JP4556252B2 - IC card, in-vehicle device and roadside device used for encryption conversion device, decryption conversion device, encryption communication device and automatic fee collection system - Google Patents

Description

BACKGROUND OF THE INVENTION
The present invention relates to an encryption / decryption technique for digital data transmitted between a computer, an information home appliance, an automatic fee collection device, and the like.
[Prior art]
In general, in digital information home appliances, an encryption technique for preventing unauthorized copying of digital data is essential. For example, when digital video data received by a digital broadcast receiver is digitally recorded on a digital recording device, if the digital video data has a copyright, a function for protecting the digital video data is required for each device.
In order to realize such a copyright protection system, it is necessary to prevent data tampering and unauthorized copying by using encryption techniques such as digital data copy restrictions, device authentication, and real-time digital data encryption. I must.
As a conventional example of encryption technology, for example, a common key encryption method represented by DES encryption disclosed in Japanese Patent Laid-Open No. 51-108701 can be cited. Many of the common key cryptosystems are characterized in that complex encryption conversion is configured by repeatedly performing simple conversion. Various attempts have been made to make these ciphers more secure. For example, by increasing the number of simple conversion iterations, the statistical characteristics of the ciphertext can be further disturbed, making cryptanalysis difficult.
[Problems to be solved by the invention]
However, increasing the number of conversion iterations increases the processing time required for cryptographic conversion. Therefore, there is a problem that the security enhancement measure by increasing the number of times of simple conversion is not suitable for the real-time encryption process in the copyright protection system described above.
An object of the present invention is to provide a high-speed encryption conversion device, decryption conversion device, encryption communication device, and automatic fee collection device that is resistant to decryption by making the encryption conversion algorithm variable and hiding the algorithm to be used from a third party. It is to provide.
[Means for Solving the Problems]
As a cryptographic conversion device,
An encryption conversion device that inputs at least one encryption key, at least one algorithm parameter, and plaintext data, and outputs the ciphertext data,
A plurality of stages of cryptographic conversion means for performing at least one of exclusive-OR operation, cyclic shift operation, and addition operation,
The cryptographic conversion means includes first arithmetic means for performing an exclusive OR operation or addition operation on input data with a part of data generated from the encryption key data;
A second computing means for performing an exclusive OR operation or addition operation with a part of the data determined by the algorithm parameter, and the input data;
Each including at least one third arithmetic means for cyclically shifting the input data by the number of bits determined by the algorithm parameter,
The same encryption key and the same algorithm parameter are used, and the conversion using the plurality of successive stages of the encryption conversion means, arbitrarily selected from all the encryption conversion means, is all different. And
As a decoding conversion device,
A decryption / conversion device that inputs at least one encryption key, at least one algorithm parameter, and ciphertext data, and outputs plaintext data,
The cryptographic conversion means includes first arithmetic means for performing an exclusive OR operation or addition operation on input data with a part of data generated from the encryption key data;
A second computing means for performing an exclusive OR operation or addition operation with a part of the data determined by the algorithm parameter, and the input data;
Each including at least one third operation means for cyclically shifting the input data by the number of bits determined by the algorithm parameter,
The same encryption parameter and the same algorithm parameter are used, and the conversion using the plurality of successive stages of the decryption conversion means arbitrarily selected from all the decryption conversion means is different. And
As an encryption communication device,
Between the transmitting device and the receiving device that perform communication, the same encryption key is used, the transmitting device encrypts plaintext with the encryption key and transmits the encrypted text, and the receiving device transmits the received encrypted text to the An encryption communication device having a common key encryption for decrypting with an encryption key to obtain the plaintext,
The transmitting device includes a cryptographic conversion unit and a first algorithm key holding unit,
The receiving device has a decryption conversion unit and a second algorithm key holding unit,
The conversion algorithm of the encryption conversion unit included in the transmission device is determined by a first parameter held in the first algorithm key holding unit included in the transmission device,
The conversion algorithm of the decryption conversion means possessed by the receiving device is determined by a second parameter held in the second algorithm key retaining means possessed by the receiving device,
The transmitting device and the receiving device, in addition to the encryption key, only when the first parameter and the second parameter are equal, the ciphertext encrypted by the transmitting device using the encryption key, The receiving apparatus can correctly decrypt using the encryption key.
DETAILED DESCRIPTION OF THE INVENTION
Hereinafter, embodiments of the present invention will be described with reference to the drawings.
