JP4611642B2 - Authentication system - Google Patents

Description

  The present invention relates to a system for authentication, and relates to a technique for preventing unauthorized analysis focusing on input / output data.

  FIG. 9 is a diagram showing a conventional processing flow. This figure shows the processing procedure of authentication by the conventional challenge and response. If the key K1 held on the authenticating side does not match the key K2 held on the authenticated side, the authentication is not successful.

  However, in recent years, there is an increased risk that secret data in the apparatus is analyzed by side channel attacks such as power difference analysis and electromagnetic wave analysis. In such an illegal analysis, a random number R1 is given to the authenticated side, a data value related to processing of the random number R1 in the device on the authenticated side is predicted, and a procedure for finally obtaining the key K2 is followed.

  The present invention has been made in order to eliminate the above-described drawbacks of the prior art, and the object of the present invention is to make it difficult to predict by unauthorized analysis in the process on the authenticated side for random numbers. To do.

An authentication system according to the present invention includes:
An authentication system including an authenticated device to be authenticated and an authentication device to be authenticated,
The device to be authenticated
(1) a random number processing unit that converts a random number shared with the authentication device into a secret value by a secret method;
(2) an encryption unit that encrypts the converted random number to generate a ciphertext;
(3) a ciphertext processing unit that converts the generated ciphertext by a secret method;
(4) a ciphertext transmission unit that transmits the converted ciphertext to the authentication device;
The authentication device
(5) a ciphertext receiving unit that receives data that is assumed to be the converted ciphertext from an authenticated device;
(6) a ciphertext reverse processing unit that reverse-converts the received data by a conversion method of the ciphertext processing unit and a reversible conversion method;
(7) a decryption unit that decrypts the inversely converted ciphertext to generate a decrypted text;
(8) A random number reverse processing unit that reversely converts the generated decrypted text as data that is assumed to be the converted cipher text by conversion using a random number processing unit and a reversible conversion method.

  In the present invention, the random number given on the authenticated side is not used as it is, but the processing related to the authenticated such as encryption is performed after the conversion, so that it is difficult to perform fraud analysis from the outside focusing on the random number processing. , Confidentiality can be ensured.

Embodiment 1 FIG.
Hereinafter, the present invention will be described based on embodiments shown in the drawings. In this example, a procedure for performing both authentications at the same time is adopted.

  First, the process on the authenticated side will be mainly described. FIG. 1 is a diagram showing a flow of mutual authentication processing. Both devices simultaneously perform processing related to authentication.

  FIG. 2 is a diagram illustrating a configuration related to mutual authentication. With this configuration, authentication processing is performed. This figure assumes the apparatus on the left side of FIG. 1, but the right apparatus has the same configuration. Random number generation unit 201, random number transmission unit 202, random number reception unit 203, input processed data generation unit 204, random number processing unit 205, data storage unit 206, encryption unit 207, output processed data generation unit 208, ciphertext processing unit 209, The ciphertext transmission unit 210, the ciphertext reception unit 211, and the ciphertext verification unit 212 are included. In particular, the data storage unit 206 stores data related to secrecy in advance.

  Based on FIG. 1 and FIG. 2, the process on the authentication target side is described in detail. In S101 to S103 and S151 to S153, the random numbers generated independently by both parties are exchanged. For this purpose, a random number generation unit 201 that generates random numbers, a random number transmission unit 202 that transmits random numbers, and a random number reception unit 203 that receives random numbers are included.

  In S104 to S108 and S154 to S158, a ciphertext for authentication is generated. Since both devices operate symmetrically, the left device will be described as a specific example.

  In the present invention, the acquired random number R2 is processed (converted) and used, but input processed data IV used for the processing (conversion) is generated (S104). This processing is performed by the input processing data generation unit 204. In the figure, IV = F (R1, R2, Seed1, K1) is shown. However, as long as it is a function that can calculate common data between both apparatuses, the function may be calculated by another form of function.

An example of IV = F (R1, R2, Seed1, K1) is shown below.
num = m to hash (R1 || R2)
IV = Seed1
for j from 1 to num
IV = Enc (K1, IV)
A hash value of a value obtained by concatenating R1 and R2 is obtained, and the first m bits are cut out from the hash value to obtain num. Seed 1 is set as the initial value of IV, and encryption is repeated num times. At this time, the encryption key K1 held inside is used. The encryption result is output to IV.

