JP4864566B2 - Attribute authentication method, key management device, service providing destination device, service providing source device, and attribute authentication system - Google Patents

Description

  The present invention relates to an attribute authentication method, a key management device, a service providing destination device, a service providing source device, and an attribute authentication system.

Conventionally, a server providing a service such as distribution of predetermined data or permission to connect to a predetermined website uses the attribute certificate in which the personal information of the service user is described, and the identity of the service user A technique of performing authentication or the like is known (see, for example, Patent Document 1). In addition, since various types of information described in attribute certificates are mostly related to the privacy of service users, for example, encryption is generally performed to protect the information from being leaked to the outside. .
JP 2004-304227 A

  By the way, the attribute certificate is issued for each server of the service provider that performs the personal authentication, for example, according to each use. Therefore, a device such as a mobile terminal on the service user side needs to store all of a plurality of attribute certificates issued for each server in order to use a service from each server. However, there are many cases where the storage capacity of a device on the service user side, such as a mobile phone, is often limited, and it may be difficult to secure a large memory capacity enough to store a plurality of attribute certificates.

  Therefore, the present invention has been made in view of the above, and an attribute authentication method, a key management device, and a service that can prevent a service providing destination device from consuming a large amount of memory to store a plurality of attribute certificates. It is an object of the present invention to provide a providing apparatus, a service providing apparatus, and an attribute authentication system.

  In order to solve the above-described problem, the attribute authentication method according to the present invention provides a plurality of ciphers that differ for each attribute information when the attribute certificate generation device generates an attribute certificate including a plurality of attribute information. A first step of encrypting a plurality of attribute information with a key, and a key management device for managing the encryption key group a plurality of decryption keys corresponding to each of the plurality of encryption keys in the first step, and A second step of storing the group identification information for identifying the group and the decryption keys belonging to the group in association with each other, and the service providing destination apparatus acquires a plurality of group identification information from the key management apparatus, and a plurality of group identifications Encryption identification information is generated by encrypting specific group identification information from the information with the public key of the service provider apparatus, and the attribute certificate generation apparatus is used in the first step. A third step of transmitting the generated attribute certificate together with the encrypted identification information to the service providing source device, and the service providing source device from the encrypted identification information transmitted from the service providing destination device in the third step. A fourth step of decrypting the specific group identification information using the private key of the own device and requesting the decryption key corresponding to the specific group identification information to the key management device, and the key management device of the service providing source device In response to the request, the fifth step of transmitting the decryption key stored in association with the specific group identification information to the service providing source device, and the service providing source device transmitting from the service providing destination device in the third step The group specified by the specific group identification information by decrypting the attribute certificate with the decryption key transmitted by the key management device in the fifth step And a sixth step of acquiring attribute information corresponding to the.

  In addition, when generating an attribute certificate that includes a plurality of attribute information, the key management device encrypts the plurality of attribute information with a plurality of encryption keys that differ for each attribute information. Receiving a plurality of encryption keys, grouping a plurality of decryption keys corresponding to each of the plurality of encryption keys, and associating the group identification information for identifying the grouped group with the decryption keys belonging to the group And storing the storage unit for storing and the specific group identification information decrypted by the service providing source device, and transmitting the decryption key stored in association with the specific group identification information to the service providing source device. Transmitting means.

  Further, the service providing destination device specifies a group of a plurality of decryption keys corresponding to each of a plurality of different encryption keys for each of a plurality of pieces of attribute information included in the attribute certificate from a key management device that manages the encryption keys. A plurality of pieces of identification information are obtained, encrypted identification information is generated by encrypting specific group identification information from the obtained group identification information with the public key of the service providing source device, and the attribute certificate generation device The generated attribute certificate is transmitted to the service provider apparatus together with the encrypted identification information.

  In addition, the service provider apparatus identifies a plurality of decryption key groups corresponding to a plurality of different encryption keys for each of the plurality of attribute information included in the attribute certificate, and is encrypted with the public key of the own apparatus. The group identification information received by the service providing destination device and decrypted by the decryption means for decrypting the group identification information from the group identification information encrypted using the private key of the own device and the key management device for managing the encryption key Means for transmitting the group identification information decrypted by the means, receiving means for receiving the decryption key stored in association with the group identification information from the key management device, and receiving means for receiving the attribute certificate received by the service providing destination device Acquisition means for acquiring attribute information corresponding to the decryption key of the group specified by the group identification information by decrypting with the decryption key received from the key management device Equipped with a.

  Further, the attribute authentication system generates a plurality of different attribute information for each attribute information when generating the key management device, the service providing destination device, the service providing source device, and the attribute certificate including a plurality of attribute information. An attribute certificate generating device for encrypting a plurality of attribute information with the encryption key.

  According to the attribute authentication method, key management device, service providing destination device, service providing source device, and attribute authentication system of the present invention, the attribute information is encrypted with a different encryption key for each attribute information. On the other hand, the decryption key corresponding to each encryption key is associated with different group identification information for each group to which the decryption key belongs. That is, the attribute information is classified according to each application, for example, for each group of decryption keys required when a certain service provider device authenticates the user of the service provider, and each group includes the group identification information. Is associated. The attribute information of a plurality of groups is included in one attribute certificate.

