JP5586758B1 - Dynamic encryption key generation system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To obtain an encryption technique capable of securely generating a different key for each group such as a company.
External data providing means for providing external data obtained by previously encrypting ID-corresponding data and a program control value including a program control element; and decrypting the encrypted external data; An external data decrypting means for generating a program control value; a first key information generating means for generating first key information from the obtained ID correspondence data; and a second key information for generating second key information from the obtained program control value. A dynamic encryption key comprising: a two-key information generation unit; and an encryption processing device including an encryption key generation unit configured to generate an encryption key from the obtained first key information and second key information. Generation system.
[Selection] Figure 1

Description

  The present invention relates to a technique for concealing an encryption key by a function multiplexing method, for example.

  With the spread of the Internet, more and more users are transferring and transmitting / receiving confidential data stored in computer systems via a network. In this case, the data stored in the computer may be stolen by a malicious third party if it is not protected by any protection mechanism. In addition, malicious hackers (those who are familiar with computer technology) often intentionally steal data from others via the Internet.

  For this reason, how to protect data transferred / transmitted / received on a network line or the like is an important issue.

  In general, a user can encrypt data by some encryption technique. In this way, even if the encrypted data leaks, the encrypted data cannot be decrypted correctly without the correct key, and malicious hackers and others access the correct contents of the encrypted data. Data security is ensured.

  Most current encryption techniques require the user to enter a password and encrypt the data based on the password. When the user wants to decrypt the encrypted data, the user only needs to re-enter the password to obtain the original data. However, the user must be inconvenienced because the password must be exchanged safely in accordance with the data transfer.

  Another type of encryption method uses a key to encrypt data (see, for example, Patent Document 1). In such an encryption method, security is maintained by incorporating a logic for generating a key in the software system. However, as long as the same software system is used, encrypted data between different groups can be decrypted. Therefore, this encryption method is also not sufficiently secure.

JP 2012-209932 A

  Since the conventional data encryption apparatus incorporates a logic for generating a key in the software system, a different key cannot be generated for each group in the same software system.

  It is an object of the present invention to obtain an encryption technique that enables a different key to be generated safely in units of groups such as companies. Specifically, it resolves two issues: (a) different keys can be generated on a group basis, and (b) when a malicious third party obtains the program, it becomes difficult to retrieve the key. For the purpose. Furthermore, a system for securely generating different encryption keys for each group without making a large-scale modification of an existing program is provided.

A dynamic encryption key generation system according to a first aspect of the present invention includes a key generation processing device that generates an encryption key using a predetermined algorithm, and external data provision that provides data to the key generation processing device A dynamic encryption key generation system comprising means,
The external data providing means provides external data composed of ID-corresponding data corresponding to a group ID and a program control value including two or more program control elements in response to a request for the group ID.
The key generation processing device includes:
External data decrypting means for decrypting the encrypted external data to generate ID-corresponding data and a program control value;
First key information generating means for generating first key information from the obtained ID correspondence data in accordance with a pre-installed algorithm;
Second key information generating means for generating second key information from the obtained program control value according to another algorithm mounted in advance;
It is characterized by comprising an encryption key generating means for generating an encryption key from the obtained first key information and second key information in accordance with another algorithm mounted in advance.

  In the dynamic encryption key generation system according to the invention described in claim 2, the external data provided by the external data providing means according to claim 1 is obtained by combining ID-corresponding data and a program control value. Is encrypted using a common key A with a predetermined encryption algorithm.

  A dynamic encryption key generation system according to a third aspect of the present invention is the dynamic encryption key generation system according to the second aspect, wherein the external data decryption means decrypts the encrypted external data using a common key A, and the ID The data is divided into corresponding data and program control values.

