JP2021118406A - User authentication method and user authentication method - Google Patents

Abstract

To provide a user authentication method and a user authentication method that can strengthen the confidentiality of a private key used at the time of user authentication.SOLUTION: In a user authentication method, a private key and a public key are generated in advance on the basis of user's password information, and three distributed keys A1 to A3 are generated from private key information. The distributed key A1 is registered in a client device, the distributed key A2 is registered in an offline device, and the private key information is erased (S21 to S24). In addition, the public key is registered in a server, the distributed key A3 is registered in a distributed key management server for backup, the public key is deposited in certificate authority, and a certificate is obtained (S25 to S27). At the time of authentication, the private key information is reproduced using two of the distributed keys A1 to A3, and the server system is logged in.SELECTED DRAWING: Figure 6

Description

The present invention relates to a technique for user authentication for logging in to a system or application.

For user authentication, various systems such as IC card authentication and fingerprint authentication have been proposed, and many types that combine passwords are also used. For example, as a method for user authentication on a network, "PAP (Password Authentication Protocol: RFC1334)" described in Non-Patent Document 1 is known.

To explain the outline based on FIG. 1, when the user tries to log on, the server 3 prompts for the input of the user name and the password 1. The character string (phrase) input by the user as the password 1 is transmitted to the server 3 by the client device (user terminal: PC, smartphone, tablet, etc.) 2.

When the server 3 receives the user's password, it encrypts it by the same method as the password file (encrypted) 4 held by the server 3. The identity of the user is determined by comparing the two, and if the two match, the user is allowed to log in.

However, the user name and password 1 entered by the user are transmitted to the server 3 as they are without being encrypted on the client device 2. As a result, as shown in FIG. 2, there is a possibility that packets may be leaked due to eavesdropping of packets on the communication path (Internet or the like) 5 or intrusion into the server 3, and unauthorized use (unauthorized access) by spoofing may occur.

Therefore, improvement of user authentication as shown in FIG. 3 has been proposed. Here, the password information is secretly shared as in the virtual currency protection method of Non-Patent Document 2, and the distributed key (PW fragment E: private key) is assigned to the participants appropriate for operation.

Details will be described with reference to FIGS. 4 and 5. FIG. 4 shows the setup on the client device 2 side of the user. Further, FIG. 5 shows the operation (authentication operation) of the client device 2 and the server 3 at the time of user authentication.

(1) Setup The setup processing operations (S01 to S03) will be described with reference to FIG.

S01: At the start of setup, the user operates the client device 2 to generate a user name and a private key (password) 1.

S02, S03: A public key (public key) is generated by a general public encryption method using the password 1 information (character string) generated in S01 as a private key (private key) (S02). While the password information is secretly managed by the user, the public key is registered in the PW public key file DB4 of the server 3 together with the user name (S03).

(2) Authentication Operation An authentication operation (S11 to S16) of the client device 2 and the server 3 will be described with reference to FIG.

S11: The user operates the client device 2 to tell the user name to the server 3 and request a connection. As a result, the authentication operation is started.

S12: When there is a connection request from the user of S11, the server 3 generates a random number and a time stamp, encrypts the generated information with the public key of the password file 4, and transmits the generated information to the client device 2.

S13: When the transmission of S12 is received by the client device 2, the client device 2 decrypts the code using the private key based on the received information, and "the same random number is used for the server time, client time, user name, and four-party hash. , Encrypt it with the private key, and send it to the server 3.

S14, S15: When the server 3 receives the transmission of S13, the ciphertext of the received information is decrypted by the public key of the corresponding user, and the "message hash value" and the "decrypted hash value" sent in S12 are displayed. To judge the success or failure of the authentication.

That is, if both match and the time stamp interval is equal to or less than a predetermined value, the user's identity is affirmed and the authentication is established, while if not, the user's identity is denied and the authentication is denied (S14). If the authentication is established, the session key and the establishment notification are transmitted from the server 3 to the client device 2 (S15), and login is permitted.

S16: The user receives the transmission of S15 by the client device 2, starts a predetermined operation using the session key, and ends the authentication operation.