  On the other hand, a certain service providing source device receives the attribute certificate and the encrypted identification information for the own device from the service providing destination device. Since the encrypted identification information for the own device is encrypted with the public key of the own device, the service providing source device uses the private key of the own device to encrypt the group encrypted in the encrypted identification information. The identification information can be decoded. Then, the service provider apparatus inquires about the decryption key for the self apparatus associated with the group identification information by transmitting the decrypted group identification information to the key management apparatus. When the key management device reads out the decryption key for the service provider device stored in association with the group identification information and transmits it to the service provider device, the service provider device includes the attribute certificate. Among the plurality of described attribute information, only the attribute information for the own device that can be decrypted with the transmitted decryption key can be partially decrypted and read.

  On the other hand, for example, when a certain service provider device acquires encryption identification information for another device, the service provider device does not know the secret key of the other device, and thus the public key of the other device. It is not possible to decrypt the group identification information for other devices encrypted in (1). For this reason, the service providing source apparatus cannot inquire the key management apparatus about the decryption key for the other apparatus, and cannot acquire the decryption key for the other apparatus. Therefore, it is possible to prevent the service providing source device from reading attribute information for other devices among the plurality of attribute information included in the attribute certificate.

  As described above, even if one attribute certificate is shared between different service provider devices, a service provider device cannot read attribute information for other devices. In other words, the attribute certificate generating device only needs to generate one attribute certificate for one service providing destination device regardless of the number of devices that provide services to one service providing destination device. In other words, even if one service providing destination device is provided with services from a plurality of service providing source devices, it is only necessary to hold one attribute certificate. In this case, each service providing device reads only the attribute information for its own device and does not authenticate itself without reading the attribute information for other devices. Therefore, it is possible to prevent the service providing destination device from consuming a large amount of memory in order to store, for example, a plurality of attribute certificates corresponding to the number of service providing source devices.

  In the present invention, the attribute information is encrypted with a different encryption key for each attribute information. On the other hand, the service providing destination device transmits group identification information (encrypted identification information) associated with each group of decryption keys to the service providing source device. Since the group identification information is associated with each group of decryption keys, the number of group identification information is equal to or less than the number of decryption keys. For this reason, for example, the amount of data transmitted by the service providing destination apparatus can be reduced compared to a case where the service providing destination apparatus transmits a decryption key that differs for each attribute information to the service providing source apparatus. Therefore, the communication burden on the service providing destination apparatus is small, and the communication cost on the user side using the service can be reduced.

  According to the present invention, a certain service provider device cannot read attribute information for other devices. For this reason, the service providing destination device only needs to hold one attribute certificate when services are provided from a plurality of service providing source devices, for example. Therefore, it is possible to prevent the service providing destination device from consuming a large amount of memory in order to store, for example, a plurality of attribute certificates corresponding to the number of the plurality of service providing source devices.

  Exemplary embodiments of an attribute certificate generating device, a key management device, a service providing destination device, a service providing source device, an attribute authentication system, and an attribute authentication method according to the present invention will be described below in detail with reference to the accompanying drawings. . In the description of the drawings, the same elements are denoted by the same reference numerals, and redundant description is omitted.

  First, a basic configuration of the attribute authentication system 1 according to the embodiment of the present invention will be described with reference to FIG. FIG. 1 is a schematic configuration diagram of the attribute authentication system 1. As shown in FIG. 1, an attribute authentication system 1 includes an attribute certificate issuing device (attribute certificate generating device) 10, a key management device 20, a user terminal (service providing destination device) 30, and a server (service providing source device) 40. And a public key management device 50. In FIG. 1, the user terminal 30 and the server 40 are illustrated as a single unit, but in the actual configuration of the attribute authentication system 1, there are a plurality of user terminals 30 and servers 40. The attribute certificate issuing device 10 is installed in, for example, an attribute certificate issuing authority (AA), and the public key management device 20 is installed in, for example, a certificate authority (CA) that issues public keys. It is. Hereinafter, each component of the attribute authentication system 1 will be described in detail.

  The attribute certificate issuing device 10 is a device that issues an attribute certificate. FIG. 2 is a hardware configuration diagram of the attribute certificate issuing device 10. As shown in FIG. 2, the attribute certificate issuing device 10 physically includes a CPU 11, a RAM 12 and a ROM 13 that are main storage devices, an input device 14 such as a keyboard and a mouse that are input devices, and an output device 15 such as a display. The computer system includes a communication module 16 that is a data transmission / reception device such as a network card, and an auxiliary storage device 17 such as a hard disk. Each function of the attribute certificate issuing device 10 to be described later is configured to read predetermined software on hardware such as the CPU 11 and the RAM 12 shown in FIG. 2 to control the communication module 16, the input device 14, This is realized by operating the output device 15 and reading and writing data in the RAM 12 and the auxiliary storage device 17.

  Returning to FIG. 1, the attribute certificate issuing device 10 is configured to be able to communicate with the user terminal 30 via the communication network 60. The communication network 60 is a wireless communication network such as the Internet network, a PDC (Personal Digital Cellular) network, and an IMT (International Mobile Telecommunication) 2000 network. In addition, the attribute certificate issuing device 10 is configured to be able to communicate with the key management device 20 via the communication network 70. The communication network 70 is a communication network such as the Internet network.

  FIG. 3 is a schematic configuration diagram of the attribute certificate issuing device 10. As shown in FIG. 3, the attribute certificate issuing device 10 functionally includes an attribute information encryption unit 110, an attribute certificate issue unit 120, and an encryption key transmission unit 130.

