JP2016184899A - Authentication device, authenticated device, authentication method, authenticated method, authentication processing program, and authenticated processing program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an authentication device, authenticated device, authentication method, authenticated method, authentication processing program, and authenticated processing program that can improve safety against spoofing or the like even if an attacker stores pairs of a challenge and a response.SOLUTION: A communication device T1 and a communication device T2 have stored the same random number table, safely update the random number table on a timely basis by only transmitting and receiving an index, and furthermore hand over a challenge value by index.SELECTED DRAWING: Figure 4

Description

  The present invention relates to a technical field such as an authentication method between devices by a challenge-response method.

  In authentication by a general challenge-response method, for example, as disclosed in Patent Document 1, an authenticator (for example, a server) generates a random number R in response to an authentication request from an authenticated person (for example, a terminal). The random number R is transmitted as a challenge to the person to be authenticated, and the random number R is encrypted using an encryption key (secret key) K stored in the key storage unit to calculate encrypted data. On the other hand, when receiving the challenge from the authenticator, the authenticated person encrypts the random number R included in the challenge with the encryption key K stored in the key storage unit, and transmits this as a response to the authenticator. Then, the authenticator compares the calculated encrypted data with the encrypted data included in the response received from the terminal, and authenticates that the person to be authenticated is a legitimate prover if they match.

JP 2003-318894 A

  However, when the length of the random number used as a challenge is short because the attacker intercepts and accumulates the challenge and response pairs exchanged during authentication between the authenticator and the person to be authenticated Had the problem that the attacker could succeed in impersonating the person to be authenticated. For example, an attacker impersonates a person to be authenticated and makes an authentication request to the authenticator. Then, if the challenge sent from the authenticator is stored as described above, the attacker can specify the response associated with the challenge, so that the authentication is successful. If the person to be authenticated continues to use the authentication encryption key for a long period of time, the accumulated amount of the attacker increases and the risk of allowing impersonation increases. In addition, even if the challenge sent from the authenticator is not stored as described above, if the rule for converting the challenge into a response is easy (for example, the encryption key length is short), it is stored. By analyzing the challenge, a response corresponding to the challenge sent from the authenticator may be estimated.

  Therefore, the present invention has been made in view of the above points, and even if an attacker accumulates a pair of challenges and responses, an authentication device, an authenticated device, which can improve the security against impersonation, An object is to provide an authentication method, an authenticated method, an authentication processing program, and an authenticated processing program.

  In order to solve the above-described problem, the invention described in claim 1 is an authentication apparatus that executes an authentication process in response to an authentication request from an authenticated apparatus, and is shared between the authenticated apparatus and the authenticated apparatus. A random number table that stores the random number table in which a plurality of random numbers are associated with a unique index for each random number; and a predetermined number in the random number table stored in the first storage unit A new random number calculated using the random number associated with the first index in the number of indexes, and associated with the second index in the predetermined number of the indexes. A first receiving means for receiving an update command including the predetermined number of the indexes from the device to be authenticated that updates the random number received by the first receiving means; A new random number is calculated using the random number associated with the first index among the predetermined number of the indexes included in the updated command, and the calculated random number is used in the random number table. First updating means for updating the random number associated with the second index among the predetermined number of the indexes, second receiving means for receiving an authentication request from the device to be authenticated, and the second In response to the authentication request received by the receiving means, a first sending means for sending a challenge command including a predetermined number of third indexes in the random number table stored in the first storage means to the device to be authenticated. And in the random number table stored in the first storage means in response to the authentication request received by the second receiving means. First calculation means for calculating a first value using the random number associated with the index of 3, and the random number associated with the third index included in the challenge command is used. And receiving the response including the calculated second value from the device to be authenticated, the first value calculated by the first calculating unit, and the third receiving unit. And authentication means for executing an authentication process using the second value included in the response.

  According to a second aspect of the present invention, in the authentication device according to the first aspect, the authentication unit determines whether or not the first value and the second value match in the authentication process. It is characterized by that.

  The invention according to claim 3 is the authentication apparatus according to claim 1, wherein the authentication apparatus further includes random number generation means for generating a random number, and the first transmission means includes the third index, A challenge command including the random number generated by the random number generation means is transmitted to the device to be authenticated, and the first calculation means is calculated using the random number associated with the third index. The first value is calculated by encrypting the random number generated by the random number generation unit using the value as an encryption key, and the third reception unit includes the third index included in the challenge command. The first value calculated by encrypting the random number included in the challenge command, using the value calculated by using the associated random number as an encryption key. And receiving the response including the value from the device to be authenticated, wherein the authentication means determines whether or not the first value and the second value match in the authentication process. .

  According to a fourth aspect of the present invention, in the authentication device according to the first aspect, the authentication device further includes a random number generation unit that generates a random number, and the first transmission unit includes the third index. The challenge command including the random number generated by the random number generation means is transmitted to the device to be authenticated, and the third reception means is the random number associated with the third index included in the challenge command A response including the second value calculated by encrypting the random number included in the challenge command is received from the device to be authenticated using the value calculated by using the encryption key as an encryption key, and the authentication In the authentication process, the means uses a value obtained by decrypting the second value using the first value as a decryption key and the random number generated by the random number generating means. And judging whether or not to.

