JP3898796B2 - Encryption device - Google Patents

Description

[0001]
BACKGROUND OF THE INVENTION
The present invention relates to an encryption device provided in a communication device that performs secret communication by sharing a secret key, and particularly relates to an encryption device that can be realized with a small circuit scale.
[0002]
[Prior art]
There are many cases where it is necessary to prevent data communicated via a communication path from being illegally copied or altered on the communication path.
For example, a literary work such as a movie is digitized, further compressed, and digitally recorded on an optical disc, which is taken out as electrical information by an optical disc playback device, and the extracted digital information is decompressed by an information decompression device, This is the case where it is played back by the audiovisual playback device.
[0003]
Here, the optical disk reproducing device and the information decompressing device are separated as separate devices, and when data communication is performed between them by a digital communication path, this communication data is recorded by the digital information recording device without permission of the author, and further digital information is recorded. If it is duplicated by the duplicating device, the copyrighted work of the movie is illegally duplicated, and copyright infringement occurs. Therefore, it is necessary to prevent data being communicated via the communication path from being illegally copied on the communication path. While the specifications of circuits and components in equipment are not publicly disclosed, the electrical characteristics and signal formats for data communication are often disclosed to the public, so unauthorized copying of data on the communication path and subsequent data modification Becomes a big problem.
[0004]
Various techniques for excluding such illegal activities and ensuring safe communication have been known.
The most representative one uses a partner authentication technique. Basically, the sender of the data authenticates the validity of the receiver and sends the data only when it is confirmed that the receiver is a legitimate recipient. It is prevented from being received.
[0005]
In this case, the side that proves its validity like the receiver in this case is called a prover, and the side that checks the validity of the other party like the sender in this case is called an authenticator. In addition, in the case of devices related to the above-mentioned optical disc recording / playback, those devices comply with the standards set by the industry of optical disc related devices rather than whether or not the authentication is successful between specific devices. Whether it is a thing or not is a problem. Therefore, in such a case, “validity” means “conforming to a predetermined standard”.
(First prior art)
As a first specific conventional technique, there is a one-way authentication method using a cryptographic technique described in the international standard ISO / IEC9798-2.
[0006]
This authentication method is based on proving that the prover has secret data called an authentication key to the authenticator without notifying the key itself. For that purpose, first, the certifier selects some data and throws it to the prover. This action is called challenge, and the data thrown is called challenge data.
On the other hand, the prover encrypts the challenge data using a cryptographic conversion and an authentication key that are owned in advance. Then, the encrypted data is returned to the authenticator. This action is called a response, and the data is called response data.
[0007]
The authenticator who has received this response data shares the authentication key with the decryption conversion, which is the reverse of the encryption conversion owned by the prover, and decrypts the response data returned from the prover with the authentication key. Decrypt using transform. If this result matches the challenge data, it is determined that the receiver has a proper authentication key, and authenticity of the prover is authenticated. One-way authentication means that one side proves its validity to the other.
[0008]
Here, the cryptographic conversion T is a mapping from a plaintext set determined by the key data S to a ciphertext set. When the plaintext is X, the ciphertext is written as T (S, X). Between the inverse transformation TINV that is a mapping from the ciphertext set determined by the same key data S to the plaintext set,
TINV (S, T (S, X)) = X
There is a relationship. This means that plaintext X is encrypted and converted back to the original state. Inverse conversion of encryption conversion is called decryption conversion. In order to perform cryptographic conversion, it is necessary that it is difficult to obtain the plaintext X from the ciphertext T (S, X) when there is no knowledge of the key S. In addition, by convention, encryption conversion is described as E (S,), and decryption conversion is described as D (S,).
[0009]
FIG. 11 is a diagram illustrating an example of an authentication method described in the standard.
FIG. 11 shows a case where the digital work mj is transferred from the first device 11 to the second device 12. Here, the first device 11 confirms the validity of the second device 12.
The operation of this conventional one-way authentication method will be described below according to the step numbers shown in the figure.
[0010]
(1) The first device 11 generates a random number R1. Then, this is transmitted as challenge data to the second device 12 via the communication path.
(2) When receiving the random number, the second device 12 encrypts the random number using the secret authentication key S stored in the second device 12 as an encryption key. As a result, C1 is transmitted as response data to the first device 11 via the communication path.
[0011]
(3) When receiving the response data, the first device 11 decrypts the response data C1 using the authentication key S stored in the first device 11 as a decryption key.
(4) The first device 11 compares the decryption result RR1 with the random number R1 temporarily stored in the first device 11. If they match, the first device 11 considers that the second device 12 has the same authentication key S and authenticates that the communication partner is valid. On the other hand, if they do not match, it is determined that the communication partner is not valid, and the processing is interrupted.
[0012]
(5) The first device 11 authenticates the second device 12 and then transmits the digital work to the second device 12 via the communication path.
If a third device that does not have the authentication key S is connected to the communication path instead of the second device 12, the third device detects the correct data C1 in the above step (2). As a result, the decryption result RR1 does not match R1 in step (3), so that the first device 11 does not transmit the digital work to the third device in step (4). .
[0013]
If the same challenge data and response data are always used between the first device 11 and the second device 12, an unauthorized third device that knows that may impersonate the second device 12. Conceivable. In order to avoid this, different challenge data (random numbers) is sent from the first device 11 each time.
(Second prior art)
By the way, in the first conventional technique, for example, after authentication, false data stored in the hard disk device can be illegally transmitted to the second device 12 having a regular authentication key. In order to solve this problem, it is necessary for the second device 12 to confirm the validity of the first device 11 at the same time as the first device 11 confirms the validity of the second device 12.
[0014]
In addition, when the digital work is transmitted to the second device 12 via the communication path after both devices have been authenticated, the data on the communication path is extracted and stored in, for example, a hard disk device. Can be considered. Of course, this requires knowledge of the electrical characteristics and data format of the signals on the communication path, but since such knowledge is generally not particularly secret information, the extraction of digital works is a technology. Is fully possible. Therefore, authentication alone is not sufficient, and after successful authentication, a new key randomly generated is shared between each device, and encrypted communication is performed by encrypting and transferring the digital work using that key. Is required. A secret key for encrypting data to be transferred such as a digital work is hereinafter referred to as a “data transfer key”.
[0015]
In the following, a second prior art that extends the one-way authentication as the first prior art and performs two-way authentication, sharing of a data transfer key, and encrypted communication will be described.
FIG. 12 shows an example of an apparatus that realizes this bidirectional authentication.
FIG. 12 shows a case where the digital work mj is encrypted and transferred from the first device 21 to the second device 22.
[0016]
The conventional bidirectional authentication and data transfer key sharing operation will be described below according to the step numbers shown in FIG.
(1) The first device 21 generates a random number R1. This has the meaning as the first challenge data. And this is transmitted to the 2nd apparatus 22 via a communication path.
Here, the random number R2 has a meaning as second challenge data from the second device 22 to the first device 21. That is, the ciphertext C1 has the meaning of both response data to the first challenge data and second challenge data.
[0017]
(2) The second device 22 generates a random number R2 and combines it with the random number R1 received from the first device 21 to create combined data R1 || R2. Here, the symbol "||" indicates that both pieces of data are combined in the digit direction. The combined data R1 || R2 is encrypted using the authentication key S of the second device 22 as an encryption key, and the ciphertext C1 is transmitted to the first device 21.
[0018]
(3) The first device 21 decrypts the ciphertext C1 received from the second device 22 using the authentication key S as a decryption key, and sets the higher order as separated data RR1 and the lower order as separated data RR2.
(4) The first device 21 compares the separated data RR1 with the random number R1 temporarily stored in the first device 21. If they match, the communication partner is authenticated as a valid device having the authentication key S. If they do not match, the authentication process is interrupted here.
[0019]
(5) The first device 21 generates a random number K and sets it as the data transfer key K. The combined data RR2 || K obtained by combining the acquired separated data RR2 and the data transfer key K is encrypted with the authentication key S of the first device 21, and the ciphertext C2 is transmitted to the second device 22. .
