JP2016225804A - Information processor, communication system, information processing method and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a server for giving a person in charge access permission to a determined document among documents encrypted for the person in charge of documents.SOLUTION: An encrypted text storage part 71 stores encrypted information and an encrypted first random number by using a first public key (a public key of a person in charge) and the first random number. A key reception part 74 receives from a communication terminal of the person in charge a re-encryption key for converting the encrypted information into information decryptable by a second secret key generated by using a first secret key corresponding to the first public key, the encrypted first random number, a second public key (a public key for a person in charge) and a second random number to correspond to the second public key, and the second random number encrypted by using the second public key. A conversion part 75 uses the re-encryption key to convert the encrypted information into the information decryptable by the second secret key, and replaces the encrypted information and the encrypted first random number stored in the storage part 71 with the converted information and the encrypted second random number.SELECTED DRAWING: Figure 7

Description

  The present invention relates to an information processing apparatus for controlling access to information, a communication system including the information processing apparatus, an information processing method, and a program for causing a computer to execute the method.

  In the existing main public key encryption method, when decrypting information encrypted with a certain public key, for example, a document, it cannot be decrypted unless a secret key corresponding to the public key is used. For this reason, to convert a document encrypted with one public key into a document encrypted with another public key, first convert it back to plaintext with the corresponding private key and then encrypt it again with the other public key. Must be converted. However, re-encryption by such a method has the following danger.

  The first is the risk that the plain culture file will be read when it returns to plain text. The second is the risk that the remaining trace data will be read after re-encrypting and deleting the plain culture file. Third, there is a risk that an encrypted document (ciphertext) and a secret key are read when returning to plaintext.

  In view of such a problem, an encryption processing method called a proxy re-encryption method has been proposed (see, for example, Patent Document 1, Non-Patent Documents 1 and 2). This method will be briefly described with reference to FIG. The ciphertext 10 can be decrypted with the secret key of the original user 11 shown in FIG. The original ciphertext 10 and the re-encryption key 14 are given to the agent 15 in order to convert this into ciphertext 13 that can be decrypted by the user 12 who is newly permitted to decrypt. Here, although described as the users 10 and 11 and the agent 15, what is actually processed is a computer used by the users 11 and 12 and a server as the agent 15.

  The re-encryption key 14 is a key generated from the private key of the original user 11 and the public key of the user 12 who is newly permitted to decrypt. The re-encryption key 14 decrypts the ciphertext. I can't. The re-encryption key 14 is only for changing the key so that a newly authorized user 12 can decrypt it.

When the agent 15 changes the key using the re-encryption key 14, there are several requirements that must be met as security requirements. The requirements are listed below.
(1) The agent 15 cannot decrypt the ciphertext using the re-encryption key 14.
(2) The agent 15 cannot obtain the secret key of any user from the re-encryption key 14.
(3) The agent 15 must not be able to re-encrypt in the reverse direction.
(4) When the re-encryption key 14 is generated, information other than the private key of the original user 11 and the public key of the user 12 who is newly permitted to decrypt should not be required. This is for convenience.
(5) The key size should not increase with the number of users. This is for scalability.
(6) The re-encryption key 14 must be given a time limit. This is because when a plurality of users 12 who are newly permitted to decrypt and are members of some organization, the member has been removed from the organization.
(7) It must not be possible to forge a re-encryption key for an unauthorized member from the existing re-encryption key 14.

JP 2001-202010 A

Lihua Wang, Licheng Wang, Masahiro Mambo, Eiji Okamoto, “Identity-Based Proxy Cryptosystems with Revocability and Hierarchical Confidentialities”, IEICE Trans. Fundamentals, Vol. E95-A, No.1, pp.70-88, Jan. 2012 Wang Tonghua, Atsushi Waseda, Ryo Nojima, Shiho Moriai, `` PRINCESS: Secure Re-encryption with INd-Cca security in Encrypted file Storage System '', The 31th Symposium on Crypography and Information Security Kagoshima, Japan, Jan. 21-24, 2014

  In the above agent encryption method, when a plurality of ciphertexts sent from the outside to the original user 11 are stored on the server, the original user 11 sets one of those ciphertexts. On the other hand, access permission can be given to the user 12. However, since all the documents sent to the original user 11 by the re-encryption key 14 on the server can be converted so that they can be decrypted by the user, the key of the original user 11 can be obtained by the user 12 by an internal attack. There is a problem that other documents which are encrypted by the user but are not permitted to access can be obtained and decrypted.

  Therefore, it has been desired to provide an apparatus, a method, and the like that can give access permission only to predetermined information and improve security.