  The attribute information encryption unit 110 encrypts the attribute information with a different encryption key for each attribute information. FIG. 4 is a diagram showing an encryption key used for the encryption process of the attribute information encryption unit 110. As shown in FIG. 4, the attribute information encryption unit 110 encrypts “user identification information” of the attribute information with the encryption key 1. Similarly, the attribute information encryption unit 110 encrypts “billing information” of the attribute information with the encryption key 2 and encrypts “affiliation information” of the attribute information with the encryption key 3. Thus, one attribute information corresponds to one encryption key. Note that the above-described correspondence (correspondence between attribute information and encryption key) is the same in the following description. Returning to FIG. 3, the attribute information encryption unit 110 outputs the encrypted attribute information to the attribute certificate issuing unit 120. Further, the attribute information encryption unit 110 outputs the encryption key used for encrypting each attribute information to the encryption key transmission unit 130. The attribute information encryption unit 110 attaches information specifying attribute information encrypted with a certain encryption key to the encryption key and outputs the information to the encryption key transmission unit 130.

  The attribute certificate issuance unit 120 receives encrypted attribute information from the attribute information encryption unit 110 and generates an attribute certificate describing the encrypted attribute information. FIG. 5 is a diagram illustrating an attribute certificate generated by the attribute certificate issuing unit 120. As shown in FIG. 5, the attribute certificate includes “user identification information” encrypted with the encryption key 1, “billing information” encrypted with the encryption key 2, and “ "Affiliation information" is described. That is, a plurality of attribute information encrypted with different encryption keys is described in one attribute certificate. In addition, as will be described later, one attribute certificate in which a plurality of encrypted attribute information is described is shared by a plurality of service provider devices. Returning to FIG. 3, the attribute certificate issuing unit 120 issues the attribute certificate generated in this way to the user terminal 30 via the communication network 60. This issuance processing is performed by transmitting attribute certificate electronic data from the attribute certificate issuing device 10 to the user terminal 30.

  The encryption key transmitting unit 130 receives the encryption key used for encrypting the attribute information from the attribute information encrypting unit 110 and transmits the input encryption key to the key management apparatus 20.

  Returning to FIG. 1, the key management device 20 is a device that manages an encryption key used for encryption of attribute information and an arbitrary random number (group identification information) in association with each other. Similar to the attribute certificate issuing device 10, the key management device 20 is configured as a computer system including CPU, RAM, ROM, input device, output device, communication module, auxiliary storage device and the like as physical components. (See FIG. 2). The key management device 20 is configured to be able to communicate with the attribute certificate issuing device 10 and the server 40 via the communication network 70. The key management device 20 is configured to be able to communicate with the user terminal 30 via the communication network 60.

  FIG. 6 is a schematic configuration diagram of the key management device 20. As shown in FIG. 6, the key management device 20 functionally includes a table storage unit (storage means) 210, an encryption key reception unit 220, a random number generation unit 230, a random number transmission unit 240, an inquiry reception unit 250, and an inquiry. A response unit (transmission means) 260 is provided.

  The table storage unit 210 stores an attribute classification table that is referred to when the random number generation unit 230 described later generates a different random number for each group to which attribute information belongs. In the attribute classification table, attribute information is grouped. In the present embodiment, the attribute information is classified for each group of attribute information necessary when performing personal authentication for a user of a service providing destination with a server of a certain service providing source.

  FIG. 7 is a diagram illustrating an example of the attribute classification table stored in the table storage unit 210. Each attribute information in FIG. 7 is classified for each group of attribute information necessary for each server to authenticate the user of the user terminal 30. That is, the attribute information used when the server 40A authenticates the user of the user terminal 30 is “user identification information”, and “user identification information” is classified into group A. Similarly, “user identification information” and “charging information” used by the server 40B are classified into group B, and “charging information” and “affiliation information” used by the server 40C are classified into group C. Further, “user identification information”, “billing information”, and “affiliation information” used by the server 40D are classified into a group D. As described above, at least one attribute information belongs to each group. In addition, for example, one attribute information such as “user identification information” may belong to a plurality of groups. Note that the above-described classification (affiliation relationship between attribute information and group) is the same in the following description.

  Returning to FIG. 6, the encryption key receiving unit 220 receives the encryption key used for encrypting the attribute information from the attribute certificate issuing device 10. As described above, the encryption key transmitted from the attribute certificate issuing device 10 is attached with the identification information of the attribute information encrypted with the encryption key. The encryption key receiving unit 220 outputs the received encryption key to the random number generation unit 230.

  The random number generation unit 230 receives an encryption key from the encryption key reception unit 220 and generates a different random number for each group to which the encryption key belongs. Specifically, the random number generation unit 230 first groups the encryption keys input from the encryption key reception unit 220. In the present embodiment, the random number generation unit 230 classifies a certain encryption key into the same group as the group to which the attribute information encrypted with the encryption key belongs. At this time, the random number generation unit 230 refers to the attribute classification table stored in the table storage unit 210 and knows to which group certain attribute information belongs. In addition, the random number generation unit 230 refers to the specific information attached to the encryption key to know which encryption key is used for encryption of certain attribute information.

  FIG. 8 shows how the random number generation unit 230 classifies the encryption keys. As shown in the first and second columns from the left in FIG. 8, the encryption key 1 (the encryption key used to encrypt the “user identification information”) is the group A (the group to which the “user identification information” belongs). ). Similarly, the encryption key 1 and the encryption key 2 are classified into the group B, and the encryption key 2 and the encryption key 3 are classified into the group C. The encryption key 1, the encryption key 2, and the encryption key 3 are classified into a group D.

