JP4757591B2 - Password authentication key exchange apparatus, system, method, and computer program - Google Patents

Description

  The present invention relates to a password authentication key exchange apparatus, system, method, and computer program that reduce the processing load on a client terminal.

There is known a security technique using a password authentication key exchange protocol for securing a digital document by using a low-grade password that can be easily stored by a person. In this method, a password or a hash value of a password is shared between the client terminal and the server, and key sharing is performed without holding secret key information in the client terminal. This technique has a technical feature in that an attacker to a network between a client terminal and a server creates a situation where password prediction cannot be performed offline. As an application example of this method, for example, there is a security method in which information derived from a hash value of a password is used in combination with an RSA method or a Diffie-Hellman key exchange method (see Patent Documents 1 to 3).
The Diffie-Hellman type key exchange method generates a random number at each of a plurality of nodes, transmits a value obtained by power-modulating this random number to the other party, and again uses the random number generated by itself for the received value. This is a method of sharing a key that can be known only by both parties by taking a power residue.

Special table 2003-536320 gazette JP 2001-313634 A JP 2002-335238 A

However, the above-described conventional security method requires a long time for the “power residue calculation” used in the password authentication key exchange protocol. Therefore, for example, in a service in which a client terminal having a low computing capacity such as a portable terminal communicates with a server via a local store terminal, there is a problem that the waiting time associated with the power residue calculation becomes long and is not suitable for use. is there.
In addition, when a client terminal wants to share a key with multiple servers at the same timing, it is necessary to generate a random number different for each server on the client terminal side, so that processing takes time and loads on the client terminal. There is also the problem of concentration.
The present invention solves this problem, reduces the load of random number generation processing and calculation processing at the client terminal when the client terminal performs key exchange with the server, efficiently performs key exchange with the server, and thus The main problem is to provide a method for realizing service cooperation using a plurality of servers.

The present invention is, for example, a password authentication key exchange apparatus capable of communicating with each of a client terminal that generates a first random number and a server that generates server data, and is a second that is larger in size than the first random number. Based on random number generation means for generating a random number of the client, client primary data generated by the client terminal using the first random number and a predetermined password, and the second random number generated by the random number generation means by transmitting the generated said client secondary data secondary data to the server, secondary data generating prompting generating a shared key shared with the previous SL client terminal based on the client secondary data to the server Means, the server data generated by the server, and the second random number generated by the random number generating means. By transmitting the generated the key exchange part data key exchange partial data to the client terminal have, key exchange prompting generating a shared key shared with the server on the basis of the key exchange part data to said client terminal And a partial data generating means.

  In this password authentication key conversion apparatus, when the client terminal communicates with a plurality of servers, the random number generation means may generate a second random number different for each server. Further, the share information further includes difference information generation means for generating difference information of a plurality of server data relating to the plurality of servers, and the difference information generation means further uses the difference information in addition to the key exchange partial data. The client terminal may be prompted to generate a key.

The present invention is also a system including, for example, a server, a client terminal that generates a first random number, and a password authentication key exchange device that can communicate with each of the servers, the server including a third random number and Key exchange management for generating server data using the third random number and generating a shared key shared with the client terminal based on the third random number and the client secondary data generated by the client terminal The password authentication key exchange device includes: a random number generation unit that generates a second random number that is larger in size than the first random number; and the client terminal receives the first random number and the password. The client secondary data based on the client primary data generated using the second random number generated by the random number generation means. Generates over data, secondary data generating means for transmitting the client secondary data to the server, on the basis of the said second random number that the server is the server data and the random number generating means generates the generated key by generating a replacement partial data to transmit the key exchange part data to the client terminal, the key exchange part data prompting generating a shared key shared with the server on the basis of the key exchange part data to said client terminal Generating means.

  Also in this password authentication key exchange system, when the client terminal communicates with a plurality of servers, the random number generation means may generate different second random numbers for different servers. The password authentication key exchange apparatus further includes difference information generation means for generating difference information of a plurality of server data relating to a plurality of servers, and the difference information generation means adds the difference to the key exchange partial data. The client terminal may be prompted to generate the shared key further using information.

The present invention can be embodied as a password authentication key exchange method. This method is executed by a system having a server and a password authentication key exchange apparatus that can communicate with each of the client terminals. The client terminal generates a first random number, and the first random number is generated. Generating client primary data using the random number and a predetermined password, and the password authentication key exchange apparatus generates a second random number having a size larger than the first random number, and the generation Generating client secondary data based on the client primary data and the second random number, and transmitting the client secondary data to the server; and the server generates a third random number, Server data is generated based on the third random number, and the previous data is generated based on the third random number and the client secondary data. Phase and the password authentication key exchange device, the key exchange section generates a key exchange partial data based on the server is the server data generated with the second random number to generate a shared key shared with the client terminal by sending data to the client terminal, and a step of prompting generating a shared key shared with the server on the basis of the key exchange part data to the client terminal.

The present invention is a computer program for causing a computer to operate as a password authentication key exchange apparatus that can communicate with each of a client terminal that generates a first random number and a server that generates server data. Random number generating means for generating a second random number larger in size than the first random number, client primary data generated by the client terminal using the first random number and a predetermined password, and the random number generating means by sending the client secondary data to the server to generate client secondary data based on the second random number, it generates a shared key shared with the previous SL client terminal based on the client secondary data secondary data generating means for prompting said server to said server generated Wherein by sending the key exchange portion data to generate a key exchange partial data on the basis of the second random number the server data and the random number generating means to generate the client terminal has, based on the key exchange part data A computer program for causing the client terminal to function as key exchange partial data generation means for urging the client terminal to generate a shared key shared with the server.