In the dynamic encryption key generation system according to the invention described in claim 4, the first key information generation means according to any one of claims 1 to 3 includes a control variable B1 and a control variable Bn. ,
A normal key information selection means for selecting key information using intermediate data that is selected only by the control variable B1, one or more dummy functions, and intermediate data that has been selected by the control variable Bn and passed through the normal function. And one or more dummy key information selection means,
The intermediate data is created by inputting the ID correspondence data to the regular function selected by the control variable B1;
The first key information is generated by inputting the intermediate data to the regular key information selecting means selected by the control variable Bn.

The dynamic encryption key generation system according to the invention described in claim 5 is characterized in that the second key information generation means according to any one of claims 1 to 4 controls the program control value with two or more program controls. Control element dividing means for dividing into elements, a message C having a predetermined size incorporated in advance, and key information selecting means for selecting second key information by a predetermined function,
Intermediate data is generated from one of the two or more program control elements converted from the program control value by the control element dividing means and the message C;
The second key information is generated by inputting intermediate data to the function.

The dynamic encryption key generation system according to the invention described in claim 6 is characterized in that the encryption key generation means according to any one of claims 1 to 5 has one or more predetermined numbers (N1 Number of pieces of first key information and one or more predetermined number (N2 pieces) of second key information.
The N1 first key information and the N2 second key information are subjected to a predetermined calculation process to obtain an encryption key.

  The present invention can provide an encryption technique that enables a different key to be securely generated in units of groups such as companies even in the same software system. Specifically, it resolves two issues: (a) different keys can be generated on a group basis, and (b) when a malicious third party obtains the program, it becomes difficult to retrieve the key. be able to. Furthermore, there is an effect that it is possible to provide a system that can safely generate different encryption keys for each group without performing a large-scale modification of an existing program.

It is explanatory drawing which shows the outline | summary of one Example of the dynamic encryption key generation system of this invention. It is explanatory drawing which shows the outline | summary of one Example of the external data production apparatus which produces the external data of FIG. It is process drawing which shows the external data creation process process by the apparatus of FIG. It is explanatory drawing which shows the outline | summary of one Example of the transmission / reception system of external data. FIG. 5 is a process diagram showing an external data transmission / reception processing process in the system of FIG. 4. It is explanatory drawing which shows the outline | summary of one Example of the external data decoding means of the key generation processing apparatus of FIG. It is process drawing which shows the process of the external data decoding means in the decoding means of FIG. It is explanatory drawing which shows the outline | summary of one Example of the 1st key information generation means of the key generation processing apparatus of FIG. It is process drawing which shows the 1st key information generation process process of FIG. It is explanatory drawing which shows the outline | summary of one Example of the 2nd key information generation means of the key generation processing apparatus of FIG. It is process drawing which shows the 2nd key information generation process process of FIG. It is explanatory drawing which shows the outline | summary of one Example of the encryption key production | generation means of the key production | generation apparatus of FIG. It is process drawing which shows the encryption key production | generation process process of FIG.

According to the present invention, there is provided a dynamic encryption key generation system including a key generation processing device that generates an encryption key with a predetermined algorithm, and external data providing means that provides data to the key generation processing device. And
The external data providing means provides external data composed of ID-corresponding data corresponding to a group ID and a program control value including two or more program control elements in response to a request for the group ID.
The key generation processing device includes:
External data decrypting means for decrypting the encrypted external data to generate ID-corresponding data and a program control value;
First key information generating means for generating first key information from the obtained ID correspondence data in accordance with a pre-installed algorithm;
Second key information generating means for generating second key information from the obtained program control value according to another algorithm mounted in advance;
An encryption key generating unit that generates an encryption key from the obtained first key information and second key information in accordance with another algorithm mounted in advance is provided. As a result, it is possible to obtain an encryption technique that enables a different key to be securely generated for each group of companies.

  In the ID correspondence data of the present invention, a predetermined number of bit strings (for example, any one of 64, 48, 32, and 24 bits) is generated using a random number generator. An existing random number generator that is already used may be selected from a random number generator such as a linear congruential method, a Mersenne twister, or a hardware random number generator.

