JP2513169B2 - User authentication method - Google Patents

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a user authentication method for confirming the sender's identity, and in particular, it is highly safe and
The present invention relates to an efficient user authentication method capable of reducing communication traffic.

[0002]

2. Description of the Related Art As a conventionally proposed method , F
There are iat and Shamir's methods . This is as follows.

[Outside 1] Calculation of the square root in the above (mod N) is performed by calculating the prime factor (P
And Q) are known. The method is described, for example, by Rabin MO in "Digitalized Sign".
atures and Public-key Functions as Intractable
as Factorization ”(Tech.Rep.MIT/LCS/TR-
212 MIT Lab. Computer. Sci. , 1979). Further, a concrete configuration example of the square root calculation device is described in the patent application “Public Key Cryptography System” by the present applicant (Japanese Patent Application No. 61-16
No. 9350). The sender A proves to the authenticator B that A is genuine by the following procedure.

[Outside 2] For more information on the above method , see Fiat A. and Shamir.
A: “How to proveyourself: Practical solution to
identification and signature problems ”, Proceedi
ngs of Crypto 86, Santa Barbara, Aug.1986, pp.18
-1-18-7. This method has been proved to be safe by a computational theory method. That is,
This method has been proved to be a zero-knowledge proof in the above-mentioned Fiat and Shamir article. If the user authentication method is a zero-knowledge proof, any fraudulent act is difficult
It is ensured from the computational theoretical point of view.

[0003]

[Problems to be Solved by the Invention] However, Fiat and Sham
In the method of ir, the number of bits of the message is (1000 × t + k × t)
Since it is a bit and it is necessary to select k and t of a certain size to secure security, the amount of communication increases,
The problem is that the amount of transferred information is large. The present invention has been made in view of the above circumstances, and its object is to:
An object of the present invention is to provide a user authentication method capable of solving the above-mentioned problems in the conventional technique and reducing the amount of transferred information.

[0004]

The above object of the present invention is a user authentication method in a system for realizing user authentication for confirming the legitimacy of a user, which includes the following items. It is achieved by the characteristic user authentication method . (1) In the initial information setting step that the user performs only once when joining the system, (a) the user (authenticatee) who has joined the system generates a public key and a secret key of a digital signature, and stores the secret key. It is kept secret, and the public key is paired with the identification information (ID) of the person to be authenticated as public information and registered in the public key management list or the certifier management list. (2) In the authentication process stage after the initial information setting stage, (a) First, the person to be authenticated generates random numbers R and U, and X = F (R, U) using the public one-way function F. And send it to the authenticator along with their ID. (b) The authenticator receiving the X and the ID retrieves the public key from the management book based on the ID, generates a random number Y, and transmits the random number Y to the authenticated person. (c) The authenticated person who has received the random number Y calculates M = H (R, Y) by using an appropriate function H, and generates a digital signature S for M using the authenticated person's private key. , S, R, U
To the certifier. (d) The authenticator receiving S, R, U verifies whether or not X = F (R, U) is satisfied by using the one-way function F described above, and if not satisfied, If the authentication result is rejected, the process is terminated, and if satisfied, M = H (R, Y) is calculated using the above-mentioned function H, and the authenticity of M and its digital signature S is verified. Verification is performed using the public key of, and if the verification is successful, the authenticity of the authenticated person is confirmed.

[0005]

In the method of Fiat and Shamir described above, since the authentication process is basically configured by repeating the Yes / No (1 bit) question and answer, the communication amount increases, whereas Since the user authentication method according to the present invention is basically configured to perform a query response of several 100 bits only once, it is possible to reduce the communication amount. Incidentally, whereas the method of Fiat and Shamir method described above is limited to a power calculation method according to the present invention is an advantage also that it can be configured as a base any digital signature scheme .

