JP2018148293A - Credential generation system and method, client terminal, server device, issuance request device, and credential issuance device and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a technology capable of generating credentials with higher security.SOLUTION: A server device 2 requests a credential issuance device 4 to issue credentials of a client terminal 1, the issuance request device 3 requests the credential issuance device 4 to issue the credentials of the client terminal 1, the credential issuance device 4 issues a part of the credentials of the client terminal 1 on the basis of the credential issuance request from the server device 2 and issues another part of the credentials of the client terminal 1 on the basis of the issuance request of the credential from the issuance request device 3, and the client terminal 1 generates credentials of the client terminal 1 by using a part of the issued credential and another part of the credentials.SELECTED DRAWING: Figure 1

Description

  The present invention relates to information communication technology, and more particularly to technology for generating credentials such as passwords and certificates.

  In recent years, incidents have occurred in which credentials such as client passwords and certificates are leaked from server devices. For example, in 2016, there was an incident where ID and PW information leaked from a major online storage service (see Non-Patent Document 1, for example). If a credential is misused by a third party, it becomes possible to execute unauthorized access to the leaked service and other services. As a result, there is a risk of leading to situations such as unauthorized use of services by third parties and browsing of client privacy information.

  One countermeasure against such incidents is an authentication system that allows third parties to issue credentials. Hereinafter, three specific examples (A) to (C) will be given.

  (A) Private CA (Certificate Authority) issues a certificate using a third party. In the private CA service credential issuance flow, upon receiving a client application, the service provider creates a CSR (Certificate Signing Request), adds a signature with its own private key, and issues a certificate to the private CA. Ask.

  (B) In the distributed key authority (Distributed Trusted Authority: D-TA) proposed by Apache MILAGRO (incubating) (for example, see Non-Patent Document 2), a third-party organization, D-TA, issues credentials. To do. In the credential issuance flow using D-TA, the service provider adds a message authentication tag to multiple D-TAs using HMAC keys and requests key issuance. D-TA issues the client's key if the key issuance request is correct.

  (C) A third-party authentication system is used for authentication linkage. The client accesses a third party service where the client authenticates. If authentication is performed correctly, the third party will issue a token, and if the service provider verifies the token and is correct, authentication will pass.

  In these examples, requests for issuing certificates, client keys, and tokens are credentials. Hereinafter, the secret key or HMAC key used for the credential is referred to as an issue request key. By using these existing technologies, the service provider does not have to hold the client credential information.

The guardian, “Dropbox hack leads to leaking of 68m user passwords on the internet”, [online], [Search February 22, 2017], Internet <URL: https://www.theguardian.com/technology/2016 / aug / 31 / dropbox-hack-passwords-68m-data-breach> Apache MILAGRO (incubating), [online], [Search February 22, 2017], Internet <URL: http://docs.milagro.io/en/> Michael Scott, "M-Pin: A Multi-Factor Zero Knowledge Authentication Protocol", [online], [Search February 22, 2017], Internet <URL: https://www.miracl.com/hubfs/mpin4 .pdf>

  Even if a third-party organization with a credential issuing device (hereinafter referred to as a credential issuing authority) is used to prevent unauthorized key issuance, the existing private CA and D-TA credential issuing methods are If the issuance request key owned by the server device is leaked or illegally used, there is a possibility that an unauthorized credential is issued. Unauthorized credential issuance leads to unauthorized use of services by attackers. As a concrete example, there is a possibility of causing actual damage such as fraudulent remittance by online banking or infringement of privacy information such as photos and videos.

  An object of the present invention is to provide a credential generation system and method, a client terminal, a server device, an issue request device, a credential issue device, and a program capable of generating a credential with higher security.

  A credential generation system according to an aspect of the present invention includes a client terminal, a server device that provides a service to the client terminal, an issue request device, and a credential issue device, and generates a credential for the client terminal. In the system, the server device requests the credential issuing device to issue the client terminal credential, the issuing device requests the credential issuing device to issue the client terminal credential, and the credential issuing device receives the credential from the server device. The client terminal issues a part of the client terminal credential based on the issuance request, and issues the other part of the client terminal credential based on the credential issuance request from the issuance request apparatus. , Using other portions of the part and credentials issued credential to generate the credential of the client terminal.