Replace the encryption part in this example with a hash function,
IV = hash (IV)
Another function is also conceivable.

  Then, the random number R2 is processed (converted) using the data IV (S105). This process is performed by the random number processing unit 205. In this example, an exclusive OR is calculated as the logical operation.

R2 '= R2 XOR IV
Then, the processed (converted) random number R2 ′ is encrypted with the encryption key K3 (S106). This processing is performed by the encryption unit 207.

C1 ′ = Enc (K3, R2 ′)
In the present invention, the obtained ciphertext C1 ′ is further processed (converted), and output processed data FV used for this purpose is generated (S107). This process is performed by the output processing data generation unit 208. In the figure, FV = G (R1, R2, Seed2, K2) is shown, but as long as it is a function that can calculate common data between both apparatuses, it may be calculated by another form of function.

An example of FV = G (R1, R2, Seed2, K2) is shown below.
num = n to hash (R1 || R2)
FV = Seed2
for j from 1 to num
FV = Enc (K2, FV)
A hash value of a value obtained by concatenating R1 and R2 is obtained, and the first n bits are cut out from the hash value to obtain num. Seed2 is set as the initial value of FV, and encryption is repeated num times. At this time, the encryption key K2 held inside is used. The encryption result is output to FV.

Replace the encryption part in this example with a hash function,
FV = hash (FV)
Another function is also conceivable.

  Then, the ciphertext C1 ′ is processed (converted) using the data FV (S108). This process is performed by the ciphertext processing unit 209. In this example, an exclusive OR is calculated as the logical operation.

C1 = C1 'XOR FV
The ciphertext C1 obtained in this way is transmitted from the ciphertext transmitting unit 210 to the partner apparatus (S110), and the ciphertext receiving unit 211 similarly receives the ciphertext C2 from the partner (S109).

  Then, the ciphertext verification unit 212 verifies the ciphertext C2 in order to authenticate the counterpart device.

  Next, the ciphertext verification process, that is, the authentication process will be described. FIG. 3 is a diagram showing a processing flow of ciphertext verification. This process is also performed symmetrically.

  FIG. 4 is a diagram illustrating a configuration related to ciphertext verification. Further, the ciphertext reverse processing unit 401, the decryption unit 402, the random number reverse processing unit 403, and the authentication result determination unit 404 are provided. This figure assumes the apparatus on the left side of FIG. 3, but the right apparatus has the same configuration.

  Based on FIG. 1 and FIG. 2, the process on the authentication target side will be described in detail. Here, the description will be made assuming the left device.

  First, the ciphertext reverse processing unit 401 performs reverse processing (reverse conversion) on the received ciphertext C2 (S301). This process is an inverse conversion to the conversion of S158. In this example, an exclusive OR is calculated as a logical operation in this example. The FV used previously is used.

C2 '= C2 XOR FV
Then, the ciphertext C2 ′ obtained by reverse processing (inverse conversion) is decrypted using the encryption key K3 (S302). This process is performed by the decoding unit 402.

R1 ′ = Dec (K3, C2 ′)
The random number R1 ′ obtained as a plaintext of the decryption result is inversely processed (inversely converted) (S303). This process is an inverse conversion to the conversion of S155, and is performed by the random number inverse processing unit 403. In this example, an exclusive OR is calculated as a logical operation in this example. IV uses what was calculated | required previously.

R1 = R1 'XOR IV
Then, the random number R1 generated in S101 is compared with the data assumed to be the random number R1 calculated in the above process (S304). If they match, the authentication result is considered successful (S305), and if they do not match, the authentication result fails (S306). The authentication result determination unit 404 performs processing.

  The method of verification can be verified not only by decoding, but also by predicting the value generated by the other party using R1 and R2, and whether the received value matches the expected value. Further, as a method for generating IV and FV, simple addition or the like is possible in addition to the hash function and the cryptographic algorithm.

Embodiment 2. FIG.
In the present embodiment, a mode applied to encryption and decryption in a cipher block chaining (CBC) mode will be described.

  First, encryption will be described. This corresponds to the processing of the random number processing unit 205, the encryption unit 207, and the ciphertext processing unit 209 of the first embodiment. FIG. 5 is a diagram showing blocks related to encryption when applied to the CBC mode. FIG. 6 is a diagram showing a processing flow relating to encryption when applied to the CBC mode. The process will be described with reference to these drawings.

