JP3610106B2 - Authentication method in a communication system having a plurality of devices - Google Patents

Description

[0001]
[Industrial application fields]
The present invention relates to a communication system in which a plurality of devices are connected through a communication path, and more particularly to an authentication method in a communication system in which authentication is performed by a plurality of devices being distributed.
[0002]
[Prior art]
Conventionally, in many communication systems, information is transmitted in units of data blocks called packets. Even when a packet is transmitted to a designated destination, all devices (users) constituting the communication system can receive the packet. In addition, since a plurality of devices are connected via the same communication path, it is difficult to specify the packet transmission source. For this reason, in such a communication system, it is easy to be exposed to an attack of “sniffing” that illegally obtains a packet for another destination and “spoofing” that makes a device appear to another device.
[0003]
In order to mitigate the threat of eavesdropping and spoofing, a technique using a cryptographic technique called a public key cryptosystem (Ikeno, Koyama: “Contemporary Cryptography”, The Institute of Electronic Communication, 1986) is known. Some public key cryptosystems have an authentication function called “digital signature” in addition to the encryption function, such as RSA cryptography. Spoofing can be prevented.
[0004]
As another countermeasure for mitigating the threat of eavesdropping and spoofing, Kerberos (shared by kerberos: S. Garfinkel and G. Spafford / Hide Yamaguchi) translated by "UNIX Security", ASCII, pp.349 -357, pp. 535-542, 1993) is well known.
[0005]
The following is the authentication protocol of Needham and Schroeder (RN Needham and MD Schroeder: “Using Encryption for Authentication in Large Network of Computers”, 3). And Birrell's Secure RPC (Remote Procedure Call) protocol (AD Birrell: “Secure Communications Using Remote Calls 1”, ACM Trans. On Computer. P. 3). 1985 A specific Kerberos authentication protocol based on the above) will be described.
[0006]
Normally, Kerberos has an authentication server that manages secret information (corresponding to a secret key) of all devices of the communication system. First, as shown in FIG. 16A, the authentication server shares the secret key pki with each device i. In the following, a certificate requester is called a prover, and a certificate authenticating the prover is called a certifier.
[0007]
As shown in FIG. 16B, when the prover A asks the certifier B for proof, A sends data 161 in a format such as {A, B, R} to the authentication server. However, A and B are public identification information for specifying the prover A and the certifier B such as a device or a user name, and R is a number selected at random.
[0008]
On the other hand, the authentication server returns data 162 of {authenticator, R, B, CK} ^ pkA to A. However, {M} ^ k indicates data obtained by encrypting the message M with the key k, and the authenticator is configured as {T, A, CK} ^ pkB using the time stamp T. CK is a common key generated by an authentication server used for subsequent common key encryption communication between A and B.
[0009]
Hereinafter, the secret common key when the common key encryption communication is performed between the prover and the authenticator will be referred to as a conversation key. Therefore, the authentication server also serves as a conversation key distribution server. Finally, the prover A sends the above-described authenticator 163 to the authenticator B, and B authenticates A by decrypting the authenticator with his secret master key pkB. Cryptographic communication is performed using CK.
[0010]
As described above, the threat of eavesdropping or impersonation can be mitigated by the authentication protocol using Kerberos.
[0011]
[Problems to be solved by the invention]
However, in the public key cryptosystem, it is necessary to perform a power residue calculation of a large integer of 512 bits or more, and there is a problem that the calculation amount becomes enormous.
[0012]
In addition, a protocol such as Kerberos in the common key method requires an authentication server that can be completely trusted, including physical meaning, in order for the authentication server to manage the secret information of all devices constituting the communication system. (Similarly, in the case of the public key cryptosystem, a centralized management center that manages all public keys is necessary and has the same problem). Therefore, in order to ensure security, it is necessary to strictly manage the authentication server in a locked room where an unauthorized person cannot enter without permission. In addition, when the authentication server becomes unreliable due to failure or crime, there is a problem that the fault tolerance is weak such that the safety of the entire system is collapsed.
[0013]
Therefore, in order to solve such a problem of authentication server reliability, the present invention proposes a distributed authentication server that distributes and manages secret information by a plurality of devices.
[0014]
The request for this distributed authentication server is as follows.
(1) For the certifier and the authenticator, the distributed authentication protocol realizes the same authentication function as the authentication protocol by the conventional centralized management.
(2) For the prover and the authenticator, the distributed authentication protocol guarantees the same interface (data format) as the authentication protocol by the conventional centralized management.
(3) For the prover and the authenticator, the distributed authentication protocol is realized with the same amount of computation as the authentication protocol by the conventional centralized management.
(4) The above requirement is satisfied unless a majority of the devices constituting the distributed authentication server are unreliable.
[0015]
[Means for Solving the Problems]
In order to solve the above-mentioned problem, according to the authentication method of the present invention, in a communication system having a plurality of devices including a device group constituting a distributed authentication server,
The certifier side device that is requested to be authenticated by the certifier side device transmits an authentication request message including the identifiers of the certifier and the certifier to each device constituting the distributed authentication server,
The devices constituting the distributed authentication server jointly generate an authenticator encrypted with a secret key related to the authenticator based on the authentication request message, and encrypt the authenticator with a secret key related to the prover. Generate an authentication message
Each device constituting the distributed authentication server transmits the authentication message to the prover side device,
The certifier side device that has received the authentication message decrypts the authentication message, and transmits the obtained authenticator to the certifier side device.