FIG. 1 is a configuration diagram of an encryption communication device in which a data transmission device including the encryption conversion device according to the present invention and a data reception device including the decryption conversion device according to the present invention perform encryption communication. In FIG. 1, the data transmission device 1 includes an encryption conversion unit 11, a key sharing unit 12, a data processing unit 13, a communication processing unit 14, and a key length data holding unit 15. The data receiving device 2 also includes a decryption conversion unit 31, a key sharing unit 32, a data processing unit 33, and a communication processing unit 34. As the data transmission device 1, for example, a digital broadcast receiver can be considered. The data receiving device 2 may be a digital recording device, for example. In this case, the data processing units 13 and 33 handle digital program data such as the MPEG2-TS (Transport Stream) format distributed by the digital broadcasting service, and the data processing unit 13 receives and multiplexes the digital program data. Separation processing, expansion processing, transmission processing, and the like are performed, and the data processing unit 33 performs digital program data reception processing, expansion processing, storage processing, and the like.
When the data transmitting device 1 and the data receiving device 2 perform encrypted communication, first, data called an encryption key necessary for encrypting and decrypting data is shared. The encryption key is shared by the key sharing unit 12 of the data transmitting device 1 and the key sharing unit 32 of the data receiving device 2 exchanging messages via the communication processing unit 14 and the communication processing unit 34. At this time, the key length of the encryption key is determined based on the key length data held in the key length information holding means 15 of the data transmitting device 1. The encryption key shared between the two parties is preferably different every time. This is because, if the encryption key is different, the generated ciphertext is different, which makes it difficult for a third party to decrypt the ciphertext. There are various methods for sharing the encryption key. For example, the key sharing method of Deffy Herman (for example, Tatsuaki Okamoto et al., “Modern Crypto”, published by Sangyo Tosho Co., Ltd. (Described in detail on page 202). If this is used, even if a third party intercepts a message exchanged for sharing the encryption key, it is very difficult to infer the encryption key from them and each time a different encryption key is securely shared It becomes possible.
After sharing the data key, the data transmitting device 1 outputs the data that the data processing unit 13 wants to transmit, and inputs this to the encryption conversion unit 11. Here, the data output from the data processing unit 13 is not encrypted, and such data is hereinafter referred to as “plaintext”. The encryption conversion unit 11 includes encryption conversion means 20, key conversion means 23, and algorithm key holding means 24. The key conversion means 23 generates a plurality of data called conversion keys based on the encryption key and key length data. Here, the key length data represents the key length of the encryption key determined at the time of the encryption key sharing described above. The algorithm key holding means 24 holds a plurality of data called algorithm keys. The encryption conversion algorithm performed by the encryption conversion means 20 is determined by the algorithm key. The cipher conversion unit 20 uses the conversion key generated by the key conversion unit 23 and the algorithm key in the algorithm key holding unit 24 to perform cipher conversion on the plain text and outputs a cipher text. The ciphertext generated by the cryptographic conversion device 11 is transmitted to the data receiving device 2 by the communication processing unit 14.
In the data receiving device 2, the communication processing unit 34 receives the ciphertext, and inputs the received ciphertext to the decryption conversion unit 31. The decryption conversion unit 31 includes decryption conversion means 40, key conversion means 43, and algorithm key holding means 44. The key conversion unit 43 has the same configuration as the key conversion unit 23 described above, and generates a conversion key based on the encryption key and key length data. The algorithm key holding unit 44 has the same configuration as the algorithm key holding unit 24 described above, and holds an algorithm key. The decryption conversion algorithm performed by the decryption conversion means 40 is determined by the algorithm key. The decryption / conversion unit 40 decrypts and converts the ciphertext using the conversion key generated by the key conversion unit 43 and the algorithm key in the algorithm key holding unit 44. Here, the decryption / conversion unit 40 decrypts and converts the ciphertext encrypted by the cipher conversion unit 20 into the original plaintext by the decryption / conversion unit 40 only when the same algorithm key as that of the cipher conversion unit 20 described above is used. It becomes possible. The plain text output from the decryption conversion unit 31 is input to the data processing unit 33, and data processing is performed.
As described above, the data transmission device 1 and the data reception device 2 can perform encrypted communication only when they hold the same algorithm key. By handling this algorithm key as secret information, encryption communication having an authentication function can be realized. In other words, if only a legitimate device holds the correct algorithm key, encrypted communication can be performed only when the communication partner is a legitimate device. In order to realize this, an example in which a key management organization 3 that generates and centrally manages algorithm keys is provided in FIG. As shown in FIG. 1, legitimate devices (in this case, the data transmitting device 1 and the data receiving device 2) securely acquire the algorithm key from the key management organization 3 so as not to leak outside. For example, it is conceivable that an algorithm key managed by the key management organization 3 is embedded in the algorithm key holding unit 24 and the algorithm key holding unit 44 when the data transmitting device 1 and the data receiving device 2 are manufactured.
At this time, the data receiving device 1 also acquires key length data at the same time. As a result, the ciphertext transmitted by the legitimate device holding the correct algorithm key can be decrypted only by the legitimate device holding the correct algorithm key. Moreover, since the algorithm key is also secret information in addition to the encryption key, it is possible to make it more difficult for a third party to decipher the ciphertext flowing on the communication path.
