JP4606040B2 - Qualification authentication system, qualification authentication method, and information processing apparatus - Google Patents

Description

  The present invention relates to a method for authenticating the use qualifications of a communication partner or a user in an information communication system or the like.

  Conventionally, the present inventors have made a procedure for authenticating a person to be authenticated (user) to a certifier (center) and having a function of authenticating the validity of a password input by the user on the center side. "SAS-2 authentication method" (Takasuke Tsuji, Takashi Ueoka, Akihiro Shimizu, "Simple And Secure password authentication protocol, Ver. 2 (SAS-2)", IEICE technical report, OIS2002-30, Vol. 102, No. 314, pp. 7-11, 2002).

  The “SAS-2 authentication method” will be described below with reference to the drawings. In addition, the notation used for description of a prior art is shown below. “←” indicates assignment of the right side to the left side. “S” indicates a password secretly held by the person to be authenticated. “ID” indicates an authenticated person identifier that is information for identifying an apparatus on the authenticated person side (hereinafter, referred to as “authenticated person” as appropriate). “XOR” indicates an exclusive OR operation. “N” indicates the number of authentications. N of N [n] indicates a random number. n is an integer of 1 or more and is used to identify a random number. “F” and “H” indicate one-way conversion functions that do not use the password “S”. “X” indicates a one-way conversion function using a password “S” and a random number N [n]. It is difficult to calculate y from z and x when the unidirectional conversion function is “z = F (x, y)” or “z = H (x, y)”. Say function. “X” is a one-way conversion function using the password S and the random number N [n], and “X [n] = X (ID, S XOR N [n])”. Is used to calculate.

  With reference to FIG. 1, the procedure at the time of initial registration in the procedure of authentication by the “SAS-2 authentication method” will be described.

  First, in the device on the user (authenticated person) side, the password “S”, the random number N [1], and the user identifier “ID” that are kept secret by the user are used, and “A ← X (ID, S XOR N [1]) ”is calculated to calculate“ A ”. “A” is authentication information used for the first authentication.

  Next, the user (authenticated person) side apparatus sends the authentication information “A” used for the initial authentication together with the user identifier “ID” to the center (authenticator) side apparatus by a secure means. Then, the random number N [1] is stored in the device on the user (authenticated person) side.

  Next, in the center (authenticator) side device (hereinafter referred to as “authenticator” as appropriate), the received authentication information “A” used for the initial authentication is registered together with the user identifier “ID”.

  Next, with reference to FIG. 2, an authentication procedure of the “SAS-2 authentication method” will be described. The procedure at the time of authentication described here is the procedure at the time of the n-th authentication after the first time (n = 1).

  First, the user side apparatus calculates “A ← X (ID, S XOR N [n])” from the stored random number N [n] to calculate the current authentication information “A”, A new random number N [n + 1] is generated or authentication information “A” is set to N [n + 1] this time, and “C ← X (ID, S XOR N [n + 1])” and “D ← F (ID, C)” The next authentication information “C” and the second next authentication information “D” are calculated.

  Next, using the calculated current authentication information “A”, next authentication information “C”, and second next authentication information “D”, “α ← C XOR (D + A)” and “β ← D XOR A” An arithmetic operation is performed to calculate a first authenticator “α” and a second authenticator “β”.

  Then, the user-side device sends the first authenticator “α” and the second authenticator “β” together with “ID” to the center-side device. The random number N [n + 1] is stored in the user (authenticated person) side device.

  At this time, “A” is the current authentication information, “C” is the next authentication information, and “D” is the second next authentication information that is another next authentication information obtained by unidirectionally converting the next authentication information “C”. .

  Next, the center side apparatus receives the first authenticator “α” and the second authenticator “β” and “ID”.

  The center-side apparatus then registers the current authentication information “A” corresponding to the user identifier “ID” for the received first authenticator “α” and second authenticator “β”. Is used to calculate “D ← β XOR A” to calculate the second authentication information “D”. Using the sum of the calculated second authentication information “D” and the current authentication information “A”, the calculation of “C ← α XOR (D + A)” is performed to calculate the next authentication information “C”.

  Further, the center-side apparatus verifies whether or not the result “F (ID, C)” obtained by unidirectional conversion of the calculated next authentication information “C” is equal to the second next authentication information “D”. If the verification results match, the qualification of the person to be authenticated is authenticated, and the next authentication information “C” is newly registered as authentication information “A” as authentication information used for the next authentication.

  Next, a procedure at the time of mutual authentication performed following the procedure shown in FIG. 2 in the procedure of authentication by the “SAS-2 authentication method” will be described with reference to FIG. The procedure at the time of authentication described here is also the procedure at the time of the n-th authentication after the first time (n = 1).

  Using the first authenticator “α” and the second authenticator “β” sent from the device on the person to be authenticated (user) side, the device on the authenticator (center) side authenticates the user to be authenticated. After the establishment, the center side device is obtained by further applying a unidirectional conversion function “H” to the data “D” obtained by applying the unidirectional conversion function “F” to the next authentication information “C”. The mutual authenticator “γ” is calculated. That is, “γ ← H (ID, D)” is calculated, and “γ” is sent from the authenticator side to the person to be authenticated.

  In the device on the authenticated person (user) side, the data “D” obtained by applying the unidirectional conversion function “H” to the data “D” obtained by applying the unidirectional conversion function “F” to the next authentication information “C”. H (ID, D) ”is calculated and this data is compared with the received mutual authenticator“ γ ”. If they match, the authentication by the authenticator is confirmed to be successful or the authenticated person authenticates. Authenticate each other.

  In the “SAS-2 authentication method”, which is the conventional technology described above, the qualification of the person to be authenticated is authenticated by verifying the information related to the next authentication information masked by the current authentication information registered on the center side. is doing.

  That is, in the “SAS-2 authentication method”, the current authentication information “A” is sent in advance, and the data “D”, which is the one-way conversion of the next authentication information “C”, is used as the current authentication information “A”. The sum of the first authenticator “α” that is the masked information, the next authentication information “C”, the data “D” that is the one-way conversion of the next authentication information “C”, and the current authentication information “A” “ (D + A) ”is sent to the third authentication information“ A ”used for authentication and the next authentication information“ C ”to the third party After preventing leakage, the second authentication information “D”, which is a one-way conversion of the next authentication information “C” masked by the current authentication information “A” and sent, and the next authentication information “C” It is masked with the sum of the second next authentication information “D” and the current authentication information “A”, which is unidirectional conversion, “(D + A)”. The qualification of the person to be authenticated is authenticated by verifying whether the data obtained by applying the one-way conversion to the next authentication information “C” is equal.