"Chapter 6 Remote Access Billing Countermeasure Technology 6.5 User Authentication System" Searched on November 27, 2019 Internet URL <https://www.ipa.go.jp/security/awareness/administrator/romote/capter6 /5.html ＞ Masao Yamazawa, Atsushi Tsunoda, Ken Kondo, Toshiaki Saisho, Masafumi Gotaiko, Nao Sato, Shigeo Tsujii, Keiichi Noda, "MELT-UP activities for high reliability of cryptocurrency (bitcoin) and blockchain- Focusing on private key management-, "SCIS) 2018, 4F2-2. Jan. January 2018. Masao Yamazawa, Atsushi Tsunoda, Ken Kondo, Toshiaki Saisho, Masashi Gotaiko, Nao Sato, Hirosuke Yamamoto, Shigeo Tsujii, Keiichi Noda, "MELT for High Reliability of Cryptocurrency (Bitcoin) Blockchain" UP Activities (II) -Operations and Ethics-, "CSS2018, 3B3-5. October 2018. Masao Yamazawa, Atsushi Tsunoda, Ken Kondo, Toshiaki Saisho, Masashi Gotaiko, Nao Sato, Hirosuke Yamamoto, Shigeo Tsujii, Keiichi Noda, "Context of Security Management, MELT-UP Activities for Deeper Understanding-Modern Issues" And enlightenment, "The 32nd National Convention of the Japan Security Management Society, June 2018

A public key cryptosystem is used in authentication using PKI (Public Key Infrastructure. There is no mechanism for cryptographically protecting the private key of the public key cryptosystem, and it is used as a secret in operation.

The problem of the present invention is to make it possible to construct an information processing system that is secure against leakage, destruction, failure, etc. of the private key by distributing the private key by a cryptographic operation called secret sharing. There is.

(1) One aspect of the present invention is a method in which a server authenticates a user in response to a connection request.
A setup process that generates a private key and a public key based on the user's authentication information in advance,
If there is a connection request, it has an authentication process that identifies the user using both keys.
The setup process includes a distributed key generation step of generating at least three distributed keys from the private key.
A distributed key storage step in which each of the distributed keys is distributed and stored in the client device, offline device, and distributed key management server on the user side, and
It has a public key registration step of registering the public key and the user's information in the server.
The authentication process includes a first transmission step in which a random number and a time stamp are encrypted with a public key on the server side and transmitted to the user side.
A restoration step in which the private key is restored by using two or more of the distributed keys on the user side,
A second transmission step of decrypting the decrypted information with the private key based on the information received in the first transmission step, encrypting the decrypted information with the private key, and transmitting the decryption information to the server side.
The server is characterized by having an authentication step of decrypting the information received in the second transmission step with the public key and comparing it with the transmission information of the first transmission step to determine the success or failure of the authentication. ..

(2) Another aspect of the present invention is a method in which a server authenticates a user in response to a connection request.
Set up a private key and a public key based on the user's authentication information in advance, and if there is a connection request, authenticate the user using both keys.
During the setup
At least three distributed keys are generated from the private key, and each of the generated distributed keys is stored in each of the client device, offline device, and distributed key management server on the user side.
After storing each distributed key by the distributed key storage step, the public key and the user information are registered in the server.
When authenticating the user
While the server side encrypts the random number and time stamp with the public key and sends it to the user side,
The user side reads two or more of the distributed keys to restore the private key, decrypts the decrypted information with the private key based on the received information, encrypts the decrypted information with the private key, and sends the decrypted information to the server side.
The feature is that the information received on the server side is decrypted with the public key to identify the user, and the success or failure of the authentication is determined.

According to the present invention, it is possible to construct an information processing system that is secure against leakage, destruction, failure, etc. of the private key by distributing the private key by a cryptographic operation called secret sharing.

Schematic diagram of user authentication. Schematic diagram showing the risk. Schematic diagram of the improvement. The chart figure which shows the setup operation process of FIG. The sequence diagram which shows the authentication operation of FIG. The chart which shows the setup operation process of the user authentication method (method) which concerns on embodiment of this invention. The sequence diagram which shows the authentication operation example 1. FIG. The sequence diagram which shows the authentication operation example 2. The sequence diagram which shows the authentication operation example 3. (A) is a graph showing the restoration principle of the private key information S, and (b) is a graph showing an example in which restoration is not possible. The block diagram of the Example.

Hereinafter, the user authentication method (method) according to the embodiment of the present invention will be described. Here, the secret sharing technology of Non-Patent Documents 2 to 4 is mainly applied to user authentication for logging in to a specific system / application, and the secret key is divided and operated to improve confidentiality and availability. In order to use this authentication method, it is necessary to set up on the user side in advance as in the past.