  In view of the above problems, according to the present invention, an information processing apparatus that controls access to information, the information encrypted using the information, the first public key, and the first random number, and the first information A storage unit for storing a random number of 1; encrypted information; a first secret key corresponding to the first public key; an encrypted first random number; a second public key; and a second random number. And a re-encryption key for converting to information that can be decrypted with a second private key corresponding to the second public key generated using the second public key, and encrypted using the second public key Using the receiving unit that receives the second random number and the re-encryption key, the encrypted information is converted into information that can be decrypted with the second secret key, and the encrypted information stored in the storage unit And a conversion unit that replaces the converted information and the encrypted first random number with the converted information and the encrypted second random number. Location is provided.

  According to the present invention, access permission can be given only to predetermined information, and security can be improved.

The figure which showed the system configuration | structure for demonstrating a proxy encryption system. The figure explaining the outline of the process implemented with the communication system containing the information processing apparatus of this invention. The figure which showed the structural example of the communication system. The figure which showed the hardware constitutions of information processing apparatus. The functional block diagram of a transmission source terminal. The functional block diagram of a transmission destination terminal. The functional block diagram of a server. The functional block diagram of a communication terminal. The flowchart which showed the flow of the process which a communication system performs. The figure explaining the tampering prevention by a digital signature.

  FIG. 2 is a diagram for explaining the outline of processing executed in a communication system including the information processing apparatus of the present invention. The information processing apparatus performs processing for converting information encrypted with a certain public key into a form encrypted with another public key. Therefore, the information processing apparatus can be accessed only by a user who holds a secret key corresponding to the other public key, and can control access to the information.

  All three pieces of information transmitted from the transmission source terminal in the communication system are stored on the server 20 as the information processing apparatus. The information can be a file, a folder, or the like. Hereinafter, the information will be described as a document file (document). In FIG. 2, only the storage device that the server 20 has is shown as the server 20. The three documents are encrypted with the public key of the responsible person 22 who is the user who uses the transmission destination terminal 21, and access permission is given only to the responsible person 22.

A label 23 is added to each of the three documents as information indicating what kind of content the document is. For example, if the content of the document is a catalog of a new product, the label “product catalog” is attached. The person in charge 22 reads the label 23 attached to the document addressed to himself / herself stored on the server 20, and determines to which business the document is related and to whom the access permission is given. For example, it is assumed that the person in charge 22 reads the label 23 of the document M ₁ and determines that the person in charge A is in charge. The responsible person 22 uses the destination terminal 21 to instruct the server 20 to permit the person in charge A to access the document M ₁ . The responsible person 22 uses the destination terminal 21 to convert the document M ₁ encrypted with the responsible person's 22 public key so that it can be decrypted with the responsible person A's private key (referred to as encryption theory). A re-encryption key 24 for re-encryption is generated and transmitted to the server 20.

The server 20 uses the re-encryption key 24 transmitted from the transmission destination terminal 21 to encrypt the document M ₁ encrypted with the public key of the person in charge 22 with the public key of the person in charge A. Convert to ₁ . Then, substituting the document M ₁ obtained by converting the document M ₁ saved. Since the person in charge A is permitted to access the replaced document M ₁ , the person in charge A accesses the document M ₁ from the communication terminal 25 used by himself, and uses the secret key of the person in charge A for the document M _1. decrypted back into plain text, it is possible to view the document M _1.

In the conventional agent encryption method, the transmission source terminal uses the public key of the transmission destination responsible person 22 and the plain text document to encrypt it, and transmits it to the server 20. In addition, responsible for 22 generates a re-encryption key 24 from the private key of the person responsible for 22 and the public key of the person in charge A, and sends it to the server 20, the access to the document M ₁ to the person in charge A Making it possible. On the other hand, in the present invention, in the transmission source terminal, encryption is performed using a public key of the responsible person 22 and a plain text document as well as a random number. The destination terminal 21 generates the re-encryption key 24 using the secret key of the responsible person 22, the random number, and the public key of the responsible person A, transmits it to the server 20, and transmits the re-encrypting key. 24 to convert.

Since the three documents addressed to the person in charge are encrypted with different random numbers and the re-encryption key 24 is generated using different random numbers, the person in charge A can decrypt only the document M ₁ , These two documents cannot be deciphered. Incidentally, when the random numbers are the same, it is possible to decrypt the other documents M ₂ and M ₃ from the difference between the plain text of the document M ₁ and the encrypted document M ₁ . Here, since the three documents are encrypted using the same public key, different random numbers are used. However, when the three documents use different public keys, the same random number may be used.