In addition, the data transmitter 1 acquires the key length data from the key management organization 3, and generates the encryption key based on the key length data, so that the key length of the encryption key can be updated. For example, if the updated key length data is embedded in a newly manufactured data transmitting device, the key length of the encryption key can be updated in encrypted communication with the newly manufactured data transmitting device. As a result, the key length of the encryption key can be increased in the future, and the security can be further improved. Also, the key length can be changed depending on the region where the product is shipped.
FIG. 2 shows an example of a detailed block diagram of the cryptographic conversion unit 11. Here, a 64-bit plaintext, a 40-bit or 64-bit encryption key, and 1-bit key length data are input to the cipher conversion unit 11, and a 64-bit ciphertext is output. The encryption key is converted by the key key conversion means 23 into 32-bit conversion keys K1 and K2 based on the key length data. The key length data is 0 if the encryption key is 40 bits and 1 if the encryption key is 64 bits. The conversion of the key conversion means 23 will be described later. The cryptographic conversion means 20 in the cryptographic conversion unit 11 is composed of N substitutional transposing conversion means 211 to 21N. The conversion algorithm of the substitution transposition conversion means 21n (where 1 ≦ n ≦ N) is determined by the algorithm key Gn held in the algorithm key holding means 24.
The plaintext is first separated into an upper 32-bit value R0 and a lower 32-bit value L0, and is input to the substitution transposition conversion means 211. The first cipher conversion is performed using K1 and K2, and the 32-bit value R1 And the 32-bit value L1 is output. Subsequently, R1 and L1 are input to the substitution transposition conversion means 212, and the second cryptographic conversion is performed using K1 and K2, and a 32-bit value R2 and a 32-bit value L2 are output. The cipher conversion as described above is repeated N times, and the final output value, the 32-bit value RN and the 32-bit value LN, are combined to obtain a 64-bit ciphertext. Here, the total number N of cryptographic conversion repetitions is called the round number.
Here, it is assumed that the encryption key is fixed, and two or more consecutive substitution transposing conversion means are arbitrarily selected from all the substitution transposing conversion means, and the same data is converted as an input value. In this case, the conversion result is determined by the algorithm key Gn. The cryptographic conversion apparatus according to the present invention uses only algorithm keys that can obtain different conversion results in all the combinations described above. That is, periodicity does not appear in the cipher conversion that repeatedly uses the substitution transposition conversion means. As a result, the encryption strength can be improved.
FIG. 3 shows an example of a block diagram of the key conversion means 23 of FIG. In FIG. 3, the key conversion means 23 includes a 64-bit register 26, a multiplexer 27, and an addition operation unit 28. The encryption key is first stored in the register 26. Here, if the encryption key is 40 bits, the value is stored in the lower 40 bits of the register 26, and if the encryption key is 64 bits, the value is stored in all of the registers 26. Next, the lower 32 bits of the register 26 are set as K1. Next, if the value of the key length data is 0, a 32-bit value from the lower 9th bit to the lower 40th bit of the register 26 is selected as the output value of the multiplexer 27. If the value of the key length data is 1, the value of the upper 32 bits of the register 26 is selected as the output value of the multiplexer 27. The output value of the multiplexer 27 is subjected to addition of K1 and 32 bits by the addition operation unit 28, and this result is set as K2. Here, the 32-bit addition is a remainder obtained by dividing a normal addition result by 2 to the 32nd power.
FIG. 4 shows a block diagram of the substitution transposing / converting means 21n that performs the n-th (here, 1 ≦ n ≦ N) cryptographic conversion in FIG. In FIG. 4, the substitution transposing means 21n is composed of a bit string conversion unit 61 and an addition operation unit 62, and converts Rn-1 and Ln-1 into Rn and Ln using K1 and K2. The substitution transposing means 21n first inputs the value of Ln−1 to the bit string conversion unit 61. In the bit string conversion unit 61, the conversion algorithm is determined by the algorithm key Gn. If the input value of the bit string conversion unit 61 is U and the output value is Z, it can be expressed by the following formula.
Z = FGn (K1, K2, U)
Here, the function FGn (X) represents the conversion of the bit string conversion unit 61. The algorithm key Gn is composed of the following data.
Gn = (An, Bn, Cn, Pn, Qn, Sn)
Here, An, Bn, and Cn are 32-bit data, and Pn, Qn, and Sn are 1 ≦ Pn ≦ 31, 1 ≦ Qn ≦ 31, and 1 ≦ Sn ≦ 31. The value of the algorithm key Gn may take a different value for each n (1 ≦ n ≦ N).