The certifier-side device that has received the authenticator decrypts the authenticator and authenticates the prover.
[0016]
【Example】
Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.
[0017]
[Example 1]
FIG. 1 is a diagram showing an information processing system having distributed information processing apparatuses according to an embodiment of the present invention.
[0018]
In the figure, reference numeral 14 denotes a device (hereinafter referred to as a member) AS (1),..., AS (k) constituting the distributed authentication server. Reference numeral 11 denotes a secret communication path capable of physically and securely performing secret communication between devices (designed so that it cannot be accessed from other communication paths). Reference numeral 12 denotes information about all members. Are broadcast-type communication channels that are interconnected so as to be open to the public. Here, the number of members is a relatively small number of about 20 or less from the viewpoint of efficiency.
[0019]
The total number of devices constituting the communication system may be considerably larger than that of the members, and the members are connected to the members via the secret communication path 11. In addition, the apparatuses communicate with each other through a normal (unsafe) communication path 13. Thereafter, when one device sends a request for a service (eg, file transfer, remote procedure call, etc.) in another device, the requested device is called “client”, and the device that provides the service in response to this request is called “server” ". In FIG. 1, reference numeral 15 denotes a device C / S (1),..., C / S (n) which is such a client or server. However, the member may be a client or a server.
[0020]
In the present embodiment, mutual authentication and authentication of communication contents are realized in such a client or server. It also realizes sharing of a secret key for performing secret communication between the client and the server. Further, since secret information is distributed and managed and distributed among members, there is an advantage that it is safer than a conventional impression server. In the following, when a client requests authentication for identifying a server in order to request a service, a client that requests authentication is referred to as a “certifier”, and a server that provides authentication is referred to as a “certifier”.
[0021]
FIG. 2 is a diagram illustrating a block configuration of a member device. In the figure, reference numeral 21 denotes a communication unit for communicating with other devices via the secret communication path 12 or the broadcast communication path 13. Reference numeral 22 denotes an arithmetic processing unit that performs various operations such as a one-way hash function, which will be described later, and determination processing according to a program stored in the storage unit 24, and controls each unit of the apparatus. Reference numeral 23 denotes a random number generator such as a pseudo-random number generator, which is used to generate a random value. Reference numeral 24 denotes a storage unit for storing programs to be executed by the arithmetic processing unit 22, information such as arithmetic results generated in the course of processing, information received from other devices, various parameters, and the like. Also, devices other than the members of the communication system have the same hardware configuration as the members.
[0022]
A basic part of the distributed authentication protocol is a VSS (Verifiable Secret Sharing) protocol described below. According to VSS, this is a technique for distributing one piece of secret information to a plurality of secret parts such that the original secret information cannot be estimated if the majority is less than the majority, and the original secret information can be restored if the majority is correct.
[0023]
[VSS protocol]
A procedure for distributing the secrets on a given finite field F in a verifiable manner will be described below.
[0024]
FIG. 3 is a diagram showing the relationship between the secret s and the partial matrix S.
[0025]
In the present embodiment, the submatrix S = [s (i, j)] (i, j = 1,..., N) for a certain secret element s 1 means that each row vector S_r (i) = [s (i , 1),. . . , S (i, n)] (i = 1,..., N) are n different values of the t-th order polynomial fi with constant s_r (i) as a constant term. . . , In values fi (il),. . . , Fi (in) and each column vector S_c (j) = [s (1, j),. . . , S (n, j)] (j = 1,..., N) is a number n different values of the t-th order polynomial gi with a certain secret s_c (j) as a constant term. . . , In for values gi (il),. . . , Gi (in) and the vector [s_r (1),. . . , S_r (n)] and [s_c (1),. . . , S_c (n)] to the values f (il,..., In) and g (il,..., In) of the t-order polynomials f and g with the original secret s as a constant term. It is what has become.
The sub-matrix used in the secret sharing scheme capable of confirming the speech type, as will be described below, is an n × n matrix S = [s (i, j)] (i, j = 1,..., n).
[0026]
First, each row vector S_r (i) = [s (i, 1),. . . , S (i, n)] (i = 1,..., N) is a secret part vector for a secret s_r (i) (the secret part of subscriber j in the secret sharing scheme with element j of the vector) Vector), and each column vector S_c (j) = [s (1, j),. . . , S (n, j)] (j = 1,..., N) becomes a secret subvector for a certain secret s_c (j).
[0027]
However, the vector [s_r (1),... Consisting of the secrets s_r (i) and s_c (j) described above. . . , S_r (n)] and [s_c (1),. . . , S_c (n)] are both secret subvectors for the original secret s 1. In the secret sharing process, the column vector i (i = 1,..., N) and the secret s_r (i) of the submatrix thus configured are used as the secret partial information of the subscriber i 1 for each subscriber i. By transmitting to, it is possible to check with high probability whether the partial information broadcast by each subscriber is correct or not if the subscriber who distributed the partial information does not cheat during the secret restoration process.
[0028]
Also, in this embodiment, in order to confirm whether the partial information broadcast at the time of the secret restoration process is correct even when the subscriber who has the original secret information and distributes the secret partial information is fraudulent, A one-way hash function (Ikeno, Koyama: ”that serves as an authenticator of the secret s_r (i) corresponding to each subscriber i (i = 1,..., N) in distributing information. ("Modern cryptography", pp. 224-225, IEICE, 1986).