  The program control value of the present invention is a control value that is used after the decryption process, and may be composed of two or more program control elements and generated by a predetermined algorithm. For example, one integer value n is determined using a random number, a predetermined number of integer values are generated using a random number, and the generated value is used as a program control element, or a random number is used. Generated by generating a predetermined number of integer values without duplication as a program control element or by generating a predetermined number of integer values within a predetermined range using random numbers A value can be used as a program control element, or one or more of these elements can be used in combination as a program control value.

  The external data of the present invention is obtained by encrypting a combination of ID correspondence data and a program control value using a common key A with a predetermined encryption algorithm. That is, these program control elements are selected and combined to obtain a program control value. ID-corresponding data and program control value data are combined, the generated value is external data before encryption, the common key A is used as the key value, the external data before encryption is encrypted, and the generated value is external data And

  Therefore, the external data provided by the external data providing means of the present invention is preferably encrypted by combining the ID correspondence data and the program control value using the common key A with a predetermined encryption algorithm. It is what.

  The common key A for encrypting the external data before encryption uses the same value as the common key A used in the external data decryption means described later. However, the external data decryption means uses the unique value in the program. The common key A is obtained by the key information generating means used. In an external data creation device that encrypts external data before encryption, the value of the common key A can be directly stored. This is possible because the external data creation device itself is configured as a program that is not disclosed to the outside.

  The external data providing means of the present invention exists separately from the key generation processing apparatus, and further to the key generation processing apparatus that has inquired external data corresponding to the group ID inquired from one key generation processing apparatus. Anything provided is acceptable. For example, it may be installed in a server on a communication line, or may be installed in a memory chip in some cases, and if necessary, a key generation processing device and a memory chip may be connected and used.

  In order to acquire external data from the external data providing means, specifically, the user inputs a group ID and an authentication code, and transmits the group ID and the authentication code to the server. Check the group ID and authentication code values on the server. If one or both values are different, an error is assumed. If both values match, the system may acquire external data corresponding to the group ID on the server and send the external data from the server to the key generation processing device.

  The external data decrypting means of the present invention decrypts the encrypted external data using the common key A to obtain external data before encryption, and divides the external data before encryption into ID-corresponding data and program control values. To do. Subsequent key information is created by the key generation processing device of the present invention using the divided ID correspondence data and the program control value.

  That is, the first key information generating means of the key generation processing device generates the first key information from the ID correspondence data in accordance with the algorithm mounted in advance, and the second key information generating means also uses the first key information generating means. The second key information is generated from the obtained program control value according to the algorithm. Further, the encryption key generation means generates an encryption key from the obtained first key information and second key information in accordance with yet another algorithm that is mounted in advance. As a result, it is possible to obtain an encryption technique that enables a different key to be securely generated for each group of companies.

  The first key information generating means of the present invention comprises a control variable B1 and a control variable Bn, and is selected only by a normal function that is uniquely selected by the control variable B1, one or more dummy functions, and the control variable Bn. The normal key information selecting means for selecting the first key information using the intermediate data that has passed through the normal function, and one or more dummy key information selecting means.

  The ID correspondence data is input to the regular function selected by the control variable B1 to create intermediate data. At this time, it is possible to input the data corresponding to the data stored in the program in the key generation processing apparatus instead of inputting the ID correspondence data as it is into the regular function. Intermediate data is generated by a regular function.

  As the regular function and the dummy function, a combination of four arithmetic operations and bit operations may be used, or a function combining various cryptographic hash functions which are a kind of one-way function may be adopted. MD5, SHA-1, and SHA-256 are used as the cryptographic hash function. Examples of combinations are SHA-256 × MD5, MD5 × SHA-1 × MD5, and the like. In the case of SHA-256 × MD5, SHA-256 is executed first, and its output (hash value) is input to MD5. The output of MD5 is assumed to be the output of SHA-256 × MD5.

  Finally, the intermediate data is input to the regular key information selection unit selected by the control variable Bn to generate the first key information. At this time, the intermediate data to be used may be a normal function selected by the control variable B1, preferably a normal one-way function, or may be another intermediate data.

