JP2016039456A - Communication system, communication method, node, data processing device, and communication control device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To prevent deterioration in security while securing compatibility with general-purpose security communication protocols and reducing a load on a node.SOLUTION: The present invention relates to a communication system including a node, a first data processing device, one or more second data processing devices, a server, and a communication control device for mediating communication between the node and another device. In the communication system of the present invention, the node divides information into first partial integer information and one or more pieces of second partial integer information, transmits the first partial integer information to the first data processing device, transmits the second partial integer information to the second data processing devices, to request calculation of the source of a prescribed cyclic group and calculation based on the source of the prescribed cyclic group, and generates common key information on the basis of the calculation results returned from the first data processing device and the second data processing devices.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a communication system, a communication method, a node, a data processing apparatus, and a communication control apparatus, and can be applied to a communication system that supports security communication using certificate-based TLS (Transport Layer Security), for example.

  Conventionally, certificate-based TLS is widely used in IP communication networks as a protocol for ensuring end-to-end secure communication paths. In recent years, the movement of IP reachable nodes, such as wireless sensors, with less resources has accelerated, and the effect that the TLS protocol can be used when an encrypted communication path is established between the sensor and a server on the Internet is Can be expected to be big.

  However, wireless nodes used in sensor networks have few computational resources such as CPUs and memories in order to reduce manufacturing costs, and communication bandwidth and power consumption may be limited. The amount of traffic and the amount of calculation of the public key encryption algorithm are considered to be problems.

  As a conventional technique for dealing with the above-described problems, there are techniques described in Patent Documents 1 to 3.

  Patent Documents 1 and 2 describe a method for reducing the load on a terminal by causing an end-to-end key exchange process and an authentication process to be performed by a calculation processing entrusted device on a higher-level network side with a security processing unit. .

  Non-Patent Document 1 discloses a method for reducing the calculation load of a terminal by causing an end-to-end key exchange process to be burdened with a part of the security process by a calculation entrusted device on the host network side.

Japanese Patent Application No. 2012-015216 Japanese Patent Application No. 2012-158725

Kazuomi Oishi, Tsutomu Matsumoto, “Diffie-Hellman public key distribution method request calculation protocol,” IEICE (D), vol. J93-D, no. 7, pp. 1202-1213, Jul. 2010.

  However, the technology described in Patent Document 1 is not compatible with a general-purpose security communication protocol such as TLS (Transport Layer Security).

  Further, in the technique described in Patent Document 2, since random number information is generated by a calculation entrusted server (computed commission server), the vulnerability in the case where the computed commission server uses a weak pseudo random number sequence having a short period is used. I can't cover it. In addition, since there is no setting method for the pre-shared key when switching the calculation entrusted server, it is necessary to manually set the pre-key sharing with a new calculation entrusted server.

  Furthermore, in the technique described in Patent Document 3, there is a problem that the amount of traffic accompanying the entrustment of calculation becomes enormous.

  In view of the above problems, the compatibility with general-purpose security communication protocols (for example, TLS etc.) is ensured and the load on the node on the client side is reduced, and the deterioration of security is suppressed. A communication system, a communication method, a node, a data processing device, and a communication control device are desired.

  The first aspect of the present invention is (1) mediating communication between a node, a first data processing device, one or more second data processing devices, a server, and the node and another device. (2) The node includes (2-1) a dividing unit that divides integer information into first partial integer information and one or more second partial integer information. (2-2) The first partial integer information is encrypted with advance key information shared in advance with the first data processing device, and the first data processing is performed via the communication control device. First calculation requesting means for requesting calculation processing based on the first partial integer information by transmitting to the device; and (2-3) the second partial integer information corresponding to each of the second partial integer information. Pre-key information shared in advance with the data processing device And second calculation requesting means for requesting calculation processing based on the second partial integer information by transmitting to each of the second data processing devices via the communication control device, 3) The first data processing device is (3-1) the first partial integer information obtained by decrypting the data supplied from the node with pre-key information shared in advance with the node. And the element of the predetermined cyclic group are calculated by an operation defined in the predetermined cyclic group, the result of the operation is held as first original information, and is shared in advance with the node The first original information processing means for encrypting using the prior key information to be transmitted to the node via the communication control device, and (3-2) the first partial integer information and the predetermined element. , Calculate with the operations defined in the predetermined cyclic group And a second original information processing means for holding the result of the operation as second original information. (4) Each of the second data processing devices is (4-1) supplied from the node. The second partial integer information obtained by decrypting the generated data with the pre-key information shared in advance with the node and the element of the predetermined cyclic group are defined in the predetermined cyclic group. And the result of the operation is stored as third original information, encrypted using pre-key information shared in advance with the node, and the node is transmitted via the communication control device. And (4-2) calculating the second partial integer information and the element of the predetermined cyclic group by an operation defined in the predetermined cyclic group. The result calculated based on the operation is held as the fourth original information. And a fourth original information processing means for transmitting to the first data processing apparatus. (5) The first data processing apparatus receives each fourth original information and receives each fourth element. Information and the second original information, the result obtained by calculating with the operation defined in the predetermined cyclic group is held as the fifth original information, the original information of the fifth cyclic group, The system further comprises fifth original information processing means for transmitting the encrypted first original information to the node via the communication control device, and (6) the node includes the encrypted first information The original information and the encrypted third original information are received and decrypted, and the first original information and the third original information are calculated in the predetermined cyclic group. The result obtained by performing the calculation in step 6 is held as the sixth original information, and is common by performing a predetermined calculation on the sixth original information. Further comprising a common key information processing means for generating information, (7) The communication control device, a communication system characterized by having a communication control unit that mediates communication between the nodes and other devices.

  The second aspect of the present invention (1) mediates communication between a node, a first data processing device, one or more second data processing devices, a server, and the node and another device. A communication method of a communication system having a communication control device, wherein (2) the node divides integer information into first partial integer information and one or more second partial integer information; 3) The node encrypts the first partial integer information with advance key information shared in advance with the first data processing device, and performs the first data processing via the communication control device. A first calculation requesting step for requesting calculation processing based on the first partial integer information by transmitting to the device; and (4) the first corresponding to the second partial integer information respectively corresponding to the second partial integer information. Sharing in advance between two data processing devices A second calculation requesting step for requesting calculation processing based on the second partial integer information by encrypting each with key information and transmitting to each of the second data processing devices via the communication control device; (5) The first partial integer information obtained by the first data processing device decrypting the data supplied from the node with pre-key information shared in advance with the node; and A pre-key that calculates an element of a predetermined cyclic group with an operation defined in the predetermined cyclic group, holds a result of the operation as first original information, and is shared in advance with the node A first original information processing step of encrypting using information and transmitting the information to the node via the communication control device; and (6) the first data processing device includes the first partial integer information, To the above-mentioned predetermined traveling group A second original information processing step for performing a calculation with an operation defined as follows and holding the result of the operation as second original information; and (7) the second data processing device received by each of the second data processing devices. The partial integer information of 2 and the element of the predetermined cyclic group are calculated by an operation defined in the predetermined cyclic group, and the result of the operation is held as third original information. A third original information processing step of encrypting using pre-key information shared in advance between the two and transmitting to the node via the communication control device; and (8) each of the second data processing devices The second partial integer information and the predetermined element are calculated by an operation defined in the predetermined cyclic group, and a result calculated based on the operation is stored as fourth original information. And a fourth data to be transmitted to the first data processing device (9) the first data processing device receives each fourth source information, and transmits each fourth source information and the second source information in the predetermined cyclic group. A result obtained by performing a calculation with a defined operation is held as fifth original information, and the fifth original information and the encrypted first original information are stored in the node via the communication control device. And (10) the node receives and decrypts the encrypted first original information and each of the encrypted third original information, and A result obtained by calculating the first original information and each of the third original information by an operation defined in the predetermined cyclic group is held as sixth original information, and the sixth original information is stored. A common key information processing means for generating common key information by performing a predetermined operation on the information, and (11) the communication control device Characterized in that it comprises a communication control step for mediating communication between the node and another device.