(6) The second device 22 decrypts the ciphertext C2 received from the first device 21 using the authentication key S, and sets the higher order as separated data RRR2 and the lower order as separated data KK.
[0020]
(7) The second device 22 compares the separated data RRR2 with the random number R2 temporarily stored in the second device 22. If they match, the communication partner is authenticated as a valid device having the authentication key S. If they do not match, the authentication process is interrupted here. On the other hand, the decrypted separated data KK is set as the data transfer key KK.
[0021]
(8) The first device 21 encrypts the digital work using the data transfer key K and transmits it to the second device 22 via the communication path.
(9) The second device 22 decrypts the data using the data transfer key KK to obtain the original digital work.
Here, if the first device 21 has a regular authentication key S and the second device 22 does not have a regular authentication key, the first device 21 communicates in step (4). It can be determined that the other party does not have a regular authentication key, and the authentication process can be interrupted. If the first device 21 does not have a regular authentication key and the second device 22 has a regular authentication key, the second device 22 is a communication partner in step (7). Can be determined to have no authorized authentication key, and the authentication process can be interrupted. In this way, it is possible to prevent a digital work from flowing out to an unauthorized device and at the same time to prevent an unauthorized device from flowing into an authorized device.
[0022]
Further, when both the first device 21 and the second device 22 have a valid authentication key, when the authentication process is completed and the digital work is transmitted on the communication path in step (8), Even if the digital work is electronically copied and stored in the digital storage device, the digital work is encrypted, so it is meaningless digital data. Digital works are effectively protected.
[0023]
As described above, for successful two-way authentication using encryption technology, it is easy for the authentication keys stored in the first device 21 and the second device 22 to be fraudulent. It is an indispensable condition not to understand. Further, it is necessary that the random number generation unit for the challenge data and the data transfer key K generation unit are not accessible from the outside and cannot be changed.
[0024]
The most effective method for ensuring the secrecy of these components is a method for realizing, as an IC, a part that performs the above-described authentication, data transfer key sharing, and encryption communication. This is because, in general, it takes a lot of labor to analyze an IC, so that an authentication key or the like is not easily deciphered.
[0025]
[Problems to be solved by the invention]
However, in order to realize the first device 21 in the second prior art with an IC, such an IC (hereinafter referred to as “encrypted IC”) needs to include the following parts.
・ Random number generator for generating random number R1
A decryption unit for decrypting the ciphertext C1
-The part that stores the authentication key S
A comparison unit for comparing the random number R1 with the separated data RR1
・ Random number generator for generating data transfer key K
An encryption part for combining and encrypting the separated data RR2 and the data transfer key K
-The part that stores the data transfer key K
・ Cryptographic part that encrypts digital works using data transfer key K
The second device 22 also requires hardware of the same scale.
[0026]
As described above, when the above conventional authentication method is realized by an IC, two random number generation units and two conversion units (decryption unit and encryption unit) must have a large number of functions, so that the circuit scale is large. There is a problem that it increases and eventually leads to an increase in the cost of the equipment.
In the second prior art, the data transfer key K for encrypting data is generated by the first device 21. For the same reason that mutual authentication is required, this key is used for both the keys. It is better to reflect the value generated by the device.
[0027]
As described above, in order to protect a line between devices, a method of realizing a function such as authentication and secret information for that purpose in an IC is effective. However, in the conventional method, if the mutual authentication part, the data transfer key sharing part, and the data encryption part are all realized in one IC, the scale of the IC becomes very large, and the cost is reduced. Leading up.
[0028]
Accordingly, a first object of the present invention is to provide an encryption apparatus that includes a small-scale encryption IC and has a minimum necessary function for ensuring the safety of communication between devices.
Here, the encryption IC has the following functions.
(1) Store the authentication key securely. The key is not rewritten or read by external access.
[0029]
(2) Share the data transfer key securely. The key is not rewritten or read by external access.
(3) However, the size of the encryption IC is minimized by not providing the encryption IC with a part not related to the security of the communication system.
A second object of the present invention is to provide a highly secure cryptographic communication system that is suitable for implementation using a small-scale encryption IC.
[0030]
[Means for Solving the Problems]
  In order to achieve the first object, the present invention performs sharing of a data transfer key and encryption communication using the data transfer key.Mutually authenticate that the other device is a legitimate device by communication based on a challenge-response authentication protocolAn encryption device provided in a device, the first random number generation unit for generating a first random number for sharing the data transfer key, and the first random number generated by the first random number generation unit First random number holding means;A first encryption unit for encrypting the first random number generated by the first random number generation unit; and the first random number encrypted by the first encryption unitFirst transmission means for transmitting a first random number to the counterpart device of the encrypted communication;Second random number generation means for generating a second random number for challenge data to be transmitted to the counterpart device, and whether the response data returned from the counterpart device with respect to the challenge data matches the second random number When the authentication unit authenticates that the counterpart device is a legitimate device when they match, and when the authentication unit authenticates,A data transfer key generating unit that generates the time-varying data transfer key using the first random number held in the first random number holding unit, and the data transfer key for the transfer data to be encrypted Transfer data encryption means for encrypting the data, the first random number generation means, the first random number holding means,The first encryption means;The data transfer key generation means and the transfer data encryption means are realized by a circuit in one IC,The second random number generation means and the authentication means are realized by a circuit outside the IC,The first random number holding means holds the first random number in an area that cannot be accessed from outside the IC.
[0031]
  As a result, the first random number directly related to the generation of the data transfer key is held inside the encryption IC that cannot be accessed from the outside, so that the time-varying data transfer key is securely shared with each device and encrypted communication is performed. Is called. In addition, the encryption IC has a minimum necessary function for ensuring the safety of communication between devices, and thus can be realized with a small circuit.
  In addition, since the third party cannot know the first random number directly related to the generation of the data transfer key, the confidentiality of the data transfer key is maintained, even if the encryption algorithm and its inverse conversion algorithm are known. Cryptographic communication is maintained. When the mutual authentication between devices succeeds, a regular data transfer key is generated at the same time, and the security of the secret communication is improved. Further, since the processing unit that is not related to the security of the communication system, that is, the processing unit that is not directly related to the generation of the data transfer key is provided outside the encryption IC, the scale of the encryption IC is prevented from becoming unnecessarily large. The
[0032]
In order to achieve the second object, the present invention provides a communication system comprising a transmitter and a receiver for sharing a data transfer key and performing cryptographic communication using the data transfer key, The transmitter and the receiver mutually authenticate that the counterpart device is a legitimate device by communication based on the challenge-response type authentication protocol, and each generates a first random number for challenge data. Random number generating means; second random number generating means for generating a second random number for the data transfer key; combining means for combining the first random number and the second random number; and encrypting means for encrypting the combined data. A first transmission unit that transmits the encrypted combined data to the counterpart device, and a first reception unit that receives the encrypted combined data transmitted from the first transmission unit of the counterpart device Decrypting means for decrypting the received combined data; separating means for separating the decrypted combined data into first separated data corresponding to response data and second separated data for the data transfer key; A second transmitting means for returning the first separated data as response data to the counterpart device; a second receiving means for receiving the first separated data returned from the second transmitting means of the counterpart device; Comparing one separated data with the first random number, and combining the second random number and the second separated data with a comparing means for authenticating the counterpart device with a valid device if they match, A data transfer key generating unit that generates the data transfer key; and an encryption communication unit that performs encrypted communication with the counterpart device using the generated data transfer key when the authentication is performed. It is characterized in.
[0033]
As a result, mutual authentication is performed between the transmitter and the receiver, a data transfer key is generated, a random number directly related to the generation of the data transfer key is not transmitted and received as it is, and a data transfer key is generated. Since the two directly related random numbers are provided from the transmitter and the receiver, respectively, it is suitable to be realized using a small-scale encryption IC, and a highly secure cryptographic communication system is provided. Realized.
