JP5125682B2 - Key sharing system - Google Patents

Description

  The present invention relates to a key sharing system for sharing secret information between two entities using public key cryptography.

  In recent years, information exchange by communication has been actively performed, and encryption for concealing communication is an indispensable technology. In modern cryptography, communication secrecy is realized by keeping the cryptographic key secret even if the algorithm is disclosed. Therefore, in communication using encryption, it becomes a problem how to share a key for encrypting data between both parties performing communication.

  Modern ciphers are mainly classified into symmetric key ciphers and public key ciphers. The former is typically a block cipher such as DES or AES, and assumes that the transmitting side and the receiving side have the same key in advance. The latter is typically RSA encryption, and the keys used for encryption and decryption are different. The key used for encryption is called a public key, and the key used for decryption is called a secret key. It is easy to generate a public key from a private key, but the reverse is very difficult. For this reason, even if the public key is disclosed, if the secret key is not leaked, the information encrypted with the public key can be decrypted only by the person who has the secret key.

  However, since public key cryptography requires a much larger amount of computation than symmetric cryptography, the key used in symmetric key cryptography (called session key) is shared using public key cryptography, and the actual data is symmetric key. Encryption processing is often performed using encryption.

When using public key cryptography, it is necessary to ensure that domain parameters and public keys that define operations used in public key cryptography are correct. In the case of a method using a discrete logarithm over a finite field, the domain parameter is composed of a prime number p that determines a residue system operation and an element g (mod p) of mod p that is a generator of the discrete logarithm problem, and a secret key x (mod For q), the public key is generally defined as y = g ^x (mod p). Here, q is the order of g, that is, the smallest natural number a that satisfies g ^a = 1 (mod p).

  Here, the domain parameter and the public key are collectively referred to as public information. As for the validity of public information, a method based on a public key certificate by a certificate authority is well known. On the other hand, in a closed system, it is possible to ensure reliability by obtaining public information directly from a reliable organization.

  For example, the model of the cryptographic communication system as shown in FIG. 8 includes parameter generation means 101, server 102 and terminal 103. There are multiple terminals for one server. Each terminal directly communicates only with the server. The parameter generation means generates public key encryption parameters and key information at the time of terminal distribution, sets necessary information for the server and the terminal, and then passes the terminal to the user. The parameter generation unit 101 and the server 102 may be realized by the same device.

In a key sharing scheme based on the Diffie-Hellman algorithm, a prime number p is generated such that (p−1) is divisible by q for a sufficiently large prime number q. At this time, there is an element g that is not 1 such that g ^q = 1 (mod p). Diffie-Hellman key sharing between entities A and B is performed as shown in Table 1 below.

In Table 1, r and s are secret keys, and g ^r (mod p) and g ^s (mod p) are public keys. Both can share a common secret g ^(rs) (mod p), and finding g ^(rs) (mod p) from g ^r (mod p) and g ^s (mod p) is a discrete logarithm problem. It is considered as difficult.

However, the Diffie-Hellman algorithm is resistant to passive attacks that eavesdrop on g ^r (mod p) and g ^s (mod p) and seeks secret information, but is vulnerable to active attacks such as spoofing. It has been. Therefore, it is essential to authenticate the communication partner when using the Diffie-Hellman algorithm.

  Therefore, for the key sharing with authentication, for example, a method described in Non-Patent Document 1 is known.

  The authentication key sharing method described in Non-Patent Document 1 will be described below. In key sharing with authentication, there are a fixed key mainly used for authentication and a temporary key used only for session key generation. A fixed key is a secret key and public key that are held in advance between entities. It is a key that is held for a long time, and it is possible to verify that the other party has a fixed secret key using the fixed public key. Authentication can be realized. On the other hand, the temporary key is a secret key and a public key generated by using a random number generated when a session key is generated in the Diffie-Hellman algorithm.

  Non-Patent Document 1 describes a method C (1,1) as a key sharing method when a fixed secret key exists only on one side. The first ‘1’ of C (1,1) represents the number of temporary keys, and the second ‘1’ represents the number of fixed keys.

  FIG. 9 shows an example of information relating to the processing of the parameter generation means in C (1,1) and the fixed key held by the server and terminal. The following processing is performed for the fixed key indexes i = 1, 2,..., L set in the terminal.

  The parameter generation unit 101 generates a set of (p (i), q (i), g (i), x (i), y (i)), and the server 102 generates the generated (p (i) , q (i), g (i), x (i), y (i)). Further, the terminal 103 holds a list 202 of a set of (p (i), g (i), y (i)).

  By setting the fixed public key for the server at the terminal in this way, the terminal can verify the impersonation of the server.