  Now that the outline of the present invention has been described, the details thereof will be described below. First, the configuration of the communication system will be described with reference to FIG. The communication system includes a transmission source terminal 31 connected to the network 30 for transmitting a document to a responsible person, a server 32 as an information processing apparatus that receives and stores the document transmitted from the transmission source terminal 31, A transmission destination terminal 33 serving as a transmission destination used by the person in charge and a communication terminal 34 used by the person in charge A and permitted to be accessed by the person in charge. The communication terminal 34 is connected to the network 30 via a relay device called an access point 35 that performs wireless communication.

  Although an example in which the communication terminal 34 is connected to the network 30 via the access point 35 is shown here, the communication terminal 34 may be directly connected to the network 30. Further, the communication system is not limited to the person in charge A, but can include a plurality of communication terminals 34 used by a plurality of persons in charge, and the person in charge can permit access to at least one of the persons in charge. .

  The network 30 may be any network such as a LAN (Local Area Network), a WAN (Wide Area Network), and the Internet, and may be either a wired network or a wireless network. The network 30 may be a single network, or two or more networks connected using a relay device such as a router or a proxy server. Each terminal or server can perform communication using an appropriate communication protocol such as TCP / IP when performing communication via the network 30.

  Each of the transmission source terminal 31, the transmission destination terminal 33, and the communication terminal 34 publishes the public key used for encrypting the document on the network 30 or by e-mail, and decrypts the document encrypted with the public key. The private key used for this purpose is held and strictly managed so as not to leak outside. Hereinafter, the public key and secret key that are disclosed and held by each terminal will be described as the public key and secret key of the person who uses each terminal.

  The transmission source terminal 31 creates a document to be sent to the responsible person according to the instruction of the creator (sender), and uses the random number generated by the device itself and the public key of the responsible person, and creates the created document. The encrypted document is transmitted as a ciphertext to the server 32 in order to access the transmission destination terminal 33. The document to be created is plain text that is not encrypted, and may be any of text, table, figure, image, and a combination thereof.

The encryption can be performed using an encryption method such as RSA encryption, elliptic curve encryption, and ElGamal encryption. Here, since random numbers are handled, it is preferable to use ElGamal encryption. The ElGamal cipher is an encryption method using an asymmetrical relationship in which it is difficult to calculate a discrete logarithm, but a discrete power that is the reverse process is easy. In the discrete logarithm, when a prime number p and a constant q are given, it is easy to calculate y = g ^x mod p from x, but it is difficult to obtain x from y. g ^x mod p is an arithmetic expression for obtaining a remainder by dividing g ^x by p. As an encryption method using such a relationship, in addition to ElGamal encryption, Cramer-Shoup encryption using a hash function that is more robust than ElGamal encryption can be used.

Briefly explaining encryption, for example, if plaintext is D, random number is R, and encryption with public key, ElGamal cipher creates ciphertext of the form (p ₁ (D), p ₂ (R)). The That is, it is a ciphertext including an encrypted plaintext and an encrypted random number. Usually, since a random number having the same length as the plaintext is generated, an n-bit plaintext is encrypted as a 2n-bit ciphertext twice as much.

To be more specific about the encryption of the plaintext is D, the random number and r1, the public key of the person responsible When P ^a, the ElGamal encryption, ciphertext, for example, ^{(D × (P a) r1} , P It is created in the form of a power of ^r1 ). Cipher text, P ^r1 is obtained by encrypting the random number r1 with the public key P ^a responsible person.

  The transmission source terminal 31 transmits such a ciphertext to the server 32. When the server 32 receives the ciphertext received from the transmission source terminal 31, the server 32 stores the ciphertext in a storage device included in the server 32. The server 32 can notify the transmission destination terminal 33 that there is a document addressed to the person in charge. The responsible person receives the notification using the destination terminal 33, refers to the label attached to the ciphertext addressed to himself / herself stored in the server 32, and permits any person in charge to access the document. To decide.

The responsible person acquires the encrypted random number of the ciphertext stored in the server 32 using the destination terminal 33, that is, ^Pr1, and obtains the responsible person's private key a and the encrypted random number ^Pr1. And the public key P ^{b of} the determined person in charge (for example, person A) and the newly generated random number r2 are used to generate a ciphertext that can be decrypted with the private key b of person A. Create an encryption key. This random number r2 is completely different from the random number r1.

In this example, the re-encryption key can be calculated as (P ^b ) ^{r 2} / (P ^r1 ) ^a , for example. In addition, it encrypted using the public key P ^b of the person in charge A a random number r2, to calculate the P ^r2. Then, the person in charge uses the destination terminal 33 to specify the ciphertext permitting access, and to use the re-encryption key (P ^b ) ^r2 / (P ^r1 ) ^a and the encrypted random number P ^r2 . Send to server 32.