  According to the present invention, when the client terminal performs key exchange with the server, by performing the calculation in cooperation with the client terminal, the load of the random number generation process and the calculation process on the client terminal are reduced. Key exchange can be performed efficiently.

<First Embodiment>
FIG. 1 is a conceptual diagram of a password authentication key exchange system according to the first embodiment of the present invention. The password authentication key conversion system according to this embodiment includes a password authentication key exchange device 1. The password authentication key exchange device 1 is installed in a store or the like, and can communicate with a client terminal 2 such as a mobile phone or a PDA operated by a user at any time via a wireless communication path, and further includes a plurality of servers 3a. , 3b (hereinafter referred to as “3” when collectively referring to servers) are configured to be able to communicate through the network 4 such as the Internet at any time.

  The client terminal 2 generates a first random number, and transmits a value obtained by performing a power-residue calculation of the first random number as client primary data to the password authentication key exchange apparatus 1 disposed in a store or the like. The password authentication key exchange apparatus 1 generates a second random number, and generates client secondary data from the value obtained by performing a power-residue calculation using the second random number and the client primary data. Then, the generated client secondary data is transmitted to the server 3. The server 3 shares a key that only the client terminal 2 and the server 3 can know by performing a power-residue operation again on the value of the received client secondary data using the third random number generated by itself. To do. This key is called a shared key.

  When the client terminal 2 performs key exchange with a plurality of servers 3a, 3b,..., The size of the first random number generated by the client terminal 2 is reduced, and instead, a password authentication key disposed in a store or the like. The exchange device 1 may generate a second random number having a size larger than the first random number generated by the client terminal 2.

  When the client terminal 2 shares a key with a plurality of servers 3a, 3b,... At the same timing, the password authentication key exchange device 1 disposed in the store or the like is different for each server 3a, 3b,. By generating the random number of 2, even if the generation of the first random number for each of the different servers 3a, 3b,... Is omitted in the client terminal 2, the different random numbers are used for the servers 3a, 3b,. You can also behave.

Further, for example, when the same password is set for a plurality of servers 3a, 3b,..., The password authentication key exchange device 1 disposed in the store or the like is sent from each server 3a, 3b. The calculation load of the client terminal 2 may be further reduced by calculating the difference information of the data and notifying the client terminal 2 of the difference information.
In other words, in the password authentication key exchange system, the client terminal 2 and the password authentication key exchange apparatus 1 perform the calculation in a coordinated manner, so that the load relating to the random number generation at the client terminal 2 and the power residue calculation using the random number are performed. The load is reduced.

  In this embodiment, it is assumed that the client terminal 2 and the password authentication key exchange apparatus 1 installed in a store or the like are in an environment in which, for example, proximity communication using a non-contact IC, infrared rays, or the like is possible. Therefore, as described above, even if the size of the first random number used in the client terminal 2 is small, the problem of wiretapping on the communication path between the two does not occur.

  As a specific service image of the password authentication key exchange system, for example, when the content is managed by one server 3a and the key of the content is managed by the other server 3b, In some cases, a secure communication path is established when content is downloaded, and a secure communication path is established with another server 3b for content key acquisition, billing, and the like.

  A configuration example of the password authentication key exchange apparatus 1 for realizing the above-described function is as shown in FIG. That is, the password authentication key exchange apparatus 1 includes a control unit 11 which is a kind of computer, a communication unit 12 for realizing wireless communication with the client terminal 2 and network communication with the server 3, a display unit including a liquid crystal display device and the like. 13. An operation input unit 14 including a mouse and a keyboard, and a storage unit 15 including a memory device such as a RAM, a ROM, and a hard disk.

The control unit 11 forms a random number generation function 11a, a secondary data generation function 11b, a key exchange partial data generation function 11c, and a difference information generation function 11d in the control unit 11 based on a control program 100 as an example of a computer program. To do.
The random number generation function 11a is a function for generating a second random number for each of the servers 3a, 3b... Based on the service information presented from the client terminal 2. The secondary data generation function 11 b is a function that generates client secondary data based on the client primary data created by the client terminal 2 and the second random number generated by the random number generation function 11 a and transmits it to the server 3. The key exchange partial data generation function 11c generates key exchange partial data based on the server data created by the servers 3a, 3b... And the second random number previously generated by the random number generation function 11a. 2 is a function to transmit to 2. The difference information generation function 11d generates the difference information from the plurality of server data and exchanges the key with the plurality of servers 3a, 3b... And the same password for the plurality of servers 3a, 3b. It is a function to transmit. Details of each function will be described later.

The storage unit 15 stores the generated random number for each server 3 and the status (data indicating server data waiting, key sharing, etc.) in association with each other. In addition to the above, the storage unit 15 temporarily stores various parameters used for password authentication key exchange.
When the functions 11a to 11d are formed and executed, the control unit 11 functions as a random number generation unit, a secondary data generation unit, a key exchange partial data generation unit, and a difference information generation unit, respectively. However, the implementation form of each means is not limited to the functions 11a to 11d, and can be appropriately replaced with firmware and hardware.

