JP5611996B2 - Information communication method and information communication system - Google Patents

Description

  The present invention relates to a system for communicating information related to personal privacy, confidential information, etc. (hereinafter referred to as “secret information”), and in particular, the sender can arbitrarily manage the reference authority of the receiver of the transmitted data. The present invention relates to an information communication method.

  When passing confidential information on an information system, it is required to prevent transmission data from being leaked to anyone other than a valid recipient.

  However, there is a frequent problem that secret information is leaked to a third party due to an incorrect designation of a transmission destination or inadequate data management by a receiver. In addition, it is often pointed out that privacy is infringed because the transmitted data is used by the receiver for purposes other than the intended one.

  As a conventional method for solving such a problem, data encryption is generally used. Even if data is leaked to other than the receiver who has the right access right to the secret information by the encryption, there is an effect of preventing the leak of the secret information (Patent Document 1 and Patent Document 2).

  On the other hand, a data transmission method is known in which transmission data is temporarily stored in a sender's local disk area before information is actually transmitted to a transmission destination, and is actually transmitted after a certain period of time. With this method, if the transmission destination is in the waiting time, it is possible to cancel the transmission even if the transmission destination is wrong.

  In addition, a method is known in which transmission data is not directly transmitted to a receiver but is transmitted on a reliable relay server, and the receiver receives the transmission data from the relay server. In the transmitted data, reference time limit information (transmission date and time, referenceable period) is added, and the possibility of referring to the data is checked based on the current date and time of the relay person. This method makes it impossible to access the data after a certain period.

Japanese Patent Laid-Open No. 2003-114853 JP 2007-124246 A

  The method of encrypting data has a certain effect of preventing leakage of secret information due to eavesdropping or the like, but there is a risk that secret information can be easily leaked if the recipient's secret key is leaked. As a method for preventing such a risk, a method for preventing a secret key from being easily duplicated by storing an encryption process in an external memory is known, as disclosed in Patent Document 1. However, even this method is not sufficiently effective because there is a risk that the external memory physically passes to a third party.

  Also, as disclosed in Patent Document 2, a method is known in which decryption can be executed only when data center decryption is permitted by inquiring to a reliable center whether decryption of encrypted data is possible. With this method, it is possible to manage the user who performed the decoding, the date and time, the number of times, and the like. However, if the encrypted data is perpetuated as it is, the encrypted data may be leaked to hackers or the like, or the encryption may be decrypted due to a future improvement in computer performance. Also, since the data once decrypted is not managed, it is impossible to prevent the decrypted data from leaking out.

  In the conventional method of waiting for transmission in data transmission, if the standby time is short, the transmission is performed before the transmission error is noticed. There is a problem that real-time performance is impaired when the standby time is long. Furthermore, there is no legitimate means for once deleting the transmitted data or making it impossible to refer to it. Also, this method cannot prevent information leakage due to data eavesdropping.

  In the method of transmitting data together with information on the referenceable time to a reliable relayer, the secret information of the sender is known to the relayer unless the transmission data is encrypted. When the transmission data is encrypted with the recipient's public key, the secret information is not known to the relay party, but since the transmission data is decrypted by the receiver, the transmission data remains in the receiver after all. Further, since there is no means for the sender to confirm whether or not the information sent to the relay party has actually been erased, the possibility that the relay station will permanently store the data cannot be denied. In this case, there is a risk that the encrypted data will be decrypted if the computing ability of the computer is improved in the future.

  In view of the above background, an object of the present invention is to provide an information communication method that reduces the risk of leakage of secret information.

  The information communication method of the present invention is an information communication method for transmitting data from a transmitting station to a receiving station, wherein the transmitting station transmits the first encrypted data and the second encrypted data to be transmitted by a secret sharing method. Dividing into encrypted data; the transmitting station transmitting a data identifier of the transmission data and the first encrypted data to a relay station; and the relay station transmitting the data identifier and the first data. Storing encrypted data; the relay station generating an access address for accessing the first encrypted data; and transmitting the access address to the transmitting station; Transmitting the data identifier of the data to be transmitted, the second encrypted data, and the access address to the receiving station; and Transmitting the data identifier, the relay station transmitting the first encrypted data corresponding to the data identifier transmitted to the access address to the receiving station, and the receiving station Comprises restoring the transmission data based on the first encrypted data and the second encrypted data.

  In this way, by the secret sharing method, the transmission data is divided into the first encrypted data and the second encrypted data, the first encrypted data is transmitted to the relay station, and the second encrypted data is transmitted to the receiving station. Since it is configured to transmit, even if the first encrypted data or the second encrypted data is wiretapped, the transmitted data cannot be restored, and the safety of information communication can be improved. In addition, since the transmission data cannot be restored only from the first encrypted data transmitted to the relay station, the transmission data will not be restored at the relay station even if the computing capacity of the computer is improved in the future.