The server 32 extracts the specified ciphertext (D × (P ^a ) ^r1 , P ^r1 ) from the stored ciphertext based on the information received from the destination terminal 33 and receives the received re-encryption key Is used to convert the ciphertext. Specifically, the ciphertext D × (P ^a ) ^r1 is multiplied by the re-encryption key (P ^b ) ^r2 / (P ^r1 ) ^a and converted to D × (P ^b ) ^r2 , and D × (P ^a ) Replace ^r1 with D × (P ^b ) ^r2 . Further, to replace the portion of the P ^r1 to P ^r2. Then, the ciphertext becomes (D × (P ^b ) ^r2 , P ^r2 ), which is stored in the storage device instead of (D × (P ^a ) ^r1 , P ^r1 ).

The server 32 can notify the communication terminal 34 that there is a ciphertext permitted to be accessed, and the communication terminal 34 can receive the notification and read and obtain the ciphertext from the server 32. it can. The communication terminal 34 acquires ^Pr2 from the acquired ciphertext, decrypts it using the ^Pr2 and the secret key b of the person in charge A, and the person in charge A reads the plaintext D obtained by the decryption. Can do.

  Such an encryption method can be used when a person in charge of an organization accepts ciphertexts in a lump and distributes them to each person in charge in the organization for processing. It can also be used when the administrator encrypts the document with his / her public key and allows the document to be managed to be viewed only by a specific person. In addition, the example of these utilization is an example, and this invention is not limited to this utilization example. In this encryption method, since the ciphertext and the re-encryption key are in a one-to-one relationship by using a random number, it is possible to eliminate the risk of permission to access other than those determined by the person in charge.

  A computer such as a PC or a workstation can be used as the transmission source terminal 31, the server 32, the transmission destination terminal 33, and the communication terminal 34 included in the communication system. Each terminal can be a tablet terminal, a smartphone, a PDA (Personal Digital Assistant). ) Etc. Since all the devices have the same configuration, the hardware configuration of only the server 32 will be described with reference to FIG.

  The server 32 includes a CPU 40, a ROM 41, a RAM 42, an HDD 43, and a communication I / F 44 as hardware. The CPU 40 controls the entire server 32. The ROM 41 stores a boot program for starting the server 32 and firmware for controlling the HDD 43 and the like. The RAM 42 provides a work area for the CPU 40. The HDD 43 stores a program that performs communication with each terminal and conversion for re-encryption, an OS that provides basic functions for the program, files such as ciphertext, and various setting files. The communication I / F 44 is connected to the network 30 and controls communication with each terminal via the network 30. These can exchange information with each other via the bus 45.

  Although FIG. 4 shows an example in which the HDD 43 is used as a storage device, an SSD (Solid State Drive) may be used. In addition, hardware includes an input / output I / F, a display device such as a display, an input device such as a keyboard and a mouse, and an external storage I / F for connecting and controlling an external storage device such as an external HDD. It may be.

  Next, functions of each terminal and server will be described with reference to FIGS. 5 is a functional block diagram of the transmission source terminal 31, FIG. 6 is a transmission destination terminal 33, FIG. 7 is a server 32, and FIG. Referring to FIG. 5, the transmission source terminal 31 includes a document creation unit 50, a random number generation unit 51, a ciphertext generation unit 52, and a ciphertext transmission unit 53 as functional units. These functional units are implemented by the CPU provided in the transmission source terminal 31 by executing a program and by communication I / F.

  The document creation unit 50 creates a document by receiving information such as characters input by the document creator. The document to be created is plain text that has not been encrypted yet. The random number generator 51 generates a random number sequence. The random number has the same length as the plain text. Therefore, if the plaintext is n bits long, the random number is also n bits long. The random number is not limited to this, but can be generated using, for example, a rand function in C language.

  The ciphertext generation unit 52 uses the document created by the document creation unit 50, the random number generated by the random number generation unit 51, and the public key of the responsible person who is the transmission destination disclosed on the network 30. Then, the ciphertext as shown in the above example is generated by encrypting the random number with the public key. Then, the ciphertext generation unit 52 attaches a label to the generated ciphertext. Although it is not always necessary to attach a label, it is preferable to attach a label because the person in charge can easily grasp the content of the document without decrypting the ciphertext.

  The ciphertext transmission unit 53 transmits the ciphertext generated by the ciphertext generation unit 52 to the server 32. The ciphertext transmission unit 53 can access and transmit the ciphertext using address information such as the IP address of the server 32 registered in the transmission source terminal 31.

