JP6040780B2 - Cryptographic processing apparatus, method and program - Google Patents

Description

  The present invention relates to a cryptographic processing apparatus, method, and program.

  In recent years, with the progress of information and communication technology, it has become extremely frequent that electronic computers are interconnected with other electronic computers. Along with this, there has been an increase in opportunities for electronic computers and data handled in them to be accessed by persons other than authorized owners and users, and for depositing such data to other computers for communication and processing. For this reason, a technique that enables operations such as comparison while keeping the original data secret has been devised and used.

One such technique is a cryptographic processing device that uses a cryptographic hash function (hereinafter, sometimes simply referred to as a hash function).
A hash function is defined as a mapping that, when applied to arbitrary data (original data), converts it into another data called a fixed-length hash value. That is, the cryptographic hash function always converts the same original data to the same hash value, but in most cases, different original data does not convert to the same hash value. A “good” hash function is a function in which a corresponding hash value undergoes random changes in response to regular changes in original data (for example, continuous increase / decrease in numerical values, inversion of specific bits, etc.).

  The cryptographic hash function refers to a hash function that has very strong randomness of the hash value and one-way conversion, and is highly secure. In other words, it is impossible or extremely difficult to derive the original data by looking at only the hash value without knowing the original data, or finding the relationship or regularity between the original data by looking at only the plurality of hash values. Refers to things. MD5, SHA-1, SHA-2, and the like are known as typical algorithms that function as cryptographic hash functions.

  Cryptographic hash functions are often used for security purposes because they are secure. For example, it is used for digital signatures, message authentication codes (MAC) and password authentication. Of these, for password authentication, in order to determine whether the user is a regular user, the hash value of the password registered in advance is compared with the hash value entered by the user. Determine user.

JP 2010-237653 A

RFC 2104 “HMAC: Keyed-Hashing for Message Authentication”

  When comparing two encrypted data obtained by applying a cryptographic hash function to the two data for the two unencrypted original data, the hash value will be completely different if the original data is slightly different. Therefore, it cannot be known that the original data is similar. Therefore, when encryption is performed using a hash function, there is a problem that it cannot be determined whether or not two original data are similar to each other even if the encrypted data are compared.

  For example, in order to determine whether or not a user is a regular user, when comparing a hash value of a password registered in advance with a hash value input by the user, a correct user sets a password different in one character a predetermined number of times. If you enter it incorrectly, account lock will occur. When an account lock occurs, there are problems that it is necessary for the administrator to release the lock and that it takes time and effort to accept the password again. In addition, when an account lock occurs, there is a problem that user data specified by an identifier (ID) corresponding to a password may be erased.

  In the case of password authentication, when an authorized user inputs an incorrect password, the input password is often “near” the correct password, for example, a partial character string matches. Here, that two character strings are “near each other” means that a relatively high portion of the entire character string matches. On the other hand, there are not many cases where the password entered by an attacker who tries to login after breaking the security is in the vicinity of the correct password. If the above two situations can be distinguished, it is possible to detect a situation in which a password is erroneously detected in spite of being a regular user, but there is a problem that there is no such method.

  Therefore, as one aspect, an object of the present invention is to provide an apparatus and a method for comparing similarities indicating whether or not two input character strings are in the “neighborhood” while keeping them secret.

There is provided an encryption processing apparatus that compares similarities indicating whether or not first and second input character strings are in the “neighborhood” while keeping them secret. The cryptographic processing device receives a character string obtained by inserting a first wildcard character used as an arbitrary character in a first input character string, or at least one character of the first input character string. A first similar character string group generation unit that generates a character string obtained by substituting one wildcard character as a first similar character string, and an encryption function that operates the first similar character string. A first encryption unit that generates a first comparison cipher value and a character string obtained by inserting a second wildcard character used as an arbitrary character into the second input character string, or A second similar character string group generation unit that generates a character string obtained by replacing at least one character of the two input character strings with the second wildcard character as a second similar character string; Apply the encryption function to similar strings A second encryption unit that generates a second comparison cipher value, and compares the first comparison cipher value with the second comparison cipher value to obtain the first input character string and the second And a similar encryption comparison unit that determines the similarity of the input character strings.

  In the cryptographic processing apparatus and method according to the embodiment, by comparing the hash value of two character strings, for example, the hash value of the entered password with the regular password, it is determined whether the two character strings are in the “neighborhood”. There is an effect that it can be determined.

It is a figure explaining the outline of password authentication. It is a figure which shows the example of a condition when receiving the online brute force attack from a regular user. It is a figure which shows the example of a condition when receiving the online brute force attack from the attacker. It is a figure which shows the example of the plaintext comparison system as one of the countermeasures against an online brute force attack. It is a figure which shows the example of the method of taking the hash value of all the neighborhood character strings as one of the countermeasures against an online brute force attack. It is a figure which shows another example of the method of taking the hash value of all the neighborhood character strings as one of the countermeasures against an online brute force attack. FIG. 6 is a diagram illustrating an outline of an example of a neighborhood hash generation method according to an embodiment of the disclosure. It is a figure which shows the example of the production | generation method of neighborhood hash. It is a figure which shows the example of the functional block of a cryptographic system. It is a figure which shows the example of the functional block of the similar hash production | generation part of FIG. It is a figure which shows the example of the functional block of the similar hash comparison part of FIG. It is a figure which shows the example of similar hash data. It is a block diagram which shows the example of a structure of a cryptographic processing apparatus or a 1st similar hash production | generation part, a 2nd similar hash production | generation part, and / or a similar hash comparison part. It is an example of the flowchart which shows the flow of a process in a similar character string production | generation process. It is an example of the flowchart which shows the flow of a process in the similar character string production | generation process corresponding to 1 character increase / decrease. It is an example of the flowchart which shows the flow of the process in the similar character string production | generation process corresponding to 2 character increase / decrease. It is an example of the flowchart which shows the flow of a process in a comparison process.