Next, Rn-1 is input to the addition operation unit 32, and a 62-bit addition operation with Zn is performed to obtain Ln. Finally, let the value of Ln-1 be Rn. The above conversion can be summarized as follows.
Ln = Rn + FGn (K1, K2, Ln-1)
Rn = Ln-1
FIG. 5 shows an example of a block diagram of the bit string converter 61 of FIG. The bit string converter 61 includes five bit string converters 81 to 85. The bit string converter 81 includes an exclusive OR unit 94. The bit string converter 82 includes an addition operation unit 95 and a cyclic shift unit 91. The bit string converter 83 includes an addition operation unit 96 and a cyclic shift unit 92. The bit string converter 84 includes an addition operation unit 97. The bit string converter 85 includes an addition operation unit 98 and a cyclic shift unit 93.
An exclusive OR unit 94 in the bit string converter 81 performs an exclusive OR operation on two input values. Of the two input values, one is K1 shown in FIG. 4, and the other is U shown in FIG. 4, that is, the input values of the bit string converter 61 and the bit string converter 81. Here, if the output value is V, the conversion of the bit string converter 81 can be expressed as follows.
V = K1 (+) U
Here, the notation X (+) Y indicates an exclusive OR operation of X and Y.
The cyclic shift unit 91 in the bit string converter 82 cyclically shifts the data Pn (1 ≦ Pn ≦ 31), which is a part of the algorithm key Gn, to the left. The addition operation unit 95 performs a 32-bit addition operation on the three input values. One of the three input values is data An that is a part of the algorithm key Gn shown in FIG. 4, the other is the input value V of the bit string converter 82, and the other is circulated to the left. This is the shift data Pn. Here, if the output value is W, the conversion of the bit string converter 82 can be expressed as follows.
W = V + (V <<<Pn) + An
Where the notation X <<<Y represents that Y is cyclically shifted to the left by Y bits.
The cyclic shift unit 92 in the bit string converter 83 cyclically shifts the data Qn (1 ≦ Qn ≦ 31), which is a part of the algorithm key Gn, to the left. The addition operation unit 96 performs a 32-bit addition operation on the three input values. Among the three input values, one is the data Bn which is a part of the algorithm key Gn shown in FIG. 4, the other is the input value W of the bit string conversion function 83, and the other is the above left. The cyclic shift data Pn. Here, if the output value is X, the conversion of the bit string converter 83 can be expressed as follows.
X = W + (W <<<Qn) + Bn
An addition operation unit 97 in the bit string converter 84 performs a 32-bit addition operation on two input values. Of the two input values, one is K2 shown in FIG. 4 and the other is the input value X of the bit string converter 84. Here, if the output value is Y, the conversion of the bit string converter 84 can be expressed as follows.
Y = K2 + X
The cyclic shift unit 93 in the bit string converter 85 cyclically shifts to the left by the data Sn (1 ≦ Sn ≦ 31) that is a part of the algorithm key Gn. The addition operation unit 98 performs a 32-bit addition operation on the three input values. Of the three input values, one is the data Cn which is a part of the algorithm key Gn shown in FIG. 4, the other is the input value Y of the bit string converter 85, and the other is circulated to the left. This is the shift data Sn. Here, if the output value is Z, the conversion of the bit string converter 85 can be expressed as follows.
Z = Y + (Y <<<Sn) + Cn
As described above, the bit string converter 61 performs bit string conversion by causing the five bit string converters 81 to 85 to act on the converted data. Here, the configuration in which the bit sequence conversion unit 61 changes the operation order of the five bit sequence converters 81 to 85 on the conversion data is also included in the scope of the present invention. In FIG.
F1 81 → F2 82 → F3 83 → F4 84 → F5 85
For example, this is
F4 84 → F3 83 → F1 81 → F5 85 → F2 82
It is good. In addition, the five bit string converters 81 to 85 are not limited to one exclusive OR unit, three cyclic shift units, and four addition operation units, but the substitution transposition mixed conversion is performed. Even if the configuration includes at least one addition operation unit that can be realized and at least one cyclic shift operation unit, the effect of the invention does not change.
FIG. 6 shows a detailed block diagram of the decoding conversion unit 31 of FIG. The decryption / conversion unit 31 decrypts the ciphertext that has been cipher-converted by using the cipher conversion unit 11 shown in FIG. 2 to the original data. The decryption conversion unit 31 receives a 64-bit ciphertext, a 40-bit or 64-bit data key, and 1-bit key length data, and outputs a 64-bit plaintext. The encryption conversion means 40 in the decryption conversion unit 31 is composed of N substitutional transposition conversion means 411 to 41N. The conversion algorithm of the substitution transposition conversion means 41n (where 1 ≦ n ≦ N) is determined by the algorithm key Gn held in the algorithm key holding means 44.