  The invention described in claim 5 is a device to be authenticated that transmits an authentication request to the authentication device according to any one of claims 1 to 4, and is shared between the device to be authenticated and the authentication device. A second storage means for storing a random number table in which a plurality of random numbers are associated with a unique index for each random number; and a predetermined number in the random number table stored in the second storage means Update command including the index, and the predetermined number of the indexes by a new random number calculated using the random number associated with the first index among the predetermined number of the indexes A second transmission unit that transmits an update command for updating the random number associated with the second index in the authentication unit to the authentication device; and a second storage unit that stores the update command. In the random number table, a new random number is calculated using the random number associated with the first index, and the random number table stored in the second storage unit by the calculated random number Receiving the challenge command from the authentication device, second update means for updating the random number associated with the second index, third transmission means for transmitting the authentication request to the authentication device, and Fourth receiving means and second calculating means for calculating the second value using the random number associated with the third index included in the challenge command received by the fourth receiving means And a fourth transmission means for transmitting a response including the second value calculated by the second calculation means to the authentication device. And wherein the door.

  According to a sixth aspect of the present invention, in the authenticated device according to the fifth aspect, the second calculation means uses the random number associated with the third index included in the challenge command. The second value is calculated by encrypting the random number included in the challenge command using the calculated value as an encryption key.

  The invention according to claim 7 is an authentication method in an authentication apparatus that executes an authentication process in response to an authentication request from an apparatus to be authenticated, and is a random number table shared between the authentication apparatus and the apparatus to be authenticated. Storing the random number table in which a plurality of random numbers and a unique index for each random number are associated with each other in a first storage unit; and a predetermined number of the random number table stored in the first storage unit The random number associated with the second index in the predetermined number of indexes by a new random number calculated using the random number associated with the first index in the index Receiving an update command including the predetermined number of the indexes from the device to be authenticated, and the received update command A new random number is calculated using the random number associated with the first index among the predetermined number of the included indexes, and the predetermined number of the indexes in the random number table is calculated based on the calculated random number. Updating the random number associated with the second index in the list, receiving an authentication request from the device to be authenticated, and in response to the received authentication request, the first storage means A challenge command including a predetermined number of the third index in the random number table stored in the authentication table, and the first storage means in response to the received authentication request. A first value is calculated using the random number associated with the third index in the random number table. Receiving a response including a second value calculated using the random number associated with the third index included in the challenge command from the authenticated device; and A step of performing an authentication process using the calculated first value and the second value included in the response.

  The invention described in claim 8 is an authenticated method in an authenticated apparatus that transmits an authentication request to the authenticated apparatus described in claim 7, and is a random number table shared between the authenticated apparatus and the authenticated apparatus. Storing the random number table in which a plurality of random numbers and a unique index for each random number are associated with each other in a second storage unit; and a predetermined number of the random number table stored in the second storage unit An update command including the index, and a new random number calculated using the random number associated with the first index among the predetermined number of the indexes. Transmitting an update command for updating the random number associated with the second index in the authentication device to the authentication device; and In the random number table stored in the table, a new random number is calculated using the random number associated with the first index, and the calculated random number is stored in the second storage unit. Updating the random number associated with the second index in a random number table; transmitting the authentication request to the authentication device; receiving the challenge command from the authentication device; Calculating the second value using the random number associated with the third index included in the received challenge command; and a response including the calculated second value. And transmitting to the authentication device.

  According to a ninth aspect of the present invention, there is provided a random number table shared between the authentication device and the device to be authenticated, the computer executing authentication processing in response to an authentication request from the device to be authenticated, and a plurality of random numbers, Storing the random number table in which a unique index is associated with each random number in a first storage unit; and a first of a predetermined number of the indexes in the random number table stored in the first storage unit Updating the random number associated with the second index among the predetermined number of the indexes with a new random number calculated using the random number associated with the index Receiving an update command including the predetermined number of the indexes from an apparatus; and the predetermined command included in the received update command. A new random number is calculated using the random number associated with the first index in the index, and a second of the predetermined number of the indexes in the random number table is calculated based on the calculated random number. Updating the random number associated with the index, receiving an authentication request from the device to be authenticated, and being stored in the first storage unit in response to the received authentication request Transmitting a challenge command including a predetermined number of third indexes in the random number table to the device to be authenticated; and the random number table stored in the first storage unit in response to the received authentication request Calculating a first value using the random number associated with the third index in Receiving a response including a second value calculated using the random number associated with the third index included in the challenge command from the device to be authenticated, and the calculated And executing an authentication process using the first value and the second value included in the response.

  According to a tenth aspect of the present invention, there is provided a random number table shared between the authentication target device and the authentication device to a computer that transmits an authentication request to the authentication device according to the ninth aspect. Storing the random number table in which a unique index is associated with each random number in a second storage unit, and an update command including a predetermined number of the indexes in the random number table stored in the second storage unit. Then, the new random number calculated using the random number associated with the first index in the predetermined number of indexes is used as the second index in the predetermined number of indexes. A step of transmitting an update command for updating the associated random number to the authentication device; and before storing the random number in the second storage means A new random number is calculated using the random number associated with the first index in the random number table, and the second random number table stored in the second storage unit is calculated based on the calculated random number. Updating the random number associated with the index, transmitting the authentication request to the authentication device, receiving the challenge command from the authentication device, and the received challenge command A step of calculating the second value using the random number associated with the third index included in and transmitting a response including the calculated second value to the authentication device. And executing the step.