  Credentials with higher security can be generated.

The block diagram for demonstrating the example of a credential production | generation system. 6 is a flowchart for explaining an example of a credential generation method. The block diagram for demonstrating the example of the credential generation system of the specific example 1. FIG. The flowchart for demonstrating the example of the credential generation method of the specific example 1. FIG. The figure for demonstrating the example of the authentication method of the specific example 1. FIG.

[Embodiment]
Hereinafter, an embodiment of the present invention will be described with reference to the drawings.

  As illustrated in FIG. 1, the credential generation system includes, for example, a client terminal 1, a server device 2, an issue request measure 3, and a credential issue device 4. The credential generation method is realized, for example, by each unit of the credential generation system performing the processing from step S1 to step S13 described below with reference to FIG.

  The client terminal 1 is a terminal device such as a PC, a smartphone, or a tablet terminal that a client using the system has. The client terminal 1 accesses the server device 2 and the issue request device 3 and receives the credentials. Credentials are information used for user authentication such as ID, password, certificate, and key.

  The server device 2 is a server device owned by a service provider. The service provider uses the server device 2 to provide a predetermined predetermined service to the client. The server device 2 makes a credential issuing request to the credential issuing device 4, receives the credential issued by the credential issuing device 4, and transmits the received credential to the client terminal 1. At this time, as described later, the server device 2 may divide and deliver the credentials.

  The issue request device 3 is a server device that the issue request station has and makes a credential issue request to the credential issue device 4. The issue request device 3 can issue a credential issue request to the credential issue device 4 in the same manner as the server device 2. In other words, the issue request device 3 makes a credential issue request to the credential issue device 4, receives the credential issued by the credential issue device 4, and transmits the received credential to the client terminal 1. As described above, the authority to issue the credential issued by the service provider is distributed between the server device 2 and the issue request device 3.

  The credential issuing device 4 is a reliable third-party server device. The credential issuing device 4 verifies the issue request from the server device 2 and the issue request device 3, and if the verification result is correct, generates a credential divided into the number of the server device 2 and the issue request device 3, respectively. 2 and the issue request apparatus 3.

<Step S1>
The client accesses the server device 2 of the service provider using the client terminal 1 and requests registration of the client.

  In other words, the client terminal 1 transmits client registration information to the server device 2 (step S1).

<Step S2>
The server device 2 creates client information necessary for issuing credentials from the registration information of the client (step S2).

<Step S3>
The server apparatus 2 creates issuance request information that can identify the creator for the client information, and transmits the client information and the issuance request information to the credential issuing apparatus 4. For example, HMAC, common key cryptography, public key cryptography, or the like can be used to create issuance request information that can identify the creator.

  In other words, the server device 2 requests the credential issuing device 4 to issue the credentials of the client terminal 1 (step S3).

<Step S4>
The credential issuing device 4 verifies the received request, and if it is correct, issues a part of the credential corresponding to the client information and transmits it to the server device 2 (step S4).

<Step S5>
The server device 2 transmits the received credentials to the client terminal 1 (step S5).

  For example, the server device 2 randomly divides the received credential into two, transmits one by a method that can be obtained only by the client (for example, mail), and transmits the rest to the client terminal 1.

<Step S6>
The client terminal 1 creates a part of the credential using, for example, the credential received by the client from the server device 2 and the credential received by the client terminal 1 from the server device 2 (step S6).

  Thus, in this example, a part of the credentials issued by the credential issuing device 4 is transmitted to the client terminal 1 via the server device 2 by the processing from step S4 to step S6.

<Step S7>
The client uses the client terminal 1 to access the issue requesting device 3 and requests registration of the client.

  In other words, the client terminal 1 transmits client registration information to the issuance request apparatus 3 (step S7).