[0029]
Next, this one-way hash function will be described.
[0030]
The one-way hash function is a function that performs data compression scrambling, and is a function that is easy to calculate an output value from an input value but difficult to perform an inverse operation to determine an input value from the output value. However, in this embodiment, compared with the one-way function used in the conventional secret sharing scheme that can be confirmed non-interactively, it does not have to have a special algebraic property, and the calculation processing is one-way faster. Sex hash function can be used.
[0031]
As a specific example of the one-way hash function, R.I. Merkle ("One Way Hash Functions and DES", Advanced in Cryptology-Crypto '89, Lecture Notes in Computer Science, Vol. 435, Spring-Verlag, S A one-way hash function has been proposed.
[0032]
FIG. 8 is a diagram illustrating a specific configuration of the one-way hash function.
[0033]
In the same figure, (a) shows block encryption by DES, 81 is an encryption circuit (64 in FIG. 8, DES is represented by E in which 64-bit output is obtained from a 64-bit input and a 56-bit key). It is expressed by
[0034]
(B) shows the processing of the function F 1 using the DES as a partial processing and having an input length of 119 bits and an output length of 112 bits, and 82 is a function arithmetic circuit. This process is defined as follows.
[0035]
First, the input is divided into two parts k and x (however, the length of one part k is 55 bits and the length of the remaining part x is 64 bits). Next, the result of calculating the XOR of the output obtained by using the part x as the input of DES, the remaining part k and '0' as a continuous value '0', and k as a 56-bit key and x. The left 64 bits in the output of the function F. Similarly, 48 bits from the result (64 bits) of the XOR of the output obtained with the same part x as the input and the remaining part k and '1' as the key and the obtained value '1', k as the key and x Is the remaining part of the function F (48 bits on the right). The result of continuous two outputs thus obtained becomes the output of the 112-bit F function.
[0036]
(C) shows a process in which a given message is input and a hash value of a one-way hash function is output, and 83 is a hash function processing unit. This process is executed as follows.
[0037]
First, the first 119 bits of a given message are used as the input of the above function F 1 to obtain the first 112 bits of output. Next, the output is again set to the input 112 bits, and the remaining 7 bits from the message are continuously input to the function F 1 repeatedly. Finally, the 112-bit output obtained when all the messages are input (appropriately add '0' if there are insufficient bits to input the last 7 bits of the message) is used as a hash value for the message. .
[0038]
The one-way nature of the hash function calculated as described above (being given a single hash value, it is extremely difficult to find messages with different inputs that yield the same hash value) is used It is given by the security of block ciphers such as DES (the output becomes a random variable with a key when an input is given, and the input becomes a random variable with a key when an output is given). Shown by Mercle (see previous paper).
[0039]
Furthermore, the same paper also proposes a one-way hash function that is more efficient than the above-described hash function. Rivest ( "The MD4 message digest algorithm", Advances in Cryptology over Crypto'90, Lecture Notes in Computer Science, Vol. 537, Springer-Verlag, 1991. NIST Federal Information Processing Standard for Secure Hash, American National Standard X9.30- 199x).
[0040]
Next, the Cut and Choose process in the present embodiment will be described.
[0041]
Whether the secret partial information received by all subscribers during the secret sharing process becomes secret partial information distributed in a verifiable manner, as in the case of Cut and Choose performed in the conventional secret sharing method capable of interactive confirmation. In order to check whether or not k randomly chosen secrets l1,. . . , Lk distribute the submatrix and hash value and broadcast all secret information about k / 2 secrets (li (1), ..., li (k / 2)) randomly determined by all subscribers And lj (1) + s,... For the remaining k / 2 secrets (lj (1),..., Lj (k / 2)). . . , Lj (k / 2) + s is broadcast, and if the number of parts having errors is larger than t in all the broadcast information, it is determined that the secret sharing process is not correct.
[0042]
As described above, a secret sharing scheme that satisfies the following conditions (c ′) and (d ′) can be realized in place of the conditions (c) and (d) of the conventional secret sharing scheme that can be confirmed. In addition, a method and a communication system for executing distributed calculation can be realized.
[0043]
(C ′) When illegal partial information is mixed with correct partial information, there are cases where the original secret information cannot be restored even if there are t + 1 correct partial information. However, it is possible to identify an unauthorized subscriber. is there.
[0044]
(D ′) When all the subscribers receive the secret partial information, if the partial information is not the correct information for restoring the secret information x 1, the identity of the subscriber who made the fraud during the restoration process Is possible.
[0045]
Under these conditions, even if there is an unauthorized subscriber as in the conventional system, the secret is restored, that is, error correction cannot be performed, but the unauthorized subscriber can be identified, that is, error detection can be performed. If conditions (c) and (d) exist, distributed computation can be executed correctly even if there are unauthorized subscribers (fault tolerance for correctness can be realized), but the conditions (c ′) and (d ′) can be changed to However, since an unauthorized subscriber can be detected, a correct output can be obtained by performing a warning and re-execution, and fault tolerance can be realized.
[0046]
Therefore, in this embodiment, if there is an unauthorized subscriber when restoring the distributed secret, it may be impossible to restore the secret, but it is possible to identify the subscriber who performed the illegal secret. A distributed method is proposed. As a result, it is possible to realize a secret sharing scheme that can be confirmed so that both the necessary calculation amount and the communication amount located in the middle of the interactive method (1) and the cryptographic method (2) are practical orders. .