  In the following, there will be provided a cryptographic processing device, method and program for comparing the degree of similarity indicating whether or not the first and second input character strings are in the “neighborhood” while keeping them secret. Here, that two character strings are “near each other” means that a relatively high portion of the entire character string matches.

  In this specification, only the cryptographic hash function is dealt with among the hash functions. Therefore, unless otherwise specified, the cryptographic hash function and the cryptographic hash value are simply referred to as a hash function and a hash value, respectively. To do. Hereinafter, the terms “hash” and “hash value” may be treated equally.

  In addition, although the data serving as the input of the hash function is an arbitrary byte string, it will be described below as a character string in which an arbitrary number of characters are arranged for convenience. Actually, it may be data in which one character corresponds to one byte as in an ASCII character string, or a byte string resulting from character encoding of a character string may be input to a hash function as original data.

  The password may include not only a personal identification number but also a PIN, a passphrase, and the like.

<General description>
An outline of a password authentication method and an example of an attack method for the password authentication method will be described with reference to FIGS.

FIG. 1 is a diagram for explaining the outline of password authentication. In the following, in order to encrypt a character string, a method is used in which a hash function is applied to the character string as an encryption function, and a hash value (or simply hash) is obtained as an encryption value. However, the encryption function is not limited to the hash function such as MD2, MD4, MD5, and SHA, and other encryption functions may be used. The encryption function may include a one-way function such as a shift of a feedback shift register (LFSR), a bit of a shift, a remainder of a characteristic polynomial over a GF (2 ^m ) over an extended Galois field having 2 ^m elements. .

  As pre-processing, a correct hash is generated by applying a hash function H ′ to a correct password. In the example of FIG. 1, the hash function H ′ is applied to the correct password “p @ ssW0rd” to generate a correct hash “c6e71570a97”.

  At the time of authentication, the hash function H ′ is applied to the password input by the user to generate a hash (comparison hash) and compare it with the correct hash obtained in advance. If the comparison hash, which is a hash generated from the password input by the user, matches the correct hash, the user who inputs the character string is authenticated as a regular user.

  In the example of FIG. 1, it is assumed that a character string “password” is input by the user. When the hash function H ′ is applied to the character string, the hash “56529076e997” is obtained. When this is compared with the correct hash “c6e71570a97”, it does not match, so this user is not authenticated as a regular user.

  On the other hand, if a user inputs a character string “p @ ssW0rd” as a password, a hash “c6e71570a97” is obtained by applying a hash function H ′ to this character string. This matches the correct hash. Therefore, this user is authenticated as a regular user.

  In general, if the original data in the hash function is slightly different, the hash values obtained by operating the hash function are completely different, so it is impossible to know that the original data is similar. That is, it cannot be known from only the hash values that the two original data character strings are similar, for example, one character difference.

  FIG. 2A is a diagram illustrating an example of a situation when receiving an online brute force attack from a regular user. FIG. 2B is a diagram illustrating an example of a situation when receiving an online brute force attack from an attacker.

  Even if it is input from a legitimate user, there are situations where the password is mistaken several times in succession due to careless mistakes or suddenly being unable to remember the password. This is likely to occur frequently in the IT society where passwords are used everywhere, and regardless of age or sex, such as children or the elderly. In such a situation, a character string having some relationship with a correct password is often input. Moreover, if an authorized user mistakes the password several times in succession, an account lock occurs, and in order to make it possible again, not only will there be a time loss, such as waiting for a while or having the administrator release it, Data may be erased.

  In the example shown in FIG. 2A, even though the correct password is the character string “p @ ssW0rd”, the legitimate user is the character “similar” to the correct character string, such as the character string “password” or “passWord”. A column is entered.

  In addition, an attack may be set on the authentication system in order to steal confidential data such as personal data stored in the system from an unauthorized user.

  FIG. 2B is an example of a character string that is input as a password when an attack that attempts to break security by entering all character strings that an attacker can conceive. In this case, since the attacker does not have information on the correct password in advance, the character string often has nothing to do with the correct password. In the example of FIG. 2B, although the correct password is the character string “p @ ssW0rd”, the correct password and the correct character string such as the character string “xA51aaa” are not only long, but “similarity A character string that is not “near” or “near” the correct character string is input.

  If the two situations shown in FIG. 2A and FIG. 2B can be distinguished from each other, the accuracy of brute force detection will increase, the accuracy of account lock will increase, and it will be possible to lock with the correct user error Benefits such as a decrease in sex can be expected.

  However, if such a similarity match is possible, the similarity of the original data can be known only from the hash value, so there is a possibility that the safety is lower than when the similarity is unknown. In other words, an attacker who wants to know the original data of the hash value knows that the predicted original data is similar if it is similar even if it does not completely match the correct original data. It can be considerably narrowed. For this reason, there is a possibility that correct original data can be known with a smaller number of trials than when a similar match is not possible. In such similar matches, it is unavoidable to find out the desired similarity, but it is desirable not to know any further properties. In addition, by introducing secret information into the hash function processing using keyed hashing technology, it is possible to prevent even a similar match from being performed by a third party who does not know the secret information, thereby reducing the threat of reduced security. Sometimes you can.

  One of the methods for discriminating a password input mistake by a regular user from a password input mistake by an attacker is a plain text comparison method as shown in FIG.

  In this method, the input password is compared with the plain text of the correct password. However, there is a problem that storing plaintext passwords is dangerous. In particular, there is a possibility that the plain text of the correct password will be leaked or the administrator will peep. Even if the password is correctly encrypted, the password may be revealed if the encryption key leaks or the key is guessed.

  As another example of a method for discriminating a password input mistake by a legitimate user and a password input mistake by an attacker, a method of creating a hash value (similar hash value) for all data similar to one original data can be considered. If any of these hash values matches the hash value obtained from the other original data, it can be known that they are similar. For example, if the original data is “abcd”, one character difference such as “abcd”, “accd”, “adcd” in which the second character is replaced, such as “bbcd”, “cbcd”, “dbcd” in which the first character is replaced, etc. By creating all the similar data and creating their hash values, it can be seen that if one of the similar hash values matches the hash value of another original data, it is different by one character.