  The third aspect of the present invention is (1) mediating communication between a node, a first data processing device, one or more second data processing devices, a server, and the node and another device. A node constituting a communication system having a communication control device, (2) dividing means for dividing integer information into first partial integer information and one or more second partial integer information; and (3) the above The first partial integer information is encrypted with advance key information shared in advance with the first data processing device, and is transmitted to the first data processing device via the communication control device. Between the first calculation requesting means for requesting calculation processing based on the first partial integer information, and (4) the second data processing device corresponding to each of the second partial integer information in advance. Encrypt with each pre-key information to be shared Second calculation requesting means for requesting calculation processing based on the second partial integer information by transmitting to each of the second data processing devices via the control device; (5) the first data The data returned from the processing device based on the request of the first calculation request means is decrypted with the pre-key information shared in advance with the first data processing device, and the predetermined cyclic group is concerned The first original information is acquired, and data returned from each of the second data processing devices based on the request of the second calculation requesting unit is exchanged with the second data processing device. Decrypting with the pre-shared key information in advance to obtain third original information related to the predetermined cyclic group, and the first original information and each of the third original information in the predetermined cyclic group The result obtained by calculating with the defined operation is the sixth It held as information, and having a common key information processing means for generating a common key information by performing a predetermined calculation based on information of the sixth.

  The fourth aspect of the present invention is (1) mediating communication between a node, a first data processing device, one or more second data processing devices, a server, and the node and another device. A first data processing device constituting a communication system having a communication control device, (2) decrypting data supplied from the node with prior key information shared in advance with the node; The first partial integer information divided from the integer information is held, and the first partial integer information and the element of the predetermined cyclic group are calculated by the operation defined in the predetermined cyclic group and the predetermined cyclic group. Perform calculation, hold the result of the operation as original information of the first cyclic group, encrypt using the pre-key information shared in advance with the node, and store it in the node via the communication control device First original information processing means for transmitting, (3) the first 2nd original information which calculates partial integer information and the element of a predetermined cyclic group by the calculation defined in the said predetermined cyclic group, and hold | maintains the result of the calculation as original information of a 2nd cyclic group (4) from each of the second data processing devices, one of a plurality of second partial integer information divided from the integer information and the element of the predetermined cyclic group, When the original information of the fourth cyclic group obtained as a result of performing the calculation defined in the predetermined cyclic group is supplied, the fourth cyclic group obtained from each of the second data processing devices. And the result obtained by calculating the original information of the second cyclic group by the operation defined in the predetermined cyclic group is held as original information of the fifth cyclic group, and Communication of the original information of 5 cyclic groups and the encrypted first original information Via the control device and having a source information processing unit of the fifth to be sent to the node.

  The fifth aspect of the present invention is (1) mediating communication between a node, a first data processing device, one or more second data processing devices, a server, and the node and another device. A second data processing device constituting a communication system having a communication control device, wherein (2) the first partial integer information divided from the integer information and the element of the predetermined cyclic group are When the second original information obtained as a result of performing the calculation defined in the cyclic group is supplied from the first data processing device, the second original information and the predetermined cyclic group Using the pre-key information shared in advance with the above node, holding the result of the operation as third original information, and calculating with the operation defined in the predetermined cyclic group A third encrypted data is transmitted to the node via the communication control device. (3) second partial integer information divided from the integer information obtained by decrypting data supplied from the node with advance key information shared in advance with the node; And the result of the calculation based on the calculation is stored as the original information of the cyclic group, and the first data processing device stores the result of the cyclic group element in the first data processing apparatus. It has the 4th original information processing means to transmit, It is characterized by the above-mentioned.

  The sixth aspect of the present invention is (1) mediating communication between a node, a first data processing device, one or more second data processing devices, a server, and the node and another device. The communication control device constituting a communication system having a communication control device, characterized in that (2) communication control means for mediating communication between the node and another device.

  ADVANTAGE OF THE INVENTION According to this invention, the communication system which can suppress the fall of security property can be provided, ensuring compatibility with the protocol of a general-purpose security communication, and implement | achieving the load reduction of the node of a client side. .

1 is a block diagram showing an overall configuration of a network system according to an embodiment. It is the block diagram shown about the functional structure of the node which concerns on embodiment. It is the block diagram shown about the functional structure of the radio | wireless NW management terminal which concerns on embodiment. It is the block diagram shown about the functional structure of the 1st calculation consignment server which concerns on embodiment. It is the block diagram shown about the functional structure of the 2nd calculation consignment server which concerns on embodiment. It is the block diagram shown about the functional structure of the key sharing server which concerns on embodiment. It is the flowchart shown about operation | movement of the communication system which concerns on embodiment.

(A) Main Embodiment Hereinafter, an embodiment of a communication system, a communication method, a node, a data processing device, and a communication control device according to the present invention will be described in detail with reference to the drawings. Note that the data processing apparatus and the communication control apparatus of this embodiment will be described as being a calculation-commissioned server and a wireless NW management terminal, respectively.

(A-1) Configuration of Embodiment FIG. 1 is a block diagram showing an overall configuration of a communication system 1 of this embodiment.

  As shown in FIG. 1, in the communication system 1, a plurality of nodes 100, a wireless NW management terminal 200, two calculation-commissioned servers 300 and 400, a key sharing server 500, and a TLS server 600 are arranged. In the following description, the calculated entrusted server 300 may be referred to as a “first calculated entrusted server” and the calculated entrusted server 400 may be referred to as a “second calculated entrusted server”. In this embodiment, the second calculation entrusted server 400 is described as being one unit, but may be configured by a plurality of units.

  In the communication system 1 according to this embodiment, the certificate-based TLS handshake protocol is executed by the TLS client side (node 100) while performing the calculation entrustment to the two computation entrusted servers 300 and 400. Yes.

  In the communication system 1, each node 100 is connected to the wireless network N2. In addition, the first calculation consignment server 300, the second calculation consignment server 400, the key sharing server 500, and the TLS server 600 are each connected to the Internet N1. Further, in the wireless NW management terminal 200, the Internet N1 can be connected to both the Internet N1 and the wireless network N2.

  In the following description, “g” is a generator of the cyclic group <G,..., And is a parameter common to the system. In the following description, “n” is the order of a predetermined element “g” belonging to the cyclic group G. Further, in the following, “α · β∈G” for the element “α, β” of the cyclic group G performs the operation “•” defined in the cyclic group G with α and β as operands. It means that. Furthermore, in the following, for the element α and the integer β of the cyclic group G, “α ^ β∈G” means that the operation defined in the cyclic group G is performed β times with α as an operand. To do. For example, when the cyclic group G is a group formed by rational points on the elliptic curve E, “α · β∈G” means an elliptic addition of α and β on the elliptic curve E, and “α ^ β “∈G” means an elliptic scalar β multiplication of α.

In the following, the remainder class of the modulus N to which the integer a belongs with respect to the integer a is represented as “a mod N”. Further, in the following, a finite field of modulus _N is represented as F _N , and a multiplicative group formed by the entire reversible remainder class of F _N is represented as F _N ^* .