[0034]
DETAILED DESCRIPTION OF THE INVENTION
(Embodiment 1)
FIG. 1 shows a processing sequence in Embodiment 1 in which mutual authentication, data transfer key sharing, and data encryption communication are performed between a first device and a second device having an encryption device according to the present invention. FIG.
[0035]
FIG. 1 shows a case where the digital work mj is transferred from the first device 51 to the second device 52. FIG. 1 shows only the encryption device included in each of the devices 51 and 52, and other components not directly related to the encryption device (transmission / reception unit, digital work processing system, etc.) are omitted. Has been.
The encryption device according to the present invention provided in the first device 51 is roughly composed of an MPU 53 and a first encryption IC 54.
[0036]
The MPU 53 includes a ROM that holds a control program unique to the encryption apparatus, a general-purpose microprocessor that executes the control program, and a RAM. The MPU 53 is a process that does not directly participate in sharing the data transfer key (in the figure). Steps (1) and (7)) are performed.
The first encryption IC 54 is a one-chip semiconductor IC, and is a process directly involved in sharing the data transfer key (steps (3), (5), (9), (11) in the figure). To do.
[0037]
Similarly, the encryption apparatus according to the present invention provided in the second device 52 is roughly composed of an MPU 55 and a second encryption IC 56.
The MPU 55 includes a ROM that holds a control program unique to the encryption device, a general-purpose microprocessor that executes the control program, and a RAM. The MPU 55 is a process that is not directly involved in sharing the data transfer key (in the figure). Steps (2) and (8)) are performed.
[0038]
The second encryption IC 56 is a one-chip semiconductor IC and is a process directly involved in sharing the data transfer key (steps (4), (6), (10), (12) in the figure). To do.
In this embodiment, a 64-bit block encryption algorithm E compliant with a data encryption standard (DES) and an inverse conversion algorithm D thereof are used. Hereinafter, the conversion using the encryption algorithm E is referred to as “encryption”, and the conversion using the inverse conversion algorithm D is referred to as “decryption”.
[0039]
Further, the first encryption IC 54 includes only the encryption algorithm E, and the second encryption IC 56 includes only the inverse conversion algorithm D. This is for reducing the scale of the encryption ICs 54 and 56 and for safety.
The operation of the encryption apparatus according to the first embodiment will be described below according to the step numbers shown in FIG.
[0040]
(1) The MPU 53 of the first device 51 generates a random number R1 (32 bits), stores it, and passes it to the first encryption IC 54.
(2) Similarly to step (1), the MPU 55 of the second device 52 generates a random number R2 (32 bits), stores it, and transmits it to the second encryption IC 56.
[0041]
(3) The first encryption IC 54 generates a random number R3 (32 bits) and stores it in an area that cannot be accessed from the outside. The random number R1 generated by the MPU and the random number R3 are combined and encrypted using the E function.
Here, the symbol “||” indicates that two random numbers are combined in the digit direction to be 64 bits (the random number R1 is the upper 32 bits and the random number R3 is the lower 32 bits). For encryption, a secret authentication key S held in advance by the first encryption IC 54 and the second encryption IC 56 is used. The first encryption IC 54 transmits the encryption result C1 to the second device 52 via the transmission unit (not shown in the figure) of the first device 51.
[0042]
(4) Similar to step (3), the second encryption IC 56 generates a random number R4 (32 bits) and stores it in an area that cannot be accessed from the outside. The random number R2 generated by the MPU and the random number R4 are combined and decrypted by the inverse transformation algorithm D. The authentication key S is used for decryption. The second encryption IC 56 transmits the decryption result C2 (64 bits) to the first device 51 via the transmission unit (not shown) of the second device 52.
[0043]
(5) The first encryption IC 54 encrypts the decrypted text C2 received from the second device 52 with the authentication key S using the E function. Then, the obtained 64 bits are separated into separated data RR2 which is the upper 32 bits and separated data RR4 which is the lower 32 bits. Further, the separated data RR2 is transmitted to the second device 52 via the transmission unit of the first device 51, while the separated data RR4 is not accessible from the outside in the first encryption IC 54 without going out. To store.
[0044]
Note that when the first encryption IC 54 and the second encryption IC 56 are authentic and hold the same authentication key S, the separated data RR2 is generated by the MPU 55 of the second device 52. The separated data RR4 matches the random number R4 stored inside the second encryption IC 56.
(6) Similar to step (5), the second encryption IC 56 decrypts the ciphertext C1 received from the first encryption IC 54 with the authentication key S using the inverse conversion algorithm D. Then, the obtained 64 bits are separated into separated data RR1 which is the upper 32 bits and separated data RR3 which is the lower 32 bits. Further, the separated data RR1 is transmitted to the first device 51 via the transmission unit of the second device 52, while the separated data RR3 is not accessible from the outside in the second encryption IC 56 without going out. To store.
[0045]
In the case where the first encryption IC 54 and the second encryption IC 56 are normal to each other and hold the same authentication key S, the separated data RR1 matches the random number R1, and the separated data RR3 matches the random number R3.
(7) The random number R1 stored in the step (1) in the MPU 53 of the first device 51 is compared with the separated data RR1 received from the second device 52. The second encryption IC 56 and the second device 52 having the same are authenticated as valid devices.
[0046]
(8) Similar to step (7), the random number R2 stored in step (2) in the MPU 55 of the second device 52 is compared with the separated data RR2 received from the second device 52. If yes, the first encryption IC 54 and the first device 51 having the same are authenticated as valid devices.
(9) The first encryption IC 54 generates the data transfer key K by combining the random number R3 stored in the step (3) and the separated data RR4. Here, the data transfer key K (64 bits) is generated with the random number R3 as the upper 32 bits and the separated data RR4 as the lower 32 bits. Since this data transfer key K is a combination of two random numbers, it can be said to be a time-variant key, that is, a newly generated key.
[0047]
(10) Similarly to step (9), the second encryption IC 56 generates the data transfer key K by combining the separated data RR3 and the random number R4 stored in the step (4). Here, a data transfer key K (64 bits) is generated in which the separated data RR3 is the upper 32 bits and the random number R4 stored in step (4) is the lower 32 bits. This data transfer key is also a time-varying key.
[0048]
When the mutual authentication in step (7) and step (8) succeeds, the random number R3 generated in step (3) matches the separated data RR3 obtained in step (6). Since the random number R4 generated in step (4) matches the separated data RRR4 obtained in step (5), the data generated in step (9) and step (10) respectively. The transfer key K will match.
[0049]
(11) The first encryption IC 54 of the first device 51 uses the data transfer key K obtained in the above step (9) for the blocked digital work mj (64 bits) sent from the MPU 53. The process of transmitting the encrypted ciphertext Cj to the second device 52 is repeated until all the digital works to be transferred have been transmitted.
[0050]
(12) In response to step (11), the second encryption IC 56 of the second device 52 receives the encrypted digital work Cj (64 bits) transmitted by the first device 51. The digital work mmj obtained by decrypting the data transfer key K obtained in step (10) is sent to the MPU 55. This decryption is repeated as long as the digital work Cj is transmitted from the first device 51.
[0051]
In this manner, mutual authentication, sharing of the data transfer key K, and encrypted data communication are performed between the first device 51 and the second device 52 by the encryption device of the first embodiment.
As is clear from the above description, the encryption apparatus according to the first embodiment has the following characteristics.
[0052]
The first feature is that the data transfer key K is safely protected inside the encryption IC. Specifically, in the case of the encryption device included in the first device 51, two data directly used for generating the data transfer key K, that is, the random number R3 and the separated data RR4 are as follows: Meet.
The random number R3 is generated inside the first encryption IC 54, is not output to the outside, and is held in an area that cannot be read from the outside.
[0053]
The separated data RR4 is generated (separated and generated) inside the first encryption IC 54, is not output to the outside, and is held in an area that cannot be read from the outside. As a result, since the data transfer key K is protected in the encryption IC, the first device 51 and the second device can be used even if those disclosed as the encryption algorithm E and the inverse conversion algorithm D are adopted. The security of the encryption communication between 52 is guaranteed.