[0006]

Embodiments of the present invention will be described below in detail with reference to the drawings. FIG. 2 is a block diagram showing the overall configuration of an embodiment of the present invention. In the figure, reference numeral 100 denotes a user (or station) to be authenticated, and 200 denotes an authenticator (or station) to perform authentication, and these are assumed to be coupled via an insecure communication path 300. First, the station 100 that has joined the system generates a public key and a private key and authenticates the public key according to the following procedure in the initial information setting stage that the station basically performs only once when joining the system. It is registered in the public key management book or the authenticator 200 in pairs with the user's identification information (ID). FIG. 3 is a block diagram showing the processing of the initial information setting stage of the station 100 that has joined the system in FIG. Here, the digital signature algorithm used for the process is determined, and the public key A and the secret key B are generated using the encryption key generator 120. A signature creation function GB used by a signature creator, a signature verification function VA used by a signature verifier, a one-way function F used by the one-way function calculator 140, and a function used by another function calculator 160, which will be described later. Define H. In addition, among those defined above, the public key A and the one-way function F are the public information, and the secret key B is the secret information. In addition, as a digital signature method, a method ("A Fast Signature Scheme Base" by the present inventor is used.
d on Congruetial Polynominal Operations "IEE
E Transactions on Information Theory, vol.36, N
o.1, pp.47-53, 1990). The above-mentioned one-way function is a function in which F (x) is easy to calculate, but it is difficult to find x from F (x). The one-way function F is a high-speed conventional encryption device, for example, a DES encryption (for example, Data
Encryption Standard Federal Information Process
ssing Standards Publication 46, 1977), FE
AL encryption (for example, “Extension of FEAL encryption” by Miyaguchi et al., N
TT R & D, vol.39, No.10, pp.1439-1450, 1990) and hash function (for example, Miyaguchi et al. “128-bit hash function“ N-Hash ””, NTT R & D, vol.39,
No. 10, pp.1451-1458, 1990), etc.). In this case, the calculation time of F (x) can be almost ignored.
In the embodiment described below, there are two inputs (R and U) to the one-way function calculator 140.
R‖U (connecting R and U) is a one-way function calculator 1
It may be input to 40. When using a cryptographic function such as FEAL encryption, R is input to the cryptographic function as plain text, U
It is also possible to input as a key and realize F (R, U) as a ciphertext output at that time. Moreover, as an example of the above-mentioned function H, a function using an exclusive OR, a function using a remainder operation, etc. can be considered. These processes are very fast and their calculation time is almost negligible.

Next, a user authentication procedure in which the station 100 proves its validity to the station 200 will be described.
In the following description, the station 100 will be referred to as a person to be authenticated and the station 200 will be referred to as an authenticator. Of course, the station 200 is the authenticated person,
It is also possible for station 100 to act as an authenticator. The authentication procedure will be described below with reference to FIGS. 4, 1A and 1B. Note that FIG. 4 is a diagram showing a state of communication between a person to be authenticated and a communication text of the person to be authenticated, and FIGS. 1A and 1B show a person to be authenticated 100 and an authenticator involved in the communication shown in FIG. 3 is a block diagram showing a user authentication process of 200. FIG. The user authentication procedure is as follows. Step 1: First, the authenticated person 100 uses the random number generator 11
Random numbers R and U are generated using 0, and the one-way function calculator 1
40, using the published one-way function F, X = F
Calculate (R, U) and use it with your ID to verify 2
To 00. Step 2: The authenticator 200 searches the management book 270 for the public key A based on the received ID, then generates a random number Y using the random number generator 210, and generates this random number Y as the authenticated person 1
To 00. Step 3: The authenticated person 100 calculates M = (R, Y) using the function calculator 160, and then stores the secret key B in the memory 15
The signature generator 180 calculates S = GB (M) using the signature generator function GB described above, and sends S, U and R to the authenticator 200. Step 4: The authenticator 200 uses the one-way function calculator 24.
0, F (R, U) is calculated from the received random numbers R, U using the one-way function F, and the value is X = F (R, U) received from the authenticated person in step 1 described above. U) and whether or not they match with each other is checked by the matching checker 230. If the inspection does not pass, "fail" is output and the authentication process ends. When the above-mentioned inspection is passed, the function calculator 160 is used to calculate M = H (R, Y), and M, S, and A are input to the signature verifier 290. Signature verifier 29
At 0, it is checked whether or not the above signature verification function VA (M, S) = 0 is satisfied. The signature verifier 290 uses the VA (M,
If S) = 0 is satisfied, “pass” is output, and if not, “fail” is output, and the process ends. The transmission of the ID in the above step 1 may be performed in step 3, and the parameter U may be omitted.