  FIG. 4 is a diagram showing an example of a method for storing hash values of all neighboring character strings as one of countermeasures against online brute force attacks, and FIG. 5 is a neighboring character string as one of countermeasures against online brute force attacks. It is a figure which shows another example of the method of keeping all the hash values.

  In FIG. 4, all character strings different from the character string “p @ ssW0rd”, which is a correct password, by one character are generated in advance. For example, the first character is deleted to “@ ssW0rd”, or the first character is replaced to “a @ ssW0rd”. Then, the hash function H ′ is applied to each of the character strings different from the correct password by one character to obtain a hash value. These hashes form a neighborhood hash group. A main hash which is a hash corresponding to the character string “p @ ssW0rd” which is a correct password is also obtained in advance.

  Here, the neighborhood hash group may be a collection of hash values generated from a character string in the “neighborhood” of a character string indicating a correct password.

  At the time of authentication, a hash function H ′ is applied to the input password, for example, “p @ ssW0rd” to obtain a comparison hash. In the case of FIG. 4, the character string “c6e715703a97” is obtained as the comparison hash. This comparison hash matches the main hash.

  In this method, if the password is n characters, there are about n × 96 elements in the neighborhood hash group (96 is the number of characters), and if n = 8, 768, 2 character differences and character insertion are considered. There are more elements in the neighborhood hash group.

  In FIG. 5, only the correct main hash is obtained in advance as the hash corresponding to the character string “p @ ssW0rd” which is a correct password.

  At the time of authentication, first, a hash function H ′ is applied to the input character string to obtain a main hash. Also, all character strings that differ from the input character string by one character are generated, and corresponding hashes are obtained from all these character strings. These hashes form a neighborhood hash group. The correct primary hash obtained in advance is compared with the elements of the primary hash and the neighborhood hash group related to the character string input at the time of authentication.

  In the case of FIG. 5, the hash corresponding to the character string “passW0rd” input at the time of authentication is different from the correct main hash, but one of the elements in the neighborhood hash group matches the correct main hash. In this case, it is determined that there is a high possibility that the input character string is a character string erroneously input by the authorized user.

  However, in this method, the number of necessary similar hash values is too large, and the processing amount for generating the hash values or the capacity for storing the generated hash values becomes enormous. Specifically, if the type of character is m and the maximum number of characters constituting the original data is n, approximately m × n hash values are required only to express the similarity of one character difference. For example, in the ASCII code, there are approximately 100 types of characters excluding control characters, and if the original data composed of these characters is a maximum of 16 characters, approximately 1600 similar hash values are required.

  FIG. 6 is a diagram illustrating an outline of an example of a neighborhood hash generation method according to the disclosed embodiment.

  In this method, for example, it is assumed that there are a character string a and a character string b to be compared. At this time, the hash value is calculated after first replacing the character at each position in the character string a with a wildcard character. A wild card character is a special character for expressing that it matches an arbitrary character in this method, and is a character used as a substitute for an arbitrary character. The wild card character may be anything as long as it is not a character that can be used for the original data, and one is determined in advance. The hash values calculated in this way are collected into a similar hash value set A of the character string a. Similarly, a similar hash value set B is calculated for the character string b. In order to perform the similarity comparison, it is compared whether any of the elements of A matches any of the elements of B. If there is a match, it can be seen that the character strings a and b are different by one character.

  In the example of FIG. 6, a character string is generated by replacing each position of the character string “p @ ssW0rd”, which is a correct password, with a wild card “_” in advance. A hash function h ″ is applied to these character strings.

  Also during authentication, a character string is generated by replacing each position of the input character string “passW0rd” with a wild card “_”. Then, the hash function h ″ is applied to these character strings. If the hash obtained in advance matches one of the hash values obtained at the time of authentication, the input password is different by one character. .

  These processes may be performed after determining that the hash corresponding to the character string input at the time of authentication is different from the hash corresponding to the correct password, or may be processed simultaneously.

In this way, if the password and n characters, the number of n hash to be saved in advance, the number is also n-number of hash to generate at the time of authentication, and n comparison of ^twice Thus, the password input error by a regular user attacker Can be used to identify password entry mistakes. Actually, the character string may be determined as a maximum of 16 characters, and the missing part may be padded.

  Further, when a similar hash value set is created by the above method, the length (that is, the number of characters) of the original character string is known from the size of the set (ie, the number of hashes included in the set). To prevent this, each character is replaced after padding the original character string. The padding process prepares a special padding character for representing padding in the same manner as the wildcard character, and adds it to the end of the original character string until the predetermined number of characters is reached. If the original character string is longer than the default number of characters, characters exceeding the default number can be removed and shortened, or the character string can be left as it is and replaced with wildcard characters up to the specified number of characters. Also good.

FIG. 7 is a diagram illustrating an example of a neighborhood hash generation method.
In addition to replacing the wildcard character with the original character, it may be inserted before or after the original character. Thereby, the similarity that one character is more or less can be detected. If the length is equalized by the padding, the last character is removed for the inserted length. In this case, the same character string is created when the padding character is replaced and when it is inserted before the padding character, and the number of padding characters from the number of pairs in which similar hash values match, that is, the original In order to avoid this, if the insertion position is immediately before the padding character, a change is made so that the character strings do not match. You may add padding characters at the beginning of the string.

  Wildcard characters can also be replaced or inserted at multiple positions. Thereby, not only one character but also a difference or increase / decrease in a plurality of characters can be regarded as similar and detected.

  In the example of FIG. 7, padding characters “.” Are inserted after the original 8-character string “abcdefgh” to generate a 16-character string “abcdefgh... Then, after replacing each position of the 16-character string “abcdefgh...” With the wild card character “_”, a hash function is applied (hashed). For example, if the first character of a 16-character string “abcdefgh...” Is replaced with a wild card, “_bcdefgh. The hash value “c6e095202b97” is obtained by acting.