The client terminal 2 is configured as shown in FIG. 3, for example. That is, the client terminal 2 includes a control unit 21, a communication unit 22, a display unit 23, an operation input unit 24, and a storage unit 25. The control unit 21 is a type of computer, and by reading and executing a predetermined client control program 200, a service information management function 21a and a key exchange management function 21b are formed in the control unit 21.
The service information management function 21a is a function for holding service information registered in the client terminal 2 and notifying the store side password authentication key exchange device 1 of service information (for example, URL of the server). The key exchange management function 21b is a function for performing a password authentication key exchange with the server 3 based on the password input at the client terminal 2 and the generated second random number, and acquiring a shared key. Details of each function will be described later.

In the storage unit 25, server information corresponding to each service (for example, server URL, port number, etc.), a user ID, and the like are stored in association with each other as service information, and a service using a password is further identified. Is also stored. Also, various parameters used for password authentication key exchange are temporarily stored.
In addition, the control part 21 functions as a service information management means and a key exchange management means, respectively, when acting based on the functions 21a and 21b. However, the implementation form of each means is not limited to the functions 21a and 21b, and can be appropriately replaced with firmware and hardware.

The server 3 is configured as shown in FIG. That is, the server 3 includes a control unit 31, a communication unit 32, and a storage unit 33. The control unit 31 is a kind of computer, and executes a user management function 31a and a key exchange management function 31b in the control unit 31 by reading and executing a predetermined server control program 300. The user management function 31a is a function for holding a password for each user. The key exchange management function 31b generates a third random number, and server data based on the generated third random number and the client secondary data generated by the secondary data generation function 11b of the password authentication key exchange device 1. This is a function for obtaining a shared key by exchanging password authentication keys. Details of each function will be described later.
The storage unit 33 stores a user ID, a password, an expiration date, and a key shared flag in association with each other. Various parameters used for password authentication key exchange are also temporarily stored.
In addition, the control part 31 functions as a user management means and a key exchange management means, respectively, when acting based on the functions 31a and 31b. However, the implementation form of each means is not limited to the functions 31a and 31b, and can be appropriately replaced with firmware and hardware.

[Operation procedure]
Hereinafter, an operation example of the password authentication key exchange system of this embodiment will be described with reference to FIGS.
After the control program 200 of the client terminal 2 and other programs are activated, when the user inputs the user ID and password by operating the operation input unit 24 (step S1), the control unit 22 of the client terminal 2 exchanges keys. Based on the management function 21b, a random number Sa1 (first random number) smaller in size than a later-described random number generated on the password authentication key exchange apparatus 1 side is generated (step S2). Based on the service information management function 21a, the control unit 22 notifies the store-side password authentication key exchange apparatus 1 of the server information and the user ID of the server 3 desired to be used (step S3). At this stage, in the storage unit 25 of the client terminal 2, as “service information”, server information for each service (for example, server URL, port number, etc.), user ID, information related to a service with the same password, and password Parameters used for authentication key exchange are stored. The control unit 22 refers to the “service information” stored in the storage unit 25 and reads and notifies the server information and the user ID corresponding to the server 3 desired to be used.

  When the store side password authentication key exchange apparatus 1 receives the server information and the user ID via the communication unit 12 (step S4), the control unit 11 selects a service (step S5). When there are a plurality of services, the service may be designated on the password authentication key exchange apparatus 1 side, or when the client terminal 2 designates the service in advance, the process of step S4 may be omitted.

  The control unit 11 also generates a random number Sa2-1, Sa2-2,... Sa2-n (second random number) for each server 3 used in the service previously selected in step S5 based on the random number generation function 11a. Is generated (step S6). The control unit 11 further notifies the connection destination server 3 of the user ID sent from the client terminal 2 and creates the client primary data on the client terminal 2 side necessary for password authentication key exchange to the client terminal 2 Is requested (key exchange request) (step S7). When using a plurality of servers 3, user IDs are notified respectively.

In the client terminal 2 that has received the key exchange request, the control unit 21 uses the key exchange management function 21b to calculate the exponentiation remainder based on the hash value of the password previously input in step S1 and the random number Sa1 generated in step S2. To generate client primary data (step S8). For example, if the password input in step S1 is π, its hash value is H (π), and discrete logarithm domain parameters are k and q, the client primary data Wa1 can be obtained by a power-residue calculation as follows. it can.
g1 = H (π) ^ k modq
Wa1 = (g1 ^ Sa1 modq)

  In the client terminal 2, the control unit 21 uses the key exchange management function 21 b to transmit the public parameters used for password authentication key exchange and the client primary data Wa 1 generated in step S 8 via the communication unit 22 to the store-side password. It transmits to the authentication key exchange apparatus 1 (step S9).

  When the password authentication key exchange apparatus 1 receives the public parameter and the client primary data via the communication unit 12 (step S10), the control unit 11 determines whether or not the client primary data Wa1 is within a predetermined range (for example, a power) Whether the remainder is within the remainder value, etc.) (step S11). In step S11, when the control unit 11 determines that the client primary data Wa1 is not within the predetermined range, the server information notified from the client terminal 2 to the password authentication key exchange device 1 on the store side or the previously generated random number Sa2-1, Sa2-2,... Sa2-n are cleared and an error notification is sent to the client terminal 2 (step S12).