  A procedure for key sharing with authentication when C (1,1) is applied to a communication model having the terminal 103 and the server 102 will be described below with reference to FIG. The terminal 103 transmits a terminal ID to the server 102 (step S1001). The server 102 determines the index i of the parameter to be used in the parameter list for the terminal 103 (step S1002) and transmits it to the terminal 103 (step S1003). Here, these steps can be omitted if there is an agreement regarding the index of parameters to be used in advance.

The terminal 103 generates a random number r (1 <r <q (i)) (step S1004), obtains a temporary public key w = g (i) ^r (mod p (i)) (step S1005), and the server 102 (Step S1006). Normally, the server 102 performs processing for checking the validity of the temporary public key w here. That is, it is verified that w is not 0, 1 but w ^{q (i)} = 1 (mod p (i)).

The terminal 103 calculates z = y (i) ^r (mod p (i)) = g ^{(rx (i))} (mod p (i)) using r and the fixed public key y (i) (step S1007). ). A session key k = kdf (w, otherinfo) is generated by using the key derivation function kdf that receives the generated z and otherinfo, which is shared information between the terminal and the server (may be public information) (step S1008). It is desirable to apply a hash function to the key derivation function. The otherinfo includes terminal-specific information such as a terminal ID. When a hash function is used, a bit string obtained by concatenating w and otherinfo is used as an input of the hash function. The hash function is described in Non-Patent Document 2, for example.

The server 102 calculates Z = wx ⁽ⁱ⁾ (mod p (i)) = ^{grx (i)} (mod p (i)) using the received w (step S1009). If the processing is correctly performed, Z = z can be shared between the terminal 103 and the server 102. The server 102 derives the session key K = k using the key derivation function kdf using the otherinfo and Z identical to those of the terminal 103 (step S1010).

  FIG. 11 shows a method of generating a temporary secret key in the server S. If a fixed secret key of the server is leaked, it is possible to prevent a past session key from being obtained. . In the following, the difference from FIG. 10 is shown.

After the index i is transmitted by the server 102, a random number a is generated (step S1104), a temporary public key b = g (i) ^a (mod p (i)) is generated (step S1105), and transmitted to the terminal 103 (step S1104). S1108). Server 102, ^{C = w a (mod p (} i)) = g (ra) (mod p (i)) to generate (step S1110), the terminal 103 ^{c = g (ar) (mod} p (i)) Is generated (step S1114). If the processing is correctly performed, C = c can be shared between the server 102 and the terminal 103. The server 102 derives a session key k using Z, C and otherinfo (step S1112). Similarly, the terminal 103 derives a session key K = k using z, c and otherinfo (step S1115).

  Further, in order to perform secure key sharing, a step for confirming that both share the same session key as shown in FIG. 12 is indispensable. Message authentication can be used for this confirmation. For message authentication, for example, a method using common key encryption described in Non-Patent Document 3 can be applied.

  A session key confirmation procedure in the server 102 shown in FIG. 12 will be described below. A part of session key K is assigned to secret key K1 for common key encryption, and the rest is assigned to secret key K2 for message authentication (step S1201). A message authenticator M of message authentication data Mac_Data_S_T is generated using K2 as a secret key (step S1202) and transmitted to the terminal 103 (step S1205). Mac_Data_S_T is composed of public data that can be shared between the server 102 and the terminal 103, and data including a temporary public key and an ID.

  The message authenticator m sent from the terminal 103 is verified using the key K2 and the message authentication data Mac_Data_T_S (step S1207). Further, the terminal 103 generates and transmits the Mac_Data_T_S message authenticator m in the same procedure as the server 102, and verifies the message authenticator M sent from the server 102. Mac_Data_T_S is the same data as Mac_Data_S_T, but they need to be different.

  As described above, the key sharing method using the discrete logarithm problem on the finite field has been described. However, as shown in Non-Patent Document 1, the same key sharing can be performed even if the module formed by the rational points of the elliptic curve on the finite field is used. It can be carried out. By using an elliptic curve, safety can be maintained even if the parameter is set small, and the processing speed can be increased.

Patent Document 1 describes an invention that reduces the key length size by adopting an encryption method based on the discrete logarithm problem on an elliptic curve, and verifies the validity of data exchanged between terminals. ing.
JP 2007-13564 A NIST Special Publication (SP) 800-56A, `` Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography '', 2006 NIST Federal Information Processing Standards (FIPS) Publication 180-2, "Specifications for the ECURE HASH STANDARD" 2002 NIST Special Publication (SP) 800-38B `` Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication '' 2005

  However, when domain parameters and public keys are set in advance in a terminal, the terminal uses the settings for a relatively long period of time. For this reason, when an attacker obtains the information of the terminal, an attack opportunity is given to the domain parameter for a relatively long period of time.