  Although the padding character is “.” And the wildcard character is “_”, any character that is not used in the password may be used, and any number of bytes may be used. It may be a control character.

<Device configuration>
With reference to FIGS. 8 to 11, an example of a cryptographic processing apparatus having the above functions will be described.

  The cryptographic processing device 10 is realized as software on an electronic computer, but may be realized as hardware.

  FIG. 8 is a diagram illustrating an example of the configuration of the cryptographic processing apparatus 10 that performs similarity comparison. The cryptographic processing apparatus 10 includes a first similar hash generation unit 102, a second similar hash generation unit 104, and a similar hash comparison unit 106. The similar hash comparison unit 106 is electrically connected to the first similar hash generation unit 102 and the second similar hash generation unit 104. The first similar hash generation unit 102 and the second similar hash generation unit 104 respectively obtain the main hash values H (A), H (B) and similar hash data (neighboring hash group) from the input character string A and the input character string B. ) Generate NA and NB. The similar hash comparison unit 106 uses a combination of a main hash value and similar hash data created from a plurality of input character strings, and outputs a matching result and a similarity between the two. In FIG. 8, the similar hash comparison unit 106 includes the main hash value H (A) that is the output of the first similar hash generation unit 102 and the similar hash data NA, and the main hash that is the output of the second similar hash generation unit 104. The value H (B) is compared with the similar hash data NB.

  The first similar hash generation unit 102, the second similar hash generation unit 104, and the similar hash comparison unit 106 may be arranged physically separate from each other or may be arranged very close to each other. Moreover, these may be stored in one housing | casing and may be stored in a mutually separate housing | casing. When they are housed in separate housings, similar hash data created at one location is moved by communication and used for comparison at another location. In addition, either the first similar hash generation unit 102 or the second similar hash generation unit 104 may be housed in the same housing as the similar hash comparison unit 106. Here, even if they are not housed in the same casing, it is sufficient if they are close to each other. For example, they may be in the same building or in the same organization. The same applies to not only the physical arrangement but also the temporal arrangement. The generated similar hash data may be used immediately for comparison, or may be stored and compared later. One of the two similar hash data in the figure may be stored and the other may be generated at the time of comparison.

  FIG. 9 is a diagram illustrating an example of functional blocks of the similar hash generation units 102 and 104 in FIG. The similar hash generation units 102 and 104 have the same or similar configuration, and the similar hash generation unit 102 will be described below as an example. The similar hash generation unit 102 includes an input character reception unit 1020, a first hash function operation unit 1022, a similar character string group generation unit 1024, and a second hash function operation unit 1026. The similar hash generation unit 104 includes an input character reception unit 1040, a first hash function operation unit 1042, a similar character string group generation unit 1044, and a second hash function operation unit 1046, which are respectively input character reception units. 1020, the first hash function operation unit 1022, the similar character string group generation unit 1024, and the second hash function operation unit 1026 have the same or similar configuration and / or function.

  The similar hash generation unit 102 receives an input character string and outputs a main hash value and a similar hash value group.

  The input character reception unit 1020 receives the input character string as an input character string, and outputs the received input character string to the first hash function operation unit 1022 and the similar character string group generation unit 1024.

  The first hash function operating unit 1022 applies a hash function to the input character string received from the input character receiving unit 1020, and outputs the obtained hash value as the main hash value.

  As illustrated in FIG. 7, the similar character string group generation unit 1024 generates a plurality of similar character strings by modifying the input character string. As described above, wildcard characters are used for similar character strings. The similar character string generated by the similar character string group generation unit 1024 is output to the second hash function operation unit 1026.

  The second hash function operating unit 1026 operates the hash function on the similar character string received from the similar character string group generation unit 1024, and outputs the obtained hash value as similar hash data.

  The hash function used in the first hash function operating unit 1022 and the second hash function operating unit 1026 may be a cryptographic hash function. Further, the first hash function operation unit 1022 and the second hash function operation unit 1026 may not be the same algorithm. Further, the first hash function operation unit 1022 and the second hash function operation unit 1026 may use an algorithm that adds agitation information generally called salt, or an HMAC (message authentication code by hash) algorithm that uses key information. It doesn't matter. The first hash function operating unit 1022 and the second hash function operating unit 1026 are more secure and desirable if the algorithm itself and the value of the accompanying salt or key information are different than the same configuration and / or function.

  FIG. 10 is a diagram illustrating an example of the configuration of the similar hash comparison unit 106. The similar hash comparison unit 106 receives as input the main hash values H (A) and H (B) and similar hash data sets NA and NB for the two input character strings A and B, and indicates a match or a match. Output the result and similarity.

  The similar hash comparison unit 106 includes a main hash value comparison unit 1060 and a similar hash data comparison unit 1062.

  The main hash value comparison unit 1060 compares the main hash values H (A) and H (B), and determines that they are the same if they are the same value, and that they do not match.

  The similar hash data comparison unit 1062 compares the similar hash data and outputs the similarity.

  FIG. 11 shows an example of the structure of similar hash data. The similar hash data includes one or more sets of similarity and similar hash values. The similarity indicates how many characters the similarity hash value corresponds to from the original character string. The similar hash value is an output of the first hash function operation unit 1022 and the second hash function operation unit 1026, and the length and format depend on the hash function used. In FIG. 11, SHA-1 is assumed as an algorithm used, and an 80-bit (20-byte) hash value is expressed as a 40-digit hexadecimal number.