<Step S8>
The issue request apparatus 3 creates client information necessary for issuing the credential from the registration information of the client (step S8).

<Step S9>
The issuance request apparatus 3 creates issuance request information that can identify the creator for the client information, and transmits the client information and the issuance request information to the credential issuance apparatus 4. For example, HMAC, common key cryptography, public key cryptography, or the like can be used to create issuance request information that can identify the creator.

  In other words, the issue request device 3 requests the credential issue device 4 to issue the credentials of the client terminal 1 (step S9).

<Step S10>
The credential issuing device 4 verifies the request received from the issue request device 3, and if correct, issues the other part of the credential corresponding to the client information and transmits it to the issue request device 3 (step S10).

  The other part of the credential is information that can generate the credential corresponding to the client information by using the other part of the credential and a part of the credential corresponding to the client information issued in step S4.

<Step S11>
The issue request device 3 transmits the received credentials to the client terminal 1 (step S11).

  For example, the issuance request apparatus 3 randomly divides the received credential into two, transmits one by a method that can be obtained only by the client (for example, mail), and transmits the rest to the client terminal 1.

<Step S12>
The client terminal 1 creates the other part of the credential using, for example, the credential received by the client from the server device 2 and the credential received by the client terminal 1 from the server device 2 (step S12).

  In this way, in this example, the other part of the credential issued by the credential issuing device 4 is transmitted to the client terminal 1 via the issue requesting device 3 by the processing from step S10 to step S12.

<Step S13>
The client terminal 1 creates a credential corresponding to the client information using a part of the credential created in step S6 and the other part of the credential created in step S12.

  In other words, the client terminal 1 generates the credential of the client terminal 1 by using a part of the credential issued by the credential issuing device 4 and the other part of the credential by the credential issuing device 4 (step S13).

  The effects of the above embodiment will be described below. For example, it is assumed that the attacker knows information about the attacking client. In addition, if the attacker succeeds in the attack, the client's credentials will be acquired. Furthermore, it is assumed that the attacker cannot know the information that reaches the client's email address. Even if the service provider is attacked and the information held by the service provider is leaked or used illegally, the attacker can acquire only the issuing authority of the server apparatus 2 and the issuing authority of the issuing request apparatus 3 Can not get. Therefore, the attacker cannot obtain the client credentials. Therefore, it can be said that the above embodiment has higher safety than the existing model.

  In this way, in order to prevent an unauthorized issue request of credentials when the server device 2 of the service provider is attacked, a new issue request device 3 is prepared, and the server device 2 and the issue request device 3 of the service provider are prepared. Credentials can be generated when both issue requests. Thereby, it is possible to generate a credential with higher security.

[Specific Example 1]
Hereinafter, as a specific example 1, an example of an authentication system using D-TA will be described.

  In an authentication system using D-TA, one or more D-TAs and an issuing requesting authority are used. As the issuance request protocol, message authenticators such as HMAC, public key cryptography such as AES, public key cryptography such as RSA and ECC, and the like can be used.

  In the authentication system described below, one issue request device 3 is used as an issue request station, and two D-TAs are used as the credential issue device 4. The two D-TAs are D-TA1 and D-TA2. Credential issuance requests are made using HMAC, and the HMAC key is securely exchanged in advance between the server device of the service provider and D-TA1, and between issuance request device 3 and D-TA2. Suppose that As the authentication protocol, the M-pin protocol is used (for example, see Non-Patent Document 1). As a method that can be received only by the client, the server device 2 sends a part of the credential information to the client mail address, and the issuance request device 3 sends a URL to the client mail address within a predetermined time. Only when you can access the URL, send it to a part of the credential information.