"Study on security of one-time password authentication method SAS" (IEICE Technical Report, OFS2001-48, No. 435, pp. 53-58, 2001) “SAS-2 authentication method” (Keisuke Tsuji, Takashi Kamioka, Akihiro Shimizu, “Simple And Secure password authentication protocol, Ver. 2 (SAS-2)”, IEICE technical report, OIS2002-30, Vol. 102, No. 314, pp. 7-11, 2002)

  In the “SAS-2 authentication method”, next authentication information and information obtained by applying the one-way conversion function once to the current authentication information or the next authentication information are extracted from the two authenticators received at the center side. The qualification of the person to be authenticated is authenticated by comparing the result of applying the direction conversion function once with the information extracted from the authenticator.

  Here, in the “SAS-2 authentication method”, since addition is used when generating authentication information, it is necessary to restore the carry information in the process of extracting the original information.

  In the “SAS-2 authentication method”, when generating the authentication information “A” and “D”, “A ← X (ID, S XOR N [n])”, “C ← X (ID, S XOR N [n + 1]) ”. However, since this random number is stored in the terminal of the person to be authenticated, there is a risk that when a terminal is shared by a plurality of people, the random number is stolen by another person and a password is guessed.

  Further, in the “SAS-2 authentication method”, “γ ← H (ID, D)” is used as data for authenticating the authenticator at the time of mutual authentication. If the mutual authenticator “γ” used in the authentication is reused, the attacker can impersonate the person to be authenticated by reusing the (n + 1) th authentication information. Further, although it is difficult to obtain “D” from the mutual authenticator “γ”, the attacker intercepts all past communication information, and the mutual authenticators “γ” to “D”, “D” Assuming that “C” can be obtained from “”, all authentication information currently stored on the authenticator side from the time of the first authentication can be obtained.

  Therefore, the problem of the present invention is to make the SAS-2 authentication method, which is the prior art, more secure and reduce the communication cost, thereby expanding the application range to PDAs, mobile phones, IC cards, communication protocols, etc. It is to provide a credential authentication method that can be further expanded.

  Another object of the present invention is to provide a qualification authentication method in which the processing steps are simpler than before.

  According to the present invention, the authentication target device is requested to access by transmitting the ID information unique to each authentication target device and the first and second authenticators based on the authentication information based on the ID information to the authentication side device. In the qualification authentication system according to the invention of claim 1, in the qualification authentication system according to the invention, the authentication side device determines whether or not to permit access of the device to be authenticated as authenticating the qualification of the side device. Authentication information used by the authenticated device for the current authentication (hereinafter referred to as “authenticated current authentication information”) is recorded in advance for each ID information, and the authenticated device uses for the next authentication. A random number for generating information (hereinafter referred to as “authenticated-side next authentication information”) is acquired, the next-authentication side authentication information is generated based on the ID information and the random number, and the generated authenticated-side Next authentication information When the same calculation is performed again on the value after the calculation, the first authenticator is generated by performing a calculation using a mask function that obtains a value before the calculation. The second authenticator is generated based on the authenticated side current authentication information and the authenticated side next authentication information, and the first and second authenticators are transmitted to the authenticating apparatus together with the ID information, The generated authentication target next authentication information is recorded as the authentication target current authentication information corresponding to the ID information and used for the next authentication, and the authentication side device authenticates the authentication side device for the current authentication. Information (hereinafter referred to as “authentication side current authentication information”) is recorded in advance for each of the ID information, and the calculation by the mask function is performed on the received first authenticator and the authentication side current authentication information. Okona Then, the authentication side device calculates authentication information used for the next authentication (hereinafter referred to as authentication side next authentication information), and based on the authentication side current authentication information and the authentication side next authentication information, A verification value for verifying the authenticator is generated, the verification value is compared with the received second authenticator, and access of the device to be authenticated is permitted and calculated only when the comparison result matches. The authentication side next authentication information is recorded as the authentication side current authentication information used for the next authentication corresponding to the ID information of the device to be authenticated.

  According to the present invention, the ID information unique to each authenticated device and the first and second authenticators based on the authentication information based on the ID information are transmitted to the authenticating device to request access. 9. In the qualification authentication method according to the invention of claim 8, wherein the authentication side apparatus determines whether or not to permit access to the authentication target apparatus as authenticating the authentication side apparatus. As a process, prior to the current authentication, authentication information (hereinafter referred to as “authenticated side current authentication information”) used by the authenticated side device is recorded in the authenticated side device for each ID information. A random number for generating authentication information (hereinafter referred to as “authenticated side next authentication information”) recorded in the means and used by the device to be authenticated for next authentication, and based on the ID information and the random number, If the authentication side next authentication information is generated, and the same calculation is performed again on the value after the calculation for the next authentication information to be authenticated and the current authentication information to be authenticated, the value before the calculation is obtained. The first authenticator is generated by performing an operation using a mask function to be generated, the second authenticator is generated based on the authenticated-side current authentication information and the authenticated-side next authentication information, and the first and the The second authenticator is transmitted to the authenticating device together with the ID information, and the generated authenticated next authentication information is recorded as the authenticated current authentication information used for the next authentication corresponding to the ID information. As the process in the authentication side device, prior to the current authentication, authentication information used for the current authentication in the authentication side device (hereinafter referred to as authentication side current authentication information) is the authentication side for each ID information. Authentication information (hereinafter referred to as “authentication information”) used by the authentication side device for the next authentication by performing an operation using the mask function on the received first authentication code and the authentication side current authentication information. , “Authentication side next authentication information” is calculated, and a verification value for verifying the second authenticator is generated based on the authentication side current authentication information and the authentication side next authentication information, and the verification Only when the comparison result is the same by comparing the received value with the received second authenticator, access of the authenticated side device is permitted, and the calculated next authentication information of the authenticated side is stored in the authenticated side device. A qualification authentication method is obtained, which is recorded as the authentication side current authentication information used for the next authentication corresponding to the ID information.