[0054]
The second feature is that the circuit accommodated in the encryption IC is kept to the minimum necessary. Specifically, in the case of the encryption device included in the first device 51, the following processing is realized by a circuit outside the first encryption IC 54, that is, the MPU 53.
・ Generation of random number R1
・ Comparison of random number R1 and separated data RR1
In other words, consideration is given so that the circuit scale of the first encryption IC 54 does not become unnecessarily large. These two processes relate to the authentication of the counterpart device and are not directly involved in the generation of the data transfer key K. Therefore, even if an attempt is made to make fraud using the fact that these processes are implemented outside the IC, it is impossible to make an act that would benefit the first device 51. The response data RR2 for the challenge data C2 from the second device 52 is created in the encryption IC.
[0055]
FIG. 2 is a block diagram showing a hardware configuration of the first encryption IC 54.
The second encryption IC 56 can also be realized with the same hardware scale.
The external I / F unit 61 is the only input / output port for accessing the internal circuit of the first encryption IC 54 from the outside.
The random number generation unit 60 generates a 32-bit random number R3.
[0056]
The random number storage unit 62 is a storage circuit that holds the random number R <b> 3 generated by the random number generation unit 60.
The combining unit 63 combines the random number R3 stored in the random number storage unit 62 with the lower 32 bits and the 32-bit data R1 input via the external I / F unit 61 as the upper 32 bits.
[0057]
The authentication key S storage unit 64 is a storage circuit that holds an authentication key S given in advance.
The switches 65 and 66 are a 64-bit wide 3-input 1-output multiplexer and a 64-bit wide 2-input 1-output multiplexer, respectively.
The E function 67 is an encryption circuit based on the encryption algorithm E.
The switch 68 is a 64-bit wide 1-input 3-output demultiplexer.
[0058]
The separation unit 69 separates the 64-bit data output from the switch 68 into the upper 32 bits RR2 and the lower 32 bits RR4.
The data transfer key K generation unit 59 combines the random number R3 stored in the random number storage unit 62 with the upper 32 bits and the separated data RR4 separated by the separation unit 69 as the lower 32 bits, thereby obtaining the data transfer key K. Generate.
[0059]
The data transfer key K storage unit 70 is a storage circuit that holds the data transfer key K generated by the data transfer key K generation unit 59.
Next, how each component shown in FIG. 2 operates in each step shown in FIG.
In step (3) of FIG. 1, the random number generation unit 60 generates a random number R3 and stores it in the random number storage unit 62, and the combining unit 63 receives the random number R3 and the random number input via the external I / F unit 61. R1 is combined and sent to E function 67 via switch 65. The E function 67 receives the authentication key S from the authentication key S storage unit 64 via the switch 66, encrypts the combined data R1 || R3 output from the combining unit 63 using the authentication key S, and converts the result C1 into the switch 68. And output to the second device 52 via the external I / F unit 61.
[0060]
In steps (5) and (9) of FIG. 1, the decrypted text C2 input via the external I / F unit 61 is input to the E function via the switch 65. The E function 67 receives the authentication key S from the authentication key S storage unit 64, encrypts the decrypted text C2 using it, and sends it to the separation unit 69 via the switch 68. The separation unit 69 separates it into separated data RR2 and separated data RR4, the separated data RR2 is output to the outside via the external I / F unit 61, and the separated data RR4 is sent to the data transfer key K generation unit 59. The data transfer key K generation unit 59 generates the data transfer key K by combining the random number R3 stored in the random number storage unit 62 and the separated data RR4 sent from the separation unit 69, and then generates the data transfer key K. Store in the K storage unit 70.
[0061]
In step (11) of FIG. 1, the E function 67 uses the data transfer key K stored in the data transfer key K storage unit 70 as a digital work mj input via the external I / F unit 61 and the switch 65. And the result Cj is output to the second device 52 via the switch 68 and the external I / F unit 61.
In the first embodiment, specific bit lengths and data structures such as random numbers and ciphertexts are shown, but the present invention is not limited to these. For example, in the above step (5), the 32-bit random numbers R1 and R2 are combined into 64 bits, which are input to the 64-bit cryptographic function E to obtain the 64-bit ciphertext C1. For example, each part may be 64 bits, and a 128-bit ciphertext C1 may be generated by repeating encryption using the encryption function E twice. However, in this case, it is necessary that the part related to the random number R1 and the part related to R2 cannot be easily separated from the ciphertext C1. As one of the methods, there is an encryption method with a chain like the CBC mode. For details on the CBC mode, see Shinichi Ikeno and Kenji Koyama, “Contemporary Cryptography”, p.
[0062]
In the first embodiment, the first encryption IC 54 includes only the encryption function E, and the second encryption IC 56 includes only the inverse function D, thereby reducing the hardware scale. Is not the essence of the present invention as described above. That is, it is a matter that needs to be determined in relation to the circuit scale allowed for the encryption ICs 54 and 56, the type of encryption algorithm, and the like. For example, each possesses both the encryption algorithm E and the inverse transformation algorithm D. The encryption algorithm E may be used for encryption of random numbers, and the inverse conversion algorithm D may be used for decryption of information sent from the counterpart device. This is because the present invention is characterized in that the security of the secret communication is ensured by making at least the components directly involved in the generation of the data transfer key K into an IC.
[0063]
In the first embodiment, for example, the generation of the random number R1 in step (1) may be performed in the first encryption IC 54. As a result, the possibility of using the first encryption IC 54 as a decryption device is eliminated, and a more secure encryption device can be obtained. That is, in the first embodiment, the random number R1 is generated outside the first encryption IC 54, and the first encryption IC 54 outputs the ciphertext C1 based on the random number R1. The ciphertext C1 is affected by the random number R3 generated inside the first encryption IC 54. If the random number R3 is not a sufficiently random value, the first encryption IC 54 is encrypted. It can be abused as a decryption device. Therefore, by generating the random number R1 in the first encryption IC 54, the possibility of the attack described above is eliminated, and the encryption apparatus becomes more secure.
(Embodiment 2)
Next, a second embodiment is shown as a modification of the steps in the first embodiment shown in FIG. The purpose and effect are the same as those of the first embodiment. Further, the hardware scale is similar to that of the first embodiment shown in FIG. In the first embodiment, communication is performed by encrypting the response data without encrypting the challenge data. However, in the second embodiment, communication is performed without encrypting the response data by encrypting the challenge data. The description will focus on the differences from the first embodiment.
[0064]
FIG. 3 shows processing in Embodiment 2 in which mutual authentication, data transfer key sharing, and data encryption communication are performed between the first device 71 and the second device 72 having the encryption device according to the present invention. It is a figure which shows a sequence.
FIG. 3 shows a case where the digital work mj is transferred from the first device 71 to the second device 72.
[0065]
The MPU 73, the first encryption IC 74, the MPU 75, and the second encryption IC 76 correspond to the MPU 53, the first encryption IC 54, the MPU 55, and the second encryption IC 56 in the first embodiment, and have different processing procedures. Except for this, the hardware configuration is the same as in the first embodiment.
The operation of the encryption apparatus according to the second embodiment will be described below according to the step numbers shown in FIG.
[0066]
(1) The random number R1 (32 bits) is generated and stored in the MPU 73 of the first device 71 and stored in the second device 72 via the transmission unit (not shown) of the first device 71. Send. The second device 72 passes this to the second encryption IC 76.
(2) Similar to step (1), the MPU 75 of the second device 72 generates and stores a random number R2 (32 bits) and passes it through the transmission unit (not shown) of the second device 72. To the first device 71. The first device 71 passes this to the first encryption IC 74.
[0067]
(3) The first encryption IC 74 generates a random number R3 (32 bits) and stores it in an area that cannot be accessed from the outside. The random number R2 received from the second device 72 and the random number R3 are combined and encrypted with the E function. For encryption, a secret authentication key S held in advance by the first encryption IC 74 and the second encryption IC 76 is used. The first encryption IC 74 transmits the encryption result C1 (64 bits) to the second device 72.