  Describes notation and symbols used in the following description.

  q is a predetermined prime number. G1 and G2 are q-torsion points in the elliptic curve. G3 is a subgroup of order q of the finite field. e: G1 × G2 → G3 is a pairing function. H1: {0,1} → G1 is a hash function. P and Q are generation sources of G1 and G2, respectively. mail is the mail address of the client. P is a client ID, which is a coordinate obtained by mapping mail to a point on an elliptic curve by putting mail in a hash function. sQ is a secret key of the server device 2. k1 and k2 are HMAC keys. Assume that the server apparatus 2 and D-TA1 have k1, and the issue request apparatus 3 and D-TA2 have k2. s1 and s2 are master secret keys. Suppose D-TA1 has s1 and D-TA2 has s2.

<Step S1>
The client terminal 1 transmits mail to the server device 2. mail corresponds to the registration information of the client.

<Step S2>
P ← H1 (mail). That is, the server apparatus 2 calculates H1 (mail) and substitutes it for P. P corresponds to client information.

<Step S3>
tag1 ← HMAC (k1, P). That is, the server apparatus 2 calculates HMAC (k1, P) and substitutes it into tag1.

  Then, the server device 2 transmits P and tag1 to D-TA1 of the credential issuing device 4. P and tag1 correspond to the issuance request information.

<Step S4>
IF tag1 = HMAC (k1, P), s1P ← s1 * P. That is, D-TA1 of credential issuing device 4 calculates HMAC (k1, P) using received P and k1, and determines whether or not the calculation result matches received tag1. If it is determined that they match, s1 * P is calculated and substituted for s1P.

  Then, the D-TA1 of the credential issuing device 4 transmits s1P to the server device 2.

  s1P corresponds to part of the credentials.

<Step S5>
a∈Z _q ^* , aP ← a * P, (s1-a) P ← s1P-aP. That is, the server apparatus 2 selects aεZ _q ^* , calculates a * P and substitutes it into aP, calculates s1P-aP, and substitutes it into (s1-a) P.

  Then, the server device 2 transmits P, (s1-a) P to the client terminal 1. Further, the server device 2 transmits a to the mail address mail, thereby transmitting a to the client.

<Step S6>
aP ← a * P, s1P ← (s1-a) P + aP. That is, the client terminal 1 calculates a * P and substitutes it into aP, calculates (s1-a) P + aP, and substitutes it into s1P.

  s1P corresponds to part of the credentials.

<Step S7>
The client terminal 1 transmits mail, P to the issue request device 3. mail and P correspond to client registration information.

<Step S8>
In this example, the process of step S8 is not performed.

<Step S9>
tag2 ← HMAC (k2, P). That is, the server device 2 calculates HMAC (k2, P) and substitutes it into tag2.

  Then, the server device 2 transmits P and tag2 to D-TA2 of the credential issuing device 4. P and tag2 correspond to the issuance request information.

<Step S10>
IF tag2 = HMAC (k2, P), s2P ← s2 * P. That is, the D-TA2 of the credential issuing device 4 calculates HMAC (k2, P) using the received P and k2, and determines whether the calculation result matches the received tag2. If it is determined that they match, s2P is calculated and substituted for s2P.

  Then, the D-TA 2 of the credential issuing device 4 transmits s2P to the issue request device 3.

  s2P corresponds to the other part of the credential.

<Step S11>
b∈Z _q ^* , bP ← b * P, (s2-b) P ← s2P-bP. That is, the issue requesting device 3 selects bεZ _q ^* , calculates b * P and substitutes it into bP, calculates s2P-bP, and substitutes it into (s2-b) P.

  Then, the issue request apparatus 3 transmits (s1-a) P to the client terminal 1.

  The issuance request device 3 transmits a predetermined URL to the mail address mail. The client receives b from the issue request device 3 by accessing the received URL. In this way, the issuance request apparatus 3 transmits b to the client.

<Step S12>
bP ← b * P, s2P ← (s2-b) P + bP. That is, the client terminal 1 calculates b * P and substitutes it into bP, calculates (s2-b) P + bP, and substitutes it into s2P.

  s2P corresponds to the other part of the credential.

<Step S13>
sP ← s1P + s2P. That is, the client terminal 1 calculates s1P + s2P and substitutes it into sP.

  sP corresponds to the credential. In this example, sP is a key used for authentication described below.