  For example, another normal one-way function selected only by the control variable B2 is inputted with intermediate data by the control variable B1 to generate another intermediate data, and further, the control variables are B3, B4. May be repeated a predetermined number of times.

  It is also possible to assume that the regular one-way function selected by the control variable B1 is used repeatedly. That is, as described above, the data stored in the program in the key generation processing apparatus is added and input, but the data stored in the program is changed to intermediate data by the control variable B1, and this intermediate data is changed. May be input and the intermediate data may be generated with a normal one-way function based on the control variable B1 by repeating a predetermined number of times.

  As an algorithm for generating the first key information from the intermediate data, for example, an algorithm for selecting some data from a predetermined number of data can be selected. Which value to select is built into the program in advance. Using the selected selection algorithm, data having a predetermined size (number of bits) is selected from the intermediate data. The remaining data is not used and becomes a dummy. This selected data becomes the first key information.

  As described above, the dummy calculation is incorporated into the program of the key generation processing device and used by the first key information generation means, thereby producing an effect that makes it difficult to guess the key. Note that the actual calculation is a normal function, and not all dummy functions are used, but there are many dummy functions that are not actually calculated, so it is possible to avoid extreme performance reductions. It is.

  Further, by using the control variable B, it is difficult to specify which function is a normal function.

The second key information generating means of the present invention is preferably a control element dividing means for converting a program control value into two or more program control elements, and a message C having a predetermined size incorporated in advance. The key information selecting means for selecting the second key information by a predetermined function,
Intermediate data is generated from one of the two or more program control elements converted from the program control value by the control element dividing means and the message C;
The second key information is generated by inputting intermediate data to the function.

  The message C of the present invention may be any message having a predetermined size incorporated in advance.

  As the control element dividing means of the present invention, the program control value is converted into two or more program control elements. That is, as described above, a program control element as a value generated by generating a predetermined number of integer values using random numbers without duplication, or one integer value n is determined using random numbers, and random numbers are used. A predetermined number of integer values are generated, and a predetermined number of integer values in a predetermined range using a program control element or a random number as a generated value are generated without duplication. Thus, each control element constituting a program control value obtained by combining one or more program control elements or the like as the generated value is obtained.

  Intermediate data is generated from any of these control elements and the message C. Then, this intermediate data is input to a one-way function to generate key information. As the intermediate data input to the one-way function, the second data generated from another program control element and the intermediate data may be the same as the intermediate data generated from one program control element and the message C. Multiple processing may be performed so that the intermediate data is generated from the intermediate data, further program control elements, and the second intermediate data. However, in the case of multiple generations, there is a disadvantage that the performance is reduced.

  The predetermined function of the second key information generation means of the present invention may be a combination of four arithmetic operations and bit operations, and employs a function combining various cryptographic hash functions which are a kind of one-way function. Also good. MD5, SHA-1, and SHA-256 are used as functions that combine various cryptographic hash functions, which are a type of one-way function. Examples of combinations are SHA-256 × MD5, MD5 × SHA-1 × MD5, and the like. In the case of SHA-256 × MD5, SHA-256 is executed first, and its output (hash value) is input to MD5. The output of MD5 is assumed to be the output of SHA-256 × MD5. The number to be combined and the cryptographic hash function to be used are determined from the value of the program control element.

  The encryption key generating means of the present invention preferably has one or more predetermined number (N1) of first key information and one or more predetermined number (N2) of second key information. The encryption key is generated from the above, and a predetermined calculation process is performed on the N1 first key information and the N2 second key information to obtain the encryption key. In addition, since it can be assumed that the sizes of the first key information and the second key information are significantly different and less than the required encryption key size, more preferably, N2 first key information and N2 second keys. You may add performing operation which connects information and divides the connected data into the block of a key size. In this case, an encryption key is obtained by performing predetermined arithmetic processing on the divided data.