As described above, the cryptographic processing apparatus 10 can obtain at least one of the character string obtained by inserting the first wildcard character used as an arbitrary character into the first input character string, or the first input character string. A first similar character string group generation unit 1022 that generates a character string obtained by replacing one character with the first wildcard character as a first similar character string, and an encryption function is applied to the similar character string A first encryption unit 1026 for generating a first comparison cipher value, and a character string obtained by inserting a second wildcard character used as an arbitrary character in the second input character string, Or a second similar character string group generation unit 1042 that generates, as a second similar character string, a character string obtained by replacing at least one character of the second input character string with the second wildcard character; , Second similar sentence A second encryption unit 1046 for generating a second comparison cipher value by applying an encryption function to the column, and comparing the first comparison cipher value and the second comparison cipher value to obtain a first input character A similar encryption comparison unit 106 that determines the similarity between the sequence and the second input character string is included.

  In this case, the “similarity” of a certain character string may be the number of characters inserted or replaced with padding characters. Then, a certain character string may be defined as being “near each other” when the number of characters inserted or replaced with padding characters is less than or equal to a predetermined number of characters with respect to another character string.

  In the above, the hash function is used as the encryption function, but another encryption function may be used. The hash function operation unit may be simply referred to as an encryption unit, and the similar hash comparison unit may be simply referred to as a similar encryption comparison unit.

  In the above description, two encrypted value groups obtained by encrypting a character string group obtained by inserting a wild card into two character strings or substituting at least one character of the character string with a wild card are compared. However, an encrypted value group may be generated from only one of the two character strings and compared with the encrypted value of the other character string.

  FIG. 12 is a configuration diagram illustrating an example of the configuration of the cryptographic processing device 10 or the first similar hash generation unit 102, the second similar hash generation unit 104, and / or the similar hash comparison unit 106. FIG. 12 is a configuration diagram of an example of a computer that can be used as the cryptographic processing apparatus 10 or the first similar hash generation unit 102, the second similar hash generation unit 104, and / or the similar hash comparison unit 106.

  The computer 500 includes an MPU 502, ROM 504, RAM 506, hard disk device 508, input device 510, display device 512, interface device 514, and recording medium drive device 516. These components are connected via a bus line 520, and various data can be exchanged under the management of the MPU 502.

  An MPU (Micro Processing Unit) 502 is an arithmetic processing unit that controls the operation of the entire computer 500, and functions as a control processing unit of the computer 500.

  A ROM (Read Only Memory) 504 is a read-only semiconductor memory in which a predetermined basic control program is recorded in advance. The MPU 502 reads out and executes this basic control program when the computer 500 is activated, thereby enabling operation control of each component of the computer 500.

  A RAM (Random Access Memory) 506 is a semiconductor memory that can be written and read at any time and used as a working storage area as necessary when the MPU 502 executes various control programs.

  The hard disk device 508 is a storage device that stores various control programs executed by the MPU 502 and various data. The MPU 502 reads out and executes a predetermined control program stored in the hard disk device 508, thereby performing various control processes described later.

  The input device 510 is, for example, a mouse device or a keyboard device, and when operated by a user of the system of FIG. Send to.

  The display device 512 is, for example, a liquid crystal display, and displays various texts and images according to display data sent from the MPU 502.

  The interface device 514 manages the exchange of various information with various devices connected to the computer 500.

  The recording medium driving device 516 is a device that reads various control programs and data recorded on the portable recording medium 518. The MPU 502 can read out and execute a predetermined control program recorded in the portable recording medium 520 via the recording medium driving device 516, thereby performing various control processes described later. As the portable recording medium 218, for example, a flash memory equipped with a USB (Universal Serial Bus) standard connector, a CD-ROM (Compact Disc Read Only Memory), a DVD-ROM (Digital Versatile Disc Only Only). and so on.

  In order to configure a cryptographic processing apparatus using such a computer 500, for example, a control program for causing the MPU 502 to perform the processing in each processing unit described above is created. The created control program is stored in advance in the hard disk device 508 or the portable recording medium 520. Then, a predetermined instruction is given to the MPU 502 to read and execute the control program. In this way, the functions provided in the cryptographic processing device 10 or the first similar hash generation unit 102, the second similar hash generation unit 104, and / or the similar hash comparison unit 106 are provided by the MPU 502.

  By using such a cryptographic processing device 10, whether the two character strings are in the “neighborhood” by comparing the hash values of the two character strings, for example, the hash value of the entered password and the input password. Whether it can be determined.

  In addition, it is possible to distinguish between an incorrect password input by an authorized user and an incorrect password input by an attacker.

  When the above cryptographic processing device is used as a device for password authentication, if a legitimate user enters an incorrect password, the entered password must be in the “nearby” position of the correct password, such as a partial character string matching. There are many. Here, that two character strings are “near each other” means that a relatively high portion of the entire character string matches. On the other hand, there are not many cases where the password entered by an attacker who tries to login after breaking the security is in the vicinity of the correct password. According to the above device, it is obtained from a hash value obtained from a character string obtained by substituting some wildcard characters for the correct password and a character string obtained by substituting some wildcard characters for the input character string. By comparing with the hash value, it is possible to determine whether it is an input error or a brute force attack.

<Example of processing>
Referring to FIG. 13 to 16, an example of processing. In this process, a special character called a wild card character is used. The wild card character needs to be determined in advance, but may be any character that is never included in the original input character string. Generally, control characters in the range of 0 to 31 and 127 in the ASCII code are rarely used for the input character string, and any of these can be used.

  In the following description, the default value of the maximum number of characters that can be compared is 16. Furthermore, the padding character used for aligning with the predetermined length is also determined in advance in the same manner as the wild card character. The padding character is preferably a different character from the wildcard character.

If the apparatus is a general-purpose computer as shown in FIG. 12, FIGS. 13 to 16 and / or the following description define a control program for performing such processing. That is, hereinafter, it is also a description of a control program that causes a general-purpose computer to perform the processing described below.

FIG. 13 is an example of a flowchart showing the flow of processing in the similar character string generation processing. FIG. 13 shows an example in which a similarity in which one character in the input character string is replaced with another character can be detected.

  In step S102, the input character string receiving unit 1020 (1040) receives the input character string s. For example, s = “abcd”.