  According to the present invention, responses to the same challenge can be made different, and even if an attacker accumulates a challenge-response pair, a response corresponding to the challenge is specified based on the accumulated information. It can prevent, and the safety | security with respect to impersonation etc. can be improved.

(A) is a figure which shows the example of a schematic structure of the data communication system S, (B) is a figure which shows the example of a schematic structure of the communication apparatus Tn. It is a figure which shows an example of a random number table. It is a sequence diagram which shows an example of the random number table update process performed with communication apparatus T1 and communication apparatus T2. In Example 1, it is a sequence diagram which shows an example of the challenge / response process performed by communication apparatus T1 and communication apparatus T2. In Example 2, it is a sequence diagram which shows an example of the challenge / response process performed by communication apparatus T1 and communication apparatus T2. In Example 3, it is a sequence diagram which shows an example of the challenge / response process performed by communication apparatus T1 and communication apparatus T2.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. The embodiment described below is an embodiment when the present invention is applied to a data communication system.

  First, a schematic configuration and functions of the data communication system S will be described with reference to FIG. FIG. 1A is a diagram illustrating a schematic configuration example of the data communication system S, and FIG. 1B is a diagram illustrating a schematic configuration example of the communication device Tn.

  As shown in FIG. 1A, the data communication system S includes a plurality of communication devices (entities) Tn (n = 1, 2, 3,... K). In such a data communication system S, M2M (Machine to Machine) communication is possible between the communication devices Tn via the communication network NW. Examples of the communication device Tn include a server, a personal computer, a mobile phone, a mobile terminal such as a smartphone, an IC card, a sensor device, an actuator device, and a game machine. The sensor device is a communication device equipped with a sensor such as temperature, humidity, illuminance, vibration, power, or strain. The actuator device is a communication device equipped with a display board, lighting, buzzer, relay, or the like. Examples of the communication network NW include Bluetooth (registered trademark), UWB (ultra wideband), PAN (personal area network), the Internet, IoT (Internet of Things), sensor network, mobile communication network, and the like. The communication network NW may be configured by combining a plurality of communication methods at each location, for example. For example, the server and the mobile phone communicate with each other via the Internet, gateway, and mobile communication network. Further, for example, the sensor device and the actuator device perform short-range wireless communication via the PAN.

  As shown in FIG. 1B, the communication device Tn includes a CPU (Central Processing Unit) 10, a coprocessor 11, a storage unit 12, a sensor unit 13, an I / F unit 14, a communication unit 15, and the like. Is done. Note that the configurations of all the communication devices Tn do not have to be the same and may be different. For example, the communication device T1 may be configured with the sensor unit 13, and the communication device T2 may be configured without the sensor unit 13. In the following embodiments, the communication device T1 will be described as an authenticated device (for example, a portable terminal), and the communication device T2 will be described as an authentication device (for example, a server).

  The CPU 10 is an example of a computer in the present invention. The coprocessor 11 executes encryption processing and decryption processing using an encryption key (decryption key). The sensor unit 13 includes a sensor such as temperature, humidity, illuminance, vibration, power, or strain. The I / F unit 14 is an interface for connecting to peripheral devices of the communication device Tn. The communication unit 15 is for communicating with a communication partner via the communication network NW under the control of the CPU 10. The storage unit 12 of the communication device T2 is an example of a first storage unit, and the storage unit 12 of the communication device T1 is an example of a second storage unit. The storage unit 12 includes a ROM (Read Only Memory), a RAM (Random Access Memory), a nonvolatile memory (for example, a flash memory), and the like. The storage unit 12 may include a hard disk drive (HDD) or a solid state drive (SSD) instead of the nonvolatile memory.

  The storage unit 12 stores programs to be executed by the CPU 10 and the coprocessor 11 and various data. The program stored in the storage unit 12 of the communication device T2 includes an authentication processing program to be executed by the CPU 10. The program stored in the storage unit 12 of the communication device T1 includes an authentication processing program to be executed by the CPU 10. In addition, the programs stored in the storage unit 12 of the communication device T1 and the communication device T2 define an encryption processing program that defines an encryption process to be executed by the coprocessor 11 and a decryption process to be executed by the coprocessor 11. A decryption processing program is included. The storage unit 12 of the communication device T1 and the communication device T2 is provided with a secure storage area, and a random number table is stored in this storage area. The random number table is a table in which a plurality of random numbers and unique indexes (for example, natural numbers) are associated with each random number. The random number table is to be shared between the communication device T1 and the communication device T2.

  FIG. 2 is a diagram illustrating an example of a random number table. In the example of FIG. 2, the random number (random number value) is expressed by a character such as Rn. However, in actuality, the random number is a 128-bit value composed of a numerical expression (0 and 1) on the CPU 10, for example. . The random number table is stored in advance in the storage unit 12 when the communication device Tn is manufactured, for example. In this configuration, since the random number itself is not exchanged between the communication devices Tn via the communication network NW, security can be improved.