  Here, the “secret sharing method” is an encryption method in which a plurality of encrypted data is generated from original information and the original information cannot be restored unless the divided encrypted data is collected. In this method, the original information cannot be restored unless all the encrypted data divided into n pieces are collected (n-out-of-n distributed method), and k out of n pieces of encrypted data are stored. There is a method (k-out-of-n distributed method) that can restore the original information if collected. In the present invention, any method may be adopted, but it is necessary that the original transmission data can be restored from the first encrypted data transmitted to the relay station and the second encrypted data transmitted to the receiving station. .

  In the information communication method of the present invention, when the relay station receives the data identifier from the receiving station, the relay station transmits the data identifier to the transmitting station, and the first encrypted data related to the data identifier is transmitted. The relay station transmits the first encrypted data to the receiving station when there is a response from the transmitting station that transmission is possible. May be.

  In this way, the transmitting station controls whether to transmit data to the receiving station by adopting a configuration that requires permission of the transmitting station to transmit the first encrypted data to the receiving station. be able to. When there are a plurality of transmission destination reception stations, it is possible to control whether or not transmission is performed for each reception station.

  In the information communication method of the present invention, the relay station generates a deletion address for deleting the first encrypted data, and transmits the deletion address to the transmission station. A step of transmitting the data identifier to a deletion address and a step of the relay station deleting the first encrypted data corresponding to the deletion address may be provided.

  With this configuration, the transmitting station can delete transmitted data from the relay station so that transmission data does not leak from the relay station.

  The information communication method of the present invention is a software in which a secret key for decryption is incorporated in the receiving station, and the software is installed to allow the transmission data to be used without leaking outside, The transmitting station may include a step of encrypting the transmission data with a public key corresponding to the secret key of the destination receiving station before performing secret sharing of the transmission data.

  Since the transmission data is encrypted by using the secret key embedded in the software that is used without leaking the transmission data to the outside in this way, the transmission data can be decrypted only by the software. When using the transmission data in, data can be prevented from leaking outside.

  In the information communication method of the present invention, stochastic encryption may be performed in the encryption step.

  By performing probability encryption in this way, it is possible to prevent the correspondence between transmission data and encrypted data from being specified.

  The information communication method of the present invention may comprise a step of authenticating each station before transmitting / receiving data among the transmitting station, the relay station, and the receiving station.

  Thus, by performing authentication of each station, security can be further improved.

  In the information communication method of the present invention, the transmitting station may calculate a hash value of the first encrypted data or the second encrypted data and use the hash value as the data identifier.

  Since the hash value is almost unique to the first encrypted data or the second encrypted data (in theory, it is not unique, but it can be regarded as unique in practice). It can be used effectively.

  An information communication system according to the present invention is an information communication system for transmitting data from a transmitting station to a receiving station using a relay station, wherein the transmitting station transmits transmission data to be transmitted by a first encryption method using a secret sharing method. Means for dividing the encrypted data into second encrypted data, means for transmitting the data identifier of the transmission data and the first encrypted data to the relay station, and the first encrypted data from the relay station. Means for receiving an access address for accessing the data, and means for transmitting the data identifier of the transmission data and the access address to the receiving station, wherein the relay station transmits the data identifier transmitted from the transmitting station. And means for storing the first encrypted data, means for generating the access address and transmitting the access address to the transmitting station, and from the receiving station, Means for transmitting the first encrypted data corresponding to the data identifier to the receiving station when the data identifier is received for the access address, and the receiving station is transmitted from the transmitting station. Means for receiving the second encrypted data and the access address; means for transmitting the data identifier to the access address; and receiving the first encrypted data transmitted from the relay station. And means for restoring transmission data based on the first encrypted data and the second encrypted data.

  According to the present invention, the transmission data is divided into the first encrypted data and the second encrypted data by the secret sharing method, the first encrypted data is transmitted to the relay station, and the second encrypted data is received. Since it is configured to transmit to the station, even if the first encrypted data or the second encrypted data is wiretapped, the transmitted data cannot be restored, and the safety of information communication can be improved.

It is a figure which shows the outline | summary of the information communication method of embodiment. It is a figure which shows the structure of a transmission station. It is a figure which shows the structure of a relay station. It is a figure which shows the structure of a receiving station. It is a figure which shows the flow of a data transmission process. It is a figure which shows the flow of a data transmission process. It is a figure which shows the flow of a data transmission process. It is a figure which shows the flow of a data reception process. It is a figure which shows the flow of a data reception process. It is a figure which shows the flow of a data deletion process.

Hereinafter, an information communication system and an information communication method according to embodiments of the present invention will be described.
(Overview)
FIG. 1 is a diagram showing an overview of the information communication system of the present embodiment. First, after describing the outline with reference to FIG. 1, a detailed configuration will be described. As shown in FIG. 1, the information communication system includes a transmitting station S that transmits data, a receiving station R that receives data, and a relay station M that relays part of data transmission and reception. Data transmitted in the present embodiment is referred to as original data D.