[0068]
(4) Similar to step (3), the second encryption IC 76 generates a random number R4 (32 bits) and stores it in an area that cannot be accessed from the outside. The random number R1 received from the first device 71 and the random number R4 are combined and decrypted by the inverse transformation algorithm D. The authentication key S is used for decryption. The second encryption IC 76 transmits the decryption result C2 (64 bits) to the first device 71.
[0069]
(5) The first encryption IC 74 encrypts the decrypted text C2 received from the second encryption IC 76 with the authentication key S using the E function. Of the resulting 64-bit data, the upper 32 bits are the separated data RR1, and the lower 32 bits are the separated data RR4. The separated data RR1 is passed to the MPU 73 of the first device 71, while the separated data RR4 is stored in a region in the first encryption IC 74 that cannot be accessed from the outside without going out.
[0070]
When the first and second encryption ICs 76 are authentic and have the same authentication key S, the separated data RR1 is the same as the random number R1 generated by the MPU 73 of the first device 71. The separated data RR4 is the same as the random number R4 generated by the second encryption IC 76.
(6) Similar to step (6), the second encryption IC 76 decrypts the ciphertext C1 received from the first encryption IC 74 with the authentication key S using the inverse conversion algorithm D. The high-order 32 bits of the resulting 64-bit data are set as separation data RR2, and the low-order 32 bits are set as separation data RR3. Then, the separated data RR2 is transferred to the MPU 75 of the second device 72, while the separated data RR3 is stored in an area in the second encryption IC 76 that cannot be accessed from the outside without going out.
[0071]
If the first and second encryption ICs 76 are authentic and have the same authentication key S, the separated data RR2 is a random number R2 generated by the MPU 75 of the second device 72. The separated data RR3 is the same as the random number R3 generated by the first encryption IC 74.
(7) When the stored R1 in the MPU 73 of the first device 71 matches the separated data RR1 received from the first encryption IC 74, the second encryption IC 76 and The second device 72 including the second encryption IC 76 is authenticated as a valid device.
[0072]
(8) Similar to step (8), if the stored R2 in the MPU 75 of the second device 72 is compared with the separated data RR2 received from the second encryption IC 76, they match. The first encryption IC 74 and the first device 71 including the first encryption IC 74 are authenticated as a legitimate device.
(9) The data transfer key K is created in the first encryption IC 74 using the random number R3 and the separated data RR4. In the figure, the combination of both is the data transfer key K (64 bits).
[0073]
(10) Similar to step (10), the data transfer key K is created in the second encryption IC 76 using the separated data RR3 and the random number R4 in the same manner as the first encryption IC 74. In the figure, the combination of both is the data transfer key K (64 bits).
(11) The first encryption IC 74 of the first device 71 uses the data transfer key K obtained in the above step (9) as the blocked digital work mj (64 bits) sent from the MPU 73. The process of transmitting the encrypted ciphertext Cj to the second device 72 is repeated until all digital works to be transferred have been transmitted.
[0074]
(12) Corresponding to step (11), the second encryption IC 76 of the second device 72 receives the encrypted digital work Cj (64 bits) transmitted by the first device 71. Then, decryption is performed using the data transfer key K obtained in the step (10), and the obtained digital work mmj is sent to the MPU 75. This decryption is repeated as long as the digital work Cj is transmitted from the first device 71.
[0075]
In this manner, the encryption apparatus of the second embodiment allows mutual authentication, sharing of the data transfer key K and data between the first device 71 and the second device 72 as in the case of the first embodiment. Encryption communication is performed.
As described above, the encryption apparatus according to the present embodiment and the one according to the first embodiment are identical in hardware configuration, and only the processing procedure, that is, the connection and execution order of each hardware component are different. is there. Therefore, the characteristics of the encryption apparatus of the present embodiment and its modification can be said to be the same as in the first embodiment.
(Embodiment 3)
The encryption devices of the first and second embodiments have the following common points.
(1) Two random numbers are generated in both devices, one of which is used only for authentication and the other one is used only for generating the data transfer key K.
(2) The random number used for generating the data transfer key K is not output to the outside of the encryption IC as it is, while the random number used for authentication is output to the outside of the encryption IC. Will be released.
[0076]
On the other hand, the encryption apparatus according to the third embodiment described below generates only one random number and uses it for both purposes for authentication and data transfer key generation. This is to reduce the burden of random number generation in the encryption IC compared to the first and second embodiments.
Further, random number generation and comparison processing for authentication are performed inside the encryption IC. That is, unlike the first and second embodiments, not only the data transfer key generation but also the authentication processing is performed by the internal circuit of the encryption IC. As described above, this is for coping with the misuse of using the encryption IC for decryption, and the safety of encryption communication can be improved.
[0077]
FIG. 4 shows processing in Embodiment 3 for performing mutual authentication, data transfer key sharing, and data encryption communication between the first device 71 and the second device 72 having the encryption device according to the present invention. It is a figure which shows a sequence.
FIG. 4 shows a case where the digital work mj is transferred from the first device 81 to the second device 82.
[0078]
In the present embodiment, as in the first and second embodiments, the encryption devices according to the present invention provided in the devices 81 and 82 are roughly divided into MPUs 83 and 85 and encryption ICs 84 and 86, respectively. Consists of However, since the MPUs 83 and 85 perform the function of only passing the digital work mj to the encryption ICs 84 and 86, it can be said that the encryption device according to the present invention is substantially composed only of the encryption ICs 84 and 86. .
[0079]
The first encryption IC 84 and the second encryption IC 86 are one-chip semiconductor ICs as in the first and second embodiments.
The operation of the encryption apparatus according to the third embodiment will be described below according to the step numbers shown in FIG.
(1) The first encryption IC 84 generates and stores the random number R1, encrypts it with the E function, and sends the ciphertext C1 via the transmission unit (not shown) of the first device 81. Is transmitted to the second device 82. For encryption, a secret authentication key S held in advance with the second encryption IC 86 is used. The second device 82 passes the received ciphertext C1 to the second encryption IC 86.
[0080]
(2) The second encryption IC 86 decrypts the received ciphertext C1 with the inverse conversion algorithm D to obtain a decrypted text RR1. When the first encryption IC 84 and the second encryption IC 86 are authentic, the decrypted text RR1 matches the random number R1.
(3) The second encryption IC 86 generates and stores the random number R2, and combines it with the decrypted text RR1 to decrypt it with the inverse transformation algorithm D. The authentication key S is used for decryption. The second encryption IC 86 transmits the decrypted text C2 to the first device 81 via the transmission unit (not shown) of the second device 82. The first device 81 passes this to the first encryption IC 84.
[0081]
(4) In the first encryption IC 84, the decrypted text C2 is encrypted with the E function, and the result is separated into separated data RRR1 and separated data RR2. The separated data RRR1 matches the decrypted text RR1 and the random number R1 in the case of an exchange with a legitimate device. The separated data RR2 matches the random number R2.
(5) In the first encryption IC 84, the random number R1 stored in the step (1) is compared with the separated data RRR1, and if they match, the second encryption IC 86 and the second encryption IC The validity of the second device 82 including the integrated IC 86 is authenticated.
[0082]
(6) In the first encryption IC 84, the separated data RR2 is encrypted with the E function and transmitted to the second device 82. The second device 82 passes this ciphertext C3 to the second encryption IC 86.
(7) In the second encryption IC 86, the ciphertext C3 is decrypted by the inverse conversion algorithm D to obtain a decrypted text RRR2.
[0083]
(8) The second encryption IC 86 compares the random number R2 stored in the step (3) and the decrypted text RRR2, and if they match, the first encryption IC 84 and the first encryption The validity of the first device 81 including the integrated IC 84 is authenticated.
(9) In the first encryption IC 84, the data transfer key K is generated by combining the random number R1 and the separated data RR2.
[0084]
(10) In the second encryption IC 86, the data transfer key K is generated using the decrypted text RR1 and the random number R2.