  Alternatively, the random number table is not stored in the storage unit 12 when the communication device Tn is manufactured, for example, and the communication device T1 and the communication device T2 that communicate with each other after the communication device Tn is shipped communicate the random numbers and indexes respectively generated You may comprise so that a random number table may be produced | generated by transmitting to an other party. For example, when the communication device T1 and the communication device T2 perform communication, first, the communication device T1 and the communication device T2 each generate an empty random number table in the storage unit 12. First, the communication device T1 generates a random number R1 by a random number generator, associates the generated random number R1 with the index 1, and transmits the generated random number R1 to the communication device T2, and associates the generated random number R1 with the index 1. And register it in the random number table. Next, the communication device T2 associates the random number R1 received from the communication device T1 with the index 1 and registers them in the random number table. Then, the communication device T2 generates a random number R2 using a random number generator, associates the generated random number R2 with the index 2, and transmits the generated random number R2 to the communication device T1, and associates the generated random number R2 with the index 2. Register in the random number table. Next, the communication device T1 registers the random number R2 received from the communication device T2 and the index 2 in the random number table in association with each other. Such processing is repeatedly and alternately performed (indexes 3 to n), thereby completing the random number table as shown in FIG. With this configuration, it is possible to generate a unique random number table (that is, a unique random number table between the authenticating device and the device to be authenticated) between the communication device T1 and the communication device T2.

  And CPU10 of communication apparatus T1 performs a random number table update process and a challenge / response process according to the to-be-authenticated process program of this invention. The CPU 10 of the communication device T1 functions as a second transmission unit, a second update unit, and the like in the random number table update process. On the other hand, the CPU 10 of the communication device T2 executes random number table update processing and challenge / response processing in accordance with the authentication processing program of the present invention. The CPU 10 of the communication device T2 functions as a first reception unit, a first update unit, and the like in the random number table update process. Specifically, for example, the CPU 10 of the communication device T1 updates the random number table including a predetermined number (for example, two or more arbitrary) indexes in the random number table stored in the storage unit 12 in the random number table updating process. A command (an example of an update command) is transmitted to the communication device T2. This random number table update command uses the new random number calculated using the random number associated with the first index in the predetermined number of indexes to the second index in the predetermined number of indexes. This command updates the associated random number. Further, in the random number table update process, the CPU 10 of the communication device T1 calculates a new random number using the random number associated with the first index in the random number table stored in the storage unit 12, and calculates the calculated random number. The random number associated with the second index in the random number table stored in the storage unit 12 is updated with the random number. On the other hand, for example, the CPU 10 of the communication device T2 in the random number table update process, the random number associated with the first index among the predetermined number of indexes included in the random number table update command received from the communication device T1. Is used to calculate a new random number, and the random number associated with the second index among the predetermined number of indexes in the random number table stored in the storage unit 12 is updated with the calculated random number. As a result, the random number table is shared between the communication device T1 and the communication device T2.

  The CPU 10 of the communication device T1 functions as a third transmission unit, a fourth reception unit, a second calculation unit, a fourth transmission unit, and the like in the challenge / response process. On the other hand, in the challenge / response process, the CPU 10 of the communication device T2 functions as a first transmission unit, a first calculation unit, a second reception unit, a third reception unit, an authentication unit, a random number generation unit, and the like. Specifically, for example, the CPU 10 of the communication device T1 transmits an authentication request (for example, a login command) to the communication device T2 in the challenge / response process. On the other hand, for example, in the challenge / response process, the CPU 10 of the communication device T2 responds to the authentication request received from the communication device T1, and determines a predetermined number (for example, one or more) in the random number table stored in the storage unit 12. An arbitrary number of challenge commands including the third index are transmitted to the communication device T2. In addition, the CPU 10 of the communication device T2 uses the random number associated with the third index in the random number table stored in the storage unit 12 in response to the authentication request received from the communication device T1. (Example of first value) is calculated. On the other hand, the CPU 10 of the communication device T1 calculates a response value (an example of a second value) using a random number associated with the third index included in the challenge command received from the communication device T2. Then, the CPU 10 of the communication device T1 transmits a response including the calculated response value to the communication device T2. On the other hand, the CPU 10 of the communication device T2 executes an authentication process using the response value included in the response received from the communication device T2 and the calculated challenge value. In this authentication process, for example, it is determined whether or not the response value and the challenge value match. If they match, authentication succeeds, and if they do not match, authentication fails.

Next, the operation of the data communication system S will be described separately in the first to third embodiments. As a premise of the following operation, it is assumed that the same random number table is stored in the communication device T1 (authenticated device) and the communication device T2 (authentication device).
Example 1

  First, Example 1 is demonstrated with reference to FIG.3 and FIG.4. FIG. 3 is a sequence diagram illustrating an example of a random number table update process performed by the communication device T1 and the communication device T2. FIG. 4 is a sequence diagram illustrating an example of challenge / response processing performed by the communication device T1 and the communication device T2 in the first embodiment.

  In the example shown in FIG. 3, the random number table update process is started from the communication device T1. Note that the random number table update process is executed, for example, periodically (for example, at intervals of 3 days) or irregularly (for example, timing for turning on the communication device T1).