[0047]
In the following, a method for realizing a identifiable dispersion of secrets on a given finite field F 1 will be specifically described.
[0048]
First, the submatrix S 1 for the secret s 1 will be specifically described.
[0049]
A submatrix S = [s (i, j)] (i, j = 1,..., N) for a secret element s 1 on a given finite field is defined as each row vector S_r (i) = [s (I, 1),. . . , S (i, n)] (i = 1,..., N) have n different values i1,. . . , In values fi (i1),. . . , Fi (in) and each column vector S_c (j) = [s (1, j),. . . , S (n, j)] (j = 1,..., N) are n different values j1,. . . , Jn values gj (j1),. . . , Gj (jn) and the vector of values [s_r (1),. . . , S_r (n)] and [s_c (1),. . . , S_c (n)] to the values f (i1,..., In) and g (j1,..., Jn) of the t-order polynomials f 1 and g 2 with the original secret s 1 as a constant term. It is what has become.
[0050]
Next, the process of the present embodiment is divided into a secret sharing process for distributing a secret part so that a secret on a given finite field is secretly distributed among all subscribers, and distributed to all subscribers. This is divided into two processes, namely, a secret restoration process for clarifying a secret subscriber or an unauthorized subscriber (when there is a fraud).
[0051]
(1) Secret sharing process
The secret sharing process is a process in which a subscriber d having a secret element s distributes a secret part for s. FIG. 5 shows the processing procedure. In the figure, processing Rj, i is processing performed by subscriber i in round j.
[0052]
In the following, h represents an efficient one-way hash function (with a fast calculation scheme). For example, a hash function (see “Modern Cryptography” above) configured by a high-speed block encryption function is used. The safety parameter k 1 satisfies k = nk ′ for a certain constant k ′. In this case, the probability of erroneous confirmation of the secret sharing process is 2 ^ (− k ′ (t + 1)) due to the Cut and Choose process (T. Rabin, M. Ben-Or “Variable Secret Sharing and Multiple Protocols Whistle. See “Majority”).
[0053]
(Round 1) The subscriber d 1 uses the random number generator 23 to generate the original secret s 1 and the randomly selected secret elements l 1,. . . , Lk with partial matrices S, L1,. . . , Lk. Then, as shown in FIG. 4, the secret values s_r (1),. . . , S_r (n), l1_r (1),. . . , L1_r (n),. . . , Lk_r (1),. . . , Lk_r (n), a one-way hash function value s * is calculated by the arithmetic processing unit 22.
[0054]
Subscriber d is associated with each subscriber i (i = 1,..., N, excluding itself), but each column vector S_c (i), L1_c (i),. . . , Lk_c (i) and secrets s_r (i), l1_r (i),. . . , Lk_r (i) (information B1.i) is transmitted using the secret communication path 11, and the hash value s * (information B1.d) is broadcast using the broadcast communication path 12 among all subscribers ( Process R1.d).
[0055]
(Round 2) Each subscriber i (i = 1,..., N) broadcasts k ′ randomly selected bits (information B2.i) using the random number generator 23 (processing R2). I). These randomly chosen k 'bits are denoted as Bi_1,. . , Bi_k ', all bits for all n subscribers are denoted by B1,. . . , Bk.
[0056]
(Round 3) For subscriber d 1, for each bit Bj (j = 1,..., K 1) broadcast in round 2, if Bj is 1, the submatrix generated by subscriber d 1 in round 1 Lj is broadcast, and if Bj is 0, the addition result (written as S + Lj) on the finite field for each element of the submatrix S and Lj generated by the subscriber d in round 1 is broadcast (process R3.d). Information broadcast by the subscriber d is shown in FIG. d.
[0057]
(Round 4) Each subscriber i (i = 1,..., N) receives information B1. For each value j (j = 1,..., k) in i, column vectors Lj_c (i) and lj_r (i) (when bit Bj broadcast in round 2 is 1) or Lj_c Check if (i) + S_c (i) and lj_r (i) + s_r (i) (when Bj is 0) are equal to the column vector and secret value corresponding to the submatrix broadcast in round 3; If it is not equal to the value j, the determination message (information B4.i) of the subscriber d 1 is broadcast (process R4.i).
[0058]
(Round 5) When the determination message (information B4.i) is broadcast in round 4, the subscriber d 1 transmits information B1 secretly transmitted by the subscriber d 1 in round 1 for each subscriber j that broadcasts the determination message. . j (here, information B5.d) is broadcast (process R5.d).
[0059]
(Post-processing) Each subscriber i (i = 1,..., N) indicates that the information broadcast in round 5 is not correct or the number of determination messages broadcast in round 4 is If so, it is determined that the subscriber d 1 has made an unauthorized act (process Pi).
[0060]
All the information received by each subscriber i in rounds 1 to 5 is s_i.
[0061]
(2) Secret restoration processing
The secret restoration process is a process for calculating the original secret s by all the subscribers from the information s_i possessed by each subscriber by the secret sharing process described above. FIG. 6 shows the procedure.
[0062]
(Round 1) Each subscriber i (i = 1,..., N) broadcasts secret values s_c (i) and s_r (i) (information B1.i) included in the partial information s_i (processing B1). R1.i).