  In steps S14 to S17, an authentication process is performed between the client terminal 1 and the server 2 device.

<Step S14>
x∈Z _q ^* , U ← x * P. That is, the client terminal 1 selects xεZ _q ^* , calculates x * P, and substitutes it into U.

  Then, the client terminal 1 transmits mai and U to the server device 2.

<Step S15>
y∈Z _q ^* . That is, the server apparatus 2 selects yεZ _q ^* .

  Then, the server device 2 transmits y to the client terminal 1.

<Step S16>
V →-(x + y) ((s-α) P + αP). That is, the client terminal 1 calculates − (x + y) ((s−α) P + αP) and substitutes it for V. α is a pin number set by the client. Further, s = s1 + s2.

  Then, the client terminal 1 transmits y to the server device 2.

<Step S17>
P = H1 (mail), g = e (V, Q) ・ e (U + yP, sQ), IF g ≠ 1, reject the connection. That is, the server device 2 calculates H1 (mail) and substitutes it for P, calculates e (V, Q) · e (U + yP, sQ) and substitutes it for g, and g ≠ 1. To determine.

  The server device 2 disconnects the connection of the client terminal 1 if g ≠ 1, and assumes that the authentication of the client terminal 1 is successful if g ≠ 1.

[Specific Example 2]
Hereinafter, as a specific example 2, an example of an authentication system using PKI will be described.

  An authentication system using PKI uses one or more CAs and issuing request stations. As the issuance request protocol, message authenticators such as HMAC, public key cryptography such as AES, public key cryptography such as RSA and ECC, and the like can be used.

  The authentication system described below uses one issue request device 3 as an issue request station and one CA as a credential issue device 4. Hereinafter, CA is referred to as a credential issuing device 4. Also, RSA public key cryptography is used as the issuance request protocol. It is assumed that the public key used in the issue request is securely exchanged between the server device 2 and the credential issue device 4, and between the issue request device 3 and the credential issue device 4. For the authentication protocol, RSA signature using a certificate is used. As a method that can be received only by the client, the server device 2 and the issue requesting device 3 send part of the key information to the mail address.

<Step S1>
The client terminal 1 transmits client registration information, which is an ID and a mail address necessary for the certificate, to the server device 2.

<Step S2>
The server device 2 creates a CSR necessary for issuing the credential from the registration information of the client.

<Step S3>
The server device 2 creates a signature for the CSR with its own RSA private key, and transmits the CSR and signature to the credential issuing device 4. CSR and signature correspond to issue request information.

<Step S4>
The credential issuing device 4, which is a CA, verifies the received signature with the public key of the server device 2. If the verification result is correct, a certificate is created according to the CSR, and the signature value of the certificate is randomly divided into two. .

  Then, the credential issuing device 4 transmits to the server device 2 the pre-signature certificate of the certificate, the signature algorithm, and one signature value divided. One of the divided signature values corresponds to a part of the credential.

<Step S5>
The server apparatus 2 randomly divides the signature value of the received certificate into two parts, transmits one of them by a method that only the client can obtain (such as transmitting information to a mail address), and transmits the rest to the client terminal 1.

<Step S6>
The client terminal 1 creates a part of the signature value by combining the signature value received by the client by mail and the signature value received by the client terminal 1 from the server device 2.

  Part of this signature value corresponds to part of the credential.

<Step S7>
The client terminal 1 transmits client registration information, which is an ID and a mail address necessary for the certificate, to the issuance request apparatus 3.

<Step S8>
The issue request apparatus 3 creates a CSR necessary for issuing a credential from the registration information of the client.

<Step S9>
The issue requesting device 3 creates a signature for the CSR with its own RSA private key, and transmits the CSR and signature to the credential issuing device 4. CSR and signature correspond to issue request information.

<Step S10>
The credential issuing device 4 that is a CA verifies the received signature with the public key of the issue requesting device 3, and if the verification result is correct, the issuance requesting device 3 uses the remaining part of the signature value of the certificate generated in step S4. Send to.