  Further, according to the present invention, an information processing apparatus which is a device to be authenticated that realizes the qualification authentication method is obtained.

  In addition, according to the present invention, an information processing apparatus which is an authentication side apparatus for realizing the qualification authentication method can be obtained.

  In the qualification authentication method according to the present invention, the next authentication information is extracted from the authenticator received on the authenticator side, and the generation result generated by the current authentication information, the next authentication information, etc. is compared with the received authenticator to be authenticated. By authenticating the qualification, authentication information is given a degree of freedom in the authentication information. For this reason, it is possible to control the output length of the authenticator, and it is possible to reduce an extra process for restoring the original information.

  In addition, since a plurality of pieces of authentication information are used for generating mutual authentication information, the strength of the authentication method is further increased.

  That is, in the “SAS-2 authentication method”, the next authentication information received from the first and second authenticators received at the center side and the result of applying the one-way conversion function once to the current or next authentication information are obtained. In contrast to authenticating the qualification of the person to be authenticated by comparing the result of applying the one-way conversion function to the authentication information this time or next time with the information extracted from the authenticator, In the authentication method, the next authentication information is extracted from the first authenticator received at the center side, and the generation result generated based on the current authentication information and the next authentication information is compared with the received second authenticator. By authenticating the authenticator's qualification, the authenticator can be given a degree of freedom. For example, in the process of generating the authenticator on the authenticated person side based on the current authentication information and the next authentication information, the calculation result of the one-way conversion function can be output as shorter data and transmitted to the authenticator side. The data length of authentication information to be controlled can be controlled. In addition, since the current authentication information and the next authentication information are masked, a function with a smaller processing load is used instead of the one-way conversion function in the process of generating the authenticator based on the current authentication information and the next authentication information. Can be used.

  In addition, in the SAS-2 authentication method, addition is used when generating an authenticator. Therefore, in the process of retrieving the original information, it is necessary to restore the carry information, whereas in this authentication method, Since it is not necessary to restore the original information for generating the authenticator, independent calculation is possible in units of blocks, and the processing program associated with carry can be reduced.

  Further, in the SAS-2 authentication method, when generating authentication information “A” and “C”, A ← X (ID, S XOR N [n]), C ← X (ID, S XOR N [n + 1]) The calculation is performed using random numbers. However, since this random number is stored in the terminal of the person to be authenticated, when sharing the terminal with multiple people, there was a risk that the random number was stolen by another person and the password was guessed. In the authentication method, secret information is stored in a storage device managed by the person to be authenticated, thereby preventing leakage of the secret information to a third party. At this time, storing the authentication information instead of the random number can reduce the one-way function calculation processing at the time of authentication. In addition, by storing a sufficiently long private key with randomness in the storage device of the person to be authenticated and using it instead of the password stored by the person to be authenticated, the random number generation process can be performed on the side of the authenticator or the person to be authenticated Can be outsourced to other terminals.

  Furthermore, in the SAS-2 authentication method, γ ← H (ID, D) is used as data for authenticating the authenticator at the time of mutual authentication. If the mutual authenticator “γ” used in (2) is reused, the attacker can impersonate the person to be authenticated by reusing the authentication information for the (n + 1) th time. Further, although it is difficult to calculate “D” from the mutual authenticator “γ”, the attacker intercepts all past communication information, and the mutual authenticators “γ” to “D”, “D” Assuming that "C" can be obtained from "", it is possible to obtain all authentication information currently stored on the certifier side from the time of the first authentication. By using information generated from a plurality of pieces of authentication information to generate the mutual authenticator “γ”, the risk of reuse and the decoding of all past authentication information are made difficult.

  The qualification authentication system according to the present invention will be described below.

  In this authentication method, the next authentication information is extracted from the first authenticator received at the center side, and the generation result generated by the current authentication information and the next authentication information is compared with the received second authenticator. Authenticate the qualification of the person to be authenticated. As a result, it is possible to give the authenticator a degree of freedom, such as being able to output the calculation result of the one-way conversion function as shorter data, reducing the extra process for restoring the original information can do.

The qualification authentication system according to the present invention basically has the following configurations (1) to (7).

  (1) The ID device unique to each device to be authenticated and the first and second authenticators based on the authentication information based on the ID information are transmitted to the device on the authentication side to request access. In the qualification authentication system for determining whether or not to permit access to the device to be authenticated as the authentication of the qualification, in the qualification authentication system that determines whether or not to permit access to the device to be authenticated, the device to be authenticated Authentication information to be used (hereinafter referred to as “authenticated side current authentication information”) is recorded in advance for each of the ID information, and the authentication information used by the authenticated side device for the next authentication (hereinafter referred to as “authenticated side next authentication”). Information ”), generate the next authentication information on the authenticated side based on the ID information and the random number, and generate the next authentication information on the authenticated side and the current authentication on the authenticated side Information and On the other hand, when the same calculation is performed again on the value after the calculation, the first authenticator is generated by performing a calculation using a mask function that can obtain the value before the calculation, and the authentication target side current authentication information and the authentication target The second authenticator is generated based on the next authentication information on the side, the first and second authenticators are transmitted to the authenticating device together with the ID information, and the generated next authentication information on the authenticated side is generated. It is recorded as the authentication target side current authentication information used for the next authentication corresponding to the ID information, and the authentication side device uses the authentication side device for authentication information (hereinafter referred to as “authentication side current authentication information”). Is previously recorded for each of the ID information, and the received authentication device and the authentication side current authentication information are calculated by the mask function so that the authentication side device Authentication Authentication information (hereinafter referred to as “authentication side next authentication information”) is calculated, and a verification value for verifying the second authenticator is calculated based on the authentication side current authentication information and the authentication side next authentication information. The verification value and the received second authenticator are compared, and the access of the device to be authenticated is permitted only when the comparison result is coincident. A qualification authentication system that records the authentication side current authentication information used for the next authentication corresponding to the ID information of the authentication side device.