[0063]
(Round 2) Each subscriber i (i = 1,..., N) has t + 1 values s_c (i, 1),. . . , S_c (i, t + 1) and s_r (i, 1),. . . , S_r (i, t + 1) and determine the results of polynomial interpolation s (c) and s (r), both are equal and the remaining broadcast value is the value s (c) = s (r ) Check whether the same polynomial corresponding to is the correct value. If all values are correct, it is determined that the original secret s is equal to s (c) = s (r), and the restoration process ends. On the other hand, when a value that does not correspond to the same polynomial is broadcast, the column vector S_c (i) (information B2.i) included in the partial information s_i is broadcast (the process R2.i).
[0064]
(Round 3) Each subscriber i (i = 1,..., N) obtains a submatrix S ′ from the column vector S_c (j) (j = 1,..., N) broadcast in Round 2. Generate 1,. . . , N to all sets t1,. . . , Tm (total m =_nC_{t + 1}= N! / ((T + 1)! (Nt-1)!) Column vector set T1,. . . , Tm and the result of polynomial interpolation for each row and column s'_r (1),. . . , S'_r (n) and s'_c (1),. . . , S′_c (n) and the results of polynomial interpolation of these values, s ′ (r) and s ′ (c), are both equal, and all elements of their column vectors are respectively Values s′_c (1),. . . , S'_c (n) and s'_r (1),. . , S′_r (n), whether or not the same value of the same polynomial is obtained.
[0065]
The set T1,... Including t + 1 column vectors confirmed in this way. . , Tm, the number of sets corresponding to different correct sub-matrices is t + 1 at maximum, and these sub-matrices are denoted by S_1,. . . , S_T (where T <t + 1). If there is only one correct submatrix (T = 1), it is determined that the secret s for that matrix is equal to the original secret, and the uncorresponding column vector represents the fraudulent subscriber. If there are two or more correct sub-matrices, each subscriber i (i = 1,..., N) broadcasts all the partial information s_i (information B3.i) they have (the processing R3. i).
[0066]
(Post-processing) Each subscriber i (i = 1,..., N) uses the information s_j (j = 1,..., N) broadcast in round 3 to calculate the correct value in round 4 Submatrices S_1,. . . , S_T (where T <t + 1), the same one-way hash function as in the secret sharing process described above is calculated, and all the broadcast information is correct and the value s broadcast in round 1 of the distributed process Check if it corresponds to *. It is determined that the secret s' corresponding to the sub-matrix correct for these confirmations (which can be at most one) is equal to the original secret s. On the other hand, if there is no correct submatrix for the above-mentioned confirmation, it is determined that the secret is illegal for the distributed subscriber d 1 (process Pi).
[0067]
[Distributed secret linear combination processing]
By the above-described verifiable secret sharing process, the elements {1,. . . , P-1} when two secret elements x 1 and y 2 are distributed (where each subscriber i has a secret part x_i and y_i corresponding to the secret elements x 1 and y 2) Without performing the above, the secret part (x + y) _i corresponding to the sum x + y on the given finite field is calculated as follows.
[0068]
First, when the column vectors X_c (i) and Y_c (i) and the secret values x_r (i) and y_r (i) of the submatrix possessed by each subscriber are added for each element, the addition result X_c (i) + Y_c It is clear from the definition of the submatrix (row and column elements are polynomial values) that (i) and x_r (i) + y_r (i) are column vectors and secret values of the submatrix for x + y .
[0069]
Further, the values x * and y * of the one-way hash function used for confirming the partial information in the secret restoration process are stored, and both the x + y as a result of the addition are necessary when the restoration process is performed. Is used to check the submatrix X + Y corresponding to the secret x + y.
[0070]
In addition, in order to calculate the distributed multiplication of one secret element x and the public element a in a distributed manner, the result of multiplying each element of the submatrix each subscriber has with a It is an element of the submatrix for x * a. Therefore, the linear combination a * x + b * y using the two distributed secret elements x and y and the public elements a and b joins the group as shown in FIG. Calculations can be made in a distributed manner without interaction between each subscriber.
[0071]
As described above, the secret can be distributed among the members in a confirmable manner.
[0072]
Next, a distributed pseudo-random generation (Shared pseudo-random generation) protocol for generating pseudo random numbers among members will be described.
[0073]
[Distributed pseudorandom number generation protocol]
The member AS (1),..., AS (k) that constitutes the distributed authentication server controls the secret part r (i) (i = i = r) of the member AS (i) to control the distributed pseudorandom number r. 1, ..., k) is output. This protocol is implemented as shown in FIG.
[0074]
Each member AS (i) generates a secret pseudorandom number ri expressed as an element on a finite field (process 81).
[0075]
Each member AS (i) secretly distributes the secret pseudorandom number ri using the secret sharing process that can be confirmed. When each member performs this, each member AS (j) (j = 1,..., K) has a secret part r1 (j),. However, m (≦ k) is the number of members confirmed to have performed secret sharing correctly (process 82).
[0076]
Each member AS (j) adds the above-mentioned secret part and generates r (j) = r1 (j) +... + Rm (j) which is a secret part for AS (j) of the secret pseudorandom number r 1 ( Process 83).
[0077]
This secret pseudo-random number r is a number that no one can know unless a majority of the members are involved. As described above, pseudo-random numbers are generated in a distributed manner, and the pseudo-random numbers can be used as a conversation key between the prover and the authenticator.
[0078]
Next, a protocol for executing secret key encryption processing among members in a distributed manner will be shown. In this case, the process differs depending on whether the secret key-encrypted data is distributed secret data or public data.