  When the server 3 receives the notification (key exchange request) including the user ID sent from the client terminal 2 via the communication unit 32, the control unit 31 registers the user ID based on the user management function 31a. It is confirmed whether or not (step S13). If the control unit 31 determines in step S13 that the user ID is not registered, the server information notified from the client terminal 2 to the password authentication key exchange device 1 on the store side, or the random number Sa2 generated by the device 1 -1, Sa2-2,... Sa2-n are erased, and an instruction is given to the client terminal 2 for error notification (step S14). If the control unit 31 determines that the user ID is registered, it generates a random number Sb (third random number) (step S15).

In the password authentication key exchange apparatus 1, based on the secondary data generation function 11b, the controller 11 uses the public parameters and client primary data Wa1 received in step S10 and the random numbers Sa2-1 and Sa2-generated in step S6. 2,..., Sa2-n is performed based on the power-residue calculation to generate client secondary data, and this client secondary data is transmitted to each server 3 (step S16). For example, assuming that the random number for the server 3a is Sa2-1, the client secondary data Wa to be transmitted to the server 3a can be obtained by the following modular exponentiation.
Wa2-1 = g1 ^ Sa2-1 modq
Wa = Wa1 * Wa2-1

Similarly, assuming that the random number for the server 3b is Sa2-2, the client secondary data Wa ′ to be transmitted to the server 3b can be obtained by the following modular exponentiation.
Wa2-2 = g1 ^ Sa2-2 modq
Wa '= Wa1 * Wa2-2

  When the server 3 receives the client secondary data Wa via the communication unit 32 (step S17), the control unit 31 puts the client secondary data Wa within a predetermined range (for example, within a power residue remainder value, etc.). It is confirmed whether or not there is (step S18). If it is determined that the client secondary data Wa is not within the predetermined range, the process proceeds to step S14, and the above-described instruction relating to the error notification is performed. On the other hand, when the control unit 31 determines that the client secondary data Wa is within the predetermined range, the key exchange management function 31b uses the password or password from the storage unit 35 based on the user ID previously confirmed in step S13. The server acquires password related data, creates server data using the random number Sb generated in step S15, and notifies the password authentication key exchange apparatus 1 (step S19).

For example, the server data generated by the server 3a is represented by the following expression including the random number Sb.
Wb = g1 ^ Sb modq
The server data Wb ′ generated by the server 3b by the same arithmetic expression is represented by the following expression including the random number Sb ′.
Wb '= g1 ^ Sb'modq

After execution of step S19, the server 3 shares sharing between the client terminal 2 and the server 3 based on the client secondary data Wa received by the control unit 31 in step S17 and the random number Sb generated in step S15. Key exchange shared data Z that is a source for generating a key is generated (step S20). For example, the server 3a obtains the key exchange shared data Z1 from the client secondary data Wa and the generated random number Sb by the following power residue calculation.
Z1 = Wa ^ Sb * k modq
In this case, the shared key Ki is as follows from the key exchange shared data Z1 and the public parameter Pi. H is a hash function.
Ki = H (z1‖Pi)

Similarly, in the server 3b, the key exchange shared data Z2 is obtained from the client secondary data Wa ′ and the generated random number Sb ′ by the following power-residue calculation.
Z2 = Wa ^ Sb '* k modq
In this case, the shared key Ki is as follows from the key exchange shared data Z1 and the public parameter Pi ′.
Ki = H (Z1‖Pi ′)

When the password authentication key exchange device 1 receives the server data Wb from the server 3 via the communication unit 12 (step S21), the control unit 11 applies the server data to the server data based on the key exchange partial data generation function 11c. Using the public parameters received in step S10 and the random numbers Sa2-1, Sa2-2,... Generated in step S6, key exchange partial data of the key exchange shared data is generated and notified to the client terminal 2 ( Step S22).
For example, the key exchange partial data Z2-1 of the key exchange shared data Z1 notified from the server 3a is obtained from the server data Wb, the random number Ss2-1, and the discrete logarithm domain parameter q by the following power-residue calculation.
Z2-1 = Wb ^ Ss2-1 modq

Similarly, the key exchange partial data Z2-2 of the key exchange shared data Z2 notified from the server 3b is obtained from the server data Wb ′, the random number Ss2-2, and the domain parameter q of the discrete logarithm by the following power residue calculation. .
Z2-2 = Wb '^ Ss2-2 modq

That is, when server data is received from a plurality of servers (step S23), the control unit 11 determines whether or not the plurality of servers have the same password setting (step S24). If the same password is not set, key exchange partial data is generated as described above and transmitted to the client terminal 2 (step S25). On the other hand, when a plurality of servers have the same password setting, the control unit 11 generates key exchange partial data by the key exchange partial data generation function 11c and calculates difference information by the difference information generation function 11d. These are transmitted to the client terminal 2 (step S26).
For example, the difference information between the server data Wb from the server 3a and the server data Wb ′ from the server 3a is Wb ′ / Wb.