Furthermore, in the following, it is assumed that the integer “a∈F _n ^* ” is the secret key of the node 100, and “P _a = g ^ a∈G” is the public key of the node 100.

In the following, it is assumed that “integer bεF _n ^* ” is a secret key of the TLS server 600 and “P _b = g ^ bεG” is a public key of the TLS server 600. Further, in the following, it is assumed that b and P _b are also a DH private key and a DH public key, respectively. Furthermore, in the following, the integer “x∈F _n ^* ” is the DH private key of the node 100 in Diffie-Hellman key sharing, and “P _x = g ^ x∈G” is the same DH public key. To do.

The integers x ₁ and x ₂ are partial DH secret key information, and satisfy “x ₁ + x ₂ = x mod n”. Further, hereinafter, the common key information shared as a result of Diffie-Hellman key sharing is referred to as a shared key K. Furthermore, in the following, it is assumed that the advance key information PSK _i (i = 1, 2), the advance key information update key information q, and the shared key K are key information used in the common key cryptosystem.

  Next, detailed configurations of the node 100, the wireless NW management terminal 200, the first calculated consignment server 300, the second calculated consignment server 400, and the key sharing server 500 will be described.

  2 to 6 are block diagrams showing the functional configurations of the node 100, the wireless NW management terminal 200, the first calculated consignment server 300, the second calculated consignment server 400, and the key sharing server 500, respectively. It is. In the communication system 1, the TLS server 600 can be a server machine equipped with server functions related to various TLS protocols.

[Internal configuration of node 100]
Next, the internal configuration of the node 100 will be described with reference to FIG.

  The node 100 includes a transmission / reception unit 101, an encryption unit 102, a decryption unit 103, a secret information storage unit 104, a secret information division unit 105, an advance key information storage unit 106, an advance key information update unit 107, an advance key information update control unit 108, It has a shared key information generation unit 109, a signature information generation unit 110, a random number generation unit 111, an address information input unit 112, a Finished generation unit 113, and a Finished comparison unit 114.

  The transmission / reception unit 101 has a network interface function for communicating with an entity (another communication device) connected to the wireless network N2.

The encryption unit 102 performs data encryption, and in this embodiment, as an example, a description will be given assuming that a common key encryption method such as AES is applied. The encryption key information uses the key information stored in the advance key information storage unit 106. In this embodiment, partial DH secret key information x ₁ and x ₂ (details will be described later) output from the secret information division unit 105 are encrypted using PSK ₁ and PSK ₂ as keys, respectively, and are transmitted via the transmission / reception unit 101. It is assumed that the data is transmitted to the first calculated consignment server 300 and the second calculated consignment server 400.

The decryption unit 103 decrypts the encrypted ciphertext. Specifically, the decryption unit 103 transmits the encrypted partial DH shared key information Enc (PSK ₁ , P _b ^ (x ₁ )) and Enc (PSK ₂ , P _b ^ (x ₂ )) to the wireless NW. Received from the management terminal 200, decrypted, and output to the shared key information generation unit 109. It is assumed that the decryption unit 103 uses key information stored in the prior key information storage unit 106 as key information for decryption.

The secret information storage unit 104 stores secret key information a of the public key encryption pair (a, P _a ) and pre-key information update key information q in advance. Further, the integer x arbitrarily generated by the random number generator 111 is temporarily stored until the TLS handshake is completed. The secret information storage unit 104 temporarily stores the DH shared key information K generated by the shared key information generation unit 109 for a necessary period.

The secret information dividing unit 105 arbitrarily divides the DH secret key x so that the sum of x ₁ and x ₂ is x with respect to the integers x ₁ and x ₂ . In this embodiment, x ₁ and x ₂ are referred to as “first partial DH private key information” and “second partial DH private key information”, respectively.

The advance key information storage unit 106 stores the first advance key information PSK ₁ and the second advance key information PSK ₂ .

  The advance key information update unit 107 updates the advance key information stored in the advance key information storage unit 106. In this embodiment, the pre-key information update unit 107 implements a keyed one-way function, and uses the pre-key information update key information q stored in the secret key storage unit 104 as key information. The prior key information stored in the storage unit 106 is input to the keyed one-way function, and all or part of the output information is used as new prior key information.

  The advance key information update control unit 108 performs a process of determining a timing for operating the advance key information update unit 107 and a process of outputting a signal for controlling the advance key information update unit 107. In this embodiment, the process of determining the timing is to detect that a pre-shared key update command (UpdatePSK) has been received from the wireless NW management terminal 200 via the transmission / reception unit 101.

The shared key information generation unit 109 receives the first partial shared key information P _b ^ (x ₁ ) and the second partial shared key information P _b ^ (x ₂ ) from the decryption unit 103, and uses the shared key K as The shared key K is obtained from the equation (1), and the shared key K is stored in the secret information storage unit 104 as a TLS session key.

_{K = F (P b ^ (} x 1) · P b ^ (x 2)) ... (1)
Here, P _b ^ (x ₁ ) and P _b ^ (x ₂ ) are elements of the cyclic group G, and F (Z) is a function for converting the element Z of the cyclic group G into key information. Then, in addition to the elements of the cyclic group G, this is a function defined in TLS using spare information called a client random value and a server random value.

The signature information generation unit 110 reads the secret key a of the node 100 and the random number x generated by the random number generation unit from the secret information storage unit 104 and is transmitted from the wireless NW management terminal 200 via the transmission / reception unit 101. Integer information h and r are received, and signature information s is calculated by the following equation (2) and transmitted to the wireless NW management terminal 200. In the equation (2), x ⁻¹ is an inverse element of x.

s = x ⁻¹ × (h + a × r) mod n (2)
The random number generation unit 111 generates an arbitrary element from the elements of the finite field F _n and outputs it to the secret information storage unit 104.

  The address information input unit 112 includes an interface for receiving TLS server address information (Internet URL or the like) from the outside when performing a TLS handshake. Then, the address information input unit 112 transmits the input address information to the wireless NW management terminal 200 via the transmission / reception unit 101.

  The Finished generation unit 113 receives the hash value of the TLS handshake message transmitted / received by the wireless NW management terminal 200 to / from the TLS server from the wireless NW management terminal 200, and is defined in the shared key K, the hash value, and the TLS handshake protocol. The client Finished message or the server Finished message is generated using this message.

  The Finished comparison unit 114 compares the server Finished generated by the Finished generation unit 113 with the server Finished message received from the wireless NW management terminal 200, and detects a TLS handshake failure if they do not match.

[Wireless NW management terminal 200]
Next, the device configuration of the wireless NW management terminal 200 will be described with reference to FIG.

  The wireless NW management terminal 200 includes a wireless NW transmission / reception unit 201, an Internet transmission / reception unit 202, a TLS handshake control unit 203, a TLS handshake message generation unit 204, a wireless NW management unit 205, and a parameter generation unit 206.

  The wireless NW transmission / reception unit 201 is connected to the wireless network N2 and functions as a network interface that communicates with an entity (another communication device).

  The Internet transmission / reception unit 202 has a function of a network interface for communicating with an entity (another communication device) connected to the Internet N1.

  The TLS handshake control unit 203 controls processing for exchanging TLS handshake messages on behalf of nodes.