  In the information communication system of the present embodiment, the original data D is not transmitted from the transmitting station S to the receiving station R, but is divided into share E_D_M and share E_D_R, share E_D_M is transmitted to the relay station M, and share E_D_R is Transmit to receiving station R. Share E_D_M and share E_D_R are data that cannot restore original data D alone. The receiving station R receives the share E_D_M from the relay station M, and restores the original data D using the share E_D_R received from the transmitting station S and the share E_D_M received from the relay station M.

  This flow will be described with reference to FIG. The transmitting station S first divides the original data D into share E_D_M and share E_D_R. Next, the transmitting station S transmits to the relay station M the data identifier that identifies the original data and the share E_D_M generated by the division.

  The relay station M stores the data identifier transmitted from the transmitting station S and the share E_D_M in association with each other, and generates an access address U_G for the data identifier. The relay station M transmits the access address U_G to the transmission station S.

  The transmitting station S transmits the data identifier, the share E_D_R, and the access address U_G received from the relay station M to the receiving station R. The receiving station R transmits a data identifier to the access address U_G received from the transmitting station S.

  When the relay station M receives the data identifier from the receiving station R, the relay station M transmits a share E_D_M corresponding to the data identifier to the receiving station R. When receiving the share E_D_M from the relay station M, the receiving station R restores the original data D using the share E_D_M received from the relay station M and the share E_D_R received from the transmitting station S.

  The overview of the information communication system and the information communication method of the present embodiment has been described above. The contents described above are only the most basic part of the present embodiment. Actually, a mechanism in which the transmitting station S has the authority to delete the share E_D_M from the relay station M, and each station In the data transmission / reception, the processing for authenticating the legitimacy of each station is included. Details will be described below.

(System configuration)
FIG. 2 is a diagram illustrating a configuration of the transmission station S. The transmitting station S has a transmission processing unit 10. The transmission processing unit 10 includes a digital signature public key management unit 12, a relay station authentication unit 14, a relay data registration unit 16, and a data division unit 22. The relay station authentication unit 14 has functions of generating a random message, generating a digital signature, and calculating a signature hash. The relay data registration unit 16 includes a digital signature unit 18 and a data access hash calculation unit 20. Here, the digital signature unit 18 has functions of generating a random message, calculating a signature hash, and calculating digital signature data. The data dividing unit 22 has a (k, n) threshold secret sharing unit 24. The (k, n) threshold secret sharing unit 24 has a function of generating a random number.

  The transmitting station processing unit 10 includes an encrypted public key management unit 26, a data encryption unit 28, a data transmission unit 30, a data transmission log management unit 34, and a data deletion unit 36. The data encryption unit 28 has functions of generating random numbers and calculating encrypted data. The data transmission unit 30 has an access information file generation unit 32.

  FIG. 3 is a diagram showing the configuration of relay station M. The relay station M includes a relay processing unit 40. The relay processing unit 40 includes a digital signature private key management unit 42, a digital signature unit 44, a transmission station authentication unit 46, a reception station authentication unit 48, The relay data registration unit 50, the relay data deletion unit 52, the relay data transfer unit 54, and the relay data management unit 56 are included. The digital signature unit 44 has functions of calculating a signature hash and calculating digital signature data. The transmitting station authentication unit 46 has functions for verifying a digital signature and calculating a hash for signature. The receiving station authentication unit 48 has a function of verifying a digital signature and calculating a hash for signature. The relay data registration unit 50 has a function of generating an access address and a deletion address. The relay data management unit 56 includes a share management unit 58 and an access management unit 60.

  FIG. 4 is a diagram illustrating a configuration of the receiving station R. The receiving station R has a reception processing unit 70. The reception processing unit 70 includes an access information decryption unit 72, a relay data reception unit 74, a relay station authentication unit 78, a secure on-memory decryption unit 80, and a data copy protection function 94. The access information decryption unit 72 has a function of decrypting public key encryption. The relay data receiving unit 74 has a digital signature unit 76. The digital signature unit 76 has functions for generating a random message, calculating a signature hash, and calculating digital signature data. The relay station authentication unit 78 has functions of generating a random message, verifying a digital signature, and calculating a hash for signature.

  The secure on-memory decryption unit 80 includes a data combination unit 82, which includes a (k, n) threshold secret sharing unit 84, a memory access protection function 86, a data decryption unit 88, And a data utilization unit 92 that performs authentication and statistical processing. The data decryption unit 88 includes a secret key management unit 90 that manages the secret key of the receiving station S, and has a function of decrypting data encrypted with the public key of the receiving station S. The data replication protection function 94 is a function for suppressing data replication so that received data is not leaked to the outside, and has a clipboard function suppression, a screen capture function suppression, a printing function suppression function, and the like.

