) according to the present embodiment.
In S601, the random number generation / determination unit 110a generates a random number Ra (an example of a second random number) using the decrypted text (random number Rb) (second random number seed) held in the random number storage unit 111a as a seed. After the random number Ra is generated, the random number storage unit 111a updates the second random number seed to the random number Ra and stores it in the storage device in order to use the random number Ra as a seed for the next random number generation.
The random number generation / determination unit 110a outputs the random number Ra to the encryption unit 120a.
The clock unit 180a outputs the current time Ta to the encryption unit 120a.

In S602, the encryption unit 120a (second encryption unit) concatenates and encrypts the random number Ra and the current time Ta. This ciphertext is assumed to be a ciphertext (Ra, Ta).
The encryption unit 120a outputs the ciphertext (Ra, Ta) and the current time Ta to the transmission unit 150a (second transmission unit).
In S603, the transmission unit 150a transmits the ciphertext (Ra, Ta) and the current data time Ta to the reception unit 160b of the authentication apparatus B using the unidirectional communication path 502.

  This is the end of the description of the unidirectional authentication request transmission process of the authentication device A (authentication device 10a).

FIG. 13 is a diagram showing a unidirectional authentication process of the authentication device B (authentication device 10b) according to the present embodiment. FIG. 14 is a diagram showing a unidirectional authentication process of the authentication device B (authentication device 10b) according to the present embodiment.
In S701, the receiving unit 160b outputs the ciphertext (Ra, Ta) received from the authentication device A and the current time Ta to the decrypting unit 100b. The decryption unit 100b (first decryption unit) decrypts the ciphertext (Ra, Ta). Of the decrypted text, the decrypted text corresponding to the random number Ra is written as the decrypted text (random number Ra), and the decrypted text corresponding to the current time Ta is written as the decrypted text (current time Ta). Data corresponding to the current time Ta is written as data (current time Ta).

In S702, the decryption unit 100b outputs the decrypted text (current time Ta) to the clock unit 180b. The clock unit 180b calculates a difference between the decrypted text (current time Ta) and the current time Tb of the clock unit 180b by the processing device.
In S703, the clock unit 180b determines whether the difference between the decrypted text (current time Ta) and the current time Tb is within a predetermined range by the processing device. If it is outside the predetermined range (NO in S703), authentication apparatus B denies authentication apparatus A (S713). If within the predetermined range (YES in S703), clock unit 180b replaces current time Tb with the decrypted text (current time Ta) (S704). That is, the current time Tb is Ta. Here, the replaced current time Tb is written as current time Tb (Ta).

In S705, the decryption unit 100b outputs the decrypted text (random number Ra), the decrypted text (current time Ta), and the data (current time Ta) to the counting unit 170b. The counting unit 170b compares the decrypted text input from the decrypting unit 100b with the decrypted text that has been sent and stored before by the processing device. If they match (YES in S706), the count value is increased (S707a).
In addition, the counting unit 170b compares the data input from the decoding unit 100b with the data that has been transmitted and stored before by the processing device. If they match (YES in S706), the count value is increased (S707a).
If the decrypted text and the data do not match (NO in S706), the count value is reset (S707b).

If the count value is equal to or greater than the threshold value in S708 (NO in S708), authentication device B denies authentication device A (S713). If the count value is less than the threshold value (YES in S708), the process proceeds to S709a.
The processing in S705 to S708 is processing for rejecting authentication on the assumption that retransmission data less than the threshold value is accepted as valid authentication data, and data retransmitted more than the threshold value is invalid authentication data. Here, it is assumed that the threshold is determined in advance and stored in the storage device of the authentication device B.

  The counting unit 170b outputs the decrypted text (random number Ra), the decrypted text (current time Ta), and the data (current time Ta) to the random number generation / determination unit 110b.

In S709a, the random number generation / determination unit 110b generates a random number Rc (an example of a third random number) using the random number Rb (first random number seed) stored in the random number storage unit 111b as a seed. The random number generation / determination unit 110b determines whether or not the random number Rc matches the decrypted text (random number Ra).
The random number generation / determination unit 110b determines whether the decrypted text (Ra) matches the generated random number Rc by the processing device. If they match (YES in 709b), the process proceeds to S710a. If they do not match (NO in S709b), the process proceeds to S709c.
In S709c, the random number generation / determination unit 110b determines whether or not the random number Rc has been generated continuously a predetermined number of times or more. If random number generation / determination unit 110b has generated random number Rc a predetermined number of times or more (YES in S709c), authentication apparatus B denies authentication apparatus A (S713). If the random number generation / determination unit 110b has not generated the random number Rc more than the predetermined number of times (NO in S709c), the process returns to S709a, generates the random number Rc again, and matches the decrypted text (Ra). It is determined whether or not.