≪Setup process≫
First, the setup process will be described with reference to FIG. In this description, the same reference numerals as those in FIG. 2 are used.

As an example, a setup process for a user to log in to the system / application of the server 3 will be described. Here, it is assumed that the user executes the set-up process (S21 to S27) from the client device 2 owned by the user.

S21: At the start of setup, the user operates the client device 2 in the same manner as in S11 to generate authentication information, that is, a user name and a private key (private key / password) 1.

S22: The same process as in S02 of FIG. 4 is performed.

S23: From the information of the secret key 1 generated in S22 (character string: hereinafter referred to as the secret key information S), the distributed keys A1 to A3 are generated by the secret sharing technique of Non-Patent Documents 2 to 4. Although S23 shows an example of generating the distributed keys A1 to A3, the number of distributed keys is not limited to three, and may be three or more.

S24: The distributed keys A1 and A2 generated in S23 are saved and registered. That is, the distributed key A1 is stored in a secure area (for example, an encrypted area) of the client device 2. On the other hand, the distributed key A2 is stored in the tamper-resistant area of a secure offline device (for example, USB memory, security card, etc.) 7. After storing both A1 and A2, the private key information S is completely erased from the client device 2, and the user secretly manages the distributed keys A1 and A2.

S25: The user name and the public key (public key) generated in S22 are registered in the password file DB 4 of the server 3. At this time, in order to maintain sufficient security, it is preferable to save and register the public key offline.

S26: Save / register the distributed key A3 generated in S23. Here, the distributed key A3 is registered in the database (DB) of the distributed key management server DK8 (see FIGS. 8 and 9), which is not shown, in a format associated with the user name. The distributed key A3 can be used as a backup when the distributed keys A1 and A2 are lost.

S27: Deposit the public key with the certificate authority (CA) and obtain the certificate. Here, it is assumed that the user and the server 3 share a certificate. Obtaining this proof may be provided as an option.

≪Authentication operation≫
Next, the authentication operation (authentication process) after the setup will be described. Here, user authentication is performed using two of the distributed keys A1 to A3. Hereinafter, the authentication operation will be described according to the combination of the distributed keys A1 to A3.

(1) Authentication operation example 1
An authentication operation example 1 will be described with reference to FIG. 7. FIG. 7 shows an authentication process (S31 to S38) in which the user requests authentication by the client device 2. It is assumed that the offline device 7 is connected to the client device 2 in a readable state.

S31, S32: The user operates the client device 2 to inform the server 3 of the user name and request a connection (S31). As a result, the authentication operation is started. At this time, it is assumed that the distribution key A2 of the offline device 7 is read into the client device 2 at the same time (S32).

S33: Similar to S12, the server 3 generates a random number and a time stamp in response to the connection request of S31, encrypts the generated information with the public key, and transmits the generated information to the client device 2.

S34: When the client device 2 receives the transmission of S33, the private key information S is restored by the distributed keys A1 and A2. The restoration of the private key information S will be described with reference to FIG.

That is, as shown in FIG. 10A, the linear function "y = ax + S" is determined by randomly selecting the slope a with the y-intercept of the linear function as the secret key information S. The points "w1, w2, w3, ..." on the straight line of this linear function are used as the distributed key information. In this case, if the two points of the distributed key information are collected, the secret key information S can be restored by solving the simultaneous equations of the equations (1) and (2).
Equation (1): y1 = a × w1 + S
Equation (2): y2 = a × w2 + S
On the other hand, as shown in FIG. 10B, the line segment cannot be fixed and the private key information S cannot be restored by using only one of "w1 and w2". At this time, if "w1 = distributed key A1, w2 = distributed key A2, w3 = distributed key A3", the private key information S can be restored by aligning two of the distributed keys A1 to A3.

S35: The client device 2 executes transmission to the server 3 through the same processing as in S13 using the private key information S restored based on the received information in S34. The private key information S restored after this transmission is deleted.

S36 to 38: When the server 3 receives the transmission of S35, the same authentication process as in S14 is executed (S36). If the authentication is established at this time, the session key and the establishment notification are transmitted to the client device 2 as in S15, and login is permitted (S37). Therefore, when the client device 2 receives the transmission of S37, the user can start a predetermined operation using the session key (S38), thereby ending the authentication operation.