[0079]
[Distributed secret key encryption / decryption of distributed secret data]
FIG. 9A is a diagram for explaining this protocol. Let m be a message composed of N blocks m1,..., MN of length L. However, the VSS protocol is a finite field GF (2^L) Run on. Assume that each secret part m1 (i),..., MN (i) is secretly distributed to the member AS (i). A secret key pk having the same length as the message m is also divided into N blocks pk1,..., PkN having a length L, and secretly distributed among the same members. It has a secret part pk1 (i), ..., pkN (i).
[0080]
In order to perform the secret key encryption processing of the message m using the secret key pk, each member AS (i) performs addition on a given finite field for each block as follows.
[0081]
c1 (i) = m1 (i) + pk1 (i),..., cN (i) = mN (i) + pkN (i)
Since the VSS protocol is homomorphic, c1 (i),..., CN (i) corresponds to the secret part of c1,..., CN obtained by dividing the ciphertext c into N blocks for each length L. To do. Therefore, the ciphertext c is restored and released by executing the above-described secret restoration process.
[0082]
Thereby, the device in the communication system having the secret key pk can decrypt the original message m from the disclosed ciphertext c. However, the secret key pk is disposable and will not be used again.
[0083]
[Distributed private key encryption / decryption of public data]
When the message m is made public, the above-described encryption protocol has a problem that the secret key pk is known by subtracting the message m from the published cipher c. Therefore, a protocol as shown in FIG. 9B is used for the public data.
[0084]
As in the above case, it is assumed that the message m is composed of N blocks m1,..., MN having a length L. However, the contents are assumed to be public data known to the members. The secret key pk has a length twice that of the message m and is 2N blocks pk1 of length L. 1, pk1 2, pkN 1, pkN Divided into two. This pk is secretly distributed among the members, and the member AS (i) is assigned to each secret part pk1. 1 (i), pk1 2 (i), ... pkN 1 (i), pkN 2 (i).
[0085]
In order to realize the secret key pk encryption processing of the message m using the secret key pkpk, each member AS (i) performs the next operation on the given finite field for each block. However, in the following formula, • represents multiplication and + represents addition.
[0086]
c1 (i) = m1 · pk1 1 (i) + pk1 2 (i), ..., cN (i) = mN · pkN 1 (i) + pkN Since the 2 (i) VSS protocol is homomorphic even for linear combinations, c1 (i),..., CN (i) divides the ciphertext c into N blocks for each length L. This corresponds to the secret part of c1,..., cN. Therefore, the ciphertext c is restored and released by executing the above-described secret restoration process.
[0087]
As described above, this protocol is pkj 1 and pkj 2 (j = 1,..., N) are used, so that even if the message m is public data, the secret key pk is not known. Here, the shorter the length L, the easier the encryption operation, but the probability that a tamper can change the ciphertext c to a fake ciphertext c ′ and obtain a fake message m ′. Is 2^-L  Therefore, L cannot be made too small from the viewpoint of safety. Therefore, about 32 is appropriate for L.
[0088]
As for decryption, a device in the communication system sharing the secret key pk decomposes the secret key pk and the ciphertext c for each length L, and generates pkj 1, pkj 2 and cj (cj-pkj 2) / pkj By performing the operation of 1, mj can be obtained. Thereby, the original message m can be decrypted. However, also in this case, the secret key pk is disposable and will not be used again.
[0089]
[Authentication Protocol]
Using the above protocol, authentication using a common key is realized by a distributed authentication server instead of a conventional centralized authentication server as follows.
[0090]
The authentication protocol includes communication for the prover to receive an authentication message from the distributed authentication server, and communication for the prover to show authentication data to the authentication company. This is called “online processing”.
By the way, as a premise for performing this online processing, it is necessary to share a secret key between the distributed authentication server and a device serving as a prover or an authenticator, or generate a conversation key by the distributed authentication server. This is called “offline processing”. This offline processing may be executed every time a secret key or conversation key is required during online processing, but this increases processing time and communication time of online processing.
[0091]
Therefore, online processing can be performed efficiently by executing offline processing prior to online processing. In the following, “offline processing” will be described with reference to FIG. 10A and “online processing” will be described with reference to FIG.
[0092]
[Offline processing]
The information that needs to be shared in advance between the members constituting the distributed authentication server is information related to the secret keys of all devices. However, as described with respect to the distributed secret key encryption / decryption protocol, since the secret key used between the prover and the distributed authentication server is disposable after the message, it is necessary to generate a large number of keys. This process is executed by the following secret key distribution process. In addition, the process of generating a distributed pseudo random number used as a conversation key between the prover and the authenticator is also executed offline as follows.
[0093]
[Secret key distribution processing]
In the communication system, an apparatus j that wishes to receive authentication has a sufficiently large number M of pseudo-random numbers pkj arbitrarily selected in advance by the secret sharing process described above. 1, ..., pkj Distribute M to each member. As a result, the member AS (i) becomes a secret part pkj of the pseudo random number. 1 (i), ..., pkj M (i) is received. However, if j does not correctly distribute the secret, j can no longer receive the authentication service using its own secret key pkj, so the post-processing to check whether the distributed information is correct is in this case It may be omitted. Also, there may be no broadcast communication channel for confirming that j is not lying between j and the member.