  The random number generator 230 generates a different random number for each of the classified groups. FIG. 8 shows how the random number generation unit 230 generates random numbers. As shown in the first and third columns from the left in FIG. 8, the random number generation unit 230 generates a random number A as a random number of the group A. Similarly, the random number generation unit 230 generates a random number B as a group B random number, generates a random number C as a group C random number, and generates a random number D as a group D random number. The random number generation unit 230 outputs the generated random number and the decryption key corresponding to the encryption key belonging to the same group as the random number to the table storage unit 210. In the present embodiment, an arbitrary encryption key and a decryption key corresponding to the encryption key are the same.

  The table storage unit 210 receives a random number and a decryption key belonging to the same group as the random number from the random number generation unit 230 and stores the random number and the decryption key in association with each other. FIG. 8 shows a state in which the table storage unit 210 stores a random number and a decryption key in association with each other. As shown in FIG. 8, the table storage unit 210 stores the decryption key 1 and the random number A in association with each other. Similarly, the table storage unit 210 stores the decryption key 1, the decryption key 2, and the random number B in association with the group B, and the decryption key 2, the decryption key 3, and the random number C in association with the group C. Attached and stored. For group D, decryption key 1, decryption key 2, decryption key 3 and random number D are stored in association with each other.

  Returning to FIG. 6, the random number transmission unit 240 transmits the random number stored in the table storage unit 210 to the user terminal 30. The random number transmission unit 240 adds information specifying a server belonging to a group associated with a certain random number to the random number and transmits the information to the user terminal 30.

  The inquiry receiving unit 250 receives an arbitrary random number from the server 40. The inquiry receiving unit 250 outputs the received random number to the inquiry response unit 260.

  The inquiry response unit 260 receives an arbitrary random number from the inquiry reception unit 250, reads the decryption key stored in the table storage unit 210 in association with the random number, and transmits the read decryption key to the server 40 It is. Specifically, in the example illustrated in FIG. 8, when the inquiry reception unit 250 receives, for example, the random number A from the server 40, the inquiry response unit 260 transmits the decryption key 1 associated with the random number A from the table storage unit 210. Read and send to server 40. For example, when the inquiry receiving unit 250 receives the random number B from the server 40, the inquiry response unit 260 reads the decryption key 1 and the decryption key 2 associated with the random number B from the table storage unit 210 and sends them to the server 40. Send. Similarly, when the inquiry reception unit 250 receives the random number C or the random number D from the server 40, the decryption key associated with the random number is read and transmitted.

  Returning to FIG. 1, the user terminal 30 is a service-providing portable terminal, and is, for example, a cellular phone in the present embodiment. FIG. 9 is a hardware configuration diagram of the user terminal 30. As shown in FIG. 9, the user terminal 30 physically includes a CPU 31, a RAM 32 and a ROM 33 that are main storage devices, an operation unit 34 such as an operation button, an LCD (Liquid Crystal Display), an EL (Electro Luminescence), and the like. The output device 35, the attribute certificate issuing device 10, the public key management device 50, and the server 40 are configured to include a wireless communication unit 36 that wirelessly transmits and receives data and an auxiliary storage device 37 such as a memory device. Each function of the user terminal 30 to be described later is configured such that predetermined software is read on the hardware such as the CPU 31 and the RAM 32 shown in FIG. 9 to control the operation unit 34, the output device 35, and the wireless communication unit under the control of the CPU 31. This is realized by operating 36 and reading and writing data in the RAM 32 and the auxiliary storage device 37. In addition, the RAM 32 and the auxiliary storage device 37 of the user terminal 30 are limited in their storable capacities, and it is difficult to ensure a large memory capacity enough to store a plurality of attribute certificates, for example. Returning to FIG. 1, the user terminal 30 is configured to be able to communicate with the attribute certificate issuing device 10, the key management device 20, the server 40, and the public key management device 50 via the communication network 60.

  FIG. 10 is a schematic configuration diagram of the user terminal 30. As shown in FIG. 10, the user terminal 30 functionally includes a reception unit 310, an encrypted random number generation unit 320, a service request unit 330, and a service transfer unit 340.

  The receiving unit 310 receives the attribute certificate issued by the attribute certificate issuing device 10 via the communication network 60. In addition, the reception unit 310 receives a random number generated by the key management device 20 via the communication network 60. As described above, the random number transmitted from the key management device 20 is assigned identification information of servers belonging to the group associated with the random number. In addition, the receiving unit 310 acquires the public key of the server 40 from the public key management device 20 via the communication network 60. The receiving unit 310 outputs the random number acquired from the key management device 20 and the public key acquired from the public key management device 20 to the encrypted random number generation unit 320. Further, the reception unit 310 outputs the attribute certificate acquired from the attribute certificate issuing device 10 to the service request unit 330.

  The encrypted random number generation unit 320 receives the random number and the public key from the reception unit 310 and encrypts the random number with the server public key indicated by the server specifying information attached to the random number. Encryption random numbers (encryption identification information) are generated. FIG. 11 is a diagram illustrating a public key used for the encrypted random number generation process of the encrypted random number generation unit 320, the encrypted random number generated by the encrypted random number generation process, and the like. As shown in FIG. 11, the encrypted random number generator 320 encrypts the random number A with the public key of the server 40A (the server specified by the server identification information attached to the random number A), and encrypts the random number A for the server 40A. Is generated. Similarly, the encrypted random number generator 320 encrypts the random number B with the public key of the server 40B to generate an encrypted random number B for the server 40B, and encrypts the random number C with the public key of the server 40C. The encrypted random number C is generated, and the random number D is encrypted with the public key of the server 40D to generate the encrypted random number D for the server 40D. Returning to FIG. 10, the encrypted random number generation unit 320 outputs the encrypted random number generated by the encryption to the service request unit 330.