When the client terminal 2 receives the key exchange partial data from the password authentication key exchange device 1 via the communication unit 22 (step S27), the control unit 21 verifies the key exchange partial data (step S28). Here, it is confirmed whether or not the received key exchange partial data is within a predetermined range (for example, whether it is within a remainder value of a power residue). In the case of an error, the password authentication key exchange device 1 or server 3 on the store side is checked. Then, this is notified, and the information set and generated in each node is deleted (step S29). On the other hand, when the received key exchange partial data is within the predetermined range, the control unit 21 determines whether or not difference information has been sent (step S30). If not sent, the key exchange shared data Z1 is generated using the random number Sa1 generated in step S2 (step S31). In this case, the key exchange shared data Z1 can be obtained by the following power-residue calculation.
Za = (Z2-1 ^ k modq)
Zb = Wb ^ Sa1 * k modq
Z1 = Za * Zb
= (Wb ^ (Sa1 * k + Sa2-1 * k) modq
= (Wb ^ (Sa1 + Sa2-1 * k) modq

The shared key Ki is as follows from the key exchange shared data Z1 and the public parameter Pi.
Ki = H (Z1‖Pi)

On the other hand, when difference information is sent in step S30, in the client terminal 2, the control unit 21 generates key exchange shared data Z2 based on the random number Sa1 generated in step S2 and the difference information ( Step S32). For example, the difference information between the server data Wb from the server 3a and the server data Wb ′ from the server 3a is Wb ′ / Wb. In step S32, using this difference information, the key exchange shared data Z2 is obtained by the following power-residue calculation.
Zc = (Z2-2 ^ k modq)
Zd = Zb * difference information (= Wb ′ / Wb)
Z2 = Zc * Zd
= (Wb '^ ((Sa1 + Sa2-2) * k) modq
The shared key Ki is as follows from the key exchange shared data Z2 and the public parameter Pi ′.
Ki = H (Z1‖Pi ′)

  As is clear from the above description, according to the password authentication key exchange system of the first embodiment, the size of the first random number generated by the client terminal 2 is the size of the second random number generated by the store-side device 1. By making it smaller than the above, it becomes possible to reduce the processing load of the modular exponentiation operation related to the first random number in the client terminal 2. Also, security can be ensured by not disclosing the discrete logarithm domain parameter k value in the store side password authentication key exchange apparatus 1. Even if the client terminal 2 wishes to exchange keys simultaneously with a plurality of servers 3, it is only necessary to generate one first random number, so that the processing burden can be reduced in this respect as well. Furthermore, when the same password is used for a plurality of servers 3, the processing load on the client terminal 2 can be further reduced by using the difference information. In this way, the client terminal 2 and the password authentication key exchange device 1 perform calculations in cooperation, thereby reducing the load related to random number generation at the client terminal 2 and the load such as exponentiation remainder processing using random numbers. Is possible.

  In addition, since a safe communication path can be established between the inexpensive client terminal 2 having a low computing capacity and the plurality of servers 3a, 3b,..., Even in an environment where a safe communication path between the servers 3a, 3b,. Service cooperation using a plurality of servers 3a, 3b.

Second Embodiment
Next, a second embodiment of the password authentication key exchange system will be described. The password authentication key exchange system of this embodiment is obtained by adding a new function to the password authentication key exchange device 1 that is a component of the system according to the first embodiment. The conceptual diagram is substantially the same as FIG. 1, the configuration of the client terminal 2 is the same as that of FIG. 3, and the configuration of the server 3 is the same as that of FIG.
First, with reference to FIG. 7, the structural example of the password authentication key exchange apparatus 5 which comprises the password authentication key exchange system which concerns on 2nd Embodiment is demonstrated.
The password authentication key exchange device 5 includes a control unit 51 as a kind of computer, a communication unit 52 for realizing wireless communication with the client terminal 2 and network communication with the server 3, a display unit 53 including a liquid crystal display device, a mouse, and the like. And an operation input unit 54 including a keyboard and a storage unit 55 including a memory device such as a RAM and a ROM.

The control unit 51 forms at least a request calculation management function 51a, a client / server connection management function 51b, a shared key confirmation function 51c, and a client / server communication function 51d based on a control program 500 as an example of a computer program.
The request calculation management function 51a includes the random number generation function 11a, the secondary data generation function 11b, the key exchange partial data generation function 11c, and the difference information generation function 11d of the first embodiment (FIG. 2) described above. This includes functions related to calculation function selection / addition and determination of random number generation size according to each client / server (based on client calculation capability, communication security level with server, etc.).

  The client / server connection management function 51b is used for session management, that is, management such as session allocation when the client terminal 2 is temporarily disconnected from the store side password authentication key exchange device 1 and accessed simultaneously at a plurality of servers, and the plurality of servers 3 A function to hold response results from other servers 3 until a response is received from the server 3 when accessing the server, a function to generate a generated random number MAC for each site, a function to verify when using it, and a proxy in the event of a server connection error It is a function to access the server. The shared key data confirmation function 51c includes a retry / disconnection function such as when a password is entered incorrectly. The client / server communication management function 51d is used for managing the connection time of the client / server (including accounting) and deleting the session ID generated by the client / server connection management (when the client / server connection is completed or when an abnormality occurs). This function. Details of each function will be described later.

  In the case of acting based on the functions 51a to 51d, the control unit 51 functions as a request calculation management unit, a client / server connection management unit, a shared key confirmation unit, and a client / server communication management unit, respectively. However, the implementation form of each means is not limited to the functions 51a to 51d, and can be appropriately replaced with firmware or hardware.