[0094]
In this process, j is a sufficiently large number of secret keys pkj i (i = 1,..., M) and each member h (h = 1,..., k) is a secret part pkj i (h) (i = 1,..., M) is held as a list. As described above, since the secret key is disposable, j and each member h hold indexes pkj and pkj (h) indicating positions on the list of keys to be used next. Then, j generates a secret key when there is a margin for processing, and distributes this secret when the communication system is free, and continues updating.
[0095]
[Pseudo-random number generation processing]
As shown in FIG. 11, similarly to the secret key distribution process, distributed pseudorandom numbers r1,..., RQ that are conversation keys used between the prover and the authenticator are also generated by the offline process and held as a list. The As described in the above distributed pseudorandom number generation protocol, all members need to perform distributed processing of pseudorandom numbers, but all members do not have to be executed at the same time. If there is room in the processing and communication system, this processing may be executed and distributed to other members. Thereby, each member holds the distributed pseudo random numbers r1 (j),..., RQ (j) as a list together with an index indicating the use position.
[0096]
[Online processing]
The online authentication protocol for obtaining an authenticator from the distributed authentication server for the client P (certifier) in the communication system to send to the server V (certifier) is performed by the following steps S1 to S4.
[0097]
(Step S1) The client P uses the normal communication path to AUTH. Information indicated as REQUEST {id P, id A request message 101 including V, s} is sent to the members constituting the distributed authentication server. However, id P is the client P, id V is data specifying the server V, and s is a random number selected arbitrarily.
[0098]
(Step S2) AUTH The member that has received REQUEST performs the following processing steps S21 to S26.
[0099]
(Step S21) A time stamp indicating the current time is broadcast, and the common time is confirmed.
[0100]
(Step S22) Using the distributed secret key encryption protocol of the distributed secret data, distributed pseudo random numbers rz,..., Rz + a-1 used as conversation keys ck1,. x, ..., pkV x + a-1 is encrypted as a secret encryption key. Here, a represents the number of pseudo-random numbers, and z and x are indices representing the start of the pseudo-random number list and the secret key pk list, respectively. At this time, z 1 and x 2 are updated as z = z + a and x = x + a, respectively. The result encrypted in this way 1, ..., CT a.
[0101]
(Step S23) Using a distributed secret key encryption protocol of public data, a public time stamp and an identifier that is an identifier of a prover P is 2b private keys pkV from the same private key pk list as step S22. x, ..., pkV Encrypt by x + 2b. And it updates with x = x + 2b + 1. The result of this encryption is CT a + 1, ..., CT a + b and CT together with the result of step S22 1, ..., CT It is set as a + b, and it is set as an authenticator together with the index x before update in step S22.
[0102]
(Step S24) Using the distributed secret key encryption protocol for the distributed secret data, the ciphertext CT for the authenticator obtained in step S23 1, ..., CT a + b and the common keys ck1,..., cka used in step S22 are 2a + b secret keys pkP y, ..., pkP Encrypt y + 2a + b as an encryption key. However, y is an index indicating the beginning of the secret key list with the prover, and is updated as y = y + 2a + b + 1. The result encrypted in this way is represented by CCT. 1, ..., CCT Let 2a + b.
[0103]
(Step S25) Using the distributed secret key encryption protocol of the public data, the pseudo random number s disclosed in Step S1 and the identifier of the authenticator V is 2c private keys pkP from the same private key list as in step S24. y, ..., pkP Encrypt by y + 2c. Then, y = y + 2c + 1 is updated. The result encrypted in this way is represented by CCT. 2a + b + 1, ..., CCT 2a + b + c and CCT together with the result of step S24 1, ..., CCT Let 2a + b + c.
[0104]
(Step S26) CCT distributed secretly using secret restoration processing 1, ..., CCT 2a + b + c is restored and transmitted to the client P, who is the prover, together with the index y before being updated in step S24 as the authentication message 102 using a normal communication path.
[0105]
(Step S3) The prover P receives the received index y and the private key pkP from his private key list. y, ..., pkP The received data CCT by y + 2a + b + 2c 1, ..., CCT The pseudorandom number ck is decrypted from 2a + b + c using the distributed secret key decryption protocol of public data. And the decrypted s and id Check that V is correct. If it is confirmed that it is correct, the decrypted pseudorandom number ck is stored as a common key with the authenticator, and the decrypted authenticator 103 is transmitted to the authenticator V.
[0106]
(Step S4) The certifier V has an index x that can be included in the authenticator and a pkV from its own private key list. x, ..., pkV By using the distributed secret key decryption protocol of public data, the time stamp and the identifier id of the prover are obtained from the received authenticator by x + a + 2b. P is decrypted, and the pseudorandom number ck is decrypted using the distributed secret key decryption protocol of the distributed secret data. And the decrypted timestamp and identifier id Check that P is correct. If it is confirmed that it is correct, the prover P is authenticated, and the decrypted pseudorandom number ck is stored as a common key with the authenticator.
[0107]
[Example 2]
In the above-described first embodiment, if the attacker wiretap and memorizes the authenticator sent by the prover to the authenticator, the attacker shows the authenticator to the authenticator, and the attacker does not intend to use the service. Can be requested from the certifier, and the prover can be confused. This attack is called a replay attack.
[0108]
Therefore, in this embodiment, in order to mitigate this replay attack, the communicated time information is further added to the authenticator sent by the prover to the authenticator in step S3 of the online processing of the first embodiment. This procedure is shown in FIG. The present embodiment differs from the first embodiment only in the steps S3 and 4 ′ of the online processing, but differs only in that the steps S3 ′ and 4 ′ are performed. To do.