  (2) The ID information unique to each device to be authenticated and the first and second authenticators based on the authentication information based on the ID information are transmitted to the authentication device to request access. In the qualification authentication system in which the authentication side device determines whether or not to permit access to the device to be authenticated as authenticating the qualification, the authentication side device is detachable from the device to be authenticated. And authentication information used for the current authentication (hereinafter referred to as “authenticated side current authentication information”) is recorded in advance for each ID information in the detachable recording means. And acquiring a random number for generating authentication information (hereinafter referred to as “authenticated side next authentication information”) used by the device to be authenticated for next authentication, and based on the ID information and the random number, Certified A mask that generates the next authentication information, and obtains the value before the calculation by performing the same calculation again on the value after the calculation for the generated next authentication information on the authenticated side and the current authentication information on the authenticated side. The first authenticator is generated by performing a calculation using a function, and the second authenticator is generated based on the authenticated-side current authentication information and the authenticated-side next authentication information, and the first and second The authenticator is transmitted to the authenticating apparatus together with the ID information, and the generated authentication target next authentication information is associated with the ID information, and can be attached and detached as the authenticated target current authentication information used for the next authentication. Recorded in the recording means, and the authentication side device has previously recorded and received authentication information (hereinafter referred to as “authentication side current authentication information”) used for the current authentication in the authentication side device for each ID information. Said The authentication function used by the authentication side device for the next authentication (hereinafter referred to as authentication side next authentication information) is calculated by performing an operation using the mask function on the one authenticator and the authentication side current authentication information. , Generating a verification value for verifying the second authenticator based on the authenticator current authentication information and the authenticator next authentication information, and comparing the verification value with the received second authenticator Then, only when the comparison result is coincident, the access of the device to be authenticated is permitted, and the calculated next authentication information of the authentication side corresponding to the ID information of the device to be authenticated is used for the next authentication. The qualification authentication system is characterized by recording this time as authentication information.

  (3) The qualification authentication according to (1) or (2), wherein the device to be authenticated generates a next authentication information by performing a one-way function on an information group including the ID information and the random number. system.

  (4) The device to be authenticated generates the next authentication information on the authenticated side by applying the one-way function to the information group including the ID information, the random number, and the password on the authenticated side. The qualification authentication system described.

  (5) The device to be authenticated generates the second authenticator by applying the one-way function to a group of information including the authenticated current authentication information and the authenticated next authentication information, and generates the second authenticator. The side device generates the verification value by applying the one-way function to an information group including the authentication side current authentication information and the authentication side next authentication information. (1) to (4) Credential authentication system.

  (6) The authenticated device includes an information group including the authenticated side current authentication information, the authenticated side next authentication information, and shared information shared between the authenticated side device and the authenticating device. Applying the one-way function to generate the second authenticator, and the authentication-side apparatus applies a one-way to an information group including the authentication-side current authentication information, the authentication-side next authentication information, and the shared information. The qualification authentication system according to (5), wherein a function is applied to generate the verification value.

(7) The authentication side device records the authentication side current authentication information used in the authentication process before the previous time as the authentication side previous authentication information in advance for each ID information, and permits access to the authenticated side device. And generating a mutual authenticator based on the previous authentication information on the authenticating side and the next authentication information on the authenticating side, and transmitting the mutual authenticator to the device to be authenticated. The authentication target side current authentication information used for authentication processing is recorded as the authenticated side previous authentication information, and compared with the mutual authenticator based on the authentication side previous authentication information and the authenticated side next authentication information. When a comparison value is generated and the comparison value is compared with the received mutual authenticator and the comparison result is coincident, (a) the authentication side device confirms that the authentication is successful, or ( b) The authentication side device Certification system according to any one of the authentication (1) to (6).

  Hereinafter, referring to the drawings, an information processing system having a first information processing device on the person to be authenticated side and a second information processing device on the side of the authenticator, a program thereof, and the like as an example, qualification authentication according to an embodiment of the present invention The system, the qualification authentication method, and the information processing apparatus will be described in detail. In addition, since the component which attached | subjected the same code | symbol in the Example performs the same operation | movement, description may be abbreviate | omitted again.

  FIG. 4 shows the configuration of an information processing system having a first information processing apparatus on the person to be authenticated (user) side and a second information processing apparatus on the certifier (center) in the first embodiment of the present invention.

  With reference to FIG. 4, the information processing system includes a first information processing device 11 and a second information processing device 12.

  The first information processing apparatus 11 includes a user identifier storage unit 1101, a password storage unit 1102, a first calculation unit 1103, a first transmission unit 1104, and a first reception unit 1105.

  The user identifier storage unit 1101 stores a user identifier for identifying the user or the first information processing apparatus (hereinafter, the user identifier is referred to as a symbol and appropriately referred to as “ID”). This user identifier may be input to the user every time authentication processing is performed, or an ID stored in advance by the first information processing apparatus may be used during authentication processing. . The user identifier storage unit 1101 can be realized by a non-volatile or volatile recording medium.

  The password storage unit 1102 stores a password for authenticating the person to be authenticated (user) (hereinafter, the password is appropriately referred to as “S”). The password “S” may be input by the user every time authentication processing is performed, or “S” stored in advance by the first information processing apparatus is used for authentication processing. May be. The password storage unit 1102 can be realized by a nonvolatile or volatile recording medium.

  The user identifier storage unit 1101 and the password storage unit 1102 can normally be realized by one recording medium, but may be realized by different recording media.

  The first calculation unit 1103 performs unidirectional conversion (calculation using a unidirectional conversion function), generation of random numbers, and the like. The first calculation unit 1103 can be usually realized by a CPU, a memory, or the like. The functions and processing procedures for the first calculation unit 1103 to perform calculations are usually realized by software, and the software is recorded in a recording medium such as a ROM. However, it may be realized by hardware (dedicated circuit).

  The first transmission unit 1104 transmits the calculation result of the first calculation unit 1103 and the like to the second information processing apparatus 12. The first transmission unit 1104 can be realized by wireless or wired communication means or broadcast means.

  The first receiving unit 1105 receives data from the second information processing apparatus 12. The first receiving unit 1105 can be realized by wireless or wired communication means or means for receiving a broadcast (such as a tuner and a software driver).

  The first transmission unit 1104 and the first reception unit 1105 are usually realized by one means, but may be realized by different means.

  The second information processing apparatus 12 includes a second reception unit 1201, an information recording unit 1202, a second calculation unit 1203, an authentication unit 1204, and a second transmission unit 1205.

  The second receiving unit 1201 receives data from the first information processing apparatus 11. The second receiving unit 1201 can be usually realized by wireless or wired communication means, but does not exclude means for receiving broadcasts.