Specifically, the TLS handshake control unit 203 causes the TLS handshake message generation unit 204 to generate a TLS handshake message to be exchanged with the TLS server, and transmits the generated TLS handshake message via the transmission / reception unit. When processing using the secret information of the node 100 is necessary in the process in which the generation unit 204 generates the TLS message, necessary parameter information is given to the node 100. Then, the TLS handshake control unit 203 receives the result of the process using the secret information from the node 100 and gives it to the TLS handshake message generation unit 204. Then, the TLS handshake control unit 203 receives parameters from the parameter generation unit 206. Then, TLS handshake control unit 203, among the parameter information received from the parameter generating unit 206, the server public key information P _b Internet transceiver to the first of the calculated consignment server 300 and the second to-be-calculated consignment server 400 Via 202. Then, the TLS handshake control unit 203 transmits the integer information h, r, server random information rand _s , and client random information rand _c to the node 100 via the wireless NW transmission / reception unit 201. The TLS handshake control unit 203 then encrypts the partial shared key information Enc (PSK ₁ , P _b ^ (x ₁ )) respectively encrypted from the first computed commission server 300 and the second computed commission server 400. And Enc (PSK ₂ , P _b ^ (x ₂ )) are received and transferred to the node 100. When the TLS handshake control unit 203 receives the advance key information update command addressed to the node 100 from the key sharing server 500 via the Internet transmission / reception unit 202, the TLS handshake control unit 203 sends the advance key information update command to the wireless NW transmission / reception unit 201. To the node 100.

The TLS handshake message generation unit 204 generates a TLS handshake message and supplies it to the TLS handshake control unit 203. However, as a message secret key information of the node 100 is required in the TLS handshake, ClientKX, CertificateVerify, there is a client Finished message, TLS handshake message generator 204, DH public key information P _x including ClientKX the first It is received from the first calculation entrusted server 300 via the TLS handshake control unit 203. Also, the TLS handshake message generation unit 204 receives the digital signature information s included in the CertificateVerify and the client Finished message from the node 100 via the TLS handshake control unit 203.

  The wireless NW management unit 205 includes “address information”, “public key certificate information”, “TLS session information”, “connection destination TLS server information”, and “calculated” regarding the subordinate node 100 connected to the wireless network N2. The management server manages the address information of the consignment server, and gives information to the TLS handshake control unit 203 as necessary. Note that the wireless NW management unit 205 may have the public key certificate of the node 100 stored in advance in a key sharing server, for example, and may download it or install it manually from an input interface. You may do it. In addition, when the wireless NW management terminal 200 receives the advance key information update command (UpdatePSK), the wireless NW management unit 205 uses the wireless NW as address of the calculation consignment server for the node 100 using the address information of the calculation consignment servers 300 and 400. Stored in the management unit 205.

The parameter generation unit 206 generates or extracts parameter information from the TLS message transmitted / received from the transmission / reception unit 201. Specifically, the parameter generation unit 206 generates the parameter r generated from the hash values h, h ′, h ″ of the TLS message transmitted / received to / from the TLS server and the DH public key information P _x by a predetermined time. The server random value information rand _s is extracted from the ServerHello message received by the Internet transmitting / receiving unit 202, and the client random value information rand _c is extracted from the ClientHello message transmitted from the Internet transmitting / receiving unit 202. Parameter generating unit 206, for the parameters r, generated from the DH public key information P _x. In addition, the parameter generation unit 206 extracts the server public key P _b from the Certificate message of the TLS server 600.
[First calculation entrusted server 300]
Next, the apparatus configuration of the first calculation entrustment server 300 will be described with reference to FIG.

  The first calculation entrusted server 300 includes a transmission / reception unit 301, a key information reception unit 302, a key information storage unit 303, a decryption unit 304, a secret information storage unit 305, a general parameter storage unit 306, a calculation unit 307, and an encryption unit 308. Become.

  The transmission / reception unit 301 has a function of a network interface for communicating with an entity (another communication device) connected to the Internet N1.

The key information receiving unit 302 performs a process of securely receiving the first pre-key information PSK ₁ of the node 100 from the key sharing server 500 against eavesdropping or tampering. For example, the key information receiving unit 302 may construct and receive a secure communication path with the key sharing server 500 using SSL (Secure Socket Layer). The key information receiving unit 302 stores the pre-key information obtained here in the key information storage unit 303.

The key information storage unit 303 stores the advance key information PSK ₁ and provides the advance key information to the decryption unit 304 and the encryption unit 308 as necessary.

The decryption unit 304 receives and decrypts the first partial DH key information Enc (PSK ₁ , x ₁ ) encrypted with the first pre-key information PSK ₁ , and the first partial DH key information is secret information. The information is temporarily stored in the storage unit 305.

The secret information storage unit 305 temporarily stores the first partial DH secret key information x ₁ and provides it to the calculation unit 307 as necessary.

The general parameter storage unit 306 stores a generation source g of the cyclic group G in advance. In general parameter storage unit 306 via the transceiver unit 301 from the wireless NW management terminal 200, and temporarily stores the received server public key P _b of TLS Sapa. Further, the general parameter storage unit 306 receives the first partial DH public key information g ^ (x ₁ ) from the computing unit 307 and temporarily stores it, and then stores the second partial DH from the second computation entrusted server 400. The public key information g ^ (x ₂ ) is received via the transmission / reception unit 301 and temporarily stored. The general parameter storage unit 306 outputs the parameter information to the calculation unit 307 as necessary.

The calculation unit 307 receives the server public key information P _b from the general parameter storage unit 306 and also receives the first partial DH secret key information x ₁ from the secret information storage unit 305, and the first partial shared key information p _b ^ (X ₁ ) is calculated and output to the encryption unit 308. The arithmetic unit 307, the general parameter storage unit 306 with receiving the generator g of the cyclic group G, receiving a first portion DH private key information x ₁ from the secret information storage unit 306, the first portion DH public key Information g ^ (x ₁ ) is calculated and temporarily stored in the general parameter storage unit 306. Further, the calculation unit 307 receives the first partial DH public key information g ^ (x ₁ ) and the second partial DH public key information g ^ (x ₂ ) from the general parameter storage unit 306 and receives the following ( 3) The client DH public key information _Px is calculated from the equation (3) and is transmitted to the wireless NW management terminal 200 via the transmission / reception unit 301.

P _x = g ^ (x ₁ ) · g ^ (x ₂ ) (3)
When the encryption unit 308 receives the first partial DH shared key information P _b ^ (x ₁ ) from the calculation unit, the encryption unit 308 reads the _first pre-key information PSK ₁ from the key information storage unit 303, and the first pre-key information ^ first portion DH shared key information P _b a (x ₁₎ encrypted information _{Enc (PSK 1, P b ^} (x 1)) to generate using PSK _1, wirelessly via the transceiver 301 It transmits to the NW management terminal 200.

[Second calculation entrusted server 400]
Next, the second calculation entrusted server 400 will be described with reference to FIG.

  In the following, the second calculated consignment server 400 will be described focusing on the differences from the first calculated consignment server 300.

  The second calculation entrusted server 400 includes a transmission / reception unit 401, a key information reception unit 402, a key information storage unit 403, a decryption unit 404, a secret information storage unit 405, a general parameter storage unit 406, a calculation unit 407, and an encryption unit 408. Become.

  The transmission / reception unit 401 has the same configuration as the transmission / reception unit 301 of the first calculation-commissioned server 300.

The key information receiving unit 402 has the same configuration as that of the key information receiving unit 302 of the first calculation entrusted server 300 except that the key information receiving unit 402 receives the second pre-key information PSK ₂ .

The key information storage unit 403 is configured to store a second pre-key information PSK _2.

The decryption unit 404 receives and decrypts the second partial DH private key information x ₂ encrypted with the second pre-key information PSK ₂ and decrypts the second partial DH private key information x ₂ 405 is temporarily stored.