  In S104, the input character string receiving unit 1020 (1040) adds padding characters to the end of the input character string s received in S102 until the predetermined number of characters is reached. In the case of s = “abcd”, if the padding character is “...”, then s = “abcd...

  Next, in S106, the similar character string group generation unit 1024 (2044) initializes a variable i representing a character position to 1.

  S108 to S112 constitute a loop, and the loop processing is performed while increasing the value of the variable i representing the character position by one. The loop is repeated until the value of i exceeds the length of the character string s.

  In S108, the similar character string group generation unit 1024 (2044) replaces the i character of the character string s with a wildcard character, for example, “?”, And sets the similarity = 1 and character string t as similar hash data ( 1, t) is output.

  For example, the first character of the character string s = “abcd...” Is replaced with the wildcard character “?”, And similarity hash data 1 and character string t = A set (1, t) of “? Bcd...

  In S110, the similar character string group generation unit 1024 (2044) increases the variable i representing the character position by one.

  In S112, the similar character string group generation unit 1024 (2044) determines whether the variable i representing the character position exceeds the number of characters in the character string s. If the result of this determination is “YES”, that is, if the variable i representing the character position exceeds the number of characters of s, the processing is terminated. If the result of this determination is “NO”, that is, if the variable i representing the character position does not exceed the number of characters of s, the process returns to S108.

  By the processing of S108 to S112, similarity = 1 and character string t = “abcd ...” from the combination of similarity = 1 and character string t = “? Bcd... 16 similar hash data are generated until "...".

FIG. 14 is an example of a flowchart showing the flow of processing in the similar character string generation processing corresponding to increase / decrease of one character. This process is processed by the similar character string group generation unit 1024 (2044).

S202 to S206 are the same as the processes of S102 to S106 described above.
In S208, the similar character string group generation unit 1024 (2044) inserts a wild card character, for example, “?” Immediately before the i-th character of the character string s, and creates a character string u with the last character deleted. For example, if the string s = “abcd...” And i = 1, then the string u = “? Abcd. .

  In the next S210, the similar character string group generation unit 1024 (2044) determines that the character string u if the i + 1 character of the character string u is a padding character, or if the i character is the last character and the i + 1 character does not exist. Add padding characters to the beginning of. If the character string s = “abcd...” And i = 5, then the character string u = “. Abcd... In this case, the padding character at the end may be deleted.

  In S212, the similar character string group generation unit 1024 (2044) outputs a set (1, u) of similarity = 1 and character string u as similar hash data.

The processing of S214 to S216 is the same as the processing of S110 to S112.
In S214, the similar character string group generation unit 1024 (2044) increases the variable i representing the character position by one.

  In S216, the similar character string group generation unit 1024 (2044) determines whether the variable i representing the character position exceeds the number of characters in the character string s. If the result of this determination is “YES”, that is, if the variable i representing the character position exceeds the number of characters of s, the processing is terminated. If the result of this determination is “NO”, that is, if the variable i representing the character position does not exceed the number of characters of s, the process returns to S208.

FIG. 15 is an example of a flowchart showing a flow of processing in the similar character string generation processing corresponding to increase / decrease of two characters. FIG. 15 shows an example in which a similarity in which two characters in the input character string are replaced with another character can be detected. This process is processed by the similar character string group generation unit 1024 (2044).

This process is similar to the case of changing one character shown in FIG. 14 except that all (i, j) pairs (where 1 ≦ i <j ≦ n and n is the character string s after padding). In order to create a character string t in which the i-th character and j-th character are replaced with wildcard characters with respect to (length), processing is performed in a double loop, and a set of similarity 2 and character string t is output.

S302 to S306 are the same as the processes of S102 to S106 described above.
S308 to S314 form a loop for the variable j representing the (second) character position, and the loop processing is performed while increasing the value of the variable j representing the character position by one. The loop repeats until the value of j exceeds the length of the character string s.

In S308, a variable j representing the character position (second) is initialized to i + 1.
In S310, the similar character string group generation unit 1024 (2044) replaces the i character of the character string s with a wildcard character, for example, “?”, And sets similarity = 2 and character string t as similar hash data ( 2, t) is output. For example, if the character string s = “abcd...” And i = 1 and j = 2, the character string t = “? Cd. If i = 1 and j = 16, then the character string t = “? Bcd...

  In S312, the similar character string group generation unit 1024 (2044) increments the (second) variable j representing the character position by one.

  In S314, the similar character string group generation unit 1024 (2044) determines whether the (second) variable j representing the character position exceeds the number of characters in the character string s. If the result of this determination is “YES”, that is, if the (second) variable j representing the character position exceeds the number of characters of s, the process proceeds to S316. If the result of this determination is “NO”, that is, if the (second) variable j representing the character position does not exceed the number of characters of s, the process returns to S310.

  In S316, the similar character string group generation unit 1024 (2044) increments the (first) variable i representing the character position by one.

  In S318, the similar character string group generation unit 1024 (2044) determines whether the (first) variable i representing the character position exceeds the number of characters in the character string s. If the result of this determination is “YES”, that is, if the (first) variable i representing the character position exceeds the number of characters of s, the process is terminated. If the result of this determination is “NO”, that is, if the (first) variable i representing the character position does not exceed the number of characters of s, the process returns to S308.

FIG. 16 is an example of a flowchart showing the flow of processing in the comparison processing.
In this process, when the input similar hash data is NA and NB, respectively, a search is performed for a similar hash value in NA and a similar hash value in NB. This is a process of outputting a small value. Basically, the hash values match only when the same number of wildcard characters are included in the original character string of the hash value (the input of the second hash function operation unit 1026 (1046)), and thus the hashes having different degrees of similarity. The values are unlikely to match. This process can be realized in various ways. For example, a method may be used in which a common element is extracted from a set of similar hash values, and then a search is performed for those having a low similarity. Then, how to search in order from the front.