The ciphertext is first separated into an upper 32-bit value RN and a lower 32-bit value LN, and is input to the substitution transposition conversion means 41N. The first decryption conversion is performed using K1 and K2, and the 32-bit value RN-1 and 32-bit value LN-1 are output. Subsequently, RN-1 and LN-1 are input to the substitution transposition conversion means 21N-1, and the second cryptographic conversion is performed using K1 and K2, and the 32-bit value RN-2 and the 32-bit value LN- 2 is output. The decoding conversion as described above is repeated N times, and the final output value, the 32-bit value R0 and the 32-bit value L0, are combined to obtain a 64-bit plaintext. Here, the total number of repetitions N of decryption conversion shall be called the number of rounds as in the case of encryption conversion.
Here, it is assumed that the encryption key is fixed, and two or more consecutive substitution transposing conversion means are arbitrarily selected from all the substitution transposing conversion means, and the same data is converted as an input value. In this case, the conversion result is determined by the algorithm key Gn. The decryption / conversion device according to the present invention uses only algorithm keys that can obtain different conversion results in all the combinations described above. That is, periodicity does not appear in the decoding conversion that repeatedly uses the substitution transposition conversion means.
FIG. 7 shows a block diagram of the substitution transposing means 41n for executing the (N + 1−n) -th (1 ≦ n ≦ N) decoding conversion in FIG. In FIG. 7, the substitution transposing means 41n is composed of the bit string conversion unit 61 and the subtraction operation unit 72 described with reference to FIG. 5, and Rn and Ln are converted into Rn-1 and Ln− using K1 and K2, respectively. Convert to 1. The substitution transposing / converting means 41n first inputs the value of Rn to the bit string converting unit 61. In the bit string conversion unit 61, the conversion algorithm is determined by the algorithm key Gn. Here, the input value of the bit string conversion unit 31n is represented as U, and the output value is represented as Z. Next, Ln is input to the subtraction operation unit 72, and a 32-bit subtraction operation with Z is performed to obtain Rn-1. Here, the 32-bit subtraction is a normal subtraction, and if the result is negative, the value is added to 2 to the 32nd power. Finally, let Rn be Ln-1. The above conversion can be summarized as follows.
Rn-1 = Ln-FGn (K1, K2, Rn)
Ln-1 = Rn
In this conversion, the reverse conversion of the substitution / transplacement conversion means 21n described with reference to FIG. 2 is performed. Thus, if the decryption conversion unit 31 shares the same encryption key and algorithm key with the encryption conversion unit 11, the data encrypted by the encryption conversion unit 11 can be decrypted.
The embodiments of the data transmission device 1 including the encryption conversion unit according to the present invention and the data reception device 2 including the decryption conversion unit according to the present invention have been described in detail above with reference to FIGS. However, it is obvious that the present invention includes a configuration obtained by changing a part of the above configuration. For example, the encryption key is described as two examples of 40 bits and 64 bits, and the key length data is described as 1 bit. However, the present invention is not limited to this. For example, the encryption key can be changed from 40 bits to 128 bits, and the key length data may be 7 bits so that these can be selected. In this case, the key conversion means increases the selector so that the position for selecting the encryption key can be changed according to the value of the input key length data so that two conversion keys having a 32-bit length can be generated. Just do it. Alternatively, the encryption key may be 64 bits or more, four conversion keys having a 32-bit length may be generated, and the N substitution transposition conversion means may be divided into two sets and supplied two by two. .
In order to generate a plurality of conversion keys, the substitution transposition conversion means used in the cryptographic conversion may be used. For example, a key conversion means for generating eight 32-bit conversion keys is shown.
In FIG. 8, the key conversion means 23 is composed of eight substitution transposition conversion means 211 to 218 and an extended key holding means 100. The extended key holding means 100 holds eight 32-bit extended keys KE1 to KE8 that are used to generate a conversion key. The 64-bit encryption key is sequentially converted using the eight substitution / translation means 211 to 218. Here, the conversion algorithm of each substitution / transposition conversion means is determined by the algorithm key held in the algorithm holding means 24. Further, the extended key held in the extended key holding means 100 is input to each substitution / transposition conversion means. For example, the expansion keys KE3 and KE4 are input to the substitution transposition conversion means 212.
The above conversion is performed, and L1 to L8, which are output values of the eight substitution transposition conversion means 211 to 218, are set as eight conversion keys.
Here, the conversion key stored in the extended key holding means may use the same value every time, or may perform the update process in the same manner as the algorithm key. Further, the key sharing process may be performed by the same method as the encryption key.
The key conversion means 23 described with reference to FIG. 8 can share the substitution transposition conversion means used in the cryptographic conversion. Therefore, for example, when the cryptographic conversion apparatus based on the present invention is implemented by hardware, the security can be reduced with a small circuit scale. It is possible to realize high cryptographic conversion.