  Referring to FIG. 6, the transmission destination terminal 33 includes a notification receiving unit 60, a random number acquisition unit 61, a random number generation unit 62, a key generation unit 63, and a key transmission unit 64 as functional units. These functional units are realized by a communication I / F executed by a CPU included in a transmission destination terminal.

  The notification receiving unit 60 receives a notification that the ciphertext addressed to the person in charge has been received from the server 32. At this time, the label attached to the ciphertext can also be received at the same time. Note that the notification receiving unit 60 is not essential, and may be configured such that the destination terminal 33 periodically inquires whether there is a ciphertext addressed to the responsible person. It is also possible to have a configuration in which an inquiry is made and an inquiry is received in response to the instruction. The responsible person refers to the label received by the notification receiving unit 60 and determines the communication terminal 34 that permits access to the document.

  The random number acquisition unit 61 requests an encrypted random number included in the received ciphertext, and acquires the encrypted random number from the server 32. The random number acquisition unit 61 can use the document name given to the ciphertext as identification information and specify the document name to request an encrypted random number. The random number can be requested using any information as long as the ciphertext can be identified, such as a matter described in the label, without being limited to the document name. The random number generation unit 62 arbitrarily generates a random number in the same manner as the random number generation unit 51 of the transmission source terminal 31 shown in FIG.

  The key generation unit 63 generates the public key of the person in charge A who uses the communication terminal 34 determined by the person in charge, the encrypted random number, the secret key of the person in charge, and the random number generated by the random number generation part 62. Use to generate a re-encryption key. In addition, the key generation unit 63 encrypts the random number generated by the random number generation unit 62 with the public key of the person in charge A. The key transmission unit 64 transmits, to the server 32, a random number encrypted with the public key of the person in charge A together with information for specifying the communication terminal 34, information for specifying the ciphertext, and the re-encryption key. Requesting re-encryption of the ciphertext and instructing the communication terminal 34 to be notified. Here, notification is instructed, but it is also possible to request only re-encryption.

  Information for specifying the communication terminal 34 is terminal identification information for identifying the communication terminal 34, and may be a terminal name, an IP address, a MAC address, or the like. The information for specifying the ciphertext is information for identifying the ciphertext, and can be a document name, a matter described in a label, or the like.

  Referring to FIG. 7, the server 32 includes, as its functional units, a ciphertext receiving unit 70, a ciphertext storage unit 71, a notification unit 72, a random number transmission unit 73, a key receiving unit 74, and a conversion unit 75. And a ciphertext transmission unit 76. These functional units are implemented by the CPU provided in the server 32 and the program is executed by the HDD and the communication I / F.

  The ciphertext receiving unit 70 receives the ciphertext transmitted from the transmission source terminal 31. The ciphertext storage unit 71 stores the ciphertext received by the ciphertext receiving unit 70 or the converted and replaced ciphertext. The ciphertext storage unit 71 can also store a re-encryption key.

  The notification unit 72 notifies the transmission destination terminal 33 that the ciphertext addressed to the person in charge has been received. The notification unit 72 notifies the communication terminal 34 that there is a ciphertext addressed to the person in charge A. In the case of a configuration in which an inquiry is received from the transmission destination terminal 33 or the communication terminal 34, the notification unit 72 may not be provided.

  In response to a request from the transmission destination terminal 33, the random number transmission unit 73 transmits the encrypted random number included in the ciphertext to the transmission destination terminal 33. Transmission to the destination terminal 33 can be performed using address information such as the IP address of the destination terminal 33 registered in the server 32. The same applies to transmission to the communication terminal 34 described later. The key receiving unit 74 receives a re-encryption key generated at the transmission destination terminal 33 and a random number encrypted with the public key of the person in charge A. At this time, the key receiving unit 74 also receives information for specifying the communication terminal 34 and information for specifying the ciphertext.

  The conversion unit 75 identifies the ciphertext from among the ciphertexts stored in the ciphertext storage unit 71 from the information for identifying the ciphertext received by the key receiving unit 74, and identifies the communication terminal 34. From this information, the communication terminal 34 is specified from among the communication terminals connected to the network 30. Then, the converting unit 75 uses the re-encryption key to convert the encrypted document part in the specified ciphertext into an encrypted document part that can be decrypted with the secret key of the person in charge A. Convert. The encrypted random number portion is also replaced with the random number encrypted with the public key of the person in charge A received. Thus, the conversion unit 75 replaces the ciphertext stored in the ciphertext storage unit 71 with the converted ciphertext.