  The service request unit 330 requests a service such as distribution of predetermined data or permission for connection to a predetermined website from the server 40 via the communication network 60. In order for the user terminal 30 to receive the service from the server 40, the user terminal 30 needs to cause the server 40 to authenticate the identity of the user of the terminal itself. For this reason, the service request unit 330 transmits the request signal for the service to the server 40, the attribute certificate input from the reception unit 310, and the encryption for the server generated by the encrypted random number generation unit 320. A random number is transmitted to the server 40.

  The service transfer / reception unit 340 accepts the provision of service from the server 40 as a response signal to the service request signal or the like transmitted from the service request unit 330 to the server 40.

  Returning to FIG. 1, the server 40 is a service provider server. As with the attribute certificate issuing device 10 and the key management device 20, the server 40 is a computer system including a CPU, RAM, ROM, input device, output device, communication module, auxiliary storage device, and the like as physical components. It is configured (see FIG. 2). The server 40 is configured to be able to communicate with the key management device 20 via the communication network 70. The server 40 is configured to be able to communicate with the user terminal 30 via the communication network 60.

  FIG. 12 is a schematic configuration diagram of the server 40. As shown in FIG. 12, the server 40 functionally includes a service request reception unit 410, a random number decryption unit (decryption unit) 420, a secret key storage unit 430, a decryption key inquiry unit 440, a decryption key reception unit (reception unit). ) 450, an attribute information acquisition unit (acquisition means) 460, and a service providing unit 470.

  The service request receiving unit 410 receives a service request signal from the user terminal 30 via the communication network 60 and confirms the identity of the user of the user terminal 30 with the attribute certificate and the encryption for the own server. The randomized random number is further received. The service request reception unit 410 outputs the encrypted random number for the server received from the user terminal 30 to the random number decryption unit 420. Further, the service request reception unit 410 outputs the attribute certificate received from the user terminal 30 to the attribute information acquisition unit 460. Further, the service request receiving unit 410 outputs the service request signal received from the user terminal 30 to the service providing unit 470.

  The random number decryption unit 420 receives an encrypted random number from the service request reception unit 410 and decrypts the random number encrypted in the encrypted random number. At this time, the random number decryption unit 420 decrypts the random number using the private key of the own server stored in the private key storage unit 430. As described above, an arbitrary encrypted random number is a server's public key indicated by server specifying information attached to a random number obtained by decrypting the encrypted random number, and the random number is encrypted. For this reason, the random number decryption unit 420 uses the private key of the local server stored in the private key storage unit 430 to generate the random number for the local server from the encrypted random number for the local server input from the service request reception unit 410. Can be decrypted.

  For example, in FIG. 11 described above, the server 40A receives the encrypted random number A from the user terminal 30, and decrypts the random number A from the encrypted random number A using the private key of the server itself. On the other hand, the server 40A does not receive encrypted random numbers (for example, encrypted random number B) for other servers. Even if the server 40A acquires the encrypted random number for the other server, the server 40A does not know the secret key of the other server, so that the random number for the other server (for example, the random number B) may be decrypted. Can not. Similarly, the server 40B decrypts the random number B from the encrypted random number B using the private key of its own server, and the server 40C decrypts the random number C from the encrypted random number C using the private key of its own server. The server 40D decrypts the random number D from the encrypted random number D using the private key of its own server. In contrast, each server does not receive encrypted random numbers for other servers, but even if it acquires encrypted random numbers for other servers, each server knows the secret key of the other server. Therefore, the random numbers for other servers cannot be decrypted. Returning to FIG. 12, the decryption key decryption unit 420 outputs the decrypted random number for its own server to the decryption key inquiry unit 440.

  The decryption key inquiry unit 440 refers to when the service providing unit 470 confirms the identity of the user of the user terminal 30 by transmitting the random number for its own server decrypted by the random number decryption unit 420 to the key management device 20. The key management device 20 is inquired of a decryption key for decrypting the attribute information to be performed.

  The decryption key receiving unit 450 receives the decryption key transmitted from the key management device 20 in response to the inquiry from the decryption key inquiry unit 440. Decryption key receiving section 450 outputs the received decryption key to attribute information acquisition section 460.

  The attribute information acquisition unit 460 uses the decryption key input from the decryption key reception unit 450 and uses the decryption key among the plurality of attribute information described in the attribute certificate input from the service request reception unit 410. Only the decodable attribute information is partially decoded and read. The decryption key input from the decryption key receiving unit 450 is a decryption key stored in the key management device 20 in association with the random number decrypted by the random number decryption unit 420 from the encrypted random number for its own server. For this reason, the attribute information that can be decrypted with the decryption key is the same as the attribute information required when the server itself confirms the identity of the user of the user terminal 30. The attribute information acquisition unit 460 outputs the read attribute information to the service providing unit 470.

  The service providing unit 470 confirms the identity of the user terminal 30 with respect to the user by referring to the attribute information input from the attribute information acquisition unit 460, and input from the service request receiving unit 410 according to the confirmation result A service corresponding to the service request signal is provided to the user terminal 30.

  Returning to FIG. 1, the public key management device 50 is a device that manages the public key of the server 40. As with the attribute certificate issuing device 10, the public key management device 20 is configured as a computer system including CPU, RAM, ROM, input device, output device, communication module, auxiliary storage device, and the like as physical components. (See FIG. 2). The public key management device 20 is configured to be able to communicate with the user terminal 30 via the communication network 60.