  The information recording unit 1202 records all or part of the data received by the second receiving unit 1201 or the calculation result of the second calculation unit 1203. The information recording unit 1202 can be usually realized by software, but may be realized by hardware (dedicated circuit). The information recording destination of the information recording unit 1202 may be a recording medium built in the second information processing apparatus 12 or an external recording medium. The recording medium may be a non-volatile recording medium or a volatile recording medium.

  The second calculation unit 1203 performs calculations such as one-way conversion. The second arithmetic unit 1203 can be usually realized by a CPU, a memory, software, and the like. That is, the calculation formula of the one-way function and the algorithm of various calculations are usually realized by software, and the software is stored in the memory (ROM or the like) of the second calculation unit 1203.

  The authentication unit 1204 performs authentication based on the calculation result of the second calculation unit 1203 and the like. The authentication unit 1204 can be usually realized by software, but may be realized by hardware (dedicated circuit).

  The second transmission unit 1205 transmits information on the calculation result of the second calculation unit 1203 from the second information processing device 12 to the first information processing device 11. The second transmission unit 1205 can be realized by a wireless or wired communication unit or a broadcasting unit.

  Hereinafter, a procedure in which the first information processing apparatus 11 on the person to be authenticated (user) side receives authentication by the second information processing apparatus 12 on the certifier (center) side will be described with reference to FIGS.

  In this embodiment, the following notation is used. “←” indicates assignment of the right side to the left side. “S” indicates a password secretly held by the first information processing apparatus on the authenticated person side. “ID” indicates an authenticated person identifier (user identifier) that is information for identifying the first information processing apparatus on the authenticated person side. “AN” indicates shared information shared between the person to be authenticated and the authenticator. For example, time information or an authenticated person identifier “ID” can be used. “N” indicates the number of authentications. N of “N [n]” indicates a random number. N of “N [n]” is an integer of 1 or more and is used to identify a random number. “XOR” indicates exclusive OR. “M” indicates a mask function that is a function that results in the original information when the same calculation is performed twice. For example, an exclusive OR operation corresponds to the mask function. “AT” indicates a one-way conversion function that does not use the password “S”. The one-way function is a function in which it is difficult to calculate y from z and x when “z = AT (x, y)”. “VT” indicates a one-way conversion function using a password “S” and a random number N [n], and “VT [n] = VT (ID, S, N [n])” n] ".

  FIG. 5 is a flowchart for explaining the procedure of initial registration (n = 0) of the person to be authenticated (user).

  Referring to FIGS. 4 and 5, password “S” and user identifier “ID” are stored in advance in first information processing apparatus 11 on the user side. The password “S” is kept secret by the user.

  Then, the first calculation unit 1103 of the first information processing apparatus 11 generates a random number N [1]. Since the technique for generating random numbers is an existing technique, description thereof is omitted. Then, the first calculation unit 1103 stores the random number N [1].

  Next, the first calculation unit 1103 calculates “A ← VT (ID, S, N [1])” using the user identifier “ID”, the password “S”, and the random number N [1]. Then, “A” is calculated. “A” is authentication information used for the first authentication.

  Next, the first transmission unit 1104 transmits the authentication information “A” used for the first authentication together with the user identifier “ID” to the second information processing apparatus 12 on the center (authenticator) side by a secure means.

  Then, the first calculation unit 1103 stores the authentication information “A”.

  Next, the second receiving unit 1201 of the second information processing apparatus 12 on the center side receives the user identifier “ID” and the authentication information “A”.

  Next, the information recording unit 1202 registers the authentication information “A” used for the received first authentication in association with the user identifier “ID”.

  The above is the procedure for initial registration of the person to be authenticated (user).

  FIG. 6 is a flowchart for explaining the procedure for the n-th authentication after the first time (n = 1).

  4 and 6, the first information processing apparatus 11 on the user side extracts the current authentication information “A”, the user identifier “ID”, and the password “S” that are stored.

  Note that the user identifier “ID” and the password “S” may be input by the user every time data transmission or the like is performed (every time authentication is required). Sometimes it is. When the first information processing apparatus 11 stores the user identifier “ID” and the password “S”, the user identifier “ID” and the password “S” are extracted from the first information processing apparatus 11.

  Next, the first calculation unit 1103 generates a new random number N [n + 1] or substitutes “A” as N [n + 1] and sets “C ← VT (ID, S, N [n + 1])”. An operation is performed to calculate “C”.

  Further, the first calculation unit 1103 calculates “α ← M (A, C)” and “β ← AT (A, C, AN)” using the authentication information “A” and the calculated “C”. To calculate the first authenticator “α” and the second authenticator “β”.

  Then, the first transmitting unit 1104 sends the first authenticator “α” and the second authenticator “β” together with the user identifier “ID” to the second information processing apparatus 12 on the center side.

  Here, “A” is the current authentication information, and “C” is the next authentication information.

  Then, the first calculation unit 1103 stores the next authentication information “C” instead of the current authentication information “A”.

  Next, the second receiving unit 1201 of the second information processing apparatus 12 on the center side receives the first authenticator “α”, the second authenticator “β”, and the user identifier “ID”.

  Then, the second calculation unit 1203 uses the current authentication information “A” registered corresponding to “ID” for the received first authenticator “α”, and uses “C ← M (A , Α) ”to calculate“ C ”.

  Furthermore, the second calculation unit 1203 performs unidirectional conversion on the current authentication information “A” and the calculated “C”, and the result “AT (A, C, AN)” is equal to the second authenticator “β”. Verify whether or not.

  If both data match, the authentication unit 1204 authenticates the qualification of the person to be authenticated (first information processing apparatus 11). “Authenticate the qualification” means that the access from the first information processing apparatus is determined to be appropriate. Then, the information recording unit 1202 newly registers the next authentication information “C” as “A” as the authentication information used for the next authentication. However, as will be described later, when mutual authentication is performed between the center and the user after the main authentication, the information recording unit 1202 registers the next authentication information “C” instead of the current authentication information “A”. In some cases, the current authentication information “A” is registered as the previous authentication information “Y”.

  The above is the procedure for the n-th authentication after the first time (n = 1) of the person to be authenticated (user).

  FIG. 7 is a flowchart for explaining the procedure at the time of the n-th mutual authentication after the first time (n = 1).