  In response to a request from the communication terminal 34, the ciphertext transmission unit 76 transmits the corresponding converted ciphertext out of the ciphertext stored in the ciphertext storage unit 71 to the communication terminal 34.

  Referring to FIG. 8, the communication terminal 34 includes a notification receiving unit 80, a ciphertext requesting unit 81, a ciphertext receiving unit 82, and a decrypting unit 83 as functional units. These functional units are implemented by a communication I / F in which a CPU included in the communication terminal 34 executes a program.

  The notification receiving unit 80 receives a notification from the server 32. This notification is a notification that there is a ciphertext addressed to the person in charge A. Instead of the notification receiving unit 80, a configuration may be adopted in which an inquiry is made as to whether or not there is a ciphertext that is permitted to access the server 32. In response to the notification, the ciphertext request unit 81 requests the server 32 for ciphertext. The ciphertext request can be made using address information such as the IP address of the server 32 registered in the communication terminal 34.

  When the server 32 receives the request, the server 32 searches the ciphertext storage unit 71 for the corresponding ciphertext and transmits the retrieved ciphertext to the communication terminal 34. The ciphertext receiving unit 82 receives the ciphertext transmitted by the server 32. The decryption unit 83 decrypts the received ciphertext using a secret key that is strictly managed by the communication terminal 34. The communication terminal 34 can activate and open an application corresponding to the decrypted document and display it on the screen.

  Up to now, the functions of each terminal and server and the contents of the processes executed by each terminal have been described. It will be described with reference to the flowchart showing the overall processing flow of the communication system shown in FIG. In FIG. 9, the process by each terminal and a server is distinguished and shown by the partition by a broken line.

  The processing is started from step 900. In step 901, a document to be transmitted by the transmission source terminal 31 to the responsible person who is the transmission destination is used by using the public key of the responsible person and a random number generated by the transmission source terminal 31. Encrypt. In step 902, the ciphertext including the encrypted document and the encrypted random number is transmitted to the server 32.

  In step 903, the server 32 receives the ciphertext and stores it in the ciphertext storage unit 71. In step 904, the server 32 notifies the destination terminal 33 that there is a ciphertext addressed to the person in charge. At this time, the label is also sent. In step 905, the responsible person refers to the label attached to the ciphertext, and the responsible person determines the communication terminal 34 that is permitted to access, for example, by selecting the communication terminal. In step 906, the destination terminal 33 requests the server 32 for an encrypted random number included in the ciphertext. In step 907, in response to this, the server 32 transmits the random number to the transmission destination terminal 33.

  In step 908, the transmission destination terminal 33 generates a random number and uses the determined public key of the communication terminal 34, the acquired encrypted random number, the responsible person's private key, and the generated random number. Generate a re-encryption key. At this time, the generated random number is encrypted with the public key of the person in charge A who uses the communication terminal 34 permitted to access. In step 909, the re-encryption key is transmitted to the server 32 together with the encrypted random number.

  In step 910, the server 32 uses the re-encryption key and the encrypted random number to convert the encrypted text into a ciphertext that can be decrypted with the person A's private key. In step 911, the original ciphertext is replaced with the converted ciphertext. In step 912, the server 32 notifies the communication terminal 34 that there is a ciphertext.

  In step 913, the communication terminal 34 requests a ciphertext, and in step 914, the server 32 transmits the requested ciphertext to the communication terminal 34. In step 915, the ciphertext received by the communication terminal 34 is decrypted with the secret key of the person in charge A, and the decrypted document is displayed. In step 916, this processing is terminated.

  In the communication system, even if the user 12 performs an internal attack on the server 32 and performs unauthorized access to another document encrypted with the key of the user 11, other ciphertexts addressed to the same responsible person have different random numbers. Therefore, the person in charge A cannot convert it into a ciphertext that can be decrypted. Therefore, the person in charge A cannot read the other ciphertext document. Therefore, this communication system can give access permission only to a specific document, and as a result, security can be improved.

  If the method of the present invention is used, even if login or biometric authentication is performed using a password to use such a service, it is only necessary once, and the re-encryption key is changed for changing the access permission. Just do it. For this reason, it is not necessary to repeat login every time the access permission is changed, and the work can be reduced. In addition, since the login is not repeated and the processing is simple, the operation of the server 32 can be reduced. In addition, a third party cannot restore the ciphertext from the re-encryption key, neither secret key can be obtained, re-encryption in the reverse direction, and access to other employees is permitted. Since the re-encryption key to be used cannot be forged, it is a very secure method.