  Predetermined arithmetic processing in the present invention refers to four arithmetic operations and bit arithmetic processing, and particularly includes exclusive OR operation which is one of the bit processing arithmetic processing.

  FIG. 1 is an explanatory diagram showing an outline of an embodiment of the dynamic encryption key generation system of the present invention. As shown in the figure, the dynamic encryption key generation system of the present embodiment provides a key generation processing device (10) that generates an encryption key with a predetermined algorithm, and provides this key generation processing device (10). The external data providing means (30) for holding the external data (21) to be stored in advance is divided into two. The external data (21) provided by the external data providing means (30) is obtained by encrypting the external data before encryption composed of the ID correspondence data (40) and the program control value (50).

  The key generation processing device (10) includes an external data decryption means (60) for decrypting the encrypted external data (21) to generate ID-corresponding data (40) and a program control value (50), and ID correspondence First key information generating means (80) for generating first key information (90) from data (40), and second key information generating means (110) for generating second key information (110) from program control value (50). 100) and encryption key generating means (120) for generating an encryption key (130) from the first key information (90) and the second key information (110).

  FIG. 2 is an explanatory diagram showing an outline of an embodiment of the external data creation device for creating the external data of FIG. FIG. 3 is a process diagram showing an external data creation process by the apparatus of FIG. As shown in the figure, the ID correspondence data (40) is generated by the ID correspondence data generation means (22) of the external data creation device (20). In this embodiment, twelve 12-bit strings are generated using a random number generator, which is used as ID-corresponding data (40), and ten pieces of first key information are generated, so ten ID-corresponding data are generated. It goes without saying that various selections are possible for the bit string and the number.

  The program control value (50) is a control value used after the decryption process, and includes two or more program control elements. The program control value generation means (23) generates the program control value (50). In this embodiment, one integer value n of 1 to 4 is determined using a random number, n integer values of 1 to 3 are generated using a random number, and the generated value is used as the program control element 1. .

  A program control element 2 is a value generated by generating 16 integer values from 1 to 300 using random numbers without duplication. Sixteen integer values from 0 to 31 are generated using random numbers, and the generated value is set as the program control element 3. These elements 1 to 3 were combined to obtain a program control value (50). Needless to say, the generation of each control element is not limited to these. Note that the program control element 3 can be duplicated. In this embodiment, five program control values are generated.

  The obtained ID correspondence data (40) and the program control value (50) are combined by the data combining means (24) to become external data (25) before encryption. Various algorithms can be selected for combining the data corresponding to the ID correspondence data (40) and the program control value (50). The program control value (50) may be simply connected after the ID correspondence data (40), or a method of dividing each group into groups of a predetermined length and connecting these groups alternately can be selected. . The obtained pre-encrypted external data (25) is encrypted by the encryption means (26) using the common key A (27) to become external data (21).

  As shown in FIG. 1, external data (21) is required for the key generation processing device (10) to obtain the encryption key (130). The external data (21) exists separately from the key generation processing device (10) by the external data providing means (30). For this reason, it is necessary to receive external data corresponding to the group ID to the key generation processing device (10). FIG. 4 is an explanatory diagram showing an outline of an embodiment of an external data transmission / reception system. FIG. 5 is a process diagram showing external data transmission / reception processing steps in the system of FIG.

  As shown in the figure, the key generation processing device (10) has an external data acquisition function (13), and receives external data (21) in the external data providing means (30) in the server on the communication line. . When the group ID (11) and the authentication code (12) are input to the key generation processing device (10), the server transmission function (14) of the external data acquisition function (13) in the key generation processing device (10) is set. Is sent to the authentication function (31) of the external data providing means (30) to check the values of the group ID (11) and the authentication code (12), and if either or both values are different An error.

  If both values match, the external data selection means (32) acquires the external data (21) corresponding to the group ID (11), and the key generation processing device (10) from the external data provision means (30). Send external data (21) to the external data reception function (15).