  In S402, the similar hash comparison unit 106 sorts the similar hash data NA and NB in ascending order of similarity.

  In S404, the similar hash comparison unit 106 extracts the similarity dA and the hash value H (A) in order from the top of the similar hash data NA.

  In S406, the similar hash comparison unit 106 extracts the similarity dB and the hash value H (B) in order from the top of the similar hash data NB.

  In S408, the similar hash comparison unit 106 determines whether dA and dB are equal and H (A) and H (B) are equal. If the result of this determination is “NO”, that is, dA and dB are not equal, or H (A) and H (B) are not equal, the process proceeds to S412. If the result of this determination is “YES”, that is, if dA and dB are equal and H (A) and H (B) are equal, the process proceeds to S410.

  In S410, the similar hash comparison unit 106 outputs the similarity dA = dB and ends the process.

  In next step S412, the similar hash comparison unit 106 determines whether there is a remaining set in the similar hash data NB. If the result of this determination is “YES”, that is, if there are remaining pairs in the similar hash data NB, the process returns to S406. If the result of this determination is “NO”, that is, if there is no remaining set in the similar hash data NB, the process proceeds to S414.

  In next step S412, the similar hash comparison unit 106 determines whether there is a remaining set in the similar hash data NA. If the result of this determination is “YES”, that is, if there are remaining pairs in the similar hash data NA, the process returns to S404. If the result of this determination is “NO”, that is, if there is no remaining set in the similar hash data NA, the process proceeds to S416.

  In S416, the similar hash comparison unit 106 outputs a result of dissimilarity in the sense that there is no similarity between the similar hash data NA and the similar hash data NB, and ends the processing.

  By comparing the sets of cryptographic hash values corresponding to two or more inputs by the apparatus and method as described above, whether or not the inputs are “neighboring” to each other, for example, their original data is It is possible to know whether they are similar under conditions such as n character differences. In particular, in the apparatus and method as described above, it is possible to determine whether the inputs are “near each other” while keeping the original value secret.

  Furthermore, the safety that the original data and the relationship between the original data are not known is maintained except that it is possible to know whether or not they are similar.

  In the apparatus and method as described above, the number of hash values required to determine password input in the “neighborhood” of the correct password is small. Assuming that the number of characters constituting the original data is n at the maximum, this method can use 2 × n hash values.

  When comparing two encrypted data obtained by applying a cryptographic hash function to the two data for the two unencrypted original data, the hash value will be completely different if the original data is slightly different. Therefore, it cannot be known that the original data is similar. However, by using the encryption processing apparatus and method described above, it can be determined by comparing encrypted data whether or not the two original data are similar to each other.

  Further, in the above-described cryptographic processing apparatus and method, it is possible to obtain the “similarity” of the two original data by comparing the encrypted data, regardless of whether the two original data are similar to each other. .

Regarding the above embodiment, the following additional notes are disclosed.
(Appendix 1)
A character string obtained by inserting a first wildcard character used as an arbitrary character in the first input character string, or at least one character of the first input character string is the first wildcard character A first similar character string group generation unit that generates a character string obtained by replacing as a first similar character string;
A first encryption unit for generating a first comparison encryption value by applying an encryption function to the first similar character string;
A character string obtained by inserting a second wildcard character used as an arbitrary character in the second input character string, or at least one character of the second input character string is the second wildcard character A second similar character string group generation unit that generates a character string obtained by replacing as a second similar character string;
A second encryption unit for generating a second comparison encryption value by applying the encryption function to the second similar character string;
A similar encryption comparison unit that compares the first comparison encryption value and the second comparison encryption value to determine the similarity between the first input character string and the second input character string;
A cryptographic processing device including:
(Appendix 2)
The cryptographic processing device according to attachment 1, wherein the first similar character string group generation unit and / or the second similar character string group generation unit generates a plurality of similar character strings.
(Appendix 3)
further,
An input character string receiving unit that inserts a specific padding character for padding until the predetermined length is reached when the first input character string and the second input character string are shorter than a predetermined length; The cryptographic processing apparatus according to appendix 1 or 2.
(Appendix 4)
The compounds similar character string group generation unit, the depending on the number of substitution of wildcard insertion and / or said wild card, any one of Appendices 1 through 3 to output a similarity for the input character string The cryptographic processing device according to 1.
(Appendix 5)
The cryptographic processing apparatus according to any one of appendices 1 to 4, wherein the first input character string and the second input character string are passwords.
(Appendix 6)
The cryptographic processing apparatus according to any one of appendices 1 to 5, wherein the wild card character is a control character.
(Appendix 7)
The cryptographic processing apparatus according to any one of appendices 1 to 6, wherein the encryption function is a hash function.
(Appendix 8)
A cryptographic processing method executed by a computer,
A character string obtained by inserting a first wildcard character used as an arbitrary character in the first input character string, or at least one character of the first input character string is the first wildcard character Generating a character string obtained by substituting for the first similar character string;
Generating a first comparison cipher value by applying an encryption function to the first similar character string;
A character string obtained by inserting a second wildcard character used as an arbitrary character in the second input character string, or at least one character of the second input character string is the second wildcard character Generating a character string obtained by substituting for the second similar character string;
Applying the encryption function to the second similar character string to generate a second comparison cipher value;
Comparing the first comparison cipher value and the second comparison cipher value to determine the similarity between the first input character string and the second input character string;
A cryptographic processing method including:
(Appendix 9)
The cryptographic processing method according to attachment 6, wherein generating the similar character string generates a plurality of similar character strings.
(Appendix 10)
further,
Appendix 7 or 8 including inserting a specific padding character to pad until the predetermined length is reached when the first input character string and the second input character string are shorter than a predetermined length The cryptographic processing method described in 1.
(Appendix 11)
The generating of the similar character string includes any one of the appendixes 7 to 9 that output the similarity to the input character string depending on the number of insertions of the wild card and / or replacement with the wild card. The cryptographic processing method described in 1.
(Appendix 12)
The encryption processing method according to any one of appendices 7 to 10, wherein the first input character string and the second input character string are passwords.
(Appendix 13)
The encryption processing method according to any one of appendices 7 to 11, wherein the wild card character is a control character.
(Appendix 14)
The encryption processing method according to any one of appendices 7 to 13, wherein the encryption function is a hash function.
(Appendix 15)
A character string obtained by inserting a first wildcard character used as an arbitrary character in the first input character string, or at least one character of the first input character string is the first wildcard character A character string obtained by replacing with is generated as a first similar character string,
An encryption function is applied to the first similar character string to generate a first comparison encryption value;
A character string obtained by inserting a second wildcard character used as an arbitrary character in the second input character string, or at least one character of the second input character string is the second wildcard character A character string obtained by replacing with is generated as a second similar character string,
Generating a second comparison cipher value by applying the encryption function to the second similar character string;
A program for causing a computer to execute a process of comparing the first comparison encryption value and the second comparison encryption value to determine the similarity between the first input character string and the second input character string.
(Appendix 16)
The program according to appendix 12, which causes the computer to execute a process of generating a plurality of similar character strings in the process of generating the similar character string.
(Appendix 17)
further,
Supplementary note for causing a computer to execute a process of inserting a specific padding character for padding until the predetermined length is reached when the first input character string and the second input character string are shorter than a predetermined length. The program according to 13 or 14.
(Appendix 18)
The processing for generating the similar character string causes the computer to execute processing for outputting the similarity to the input character string depending on the number of times the wild card is inserted and / or replaced with the wild card. 15. The program according to any one of 15.
(Appendix 19)
The program according to any one of appendices 13 to 16, wherein the first input character string and the second input character string are passwords.
(Appendix 20)
The program according to any one of appendices 13 to 17, wherein the wild card character is a control character.
(Appendix 21)
The program according to any one of appendices 7 to 13, wherein the encryption function is a hash function.