  In the methods described so far, access permission can be given only to a predetermined document. However, if the server 32 is attacked and hijacked, whether or not the access-permitted document has been altered. Cannot be confirmed. That is, when a document is created on the server 32 without permission, the document is encrypted with the public key of the communication terminal 34, and re-encrypted, the communication terminal 34 determines whether the document is a falsified document. I do n’t know. This is because if an arbitrary random number is generated and a ciphertext is generated using the random number, a ciphertext similar to the ciphertext converted with the correct re-encryption key can be generated.

  Therefore, in the transmission source terminal 31, a sender who encrypts and transmits a document can transmit a ciphertext by attaching the electronic signature (digital signature) of the sender to the encrypted document. The digital signature is information that proves the sender of the document with encrypted signature information and guarantees that the document has not been tampered with.

  Processing using these will be described in detail with reference to FIG. In FIG. 10, the transmission destination terminal 33 and the server 32 are shown as one device (management terminal 90). The source terminal 31 includes an electronic certificate α including a verification key of a signer who is a sender S who uses the source terminal 31, a public key a of a responsible person A who uses the management terminal 90, and a signature of the signer. Using the key s and the document M, a ciphertext {C (a, M), α, D (s, M)} is created. The ciphertext includes a part C of the encrypted document and a part D of the electronic signature. Here, for the sake of simplicity, random numbers will not be mentioned, but in the present invention, naturally, random numbers are included for encryption.

  The transmission source terminal 31 transmits the created ciphertext to the management terminal 90. In the management terminal 90, the re-encryption key and the encrypted random number are converted into ciphertext that can be decrypted with the secret key of each person in charge using each communication terminal 34 by the same process as described above, It transmits to each communication terminal 34 according to the request | requirement of the communication terminal 34. FIG.

In FIG. 10, for example, ciphertexts {C (a, M ₁ ), α ₁ , D (s, M ₁ )} should be processed by persons in charge B and C by the person in charge A who uses the management terminal 90. And decide. Then, the management terminal 90 replaces the public key a included in the ciphertext with the public keys b and c of the persons in charge B and C with the re-encryption key, and the ciphertext {C (b, M ₁ ), α ₁ , D (s, M ₁ )}, {C (c, M ₁ ), α ₁ , D (s, M ₁ )}. Then, these ciphertexts are transmitted to the communication terminals B and C used by the persons in charge B and C.

For example, when the communication terminal B used by the person in charge B receives the ciphertext {C (b, M ₁ ), α ₁ , D (s, M ₁ )}, the communication terminal B receives the electronic certificate in the ciphertext. The digital signature is decrypted using the verification key included in the document α ₁ . The digital signature is obtained by encrypting a hash value calculated from a plaintext using a hash function with a signer's signature key. Therefore, a hash value can be obtained by decrypting the digital signature.

Further, the communication terminal B using the private key of the person B, decrypts the encrypted document, and acquires the document M _1. Communication terminal B, by applying a hash function to calculate a hash value for document M _1. Then, the communication terminal B compares the calculated hash value with the hash value obtained above to check whether they match. If they match, it can be displayed that no tampering has occurred, and if they do not match, it can be displayed that tampering has occurred. The hash function is a one-way function, and for example, SHA-1 or MD5 can be used.

  By sending the ciphertext with the digital signature in this way, the person in charge who is permitted to access can confirm whether or not the document has been falsified.

  The information processing apparatus, communication system, and information processing method of the present invention have been described in detail so far. However, the present invention is not limited to the above-described embodiments, and other embodiments, additions, changes, and deletions are performed. The present invention can be modified within a range that can be conceived by those skilled in the art, and any embodiment is included in the scope of the present invention as long as the effects and advantages of the present invention are exhibited. Therefore, it is possible to provide a program for causing a computer to execute the information processing method, a recording medium on which the program is recorded, an external device that holds the program and provides the program in response to a download request. Is.

DESCRIPTION OF SYMBOLS 10, 13 ... Ciphertext, 11, 12 ... User, 14 ... Re-encryption key, 15 ... Proxy, 20 ... Server, 21 ... Destination terminal, 22 ... Responsible person, 23 ... Label, 24 ... Re-encryption Key 25, communication terminal, 30 network, 31 source terminal, 32 server, 33 destination terminal, 34 communication terminal, 35 access point, 40 CPU, 41 ROM, 42, RAM 43 ... HDD, 44 ... Communication I / F, 45 ... Bus, 50 ... Document creation unit, 51 ... Random number generation unit, 52 ... Ciphertext generation unit, 53 ... Ciphertext transmission unit, 60 ... Notification reception unit, 61 ... Random number acquisition , 62 ... random number generator, 63 ... key generator, 64 ... key transmitter, 70 ... ciphertext receiver, 71 ... ciphertext storage, 72 ... notifier, 73 ... random number generator, 74 ... key receiver 75 ... Conversion unit, 76 ... Ciphertext transmission unit, 80 ... Notification reception unit, 81 ... Ciphertext request unit, 8 ... ciphertext receiving unit, 83 ... decoding unit, 90 ... management terminal