  Referring to FIG. 4 and FIG. 7, the first authenticator “α” and the second authenticator “β” sent from the first information processing apparatus 11 on the user side and received by the second receiving unit 1201 are obtained. The second operation unit 1203 of the second information processing device 12 on the center side previously stored in the information recording unit 1202 after the authentication of the person to be authenticated is established in the second information processing device 12 on the center side. The data “γ” obtained by applying the one-way conversion function “AT” to the authentication information “Y”, the next authentication information “C” and the like extracted is calculated. That is, “γ ← AT (Y, C, AN)” is calculated. Then, the second transmission unit 1205 of the center-side second information processing device 12 sends the data “γ” to the first information processing device 11 as a mutual authenticator “γ”.

  The previous authentication information “Y” stored in the information recording unit 1202 is generated and stored in advance at the time of initial registration (n = 0) of the person to be authenticated (user). .

  That is, referring to FIG. 4, in the first information processing apparatus 11 on the user side, the password “S” and the user identifier “ID” are stored in advance.

  Then, the first calculation unit 1103 of the first information processing apparatus 11 generates a random number N [0]. Then, the first calculation unit 1103 stores the random number N [0].

  Next, the first calculation unit 1103 calculates “Y ← VT (ID, S, N [0])” using the user identifier “ID”, the password “S”, and the random number N [0]. Then, “Y” is calculated. “Y” is authentication information used for the first mutual authentication.

  Next, the first transmission unit 1104 transmits the authentication information “Y” used for the first authentication together with the user identifier “ID” to the second information processing apparatus 12 on the center (authenticator) side by a secure means.

  Then, the first calculation unit 1103 stores “Y” as the previous authentication information “Y” used for the first mutual authentication.

  Next, the second receiving unit 1201 of the second information processing apparatus 12 on the center side receives the user identifier “ID” and the authentication information “Y”.

  Next, the information recording unit 1202 registers the authentication information “Y” used for the received first mutual authentication as the previous authentication information “Y” in association with the user identifier “ID”.

  The above is the procedure for initial registration of a person to be authenticated (user) for mutual authentication.

  When generating “γ”, other information may be used in addition to the combination of the previous authentication information “Y” and the next authentication information “C”. In other words, the previous authentication information can be used instead of the previous authentication information “Y”.

  For example, “γ ← AT (A, C, AN)” may be used. However, in this case, a result different from “β” must be calculated. For example, “β ← AT (A XOR C || AN)”, “γ ← AT (A || C || AN)” (where “||” indicates data concatenation). The information before the directional conversion function calculation is made different, or a different unidirectional conversion function is used.

  Next, the first receiving unit 1105 of the first information processing apparatus 11 on the user side receives the mutual authenticator “γ”.

  Then, the first calculation unit 1103 calculates “AT (Y, C, AN)” using the previously stored authentication information “Y” and the calculated “C”, and receives the result. If it matches with the mutual authenticator “γ”, it is confirmed that the second information processing device 12 on the center side has succeeded, or the first information processing device 11 on the user side performs the second information processing on the center side. The devices 12 authenticate each other.

  The above is the procedure at the time of the n-th mutual authentication after the first time (n = 1) of the person to be authenticated (user).

  In the present embodiment, the user side apparatus performs the initial registration process and the first (n = 1) and subsequent n-th authentication process by the same first information processing apparatus. And the apparatus that performs the n-th authentication process after the first time (n = 1) may be different. For example, the initial registration process may be performed by a personal computer, and after the first time (n = 1), the n-th authentication process may be performed by a portable terminal (including a mobile phone) that can be carried. In such a case, the authentication information “A”, the user identifier “ID”, and the like recorded in the personal computer that has performed the initial registration process must be recorded in a mobile terminal (including a mobile phone) by some means. Such processing may be recorded by transmitting the authentication information “A” or the user identifier “ID” from the personal computer to the portable terminal. However, the processing may be other processing.

  Further, the authentication process in this embodiment can be applied to various applications. For example, this authentication process can be used for sending and receiving mail. Also, this authentication process can be used as an authentication process when accessing a home page. The application to various applications is not limited to this embodiment, and the same applies to the authentication processing in all modifications of the present invention.

  Furthermore, the processing in the present embodiment may be realized by software. Then, this software may be distributed by software download or the like. Further, this software may be recorded and distributed on a recording medium such as a CD-ROM. This also applies to all modifications of the present invention.

  Even when the processing in the present embodiment is realized by software, the step of performing initial registration and the step of performing authentication may be separated.

  Further, the process performed by the first information processing apparatus and the process performed by the second information processing apparatus are separated as a program.

  In the first embodiment, the authentication information is stored in the device to be authenticated. However, the authentication information can be stored in a storage device such as an IC card that is securely held by the person to be authenticated. Hereinafter, the procedure will be described as a second embodiment of the present invention.

  At the time of initial registration, the authenticated device transmits initial authentication information generated by the authenticated user identifier, the secret information of the authenticated user, a random number, etc. to the authenticating device together with the authenticated user identifier. On the other hand, the authentication side apparatus registers the received information. At this time, the authenticated device stores the authenticated user identifier and the initial authentication information in a storage device that is securely managed by the authenticated user.

  During authentication, the device to be authenticated reads the authenticated user identifier and the initial authentication information from the storage device for safe management, generates a random number for the next authentication, generates the authenticated user identifier, the confidential information of the authenticated user, and the next authentication. Next time authentication information is generated with random numbers for the next time, and the authentication information is generated with the information masked by the current authentication information read out next time authentication information, the current authentication information, the next authentication information, etc., and the information together with the authenticated person identifier Sent to the authenticating device. On the other hand, the authentication side apparatus extracts the next authentication information using the stored current authentication information and the received authentication information, and the data generated by the current authentication information, the next authentication information, etc. is equal to the received authenticator. Is verified, and the qualification of the device to be authenticated is authenticated, and the extracted next authentication information is stored in correspondence with the authentication target identifier as information used for the next authentication.

  After the authentication is established, the device to be authenticated stores the next authentication information generated instead of the current authentication information in a storage device that safely manages.

  It is also possible to generate a random number for next authentication and next authentication information in advance and store the generated next authentication information in a storage device that is securely managed by the person to be authenticated.

  As described above, the qualification authentication method, the information processing apparatus, and the qualification authentication system according to the present invention have been described by the specific embodiments. However, the present invention is not limited to this embodiment, and the use qualifications of the communication partner and the user in the information communication system and the like. Needless to say, those skilled in the art can apply and modify various means for authenticating the above.