  In Patent Document 1, although protection is provided by validity verification, such a situation is not desirable in an application that requires high-strength security, and it is desirable that an attacker obtain as little information as possible from the terminal. It is. For this purpose, there is a method in which the server sends public information to the terminal at the start of a session without storing any key information in the terminal in advance.

  However, there is a problem that server impersonation can be easily performed at this time. Further, when an unauthorized server sends an unauthorized domain parameter, the security may be impaired even if the fixed secret key is not leaked.

  The present invention has been made in view of the above problems, and realizes high-strength security that makes it impossible to obtain domain parameter information even if terminal information leaks.

  In order to solve the above-described problem, a key sharing system according to the present invention includes a parameter generation device having parameter generation means for generating a domain parameter, a secret key, and a public key for public key cryptography for each terminal, a server, and a terminal. In a key sharing system that shares secret information, the parameter generation device has a hash value calculation means for calculating a hash value for a bit string composed of domain parameters, and the server generates a publicly generated parameter generation device for each terminal. First holding means for holding a list including a domain parameter and a secret key of key encryption, and the terminal includes second holding means for holding a list composed of a set of a public key and a hash value generated by the parameter generation device. It is characterized by providing.

  The parameter generation device includes an exclusive OR generation unit that generates a random number having the same length as the bit string including the domain parameter and obtains an exclusive OR with the hash value, and the server uses the first holding unit. , Holding the list including the domain parameter generated by the parameter generating means, the secret key, and the result of obtaining the exclusive OR, and the terminal uses the second holding means to generate the hash value and the public key generated by the parameter generating means. It is characterized by holding a list consisting of a set with random numbers added.

  The parameter generation device is characterized by generating parameters using an algorithm based on a discrete logarithm problem over a finite field.

  The parameter generation device uses an algorithm based on a discrete logarithm problem on an elliptic curve with a finite field coefficient to generate a parameter.

  The server and the terminal operate as auxiliary means for encrypting the line device.

  The server holds password data associated with the line device by the first holding means, and the terminal has password input means for taking in a password for the line device from the outside, and derives a session key using the data including the password It is characterized by that.

  The parameter generation device is incorporated on a server.

  According to the present invention, even if terminal information is leaked, an attacker cannot obtain domain parameter information, so a prior attack is impossible. Further, since the terminal has a hash value of the domain parameter, it is possible to check even when an invalid parameter is sent from an unauthorized server. In addition, since the terminal stores the public key in advance, it is possible to check an unauthorized server that does not have a fixed secret key in the process of verifying the shared session key. Furthermore, domain parameters are distributed and held between the server and the terminal, and when the session starts, the server sends only the distributed information, so that it is impossible to obtain the domain parameters only from the information on the communication path. Further, a terminal (user) can be identified by combining an existing line device and a password associated therewith.

  In the present invention, it is assumed that the security of the server and the terminal are greatly different. In other words, it is assumed that the server is in a safe place and the risk of leakage of secret information and illegal processing is very small, while the terminal is highly risk of theft and information leakage. In such a model, even if a fixed secret key is set in the terminal, its effectiveness is low. Therefore, a method of setting the fixed secret key only in the server is suitable.

  FIG. 1 shows the operation of the parameter generation unit 101 and the information held by the server 102 and the terminal 103 in the embodiment of the present invention. The parameter generation means 101 performs the following processing on the indices i = 1, 2,... L of the public key parameter list when a terminal is given. Here, L is the upper limit of the number of parameters for the terminal.

  Domain parameters p (i), g (i) and q (i), secret key x (i), and public key y (i) are generated. Next, a hash value h (i) = Hash (p (i) || g () using p (i) || g (i), which is a bit string obtained by concatenating p (i) and g (i), as input data. i)). The server 102 stores p (i), g (i), q (i), x (i), and y (i) as in the prior art. The terminal 103 stores only the hash value h (i) and the public key y (i).

  Next, the procedure for key sharing between the server 102 and the terminal 103 in the embodiment of the present invention will be described with reference to FIG. Similar to the prior art, the terminal 103 transmits a terminal ID to the server 102 (step S1001), and the server 102 determines an index i of a parameter to be used in the parameter list for 103 (step S1002). .

  The server 102 obtains and transmits a bit string p || g obtained by concatenating p = p (i) and g = g (i) corresponding to the index i (steps S201 and S202). The terminal 103 calculates a hash value Hash (p || g) for the received p || g and compares it with the stored h (i) (step S203). If they do not match, the key sharing process is terminated, assuming that an invalid parameter has been sent. If the validity of p and g can be confirmed, a conventional key sharing process is performed (the same processes as in steps S1003 to S1009 in FIG. 10 are executed).