[Operation procedure]
Next, the operation of the password authentication key exchange apparatus 5 according to the second embodiment will be described with reference to the procedure explanatory diagrams of FIGS.
First, the procedure of the requested calculation management process by the requested calculation management function 51a by the control unit 51 will be described with reference to the procedure explanatory diagram of FIG.
When receiving a request calculation request and calculation data from the client terminal 2 (step S51), the control unit 51 determines whether or not a function corresponding to the request calculation is formed, that is, whether or not the function is provided. (Step S52). If it does not have a function, it is determined whether or not the function can be downloaded (step S53). If it can be downloaded, the calculation function is downloaded, and the process proceeds to step S56 (step S54). If the download is impossible, an error notification is sent to the client terminal 2 (step S55).
Note that the downloading of the function corresponding to the request calculation is based on the download of the corresponding application. When the server 3 plays a role as an ASP, a request is sent to the server 3 to check whether or not the corresponding application exists and whether or not the download is possible. Become. However, it is needless to say that the method is not limited to this method.

  Thereafter, the control unit 51 selects a computation module corresponding to the requested computation (step S56), and the security level between the requested server 3 and the store side password authentication key exchange device 5 (self) is registered. It is determined whether or not there is (step S57). “Security level” refers to a value obtained by quantifying the degree of security such as a safety level for security. If this security level is not registered, route information to the server 3 is acquired, a level value of the security level is calculated, and the process proceeds to step S59 (step S58). If the security level has already been registered, the process proceeds to step S59.

  The control unit 51 acquires a random number size corresponding to the level value of the security level (step S59), and determines whether or not a random number size that can be calculated by the client terminal 2 is notified (step S60). If not notified, a random number size corresponding to the security level of the server 3 is set as a random number generated by the store side password authentication key exchange device 5 (self) (step S61). On the other hand, if notified, the difference between the random size sizes of the server 3 and the client terminal 2 is set as the random size of the password authentication key exchange device 5 (self) on the store side (step S62). In this way, a random number is generated, calculation is performed on the calculation data received in step S51 (step S63), and the process proceeds to execution of the client / server connection management function 51b (step S64).

  The procedure of the client / server connection management process by the client / server connection management function 51b is as shown in FIG. The flow of the client / server connection management process is divided into two types depending on whether or not there is a connection request from the client terminal 2 to the plurality of servers 3. That is, the control unit 51 determines whether or not there is a connection request from the client terminal 2 to the plurality of servers 3 (step S71). If there is no request, the control unit 51 performs the client / server connection management process after step S73. On the other hand, if there is such a request, the process proceeds to a second process of client / server connection management described later (step S72).

  In the first process of client / server connection management, first, a session ID for a server is generated, stored in the storage unit 55 together with the generated random number (step S73), and the calculation result is notified to the server 3 (step S74). Thereafter, the control unit 51 generates a session ID for the client terminal 2 and notifies the client terminal 2 of the session ID (step S75), and monitors whether there is no response from the server 3 beyond the waiting time (step S76). In step S76, when there is no response from the server 3 beyond the waiting time, it is confirmed whether or not an alternative server is specified at the time of error (step S77). If there is an alternative server designation, reconnection is made to the designated alternative server (step S78). On the other hand, when the alternative server is not specified, the control unit 51 clears the random number and the session ID and notifies the client terminal 2 of an error (step S79).

  When the data from the server 3 is received during the monitoring of step S76 (step S80), the control unit 51 determines whether or not the session ID in the received data is the same as the session ID held in the storage unit 55. Judgment is made (step S81). If they are not the same, the random number and the session ID are cleared, and an error notification is sent to the client terminal 2 (step S79). On the other hand, when both are the same, the calculation using the random number corresponding to the session ID and the data received from the server 3 is performed (step S82), and the calculation result is notified to the client terminal 2 (step S82). S83).

  Thereafter, the control unit 51 determines whether the client terminal 2 and the password authentication key exchange device 5 (self) are in a communicable state (step S84). If it is not in a communicable state, the session ID is displayed on the display unit 53 of the store-side device 5 (self) to prompt the client terminal 2 to enter a waiting state (step S85). Then, it is monitored whether or not communication with the client terminal 2 is allowed beyond this waiting time (step S86). If communication is not possible, the random number and session ID are cleared, and an error is notified to the client terminal 2 (step S79). On the other hand, when both are in a communicable state at step S84 and when communication is possible at this step S86, communication is performed with the client terminal 2 (step S87), and the shared key data confirmation processing is performed. (Step S88).

  FIG. 10 shows the procedure of the second process of client / server connection management by the control unit 51. In FIG. 9, when the process proceeds to the second client / server connection management process (FIG. 9: step S72), the control unit 51 generates and assigns a group ID for each server session ID as shown in FIG. The group ID is notified to the server 3 (step S101). Then, it is monitored whether there is a response from the server 3 beyond the waiting time (step S102). If there is no response from the server 3, the random number and session ID are cleared and an error notification is sent to the client terminal 2 (step S103). On the other hand, when there is a response, data from the server 3 is received (step S104). Then, it is determined whether or not the session ID in the received data is the same as the session ID held in the storage unit 55 (step S105). If they are not the same, the random number and session ID are cleared and an error notification is sent to the client terminal 2 (step S103).

  If it is determined in step S105 that both session IDs are the same, the control unit 51 determines whether there is no server session ID having the same group ID that has not received data from the server 3 (step S105). S106). If there is something that has not been received, the process returns to step S104, and the above processing procedure is repeated. On the other hand, if there is nothing that has not been received, the control unit 51 clears the group ID assigned to the session ID for each server (step S107), and the random numbers held in the storage unit 55 corresponding to each session ID. Then, a predetermined calculation (integration, power residue calculation, etc.) is performed using the received data from the server 3. Moreover, difference information is calculated as needed (step S108). Thus, the control unit 51 notifies the client terminal 2 of the calculation result via the communication unit 52 (step S109), and proceeds to the shared key data confirmation process (step S110). Of course, instead of the processing in step S108, the same processing as in steps S84 to S86 in FIG. 9 may be performed.