It is a flowchart explaining the initial registration procedure in a prior art. It is a flowchart explaining the authentication procedure in a prior art. It is a flowchart explaining the mutual authentication procedure in a prior art. It is a block diagram which shows the structure of the information processing system in the Example of this invention. It is a flowchart explaining the initial registration procedure in the Example of this invention. It is a flowchart explaining the authentication procedure in the Example of this invention. It is a flowchart explaining the mutual authentication procedure in the Example of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 11 1st information processing apparatus 12 2nd information processing apparatus 1101 User identifier storage part 1102 Password storage part 1103 1st calculating part 1104 1st transmission part 1105 1st receiving part 1201 2nd receiving part 1202 Information recording part 1203 2nd calculating part 1204 Authentication unit 1205 Second transmission unit

Claims (16)

Authenticating the qualification of the device to be authenticated that has transmitted ID information unique to each device to be authenticated and first and second authenticators based on the authentication information based on the ID information to the device to be authenticated and requested access In the qualification authentication system for determining whether or not to permit access of the device to be authenticated, the authentication side device,
The authenticated device is:
The authentication information authenticated side device used for this authentication (hereinafter, referred to as "authenticated side current authentication information") is recorded in advance into each of the ID information,
The authentication information authenticated side device uses the next authentication (hereinafter, referred to as "authenticated side next authentication information") to get the random number for generating,
Based on the ID information and the random number, generate the next authentication information on the authenticated side,
If the same calculation is performed again on the value after the calculation for the generated next authentication information on the authenticated side and the current authentication information on the authenticated side, a calculation using a mask function that obtains the value before the calculation is performed. Generate one authenticator,
Generating the second authenticator based on the authenticated side current authentication information and the authenticated side next authentication information;
Sending the first and second authenticators together with the ID information to the authenticating device;
Record the generated authentication target next authentication information corresponding to the ID information as the authentication target current authentication information used for the next authentication,
The authentication side device is:
Authentication information used for this authentication in the authentication side device (hereinafter referred to as “authentication side current authentication information”) is recorded in advance for each ID information,
An operation using the mask function is performed on the received first authenticator and the authentication side current authentication information, and authentication information used by the authentication side device for the next authentication (hereinafter referred to as authentication side next authentication information). )
Based on the authentication side current authentication information and the authentication side next authentication information, generate a verification value for verifying the second authenticator ,
The verification value and the received second authenticator are compared, and only when the comparison result is identical, the access to the device to be authenticated is permitted,
The calculated authentication side next authentication information is recorded as the authentication side current authentication information used for the next authentication corresponding to the ID information of the device to be authenticated.   Authenticating the qualification of the device to be authenticated that has transmitted ID information unique to each device to be authenticated and first and second authenticators based on the authentication information based on the ID information to the device to be authenticated and requested access In the qualification authentication system for determining whether or not to permit access of the device to be authenticated, the authentication side device,
  The authenticated device is:
  It has a recording means detachable from the device to be authenticated as a configuration of the device to be authenticated
  In the detachable recording means, authentication information used for the current authentication (hereinafter referred to as “authenticated side current authentication information”) is recorded in advance for each ID information,
  Obtaining a random number for generating authentication information (hereinafter referred to as “authenticated side next authentication information”) used by the device to be authenticated for next authentication,
  Based on the ID information and the random number, generate the next authentication information on the authenticated side,
  If the same calculation is performed again on the value after the calculation for the generated next authentication information on the authenticated side and the current authentication information on the authenticated side, a calculation using a mask function that obtains the value before the calculation is performed. Generate one authenticator,
  Generating the second authenticator based on the authenticated side current authentication information and the authenticated side next authentication information;
  Sending the first and second authenticators together with the ID information to the authenticating device;
  The generated authentication target next authentication information corresponding to the ID information is recorded in the removable recording means as the authentication target current authentication information used for the next authentication,
  The authentication side device is:
  Authentication information used for this authentication in the authentication side device (hereinafter referred to as “authentication side current authentication information”) is recorded in advance for each ID information,
  An operation using the mask function is performed on the received first authenticator and the authentication side current authentication information, and authentication information used by the authentication side device for the next authentication (hereinafter referred to as authentication side next authentication information). )
  Based on the authentication side current authentication information and the authentication side next authentication information, generate a verification value for verifying the second authenticator,
  The verification value and the received second authenticator are compared, and only when the comparison result is identical, the access to the device to be authenticated is permitted,
  The calculated authentication side next authentication information is recorded as the authentication side current authentication information used for the next authentication corresponding to the ID information of the device to be authenticated. 3. The qualification authentication system according to claim 1, wherein the device to be authenticated generates a next authentication information to be authenticated by applying a one-way function to an information group including the ID information and the random number. 4. The qualification according to claim 3, wherein the authenticated side device performs the one-way function on an information group including the ID information, the random number, and the authenticated side password to generate the authenticated side next authentication information. Authentication system. The authenticated device generates the second authenticator by applying the one-way function to an information group including the authenticated side current authentication information and the authenticated side next authentication information,
  The said authentication side apparatus produces | generates the said verification value by performing the said one-way function to the information group containing the said authentication side present authentication information and the said authentication side next authentication information. Credential authentication system. The authenticated side device is configured to apply the one-way to an information group including the authenticated side current authentication information, the authenticated side next authentication information, and shared information shared between the authenticated side device and the authenticated side device. Applying a sex function to generate the second authenticator;
  6. The qualification authentication according to claim 5, wherein the authentication side apparatus generates the verification value by applying a one-way function to an information group including the authentication side current authentication information, the authentication side next authentication information, and the shared information. system. The authentication side device is:
  The authentication side current authentication information used in the authentication process before the previous time is recorded in advance as the authentication side last authentication information for each ID information,
  After permitting access of the device to be authenticated, generate a mutual authenticator based on the authentication side previous authentication information and the authentication side next authentication information,
  Sending the mutual authenticator to the device to be authenticated;
  The authenticated device is:
  The authentication target side current authentication information used for the authentication process before the previous time is recorded as the authentication target previous authentication information,
  Based on the authentication side previous authentication information and the authenticated side next authentication information, generate a comparison value for comparison with the mutual authenticator,