  The software (program) for realizing the reception processing unit 70 is distributed from the transmission station S and installed in the reception station R. As described above, the software that realizes the reception processing unit 70 includes the secret key of the receiving station R, and this software can only be used to decrypt the data transmitted from the transmitting station S. Since this software is provided with the data copy protection function 94, the data transmitted from the transmitting station S cannot be copied. With this configuration, the original data D received and decoded by the receiving station S is copied from the receiving station S and is not distributed.

  Although not shown in FIG. 1, there is a station T that each station trusts, and the station T holds data (data for digital signature) for authenticating each station and discloses it to each station. However, in the following, for the sake of simplicity, it is assumed that these public data are obtained in advance from stations that each station trusts.

  Each station holds digital signature secret data for authenticating each station. Let SX_S, SX_M, and SX_R be the digital signature private keys of the transmitting station S, relay station M, and receiving station R, respectively. SV_S = SG ^ (-SX_S) (mod SP), SV_M = SG, the public data (SP, SQ, SG) published by the trusting station T and the public key data generated from them by the private key of each station Let ^ (-SX_M) (mod SP), SV_R = SG ^ (-SX_R) (mod SP). Here, SP and SQ are sufficiently large prime numbers, and SG is a number belonging to the residue class Z_SP that satisfies SG ^ SQ = 1 (mod SP). “^” Means exponentiation, and mod SP means the remainder of a number SP. Let SH (•, •) be a hash function with two arguments for digital signature. Here, for the sake of simplicity, it is assumed that a zero knowledge proof type Schnorr signature is used for the digital signature, but other zero knowledge proof type signatures may be used. For the hash function, Merkle-Damagard transformation can be used.

Each station uses public key cryptography in addition to digital signatures. The private key of the receiving station R is CX_R, and the public key is (CP_R, CG_R, CY_R). The secret key CX_R is managed by the secret key management unit 90 in the software distributed to the receiving station R, and the user of the receiving station S cannot export the secret key. Here, CP_R is a sufficiently large prime number, CG_R is the primitive element of the remainder class Z_CP_R, the secret key CX_R is an element of the remainder class Z_ (CP_R-1), and the public key and the secret key are Each satisfies the following relationship:
CY_R = CG_R ^ (CX_R) (mod CP_R).

  Here, for simplicity, it is assumed that ElGamal encryption is used for public key encryption, but other probabilistic public key encryption may be used.

(Data transmission process)
5 to 7 are diagrams showing the flow of data transmission processing. The transmitting station S creates transmission information to be transmitted (S10) and designates a transmission destination (S12). Here, plain text transmission data created by the transmission station S is referred to as original data D. Hereinafter, for simplicity, it is assumed that the original data D is an element of the remainder class Z_CP_R.

(Relay station authentication process)
For data transmission, first, it is authenticated that the preset relay station M is an official relay station. Digital signatures are used for this purpose. When the transmission station S executes transmission after editing transmission data, the following procedure is followed.

  First, the relay station M is requested for digital signature data of the relay station M (S14). In response to the request from the transmission station S, the relay station M transmits the digital signature S_M to the transmission station S (S16). The transmitting station S verifies the received digital signature (S18). Only when it is authenticated that it is an official relay station M (YES in S18), the following transmission process is executed. If the authentication fails (NO in S18), the transmission process is stopped. The relay station M is authenticated using a digital signature. Here, zero-knowledge Schnorr authentication is used as follows.

(Relay station authentication process-details)
The transmitting station S generates a trial message M1 that is randomly generated. This message M1 is transmitted to the relay station M to request digital signature data. In response to this request, the relay station M first randomly selects the number R1 from the remainder class Z_SQ, and calculates X1 = SG ^ (R1) (mod SP). Next, C1 = SH (M1, X1) is calculated using the hash function SH. Further, Y1 = R1 + SX_M · C1 (mod SQ) is calculated using the secret key SX_M of the relay station M. Here, “·” represents a product. The relay station M returns S_M = (C1, Y1) calculated for the received message M1 to the transmitting station.

  The transmitting station S calculates X1 ′ = SG ^ (Y1) · SV_M ^ (C1) from the received S_M = (C1, Y1), and further calculates a hash value C1 ′ = SH (M1, X1 ′). If C1 = C1 ′, it is authenticated that the relay station M is an official relay station, and if not, the transmission processing is stopped as an unauthorized relay station.

(Raw data encryption processing)
Next, the transmitting station S calculates encrypted data E_D using the public key (CP_R, CG_R, CY_R) of the receiving station R selected from the original data D (S20). Here, ElGamal encryption is used for this encryption, and calculation is performed as follows. First, the number R2 is randomly selected from the remainder class Z_ (CP_R-1), and the encrypted data E_D is calculated as follows.
E_D = (E_D_1, E_D_2) = (CG_R ^ R2 (mod CP_R), D ・ CY_R ^ R2 (mod CP_R))

  The reason why probabilistic public key cryptography is used here is to generate different cipher data E_D every time even if the same original data D has been sent in the past. In this way, even if the correspondence between the contents of the original data D sent before and the encrypted data E_D is leaked, it can be prevented from being affected by it.