  In S710a, the random number generation / determination unit 110b determines whether the decrypted text (current time Ta) matches the data (current time Ta) by the processing device.

  The random number generation / determination unit 110b determines whether the decrypted text (current time Ta) matches the data (current time Ta) by the processing device. If they match (YES in S710b), the process proceeds to S711a. If they do not match (NO in S710b), authentication device B denies authentication device A (S713).

In S712, the random number storage unit 111b updates the first random number seed to the random number Rc and stores it in the storage device in order to use the random number Rc that matches the random number Ra as the seed for the next random number generation.
This is the end of the description of the one-way authentication processing of the authentication device A and the authentication device B.

In the authentication method of authentication system 500 according to the present embodiment, clock information is used as timekeeping information used together with random numbers. However, it is possible to authenticate in the same manner by using, for example, communication counter information in which the counter value increases for each communication instead of the clock information.
The same effect can be obtained by using both the clock information and the communication counter value.
Further, the same effect can be obtained by using information other than the clock information and the communication counter value that can be timed by both authentication devices.

It has been described that the authentication system 500 according to the present embodiment has the following configuration.
The authentication system 500 is different in importance between the authentication devices 10a and 10b, and a unidirectional communication path 502 that uses radio to send important data from a device with high importance (authentication device 10a) to a device with low importance (authentication device 10b). , An authentication system having a two-way communication path 501 using a wire for transmitting and receiving data other than important data.
The authentication device 10a and the authentication device 10b use pseudo-random number generators of the same series as random number generators. Normally, when a bidirectional communication path can be used, a device with low importance holds a generated random number, and a device with high importance uses a random number part that decrypts ciphertext sent from a device with low importance. Hold.
The authentication device 10a and the authentication device 10b generate a random number using the decrypted random number part held in the highly important device as a seed when the abnormality can be used only when a unidirectional communication path can be used. The low-priority device generates a random number using the held random number as a seed, and holds the generated random number as a next seed.
Further, the authentication device 10a and the authentication device 10b further send a random number, a ciphertext of clock information and timekeeping information from the transmission side, and the reception side receives the timekeeping information sent and the timekeeping information timed by the reception side. And the sent timing information and its encrypted information are compared, the sent data sent before is compared with the sent data sent now, and the sent random number and the receiving side hold it. Compare random number information.

  As described above, in the authentication system (authentication apparatus) according to the present embodiment, the generated random number is sent to the authenticated side, the random number sent on the authenticated side is encrypted and sent back, and the authentication side generates first. In addition to the challenge and response authentication procedure that compares the random number sent and the random number sent from the authenticated side, the time information and its encrypted information are sent and compared with the clock information on the receiving side. , And sent time information and its encryption information. In addition, the previously sent data is compared with the currently sent data. In addition, since the generated random number is prepared when the bidirectional communication path is disconnected, and the random number can be continuously generated as a seed when generating the random number, the retransmission attack can be prevented even in the one-way authentication at the time of disconnection. The data sender can be securely authenticated.

In the description of the above embodiment, “encryption unit”, “decryption unit”, “transmission / reception unit”, “transmission unit”, “reception unit”, “clock unit”, “counting unit”, “random number generation / determination unit” The “key generation unit” constitutes the authentication device 10a and the authentication device 10b as independent function blocks. However, the present invention is not limited to this. For example, the “encryption unit”, “decryption unit”, “clock unit”, “counting unit”, and “random number generation / determination unit” are realized by one functional block, Unit "," transmission unit ", and" reception unit "may be realized by one functional block. Alternatively, the authentication device 10a and the authentication device 10b may be configured by any other combination of these functional blocks.
In addition, this invention is not limited to these embodiment, A various change is possible as needed.