[0109]
(Step S <b> 3 ′) After executing step S <b> 3 of the first embodiment, the prover uses the obtained conversation key ck and the new time stamp T <b> 2 and the prover identifier id. P is encrypted {T2, id P} ^ ck is sent to the authenticator together with the authenticator.
[0110]
(Step S4 ') After authenticating the authenticator by executing step S4 of the first embodiment, the authenticator uses the obtained conversation key ck to attach the attached message {T2, id. P} ^ ck is decrypted, and the time stamp T2 and the prover identifier id If P is confirmed and T2 is old, the service request is not accepted.
[0111]
【The invention's effect】
As described above, according to the present invention, if the majority of the devices constituting the distributed authentication server can be trusted, the reliability and safety of the server are superior to those of the conventional centralized management type authentication server. Such effects can be obtained.
[0112]
The distributed authentication protocol performs the same authentication function as the authentication protocol by the conventional centralized management for the prover and the authenticator, and realizes high fault tolerance.
[0113]
For the prover and the authenticator, the online processing of the distributed authentication protocol guarantees the same interface (data format) as that of the conventional authentication protocol, so that it can be easily replaced with the conventional authentication server.
[0114]
For the prover and the authenticator, the online processing of the distributed authentication protocol is realized with the same calculation amount as that of the conventional authentication protocol.
[Brief description of the drawings]
FIG. 1 is a diagram showing a block configuration of a communication system in an embodiment of the present invention.
FIG. 2 is a diagram showing a block configuration of each device of the system.
FIG. 3 is a diagram illustrating a relationship between a secret and a submatrix.
FIG. 4 is a diagram illustrating processing by a one-way hash function.
FIG. 5 is a diagram showing a procedure of secret sharing processing;
FIG. 6 is a diagram illustrating a procedure of secret restoration processing.
FIG. 7 is a diagram illustrating distributed secret linear combination processing;
FIG. 8 is a diagram illustrating a procedure of pseudo random number distributed generation processing;
FIG. 9 is a diagram showing a procedure of distributed secret key encryption processing;
FIG. 10 is a diagram showing a procedure of a distributed authentication protocol.
FIG. 11 is a diagram showing a procedure for offline pseudo-random number generation processing;
FIG. 12 is a diagram showing a procedure for offline secret key distribution processing;
FIG. 13 is a diagram showing a procedure of a distributed authentication protocol.
FIG. 14 is a diagram showing a procedure of a distributed authentication protocol.
FIG. 15 is a diagram illustrating a procedure of a distributed authentication protocol according to the second embodiment.
FIG. 16 is a diagram showing a procedure of a conventional authentication protocol.
[Explanation of symbols]
11 Secret channel
12 Broadcast communication channels
13 Normal communication path
14 Devices constituting a distributed authentication server
15 Client and server devices
21 Communication Department
22 Arithmetic processing part
23 Random number generator
24 storage unit
101 Request message
102 Authentication message
103 authenticator
161 prover
162 Certifier
163 Authentication Center
164, 165, 166 data

Claims (9)

In a communication system having a plurality of devices including a device group constituting a distributed authentication server,
The certifier side device that is requested to be authenticated by the certifier side device transmits an authentication request message including the identifiers of the certifier and the certifier to each device constituting the distributed authentication server,
The devices constituting the distributed authentication server jointly generate, based on the authentication request message, an authenticator encrypted with a secret key related to the authenticator, and encrypt the authenticator with a secret key related to the prover. Generate an authentication message
Each device constituting the distributed authentication server transmits the authentication message to the prover side device,
The certifier side device that has received the authentication message decrypts the authentication message, and transmits the obtained authenticator to the certifier side device.
The authentication method, wherein the authenticator side device that has received the authenticator decrypts the authenticator and authenticates the prover. 2. The devices constituting the distributed authentication server jointly transmit a common key used for encrypted communication between the two devices to the certifier side device and the certifier side device. Authentication method described in. 3. The authentication method according to claim 2, wherein each device configuring the distributed authentication server transmits the common key to the prover-side device by including the common key in the authentication message. 3. The authentication method according to claim 2, wherein each device configuring the distributed authentication server transmits the certifier including the common key to the authenticator side device. A common key used for cryptographic communication between the prover-side device and the authenticator-side device is shared as a pseudo-random number using a secret sharing process that can be confirmed. The authentication method according to claim 1, wherein the authentication method is generated as follows. In each device constituting the distributed authentication server, encryption with a secret key is performed by dividing data to be encrypted into a plurality of blocks, and adding a different secret key to each of the divided blocks on a predetermined finite field. The authentication method according to claim 1, wherein the authentication method is executed. In each device constituting the distributed authentication server, encryption with a secret key is performed by dividing data to be encrypted into a plurality of blocks, and multiplying each divided block by a different secret key on a predetermined finite field, The authentication method according to claim 1, wherein the authentication method is executed by further adding a different secret key to each multiplication result. The authentication method according to claim 1, wherein each device constituting the communication system distributes and distributes a secret key related to the device to each device constituting the distributed authentication server by secret sharing processing. When the prover-side device transmits the authenticator to the authenticator-side device, the authenticator is encrypted using a common key common to the prover-side device and the authenticator-side device together with a time stamp. Send
The authentication method according to claim 1, wherein the authenticator side device decrypts the received information from the prover side device using the common key and confirms a time stamp.

Images