  The plaintext P ′ to be encrypted is composed of a random number R and blocks of actual data M1, M2,. Then, the following processing is repeated in order from this top block (S601).

  In order from the top, a block of equally divided data is acquired (S602). First, get R. After the second time, they are acquired in the order of M1, M2,. This is one input of logical operations (501, 502, 503,...).

  The input side parameter that becomes other input data is also specified (S603). Initially, a random number IV (corresponding to dummy data) is used. From the second time onward, the previous encryption result (in order C0 ′, C1 ′,...) Is used.

  Then, these input side logical operations (S604) are performed. In this example, an exclusive OR (XOR) is obtained. This is the processing indicated by 501, 502, and 503 in FIG.

  The operation results (initially R ′, in order M1, M2,...) Are encrypted with the encryption key ukey stored therein (S605). As a result, C0 ′, C1 ′, C2 ′,.

  The output side logical operation is performed with the encryption result and the random number FV used in common with the decryption side as inputs (S606). In this example, an exclusive OR (XOR) is obtained. This is the process indicated by 521, 522, 523 in FIG.

  Then, the calculation results are sequentially stored as a block of encrypted data (S607). In order, C0, C1, C2,.

  The process ends when all the blocks have been processed (S608).

  Subsequently, decoding will be described. This corresponds to the processing of the ciphertext reverse processing unit 401, the decryption unit 402, and the random number reverse processing unit 403 of the first embodiment. FIG. 7 is a diagram illustrating blocks related to decoding when applied to the CBC mode. FIG. 8 is a diagram showing a processing flow relating to decoding when applied to the CBC mode.

  The encrypted data is composed of blocks C0, C1, C2,. Then, the following processing is repeated in order from this top block (S801).

  In order from the top, blocks of encrypted data are acquired (S802). This is one input of logical operations (701, 702, 703,...).

  As the other input data, a random number FV used in common with the encryption side is used to perform an input side logical operation (S803). In this example, an exclusive OR (XOR) is obtained. This is the processing indicated by 701, 702, and 703 in FIG.

  The calculation result (initially C0 ′, C1 ′, C2 ′,...) Is decrypted with the encryption key ukey stored therein (S804). As a result, R ′, M1 ′, M2 ′,. The decoding result becomes one input of the output side logical operation.

  The output side parameter to be another input is specified (S805). Initially, a random number IV (corresponding to dummy data) is used. From the second time onward, the previous decoded input data (in order, C0 ′, C1 ′,...) Is used.

  Then, these output side logical operations (S806) are performed. In this example, an exclusive OR (XOR) is obtained. This is the processing indicated by 711, 712, and 713 in FIG.

  The calculation results are sequentially stored as a block of equal data (S807). In order, R, M1, M2,. However, the random number R, which is dummy data, is ignored and the blocks after M1 are used.

  The process ends when all blocks have been processed (S808).

  In the above-described example, an example of mutual authentication has been described. However, an authentication system that includes an authenticated device to be authenticated and an authentication device that performs authentication and authenticates only one of them is also effective.

  The authentication device is a computer, and each element can execute processing by a program. Further, the program can be stored in a storage medium so that the computer can read the program from the storage medium.

  FIG. 10 is a diagram illustrating a hardware configuration example of the authentication apparatus. An arithmetic device 1001, a data storage device 1002, a memory 1003, and a communication interface 1004 are connected to the bus. The data storage device 1002 is, for example, a ROM (Read Only Memory) or a hard disk. The memory 1003 is a normal RAM (Random Access Memory).

  The program is normally stored in the data storage device 1002, and is loaded into the memory 1003 and sequentially read into the arithmetic device 1001 for processing. Data is received and transmitted by the communication interface 1004.

  This makes it difficult for an attacker to derive an encrypted value and prevents side channel attacks.

It is a figure which shows the flow of a process of mutual authentication. It is a figure which shows the structure which concerns on mutual authentication. It is a figure which shows the processing flow of the verification of a ciphertext. It is a figure which shows the structure which concerns on verification of a ciphertext. It is a figure which shows the block which concerns on encryption at the time of applying to CBC mode. It is a figure which shows the processing flow which concerns on encryption at the time of applying to CBC mode. It is a figure which shows the block which concerns on the decoding at the time of applying to CBC mode. It is a figure which shows the processing flow which concerns on the decoding at the time of applying to CBC mode. It is a figure which shows the conventional process flow. It is a figure which shows the hardware structural example of an authentication apparatus.