  The received external data (21) is decrypted by the external data decrypting means (60) of the key generation processing device (10), passed through the external data (25) before encryption, and the ID corresponding data (40) and the program control value. Get (50). FIG. 6 is an explanatory diagram showing an outline of an embodiment of the external data decrypting means of the key generation processing apparatus of FIG. FIG. 7 is a process diagram showing an external data decoding process in the decoding means of FIG.

  As shown in the figure, with the external data (21) input as a start sign, the external data decrypting means (60) uses the fixed value (61) in the program and the common key A (27) by the key information generating means (62). Is generated. The common key A (27) has the same value as the common key A (27) for encrypting the above-mentioned external data before encryption, and the external data decrypting means (63) is used by using the common key A (27). Thus, the external data (21) is decrypted into the external data (25) before encryption.

  Subsequently, the data is divided into ID correspondence data (40) and a program control value (50) by the division function means (64). The division function means (64) performs the reverse of the operation of the data combining means (24) of the external data creation device (20) described above. From the obtained ID correspondence data (40) and the program control value (50), the key generation processing device generates subsequent key information.

  First, the first key information is obtained using the ID correspondence data (40). FIG. 8 is an explanatory diagram showing an outline of an embodiment of the first key information generation means of the key generation processing apparatus of FIG. FIG. 9 is a process diagram showing the first key information generation process of FIG. As shown in the figure, the divided ID correspondence data (40) is input to the first key information generating means (80).

  The first key information generating means (80) includes a control variable B1 (91) and a control variable Bn (93), and a normal one-way function (84) selected only by the control variable B1 (91) and 1 A normal key that selects the first key information (90) using intermediate data (92) that is uniquely selected by one or more dummy functions (85) and a control variable Bn (93) and has passed a normal one-way function. Information selection means (87) and one or more dummy key information selection means (88) are included.

  As described above, the ID correspondence data (40) of the present embodiment is an integer value of 12 × 12 bits. The in-program data (81) is added to the integer value of the ID correspondence data (40) input to the first key information generating means (80) by the data combination means (82). The added data is input to the normal one-way function (84) selected by the one-way function selection means (83) using the control variable B1 (91) to create intermediate data (92). The

  A number of dummy functions prevent malicious third parties from specifying regular one-way functions. In addition, the actual calculation is a normal one-way function, and not all dummy functions are used, but there are many dummy functions that are not actually calculated. It is possible.

  The intermediate data (92) is input to the regular key information selection means (87) selected by the selection means (86) of the selection algorithm using the control variable Bn (93) to generate the first key information (90). . In this case, a large number of dummy selection devices prevent a malicious third party from specifying the legitimate key information selection device (87).

  When generating the first key information (90), the intermediate data (92) to be used may use a normal one-way function (84) selected by the control variable B1 (91), Other intermediate data may be used. In one other embodiment, as shown by the one-dot chain line in the figure, the intermediate data by the control variable B1 is input to another normal one-way function that is only selected by the control variable B2 (94) to obtain another intermediate data. .., (95) may be generated, and further, control data B3, B4... And intermediate data (96) obtained by repeating this a predetermined number of times may be used.

  As the one-way function, a function combining various cryptographic hash functions may be adopted. For example, MD5, SHA-1, and SHA-256 are used as the cryptographic hash function. As examples of combinations, SHA-256 × MD5, MD5 × SHA-1 × MD5, and the like can be selected. For example, the normal one-way function selected by the control variable B1 may be MD5 × SHA-256, and the dummy functions may be SHA-256 × MD5 and MD5 × SHA-1 × MD5.

  In another embodiment, the intermediate data (92) obtained by the normal one-way function (84) selected by the control variable B1 (91) is converted into in-program data ( In addition to 81), the operation of generating intermediate data with the normal one-way function (84) may be repeated at least once more.