The secret information storage unit 405 temporarily stores the second partial DH secret key information x ₂ and provides it to the calculation unit 407 as necessary.

The general parameter storage unit 406 stores a generation source g of the cyclic group G in advance. In general parameter storage unit 406 temporarily stores the received server public key P _b of TLS server 600 via the transceiver unit 401 from the wireless NW management terminal 200. Further, the general parameter storage unit 406 outputs these parameter information to the calculation unit 407 as necessary.

The calculation unit 407 receives the server public key information P _b from the general parameter storage unit 406 and also receives the second partial DH secret key information x ₂ from the secret information storage unit 405, and receives the second partial shared key information P _b ^ (X ₂ ) is calculated and output to the encryption unit 408. The arithmetic unit 407, general parameters received from the storage unit 406 of the generator g of the cyclic group G, receives secret information storage unit 406 the second portion from the DH private key information x _2, second portion DH public key information g ^ (x ₂ ) is calculated, and the result is transmitted to the first calculation entrusted server 300 via the transmission / reception unit 401.

When the encryption unit 408 receives the second partial DH shared key information P _b ^ (x ₂ ) from the calculation unit 407, the encryption unit 408 reads the _second pre-key information PSK ₂ from the key information storage unit 403. Then, the encryption unit 408 encrypts the second partial DH shared key information P _b ^ (x ₂ ) using the _second prior key information PSK ₂ , and the information Enc (PSK ₂ , P _b ^ (x ₂ )) is transmitted to the wireless NW management terminal 200 via the transceiver 401.

[Key sharing server 500]
Next, the configuration of the key sharing server 500 will be described with reference to FIG.

  The key sharing server 500 includes a transmission / reception unit 501, a node information storage unit 502, an advance key information update unit 503, an advance key information update control unit 504, and a key distribution unit 505.

  The transmission / reception unit 501 functions as a network interface that communicates with an entity (another communication device) connected to the Internet N1.

The node information storage unit 502 includes an identifier of the node 100, a copy of the advance key information PSK _i stored in the advance key information storage unit 106 of the node 100, and an update of the advance key information stored in the secret information storage unit 104. A copy of the key information q is stored. The above-mentioned information stored in the node information storage unit 502 is set (for example, set using an input interface (not shown)) by, for example, storing it in the node information storage unit 502 when the node 100 is manufactured (at the time of introduction). You may do it.

  The advance key information update unit 503 can execute the same advance key information update process as the advance key information update unit 107 of the node 100.

  The advance key information update control unit 504 supplies the advance key information update command (UpdatePSK) to the advance key information update unit 503 at a predetermined timing, and wirelessly transmits the advance key information update command addressed to the node 100 via the transmission / reception unit 501. It transmits to the NW management terminal 200. This pre-key information update command includes the Internet address information of the first calculated consignment server 300 and the second calculated consignment server 400.

The key distribution unit 505 safely distributes the pre-key information PSK _i (i = 1, 2) to wiretapping / falsification using SSL or the like to each calculation-commissioned server.

(A-2) Operation | movement of embodiment Next, operation | movement (communication method which concerns on embodiment) of the communication system 1 of this embodiment which has the above structures is demonstrated.

  FIG. 7 is a sequence diagram showing an overall operation example of the communication system 1.

In the initial state of the flowchart of FIG. 7, the first calculated consignment server 300 and the second calculated consignment server 400 do not yet have the prior key information PSK _i (i = 1, 2) of the node 100. To do. Therefore, when the key sharing server 500 shares the advance key information, the advance key information update command (UpdatePSK) of the node 100 is sent from the advance key information update control unit 504 via the advance key information update unit 503 and the transmission / reception unit 501, respectively. It is transmitted to the wireless NW management terminal 200 (S101, S102).

The advance key information update unit 503 receives the advance key information update command of the node 100 and stores the advance key information PSK _i (i = 1, 2) of the node 100 and the advance key information update key information q of the node 100 as node information. The information is read from the unit 502 and updated to overwrite and update the advance key information of the node 100 stored in the node information storage unit 502, and the updated advance key information is output to the key delivery unit 505. The first pre-key information PSK _i is securely delivered to the first calculation entrusted server 300 via the transmission / reception unit 501 (S104), and the second pre-key information PSK2 is transmitted to the second calculation entrusted server 400 is safely delivered to 400 via the transmission / reception unit 501 (S105). In the entrusted servers 300 and 400, the distributed pre-key information is received by the key information receiving unit 302 and the key information receiving unit 402 and stored in the key information storage unit 303 and the key information storage unit 403.

  The wireless NW management terminal 200 receives the message at the TLS handshake control unit 203 via the Internet transmission / reception unit 202, recognizes that the command is an advance key information update instruction addressed to the node 100, and passes the wireless NW transmission / reception unit 201. To the node 100 (S103). Also, the wireless NW management terminal 200 causes the wireless NW management unit 205 to store the Internet address information of the first calculated consignment server 300 and the second calculated consignment server 400 included in the advance key information update command.

The node 100 receives the advance key information update command by the advance key information update control unit 108 via the transmission / reception unit 101. In the node 100, the advance key information update control unit 108 outputs an advance key information update command to the advance key information update unit 107, and the advance key information update unit 107 includes the advance key information storage unit 106 and the secret information storage unit. The pre-key information PSK _i (i = 1, 2) and the pre-key information update key information q are read from the respective 104, the pre-key information is updated, and is overwritten and stored in the pre-key information storage unit 106 (S106).

  Since the processing of the above steps S101 to S106 is pre-processing in the communication system 1, and the pre-key information update control unit 504 does not issue a pre-key information update command unless the calculation entrusted server is subsequently changed, The above processing is not executed.

  Next, the address information of the TLS server is input to the address information input unit 112 in the node 100, whereby the address information is transmitted to the wireless NW management terminal 200 (S107).

  The wireless NW management terminal 200 receives the address information of the TLS server 600 in the TLS handshake control unit 203 via the wireless NW transmission / reception unit 201, and the Client Hello specified in the TLS handshake message protocol is transmitted to the TLS handshake server 600. A message is transmitted to the TLS server 600 (S108).

  The TLS server 600 transmits ServerHello, Certificate, CertificateRequest, ServerHelloDone defined in the TLS handshake protocol to the wireless NW management terminal 200 (S109).

Next, the wireless NW management terminal 200 extracts the server random value rand _s from the ServerHello message and temporarily stores it in the parameter generation unit 206 and also stores the public key information P of the TLS server 600 from the Certificate message. Extract _b . Further, the wireless NW management terminal 200 reads the addresses of the first calculated consignment server 300 and the second calculated consignment server 400 stored in the wireless NW management unit 205, and public key information P of the TLS server 600. _b is transmitted to the calculation entrusted servers 300 and 400, respectively (S110, S111). In the calculation consignment server 300 and 400, respectively stored in the general parameter storage unit 306 and the general parameter storage unit 406 the public key information P _b.

Then, the node 100 arbitrarily generates an integer xεF _n in the random number generation unit 111 and stores it in the secret information storage unit 104, and the integer x is read from the secret information storage unit and is stored in the secret information division unit 105. Is divided into a _first partial DH private key x ₁ and a second partial DH private key x ₂ and output to the encryption unit 102 (S 112).

Furthermore, the node 100, the encryption unit 102, the first portion DH private key x ₁ is encrypted by the first pre-key information PSK _1, second part DH private key x ₂ is the second pre-key information The data is encrypted by PSK ₂ and transmitted to the wireless NW management terminal 200 via the transmission / reception unit 101 (S113).