(Digital signature processing for transmission data)
Next, the transmitting station S generates a digital signature from the encrypted data E_D (S22). The transmitting station S randomly selects the number R3 from the remainder class Z_SQ as a digital signature to be added to the encrypted data E_D, and calculates X3 = SG ^ (R3) (mod SP). Next, C3 = SH (E_D, X3) is calculated using the hash function SH. Further, Y3 = R3 + SX_S · C3 (mod SQ) is calculated using the secret key SX_S of the transmitting station S.

  In the following, the digital signature S_E_D = (C3, Y3) is used to check that after the receiving station R decrypts the received data, it is indeed the encrypted data E_D transmitted from the correct transmitting station S .

  The digital signature added to the encrypted data E_D is that when the data transmitted from the transmission station S to the relay station M is later deleted, the deletion instruction surely came from the legitimate transmission station S of the data. It is used to verify that.

(Transmission data division processing)
The description will be continued with reference to FIG. Next, the transmitting station S secretly distributes the encrypted data E_D into a plurality of data (S24). Here, Shamir's (k, n) -threshold secret sharing method is used. This is because it is possible to divide the original data D into n distributed data (called shares) and restore the original data D when any k or more shares are collected. The original data D cannot be restored from less than one share.

  In the present embodiment, the transmitting station S divides each of the encrypted data E_D_1 and E_D_2 into three shares. In FIG. 1, two shares E_D_M and E_D_R are mentioned for the sake of outline, but in this embodiment, after dividing into three shares, two of them are used for information transmission. Let E_D_1 share (E_D_1_1, E_D_1_2, E_D_1_3). Similarly, the share of E_D_2 is set to (E_D_2_1, E_D_2_2, E_D_2_3).

(Transmission data division processing-Share creation method)
Here, a method for creating a share will be described. For threshold secret sharing, the congruence of the legal TP shall be used. Hereinafter, a case where n = 3 and k = 2 will be described. First, a number H1 is randomly selected from the remainder class Z_TP, and a polynomial f1 (X) = E_D_1 + H1 · X (mod TP) is generated. (Here, CP_R ≦ TP is assumed.) Using this polynomial, a share is created as follows.
E_D_1_1 = f1 (1), E_D_1_2 = f1 (2), E_D_1_3 = f1 (3)

Similarly, E_D_2 selects a number H2 randomly from the remainder class Z_TP, and generates a polynomial f2 (X) = E_D_2 + H2 · X (mod TP). Using this polynomial, create a share as follows:
E_D_2_1 = f2 (1), E_D_2_2 = f2 (2), E_D_2_3 = f2 (3)

  Hereinafter, for simplicity, it is assumed that E_D_S = (E_D_1_1, E_D_2_1), E_D_M = (E_D_1_2, E_D_2_2), E_D_R = (E_D_1_3, E_D_2_3). These are also called shares.

(Relay data registration process)
Next, a procedure for transmitting share E_D_M to relay station M will be described. First, the transmitting station S generates a hash value H_E_D = H (E_D_S) using the hash function H from the share E_D_S (S26). Here, the hash value H_E_D is used as information for identifying the transmission data D. That is, the hash value H_E_D corresponds to the data identifier described in the overview.

  Further, the transmitting station S gives a digital signature S_S so that the relay station M can authenticate the transmitting station S (S28). First, the transmitting station S randomly generates a message M4, selects a number R4 randomly from the remainder class Z_SQ, and calculates X4 = SG ^ (R4) (mod SP). Next, C4 = SH (M4, X4) is calculated using the hash function SH. Further, using the secret key SX_S of the transmitting station S, Y4 = R4 + SX_S · C4 (mod SQ) is calculated.

  The transmitting station S transmits the digital signature S_S = (M4, C4, Y4), the share E_D_M, the hash value H_E_D, and the identifier ID_R of the receiving station to the relay station M (S30). The relay station M verifies the received digital signature S_S and confirms that it is sent from the official transmitting station S (S32). The description of the verification procedure is omitted because it is the same as the relay station authentication process. If the transmitting station S can be authenticated (YES in S32), the process proceeds to the following process. If the transmitting station S cannot be authenticated (NO in S32), the process is interrupted.

  The relay station M stores the share E_D_M in association with the hash value H_E_D (S34). Further, the identifier ID_R of the given receiving station R is stored in association with the hash value H_E_D.

  The description will be continued with reference to FIG. Subsequently, the relay station M uses the hash value H_E_D to generate an address U_G for accessing the relay data and an address U_D for deleting the relay data (S36). By designating these addresses, the relay station M can know the corresponding hash value H_E_D, and hence the associated share E_D_M and the identifier ID_R of the receiving station R can be specified.

  After performing the above processing, the relay station M returns the access address U_G and the deletion address U_D to the transmission station S (S36).

  Note that the relay station M cannot restore the encrypted data E_D only from the received share E_D_M.