Next, a procedure of shared key confirmation processing based on the shared key confirmation function 51c by the control unit 51 will be described with reference to the procedure explanatory diagram of FIG.
The control unit 51 first determines whether or not confirmation data for key exchange shared data has been requested (step S121). Here, it is assumed that the request is made from the server 3 after the key exchange is completed between the client terminal 2 and the server 3. If the request has not been made, the process proceeds to a client / server communication management process described later (step S122). On the other hand, when the request has been made, the control unit 51 requests the client terminal 2 to generate confirmation data (step S123).
When the confirmation data from the client terminal 2 is received (step S124), the control unit 51 determines whether or not the session ID given to the received confirmation data is the same as the session ID held in the storage unit 55. (Step S125). If both are not the same, an error notification is sent to the client terminal 2 and the server 3, and the session ID and received data are cleared (step S126). When both are the same, the confirmation data acquired from the client terminal 2 is notified to the server 3 (step S127).

  Thereafter, when data from the server 3 is received (step S128), it is determined whether or not the session ID in the received data is the same as the session ID held in the storage unit 55 (step S129). If both are not the same, an error notification is sent to the client terminal 2 and the server 3, and the session ID and received data are cleared (step S126). On the other hand, when both are the same, the control part 51 judges whether the response from the server 3 is the confirmation data NG (step S130). When the response from the server is the confirmation data NG, the control unit 51 increments the number of NG (step S131), and monitors whether the number of NG is equal to or greater than the predetermined number (step S132). When the number of NG times is equal to or greater than the predetermined number, the control unit 51 notifies the client terminal 2 and the server 3 of an error via the communication unit 52 and clears the session ID and received data (step S126). On the other hand, when the number of NG is less than the predetermined number, the control unit 51 requests the client terminal 2 to re-enter the password, and performs the calculation again (step S133).

Next, with reference to FIG. 12, the procedure of the client / server communication management process based on the client / server communication management function 51d by the control unit 51 will be described.
The control unit 51 permits communication between the client terminal 2 and the server 2 (step S141), and requests data from the client terminal 2 by server transmission (step S142). When data is received from the client terminal 2 (step S143), the control unit 51 determines whether there is a request for disconnecting the communication between the client and the server from the client terminal 2 (step S144). If there is such a request, the control unit 51 disallows communication between the client terminal 2 and the server 3 and clears the session ID (step S145). On the other hand, when there is no such request, the control unit 51 determines whether or not the session ID given to the data received from the client terminal 2 is the same as the session ID held in the storage unit 55 (step S146). If they are not the same, the control unit 51 notifies the client terminal 2 and the server 3 of an error, and clears the session ID and received data (step S150). On the other hand, if both are the same, the data received from the client terminal 2 is notified to the server 3 (step S148).

  When the control unit 51 receives data from the server 3 via the communication unit 52 (step S149), the control unit 51 determines whether or not the session ID in the received data is the same as the session ID held in the storage unit 55. Judgment is made (step S150). If the two are not the same, the control unit 51 proceeds to step S147 and performs the above-described processing. On the other hand, when both are the same, the control part 51 notifies the client terminal 2 of the data acquired from the server 3 via the communication part 52 (step S151). Then, the control unit 51 determines whether or not the communication time between the client terminal 2 and the server 3 has exceeded the limit (step S152). If the limit is exceeded, the process proceeds to step S145 and the above-described processing is performed. On the other hand, if the limit is not exceeded, the process returns to step S142 to repeat the series of processes described above.

  As described above, in the second embodiment, in addition to the function of the password authentication key exchange apparatus 1 according to the first embodiment, not only the power-residue calculation based on the request calculation management function 51a but also other requests for calculations are supported. It was shown that it would be possible. In addition, the determination method of the random number size of the second random number generated by the password authentication key exchange device 5 is embodied. Further, when the client terminal 2 accesses a plurality of servers 3, management processing based on the group ID in addition to the session ID is realized by the client / server connection management function 51b. Further, a check using confirmation data at the time of password authentication key exchange is also realized as a shared key data confirmation function 51c. Communication management after password authentication key exchange is also made appropriate by the client / server communication function 51d. Therefore, further efficiency of password authentication key exchange and service cooperation using a plurality of servers 3a, 3b... In a secure communication environment are possible.

Although the present invention has been described with reference to the first and second embodiments, the present invention is not limited to these embodiments, and various improvements and modifications can be made. As the first embodiment, an example in which the client terminal 2 exchanges with a plurality of servers 3a, 3b... Is shown, but the present invention can also be applied to key exchange between a plurality of client terminals as in P2P. Moreover, although the case where the communication between the client terminal 2 and the password authentication key exchange devices 1 and 5 on the store side is a proximity communication has been described as an example, if there is another reliable communication path, the remote terminal Of course, the key may be exchanged via the network.
Further, the present invention has an advantage that key information can be exchanged while reducing threats such as key loggers and phishing that acquire personal information since personal information such as passwords does not leak to store terminals and communication channels.