According to this authentication method, since two of the distributed keys A1 to A3 are required to restore the private key information S, the private key information S is restored even if each of them is individually leaked or lost. There is no risk of it being done, and its confidentiality is strengthened. Further, since the private key information S restored in S34 is erased after the processing of S35, the risk of theft is reduced.

Therefore, the theft of the private key information S is prevented, and the risk of unauthorized access such as spoofing can be avoided. As a result, it is possible to construct an information processing system that is secure against leakage, destruction, failure, etc. of the private key by distributing the private key by a cryptographic operation called secret sharing. Further, since the security of the private key can be ensured in the public key cryptosystem, it is possible to ensure the security of the private key not only in the PKI authentication method but also in the blockchain technology.

(2) Authentication operation example 2
An authentication operation example 3 will be described with reference to FIG. In S41 to S48 in FIG. 8, basically the same operation processing as in S31 to S38 is executed.

Here, the client device 2 accesses the distributed key management server 8 via the network and reads the distributed key A3 (S42). Therefore, the private key information S is restored by the distributed keys A1 and A3 (S44), and the user is allowed to log in (S47).

As a result, for example, when the offline device 7 is lost or the distributed key A2 is accidentally erased, the user can restore the private key information S by using the backup distributed key A3 instead of the distributed key A2, and the availability. Is improved.

At this time, the user can request the additional issuance of a new distributed key A2'after logging in. As the new distribution key A2'issued here, the distribution information on the straight line of the linear function shown in FIG. 10A is used.

That is, a new distribution key A2'(random number different from the distribution key A2) is generated based on the distribution information on the line segment determined by "w1 (A1), w3 (A3)". As a result, the offline device 7 can be used by reissuing the security card of the distributed key A2'and downloading it to the USB memory.

After that, the private key information S can be restored by the distributed keys A1 and A2', and the availability is improved in this respect as well. Normally, it is preferable to suspend the use of the distributed key A2 of the offline device 7 that has been lost. However, since the private key information S cannot be restored by itself as described above, the risk of unauthorized access can be reduced even if the use of the distributed key A2 is forgotten to be stopped.

(3) Authentication operation example 3
An authentication operation example 2 will be described with reference to FIG. In S51 to S58 in FIG. 9, the same operation processing as in S31 to S38 is executed. However, the client device 2 in S31 to S38 is read as the distributed key management server 8 and executed.

That is, if the offline device 7 is readablely connected to the distributed key management server 8, the distributed key A3 is read into the distributed key management server 8, the private key information S is restored by the distributed keys A2 and A3, and the user can log in. Will be done.

Therefore, even if the distribution key A1 of the client device 2 is not provided, the private key information S can be restored by the distribution key A7 of the offline device 7 and the backup distribution key A3 registered in the distribution key management server 8, and the same as in the second embodiment. Similarly, availability is improved.

For example, when the user uses a smartphone as the client device 2, even if the smartphone is changed / lost, login is permitted if the private key information S is restored by the distributed keys A2 and A3. After this login, the data of the old model may be transferred to the new model, which makes the data transfer safe and easy.

<< Example >>
An embodiment will be described with reference to FIG. FIG. 11 shows a configuration example of a lifestyle-related improvement support system. Here, the client devices 2 owned by the lifestyle improvement supporters U1 to U3 are connected to the AI analysis server 3 and the MIRUWS management server (distributed key management server) 8 via a communication path (Internet or the like) 12, respectively.

At this time, the distributed key A1 is registered in each client device 2 by the set-up process (S21 to S28), the security card (offline device) 7 of the distributed key A2 is distributed to the supporters U1 to U2, and the MIRUWS management server 8 The distributed key A3 is stored in the server for backup.

The supporters U1 and U2 basically restore the private key information S with the distributed keys A1 and A2, log in to the lifestyle improvement support system of the AI analysis server 3, and feed the terminal 10 of the viewer C. Provide advice and information.

However, if one of the distributed keys A1 / A2 cannot be used for some reason (change / loss of the client device 2 model / loss of the security card 7, etc.), the private key information S is restored by using the distributed key A3. , You can log in to the lifestyle improvement support system.

As a result, the supporters U1 to U3 can safely and surely log in to the lifestyle-related improvement support system and give advice to each viewer. On the other hand, since it is possible to prevent spoofing of the supporters U1 to U3 by stealing the private key information S, the viewer C can safely use the lifestyle-related improvement support system.