  FIG. 13 is a schematic configuration diagram of the public key management device 50. As shown in FIG. 13, the public key management device 50 functionally includes a public key storage unit 510 and a public key transmission unit 520. The public key storage unit 510 stores the public key of the server 40 acquired in advance from the server 40, for example. The public key transmission unit 520 transmits the public key of the server 40 stored in the public key storage unit 510 to the user terminal 30.

  Next, an operation (attribute authentication method) performed by the attribute authentication system 1 will be described with reference to FIGS. 14 and 15. 14 and 15 are sequence diagrams illustrating the operation of the attribute authentication system 1. First, an operation performed in the attribute authentication system 1 before the service providing destination device requests a service from the service providing source device will be described with reference to FIG.

  First, the attribute certificate issuing device 10 encrypts the attribute information with a different encryption key for each attribute information. That is, for example, as can be understood with reference to FIG. 4 described above, the attribute certificate issuing device 10 encrypts the “user identification information” of the attribute information with the encryption key 1 and the “accounting information” of the attribute information with the encryption key 2. The attribute information “affiliation information” is encrypted with the encryption key 3 (step S101).

  Next, the attribute certificate issuing device 10 describes the attribute information encrypted in step S1, generates an attribute certificate as shown in FIG. 5, for example, and issues the attribute certificate to the user terminal 30. (Step S2).

  Next, the attribute certificate issuing device 10 transmits the encryption key (encryption key 1, encryption key 2, and encryption key 3) used for the encryption process in step S1 to the key management device 20 (step S103).

  Next, the key management device 20 groups the encryption keys received from the attribute certificate issuing device 10 in step S103, and generates different random numbers for each group. That is, for example, as can be seen with reference to FIG. 8 described above, the key management device 20 generates a random number A as a random number of the group A (the group into which the encryption key 1 is classified). Similarly, the random number generation unit 230 generates a random number B as a group B random number, generates a random number C as a group C random number, and generates a random number D as a group D random number. When grouping the encryption keys, the key management device 20 refers to, for example, the attribute classification table shown in FIG. 7, knows to which group certain attribute information belongs, and encrypts the attribute information. The encryption keys used in the above are classified into the same group as the attribute information (step S104).

  Next, the key management device 20 stores the random number generated in step S104 and the decryption key corresponding to the encryption key belonging to the same group as the random number (step S105).

  Next, the key management device 20 transmits the random number generated in step S104 and stored in step S105 to the user terminal 30 (step S106).

  Next, the public key management device 50 transmits the public key acquired in advance from the service providing source device such as the server 40A to the user terminal 30 (step S107).

  Next, the user terminal 30 encrypts the random number received in step S106 with the public key received in step S107, and generates an encrypted random number. At this time, the user terminal 30 encrypts an arbitrary random number with the server public key indicated by the server identification information attached to the random number. That is, for example, as can be understood with reference to FIG. 11 described above, the user terminal 30 encrypts the random number A with the public key of the server 40A (the server indicated by the server identification information attached to the random number A). The encrypted random number A is generated. Similarly, the user terminal 30 encrypts the random number B with the public key of the server 40B to generate an encrypted random number B for the server 40B, encrypts the random number C with the public key of the server 40C, and encrypts the server 40C. A random number C is generated, and the random number D is encrypted with the public key of the server 40D to generate an encrypted random number D for the server 40D (step S108).

  The main operation performed in the attribute authentication system 1 before the user terminal 30 of the service providing destination device makes a service request to the server 40A of the service providing source device has been described above. On the other hand, below, with reference to FIG. 15, the operation | movement performed when the user terminal 30 of a service provision destination apparatus requests | requires a service to the server 40A and the server 40B of a service provision source apparatus is demonstrated.

  The user terminal 30 requests a service from the server 40A via the communication network 60. The user terminal 30 transmits the service request signal, the attribute certificate issued in step S102, and the encrypted random number A for the server 40A generated in step S108 to the server 40A (step S201).

  Next, in order to provide the user terminal 30 with a service corresponding to the service request signal received in step S201, the server 40A first confirms the identity of the user terminal 30 with respect to the user. The server 40A first decrypts the random number A encrypted in the encrypted random number A received in step S201 with the private key of its own server. In step S108, the encrypted random number A is obtained by encrypting the random number A with the public key of the server 40A. Therefore, the server 40A can decrypt the random number A based on the encrypted random number A with the private key of the server itself. Yes (step S202).

  Next, the server 40A queries the key management device 20 for a decryption key for decrypting the attribute information necessary for confirming the identity of the user terminal 30 to the user. This operation is performed by the server 40A transmitting the random number A decrypted in step S202 to the key management apparatus 20 (step S203).

  Next, the key management device 20 responds to an inquiry from the server 40A. In this operation, the key management device 20 reads the decryption key 1 stored in step S105 in association with the random number A received in step S203 (see FIG. 8), and transmits the read decryption key 1 to the server 40. (Step S204).

  Next, the server 40A uses the decryption key 1 received in step S204 to decrypt and read “user identification information” described in the attribute certificate received in step S201. In step S101 and step S102, since the attribute certificate is obtained by encrypting and describing the “user identification information” with the encryption key 1, the server 40A decrypts the “user identification information” with the decryption key 1. It can be read (step S205).

  Next, the server 40A uses the “user identification information” read in step S205 to confirm the identity of the user terminal 30 with respect to the user (step S206).