  When the random number table update process is started, the CPU 10 of the communication device T1 generates a random number table update command RUpdate (n, k, l) (step S1). Here, n, k, and l are arguments passed to the communication device T2, and correspond to a predetermined number of indexes in the random number table stored in the storage unit 12. In this example, “n” corresponds to the above-described second index, and “k” and “l” correspond to the first index. The first index determined as an argument of RUpdate may be 3 or more. Also, n, k, l are arbitrarily determined by random numbers, for example (for example, n = 1, k = 2, l = 4 or n = 4, k = 1, l = 2). The Alternatively, n, k, and l may be determined in the order of registration.

  Next, the CPU 10 of the communication device T1 transmits the random number table update command RUpdate (n, k, l) generated in step S1 to the communication device T2 via the communication unit 15 and the communication network NW (step S2). Next, the CPU 10 of the communication device T1 calculates a new random number Rn to be associated with the index n using the random number Rk associated with the index k and the random number Rl associated with the index l ( Step S3). The new random number Rn is calculated by the following equation (1), for example.

  Rn: = Rk xor Rl (1)

  Here, “xor” represents exclusive OR. Further, “(left side): = (right side)” represents that the calculation result of the right side is substituted into the left side. That is, in the above equation (1), the exclusive OR of Rk and Rl is Rn. The new random number Rn may be calculated by other calculation methods. For example, the generated random number may have a fixed length (for example, 128 bits), and the higher 128 bits obtained by multiplying Rk and Rl may be used as a new random number Rn.

  Next, the CPU 10 of the communication device T1 updates (changes) the random number Rn associated with the index n in the random number table stored in the storage unit 12 of the communication device T1 with the new random number Rn calculated in step S3. (Step S4).

  On the other hand, when the CPU 10 of the communication device T2 receives the random number table update command RUpdate (n, k, l) transmitted from the communication device T1, it corresponds to the index k indicated by the random number table update command RUpdate (n, k, l). Using the random number Rk attached and the random number Rl associated with the index l, a new method for associating with the index n by the same calculation method as the communication device T1 (for example, the above equation (1)) A random number Rn is calculated (step S11).

  Next, the CPU 10 of the communication device T2 updates (changes) the random number Rn associated with the index n in the random number table stored in the storage unit 12 of the communication device T2 with the new random number Rn calculated in step S11. (Step S12).

  Next, the CPU 10 of the communication device T2 transmits an update completion message to the communication device T1 via the communication unit 15 and the communication network NW (step S13). On the other hand, when receiving the update completion message transmitted from the communication device T2, the CPU 10 of the communication device T1 returns a confirmation response message to the communication device T2 (step S5).

  Next, in the example shown in FIG. 4, challenge / response processing is started from the communication device T1. The challenge / response process is started in response to, for example, a login instruction from an authenticated person who is a user of the communication device T1.

  When the challenge / response process is started, the CPU 10 of the communication device T1 transmits an authentication request (for example, a login command) to the communication device T2 via the communication unit 15 and the communication network NW (step S21).

  On the other hand, when the CPU 10 of the communication device T2 receives the authentication request transmitted from the communication device T1, the challenge command Challenge (k, -l) including a predetermined number of third indexes in the random number table stored in the storage unit 12 is received. , m) is generated (step S31). Here, k, -l, m are arguments passed to the communication device T1, and correspond to the third index in the random number table stored in the storage unit 12. In addition, “-” in “-l” indicates that a negation operator is used to improve the security of the encryption key. “L” may be used instead of “-l”. The number of indexes determined as arguments in the challenge may be three or more. In addition, k, l, and m are arbitrarily determined by random numbers, for example, or determined in the order of registration.

  Next, the CPU 10 of the communication device T2 transmits the challenge command Challenge (k, -l, m) generated in step S31 to the communication device T1 via the communication unit 15 and the communication network NW (step S32).

  Next, the CPU 10 of the communication device T2 uses the random number Rk associated with the index k and the random number Rl associated with the index l (“−” is added to “l”, so that ¬Rl is used. The challenge value V is calculated using the random number Rm associated with the index m (step S33). The challenge value V is calculated by the following equation (2), for example.

  V: = Rk xor ¬ Rl xor Rm (2)

  Here, “¬” represents a negation operator. That is, ¬Rl means inversion of all bits in the numerical expression on the CPU 10. In the above equation (2), the exclusive OR of Rk, ¬Rl, and Rm is V. The challenge value V may be calculated by another calculation method. For example, a random number to be generated may be set to a fixed length, and a higher fixed length bit obtained by multiplying Rk, ¬Rl, and Rm may be used as the challenge value V.

  On the other hand, when the CPU 10 of the communication device T1 receives the challenge command Challenge (k, -l, m) transmitted from the communication device T2, it is associated with the index k indicated by the challenge command Challenge (k, -l, m). Using the same calculation method as the communication device T2 (for example, the above-described random number Rk, the inverted value ¬R1 of the random number Rl associated with the index l, and the random number Rm associated with the index m). The response value Res is calculated by (Expression (2)) (step S22).

  Next, the CPU 10 of the communication device T1 transmits a response including the response value Res calculated in step S22 to the communication device T2 via the communication unit 15 and the communication network NW (step S23).