Next, another embodiment of the encryption conversion device and the decryption conversion device according to the present invention will be described.
The entire block diagram of the cryptographic conversion apparatus in this embodiment is the same as that described in FIG. 2 used in the description of the above embodiment.
FIG. 9 shows a block diagram of the substitution transposition conversion means 21n for executing the n-th cryptographic conversion in the cryptographic conversion unit 11 of FIG. In FIG. 9, the substitution transposition conversion means 21 n includes a bit string conversion unit 361 and a calculation unit 362. Here, the arithmetic unit 362 performs either an exclusive OR operation or an addition operation on the two input data. Which calculation is performed by the calculation unit 362 is determined from the algorithm key. The conversion procedure of the substitution transposition conversion means 21n in FIG. 9 is the same as that described in the above embodiment.
FIG. 10 shows an example of a block diagram of the bit string conversion unit 361 of FIG. The bit string converter 361 includes five bit string converters 81 to 85. The bit string converter 81 includes a calculation unit 394. The bit string converter 82 includes a calculation unit 395, a calculation unit 396, and a cyclic shift unit 91. The bit string converter 83 includes a calculation unit 397, a calculation unit 398, and a cyclic shift unit 92. The bit string converter 84 includes a calculation unit 399. The bit string converter 85 includes a calculation unit 400, a calculation unit 401, and a cyclic shift unit 93. Here, the arithmetic units 394 to 401 perform either the exclusive OR operation or the addition operation of the two input data, similarly to the arithmetic unit 362 in FIG. Which operation is performed is determined from the algorithm key. The bit string conversion unit 361 performs bit string conversion by applying these bit string conversion functions F1 81 to F5 85 to the conversion data.
As described above, the cryptographic conversion apparatus according to the present embodiment can determine the number of addition operation and exclusive OR operation used in the cryptographic conversion apparatus from the algorithm key.
Next, an embodiment of another encryption communication apparatus using the encryption conversion apparatus and the decryption conversion apparatus according to the present invention will be described.
FIG. 11 shows a block diagram of the automatic fee collection apparatus. Here, the automatic toll collection device is a roadside machine installed on the toll road when the car passes the toll road, and collects the toll from the driver's IC card by electronic payment without stopping the car. It is a system that can. There are various expectations for automatic toll collection equipment, such as the elimination of traffic congestion on the road and the improvement of convenience by electronic payment using IC cards.
The automatic fee collection apparatus shown in FIG. 11 includes an automobile 200, a roadside device 201, an in-vehicle device 202, an IC card 203, and a key management organization 204.
The automobile 200 is equipped with an in-vehicle device 202, and an IC card 203 is inserted into the in-vehicle device 202 when the automobile 200 is driven.
The roadside machine 201 is installed on a toll road and has a function of collecting a toll when the automobile 200 passes.
The contract information of the automatic fee collection system is stored in advance in the IC card 203, and when the automobile 200 passes through the roadside device 201, the roadside is obtained by wireless communication via the in-vehicle device 202 in which the IC card 203 is inserted. The contract information is transferred to the machine 201, and then the route information and settlement information are received from the roadside machine 201.
In order to perform these processes safely and accurately, it is necessary to verify the validity of contract information, route information, and settlement information, and to prevent unauthorized tampering and eavesdropping. Therefore, between the IC card 203 and the vehicle-mounted device 202, and between the vehicle-mounted device 202 and the roadside device 201, for the other party authentication process for recognizing the communication partner as valid, the encryption and decryption of the exchange data It is necessary to share the encryption key to be used and perform encryption communication using the shared encryption key. The encryption conversion device and the decryption conversion device based on the present invention can be applied to this partner authentication processing, key sharing processing, and encryption communication.
In order to realize the above processing, a common algorithm key and a license key issued by the key management organization 204 are held in advance in the in-vehicle device 202, the IC card 203, and the roadside device 201. For example, it is conceivable to embed each inside during manufacture.
Here, details of the algorithm key and details of encryption conversion and decryption conversion determined by the algorithm key are as described above.
In addition, the license key is embedded in a legitimate device as secret information, and is used for correctly performing authentication processing and key sharing processing. For example, consider a case where device B confirms that device A is a legitimate device in order for devices A and B to communicate. For this purpose, the device A may prove to the device B that the license key held by the device A is correct. Here, since the license key is secret information, the device A must prove to the device B that it is correct without revealing its license key. This proof can be realized by using a cryptographic technique. For example, a method using a symmetric key cryptosystem is described in ISO 9798-2, which is an international standard for security mechanisms. As a specific example of this symmetric key cryptosystem, an encryption conversion device or a decryption conversion device based on the present invention can be applied.