  By not storing p and g in the terminal as in the present invention, even if the terminal is stolen and information is leaked, only the hash value h (i) and the public key y (i) are leaked. Since the information of (i) and g (i) is not obtained, there is no opportunity for attack of the discrete logarithm problem with specific parameters. Further, when an illegal server impersonates and sends an invalid parameter, it can be confirmed by the hash value h (i). In addition, for a response attack in which an index i, p (i), g (i) once sent by an unauthorized server is copied and sent again, the unauthorized server has a secret key x (i). Therefore, the Diffie-Hellman algorithm cannot generate the same session key as that of the terminal, and thus security can be maintained by the session key sharing confirmation process as shown in FIG.

  FIG. 3 is a diagram showing an operation in which the present invention is combined with the key sharing method for generating a temporary secret key even in the server described in FIG. According to the present invention, the past session key can be concealed and the security can be improved when the terminal information is leaked even when the fixed secret key x (i) of the server shown in FIG. 11 is leaked. As for the processing procedure, after the index i is determined (step S1102), the above-described steps S201 to S203 are performed, and the subsequent operations are the same as the steps S1104 to S1115 described in FIG.

  FIG. 4 shows another embodiment of the present invention. By sending p (i) || g (i) in the form of Barnum encryption (secret sharing) with a random number, it is only possible to eavesdrop on the communication path. In this method, information on (i) and g (i) cannot be obtained. Hereinafter, the process of the parameter generation unit 101 will be described in detail.

  The domain parameters p (i), g (i), q (i), the secret key x (i) and the public key y (i) are generated as before, and the hash value h (i) = Generate Hash (p (i) || g (i)). Next, generate a random number R (i) of the same length as p (i) || g (i) and calculate U (i) = R (i) + (p (i) || g (i)) To do. Here, “+” indicates exclusive OR. At this time, the parameter generation unit 101 sets U (i) in the server 102 in addition to the public information and the secret key, and sets h (i), y (i), and R (i) in the terminal 103.

  FIG. 5 shows a key sharing process procedure when the present embodiment is applied to the key sharing method shown in FIG. The key sharing process will be described below with reference to FIG.

  First, the terminal 103 transmits the terminal ID to the server 102 (step S1101) as in the conventional case, and the server 102 determines the parameter index i (step S1102). The server 102 transmits the index i and U (i) to the terminal 103 (step S501). The terminal 103 calculates R (i) + U (i) from the received U (i) and the stored R (i) and assigns it to p || g (step S502), and the terminal 103 has a hash value h = Hash (p || g) is calculated and compared with the stored h (i) (step S503). If they do not match, the key sharing process is terminated, assuming that an invalid parameter has been sent. If the validity of p and g can be confirmed, a conventional key sharing process is performed (the same processes as in steps S1104 to S1115 in FIG. 11 are executed).

  By using the method in the present embodiment, it is impossible to obtain p (i) and g (i) simply by acquiring data on the communication path, and it is possible to improve safety.

  As described above, the present invention has explained the key sharing method using the discrete logarithm problem on a finite field. However, as shown in Non-Patent Document 1, the same is true even if an module formed by a rational point of an elliptic curve on a finite field is used. Key sharing can be performed. By using an elliptic curve, safety can be maintained even if the parameter is set small, and the processing speed can be increased.

  In addition, it is difficult to protect against terminal impersonation in a model that assumes a high risk of leakage of information stored in the terminal as assumed in the present invention. Therefore, in order to increase the safety on the terminal side, it is necessary to use other means in combination.

  FIG. 6 shows a form in which the present invention is used as auxiliary means for a conventional line device such as a telephone. In FIG. 6, a server 102 and a terminal 103 are terminals that perform key sharing in the present invention, and function as auxiliary means for line terminals 601 and 602 such as telephones that perform communication. As the line device attached to the terminal 103, for example, a mobile phone is excellent in convenience.

  As shown in FIG. 6, since the line device can be specified by the conventional line system by using the auxiliary means of the line device and the present invention, the terminal itself can be impersonated by specifying the telephone that can be used on the terminal side. Although it is difficult to prevent this, it cannot be used with an unspecified telephone, so that safety can be improved.