  On the other hand, when receiving the response transmitted from the communication device T1, the CPU 10 of the communication device T2 executes an authentication process using the response value Res included in the response and the challenge value V calculated in step S33. . In this authentication process, the CPU 10 of the communication device T2 determines whether or not the challenge value V and the response value Res match (step S34). When the challenge value V matches the response value Res (step S34: YES), the CPU 10 of the communication device T2 determines that the authentication is successful (step S35). On the other hand, when the challenge value V and the response value Res do not match (step S34: NO), the CPU 10 of the communication device T2 determines that the authentication has failed (step S36). Then, the CPU 10 of the communication device T2 transmits an authentication result message indicating authentication success or failure to the communication device T1 via the communication unit 15 and the communication network NW (step S37).

  As described above, according to the first embodiment, the same random number table is stored in the communication device T1 and the communication device T2, and the random number table is updated safely and in a timely manner only by transmitting and receiving the index. Since the value is passed by index, response values for the same challenge (ie, index) can be made different, and even if an attacker accumulates a challenge-response value pair, It is possible to prevent the response value corresponding to the challenge from being specified based on the information, and to improve the security against impersonation and the like. Further, even when the same challenge as that used in the past authentication process is reused, it is possible to improve the security against the impersonation method.

(Example 2)
Next, Example 2 will be described with reference to FIG. FIG. 5 is a sequence diagram illustrating an example of a challenge / response process performed by the communication device T1 and the communication device T2 in the second embodiment. The random number table update process in the second embodiment is the same as that in the first embodiment, and is performed as shown in FIG.

  In the example illustrated in FIG. 5, the challenge / response process is started from the communication device T1 as in the first embodiment. The challenge / response process is started in response to, for example, a login instruction from an authenticated person who is a user of the communication device T1, as in the first embodiment.

  When the challenge / response process is started, the CPU 10 of the communication device T1 transmits an authentication request (for example, a login command) to the communication device T2 via the communication unit 15 and the communication network NW (step S41).

  On the other hand, upon receiving the authentication request transmitted from the communication device T1, the CPU 10 of the communication device T2 generates a random number R (step S51). The random number R is preferably a nonce (number used once) used only once. Note that the communication device T2 may be provided with a random number generator that generates a random number separately from the CPU 10. In this case, a random number R is generated by a random number generator. Next, the CPU 10 of the communication device T2 includes a challenge command Challenge (R, k, -l) including a predetermined number of third indexes in the random number table stored in the storage unit 12 and the random number R generated in step S51. , m) is generated (step S52).

  Next, the CPU 10 of the communication device T2 transmits the challenge command Challenge (R, k, -l, m) generated in step S52 to the communication device T1 via the communication unit 15 and the communication network NW (step S53). .

  Next, the CPU 10 of the communication device T2 uses the random number Rk associated with the index k and the random number Rl associated with the index l (“−” is added to “l”, so that ¬Rl is used. And a random number Rm associated with the index m, and a challenge value is obtained by encrypting the random number R generated in step S51 using the calculated value K2 as an encryption key. V is calculated (step S54). The value K2 is calculated by, for example, the following formula (3), and the challenge value V is calculated by, for example, the following formula (4).

  K2: = Rk xor ¬ Rl xor Rm (3)

  V: = E (R, K2) (4)

  Here, “E (first argument, second argument)” represents an encryption operator that encrypts the plaintext of the first argument using the second argument as an encryption key.

  On the other hand, when the CPU 10 of the communication device T1 receives the challenge command Challenge (R, k, -l, m) transmitted from the communication device T2, the index k indicated by the challenge command Challenge (R, k, -l, m). The value K1 is calculated using the random number Rk associated with, the inverted value ¬Rl of the random number Rl associated with the index l, and the random number Rm associated with the index m. E (R, K1) is calculated as the response value Res by encrypting the random number R included in the challenge command Challenge (R, k, -l, m) using the value K1 as the encryption key (step S42). The value K1 and the response value Res are calculated by the same calculation method as the communication device T2 (for example, the above formulas (3) and (4)).

  Next, the CPU 10 of the communication device T1 transmits a response including the response value Res calculated in step S42 to the communication device T2 via the communication unit 15 and the communication network NW (step S43).

  On the other hand, when receiving the response transmitted from the communication device T1, the CPU 10 of the communication device T2 executes an authentication process using the response value Res included in the response and the challenge value V calculated in step S54. . The processing after step S55 is the same as the processing after step S34.

  As described above, according to the second embodiment, since the challenge command includes the random number R together with the index, the random number R is encrypted with the value calculated using the index, and the response is transmitted. The safety of values to be compared in the authentication process can be improved.

Example 3
Next, Example 3 will be described with reference to FIG. FIG. 6 is a sequence diagram illustrating an example of a challenge / response process performed by the communication device T1 and the communication device T2 in the third embodiment. The random number table update process in the third embodiment is the same as that in the first embodiment, and is performed as shown in FIG.

  In the example illustrated in FIG. 6, as in the first and second embodiments, the CPU 10 of the communication device T1 sends an authentication request (for example, a login command) to the communication device T2 via the communication unit 15 and the communication network NW. Transmit (step S61).