  Next, the server 40A provides a service corresponding to the service request signal received in step S201 to the user terminal 30 (step S207).

  Further, the user terminal 30 requests a service from the server 40B via the communication network 60. The user terminal 30 transmits the service request signal, the attribute certificate issued in step S102, and the encrypted random number B for the server 40B generated in step S108 to the server 40B (step S301).

  Next, the server 40B first confirms the identity of the user terminal 30 with respect to the user in order to provide the user terminal 30 with a service corresponding to the service request signal received in step S301. The server 40B first decrypts the random number B encrypted in the encrypted random number B received in step S301 with the private key of its own server. In step S108, the encrypted random number B is obtained by encrypting the random number B with the public key of the server 40B. Therefore, the server 40B can decrypt the random number B based on the encrypted random number B with the private key of the own server. Yes (step S302).

  Next, the server 40B queries the key management device 20 for a decryption key for decrypting attribute information necessary for confirming the identity of the user terminal 30 to the user. This operation is performed by the server 40B transmitting the random number B decrypted in step S302 to the key management device 20 (step S303).

  Next, the key management device 20 responds to an inquiry from the server 40B. In this operation, the key management device 20 reads the decryption key 1 and the decryption key 2 stored in step S105 in association with the random number B received in step S303 (see FIG. 8), and the read decryption key 1 and This is performed by transmitting the decryption key 2 to the server 40 (step S304).

  Next, using the decryption key 1 and decryption key 2 received in step S304, the server 40B decrypts and reads “user identification information” described in the attribute certificate received in step S301. In step S101 and step S102, the attribute certificate is obtained by encrypting and describing “user identification information” with the encryption key 1 and encrypting and describing “accounting information” with the encryption key 2. 40B can decrypt and read “user identification information” and “billing information” with the decryption key 1 and the decryption key 2 (step S305).

  Next, the server 40B confirms the identity of the user terminal 30 with respect to the user using the “user identification information” and “billing information” read in step S305 (step S306).

  Next, the server 40B provides a service corresponding to the service request signal received in step S301 to the user terminal 30 (step S307).

  Next, operations and effects of the attribute authentication system 1 and the attribute authentication method according to the present embodiment will be described. According to the attribute authentication system 1 and the attribute authentication method of the present embodiment, the attribute information is encrypted with a different encryption key for each attribute information. On the other hand, a decryption key corresponding to each encryption key is associated with a different random number for each group to which the decryption key belongs. That is, the attribute information is classified according to each application, for example, for each group of decryption keys required when a certain service provider device authenticates the user of the service provider, and each group corresponds to the above random number. Attached. The attribute information of a plurality of groups is included in one attribute certificate.

  On the other hand, each server receives the attribute certificate and the encrypted random number for its own server from the user terminal 30. Since the encrypted random number for the local server is encrypted with the public key of the local server, the server uses the private key of the local server to decrypt the random number encrypted in the encrypted random number. Can do. Then, the server sends the decrypted random number to the key management device 20, thereby inquiring about the decryption key for the server associated with the random number. When the key management apparatus 20 reads out the decryption key for the server stored in association with the random number and transmits the decryption key to the server, the server, among the plurality of attribute information described in the attribute certificate, Only the attribute information for the server that can be decrypted with the transmitted decryption key can be partially decrypted and read.

  On the other hand, for example, when a certain server obtains an encrypted random number for another server, the server does not know the secret key of the other server, so the other server is encrypted with the public key of the other server. Unable to decrypt random numbers for other servers. For this reason, the server cannot query the key management apparatus 20 for the decryption key for another server, and cannot obtain the decryption key for another server. Therefore, it is possible to prevent the server from reading the attribute information for another server among the plurality of attribute information included in the attribute certificate.

  As described above, even if one attribute certificate is shared between different servers, a server cannot read attribute information for another server. That is, the attribute certificate issuing device 10 need only generate one attribute certificate for one user terminal regardless of the number of servers that provide services to one user terminal. In other words, even if one user terminal is provided with services from a plurality of servers, it is only necessary to hold one attribute certificate. In this case, each server does not read the attribute information for other servers, but only the attribute information for its own server is read to perform identity authentication. Therefore, it is possible to prevent the user terminal from consuming a large amount of memory in order to store a plurality of attribute certificates corresponding to the number of servers, for example.

  In the present embodiment, the attribute information is encrypted with a different encryption key for each attribute information. On the other hand, the user terminal 30 transmits a random number (encrypted random number) associated with each group of decryption keys to the server 40. Since random numbers are associated with each group of decryption keys, the number of random numbers is equal to or less than the number of decryption keys. For this reason, for example, compared with the case where the user terminal 30 transmits different decryption keys for each attribute information to the server, the amount of data transmitted by the user terminal 30 can be reduced. Therefore, the communication burden on the user terminal 30 is small, and the communication cost on the side using the service can be reduced.

  In the present embodiment, the attribute classification table stored in the key management device 20 (the affiliation relationship between each group and attribute information) determines which attribute information a certain server can acquire. For this reason, the type of attribute information that can be acquired by any server can be easily changed simply by changing the affiliation relationship described in the attribute classification table. This is useful, for example, when changing the type of personal information of a user disclosed to the server of the service provider.

  As mentioned above, although preferred embodiment of this invention was described, it cannot be overemphasized that this invention is not limited to the said embodiment.

  For example, in the above embodiment, the attribute certificate issuing device 10 performs the attribute information encryption process, but the user terminal 30 may perform the attribute information encryption process. In this case, for example, the attribute authentication system 1 can be configured by including the attribute certificate issuing device 10 in the user terminal 30. Further, the attribute authentication system 1 may be configured by including the key management device 20 in the user terminal 30.