Next, each element constituting FIG. 11 will be described.
The roadside device 201 includes a wireless communication unit 232, an encryption / decryption processing unit 230, a partner authentication / key sharing processing unit 233, a main control unit 235, and a data holding unit 234.
The in-vehicle device 202 includes a wireless communication unit 212, an encryption / decryption processing unit 210, an IC card communication unit 211, a partner authentication / key sharing processing unit 213, a data holding unit 214, and a main control unit 215.
The IC card 203 includes an IC card communication unit 221, an encryption / decryption processing unit 220, a counterpart authentication / key sharing processing unit 223, a data holding unit 224, and a main control unit 225.
Here, the encryption / decryption conversion processing units 210, 220, and 230 incorporate the above-described encryption conversion device and decryption conversion device based on the present invention, and can encrypt and decrypt data. is there.
The IC card communication units 211 and 221 are used to perform communication processing between the in-vehicle device 202 and the IC card 203.
Further, the wireless communication units 212 and 232 are used for performing wireless communication processing between the in-vehicle device 202 and the roadside device 201.
Further, the authentication / key sharing processing units 213, 223, and 233 perform authentication processing for recognizing the communication partner as legitimate, and sharing of an encryption key used for data encryption and decryption. . The authentication / key sharing processing unit 213 uses the encryption conversion function and the decryption conversion function provided by the encryption / decryption processing unit 210 in order to perform authentication processing and key sharing processing. In order to realize the same function, the authentication / key sharing processing unit 223 uses the encryption / decryption conversion processing unit 220. Similarly, the authentication / key sharing processing unit 233 uses the encryption / decryption conversion processing unit 230.
The data holding units 214, 224, and 234 are used to hold algorithm keys and license keys acquired from the key management organization 204. It is also assumed that contract information, route information and settlement information can be held.
FIG. 12 shows a communication flow diagram of the automatic fee collection apparatus of FIG.
In the flowchart of FIG. 12, first, when the IC card 203 of FIG. 11 is set in the in-vehicle device 202, a partner authentication / key sharing process 240 is performed between the IC card 203 and the in-vehicle device 202. Then, after the partner authentication / key sharing process 240 is successful, the IC card 203 performs encrypted communication 241 to transfer the contract information to the in-vehicle device 202. When the in-vehicle device 202 acquires the contract information of the IC card 203, the in-vehicle device 202 holds it secretly in the data holding unit 214 (FIG. 11) in the in-vehicle device 202.
Next, when the automobile 200 in FIG. 11 passes through the roadside device 201, a partner authentication / key sharing process 250 is performed between the in-vehicle device 202 and the roadside device 201. Then, after the partner authentication / key sharing process 250 is successful, the in-vehicle device 202 performs encrypted communication 251 in order to transfer the contract information previously acquired from the IC card to the roadside device 201. The encrypted communication 251 is also used to transfer route information and settlement information from the roadside device 201 to the in-vehicle device 202.
Next, the in-vehicle device 202 performs encryption communication 261 in order to transfer the route information and settlement information obtained from the roadside device 201 to the IC card 203.
Here, the settlement of the road toll is performed between the IC card 203 and the roadside device 201. However, the IC card 203 and the roadside device 201 cannot communicate with each other unless the vehicle-mounted device 202 is interposed. In this case, there is a possibility that the in-vehicle device 202 performs an illegal process and thus an illegal settlement is performed. In preparation for such a situation, the roadside device 201 needs to be able to identify the in-vehicle device 202 used for settlement with the IC card 203. For example, an identification number is assigned to the in-vehicle device 202, and the in-vehicle device 202 transfers the identification number of the in-vehicle device 202 to the IC card 203 in the partner authentication / key sharing process 240 with the IC card 203. The IC card 203 generates and returns a digital signature for both the identification number of the in-vehicle device 202 and the settlement history of the IC card 203. Then, the in-vehicle device 202 transfers its own identification number and the digital signature acquired from the IC card 203 to the roadside device 201 in the partner authentication / key sharing process 250. Thereafter, the roadside device 201 can verify when the in-vehicle device 202 is used by verifying the digital signature generated by the IC card 203.
Further, in the encrypted communications 241, 251, and 261, it is necessary to prevent the encrypted data flowing on the communication path from being tampered with by a third party. In order to realize this, it is necessary to perform message authentication that can determine that the received message is valid. In order to perform message authentication, the sender and the receiver share a message authentication key in secret in advance. The message authentication key is shared, for example, in the other party authentication / key sharing process 250 shown in FIG. Then, the sender generates data called a message authentication code (MAC) from the message to be transferred and the message authentication key. The sender forwards the message authenticator along with the message to the recipient. The receiver verifies the received message authenticator using the message authentication key. This verification can determine whether the received message has been tampered with. Regarding message authentication, for example, a technique using a symmetric key cryptosystem is described in ISO9797, which is an international standard for security mechanisms. As a specific example of this symmetric key cryptosystem, an encryption conversion device or a decryption conversion device based on the present invention can be applied.