  The wireless NW management terminal 200 transfers the encrypted first partial DH private key information as it is to the first calculation-commissioned server 300 (S114), and the encrypted second partial DH private key The information is transferred as it is to the second calculation entrusted server 400 (S115).

In the second calculation entrusted server 400, the encrypted second partial DH secret key information Enc (PSK ₂ , x ₂ ) is decrypted by the decryption unit 404 and stored in the secret information storage unit 405, and the calculation unit 407 Output to. Then, the calculation unit 407 reads the generation source g from the general parameter storage unit 406 to create the second partial DH public key information g ^ (x ₂ ), and sends the first calculated entrusted server via the transmission / reception unit 401. 300 (S 116), the public key information P _b is read from the general parameter storage unit 406, the second partial DH shared key information P _b ^ (x ₂ ) is calculated and output to the encryption unit 408.

Then, the encryption unit 408 encrypts the second partial DH shared key information P _b ^ (x ₂ ) with the prior key information PSK ₂ and transmits it to the wireless NW management terminal 200 via the transmission / reception unit 401 (S118).

On the other hand, in the first calculation entrusted server 300, the encrypted first partial DH secret key information Enc (PSK ₁ , x ₁ ) is decrypted by the decryption unit 304, stored in the secret information storage unit 305, and calculated. Output to the unit 307. Then, the calculation unit 307 reads the generator g from the general parameter storage unit 306 to create first partial DH public key information g ^ (x ₁ ) and temporarily stores the first partial DH public key information g ^ (x ₁ ) in the general parameter storage unit 306. The public key information P _b is read from the general parameter storage unit 306, the first partial DH shared key information P _b ^ (x ₁ ) is calculated and output to the encryption unit 308. Then, the encryption unit 308 encrypts the first partial DH shared key information P _b ^ (x ₁ ) with the pre-key information PSK ₁ and transmits it to the wireless NW management terminal 200 via the transmission / reception unit 301. Further, when receiving the second partial DH public key information g ^ (x ₂ ), the first calculation entrusted server 300 temporarily stores it in the general parameter storage unit 306. Then, the first partial DH public key information g ^ (x ₁ ) and the second partial DH public key information g ^ (x ₂ ) are output from the general parameter storage unit 306 to the calculation unit 307. Then, the DH public key information _Px is generated and calculated by the calculation unit 307 by the calculation defined for the cyclic group G, and transmitted to the wireless NW management terminal 200 via the transmission / reception unit 301 (S117).

The wireless NW management terminal 200, the hash value h of the messages exchanged with the TLS server from the start of the TLS handshake, parameters generated from DH public key information P _x received from the first of the calculated consignment server 300 r, the client random value rand _c extracted by the parameter generation unit 206, the server random value rand _s, and the first partial DH shared key information Enc (PSK ₁ , P _b ^ ( x ₁ )) and the encrypted second partial DH shared key information Enc (PSK ₂ , P _b ^ (x ₂ )) are transmitted to the node 100 (S 119).

When the node 100 receives the first and second partial DH shared key information, the decryption unit 103 decrypts the pre-key information PSK _i (i = 1, 2) stored in the pre-key information storage unit 106. And output to the shared key information generation unit 109. Further, the node 100 uses the received client random value rand _c and server random value rand _{s to} generate the DH shared key information K in the shared key information generation unit 109 according to the above equation (1), and the secret information storage unit 104 Remember me. Further, the node 100 provides the signature information generation unit 110 with the hash value h and parameter r received from the wireless NW management terminal 200 and the secret key information a and DH secret key information x stored in the secret information storage unit. The signature information s is calculated by the above equation (2) and transmitted to the wireless NW management terminal 200 via the transmission / reception unit 101 (S120).

Next, when the wireless NW management terminal 200 receives the signature information s from the wireless NW transmission / reception unit 201, the TLS handshake control unit 203 gives it to the TLS handshake message generation unit 204. Then, TLS handshake message generator 204 creates a Certificate message from the wireless NW management unit 204 reads the public key certificate of the node 100, to create a ClientKX from DH public key information P _x, signature information s and parameters CertificateVerify information is created from r, and these and ChangeCipherspec messages are transmitted to the TLS server 600 via the Internet transmitting / receiving unit 202 (S121).

  Next, the wireless NW management terminal 200 transmits the hash value h ′ of the message transmitted / received from the TLS server 600 so far to the node 100 via the wireless NW transmission / reception unit 201 (S122).

  In addition, the node 100 receives the hash value h ′ by the Finished generation unit 113, generates a client Finished message Finishedc defined in the TLS handshake protocol, and transmits it to the wireless NW management terminal 200 via the transmission / reception unit 101 (S123). ).

  Next, the wireless NW management terminal 200 transmits the client Finished message to the TLS server 600 (S124).

Also, the wireless NW management terminal 200 temporarily stores the hash value h ′ of the message transmitted / received to / from the TLS server 600 so far using an appropriate storage means (not shown in the configuration diagram), and the TLS It is assumed that a ChangeCiperspec message from the server 600 and a server Finished message Finished _s defined in the TLS handshake protocol are received from the Internet transmitting / receiving unit 202 (S125).

  Then, the wireless NW management terminal 200 transmits the server Finished message together with the hash value h ″ to the node 100 via the wireless NW transmission / reception unit 201 (S126).

In the node 100, h ′ is input to the Finished generation unit 113 to generate the server Finished message Finished _s and output to the comparison unit 114, and the server Finished message received from the wireless NW management terminal 200 is input to the comparison unit 114. . The comparison unit 114 examines whether or not the two servers Finished messages match, and if they do not match, it is assumed that the TLS handshake has failed.

(A-3) Effects of Embodiment According to this embodiment, the following effects can be achieved.

  In the communication system 1 of this embodiment, the partial calculation of the TLS handshake protocol in the node 100 is safely hurt by an external device (the first calculation consignment server 300 and the second calculation consignment server 400). Can do.

  In addition, by generating random number information on the node 100 side, security risks (risk of impersonation, etc.) can be suppressed, and the traffic volume required for the TLS handshake protocol can be reduced (for example, the system described in Patent Document 3) Can be reduced).

  Further, in the communication system 1, the number of calculation entrustments for key sharing and digital signature generation is reduced to one, and the communication between each calculated entrusted server and the node 100 is summarized by the wireless NW management terminal 200. As a result, the burden on calculation and communication in the node 100 is reduced.

(B) Other Embodiments The present invention is not limited to the above-described embodiments, and may include modified embodiments as exemplified below.

(B-1) In the above embodiment, the secret information dividing unit 105 has been described as dividing the integer x = x ₁ + x _2. However, the random number generating unit 111 generates x ₁ and x ₂ , This is given to the encryption unit 102 to be distributed to the first and second calculation-commissioned servers 300 and 400, and an integer synthesis unit is prepared separately to calculate x ₁ + x ₂ = x, which is stored as a secret information storage unit The configuration may be such that it is stored in 104.

  (B-2) In the above-described embodiment, the timing for issuing the advance key information update command has been described as before the advance key information is distributed to the server to be calculated. However, other timing (for example, manual operation by the administrator) The timing may be updated at the timing or timer processing.

  (B-3) The node 100 may send the DH shared key K to the wireless NW management terminal 200, and the wireless NW management terminal 200 may authenticate the generation of the client Finished message and the server Finished message from the TLS server. As a result, it is possible to reduce the amount of communication due to the transmission and reception of the Finished message of the node 100.

  (B-4) In the above-described embodiment, it has been described that there is one second calculated consignment server 400, but a plurality of second calculated consignment servers 400 may be arranged.