(Data transmission process)
When the transmitting station S receives the access address U_G and the deletion address U_D from the relay station M, the transmitting station S sets the hash value H_E_D and the access address U_G as access information F = (H_E_D, U_G), and performs the same process as the encryption of the original data D. The encrypted access information E_F is generated using the public key of the receiving station R (S38). That is, the number R5 is randomly selected from the remainder class Z_ (CP_R-1), and the encrypted access information E_F is calculated as follows.
E_F = (E_F_1, E_F_2) = (CG_R ^ R5 (mod CP_R), F · CY_R ^ R5 (mod CP_R)).

  After completing the above procedure, share E_D_R, encrypted access information E_F, and digital signature S_E_D are transmitted from the transmitting station S to the receiving station R (S40). In the transmitting station S, the original data D, the deletion address U_D, and the identifier ID_R of the receiving station are stored in association with each other (S42). In the present embodiment, an example in which the original data D is left in the transmitting station S has been described. However, a configuration in which the original data D is not left in the transmitting station S is possible. By adopting a configuration that does not leave the original data D, the risk of leakage of the original data D can be reduced.

  Here, even if the data transmitted from the transmitting station S to the receiving station R is eavesdropped, only part of the share is included in the transmitted data, so the encrypted data E_D cannot be restored only with this data. Note that you can't. Further, since the access information F is encrypted using the public key of the receiving station R, it is difficult to know the access information F.

(Data reception processing)
8 and 9 are diagrams illustrating a flow of data reception processing by the receiving station R. FIG. With reference to FIG. 8 and FIG. 9, the procedure from the time when the receiving station R receives data from the transmitting station S to the restoration of the original data D will be described.

(Access information restoration process)
First, the receiving station R receives the encrypted access information E_F, the share E_D_R, and the digital signature S_E_D transmitted from the transmitting station S (S44). The receiving station R restores the encrypted access information E_F = (E_F_1, E_F_2) as follows using the private key of the receiving station R.
F = E_F_2 ・ E_F_1 ^ (CP_R-1-CX_R) (mod CP_R)

  The receiving station R acquires the access address U_G and the hash key H_E_D from the restored access information F = (H_E_D, U_G) (S46).

(Digital signature processing)
The receiving station R generates and assigns a digital signature S_R so that the relay station M can authenticate the receiving station R (S48). Specifically, the receiving station R first generates a message M6 randomly, selects a number R6 randomly from the remainder class Z_SQ, and calculates X6 = SG ^ (R6) (mod SP). Next, C6 = SH (M6, X6) is calculated using the hash function SH. Further, using the secret key SX_R of the receiving station R, Y6 = R6 + SX_R · C6 (mod SQ) is calculated. From the above, the digital signature S_R = (M6, C6, Y6) is obtained.

(Relay data request processing)
The receiving station R obtains the access address U_G of the relay station M from the restored access information F = (H_E_D, U_G), and transmits the hash key H_E_D and the digital signature S_R = (M6, C6, Y6) to this address. (S50).

(Receiving station authentication process)
When the relay station M receives the hash key H_E_D and the digital signature S_R transmitted to the address U_G, the relay station M authenticates the receiving station R using the digital signature S_R (S52). Specifically, the relay station M first obtains the public key SV_R of the digital signature of the receiving station R from the identifier ID_R of the receiving station R associated with the hash key H_E_D. The relay station M calculates X6 ′ = SG ^ (Y6) · SV_R ^ (C6), and further calculates a hash value C6 ′ = SH (M6, X6 ′). If C6 = C6 ′ (YES in S54), the receiving station R is authenticated as an authorized receiving station, and if not (NO in S54), the processing is performed as an unauthorized receiving station. Discontinue.

  Even if the data transmitted from the transmitting station S to the receiving station R is eavesdropped and the encrypted access information F is decrypted and the relay station M is requested to acquire the relay data, the eavesdropping is performed. Note that it is difficult for a station to clear the authentication of this receiving station R because it is difficult to generate a digital signature of the formal receiving station R.

(Relay data transmission processing)
If the receiving station R can be authenticated (YES in S54), the relay station M checks whether the share E_D_M associated with the hash key H_E_D has been invalidated from the transmitting station S (described later in “data deletion process”) ( S56). If the share E_D_M is valid (YES in S56), the relay station M transmits the share E_D_M to the receiving station R (S58). If it is invalid, the processing is stopped (NO in S56).

  If the data has not been deleted, the relay station M may inquire the transmitting station S as a check to see if the share E_D_M has been invalidated. That is, the hash key H_E_D and the receiving station identifier ID_R are transmitted from the relay station M to the transmitting station S, and an inquiry is made as to whether the share E_D_M can be transmitted to the receiving station S specified by the receiving station identifier ID_R. . As a result, when the transmission station S returns a response indicating that transmission is possible, the relay station M determines that the share E_D_M is valid. With this configuration, when there are a plurality of receiving destinations, the transmitting station S can determine the validity / invalidity of the share E_D_M for each receiving station R.