FIG. 13 shows a detailed flow diagram of encrypted communication 241 as an example of encrypted communication including message authentication. In the flowchart of FIG. 13, the IC card 203 first generates a message authenticator in the MAC generation process 261. Next, a combining process 262 is performed to combine the transfer message and the message authenticator. Thereafter, encryption processing 263 for encrypting data obtained by combining the transfer message and the message authenticator is performed, and encrypted data is generated.
Next, the in-vehicle device 202 receives the encrypted data and first performs a decryption process 264. Thereafter, the message and the message authenticator transferred by the IC card are restored by performing the separation process 265. Next, a MAC verification process 266 for verifying the restored message authenticator is performed to verify the validity of the received message.
This makes it possible to safely exchange data that should not be wiretapped or tampered with such as billing information and route information.
By performing the above processing, the toll is charged in the IC card 203, and the charging information can be managed by the roadside device 201.
【The invention's effect】
According to the present invention, a high-speed encryption conversion device, a decryption conversion device, an encryption communication device, and an automatic fee collection device that are strong against cryptanalysis can be obtained by changing the encryption conversion algorithm and hiding the algorithm to be used from a third party. Can be realized.
[Brief description of the drawings]
FIG. 1 is an example of an encryption communication apparatus performed by a transmitting device and a receiving device in the present invention.
FIG. 2 is a block diagram showing a cipher conversion unit in FIG.
FIG. 3 is a block diagram of a key conversion unit in FIG.
4 is a block diagram of a substitution transposition conversion unit in FIG. 2. FIG.
FIG. 5 is a block diagram of a bit string conversion unit in FIG. 4;
6 is a block diagram showing a decoding conversion unit in FIG. 1. FIG.
7 is a block diagram of an embodiment of the substitution transposition conversion means in FIG. 6. FIG.
FIG. 8 is an example of a block diagram of key conversion means in the present invention.
FIG. 9 is a block diagram of another embodiment of the substitution transposition conversion means in the present invention.
FIG. 10 is a block diagram of another embodiment of the bit string converter in the present invention.
FIG. 11 is a block diagram of an automatic fee collection device according to another embodiment of the present invention for encryption communication.
FIG. 12 is a diagram showing a communication flow of the automatic fee collection device in the present invention.
FIG. 13 is a diagram showing encryption communication used in the automatic fee collection apparatus according to the present invention.
[Explanation of symbols]
1 Data transmission equipment
2 Data receiver
3 Key management organization
11 Cryptographic converter
12 Key sharing part
13 Data processing section
14 Communication processor
15 Key data holding means
20 Cryptographic conversion means
211 to 21N Substitution transpose conversion means
23 Key conversion means
24 Algorithm key holding means
31 Decryption converter
32 Key sharing part
33 Data processing section
34 Communication processor
411-41N Substitution and transposition conversion means
43 Key conversion means
44 Algorithm key holding means
81 Key transmitter
82 Key receiver

Claims (2)

A cryptographic conversion device comprising cryptographic conversion means for inputting one piece of cryptographic key data, one piece of algorithm key data, and plaintext data, and outputting the encrypted text data,
The cryptographic conversion means includes
First arithmetic means for performing an exclusive OR operation or addition operation on input data and data generated from the encryption key data;
Output data of the first computing means as input data, second computing means for performing an exclusive OR operation or addition operation with the data that is part of the algorithm key data;
Output data of the second calculation means is input data, and third calculation means for cyclically shifting the input data by the number of bits determined by the data that is part of the algorithm key data. N stages of conversion means (N is a natural number) for converting a bit string by operation ,
The input data to the first stage of the conversion means and the plaintext data, the encryption converter, wherein the output data and to Rukoto of N-1-stage converter input data to the N-th stage of the converter. A decryption / conversion device including decryption / conversion means for inputting one encryption key data, one algorithm key data, and ciphertext data, and outputting plaintext data,
The decoding conversion means includes
First arithmetic means for performing an exclusive OR operation or addition operation on input data and data generated from the encryption key data;
Output data of the first computing means as input data, second computing means for performing an exclusive OR operation or addition operation with the data that is part of the algorithm key data;
Third output means that cyclically shifts the input data by the number of bits determined by the data that is part of the algorithm key data, using the output data of the second operation means as input data ,
And N stages of conversion means (N is a natural number) for converting a bit string by calculation by each calculation means ,
The input data to the first stage of the conversion means and the encrypted data, decryption converter, wherein the output data and to Rukoto of N-1-stage converter input data to the N-th stage of the converter.

Images