Claims (12)

An information processing apparatus for controlling access to information,
A storage unit for storing the information encrypted using the information, the first public key, and the first random number, and the first random number;
The encrypted information is generated using a first secret key corresponding to the first public key, the encrypted first random number, a second public key, and a second random number. The re-encryption key for converting the information into a information that can be decrypted by the second secret key corresponding to the second public key, and the second random number encrypted using the second public key. A receiving unit for receiving and
Using the re-encryption key, the encrypted information is converted into information that can be decrypted with the second secret key, and the encrypted information stored in the storage unit and the encrypted information are stored. An information processing apparatus including a conversion unit that replaces the first random number with the converted information and the encrypted second random number.   A notifying unit that publishes the first public key and notifies the first terminal holding the first secret key that there is the encrypted information addressed to the first terminal; and And a random number transmission unit that receives the encrypted first random number acquisition request from the terminal and transmits the encrypted first random number to the first terminal. Information processing device.   The encrypted information and the encrypted first random number have a label describing the content of the information, and the notification unit sends the label to the first terminal. The information processing apparatus according to claim 2.   A notifying unit that publishes the second public key and notifies the second terminal holding the second secret key that there is the converted information addressed to the second terminal; and the second terminal 4. An information transmission unit that receives the converted information acquisition request from the information transmission unit and transmits the converted information and the encrypted second random number to the second terminal. The information processing apparatus according to claim 1.   The information processing apparatus according to any one of claims 1 to 4, wherein encryption is performed using ElGamal encryption or Cramer-Shoup encryption.   The information processing apparatus according to claim 1, wherein an electronic signature is added to the encrypted information. An information processing apparatus according to claim 1, and a first terminal that publishes a first public key and holds the first secret key, wherein the first terminal includes: ,
A random number acquisition unit that acquires an encrypted first random number from the information processing apparatus;
A random number generator for generating a second random number;
Encrypted with the first public key using the obtained encrypted first random number, the first secret key, the second random number, and a second public key A re-encryption key for converting the received information into information that can be decrypted with a second secret key corresponding to the second public key, a second random number encrypted with the second public key, A key generation unit for generating
A communication system comprising: a key transmission unit that transmits the re-encryption key and the encrypted second random number to the information processing apparatus. The communication system includes a second terminal that publishes a second public key and holds the second secret key, and the second terminal includes:
An information requesting unit that requests the information processing apparatus to obtain information converted using the re-encryption key;
An information receiving unit for receiving the converted information and the encrypted second random number from the information processing apparatus;
The communication system according to claim 7, further comprising: a decryption unit that decrypts the converted information using the encrypted second random number and the second secret key. The communication system includes a third terminal, and the third terminal includes:
A random number generator for generating the first random number;
A generating unit that generates encrypted information and an encrypted first random number using the information, the first public key, the information, and the first random number;
The communication system according to claim 7, further comprising: an information transmission unit that transmits the encrypted file and the encrypted first random number to the information processing apparatus.   The communication system according to claim 9, wherein the generation unit adds an electronic signature to the encrypted file. An information processing method executed by an information processing device that controls access to information, wherein the information processing device encrypts information using the information, a first public key, and a first random number. And a storage unit for storing the first random number,
The encrypted information is generated using a first secret key corresponding to the first public key, the encrypted first random number, a second public key, and a second random number. The re-encryption key for converting the information into a information that can be decrypted by the second secret key corresponding to the second public key, and the second random number encrypted using the second public key. Receiving and
Using the re-encryption key to convert the encrypted information into information that can be decrypted with the second secret key;
Replacing the encrypted information and the encrypted first random number stored in the storage unit with converted information and the encrypted second random number. A program for causing a computer to execute an information processing method for controlling access to information, wherein the computer encrypts information using the information, a first public key, and a first random number, and A storage unit for storing the first random number;
The encrypted information is generated using a first secret key corresponding to the first public key, the encrypted first random number, a second public key, and a second random number. The re-encryption key for converting the information into a information that can be decrypted by the second secret key corresponding to the second public key, and the second random number encrypted using the second public key. Receiving and
Using the re-encryption key to convert the encrypted information into information that can be decrypted with the second secret key;
A program for executing the step of replacing the encrypted information and the encrypted first random number stored in the storage unit with converted information and the encrypted second random number.