  10a, 10b authentication device, 20a second device, 20b first device, 25a input IF, 30b output IF, 40a one-way communication unit, 100a, 100b decryption unit, 110a, 110b random number generation / determination unit, 111a, 111b random number storage Part, 112b transmission data storage part, 120a, 120b encryption part, 130a, 130b key generation part, 140a, 140b transmission / reception part, 150a transmission part, 160b reception part, 170a, 170b counting part, 180a, 180b clock part, 500 authentication system 501 bi-directional communication path 502 unidirectional communication path 901 arithmetic unit 902 external storage unit 903 main storage unit 904 communication unit 905 input / output unit

Claims (8)

A first device; a second device having a higher importance than the first device; a bidirectional communication path for performing bidirectional communication between the first device and the second device; An authentication system for transmitting data to the first device using the unidirectional communication path, wherein the second device uses the unidirectional communication path.
The first device includes:
A first random number generator for generating a first random number;
A first random number storage unit that stores the first random number generated by the first random number generation unit as a first random number seed that is a seed of random number generation;
A first encryption unit for encrypting the first random number generated by the first random number generation unit;
A first transmission / reception unit that transmits the first random number encrypted by the first encryption unit to the second device using the bidirectional communication path;
The second device includes:
A second decoding unit for decoding the first random number received from the first transmission / reception unit of the first device;
An authentication system comprising: a second random number storage unit that stores the first random number decrypted by the second decryption unit as a second random number seed that is a seed of random number generation. The second device further includes:
A second random number generator for generating a second random number using the second random number seed stored in the second random number storage as a seed;
A second encryption unit for encrypting the second random number generated by the second random number generation unit;
A second transmission unit that transmits the second random number encrypted by the second encryption unit to the first device using the one-way communication path;
The second random number storage unit stores the second random number generated by the second random number generation unit as the second random number seed,
The first device further includes:
A first decryption unit for decrypting the second random number received from the second transmission unit of the second device;
The first random number generator
Generating a third random number using the first random number stored in the first random number storage as a seed;
The first device further includes:
When the processing unit compares the third random number generated by the first random number generation unit and the second random number decoded by the first decoding unit, and the third random number and the second random number match A first determination unit that determines to authenticate the second device;
The first random number storage unit stores the third random number generated by the first random number generation unit as the first random number seed when the first determination unit determines to authenticate the second device. The authentication system according to claim 1. The second device further includes:
A second timekeeping unit for obtaining second timekeeping information;
The second encryption unit encrypts the second timing information acquired by the second timing unit and the second random number,
The second transmission unit transmits the second timing information encrypted by the second encryption unit and the second random number to the first device,
The first decryption unit decrypts the second random number received from the second transmission unit and the second timing information,
The first device further includes:
A first timekeeping unit for obtaining first timekeeping information;
The first determination unit is configured such that the third random number and the second random number match, and the first time information acquired by the first time measurement unit and the second time measurement decoded by the first decoding unit. 3. The authentication system according to claim 2, wherein the information is compared with a processing device, and the second device is authenticated when the first timekeeping information and the second timekeeping information match. The first device further includes:
A delivery data storage unit for storing delivery data transmitted from the second transmission unit;
A first counting unit that counts the number of sending data that matches the second random number decoded by the first decoding unit in the sending data stored in the sending data storage unit;
The said 1st determination part denies a said 2nd apparatus, when the number of the transmission data which corresponds with the said 2nd random number counted by the said 1st counting part is more than predetermined value. The authentication system according to 2 or 3.   The authentication system according to claim 3, wherein the first timekeeping information and the second timekeeping information are time information.   The authentication system according to claim 3, wherein the first timekeeping information and the second timekeeping information are communication counter information for counting the number of times of communication.   The authentication system according to claim 3, wherein the first timekeeping information and the second timekeeping information are time information and communication counter information for counting the number of times of communication. A first device; a second device having a higher importance than the first device; a bidirectional communication path for performing bidirectional communication between the first device and the second device; In the authentication method of the authentication system, comprising: a unidirectional communication path that performs unidirectional communication to one apparatus, wherein the second apparatus transmits data to the first apparatus using the unidirectional communication path;
A first random number generation step in which the first random number generator of the first device generates a first random number;
A first random number storage step in which the first random number storage unit of the first device stores the first random number generated by the first random number generation step as a first random number seed that is a seed of random number generation;
A first encryption step in which a first encryption unit of the first device encrypts the first random number generated by the first random number generation step;
A first transmission / reception step in which the first transmission / reception unit of the first device transmits the first random number encrypted by the first encryption step to the second device using the bidirectional communication path;
A second decryption step in which a second decryption unit of the second device decrypts the first random number received in the first transmission / reception step of the first device;
The second random number storage unit of the second device includes a second random number storage step of storing the first random number decoded by the second decoding step as a second random number seed that is a seed of random number generation. Authentication method.

Images