(Distributed data restoration processing)
When receiving the share E_D_M from the relay station M, the receiving station R restores the encrypted data E_D. Here, it is assumed that the following calculations are all executed on the volatile memory and that no data is left on the nonvolatile memory. Also, on a system having a clipboard function, a screen capture function, a print function, etc., if these functions are enabled, disable these functions so that they cannot be used (S60), The following processing is executed. In the present embodiment, the digital signature private key SX_R as the receiving station R is given only to a system in which such a protection function is guaranteed. The relay station M checks with a digital signature that it is a legitimate receiving station and has such a protection function.

  The receiving station R restores the encrypted data E_D from the share E_D_M received from the relay station M and the share E_D_R received from the transmitting station S (S62). Specifically, the receiving station R restores the secret-distributed data as follows. That is, E_D_1_2 = f1 (2) and E_D_1_3 = f1 (3) are solved as simultaneous equations relating to the coefficient of f1 (X), and the polynomial f1 (X) is specified. Since the (2,3) -threshold secret sharing method is used, the polynomial f1 (X) is always determined as long as E_D_1_2 and E_D_1_3 are valid distributed data. Therefore, E_D_1 = f1 (0) is obtained by substituting 0 for X of the polynomial f1 (X). Similarly, E_D_2_2 = f2 (2) and E_D_2_3 = f2 (3) are solved as simultaneous equations regarding the coefficient of f2 (X), the polynomial f2 (X) is specified, and E_D_2 = f2 (0) is obtained. In this way, encrypted data E_D = (E_D_1, E_D_2) is obtained.

(Authentication of transmitting station)
In order to confirm that the restored data E_D is indeed data transmitted from the transmitting station S and that the restored data is not forged, the digital signature S_E_D = (C3, Y3) of the transmitting station S Is used for authentication (S64). The receiving station R calculates X3 ′ = SG ^ (Y3) · SV_S ^ (C3), and further calculates a hash value C3 ′ = SH (E_D, X3 ′). If C3 = C3 ′ (YES in S66), it is confirmed that the encrypted data E_D is certainly sent from the official transmitting station S, and the process proceeds to the following process. If the authentication fails (NO in S66), the process is stopped.

(Restore encryption data)
When the authentication of the encrypted data E_D = (E_D_1, E_D_2) is successful, the receiving station R decrypts the encrypted data and obtains the original data D (S68).
D = E_D_2 ・ E_D_1 ^ (CP_R-1-CX_R) (mod CP_R).

(Process using original data)
The restored original data D is used for authentication or statistical processing in the receiving station R (S70). At this time, it is assumed that the formal receiving station R guarantees that the encrypted data E_D and the original data D are not copied (assigned) to other variables.

  However, in the case of statistical processing, the original data is not necessarily required, and the encrypted data E_D may be used for statistical processing as it is. In that case, it is desirable that the encrypted data E_D is not decrypted.

  When the use of the original data D or the encrypted data E_D is completed, the encrypted data E_D and the original data D are safely deleted from the volatile memory (S72). “Erase safely” means to release the memory by overwriting another random data in the position on the memory.

  In addition, the invalidated setting is disabled so that the clipboard function, the screen capture function, the printing function, etc. cannot be used (returns to the original setting) (S74).

(Data deletion process)
FIG. 10 is a diagram showing the flow of data deletion processing. In the present embodiment, the transmitting station S can delete the access right of the receiving station R to the share E_D_M sent to the relay station M so that the receiving station R cannot restore the transmitted data once. Share E_D_M may be deleted from relay station M. Note that even if not deleted, the relay station M alone cannot restore the data E_D before distribution.

(Relay station authentication)
In order to delete the access right of the receiving station R to the share E_D_M in the relay station M, the target relay station M is first authenticated (S80 to S84). This process is the same as the process (S14 to S18) described in (Data transmission process).

(Transmission station digital signature generation)
If the authentication of the relay station M is successful, when the relay station M executes the access right deletion process, it generates a digital signature S_S for confirming that the command is issued from the official transmitting station S (S86). This process is the same as the process described in (Data transmission process).

(Access right deletion processing)
When registering the share E_D_M, the transmitting station S transmits the hash key H_E_D, the digital signature S_S, and the identifier ID_R of the receiving station R to the deletion address U_D issued from the relay station M (S88).

  The relay station M authenticates the digital signature of the transmitting station S (S90). If the authentication fails (NO in S92), the process is stopped. If the authentication is successful (YES in S92), the relay station M invalidates the access right to the share E_D_M of the identifier ID_R of the receiving station R associated with the hash key H_E_D (S94).

  At this time, it should be noted that the relay station M cannot restore the data E_D before distribution even if the share E_D_M remains in the relay station M. Further, the relay station M may actually delete the data instead of controlling the presence or absence of the access right.