DESCRIPTION OF SYMBOLS 10 Encryption processing apparatus 102 1st similar hash production | generation part 104 2nd similar hash production | generation part 106 Similar hash comparison part 1020, 1040 Input character string reception part 1022, 1042 1st hash function action | operation part 1024, 1044 Similar character string group production | generation Units 1026 and 1046 Second hash function operation unit 1060 Main hash comparison unit 1062 Similar hash value group comparison unit

Claims (9)

String obtained by inserting a used Ruwa-carded character as any character in the first input string or replacing at least one character of the first input string before Kiwa Ile-card characters, A first similar character string group generation unit that generates a character string obtained as a first similar character string;
A first encryption unit for generating a first comparison encryption value by applying an encryption function to the first similar character string;
String obtained by inserting the wildcard character in the second input string, or a character string obtained by replacing at least one character of the second input string before Kiwa Ile-card characters, A second similar character string group generation unit that generates a second similar character string;
A second encryption unit for generating a second comparison encryption value by applying the encryption function to the second similar character string;
When the first comparison encryption value and the second comparison encryption value are equal , the number of insertions and / or substitutions of the wildcard in the first input character string, and the second A similar encryption comparison unit that outputs the similarity between the first input character string and the second input character string based on the number of insertions and / or replacements with the wild card in the input character string When,
A cryptographic processing device including:   The cryptographic processing apparatus according to claim 1, wherein the first similar character string group generation unit and / or the second similar character string group generation unit generates a plurality of similar character strings. further,
An input character string receiving unit that inserts a specific padding character for padding until the predetermined length is reached when the first input character string and the second input character string are shorter than a predetermined length; The cryptographic processing apparatus according to claim 1 or 2. The compounds similar character string group generation unit, the depending on the number of substitution of wildcard insertion and / or the wildcard any one of claims 1 to 3 for outputting a similarity for the input character string The cryptographic processing device according to item.   The cryptographic processing apparatus according to any one of appendices 1 to 4, wherein the first input character string and the second input character string are passwords.   The cryptographic processing apparatus according to claim 1, wherein the wild card character is a control character.   The cryptographic processing apparatus according to claim 1, wherein the encryption function is a hash function. First similar string group generation unit comprises at least a first input string to any used as a character Ruwa Ile-string obtained by inserting the card character or the first input string, 1 a character string obtained by replacing the characters before Kiwa Ile-card characters, generates a first similar string,
The first encryption unit generates a first comparison encrypted value by applying an encryption function to the first similar string,
Second similar string group generation unit, a second input string to the character string obtained by inserting a wildcard character or the second input string at least a character before Kiwa Ile-card, the string obtained by replacing the character, generating a second similar string,
The second encryption unit generates the second comparison encrypted value by the action of the cryptographic function on said second similar string,
The number of insertions and / or substitutions to the wildcard in the first input character string when the similar encryption comparison unit has the first comparison encryption value equal to the second comparison encryption value And the degree of similarity between the first input character string and the second input character string based on the number of insertions and / or substitutions of the wild card in the second input character string. Output ,
Cryptographic processing method comprising. String obtained by inserting a used Ruwa-carded character as any character in the first input string or replacing at least one character of the first input string before Kiwa Ile-card characters, A first similar character string group generation unit that generates a character string obtained as a first similar character string ;
A first encryption unit for generating a first comparison encryption value by applying an encryption function to the first similar character string;
String obtained by inserting the wildcard character in the second input string, or a character string obtained by replacing at least one character of the second input string before Kiwa Ile-card characters, A second similar character string group generation unit that generates a second similar character string ;
A second encryption unit for generating a second comparison encryption value by applying the encryption function to the second similar character string;
When the first comparison encryption value and the second comparison encryption value are equal , the number of insertions and / or substitutions of the wildcard in the first input character string, and the second A similar encryption comparison unit that outputs the similarity between the first input character string and the second input character string based on the number of insertions and / or replacements with the wild card in the input character string As
A program that causes a computer to function .

Images