(11) In the first encryption IC 84 of the first device 81, the block digital work mj (64 bits) sent from the MPU 83 is used as the data transfer key K obtained in the above step (9). The process of transmitting the encrypted ciphertext Cj to the second device 82 is repeated until all the digital works to be transferred have been transmitted.
[0085]
(12) In response to step (11), the second encryption IC 86 of the second device 82 receives the encrypted digital work Cj (64 bits) transmitted from the first device 81. Decryption is performed using the data transfer key K obtained in step (10), and the obtained digital work mmj is sent to the MPU 85. This decryption is repeated as long as the digital work Cj is transmitted from the first device 81.
[0086]
In this manner, mutual authentication and sharing of the data transfer key K is performed between the first device 71 and the second device 72 by the encryption device of the third embodiment, as in the first and second embodiments. And data encryption communication.
In steps (1), (2), (6), and (7), one random number is encrypted, and in steps (3) and (4), a combination of two random numbers is encrypted. When the 64-bit E function and the inverse transformation algorithm D are used, each random number is set to 32 bits, and the former 32-bit value is padded with a fixed 32-bit value. For example, the random number is the lower 32 bits, and the upper 32 bits are all fixedly zero. For the latter, the combined 64 bits may be input to each function as it is.
[0087]
In addition, when the bit length of each random number is doubled to 64 bits, the former is input to the function as it is, and for the latter, each function is repeatedly used twice. For example, a chained cipher such as CBC mode is performed. Just do it.
In the third embodiment described above, unlike the first and second embodiments, the random number for authentication and the random number for sharing the data transfer key are shared. Then, random number generation for authentication and comparison processing for authentication are performed in the encryption IC. Accordingly, since the random number does not appear outside the encryption IC as it is, it is safer against an attack using the encryption IC as a decryptor. This also ensures sufficient safety even when the number of bits of each random number is small.
(Embodiment 4)
Next, an encryption apparatus according to Embodiment 4 will be described.
[0088]
This device is an embodiment pursuing a compact encryption IC, and is different from the above embodiments 1 to 3 in that one-way authentication is adopted and a data transfer key is disclosed. . However, it is assumed that the encryption algorithm E and its inverse transformation algorithm D are kept secret.
FIG. 5 is a diagram showing a processing sequence when the digital work mj is transferred from the first device 91 to the second device 92.
[0089]
FIG. 6 is a block diagram showing a hardware configuration of the first encryption IC 94.
(1) First, the random number generation unit 101 of the first encryption IC 94 generates a random number R1 that uses both challenge data and a data transfer key, stores the random number R1 in the random number storage unit 102, and passes through the external I / F unit 100. Transmit to the second device 92.
(2) The second encryption IC 96 decrypts the received random number R1 using the authentication key S previously owned in common with the first encryption IC 94, and the obtained decrypted text C1 1 to the first device 91.
[0090]
(3) In the first encryption IC 94, the E function 106 performs the above authentication stored in advance in the authentication key S storage unit 103 for the decrypted text C1 received via the external I / F unit 100 and the switch 105. Encryption is performed using the same key S. Data RR1 obtained as a result is sent to the comparison unit 108 via the switch 107, where it is compared with the random number R1 held in the random number storage unit 102.
[0091]
(4) If the results match, the second device 92 can be authenticated as a legitimate device, and therefore the comparison unit 108 uses the random number R1 held in the random number storage unit 102 as the data transfer key. The switch 104 is controlled as used.
(5) The E function 106 encrypts the digital work mj sent from the MPU 93 via the external I / F unit 100 and the switch 105 using the random number R1 sent via the switch 104, The data is transmitted to the second device 92 via the 107 and the external I / F unit 100.
[0092]
(6) In the second encryption IC 96 of the second device 92, the random number R1 received in the above step (2) is applied to the digital work Cj sent from the first device 91 as the data transfer key. And the obtained digital work mmj is sent to the MPU 95.
In this way, in this embodiment, authentication, sharing of a data transfer key, and encrypted communication are realized with fewer steps and components than in the first to third embodiments.
[0093]
In the present embodiment, since the random number R1 transmitted from the first device 91 to the second device 92 is used as it is as a data transfer key, the data transfer key is easily known to a third party. obtain. However, even if a third party who knows the data transfer key attempts to eavesdrop and decrypt the digital work Cj, the encryption algorithm E and its inverse conversion algorithm D are kept secret as described above. Not successful.
[0094]
Further, even if the third party attempts to decipher the cryptographic algorithm by forging the convenient random number R1, only the random number generation unit 101 can store the new random number R1 in the random number storage unit 102. Since there is no means for storing the new random number R1 in the random number generation unit 101 from the outside of the encryption IC 94, the attempt is not successful.
As described above, if the encryption algorithm and its inverse conversion algorithm are kept secret, authentication, data transfer key generation, and encryption communication can be realized even by a compact encryption IC as in this embodiment.
[0095]
In the first to fourth embodiments, the method for setting (storing) the authentication key S in the encryption IC is preferably as follows.
That is, a part of the authentication key S is preset when the encryption IC is manufactured, and the remaining part is written after the encryption IC is manufactured. Specifically, a part of the authentication key S storage unit 64 is constituted by a mask ROM in which a part of the authentication key S is written in advance, and the remaining part is constituted by a programmable writable ROM.
[0096]
This is because it is safe because it does not involve human intervention for creating the final encryption IC, but it is easy to analyze the set value by chip analysis by reverse engineering. On the other hand, when it consists only of the write-once ROM, it is difficult to analyze the set value by reverse engineering, but there is a drawback that mistakes can be mixed and fraud is possible because the setting is manual. This is to make up for both of these drawbacks.
[0097]
In addition, as a specific example of the encryption algorithm in the encryption communication of the first to fourth embodiments, the following may be used.
The digital work is divided into 64-bit blocks on the transmission side, and the data transfer key K (64 bits) and exclusive OR for each bit are taken. The result is ciphertext. Similarly, on the receiving side, an exclusive OR of the received 64-bit ciphertext and the data transfer key K may be taken. As a result, the original block is decoded.
[0098]
There is also a method of updating the data transfer key K used for each block while synchronizing the data transfer key K between the transmitting side and the receiving side, instead of fixing the data transfer key K. For the update, the E function or the inverse transformation algorithm D may be used. The encryption / decryption in the block may be the exclusive OR described above.
In the first to fourth embodiments, some examples of the challenge response type are shown as the authentication method, but the present invention is not limited to these examples. For example, a challenge response type in which a random number is generated by an encryption IC on the authentication side, this is sent as challenge data, and response data returned from the certification side is compared with reference response data generated on the authentication side Another example may be used.
[0099]
In the first to fourth embodiments, a technique for securely performing authentication and encryption communication with a small circuit scale has been disclosed. However, there is a trade-off relationship between the strength of security and the circuit scale necessary for that purpose. Needless to say. Therefore, if there is a sufficient circuit scale that can be implemented in the MPU or encryption IC, a new conversion means for executing the data conversion F () is additionally introduced for the following purpose. Can enhance the safety.
(1) One of them is to prevent plaintext challenge data and plaintext response data from flowing through the transmission path.
[0100]
For example, in the processing sequence (steps (1), (3), (6), and (7)) in which the first device 51 shown in FIG. 1 authenticates the second device 52, the following changes are made.
In step (6), the second encryption IC 56 does not send the separated data RR1 to the MPU 53, but performs a predetermined conversion F () on the separated data RR1 and uses the resulting data F (RR1). Send to MPU53.
[0101]
In step (7), the MPU 53 does not compare the random number R1 and the separated data RR1, but performs the same transformation F () as that used in step (6) on the random number R1, and obtains the data obtained as a result. F (R1) is compared with data F (RR1) sent from the second encryption IC 56.
By doing so, it is avoided that the ciphertext C1 and a part of the plaintext RR1 flow through the transmission path, so that security against known plaintext attacks is enhanced.
(2) The other is to avoid using the challenge data as a data transfer key as it is.