  On the other hand, when receiving the authentication request transmitted from the communication device T1, the CPU 10 of the communication device T2 generates a random number R (for example, nonce) as in the second embodiment (step S71), and executes a challenge command Challenge (R, k , -l, m) is generated (step S72), and the generated challenge command Challenge (R, k, -l, m) is transmitted to the communication device T1 (step S73).

  On the other hand, when the CPU 10 of the communication device T1 receives the challenge command Challenge (R, k, -l, m) transmitted from the communication device T2, as in the second embodiment, E (R, K1) is used as the response value Res. Calculation is performed (step S62), and a response including the response value Res is transmitted to the communication device T2 (step S63).

  On the other hand, when the CPU 10 of the communication device T2 receives the response transmitted from the communication device T1, the random number Rk associated with the index k and the random number Rl associated with the index l (“−” is added to “−”). ”Rl is used) and a random number Rm associated with the index m is calculated, and the calculated value K2 is used as a decryption key (= encryption key). The challenge value V is calculated by decoding the response value Res included in the response (step S74). The value K2 is calculated by, for example, the above formula (3), and the challenge value V is calculated by, for example, the following formula (5).

  V: = D (Res, K2) (5)

  Here, “D (first argument, second argument)” represents a decryption operator that decrypts the ciphertext of the first argument using the second argument as an encryption key. In the normal case, the challenge value V in the third embodiment is a random number R included in the challenge command Challenge (R, k, -l, m) transmitted to the communication device T1.

  Next, the CPU 10 of the communication device T2 determines whether or not the challenge value V calculated in step S74 (a value obtained by decrypting the response value Res using the value K2 as a decryption key) matches the random number R generated in step S71. Is determined (step S75). When the challenge value V matches the random number R (step S75: YES), the CPU 10 of the communication device T2 determines that the authentication is successful (step S76). On the other hand, if the challenge value V and the random number R do not match (step S75: NO), the CPU 10 of the communication device T2 determines that the authentication has failed (step S77). Then, the CPU 10 of the communication device T2 transmits an authentication result message indicating success or failure of authentication to the communication device T1 (step S78).

  As described above, according to the third embodiment, since the challenge command includes the random number R together with the index, the random number R is encrypted with the value calculated using the index, and the response is transmitted. Thus, it is possible to improve the safety of values to be compared in the authentication process.

10 CPU
11 Coprocessor 12 Storage unit 13 Sensor unit 14 I / F unit 15 Communication unit Tn Communication device

Claims (10)