  The remaining part of the signature value corresponds to the other part of the credential.

<Step S11>
The issuance requesting device 3 randomly divides the signature value of the received certificate into two, transmits one of them in a method that only the client can obtain (such as transmitting information to a mail address), and transmits the rest to the client terminal 1. .

<Step S12>
The client terminal 1 creates a part of the signature value by combining the signature value received by the client by mail and the signature value received by the client terminal 1 from the issue requesting device 3.

  Part of this signature value corresponds to the other part of the credential.

<Step S13>
The client terminal 1 creates a complete certificate by adding a part of the signature value created in step S6 and a part of the signature value created in step S12.
By configuring such an authentication system, it is possible to safely issue a certificate while entrusting a certificate issuing function to the third party, which is the issue requesting device 3.

[Modifications, etc.]
The number of issue request devices 3 and credential issue devices 4 is arbitrary. A server device and a plurality of issue request devices 3 may be used for one credential issuing device 4, or the issue request authority of a plurality of credential issue devices 4 may be held by one server device and the issue request device 3.

  Further, the credential delivery method from the credential issuing device 4 to the client terminal 1 is not limited to one. A method of delivering the entire client credentials via the server device 2 may be used. The entire client credential may be divided into the server device 2 and the issue requesting device 3 and transmitted from both devices.

  Further, when the credential is delivered from the server device 2 or the issue requesting device 3 to the client, it may be divided and delivered using a method in which only the client can receive an e-mail address or the like.

  Needless to say, other modifications are possible without departing from the spirit of the present invention.

[Program and recording medium]
When each process in the client terminal 1, the server apparatus 2, the issue request apparatus 3, and the credential issue apparatus 4 is realized by a computer, the processing contents of the functions that these terminals and apparatuses should have are described by a program. Then, by executing this program on a computer, the processing of these terminals and devices is realized on the computer.

  The program describing the processing contents can be recorded on a computer-readable recording medium. As the computer-readable recording medium, for example, any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory may be used.

  Each processing means may be configured by executing a predetermined program on a computer, or at least a part of these processing contents may be realized by hardware.

1 Client terminal 2 Server device 3 Issuing request measure 4 Credential issuing device

Claims (8)

In a credential generation system that generates a credential of the client terminal, including a client terminal, a server device that provides a service to the client terminal, an issue request device, and a credential issue device,
The server device requests the credential issuing device to issue the client terminal credential,
The issuing device requests the credential issuing device to issue the credentials of the client terminal,
The credential issuing device issues a part of the credential of the client terminal based on a credential issuance request from the server device, and other than the credential of the client terminal based on the credential issuance request from the issuance request device. Issued a department,
The client terminal generates a credential for the client terminal using a part of the issued credential and the other part of the credential.
Credential generation system. The credential generation system of claim 1,
The credential issuing device transmits a part of the issued credential to the client terminal via the server device, and transmits the other part of the issued credential to the client terminal via the issue request device. ,
Credential generation system.   The client terminal of the credential generation system according to claim 1 or 2.   The server device of the credential generation system according to claim 1 or 2.   The issuance request device of the credential generation system according to claim 1 or 2.   The credential issuing device of the credential generation system according to claim 1 or 2. In a credential generation method that is executed by a client terminal, a server device that provides a service to the client terminal, an issue request device, and a credential issue device, and generates a credential of the client terminal,
The server device requests the credential issuing device to issue the credentials of the client terminal;
The issuing device requesting the credential issuing device to issue the credentials of the client terminal;
The credential issuing device issues a part of the credential of the client terminal based on the credential issuance request from the server device, and other than the credential of the client terminal based on the credential issuance request from the issuance request device. Issuing a part;
The client terminal generates a credential for the client terminal using a part of the issued credential and the other part of the credential;
Credential generation method.   The program for functioning a computer as each part of the terminal or apparatus in any one of Claim 3-6.

Images