  The case where there is a single receiving station R has been described above, but the present invention can be easily expanded when there are a plurality of receiving stations R. In that case, the transmitting station S can individually delete the right of relay data access to each receiving station R.

  Note that a normal electronic mail mechanism can be used for data communication between stations. Further, a method based on the REST protocol may be used between the transmitting station S and the relay station M and between the receiving station R and the relay station M. In this case, POST is used to register relay data, PUT is used to acquire relay data, and DELETE is used to delete relay data.

  As described above, according to the present invention, the safety of information communication can be improved, and it is useful for highly confidential mail transmission and the like.

S Transmitting station
M Relay station
R receiving station 10 transmission processing unit 12 digital signature public key management unit 14 relay station authentication unit 16 relay data registration unit 18 digital signature unit 20 data access hash calculation unit 22 data division unit 24 (k, n) threshold secret sharing unit 26 Encryption public key management unit 28 Data encryption unit 30 Data transmission unit 32 Access information file generation unit 34 Data transmission log management unit 36 Data deletion unit 40 Relay processing unit 42 Digital signature private key management unit 44 Digital signature unit 46 Transmission station authentication Unit 48 receiving station authentication unit 50 relay data registration unit 52 relay data deletion unit 54 relay data transfer unit 56 relay data management unit 58 share management unit 60 access management unit 70 reception processing unit 72 access information decoding unit 74 relay data reception unit 76 digital Signature unit 78 Relay station authentication unit 80 Secure on-memory decryption unit 82 Data connection Combiner 84 (k, n) threshold secret sharing unit 86 Memory access protection function 88 Data decryption unit 90 Secret key management unit 92 Data use unit 94 Data copy protection function

Claims (7)

An information communication method for transmitting data from a transmitting station to a receiving station,
Installing software that incorporates a secret key for decryption into the receiving station, and that allows transmission data transmitted from the transmitting station to be used without leaking outside;
The transmitting station encrypts the transmission data with a public key corresponding to a secret key of a destination receiving station;
It said transmitting station, dividing the transmission data to the first encrypted data and the second encrypted data by a secret sharing scheme,
The transmitting station transmitting a data identifier of the transmission data and the first encrypted data to a relay station;
The relay station storing the data identifier and the first encrypted data;
The relay station generating an access address for accessing the first encrypted data, and transmitting the access address to the transmitting station;
The transmitting station transmitting to the receiving station a data identifier of data to be transmitted, the second encrypted data, and the access address;
The receiving station transmitting the data identifier to the access address;
The relay station transmitting the first encrypted data corresponding to the data identifier transmitted to the access address to the receiving station;
The receiving station restoring the transmission data based on the first encrypted data and the second encrypted data;
The receiving station decrypting the transmission data using the secret key;
An information communication method comprising: When the relay station receives the data identifier from the receiving station, the relay station may transmit the data identifier to the transmitting station and transmit first encrypted data related to the data identifier to the receiving station With steps to inquire
The information communication method according to claim 1, wherein the relay station transmits the first encrypted data to the receiving station when there is a response indicating that transmission is possible from the transmitting station. The relay station generates a deletion address for deleting the first encrypted data, and transmits the deletion address to the transmission station;
The transmitting station transmitting the data identifier to the deleted address;
The relay station deleting the first encrypted data corresponding to the deletion address;
The information communication method according to claim 1, further comprising: In the step of encrypting, probabilistic information communication method according to any one of claims 1 to 3 for encryption. Said transmitting station, the relay station, before transmitting and receiving data between each other of the receiving station, information communication method according to any one of claims 1 to 4 comprising the step of authenticating the respective stations. Said transmitting station, said first calculates the encrypted data or the hash value of the second encrypted data, the method of information communication according to one of claims 1 to 5 using the hash value as the data identifier . An information communication system for transmitting data from a transmitting station to a receiving station using a relay station,
The transmitting station is
Means for encrypting transmission data to be transmitted with a public key corresponding to a secret key of a destination receiving station;
It means for dividing the transmission data to the first encrypted data and the second encrypted data by a secret sharing scheme,
Means for transmitting the data identifier of the transmission data and the first encrypted data to the relay station;
Means for receiving an access address for accessing the first encrypted data from the relay station;
Means for transmitting the data identifier of the transmission data and the access address to the receiving station,
The relay station is
Means for storing the data identifier and the first encrypted data transmitted from the transmitting station;
Means for generating the access address and transmitting the access address to the transmitting station;
Means for transmitting the first encrypted data corresponding to the data identifier to the receiving station when the data identifier is received for the access address from the receiving station;
The receiving station is
Means for receiving the second encrypted data and the access address transmitted from the transmitting station;
Means for transmitting the data identifier to the access address;
Means for receiving the first encrypted data transmitted from the relay station;
Means for restoring transmission data based on the first encrypted data and the second encrypted data;
Wherein the the receiving station is a software that incorporates a secret key for decryption, it is installed software to use without leakage of transmission data transmitted from the transmitting station to the outside Information communication system.

Images