In the case where there are a plurality of second calculated entrustment servers 400, the secret information dividing unit 105 of the node 100 assigns the DH secret key x to the number of calculated entrusted servers (the first calculated entrusted server 300 and the second calculated entrusted server 300). Divide by the total number of calculation entrusted servers 400). For convenience, let the partial DH private keys given to the M second entrusted servers 400 be x ₂₁ , x _{22 ,.}

Further, when there are a plurality of second calculated entrustment servers 400, the first calculated entrustment server 300 sends second partial DH public key information g ^ (x from each second calculated entrustment server 400. ₂₁ ) to g ^ (x _2M ) are received. The first calculation entrusted server 300 includes the first partial DH public key information g ^ (x ₁ ) and the respective second partial DH public key information g ^ (x ₂₁ ) to g ^ (x _2M ) Is supplied to the calculation unit 307. Then, in the arithmetic unit 307, for the first partial DH public key information g ^ (x ₁ ) and the respective second partial DH public key information g ^ (x ₂ ) to g ^ (x _2M ), the cyclic group By calculating with the calculation defined in G, DH public key information P _x is generated and transmitted to the node 100.

  Furthermore, when there are a plurality of second calculation entrustment servers 400, the first partial DH shared key information supplied from the first calculation entrustment server 300 and the supply from each second calculation entrustment server 400 DH shared key information K is generated based on the second partial DH shared key information.

  (B-5) When a public key pair issued by PKI is used as the DH public key pair of the node 100, it is not necessary to generate a digital signature (when the cipher suite of the TLS handshake is fixed_ECDH).

  (B-6) When the TLS protocol fails, the node 100 may check the calculation entrusted to the calculation entrusted server and check whether the calculation entrusted server correctly calculated. In addition, the node 100 may change the calculation entrusted server to be used when the calculation entrusted server does not perform a correct calculation as a result of the verification.

  DESCRIPTION OF SYMBOLS 1 ... Communication system, 100 ... Node, 101 ... Transmission / reception part, 102 ... Encryption part, 103 ... Decryption part, 104 ... Secret information storage part, 105 ... Secret information division part, 106 ... Advance key information storage part, 107 ... Advance key Information update unit 108 ... Advance key information update control unit 109 ... Shared key information generation unit 110 110 Signature information generation unit 111 ... Random number generation unit 112 ... Address information input unit 113 ... Finished generation unit 114 ... Finished Comparison unit 200 ... Wireless NW management terminal 201 ... Wireless NW transmission / reception unit 202 ... Internet transmission / reception unit 203 ... TLS handshake control unit 204 ... TLS handshake message generation unit 205 ... Wireless NW management unit 206 ... Parameter Generating unit, 300... First calculation entrusted server, 301 ... transmitting / receiving unit, 302 ... key information receiving unit, 3 DESCRIPTION OF SYMBOLS 3 ... Key information storage part, 304 ... Decryption part, 305 ... Secret information storage part, 306 ... General parameter storage part, 307 ... Operation part, 308 ... Encryption part, 400 ... 2nd calculation entrusted server, 401 ... Transmission / reception part 402: Key information receiving unit, 403 ... Key information storage unit, 404 ... Decryption unit, 405 ... Secret information storage unit, 406 ... General parameter storage unit, 407 ... Operation unit, 408 ... Encryption unit, 500 ... Key sharing server, 500 ... Key sharing server, 502 ... Node information storage unit, 503 ... Advance key information update unit, 504 ... Advance key information update control unit, 505 ... Key distribution unit, 600 ... TLS server, N1 ... Internet, N2 ... Wireless network.

Claims (15)