[0102]
For example, in step (5) shown in FIG. 5, the first encryption IC 94 does not use the random number R1 as it is as a data transfer key, but performs a predetermined conversion F () on the random number R1 and obtains the result. The obtained data F (R1) is used as a data transfer key.
Similarly, in step (6), the second encryption IC 96 does not directly use the random number R1 as a data transfer key, but performs the same conversion F () as that used in step (5) on the random number R1. The data F (R1) obtained as a result is used as a data transfer key.
[0103]
By doing so, the data transfer key F (R1) can be concealed, and the security of encryption communication is enhanced.
(3) The other is to complicate the joining process.
For example, in step (9) shown in FIG. 1, the first encryption IC 54 does not simply combine the random number R3 and the separated data RR4 in the digit direction, but converts these R3 and RR4 into a predetermined conversion F ( The data F (R3, RR4) obtained as a result is set as the data transfer key K.
[0104]
Similarly, in step (10), the second encryption IC 56 does not simply combine the random number R4 and the separated data RR3 in the digit direction, but uses these R4 and RR3 in the above step (9). The same conversion F () is performed, and the data F (R3, RR4) obtained as a result is set as the data transfer key K.
By doing so, the procedure for generating the data transfer key K is complicated, and the security of encryption communication is enhanced.
(Examples of application to specific communication systems)
As described above, the encryption apparatus according to the present invention includes a small-scale encryption IC and has a minimum necessary function for ensuring the safety of communication between devices. Therefore, the encryption device is suitable for communication devices that require secret communication and are required to be small, such as mobile phones and multimedia related devices that handle digital works.
[0105]
FIG. 7 is a diagram showing an application example of the encryption apparatus according to the present invention to a specific communication system, and shows an overview of a reproduction system of a digital work such as a movie.
This system includes the optical disk drive device 110 corresponding to the first device in the above embodiment, the video reproduction device 111 corresponding to the second device, the SCSI cable 116 connecting them, and the like. In this system, the compressed video data read by the optical disk drive device 110 is encrypted and transferred to the video playback device 111, where the video is played back.
[0106]
FIG. 8 is a block diagram showing a configuration of the optical disk drive device 110.
The optical disk drive device 110 includes an MPU 124 that controls the entire device, a SCSI controller 121 that is a communication interface with the video reproduction device 111, and a read control unit 122 that controls the optical head 125 to read and control video data from the optical disc 115. And the encryption IC 123 corresponding to the encryption IC of the first device in the first to fourth embodiments described above, and recorded on the optical disc 115 after authenticating that the video reproduction device 111 is a valid device. The video data is read out, encrypted by the encryption IC 123, and transferred to the video playback device 111 via the SCSI cable 116.
[0107]
FIG. 9 is a diagram showing an overview of a circuit board mounted inside the optical disk drive device 110. The encryption IC 123 is an LSI formed on one silicon substrate, and has a flat package shape molded with plastic.
FIG. 10 is a block diagram showing the configuration of the video playback device 111.
The video reproduction device 111 includes an MPU 131 that controls the entire device, a SCSI controller 130 that is a communication interface with the optical disc drive device 110, and an encryption corresponding to the encryption IC of the second device of the first to fourth embodiments. IC 132, MPEG decoder 133 that decompresses the compressed video data decrypted by encryption IC 132, AV signal processor 134 that converts the decompressed video data into an analog video signal, and outputs the video to CRT 112 and speaker 114; Consists of
[0108]
By applying the encryption apparatus according to the present invention to such a video reproduction system, digital works recorded on the optical disc 115 are protected from unauthorized copying and the like, and healthy development in the distribution market of multimedia related products is expected. it can.
[0109]
【The invention's effect】
As is apparent from the above description, the encryption device according to the present invention is an encryption device provided in a device that performs sharing of a data transfer key and encryption communication using the data transfer key. First random number generating means for generating a first random number for key sharing, first random number holding means for holding the first random number generated by the first random number generating means, and the first random number generating means Data transfer for generating the time-varying data transfer key using first transmission means for transmitting the generated first random number to the counterpart device of the cryptographic communication and the first random number held in the first random number holding means Key generation means, and transfer data encryption means for encrypting transfer data to be encrypted by using the data transfer key, the first random number generation means, the first random number holding means, Data transfer key generation means Fine the transfer data encryption means is realized by circuits in one IC, the first random number holding means is characterized by holding the first random number in an area inaccessible from outside of the IC.
[0110]
As a result, the first random number directly related to the generation of the data transfer key is held inside the encryption IC that cannot be accessed from the outside, so that the time-varying data transfer key is securely shared with each device and encrypted communication is performed. Is called. In addition, the encryption IC has a minimum necessary function for ensuring the safety of communication between devices, and thus can be realized with a small circuit.
[0111]
Here, the encryption device further includes first encryption means for encrypting the first random number generated by the first random number generation means, and the first encryption means is realized by a circuit in the IC. The first transmission unit may transmit the first random number encrypted by the first encryption unit to the counterpart device.
As a result, the third party cannot know the first random number that is directly related to the generation of the data transfer key, so that the confidentiality of the data transfer key is maintained, even if the encryption algorithm and its inverse conversion algorithm are known. Even encrypted communication is maintained.
[0112]
Here, the devices mutually authenticate that the counterpart device is a valid device by communication based on a challenge-response type authentication protocol, and the encryption device further transmits to the counterpart device A second random number generating means for generating a second random number for challenge data, and determining whether or not the response data returned from the counterpart device with respect to the challenge data matches the second random number; In this case, the counterpart device may be provided with authentication means for authenticating that the device is a legitimate device, and the data transfer key generation means may generate the data transfer key when the authentication is performed.
[0113]
Thereby, when the mutual authentication between the devices is successful, a regular data transfer key is generated at the same time, and the security of the secret communication is improved.
Here, the second random number generation means and the authentication means may be realized by a circuit outside the IC.
As a result, the portion not related to the security of the communication system, that is, the processing unit not directly related to the generation of the data transfer key is provided outside the encryption IC, thereby suppressing the size of the encryption IC from becoming unnecessarily large. Is done.
[0114]
Here, the encryption device further includes decryption means for decrypting the encrypted combined data sent from the counterpart device, first separated data corresponding to the response data, and the decrypted combined data. Separating means for separating the remaining second separated data, and second transmitting means for returning the first separated data to the counterpart device, wherein the first encryption means includes the first random number and the second random number. And the resulting combined data is encrypted, and the data transfer key generation means generates the data transfer key by combining the first random number and the second separated data, and The decoding unit and the separation unit may be realized by a circuit in the IC.
[0115]
The encryption apparatus further includes a second transmission unit that transmits the second random number as challenge data to the counterpart device, and a decryption unit that decrypts the encrypted combined data transmitted from the counterpart device. And separating means for separating the decrypted combined data into first separated data corresponding to response data and remaining second separated data, and the authenticating means returns the first separated data from the counterpart device The first encryption unit combines the challenge data transmitted from the counterpart device and the first random number, and encrypts the combined data obtained as a result. The data transfer key generation means generates the data transfer key by combining the first random number and the second separated data, and generates the data transfer key, Separating means can also be assumed to be realized by the circuits in the IC.
[0116]
As a result, an encryption apparatus having a minimum necessary function for ensuring the safety of communication between devices and having a small-scale encryption IC is realized.
Here, the encryption algorithm by the transfer data encryption means may be the same as at least one of the first encryption means and the decryption means.
[0117]
This makes it possible to mount the transfer data encryption unit, the first encryption unit, and the decryption unit together with a single converter, thereby reducing the circuit scale of the encryption IC.
Here, the encryption algorithm by the transfer data encryption means is different from any of the first encryption means and the decryption means, and may be simpler than any of them.
[0118]
As a result, even if the encryption is repeated many times due to the size of the transfer data, the problem that the data transfer time is significantly increased due to the encryption is avoided.
Here, the transfer data encryption means may divide the transfer data into blocks having a predetermined length and encrypt each block using a corresponding portion of the data transfer key.
[0119]
As a result, this encryption apparatus can be applied to encrypted communication of transfer data having a large data size.