  The second key information (110) is obtained using the program control value (50). FIG. 10 is an explanatory diagram showing an outline of an embodiment of the second key information generation means of the key generation processing apparatus of FIG. FIG. 11 is a process diagram showing the second key information generation process of FIG. As shown in the figure, the second key information generating means (100) includes a control element dividing means (101) for dividing the program control value into two or more program control elements, and a predetermined size incorporated in advance. Message C (102) and key information generating means (108) for generating second key information by a predetermined function.

  When the program control value (50) is input to the second key information generating means (100), two or more program control elements (100) constituting the program control value (50) are controlled by the control element dividing means (101). 103). That is, as described above, in the present embodiment, the program control element 1, the program control element 2 and the program control element 3 are combined to obtain the program control value (50), but this combination is controlled by the control element dividing means (101). Operation reverse processing is performed, and the program control element 1, the program control element 2, and the program control element 3 are divided.

  Intermediate data 1 (105) is generated from one of the two or more program control elements converted from the program control value (50) by the control element dividing means (101) and the message C (102). For example, the message C is set to 300 data having a size of 32 bits, and using the 300 data and the program control element 2, the data selection means (104) selects 16 data to be used for the calculation. , 16 data may be used as intermediate data 1 (105).

  Further, after the intermediate data 2 and the program control element 3 are combined to generate the intermediate data 2 (107) by the data generation means (106), the intermediate data 2 is converted into a function predetermined by the key information generation means (108). (107) is input to generate the second key information (110), and the second key information (110) is output. The data generation means (106) cyclically shifts the 16 numerical values of the intermediate data 1 to the right by the numerical value given by the program control element 3. The 512-bit data obtained by connecting the 16 data after the shift is defined as intermediate data 2.

  As the predetermined function, a combination of four arithmetic operations and bit operations may be used, or a function combining various cryptographic hash functions which are a kind of one-way function may be adopted. For example, MD5, SHA-1, and SHA-256 are used as various cryptographic hash functions that are a kind of one-way function. Examples of combinations are SHA-256 × MD5, MD5 × SHA-1 × MD5, and the like. In the case of SHA-256 × MD5, SHA-256 is executed first, and its output (hash value) is input to MD5. The output of MD5 is assumed to be the output of SHA-256 × MD5. Specifically, the numerical value of the program control element 1 is the number of cryptographic hash function types and the number of numbers combined. For example, the number 221 is SHA-1 × SHA-1 × MD5.

  The encryption key (130) is obtained from the obtained first key information (90) and second key information (110). FIG. 12 is an explanatory diagram showing an outline of an embodiment of the encryption key generation means of the key generation processing apparatus of FIG. FIG. 13 is a process diagram showing the encryption key generation process of FIG. As shown in the figure, the encryption key generation means (120) generates an encryption key (130) using the first key information (90) and the second key information (110). In the present embodiment, the encryption key generation means (120) includes, as one or more N1 pieces of first key information (90), for example, the 10 pieces of first key information (90) and one or more pieces as described above. As the N2 pieces of second key information (110), for example, as described above, five pieces of second key information (110) are subjected to bit operation processing to obtain an encryption key (130).

  The sizes of the first key information and the second key information vary depending on the function. For example, MD5 is 128 bits, SHA-1 is 160 bits, and SHA-256 is 256 bits. For example, in the case of SHA-256 × MD5, the size of MD5 to be executed last is 128 bits. For this reason, assuming that the sizes of the first key information and the second key information are significantly different and less than the required encryption key size, specifically, N2 first key information and N2 first key information The encryption key was obtained by concatenating the two-key information, performing an operation of dividing the concatenated data into key-sized blocks, and performing an exclusive OR operation process on the divided data.

  As described above, it is possible to obtain an encryption technique that enables a different key to be securely generated for each group of companies. In addition, different keys can be generated for each group, and when a malicious third party obtains the program, there is an effect that it is difficult to obtain the key. Furthermore, there is an effect that it is possible to provide a system that can safely generate different encryption keys for each group without performing a large-scale modification of an existing program.