  In the above embodiment, an arbitrary encryption key and a decryption key corresponding to the encryption key are the same, but they may be separate from each other. In this case, the decryption key may be generated by the attribute certificate issuing device 10 or may be generated by the user terminal 30.

  In the above embodiment, the user terminal 30 is configured to receive a random number from the key management device 20, but a password input from the user of the user terminal 30 may be used instead of the random number. . At this time, the key management device 20 may store the password and the decryption key in association with each other. In this case, since it is not necessary for the user terminal 30 to store a random number, the memory cost of the user terminal 30 can be reduced.

1 is a schematic configuration diagram of an attribute authentication system 1. FIG. 2 is a hardware configuration diagram of an attribute certificate issuing device 10. FIG. 2 is a schematic configuration diagram of an attribute certificate issuing device 10. FIG. It is a figure which shows the encryption key used for the encryption process of attribute information. It is the figure which imaged the attribute certificate. 2 is a schematic configuration diagram of a key management device 20. FIG. It is a figure which shows an example of an attribute classification table. 4 is a diagram illustrating an example of data stored in a key management device 20. FIG. 2 is a hardware configuration diagram of a user terminal 30. FIG. 2 is a schematic configuration diagram of a user terminal 30. FIG. It is a figure which shows the public key etc. in the production | generation process of an encryption random number. 2 is a schematic configuration diagram of a server 40. FIG. 2 is a schematic configuration diagram of a public key management device 50. FIG. It is a sequence diagram which shows operation | movement of the attribute authentication system 1. It is a sequence diagram which shows operation | movement of the attribute authentication system 1.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 ... Attribute authentication system, 10 ... Attribute certificate issuing apparatus, 20 ... Key management apparatus, 210 ... Table storage part, 260 ... Query response part, 30 ... User terminal, 40 ... Server, 420 ... Random number decoding part, 450 ... Decryption Key receiving unit, 460 ... attribute information acquisition unit, 50 ... public key management device, 60, 70 ... communication network.

Claims (5)

A first step of encrypting the plurality of attribute information with a plurality of encryption keys different for each attribute information when the attribute certificate generating device generates an attribute certificate including a plurality of attribute information;
A key management device that manages encryption keys groups a plurality of decryption keys corresponding to each of the plurality of encryption keys in the first step, and identifies group identification information that identifies the grouped group and decryption belonging to the group A second step of storing the keys in association with each other;
The service providing destination apparatus obtains the plurality of group identification information from the key management apparatus, and encrypts the specific group identification information from the plurality of group identification information with the public key of the service providing source apparatus. A third step of generating encrypted identification information and transmitting the attribute certificate generated by the attribute certificate generating device in the first step to the service providing device together with the encrypted identification information;
The service providing source device decrypts the specific group identification information from the encrypted identification information transmitted from the service providing destination device in the third step using the private key of the own device, and the specific group A fourth step of requesting the key management device for a decryption key corresponding to the identification information;
A fifth step in which the key management device transmits a decryption key stored in association with the specific group identification information to the service providing device in response to a request from the service providing device;
The service providing source device decrypts the attribute certificate transmitted from the service providing destination device in the third step with the decryption key transmitted by the key management device in the fifth step. And a sixth step of acquiring attribute information corresponding to the decryption key of the group specified by the group identification information. When generating an attribute certificate including a plurality of attribute information, from the attribute certificate generating device that encrypts the plurality of attribute information with a plurality of encryption keys different for each attribute information, the plurality of encryption keys Storage means for grouping a plurality of decryption keys corresponding to each of the plurality of encryption keys and storing the group identification information for specifying the grouped group and the decryption keys belonging to the group in association with each other When,
Transmitting means for receiving the specific group identification information decrypted by the service providing device and transmitting the decryption key stored in the storage means in association with the specific group identification information to the service providing device. A key management device characterized by the above.   A plurality of group identification information for specifying a plurality of groups of decryption keys corresponding to a plurality of different encryption keys for each of the plurality of attribute information included in the attribute certificate is acquired from a key management device that manages the encryption key, and Encryption identification information is generated by encrypting specific group identification information from among a plurality of acquired group identification information with the public key of the service provider apparatus, and the attribute certificate generated by the attribute certificate generation apparatus is A service providing destination device that transmits the encrypted identification information to the service providing source device. A service providing destination that identifies a group of a plurality of decryption keys corresponding to each of a plurality of different encryption keys for each of a plurality of pieces of attribute information included in an attribute certificate, and provides group identification information encrypted with the public key of the own device Decryption means for decrypting the group identification information from the encrypted group identification information received by the device and using the private key of the own device;
Receiving means for transmitting the group identification information decrypted by the decryption means to a key management apparatus for managing an encryption key, and receiving the decryption key stored in association with the group identification information from the key management apparatus;
Attribute information corresponding to the decryption key of the group specified by the group identification information is obtained by decrypting the attribute certificate received by the service providing destination device with the decryption key received from the key management device by the receiving unit. And a service providing apparatus characterized by comprising: The attribute certificate generation apparatus according to claim 2, wherein when generating an attribute certificate including a plurality of attribute information, the attribute certificate generation apparatus encrypts the plurality of attribute information with a plurality of encryption keys different for each attribute information. An attribute authentication system comprising: a key management device; a service provision destination device according to claim 3; and a service provision source device according to claim 4.

Images