The conceptual diagram of the password authentication key exchange system using the password authentication key exchange apparatus 1 which concerns on 1st Embodiment of this invention. The figure which showed the structural example of the password authentication key exchange apparatus. The figure which showed the structural example of the client terminal. The figure which showed the structural example of the server. Explanatory drawing of the operation | movement procedure of the password authentication key exchange system which concerns on 1st Embodiment. Explanatory drawing of the operation | movement procedure of the password authentication key exchange system which concerns on 1st Embodiment. The figure which showed the structural example of the password authentication key exchange apparatus which comprises the password authentication key exchange system which concerns on 2nd Embodiment. Explanatory drawing of a request calculation management process. Explanatory drawing of the 1st process of a client server connection management. Explanatory drawing of the 2nd process of a client server connection management. Explanatory drawing of a shared key confirmation process. Explanatory drawing of the procedure of a client server communication management process.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 1 ... Password authentication key exchange apparatus, 2 ... Client terminal, 3 ... Server, 4 ... Network, 5 ... Password authentication key exchange apparatus, 11 ... Control part, 12 ... Communication part, 13 ... Display part, 14 ... Operation input part, DESCRIPTION OF SYMBOLS 15 ... Memory | storage part, 11a ... Random number generation function, 11b ... Secondary data generation function, 11c ... Key exchange partial data generation function, 11d ... Difference information generation function, 21 ... Control part, 22 ... Communication part, 23 ... Display part, 24 ... Operation input unit, 25 ... Storage unit, 21a ... Service information management function, 21b ... Key exchange management function, 31 ... Control unit, 32 ... Communication unit, 33 ... Storage unit, 31a ... User management function, 31b ... Key exchange Management function.

Claims (8)

A password authentication key exchange device capable of communicating with each of a client terminal that generates a first random number and a server that generates server data,
Random number generating means for generating a second random number larger in size than the first random number;
The client terminal generates client secondary data based on the client primary data generated by using the first random number and a predetermined password and the second random number generated by the random number generation means, and the client secondary data by sending data to the server, and the secondary data generating means for prompting generating a shared key shared with the previous SL client terminal based on the client secondary data to the server,
By sending the said key exchange partial data to generate a key exchange partial data on the basis of the second random number that the server is the server data and the random number generating means generates generated to the client terminal, the key exchange A password authentication key exchange device , comprising: key exchange partial data generation means for prompting the client terminal to generate a shared key shared with the server based on partial data. The client terminal is capable of communicating with a plurality of servers,
The random number generation means is capable of generating a second random number different for each server.
The password authentication key exchange apparatus according to claim 1. And further comprising difference information generating means for generating difference information of the plurality of server data generated by the plurality of servers, wherein the difference information generating means uses the difference information in addition to the key exchange partial data. Prompt the client terminal to generate a key;
The password authentication key exchange apparatus according to claim 2. A system having a server, a client terminal for generating a first random number, and a password authentication key exchange device capable of communicating with each of the servers,
The server generates server data using the third random number and the third random number, and shares the client terminal with the client terminal based on the third random number and the client secondary data generated by the client terminal. A key exchange management means for generating a shared key to be
The password authentication key exchange device is:
Random number generating means for generating a second random number larger in size than the first random number;
The client terminal generates the client secondary data on the basis of the second random number the first random number and client primary data and the random number generator generated using a password-generated, the client secondary Secondary data generation means for transmitting data to the server ;
By sending the said key exchange partial data to generate a key exchange partial data on the basis of the second random number that the server is the server data and the random number generating means generates generated to the client terminal, the key exchange A password authentication key exchange system , comprising: key exchange partial data generation means for prompting the client terminal to generate a shared key shared with the server based on partial data. The client terminal is capable of communicating with a plurality of servers,
The random number generation means generates a second random number different for each server;
The password authentication key exchange system according to claim 4. The password authentication key exchange apparatus further includes difference information generation means for generating difference information of a plurality of server data related to a plurality of servers,
The difference information generation means prompts the client terminal to generate the shared key further using the difference information in addition to the key exchange partial data.
The password authentication key exchange system according to claim 5. A method executed by a system having a server and a password authentication key exchange device capable of communicating with each of client terminals,
The client terminal generates a first random number and generates client primary data using the first random number and a predetermined password;
The password authentication key exchange device generates a second random number that is larger in size than the first random number, and generates client secondary data based on the generated client primary data and the second random number. Generating and sending the client secondary data to the server ;
The server generates a third random number, generates server data based on the third random number, and shares a shared key with the client terminal based on the third random number and the client secondary data Generating
By the password authentication key exchange unit transmits the key exchange portion data to generate a key exchange section data based on said server data which the server generates the second random number to said client terminal, the key Urging the client terminal to generate a shared key shared with the server based on exchange partial data,
Password authentication key exchange method. A computer program for causing a computer to operate as a password authentication key exchange device that can communicate with each of a client terminal that generates a first random number and a server that generates server data,
The computer,
Random number generating means for generating a second random number having a size larger than that of the first random number;
The client terminal generates client secondary data based on the client primary data generated by using the first random number and a predetermined password and the second random number generated by the random number generation means, and the client secondary data by sending data to the server, secondary data generating means for prompting generating a shared key shared with the previous SL client terminal based on the client secondary data to the server,
By sending the said key exchange partial data to generate a key exchange partial data on the basis of the second random number that the server is the server data and the random number generating means generates generated to the client terminal, the key exchange A computer program for functioning as key exchange partial data generation means for urging the client terminal to generate a shared key shared with the server based on partial data.

Images