According to the above-described embodiment, as will be described below, the effects of safety and reduction of communication amount can be obtained. That is, (1) Security: Completeness: A legitimate subject (who knows B) passes with probability 1. Soundness: An unauthorized subject (not knowing B) has a negligible probability of passing because it is difficult to create a correct signature for arbitrary information M. Confidentiality: No matter what R is selected and transferred by the certifier, if the correct subject randomly selects U, the value of M will be randomly distributed, so the certifier will get a signature for a specific value. The certifier cannot obtain valid information regarding the confidential information of the authenticatee. (2) Regarding communication volume:

[Outside 3] The number of bits of the communication text is k = 4, t = when N is 512 bits
Comparing in the case of 5 (recommended value in the above-mentioned paper), the method of Fiat and Shamir: 5120 + 20 + ID bit number In this embodiment: 912 + ID bit number. In this embodiment, the communication amount is Fiat and Sh
It will be about 1/5 of the case of Amir's method . This can be said to be a remarkable effect. The above examples are offered an example of the present invention have been shown, the present invention is naturally not to be limited thereto.

[0009]

As described above in detail, according to the present invention, a remarkable effect that a user authentication method capable of reducing the amount of transferred information while ensuring security can be realized can be achieved. Is.

[0010]

[Brief description of drawings]

FIG. 1 is a block diagram showing user authentication processing of a person to be authenticated and an authenticator in an embodiment of the present invention.

FIG. 2 is a block diagram showing the overall configuration of the embodiment.

FIG. 3 is a block diagram showing a process of an initial information setting stage of a station that has joined the system.

FIG. 4 is a diagram showing how communication is performed between the authenticated person and the authenticator.

[Explanation of symbols]

100: authenticated station, 200: certificate authority, 300: communication path,
110, 210: random number generator, 120: encryption key generator,
140, 240: one-way function calculator, 150: memory, 160, 260: function calculator, 180: signature creator, 230: match checker, 270: (public) management book, 29
0: Signature verifier.

 ─────────────────────────────────────────────────── ─── Continuation of the front page (56) References JP-A-63-26137 (JP, A) JP-A-2-181537 (JP, A) JP-A-6-21939 (JP, A) LECTURE NOTES COM PUTER SCIENCE VOL. 403, 1990, p. 232-243, "A MO DIFICATION OF THE FIAT-SHAMIR SCHEM E.", K.S. OHTA, T .; OKAMO TO ELECTRONICS LETTER RS, VOL. 24 NO. 2, 21 JA NUARY 1988, p. 115-116, "E FFFICIENT IDENTIFI CATION AND SIGNATURE RE SCHEMES." OHT A

Claims (1)

(57) [Claims] 1. A user authentication method in a system for realizing the user authentication for confirming the validity of the user, the user authentication method, which comprises the following sections
Law . (1) In the initial information setting step that the user performs only once when joining the system, (a) the user (authenticatee) who has joined the system generates a public key and a secret key of a digital signature, and stores the secret key. It is kept secret, and the public key is paired with the identification information (ID) of the person to be authenticated as public information and registered in the public key management list or the certifier management list. (2) In the authentication process stage after the initial information setting stage, (a) First, the person to be authenticated generates random numbers R and U, and X = F (R, U) using the public one-way function F. And send it to the authenticator along with their ID. (b) The authenticator receiving the X and the ID retrieves the public key from the management book based on the ID, generates a random number Y, and transmits the random number Y to the authenticated person. (c) The authenticated person who has received the random number Y calculates M = H (R, Y) by using an appropriate function H, and generates a digital signature S for M using the authenticated person's private key. , S, R, U
To the certifier. (d) The authenticator receiving S, R, U verifies whether or not X = F (R, U) is satisfied by using the one-way function F described above, and if not satisfied, If the authentication result is rejected, the process is terminated, and if satisfied, M = H (R, Y) is calculated using the above-mentioned function H, and the authenticity of M and its digital signature S is verified. Verification is performed using the public key of, and if the verification is successful, the authenticity of the authenticated person is confirmed.