  6 can be further improved by associating the line device (telephone) with the user and performing password authentication by the user. In this case, as shown in FIG. 7, the server 102 holds a password list 702 corresponding to the terminal device line device ID (telephone number) in addition to the domain parameters and key information of public key cryptography. On the terminal side, the user needs to input the password 701 at the time of use. Password authentication can be realized by including the server-terminal shared information otherinfo as an input of the key derivation function shown in FIG. If the passwords do not match, the derived session keys do not match, so that user authentication can be performed by including it in the normal session key sharing confirmation process.

  In addition, for example, NIST Special Publication (SP) 800-57, “Recommendati for Key Management” 2006 can be used to set parameters to achieve a high level of safety. According to Non-Patent Document 3, the discrete logarithm parameter value p recommended for use up to 2030 is 2048 bits and q is 224 bits. The hash function to be used is any one of SHA-224, SHA-256, SHA-384, and SHA-512 described in Non-Patent Document 2. In this embodiment, SHA-256 is used.

  When the scheme of Non-Patent Document 3 is applied using symmetric key encryption with AES having a key length of 128 bits and message authentication for confirming session key sharing using 128 bits with AES, the key derivation function kdf () in FIG. A hash value is obtained by inputting a bit string obtained by concatenating the shared information by the Diffie-Hellman algorithm and otherinfo to SHA-256.

  When a user password is also used as shown in FIG. 7, a bit string concatenated with the password is further input to SHA-256. For the 256 bits of the output of SHA-256, the first 128 bits are used as the AES private key K1 used for data encryption, and the second 128 bits are used as the message authentication private key K2. The above-described SHA-256 can also be used to generate a hash value for p || g in the present invention shown in FIG.

  For example, when the parameter list size is changed every day for two years, the amount of data held by the terminal in FIG. 1 is 712 pairs of 256 bits of hash value and 2048 bits of public key, and the amount of data is about 1.64 megabits. Become.

  The present invention has been described above by the preferred embodiments of the present invention. While the invention has been described with reference to specific embodiments, various modifications and changes may be made to the embodiments without departing from the broad spirit and scope of the invention as defined in the claims. Obviously you can.

It is a figure which shows the process of the parameter production | generation means in the embodiment of this invention, and the information which a server and a terminal hold | maintain. It is a figure which shows the key sharing process in embodiment of this invention. It is a figure which shows the process in the case of utilizing a temporary secret key by the server side in embodiment of this invention. It is a figure which shows the process of the parameter production | generation means in another embodiment of this invention, and the information which a server and a terminal hold | maintain. It is a figure which shows the key sharing process in another embodiment of this invention. It is a figure which shows the example of application of this invention. It is a figure which shows the example of application of this invention. It is a figure which shows a communication model. It is a figure which shows the process of the parameter generation means in a prior art, and the information which a server and a terminal hold | maintain. It is a figure which shows the key sharing process in a prior art. It is a figure which shows the process in the case of utilizing a temporary secret key by the server side in a prior art. It is a figure which shows the process in which the shared session key in a prior art is mutually verified.

Explanation of symbols

101 Parameter generation means 102 Server 103 Terminal 104, 105 Line device 701 Password

Claims (7)

In a key sharing system for sharing secret information between a parameter generation device having a domain parameter and a secret key of public key cryptography, a parameter generation unit that generates a public key for each terminal, a server, and the terminal,
The parameter generation device has hash value calculation means for calculating a hash value for a bit string composed of the domain parameters,
The server includes first holding means for holding a list including domain parameters and secret keys of public key cryptography generated by the parameter generation device for each terminal,
The key sharing system, wherein the terminal includes a second holding unit that holds a list including a set of the public key and the hash value generated by the parameter generation device. The parameter generation device has an exclusive OR generation means for generating an exclusive OR with the hash value by generating a random number having the same length as the bit string composed of domain parameters,
The server holds a list including the domain parameter generated by the parameter generation unit, the secret key, and a result of obtaining the exclusive OR by the first holding unit,
2. The key according to claim 1, wherein the terminal holds a list including a set obtained by adding the random number to the hash value generated by the parameter generation unit and the public key by the second holding unit. Shared system.   3. The key sharing system according to claim 1, wherein the parameter generation device generates a parameter using an algorithm based on a discrete logarithm problem over a finite field.   4. The key sharing system according to claim 1, wherein the parameter generation apparatus generates a parameter using an algorithm based on a discrete logarithm problem on an elliptic curve having a finite field coefficient. 5.   The key sharing system according to any one of claims 1 to 4, wherein the server and the terminal operate as auxiliary means for encrypting the line device. The server holds password data associated with the line device by the first holding means,
6. The key sharing system according to claim 5, wherein the terminal includes password input means for fetching a password for the line device from the outside, and derives a session key using data including the password.   The key sharing system according to claim 1, wherein the parameter generation device is incorporated on the server.

Images