A communication system including a node, a first data processing device, one or more second data processing devices, a server, and a communication control device that mediates communication between the node and another device. And
The above node
Dividing means for dividing the integer information into first partial integer information and one or more second partial integer information;
By encrypting the first partial integer information with advance key information shared in advance with the first data processing device and transmitting it to the first data processing device via the communication control device First calculation requesting means for requesting calculation processing based on the first partial integer information;
Each of the second partial integer information is encrypted with advance key information that is shared in advance with the corresponding second data processing device, and the second partial integer information is passed through the communication control device. Second calculation requesting means for requesting calculation processing based on the second partial integer information by transmitting to the data processing device;
The first data processing device includes:
The first partial integer information obtained by decrypting the data supplied from the node with pre-key information shared in advance with the node and the element of the predetermined cyclic group are used as the predetermined cyclic group. The calculation is performed by the operation defined in the group, the result of the operation is held as the first original information, encrypted using the pre-key information shared in advance with the node, and the communication control device First original information processing means for transmitting to the node,
A second element that calculates the first partial integer information and an element of a predetermined cyclic group by an operation defined in the predetermined cyclic group, and holds the result of the operation as second original information Information processing means,
Each of the second data processing devices is
The second partial integer information obtained by decrypting the data supplied from the node with the pre-key information shared in advance with the node and the element of the predetermined cyclic group are used as the predetermined cyclic group. The calculation is performed by the operation defined in the group, the result of the operation is held as the third original information, encrypted using the advance key information shared in advance with the node, and the communication control device is A third original information processing means for transmitting to the node via
The second partial integer information and the element of the predetermined cyclic group are calculated by an operation defined in the predetermined cyclic group, and the result calculated based on the calculation is used as the fourth original information. Holding the fourth original information processing means for transmitting to the first data processing device, the first data processing device,
Each fourth original information is received, and the result obtained by calculating each fourth original information and the second original information by an operation defined in the predetermined cyclic group is a fifth element. A fifth original information processing means for holding the fifth original information and the encrypted first original information to the node via the communication control device,
The above node
The encrypted first original information and each encrypted third original information are received and decrypted, and the first original information and each third original information are converted into the predetermined information. The common key information processing that holds the result obtained by performing the calculation defined in the cyclic group as the sixth original information and generates the common key information by performing a predetermined calculation on the sixth original information Further comprising means,
The communication control device
A communication system comprising communication control means for mediating communication between the node and another device. The communication control means of the communication control device comprises:
When transmitting the encrypted first original information and each encrypted third original information to the node, the fifth original information and the digital signature generation parameter information are included,
The above node
Digital signature information processing means for receiving the fifth original information and the digital signature generation parameter information, generating digital signature information by executing a predetermined calculation, and transmitting the digital signature information to the communication control device Further comprising
The communication control means of the communication control device comprises:
The communication system according to claim 1, wherein the digital signature information is received, and the digital signature information and the fifth original information are transmitted to the server. The communication control means of the communication control device comprises:
After transmitting the fifth original information and the digital signature information to the server, further comprising key confirmation information generation parameter processing means for generating a key confirmation information generation parameter and transmitting it to the node;
The node receives the key confirmation generation information parameter, generates first key confirmation information using the key confirmation generation information parameter and the common key information, and transmits the first key confirmation information to the communication control device. Further comprising
The communication control means of the communication control device receives the first key confirmation information, transmits it to the server,
The server further includes second key confirmation information processing means for receiving the first key confirmation information and generating second key confirmation information and transmitting the second key confirmation information to the communication control device,
The communication system according to claim 2, wherein the communication control means of the communication control device receives the second key confirmation information. The digital signature information processing means of the node, when transmitting the digital signature information to the communication control device, transmits the common key information together to the communication control device,
The communication control means of the communication control device receives the digital signature information and common key information, transmits the fifth original information and the digital signature information to the server, and sets a key confirmation generation information parameter. Further comprising key confirmation information generation parameter processing means for generating and generating first key confirmation information and transmitting it to the server;
The server further includes second key confirmation information processing means for receiving the first key confirmation information and generating second key confirmation information and transmitting the second key confirmation information to the communication control device. Item 3. The communication system according to Item 2. A key distribution server for storing a copy of the prior key information of the node and delivering the prior key information to the data processing device;
The key distribution server
A key distribution means for updating the pre-key information and transmitting a pre-key information update command to the node;
The node further comprises key update means for updating the advance key information in the same manner as the method in which the key distribution server has updated the advance key information when receiving the advance key information update command. 5. The communication system according to any one of 4. The above node
A random number holding means for holding a random number;
The communication system according to claim 1, wherein the dividing unit uses the random number information held by the random number holding unit as integer information.   The server is a TLS server, the node is a TLS client connected to the server, and the communication control device performs a TLS handshake with the server on behalf of the node operating as a TLS client. The communication system according to any one of claims 1 to 6.   The node further comprises verification means for verifying an operation requested by the first calculation requesting means or the means since the second calculation when the TLS handshake fails. 8. The communication system according to 7. Communication of a communication system having a node, a first data processing device, one or more second data processing devices, a server, and a communication control device that mediates communication between the node and another device A method,
A dividing step in which the node divides the integer information into first partial integer information and one or more second partial integer information;
The node encrypts the first partial integer information with advance key information shared in advance with the first data processing device, and passes the first data processing device to the first data processing device via the communication control device. A first computation requesting step for requesting computation processing based on the first partial integer information by transmitting;
Each of the nodes encrypts each of the second partial integer information with a prior key information that is shared in advance with the corresponding second data processing device, and passes through the communication control device. A second calculation requesting step for requesting calculation processing based on the second partial integer information by transmitting to the second data processing device;
The first partial integer information obtained by the first data processing device decrypting the data supplied from the node with pre-key information shared in advance with the node, and the predetermined cyclic group Using the pre-key information that is calculated by the operation defined in the predetermined cyclic group, holds the result of the operation as first original information, and is shared in advance with the node A first original information processing step of encrypting and transmitting to the node via the communication control device;
The first data processing device calculates the first partial integer information and an element of a predetermined cyclic group by an operation defined in the predetermined cyclic group, and the result of the operation is a second value. A second original information processing step retained as original information;
Each of the second data processing devices calculates the received second partial integer information and the element of the predetermined cyclic group by an operation defined in the predetermined cyclic group, and A third original information processing step of storing a result as third original information, encrypting the result using pre-key information shared in advance with the node, and transmitting the result to the node via the communication control device When,
Each of the second data processing devices calculates the second partial integer information and the element of the predetermined cyclic group by an operation defined in the predetermined cyclic group, and based on the calculation A fourth original information processing step of storing the calculated result as fourth original information and transmitting it to the first data processing device;
The first data processing device receives each fourth original information and calculates each fourth original information and the second original information by an operation defined in the predetermined cyclic group. The fifth original information is stored as the fifth original information, and the fifth original information and the encrypted first original information are transmitted to the node via the communication control device. Processing steps;
The node receives and decrypts the encrypted first original information and the encrypted third original information, and the first original information and the third original information Is stored as sixth original information, and common key information is generated by performing a predetermined operation on the sixth original information. A common key information processing means;
The communication control device includes a communication control step of mediating communication between the node and another device. A communication system having a node, a first data processing device, one or more second data processing devices, a server, and a communication control device that mediates communication between the node and another device A node that
Dividing means for dividing the integer information into first partial integer information and one or more second partial integer information;
By encrypting the first partial integer information with advance key information shared in advance with the first data processing device, and transmitting the first partial integer information to the first data processing device via the communication control device First calculation requesting means for requesting calculation processing based on the first partial integer information;
Each of the second partial integer information is respectively encrypted with pre-key information shared in advance with the corresponding second data processing device, and each of the second partial integer information is passed through the communication control device. Second calculation requesting means for requesting calculation processing based on the second partial integer information by transmitting to the data processing device;
The data returned from the first data processing device based on the request of the first calculation requesting unit is decrypted with the pre-key information shared in advance with the first data processing device, and the predetermined data The first original information related to the cyclic group is acquired, and data returned from each of the second data processing devices based on the request of the second calculation requesting unit is processed in the second data processing. Decrypting with prior key information shared in advance with the device to obtain third original information related to a predetermined cyclic group, the first original information and each of the third original information, Common key information for holding a result obtained by performing a calculation by a calculation defined in a predetermined cyclic group as sixth original information and generating common key information by performing a predetermined calculation on the sixth original information And a processing means.   11. The node according to claim 10, further comprising verification means for verifying data returned based on the request by the first calculation request means or the second calculation request means. A communication system having a node, a first data processing device, one or more second data processing devices, a server, and a communication control device that mediates communication between the node and another device A first data processing device, comprising:
The data supplied from the node is decrypted with the pre-key information shared in advance with the node, the first partial integer information divided from the integer information is held, and the first partial integer information and The element of the predetermined cyclic group is calculated by the operation defined in the predetermined cyclic group, the result of the operation is held as the first original information, and is shared in advance with the node First original information processing means for encrypting using prior key information and transmitting to the node via the communication control device;
A second element that calculates the first partial integer information and an element of a predetermined cyclic group by an operation defined in the predetermined cyclic group, and holds the result of the operation as second original information Information processing means;
From each of the second data processing devices, one of a plurality of second partial integer information divided from the integer information and an element of the predetermined cyclic group are defined in the predetermined cyclic group. When the fourth original information obtained as a result of the calculation by the operation is supplied, the fourth original information obtained from each of the second data processing devices and the second original information are obtained. , Holding the result obtained by performing the calculation by the operation defined in the predetermined cyclic group as the original information of the fifth cyclic group, the fifth original information, the encrypted first original information, And a fifth original information processing means for transmitting the information to the node via the communication control device. A communication system having a node, a first data processing device, one or more second data processing devices, a server, and a communication control device that mediates communication between the node and another device A second data processing device,
The second original information obtained as a result of calculating the first partial integer information divided from the integer information and the element of the predetermined cyclic group by an operation defined in the predetermined cyclic group, When supplied from the first data processing device, the second element information and the element of the predetermined cyclic group are calculated by an operation defined in the predetermined cyclic group, and the result of the operation Is stored as third original information, encrypted using prior key information shared in advance with the node, and transmitted to the node via the communication control device; The second partial integer information divided from the integer information obtained by decrypting the data supplied from the node with the advance key information shared in advance with the node, and the element of a predetermined cyclic group The calculation is performed with the operation defined in the predetermined cyclic group. And a fourth original information processing means for holding a result calculated based on the calculation as fourth original information and transmitting the result to the first data processing apparatus. A communication system having a node, a first data processing device, one or more second data processing devices, a server, and a communication control device that mediates communication between the node and another device The communication control device
A communication control device comprising communication control means for mediating communication between the node and another device. The server is a TLS server, the node is a TLS client connected to the server, and the communication control means performs a TLS handshake with the server on behalf of the node operating as a TLS client. ,
The communication control means is
Storage means for storing at least public key certificate information relating to the TLS client of the node;
TLS handshake message generating means for generating a TLS handshake message to be transmitted to the server;
Parameter generation means for extracting predetermined parameter information from a TLS handshake message transmitted and received with the server or generating predetermined parameter information based on the TLS handshake message;
A TLS hand that controls the TLS handshake message generation means and the parameter generation means, and transmits and receives predetermined information between the server, the first data processing device, and the second data processing device. The communication control apparatus according to claim 14, further comprising a shake control unit.

Images