Explanation of symbols

  201 random number generation unit, 202 random number transmission unit, 203 random number reception unit, 204 input processed data generation unit, 205 random number processing unit, 206 data storage unit, 207 encryption unit, 208 output processed data generation unit, 209 ciphertext processing unit, 210 Ciphertext transmission unit, 211 Ciphertext reception unit, 212 Ciphertext verification unit, 401 Ciphertext reverse processing unit, 402 Decryption unit, 403 Random number reverse processing unit, 404 Authentication result determination unit

Claims (1)

An authentication system comprising an authenticated device that generates a ciphertext C1 by a predetermined encryption process and an authentication device that decrypts the ciphertext C1 generated by the authenticated device,
The device to be authenticated
(1) the authentication device and a random number R1 and random number R2 to share with, the predetermined secret value by the conversion process using the first function operation with a different conversion processing in the first logical operation is an encryption process A random number processing unit for converting to a random number R2 ′ ,
As the first function operation, a value obtained by concatenating the random number R1 and the random number R2 is obtained, a hash value of the obtained concatenated value is obtained, and a predetermined m (m> 0 integer) from the head of the obtained hash value. The bits are cut out, a predetermined value Seed1 is set as the initial value of IV of the hash function IV = hash (IV), and the hash function IV = hash (IV) is repeatedly calculated for the number of times of the cut out m-bit value. To find the hash value,
As the first logical operation, a random number processing unit that performs an exclusive OR operation between the random number R2 and a hash value obtained by iterative calculation of the hash function IV = hash (IV) to obtain a random number R2 ′;
(2) An encryption unit that encrypts the random number R2 ′ converted by the random number processing unit by the predetermined encryption process to generate a ciphertext C1 ′ ,
As the predetermined encryption process, an encryption unit that generates a ciphertext C1 ′ using an encryption function Enc (K3, R2 ′) that encrypts the random number R2 ′ using an encryption key K3 ;
(3) The ciphertext C1 ′ generated by the encryption unit is a conversion process different from both the predetermined encryption process and the conversion process of the random number processing unit, and includes a second function operation and a second logic. A ciphertext processing unit that obtains a ciphertext C1 by conversion by a conversion process using an operation ,
As the second function operation, a value obtained by concatenating the random number R1 and the random number R2 is obtained, a hash value of the obtained concatenated value is obtained, and a predetermined n (n> 0 integer) from the head of the obtained hash value, n ≠ m) bits are cut out, a predetermined value Seed2 is set as the initial value of the FV of the hash function FV = hash (FV), and the hash function FV = hash (FV) for the number of n-bit values cut out. ) Repeatedly to find the hash value,
As the second logical operation, a ciphertext processing unit that obtains a ciphertext C1 by performing an exclusive OR operation between the ciphertext C1 ′ and a hash value obtained by iterative calculation of the hash function FV = hash (FV). When,
(4) a ciphertext transmission unit that transmits the ciphertext C1 converted by the ciphertext processing unit to the authentication device;
The authentication device
(5) a ciphertext receiving unit that receives data that is assumed to be the converted ciphertext from an authenticated device;
(6) a ciphertext reverse processing unit that reversely converts the data received by the ciphertext receiving unit by a conversion process reverse to a conversion process using a function operation and a logical operation of the ciphertext processing unit;
(7) a decryption unit that decrypts the ciphertext reversely transformed by the ciphertext reverse processing unit and generates a decrypted text;
(8) The decrypted text generated by the decryption unit is inversely converted as data that is assumed to be the converted ciphertext by a conversion process that is reverse to the conversion process using the function operation and the logical operation of the random number processing unit A random number reverse processing unit for generating a random number used for authentication;
(9) The random number used for authentication generated by the random number reverse processing unit is compared with the random number shared with the device to be authenticated, and when the comparison result matches, the authentication of the device to be authenticated is determined to be successful, An authentication system comprising: an authentication result determination unit that determines that authentication of a device to be authenticated is unsuccessful when the compared results do not match.

Images