≪Other / Other examples≫
The present invention is not limited to the above-described embodiment, and can be modified and implemented within the range described in each claim. It is illustrated below.

(1) In the authentication operation example 2, the authentication operation of reading the distributed key A3 of the distributed key management server 8 by the client device 7 has been described. It is also possible to read the distributed key A1 of 2 and restore the private key information S.

(2) When the private key information S is distributed to four or more, it is possible to store and use it in a plurality of client devices 2.

(3) After the private key information S is distributed, the private key information S can be left in the client device 7 as a backup without being erased. However, it is preferable that the private key information S for backup is separately distributed and stored as a separate distributed piece set from the viewpoint of reducing the risk of theft.

1 ... Password 2 ... Client device 3 ... Server (AI analysis server)
4 ... Password file DB
5, 12 ... Communication path 6 ... User name 7 ... Offline device (security card)
8 ... Distributed key management server (MIRUWS management server)
10 ... Terminal

Claims (9)

A method in which the server authenticates the user in response to a connection request.
A setup process that generates a private key and a public key based on the user's authentication information in advance,
If there is a connection request, it has an authentication process that identifies the user using both keys.
The setup process includes a distributed key generation step of generating at least three distributed keys from the private key.
A distributed key storage step in which each of the distributed keys is distributed and stored in the client device, offline device, and distributed key management server on the user side, and
It has a public key registration step of registering the public key and the user's information in the server.
The authentication process includes a first transmission step in which a random number and a time stamp are encrypted with a public key on the server side and transmitted to the user side.
A restoration step in which the private key is restored by using two or more of the distributed keys on the user side,
A second transmission step of decrypting the decrypted information with the private key based on the information received in the first transmission step, encrypting the decrypted information with the private key, and transmitting the decryption information to the server side.
An authentication step in which the server decodes the information received in the second transmission step with the public key and compares it with the transmission information in the first transmission step to determine the success or failure of the authentication.
A user authentication method characterized by having. The user authentication method according to claim 1, further comprising a step of erasing the private key after storing each of the distributed keys in the distributed key storage step. The user authentication method according to claim 1 or 2, further comprising a step of erasing the private key restored in the restoration step after the second transmission step. In the first transmission step, the server transmits the encrypted information to the client device.
In the restore step, the private key is restored to the client device using the distributed key of the client device and the offline device.
The user authentication method according to any one of claims 1 to 3, wherein in the second transmission step, the client device transmits the encrypted information to the server. In the first transmission step, the server transmits the encrypted information to the distributed key management server.
In the restore step, the private key is restored to the distributed key management server by using the distributed key of the distributed key management server and the offline device.
The user authentication method according to any one of claims 1 to 3, wherein in the second transmission step, the distributed key management server transmits the encrypted information to the server. In the first transmission step, the server transmits the encrypted information to the client device.
In the restore step, the private key is restored to the client device by using the distributed key of the distributed key management server and the client device.
The user authentication method according to any one of claims 1 to 3, wherein in the second transmission step, the client device transmits the encrypted information to the server. In the first transmission step, the server transmits the encrypted information to the distributed key management server.
In the restore step, the private key is restored to the distributed key management server by using the distributed key of the distributed key management server and the client device.
The user authentication method according to any one of claims 1 to 3, wherein in the second transmission step, the distributed key management server transmits the encrypted information to the server. The user authentication method according to any one of claims 1 to 7, wherein a new distributed key can be issued. A method in which the server authenticates the user in response to a connection request.
Set up a private key and a public key based on the user's authentication information in advance, and if there is a connection request, authenticate the user using both keys.
During the setup
At least three distributed keys are generated from the private key, and each of the generated distributed keys is stored in each of the client device, offline device, and distributed key management server on the user side.
After storing each distributed key by the distributed key storage step, the public key and the user information are registered in the server.
When authenticating the user
While the server side encrypts the random number and time stamp with the public key and sends it to the user side,
The user side reads two or more of the distributed keys to restore the private key, decrypts the decrypted information with the private key based on the received information, encrypts the decrypted information with the private key, and sends the decrypted information to the server side.
A user authentication method characterized in that information received on the server side is decrypted with the public key to identify a user, and the success or failure of the authentication is determined.

Images