Here, the transfer data encryption means may perform the encryption by taking an exclusive OR of the block and a corresponding portion of the data transfer key.
[0120]
As a result, the transfer data encryption means can be realized with a simple logic circuit.
Here, the encryption by the first encryption unit and the decryption by the decryption unit may be the same conversion algorithm.
As a result, the first encryption means and the decryption means can be implemented by a single converter, and the circuit scale of the encryption IC can be reduced.
[0121]
Here, the first encryption means and the decryption means perform the encryption and decryption using the key data previously stored in the IC, and part of the key data is stored in the IC. It can also be assumed that the remaining part of the data stored in the mask ROM area is stored in the write-once ROM area in the IC.
As a result, it is possible to make up for the drawbacks when the authentication key is composed only of the mask ROM and the disadvantages when the authentication key is composed only of the write-once ROM.
[0122]
Here, the devices mutually authenticate that the counterpart device is a legitimate device by communication based on a challenge-response type authentication protocol,
The encryption apparatus further includes decryption means for decrypting encrypted combined data sent from the counterpart device with respect to the challenge data, and first decryption data corresponding to response data. Separating means for separating the separated data and the remaining second separated data, and whether or not the first random number and the first separated data match each other, and if the two match, the counterpart device is a legitimate device Authenticating means for authenticating, a second encryption means for encrypting the second separated data when the authentication is made, and a second reply for sending the encrypted second separated data as response data to the counterpart device 2 transmission means, wherein the data transfer key generation means generates the data transfer key by combining the first random number and the second separated data, and the decryption means, the separation Stage and the second encryption unit may also be assumed to be realized by the circuits in the IC.
[0123]
As a result, only one random number is generated and used for both the purpose of authentication and the generation of the data transfer key, so that the circuit scale for generating the random number in the encryption device is reduced.
Further, since random number generation and comparison processing for authentication are performed inside the encryption IC, the security of encryption communication is improved.
[0124]
The present invention also relates to a communication system including a transmitter and a receiver that share a data transfer key and perform cryptographic communication using the data transfer key. Can also be provided.
As a result, mutual authentication is performed between the transmitter and the receiver, a data transfer key is generated, a random number directly related to the generation of the data transfer key is not transmitted and received as it is, and a data transfer key is generated. Since the two directly related random numbers are provided from the transmitter and the receiver, respectively, it is suitable to be realized using a small-scale encryption IC, and a highly secure cryptographic communication system is provided. Realized.
[Brief description of the drawings]
FIG. 1 is a diagram showing a processing sequence of an encryption device according to a first embodiment of the present invention.
FIG. 2 is a block diagram showing a hardware configuration of the first encryption IC 54 shown in FIG.
FIG. 3 is a diagram showing a processing sequence of the encryption device according to the second embodiment of the present invention.
FIG. 4 is a diagram showing a processing sequence of an encryption apparatus according to a third embodiment of the present invention.
FIG. 5 is a diagram showing a processing sequence of an encryption apparatus according to a fourth embodiment of the present invention.
6 is a block diagram showing a hardware configuration of the first encryption IC 94 shown in FIG. 5. FIG.
FIG. 7 is a diagram showing an application example of the encryption apparatus according to the present invention to a specific communication system.
8 is a block diagram showing a configuration of the optical disc drive apparatus 110 shown in FIG.
FIG. 9 is a diagram showing an overview of a circuit board mounted inside the optical disc drive apparatus 110;
10 is a block diagram showing a configuration of the video reproduction device 111 shown in FIG.
FIG. 11 is a diagram showing a one-way authentication processing sequence according to the first prior art.
FIG. 12 is a diagram showing a processing sequence of two-way authentication according to the second prior art.
[Explanation of symbols]
51, 71, 81, 91 First device
52, 72, 82, 92 Second device
53, 73, 83, 93 MPU of the first device
54, 74, 84, 94 First encryption IC
55, 75, 85, 95 MPU of the second device
56, 76, 86, 96 Second encryption IC
59 Data transfer key K generator
60, 101 random number generator
61, 100 External I / F section
62, 102 random number storage
63 Joint
64, 103 Authentication key S storage
65, 66, 68, 104, 105, 107 switch
67, 106 E function
69 Separation part
70 Data transfer key K storage
108 comparator
110 Optical disk drive device
111 Video playback device
121 SCSI controller
122 Control unit
123 Encryption IC
124 MPU
125 optical head
130 SCSI controller
131 MPU
132 Encryption IC
133 MPEG decoder
134 AV signal processor

Claims (9)

Sharing of data transfer key and its data transfer key cryptographic communication line stomach using, provided to a device mutually authenticate that the counterpart device to each other is an authorized device by communication based on a challenge-response type authentication protocol An encryption device,
First random number generation means for generating a first random number for sharing the data transfer key;
First random number holding means for holding the first random number generated by the first random number generating means;
First encryption means for encrypting the first random number generated by the first random number generation means;
First transmission means for transmitting the first random number encrypted by the first encryption means to the counterpart device of the encrypted communication;
Second random number generation means for generating a second random number for challenge data to be transmitted to the counterpart device;
Authentication means for judging whether or not the response data returned from the counterpart device with respect to the challenge data matches the second random number, and authenticating that the counterpart device is a valid device if they match When,
A data transfer key generating unit that generates the time-varying data transfer key using the first random number held in the first random number holding unit when the authentication unit performs authentication ;
Transfer data encryption means for encrypting transfer data to be encrypted using the data transfer key,
The first random number generation means, the first random number holding means, the first encryption means, the data transfer key generation means, and the transfer data encryption means are realized by a circuit in one IC,
The second random number generation means and the authentication means are realized by a circuit outside the IC,
The encryption apparatus according to claim 1, wherein the first random number holding means holds the first random number in an area that cannot be accessed from outside the IC. The encryption device further includes:
Decryption means for decrypting the encrypted combined data sent from the counterpart device;
Separating means for separating the decrypted combined data into first separated data corresponding to response data and remaining second separated data;
Second transmission means for returning the first separated data to the counterpart device;
The first encryption means combines the first random number and the second random number, encrypts the combined data obtained as a result,
The data transfer key generation means generates the data transfer key by combining the first random number and the second separated data,
Said decoding means and said separation means, the encryption apparatus according to claim 1, characterized in that it is implemented in circuitry within the IC. The encryption device further includes:
Second transmission means for transmitting the second random number as challenge data to the counterpart device;
Decryption means for decrypting the encrypted combined data sent from the counterpart device;
Separating means for separating the decrypted combined data into first separated data corresponding to response data and remaining second separated data;
The authentication means performs the determination and authentication as response data returned from the counterpart device as the first separation data,
The first encryption means combines the challenge data transmitted from the counterpart device and the first random number, encrypts the combined data obtained as a result,
The data transfer key generation means generates the data transfer key by combining the first random number and the second separated data,
Said decoding means and said separation means, the encryption apparatus according to claim 1, characterized in that it is implemented in circuitry within the IC. The algorithm for encryption by the transfer data encryption means, at least one of those and encryption device according to claim 2 or 3, wherein the the same said first encryption means and the decryption means. The algorithm for encryption by the transfer data encryption means differs also from that of any of the first encryption means and the decryption means, and claim 2 or characterized in that it is a simple than that of any 3. The encryption device according to 3 . 6. The encryption according to claim 5, wherein the transfer data encryption means divides the transfer data into blocks having a predetermined length and encrypts each block using a corresponding portion of the data transfer key. apparatus. 7. The encryption apparatus according to claim 6, wherein the transfer data encryption means performs the encryption by taking an exclusive OR of the block and a corresponding portion of the data transfer key. 8. The encryption apparatus according to claim 7, wherein the encryption by the first encryption means and the decryption by the decryption means are the same conversion algorithm. The first encryption means and the decryption means perform the encryption and decryption using key data previously held in the IC,
9. The encryption apparatus according to claim 8 , wherein a part of the key data is stored in a mask ROM area in the IC and a remaining part is stored in a write-once ROM area in the IC.

Images