(10) ... key generation processing device,
(11)… Group ID,
(12)… authentication code,
(13)… External data acquisition function,
(14) ... Server transmission function,
(15)… External data reception function,
(20)… External data creation device,
(21)… External data,
(22) ... ID correspondence data generating means,
(23) ... program control value generation means,
(24) ... data combining means,
(25)… External data before encryption,
(26)… encryption means,
(27)… Common key A,
(30)… External data provision means,
(31)… Authentication function,
(32) ... external data selection means,
(40)… ID correspondence data,
(50)… Program control value,
(60) ... external data decoding means,
(61)… fixed value in program,
(62) ... key information generating means,
(63) ... external data decoding means,
(64) ... division function means,
(80) ... 1st key information generation means,
(81)… data in the program,
(82) ... data combination means,
(83)… selection means,
(84)… Regular one-way function,
(85)… dummy function,
(86) ... Selection algorithm selection means,
(87)… legitimate key information selection means,
(88)… Dummy key information selection means,
(90) ... 1st key information,
(91) ... control variable B1,
(92)… Intermediate data,
(93) ... control variable Bn,
(94) ... control variable B2,
(95)… Intermediate data,
(96)… Intermediate data,
(100)… second key information generating means,
(101)… control element dividing means,
(102)… Message C,
(103)… Program control element,
(104)… data selection means,
(105) ... Intermediate data 1,
(106)… data generation means,
(107) ... Intermediate data 2,
(108)… Key information selection means,
(110)… second key information,
(120) ... encryption key generation means,
(130)… encryption key,

Claims (6)

A dynamic encryption key generation system comprising a key generation processing device that generates an encryption key with a predetermined algorithm, and external data providing means for providing data to the key generation processing device,
The external data providing means provides external data composed of ID-corresponding data corresponding to a group ID and a program control value including two or more program control elements in response to a request for the group ID.
The key generation processing device includes:
External data decrypting means for decrypting the encrypted external data to generate ID-corresponding data and a program control value;
First key information generating means for generating first key information from the obtained ID correspondence data in accordance with a pre-installed algorithm;
Second key information generating means for generating second key information from the obtained program control value according to another algorithm mounted in advance;
A dynamic encryption key comprising encryption key generation means for generating an encryption key from the obtained first key information and second key information in accordance with yet another algorithm mounted in advance Generation system.   The external data provided by the external data providing means is obtained by encrypting a combination of ID correspondence data and a program control value using a common key A with a predetermined encryption algorithm. The dynamic encryption key generation system according to claim 1.   3. The dynamic encryption according to claim 2, wherein the external data decrypting means decrypts the encrypted external data using a common key A and divides the encrypted external data into the ID corresponding data and a program control value. Key generation system. The first key information generating means comprises a control variable B1 and a control variable Bn;
A normal key information selection means for selecting key information using intermediate data that is selected only by the control variable B1, one or more dummy functions, and intermediate data that has been selected by the control variable Bn and passed through the normal function. And one or more dummy key information selection means,
The intermediate data is created by inputting the ID correspondence data to the regular function selected by the control variable B1;
4. The first key information is generated by inputting the intermediate data to a regular key information selection unit selected by the control variable Bn. 5. Dynamic encryption key generation system. The second key information generating means includes a control element dividing means for dividing the program control value into two or more program control elements, a message C having a predetermined size incorporated in advance, and a predetermined value. Key information selecting means for selecting second key information by a function,
Intermediate data is generated from one of the two or more program control elements converted from the program control value by the control element dividing means and the message C;
The dynamic encryption key generation system according to any one of claims 1 to 4, wherein intermediate data is input to the function to generate second key information. The encryption key generating means generates an encryption key from one or more predetermined number (N1) of first key information and one or more predetermined number (N2) of second key information. Which generates
6. The encryption key is obtained by performing predetermined arithmetic processing on the N1 first key information and the N2 second key information. The dynamic encryption key generation system described in 1.

Images