  When the comparison value is compared with the received mutual authenticator by comparing the comparison value, (a) the authentication side device confirms that the authentication is successful, or (b) the authentication side device The qualification authentication system according to any one of claims 1 to 6, wherein: Authenticating the qualification of the device to be authenticated that has transmitted ID information unique to each device to be authenticated and first and second authenticators based on the authentication information based on the ID information to the device to be authenticated and requested access In the qualification authentication method for determining whether or not to permit access of the device to be authenticated with the authentication device,
  As a process in the device to be authenticated,
  Prior to the current authentication, authentication information used for the current authentication in the authenticated device (hereinafter referred to as “authenticated current authentication information”) is recorded in the recording means of the authenticated device for each ID information. And
  Obtaining a random number for generating authentication information used by the device to be authenticated for next authentication (hereinafter referred to as authentication target next authentication information);
  Based on the ID information and the random number, generate the next authentication information on the authenticated side,
  If the same calculation is performed again on the value after the calculation for the generated next authentication information on the authenticated side and the current authentication information on the authenticated side, a calculation using a mask function that obtains the value before the calculation is performed. Generate one authenticator,
  Generating the second authenticator based on the authenticated side current authentication information and the authenticated side next authentication information;
  Sending the first and second authenticators together with the ID information to the authenticating device;
  Record the generated authentication target next authentication information corresponding to the ID information as the authentication target current authentication information used for the next authentication,
  As a process in the authentication side device,
  Prior to the current authentication, authentication information used for the current authentication in the authentication side device (hereinafter referred to as authentication side current authentication information) is recorded in the recording means of the authentication side device for each ID information,
  An operation using the mask function is performed on the received first authenticator and the authentication side current authentication information, and authentication information used by the authentication side device for the next authentication (hereinafter referred to as “authentication side next authentication information”). Calculated)
  Based on the authentication side current authentication information and the authentication side next authentication information, generate a verification value for verifying the second authenticator,
  The verification value and the received second authenticator are compared, and only when the comparison result is identical, the access to the device to be authenticated is permitted,
  The calculated authentication side next authentication information is recorded as the authentication side current authentication information used for the next authentication corresponding to the ID information of the device to be authenticated. Authenticating the qualification of the device to be authenticated that has transmitted ID information unique to each device to be authenticated and first and second authenticators based on the authentication information based on the ID information to the device to be authenticated and requested access In the qualification authentication method for determining whether or not to permit access of the device to be authenticated with the authentication device,
As a process in the device to be authenticated,
It has a recording means detachable from the device to be authenticated as a configuration of the device to be authenticated,
Prior to this authentication, the authentication information used in the this time authentication authenticated side device (hereinafter, referred to as "authenticated side current authentication information") is recorded in the removable recording unit for each of the ID information And
The authentication information authenticated side device uses the next authentication (hereinafter, referred to as the authenticated side next authentication information ") to get the random number for generating,
Based on the ID information and the random number, generate the next authentication information on the authenticated side,
If the same calculation is performed again on the value after the calculation for the generated next authentication information on the authenticated side and the current authentication information on the authenticated side, a calculation using a mask function that obtains the value before the calculation is performed. Generate one authenticator,
Generating the second authenticator based on the authenticated side current authentication information and the authenticated side next authentication information;
Sending the first and second authenticators together with the ID information to the authenticating device;
The generated authentication target next authentication information corresponding to the ID information is recorded in the removable recording means as the authentication target current authentication information used for the next authentication ,
As a process in the authentication side device,
Prior to the current authentication, authentication information used for the current authentication in the authentication side device (hereinafter referred to as authentication side current authentication information) is recorded in the recording means of the authentication side device for each ID information,
An operation using the mask function is performed on the received first authenticator and the authentication side current authentication information, and authentication information used by the authentication side device for the next authentication (hereinafter referred to as “authentication side next authentication information”). Calculated)
Based on the authentication side current authentication information and the authentication side next authentication information, generate a verification value for verifying the second authenticator ,
The verification value and the received second authenticator are compared, and only when the comparison result is identical, the access to the device to be authenticated is permitted,
The calculated authentication side next authentication information is recorded as the authentication side current authentication information used for the next authentication corresponding to the ID information of the device to be authenticated. The qualification authentication method according to claim 8 or 9, wherein, as a process in the authentication target apparatus, a next-direction authentication information is generated by applying a one-way function to an information group including the ID information and the random number.   11. The next authentication information to be authenticated is generated by applying the one-way function to an information group including the ID information, the random number, and a password to be authenticated as a step in the authenticated device. Credential authentication method. As a step in the device to be authenticated, the second authenticator is generated by applying the one-way function to a group of information including the authenticated current authentication information and the authenticated next authentication information,
As a step in the authentication-end device, any one of the claims 8 to 11 to generate the verification value by performing the one-way function to information group including the authentication side current authentication information and the authentication side next authentication information The qualification authentication method described in 1. As a process in the authenticated side device, the authenticated side current authentication information, the authenticated side next authentication information, and an information group including shared information shared between the authenticated side device and the authenticated side device Applying the one-way function to generate the second authenticator;
13. The verification value is generated by performing a one-way function on an information group including the authentication side current authentication information, the authentication side next authentication information, and the shared information as a step in the authentication side device. Credential authentication method. As a process in the authentication side device,
  The authentication side current authentication information used in the authentication process before the previous time is recorded in advance as the authentication side last authentication information for each ID information,
  After permitting access of the device to be authenticated, generate a mutual authenticator based on the authentication side previous authentication information and the authentication side next authentication information,
  Sending the mutual authenticator to the device to be authenticated;
  As a process in the device to be authenticated,
  The authentication target side current authentication information used for the authentication process before the previous time is recorded as the authentication target previous authentication information,
  Based on the authentication target previous authentication information and the authentication target next authentication information, generate a comparison value for comparison with the mutual authenticator,
  When the comparison value is compared with the received mutual authenticator by comparing the comparison value, (a) the authentication side device confirms that the authentication is successful, or (b) the authentication side device The qualification authentication method according to any one of claims 8 to 13, wherein the authentication is performed. An information processing apparatus, which is a device to be authenticated, that realizes the qualification authentication method according to any one of claims 8 to 14. An information processing apparatus which is an authentication side apparatus for realizing the qualification authentication method according to any one of claims 8 to 14.

Images