An authentication device that performs authentication processing in response to an authentication request from a device to be authenticated,
A first storage means for storing a random number table shared between the authentication device and the device to be authenticated, wherein the random number table associates a plurality of random numbers with a unique index for each random number;
Based on the new random number calculated using the random number associated with the first index among the predetermined number of indexes in the random number table stored in the first storage unit, the predetermined number of First receiving means for receiving an update command including the predetermined number of the indexes from the device to be authenticated that updates the random number associated with the second index in the index;
A new random number is calculated using the random number associated with the first index among the predetermined number of the indexes included in the update command received by the first receiving unit, and the calculated A first updating means for updating the random number associated with the second index among the predetermined number of the indexes in the random number table by a random number;
Second receiving means for receiving an authentication request from the device to be authenticated;
In response to the authentication request received by the second receiving means, a challenge command including a predetermined number of third indexes in the random number table stored in the first storage means is transmitted to the device to be authenticated. One transmission means;
In response to the authentication request received by the second receiving means, a first value using the random number associated with the third index in the random number table stored in the first storage means First calculating means for calculating
Third receiving means for receiving a response including a second value calculated by using the random number associated with the third index included in the challenge command from the device to be authenticated;
Authentication means for executing authentication processing using the first value calculated by the first calculation means and the second value included in the response received by the third receiving means;
An authentication device comprising:   The authentication apparatus according to claim 1, wherein the authentication unit determines whether or not the first value and the second value match in the authentication process. The authentication device further includes random number generation means for generating a random number,
The first transmission unit transmits a challenge command including the third index and the random number generated by the random number generation unit to the device to be authenticated,
The first calculating means encrypts the random number generated by the random number generating means by using the value calculated by using the random number associated with the third index as an encryption key. Calculate the value of 1
The third receiving means uses the value calculated by using the random number associated with the third index included in the challenge command as an encryption key, and the random number included in the challenge command is encrypted. A response including the second value calculated by being converted from the authentication target device,
The authentication apparatus according to claim 1, wherein the authentication unit determines whether or not the first value and the second value match in the authentication process. The authentication device further includes random number generation means for generating a random number,
The first transmission unit transmits a challenge command including the third index and the random number generated by the random number generation unit to the device to be authenticated,
The third receiving means uses the value calculated by using the random number associated with the third index included in the challenge command as an encryption key, and the random number included in the challenge command is encrypted. A response including the second value calculated by being converted from the authentication target device,
The authentication unit determines whether or not the value obtained by decrypting the second value using the first value as a decryption key and the random number generated by the random number generation unit match in the authentication process. The authentication apparatus according to claim 1, wherein: An authenticated device that transmits an authentication request to the authentication device according to any one of claims 1 to 4,
A second storage means for storing the random number table shared between the authentication target device and the authentication device, wherein the random number table associates a plurality of random numbers with a unique index for each random number;
An update command including a predetermined number of the indexes in the random number table stored in the second storage means, wherein the random number associated with the first index in the predetermined number of the indexes is Second transmission means for transmitting an update command for updating the random number associated with the second index among the predetermined number of the indexes to a new random number calculated by using the second transmission means;
In the random number table stored in the second storage unit, a new random number is calculated using the random number associated with the first index, and the calculated random number is stored in the second storage unit. Second update means for updating the random number associated with the second index in the stored random number table;
Third transmission means for transmitting the authentication request to the authentication device;
Fourth receiving means for receiving the challenge command from the authentication device;
Second calculating means for calculating the second value using the random number associated with the third index included in the challenge command received by the fourth receiving means;
Fourth transmission means for transmitting a response including the second value calculated by the second calculation means to the authentication device;
A device to be authenticated.   The second calculation means encrypts the random number included in the challenge command using a value calculated using the random number associated with the third index included in the challenge command as an encryption key. The device to be authenticated according to claim 5, wherein the second value is calculated as described above. An authentication method in an authentication device that executes authentication processing in response to an authentication request from a device to be authenticated,
Storing in the first storage means the random number table shared between the authentication device and the device to be authenticated, wherein the random number table associates a plurality of random numbers with a unique index for each random number;
Based on the new random number calculated using the random number associated with the first index among the predetermined number of indexes in the random number table stored in the first storage unit, the predetermined number of Receiving an update command including the predetermined number of the indexes from the device to be authenticated that updates the random number associated with the second index in the index;
A new random number is calculated using the random number associated with the first index among the predetermined number of the indexes included in the received update command, and the random number is calculated based on the calculated random number. Updating the random number associated with the second of the predetermined number of the indexes in the table;
Receiving an authentication request from the device to be authenticated;
In response to the received authentication request, transmitting a challenge command including a predetermined number of third indexes in the random number table stored in the first storage means to the device to be authenticated;
Calculating a first value using the random number associated with the third index in the random number table stored in the first storage unit in response to the received authentication request; ,
Receiving a response including a second value calculated using the random number associated with the third index included in the challenge command from the device to be authenticated;
Performing an authentication process using the calculated first value and the second value included in the response;
An authentication method comprising: An authenticated method in an authenticated device that transmits an authentication request to the authentication device according to claim 7,
Storing in the second storage means the random number table shared between the device to be authenticated and the authentication device, wherein the random number table associates a plurality of random numbers with a unique index for each random number;
An update command including a predetermined number of the indexes in the random number table stored in the second storage means, wherein the random number associated with the first index in the predetermined number of the indexes is Transmitting an update command for updating the random number associated with the second index among the predetermined number of the indexes to the authentication device by using a new random number calculated by using the random number;
In the random number table stored in the second storage unit, a new random number is calculated using the random number associated with the first index, and the calculated random number is stored in the second storage unit. Updating the random number associated with the second index in the stored random number table;
Transmitting the authentication request to the authentication device;
Receiving the challenge command from the authentication device;
Calculating the second value using the random number associated with the third index included in the received challenge command;
Transmitting a response including the calculated second value to the authentication device;
A method to be authenticated, comprising: In a computer that executes authentication processing in response to an authentication request from the device to be authenticated,
Storing in the first storage means the random number table shared between the authentication device and the device to be authenticated, wherein the random number table associates a plurality of random numbers with a unique index for each random number;
Based on the new random number calculated using the random number associated with the first index among the predetermined number of indexes in the random number table stored in the first storage unit, the predetermined number of Receiving an update command including the predetermined number of the indexes from the device to be authenticated that updates the random number associated with the second index in the index;
A new random number is calculated using the random number associated with the first index among the predetermined number of the indexes included in the received update command, and the random number is calculated based on the calculated random number. Updating the random number associated with the second of the predetermined number of the indexes in the table;
Receiving an authentication request from the device to be authenticated;
In response to the received authentication request, transmitting a challenge command including a predetermined number of third indexes in the random number table stored in the first storage means to the device to be authenticated;
Calculating a first value using the random number associated with the third index in the random number table stored in the first storage unit in response to the received authentication request; ,
Receiving a response including a second value calculated using the random number associated with the third index included in the challenge command from the device to be authenticated;
Performing an authentication process using the calculated first value and the second value included in the response;
An authentication processing program characterized in that A computer that transmits an authentication request to the authentication device according to claim 9,
Storing in the second storage means the random number table shared between the device to be authenticated and the authentication device, wherein the random number table associates a plurality of random numbers with a unique index for each random number;
An update command including a predetermined number of the indexes in the random number table stored in the second storage means, wherein the random number associated with the first index in the predetermined number of the indexes is Transmitting an update command for updating the random number associated with the second index among the predetermined number of the indexes to the authentication device by using a new random number calculated by using the random number;
In the random number table stored in the second storage unit, a new random number is calculated using the random number associated with the first index, and the calculated random number is stored in the second storage unit. Updating the random number associated with the second index in the stored random number table;
Transmitting the authentication request to the authentication device;
Receiving the challenge command from the authentication device;
Calculating the second value using the random number associated with the third index included in the received challenge command;
Transmitting a response including the calculated second value to the authentication device;
An authenticated processing program characterized by causing the processing to be executed.

Images